At a glance.
- Nord Stream pipelines sabotaged.
- NSA and CISA issue guidance on ICS threats.
- Palestinian threat actor compromises Israeli PLCs.
- Lazarus Group targets the energy sector.
- White House issues memorandum on software supply chain security.
- Dragos receives CVE numbering authority.
- CISA's ICS Advisories.
Nord Stream pipelines sabotaged in a kinetic attack.
The Nord Stream pipelines appear to have been sabotaged. Swedish monitoring stations early Monday morning detected two explosions in the Baltic Sea near the pipelines, Bloomberg reports. Natural gas has been breaking to the surface in the vicinity of the breaks in the pipeline. This isn't a cyberattack, but rather a more traditional act of kinetic sabotage. The incident does, however, indicate the substantial grey zone threat to critical infrastructure.
The Washington Post writes that the explosions, which occurred in international waters near the Danish island of Bornholm, broke two Nord Stream 1 lines and one Nord Stream 2 line. The Swedish National Seismic Network and Germany's Research Center for Geosciences both say that their observations indicate an artificial, human-induced explosion, not a natural seismic event. “These are deliberate actions, not an accident,” Danish Prime Minister Mette Frederiksen said yesterday. “The situation is as serious as it gets.” Investigation is in progress.
Kremlin spokesman Dmitry Peskov denied any Russian involvement, and said that Moscow was "extremely concerned" about the incident. Mr. Peskov elaborated, when asked about widespread suspicion of Russian responsibility for the sabotage, "That's quite predictable and also predictably stupid. This is a big problem for us because, firstly, both lines of Nord Stream 2 are filled with gas - the entire system is ready to pump gas and the gas is very expensive... Now the gas is flying off into the air. Are we interested in that? No, we are not, we have lost a route for gas supplies to Europe." Russia's embassy to Denmark said, "The unsubstantiated accusations and assumptions that are now being made everywhere are intended to create information noise and prevent an objective and impartial investigation." Again, investigation is in progress.
The Nord Stream pipelines deliver natural gas from Russia to Germany, and thence to other European users. Nord Stream 1 hasn't functioned since August, after Russia shut it down in response to imposition of sanctions by the European Union, and Nord Stream 2 hasn't yet received authority to operate, so severing them has no immediate effect on European natural gas supplies. The proximate concerns are environmental, and large-scale leaks of residual methane in the lines are worrisome.
NSA and CISA issue guidance on ICS threats.
The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a joint cybersecurity advisory outlining threats to operational technology (OT) and industrial control systems (ICS):
"Cyber actors, from cyber criminals to state-sponsored APT actors, target critical infrastructure to achieve a variety of objectives. Cyber criminals are financially motivated and target OT/ICS assets for financial gain (e.g., data extortion or ransomware operations). State-sponsored APT actors target critical infrastructure for political and/or military objectives, such as destabilizing political or economic landscapes or causing psychological or social impacts on a population. The cyber actor selects the target and intended effect—to disrupt, disable, deny, deceive, and/or destroy—based on these objectives. For example, disabling power grids in strategic locations could destabilize economic landscapes or support broader military campaigns. Disrupting water treatment facilities or threatening to destroy a dam could have psychological or social impacts on a population."
The agencies explain that most threat actors targeting ICS systems, regardless of their motive, typically attempt to achieve the following goals:
- "Degrade the operator's ability to monitor the targeted system or degrade the operator's confidence in the control system's ability to operate, control, and monitor the targeted system. Functionally, an actor could prevent the operator's display (human machine interface, or HMI) from being updated and selectively update or change visualizations on the HMI, as witnessed during the attack on the Ukraine power grid. (Manipulation of View [T0832])
- "Operate the targeted control system. Functionally, this includes the ability to modify analog and digital values internal to the system (changing alarms and adding or modifying user accounts), or to change output control points — this includes abilities such as altering tap changer output signals, turbine speed demand, and opening and closing breakers. (Manipulation of Control [T0831])
- "Impair the system's ability to report data. Functionally, this is accomplished by degrading or disrupting communications with external communications circuits (e.g., ICCP, HDLC, PLC, VSAT, SCADA radio, other radio frequency mediums), remote terminal units (RTUs) or programmable logic controllers (PLCs), connected business or corporate networks, HMI subnetworks, other remote I/O, and any connected Historian/bulk data storage. (Block Reporting Message [T0804], Denial of View [T0815])
- "Deny the operator's ability to control the targeted system. Functionally, this includes the ability to stop, abort, or corrupt the system’s operating system (OS) or the supervisory control and data acquisition (SCADA) system’s software functionality. (Denial of Control [T0813])
- "Enable remote or local reconnaissance on the control system. Functionally, an actor could obtain system configuration information to enable development of a modified system configuration or a custom tool. (Collection [TA0100], Theft of Operational Information [T0882])."
