Debunking Myths Around Industrial Control Systems Cybersecurity

General awareness of the need to improve cybersecurity in industrial control systems (ICS) has increased significantly in recent years, but there are still plenty of misconceptions. A recent incident that highlights some of these is the cyber attack on a German steel factory described in a report from the German Federal Office for Information Security (BSI). According to an article that translated and summarized passages of the report:

  1. After the system was compromised, individual components or even entire systems started to fail frequently. Due to these failures, one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in “massive damage to plant.”
  2. The attack used spear phishing and sophisticated social engineering techniques to gain access to the factory’s office networks, from which access to production networks was gained.
  3. The attack involved the compromise of a variety of different internal systems and industrial components, BSI said; not only was there evidence of a strong knowledge of IT security but also extended know-how of the industrial control and production process.

This attack effectively debunks a few myths about ICS cybersecurity. One common myth is that “Besides Stuxnet, cyber attacks on ICS have not really led to any physical damage.” To many, the Stuxnet incident at Natanz seems so one-off and so far removed from the rest of the world that the kinds of ICS cyber risks it exposed, particularly cyber-physical damage, can be ignored. But physical damage from cyberthreats does happen and is often not publicly disclosed. This reported incident is a clear reminder that critical assets can be destroyed by cyber attacks.

Another myth challenged by the German incident is that “ICS systems can be secured by air-gapping.” There are many economic, operational and even regulatory drivers that compel ICS environments to have connectivity to internal and third-party organizations. Air-gapping is, for the most part, no longer a practical option. Organizations need to plan for connectivity outside of operations and ensure it is implemented securely: every path between the office and production networks should be an explicitly defined, monitored conduit rather than an assumed absence of connectivity, because in this incident the attackers moved from the office network into production. This is not to say that internal segmentation and security can be ignored; insider threats are also very real.

The third myth that comes to mind is one I still hear a lot: “All you need are firewalls to achieve security.” This is not to say that the only security devices the steel mill had were firewalls; they may well have had a range of security devices and technologies deployed. But the point here is that placing only legacy, stateful-inspection firewalls in the ICS environment is not enough to ensure security. A stateful firewall filters on addresses, ports and connection state, so whatever travels over a permitted port, including the lateral movement from the office network into production described in the report, passes through it. Additional security capabilities at the network and endpoint levels are required to stop advanced threats effectively.

To achieve true defense in depth in an escalating threat landscape, more effective technologies such as application visibility and control, network IPS/AV/anti-spyware and malware sandboxing, to name a few, need to be brought in. The paradigm of relying on signature-based endpoint protection also needs to be challenged, since a signature cannot stop an attack that nobody has seen yet. Advanced endpoint protection that can prevent exploitation of previously unknown (zero-day) vulnerabilities needs to be deployed. Furthermore, these technologies need to be brought together into a tightly integrated platform that ensures prevention, instead of just detection, and that automates security tasks as much as possible to reduce the burden on security personnel.

ISA-99 Managing Director Joe Weiss and I will debunk these myths and several other recurring misconceptions about securing SCADA and ICS environments in a January 7 webinar: “Exposing Common Myths Around Cyberthreats to SCADA and ICS.”

We will also discuss some best practices and how the Palo Alto Networks enterprise security platform can address security gaps and drive change in your organization. Register for the webinar here.

[Palo Alto Networks Blog]

Financial Sector as a Main Target: Analyzing Anunak and Chthonic Malicious Campaigns

March 20, 2012 was a good day for cybersecurity: it was the day Russian police arrested the criminals behind “Carberp”, a Trojan used to compromise numerous bank accounts. Less than two years later, the minds behind that operation can add to their list of accomplishments: a major operation targeting financial institutions was successfully executed. The core malware used in this attack was dubbed “Anunak”, a Trojan that, according to current research, has been used only for targeted attacks. Unsurprisingly, parts of the Carberp code were found within the Anunak code.

The attackers penetrated internal networks using two major vectors: first, by leveraging existing botnets (both botnets created by the group and those owned by collaborators), and second, by sending spear-phishing emails. The spear-phishing emails carried an infected attachment exploiting CVE-2012-2539 (an RTF parsing flaw in Microsoft Word, patched in MS12-079) and CVE-2012-0158 (the MSCOMCTL ActiveX control flaw, patched in MS12-027), both well-known vulnerabilities for which patches had been available long before the campaign. For privilege escalation, the attackers used CVE-2014-4113, a win32k.sys kernel vulnerability (patched in MS14-058) that had recently been exploited in the wild.
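As an added example, not code from the original post or from any Palo Alto Networks product, the following Python triage script shows the kind of check a mail gateway or an analyst can run on such attachments before a user opens them. It compares the file's extension with its real container format and decodes any object embedded in an RTF document, which is how exploit documents for CVE-2012-2539 and CVE-2012-0158 (and for the CVE-2014-1761 RTF flaw used by Chthonic, discussed further down) carry their payload. The sample bytes are constructed for the demo and are not malware; the object class string MSComctlLib.ListViewCtrl.2 is the ProgID publicly associated with the MSCOMCTL ListView control exploited by CVE-2012-0158 and is used here as an assumed illustrative value.

```python
import re

# Magic bytes that identify the real container format, regardless of filename.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file (.doc, .xls)
RTF_MAGIC = b"{\\rtf"                             # Rich Text Format
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx) is a zip archive

# What each extension should contain if the name is honest.
EXPECTED_KIND = {".doc": "ole", ".xls": "ole", ".docx": "zip", ".rtf": "rtf"}

# In RTF an embedded object is declared with \objclass and carried as hex in \objdata.
# Exploit documents for CVE-2012-2539, CVE-2012-0158 and CVE-2014-1761 deliver their
# payload through such embedded objects, so this is the part worth decoding.
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\s{}\\]+)")
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)")


def sniff_kind(data):
    """Return 'ole', 'rtf', 'zip' or 'unknown' from the leading bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def rtf_embedded_objects(data):
    """Return (declared_class, decoded_payload) for each \\objdata block in an RTF.

    Classes and payloads are paired in document order, which is enough for triage;
    a full RTF parser would track group nesting instead.
    """
    classes = [m.group(1).decode("ascii", "replace") for m in OBJCLASS_RE.finditer(data)]
    objects = []
    for i, m in enumerate(OBJDATA_RE.finditer(data)):
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))   # RTF hex spans lines
        hexdata = hexdata[: len(hexdata) & ~1]                # drop a dangling nibble
        payload = bytes.fromhex(hexdata.decode("ascii"))
        objects.append((classes[i] if i < len(classes) else "unknown", payload))
    return objects


def triage(filename, data):
    """Return a list of findings for one attachment; an empty list means nothing odd."""
    findings = []
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    kind = sniff_kind(data)
    if ext in EXPECTED_KIND and EXPECTED_KIND[ext] != kind:
        findings.append(f"extension {ext} but content is {kind}")
    if kind == "rtf":
        for cls, payload in rtf_embedded_objects(data):
            # An OLE1 object header followed by a whole compound file is the shape of
            # an embedded control such as the MSCOMCTL one.
            if OLE_MAGIC in payload:
                findings.append(f"rtf embeds OLE compound file via \\objdata (class {cls})")
    return findings


# Constructed sample inputs (not real malware). The ProgID below is the one publicly
# associated with the MSCOMCTL ListView control (CVE-2012-0158); assumed for illustration.
LURE_AS_DOC = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass MSComctlLib.ListViewCtrl.2}"
    b"{\\*\\objdata 0105000002000000\n" + OLE_MAGIC.hex().encode() + b"\n00000000}}}"
)
CLEAN_DOC = OLE_MAGIC + b"\x00" * 24           # genuine compound file header
CLEAN_RTF = b"{\\rtf1\\ansi Quarterly memo.}"  # RTF with no embedded object

if __name__ == "__main__":
    for name, blob in (("invoice.doc", LURE_AS_DOC), ("report.doc", CLEAN_DOC), ("memo.rtf", CLEAN_RTF)):
        print(name, "->", triage(name, blob) or "clean")
```

Two of the three samples come back clean; the lure named invoice.doc is reported both for lying about its format and for carrying an OLE compound file inside an RTF object, which is the pattern to quarantine for manual analysis or sandboxing rather than a verdict on the specific CVE.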

The first attack of this campaign was launched at the beginning of 2013 against a Russian bank. After infecting an employee's computer through one of the vectors above, the attackers escalated privileges and moved laterally to various servers, eventually reaching the Holy Grail: the banking system servers and workstations. Once they had a foothold in the internal banking systems, they installed malicious software and controlled it remotely.

The exposure of this operation came shortly after a different campaign targeting the same sector. On December 18, Kaspersky Lab published details of a new malware threat called Trojan-Banker.Win32.Chthonic. This malware is described as an evolution of the infamous Zeus Trojan and, like Zeus, has been targeting the financial sector, specifically online banking systems and their customers. The spread of this malware is quite wide: Chthonic was found targeting over 20 payment systems and over 150 different banks in 15 countries, mainly in the UK, the US, Spain, Japan, Russia and Italy.

This widespread attack used a common infection technique: a malicious .DOC file was sent as an email attachment or linked from the web. The file exploits a known vulnerability in Microsoft Office, CVE-2014-1761 (an RTF memory-corruption flaw in Word, patched in MS14-017 in April 2014, months before the campaign was reported). Successful exploitation starts a chain in which malicious code is injected into the msiexec.exe process, the Windows Installer executable, and several modules are installed on the victim's machine. Because msiexec.exe is a legitimate, signed Windows binary, the injected code inherits its reputation, which is what makes the parent process and command line of any msiexec.exe instance worth watching.
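The following Python snippet, added here as an example and not taken from the post or from any product, runs that check over a handful of constructed process-creation and network-connection events in a simplified, made-up log format (timestamp|event|pid|ppid|image|parent_image|detail; not Sysmon or any vendor schema). It flags msiexec.exe when its parent is an Office application or lives in a user-writable path, and when an msiexec.exe started without any installer package or switch makes an outbound connection. The benign cases, the Windows Installer service launching msiexec.exe /V and a user installing an .msi, produce no alert.

```python
# Constructed, simplified telemetry format for this demo (not Sysmon or any vendor schema):
#   timestamp|event|pid|ppid|image|parent_image|detail
# detail is the command line for process_create and the destination for network_connect.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")
# Switches that indicate msiexec.exe was genuinely asked to install, repair or remove a package.
INSTALLER_SWITCHES = {"/i", "/a", "/j", "/f", "/p", "/x", "/package", "/update", "/uninstall"}


def parse_event(line):
    ts, kind, pid, ppid, image, parent, detail = line.split("|", 6)
    return {"ts": ts, "kind": kind, "pid": int(pid), "ppid": int(ppid),
            "image": image, "parent": parent, "detail": detail}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def looks_like_install(cmdline):
    """True if the command line names an installer package or uses an installer switch."""
    for token in cmdline.lower().split():
        token = token.strip('"')
        if token.endswith((".msi", ".msp")) or token in INSTALLER_SWITCHES:
            return True
    return False


def detect(lines):
    """Return (pid, reason) alerts for msiexec.exe instances that look like injection hosts."""
    alerts = []
    msiexec = {}                                   # pid -> its process_create event
    for ev in map(parse_event, lines):
        if ev["kind"] == "process_create" and basename(ev["image"]) == "msiexec.exe":
            msiexec[ev["pid"]] = ev
            parent = basename(ev["parent"])
            if parent in OFFICE_APPS:
                alerts.append((ev["pid"], f"msiexec.exe spawned by Office app {parent}"))
            elif any(p in ev["parent"].lower() for p in USER_WRITABLE):
                alerts.append((ev["pid"], f"msiexec.exe spawned from user-writable path {ev['parent']}"))
        elif ev["kind"] == "network_connect" and ev["pid"] in msiexec:
            # Installer traffic is expected when a package was named; a bare msiexec.exe
            # talking to the network is the injected-code case.
            if not looks_like_install(msiexec[ev["pid"]]["detail"]):
                alerts.append((ev["pid"], f"msiexec.exe without installer arguments connected to {ev['detail']}"))
    return alerts


# Constructed sample events: one injection-style launch from Word, then two benign cases.
SAMPLE_EVENTS = [
    "2014-12-19T10:01:02|process_create|4120|3980|C:\\Windows\\System32\\msiexec.exe"
    "|C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE|msiexec.exe",
    "2014-12-19T10:01:05|network_connect|4120|3980|C:\\Windows\\System32\\msiexec.exe"
    "|C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE|203.0.113.10:443",
    "2014-12-19T10:03:00|process_create|5200|700|C:\\Windows\\System32\\msiexec.exe"
    "|C:\\Windows\\System32\\services.exe|msiexec.exe /V",
    "2014-12-19T10:05:00|process_create|5300|2100|C:\\Windows\\System32\\msiexec.exe"
    "|C:\\Windows\\explorer.exe|msiexec.exe /i \"C:\\Users\\bob\\Downloads\\tool.msi\"",
    "2014-12-19T10:05:01|network_connect|5300|2100|C:\\Windows\\System32\\msiexec.exe"
    "|C:\\Windows\\explorer.exe|198.51.100.20:80",
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

On the sample data only pid 4120 is reported, twice: once for being launched by WINWORD.EXE and once for connecting out without ever having been given a package to install. The two rules are deliberately independent, so a dropper that is not an Office process is still caught on the second one once it talks to its command-and-control server.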

As is often the case in targeted attacks, the enabler in both of these cases was exploitation. The term is used quite frequently; it refers to the exact moment at which a vulnerability is leveraged to enable malicious code execution. That moment is also what Palo Alto Networks Traps was built to intercept. Traps is our Advanced Endpoint Protection solution, which proactively prevents vulnerability exploitation without prior knowledge of the specific flaw or exploit; it is agnostic to whether the threat is familiar or new (zero-day).

Why does Traps matter to this discussion? In these specific cases, all of the vulnerabilities used for exploitation (CVE-2012-2539, CVE-2012-0158, CVE-2014-4113 and CVE-2014-1761) would have been prevented with Traps deployed.

Learn more about Advanced Endpoint Protection and Traps here.

[Palo Alto Networks Blog]
