Dangerous New Malware Can Shut Down, Sabotage Industrial Sites
Pipedream, or Incontroller, is a custom-made, modular ICS attack framework that could be leveraged to cause disruption, degradation, and possibly even destruction depending on targets and the environment.
Pipedream can manipulate a wide variety of PLCs and industrial software, including Omron and Schneider Electric controllers, and can attack ubiquitous industrial technologies including CODESYS, Modbus, and OPC UA.
The framework's capabilities include performing system enumeration, issuing WMI commands, executing host-based commands, and manipulating the registry. It exploits the known-vulnerable ASRock-signed motherboard driver to execute malicious code in the Windows kernel (CVE-2020-15368).
The framework includes three tools that enable the attacker to send instructions to ICS devices using industrial network protocols:
- The first tool has multiple capabilities, such as the ability to scan for and enumerate OPC UA servers, suggesting a reconnaissance role.
- The second tool communicates with ICS devices using the Modbus protocol, which potentially gives it the ability to interact with devices from different manufacturers. However, the tool contains a specific module to interact with, scan, and attack Schneider Electric's Modicon M251 PLC using Codesys.
- The third tool is designed to obtain shell access to Omron PLCs. It primarily operates using the HTTP protocol, however it also utilizes Omron's proprietary FINS over UDP protocol for scanning and device identification.
CISA's Alert Recommends Using OT Monitoring Tools
CISA's Alert (AA22-103A) states DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:
"Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic..."
SCADAfence has been on the forefront, defending organizations around the world from attacks on industrial control systems, both with our products, and as a managed network monitoring service.
The Impact of the INCONTROLLER / Pipedream Malware
- The cyber threat detection SCADAfence Platform detects new connections, connections from external devices and from the Internet, and unauthorized connections to OT assets.
- Furthermore, the Platform detects start, restart, and stop commands sent to PLCs in the OT network, as well as remote mode change commands which are needed steps to alter programs in PLCs.
- The Platform additionally detects system enumeration scans and HTTP command execution.
SCADAfence's Expert Recommendions for Cyber Attack Prevention
- Isolate ICS systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving the perimeter.
- Limit ICS systems’ network connections to allowed management and engineering workstations.
- Enforce multi-factor authentication for all remote access to ICS networks and devices whenever possible.
- Change all passwords to ICS devices, especially all default passwords, to unique, strong passwords.
- Apply the latest security patches on the OT assets in the network.
- Maintain offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
- Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
- Monitor systems for loading of unusual drivers, especially for ASRock drivers if no ASRock driver is normally used on the system.
Since the DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices to work with a continuous network monitoring solution going forward, let our experts help you keep your networks & industrial devices secure. Contact us here.