{"id":963,"date":"2018-02-06T15:56:37","date_gmt":"2018-02-06T08:56:37","guid":{"rendered":"https:\/\/simenteknindo.com\/news\/?p=963"},"modified":"2018-02-06T15:56:37","modified_gmt":"2018-02-06T08:56:37","slug":"triton-gone-wild","status":"publish","type":"post","link":"https:\/\/simenteknindo.com\/news\/triton-gone-wild\/","title":{"rendered":"Triton Gone Wild"},"content":{"rendered":"

Triton, the malware that became known publicly in December<\/a> for its attack on what has since been revealed was a Saudi oil and gas refinery, has been back in the news lately. Reports released by FireEye<\/a> and Dragos<\/a> last month detailed how the malware\u2014referred to also as Trisis\/Hatman\u2014directly targeted the critical facility\u2019s safety instrumented system (SIS). As it turns out, some files from the malware have\u00a0been publicly available on the Internet for others to copy since late December, about a week after the reports went public.<\/p>\n

The attack, which took place in August, targeted the facility\u2019s Triconex safety system supplied by Schneider Electric<\/a>. Set to reprogram the SIS controllers, the malware triggered a safe shutdown of the industrial process, which was an appropriate response for the safety system. Upon publication of the reports from FireEye and Dragos, Schneider Electric issued a security notification<\/a> to its customers to provide awareness of the attack and to reiterate best safety practices (the attack was made possible not through a vulnerability in Schneider Electric\u2019s system, but rather neglect by the customer facility).<\/p>\n

What Schneider Electric also did, however, was to upload a sensitive file containing the backbone of the Triton framework to VirusTotal<\/a>, a public malware repository. Although Schneider Electric received a request\u00a0to remove the file from the site, and it did so quickly, the file\u00a0had already been copied and made available at other public sites, such as GitHub. The Library.zip file that Schneider Electric gathered during its evidence collection could be combined with another publicly available file called Trilog.exe (uploaded to VirusTotal by the victim company) to recreate the Triton malware.<\/p>\n

Owned by Google, VirusTotal is a free online service that enables anyone to upload a file to be scanned for viruses, worms, trojans and other malware. It also serves as a malware repository. Although what Schneider Electric did was in line with industry protocol\u2014done proactively in the interest of enabling the cyber community to analyze and respond to new malware\u2014it might not always be advisable.\u00a0According to a discussion I had early last year with Ben Miller, director of threat operations for Dragos, it\u2019s not uncommon for files to be uploaded to VirusTotal that would be better left unshared with a public database. During Dragos\u2019s study of mostly publicly available data geared toward developing a quantifiable metric of cybersecurity threats<\/a> on industrial controls systems (ICSs), Miller found Nuclear Regulatory Commission reports with non-public names and finding, for example, and a substation maintenance report with detailed spreadsheets and drawings.<\/p>\n

\n
<\/div>\n<\/section>\n

Miller recommended using VirusTotal as a data source but not to upload files. \u201cWhen you start uploading to it, that\u2019s when things can become more interesting,\u201d he said. \u201cThere are some dos and don\u2019ts that haven\u2019t been communicated.\u201d<\/p>\n

Triton unchained<\/strong><\/p>\n

With parts of\u00a0Triton out the in the wild now, the concern is that it could be easier for variants of the malware to strike again, perhaps even rewritten for safety systems from other industrial automation suppliers.<\/p>\n

Schneider Electric contends, however, that Triton is not exactly out in the wild. \u201cThe complexity of the attack and the malware, and how the attack was conducted, means there is no likely imminent threat to our other customers,\u201d the company told me, clarifying that the malware could be successfully loaded only if all the following conditions are present:<\/p>\n