Triton Malware Exploited Zero-Day Flaw in Schneider Electric Safety Controllers

Schneider Electric has confirmed that a recently uncovered malware program that was used to attack industrial infrastructure exploited a vulnerability in its Triconex safety controllers.

The malware, dubbed Triton, was uncovered in December by researchers from security firm FireEye after it triggered an emergency shutdown event at a critical infrastructure organization. It was the first case of malware designed to specifically infect industrial controllers after Stuxnet, which was used to destroy uranium enrichment centrifuges at Iran’s Natanz nuclear plant in 2010.

The FireEye team found that Triton was able to reprogram Triconex safety instrumented system (SIS) controllers, which are used to monitor industrial processes and initiate safety shutdowns when certain parameters are exceeded. The researchers noted at the time that the malware’s authors reverse-engineered the undocumented proprietary protocol used by the legitimate TriStation software application to reprogram the controllers.

However, at the S4x18 ICS/SCADA conference Jan. 18, Schneider Electric revealed that Triton exploited a previously unknown vulnerability in the firmware of older versions of Triconex Tricon safety controllers.

“During our extensive investigation, Schneider Electric identified a vulnerability in the Tricon firmware, which is limited to a small number of older versions of the Tricon,” the company said in a security advisory. “This vulnerability was a part of a complex malware infection scenario.”

Also making the attack possible was the affected customer leaving the Tricon controller’s key switch in the “PROGRAM” position, which is against the product’s security recommendations provided by Schneider. This might have been done out of convenience, to allow remote reprogramming of the controller instead of sending a person to unlock the switch every time such an operation would have had to be performed.

Schneider is developing a security enhancement for the Tricon controllers, a tool to detect the malware’s presence and a procedure to remove it when discovered. These are expected to be released in February.

Malicious Browser Extensions Block Manual Removal

Browser extensions have always been an interesting attack vector for hackers, who have used them to steal data, inject unwanted advertisements into web pages and even to mine cryptocurrency using victims’ computers. Lately, attackers have also found a way to make malicious extensions more persistent and difficult to remove for users.

Researchers from antivirus firm Malwarebytes have come across a rogue extension for Google Chrome that, once installed, prevents users from accessing the browser’s list of extensions and removing it. It does so by redirecting the chrome://extensions page to chrome://apps, a different page that doesn’t list extensions, but a different type of add-ons called Apps.

Users have the option of starting Chrome with the –disable-extensions switch to re-enable access to the chrome://extensions/ page, but that page will then be empty because the browser instance will be started without any loaded extensions.

One solution is be to manually rename a .js (JavaScript) file from the extension’s folder on the hard disk. This will cause the rogue behavior to stop and will show the extension in the browser as corrupted, allowing for its removal. However, this assumes the user has knowledge of which particular extension is causing the problem and how to identify it in the file system.

A similar self-protecting extension was found for Mozilla Firefox. It monitored for the about:addons page in the background and quickly closed the tab when detected to prevent users from disabling extensions. The Firefox fix is easier, because users can start the browser in Safe Mode by keeping the Shift key pressed when opening it. In this mode, all extensions are disabled, but they are still listed and can be removed.

“Unfortunately, since both the Chrome and Firefox extensions mostly add themselves through forced installs, it’s not always possible to avoid getting them,” the Malwarebytes researchers said in a blog post. “The best we can offer is to stay vigilant as you surf and use an adblocker (that could help with blocking the Firefox extension).”

Featured eBook
Speed and Scale: How Machine Identity Protection is Crucial for Digital Transformation and DevOps

Speed and Scale: How Machine Identity Protection is Crucial for Digital Transformation and DevOps

Digital transformation requires new approaches to security, demanding the protection of machine identities that enable authentication and encryption required for secure machine-to-machine communication. Solving machine identity protection challenges within DevOps environments, requires a fundamentally new approach. Information Security teams must deliver a frictionless, automated solution that allows DevOps engineers to seamlessly provision and manage certificates ... Read More

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin

One thought on “Triton Malware Exploited Zero-Day Flaw in Schneider Electric Safety Controllers

Comments are closed.