FireEye recently discovered a new type of malware called Irongate, which has exhibited some of the same characteristics...
as Stuxnet in targeted attacks on industrial control systems. What are the Stuxnet traits exhibited by the Irongate malware, and what are the risks to enterprises?
All pieces of malware have some similarities with Stuxnet. The Stuxnet malware was designed and targeted at very specific supervisory control and data acquisition (SCADA) systems in Iran for very specific reasons. It was a sophisticated piece of malware when it came out, but had much of the same functionality as other malware, including an initial infection method and dropper. FireEye discovered the Irongate malware while searching VirusTotal, a free malware scanner, for files that use PyInstaller. The Irongate developers have made advancements with their malware's anti-analysis functionality, compared to the Stuxnet malware which just checks for antivirus software. Since the Irongate malware was identified via secondary data analysis on VirusTotal data rather than from investigating compromised systems, it is difficult to establish the full extent of the malware functionality and attack. This is, however, a good use of a community data repository.
Like the Stuxnet malware, Irongate attacks ICSs, looks for a specific process to infect and replaces dynamic link libraries to manipulate the process. Enterprises with ICS or SCADA systems need to continue to maintain the security of their environments, and implement new security controls after risk assessments are performed. As FireEye stated, there is minimal risk to enterprises as Irongate appears to be proof-of-concept malware that doesn't perform malicious actions. Enterprises with Siemens control systems should contact Siemens to find out if their systems are vulnerable to the Irongate malware, because neither FireEye nor Siemens have publicly listed what systems were vulnerable.
FireEye has two recommendations that are common in more mature software development environments -- using code signing for software in use and to include sanity checking in IO data. FireEye released indicators of compromise that an enterprise could check on its ICS or SCADA systems to see if it had been compromised, but it might be more important to just ensure that your enterprise has the capability to check its ICS or SCADA systems for these indicators, rather than performing a search for the Irongate malware.
Find out the possible impact of malware-infected ICS and SCADA systems
Read about BlackEnergy malware attacks on electric companies' ICS software
Learn about the need to increase defensive cybersecurity
Dig Deeper on Risk assessments, metrics and frameworks
Related Q&A from Nick Lewis
The Zealot campaign discovered by F5 Networks uses the same Apache Struts vulnerability exploited in the Equifax breach. Learn how else it performs ... Continue Reading
Facebook Messenger is being used to reach more victims with a cryptojacking bot that Trend Micro researchers named Digimine. Learn how this bot works... Continue Reading
Spider ransomware has been found spreading malicious files via a phishing campaign that gives victims a 96-hour deadline. Learn how this attack is ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.