I am subscribed to the Homeland Security National Cyber Awareness System and will begin posting these cyber-security bulletins here for all of you, my dedicated readers.
The United States Computer Emergency Readiness Team (US-CERT) strives for a safer, stronger internet for all Americans by responding to major incidents, analyzing threats, and exchanging critical cyber-security information with trusted partners around the world.
TA17-163A: CrashOverride Malware
06/12/2017 05:44 PM EDT
Original release date: June 12, 2017
Industrial Controls Systems
The National Cybersecurity and Communications Integration Center (NCCIC) is aware of public reports from ESET and Dragos outlining a new, highly capable Industrial Controls Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine. As reported by ESET and Dragos, the CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors. NCCIC is working with its partners to validate the ESET and Dragos analysis, and develop a better understanding of the risk this new malware poses to the U.S. critical infrastructure.
Although this activity is still under investigation, NCCIC is sharing this report to provide organizations with detection and mitigation recommendations to help prevent future compromises within their critical infrastructure networks. NCCIC continues to work with interagency and international partners on this activity and will provide updates as information becomes available.
For a downloadable copy of IOCs, see:
To report activity related to this Alert, please contact NCCIC at NCCICCustomerService@hq.dhs.gov or 1-888-282-0870.
|NCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level (Color)
|A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
There is no evidence to suggest this malware has affected U.S. critical infrastructure. However, the tactics, techniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target U.S. critical information networks and systems.
CrashOverride malware represents a scalable, capable platform. The modules and capabilities publically reported appear to focus on organizations using ICS protocols IEC101, IEC104, and IEC61850, which are more commonly used outside the United States in electric power control systems. The platform fundamentally abuses a targeted ICS system’s legitimate control systems functionality to achieve its intended effect. While the known capabilities do not appear to be U.S.-focused, it is more important to recognize that the general TTPs used in CrashOverride could be leveraged with modified technical implementations to affect U.S.-based critical infrastructure. With further modification, CrashOverride or similar malware could have implications beyond electric power so all critical infrastructure organizations should be evaluating their systems to susceptibilities in the TTPs outlined. The malware has several reported capabilities:
- Issues valid commands directly to remote terminal units (RTUs) over ICS protocols. As reported by Dragos, one such command sequence toggles circuit breakers in a rapid open-close-open-close pattern. This could create conditions where individual utilities may island from infected parties, potentially resulting in a degradation of grid reliability.
- Denies service to local serial COM ports on windows devices, therefore preventing legitimate communications with field equipment over serial from the affected device.
- Scans and maps ICS environment using a variety of protocols, including Open Platform Communications (OPC). This significantly improves the payload’s probability of success.
- Could exploit Siemens relay denial-of-service (DoS) vulnerability, leading to a shutdown of the relay. In this instance, the relay would need to be manually reset to restore functionality.
- Includes a wiper module in the platform that renders windows systems inert, requiring a rebuild or backup restoration.
As CrashOverride is a second stage malware capability and has the ability to operate independent of initial C2, traditional methods of detection may not be sufficient to detect infections prior to the malware executing. As a result, organizations are encouraged to implement behavioral analysis techniques to attempt to identify pre-courser activity to CrashOverride. As additional information becomes available on stage one infection vectors and TTPs, this alert will be updated.
NCCIC is providing a compilation of indicators of compromise (IOCs) from a variety of sources to aid in the detection of this malware in the appendices. The sources provided do not constitute an exhaustive list and the U.S. Government does not endorse or support any particular product or vendor’s information referenced in this report. However, NCCIC has included this data to ensure wide distribution of the most comprehensive information available and will provide updates as warranted.