Threat Report
In this week's report we cover two threats: Triton, a recently analysed piece of malware targeting ICS deployments, and a banking trojan that stealthily uses MSSQL database traffic for command and control.
Malware: Triton ICS Malware Developed Using Legitimate Code
Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group that some have linked to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric's Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. It leveraged a zero-day vulnerability affecting older versions of the product, delivered through a legitimate .dll file.
Some Mitigation Strategies:
- Mail filtration to screen for malicious phishing or targeted email campaigns
- File Integrity Management looking for the installation of malicious software such as Remote Access Trojans (RATs) used for functionality and access
- Intrusion detection systems (IDS) to detect the intrusion and its network communication
- Filtering USB ports on equipment connected to the ICS systems
- 24x7 security monitoring for malicious behavior, with immediate incident response
Malware: MnuBot Banking Trojan Stealthily Uses MSSQL Database Traffic
Security researchers from the IBM X-Force Research Team have discovered a new banking Trojan named MnuBot. This Delphi-based malware uses Microsoft SQL Server to communicate with its C&C server and to receive commands for infected machines. Because the traffic is SQL rather than the web server or app traffic that common C&C channels use, it evades regular antivirus and malware detection. The researchers also indicate that it may have been written by a seasoned hacker. MnuBot uses a two-stage attack: first, it checks whether the system is already infected; second, it fully deploys the remote access trojan (RAT).
Some Mitigation Strategies:
- Intrusion detection systems (IDS) to monitor for malicious communication and downloads over port 5003
- File Integrity Management looking for registry keys being accessed and new keys being created
- Mail filtration to capture potentially malicious files attached to phishing emails
- 24x7 security monitoring with focused security content for solid threat detection
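The IDS-style monitoring above, as an added example that is not part of this report or of IBM X-Force's research: a small Python filter over constructed firewall flow records that flags workstations opening SQL Server (tcp/1433) or tcp/5003 connections to anything other than an approved database server. The approved-server address, the 10.0.0.0/8 internal range and the log format are assumptions.

```python
"""Flag workstations that initiate MSSQL (TDS, tcp/1433) or tcp/5003
connections to destinations that are not approved database servers."""
import ipaddress
from collections import defaultdict

# MSSQL default TDS port plus the download port noted in the report.
WATCH_PORTS = {1433, 5003}
# Assumed: the only database server workstations may legitimately reach.
APPROVED_DB_SERVERS = {"10.0.5.20"}
# Assumed internal address range.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample flow log: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
SAMPLE_FLOWS = """\
2018-05-30T09:01:02 10.0.12.33 10.0.5.20 1433 tcp
2018-05-30T09:01:05 10.0.12.33 203.0.113.45 1433 tcp
2018-05-30T09:01:06 10.0.12.33 203.0.113.45 1433 tcp
2018-05-30T09:02:10 10.0.12.33 203.0.113.45 5003 tcp
2018-05-30T09:03:00 10.0.12.51 10.0.5.20 1433 tcp
2018-05-30T09:04:11 10.0.12.51 198.51.100.7 443 tcp
"""

def parse_flow(line):
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}

def suspicious_sql_flows(lines):
    """Return {src_ip: [(dst_ip, port), ...]} for TCP flows to a watched port
    whose destination is not an approved database server."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["port"] not in WATCH_PORTS:
            continue
        if f["dst"] in APPROVED_DB_SERVERS:
            continue
        hits[f["src"]].append((f["dst"], f["port"]))
    return dict(hits)

def alerts(lines):
    """One alert per source host, noting external destinations and ports used."""
    out = []
    for src, dests in suspicious_sql_flows(lines).items():
        external = sorted({d for d, _ in dests if ipaddress.ip_address(d) not in INTERNAL_NET})
        ports = sorted({p for _, p in dests})
        out.append({"src": src, "flows": len(dests), "external_dsts": external, "ports": ports})
    return out

if __name__ == "__main__":
    for a in alerts(SAMPLE_FLOWS.splitlines()):
        print(a)
```

On the constructed sample, only 10.0.12.33 is reported: it spoke SQL to an external host and then fetched from tcp/5003, while 10.0.12.51 only reached the approved server and a normal HTTPS site.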