[CDP-development] Joint Cybersecurity Advisory: APT Cyber Tools Targeting ICS/SCADA Devices - TLP: WHITE

Masse, Theresa theresa.masse at cisa.dhs.gov
Wed Apr 13 11:25:57 PDT 2022


FYSA

CISA, the Department of Energy (DOE), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a (TLP:WHITE) Joint Cybersecurity Advisory: APT Cyber Tools Targeting ICS/SCADA Devices<https://www.cisa.gov/uscert/ncas/alerts/aa22-103a>

Certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:

  *   Schneider Electric programmable logic controllers (PLCs)
  *   OMRON Sysmac NEX PLCs
  *   Open Platform Communications Unified Architecture (OPC UA) servers

The APT actors have developed custom-made tools for targeting ICS/SCADA devices that enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. The actors can also compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.

CISA Recommendations:

  *   Critical infrastructure organizations, especially Energy Sector organizations, should review the joint CSA<https://www.cisa.gov/uscert/ncas/alerts/aa22-103a> and apply the recommendations listed in the Mitigations section. These mitigation actions include, but are not limited to:

     *   Enforcing multifactor authentication for all remote access to ICS networks and devices whenever possible
     *   Changing all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks
     *   Leveraging a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors
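The second and third mitigations above (device-unique passwords so that brute forcing is both harder and more visible, plus an OT monitoring solution that alerts on malicious behaviour) can be illustrated with a small rule evaluator. The following is an added example, not code from the advisory, CISA, or this list: it parses constructed key=value log lines in a hypothetical format and raises two alerts a defender would want from OT monitoring, a burst of failed authentications against one ICS device from one source (with a note when a success follows the burst), and a remote login to an engineering workstation recorded without MFA. Device names, addresses, field names and thresholds are assumptions chosen for the example.

```python
"""Toy OT monitoring rules (added example; hypothetical log format)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines, not real telemetry. Format is assumed:
# <ISO timestamp> key=value key=value ...
SAMPLE_LOGS = [
    "2022-04-13T10:00:01Z src=10.1.5.20 dst=plc-01 event=auth result=fail user=admin",
    "2022-04-13T10:00:04Z src=10.1.5.20 dst=plc-01 event=auth result=fail user=admin",
    "2022-04-13T10:00:07Z src=10.1.5.20 dst=plc-01 event=auth result=fail user=admin",
    "2022-04-13T10:00:09Z src=10.1.5.21 dst=plc-02 event=auth result=fail user=engineer",
    "2022-04-13T10:00:11Z src=10.1.5.20 dst=plc-01 event=auth result=fail user=admin",
    "2022-04-13T10:00:15Z src=10.1.5.20 dst=plc-01 event=auth result=fail user=admin",
    "2022-04-13T10:00:18Z src=10.1.5.20 dst=plc-01 event=auth result=success user=admin",
    "2022-04-13T10:05:30Z src=10.1.5.21 dst=plc-02 event=auth result=fail user=engineer",
    "2022-04-13T10:06:00Z src=203.0.113.7 dst=ews-01 event=remote_login mfa=no user=vendor",
    "2022-04-13T10:07:00Z src=203.0.113.8 dst=ews-01 event=remote_login mfa=yes user=ops",
]


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per (src, dst) pair when `threshold` auth failures fall inside `window`.

    A later success from the same pair marks the alert as followed_by_success,
    which a defender would treat as a possible credential compromise.
    """
    fails = defaultdict(deque)   # (src, dst) -> timestamps of recent failures
    alerted = {}                 # (src, dst) -> alert dict already raised
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") != "auth":
            continue
        key = (ev["src"], ev["dst"])
        if ev.get("result") == "fail":
            q = fails[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alert = {
                    "rule": "auth-bruteforce",
                    "src": key[0],
                    "dst": key[1],
                    "failures": len(q),
                    "first": q[0],
                    "last": ev["ts"],
                    "followed_by_success": False,
                }
                alerted[key] = alert
                alerts.append(alert)
        elif ev.get("result") == "success" and key in alerted:
            alerted[key]["followed_by_success"] = True
    return alerts


def detect_remote_without_mfa(events):
    """Flag remote logins whose record does not positively state mfa=yes."""
    return [
        {"rule": "remote-login-no-mfa", "src": e["src"], "dst": e["dst"], "user": e.get("user")}
        for e in events
        if e.get("event") == "remote_login" and e.get("mfa") != "yes"
    ]


def run_rules(lines, **bruteforce_opts):
    """Parse raw lines and return alerts keyed by rule name."""
    events = [parse_line(line) for line in lines]
    return {
        "auth-bruteforce": detect_bruteforce(events, **bruteforce_opts),
        "remote-login-no-mfa": detect_remote_without_mfa(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_LOGS).items():
        for hit in hits:
            print(rule, hit)
```

The brute-force rule keys on the (source, device) pair rather than on the username, because a scan of default credentials across many PLC accounts from one host would otherwise be split into several sub-threshold counts; the MFA rule treats a missing `mfa` field the same as `mfa=no`, so a device that does not report the attribute is surfaced rather than silently passed.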

We kindly request any incidents or anomalous activity related to this message be reported to CISA at https://us-cert.cisa.gov/report, report at cisa.gov, or (888) 282-0870 and/or to the FBI via your local FBI field office<https://www.fbi.gov/contact-us/field-offices> or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch at fbi.gov.


Theresa A. Masse
Cyber Security Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov<mailto:theresa.masse at cisa.dhs.gov>
