A new malware strain dubbed "FrostyGoop" that uses Modbus TCP communications to target operational technology (OT) was observed in April attacking an energy company in Lviv, Ukraine, resulting in a two-day loss of heating to customers.
In a recent blog post, industrial control researchers at Dragos said that, given the widespread use of Modbus devices globally, there is an “urgent need” for security teams worldwide to enhance industrial control system (ICS) network visibility, and to monitor and segment Modbus traffic.
“Detecting and flagging deviations from normal behavior and identifying attack patterns and behaviors that exploit the Modbus protocol is crucial,” wrote the researchers. “This necessitates the development of detections from the latest threat intelligence on vulnerabilities, attack vectors, and malware targeting Modbus systems.”
According to the Dragos researchers, Modbus operates as a client/server communication protocol initially designed for Modicon programmable logic controllers (PLCs) in 1979, but it’s now widely used in many other ICS/OT devices. Modbus runs as an open protocol and it’s hardware agnostic, making it popular for communications between PLCs, distributed control systems, controllers, sensors, actuators, field devices, and interfaces.
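The two preceding paragraphs describe, respectively, the detection the Dragos researchers call for (flagging deviations from normal Modbus behavior) and the protocol itself. The following Python is an added illustration, not code from Dragos or from the article: it parses the Modbus TCP framing (the 7-byte MBAP header followed by the protocol data unit) and checks each request against a constructed baseline of expected unit ids, function codes and writable register ranges. The sample frames and the baseline values are constructed for the example; the function-code names are the standard public ones from the Modbus specification.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Standard Modbus public function codes (names as in the Modbus specification)
FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]  # None for function codes this parser does not decode
    quantity: int                 # coils/registers touched; 1 for the single-write codes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus TCP request: 7-byte MBAP header, then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto:#x} is not Modbus (expected 0)")
    # The MBAP length field counts unit id + PDU, i.e. everything after the first 6 bytes
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    fc = frame[7]
    pdu = frame[8:]
    start, qty = None, 0
    if fc in (0x01, 0x02, 0x03, 0x04, 0x0F, 0x10):
        if len(pdu) < 4:
            raise ValueError("truncated PDU")
        start, qty = struct.unpack(">HH", pdu[:4])   # start address, count
    elif fc in (0x05, 0x06):
        if len(pdu) < 4:
            raise ValueError("truncated PDU")
        start = struct.unpack(">H", pdu[:2])[0]      # address; the value follows it
        qty = 1
    return ModbusRequest(tid, unit, fc, start, qty)


@dataclass
class Baseline:
    """Constructed allowlist standing in for a learned picture of normal traffic."""
    allowed_units: Set[int]
    allowed_functions: Set[int]
    writable_ranges: List[Tuple[int, int]]   # inclusive (first, last) register ranges


def check_request(req: ModbusRequest, base: Baseline) -> List[str]:
    """Return the deviations from the baseline; an empty list means the request is expected."""
    findings = []
    if req.unit_id not in base.allowed_units:
        findings.append(f"unexpected unit id {req.unit_id}")
    if req.function_code not in base.allowed_functions:
        name = FUNCTION_NAMES.get(req.function_code, "unknown/vendor-specific")
        findings.append(f"unexpected function {req.function_code:#04x} ({name})")
    if req.function_code in WRITE_CODES and req.start_address is not None:
        lo, hi = req.start_address, req.start_address + req.quantity - 1
        if not any(r_lo <= lo and hi <= r_hi for r_lo, r_hi in base.writable_ranges):
            findings.append(f"write to {lo}-{hi} outside approved ranges")
    return findings


# Constructed sample frames (not captured traffic)
SAMPLE_FRAMES = [
    # tid 1, unit 1, Read Holding Registers 0..9: routine polling
    bytes.fromhex("0001 0000 0006 01 03 0000 000A".replace(" ", "")),
    # tid 2, unit 1, Write Single Register address 5 = 2: inside the approved range
    bytes.fromhex("0002 0000 0006 01 06 0005 0002".replace(" ", "")),
    # tid 3, unit 2, Write Multiple Registers 100..101: wrong unit, function and range
    bytes.fromhex("0003 0000 000B 02 10 0064 0002 04 00000000".replace(" ", "")),
]

SAMPLE_BASELINE = Baseline(
    allowed_units={1},
    allowed_functions={0x03, 0x06},
    writable_ranges=[(0, 15)],
)


def analyze(frames: List[bytes], base: Baseline) -> List[Tuple[int, List[str]]]:
    """Parse each frame and pair its transaction id with any deviations found."""
    return [(r.transaction_id, check_request(r, base))
            for r in (parse_modbus_tcp(f) for f in frames)]


if __name__ == "__main__":
    for tid, findings in analyze(SAMPLE_FRAMES, SAMPLE_BASELINE):
        print(tid, "OK" if not findings else "; ".join(findings))
```

The baseline here is a hand-written allowlist; in practice it would be learned from a period of observed traffic per PLC, and the third frame (a multi-register write to an unexpected unit and address range) is the kind of deviation the detection logic should surface.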
John Gallagher, vice president of Viakoo Labs, explained that Modbus — the most widely used protocol in industrial manufacturing — sits at the intersection of analog and digital, making it ideal for attacking ICS systems.
Gallagher said threat actors can rely on port 502 being open, so attackers can use TCP/IP messages to initiate an attack. He also noted that a quick search on Shodan.io for Modbus already showed 90 exposed devices in the United States alone.
“That this was an internet-exposed port is what makes this exploit possible,” said Gallagher. “That won’t be the case in most Modbus deployments. Probably the most surprising aspect is that this is the first malware strain to directly use Modbus TCP/IP communications — and it won’t be the last.”
Gallagher added that he was also surprised by the lack of segmentation, which won’t be the case at many organizations because they will have their ICS systems on segmented networks that restrict lateral movement.
“Organizations should ensure they have effective network segmentation, and also ensure that their ICS systems do not have internet-exposed ports,” added Gallagher.
Morgan Wright, chief security advisor at SentinelOne, said this malware targets one of the most vital critical infrastructure sectors: power. Wright said that, as he has pointed out in the past, to bring a nation to its knees our adversaries will go after power and water.
“Russia has a military interest in disrupting power and water in Ukraine and has targeted Lviv with deadly air attacks in the past," said Wright, adding that it's still not verified that Russia had a connection to this incident.
The SC Media columnist added that this malware's targeting of OT systems opens up another vector of attack, made easier when the system’s port is exposed to the internet, like the attacks by Iran-linked CyberAv3ngers on Israeli Unitronics PLCs used in water and wastewater plants. Wright also pointed out that the original BlackEnergy attack malware targeting Ukraine took down three energy stations and two backup stations, knocking out power to over 750,000 homes.
Josh Salmanson, senior vice president of technology solutions at Telos Corporation, added that these types of issues are surprisingly rare, but have been proven via proof-of-concept (POC) exploits for years by vulnerability researchers. Salmanson said the adversaries have finally found a way to effect the exploit.
“The problem is most likely that the organizations affected are protecting the ICS and the enterprise separately,” said Salmanson. “In this case, the OT environment is exposed via the enterprise, and the enterprise tools most likely are not capable of seeing the Modbus protocols traversing the non-OT networks. For small and less mature organizations, this is a very big problem. They are flying blind, and while they likely have the tools and ability to block this traffic, they have no sensors configured within the enterprise to catch it.”
Salmanson added that seeing OT protocols like this on the enterprise network should be an immediate “priority-one” issue to fix, with all efforts made to isolate these protocols onto non-internet-routable subnets/VLANs.
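Salmanson's point is that enterprise sensors rarely look for Modbus crossing non-OT networks. The Python below is an added example, not from the article or from Telos, of the simple flow-level check such a sensor would apply: any flow to TCP port 502 whose endpoints are not both inside the approved OT segments, or not both in RFC 1918 private space, is flagged. The OT segment (10.50.0.0/16) and the flow records are constructed for the example; the 203.0.113.x source is a documentation-range address standing in for an internet-routable one.

```python
import ipaddress
from typing import Dict, List

MODBUS_PORT = 502

# Constructed for this example: the only subnets that are supposed to carry Modbus
OT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]
# RFC 1918 private space; anything outside it is treated as internet-routable here
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _member(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in n for n in nets)


def classify_flow(flow: Dict) -> List[str]:
    """Return policy findings for one flow record {src, dst, dport}; [] if unremarkable."""
    if flow["dport"] != MODBUS_PORT:
        return []
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    findings = []
    if not (_member(src, RFC1918) and _member(dst, RFC1918)):
        findings.append("modbus on internet-routable address")
    if not (_member(src, OT_SEGMENTS) and _member(dst, OT_SEGMENTS)):
        findings.append("modbus crossing OT segment boundary")
    return findings


# Constructed flow records, in the shape a firewall or NetFlow export would give
SAMPLE_FLOWS = [
    {"src": "10.50.1.10",  "dst": "10.50.2.20", "dport": 502},  # HMI to PLC inside OT
    {"src": "10.20.3.4",   "dst": "10.50.2.20", "dport": 502},  # enterprise host polling a PLC
    {"src": "203.0.113.7", "dst": "10.50.2.20", "dport": 502},  # stand-in for an internet source
    {"src": "10.20.3.4",   "dst": "10.20.3.5",  "dport": 443},  # ordinary enterprise traffic
]


def triage(flows: List[Dict]) -> Dict[int, List[str]]:
    """Map the index of each flagged flow to its findings; unflagged flows are omitted."""
    flagged = {}
    for i, flow in enumerate(flows):
        findings = classify_flow(flow)
        if findings:
            flagged[i] = findings
    return flagged


if __name__ == "__main__":
    for i, findings in triage(SAMPLE_FLOWS).items():
        f = SAMPLE_FLOWS[i]
        print(f"{f['src']} -> {f['dst']}:{f['dport']}: " + "; ".join(findings))
```

The second flow (an enterprise host reaching a PLC) is the "flying blind" case Salmanson describes: it is entirely private-address traffic that an enterprise sensor would pass unless it is told that port 502 has no business leaving the OT segment.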
“If the adversaries haven’t already, they will eventually encrypt the traffic and cloak their activities, leaving the enterprise completely blind to the true nature of the traffic,” said Salmanson.
Terrence Driscoll, chief information security officer at Cyware, said defense against attacks on critical infrastructure requires a collaborative approach to security. By having security teams partner with critical business functions, coupled with advanced automation, Driscoll said companies can have a better understanding of the threats and what actions they need to take quickly to mitigate impact in the event of an attack.
“Ensuring robust, real-time information sharing among trusted stakeholders will help fortify our defenses and minimize the impact of such malicious activities on critical infrastructure’s essential services,” noted Driscoll.