US cybersecurity agencies have issued a detailed joint advisory warning of attacks on critical ICS infrastructure carried out with custom-built tools, and urging operators to prepare for this kind of APT activity.
Industrial Control System (ICS) Cyberattacks Via Custom APT Tools
In a recent joint advisory (Alert AA22-103A), the US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy (DOE), the FBI, and the NSA warned of a wave of cyberattacks aimed specifically at industrial control systems.
The advisory states that APT actors have built custom tools to target Industrial Control System (ICS) and Supervisory Control And Data Acquisition (SCADA) devices, and names the following three device types as confirmed (but not the only) targets:
- Schneider Electric programmable logic controllers (PLCs),
- OMRON Sysmac NEX PLCs, and
- Open Platform Communications Unified Architecture (OPC UA) servers.
The agencies identified these targets from the tools themselves, which are built for specific device families. Once the attackers have a foothold in the target network, the tools let them scan for the targeted devices, exploit them, and take control of them, after which the attackers can issue arbitrary commands to the devices. As the advisory states,
The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices…
The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.
In addition, the advisory describes a separate Windows-side tool that installs and exploits a known-vulnerable, legitimately ASRock-signed motherboard driver, AsrDrv103.sys (CVE-2020-15368), to execute malicious code in the Windows kernel. Because the driver carries a valid signature, this "bring your own vulnerable driver" step is not blocked by driver signature enforcement on its own.
With that level of access, the actors can also elevate privileges, move laterally within the OT environment, and disrupt further devices or functions.
Recommended Mitigations
The agencies urge critical infrastructure organisations, especially those in the energy sector, to apply the advisory's mitigations. The recommended measures include:
- Isolating ICS/SCADA systems and networks from corporate and internet-facing networks, and strictly limiting any communications that must remain.
- Having a cyber incident response plan, and exercising it.
- Changing all passwords on ICS/SCADA devices and systems, and enforcing multi-factor authentication for all remote access to ICS networks and devices.
- Maintaining known-good offline backups so that devices can be restored quickly.
- Monitoring systems for the loading of unusual drivers, in particular the ASRock driver on hosts that would not normally use one.
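The last item is the one most directly tied to the tooling described above, and it is easy to turn into a concrete check. The script below is an added example, not code from the advisory or from any of the agencies: it parses Sysmon Event ID 6 (DriverLoad) records and flags loads that fall outside a host's known-good driver inventory, come from a non-standard path, fail signature validation, or are ASRock-signed on a host with no ASRock hardware. The event records are constructed samples shaped like Sysmon's DriverLoad fields (hash values are placeholders), and the baseline set stands in for a real inventory you would build from the host's normal operation.

```python
"""Flag unusual kernel-driver loads from Sysmon Event ID 6 (DriverLoad) records.

Added example: not code from the advisory or the agencies. SAMPLE_EVENTS are
constructed records shaped like Sysmon's DriverLoad fields, and BASELINE is an
assumed stand-in for a host's known-good driver inventory.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 6 records, one field per line as Event Viewer shows them.
# Hash values are placeholders, not real file hashes.
SAMPLE_EVENTS = [
    r"""
    RuleName: -
    UtcTime: 2022-04-13 09:12:01.115
    ImageLoaded: C:\Windows\System32\drivers\ndis.sys
    Hashes: SHA256=placeholder
    Signed: true
    Signature: Microsoft Windows
    SignatureStatus: Valid
    """,
    r"""
    RuleName: -
    UtcTime: 2022-04-13 09:14:37.802
    ImageLoaded: C:\Users\eng\AppData\Local\Temp\AsrDrv103.sys
    Hashes: SHA256=placeholder
    Signed: true
    Signature: ASRock Incorporation
    SignatureStatus: Valid
    """,
    r"""
    RuleName: -
    UtcTime: 2022-04-13 09:20:05.417
    ImageLoaded: C:\Windows\System32\drivers\eng_tool.sys
    Hashes: SHA256=placeholder
    Signed: false
    Signature: -
    SignatureStatus: Unavailable
    """,
]

# Assumed known-good inventory for an engineering workstation (lower-case basenames).
BASELINE = {"ndis.sys", "tcpip.sys", "ntfs.sys", "disk.sys", "afd.sys"}

# Drivers normally live under these directories; a load from Temp or a user
# profile is a signal in its own right.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")

FIELD_RE = re.compile(r"^\s*(\w+):\s*(.*?)\s*$")


@dataclass
class Finding:
    driver: str
    severity: str
    reason: str


def parse_event(text: str) -> dict:
    """Turn a 'Key: value' per-line Sysmon record into a dict of its fields."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def assess(event: dict, baseline: set, host_has_asrock_board: bool = False) -> list:
    """Return the findings for one DriverLoad event (empty list if nothing unusual)."""
    path = event.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    signer = event.get("Signature", "").lower()
    findings = []

    # The advisory's specific case: an ASRock-signed driver on a host with no ASRock
    # hardware. AsrDrv103.sys is legitimately signed, so signature checks alone miss it.
    if ("asrock" in signer or name == "asrdrv103.sys") and not host_has_asrock_board:
        findings.append(Finding(name, "high",
                                "ASRock-signed driver loaded on a host without ASRock hardware "
                                "(AsrDrv103.sys, CVE-2020-15368, is the driver named in the advisory)"))

    # Generic case: any driver outside the host's known-good inventory.
    if name not in baseline:
        findings.append(Finding(name, "medium", "driver not in host baseline inventory"))

    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        findings.append(Finding(name, "medium", f"loaded from non-standard path: {path}"))

    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        findings.append(Finding(name, "high", "driver is unsigned or its signature did not validate"))

    return findings


def scan(events, baseline=BASELINE, host_has_asrock_board=False) -> list:
    """Assess a batch of raw event records and return all findings."""
    findings = []
    for text in events:
        findings.extend(assess(parse_event(text), baseline, host_has_asrock_board))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.driver}: {f.reason}")
```

On the sample records, ndis.sys produces nothing, AsrDrv103.sys is flagged three times (ASRock signer, not in baseline, loaded from a Temp directory), and the unsigned eng_tool.sys is flagged twice. The important design point is that the ASRock and baseline checks, not the signature check, are what catch the advisory's driver: it is validly signed, so a detection that only looks for unsigned or invalid drivers would pass it. The `host_has_asrock_board` flag exists because hosts that genuinely run ASRock boards will load ASRock drivers; for those, the baseline check still applies.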