• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Ursnif Banking Trojan – Active IOCs
April 14, 2022
Rewterz Threat Alert – ZLoader’s Botnet Disruption by Microsoft – Active IOCs
April 14, 2022

Rewterz Threat Alert – ICS/SCADA Devices Under Attack Using APT Tools

April 14, 2022

Severity

High

Analysis Summary

APT groups have created custom-made tools to attack and infiltrate ICS/SCADA devices. These tools have been recently observed in control specific devices and attacks. The tools can be used to scan for affected devices, compromise them, and also control them. Known vulnerabilities are also being exploited by the threat actors. The following devices are being exploited by APT actors:

  1. Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
  2. OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NXSL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
  3. OPC Unified Architecture (OPC UA) servers.

A known vulnerability CVE-2020-15368 in which an ASRocksigned motherboard driver, AsrDrv103.sys is being exploited to run malicious codes on windows servers. Lateral movement and disruption of critical devices are only part of the attack capabilities of these APT tools. The tools can also:

  1. Identify all Schneider PLCs by running a rapid scan.
  2. Passwords for e Schneider Electric PLCs can also be identified using brute-force attacks.
  3. Conduct a denial-of-service attack.
  4. Crash PLCs using a “packet of death” attack.
  5. Retrieve MAC addresses.
  6. Backup and restore files from the PLC.

Impact

  • Data Theft
  • Denial Of Service
  • System Performance Degradation
  • Financial Loss

Affected Vendors

  • Schneider Electric
  • Omron
  • OPC UA

Remediation

  • ICS/SCADA systems and networks should be isolated from internal and corporate networks.
  • Multifactor authentication should be enabled for all ICS networks.
  • Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
  • Never maintain default passwords. Use unique and strong passwords to mitigate dictionary and brute-force attacks.
  • Backup your data. Any damage in case of a successful attack will be mitigated if data is backed up.
  • Limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
  • Set up a Web Application Firewall with rules to block suspicious and malicious requests.
  • Log your IT/OT environment’s network activity and web server activity.
  • Monitor systems for loading of unusual drivers, especially for ASRock drivers.
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.