Still getting caught up after Isaac; while ICS-CERT hasn’t
been real busy they haven’t waited for me either. So here is a quick look at a
new Joint Security Awareness Report (JSAR), a new privilege escalation advisory
and an update on a Siemens related alert.
Shamoon JSAR
ICS-CERT and US-CERT published
a JSAR on Wednesday for the information-stealing malware W32.DistTrack,
also known as Shamoon. Actually, calling this an ‘information-stealing’ malware
is misleading since it also contains a module that corrupts selected existing
files on the hard drive and then erases the Master Boot Record so that the
computer cannot be restarted. To me this sounds like a software bomb that also
steals information. Oh, and before it renders the computer unusable it spreads
to other computers on the network.
The JSAR is very light on details about this threat, but it
does reference two pages from the Symantec web site that provide more details.
Of the two sites referenced the
best one contains all of the publicly available Symantec information.
Symantec rates this as a low-level threat in the wild, but that
is based upon the small number of times it has been detected (fewer than 50). Neither
the JSAR nor the Symantec site mentions that Shamoon is suspected of being
responsible for the shutdown of the Saudi oil company’s computer systems last
month. I suppose they think that if you are not a targeted company you may be
okay. But this is another low-risk, high-consequence piece of malware.
There is no mention in the JSAR of why this is a joint
US-CERT/ICS-CERT publication. Nothing currently indicates that
this is targeted at control systems, but it would appear to be difficult to
determine exactly what information was stolen from a subsequently unusable
computer. Since one of the targets appears to have been an energy sector
company, it would seem prudent to assume that control system access information
may have been part of what was stolen.
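The JSAR describes malware that corrupts files and then erases the Master Boot Record so the machine cannot restart. One defensive check that follows from that description is to baseline the first sector of each boot disk and periodically confirm it still carries a valid partition table and boot signature. The following is an added example written for this post; it is not code from ICS-CERT or Symantec, and the sample sectors it builds are constructed, not captured from any infected system.

```python
"""Boot-sector (MBR) integrity baseline and check.

Added illustration for the Shamoon/DistTrack write-up above, not code from
the JSAR or from Symantec. The MBR built by build_sample_mbr() is constructed
purely for demonstration; on a real host the 512 bytes would come from
read_first_sector('/dev/sda') (or '\\\\.\\PhysicalDrive0' on Windows), which
needs administrative privileges.
"""
import hashlib
from typing import List

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries live here
BOOT_SIGNATURE_OFFSET = 510    # bytes 510..511 must be 0x55 0xAA


def build_sample_mbr(boot_code: bytes = b"\xfa\x33\xc0", bootable: bool = True) -> bytes:
    """Construct a minimal but structurally valid MBR (sample data only)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # One partition entry: status 0x80 (bootable), type 0x07 (NTFS/exFAT),
    # starting LBA 2048, length 1,000,000 sectors (classic MBR field layout).
    entry = bytearray(16)
    entry[0] = 0x80 if bootable else 0x00
    entry[4] = 0x07
    entry[8:12] = (2048).to_bytes(4, "little")
    entry[12:16] = (1_000_000).to_bytes(4, "little")
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[BOOT_SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


def read_first_sector(device_path: str) -> bytes:
    """Read the first 512 bytes of a raw block device (requires privileges)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; store this as the baseline at install time."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> List[str]:
    """Return a list of findings; an empty list means the sector is intact.

    A sector wiped to zeros (the effect described for Shamoon) trips all three
    structural checks; a sector whose boot code was merely modified trips only
    the baseline-hash comparison.
    """
    findings: List[str] = []
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    if sector[BOOT_SIGNATURE_OFFSET:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing (sector wiped or overwritten)")
    if sector[PARTITION_TABLE_OFFSET:BOOT_SIGNATURE_OFFSET] == bytes(64):
        findings.append("partition table is all zeros")
    if fingerprint(sector) != baseline_hash:
        findings.append("sector hash differs from baseline")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = fingerprint(good)
    print("intact sector:", check_mbr(good, baseline))
    print("wiped sector: ", check_mbr(bytes(SECTOR_SIZE), baseline))
```

The baseline hash should be stored somewhere the host itself cannot overwrite (a central inventory, for example), since a machine whose MBR has already been erased will not be able to report the finding after its next reboot; the check is most useful run from a management host against disks it can still read, or scheduled before any planned restart.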
GarrettCom Advisory
Justin Clarke of Cylance has identified another hard-coded
password in an industrial control system component. This time it was in the GarrettCom
Magnum MNS-6K (an Ethernet switch) Management Software. Since access to the
network is required to exploit this vulnerability it is classified as an ‘escalation
of privilege’ vulnerability: someone with limited access can gain administrator-level
access to the system.
GarrettCom has released a patch that ‘mitigates this
vulnerability’, though there is nothing in the advisory that indicates that
either ICS-CERT or Justin has verified this mitigation. Interestingly though,
the advisory does note that the vulnerability is not specifically identified in
the release notes for the updated software version that was released back in
May. This may mean that system owners are not aware of how important the
upgrade may actually be and thus may decide to delay or completely forgo
implementing the upgrade.
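The weakness class in this advisory, an administrator credential baked into management software, is easy to see side by side with the form a vendor should ship instead. The following is an added example written for this post, not GarrettCom's code and not anything from the advisory; the usernames, roles, and the placeholder secret are all constructed.

```python
"""Hard-coded credential versus owner-managed credential store.

Added illustration for the GarrettCom advisory discussed above; this is not
the vendor's code. HARDCODED_ADMIN_PASSWORD, the user records and the roles
are constructed placeholders.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# ---------------------------------------------------------------------------
# Weak form: a fixed secret compiled into the product. Every unit shares it,
# the owner cannot rotate it, and any user on the network who learns it
# (from the binary, a manual, or another site) goes straight to the admin role.
# ---------------------------------------------------------------------------
HARDCODED_ADMIN_PASSWORD = "example-factory-secret"   # constructed placeholder


def login_weak(username: str, password: str, user_db: Dict[str, dict]) -> Optional[str]:
    """Return the role granted, or None. Plaintext comparison and a backdoor."""
    if username == "admin" and password == HARDCODED_ADMIN_PASSWORD:
        return "admin"
    rec = user_db.get(username)
    if rec and rec["password"] == password:
        return rec["role"]
    return None


# ---------------------------------------------------------------------------
# Hardened form: no built-in credential at all. The administrator is just a
# record in owner-managed storage (set on first boot), passwords are kept as
# salted PBKDF2 hashes, and comparison is constant-time.
# ---------------------------------------------------------------------------
ITERATIONS = 200_000
_DUMMY_SALT = b"\x00" * 16


def make_record(password: str, role: str) -> dict:
    """Create a stored credential record with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "role": role}


def login_hardened(username: str, password: str, user_db: Dict[str, dict]) -> Optional[str]:
    """Return the role granted, or None. No special-cased accounts exist."""
    rec = user_db.get(username)
    if rec is None:
        # Do the same work for unknown users so timing does not reveal
        # which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, ITERATIONS)
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    if hmac.compare_digest(candidate, rec["hash"]):
        return rec["role"]
    return None


if __name__ == "__main__":
    weak_db = {"operator": {"password": "op-pass", "role": "operator"}}
    print("weak, factory secret as admin ->", login_weak("admin", HARDCODED_ADMIN_PASSWORD, weak_db))

    hardened_db = {
        "operator": make_record("op-pass", "operator"),
        "admin": make_record("owner-chosen-secret", "admin"),
    }
    print("hardened, factory secret as admin ->",
          login_hardened("admin", HARDCODED_ADMIN_PASSWORD, hardened_db))
    print("hardened, owner's secret as admin ->",
          login_hardened("admin", "owner-chosen-secret", hardened_db))
```

The point of the hardened version is structural rather than cryptographic: because there is no code path that grants a role without consulting the owner's credential store, a patch that removes the backdoor is a real fix, and a release note that says so lets system owners judge how urgent the upgrade is.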
I have noticed that Justin has been taken to task on some
internet sites (the SCADASEC list in particular) for this disclosure. It is
apparent, however, that his detractors were not aware that this was a
coordinated disclosure, where the vendor was able to produce a patch and have that
patch publicized on the secure server at US-CERT before it became general
public knowledge. Part of the fault there lies with this Advisory, as it does
not specifically state that this was a coordinated disclosure, but that really
is clear if you read the ‘Overview’ portion of the Advisory carefully.
RuggedCom Alert Update
This is the second update of the RuggedCom Alert originally published
back on August 21st. Well, it looks like a second update, as it
is version B. I can’t find where ICS-CERT published anything on this between
August 21st and yesterday, when this version was published. Maybe
they got confused with the A version of the earlier RuggedCom
Alert published in May.
In any case, this update is based upon a Siemens
CERT report published on Friday (NOTE: the revised Alert points at the page
where the Siemens alerts are posted, not at this specific alert). Siemens reported
that vulnerabilities similar to those identified by Justin in the RuggedCom ROS
were also found in the ROX operating system and the RuggedMax operating system.
Interim mitigations have been provided by Siemens/RuggedCom.
Siemens is to be commended for their effort to identify the
fact that other systems produced by their recently purchased subsidiary have
similar problems and to publicly report that fact. Hopefully they are also
taking internal measures to ensure that security is a higher priority in the
production of future products.