French power engineering company Schneider Electric has warned its customers about the Drovorub malware, which allows taking control of Trio radio.Drovorub is malware developed for Linux by the Russian cybercriminal group APT28 (also known as Fancy Bear, Pawn Storm, Sednit and Strontium).
The malware contains an implant, a kernel module rootkit, file transfer and port forwarding tools, and a C&C server.
“Once installed on a device, the malware allows operators to upload and download files, execute commands with superuser privileges, and perform port forwarding. The malware also has mechanisms to ensure persistence and evade detection”, – said representatives of Schneider Electric.
Drovorub runs on systems with Linux 3.7 and later kernels (due to lack of proper kernel signature enforcement) and cannot provide persistence on systems where UEFI Secure Boot is enabled in Full or Thorough mode.
Schneider Electric has recommended that customers use comprehensive protection guidelines to keep Trio Q Data Radio and Trio J Data Radio devices safe from malware.
These products are radios designed to provide long-range wireless transmission for SCADA and remote telemetry applications.
“Installing malware allows an attacker to interact directly with the C&C server, execute arbitrary commands, redirect network traffic through a port, and use special techniques to evade detection”, – information security specialists report.
By default, Trio radios are not vulnerable to malware and it cannot be downloaded to devices without modification. Radios can only be potentially vulnerable if the user uses insecure protocols and refuses to implement role-based access control.
Schneider Electric strongly recommend following industry cybersecurity best practices such as:
- Enable user access control
- Use SSH or HTTPS and avoid Telnet or HTTP
- Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
- Install physical controls so no unauthorized personnel can access your industrial controland safety systems, components, peripheral equipment, and networks.
- Never connect programming software to any network other than the network for the devices that it is intended for.
- Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
- Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
- Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
Let me also remind you that the US Cyber Command uploaded to VirusTotal new versions of the ComRAT and Zebrocy malware, the authorship of which are attributed to Russian government hackers.