Slashdot Mirror


Attackers Deploy 'Triton' Malware Against Industrial Safety Equipment (securityweek.com)

wiredmikey writes: A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye said on Thursday. The malware, which has been dubbed "Triton," is designed to target Schneider Electric's Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation. The investigation found that the attackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but they may have done it inadvertently while trying to determine how they could cause physical damage.

2 of 30 comments

  1. Re:Don't worry by nnull · Score: 3, Informative

    It's not like you have to do much. Most of these manufacturers don't care about security, because it's an additional cost. You'd be surprised how many machines out there are just openly connected to the internet, because ooo wow, we made a phone app so you can see how your production is going, but you have to open port xxx on your firewall. When I tell these guys no, they all go into a fury and try to talk down to me like a child (at least most American machine manufacturers do).

    When I ask for encryption and security precautions from manufacturers, they just look at me funny and think I'm crazy. If you think I'm joking, just scan through a bunch of IPs and enjoy how much high-tech equipment is just out there in the open where you can completely obliterate someone's manufacturing process. It's not like it hasn't happened before, you know. Knowledge of SCADA systems? What the hell for? Most of these idiots run some unsecured remote access, so you can easily press buttons like you're there. My favorite latest thing these guys do now is install TeamViewer on these machines (free version of course; surprised TeamViewer hasn't gone after these people for using it for commercial use, big-name manufacturers too that I can easily name). With some social engineering, you can easily get the TeamViewer ID and password. Nobody ever changes it, like, ever. These are "professionals" doing this on a daily basis, by the way.

    What I quite hate is how after these places get hacked, they claim the hacker is some sort of genius who meticulously planned this attack, when all he did was log in to the PLC or some Windows-based operator console and mess with the whole thing.

  2. Re:Don't worry by thegarbz · Score: 3, Informative

    This is actually quite interesting. It looks like the remote access was to the engineering workstation, which by its very nature needs to be networked with the control system. This doesn't sound like some vendor's bullshit idea but rather that the plant engineers had no idea what they were doing. Also, since this is an SIS system, there's no reason for it to require remote access, and any of your talk about fancy apps and whatnot doesn't really apply.

    There are far more interesting things under here as well, either:
    a) write access was enabled via the keyswitch on the Tricon chassis which is a really stupid thing to do permanently, or
    b) far worse: the keyswitch doesn't prevent writing to the program space and is just a trigger for the software not to proceed. This would be a huge failing, one that would likely get TÜV to strip their certification against the IEC standard for this.

    Watching keenly. We've got these systems everywhere.