Author Topic: Triton is the world’s most murderous malware, and it’s spreading


Online bigheadfred

  • Hero Member
  • *****
  • Posts: 18,588
  • Gender: Male
  • One day Closer
https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/

Triton is the world’s most murderous malware, and it’s spreading
     by Martin Giles March 5, 2019

The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.



As an experienced cyber first responder, Julian Gutmanis had been called plenty of times before to help companies deal with the fallout from cyberattacks. But when the Australian security consultant was summoned to a petrochemical plant in Saudi Arabia in the summer of 2017, what he found made his blood run cold.

The hackers had deployed malicious software, or malware, that let them take over the plant’s safety instrumented systems. These physical controllers and their associated software are the last line of defense against life-threatening disasters. They are supposed to kick in if they detect dangerous conditions, returning processes to safe levels or shutting them down altogether by triggering things like shutoff valves and pressure-release mechanisms.

The malware made it possible to take over these systems remotely. Had the intruders disabled or tampered with them, and then used other software to make equipment at the plant malfunction, the consequences could have been catastrophic. Fortunately, a flaw in the code gave the hackers away before they could do any harm. It triggered a response from a safety system in June 2017, which brought the plant to a halt. Then in August, several more systems were tripped, causing another shutdown.
She asked me name my foe then. I said the need within some men to fight and kill their brothers without thought of Love or God. Ken Hensley

Online bigheadfred

  • Hero Member
  • *****
  • Posts: 18,588
  • Gender: Male
  • One day Closer
snip

However, not even the most pessimistic of cyber-Cassandras saw malware like Triton coming. “Targeting safety systems just seemed to be off limits morally and really hard to do technically,” explains Joe Slowik, a former information warfare officer in the US Navy, who also works at Dragos.

Other experts were also shocked when they saw news of the killer code. “Even with Stuxnet and other malware, there was never a blatant, flat-out intent to hurt people,” says Bradford Hegrat, a consultant at Accenture who specializes in industrial cybersecurity.

Offline Smokin Joe

  • Hero Member
  • *****
  • Posts: 56,605
  • I was a "conspiracy theorist". Now I'm just right.
https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/

Triton is the world’s most murderous malware, and it’s spreading
     by Martin Giles March 5, 2019

The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.



As an experienced cyber first responder, Julian Gutmanis had been called plenty of times before to help companies deal with the fallout from cyberattacks. But when the Australian security consultant was summoned to a petrochemical plant in Saudi Arabia in the summer of 2017, what he found made his blood run cold.

The hackers had deployed malicious software, or malware, that let them take over the plant’s safety instrumented systems. These physical controllers and their associated software are the last line of defense against life-threatening disasters. They are supposed to kick in if they detect dangerous conditions, returning processes to safe levels or shutting them down altogether by triggering things like shutoff valves and pressure-release mechanisms.

The malware made it possible to take over these systems remotely. Had the intruders disabled or tampered with them, and then used other software to make equipment at the plant malfunction, the consequences could have been catastrophic. Fortunately, a flaw in the code gave the hackers away before they could do any harm. It triggered a response from a safety system in June 2017, which brought the plant to a halt. Then in August, several more systems were tripped, causing another shutdown.
@thackney Just a heads-up, because this is likely the dream of the dangerous breed of ecowhackos that are out there shutting down pipeline valves now. (Not to mention a form of asymmetrical warfare.)
How God must weep at humans' folly! Stand fast! God knows what he is doing!
Seventeen Techniques for Truth Suppression

Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience.

C S Lewis

Online Weird Tolkienish Figure

  • Technical
  • *****
  • Posts: 18,163
Can we start executing these virus writers?

Offline Smokin Joe

  • Hero Member
  • *****
  • Posts: 56,605
  • I was a "conspiracy theorist". Now I'm just right.
snip

However, not even the most pessimistic of cyber-Cassandras saw malware like Triton coming. “Targeting safety systems just seemed to be off limits morally and really hard to do technically,” explains Joe Slowik, a former information warfare officer in the US Navy, who also works at Dragos.

Other experts were also shocked when they saw news of the killer code. “Even with Stuxnet and other malware, there was never a blatant, flat-out intent to hurt people,” says Bradford Hegrat, a consultant at Accenture who specializes in industrial cybersecurity.
If they were shocked, they underestimated the malicious nature of not only geopolitical enemies, but dirt-worshipers who already have tried to create situations where pipelines or other infrastructure fail to further their jihad against industry.