NSA and CISA explain the potential consequences of these attacks:
"Using these techniques, cyber actors could cause various physical consequences. They could open or close breakers, throttle valves, overfill tanks, set turbines to over-speed, or place plants in unsafe operating conditions. Additionally, cyber actors could manipulate the control environment, obscuring operator awareness and obstructing recovery, by locking interfaces and setting monitors to show normal conditions. Actors can even suspend alarm functionality, allowing the system to operate under unsafe conditions without alerting the operator. Even when physical safety systems should prevent catastrophic physical consequences, more limited effects are possible and could be sufficient to meet the actor’s intent. In some scenarios though, if an actor simultaneously manipulates multiple parts of the system, the physical safety systems may not be enough. Impacts to the system could be temporary or permanent, potentially even including physical destruction of equipment."
The agencies offer extensive advice on defending against these attacks in their report.
Palestinian threat actor compromises Israeli PLCs.
The Palestinian hacktivist group GhostSec earlier this month claimed to have compromised fifty-five Berghof PLC devices (programmable logic controllers) in Israel, according to researchers at OTORIO. The researchers found that the PLCs were exposed to the Internet and had default passwords.
“Although access to the admin panel provides full control over some of the PLC’s functionality, it does not provide direct control over the industrial process,” the researchers write. “It is possible to affect the process to some extent, but the actual process configuration itself isn’t available solely from the admin panel.... From our research, we concluded that Berghof uses CODESYS technology as its HMI, and is also accessible via the browser at a certain address. From our observations of GhostSec’s proofs of breach, we did not know whether GhostSec gained access to the HMI. But we’ve confirmed that the HMI screen was also publicly available.”
While it's not clear if the hackers actually had the ability to manipulate the industrial processes, the group said on Twitter that they decided not to alter pH levels in water in order to avoid harming civilians.
The researchers continue, “The fact that the HMI probably wasn’t accessed, nor manipulated by GhostSec, and the hackers were not exploiting the Modbus interface, shows an unfamiliarity with the OT domain. To the best of our knowledge, GhostSec hadn’t brought critical damage to the affected systems, but only sought to draw attention to the hacktivist group and its activities. Despite the low impact of this incident, this is a great example where a cyber attack could have easily been avoided by simple, proper configuration. Disabling the public exposure of assets to the Internet, and maintaining a good password policy, especially changing the default login credentials, would cause the hacktivists’ breach attempt to fail.”
Lazarus Group targets the energy sector.
Cisco Talos warns that North Korea’s Lazarus Group has been targeting the energy sector in the US, Canada, and Japan. The threat actor uses the Log4Shell vulnerability to compromise VMware Horizon servers. The researchers stated, “The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
Talos also describes the threat actor’s post-exploitation activities:
“Successful post-exploitation led to the download of their toolkit from web servers. The same initial vector, URL patterns and similar subsequent hands-on-keyboard activity have been described in this report from AhnLab from earlier this year. There are also overlapping IOCs between the campaign described by AhnLab and the current campaign, such as the IP address 84[.]38.133[.]145, which was used as a hosting platform for the actors' malicious tools. Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants available at the disposal of Lazarus. Additionally, we've also observed similarities in TTPs disclosed by Kaspersky attributed to the Andariel sub-group under the Lazarus umbrella, with the critical difference being the deployment of distinct malware. While Kaspersky discovered the use of Dtrack and Maui, we've observed the use of VSingle, YamaBot and MagicRAT.”
