The Triton Trojan which targeted core industrial systems in the Middle East last year exploited a zero-day flaw in Triconex controllers to carry out its attack.
Triton was first detected in the wild in August 2017 and hit the spotlight in December after the malware was used in an attempt to close down industrial systems in the Middle East.
Researchers from FireEye's Mandiant said Triton was able to manipulate emergency shutdown systems at an unnamed critical infrastructure firm in the region.
The malware is one of only a handful of known examples which have been developed for the purpose of attacking companies in the core industrial sector, including oil, gas, and electricity.
According to Symantec, Triton was developed to tamper with safety instrumented system (SIS) controllers produced by Triconex and used in industrial control systems (ICS).
An updated security advisory from Schneider Electric says the vulnerability is limited to older versions of the Tricon SIS controller and, in the December attack, was "part of a complex malware infection scenario."
In an attack against the customer, the malware utilized a zero-day bug in the Tricon firmware to scan and map the industrial control system and conduct reconnaissance.
The safety network is accessible through either physical access or a remote conduit, and because the Tricon key switch was in "Program" mode, the malware was able to deploy its payload.
"Once the malware was inside the controller, it injected the RAT into memory by exploiting a zero-day vulnerability in the firmware, and escalating its privileges," Paul Forney, global cybersecurity architect for Schneider Electric's US product security office, told Dark Reading. "It's running in the highest privilege of the machine, and that's going to allow an attacker to interface with that RAT to do what it wants."
Triton, a Remotely Accessible Trojan (RAT), then controls the system, tampering with controls and potentially causing havoc by disrupting core services and emergency controls.
In this case, the attack failed due to issues with the malware itself, including a bug in the payload script. This mistakenly caused the emergency system to shift into safe mode, preventing further compromise.
"To date, the information gathered indicates that if the Tricon key switch had been left in the correct position per our recommended guidelines, the injection of malware would not have been successful," Schneider says.
It is not known who was behind this attack, or why.
To prevent Triton from successfully striking other users of the controller, the company plans to roll out a detection tool and removal procedure as part of a patch update to 10X firmware in February.