Havex malware targets ICS/SCADA systems
Posted on 24.06.2014
F-Secure researchers have, for a while now, been monitoring the spread of the Havex malware family and have been trying to determine who the attackers wielding it are.

Initially spotted in 2013, the group's attacks were directed towards the energy sector, but now they have turned their attention to Industrial Control Systems (ICS).

Havex - a relatively generic Remote Access Trojan (RAT) - gets delivered to victims via spam emails and exploit kits, but to maximize the likelihood that the right people would get infected, the attackers have also poisoned a few online watering holes.

The websites in question belong to three ICS vendors based in Germany, Switzerland and Belgium. "Two of them are suppliers of remote management software for ICS systems and the third develops high-precision industrial cameras and related software," shared Daavid Hentunen, senior researcher at F-Secure.

The attackers managed to compromise the websites by exploiting vulnerabilities in the software used to run them, and replaced the legitimate software installers available for download to customers with trojanized versions that include the Havex RAT.

"The trojanized software installer will drop and execute [Havex] as a part of the normal installation. The user is left with a working system, but the attacker now has a backdoor to access and control the computer," Hentunen explained.
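The defensive check that defeats this kind of installer swap is verifying each download against a digest the vendor publishes somewhere other than the download page itself. The following is an added illustration, not F-Secure's or any vendor's code; the installer bytes, file name and manifest entry are constructed for the example, and the hypothetical `verify_installer` function stands in for whatever a site's own deployment tooling does:

```python
"""Checking a downloaded installer against an out-of-band integrity manifest.

Added illustration, not F-Secure's or any vendor's code. It assumes the vendor
publishes SHA-256 digests for its installers over a channel separate from the
download page (a signed release note, a mailed notice); the manifest and the
installer bytes below are constructed for the example.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed "known-good" installer contents and the digest a vendor would
# publish for it out of band. In practice the digest comes from the vendor.
GOOD_INSTALLER = b"MZ\x90\x00legit-ics-client-setup-v2.1"
MANIFEST = {
    "ics-client-setup.exe": hashlib.sha256(GOOD_INSTALLER).hexdigest(),
}

# Constructed stand-in for a trojanized copy: same file name, different bytes.
TROJANIZED_INSTALLER = GOOD_INSTALLER + b"\x00dropper-stub"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path, name, manifest=MANIFEST):
    """Return True only if the file's digest matches the manifest entry.

    A missing manifest entry is treated as a failure, not a pass: an installer
    the vendor never published a digest for should not be trusted by default.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = sha256_file(path)
    # Constant-time comparison; a good habit even where timing is not critical.
    return hmac.compare_digest(actual, expected)


def check_bytes(contents, name):
    """Demonstration helper: write bytes to a temp file, verify, clean up."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(contents)
        return verify_installer(path, name)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("genuine installer:", check_bytes(GOOD_INSTALLER, "ics-client-setup.exe"))
    print("trojanized copy:  ", check_bytes(TROJANIZED_INSTALLER, "ics-client-setup.exe"))
    print("unknown file:     ", check_bytes(GOOD_INSTALLER, "other.exe"))
```

The check is only as strong as the channel the manifest arrives over: a digest fetched from the same compromised download page can be rewritten along with the installer, which is why the manifest has to come from a separate source, and why an unknown file name fails rather than passes.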

F-Secure researchers have so far analyzed 88 variants of the malware, and have discovered that it can also download and execute additional malicious components, one of which is designed to exfiltrate data about the local network and the ICS/SCADA hardware connected to it.

The researchers have discovered some 146 C&C servers directing the behavior of the malware; these servers are usually compromised websites.

"The group doesn't always manage the C&C's in a professional manner, revealing a lack of experience in operations. We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors," he noted.

"The majority of the victims are located in Europe, though at the time of writing at least one company in California was also observed sending data to the C&C servers. Of the European-based organizations, two are major educational institutions in France that are known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction company that appears to specialize in structural engineering."
