Solved

Night Dragon - Remote Control of your Control System?

Posted on 2011-02-16
5
608 Views
Last Modified: 2013-11-22
Hi Experts,

Received the following email, kindly advise (1) if this is for real (2) is there anything we need to to ensure we safe, we currently run Sophos AV for our 60 odd XP/Windows 7 PC's and Server 2003,

Kindly advise...
Craig
_____________________________________________________________________________
From: ID EMEA [mailto:ID_EMEA@mail.vresp.com]
Sent: Thursday, 17 February 2011 1:11 a.m.
To:
Subject: Night Dragon - Remote Control of your Control System?

McAfee has released a report describing a new Advanced Persistent Threat they dubbed “Night Dragon.” The attackers were able to take remote control of assets they compromised. In this attack, though, the motive was not sabotage, but the theft of competitive intelligence. What is distressing is that while the adversary behind the attack seems very capable, the technology of the attacks was not very sophisticated. These adversaries were able to take over control system assets and energy-industry infrastructure using fairly unsophisticated “remote administration” toolkits.
Why Night Dragon Matters
Night Dragon demonstrates that simple techniques, applied by a skillful and persistent adversary, are enough to break into energy-sector firms, even to the extent of compromising their control system assets. Worse, the tools used by these adversaries let them take complete control of compromised machines, through remote-desktop-like facilities. Night Dragon used these tools to steal valuable information, but could just as easily have used them to take control of the user interface on any machine they compromised, including the control system assets.
The McAfee report doesn’t say it outright, but it seems very likely that this same adversary could have taken over and sabotaged the physical processes behind the control systems they compromised, if they had been given that objective. The team had remote control of all the control system assets they compromised, and a remote-control tool on a computer with HMI capabilities gives the attacker control of the physical process through the HMI.

Read more at our blog "Findings from the Field" http://findingsfromthefield.com/?p=725

What Needs to be Done
How do we prevent persistent adversaries using well-understood attack tools from taking over our control systems? The answer is a defense-in-depth security posture. In fact, since the Night Dragon APT was focussed entirely on remote control, protecting against that threat is somewhat easier than protecting against the USB-capable and S7-project-infecting Stuxnet:

Find our comments on how best to protect your Critical Control Systems here http://findingsfromthefield.com/?p=725

Forward this message to a friend

If you would like any further information, or would like to discuss how we could help you to ensure your organisation is protected against this type of attack, please contact me.

Best regards
David


David Brown
European Sales Director
dbrown@industrialdefender.com
Direct: +44 (0)1933 419866
Mobile: +44 (0)7880 528350

Industrial Defender, Inc.
The Global Leader in Automation System Security Management
www.industrialdefender.com
Industrial Defender, Inc.
16 Chestnut Street - Suite 300
Foxborough, MA USA 02035

0
Comment
Question by:craigleenz
5 Comments
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 150 total points
ID: 34914045
0
 

Author Comment

by:craigleenz
ID: 34914067
thank you phototropic for the reply, that answer my one question,
just need to find out if there is anything in particular we need to do ensure we safe?
0
 
LVL 8

Accepted Solution

by:
lancecurwensville earned 250 total points
ID: 34917486
I personally believe that the response to this threat would be to ensure that best practices are being followed:
Firewall blocking all unnecessary incoming ports
GPO's set to allow only the needed permissions for employees to do work and nothing more.
A patch management plan or system to ensure all appropriate updates are installed after they're reviewed for functionality.
A anti-virus solution that provides a level of protection you are comfortable with.
An appropriate working backup strategy that has been tested.
Appropriate logging capabilities setup on firewalls and servers to view usage and track anomalies; and most importantly with this, these logs must be read and not ignored.
0
 
LVL 6

Assisted Solution

by:Melannk24
Melannk24 earned 100 total points
ID: 34920829
In the McAfee report, they mention the Remote Access Tool protocol being used in this attack.  One way to possible identity the threat is look for the RAT protocol communication in your firewall and IDS logs.  In this particular threat, the malware is using a specific beacon and server response, signed with a plain text signature of "hW$" at the byte offset 0x42.  Specifically, McAfee Threat Research said the following: The backdoor begins its beacon at approximately five-second intervals with an initial packet that maybe detected with the pattern: “\x01\x50[\x00-\xff]+\x68\x57\x24\x13.”  You could use this "indicator of compromise" and set alerts within your IDS, log server, etc.  
0
 

Author Closing Comment

by:craigleenz
ID: 34940929
thanks guys
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Opening Ports 18 98
Network Infrastructure for Branch Office 16 100
Pfsense - and other email Servers 8 48
Internet Connection -- PING testing ? 1 42
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
A brand new malware strain was recently discovered by security researchers at Palo Alto Networks dubbed “AceDeceiver.” This new strain of iOS malware can successfully infect non-jailbroken devices and jailbroken devices alike.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question