Attackers planting banking Trojans in industrial systems

SCADA insecurity not just about Stuxnet

Trend Micro researcher Kyle Wilhoit says the latest attacks on SCADA and industrial control networks are turning out to carry rather pedestrian banking Trojans, and have been on the rise since October 2014.

Talking to DarkReading, Wilhoit said rather than Stuxnet-style attacks, ne'er-do-wells are dropping banking Trojans into these networks disguised as updates to SCADA software.

So far, the DarkReading piece says, he's seen the attack software disguised as Siemens' Simatic WinCC, GE Cimplicity, and Advantech device drivers.

Rising numbers of attacks on SCADA environments in recent years have put sysadmins on edge. Apart from the nation-state-level Stuxnet, there's been a growing number of bugs identified in SCADA software.

Apart from generic bugs like Heartbleed and Poodle, which are inherited via popular libraries the vendors deploy, industrial systems also suffer from all-too-common problems like hard-coded passwords and remote-access bugs. The SCADA-specific Havex and BlackEnergy attacks also grabbed headlines in 2014.

That makes the banking Trojan more unexpected, Wilhoit said, adding: “The ultimate end goal here is probably not industrialised espionage, but to get banking credentials”.

That, of course, assumes that there are industrial controllers whose owners allow operators to use as bank login points.

Wilhoit adds that many industrial control systems use Windows as the human interface platform, and users in those environments don't seem particularly diligent at running anti-virus and other security software.

He notes that a successful crimeware attack on a Windows-based industrial controller would be catastrophic even if it didn't make a steel plant explode: if, for example, someone deployed a Cryptolocker-based attack against the control system, it would be rendered unusable.

“HMI systems are very finicky, so it doesn't take much to make these things fall over. Financial information could be stolen, but what if an [HMI] box drops inadvertently?” Wilhoit added.

He will be detailing his findings at Miami's S4 ICS/SCADA conference next week. ®




Biting the hand that feeds IT © 1998–2018