Online Free Vulcan

  • Technical
  • *****
  • Posts: 23,730
  • Gender: Male
  • Ah, the air is so much fresher here...
Can we start executing these virus writers?

Funny you say that, some of these hacker types are tech smart, street stupid. There are many companies, govts, and organizations that will off you and your team for screwing with them like that.

What I'm concerned about is that the ones behind this might be real terrorists or state actors.
The Republic is lost.

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,685
ANY and every critical system needs to be air-gapped.

End of story.


Offline Smokin Joe

  • Hero Member
  • *****
  • Posts: 56,605
  • I was a "conspiracy theorist". Now I'm just right.
ANY and every critical system needs to be air-gapped.

End of story.
That works best for keeping things secure, unless Hillary is loading them onto her server, that is....

Online bigheadfred

  • Hero Member
  • *****
  • Posts: 18,588
  • Gender: Male
  • One day Closer
ANY and every critical system needs to be air-gapped.

End of story.

How do you air gap our electrical grid?

Online bigheadfred

  • Hero Member
  • *****
  • Posts: 18,588
  • Gender: Male
  • One day Closer
What is an Air Gapped Computer?

Read more at: https://www.thesslstore.com/blog/air-gapped-computer/

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,685
How do you air gap our electrical grid?

The control equipment, not the grid itself. Every critical system needs to have a manual override and an air-gapped control. All that crap should run manually on the flip of a (manual) switch.

Online bigheadfred

  • Hero Member
  • *****
  • Posts: 18,588
  • Gender: Male
  • One day Closer
The control equipment, not the grid itself. Every critical system needs to have a manual override and an air-gapped control. All that crap should run manually on the flip of a (manual) switch.

And that is where the Hillary Option comes in. Or the Snowden Apocalypse. IOW, the human factor.

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,685
And that is where the Hillary Option comes in. Or the Snowden Apocalypse. IOW, the human factor.

Sure... And physical security has to counteract anyone having physical access to the system...

My place has backdoors in security. Like every lazy fat-assed admin, it is too easy to allow myself the convenience of logging in from the internet to take care of things while I am on the road.
That is the problem. And it is getting worse. But the way I am rigged, all I have to do is walk over and unplug one switch, and all those backdoors physically go away, and I am wholly locked down.
That is not air-gapped per se, but all the doors are immediately gone.

That manual end game will always always be there.

Offline Joe Wooten

  • Hero Member
  • *****
  • Posts: 2,455
  • Gender: Male
The control equipment, not the grid itself. Every critical system needs to have a manual override and an air-gapped control. All that crap should run manually on the flip of a (manual) switch.

They need to look no further than the American Nuke plants. The process control computer network is isolated from the internet and can only be hacked as a result of an inside job. The NRC takes this stuff very seriously. Every plant has a data server that has a one-way feed from the process computer so the NRC and plant personnel can look at the data without accessing the process computer.

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,685
They need to look no further than the American Nuke plants. The process control computer network is isolated from the internet and can only be hacked as a result of an inside job. The NRC takes this stuff very seriously. Every plant has a data server that has a one-way feed from the process computer so the NRC and plant personnel can look at the data without accessing the process computer.

Sadly, that is not the case with utilities, or corporate industry in general. Analog is so 80's, after all...

Offline Joe Wooten

  • Hero Member
  • *****
  • Posts: 2,455
  • Gender: Male
Sadly, that is not the case with utilities, or corporate industry in general. Analog is so 80's, after all...

Yep, I know.

Online Weird Tolkienish Figure

  • Technical
  • *****
  • Posts: 18,163
Sadly, that is not the case with utilities, or corporate industry in general. Analog is so 80's, after all...

Analog is way easier to "hack" than digital. For example, hot wiring a car, etc.

Offline Smokin Joe

  • Hero Member
  • *****
  • Posts: 56,605
  • I was a "conspiracy theorist". Now I'm just right.
Analog is way easier to "hack" than digital. For example, hot wiring a car, etc.
Yabbut, you have to be there.

Online Weird Tolkienish Figure

  • Technical
  • *****
  • Posts: 18,163
Yabbut, you have to be there.

Social engineering makes that possible. Everything is "hackable".

