The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) have published a joint advisory disclosing a comprehensive attack toolkit, termed Pipedream.
Advanced persistent threat (APT) actors have developed a custom set of tools targeting ICS/SCADA devices found in critical infrastructure. The tools have a modular architecture that lets the actors conduct reconnaissance, upload malicious configuration and code, and ultimately modify device parameters.
Devices under consideration include, but are not limited to:
- Schneider Electric MODICON and MODICON Nano PLCs, including but not limited to TM251, TM241, M258, M238, LMC058 and LMC078;
- OMRON Sysmac NJ and NX PLCs, including but not limited to NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK and R88D-1SN10F-ECT; and
- OPC Unified Architecture (OPC UA) servers.
The DOE, CISA, NSA and FBI urge critical infrastructure organizations, especially in the Energy Sector, to implement detection and mitigation recommendations including, but not limited to, the following:
- Implement strong boundary controls and monitor all connections across those boundaries.
- Enforce multifactor authentication for all remote access to ICS networks.
- Rotate passwords on all SCADA/ICS devices on a regular schedule, using strong, device-unique passwords.
Additional mitigation details are available in CISA Alert AA22-103A.
Armis is Ready to Help
Existing Armis customers can run the following console queries to identify at-risk devices and to monitor OT and ICS activity:
- Identify at-risk OPC UA servers: in:devices traffic:(port:4843 opc)
- Identify at-risk Schneider Electric and Omron PLCs: in:devices brand:Omron,"Schneider Electric" type:PLCs
- Identify hosts vulnerable to CVE-2020-15368, the ASRock-signed motherboard driver AsrDrv103.sys, which the tools exploit to run code in the Windows kernel and move laterally between IT and OT: in:vulnerabilities id:(CVE-2020-15368)
- Detect port scans for TCP/502 (Modbus), excluding network equipment, guest or off-network devices and vulnerability scanners as sources: in:activity type:"Port Scan Detected" content:(502) device:(!category:"Network Equipment" !boundary:Guest,"Off Network" !type:"Vulnerability Scanners")
- Detect port scans for UDP/9600 (Omron FINS) with the same exclusions: in:activity type:"Port Scan Detected" content:(9600) device:(!category:"Network Equipment" !boundary:Guest,"Off Network" !type:"Vulnerability Scanners")
- Monitor connections between Omron or Schneider devices and external addresses, which may indicate unauthorized access: in:ipConnections endpointA:(device:(brand:"Schneider Electric",Omron)) endpointB:(networkLocation:External)
- Monitor Telnet and HTTP connections to Omron and Schneider PLCs, which the tools use to load a native implant for further command execution: in:ipConnections endpointB:(role:Server device:(type:PLCs brand:Omron,"Schneider Electric")) protocol:Telnet,HTTP
- Monitor connections to PLCs on the ports the tools are known to use: in:ipConnections serverPort:(1740,1741,1742,1743,1105,11740) endpointB:(role:Server device:(type:PLCs))
- Monitor suspicious connections to those ports across all devices (UDP/1740-1743, TCP/1105 and TCP/11740): in:ipConnections serverPort:(1740,1741,1742,1743,1105,11740)
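For readers without the Armis console, the following added example (not Armis code and not from the advisory) applies the same indicators to network flow records: the toolkit ports UDP/1740-1743, TCP/1105 and TCP/11740 reaching a PLC, Telnet or HTTP to a PLC, a PLC talking to an external address, and one source probing TCP/502 or UDP/9600 on many hosts. It reads records in the order of the first seven columns of a Zeek conn.log; the PLC inventory, the site-internal address ranges, the scan threshold and the sample records are all constructed assumptions for the illustration.

```python
"""Flag Pipedream-style activity in flow records.

Added example, not Armis code or the advisory's: it applies the same
indicators as the console queries above to Zeek-style conn records.
The asset inventory, internal address ranges, scan threshold and the
sample records are all constructed assumptions for this illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed asset inventory: PLC address -> brand (assumption).
PLC_INVENTORY = {
    "10.10.5.20": "Schneider Electric",
    "10.10.5.21": "Schneider Electric",
    "10.10.6.30": "Omron",
}
# Site-internal ranges; anything else is treated as external (assumption).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports the advisory ties to the toolkit's PLC access, keyed by protocol.
TOOLKIT_PORTS = {"udp": {1740, 1741, 1742, 1743}, "tcp": {1105, 11740}}
# Management protocols the tools use to load a native implant on a PLC.
IMPLANT_LOADER_PORTS = {"tcp": {23, 80}}          # Telnet, HTTP
# Industrial ports whose scanning precedes device access.
SCAN_PORTS = {"tcp": {502}, "udp": {9600}}        # Modbus, Omron FINS
SCAN_HOST_THRESHOLD = 5  # distinct targets from one source (assumption)


def is_external(ip):
    """True when the address lies outside the site's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def parse_conn_line(line):
    """Parse the first seven tab-separated columns of a Zeek conn.log
    record: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto."""
    ts, uid, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")[:7]
    return {"ts": ts, "uid": uid, "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto.lower()}


def analyze(lines):
    """Return one alert dict per matched indicator, in input order, with
    port-scan alerts (which need the whole input) appended at the end."""
    alerts = []
    scan_targets = defaultdict(set)   # (src, proto, port) -> {targets}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                   # skip Zeek headers and blanks
        c = parse_conn_line(line)
        proto, port = c["proto"], c["resp_p"]
        to_plc = c["resp_h"] in PLC_INVENTORY
        from_plc = c["orig_h"] in PLC_INVENTORY
        common = {"uid": c["uid"], "src": c["orig_h"], "dst": c["resp_h"],
                  "port": f"{proto}/{port}"}
        if to_plc and port in TOOLKIT_PORTS.get(proto, ()):
            alerts.append({"rule": "toolkit_port_to_plc", **common})
        if to_plc and port in IMPLANT_LOADER_PORTS.get(proto, ()):
            alerts.append({"rule": "implant_loader_to_plc", **common})
        if (from_plc and is_external(c["resp_h"])) or \
           (to_plc and is_external(c["orig_h"])):
            alerts.append({"rule": "plc_external_connection", **common})
        if port in SCAN_PORTS.get(proto, ()):
            scan_targets[(c["orig_h"], proto, port)].add(c["resp_h"])
    for (src, proto, port), targets in scan_targets.items():
        if len(targets) >= SCAN_HOST_THRESHOLD:
            alerts.append({"rule": "ics_port_scan", "uid": None, "src": src,
                           "dst": f"{len(targets)} hosts",
                           "port": f"{proto}/{port}"})
    return alerts


# Constructed sample records (not real traffic).
SAMPLE_CONN_LINES = ["\t".join(f) for f in [
    # One workstation probing Modbus/TCP on six addresses in the PLC VLAN.
    ("1650000001.1", "C1", "10.10.1.50", "50001", "10.10.5.20", "502", "tcp"),
    ("1650000001.2", "C2", "10.10.1.50", "50002", "10.10.5.21", "502", "tcp"),
    ("1650000001.3", "C3", "10.10.1.50", "50003", "10.10.5.22", "502", "tcp"),
    ("1650000001.4", "C4", "10.10.1.50", "50004", "10.10.5.23", "502", "tcp"),
    ("1650000001.5", "C5", "10.10.1.50", "50005", "10.10.5.24", "502", "tcp"),
    ("1650000001.6", "C6", "10.10.1.50", "50006", "10.10.5.25", "502", "tcp"),
    # Same host then reaches a Schneider PLC on UDP/1740 and an Omron PLC on Telnet.
    ("1650000010.0", "C7", "10.10.1.50", "50100", "10.10.5.20", "1740", "udp"),
    ("1650000011.0", "C8", "10.10.1.50", "50101", "10.10.6.30", "23", "tcp"),
    # A PLC opening a connection to an address outside the site.
    ("1650000012.0", "C9", "10.10.5.21", "49152", "203.0.113.8", "443", "tcp"),
    # Normal HMI polling of a single PLC stays below the scan threshold.
    ("1650000013.0", "C10", "10.10.2.10", "40000", "10.10.5.20", "502", "tcp"),
]]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_CONN_LINES):
        print(alert)
```

The scan rule is the one that needs tuning in practice: an HMI or historian legitimately polls many PLCs on TCP/502, so the source exclusions the Armis queries apply (network equipment, vulnerability scanners) should be mirrored by listing those hosts in an allow-list before raising the alert. The external-connection rule depends entirely on the accuracy of the internal range list and the PLC inventory, which is why asset visibility comes first.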
Not an Armis customer? No worries, we can still help! Armis offers a free Quick Asset Visibility Assessment with our agentless, cloud-based platform to help you find and identify vulnerable assets. Our platform works with your existing infrastructure to give you a complete, real-time inventory you can rely on.
Staying Ahead of the Game
Mapping out your connected assets and understanding which of them can be impacted by this and other critical vulnerabilities helps IT and security teams respond to threats and improve the overall security posture. The Armis platform’s asset visibility and intelligence can improve overall asset management, IT hygiene, threat detection and response, and even reduce costs. To find out more, contact us today.