Introduction
Description
begin ignore
Version 2.0 - July 8th 2016
Rockwell Automation has learned about the existence of a malicious file called "Allenbradleyupload.zip" that is being distributed on the internet. This file is NOT an official update from Rockwell Automation, and we have been informed that this file contains a type of ransomware malware that, if successfully installed and launched, may compromise the victim’s computer. This advisory is intended to raise awareness to control system owners and operators of reports of the file’s existence as a result of reports Rockwell Automation received from the Electricity Information Sharing and Analysis Center ("E-ISAC").
Update 08-JUL-2016: Our investigation has confirmed the existence of the reported malware through VirusTotal.com. According to VirusTotal, it "is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware." According to information on VirusTotal.com, the file "Allenbradleyupload.zip" contains a single file called "Allenbradleyupload.exe", which may be malicious. File hashes and links to VirusTotal.com are in the table that follows below. These file hash values can be used with Application Whitelisting technologies to reduce the ability of this malware to execute on a system. According to VirusTotal, most of the antivirus/anti-malware vendors have updated their databases to detect this malware. However, we strongly recommend ensuring that your antivirus programs and virus definitions are up to date.
File Name Hash Type Hash Value Allenbradleyupload.zip MD5 b552a95bd3eceb1770db622a08105f52 SHA-1 4dbba01786068426c032a7524e31668f2435d181 SHA-256 e7b4a2c05e978b86a231fa276db29bb8362bd25160bdeb4c2239cb614d7f44df Allenbradleyupload.exe MD5 49067f7b3995e357c65e92d0c7d47c85 SHA-1 5f8c4246fc24d400dffef63f25a44b61932b13af SHA-256 97ec86160dea82a17521a68076fe0d5537f60577b79338e67a15528115e94b88
Rockwell Automation confirms that this malware is NOT an official product update and it is not connected with any Rockwell automation product, software update, or website.
Rockwell Automation decided to provide this advisory since the attackers have used the Rockwell Automation brand name on the file, possibly as a means to increase the likelihood of an ICS-knowledgeable user to download and execute the malware as part of their strategy. We are continuing to monitor this situation, and we will update this advisory as we learn more.
BACKGROUND
Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary ransom in order to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications. Typically the user is required to pay the ransom in some form of untraceable currency, and must do so before the deadline expires and the decryption key is destroyed.
According to the September/October 2015 issue of the ICS-CERT Monitor, "Ransomware, such as Cryptolocker or TeslaCrypt, is currently one of the most prolific categories of malware growth, rising 165 percent in varieties seen between the fourth quarter of 2014 and the first quarter of 2015".CUSTOMER RISK MITIGATIONS
Where feasible, precautions and risk mitigation strategies to this type of attack, like those listed below are recommended. When possible, multiple strategies should be employed simultaneously.
- Obtain product software and firmware from Rockwell Automation’s official download portal, available at http://www.rockwellautomation.com/global/support/drivers-software-downloads.page.
- Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in KB546987.
- Consult VirusTotal.com’s analysis of the malware (using the links above), to determine if your deployed antivirus solution is able to detect this malware. (UPDATED 08-JUL-2016)
- Analyze outbound network traffic against the known indicators of compromise (IoC), available from the US-CERT portal, to identify and assess the risk of any unusual network activity.
- Develop, and then deploy, backup and disaster recovery policies and procedures. Test backups on a regular schedule.
- Implement a change management system to archive network, controller and computer assets (e.g., clients, servers and applications).
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack, which can also serve as a vehicle for malware infection.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
end ignore
KCS Status
