A sophisticated malware campaign that has compromised numerous industrial control systems (ICS) environments using a variant of the BlackEnergy malware appears to be targeting internet-connected human-machine interfaces (HMIs).
The BlackEnergy campaign has been ongoing since at least 2011, and the United States’ ICS-CERT recently published information and technical indicators about it, which we reported on back in October. Now ICS-CERT has issued a further warning on the campaign after determining that users of HMI products from GE Cimplicity, Advantech/Broadwin WebAccess and Siemens WinCC may be affected. ICS-CERT said that it is actively working with the vendors to determine the extent of the infection and the danger.
Typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. Analysis suggests that the actors likely used automated tools to discover and compromise vulnerable systems as an initial vector.
For instance, ICS-CERT’s analysis has identified that systems running GE’s Cimplicity HMI with a direct connection to the internet are being targeted with an exploit for a vulnerability in the Cimplicity HMI product that has been known since at least January 2012. GE has patched the vulnerability, CVE-2014-0751, so users should update their systems immediately.
Meanwhile, ICS-CERT lacks definitive information on how WinCC systems are being compromised by BlackEnergy, but there are indications that one of the vulnerabilities fixed with the latest update for SIMATIC WinCC may have been exploited. Users of WinCC, TIA Portal and PCS7 should update their software to the most recent version as soon as possible.
Also, a number of the victims were running the Advantech/BroadWin WebAccess software with a direct internet connection, but ICS-CERT has not yet identified the initial infection vector for that platform.
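The common thread in the three vendor paragraphs above is that the compromised HMIs had a direct connection to the internet. A first defensive check is therefore an inventory pass: which HMI hosts carry a globally routable address rather than one from an internal range? The script below is an added example, not code from ICS-CERT or any of the vendors named; the inventory, hostnames and addresses are constructed placeholders (the public-looking ones are IANA documentation addresses), and the set of affected products is taken from the alert's list.

```python
# Added example: flag HMI hosts in an asset inventory whose address is not in an
# internal range, i.e. hosts that may be reachable directly from the internet.
# Constructed sample data; hostnames and addresses are placeholders, not real systems.
import ipaddress

# Product names as listed in the ICS-CERT alert for this campaign.
AFFECTED_HMI_PRODUCTS = {"GE Cimplicity", "Siemens WinCC", "Advantech/BroadWin WebAccess"}

# Address ranges that cannot be reached directly from the internet. Anything
# outside these is treated as potentially internet-facing and worth a closer look.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "100.64.0.0/10",                                    # RFC 6598 carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback and link-local
    "fc00::/7", "fe80::/10",                            # IPv6 unique-local and link-local
)]

# Constructed inventory: (hostname, product, ip address). 203.0.113.x and
# 198.51.100.x are documentation ranges standing in for public addresses.
INVENTORY = [
    ("hmi-line1",  "GE Cimplicity",               "10.20.30.5"),
    ("hmi-line2",  "Siemens WinCC",               "192.168.4.17"),
    ("hmi-remote", "Advantech/BroadWin WebAccess", "203.0.113.42"),
    ("hmi-pump",   "GE Cimplicity",               "198.51.100.9"),
    ("hist-01",    "Historian",                   "203.0.113.7"),   # public, but not an HMI in the alert
    ("hmi-v6",     "Siemens WinCC",               "fd12:3456::10"), # IPv6 unique-local
]


def is_internet_facing(addr: str) -> bool:
    """True when the address falls outside every internal range above.

    Membership tests between an IPv4 address and an IPv6 network (or vice
    versa) are simply False, so mixed inventories work without special casing.
    """
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_RANGES)


def find_exposed_hmis(inventory):
    """Return the hostnames of affected-product HMIs with an internet-facing address."""
    return [
        host for host, product, addr in inventory
        if product in AFFECTED_HMI_PRODUCTS and is_internet_facing(addr)
    ]


if __name__ == "__main__":
    for host in find_exposed_hmis(INVENTORY):
        print(f"review exposure of {host}: affected HMI product with a non-internal address")
```

The historian with a public address is deliberately left out of the result: the check is scoped to the products the alert names, and a broader "anything public" sweep would be a separate report. The unique-local IPv6 host shows that the range list, not the address family, decides the outcome.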
The good news is that so far, the damage appears to be confined. “At this time, ICS-CERT has not identified any attempts to damage, modify or otherwise disrupt the victim systems’ control processes,” it said in the alert. “ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system.”
ICS-CERT has produced a Yara signature to aid in identifying whether the malware files are present on a given system. Yara is a pattern-matching tool used by computer security researchers and companies to help identify malware.
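To make concrete what such a signature does, the block below is an added example that parses a small subset of Yara rule syntax (text strings, hex strings, and a condition built from and/or/not, parentheses and "any/all of them") and evaluates it over a few constructed byte buffers standing in for files on disk. It is not the ICS-CERT BlackEnergy signature and not the real Yara engine; the rule name, marker strings and hex bytes are placeholders invented for the example. A real deployment would use the published signature with the yara tool itself.

```python
# Added example: a minimal evaluator for a subset of Yara rule syntax, run over
# constructed sample buffers. Rule content below is a placeholder, not a real signature.
import re

RULE = r'''
rule Constructed_Example_Rule
{
    meta:
        description = "Constructed example, not the ICS-CERT BlackEnergy signature"
    strings:
        $s1 = "PLACEHOLDER_MARKER_ONE"
        $s2 = "PLACEHOLDER_MARKER_TWO"
        $h1 = { DE AD BE EF 00 }
    condition:
        $s1 and ($s2 or $h1)
}
'''

# Constructed "files": byte strings that stand in for file contents.
SAMPLES = {
    "both_text.bin":    b"junk PLACEHOLDER_MARKER_ONE ... PLACEHOLDER_MARKER_TWO",
    "text_and_hex.bin": b"\x00PLACEHOLDER_MARKER_ONE\x00\xde\xad\xbe\xef\x00",
    "only_one.bin":     b"PLACEHOLDER_MARKER_ONE alone",
    "clean.bin":        b"nothing of interest here",
}

STRING_DEF = re.compile(r'\$(\w+)\s*=\s*(?:"([^"]*)"|\{([^}]*)\})')
TOKEN = re.compile(r"\$\w+|\(|\)|\b(?:and|or|not)\b|\b(?:any|all) of them\b")


def parse_rule(text):
    """Return (rule name, {identifier: bytes pattern}, condition string)."""
    name = re.search(r"^\s*rule\s+(\w+)", text, re.MULTILINE).group(1)
    strings_block = text.split("strings:")[1].split("condition:")[0]
    condition = text.split("condition:")[1].rsplit("}", 1)[0].strip()
    patterns = {}
    for ident, txt, hexs in STRING_DEF.findall(strings_block):
        # Empty capture means that alternative did not match; hex strings are given as bytes.
        patterns[ident] = txt.encode() if txt else bytes.fromhex(hexs.replace(" ", ""))
    return name, patterns, condition


def eval_condition(cond, hits):
    """Recursive-descent evaluation of the condition over per-string match results."""
    tokens = TOKEN.findall(cond)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def expr():                      # or-expression: lowest precedence
        v = term()
        while peek() == "or":
            take()
            r = term()               # always evaluate so the token stream is consumed
            v = v or r
        return v

    def term():                      # and-expression binds tighter than or
        v = factor()
        while peek() == "and":
            take()
            r = factor()
            v = v and r
        return v

    def factor():                    # not, parentheses, set quantifiers, string refs
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            v = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return v
        if tok == "any of them":
            return any(hits.values())
        if tok == "all of them":
            return all(hits.values())
        return hits[tok[1:]]         # "$s1" -> hits["s1"]

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def scan(rule_text, data):
    """Evaluate one rule against one buffer; returns (rule name, matched?, per-string hits)."""
    name, patterns, cond = parse_rule(rule_text)
    hits = {ident: pat in data for ident, pat in patterns.items()}
    return name, eval_condition(cond, hits), hits


def scan_all(rule_text, samples):
    """Map each sample name to whether the rule's condition held for it."""
    return {fname: scan(rule_text, data)[1] for fname, data in samples.items()}


if __name__ == "__main__":
    for fname, matched in scan_all(RULE, SAMPLES).items():
        print(f"{fname}: {'MATCH' if matched else 'no match'}")
```

The condition is what turns a bag of indicators into a verdict: "only_one.bin" contains a marker string yet does not match, because the rule demands a second corroborating string or the hex sequence. That is why a published signature's condition deserves as much attention as its strings when judging false-positive risk.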