New Knowledge Pack Released (KP-2022-008)

Dragos Platform Knowledge Packs provide regular updates related to ICS/OT threat analytics, protocols, device data, and investigation playbooks to equip customers with visibility into their environments and the tools to respond. Each Knowledge Pack contains the latest insight from the Dragos intelligence team, streamlining the detection of devices and potential malicious activity across industrial networks. In this Knowledge Pack (KP-2022-008), Dragos assessed vulnerabilities affecting more than 200 hardware assets including several from Phoenix Contact, Mitsubishi Electric, Hitachi Energy, Bachmann, Rockwell Automation, Siemens, Omron, and Emerson.

KP-2022-008 includes several characterizations focused on identifying assets from the IEC-61850 suite of protocols. Specifically, through GOOSE and MMS, Dragos identifies certain device models for ABB, Siemens, and GE devices. Additional firmware and/or model information is identified utilizing data acquired through HTML, SNMP, LLDP and Telnet for IEC-6150 devices independent of the IEC-61850 protocols. Further, a new set of asset identification rules has improved coverage for vendors based on characterizations for asset identification by SNMP (80+ new rules), LLDP (20+ new rules) and CDP (5 new rules). This coverage includes enhancements to detections for vendors including: Beckhoff Automation, Broadcom, Cisco, Dell, Digi, GE, Hewlett-Packard, Honeywell, Juniper Networks, Lantronix, Moxa, Palo Alto Networks, RedLion, Rockwell Automation, Schneider Electric, Siemens, VMware, and over 45 other vendors.

Full release notes are available for registered customers in the Dragos Customer Portal, here are some highlights of what you can find there:

Characterizations:

• GOOSE – numerous updates to improve device identification and profile details that support more detailed queries and analytics. This update will be of particular interest to customers in the electric sector in low latency environments.
• SNMP – SNMP strings being processed through an expanded set of logic rules to extract information on the hardware details and functional roles of assets across the network. Content updated to include a large increase in asset identification inventory, Axis camera/video encoders and fixed reporting of Cisco firmware versions.
• IEC 61850 – new rules have been developed to look for http/xml traffic containing model information and firmware versions for ABB IEDs along with others specifically geared towards ABB, GE, and Siemens traffic over TCP port 102 supporting more verbose alerts.

Detections:

• Moxa – detections have been updated to include traffic to retrieve sensitive administrative passwords (per CVE-2016-9361) and HTTP cookies associated with exploits over NPort 5110, which can lead to an OOB Write and denying availability and overwriting/modifying data.
• DirectLogic – traffic associated with a password retrieval exploit leveraging CVE-2022-2003.

Playbooks:

• Metasploit – a new playbook has been added related to the network transfer of an executable file header consistent with the Metasploit Meterpreter activity.
• Sliver C2 – another playbook for Sliver Command and Control (C2) traffic in the form of HTTP POSTs to min.css file as well as user-agent strings encoded with Cyrillic characters. Sliver is a general-purpose cross-platform implant framework that supports C2 over TLS, HTTP, and DNS.

To learn more about Dragos Knowledge Packs and how we continuously incorporate our expertise into the Dragos Platform, we invite you to read this overview or contact sales@dragos.com.