Blog

Strategies for Defense Against Fuxnet ICS Malware

May 29, 2024

Strategies for Defense Against Fuxnet ICS Malware

Introduction

According to recent cybersecurity media reports, a new destructive ICS malware named Fuxnet has been discovered. This incident is allegedly linked to the Blackjack hacker group, which is associated with Ukrainian security agencies. It involved a major attack on Moscollector, a Moscow-based company responsible for managing critical infrastructure such as water supply, sewage treatment, and communication systems. The attackers employed the Fuxnet malware, which is similar to Stuxnet, to disable industrial sensors and disrupt operations across multiple sectors.

Initially, the attackers claimed to have disabled 87,000 sensors, but later clarified that the actual impact was on 2,659 sensor gateways, of which approximately 1,700 sensor gateways were successfully compromised. The attackers managed to disable these sensors by sabotaging the gateways and exploiting a specialized M-Bus obfuscator within the malware.

This incident should be of significant concern for any manufacturing and critical infrastructure operators, as it demonstrates the malware’s capability of disrupting the operation of industrial sensors and monitoring infrastructure. Industrial organizations need to heighten their vigilance to prevent similar scenarios from occurring in their own ICS environments.

 

Fuxnet Malware on Moscollector by Blackjack Hackers

Claroty’s analysis revealed that Fuxnet primarily targeted sensor gateways using serial bus protocols like RS485 and Meter-Bus, rather than the sensors themselves. The malware first deleted critical files and directories, shut down remote access services and corrupted routing table information. It then proceeded to damage the file system, reprogram the devices’ firmware, and physically damage NAND memory chips. To top it all off, Fuxnet sent random data to connected sensor gateways, overloading communication channels and effectively disabling the sensors.

1. Initial Attack

The attack originated with RL22w 3G routers manufactured by the Russian company iRZ, which use OpenWRT as their operating system. The attackers gained root passwords for these devices, connected to them using SSH, and tunneled into internal systems, eventually gaining full access. Searches on Shodan and Censys revealed 111 such devices with Telnet enabled, directly exposed to the internet.

 

2. Sustained Reconnaissance

The attackers targeted IoT gateway devices manufactured by Russian company AO SBK, primarily focusing on two types:

a) MPSB: Designed for information exchange with external devices via various interfaces, supporting Ethernet and serial communication protocols, including CAN, RS-232, and RS-485.

b) TMSB: Similar to MPSB, with a built-in 3/4G modem for transmitting data to remote systems via the internet.

These gateways were connected to numerous physical sensors measuring industrial air concentrations of methane, carbon dioxide, oxygen, and carbon monoxide, communicating through Meter-Bus/RS485 serial channels.

 

3. Script Deployment

Attackers created and deployed lists of target sensor gateway IPs, including their physical locations and descriptions. Malware was distributed to each target via SSH or the sensor protocol (SBK) on port 4321.

 

4. Device Lockdown and File System Destruction

Attackers remounted file systems, deleted critical files and directories, shut down remote access services, and corrupted routing table information to sever communication between devices.

 

5. NAND Chip Destruction

Performed bit-flip operations on NAND memory chips, repeatedly rewriting memory, causing chip failure and rendering recovery impossible.

 

6. UBI Volume Destruction

Overwrote UBI volumes, making them unusable, damaging flash memory management, and resulting in an unstable file system.

 

7. Denial of Service via M-Bus Protocol

Conducted fuzz testing on the M-Bus protocol by sending random data through serial channels, overloading communication pathways, and disabling sensors.

 

Strategic Recommendations

Given the complexity and severity of the Fuxnet attack, it is crucial for security decision-makers and CISOs to implement robust cybersecurity measures in their OT/ICS environments. Reflect on the following questions: How comprehensive are your current OT/ICS system defenses? Have you established an incident response plan for attacks similar to Fuxnet? Are there devices in your system still using default passwords? Are your access control lists (ACLs) regularly updated to address new threats? Here are some relevant recommendations:

1. Mitigate Default Password Vulnerabilities

In a bustling manufacturing plant, cyberattack exploiting default passwords can cause an unexpected halt, significantly disrupting operations. Default passwords, often found in device manuals or online, are easily accessible and provide an open door to critical systems. Replacing default passwords with strong, unique ones is crucial, particularly for IoT routers and sensor gateways. Regular audits should be conducted to verify compliance, thereby fortifying access points and significantly reducing the risk of unauthorized intrusion.

 

2. Implementing Access Control Lists (ACLs)

Access Control Lists (ACLs) act as digital gatekeepers, defining who or what can access specific parts of a network. Deploying ACLs on gateways restricts communication to authorized devices only, creating a controlled environment. Tools like TXOne’s EdgeIPS can automatically learn and enforce these ACLs, ensuring a robust security perimeter. Regular reviews and updates of ACLs are necessary to adapt to new threats and network changes.

 

3. Monitoring SSH Login Attempts

Failed SSH login attempts can indicate brute force attacks, where attackers systematically try different passwords to gain access. Monitoring these attempts helps identify potential breaches. Implementing brute force detection mechanisms, such as those offered by TXOne’s EdgeIPS, can catch these attempts early. Addressing false positives ensures that genuine alerts receive prompt attention.

 

4. Regular Firmware Updates

Firmware updates are essential for maintaining the optimal and secure functioning of OT/ICS devices. These updates patch known vulnerabilities and enhances security features. Establishing a routine schedule for firmware updates across all OT/ICS devices, with prompt testing and application, helps maintain the integrity and security of the infrastructure, safeguarding it against emerging threats.

 

5. Developing an Incident Response Plan

An incident response plan prepares a team for handling cybersecurity threats effectively, outlining the steps to take when an incident occurs, defining roles, communication protocols, and recovery procedures. Developing and routinely updating an incident response plan tailored to the OT/ICS environments is crucial. Regular drills to test the plan’s effectiveness and continuous refinement based on lessons learned from drills and real incidents will enhance readiness and resilience.

 

Conclusion

The Fuxnet incident underscores the importance of robust cybersecurity measures in protecting OT/ICS environments. By addressing default password vulnerabilities, implementing strict access controls, monitoring for suspicious activities, maintaining up-to-date firmware, and having a well-defined incident response plan, organizations can significantly mitigate the risks posed by advanced malware attacks.

Securing industrial environments involves unique challenges that differ greatly from those found in IT networks. TXOne Networks focuses exclusively on OT cybersecurity, offering solutions tailored specifically to the equipment, environment, and daily operations of industrial settings.

Reach out to the cybersecurity specialists at TXOne today to find out more about safeguarding your operational technology.

 

References

[1] Eduard Kovacs, “Destructive ICS Malware Fuxnet Used by Ukraine Against Russian Infrastructure,” SecurityWeek, April 15, 2024.

[2] Claroty Team82, “Unpacking the Blackjack Group’s Fuxnet Malware,” Claroty, April 12, 2024.

[3] Jai Vijayan, “Dangerous New ICS Malware Targets Orgs in Russia and Ukraine,” Dark Reading, April 18, 2024.

[4] ForeSight Team, “Unveiling the Blackjack Group’s Fuxnet Malware: A Stealthy Cyber Threat,” ForeSight, April 17, 2024.

TXOne image
TXOne Networks

Need Assistance with OT Security ?

Our team is here to assist with OT security challenges and provide guidance on implementing effective solutions.​