Today the DHS ICS-CERT updated their advisory on “Ongoing Sophisticated Malware Campaign Compromising ICS”, or BlackEnergy. The original advisory was published in October 2014 and updated in October and December of that year.

The update is based on information about the recent cyber-based attack on Ukrainian power distribution systems over the Christmas holidays. More detailed information on that attack can be found on the SANS ICS Blog. The ICS-CERT update makes the point that a new variant of BlackEnergy (BlackEnergy 3) has been associated with this event and that the vector for the delivery of the malware appears to have been via “spear phishing via a malicious Microsoft Office (MS Word) attachment”.
The second addition to this advisory deals with the use of YARA rules to detect BlackEnergy infections. ICS-CERT maintains that the originally published YARA rules “has been shown to identify a majority of the samples seen as of this update and continues to be the best method for detecting BlackEnergy infections”. They also point out that using YARA signatures with a control system must be done carefully, since there is potential for unintended interactions with control systems. They note:

“ICS-CERT has published instruction for how to use the YARA signature for typical information technology environments. ICS-CERT recommends a phased approach to utilize this YARA signature in an industrial control systems (ICSs) environment. Test the use of the signature in the test/quality assurance/development ICS environment if one exists. If not, deploy the signature against backup or alternate systems in the top end of the ICS environment; this signature will not be usable on the majority of field devices.”
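As an added illustration (not code from this post or from ICS-CERT, and not the published BlackEnergy signature), the following Python script shows what the "test it first" step of the phased approach looks like in practice: a read-only scanner applies a rule written in YARA syntax to a constructed corpus of benign and marker-bearing files and reports hits, misses and false positives, so a signature can be rehearsed on a test or backup host before it is allowed near production. It implements only a small subset of YARA (text and hex strings, "any of them" / "all of them") so that it runs without the yara library; the rule name, the marker strings and the sample file names are all invented for the demonstration.

```python
"""Minimal YARA-subset matcher used to rehearse a signature against a
test corpus before deploying it near control systems.

Illustrative code written for this post: not the yara library and not
the ICS-CERT BlackEnergy signature. The rule and the sample files are
constructed for the demonstration.
"""
import os
import re
import tempfile

# Constructed rule in YARA syntax (subset: text strings, hex strings,
# 'any of them' / 'all of them' conditions). Marker values are invented.
SAMPLE_RULE = r'''
rule demo_marker
{
    strings:
        $txt = "DEMO-MARKER-STRING"
        $hex = { DE AD BE EF 00 }
    condition:
        any of them
}
'''

# Never read whole large files into memory on a resource-constrained host.
MAX_FILE_BYTES = 4 * 1024 * 1024


def parse_rule(text):
    """Return (name, {identifier: pattern bytes}, condition) for one rule."""
    name = re.search(r'rule\s+(\w+)', text).group(1)
    strings = {}
    for ident, body in re.findall(r'(\$\w+)\s*=\s*(".*?"|\{[^}]*\})', text):
        if body.startswith('"'):
            strings[ident] = body[1:-1].encode('latin-1')   # text string
        else:
            strings[ident] = bytes.fromhex(body.strip('{} \n'))  # hex string
    cond = re.search(r'condition:\s*(any|all) of them', text).group(1)
    return name, strings, cond


def match_bytes(rule, data):
    """Apply a parsed rule to a byte buffer; returns matching identifiers."""
    _, strings, cond = rule
    hits = [ident for ident, pat in strings.items() if pat in data]
    if cond == 'any':
        return hits
    return hits if len(hits) == len(strings) else []


def scan_directory(rule, root, max_bytes=MAX_FILE_BYTES):
    """Read-only walk of root; returns ({path: identifiers}, skipped paths)."""
    results, skipped = {}, []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_bytes:
                    skipped.append(path)      # record, never touch, oversized files
                    continue
                with open(path, 'rb') as fh:
                    data = fh.read()
            except OSError:
                skipped.append(path)          # unreadable: note it, do not retry
                continue
            hits = match_bytes(rule, data)
            if hits:
                results[path] = hits
    return results, skipped


def rehearse(rule_text=SAMPLE_RULE):
    """Build a constructed corpus, scan it, and report hits/misses/false positives."""
    rule = parse_rule(rule_text)
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files: two benign, two carrying an invented marker.
        files = {
            'benign_config.ini': b'[plc]\naddress=10.0.0.5\n',
            'benign_log.txt': b'2016-01-01 boot ok\n',
            'suspect_dropper.bin': b'\x00' * 16 + b'DEMO-MARKER-STRING' + b'\x00' * 16,
            'suspect_hex.bin': b'\x90\xde\xad\xbe\xef\x00\x90',
        }
        for name, content in files.items():
            with open(os.path.join(root, name), 'wb') as fh:
                fh.write(content)
        results, skipped = scan_directory(rule, root)
        flagged = sorted(os.path.basename(p) for p in results)
        expected = sorted(n for n in files if n.startswith('suspect_'))
        return {
            'rule': rule[0],
            'flagged': flagged,
            'false_positives': sorted(set(flagged) - set(expected)),
            'missed': sorted(set(expected) - set(flagged)),
            'skipped': len(skipped),
        }


if __name__ == '__main__':
    print(rehearse())
```

The value of the rehearsal is the `false_positives` and `missed` lists: a signature that fires on the benign baseline of a historian or HMI image is exactly the "unintended interaction" the advisory warns about, and the size cap and read-only access are the kind of limits you would keep when moving from the test environment to backup or alternate systems.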
NOTE: ICS-CERT continues to not list updates on their main landing page. For an update as potentially important as this, it defies explanation why they did not at least make an exception for this particular update. The only saving grace is that they did announce the update on TWITTER®.