Despite widespread reporting that Snake, or EKANS, ransomware—which was discovered last month and allegedly created by Iran—aims to disrupt industrial processes by directly targeting industrial control system (ICS) equipment, Claroty researchers have determined this is not the case.
Unlike ICS-specific malware such as Triton and Industroyer, Snake does not communicate with ICS equipment and is unable to change the logic or tag values of such equipment because it does not utilize the industrial communication protocols required to do so.
The heavy presence of ICS processes in the Snake kill list, however, indicates that the ransomware's intended victims are indeed ICS processes. The key difference is that rather than seeking to disrupt such processes by targeting ICS equipment directly, Snake casts a much wider net by targeting enterprises' entire corporate IT networks—many of which are connected to ICS networks and thus processes. As a result, any damage to ICS processes that does occur is likely to be a byproduct of the ransomware's encryption of HMI configuration and/or other types of IT files critical to ICS processes.
Also noteworthy is that, according to Claroty researchers, the ICS process kill list configured in Snake is fully contained in the process kill list included in the MegaCortex ransomware, which was first identified in 2017. Despite the contents of its kill list, however, MegaCortex has historically been known to target only enterprise IT networks, not ICS networks.
There are multiple open questions about the relationship between MegaCortex and the analyzed samples of Snake. While both are classic ransomware families that share similar behaviors and resources, such as the aforementioned kill list, they differ fundamentally in how they were developed: MegaCortex is written in C++, while Snake is written in Go (Golang).
The shared behavior and resources could indicate that Snake and MegaCortex were developed by the same group; however, this has not been proven and requires further investigation. Another possibility is that parts of the code were taken from malware development resources commonly available in public repositories or within private groups. Some attackers have also been known to rewrite their tools in a different programming language while keeping the general logic the same in order to evade detection by security tools.
Furthermore, a possible explanation for why certain ICS processes are included in MegaCortex's kill list is that it was an opportunistic decision by the group behind the malware. The group probably encountered ICS-related servers in action while developing MegaCortex and opted to include related processes in the kill list in order to hit crucial assets such as ICS-related software. This reading is supported by the fact that MegaCortex kills licensing-related processes, such as "FLEXNet Licensing Service," which causes a denial of service (DoS), but does not encrypt process-related files such as Proficy HMI configuration and Historian data.
Moreover, it is crucial to recognize that Snake ransomware is among the latest reminders of the security risks posed by the convergence of IT and ICS or operational technology (OT) networks. While Snake lacks the ability to communicate with ICS equipment using OT protocols, the architecture of many IT and ICS/OT networks within industrial enterprises and critical infrastructure still makes it possible for the ransomware to impact the availability, safety, and reliability of ICS processes.
Claroty researchers recommend taking the following steps to proactively reduce your organization's risk of exposure to Snake, as well as other types of ransomware and destructive malware:
Network Segmentation: Network segmentation is a crucial element of protecting an ICS network. Claroty suggests limiting communication between different segments of the network depending on criticality and usability. This approach helps minimize the extent to which malware and attackers can spread within your ICS network.
Data Protection: Frequent data backups are essential and should always be stored offline in a secure location. It can also be beneficial to keep multiple backups of particularly sensitive data in different locations, as well as to test backups by simulating different attack scenarios.
Software and Firmware Updates: Since ransomware is often distributed via exploit kits, ensuring all operating systems, software versions, plugins, and browsers on the network are routinely patched and updated is imperative.
User-Role Policies: Practitioners are strongly encouraged to restrict user permissions by defining user roles, blocking all but trusted and necessary users from installing and running software applications, applying a "least privilege" policy to all systems and services, and implementing User Account Control (UAC) to prevent unauthorized changes to user privileges. Such policies can help limit malware from executing and/or spreading within a network.
Network Management: It is important to ensure that firewalls are properly configured and updated, unused ports are monitored and closed, and unused protocols are blocked.
Claroty researchers recommend adhering to the following best practices in the event of a ransomware attack on an ICS network:
Identify, isolate, and remove the infected assets: Immediately disconnecting them from the network can help prevent the ransomware from spreading to shared drives and connected systems.
Determine the infection vector: Ensuring a clean restoration of backups requires knowing which backups from what time period need to be restored—and this typically depends on when the ransomware attacker penetrated the network. Attackers have been known to penetrate networks and establish as wide a foothold as possible days or even weeks before the ransomware is executed and the encryption stage starts.
Notify employees: Ensure employees are aware that a ransomware attack has occurred and is in progress. Next, direct them to the organization's incident response plan and processes needed to protect the data.
Identify a safe point in time: Determine the point in time when the ransomware infected your ICS network. Restore the most recent clean files from a backup just prior to the infection date.
Restore infected systems: If a production database or industrial application has been infected, leverage backup solutions to spin up an image or virtual machine in minutes while taking precautions to minimize the impact on business processes.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and misleading victim clients.
Optigo Networks recommends users upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain control over utilities within the products.
Optigo Networks recommends users upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard-coded secret key, which could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends users upgrade to the following:
CVSS v3: 7.5
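To show why a hard-coded JWT signing key is a session-forgery risk and what the fix looks like, here is an added example (not Optigo's code; the key constant, environment variable name and claims are constructed placeholders). It implements HS256 issue/verify with the standard library, contrasts a key baked into the source with a per-deployment key loaded from configuration, and shows that tokens minted under the shipped constant are rejected once the service signs with its own key.

```python
import base64, hashlib, hmac, json, os, secrets
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the token is a well-formed HS256 JWT signed with `key`, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # reject alg confusion
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None

# Weak pattern (CWE-547): a constant shipped in every install; anyone who reads it holds the key.
HARDCODED_KEY = b"changeme-shipped-in-every-install"  # constructed placeholder

def load_signing_key() -> bytes:
    """Hardened pattern: a per-deployment secret from configuration, never a source constant."""
    raw = os.environ.get("APP_JWT_KEY")  # assumed variable name
    if raw is None or len(raw) < 32:
        raise RuntimeError("APP_JWT_KEY must be set to at least 32 random characters")
    return raw.encode()

def demo() -> tuple:
    os.environ["APP_JWT_KEY"] = secrets.token_hex(32)  # stands in for real deployment config
    deploy_key = load_signing_key()
    shipped_token = issue({"sub": "admin"}, HARDCODED_KEY)
    weak_accepts = verify(shipped_token, HARDCODED_KEY) is not None   # any holder of the constant passes
    hardened_rejects = verify(shipped_token, deploy_key) is None       # rotated key invalidates it
    good_accepts = verify(issue({"sub": "operator"}, deploy_key), deploy_key) == {"sub": "operator"}
    return weak_accepts, hardened_rejects, good_accepts
```

The same rotation step is the practical remediation for a leaked key: every token signed under the old constant stops verifying the moment the service loads a fresh per-deployment secret.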
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product attempts to mount a remote filesystem from a hard-coded, routable IP address, bypassing the device's configured network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, they should block 202.114.4.0/24 from their networks, or at minimum block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
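As an added example (not CISA's or Contec's code), the following flow-log check turns the mitigation above into detection logic: it applies either of the two advisory options (block the whole /24, or only the two listed hosts) to constructed flow records and flags any device traffic toward the listed range, noting when the destination port is one used by common remote-mount services. The log format, the 10.20.5.0/24 monitor VLAN and the port list are assumptions; the IP addresses come from the advisory.

```python
import ipaddress
from typing import Dict, List

# Addresses from the advisory's mitigation guidance.
ADVISORY_NET = ipaddress.ip_network("202.114.4.0/24")
ADVISORY_HOSTS = {ipaddress.ip_address(h) for h in ("202.114.4.119", "202.114.4.120")}
# Ports of common remote-mount services (assumption: the advisory does not name the protocol).
MOUNT_PORTS = {111, 445, 2049}

def is_blocked(dst: str, policy: str = "subnet") -> bool:
    """Apply one of the two advisory options: block the /24, or only the two listed hosts."""
    addr = ipaddress.ip_address(dst)
    if policy == "subnet":
        return addr in ADVISORY_NET
    if policy == "hosts":
        return addr in ADVISORY_HOSTS
    raise ValueError(f"unknown policy {policy!r}")

def parse_flow(line: str) -> Dict[str, str]:
    """Parse one 'key=value' flow record (constructed format, not a real exporter's)."""
    return dict(field.split("=", 1) for field in line.split())

def flag_flows(lines: List[str], policy: str = "subnet") -> List[Dict[str, str]]:
    """Return the records whose destination matches the chosen policy, tagged with a reason."""
    hits = []
    for line in lines:
        rec = parse_flow(line)
        if not is_blocked(rec["dst"], policy):
            continue
        rec["reason"] = "dst in advisory-listed range"
        if int(rec.get("dport", "0")) in MOUNT_PORTS:
            rec["reason"] += "; remote-mount service port"
        hits.append(rec)
    return hits

# Constructed records: a monitor talking to its gateway, to a listed host, and to another host in the /24.
SAMPLE_FLOWS = [
    "ts=2025-01-30T08:01:02Z src=10.20.5.17 dst=10.20.5.1 dport=443 proto=tcp",
    "ts=2025-01-30T08:01:09Z src=10.20.5.17 dst=202.114.4.119 dport=2049 proto=tcp",
    "ts=2025-01-30T08:01:10Z src=10.20.5.17 dst=202.114.4.7 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for hit in flag_flows(SAMPLE_FLOWS):
        print(hit["ts"], hit["src"], "->", hit["dst"], hit["reason"])
```

Under the "hosts" policy the third record is not flagged, which is why the advisory's broader /24 option gives more coverage if the device ever reaches a neighbouring address.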
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable because its update mechanism fails to verify the update server's certificate, which could allow an attacker to alter network traffic and carry out a machine-in-the-middle (MITM) attack. An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download the v2025.1 or later version of their software.
CVSS v3: 5.7