While preparing this Knowledge Pack, Dragos assessed newly disclosed vulnerabilities in over 800 products from vendors including Siemens, Mitsubishi Electric, Weidmueller, SAUTER Controls, and Baicells. Over 280 characterizations and 560 detections are included in KP-2023-002 for customers running Dragos Platform 2.x. Full release notes are available for registered customers in the Dragos Customer Portal; key highlights of this release are included below.
Building Automation Systems
Many of our customers are using the Dragos Platform to improve visibility into environments that include building automation and management systems. As threat scenarios evolve, we are continuing to invest resources to further improve characterizations of related protocols and devices common in building automation systems. This includes updates to BACnet traffic analysis and characterizations of devices communicating using Echelon’s LonWorks LonTalk protocol.
Emerson ROC800 Controllers
Companies that have deployed Emerson ROC800 series controllers for remote operations will recognize the importance of the ROC Plus protocol. KP-2023-002 adds a new characterization for the dissection and traffic summary of ROC Plus communications. It also contains new detections related to AMS Device Manager that cover service account creation and network share creation, either of which could indicate suspicious behavior.
Schweitzer Engineering Laboratories (SEL)
Detections are included for 5 different types of events related to user logins to SEL devices, including 2AC read/write, failed attempts, and calibration account activity.
Omron Factory Interface Network Service
The OMRON Factory Interface Network Service (FINS) protocol is widely used in industries such as manufacturing, automotive, and food and beverage. With this Knowledge Pack, we’ve added characterizations to identify controller models and hardware versions from FINS traffic. New detections are also included for memory-related commands and characters that could indicate malicious activity.
In addition to the above updates, we are including several other miscellaneous detections based on threat intel analysis, observed behavior, and customer requests. For example:
- Transfer of a file that includes features associated with DUSTTUNNEL (one of the utilities in PIPEDREAM, as reported by Dragos in 2022)
- Traffic indicator associated with an ASPX web shell. Web shells are a common mechanism used by attackers to run commands on a compromised host (a backdoor), including from another compromised internal host.
- FCC Section 2 Vendors – Detects possible indications of hardware manufactured by vendors listed as part of FCC Section 2 of the Secure Networks Act of the 2019 U.S. National Defense Authorization Act (NDAA), which prohibits the U.S. federal government, U.S. government contractors, and U.S. grant and loan recipients from procuring or using certain equipment provided by specific vendors.
- Brute Ratel C4 Server – an attack simulation tool also used to evade detection during post-exploitation.
- Detection of possible malicious activity related to the Telerik Web application vulnerability.
- SoftEther VPN – Malicious use of SoftEther VPN protocol communications on specific UDP ports.
Dragos Platform customers receive regular updates through Knowledge Packs which include enhancements to threat detections, protocol support, asset visibility, and playbooks to equip customers with continuous improvements for their OT cybersecurity operations. Each Knowledge Pack contains the latest exclusive insight from Dragos intelligence teams, streamlining the detection of devices and potential malicious activity across industrial networks. To learn more about Dragos Knowledge Packs and how we continuously incorporate our industry-leading OT expertise into the Dragos Platform, we invite you to read this overview or contact firstname.lastname@example.org.