Air-Gapped ICS Systems Targeted by Sophisticated Malware

Published: 23/11/2024   Category: security




Researchers uncovered new worm-like second-stage tools used to locally exfiltrate data from air-gapped ICS environments, putting the threat actors one step away from transmitting the information to a C2 server.



Security teams in industrial control systems (ICS) environments are fighting a worm that gets past air-gapped defenses.

Researchers from Kaspersky ICS-CERT have been investigating cyberattacks against ICS and critical infrastructure in Eastern Europe, and uncovered a novel second-stage malware that gets around the data security that an air-gapped system normally provides. The threat actors were trying to establish a permanent presence on the target networks for data exfiltration, the team said.

First, the attackers use known remote access and data collection tools to gain an initial foothold in the ICS network. Then, they deploy a sophisticated modular malware against the air-gapped ICS networks, which contaminates removable storage drives with a worm that exfiltrates targeted data. From there, they are just one step away from being able to transmit stolen data out of the environment.

The malware, designed explicitly to exfiltrate data from air-gapped systems by infecting removable drives, consists of at least three modules, each responsible for different tasks, such as profiling and handling removable drives, capturing screenshots, and planting second-step malware on newly connected drives, the report says.

The team also spotted another second-stage implant used in the attacks, which sends stolen data from a local computer to Dropbox, the Kaspersky team added.

The cyberattackers were able to evade detection by hiding encrypted payloads in their own binary file and using DLL hijacking to embed the malware in the memory of authorized apps, the researchers explained.

"The threat actors' deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking [underscore] the sophistication of their tactics," Kirill Kruglov, senior security researcher at Kaspersky ICS CERT, said about the new findings.

The final piece of the cyberattack chain required to pull off the full data exfiltration would be a third set of tools that upload stolen data to the command and control (C2) server. Kruglov added that Kaspersky's team will continue to investigate.
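The two behaviours the article describes, a DLL hijacked into a trusted application's memory and executables planted on freshly connected removable drives, are both visible in ordinary endpoint telemetry. The script below is an added illustration, not code from the article or from Kaspersky, and it runs over a constructed event stream whose field names (`type`, `process`, `image_loaded`, `signed`, `target`, `drive`) are assumptions loosely modelled on Sysmon image-load and file-create events rather than any real product's schema. It flags an unsigned DLL loaded from outside the system directories and the loading process's own directory, and an executable written to a removable drive within a short window of the drive being mounted.

```python
"""Toy detection pass over constructed endpoint events (added example, not the
article's or Kaspersky's code). Field names are assumptions, not a real schema."""
import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Directories from which a trusted process is expected to load system DLLs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Extensions that should not appear on a just-mounted removable drive unprompted.
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".lnk"}

# Constructed sample telemetry: one benign DLL load, one hijack-style load from
# a user temp directory, a removable-drive mount, a benign document copy and an
# executable dropped into a hidden system folder on the new drive.
SAMPLE_EVENTS = [
    {"type": "ImageLoad", "time": "2024-11-23T08:00:01",
     "process": "C:\\Program Files\\Vendor\\hmi.exe",
     "image_loaded": "C:\\Windows\\System32\\version.dll", "signed": True},
    {"type": "ImageLoad", "time": "2024-11-23T08:00:02",
     "process": "C:\\Program Files\\Vendor\\hmi.exe",
     "image_loaded": "C:\\Users\\op\\AppData\\Local\\Temp\\version.dll", "signed": False},
    {"type": "RemovableMount", "time": "2024-11-23T08:05:00", "drive": "E:"},
    {"type": "FileCreate", "time": "2024-11-23T08:05:30",
     "process": "C:\\Windows\\explorer.exe", "target": "E:\\report.pdf"},
    {"type": "FileCreate", "time": "2024-11-23T08:06:10",
     "process": "C:\\Program Files\\Vendor\\hmi.exe",
     "target": "E:\\System Volume Information\\svchost.exe"},
]


def _norm(path: str) -> str:
    """Lower-case and normalise separators so prefix checks are case-insensitive."""
    return path.replace("/", "\\").lower()


def is_dll_hijack_indicator(ev: dict) -> bool:
    """True when an ImageLoad pulls an unsigned DLL from neither a system
    directory nor the directory of the loading executable (search-order hijack)."""
    if ev.get("type") != "ImageLoad":
        return False
    dll = _norm(ev["image_loaded"])
    proc_dir = str(PureWindowsPath(_norm(ev["process"])).parent) + "\\"
    in_trusted_dir = dll.startswith(SYSTEM_DIRS) or dll.startswith(proc_dir)
    return not in_trusted_dir and not ev.get("signed", False)


def removable_drop_indicators(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Return targets of executables created on a removable drive within
    `window` of that drive being mounted (worm staging on new media)."""
    mounts = {}  # drive letter -> mount time
    hits = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "RemovableMount":
            mounts[ev["drive"].lower()] = t
        elif ev["type"] == "FileCreate":
            target = _norm(ev["target"])
            drive, ext = target[:2], PureWindowsPath(target).suffix
            if drive in mounts and ext in EXEC_EXTS and t - mounts[drive] <= window:
                hits.append(ev["target"])
    return hits


def run(events: list) -> dict:
    """Collect both indicator classes into one findings record."""
    return {
        "dll_hijack": [e["image_loaded"] for e in events if is_dll_hijack_indicator(e)],
        "removable_drop": removable_drop_indicators(events),
    }


if __name__ == "__main__":
    print(json.dumps(run(SAMPLE_EVENTS), indent=2))
```

The rule deliberately whitelists the loading process's own directory: Windows searches it before the system directories, so a malicious DLL placed beside a legitimate binary would still need file-write access there, which is the access a hardened installation denies. The removable-drive rule keys on the mount time so that a long-connected drive used for routine document transfer does not generate noise.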
