Dangerous New Malware Can Shut Down, Sabotage Industrial Sites
Pipedream, or Incontroller, is a custom-made, modular ICS attack framework that could be leveraged to cause disruption, degradation, and possibly even destruction depending on targets and the environment.
Pipedream can manipulate a wide variety of PLCs and industrial software, including Omron and Schneider Electric controllers, and can attack ubiquitous industrial technologies including CODESYS, Modbus, and OPC UA.
The framework’s capabilities include performing system enumeration, issuing WMI commands, executing host-based commands, and manipulating the registry. It also exploits a known vulnerability (CVE-2020-15368) in a legitimately signed ASRock motherboard driver to execute malicious code in the Windows kernel.
The framework includes three tools that enable the attacker to send instructions to ICS devices using industrial network protocols:
- The first tool has multiple capabilities, such as the ability to scan for and enumerate OPC UA servers, suggesting a reconnaissance role.
- The second tool communicates with ICS devices using the Modbus protocol, which potentially gives it the ability to interact with devices from different manufacturers. However, the tool contains a specific module to interact with, scan, and attack Schneider Electric’s Modicon M251 PLC using CODESYS.
- The third tool is designed to obtain shell access to Omron PLCs. It primarily operates over HTTP, but it also uses Omron’s proprietary FINS over UDP protocol for scanning and device identification.
CISA’s alert on this activity also recommends continuous OT network monitoring, which is the role a platform such as SCADAfence fills.
CISA’s Alert (AA22-103A) states “DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:
“Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic…”
The Impact Of The INCONTROLLER / Pipedream Malware
The intent is to leverage access to ICS systems to elevate privileges, move laterally within networks, and sabotage mission-critical functions in liquefied natural gas (LNG) and electric power environments.
At the time of writing, the framework had not yet been observed deployed in a target network.
How SCADAfence Detects INCONTROLLER / Pipedream
- The SCADAfence Platform detects new connections, connections from external devices and from the Internet, and unauthorized connections to OT assets.
- Furthermore, the Platform detects start, restart, and stop commands sent to PLCs in the network, as well as remote mode-change commands, which are prerequisite steps for altering the programs running on PLCs.
- The Platform additionally detects system enumeration scans and HTTP command execution.
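To make the three detection points above concrete, the following Python script is an added example written for this page; it is not SCADAfence's code and does not reflect how the Platform is implemented. It inspects flow records for connections into the OT subnet from external or non-allowlisted hosts, parses Modbus/TCP frames to flag write function codes (the state-changing operations a start/stop or program alteration relies on), and flags one source sweeping many OT hosts as enumeration. The allowlist, OT subnet, port table, sweep threshold and the flow records themselves are all constructed assumptions.

```python
"""Network-side detection of Pipedream-style OT activity (added example).

Assumptions (not from the page): an allowlist of engineering hosts, an OT
subnet, a port table for the protocols the framework speaks, and a fixed
sweep threshold. The flow records below are constructed, not captured.
"""
import ipaddress
import struct
from collections import defaultdict

ALLOWED_ENGINEERING_HOSTS = {"10.20.1.10", "10.20.1.11"}   # hypothetical allowlist
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")            # hypothetical OT range
PROTOCOL_PORTS = {502: "Modbus/TCP", 4840: "OPC UA", 9600: "FINS/UDP",
                  80: "HTTP", 1217: "CODESYS", 11740: "CODESYS"}
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}   # coil/register writes: state changes
SWEEP_THRESHOLD = 8                         # distinct OT hosts touched by one source


def parse_modbus_tcp(adu: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP ADU, or None if malformed.

    MBAP header: transaction id, protocol id (0), length, unit id; then the PDU.
    The length field counts the unit id plus the PDU bytes.
    """
    if len(adu) < 8:
        return None
    _tid, proto_id, length, unit, fc = struct.unpack("!HHHBB", adu[:8])
    if proto_id != 0 or length != len(adu) - 6:
        return None
    return unit, fc


def modbus_frame(tid: int, unit: int, fc: int, *fields: int) -> bytes:
    """Build a Modbus/TCP ADU whose PDU is the function code plus 16-bit fields."""
    pdu = struct.pack("!B" + "H" * len(fields), fc, *fields)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def analyse_flows(flows):
    """Return de-duplicated alert strings for the given flow records."""
    alerts, seen = [], set()
    hosts_per_src = defaultdict(set)

    def alert(msg):
        if msg not in seen:
            seen.add(msg)
            alerts.append(msg)

    for f in flows:
        src, dst, dport = f["src"], f["dst"], f["dport"]
        if ipaddress.ip_address(dst) not in OT_SUBNET:
            continue                      # only traffic into OT assets is in scope
        hosts_per_src[src].add(dst)
        service = PROTOCOL_PORTS.get(dport, f"port {dport}")
        if ipaddress.ip_address(src) not in OT_SUBNET:
            alert(f"EXTERNAL source {src} -> {dst} {service}")
        elif src not in ALLOWED_ENGINEERING_HOSTS:
            alert(f"UNAUTHORIZED source {src} -> {dst} {service}")
        if dport == 502 and f["proto"] == "tcp":
            parsed = parse_modbus_tcp(f["payload"])
            if parsed is None:
                alert(f"MALFORMED Modbus {src} -> {dst}")
            elif parsed[1] in MODBUS_WRITE_FCS:
                alert(f"MODBUS WRITE fc={parsed[1]} unit={parsed[0]} {src} -> {dst}")

    # Enumeration: one source touching many distinct OT hosts.
    for src, hosts in hosts_per_src.items():
        if len(hosts) >= SWEEP_THRESHOLD:
            alert(f"ENUMERATION {src} swept {len(hosts)} OT hosts")
    return alerts


# Constructed flow records (not captured traffic).
SAMPLE_FLOWS = [
    # Legitimate: engineering workstation reads 10 holding registers (fc 3).
    {"src": "10.20.1.10", "dst": "10.20.5.1", "dport": 502, "proto": "tcp",
     "payload": modbus_frame(1, 1, 3, 0, 10)},
    # Non-allowlisted internal host writes a register (fc 6): a state change.
    {"src": "10.20.7.50", "dst": "10.20.5.1", "dport": 502, "proto": "tcp",
     "payload": modbus_frame(2, 1, 6, 100, 0)},
    # Internet-sourced connection to an OPC UA server.
    {"src": "203.0.113.9", "dst": "10.20.5.2", "dport": 4840, "proto": "tcp",
     "payload": b""},
] + [
    # One host sweeping the PLC subnet on the FINS/UDP port: device identification.
    {"src": "10.20.7.77", "dst": f"10.20.5.{n}", "dport": 9600, "proto": "udp",
     "payload": b""}
    for n in range(3, 11)
]

if __name__ == "__main__":
    for line in analyse_flows(SAMPLE_FLOWS):
        print(line)
```

The legitimate read from the allowlisted workstation produces no alert, while the register write, the Internet-sourced OPC UA connection and the FINS sweep each do. In production the allowlist and OT subnet come from the asset inventory rather than constants, and the Modbus parser would be extended with the proprietary start/stop and mode-change commands of the PLC families in use.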
Our Experts Recommend
- Isolate ICS systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving the perimeter.
- Limit ICS systems’ network connections to allowed management and engineering workstations.
- Enforce multi-factor authentication for all remote access to ICS networks and devices whenever possible.
- Change all passwords to ICS devices, especially all default passwords, to unique, strong passwords.
- Apply the latest security patches on the OT assets in the network.
- Maintain offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
- Enforce the principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
- Monitor systems for loading of unusual drivers, especially for ASRock drivers if no ASRock driver is normally used on the system.
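The backup recommendation above asks for hashing and integrity checks on firmware and controller configuration files. The following Python script is an added example of one way to do that; it is not from the original page or from SCADAfence. It builds a SHA-256 manifest of a backup tree, then re-verifies the tree against the stored manifest and reports modified, missing and unexpected files. The directory layout, file names and contents are constructed in a temporary directory and are assumptions for the demonstration.

```python
"""Hash-manifest integrity check for PLC firmware and configuration backups.

Added example, not from the page. The directory layout, file names and
contents below are constructed in a temporary directory for demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware images fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Diff the tree against a stored manifest; all three lists empty means intact."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a backup tree, then tamper with it and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "m251").mkdir()
        (root / "nx1").mkdir()
        (root / "m251" / "project.app").write_bytes(b"placeholder M251 application")
        (root / "m251" / "firmware.bin").write_bytes(b"\xff" * 4096)
        (root / "nx1" / "firmware.bin").write_bytes(b"\x00" * 4096)
        (root / "nx1" / "config.json").write_text('{"mode": "run"}')

        # Take the manifest at backup time and keep it off the backup media
        # (here, simply serialised to a string) so an attacker who alters the
        # backup cannot also rewrite the expected hashes.
        stored = json.dumps(build_manifest(root), indent=1)
        intact = verify_backup(root, json.loads(stored))

        # Tampering: altered project file, deleted firmware, planted extra file.
        (root / "m251" / "project.app").write_bytes(b"placeholder M251 application, modified")
        (root / "nx1" / "firmware.bin").unlink()
        (root / "m251" / "hidden.app").write_bytes(b"unexpected")
        tampered = verify_backup(root, json.loads(stored))
        return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Plain hashes only detect tampering if the manifest itself is trustworthy, so store it on offline or write-once media separate from the backups, or sign it (for example with a detached signature or an HMAC under a key the backup host does not hold), and re-run the verification before any restore.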
Since the DOE, CISA, NSA, and the FBI recommend that all organizations with ICS/SCADA devices deploy a continuous network monitoring solution going forward, let our experts help you keep your networks and industrial devices secure.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum, including Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.