Yesterday the folks at ICS-CERT published an updated Joint Security Awareness Report (JSAR) on the sKyWIper ‘information-stealing malware’ (someone has got to come up with a better name for this type of thing; how about ‘cyber-sucker’?). The JSAR adds some information about the use of Microsoft digital certificates in this malware.
There is not a lot of information here (to be fair, it does link to the Microsoft advisory, which gives the details: certificates chaining up to a Microsoft certificate authority were misused to sign code so that it appeared to be legitimate Microsoft software), but it does make two very important points about the MS certificate issue. First:
“This is an avenue for compromise that may be used by additional attackers on systems not originally the focus of the sKyWIper malware.”
This is a general problem with any security hole that comes to light during the investigation of a new cyber-attack tool. While sKyWIper currently appears to be focused on systems in the Middle East (and that could always change; it is a very flexible tool), the certificate weakness is not tied to sKyWIper at all: any malware designer can reuse it in a new attack tool against any Windows system that has not yet received the fix.
The second issue is more directly related to industrial control systems. The JSAR notes that:
“ICS-CERT and US-CERT recommend that industrial control systems owners and operators review the Microsoft Advisory and work with equipment vendors to install this update.”
While this is similar to the standard ICS-CERT warning to “perform proper impact analysis and risk assessment prior to taking defensive measures” (which is also included later in the same paragraph of the JSAR), the explicit call to work with equipment vendors suggests that there may be product-specific problems with applying this particular MS update.
I know that Siemens reports on its analysis of the applicability and usability of MS updates with its products, but I am not so sure that other vendors do the same (one would expect that the larger ones would). Even so, it is going to take weeks or months before the vendors are able to commit to the compatibility of the update with their systems, and even longer to produce a working implementation if there are system-related problems. Meanwhile the good, the bad and the ugly in the hacker community are working on exploiting this problem.
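While waiting on the vendor, an operator can at least find out where each Windows host stands. The following is an added example, not from the JSAR, the Microsoft advisory or any vendor; it assumes (from my reading of the Microsoft advisory, not from anything in the JSAR) that the update in question is the one delivered as KB2718704 and that it works by placing the “Microsoft Enforced Licensing” CA certificates in the machine’s Untrusted (Disallowed) certificate store. It only reads the hotfix list and the certificate stores; it does not install or change anything.

```powershell
# Added example: read-only check of whether the certificate update has taken
# effect on this host. Assumptions (from the Microsoft advisory, not the JSAR):
# the update is KB2718704 and it moves the "Microsoft Enforced Licensing" CA
# certificates into the LocalMachine Untrusted (Disallowed) store.

$Kb      = 'KB2718704'
$Pattern = 'Microsoft Enforced Licensing'

# 1. Is the hotfix recorded as installed? (Get-HotFix reads the same list as
#    "Installed Updates" in the Control Panel.)
$hotfix = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -eq $Kb }

# 2. Are the revoked CA certificates present in the Untrusted store?
$untrusted = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -like "*$Pattern*" }

# 3. Are any of them still sitting in a trusted store? That would indicate a
#    partial or rolled-back install and is worth raising with the vendor.
$stillTrusted = @('Root', 'CA', 'AuthRoot') | ForEach-Object {
    Get-ChildItem -Path "Cert:\LocalMachine\$_" |
        Where-Object { $_.Subject -like "*$Pattern*" }
}

$mitigated = (@($untrusted).Count -ge 1) -and (@($stillTrusted).Count -eq 0)

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    HotfixInstalled      = [bool]$hotfix
    UntrustedCertCount   = @($untrusted).Count
    UntrustedThumbprints = (@($untrusted) | ForEach-Object { $_.Thumbprint }) -join ','
    StillTrustedCount    = @($stillTrusted).Count
    Status               = if ($mitigated) { 'mitigated' } else { 'check' }
}
```

Run it from an elevated PowerShell prompt; the certificate store check is the more reliable signal, since a host that received the certificates through another channel will show them in the Untrusted store without the hotfix ID. On an actual control system host, run it only after the vendor has confirmed that the update is supported, which is exactly the point the JSAR is making.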
Unfortunately, there is no easy answer to this problem: have a good defense-in-depth ICS security program in place, and hold your breath.