Researchers Discover Most Dangerous Infrastructure Malware To Date

Schtask

Security researchers at ESET and Dragos Inc. have discovered what appears to be the most dangerous form of infrastructure attack malware to date. The companies are calling this malware by two names: "Industroyer" and "CrashOverRide". I will refer to it from here on out as the latter, since Industroyer messes with my OCD for whatever reason.

CrashOverRide represents a very scalable platform with modules and capabilities that allow it to focus on infrastructure that utilizes four standard industry control system (ICS) protocols. These protocols are commonly used in power generation infrastructure outside of the United States; however, researchers state that CrashOverRide is so versatile that tailoring it for US-based power systems would take only moderate effort. Tailoring CrashOverRide to affect water, gas and transportation systems is also estimated to be relatively trivial.
 
In before the Cyber-apocalypse in 3... 2...

Oh, right, just another day in a technologically advanced - but still not quite as civilized as the population of the world seems to think - fucked up world, no worries. :D
 
Love ESET, this is why I pay them.

This. I'm a huge fan of Eset. I pay for Nod32 on my personal systems and recommend it to clients, friends, and family that will actually pay for AV. For those that want free my current go-to is Avira.
 
Since private companies control our infrastructure, who's liable when it's taken down by a cyber attack?
 
Since private companies control our infrastructure, who's liable when it's taken down by a cyber attack?

Didn't you get the memo? Any failure of energy infrastructure is due solely to those hippies and their damn renewable sources. A coal plant would never leave you without lights!

/s (though I sincerely hope it isn't needed!)
 
There's just a *bit* of difference between IoT crap being bolted into the Internet, and the issues that this malware is exploiting. While toasters, fridges, low-end security cameras, and so on have been the target of multiple attacks due to shitty security, that's because they had shitty design choices. Those devices had full access to the standard connections and protocols that everything else online uses. They just had manufacturers that cut corners, shitty QA policies, terrible developers, or some combination of all of these (most likely). It isn't an inherent problem with the device category, though I think most of that stuff is in the solution-looking-for-a-problem category.

These SCADA systems, on the other hand, are using legacy communications protocols from the 60's and 70's (or older, in some cases) to run their controls. When most of these systems were designed, Arpanet wasn't even a concept that their designers would have been familiar with, let alone the modern Internet. There is zero security on these systems, because they are designed from the ground up to run on isolated communication circuits with no links to the outside world. When their systems get an Internet-facing portal for remote access, anything goes if their externally-facing security isn't up to par. Anything that gets past whatever they use to firewall themselves away is going to have free rein to do whatever it wants to on their internal network. There are *very* few products that allow any kind of defense-in-depth strategy on these kinds of networks, simply because it's trying to graft modern cybersecurity techniques into an environment that is significantly different from a normal network.
 
I've chimed in on this topic before as a 20+ year automation engineer and here it is again. These systems are inherently vulnerable as Paladin21 points out. Any manufacturing or utility facility that doesn't lock these systems up behind private networks with no physical access and very strong firewalls (maybe even air gap them) deserves whatever they get.

Unfortunately, there's a lot of stupid people in the world that do stupid things, even when the risks are staring them in the face. Can't tell you how many times I've seen a control system sitting wide open to the internet...
 
I have worked on SCADA systems extensively in the past. They are designed to be good at what they need to do, which is usually talk over serial or serial-over-IP.
In some equipment, the commands are not even authenticated to a master, so they will accept any valid command on the right port. Most of these only have "security" to the point of a password on the master device.
These types of systems were given IP as an afterthought, and were/are never intended to be on a live internet-facing network.
Worse, they are being cobbled together over WANs with the range of IP cameras for the building, and open internet VLANs so that the workers can get to Facebook. One place even had a water treatment plant on an unapproved wifi router so he didn't have to get out of his truck.

In my opinion, there is less than zero reason to actually do so, even if they did have an actual security mechanism.
They should be in an isolated network, and there should be no need to ever connect to something from outside that network.
Personally, I feel that the people running gas pipelines, water facilities, and power plants should have to be at work to make changes to the systems that run modern society.
I don't think that my paying obscenely high fees entitles the utility workers to "fix problems" from their living room.
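The point made in this post and in Paladin21's earlier one, that the field devices accept any well-formed command on the right port and that the only real control is keeping everything else off that network, is exactly what passive monitoring on the control network has to compensate for. The following is an added example, not code from anyone in the thread or from the ESET/Dragos reports: a small Python allowlist check over constructed flow records that flags any connection to a known ICS protocol port coming from outside an assumed engineering subnet, or from outside RFC 1918 space altogether (an internet-facing exposure). The port-to-protocol map, the engineering subnet, and the flow-record format are all assumptions made for the example and would be replaced with a site's own values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known TCP ports for common ICS protocols. The thread does not name the
# four protocols CrashOverRide targets, so this map is an assumption for the
# example and should be adapted to whatever a given site actually runs.
ICS_PORTS = {
    102: "IEC 61850 MMS",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
}

# Hypothetical policy: only the engineering workstation subnet may talk to
# ICS ports. Everything else on the LAN (office VLAN, cameras, guest wifi)
# has no business reaching a controller.
ENGINEERING_NETS = [ipaddress.ip_network("10.50.0.0/24")]

# RFC 1918 ranges; anything outside these is treated as an external source.
# (Checked explicitly rather than via ip_address.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as non-global.)
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    port: int
    protocol: str
    reason: str


def in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in net for net in nets)


def parse_flow(line: str):
    """Constructed flow-record format: '<ts> <src> <dst> <dport> <tcp|udp>'."""
    ts, src, dst, dport, l4 = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), l4


def classify(src: ipaddress.IPv4Address, port: int) -> Optional[str]:
    """Return an alert reason for a flow to an ICS port, or None if it is allowed."""
    if port not in ICS_PORTS:
        return None  # not ICS traffic; out of scope for this check
    if not in_any(src, INTERNAL_NETS):
        return "ICS protocol reached from an external (non-RFC 1918) address"
    if not in_any(src, ENGINEERING_NETS):
        return "ICS protocol from a host outside the engineering subnet"
    return None


def detect(lines) -> List[Alert]:
    """Run the allowlist check over flow records and collect violations."""
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, _l4 = parse_flow(line)
        reason = classify(src, port)
        if reason:
            alerts.append(Alert(ts, str(src), str(dst), port, ICS_PORTS[port], reason))
    return alerts


# Constructed sample flows: one legitimate engineering session, one from the
# office VLAN, one from a public address, one unrelated HTTPS flow, and one
# from the camera/wifi range.
SAMPLE_FLOWS = """
# ts                   src          dst         dport proto
2017-06-12T10:00:01 10.50.0.15   10.60.1.20  2404  tcp
2017-06-12T10:00:05 10.70.3.44   10.60.1.20  2404  tcp
2017-06-12T10:00:09 203.0.113.7  10.60.1.21  502   tcp
2017-06-12T10:00:12 10.70.3.44   10.60.1.20  443   tcp
2017-06-12T10:00:20 192.168.1.9  10.60.1.22  102   tcp
"""


def sample_alerts() -> List[Alert]:
    return detect(SAMPLE_FLOWS.splitlines())


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a.ts} {a.src} -> {a.dst}:{a.port} ({a.protocol}): {a.reason}")
```

Run against the constructed sample it reports three violations (the office VLAN host, the public address, and the camera-range host) and stays silent on the engineering workstation and the unrelated HTTPS flow. This is deliberately an allowlist rather than a signature: since the devices themselves authenticate nothing, any source that is not explicitly approved is the finding.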
 
So why are these old outdated unsecure systems attached to the internet.....

Because of some combination of the following, depending on which one you're talking about:
A. It somehow generates higher profits (via decentralized management, reduced staffing, etc.) -- approved because $$$ and short-sighted management who want a bonus
B. Some lazy-ass worker with no security training thought it would be useful to not have to actually go in person to a system to issue a change (ie, not an approved solution)
C. Incompetent IT staff manage to bungle system implementations and co-mingle Internet-facing networks with internal systems

And probably some other reasons as well, but those general categories should cover most of it. In general, it's either because it will save a few bucks, save a pain in the ass, or was just an unintended configuration. As for why the systems are like that in the first place...it is, again, down to money. They work, and work well to perform their job. It would cost significant amounts of money to rip all the control equipment out and replace it with a modern version (if it's even possible, and it might not be depending on the systems). Management that spends money fixing things that aren't demonstrably broken doesn't get bonuses and/or gets raked over the coals by shareholders, who are just as greedy and shortsighted as the management they're supposed to oversee (though there are limits, lol Mylan).
 
That anyone connecting these systems to the Internet in any way isn't immediately liable for gross negligence is the real problem here. NONE of these systems have ANY reason to be connected to the Internet in any way. The bastards are just too cheap to pay for dedicated communication circuits as was done in the pre-Internet days.

Simply mind boggling - we will be taken out by our own stupidity and greed.
 