A new strain of ransomware called ClearEnergy was uncovered by researchers at the CRITIFENCE Critical Infrastructure and SCADA/ICS Cyber Threats Research Group. The malware works like other infections of this type: it penetrates computer systems and locks the files on their hard disk drives, and the attackers demand a ransom in exchange for the decryption key.
ClearEnergy is dangerous because of its target group. The ransomware's attacks are concentrated on Programmable Logic Controllers (PLCs). The malware erases the ladder logic diagram, the control program that plays a central role in energy plants. ClearEnergy affects a wide range of PLC models, which makes it a potential threat to leading manufacturers.
The virus can reportedly compromise Schneider Electric Unity series PLCs and Unity OS, builds 2.6 and later. Certain PLC models of General Electric (GE) and Allen-Bradley (MicroLogix family) are also on the list of vulnerable devices.
“The ClearEnergy attack is based on the most comprehensive and dangerous vulnerability ever found in Critical Infrastructure, SCADA and ICS Systems, and affects a wide range of vulnerable products from different manufacturers and vendors. These attacks target the most important assets and critical infrastructure, and not just because they are easy to attack but also because they are hard to recover from,” explained CRITIFENCE CEO Brig. Gen. (ret.) Rami Ben Efraim.
To examine contemporary ransomware concepts, researchers from the School of Electrical and Computer Engineering at the Georgia Institute of Technology conducted a test study a month ago. They simulated a proof-of-concept ransomware attack on a limited scale, using a program dubbed LogicLocker that was devised to attack critical infrastructure, SCADA and industrial control systems.
The results of that study serve as a reference point for the capabilities of the ClearEnergy ransomware. Its attacks target Critical Infrastructure and SCADA systems such as nuclear and power plants, water and waste facilities, transportation infrastructure and other industrial sites.
Once ClearEnergy is installed on a machine, it begins looking for vulnerable PLCs. The program copies the ladder logic diagram from the PLC and uploads it to a remote server. The last step is to start a timer that schedules the deletion of the logic diagram from all PLCs after one hour. Victims thus have less than an hour to make a payment in order to have the timer canceled.
ClearEnergy launches the same type of attack against SCADA and Industrial Control Systems, targeting the critical infrastructure itself. The attacks can cause a power failure and damage field equipment, and the aftermath is a set of problems that take a long time to resolve. They could even bring the plant's production line to a halt.
On a side note, SCADA and Industrial Control Systems have exhibited weaknesses on a number of occasions over the past several years. Operators have fallen victim to similar attacks several times, and the intrusions have resulted in loss of service and subsequent power outages.
ClearEnergy exploits security flaws in Schneider Electric's UMAS protocol. As disclosed by CRITIFENCE, the ransomware is based on the CVE-2017-6032 (SVE-82003203) and CVE-2017-6034 (SVE-82003204) vulnerabilities. The UMAS protocol has a weakness in the design of its session key, and this weakness can be exploited to bypass authentication.
As Eran Goldstein, CTO and founder of CRITIFENCE, explained: “UMAS is a Kernel level protocol and an administrative control layer used in Unity series PLC and Unity OS from 2.6. It relies on the Modicon Modbus protocol, a common protocol in Critical Infrastructure, SCADA and industrial control systems and used to access both unallocated and allocated Memory from PLC to SCADA system. What worries our researchers is that it may not be entirely patched within the coming years, since it affects a wide range of hardware and vendors.”
Schneider Electric responded to CRITIFENCE's analysis, confirming that PLC products from the Modicon family are indeed vulnerable to such attacks. The company issued an Important Cybersecurity Notification (SEVD-2017-065-01) as an official alert. Subsequently, the Department of Homeland Security's ICS-CERT published an advisory regarding the threat. The advisory revealed that the underlying flaw lets an attacker guess a weak session key that is only one byte long and therefore has just 256 possible values. With the session key, the attacker can manipulate the controller at will: read the controller's program and overwrite it with code of their own.
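The two observable behaviours described above, an unexpected host talking UMAS to a PLC and a single host cycling through the 256 possible one-byte session keys, can both be caught in Modbus/TCP traffic. The following detector is an added example, not code from the article, CRITIFENCE or Schneider Electric; it assumes UMAS is carried as Modbus function code 0x5A with the session-key byte immediately after the function code (a layout taken from public protocol write-ups, not from this article), and the frames, hosts and allowlist are constructed sample data.

```python
"""Flag anomalous UMAS (Modbus function 0x5A) traffic toward PLCs."""
from collections import defaultdict
from typing import Optional

UMAS_FUNCTION = 0x5A                      # assumed Modbus function code for UMAS
ALLOWED_ENGINEERING_HOSTS = {"10.0.0.5"}  # constructed allowlist of workstations
KEY_GUESS_THRESHOLD = 16                  # distinct session keys from one host


def parse_modbus_tcp(frame: bytes) -> Optional[dict]:
    """Parse an MBAP header plus PDU; return None if the frame is malformed."""
    if len(frame) < 8:
        return None
    tid = int.from_bytes(frame[0:2], "big")
    proto = int.from_bytes(frame[2:4], "big")
    length = int.from_bytes(frame[4:6], "big")
    if proto != 0 or length != len(frame) - 6:   # length covers unit id + PDU
        return None
    pdu = {"tid": tid, "unit": frame[6], "fc": frame[7], "data": frame[8:]}
    if pdu["fc"] == UMAS_FUNCTION and len(frame) >= 10:
        pdu["session_key"] = frame[8]   # assumed: 1-byte key follows 0x5A
        pdu["umas_fc"] = frame[9]       # assumed: UMAS sub-function byte
    return pdu


def detect_umas_anomalies(records):
    """records: iterable of (src_ip, frame_bytes). Returns a list of alerts."""
    alerts, keys_seen, flagged_hosts = [], defaultdict(set), set()
    for src, frame in records:
        pdu = parse_modbus_tcp(frame)
        if pdu is None or "session_key" not in pdu:
            continue                                  # not a UMAS request
        if src not in ALLOWED_ENGINEERING_HOSTS and src not in flagged_hosts:
            flagged_hosts.add(src)
            alerts.append((src, "umas_from_unexpected_host"))
        keys_seen[src].add(pdu["session_key"])
        if len(keys_seen[src]) == KEY_GUESS_THRESHOLD:  # fires once per host
            alerts.append((src, "session_key_enumeration"))
    return alerts


def umas_frame(tid, session_key, umas_fc, payload=b"", unit=0):
    """Build a constructed UMAS-over-Modbus/TCP request for the sample data."""
    pdu = bytes([UMAS_FUNCTION, session_key, umas_fc]) + payload
    mbap = tid.to_bytes(2, "big") + b"\x00\x00" + (len(pdu) + 1).to_bytes(2, "big")
    return mbap + bytes([unit]) + pdu


# Constructed sample: one legitimate workstation request, then an unknown host
# walking through 20 different session-key values against the same PLC.
SAMPLE_RECORDS = [("10.0.0.5", umas_frame(1, 0x00, 0x02))] + [
    ("10.0.0.99", umas_frame(100 + i, i, 0x22)) for i in range(20)
]
```

Running `detect_umas_anomalies(SAMPLE_RECORDS)` yields one alert for the unknown host appearing at all and a second when it has tried 16 distinct keys, while the allowlisted workstation produces nothing.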
“Recovering from such an attack would be a slow and tedious process, and prone to many failures. Every plant using PLCs which is part of a production line would have dozens of these devices all around the plant. Let’s assume that each PLC is indeed backed-up to its recent configuration. It would take a painstakingly long time to recover each and every one of them to its original status,” explained Eyal Benderski, Head of the Critical Infrastructure and SCADA/ICS Cyber Threats Research Group at CRITIFENCE.