DecryptedTech

Wednesday, 06 July 2022

CISA warns that US ICS/SCADA Systems are being Targeted by Threat Groups



CISA has issued another warning that SCADA/ICS systems are being targeted for attack. This time they are in the sights of nation-state groups using customized tools. The tools are part of follow-on activities after the initial beachhead has been established. These days, gaining initial access to a network, even for infrastructure, does not seem to be a difficult task for nation-state groups.

Sadly, ICS/SCADA devices have been in a very sad state of security since around 2010, when security researchers found that you could often find active ones on Google, complete with default username and password. The next couple of years had repeated announcements of additional flaws in existing devices, more that were left exposed to the open internet, and even a couple of actual incidents where these devices were directly targeted in attacks. This all happened around the same time as Stuxnet and a copycat dubbed Duqu were hitting the news. The two were a big concern, as it was one of the first times that people had the fragility of their utilities exposed.

Now, 12 years later, the issue is not only still present, but the techniques and tactics are improving, making the detection and compromise of these devices easier. The tools in question look for specific vendor equipment, including Schneider Electric PLCs (programmable logic controllers), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture servers. Once the attackers compromise the IT and OT (operational technology) networks, which as we said is not a hard thing, they use these tools to identify the ICS systems, gain privileged access and carry out potential sabotage missions.

According to the CISA alert, the threat group that they are warning about is using a specific vulnerability in a Windows driver package for ASRock RGB controls. The driver is AsDrv103.sys, and the CVE associated with it sits at a CVSS score of 5.5; most vulnerability management programs would leave it on the table, as it is not a critical or a high. Once they have exploited this driver, the attackers leverage their custom tools, identify the ICS controls they want and set up shop. The toolset is highly modular, allowing them to bolt on additional components. It also has automation features and a command console that ties in the compromised nodes. With the ability to scan for ICS/SCADA controls, the attackers can build up a good picture of the environment they are working in. Once they have that, they can leverage the same tools to back up existing configurations, upload new ones, modify device parameters and more.
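The triage gap described above, as an added example that is not part of the original article or the CISA alert: severity-only triage drops the 5.5 finding, while a watchlist of components named in advisories keeps it. The host names, finding ids, paths and the 7.0 cut-off are constructed assumptions; only the driver name AsDrv103.sys comes from the article.

```python
import ntpath
from dataclasses import dataclass

# File name taken from the article; everything else below is constructed.
ADVISORY_WATCHLIST = {"asdrv103.sys"}

@dataclass
class Finding:
    host: str
    vuln_id: str    # placeholder ids, not real CVE numbers
    cvss: float
    component: str  # path of the affected file as a scanner might report it

def component_name(path: str) -> str:
    """Reduce a Windows path (any case, quoted, or \\??\\-prefixed) to a lower-case file name."""
    return ntpath.basename(path.strip().strip('"')).lower()

def threshold_triage(findings, minimum=7.0):
    """Severity-only triage: keep highs and criticals, drop everything else."""
    return [f for f in findings if f.cvss >= minimum]

def advisory_aware_triage(findings, watchlist=ADVISORY_WATCHLIST, minimum=7.0):
    """Keep highs/criticals plus any finding on a watchlisted component, whatever its score."""
    def listed(f):
        return component_name(f.component) in watchlist
    kept = [f for f in findings if f.cvss >= minimum or listed(f)]
    # Watchlisted components first, then by descending score.
    return sorted(kept, key=lambda f: (not listed(f), -f.cvss))

# Constructed sample scan results.
SAMPLE = [
    Finding("eng-ws-01", "VULN-PLACEHOLDER-A", 5.5, r"C:\Windows\System32\drivers\AsDrv103.sys"),
    Finding("eng-ws-01", "VULN-PLACEHOLDER-B", 9.8, r"C:\Program Files\Example\svc.exe"),
    Finding("hmi-02", "VULN-PLACEHOLDER-A", 5.5, r"\??\C:\Users\Public\ASDRV103.SYS"),
    Finding("office-17", "VULN-PLACEHOLDER-C", 4.3, r"C:\Program Files\Example\viewer.exe"),
]

if __name__ == "__main__":
    print("severity only :", [(f.host, f.vuln_id) for f in threshold_triage(SAMPLE)])
    print("advisory aware:", [(f.host, f.vuln_id) for f in advisory_aware_triage(SAMPLE)])
```

Matching on the normalised file name rather than the full path means a copy of the driver dropped outside the usual drivers directory is still flagged.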

Although it is 12+ years later, we once again face the specter of having things we take for granted simply turned off. This comes at a time when tensions between nations are high due to the Russian invasion of Ukraine. There have already been threats thrown around about attacks and what the responses would be. Electricity production and natural gas are excellent targets on both a tactical and strategic level. They might even rank higher than financial and communications platforms, as you need power to run those, so hitting these key systems would have a huge cascade effect.

The good news is that, as far as anyone knows, this new toolkit has not been deployed to any targets. It was identified before it could be used in the attack it is intended to carry out. The discovery allows organizations to properly review their security controls and environments before an attack hits. However, they actually have to devote the time and money to this review and then remediate the findings. Historically this last piece has never been completed. Utility companies might be aware of issues, but they rarely spend the time and money to fix them. Instead, they try to bank on the assumption that no one really wants to shut off power or gas to innocent people.
