Attackers planting banking Trojans in industrial systems

Trend Micro researcher Kyle Wilhoit says the latest attacks on SCADA and industrial control networks are turning out to carry rather pedestrian banking Trojans, and have been on the rise since October 2014. Talking to DarkReading, Wilhoit said rather than Stuxnet-style attacks, ne'er-do-wells are dropping banking Trojans into …

  1. Destroy All Monsters Silver badge

    Malware carpet bombing and targets of opportunity

    So is this like the Allies getting a bit silly in later stages of WWII and dropping bombs on anything and everything to test those devices and because why the hell not?

  2. Robert Helpmann??

    It doesn't look good

    ...if, for example, someone deployed a Cryptolocker-based attack against the control system, it would be rendered unusable.

    Unless, of course, the systems were redundant and consistently backed up and there was a disaster recovery plan in place and... what am I talking about? If an industrial control system was in a position to be compromised by someone deploying ransomware, none of these things are likely to be in place or set up correctly if they were.

    1. Anonymous Coward

      Re: It doesn't look good

      Speak for yourself. All of our industrial control systems are backed up every hour, accessible USB ports are removed or filled with araldite, disaster recovery is tested once a month, the network is independent and monitored for any changes (when I say independent I mean just that - own servers, switches and monitoring systems). The last time a bean counter wanted access he was taken to HR and given his discharge papers - we don't compromise security for anyone.

      1. Pascal Monett Silver badge

        @ Ivan 4

        Glad to know your security is so tight.

        Now tell me, do you really think your company is a typical case ?

        I wish it were.

        1. Anonymous Coward

          Re: @ Ivan 4

          I must say that some of the supposedly secure sites I have seen are not even, apparently, trying to be secure - something I just don't understand.

          We were asked to design and implement a secure system - we did and it has been running without any problems for the last 15 years.

          It can be done BUT it does require the will to do it, something that seems to be lacking in so many installations today - especially government installations.

      2. drewf74

        Re: It doesn't look good

        Lucky you. Not many places have the luxury of a ground-up secure design. Most are as leaky as a leaky thing with holes in it; most of the kit was installed before anyone really thought about security. It's going to take a long time to sort, starting from the current position.

        'We' had people who believed the systems were totally secure. Armed with nothing more than an Android phone and a free app, I accessed a system and showed I could change a speed parameter. Nothing fancy, didn't even enter the physically secure plant room. Highly successful demo - jaws are still on the floor.

        1. Anonymous Coward

          Re: It doesn't look good

          Good for you drewf74. Now the question is, what are they going to do about it? My experience says SFA.

          I should think that someone should be kicking the hardware suppliers at your place. Depending on the speed tolerance % why didn't the independent setting alarms go off, or are they missing?
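The "independent setting alarms" the comment above asks about are a monitor that watches parameter writes outside the HMI and raises an alarm when a value moves outside its engineering tolerance or comes from a host that should never be writing. The following is an added example, not code from any commenter or vendor: it parses a constructed write log (the log format, host addresses and register map are assumptions) and flags writes from unexpected hosts, values outside a per-register tolerance band, and single-step jumps larger than a configured fraction of nominal.

```python
"""Independent setpoint alarm: flag control-parameter writes that come from
an unexpected host or push a value outside its engineering tolerance.
Added example, not from the article or any commenter; the log format,
host addresses and register map below are constructed for illustration."""
from dataclasses import dataclass
import re

# Constructed sample: one line per register write, as a protocol gateway or
# span-port sensor might log it. The third line is the out-of-band write.
WRITE_LOG = """\
2015-02-10T09:00:01 src=10.20.1.5 unit=3 reg=40010 value=1480
2015-02-10T09:00:31 src=10.20.1.5 unit=3 reg=40010 value=1495
2015-02-10T09:01:02 src=10.20.7.88 unit=3 reg=40010 value=2900
2015-02-10T09:01:40 src=10.20.1.5 unit=3 reg=40011 value=60
"""

# Constructed register map: nominal setpoint and tolerance (%) per register.
REGISTERS = {
    40010: {"name": "pump_speed_rpm", "nominal": 1500, "tol_pct": 5.0},
    40011: {"name": "valve_pct", "nominal": 50, "tol_pct": 25.0},
}
# Only the engineering workstation (assumed address) may write setpoints.
ALLOWED_WRITERS = {"10.20.1.5"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) unit=(?P<unit>\d+) "
    r"reg=(?P<reg>\d+) value=(?P<val>-?\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    reg: int
    reason: str


def parse_line(line):
    """Return (ts, src, unit, reg, value) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["ts"], m["src"], int(m["unit"]), int(m["reg"]), int(m["val"]))


def check_writes(log_text, registers=REGISTERS, allowed=ALLOWED_WRITERS, max_step_pct=10.0):
    """Return alerts for writes from unauthorised hosts, values outside the
    tolerance band, and single-step changes larger than max_step_pct of nominal.
    The checks are independent of the HMI, so a change made with a phone app
    against the controller directly is still seen."""
    alerts = []
    last = {}  # last accepted value per register, for the rate-of-change check
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not a write record; a real monitor would count these
        ts, src, unit, reg, val = rec
        spec = registers.get(reg)
        if spec is None:
            alerts.append(Alert(ts, reg, f"write to unmapped register from {src}"))
            continue
        if src not in allowed:
            alerts.append(Alert(ts, reg, f"write from unauthorised host {src}"))
        band = spec["nominal"] * spec["tol_pct"] / 100.0
        if abs(val - spec["nominal"]) > band:
            alerts.append(Alert(ts, reg, f"{spec['name']}={val} outside {spec['nominal']}±{band:g}"))
        prev = last.get(reg)
        if prev is not None and abs(val - prev) > spec["nominal"] * max_step_pct / 100.0:
            alerts.append(Alert(ts, reg, f"{spec['name']} jumped {prev}->{val}"))
        last[reg] = val
    return alerts


if __name__ == "__main__":
    for a in check_writes(WRITE_LOG):
        print(a.ts, a.reg, a.reason)
```

Run against the constructed log, the monitor raises three alerts, all for the 09:01:02 write: unauthorised source, value outside the 1500±75 rpm band, and a jump of more than 10% of nominal in one step. Whether the alarm has teeth depends on it being fed from a tap the HMI and the vendor's remote-support channel cannot disable.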

      3. Wize

        Re: It doesn't look good

        "Speak for yourself. All of our industrial control systems are backed up every hour, accessible USB ports are removed or filled with araldite, disaster recovery is tested once a month, the network is independent and monitored for any changes (when I say independent I mean just that - own servers, switches and monitoring systems). The last time a bean counter wanted access he was taken to HR and given his discharge papers - we don't compromise security for anyone."

        Stuxnet was created just for that. A separate network that wasn't connected to the outside world. It jumped the air gap.

        What happens when there is an upgrade to the system? Say, add some new equipment or change how part of the process operates. Even an operating system patch. You'll have to transfer that data to the independent network somehow.

        And software backups won't be any good if they manage to cause some physical damage.

        1. Anonymous Coward

          Re: It doesn't look good

          A good point Wize but we even have that covered. Any updates, and there are very few because we don't use Windows, are tested on another separate network and they have to pass all tests before they get to our operating network. To get them to the operating network three people are involved and each person has to sign off their part of the operation before the operations manager starts the transfer that is monitored at every stage, also requiring a sign off.

          We do not compromise security.
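The three-person sign-off described in the comment above is a multi-party release gate: nothing crosses from the test network to the operating network until every required role has approved the exact artifact that passed testing. The following is an added example of how such a gate can be enforced in software rather than on paper; it is not the commenter's actual procedure, and the role names, key handling (one HMAC key per approver, which in practice would live on that person's own token) and the constructed update artifact are assumptions.

```python
"""Multi-person sign-off gate for moving an update from the test network to
the operating network. Added example, not the commenter's procedure; roles,
key handling and the artifact are constructed for illustration.
Each approver holds a separate secret key and signs the SHA-256 of the exact
artifact that passed testing; the transfer step verifies all of them against
the bytes it is about to move, so swapping the file after approval fails."""
import hashlib
import hmac
import secrets

# Assumed roles: everyone in this tuple must sign before transfer.
REQUIRED_ROLES = ("test_engineer", "reviewer", "operations_manager")


def artifact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_off(role, key, digest):
    """Return an approval record binding role and digest with an HMAC tag.
    The role is included in the signed message so one person's tag cannot be
    replayed as another role's approval."""
    msg = f"{role}:{digest}".encode()
    return {"role": role, "digest": digest,
            "tag": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def verify_approvals(data, approvals, keys, required=REQUIRED_ROLES):
    """Allow transfer only if every required role has a valid signature over
    the digest of the artifact actually being transferred.
    Returns (ok, reason) and fails closed on any defect."""
    digest = artifact_digest(data)
    seen = set()
    for a in approvals:
        role = a.get("role")
        if role not in keys:
            return False, f"unknown role {role!r}"
        if a.get("digest") != digest:
            return False, f"{role} approved a different artifact"
        expected = hmac.new(keys[role], f"{role}:{digest}".encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so a forged tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, a.get("tag", "")):
            return False, f"invalid signature from {role}"
        seen.add(role)
    missing = [r for r in required if r not in seen]
    if missing:
        return False, "missing sign-off from " + ", ".join(missing)
    return True, "all sign-offs valid; transfer may proceed"


def demo():
    """Walk through the three cases a gate must get right."""
    keys = {r: secrets.token_bytes(32) for r in REQUIRED_ROLES}
    update = b"firmware-v2.3.1 (constructed test artifact)"
    digest = artifact_digest(update)
    approvals = [sign_off(r, keys[r], digest) for r in REQUIRED_ROLES]
    ok, _ = verify_approvals(update, approvals, keys)
    # Two of three is not enough.
    partial_ok, _ = verify_approvals(update, approvals[:2], keys)
    # Changing the artifact after approval invalidates every sign-off.
    tampered_ok, _ = verify_approvals(update + b"x", approvals, keys)
    return ok, partial_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

The point of binding the approvals to the digest rather than to a ticket number is that the "monitored at every stage" property survives automation: the transfer tool refuses anything that is not byte-for-byte what the three people looked at.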

    2. thames

      Re: It doesn't look good

      The historical process data that is normally logged is often valuable. In many cases they are required to save it for process optimization or legal reasons. If the historical data was encrypted, they would either lose the data, or else have to pay to get it back when they discovered what happened.

  3. Dafyd Colquhoun

    AV is often not an option

    I worked on a substation SCADA system that was infected with viruses. One of the reasons is that the SCADA vendors bastardise Windows (XP in this case, installed in 2013!) to do things it isn't meant to. They then do not guarantee it will work if ANY anti-virus software is installed. The mods included blocking Ctrl-Alt-Del until an Admin user was logged in. That isn't meant to be possible, but somehow they managed!

    The only way we got to clean things up was AV boot CDs, and taking one server down at a time (thank goodness for redundancy). I was ready to chew out our technicians for sloppy behaviour, but then found viruses on a server fresh from being supplied.

    The functional spec required vendors include AV and provide a certificate of cleanliness. When the Contract Dept was challenged they shrugged and said 'so what?' With an attitude like that is it any wonder that crap gets delivered, accepted and paid for?

    1. Anonymous Coward

      Re: AV is often not an option

      Are you saying the people in the Contract Department are still employed by the company? Shirking their responsibilities should be the reason for instant dismissal.

  4. Voland's right hand Silver badge

    Why use cryptolocker?

    I would have thought that the threat to turn on/off the water flow to a city of 1M+ until all major pipes rupture from hydraulic shock or the threat to dump a few hundred tons of industrial chemicals, sewerage, etc into the nearby river (and call the EPA immediately thereafter) are considerably more effective ransom demands than encrypting a hard drive.

    1. Anonymous Coward

      Re: Why use cryptolocker?

      "considerably more effective ransom demands than encrypting a hard drive."

      Cryptolocker does what it does and the malware supplier doesn't need to know anything about the target environment. No installation-specific info is required.

      To do the other kind of things you mention, that involve changing the SCADA system behaviour in a specific way, the malware supplier has to understand many installation-specific details of the SCADA system.

  5. STZ

    Why use Windows ?

    When trying to cause widespread harm, attacking a nation's power grid is much more effective - darkness for everyone, no more production or transportation, gas stations might still have fuel but the pumps are not working ...

    One might assume that critical infrastructure is controlled by some very robust industrial IT gear that isn't susceptible to common PC malware. But no, there is Windows to be found everywhere - and replacing it by Linux wouldn't be such a good idea either. There are even more Linux than Windows vulnerabilities ...

    Rather than now calling in many thousands of those security consultants into industrial IT who have already failed to make commercial and consumer IT reasonably secure, it might be better to go for some proprietary IT gear that is not within easy reach of everybody and his brother. Security by obscurity is often condemned by cryptographers, but usually works pretty well in the real world.

    1. Wize

      Re: Why use Windows ?

      Security by obscurity is absolute nonsense. Someone wants to target you, they will hunt for that obscure information. They even managed to damage a reactor via an air gap. For that you'd need knowledge of the systems the other side of that gap. If they can find that out, they will find what obscure kit you are using.

      A system protected by "security by obscurity" is an easy target for a hacker.

    2. The Original Steve

      Re: Why use Windows ?

      Because the OS is secure enough. Good security applies to all platforms (physical security, access control, least privilege, firewalling, separate networks, patching etc).

      Windows, like Linux and *BSD based platforms, is mature and secure enough for industrial workloads. It's not the platform that's the issue - it's security practices that let these things happen.

    3. thames

      Re: Why use Windows ?

      Why use Windows is simple. Back when most of these SCADA software packages originated, there weren't a lot of alternatives. They have a large legacy code base and re-writing them isn't judged profitable, especially as the software vendors view security as being strictly a customer responsibility.

      What's keeping them on Windows now is proprietary drivers for talking to the actual hardware which controls and monitors the processes (the SCADA system just provides a front end). Most of that hardware is very proprietary along with the protocols to talk to it. The driver interface the industry uses is based on Microsoft stuff, and is Windows only. If you try to build anything that runs on something other than Windows, there will always be a huge amount of stuff on the market that you can't talk to.

      As for using "some proprietary IT gear", that's exactly what the vendors do in the actual control hardware, and that's exactly why the security is so pathetic. The industrial market simply isn't big enough to support the level of security expertise found in the general IT market. If the control hardware was more open, then they could base their designs off the standards found in the general IT industry and take advantage of security developments there. Instead, the goal is "vendor lock-in by obscurity", and security suffers as a result.

  6. thames

    Banking? Unlikely.

    “The ultimate end goal here is probably not industrialised espionage, but to get banking credentials”.

    The story is lacking in details to tell what is really happening. Two far more likely possibilities are either that the malware is something infecting the company's PCs in general, or else someone is looking for passwords to use for other purposes.

      In the latter case, they may want passwords which will also work to get access to the corporate network for more normal data pillaging purposes. SCADA and HMI systems are often soft targets because they are often running old unpatched versions of MS Windows because that is all the vendor supports.

  7. hayzoos

    many issues

    The vendors of SCADA systems deserve a large portion of the blame. I have dealt with some of these systems and the vendors. They claim the systems are secure, the SCADA app does not work with AV or any other system utility on the system, admin credentials are required to run the SCADA app, it should be connected to the internet with firewall ports opened for vendor remote support, etc. Some are perfect examples of exactly how NOT to secure a system.

    I was able to implement many appropriate security measures to better the situation. But, some things could not be implemented without the vendor rewriting the control app, device firmware and/or redesigning the overall system. The development cycle times in the SCADA sector are extremely long. I am not at all surprised to hear of one using WinXP installed in 2013, I saw one with Win95 installed in 2007 because the control app did not work on the NT codebase found in WinXP and newer. More likely even the default loose file permissions restrictions were too strict for the app design.

    My guess is these getting infected with banking cred stealing malware are not targeted. They are the lowest hanging fruit. I shudder to think anything could be less secure to be lower hanging fruit.

    There is a bright side, there is plenty of room for improvement.