White House issues memorandum on software supply chain security.
The White House has issued guidance for Federal agencies’ use of software security practices. The memorandum instructs agencies to obtain a self-attestation from software providers that their products are in line with NIST’s security guidelines:
“Ensuring software integrity is key to protecting Federal systems from threats and vulnerabilities and reducing overall risk from cyber-attacks. The NIST Guidance provides ‘recommendations to federal agencies on ensuring that the producers of software they procure have been following a risk-based approach for secure software development.’ Federal agencies must only use software provided by software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance.”
Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, said in a statement, “The guidance, developed with input from the public and private sector as well as academia, directs agencies to use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered.”
Dragos receives CVE numbering authority.
Dragos has been designated a CVE numbering authority by the CVE Program. Dragos explains the implications of the designation: "As a CNA, Dragos is authorized to assign CVE IDs to newly discovered vulnerabilities and publicly disclose information about these vulnerabilities through CVE Records. This includes assigning CVE IDs to vulnerabilities found in the company’s own products as well as any third-party products not covered by another CNA that Dragos finds through its ongoing research to help organizations protect their ICS/OT systems." The CVE Program is sponsored by the US Cybersecurity and Infrastructure Security Agency and administered by the MITRE Corporation.
CISA's ICS Advisories.
On September 1st, 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) released two Industrial Control Systems Advisories. One, for the Contec CMS8000, addresses "Improper Access Control, Uncontrolled Resource Consumption, Use of Hard-Coded Credentials, [and] Active Debug Code vulnerabilities" in an ICU/CCU Vital Signs Patient Monitor. The other, for Delta Electronics DOPSoft, mitigates "an Out-of-bounds Read vulnerability in versions of Delta Electronics DOPSoft, a software supporting the DOP-100 series HMI screens."
Less than a week later, on September 6th, CISA released five industrial control system (ICS) advisories, for Triangle Microworks Library ("mitigations for Access of Uninitialized Pointer vulnerabilities"), AVEVA Edge 2020 R2 SP1 ("mitigations for Insufficient UI Warning of Dangerous Operations, Uncontrolled Search Path Element, and Deserialization of Untrusted Data, Improper Restriction of XML External Entity Reference vulnerabilities"), Cognex 3D-A1000 Dimensioning System ("mitigations for Missing Authentication for Critical Function, Improper Output Neutralization for Logs, and Client-side Enforcement of Server-side Security vulnerabilities"), Hitachi Energy TXpert Hub CoreTec 4 ("mitigations for Authentication Bypass Using an Alternate Path or Channel and Improper Input Validation, Download of Code Without Integrity Check vulnerabilities"), and Delta Electronics DOPSoft 2 ("mitigations for Stack-based Buffer Overflow, Out-of-Bounds Write, and Heap-based Buffer Overflow vulnerabilities").
On September 8th, CISA released four ICS security advisories. Two of them are for Industrial Control Systems (ICS), one for MZ Automation GmbH libIEC61850 ("mitigations for Buffer Overflow, Access of Resource Using Incompatible Type, NULL Pointer Dereference vulnerabilities"), and one for PTC Kepware KEPServerEX (Update A) ("mitigations for Heap-based Buffer Overflow and Stack-based Buffer Overflow vulnerabilities"). The other two are for Medical Industrial Control Systems: Baxter Sigma Spectrum Infusion Pumps ("mitigations for Missing Encryption of Sensitive Data, Use of Externally Controlled Format String, Missing Authentication for Critical Function vulnerabilities") and Hillrom Medical Device Management (Update B) ("mitigations for Out-of-bounds Write, Out-of-bounds Read vulnerabilities").
On September 13th, CISA released five Industrial Control Systems Advisories, for Hitachi Energy TXpert Hub CoreTec 4 Sudo Vulnerability ("mitigations for an Off-by-one Error vulnerability"), Honeywell SoftMaster ("mitigations for Uncontrolled Search Path Element and Incorrect Permission Assignment for Critical Resource vulnerabilities"), Delta Industrial Automation DIAEnergie ("mitigations for a Use of Hard-coded Credentials vulnerability"), Kingspan TMS300 CS ("mitigations for an Improper Authentication vulnerability"), and Paradox IP150 (Update A) ("mitigations for Stack-based Buffer Overflow and Classic Buffer Overflow vulnerabilities").
