Let's find the answer to all the questions by looking into some history of OT attacks and malware.
We systematically categorize the attacks into direct and indirect vectors.
Direct attacks are those that target OT systems through the exploitation of inherent vulnerabilities within the OT devices and protocols themselves.
Indirect attacks, on the other hand, involve entry points through connected IT systems, supply chain compromises, or human vectors such as phishing or insider threats. Looking at some previous examples of OT malware and how they got into the OT network helps us understand the possible ways an attacker or malware can get into the critical environment.
Our analysis begins with an examination of the infamous Stuxnet incident. Stuxnet is the first infamous OT malware; it was discovered in 2010 and was designed to target industrial control systems. Even though Stuxnet is no longer actively spreading, it is still considered a significant threat because it was such complex and advanced malware.
Stuxnet's PLC rootkit modifies the controller code to perform an attack and to record received data.
Industroyer was first seen in 2016 when it attacked Ukraine's power grid, and some years later, in 2022, a second variant of Industroyer came to light when it attacked the operational technology supporting power grid operations in Ukraine.
The attacker first installs the main backdoor, which connects to a remote command-and-control server over HTTPS to receive commands from the threat actors; a proxy address is also used.
Once the attacker gains administrator privileges, they upgrade the main backdoor to execute as a Windows service. This is achieved by replacing the ImagePath registry value of an existing, non-critical Windows service with the path of the new backdoor binary.
The attacker also makes other changes to the system, such as inserting malicious code into Windows Notepad so that each time the application is launched the malicious code also executes.
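As an added example (not code from the article), the ImagePath service-hijack persistence described above can be spotted from registry-write telemetry. The script below runs over a few constructed records shaped like Sysmon Event ID 13 (RegistryEvent: Value Set) and flags ImagePath writes whose new binary sits outside the directories a service binary is normally loaded from; the record field names and the trusted directory list are assumptions to be tuned to a site's gold image.

```python
import re

# Constructed sample records, shaped like Sysmon Event ID 13 (Value Set).
# They are illustrative only, not log lines from the article.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 13, "Image": r"C:\Users\ops\AppData\Local\Temp\upd.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wuauserv\ImagePath",
     "Details": r"C:\Users\Public\svchost.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
]

# Directories legitimate service binaries are normally loaded from (assumption).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

# Matches "...\Services\<name>\ImagePath" and captures the service name.
IMAGEPATH_RE = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.IGNORECASE)


def service_binary(details: str) -> str:
    """Return the executable path from an ImagePath value, lower-cased.

    Handles quoted paths with arguments and the %SystemRoot% form
    (assumed to expand to C:\\Windows)."""
    d = details.strip()
    exe = d.split('"')[1] if d.startswith('"') else d.split(" ")[0]
    return exe.lower().replace("%systemroot%", r"c:\windows")


def find_suspicious_imagepath_changes(events):
    """Return (service, writer_process, new_binary) for every ImagePath write
    whose new binary lies outside TRUSTED_DIRS."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = IMAGEPATH_RE.search(ev["TargetObject"])
        if not m:
            continue  # some other service value, e.g. Start type
        binary = service_binary(ev["Details"])
        if not binary.startswith(TRUSTED_DIRS):
            hits.append((m.group(1), ev["Image"], binary))
    return hits


if __name__ == "__main__":
    for svc, writer, binary in find_suspicious_imagepath_changes(SAMPLE_EVENTS):
        print(f"ALERT: service {svc} ImagePath -> {binary} (written by {writer})")
```

Feeding the same logic a baseline export of every service's ImagePath, rather than live events, turns it into a periodic audit of hosts that lack Sysmon.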
In coordination with the deployment of Industroyer 2 within the industrial control system network, the attacker introduced an updated variant of the CaddyWiper malware.
CosmicEnergy malware has no built-in functionality to autonomously perform reconnaissance, discover, and identify target systems in the network. Because of this limitation, the attacker must conduct prior reconnaissance, such as gathering the IP address of the MSSQL server, the target IEC-104 device and credentials, and identifying critical systems and their vulnerabilities.
CosmicEnergy potentially involves using an MSSQL server as a gateway to access OT systems; once the attacker gains access, they can manipulate power line switches and circuit breakers, leading to power disruptions.
Phishing remains the top entry point: attackers send employees emails with malicious attachments to deliver malware into the network.
OT systems and their software or applications often run on older, less supported software, which has a high chance of containing unpatched vulnerabilities.
Insecure remote access protocols such as RDP can give an attacker a backdoor into the OT network.
Devices with weak configurations, default credentials, or unnecessarily enabled services can be easily exploited by attackers.
External hard drives, USB drives, or other removable media can be used by attackers to transfer malware into an OT network.
Attackers can gain a foothold in an OT network by compromising the supply chain of a vendor or service provider.
Once the malware has gained access to one system, the attacker will use various techniques to move laterally throughout the network and infect other systems.
This Cyber News was published on securityboulevard.com. Publication date: Tue, 09 Jan 2024 10:13:03 +0000