Biomanufacturing facilities are being urged to inspect their industrial networks—many of which are used in the production of critical medicines, vaccines, and other applications—for signs of a newly disclosed advanced attack designed to steal intellectual property.
Nicknamed Tardigrade, the attacks are spreading among biomanufacturing companies, according to the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC). The malware is highly customizable, adapts to the environment it has infected, and can act autonomously if cut off from the attackers' command-and-control server, said researchers from BioBright.
BioBright, a BIO-ISAC member, investigated attacks at two facilities, one this spring and another in October. Both facilities initially reported ransomware attacks on their respective networks, a strange twist to these incidents given that ransomware attacks are noisy by nature, in stark contrast to the inherently stealthy nature of this malware.
BIO-ISAC released some technical details about these attacks yesterday; given that the group says the attacks are ongoing, users in this industry need to be vigilant about cutting off the intruders' access to these critical networks.
Here's what you need to know:
Tardigrade is polymorphic malware. This is an advanced malware technique in which the code changes depending on its environment in order to avoid detection. According to an article in Wired, one BioBright analyst said she conducted dozens of tests on the malware, and each time it compiled differently and communicated uniquely with command-and-control servers. If that backdoor access is somehow cut off, the malware will continue to deploy its payloads.
Polymorphic malware is advanced, but not uncommon. Tardigrade stands out because, according to details released by BIO-ISAC, it is able to recompile its loader from memory and not leave a consistent signature. This would complicate detection efforts.
The malware is delivered via numerous vectors, including phishing emails and infected USB drives. It uses a malware loader known as SmokeLoader, or Dofoil, to inject modules onto compromised machines, including keyloggers and password-stealing utilities. It also creates a backdoor connection that allows for downloading files and commands from the attacker's server, deploying additional attack modules, and remaining hidden on the network. Its purpose is espionage, and BioBright and BIO-ISAC believe it's the work of an advanced persistent threat (APT) group, likely state-sponsored.
SmokeLoader, meanwhile, has been available on underground forums for a decade. It's been linked to numerous attacks, including some involving cryptocurrency mining and data exfiltration. It's armed with numerous plug-ins that enable persistence on compromised networks, as well as tools that ensure its stealthiness, including some that obfuscate values in the malware and routines designed to determine whether it's executing within a virtual machine, which would indicate that it's been found and quarantined.
According to BIO-ISAC's report, the version of SmokeLoader used by Tardigrade is more autonomous than previous versions and can make decisions on lateral movement or file manipulation based on internal logic. The BIO-ISAC report has made a list of indicators of compromise available, as well as detection statistics; 34 of 69 antimalware vendors detect it as malicious as of yesterday.
The concern is that COVID-19 vaccines and treatments are being developed within this sector, and since the start of the pandemic, espionage efforts targeting these companies have ramped up. BioBright CEO Charles Fracchia declined to connect the victims to COVID-19 research, according to Wired, but said their processes play a role.
Stealing private research related to COVID-19 vaccines, for example, would significantly reduce an adversary state's research-and-development time and costs.
Biomanufacturing companies should scan their networks for indicators of compromise pointing to a Tardigrade infection.
Proper network segmentation is a key mitigation step for operators of industrial networks, including as a tactic for fending off Tardigrade. Operational technology networks should be segmented from enterprise networks, and any crossover points between IT and OT should be guarded.
Segmentation likely would involve virtual zoning that allows for zone-specific policies that are tailored to engineering and other process-oriented functions. The ability to inspect traffic and OT-specific protocols is also crucial to defend against anomalous behaviors.
Visibility into remote access is also essential. These connections should be monitored and audited for anomalous activity; shared passwords should be discouraged, and two-factor authentication should be enabled.
Secure access solutions must not only alert on suspicious activities, but also provide the capability to investigate specific sessions, either live or on-demand, and allow administrators to respond by either disconnecting a session or taking another action to contain or remediate damage.
BIO-ISAC recommends backups for key segments of the infrastructure, including ladder logic for biomanufacturing instrumentation, SCADA and historian configurations, and the batch record system.
CWE-120 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW'):
A denial-of-service vulnerability exists in the affected product. The vulnerability results in a buffer overflow, potentially causing a denial-of-service condition.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-122 HEAP-BASED BUFFER OVERFLOW:
A denial-of-service and possible remote code execution vulnerability exists in the affected product. The vulnerability results in the corruption of the heap memory, which may compromise the integrity of the system, potentially allowing for remote code execution or a denial-of-service attack.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-420 UNPROTECTED ALTERNATE CHANNEL:
A device takeover vulnerability exists in the affected product. This vulnerability allows configuration of a new Policyholder user without any authentication via the API. The Policyholder user is the most privileged user; it can perform edit operations, create admin users, and perform a factory reset.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-191 INTEGER UNDERFLOW (WRAP OR WRAPAROUND):
The affected product is vulnerable to an integer underflow. An unauthenticated attacker could send a malformed HTTP request, which could allow the attacker to crash the program.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 5.3
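The weakness class above, as an added, constructed illustration (not Planet Technology's firmware or code): an HTTP handler that subtracts attacker-controlled lengths with `size_t` wraps around when a request carries more body bytes than its declared Content-Length, and the hardened `plan_read` rejects such a request instead of trying to read a near-infinite remainder. The request strings, function names and the Content-Length scenario are all assumptions made for the example.

```c
/* Added illustration of CWE-191 (integer underflow) in an HTTP request
 * handler. Constructed example, not Planet Technology's firmware: a size_t
 * subtraction on attacker-controlled lengths wraps to a huge value, and the
 * hardened path rejects the malformed request instead of reading on. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Offset of the first body byte (just past "\r\n\r\n"), or -1 if absent. */
long header_end(const char *req, size_t req_len) {
    for (size_t i = 0; i + 4 <= req_len; i++)
        if (memcmp(req + i, "\r\n\r\n", 4) == 0)
            return (long)(i + 4);
    return -1;
}

/* Declared Content-Length (req is NUL-terminated here), or -1 if missing. */
long content_length(const char *req) {
    const char *p = strstr(req, "Content-Length:");
    return p ? strtol(p + 15, NULL, 10) : -1;
}

/* Vulnerable: declared - received wraps when the body already exceeds the
 * declared length, so a read loop would wait for ~SIZE_MAX more bytes. */
size_t remaining_unchecked(size_t declared, size_t received) {
    return declared - received;
}

/* Hardened: bytes still to read, or -1 when the request is malformed. */
long plan_read(const char *req, size_t req_len) {
    long body = header_end(req, req_len);
    long declared = content_length(req);
    if (body < 0 || declared < 0) return -1;
    size_t received = req_len - (size_t)body;   /* safe: body <= req_len */
    if (received > (size_t)declared) return -1;  /* the check the CWE-191 code lacks */
    return declared - (long)received;
}

/* Constructed requests: BAD_REQ declares 4 body bytes but carries 8. */
const char *BAD_REQ  = "POST /api HTTP/1.1\r\nContent-Length: 4\r\n\r\nabcdefgh";
const char *GOOD_REQ = "POST /api HTTP/1.1\r\nContent-Length: 4\r\n\r\nab";
int main(void) {
    size_t len = strlen(BAD_REQ);
    size_t received = len - (size_t)header_end(BAD_REQ, len);
    printf("unchecked: %zu bytes still to read\n", remaining_unchecked(4, received));
    printf("checked: %ld (bad) %ld (good)\n", plan_read(BAD_REQ, len), plan_read(GOOD_REQ, strlen(GOOD_REQ)));
    return 0;
}
```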
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION'):
The affected product is vulnerable to a command injection. An unauthenticated attacker could send commands through a malicious HTTP request which could result in remote code execution.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 9.8