This Knowledge Pack includes a group of detections focused on the CHERNOVITE activity group, recently announced by Dragos, and PIPEDREAM – a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.
CHERNOVITE’s PIPEDREAM can execute 38 percent of known ICS attack techniques and 83 percent of known ICS attack tactics.1 PIPEDREAM can manipulate a wide variety of industrial programmable logic controllers (PLC) and industrial software, including Omron and Schneider Electric controllers, and can attack ubiquitous industrial technologies including CODESYS, Modbus, and Open Platform Communications Unified Architecture (OPC UA). Together, PIPEDREAM can affect a significant percentage of industrial assets worldwide. PIPEDREAM is not currently taking advantage of any Schneider or Omron vulnerabilities, instead it leverages native functionality.
While CHERNOVITE is specifically targeting Schneider Electric and Omron PLCs, there could be other modules targeting other vendors as well, and PIPEDREAM’s functionality could work across hundreds of different controllers.
PIPEDREAM accomplishes this far-reaching impact through a series of five components that Dragos labels:
- EVILSCHOLAR – A capability designed to discover, access, manipulate, and disable Schneider Electric PLCs.
- BADOMEN – A remote shell capability designed to interact with Omron software and PLCs.
- MOUSEHOLE – A scanning tool designed to use OPC UA and FINS protocols to enumerate PLCs and OT networks.
- LAZYCARGO – Drops and exploits a vulnerable ASRock driver to load an unsigned driver for privilege escalation.
These combined components allow CHERNOVITE to enumerate an industrial environment, infiltrate engineering workstations, exploit process controllers, cross security and process zones, fundamentally disable controllers, and manipulate executed logic and programming. All of these capabilities can lead to a loss of safety, availability, and control of an industrial environment, dramatically increasing time-to-recovery, while potentially placing lives, livelihoods, and communities at risk.
Among the group of detections focused on Omron FINS protocol v2, are categories that include: access rights, memory area operations, program and parameter area operations, file operations commands, reset commands, error manipulations, run, stop and reset commands, memory card format command, name delete, and clock write commands. It also includes detections for an OPC UA Server in degraded state or when it responds with user access denied.
This Knowledge Pack contains a characterization for the Ovation Database Transmit Service, which is used to transmit information about the Drops between server and client. Additionally, characterizations and traffic summaries for the Omron FINS v2, OPC UA, and WonderWare SuiteLink traffic are included. For OPC UA Server Identification, the characterization checks for various fields and sets those fields on the associated asset for greater visibility.
A detection is included for the traffic associated with scans to identify SAP systems affected by CVE-2022-22536, a critical vulnerability rated with CVSSv3 score of 10.0. It contains a YARA rule detection for the malicious file transfer associated with COMpfun / Reductor. It includes a series of signatures for the BITSAdmin tool, a legitimate & native Microsoft command-line tool that is used to create download or upload jobs. BITSAdmin has been used by malicious actors for lateral tool transfer. Lastly, a series of signatures is included to detect communications to top level domains of interest as seen through HTTP, DNS, and TLS network traffic.
Over 250 characterizations and 500 detections are included in this Knowledge Pack
Each Knowledge Pack contains the latest insight from the Dragos team, automating the detection of devices and potential malicious activity across industrial networks. They provide regular updates related to protocols, threat analytics, ICS/OT device data, and investigation playbooks to equip customers with comprehensive visibility into their environments.
Dragos Platform customers can download new Knowledge Packs from the Customer Portal. Registered users get access to Platform documentation, integration guides, tech notes, best practices, Dragos Academy online learning center, and support case creation. Users of Neighborhood Keeper and WorldView Threat Intelligence also access those services using their Customer Portal credentials.
For more background on Dragos Knowledge Packs and how we continuously incorporate our expertise into the Dragos Platform, we invite you to read this overview or contact sales@dragos.com.
References:
1 As measured against the MITRE ATT&CK for ICS malicious behavior matrix.
Ready to put your insights into action?
Take the next steps and contact our team today.