Kaspersky issued a research report on Havex, which they call Energetic Bear – Crouching Yeti after the threat actor. It’s probably worth its own post and worth reading, but here are three highlights.
On page 15 (HT: Damiano Bolzoni) they describe the Network Scanning Module that looks for much more than OPC servers. It is scanning for Modbus (502), Siemens S7 (102), EtherNet/IP (44818) and ports for two proprietary ICS vendor protocols. Much like Stuxnet, I expect we are just starting to learn what Havex’s ICS capabilities are. Is it asking too much for DHS/INL to actually perform research and inform the community? It’s understandable, after the fact, why they didn’t research Stuxnet, but this is only the second piece of public ICS malware. Stop sending fly-away teams for Telnet password cracking attacks and other corporate network exploits and use that pricey ICSsec expertise developed over the last decade.
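As an added example (not from Kaspersky’s report or this post), here is a small detector a network defender could run over Zeek-style conn records to flag a host probing the ports the Havex scanning module looks for (Modbus 502, S7 102, EtherNet/IP 44818) against many distinct destinations in a short window. The log lines are constructed, and the five-column record layout is an assumption, not Zeek’s real conn.log format.

```python
"""Flag Havex-style ICS port sweeps in simplified conn records."""
from collections import defaultdict

# Ports the Havex network-scanning module probes, per the Kaspersky report.
ICS_PORTS = {502: "modbus", 102: "s7comm", 44818: "enip"}

# Constructed sample records (not captured traffic): ts src dst dport state.
# S0 = SYN with no reply, SF = completed connection.
SAMPLE_CONN_LOG = """\
1406000000.1 10.0.5.23 10.0.9.10 502 S0
1406000000.2 10.0.5.23 10.0.9.11 502 S0
1406000000.3 10.0.5.23 10.0.9.12 102 S0
1406000000.4 10.0.5.23 10.0.9.13 44818 S0
1406000000.5 10.0.5.23 10.0.9.14 502 SF
1406000000.6 10.0.5.23 10.0.9.15 102 S0
1406000001.0 10.0.5.40 10.0.9.10 502 SF
1406000002.0 10.0.5.40 10.0.9.10 502 SF
1406000003.0 10.0.5.41 10.0.9.50 443 SF
"""


def parse_conn(text):
    """Yield (ts, src, dst, dport, state) from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or header lines
        ts, src, dst, dport, state = parts
        yield float(ts), src, dst, int(dport), state


def find_ics_sweeps(text, min_targets=5, window=60.0):
    """Return {src: sorted ICS protocol names} for every source that touched
    at least min_targets distinct destinations on ICS ports within window s."""
    events = defaultdict(list)
    for ts, src, dst, dport, _state in parse_conn(text):
        if dport in ICS_PORTS:
            events[src].append((ts, dst, dport))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - t0 <= window]
            if len({dst for _, dst, _ in in_win}) >= min_targets:
                hits[src] = sorted({ICS_PORTS[p] for _, _, p in in_win})
                break
    return hits


if __name__ == "__main__":
    for src, protos in find_ics_sweeps(SAMPLE_CONN_LOG).items():
        print(f"possible ICS sweep from {src}: {', '.join(protos)}")
```

A legitimate HMI or historian polling many PLCs will also trip this, so known masters should be excluded before alerting.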
Kaspersky identifies the Swiss company, Mesa Imaging. This is what we were told and is very helpful for identifying the target. Mesa Imaging is not an ICS vendor. So what company or country sector is using eWon, MB Connect and Mesa Imaging products? That is the best clue so far for who the threat actor was targeting with that phase of the attack.
Kaspersky states there is not enough data to identify the Crouching Yeti threat actor. Some have pointed the finger at Russia, but I’d agree that there is no dispositive evidence publicly available at this time.
Belden announced Tofino 2.0 this week. Lots of good technical info surrounds the obligatory marketing hype in Eric’s blog entry. I want to dig into the technical details more in a future article and perhaps a podcast. The EtherNet/IP Deep Packet Inspection had to be a bear to write, and I’m looking forward to running it through some use cases. When are we going to see this technology integrated into a PLC Ethernet module?
Take note of the latest ICS-CERT advisory from the Crain/Sistrunk DNP3 Telegyr 8979 master fuzzing. This one is related to a SUBNET Solutions product. Most important is a 13-word sentence: “SUBNET had also determined the root issue was in the GPT software library”. The GPT software library was sold by ASE to a number of ICS vendors that now have a latent, remotely exploitable vuln that is available to all. Shouldn’t ICS-CERT be disclosing these vendor names so affected electric utilities can take action? This could be a difficult fix because ASE is no longer selling the GPT/Protocol Pak, but SUBNET found a way.
All software needs to be part of your security patching program … including your security software. The latest example is a new 0day in Symantec Endpoint Protection (SEP). It’s also why you keep your attack surface as small as possible.
Cisco takes your IoT and raises it to Internet of Everything (IoE). They announced partnerships with Rockwell Automation and Yokogawa to support “risk management and compliance for industrial control environments.” It’s one of those press releases that is hard to digest. “It addresses risks using a combination of people, process and technology.” The best I can tell is Cisco will be helping Rockwell Automation and Yokogawa design Cisco products into their ICS.
Graham Speake made the move from Yokogawa to NexDefense. NexDefense is another Mike Assante venture that is trying to commercialize the INL Sophia product. Mike also heads up the SANS ICS security program, and Graham is a SANS ICS security instructor as well as longtime active participant in ISA99. Good luck Graham.
EMET 5.0 is now available from Microsoft. This latest version adds Attack Surface Reduction and Export Address Table Filtering Plus. EMET has gotten some traction in the ICS space, especially for vendors that seem to have little concern for security or fixing identified vulns.
You can get some great tools at reasonable prices by backing the right Kickstarter campaigns. We will be taking the RFIDIer out to an assessment next week, and we should soon be getting our HackRFs. Look for reviews soon so you can consider them for your toolkit.
Image by ChrisInPlymouth