Yesterday the folks at ICS-CERT published an updated Joint Security Awareness Report (JSAR) on the sKyWIper ‘information-stealing malware’ (someone has got to come up with a better name for this type of thing; how about ‘cyber-sucker’?). The JSAR adds some information about the use of Microsoft digital certificates in this malware.
There is not a lot of information here (to be fair it does provide a link to the Microsoft advisory that does provide more detailed information), but it does make two very important points about the MS certificate issues. First:

“This is an avenue for compromise that may be used by additional attackers on systems not originally the focus of the sKyWIper malware.”
This is a general problem with every new security hole that is discovered during the investigation of a new cyber-attack tool. While sKyWIper currently appears to be focused on systems in the Middle East (and that could always change; it’s a very flexible tool), the certificate issue could be used by any malware designer for a new attack tool.
The second issue is more directly related to industrial control systems. The JSAR notes that:

“ICS-CERT and US-CERT recommend that industrial control systems owners and operators review the Microsoft Advisory and work with equipment vendors to install this update.”
While this is similar to the standard ICS-CERT warning to “perform proper impact analysis and risk assessment prior to taking defensive measures” (which is also included later in the same paragraph of the JSAR), it would seem to indicate that there may be some product-specific problems with the application of this specific MS update.
I know that Siemens reports on their analysis of the applicability and usability of MS updates with their products, but I am not so sure that other vendors do the same (one would expect that the larger ones would). Even so, it is going to take weeks or months before the vendors are able to commit to compatibility of the update with their systems, and even longer to produce a working implementation if there are system-related problems. Meanwhile the good, the bad and the ugly in the hacker community are working on exploiting this problem.
Unfortunately, there is no easy answer to this problem; have a good in-depth ICS security program in place and hold your breath.