ICS Malware Found on Vendors’ Update Installers

The Havex RAT has infected the software update installers of three known industrial control system vendors, according to an advisory for ICS-CERT.

Malware targeting industrial control systems has infected the update installers belonging to three known industrial control vendors, according to an advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

The Havex remote access Trojan (RAT) is targeting vendors via phishing campaigns, website redirects and most recently by infecting the software installers. Three vendor websites have been compromised in watering hole attacks, the advisory said.

“According to analysis, these techniques could have allowed attackers to access the networks of systems that have installed the trojanized software,” the ICS-CERT advisory said. “The identities of these three known industrial control system vendors are available along with additional indicators of compromise to critical infrastructure owners and operators on the US-CERT secure portal.”

The advisory also revealed that ICS-CERT has received reports of numerous system crashes caused by Havex infections, leading to denial-of-service conditions.

Havex is a traditional RAT in that the Trojan opens a backdoor where stolen data is flushed out to the attacker’s server. The command and control server can also send back additional payloads. ICS-CERT said the Trojan has the capability of mapping all network resources connected to the victim, including network shares.

“[Havex] uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system resources within the network,” the advisory said. “The known components of the identified Havex payload do not appear to target devices using the newer OPC Unified Architecture (UA) standard.”

The Trojan gathers a laundry list of system information, including server name, OPC version, vendor and server bandwidth information. ICS-CERT said Friday there is no indication the Trojan can make any changes to the connected network hardware resource.

“It is important to note that ICS-CERT testing has determined that the Havex payload has caused multiple common OPC platforms to intermittently crash,” the advisory said. “This could cause a denial of service effect on applications reliant on OPC communications.”

OPC is an open specification used for process control across a number of industries, primarily for operability between gear from different vendors.

The advisory also suggests a number of mitigations for ICS operators, including locking down network access to OPC clients and servers and using OPC tunneling to avoid legacy DCOM services.

ICS-CERT also said that it is investigating whether Havex has been involved in other watering hole attacks.

ICS-CERT also said that it is investigating whether Havex has been involved in other watering hole attacks.

Earlier this year, a watering hole attack targeting energy utilities involved a compromised website belonging to a law firm that represents energy companies that redirected victims to a site hosting the LightsOut exploit kit.

The exploit kit used a number of Java and Adobe exploits and researchers at Zscaler said in March that the site used in the attack is also a known command site for Havex.

This isn’t the first time experts have warned about update services as a possible malware vehicle. During the TrustyCon event in February, activist Chris Soghoian of the American Civil Liberties Union said that intelligence agencies could also target mass, automated update mechanisms with surveillance software.

Soghoian said at that time that his concern is that the government will not only exploit the convenience of these update services offered by most large providers, but also that it will erode the trust users have in the services leaving them vulnerable to cybercrime, identity theft and fraud.

“There are really sound security reasons why we want automatic security updates. If consumers have to do work to get updates, they won’t, and they will stay vulnerable,” Soghoian said. “What that means though is giving companies root on our computers—and we really don’t know what’s in the code after fact. This is a point of leverage the government can use. We have no evidence they are using it right now, but these companies have a position of power over our devices that is unparalleled.”

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.