A sophisticated malware campaign compromised numerous industrial control system (ICS) environments using a variant of the BlackEnergy malware, according to a report on ICS-CERT.
Analysis indicates this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT identified the malware on Internet-connected human-machine interfaces (HMI).
Users of HMI products from several vendors were targeted in this campaign, including GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC, according to ICS-CERT. It remains unknown whether other vendors' products are also targets. ICS-CERT is working with the involved vendors to evaluate this activity and to notify their users of the linkages to this campaign.
At this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems’ control processes.
ICS-CERT has not been able to verify whether the intruders expanded access beyond the compromised HMI into the rest of the underlying control system. However, typical malware deployments have included modules that search out network-connected file shares and removable media for further lateral movement within the affected environment. The malware is highly modular, and not every deployment includes all of its functionality.
In addition, public reports reference a BlackEnergy-based campaign against a variety of overseas targets leveraging vulnerability CVE-2014-4114 (affecting Microsoft Windows and Windows Server 2008 and 2012). ICS-CERT has not observed the use of this vulnerability to target control system environments. However, analysis of the technical findings in the two reports shows linkages in the shared command and control infrastructure between the campaigns, suggesting both are part of a broader campaign by the same threat actor.
ICS-CERT analysis identified the probable initial infection vector for systems running GE's Cimplicity HMI with a direct connection to the Internet. Analysis of victim system artifacts has determined that attackers have been exploiting a vulnerability in GE's Cimplicity HMI product since at least January 2012. The vulnerability, CVE-2014-0751, was published in ICS-CERT advisory ICSA-14-023-01 on January 23. Guidance for remediation was published to the GE IP portal in December 2013. GE has also released a statement about this campaign on the GE security web site.
Using this vulnerability, attackers were able to have the HMI server execute a malicious .cim file [Cimplicity screen file] hosted on an attacker-controlled server.
ICS-CERT has analyzed two different .cim files used in this campaign: devlist.cim and config.bak. Both files use scripts to ultimately install the BlackEnergy malware.
• devlist.cim: This file uses an embedded script that executes as soon as the file opens, via the Screen Open event. The obfuscated script downloads the file "newsfeed.xml" from the same remote server and saves it in the Cimplicity directory under the name <41 character string>.wsf. The name is randomly generated from upper- and lower-case letters, numbers, and hyphens. The .wsf script is then executed with the Windows command-line script host (cscript.exe). This second script downloads the file "category.xml" and saves it in the Cimplicity directory under the name "CimWrapPNPS.exe." CimWrapPNPS.exe is a BlackEnergy installer that deletes itself once the malware is installed.
• config.bak: This file uses a script that executes when the file opens, via the OnOpenExecCommand event. The script downloads a BlackEnergy installer from a remote server, names it "CimCMSafegs.exe," copies it into the Cimplicity directory, and then executes it. CimCMSafegs.exe is a BlackEnergy installer that deletes itself after the malware is installed.
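The two infection chains above leave host-level traces that a defender can hunt for: the installer names, the 41-character random .wsf name in the Cimplicity directory, and cscript.exe being launched with a .wsf from that directory. The following is an added example (not code from ICS-CERT or the alert) that checks a file listing and process command lines against those indicators; the Cimplicity install path and all sample data are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Assumed default install path (not taken from the alert); adjust per system.
CIMPLICITY_DIR = r"C:\Program Files\Proficy\Proficy CIMPLICITY"
# File names described in the ICS-CERT alert for this campaign.
DROPPER_NAMES = {"cimwrappnps.exe", "cimcmsafegs.exe", "ccprojectmgrstubex.dll"}
# devlist.cim saves its downloader as <41 character string>.wsf (letters, digits, hyphens).
RANDOM_WSF = re.compile(r"^[A-Za-z0-9-]{41}\.wsf$")

def in_cimplicity_dir(path, root=CIMPLICITY_DIR):
    """Case-insensitive check that path lies somewhere under the Cimplicity directory."""
    return PureWindowsPath(root) in PureWindowsPath(path).parents

def classify_file(path):
    """Return an indicator label for a file path, or None when nothing matches."""
    name = PureWindowsPath(path).name
    if name.lower() in DROPPER_NAMES:
        return "known installer/helper name"
    if in_cimplicity_dir(path) and RANDOM_WSF.match(name):
        return "random 41-character .wsf downloader"
    return None

def cscript_wsf_from_cimplicity(command_line):
    """True when cscript.exe is started with a .wsf script located in the Cimplicity dir."""
    if "cscript" not in command_line.lower():
        return False
    m = re.search(r'"([^"]+\.wsf)"|(\S+\.wsf)', command_line, re.IGNORECASE)
    if not m:
        return False
    return in_cimplicity_dir(m.group(1) or m.group(2))

def hunt(file_listing, process_log):
    """Apply both checks; return (evidence, reason) findings."""
    findings = [(p, r) for p in file_listing if (r := classify_file(p))]
    findings += [(cl, "cscript.exe running a .wsf from the Cimplicity directory")
                 for cl in process_log if cscript_wsf_from_cimplicity(cl)]
    return findings

# Constructed sample data for the example, not artifacts from the alert.
WSF_NAME = "aB3-kLm9Qr2Xz7Yw1Vt5Un0Po8Ij6Hg4Fd2Sa1Zx9.wsf"
SAMPLE_FILES = [
    CIMPLICITY_DIR + r"\CimWrapPNPS.exe",
    CIMPLICITY_DIR + "\\" + WSF_NAME,
    CIMPLICITY_DIR + r"\CimView.exe",
    r"C:\Users\operator\Desktop\CCProjectMgrStubEx.dll",
]
SAMPLE_PROCS = [
    r'"C:\Windows\System32\cscript.exe" "' + CIMPLICITY_DIR + "\\" + WSF_NAME + '"',
    r'"C:\Windows\System32\cscript.exe" C:\Scripts\backup.wsf',
]

if __name__ == "__main__":
    for evidence, reason in hunt(SAMPLE_FILES, SAMPLE_PROCS):
        print(f"{reason}: {evidence}")
```

A positive match is a lead for triage alongside ICS-CERT's Yara signature, not proof of infection on its own.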
Analysis suggests the attackers likely used automated tools to discover and compromise vulnerable systems.
ICS-CERT warns that any company that has run Cimplicity since 2012 with its HMI directly connected to the Internet could be infected with the BlackEnergy malware. ICS-CERT recommends that companies use the indicators and Yara signature in the alert to check their systems.
Resident in the same folder hosting the Cimplicity .cim files referenced above was a file with the name “CCProjectMgrStubEx.dll.” While this file is not part of the WinCC product, it uses a name that is similar to legitimate WinCC files. Given the use of filenames matching legitimate Cimplicity files to exploit Cimplicity systems, the presence of this file alongside other BlackEnergy campaign files suggests that WinCC could potentially also be a target.
A number of the victims associated with this campaign were running the Advantech/BroadWin WebAccess software with a direct Internet connection. ICS-CERT has not yet identified the initial infection vector for victims running this platform, but it could also be a target.
ICS-CERT produced a Yara signature to aid in identifying whether the malware files are present on a given system. The signature is provided "as is" and has not undergone full testing across all variants or environments. Any positive or suspected findings should be immediately reported to ICS-CERT for further analysis and correlation.
YARA is a pattern-matching tool used by computer security researchers and companies to help identify malware. Usage help and download links are available on the main Yara page.