Schneider Electric has confirmed that a recently uncovered malware program that was used to attack industrial infrastructure exploited a vulnerability in its Triconex safety controllers.
The malware, dubbed Triton, was uncovered in December by researchers from security firm FireEye after it triggered an emergency shutdown event at a critical infrastructure organization. It was the first case of malware designed to specifically infect industrial controllers after Stuxnet, which was used to destroy uranium enrichment centrifuges at Iran’s Natanz nuclear plant in 2010.
The FireEye team found that Triton was able to reprogram Triconex safety instrumented system (SIS) controllers, which are used to monitor industrial processes and initiate safety shutdowns when certain parameters are exceeded. The researchers noted at the time that the malware’s authors reverse-engineered the undocumented proprietary protocol used by the legitimate TriStation software application to reprogram the controllers.
However, at the S4x18 ICS/SCADA conference Jan. 18, Schneider Electric revealed that Triton exploited a previously unknown vulnerability in the firmware of older versions of Triconex Tricon safety controllers.
“During our extensive investigation, Schneider Electric identified a vulnerability in the Tricon firmware, which is limited to a small number of older versions of the Tricon,” the company said in a security advisory. “This vulnerability was a part of a complex malware infection scenario.”
Also making the attack possible was the affected customer leaving the Tricon controller’s key switch in the “PROGRAM” position, which is against the product’s security recommendations provided by Schneider. This might have been done out of convenience, to allow remote reprogramming of the controller instead of sending a person to unlock the switch every time such an operation would have had to be performed.
Schneider is developing a security enhancement for the Tricon controllers, a tool to detect the malware’s presence and a procedure to remove it when discovered. These are expected to be released in February.
Malicious Browser Extensions Block Manual Removal
Browser extensions have always been an interesting attack vector for hackers, who have used them to steal data, inject unwanted advertisements into web pages and even to mine cryptocurrency using victims’ computers. Lately, attackers have also found a way to make malicious extensions more persistent and difficult to remove for users.
Researchers from antivirus firm Malwarebytes have come across a rogue extension for Google Chrome that, once installed, prevents users from accessing the browser’s list of extensions and removing it. It does so by redirecting the chrome://extensions page to chrome://apps, a different page that doesn’t list extensions at all, only a separate type of add-on called Apps.
Users have the option of starting Chrome with the --disable-extensions switch to regain access to the chrome://extensions/ page, but that page will then be empty because the browser instance is started without any extensions loaded.
A similar self-protecting extension was found for Mozilla Firefox. It monitored for the about:addons page in the background and quickly closed the tab when detected to prevent users from disabling extensions. The Firefox fix is easier, because users can start the browser in Safe Mode by keeping the Shift key pressed when opening it. In this mode, all extensions are disabled, but they are still listed and can be removed.
“Unfortunately, since both the Chrome and Firefox extensions mostly add themselves through forced installs, it’s not always possible to avoid getting them,” the Malwarebytes researchers said in a blog post. “The best we can offer is to stay vigilant as you surf and use an adblocker (that could help with blocking the Firefox extension).”
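As an added illustration (not code from the article or from Malwarebytes), here is a Python heuristic a defender could run over a profile's unpacked extension directories: it flags an extension only when it combines a navigation-related permission with scripts that reference the chrome://extensions or about:addons management pages, the pattern the self-protecting extensions above relied on. The directory layout, permission names and the two sample extensions are constructed assumptions for the demo.

```python
import json
import re
import tempfile
from pathlib import Path

# Permissions that let an extension observe or redirect navigation to
# browser-internal management pages (real Chrome permission names).
NAVIGATION_PERMISSIONS = {"tabs", "webNavigation", "webRequest", "webRequestBlocking"}
# Management pages the extensions described in the article guarded against.
MANAGEMENT_PAGES = re.compile(r"chrome://extensions|about:addons", re.IGNORECASE)


def scan_extension(ext_dir):
    """Return findings for one unpacked extension directory.

    Flag only when the extension both holds a navigation-related permission and
    its scripts mention a management page; either alone is common in benign
    extensions, the combination is what the self-protecting samples relied on."""
    manifest = json.loads(Path(ext_dir, "manifest.json").read_text(encoding="utf-8"))
    nav_perms = sorted(set(manifest.get("permissions", [])) & NAVIGATION_PERMISSIONS)
    hits = []
    for path in Path(ext_dir).rglob("*.js"):
        text = path.read_text(encoding="utf-8", errors="ignore")
        hits.extend((path.name, m.group(0)) for m in MANAGEMENT_PAGES.finditer(text))
    return {
        "name": manifest.get("name", "<unnamed>"),
        "navigation_permissions": nav_perms,
        "management_page_refs": hits,
        "suspicious": bool(nav_perms) and bool(hits),
    }


def build_sample_extension(root, name, permissions, script):
    """Write a constructed (not real) unpacked extension for the demo."""
    ext_dir = Path(root, name)
    ext_dir.mkdir()
    (ext_dir / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": name, "version": "1.0",
        "permissions": permissions, "background": {"scripts": ["background.js"]},
    }))
    (ext_dir / "background.js").write_text(script)
    return ext_dir


def demo():
    """Scan two constructed samples; returns (benign_findings, rogue_findings)."""
    with tempfile.TemporaryDirectory() as root:
        benign = build_sample_extension(root, "notes", ["storage"], "chrome.storage.local.get('k');")
        rogue = build_sample_extension(root, "helper", ["tabs", "webNavigation"],
                                       'const guarded = "chrome://extensions";')
        return scan_extension(benign), scan_extension(rogue)
```

On a real profile, point scan_extension at each subdirectory under the browser's Extensions folder and treat a hit as a prompt for manual review, not as proof of malice.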