Experts at ICS-CERT say that the BlackEnergy malware that has been seen infecting human-machine interface systems may be exploiting a recently patched vulnerability in the Siemens SIMATIC WinCC software in order to compromise some systems.
The ICS-CERT originally issued an alert about the attacks by the venerable BlackEnergy malware in October, and at the time the group warned that the malware was targeting three specific HMI products: GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC.
“At this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems’ control processes. ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system. However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. The malware is highly modular and not all functionality is deployed to all victims,” the alert said.
At the time of the original alert, ICS-CERT wasn’t sure how WinCC systems were being infected, but it now appears that BlackEnergy may be targeting a vulnerability that was patched in November by Siemens.
“While ICS-CERT lacks definitive information on how WinCC systems are being compromised by BlackEnergy, there are indications that one of the vulnerabilities fixed with the latest update for SIMATIC WinCC may have been exploited by the BlackEnergy malware.g ICS-CERT strongly encourages users of WinCC, TIA Portal, and PCS7 to update their software to the most recent version as soon as possible,” the updated alert says.
Siemens patched two vulnerabilities in WinCC on Nov. 11, including one that could allow remote code execution.