(SecurityWeek – Eduard Kovacs) – Remote administration tools (RATs) installed for legitimate purposes in operational technology (OT) networks can pose a serious security risk, allowing malicious actors to abuse them in attacks aimed at industrial organizations, Kaspersky Lab warns.
A report published on Friday by the security firm reveals that, on average, in the first half of 2018, legitimate RATs were found on more than two-thirds of computers used for industrial control systems (ICS).
The highest percentage of ICS computers with RATs was found in Kazakhstan, where over half of all analyzed systems had a remote admin tool installed. In the United States, 29% of the devices monitored by Kaspersky had a legitimate RAT. It’s worth noting that this does not include the remote desktop tool found by default in Windows.
Industrial organizations may use RATs to control or monitor HMIs or SCADA systems from a workstation, to connect multiple operators to one workstation, or to connect computers on the corporate network to devices on the OT network.
“Some of [these scenarios] indicate that the use of RATs on the OT network can be explained by operational requirements, which means that giving up the use of RATs would unavoidably entail modifications to work processes,” Kaspersky researchers said.
In 18% of cases observed by the security firm, legitimate RATs were installed as part of the ICS software distribution package, while the rest were specifically installed by employees or suppliers. There are also cases where attackers stealthily install RATs to gain access to the targeted organization’s systems.
Legitimately installed tools can introduce serious security risks as they often require elevated privileges, they don’t support two-factor authentication, they don’t restrict local access, they are impacted by vulnerabilities, and they make use of relay servers to bypass security restrictions applied to the network perimeter.
“The most critical RAT-related problem is the use of elevated privileges and the absence of any means to limit these privileges (or to restrict a remote user’s local access). In practice, this means that if attackers (or malware) gain access to a remote user’s computer, steal authentication data (login/password), hijack an active remote administration session or successfully attack a vulnerability in the RAT’s server part, they will gain unrestricted control of the ICS system. By using relay servers for reverse connections, attackers can also connect to these RATs from anywhere in the world,” researchers explained.
Another problem with the use of RATs is that they make it very difficult for security services and teams to distinguish legitimate activity from malicious activity.
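One defender-side way to make that distinction tractable is to audit remote-admin sessions on OT hosts against an explicit baseline (approved tool per host, approved source network, maintenance window, no relay-brokered connections). The script below is an added example, not part of the Kaspersky report or this article; the log format, host names, tool names, network range and time window are constructed for illustration.

```python
from datetime import datetime, time
import ipaddress

# Constructed baseline: which RATs are sanctioned on which OT hosts, from where, and when.
APPROVED_TOOLS = {"hmi-01": {"VendorRemote"}, "eng-ws-02": {"VendorRemote", "TeamViewer"}}
ENGINEERING_NET = ipaddress.ip_network("10.20.0.0/16")  # constructed: approved jump hosts live here
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))          # constructed: approved hours for remote work


def parse_line(line: str) -> dict:
    """Parse a constructed session record:
    '<iso-time> <host> <tool> user=<u> src=<ip> relay=<yes|no>'"""
    ts, host, tool, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"time": datetime.fromisoformat(ts), "host": host, "tool": tool, **fields}


def check_session(ev: dict) -> list:
    """Return every way a single session deviates from the baseline (empty list = looks legitimate)."""
    reasons = []
    if ev["tool"] not in APPROVED_TOOLS.get(ev["host"], set()):
        reasons.append("tool not in approved inventory for this host")
    if ev.get("relay") == "yes":
        # Reverse connections via a vendor relay bypass perimeter rules and can originate anywhere.
        reasons.append("connection brokered through relay server")
    if ipaddress.ip_address(ev["src"]) not in ENGINEERING_NET:
        reasons.append("source address outside engineering network")
    start, end = MAINTENANCE_WINDOW
    if not (start <= ev["time"].time() <= end):
        reasons.append("session outside maintenance window")
    return reasons


def audit(lines) -> list:
    """Run every record through the baseline and return (host, tool, reason) findings."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        findings.extend((ev["host"], ev["tool"], r) for r in check_session(ev))
    return findings


SAMPLE_LOG = [  # constructed sample records, not real telemetry
    "2018-06-12T10:15:00 hmi-01 VendorRemote user=ops1 src=10.20.5.7 relay=no",
    "2018-06-12T02:40:00 hmi-01 TeamViewer user=ops1 src=203.0.113.9 relay=yes",
    "2018-06-12T14:05:00 eng-ws-02 TeamViewer user=vendor3 src=10.20.9.1 relay=no",
]

if __name__ == "__main__":
    for host, tool, reason in audit(SAMPLE_LOG):
        print(f"{host} {tool}: {reason}")
```

The second sample record trips all four checks, which is the pattern the article describes: an unsanctioned tool reaching an HMI through a relay from outside the plant network at night.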
Kaspersky has seen several attacks where malicious actors had installed tools such as TeamViewer or Remote Manipulator System (RMS). However, in the case of a car manufacturer, experts noticed that hackers had abused a tool installed for legitimate purposes after obtaining its access credentials.
“The ability to manipulate the ICS remotely significantly reduces maintenance costs, but at the same time, uncontrolled remote access, the inability to provide 100% verification of the remote client’s legitimacy, and the vulnerabilities in RAT code and configuration significantly increase the attack surface. At the same time, RATs, along with other legitimate tools, are increasingly used by attackers to mask malicious activity and make attribution more difficult,” Kaspersky said.
Legitimate Remote Admin Tools Pose Serious Risk to Industrial Systems
