Triton Hackers Focus on Maintaining Access to Compromised Systems, Report Says
(SecurityWeek – Eduard Kovacs) – The tools and techniques used by the threat group behind the notorious Triton malware show that the hackers are focused on maintaining access to compromised systems, according to FireEye.
The existence of Triton, also known as Trisis and HatMan, came to light in 2017 after the malware had caused disruptions at an oil and gas plant in Saudi Arabia. FireEye’s Mandiant was called in to investigate the incident and the company has been tracking the threat ever since.
FireEye revealed on Wednesday that it recently responded to another attack carried out by the Triton group against a critical infrastructure facility.
The cybersecurity firm says it has come across several custom tools used by the threat actor, including ones designed for credential harvesting (SecHack, WebShell), remote command execution (NetExec), and several backdoors based on OpenSSH, Bitvise, PLINK and Cryptcat. The attackers have also relied on widely available tools, such as Mimikatz.
“The actor’s custom tools frequently mirrored the functionality of commodity tools and appear to be developed with a focus on anti-virus evasion. The group often leveraged custom tools when they appeared to be struggling with anti-virus detection or were at a critical phase in the intrusion (e.g., they switched to custom backdoors in IT and OT DMZ right before gaining access to the engineering workstation),” FireEye researchers explained. “In some instances, the actor leveraged custom and commodity tools for the same function. For example, they used Mimikatz (public) and SecHack (custom) for credential harvesting.”
FireEye, which previously linked Triton to a research institute owned by the Russian government, pointed out that disruptive attacks aimed at industrial environments take a lot of preparation. In one attack analyzed by the company, the attackers had been present in the target’s network for nearly a year before gaining access to an engineering workstation in charge of safety instrumented systems (SIS).
In the attack on the Saudi Arabian oil company, the attackers targeted SIS products made by Schneider Electric and leveraged a zero-day vulnerability affecting the industrial giant’s Triconex products.
Unlike in espionage operations, the attackers focused on maintaining access, moving laterally, conducting reconnaissance, and avoiding being detected, rather than stealing information from compromised devices.
They also took steps to cover their tracks, hide their activities, and make it more difficult for researchers to examine their tools and techniques. They did this by renaming their tools to look like legitimate files, using standard utilities (e.g., RDP, WinRM), relying on SSH-based tunnels to transfer data, using infrequently accessed folders, and deleting tools, logs and other files.
“They attempted to reduce the chance of being observed during higher-risk activities by interacting with target controllers during off-hour times. This would ensure fewer workers were on site to react to potential alarms caused by controller manipulation,” FireEye researchers said.
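The two behaviours described above, tools renamed to look like legitimate files and controller interaction during off-hours, both leave traces in ordinary endpoint telemetry. The following is an added example (not FireEye's or SecurityWeek's code) that runs two simple detection rules over constructed Sysmon-style process and network events; the host names, paths, tool name `engtool.exe`, and the controller subnet `10.10.5.0/24` are hypothetical.

```python
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not real telemetry).
# orig_name = the PE's embedded OriginalFileName; image = the path it ran from.
EVENTS = [
    {"time": "2019-04-09T14:12:03", "host": "ITDMZ01",
     "image": r"C:\Windows\Temp\svchost.exe", "orig_name": "mimikatz.exe", "dest": None},
    {"time": "2019-04-09T02:41:55", "host": "EWS01",
     "image": r"C:\Tools\engtool.exe", "orig_name": "engtool.exe", "dest": "10.10.5.20"},
    {"time": "2019-04-09T10:05:17", "host": "EWS01",
     "image": r"C:\Tools\engtool.exe", "orig_name": "engtool.exe", "dest": "10.10.5.20"},
    {"time": "2019-04-09T11:30:00", "host": "OTDMZ01",
     "image": r"C:\Windows\System32\notepad.exe", "orig_name": "NOTEPAD.EXE", "dest": None},
]

CONTROLLER_NET = "10.10.5."      # hypothetical SIS/controller subnet prefix
BUSINESS_HOURS = range(7, 19)    # staffed hours 07:00-18:59 local, Monday-Friday


def renamed_binary(ev):
    """On-disk file name differs from the PE's OriginalFileName (tool masquerading)."""
    on_disk = PureWindowsPath(ev["image"]).name.lower()
    return bool(ev["orig_name"]) and on_disk != ev["orig_name"].lower()


def off_hours_controller_access(ev):
    """Traffic to the controller subnet outside staffed hours or on a weekend."""
    if not ev["dest"] or not ev["dest"].startswith(CONTROLLER_NET):
        return False
    t = datetime.fromisoformat(ev["time"])
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS


RULES = {
    "renamed_binary": renamed_binary,
    "off_hours_controller_access": off_hours_controller_access,
}


def triage(events):
    """Return (rule, host, time) for every event that matches a rule."""
    return [(name, ev["host"], ev["time"])
            for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

The business-hours window and the controller subnet are the two site-specific inputs a defender would tune; everything else is generic to any environment that records OriginalFileName and destination addresses.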
The threat actor behind Triton is believed to have been active since at least 2014, but the methods it has used have helped it avoid exposure of its operations and tools. The group’s malware was first detected after they accidentally triggered a process shutdown at the plant in Saudi Arabia.
Industrial cybersecurity firm Dragos, which tracks the group behind Triton as Xenotime, reported last year that the hackers had expanded their list of targets to outside the Middle East and had started targeting safety systems other than ones made by Schneider Electric.