Offline Smokin Joe

  • Hero Member
  • *****
  • Posts: 56,605
  • I was a "conspiracy theorist". Now I'm just right.
Social engineering makes that possible. Everything is "hackable".
There is a difference between stealing a vehicle and blowing up an oil refinery using the safety mechanisms to cause problems. One is trouble, sure, but the other the sort of thing you would not want to 'be there' for. You'd want to be at least a few miles away. Hacking digital systems has the potential to give that capability from anywhere in the world as opposed to standing in the heart of the coming conflagration.

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,685
Analog is way easier to "hack" than digital. For example, hot wiring a car, etc.

@Weird Tolkienish Figure
No.

You can have a valve that has an electronic motor - that's fine. But have an analog override (an actual manual valve).
The valve with the electronic motor can be operated with a servo, but have a switch too.
The servo that operates the electronic motor can be operated by a computer, but have a switch too.
The computer can be operated by a local network, but the computer should be able to do that job air-gapped too.
The local network can be operated by a wider domain, but it should first be able to function air-gapped too.

And so on.

It is called redundancy. And it is important. IT and top brass have a similar mindset, call it a 'god complex' or 'castle mentality'. Central control. It is foolish.  The guy running the floor with 25 years of experience sure as hell knows better when to turn that valve than you do.

Distributed and redundant simple systems are, in the end, the easiest to protect. Look at it this way:
You will always have the analog component to protect. That relies upon actual boots-on-the-ground.

Everything bolted onto that physical site on the ground is just another level you have to protect.
So the further the control is from that valve, the more protections are required. And each level has its own vulnerabilities. And every vulnerability has an exploit. Every one.

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,685
Social engineering makes that possible. Everything is "hackable".

Every layer is susceptible to social engineering. The one most needful to protect is the actual device.

I am a fairly adept hacker. I can guarantee you, no matter what security you may put in place else-wise, The very most important item to protect is your physical computer. If I get my hands on that, you cannot stop me at all. Not only can I walk right in once I have my hands on your keyboard, I can also eliminate any trace that I was there.

That is never going to change. No matter how big and complex your organization and security becomes, that computer is always going to be a vulnerability.

Offline Sanguine

  • Hero Member
  • *****
  • Posts: 35,986
  • Gender: Female
  • Ex-member
@roamer_1,  would you mind talking about VPNs?  Do I need one?  I'm not on standard wired cable internet.   
« Last Edit: March 11, 2019, 03:01:05 am by Sanguine »

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,685
@roamer_1,  would you mind talking about VPNs?  Do I need one?  I'm not on standard wired cable internet.   

@Sanguine
VPN=Virtual Private Networking - It is used to tie remote locations to a local network. IOW, if you are down in town and forgot something on your computer at home, you can use a laptop to access your home network from a coffee shop or some such. Or you are a virtual secretary working from home, so you need to be let in to a business's network to perform your duty...

In a word, no.  Unless you need remote access to your system, which opens a whole dang can of worms, you have no need for VPN.

I don't know your exact situation nor requirements, but as a rule, if your machines in your house are behind a properly configured router, that is all you need. But you DO need that, even with one machine, and pretty well regardless of your internet source...

My cable company provided me with a wireless router (under their control)... Plug n' play. woohoo!

Nope. Brought it back and requested a bridged modem, and I will operate my own dang router, thank you very much. That router is the front door to your system.

Offline Sanguine

  • Hero Member
  • *****
  • Posts: 35,986
  • Gender: Female
  • Ex-member
@Sanguine
VPN=Virtual Private Networking - It is used to tie remote locations to a local network. IOW, if you are down in town and forgot something on your computer at home, you can use a laptop to access your home network from a coffee shop or some such. Or you are a virtual secretary working from home, so you need to be let in to a business's network to perform your duty...

In a word, no.  Unless you need remote access to your system, which opens a whole dang can of worms, you have no need for VPN.

I don't know your exact situation nor requirements, but as a rule, if your machines in your house are behind a properly configured router, that is all you need. But you DO need that, even with one machine, and pretty well regardless of your internet source...

My cable company provided me with a wireless router (under their control)... Plug n' play. woohoo!

Nope. Brought it back and requested a bridged modem, and I will operate my own dang router, thank you very much. That router is the front door to your system.

Thanks, that's sort of what I thought.  I use satellite internet and when that runs out, I use a mobile hotspot the rest of the time and whenever I travel.  I never use public networks.