
Various reports have been published that analyze BlackEnergy2 and BlackEnergy3 in depth. However, there seem to be discrepancies regarding the malware delivery phase, i.e., initial exploitation.

The CrashOverride report published by Dragos describes the BlackEnergy2 malware as follows:

This ICS tailored malware contained exploits for specific types of HMI applications including Siemens SIMATIC, GE CIMPLICITY, and Advantech WebAccess. BLACKENERGY 2 was a smart approach by the adversaries to target internet connected HMIs.

The ICS-ALERT-14-281-01E alert issued by ICS-CERT regarding BlackEnergy3 seems to confirm this:

In a departure from the ICS product vulnerabilities used to deliver the BE2 malware, in this case the infection vector appears to have been spear phishing via a malicious Microsoft Office (MS Word) attachment.

However, there are various sources that indicate that BlackEnergy3 (instead of BlackEnergy2) includes ICS-specific exploits targeting HMIs.

For example:

CyberX:

The main attack vector observed was infection of Human-Machine-Interface (HMI) machines in ICS networks. These machines provide a user interface for interacting and controlling industrial networks. According to the alert issued by ICS-CERT, various vendors were targeted, including GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC.

iTrust:

According to [3], all BlackEnergy3 malware used for targeted attacks infect the Human-Machine-Interface (HMI) workstations in ICS plant networks.

Khan et al.:

BE3 was also found scanning the internet for a specific HMI, the GE Intelligent Platforms HMI/SCADA - CIMPLICITY. The HMI was known to have a directory traversal vulnerability in CimWebServer.exe (the WebView component) which allows remote attackers to execute arbitrary code via a crafted message to TCP port 10212, (ZDI-CAN-1623).

What am I missing here?

John Doe
  • It sounds like BlackEnergy2 used vulnerabilities in the ICS HMI as its infection vector while BlackEnergy3 used a spearphishing email with an MS Word attachment. Regardless of the infection vector, they both attacked HMIs intended to interact with and control industrial networks. I think the wording you're getting confused about is the infection vector vs. the actual malicious actions (attack) the malware performed once it was in place. – Daisetsu Dec 27 '18 at 18:45
  • But the Dragos report states that: `BLACKENERGY 3 does not contain ICS components in the way that BLACKENERGY 2 did. Instead, the adversaries leveraged the BLACKENERGY 3 malware to gain access to the corporate networks of the power companies and then pivot into the SCADA networks.` On the other hand, the CyberX report clearly states that the initial infection occurred by using GE CIMPLICITY. This seems contradictory to me; apparently I am missing something... – John Doe Dec 27 '18 at 19:10
  • It seems likely and evidenced that spear phishing was used as the initial delivery vector to get on-net, but the compromise of the HMI/ICS systems was performed by the different actual HMI vendors' software exploits. Not only do the reports confirm this as used, but it is also pretty much a boilerplate attack these days for an initial foothold. – thepip3r Dec 28 '18 at 19:15
  • @thepip3r As far as I understand, that's not what the Dragos report states: yes, spearphishing was the initial delivery vector in BlackEnergy3 in order to get into the corporate networks, allowing them to pivot into ICS networks. In contrast, the CyberX report never mentions that spearphishing was involved, but indicates that the initial vector was through HMIs that were connected via the Internet. – John Doe Dec 28 '18 at 21:14
