One Article Review

Source: RiskIQ
Identifier: 8624830
Publication date: 2024-12-13 23:02:14 (seen: 2024-12-14 00:09:06)
Title: Inside a New OT/IoT Cyberweapon: IOCONTROL
Text:

#### Targeted Geolocations

- Israel
- United States
- Middle East
- North America

## Snapshot

Team82 has obtained a sample of IOCONTROL, a custom-built malware family targeting Western IoT and OT devices, including PLCs, HMIs and Linux-based platforms. Its modular design lets it run on devices from a range of vendors. Team82 attributes the malware to the CyberAv3ngers, a group linked to Iran's IRGC-CEC, and reports that it has been used in significant geopolitical cyberattacks, including the compromise of fuel management systems in the United States and Israel.

## Description

The group operating IOCONTROL targeted Orpak Systems, affecting roughly 200 gas stations in Israel and the U.S., and leaked management-portal screenshots and sensitive databases. The domain tylarion867mino[.]com served as command-and-control (C2) infrastructure for the compromised devices. IOCONTROL was found on Orpak-associated Gasboy fuel systems, embedded in payment terminals, which gave the attackers the ability to disrupt fuel services and potentially harvest customer payment data.

The analyzed IOCONTROL sample was compiled for 32-bit big-endian ARM and unpacks itself in memory to keep its payload out of the file on disk. The researchers ran it under the Unicorn emulation engine, tracing execution and hooking syscall invocations so the unpacker could be driven to completion without exposing a live analysis host. The packer is a modified UPX: the byte sequence "ABC!" appears where the standard "UPX!" signature would be, which is enough to defeat stock UPX tooling and signature-based detection of packed samples. Despite this, the researchers unpacked the sample and analyzed its design.

IOCONTROL carries an encrypted configuration section holding critical parameters such as file paths and IP addresses. Each configuration entry is encrypted with AES-256-CBC, with the key and initialization vector (IV) derived from a GUID. The researchers identified flaws in the attackers' implementation: the derivation produces key and IV material larger than AES-256-CBC consumes, so the surplus bytes play no part in decryption. The per-sample GUID also lets the operators distinguish victims and campaigns. After extracting the key material, the researchers decrypted the configuration and recovered identifiers such as "Orpak", tying the sample to a specific IoT vendor target.

IOCONTROL resolves its C2 domain over DNS-over-HTTPS (DoH), so the lookup is not visible to passive DNS monitoring. It persists by installing a backdoor and storing itself under /usr/bin. C2 communication uses MQTT on port 8883 (MQTT over TLS), authenticating with GUID-derived credentials. On connection it publishes a "hello" message containing device details and subscribes to a device-specific topic for commands. Supported commands include system actions, with results published back to the C2. The combination of DoH, TLS-wrapped MQTT and in-memory unpacking is designed for stealth in IoT environments, where traffic inspection and host telemetry are usually thin.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this activity:

- Review web-facing assets and services using tools like [Microsoft Defender External Attack Surface Management](https://www.microsoft.com/security/business/cloud-security/microsoft-defender-external-attack-surface-management), which continuously discovers and maps a digital attack surface to provide an external view of an organization's online infrastructure. Ensure that unneeded, unintended, or potentially insecure protocols are not widely accessible from the Internet.
- Reduce your attack surface by eliminating unnecessary internet connections to IoT devices in the network. Apply network segmentation to prevent an attacker from moving laterally and compromising assets after intrusion. IoT and critical device networks should be isolated with firewalls and [placed behind a VPN](https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-vpn).
- Adopt a comprehensive IoT and OT soluti
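The custom packer marker is the first practical obstacle an analyst hits. Stock `upx -d` refuses a file whose l_info and PackHeader markers do not read "UPX!", so a common first attempt is to patch the custom marker back to the standard one before resorting to emulation. The Go program below is an added example, not code from Team82, RiskIQ or the IOCONTROL sample: it rewrites a four-byte custom marker (here "ABC!", the sequence the report mentions) to the stock one and applies a cheap triage check. The image it operates on is constructed here and is not bytes from the malware.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// upxMagic is the standard 4-byte marker that stock UPX writes into the
// l_info header near the start of a packed ELF and again into the PackHeader
// trailer near the end. `upx -d` refuses a file where it is absent.
var upxMagic = []byte("UPX!")

// RestoreUPXMagic replaces every occurrence of a custom marker with the stock
// marker so a standard UPX build can try to unpack the file. It returns the
// patched image and the number of occurrences rewritten. Nothing else in the
// file is touched.
func RestoreUPXMagic(image, custom []byte) ([]byte, int, error) {
	if len(custom) != len(upxMagic) {
		return nil, 0, errors.New("custom marker must be exactly 4 bytes")
	}
	if bytes.Equal(custom, upxMagic) {
		return nil, 0, errors.New("marker is already the stock UPX! marker")
	}
	n := bytes.Count(image, custom)
	if n == 0 {
		return nil, 0, errors.New("custom marker not found; packer may differ or marker may be elsewhere")
	}
	return bytes.ReplaceAll(image, custom, upxMagic), n, nil
}

// LooksUPXPacked is a triage check: an ELF image carrying at least two stock
// markers (header plus trailer) is worth handing to `upx -d`.
func LooksUPXPacked(image []byte) bool {
	return bytes.HasPrefix(image, []byte{0x7f, 'E', 'L', 'F'}) &&
		bytes.Count(image, upxMagic) >= 2
}

// sampleImage builds a constructed stand-in for a packed ELF: an ELF e_ident
// for a 32-bit big-endian file (matching the architecture the report names),
// filler, and the custom marker in the two places the packer writes it.
// These are NOT bytes from the real sample.
func sampleImage(marker string) []byte {
	var b bytes.Buffer
	b.Write([]byte{0x7f, 'E', 'L', 'F', 0x01, 0x02, 0x01, 0x00}) // ELFCLASS32, ELFDATA2MSB
	b.Write(bytes.Repeat([]byte{0}, 56))
	b.WriteString(marker)                  // where l_info.l_magic would sit
	b.Write(bytes.Repeat([]byte{0xAA}, 64)) // compressed payload stand-in
	b.WriteString(marker)                  // where PackHeader magic would sit
	b.Write(bytes.Repeat([]byte{0}, 28))
	return b.Bytes()
}

func main() {
	img := sampleImage("ABC!")
	fmt.Println("stock UPX would accept it as-is:", LooksUPXPacked(img))
	patched, n, err := RestoreUPXMagic(img, []byte("ABC!"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("rewrote %d marker(s); accepts now: %v\n", n, LooksUPXPacked(patched))
}
```

If the packer also altered the version and format bytes, or the header checksums that UPX verifies on decompression, restoring the marker alone will not be enough and the sample has to be unpacked in memory instead, which is the route the researchers took with Unicorn.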
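To make the "oversized keys and IVs" finding concrete: AES-256-CBC consumes exactly 32 key bytes and a 16-byte IV, so whatever a derivation routine produces beyond that is never read. The Go program below is an added example, not the malware's code or Team82's decryptor. The derivation step (SHA-512 over the GUID, with a ":iv" suffix for the IV) is a hypothetical stand-in for the undisclosed GUID-based step, the GUID and the "Orpak" entry are constructed test data, and EncryptEntry exists only to produce sample ciphertext. It shows that flipping a byte past the truncation boundary leaves decryption intact, while flipping one inside it does not.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha512"
	"errors"
	"fmt"
)

const (
	aes256KeyLen = 32            // AES-256 takes exactly 32 key bytes
	cbcIVLen     = aes.BlockSize // CBC takes exactly one 16-byte block as IV
)

// DeriveMaterial is a hypothetical stand-in for the GUID-to-key step, which the
// page does not disclose. It yields 64 bytes of key material and 64 bytes of
// IV material, i.e. more than AES-256-CBC can consume.
func DeriveMaterial(guid string) (keyMat, ivMat []byte) {
	k := sha512.Sum512([]byte(guid))
	v := sha512.Sum512([]byte(guid + ":iv")) // assumed domain separation
	return k[:], v[:]
}

// FitToAES truncates oversized material to the sizes AES-256-CBC uses.
// Everything past byte 32 of the key and byte 16 of the IV is discarded,
// which is why oversized inputs add no strength.
func FitToAES(keyMat, ivMat []byte) (key, iv []byte, err error) {
	if len(keyMat) < aes256KeyLen || len(ivMat) < cbcIVLen {
		return nil, nil, errors.New("material shorter than AES-256-CBC needs")
	}
	return keyMat[:aes256KeyLen], ivMat[:cbcIVLen], nil
}

// DecryptEntry decrypts one PKCS#7-padded AES-256-CBC configuration entry.
func DecryptEntry(keyMat, ivMat, ct []byte) ([]byte, error) {
	key, iv, err := FitToAES(keyMat, ivMat)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// EncryptEntry exists only to construct sample ciphertext for this example.
func EncryptEntry(keyMat, ivMat, pt []byte) ([]byte, error) {
	key, iv, err := FitToAES(keyMat, ivMat)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(pt)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

func main() {
	guid := "00000000-0000-4000-8000-000000000000" // constructed GUID, not from the sample
	keyMat, ivMat := DeriveMaterial(guid)
	ct, _ := EncryptEntry(keyMat, ivMat, []byte("Orpak")) // constructed entry
	pt, err := DecryptEntry(keyMat, ivMat, ct)
	fmt.Printf("%q %v\n", pt, err)

	// Flip a byte beyond the truncation boundary: decryption still succeeds,
	// showing the oversized tail never participates.
	tail := append([]byte{}, keyMat...)
	tail[40] ^= 0xff
	pt2, err := DecryptEntry(tail, ivMat, ct)
	fmt.Printf("%q %v\n", pt2, err)
}
```

The same truncation argument applies to the IV: only its first 16 bytes influence the first block, so a "long IV" buys nothing either. When recovering such a configuration from a sample, it is the effective 32 and 16 bytes that matter, not however many the derivation emitted.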
Notes: ★★
Sent: Yes
Tags: Malware, Tool, Industrial


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.