Security researchers warn that criminals and other malicious actors can hijack control system components that do not appear to pose an obvious risk, and use them in their attacks.
Ransomware is increasingly used by hackers to turn an illegitimate profit by encrypting the data of individuals and businesses. Experts also warn, however, that ransomware developers could start targeting industrial control systems (ICS) as well.
The security company CRITIFENCE and a team at the Georgia Institute of Technology have created proof-of-concept (PoC) ransomware designed specifically for ICS attacks and aimed at programmable logic controllers (PLCs).
PLCs are usually critical to operations and are therefore a natural target for threat actors. On Thursday, however, at SecurityWeek's 2017 Singapore ICS Cyber Security Conference, Alexandru Ariciu, an ICS security consultant at Applied Risk, revealed a different potential target. Ariciu demonstrated ransomware attacks, which he calls "Scythe", against inconspicuous SCADA devices that are usually regarded as lower-risk.
Ariciu has not named the affected products, but describes them as several types of I/O systems that sit between OPC servers and field devices. The devices run an embedded operating system and expose a web server. According to Ariciu, a large number of these systems are unprotected and reachable from the Internet, which allows attackers to hijack them by replacing their firmware with a malicious image.
Applied Risk's demonstration begins with the attacker scanning the Web for potential targets. According to Ariciu, most of the devices can be found through the Shodan and Google search engines. The researcher tested four devices from four different vendors and found almost 10,000 systems that can be accessed directly from the Internet, as they have no authentication mechanism at all.
Ariciu says a malicious actor would identify widely used devices and focus on those. Before a device can be infected, the attacker first has to acquire one and debug it at the hardware level to find out exactly how it works. The attack process is the same for every device, but the exploit has to be customized for each one.
Applied Risk needed three months to determine how each device works and how it can be attacked. Ariciu explained that this hands-on analysis is required to build the exploit, but once it exists the attack can be launched remotely against any devices reachable from the Internet.
The attack itself relies on a firmware validation bypass vulnerability, which is used to replace the original firmware with a malicious one. In Applied Risk's attack scenario, the attacker connects to the device's interface, makes a backup of its configuration and then installs firmware that disrupts the regular process.
When the victim inspects the device, they see a ransom message and realize that the device has been taken offline. The attacker can also "disable" the firmware update functionality so that the victim cannot restore the original firmware. Nor does the "restore factory settings" feature help: it neither stops the attack nor restores the original firmware, and even if it did, the attacker could just as easily disable it too.
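The reason a firmware swap like the one above works is that the device accepts whatever image it is handed as long as a weak integrity check passes. The following Go program is an added illustration, not Applied Risk's code and not the image format, check or key material of any product Ariciu tested: it contrasts a firmware image "validated" only by a CRC32 trailer, which an attacker recomputes after replacing the payload, with one verified against a vendor Ed25519 public key, which hardware debugging of the device can reveal but cannot turn into a signing key. The image layout, the key pair and the payload strings are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Constructed, simplified image layouts used only for this example:
//   weak image:   payload || crc32(payload) as 4 bytes little-endian
//   signed image: payload || ed25519 signature (64 bytes)

// buildWeakImage appends a CRC32 trailer, an integrity-only check that anyone
// (including an attacker) can regenerate for an arbitrary payload.
func buildWeakImage(payload []byte) []byte {
	trailer := make([]byte, 4)
	binary.LittleEndian.PutUint32(trailer, crc32.ChecksumIEEE(payload))
	return append(append([]byte{}, payload...), trailer...)
}

// verifyWeakImage models a device that only checks the CRC before flashing.
func verifyWeakImage(img []byte) ([]byte, error) {
	if len(img) < 4 {
		return nil, errors.New("image too short")
	}
	payload, trailer := img[:len(img)-4], img[len(img)-4:]
	if binary.LittleEndian.Uint32(trailer) != crc32.ChecksumIEEE(payload) {
		return nil, errors.New("crc mismatch")
	}
	return payload, nil
}

// buildSignedImage appends an Ed25519 signature made with the vendor's private
// key, which stays on the vendor's build system and is never on the device.
func buildSignedImage(priv ed25519.PrivateKey, payload []byte) []byte {
	return append(append([]byte{}, payload...), ed25519.Sign(priv, payload)...)
}

// verifySignedImage models an updater/bootloader that holds only the vendor's
// public key. Extracting that key from the device does not help an attacker
// produce a valid trailer for a modified payload.
func verifySignedImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < ed25519.SignatureSize {
		return nil, errors.New("image too short")
	}
	cut := len(img) - ed25519.SignatureSize
	payload, sig := img[:cut], img[cut:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature invalid")
	}
	return payload, nil
}

// Outcome records whether each kind of device flashed the attacker's payload.
type Outcome struct {
	WeakAccepted   bool // CRC-only device accepted the malicious image
	SignedAccepted bool // signature-checking device accepted it
}

// simulateSwap plays the Scythe-style firmware replacement against both
// validators. Against the CRC device the attacker just rebuilds the trailer;
// against the signed device the best available move without the private key
// is to reuse the genuine image's signature, which does not verify.
func simulateSwap(pub ed25519.PublicKey, genuineSigned, evil []byte) Outcome {
	_, errWeak := verifyWeakImage(buildWeakImage(evil))
	oldSig := genuineSigned[len(genuineSigned)-ed25519.SignatureSize:]
	forged := append(append([]byte{}, evil...), oldSig...)
	_, errSigned := verifySignedImage(pub, forged)
	return Outcome{WeakAccepted: errWeak == nil, SignedAccepted: errSigned == nil}
}

func main() {
	// Constructed vendor key pair and firmware contents for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("GENUINE FIRMWARE v1.2: poll field I/O, serve OPC")
	evil := []byte("MALICIOUS PAYLOAD: halt I/O, show ransom note, block updates")

	fmt.Printf("%+v\n", simulateSwap(pub, buildSignedImage(priv, genuine), evil))
}
```

The check only helps if every path that writes flash goes through it: the web update page, any "restore factory settings" or recovery routine, and the bootloader itself. Otherwise the attacker does exactly what Ariciu described, installs through the one unchecked path and then disables the paths a defender would use to recover.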