The Industrial control systems (ICS) security teams are actively fighting against a worm that is breaching and compromising the defense mechanisms of the air-gapped systems.
A China-linked nation-state actor was suspected in a series of attacks on Eastern European industrial firms last year, targeting air-gapped systems for data theft.
Cybersecurity researchers at Kaspersky ICS-CERT recently discovered a novel second-stage malware evading air-gapped data security, targeting ICS and critical infrastructure in Eastern Europe.
New Malware Evading Air-Gapped Data Security
This works as an advanced tool that enables threat actors to perform the following illicit activities:
- Data extraction
- Development of third-stage tools
- Transmission of harvested data
Security analysts also discovered two implants that extracted data from the systems. The implants that researchers detect are:-
- A sophisticated modular malware: This implant shapes the removable drives, infects them with the worm, and then exfiltrates data from air-gapped Eastern European industrial networks.
- Data Stealer: Since it’s a data-stealing implant, so, this data-stealing implant sends local computer data to Dropbox via next-stage implants.
While the systems targeted by the threat actors are mainly infected or compromised, they then use these implants for the second stage of the attack.
Tasks Performed by the Modules
Moreover, the air-gapped data exfiltration malware infects the removable drives with three different modules and they all are used to perform various tasks.
Here below, we have mentioned all the tasks that are performed by the malicious modules:-
- Profiling removable drives
- Handling removable drives
- Capturing screenshots
- Planting second-step malware on newly connected drives
Not only that, even the researchers at Kaspersky found threat actors evading the detection via encrypted payloads hidden in separate binary data files and using DLL hijacking and memory injections.
Recommendations
Here below, we have mentioned all the recommendations offered by the security experts:-
- Always perform regular security assessments for OT systems to find and resolve cybersecurity issues.
- Continuous vulnerability assessment and triage system for effective vulnerability management.
- Make sure to use robust security solutions for unique actionable information.
- Ensure timely updates and security fixes for OT network components to prevent major incidents.
- Implement robust EDR solutions for threat detection and remediation.
- Make sure to maintain incident prevention, detection, and response skills through OT security training.
Source: https://cybersecuritynews.com/air-gapped-ics-systems/
