Slashdot Mirror


Forget Stuxnet: Banking Trojans Attacking Power Plants

New submitter PLAR writes: Everyone's worried about the next Stuxnet sabotaging the power grid, but a security researcher says there's been a spike in traditional banking Trojan attacks against plant floor networks. The malware poses as legitimate ICS/SCADA software updates from Siemens, GE and Advantech. Kyle Wilhoit, the researcher who discovered the attacks, says the attackers appear to be after credentials and other financial information, so it looks like pure cybercrime, not nation-state activity.

7 of 34 comments

  1. pure cybercrime, not nation-state by fustakrakich · · Score: 4, Interesting

    How do you distinguish the two?

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:pure cybercrime, not nation-state by Anonymous Coward · · Score: 3, Insightful

      The cybercriminals target your wallet, while the nation-state targets you.

  2. Are they after Diebold? by 140Mandak262Jamuna · · Score: 3, Informative

    Diebold is the ATM maker with near-monopoly market share. They also make voting machines. There were lots of conspiracy theories from the left that there are backdoors and secret keys that could be used to remotely steal an election. Mostly based on tenuous facts, like the top managers of Diebold donated (caution, pun ahead) liberally to conservatives. So they might believe there are secret backdoors to all Diebold machines, including ATMs.

    There are lots of stories of how bad Diebold is at upgrades, that most ATMs are running on WinXP, and how they can be made to dispense cash with remote exploits. Though it all requires physical access to the USB ports inside the machine first.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Are they after Diebold? by Firethorn · · Score: 4, Insightful

      Though it all requires physical access to the USB ports inside the machine first.

      The ones protected by armor plate? That's a bit like complaining that safes aren't safe because they can be drilled.

      Not only do you need to know how to do the hack, you have to know where to drill and how far.

      If they're showing up with that much invested in it they're getting the money out of the ATM/Safe no matter what.

      --
      I don't read AC A human right
    2. Re:Are they after Diebold? by 140Mandak262Jamuna · · Score: 4, Informative

      Bribe the low-paid worker who services the machine to plug in a USB fob for a few minutes, unplug the device and walk away. There were some ATM machines where if you use a coat hanger to snag the edge of the plastic cover and pull, you could expose a USB port under the screen. Once the malware is uploaded into the machine, then it can be made to remotely dispense cash. Again they recruit low-paid mules to actually pick up the cash.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  3. Why aren't these networks air gapped? by ErichTheRed · · Score: 3, Interesting

    SCADA and the like are the worst things to have available on an accessible network. Vendors never update their software, everything's insecure by default, etc.

    I've worked in environments like this, and some of the equipment is just not possible to secure without leaving it on its own network. It makes maintenance a nightmare -- sneakernetting patches, software updates, AV signatures, etc. I know an air gap isn't a guarantee of security, but it at least prevents dumb things like drive-by downloads on someone's computer affecting production equipment.

    Working with vendors of some of this stuff is equally bad... most of them deny a problem exists. And even if they acknowledge a problem, they won't lift a finger to fix it, because they just have to say it's secure if installed as per their instructions. I've seen lots of software for control systems, etc. with 15- or 20-year-old software libraries gluing everything together. (Using the 15-year-old version now, I mean.) The vendor knows they're one of a handful of firms providing stuff like this, and they know that companies don't care about information security anyway. (One example of this from outside of the manufacturing industry -- I was integrating a very specific peripheral for a customer, and the vendor absolutely refused to digitally sign the Windows drivers, rendering it nearly impossible to install on 64-bit Windows.) A lot of people might say "that's what you get with closed source," but open source libraries and other code have their problems as well.

  4. Inconceivable! by nurbles · · Score: 5, Insightful

    Any company that has a SCADA system that is allowed to automatically install any sort of update needs new management. I write software for industrial SCADA systems (many of them nuclear, but some not) and absolutely NONE of them have any form of automatic update enabled. That goes for the operating system platform; even anti-virus packages (when they are used) must be manually updated after the update has been tested in a sandbox lab system. Even a well-intentioned update may disrupt a SCADA system's operation, so why would anyone in their right mind allow a SCADA system, the operating system it runs on, or any other software running on the same machine to automatically update itself? Sorry, but that's just insane. At best, SCADA systems should have a one-way data flow (preferably on a serial link with the receive line physically CUT), but none of them should accept input from outside their physically controlled environments.

    Except for toys and things like that.
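The test-then-approve update process nurbles describes, as an added example that is not part of the original thread or of any vendor's tooling: a small Python gate that lets an update file onto a SCADA host only if its SHA-256 matches an entry in an approval manifest written by the lab after sandbox testing. Because the malware in the summary poses as a legitimate Siemens/GE/Advantech update, the gate treats both "not in the manifest" and "same file name, different bytes" as refusals. The manifest format, file names and payload bytes are all constructed for this example.

```python
import hashlib
import hmac
import json
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def sha256_file(path: str) -> str:
    """Stream the file so large vendor packages don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(approved_paths, approver: str, manifest_path: str) -> None:
    """Lab side: record the hash of every file that passed sandbox testing.
    The JSON layout is an assumption made for this example."""
    manifest = {
        "approved_by": approver,
        "files": {os.path.basename(p): sha256_file(p) for p in approved_paths},
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)


def vet_update(path: str, manifest_path: str) -> Decision:
    """Plant side: refuse anything not byte-identical to what the lab approved."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    name = os.path.basename(path)
    expected = manifest["files"].get(name)
    if expected is None:
        return Decision(False, f"{name}: not in the approval manifest")
    actual = sha256_file(path)
    # Constant-time compare is cheap here and avoids a needless timing side channel.
    if not hmac.compare_digest(actual, expected):
        return Decision(False, f"{name}: hash mismatch, expected {expected[:12]}... got {actual[:12]}...")
    return Decision(True, f"{name}: matches hash approved by {manifest['approved_by']}")


def demo() -> dict:
    """Run the gate against three constructed files and return the decisions."""
    with tempfile.TemporaryDirectory() as d:
        # The package the lab actually tested.
        good = os.path.join(d, "lab", "hmi_patch_4.2.exe")
        os.makedirs(os.path.dirname(good))
        with open(good, "wb") as f:
            f.write(b"constructed vendor update payload")
        manifest = os.path.join(d, "approved.json")
        write_manifest([good], approver="lab-tester", manifest_path=manifest)

        # What arrives at the plant: the approved file, a same-named copy with
        # altered bytes, and a package nobody tested.
        tampered = os.path.join(d, "incoming", "hmi_patch_4.2.exe")
        os.makedirs(os.path.dirname(tampered))
        with open(tampered, "wb") as f:
            f.write(b"constructed vendor update payload" + b"\x00")
        unknown = os.path.join(d, "incoming", "untested_update.exe")
        with open(unknown, "wb") as f:
            f.write(b"constructed untested package")

        return {
            "approved": vet_update(good, manifest).allowed,
            "tampered": vet_update(tampered, manifest).allowed,
            "unknown": vet_update(unknown, manifest).allowed,
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'install' if allowed else 'REFUSE'}")
```

The manifest is the thing that crosses the air gap together with the tested files; the plant-side machine never decides on its own what an "update" is, which is exactly the property the automatic-update mechanisms in the summary lack.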