Today the DHS ICS-CERT published the second update of their alert concerning the BlackEnergy malware campaign. The first update was published on October 29th and the original alert was published the day before.
This update provides a little more information on the probable existence of a Siemens WinCC attack vector in the campaign. The original alert only provided the vaguest hint about the use of WinCC, which ICS-CERT plainly said they could not confirm. They now say:
“While ICS-CERT lacks definitive information on how WinCC systems are being compromised by BlackEnergy, there are indications that one of the vulnerabilities fixed with the latest update for SIMATIC WinCC [link added] may have been exploited by the BlackEnergy malware. ICS-CERT strongly encourages users of WinCC, TIA Portal, and PCS7 to update their software to the most recent version as soon as possible.”
This version of the alert also updates the Yara Rules that allow organizations to interpret the results of a scan conducted with the Yara pattern matching tool. ICS-CERT recommends that organizations that run the updated scan and apply the updated Yara Rules send copies of the results to ICS-CERT for more detailed interpretation of the data if there are any indications of potential compromise in the results.
ICS-CERT does not specifically state in this update that even those organizations that have already run the earlier version should run the updated scan. Since this apparently checks for later versions (or at least different versions) of the malware associated with BlackEnergy, it would seem to me that it would only be prudent to run this latest version and any new versions that ICS-CERT might publish in the future.