Today the DHS ICS-CERT published the second update of their
alert concerning the BlackEnergy malware campaign. The first update was
published on October 29th and the original alert was published the
day before.
This update provides a little more information on the
probable existence of a Siemens WinCC attack vector involved in the campaign.
The original alert only provided the vaguest hint about the use of WinCC which
ICS-CERT plainly said they could not confirm. They now say:
“While ICS-CERT lacks definitive
information on how WinCC systems are being compromised by BlackEnergy, there
are indications that one of the vulnerabilities fixed with the latest
update for SIMATIC WinCC [link added] may have been exploited by the
BlackEnergy malware. ICS-CERT strongly encourages users of WinCC, TIA
Portal, and PCS7 to update their software to the most recent version as soon as
possible.”
This version of the alert also updates the Yara Rules that
allow organizations to interpret the results of scans conducted with the Yara
pattern-matching tool. ICS-CERT recommends that organizations that run the
updated scan and apply the updated Yara Rules send copies of the results
to ICS-CERT for more detailed interpretation of the data if there are any
indications of potential compromise in the results.
ICS-CERT does not specifically state in this update that
even those organizations that have already run the earlier version should run
the updated scan. Since this apparently checks for later versions (or at least
different versions) of the malware associated with BlackEnergy, it would seem
to me that it would only be prudent to run this latest version and any new
versions that ICS-CERT might publish in the future.