
CrashOverride Malware Threat: Proper Context
The alerts certainly put U.S. utilities, and anyone else connected to the power grid, on notice. But there is no immediate cause for panic; N-Dimension, for instance, is careful to put the risks and potential mitigations in proper context.

"Firstly, it’s important to note that the samples of CrashOverride that were analyzed were tailored for a specific network environment," Kapadia says. "The malware contained specific proxy addresses and IPs and so in its current form it would not affect other networks. However, the real risk is that CrashOverride could be modified to have more widespread impact and also points to a sophisticated capability to disrupt utility Industrial Control System (ICS) networks."

Among the key points Kapadia also shared with MSSP Alert:
- The protocols that the malware targeted (IEC-101, IEC-104, IEC-61850, OPC) are typically used outside of North America, but the threat is that CrashOverride could be easily modified to leverage the DNP3 protocol, which is widely used in North American utility environments.
- N-Dimension recommends that utilities ensure their infrastructure is regularly patched with the latest firmware updates. CrashOverride utilizes a module that exploits CVE-2015-5374 on Siemens SIPROTEC relays. That vulnerability has been patched since 2015-07-07. Information on patching the vulnerability can be found in Siemens Security Advisory 73254.
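The first point above is about which ICS protocols the analyzed samples speak. What a utility's network monitoring can do with that is check the traffic itself rather than wait for a signature: below is an added example, not code from the page, from N-Dimension, or from the malware analysis, of a minimal IEC 60870-5-104 APDU parser and a monitor that flags control-direction ASDUs (single and double commands, set points) whose source is not an approved SCADA master. The hosts, addresses, allowlist and frames are constructed for illustration, and the IOA/type values are hypothetical.

```python
"""Protocol-aware monitor for IEC 60870-5-104 command traffic (added example)."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# ASDU type identifiers that carry process-control commands (IEC 60870-5-101
# range reused by -104). Everything else (interrogation, measurands, clock
# sync, ...) is monitoring-direction traffic and is let through.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point (normalized)",
    49: "C_SE_NB_1 set point (scaled)",
    50: "C_SE_NC_1 set point (float)",
    51: "C_BO_NA_1 bitstring command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    60: "C_RC_TA_1 regulating step with time tag",
    61: "C_SE_TA_1 set point with time tag (normalized)",
    62: "C_SE_TB_1 set point with time tag (scaled)",
    63: "C_SE_TC_1 set point with time tag (float)",
    64: "C_BO_TA_1 bitstring command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission: a master is issuing the command


@dataclass
class Apdu:
    fmt: str                          # "I" (data), "S" (ack) or "U" (link control)
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    ioa: Optional[int] = None         # address of the first information object


def parse_apdu(buf: bytes) -> Apdu:
    """Parse one IEC-104 APDU: 0x68, length, 4 control bytes, optional ASDU."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("missing 0x68 start byte or truncated APCI")
    if buf[1] != len(buf) - 2:
        raise ValueError(f"length field {buf[1]} does not match {len(buf) - 2} payload bytes")
    ctrl0 = buf[2]
    if ctrl0 & 0x01 == 0:
        fmt = "I"
    elif ctrl0 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt)                # S/U frames carry no ASDU
    asdu = buf[6:]
    if len(asdu) < 9:                   # type, VSQ, COT(2), CA(2), IOA(3)
        raise ValueError("ASDU header truncated")
    type_id, _vsq, cot, _originator, common_addr = struct.unpack("<BBBBH", asdu[:6])
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)      # 3-byte little-endian IOA
    return Apdu("I", type_id, cot & 0x3F, common_addr, ioa)  # low 6 bits = cause


@dataclass
class Frame:
    src: str
    dst: str
    payload: bytes


def find_rogue_commands(frames: Iterable[Frame],
                        allowed_masters: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, reason) for control commands from hosts outside the allowlist."""
    alerts = []
    for f in frames:
        try:
            a = parse_apdu(f.payload)
        except ValueError as err:
            alerts.append((f.src, f.dst, f"malformed APDU: {err}"))
            continue
        if a.fmt != "I" or a.type_id not in CONTROL_TYPES or a.cot != COT_ACTIVATION:
            continue    # confirmations (COT 7) from the RTU echo the type but are not requests
        if f.src not in allowed_masters:
            alerts.append((f.src, f.dst,
                           f"{CONTROL_TYPES[a.type_id]} (type {a.type_id}) "
                           f"to CA {a.common_addr} IOA {a.ioa} from unapproved master"))
    return alerts


# Constructed sample traffic (hypothetical addresses, not captured data):
# 10.0.1.5 is the approved SCADA master, 10.0.2.10 an RTU, 10.0.1.77 an
# engineering workstation that should never issue commands.
SAMPLE_FRAMES = [
    Frame("10.0.1.5", "10.0.2.10", bytes.fromhex("680407000000")),                                   # U: STARTDT act
    Frame("10.0.1.5", "10.0.2.10", bytes.fromhex("680e00000000" "64010600" "0100" "000000" "14")),   # C_IC_NA_1 interrogation
    Frame("10.0.1.5", "10.0.2.10", bytes.fromhex("680e02000000" "2d010600" "0100" "011000" "81")),   # legit single command, IOA 4097
    Frame("10.0.1.77", "10.0.2.10", bytes.fromhex("680e00000000" "2d010600" "0100" "011000" "81")),  # rogue single command
    Frame("10.0.2.10", "10.0.1.77", bytes.fromhex("680e00000200" "2d010700" "0100" "011000" "81")),  # RTU actcon (COT 7), no alert
    Frame("10.0.1.77", "10.0.2.10", bytes.fromhex("680e04000200" "2e010600" "0100" "021000" "02")),  # rogue double command, IOA 4098
    Frame("10.0.1.77", "10.0.2.10", bytes.fromhex("68ff0000")),                                       # junk, flagged as malformed
]

if __name__ == "__main__":
    for src, dst, reason in find_rogue_commands(SAMPLE_FRAMES, {"10.0.1.5"}):
        print(f"ALERT {src} -> {dst}: {reason}")
```

Run as-is, the monitor reports the two commands from 10.0.1.77 and the junk frame, and stays quiet for the interrogation, the master's own command and the RTU's confirmation. The parser deliberately reads only the first information object; a production sensor would walk all objects in the VSQ count and track the send/receive sequence numbers too. The same allowlist-plus-command-function logic is what a North American utility would want for DNP3 (the port and function codes differ; that mapping is an assumption beyond what this article states).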