As your IT security provider, we wanted to update you on some recent breaking news.
ESET has discovered a new malware strain designed specifically to target industrial control systems, such as electric power grids.
The malware, detected by ESET as Win32/Industroyer, is believed to have been used in the December 2016 attack on Ukraine’s power grid that caused a major blackout.
ESET detects and blocks Industroyer. Our role in identifying this threat is just another example of our commitment to innovation and technical excellence.
The 2016 attack on Ukraine’s power grid that deprived part of its capital, Kiev, of power for an hour was caused by a cyberattack. ESET researchers have since analyzed samples of malware, detected by ESET as Win32/Industroyer, capable of performing exactly that type of attack.
Whether the same malware was really involved in what cybersecurity experts consider to have been a large-scale test is yet to be confirmed. Regardless, the malware is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.
Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).
These switches and circuit breakers are digital equivalents of analogue switches; technically they can be engineered to perform various functions. Thus, the potential impact may range from simply turning off power distribution to cascading failures and more serious damage to equipment. The severity may also vary from one substation to another. Needless to say, disruption of such systems can directly or indirectly affect the functioning of vital services.
Industroyer’s dangerousness lies in the fact that it uses protocols in the way they were designed to be used. The problem is that these protocols were designed decades ago, and back then industrial systems were meant to be isolated from the outside world. Thus, their communication protocols were not designed with security in mind. That means that the attackers didn’t need to be looking for protocol vulnerabilities; all they needed was to teach the malware “to speak” those protocols.
The recent power outage occurred on December 17th, 2016, almost exactly one year after the well-documented cyberattack that caused a blackout that affected around 250,000 households in several regions in Ukraine on December 23rd, 2015.
In 2015, the perpetrators infiltrated the electricity distribution networks with the BlackEnergy malware, along with KillDisk and other malicious components, and then abused legitimate remote access software to control operators’ workstations and to cut off power. Aside from targeting the Ukrainian power grid, there are no apparent similarities in code between BlackEnergy and Industroyer.
Industroyer is modular malware. Its core component is a backdoor used by attackers to manage the attack: it installs and controls the other components and connects to a remote server to receive commands and to report to the attackers.
What sets Industroyer apart from other malware targeting infrastructure is its use of four payload components, which are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.
Each of these components targets particular communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA).
Generally, the payloads work in stages whose goals are mapping the network, and then figuring out and issuing commands that will work with the specific industrial control devices. Industroyer’s payloads show the authors’ deep knowledge and understanding of industrial control systems.
The malware contains a few more features that are designed to enable it to remain under the radar, to ensure the malware’s persistence, and to wipe all traces of itself after it has done its job.
For example, the communication with the C&C servers hidden in Tor can be limited to non-working hours. Also, it employs an additional backdoor – masquerading as the Notepad application – designed to regain access to the targeted network in case the main backdoor is detected and/or disabled.
And its wiper module is designed to erase system-crucial Registry keys and overwrite files to make the system unbootable and the recovery harder. Of interest is the port scanner that maps the network, trying to find relevant computers: the attackers made their own custom tool instead of using existing software. Finally, yet another module is a Denial-of-Service tool that exploits the CVE-2015-5374 vulnerability in Siemens SIPROTEC devices and can render targeted devices unresponsive.
Industroyer is highly customizable malware. While being universal, in that it can be used to attack any industrial control system using some of the targeted communication protocols, some of the components in analyzed samples were designed to target particular hardware. For example, the wiper component and one of the payload components are tailored for use against systems incorporating certain industrial power control products by ABB, and the DoS component works specifically against Siemens SIPROTEC devices used in electrical substations and other related fields of application.
While in principle it’s difficult to attribute attacks to malware without performing an on-site incident response, it’s highly probable that Industroyer was used in the December 2016 attack on the Ukrainian power grid. On top of the fact that the malware clearly possesses the unique capabilities to perform the attack, it contains an activation timestamp for December 17th, 2016, the day of the power outage.
The 2016 attack on the Ukrainian power grid attracted much less attention than the attack that occurred a year earlier. However, the tool most likely used, Win32/Industroyer, is an advanced piece of malware in the hands of a sophisticated and determined attacker.
Thanks to its ability to persist in the system and provide valuable information for tuning the highly configurable payloads, attackers could adapt the malware to any environment, which makes it extremely dangerous. Regardless of whether or not the recent attack on the Ukrainian power grid was a test, it should serve as a wake-up call for those responsible for the security of critical systems around the world.
Additional technical details on the malware and Indicators of Compromise can be found in our comprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: firstname.lastname@example.org.
So what is malware? It comes in a bewildering variety of forms. Computer viruses are probably the most familiar type of malware, so named because they spread by making copies of themselves. Worms have a similar property. Other types of malware, such as spyware, are named for what they do: in the case of spyware, it transmits personal information, such as credit card numbers.
So after asking “What is malware?” the next logical questions are, “who is creating it, and why?” The days when most malware was created by teenage pranksters are long gone. Malware today is largely designed by and for professional criminals.
These criminals may employ a variety of sophisticated tactics. In some cases, as technology site Public CIO notes, cybercriminals have even “locked up” computer data, making the information inaccessible, and then demanded ransom from the users to get that data back.
But the main risk that cyber criminals pose to heavy computer users is stealing online banking information such as banking and credit card accounts and passwords. The criminal hackers who steal this information may then use it to drain your account or run up fraudulent credit card bills in your name. Or they may sell your account information on the black market, where this confidential information fetches a good price.
67 – 69 Public Square
Talk to a Jungle Computer Professional …
570.970.6555 | PHONE
The strategies hackers use to break into your site can be complicated, but the results are usually pretty simple: lost revenue.
Here are the 10 most common threats identified by the Open Web Application Security Project:
1. Injection.
It’s not uncommon for web applications to have injection flaws, especially SQL injection flaws. A hacker who finds one will send malicious data as part of a command or query. The attacker’s message tricks the app into changing data or executing a command it was not designed to obey.
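The injection flaw described above, shown as an added example that is not part of the original page or of any product it mentions: a lookup that splices user input into the SQL text beside the same lookup written as a parameterized query, run against a constructed in-memory SQLite table. The hostile input, the table contents and the allow-list pattern are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample data (not from the page): a tiny user table.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable lookup: the input is spliced into the SQL text, so quote
    characters in it are parsed as part of the query rather than as data."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Hardened lookup: a parameterized query sends the input separately from
    the statement, so it can never change the query's structure."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Assumed shape of a valid username for this application (allow-list).
USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")


def username_is_well_formed(username):
    """Defence in depth: an allow-list check on the field's expected shape,
    useful both before the query and as a logging/alerting trigger."""
    return bool(USERNAME_RE.match(username))


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile input: it closes the quoted literal and appends a
    # condition that is always true, so the vulnerable query matches every row.
    hostile = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, hostile))   # every user
    print("safe:      ", find_user_safe(db, hostile))         # no match
    print("well-formed?", username_is_well_formed(hostile))   # False
```

The parameterized form is the fix; the allow-list check is not a substitute for it, but rejecting malformed field values early gives a cheap signal to log and alert on.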
2. Cross-site Scripting.
Cross-site Scripting flaws occur whenever an application sends user-supplied data to a web browser without validating it first. Hackers use these flaws to hijack users away from the site or deface it, thereby costing the site owner in lost business.
3. Insecure Direct Object References.
Applications that lack checks to verify a user is authorized to view particular content can be manipulated to access private data.
4. Broken Authentication.
When account credentials and session tokens aren’t properly protected, hackers can assume users’ identities online.
5. Cross-site Request Forgery (CSRF).
A CSRF attack tricks unknowing site visitors into submitting forged HTTP requests via image tags, XSS, or other techniques. If the user is logged in, the attack succeeds.
6. Security Misconfiguration.
Security misconfiguration flaws give hackers unauthorized access to system data via default accounts, unused pages, unpatched flaws, and unprotected files and directories.
7. Insecure Cryptographic Storage.
Many web applications don’t do enough to protect sensitive data such as credit card numbers, Social Security numbers and login credentials. Thieves may use this data for identity theft, credit card fraud or other crimes.
8. Failure to Restrict URL Access.
Often an app will protect sensitive interactions by not showing links or URLs to unauthorized users. Attackers use this weakness to access those URLs directly in order to carry out unauthorized actions.
9. Insufficient Transport Layer Protection.
Applications often fail to authenticate, encrypt and protect the confidentiality of network traffic. Some use weak algorithms or expired or invalid certificates, or use them incorrectly. This allows hackers to “eavesdrop” on online exchanges. An SSL Certificate typically neutralizes this threat.
10. Unvalidated Redirects & Forwards.
Web applications often redirect or forward legitimate users to other pages and websites, using insecure data to determine the destination. Attackers use this weakness to redirect victims to phishing or malware sites, or use forwards to open private pages.
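The redirect weakness in item 10 above, shown as an added example that is not part of the original page or of any product it mentions: a helper that validates a user-supplied "next" destination before a web application redirects to it, allowing only site-relative paths and absolute URLs on an assumed allow-list of hosts. The allowed host names and the sample inputs are constructed for the demonstration; the function is standard library only and can be dropped into any Python web handler.

```python
from urllib.parse import urlsplit

# Assumed allow-list of hosts this application may redirect to (constructed).
ALLOWED_HOSTS = frozenset({"shop.example"})


def safe_redirect_target(next_url, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return next_url if it is a safe redirect destination, else default.

    Safe means: a site-relative path beginning with a single "/", or an
    http(s) URL whose host is on the allow-list. Anything else (other
    hosts, scheme-relative "//host", non-HTTP schemes, userinfo tricks)
    falls back to the default landing page.
    """
    if not next_url:
        return default
    # Browsers strip tab/CR/LF inside URLs and treat backslashes as slashes
    # in http(s) URLs, so normalise the same way before deciding anything.
    candidate = "".join(ch for ch in next_url.strip() if ch not in "\t\r\n")
    candidate = candidate.replace("\\", "/")
    # "//host" and "///host" both resolve to another origin in browsers.
    if candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: must be http(s) with a host on the allow-list.
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return default
        host = (parts.hostname or "").lower()   # userinfo and port are dropped
        return candidate if host in allowed_hosts else default
    if parts.netloc:
        return default
    # Relative reference: require an explicit site-relative path.
    if not parts.path.startswith("/"):
        return default
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs a "next" parameter might carry.
    samples = [
        "/account/orders",
        "https://shop.example/cart",
        "https://evil.example/login",
        "//evil.example/",
        "/\\evil.example",
        "https://shop.example@evil.example/",
        "data:text/html,x",
        "",
    ]
    for s in samples:
        print(repr(s), "->", safe_redirect_target(s))
```

Returning a fixed default rather than an error keeps the login flow working when the parameter is tampered with; logging the rejected value alongside the request is a cheap way to spot phishing campaigns that abuse the site's own redirect endpoint.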
SiteLock protects your web investment, keeping you and your customers safe from hackers and other online threats.
Every time shoppers place an order, they’re trusting you to keep them safe from hackers who steal information or spread spyware and viruses. Deliver on that promise with SiteLock. It not only finds malware but the security gaps hackers use to break in.
SiteLock scans your website to find malicious software (malware) before it can harm you or your customers. Hackers insert malware onto legitimate websites in order to steal customer passwords and credit card numbers, deface or destroy the website or use your server to launch attacks on other websites.
Daily scans root out bugs.
Automatically removes malware and back-end files to keep your site from being disabled or blacklisted by search engines. (Professional and Premium plans)
Seventy percent of web visitors look for proof a site is secure before submitting personal data. Our Trust Seal shows customers they’re safe on your website.
Jungle Computer LLC.
Most Commonly Asked Questions
Looking to change your antivirus solution but aren’t sure where to begin? We have you covered. In addition to our comprehensive reviews, we’ve compiled answers to some of the most commonly asked questions to help you get started.
1. What are the best antivirus programs?
There are many different antivirus programs on the market, all offering a host of features and services. While it is difficult to say which service is the best, the better antivirus programs provide their users with solid virus and malware detection and removal rates, light, adaptable software and real-time protection. Some of the top antivirus providers include McAfee, Norton and BullGuard.
2. What is the best virus protection for my PC?
There is a lot of different antivirus software on the market. Finding the ideal software to suit your needs depends on a variety of factors. One of the most reputable antivirus solutions you may want to consider is McAfee, which scored well in independent lab tests and earned the top score in PCMag’s URL blocking test.
3. What is the best antivirus for Mac?
One of the biggest misconceptions when it comes to virus protection is that Macs don’t need to be protected. This is a myth, and you can quickly find yourself in hot water if you aren’t careful. While not all antivirus solutions are compatible with Mac, there is still a decent enough selection. McAfee, ESET, and Norton are just a few of the top Mac-compatible solutions that will keep your computer functioning at its best.