CrashOverride
June 21, 2017
On June 20th Check Point published an IPS signature providing virtual patching for the Siemens SIPROTEC denial-of-service (DoS) vulnerability. This signature helps protect against one of the attack modules of a new malware, CrashOverride (also known as Industroyer), which is a direct threat to electric grid operators.
CrashOverride is the fourth piece of ICS-tailored malware used against industrial control system targets, and only the second ever designed and deployed to disrupt physical industrial processes. It was used in the December 17th, 2016 cyber-attack on a transmission substation in Kiev, Ukraine, which disrupted grid operations and caused a power outage.
The malware is an extensible platform that can be used to target critical infrastructure sectors. Its current payload modules speak the IEC 60870-5-101 (IEC 101), IEC 60870-5-104 (IEC 104) and IEC 61850 protocols, which are mainly used outside the Americas.
- CrashOverride issues valid protocol commands directly to RTUs, so its traffic looks like legitimate operator activity.
- It is extensible; adding a DNP3 module would put the Americas at risk as well.
- The CrashOverride framework serves no espionage purpose. Its only real function is to carry out attacks that lead to electric outages.
- CrashOverride includes a component that exploits the Siemens SIPROTEC relay denial-of-service (DoS) vulnerability, CVE-2015-5374. The affected relay stops responding and may require a manual reboot to recover, so the attacker can use this to hamper the protective relays that would otherwise guard the substation.
ICS-CERT reported this on June 14, 2017. The tactics, techniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target U.S. critical information networks and systems; however, the malware's impact can be limited by taking the right precautions:
- Use Check Point's Application Control for command visibility and baselining. It can identify IEC 104, DNP3 and IEC 61850 commands, and the user can record a baseline of normal commands so that the system alerts on any command not seen in that baseline.
- Apply the IPS signature Check Point published, which provides virtual patching for the Siemens SIPROTEC DoS vulnerability (CVE-2015-5374).
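As an added illustration of the command visibility and baselining described above (example code written for this page, not Check Point's product code and not taken from the malware), the following Python parses the header of IEC 60870-5-104 frames, records which control commands each master normally sends to a station during a learning window, and then alerts on any command type, information object address (IOA) or source it has not seen before. The hosts, addresses and frames are constructed inside the script; the IOA sweep at the end is a hypothetical attacker behaviour built for the demonstration, not CrashOverride's actual logic.

```python
"""IEC 60870-5-104 command visibility and baselining (added example, not product or malware code).
Parses the APCI/ASDU header of IEC 104 frames, learns which control commands each master
issues to a station during a learning window, then alerts on anything new. Traffic is constructed."""
import struct
from dataclasses import dataclass
from typing import Optional
# ASDU type identifiers (IEC 60870-5-101/104): C_* are commands, M_* monitoring data.
ASDU_TYPES = {1: "M_SP_NA_1", 30: "M_SP_TB_1", 45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1",
              48: "C_SE_NA_1", 49: "C_SE_NB_1", 50: "C_SE_NC_1", 58: "C_SC_TA_1", 59: "C_DC_TA_1",
              100: "C_IC_NA_1", 103: "C_CS_NA_1"}
CONTROL_TYPES = {45, 46, 47, 48, 49, 50, 58, 59, 60, 61, 62, 63}  # commands that change process state
COT_ACTIVATION = 6  # cause of transmission "activation": a master requesting a change

@dataclass
class Asdu:
    type_id: int
    cot: int          # cause of transmission (low 6 bits of the COT octet)
    common_addr: int  # common address of ASDU, i.e. the station
    ioa: int          # information object address of the first object
    element: bytes    # raw information element(s), e.g. the SCO octet of a single command

def parse_apdu(data: bytes) -> tuple[str, Optional[Asdu]]:
    """Return (frame format, ASDU). Format is 'I', 'S' or 'U'; only I-frames carry an ASDU."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (missing 0x68 start octet)")
    if data[1] != len(data) - 2:
        raise ValueError("APDU length octet does not match frame size")
    ctrl1 = data[2]
    if ctrl1 & 0x01 == 0:         # bit 0 clear: I-format (numbered information transfer)
        fmt = "I"
    elif ctrl1 & 0x03 == 0x01:    # bits 1,0 = 01: S-format (supervisory acknowledgement)
        fmt = "S"
    else:                         # bits 1,0 = 11: U-format (STARTDT/STOPDT/TESTFR)
        fmt = "U"
    if fmt != "I":
        return fmt, None
    asdu = data[6:]
    if len(asdu) < 9:             # type, VSQ, COT(2), CA(2), IOA(3)
        raise ValueError("ASDU header truncated")
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    return "I", Asdu(asdu[0], asdu[2] & 0x3F, common_addr, ioa, asdu[9:])

def build_i_frame(type_id: int, ioa: int, element: bytes, common_addr: int = 1,
                  cot: int = COT_ACTIVATION, ns: int = 0, nr: int = 0) -> bytes:
    """Build an I-frame carrying one information object (VSQ = 1, originator address 0)."""
    asdu = (bytes([type_id, 0x01, cot & 0x3F, 0x00]) + struct.pack("<H", common_addr)
            + ioa.to_bytes(3, "little") + element)
    ctrl = struct.pack("<HH", ns << 1, nr << 1)  # N(S), N(R) shifted left; bit 0 of octet 1 stays 0
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu

def build_single_command(ioa: int, scs: int, select: bool, **kw) -> bytes:
    """C_SC_NA_1 (type 45): SCO octet = SCS (bit 0, 0=off 1=on) | S/E (bit 7, 1=select 0=execute)."""
    return build_i_frame(45, ioa, bytes([(scs & 1) | (0x80 if select else 0x00)]), **kw)

class CommandBaseline:
    """Learn (source, station, command type, IOA) tuples during a learning window, then alert on new ones."""
    def __init__(self) -> None:
        self.known: set[tuple[str, int, int, int]] = set()
        self.learning = True

    def observe(self, src: str, data: bytes) -> Optional[str]:
        fmt, asdu = parse_apdu(data)
        # S/U frames, monitoring data and the RTU's own activation confirmations (COT 7)
        # are not control requests, so they are neither learned nor alerted on.
        if fmt != "I" or asdu.type_id not in CONTROL_TYPES or asdu.cot != COT_ACTIVATION:
            return None
        key = (src, asdu.common_addr, asdu.type_id, asdu.ioa)
        if self.learning:
            self.known.add(key)
            return None
        if key in self.known:
            return None
        name = ASDU_TYPES.get(asdu.type_id, f"type {asdu.type_id}")
        return f"ALERT: new control command {name} from {src} to station {asdu.common_addr} IOA {asdu.ioa}"

def run_demo() -> list[str]:
    """Constructed traffic: a legitimate HMI during learning, then commands a baseline should flag."""
    baseline = CommandBaseline()
    hmi, rtu, rogue = "10.0.0.10", "10.0.1.5", "10.0.0.99"  # constructed addresses
    # Learning window: the HMI operates breaker IOA 1001 (select, then execute) and runs an interrogation.
    baseline.observe(hmi, build_single_command(1001, scs=1, select=True))
    baseline.observe(hmi, build_single_command(1001, scs=1, select=False, ns=1, nr=1))
    baseline.observe(hmi, build_i_frame(100, 0, bytes([0x14])))  # C_IC_NA_1 with QOI 20: not a control command
    baseline.learning = False
    events = [
        (hmi, build_single_command(1001, scs=0, select=False)),         # known command: no alert
        (hmi, bytes([0x68, 0x04, 0x01, 0x00, 0x02, 0x00])),             # S-frame acknowledgement: ignored
        (rtu, build_single_command(1001, scs=0, select=False, cot=7)),  # RTU's activation confirmation: ignored
        (rogue, build_single_command(1001, scs=0, select=False)),       # same command, unknown source: alert
    ]
    # Hypothetical sweep across neighbouring IOAs: each frame is a valid command, but to addresses the HMI never used.
    events += [(hmi, build_single_command(ioa, scs=0, select=False)) for ioa in range(1002, 1005)]
    events.append((hmi, build_i_frame(46, 1001, bytes([0x01]))))  # C_DC_NA_1, DCS=1 (off): new command type
    return [alert for src, frame in events if (alert := baseline.observe(src, frame))]

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

Running the script prints five alerts: one for the known command arriving from an unknown source, three for the IOA sweep, and one for a double command the HMI had never issued. The known command, the S-frame acknowledgement and the RTU's activation confirmation (same type and IOA, but COT 7) produce nothing, which is the point of keying the baseline on source, station, command type and IOA and of only learning activation requests: a command that is valid at the protocol level is still an anomaly when it comes from a new host or touches a new object.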