Tag Archives: Advanced Persistent Threat

Application control solutions for protecting critical infrastructures

13 October 2019

Application Control Solutions (ACS) are easy to deploy and manage protective security controls in process automation. From my point of view, they are essential when it comes to critical infrastructures. The major SCADA vendors recommend and certify them for use with their product suites.

Rick Gorskie, Global Sales Manager Cybersecurity at Emerson Automation Solutions, recommends “using both solutions for an effective “one-two” punch against malware infection. Using applications whitelisting to protect from “zero-day” attacks as well as using antivirus blacklisting to scan for malware yields the best result.”(1)

Schneider Electric recommends the application control for their Power SCADA systems: “Power SCADA has been validated with the McAfee Application Control whitelisting application. Power SCADA and McAfee whitelisting can make your system more resilient to zero-day threats.”(2)

In addition to the protection against zero-days, application control allows to reduce the patch frequency and to extent the life of legacy systems.

The ACS kicks in during the exploitation phase of the Cyber Kill Chain. It checks every object at execution time whether it is known in the white list. Since new malware is not on the list, ACS just blocks the execution. This is a plain, but very effective approach.

Cyber Kill Chain - Application Control Solutions

Cyber Kill Chain – Application Control Solutions

This works for file-less malware like Nodersok (3) as well as for file-based malware like Reductor (4) or COMpfun (5). Even crypto worms like WannaCry are blocked.

In the case of COMpfun, for example, two DLLs are loaded into the users AppData directory. Both DLLs are not on the white list, so the execution is blocked although they are defined as COM objects.

Reductor uses two delivery methods, COMpfun and infected software installers. If COMpfun is used for delivery, the ACS blocks the malware.

But if the Reductor is delivered through infected software installers, ACSs will not work because they have their Achilles heels.

ACSs must be suspended during deployment or update of software.

A malware, for example a trojan disguised as part of a software suite, will become a legitimate program after the ACS is enforced again. Thus, the malware will never be blocked because it’s on the white list.

ACSs allow exceptions.

Some SCADA vendors request exceptions for the execution of some of their software tools. If malicious actors exploit these exceptions, they can inject malware outside regular installations.

So, we have a residual risk, depending on the threat actor and the environment.

For non-critical infrastructures, ACSs provides great protection against all threat actors. But in the case of critical infrastructures, APT and, to some extent, cyber criminals have the resources and the know how to exploit the Achilles heels of ACSs.

Additional security controls must be implemented to reduce this risk. Operators and engineering service providers must work together to solve this issue.

This may include an extended integrity check of all software before installation in the SCADA network and the encryption of all media during transport.

By the way, ACSs provide effective protection against zero-days only if they are not suspended. So, it’s a good idea to check regularly if the ACS agents are operated in enforced mode on the systems.

Have a great week.


References

  1. Gorskie R. Should You Be Using Application Whitelisting? [Internet]. Emerson Exchange 365. 2017 [zitiert 22. September 2019]. Verfügbar unter: https://emersonexchange365.com/products/control-safety-systems/f/deltav-discussions-questions/6792/should-you-be-using-application-whitelisting
  2. Schneider Electric. Power SCADA Operation 9.0 System Guide | Schneider Electric [Internet]. 2019 [zitiert 22. September 2019]. Verfügbar unter: https://www.schneider-electric.com/en/download/document/PowerSCADAOperationSystemGuide/
  3. Microsoft. Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware [Internet]. Microsoft Security. 2019 [zitiert 28. September 2019]. Verfügbar unter: https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/
  4. GReAT. COMpfun successor Reductor infects files on the fly to compromise TLS traffic | Securelist [Internet]. Kaspersky Securelist. 2019 [zitiert 12. Oktober 2019]. Verfügbar unter: https://securelist.com/compfun-successor-reductor/93633/
  5. G Data. COM Object hijacking: the discreet way of persistence [Internet]. G Data Blog. 2014 [zitiert 12. Oktober 2019]. Verfügbar unter: https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence

You may Wanna Cry on Monday morning if your Anti-Phishing Training was no success

14 May 2017

In the past days WannaCry was making the headlines. I found a really well written post on Binary Defense which explains the basics of the initial infection as well as the propagation method.

WannaCry does not use any heavy sophistication methods for delivery. It first uses a password protected zip file, which has a document inside.

Packaged this way anti-malware solutions cannot scan the attachment because they can’t enter the password for opening the attachment, although it is stated in the email body. Even APT (Advanced Persistent Threat) solutions may fail if they are not properly configured.

If your Anti-Phishing Awareness Training was successful, the chance of an infection is small.

In addition, it makes sense to block incoming mails with zip files, which cannot be inspected by the anti-malware solution. Don’t deliver them to the users junk mail folder, block them on the mail gateway.

This gives you the time to implement patch MS17-010, if you have not yet done so. Or isolate the affected systems from the network, if patching is not possible, e.g. in GxP controlled environments.

Take care!