Havex malware targets ICS/SCADA systems
Posted on 24.06.2014
F-Secure researchers have, for a while now, been monitoring the spreading of the Havex malware family and have been trying to determine who are the attackers that wield it.

Initially spotted in 2013, the group's attacks were directed towards the energy sector, but now they have turned their attention to Industrial Control Systems (ICS).

Havex - a relatively generic Remote Access Trojan (RAT) - gets delivered to victims via spam emails and exploit kits, but to maximize the likelihood that the right people would get infected, the attackers have also poisoned a few online watering holes.

The websites in question belong to three ICS vendors based in Germany, Switzerland and Belgium. "Two of them are suppliers of remote management software for ICS systems and the third develops high-precision industrial cameras and related software," shared Daavid Hentunen, senior researcher at F-Secure.

The attackers compromised the websites by exploiting vulnerabilities in the software used to run them, and replaced the legitimate software installers offered for download to customers with trojanized versions that include the Havex RAT.

"The trojanized software installer will drop and execute [Havex] as a part of the normal installation. The user is left with a working system, but the attacker now has a backdoor to access and control the computer," Hentunen explained.

F-Secure researchers have so far analyzed 88 variants of the malware, and have discovered that it can also download and execute additional malicious components, one of which is designed to exfiltrate data about the local network and the ICS/SCADA hardware connected to it.

The researchers have discovered some 146 C&C servers directing the behavior of the malware; these servers are usually compromised websites.

"The group doesn't always manage the C&C's in a professional manner, revealing lack of experience in operations. We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors," he noted.

"The majority of the victims are located in Europe, though at the time of writing at least one company in California was also observed sending data to the C&C servers. Of the European-based organizations, two are major educational institutions in France that are known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction company that appears to specialize in structural engineering."