
IRONGATE malware simulation provides valuable insight into ICS attacks

07 Jun 16

A joint research effort between four cybersecurity organisations has released research about IRONGATE, a type of ICS malware that is not so much an active threat as a proof of concept.

FireEye, iSIGHT Intelligence, FLARE and Mandiant recently released research describing the mechanisms behind the malware.

IRONGATE evades sandboxes to avoid detection, which suggests that its development was malicious rather than a legitimate operation. The research says that VMware or Cuckoo Sandbox environments seem to stop IRONGATE droppers from running.

The researchers discovered the potential malware when analysing droppers built with PyInstaller, a packaging method some malicious programs adopt.

Strings found in the dropper also included the word 'payload', a common malware keyword.

IRONGATE's most dangerous feature is that it can operate a man-in-the-middle (MitM) attack via a Dynamic Link Library (DLL). This malicious DLL can record five seconds of normal activity passing through the PLC on Siemens products.

IRONGATE then simulates the traffic while sending different information through to the PLC, which means any attack could control systems without legitimate users knowing.

While statements from Siemens Product Computer Emergency Readiness Team (ProductCERT) show that IRONGATE is not an active threat to any Siemens products, it does demonstrate the potential effects an attack could have.

ProductCERT says that they acknowledge the potential attack as a test case, proof of concept or a research activity for ICS malware attacks.

This ICS malware is also dangerous because it uses DLLs to manipulate a single, specific process, and while it is not quite the same as Stuxnet, it uses some of the same attack methods.

The research concludes that, although IRONGATE is not an active threat, users should:

  • Implement integrity checks and code signing for both vendor and user-generated code. Cryptographic verification will prevent MitM and replacement attacks from occurring.
  • Use specific processes for sanity checking IO data, which could include independent sensing and backhaul, and comparison of process states. Awareness of process states can thwart attack attempts.
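As an added example (not code from the FireEye research or this article), the two recommendations above rendered as defender-side checks: a replay detector that flags a data stream that has turned into a verbatim repetition of a fixed-length window, and a comparison of HMI-reported values against an independently backhauled sensor path. The sample readings, the five-sample window and the tolerance are constructed assumptions.

```python
# Added example: defender-side sanity checks for an IRONGATE-style replay MitM.
# Sample values, window length and tolerance below are constructed assumptions.

WINDOW = 5        # samples in one recorded window (IRONGATE replays ~5 s of traffic)
MIN_REPEATS = 3   # back-to-back identical windows before we call it a replay
TOLERANCE = 2.0   # allowed gap between reported value and independent sensor


def find_replay_start(samples, window=WINDOW, min_repeats=MIN_REPEATS):
    """Return the index where the stream becomes a verbatim repetition of one
    window of length `window`, repeated at least `min_repeats` times; else None.
    Real process data carries noise, so an exact repeat is itself suspicious."""
    for start in range(len(samples) - window * min_repeats + 1):
        first = samples[start:start + window]
        if all(samples[start + k * window:start + (k + 1) * window] == first
               for k in range(1, min_repeats)):
            return start
    return None


def find_divergence(reported, independent, tolerance=TOLERANCE):
    """Indices where the value shown to operators disagrees with an independent
    measurement of the same process variable by more than `tolerance`."""
    return [i for i, (r, s) in enumerate(zip(reported, independent))
            if abs(r - s) > tolerance]


# Constructed data: eight genuine readings, then the MitM replays a captured
# five-sample window to the HMI while the real process variable climbs.
GENUINE = [50.1, 50.4, 49.8, 50.2, 50.0, 50.3, 49.9, 50.1]
CAPTURED = [50.2, 49.7, 50.0, 50.3, 49.9]
REPORTED = GENUINE + CAPTURED * 3
INDEPENDENT = GENUINE + [50.2, 51.0, 52.1, 53.4, 54.8, 56.3, 57.9, 59.6,
                         61.4, 63.3, 65.3, 67.4, 69.6, 71.9, 74.3]


def assess(reported=REPORTED, independent=INDEPENDENT):
    """Combine both checks into one verdict for an alerting pipeline."""
    replay_at = find_replay_start(reported)
    diverging = find_divergence(reported, independent)
    return {"replay_start": replay_at,
            "first_divergence": diverging[0] if diverging else None,
            "suspicious": replay_at is not None or bool(diverging)}


if __name__ == "__main__":
    print(assess())
```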