'Irongate' attack looks like Stuxnet, quacks like Stuxnet ...

Accepted submission by x at 2016-06-05 06:01:38
News

Story automatically generated by StoryBot Version 0.0.1f (Development).


FeedSource: [TheRegister] collected from rss-bot logs

Time: 2016-06-03 06:02:54 UTC

Original URL: http://www.theregister.co.uk/2016/06/03/laboratory_ics_malware_masks_attack_with_replayed_normal_traffic/ [theregister.co.uk]

Title: 'Irongate' attack looks like Stuxnet, quacks like Stuxnet ...


'Irongate' attack looks like Stuxnet, quacks like Stuxnet ...

FireEye threat researchers have found a complex malware instance that borrows tricks from Stuxnet and is specifically designed to work on Siemens industrial control systems.

Josh Homan, Sean McBride, and Rob Caldwell named the malware "Irongate" and say it is probably a proof-of-concept that is likely not used in the wild.

Industrial control system malware is a complex beast, in large part because exploitation requires knowledge of often weird, archaic, and proprietary systems.

The steep learning curve required to grok such systems limits the risk presented by the many holes they contain.

It is this that makes Irongate interesting. The malware is also unique in that it employs man-in-the-middle attacks to capture normal traffic on human-machine interfaces (HMIs) and replay it, in a bid to mask anomalies during attacks.

That replay trick is reminiscent of work [theregister.co.uk] by IOActive researcher Alexander Bolshev, who told The Register how frequency and amplitude modifications in the waves generated by programmable logic controllers could allow attacks to be masked.
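As an added illustration that is not part of the original article or of FireEye's report: a defender-side check for the replay trick described above. It assumes process readings observed at the HMI arrive as a list of floats (the sample data below is constructed), and it relies on the fact that live sensor data carries noise, so a whole window of readings recurring bit-for-bit is a replay indicator; flat (idle) signals are skipped because they repeat legitimately.

```python
import hashlib
import random
from collections import deque
from typing import List, Tuple


def window_fingerprint(window) -> str:
    # Quantise to 3 decimals so equal readings always hash identically.
    data = ",".join(f"{v:.3f}" for v in window).encode()
    return hashlib.sha256(data).hexdigest()


def find_replays(readings: List[float], window: int = 8) -> List[Tuple[int, int]]:
    """Return (first_start, repeat_start) for each window that reappears exactly."""
    seen = {}            # fingerprint -> index where that window first appeared
    hits = []
    buf = deque(maxlen=window)
    for i, value in enumerate(readings):
        buf.append(value)
        if len(buf) < window:
            continue
        if len(set(buf)) == 1:
            continue     # flat signal (idle process) repeats legitimately
        start = i - window + 1
        fp = window_fingerprint(buf)
        if fp in seen:
            hits.append((seen[fp], start))
        else:
            seen[fp] = start
    return hits


def merge_hits(hits: List[Tuple[int, int]], window: int) -> List[Tuple[int, int, int]]:
    """Collapse overlapping window hits into (first_start, repeat_start, length)."""
    segments = []
    prev = None
    for first, repeat in hits:
        if prev is not None and (first, repeat) == (prev[0] + 1, prev[1] + 1):
            segments[-1][2] += 1      # extends the previous replayed segment
        else:
            segments.append([first, repeat, window])
        prev = (first, repeat)
    return [tuple(s) for s in segments]


def constructed_readings() -> List[float]:
    """Constructed sample: 100 noisy live readings, then a replay of readings 20..39."""
    rng = random.Random(7)
    live = [round(50.0 + rng.gauss(0, 0.5), 3) for _ in range(100)]
    return live + live[20:40]     # the tail stands in for replayed 'normal' traffic
```

Running `merge_hits(find_replays(constructed_readings()), 8)` reports a single replayed segment of 20 readings starting at index 100 that duplicates the readings starting at index 20.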

Irongate is also capable of detecting and evading VMware and Cuckoo sandboxes, whose presence usually indicates that white-hat researchers are examining the sample; this is a standard feature of well-designed malware.

The FireEye and Mandiant team found the malware on VirusTotal, likely uploaded by authors wanting to test their trojan for antivirus detection. No security platforms detected it.

"While Irongate malware does not compare to Stuxnet in terms of complexity, ability to propagate, or geopolitical implications, it leverages some of the same features and techniques," the team says [fireeye.com].

"Even though process operators face no increased risk from the currently identified members of the Irongate malware family, it provides valuable insight into adversary mindset."

The malware operates in Siemens simulated programmable logic controller (PLC) environments, which are used before live deployment, where it seeks out and replaces proprietary DLL files; it does not function in standard environments.

Its infection vector is unknown. ®


-- submitted from IRC