September 15th saw another round of ICS security advisories, this one somewhat larger than the normal run. CISA released eleven Industrial Control Systems Advisories, for Siemens Mobility CoreShield OWG Software ("mitigations for an Improper Access Control vulnerability"), Siemens Simcenter Femap, Parasolid ("mitigations for Multiple File Parsing vulnerabilities"), Siemens RUGGEDCOM ROS ("mitigations for an Uncontrolled Resource Consumption vulnerability"), Siemens Mendix SAML Module ("mitigations for an Authentication Bypass by Capture-replay vulnerability"), Siemens SINEC INS ("mitigations for Improper Input Validation, Integer Overflow or Wraparound, Uncontrolled Resource Consumption, Command Injection, Inadequate Encryption Strength, Missing Encryption of Sensitive Data, Improper Restriction of Operations Within the Bounds of a Memory Buffer, Exposure of Private Personal Information to an Unauthorized Actor, Open Redirect, Improper Resource Shutdown or Release, and Server-Side Request Forgery (SSRF) vulnerabilities"), Siemens RUGGEDCOM ROS (Update A) ("mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer and Resource Management Errors vulnerabilities"), Siemens Simcenter Femap and Parasolid (Update B) ("mitigations for an Out-of-bounds Read vulnerability"), Siemens Industrial Products Intel CPUs (Update F) ("mitigations for a Missing Encryption of Sensitive Data vulnerability in the Siemens SIMATIC and SINUMERIK products"), Siemens OpenSSL Affected Industrial Products (Update C) ("mitigations for an Infinite Loop vulnerability"), Siemens OpenSSL Vulnerability in Industrial Products (Update F) ("mitigations for a Cleartext Transmission of Sensitive Information vulnerability"), and Siemens SCALANCE (Update A) ("mitigations for Improper Neutralization of Special Elements in Output Used, Allocation of Resources Without Limits or Throttling, and Basic Cross Site Scripting vulnerabilities").
On the 20th of September, CISA issued eight more Industrial Control System (ICS) Advisories, for Medtronic NGP 600 Series Insulin Pumps ("mitigations for a Protection Mechanism Failure vulnerability"), Hitachi Energy PROMOD IV ("mitigations for an Improper Access Control vulnerability"), Hitachi Energy AFF660/665 Series ("mitigations for a Stack-based Buffer Overflow vulnerability"), Dataprobe iBoot-PDU ("mitigations for OS Command Injection, Path Traversal, Exposure of Sensitive Information to an Unauthorized Actor, Improper Access Control, Improper Authorization, Incorrect Authorization, and SSRF vulnerabilities"), Host Engineering Communications Module ("mitigations for a Stack-based Buffer Overflow vulnerability"), AutomationDirect DirectLOGIC with Ethernet (Update A) ("mitigations for Uncontrolled Resource Consumption and Cleartext Transmission of Sensitive Information vulnerabilities"), AutomationDirect DirectLOGIC with Serial Communication (Update A) ("mitigations for a Cleartext Transmission of Sensitive Information vulnerability"), and MiCODUS MV720 GPS tracker (Update A) ("mitigations for Use of Hard-coded Credentials, Improper Authentication, Cross-site Scripting, and Authorization Bypass Through User-controlled Key vulnerabilities").
September 22nd saw three more ICS Advisories, these for Measuresoft ScadaPro Server ("mitigations for an Improper Access Control vulnerability"), Mitsubishi Electric Multiple Products (Update E) ("mitigations for a Predictable Exact Value from Previous Values vulnerability"), and Mitsubishi Electric Factory Automation Engineering Software (Update D) ("mitigations for a Permission Issues vulnerability").
And the final set of ICS Advisories released as we went to press came out yesterday, for Hitachi Energy AFS ("Improper Input Validation"), Hitachi Energy APM Edge ("Out-of-Bounds Write and Improper Authentication"), and Rockwell Automation ThinManager ThinServer ("Heap-based Buffer Overflow").