New Threats Target Infrastructure and Identities

By Roy Urrico, 12.27.2017

New cybersecurity threats could create some holiday havoc. Dangers include malware targeting industrial facilities and core infrastructures and a Trojan snatching usernames and passwords from Excel spreadsheets.

Hackers employing a new form of malware called Triton shut down a critical infrastructure firm in the Middle East, according to cybersecurity researchers from FireEye's Mandiant.

It is one of the few malware families known to have been developed specifically to attack industrial processes and core infrastructure. Creighton Magid, a partner at the international law firm Dorsey & Whitney who specializes in product liability and cybersecurity and has worked extensively with the Consumer Product Safety Commission, said the discovery should put industries and IT professionals on high alert.

"Triton appears to be the latest generation of malware targeting industrial control systems for the purpose of disrupting or destroying an industrial process, rather than for stealing data," Magid said. He added that the first two were Stuxnet, used to destroy nuclear enrichment centrifuges in Iran, and Industroyer, which attacked Ukrainian power facilities.

"Triton appears to work by reprogramming the controllers of a Safety Instrumented System, a control system that monitors, through sensors and actuators, a physical process. By taking control of the SIS, a bad actor can either shut down an industrial process by tricking the SIS into erroneously thinking something is wrong with the industrial process, or can damage or destroy an industrial process by causing the industrial process to operate in an unsafe way without triggering a shutdown or warning," Magid said. The malware could cause both economic and catastrophic damage, Magid warned.

"The emergence of Triton underscores the need for factories and utilities to evaluate their cyber vulnerabilities and to rethink their control and cyberdefense strategies. The laggards are going to face huge financial risks, not only from the event itself, but also from liability to shareholders, customers and others," Magid said.

Redwood City, Calif.-based Lastline uncovered a new attack vector launched through Microsoft Excel spreadsheets that has recently expanded into other Office applications. The challenge is not only the novel technique used but also the difficulty of detecting it in its early stages. Lastline suggested in a blog post, "When Scriptlets Attack," that too often companies, for lack of malware behavior analysis, dismiss alerts as false positives, losing precious time during which the malware is busy stealing credentials.

In the post, Lastline Labs described the new infection method in Microsoft Excel spreadsheets, first seen Nov. 29, when only three tools detected it as malicious. "With such a low detection rate of this method of attack, many organizations would be at the mercy of the scriptlets payload. Indeed, with only three detections, many would consider the original Excel infection vector to be a false positive and do no further investigation or remediation of this attack." The payload delivered by the Excel scriptlet is Loki, a notorious credential-stealing malware tuned to exfiltrate usernames and passwords.

This creates a double threat, Lastline blogger Andy Norton, director of threat intelligence, explained. First, the low detection rate of the infection vector leans people towards a false-positive verdict. Second, even if they discover the main payload, teams often incorrectly implement mitigation of the Loki threat. "This leaves the victimized organization open to a secondary malware-less attack when the exfiltrated credentials are used by subsequent threat actors to gain unauthorized access and then try to move around inside the network."

Lastline found a client infected via a malicious Excel spreadsheet that communicated with a domain and installed a generic Trojan. The Trojan was subsequently detected and the client system reimaged. Further study of the logs found that the generic Trojan had made some callbacks to a command and control server, but because no lateral movement was detected, the team decided to close the incident.
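As an added example, not taken from the article or from Lastline's own tooling, the following triage routine applies the two lessons above: a low engine hit count paired with suspicious behavior is not a false positive, and a reimaged host with no lateral movement is not a closed incident while exfiltrated credentials remain valid. The event shapes, host name, user names and callback domain are constructed placeholders.

```python
from collections import namedtuple

# Minimal normalized endpoint event: ISO timestamp, host, event kind, free-text detail.
Event = namedtuple("Event", "ts host kind detail")

OFFICE_APPS = ("EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE")

# Constructed timeline for one workstation (placeholder names, not real indicators).
SAMPLE_EVENTS = [
    Event("2017-11-29T08:30:00", "WS-0417", "logon_session", "user=jdoe"),
    Event("2017-11-29T09:02:10", "WS-0417", "office_child", "EXCEL.EXE spawned a script host"),
    Event("2017-11-29T09:02:31", "WS-0417", "net_out", "callback to c2.example.invalid:443"),
    Event("2017-11-29T09:40:00", "WS-0417", "av_alert", "Generic.Trojan (3 of 60 engines)"),
    Event("2017-11-29T09:50:00", "WS-0417", "logon_session", "user=svc_backup"),
    Event("2017-11-29T11:15:00", "WS-0417", "remediation", "host reimaged"),
    Event("2017-11-29T11:20:00", "WS-0417", "lateral_movement", "none observed"),
]


def behaviour_seen(events):
    """True when an Office app spawned a script host and the host later called out."""
    spawns = [e.ts for e in events
              if e.kind == "office_child" and e.detail.startswith(OFFICE_APPS)]
    callbacks = [e.ts for e in events if e.kind == "net_out"]
    return any(c > s for s in spawns for c in callbacks)


def is_false_positive(engines_hit, engines_total, events):
    """Low engine agreement (< 10%) only supports a false-positive verdict
    when no credential-theft behaviour was observed on the host."""
    return engines_hit * 10 < engines_total and not behaviour_seen(events)


def required_actions(events):
    """Reimaging alone is not enough once a stealer has called out: every
    account that held a session on the host must be treated as exposed."""
    actions = ["reimage host"]
    if behaviour_seen(events):
        users = sorted({e.detail.split("=", 1)[1] for e in events
                        if e.kind == "logon_session"})
        actions += ["reset credentials: " + u for u in users]
        actions.append("monitor for reuse of exposed credentials from new sources")
    return actions


def may_close(events):
    """'No lateral movement' does not close the case; a credential reset does."""
    reimaged = any(e.kind == "remediation" for e in events)
    reset = any(e.kind == "cred_reset" for e in events)
    return reimaged and (reset or not behaviour_seen(events))
```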

Reprinted with permission from Credit Union Times.