
Industrial control systems under imminent threat from new malware, according to Dragos' warning

Energy provider in Ukraine hit by attack linked to ninth malware type, FrostyGoop, identified by Dragos within the ICS sphere.

Industrial control systems face a new cyber threat with the emergence of sophisticated malware, according to a warning from Dragos.


A new malware named FrostyGoop has been identified, targeting industrial control system (ICS) environments with potentially dangerous consequences for global industrial systems. The malware, discovered by Dragos researchers in April 2023, poses a risk due to its reliance on the Modbus protocol, a standard used in over 46,000 systems worldwide across all industrial sectors.

In the Ukraine attack in January, the attackers used Modbus commands to disrupt heating systems in multiple buildings. FrostyGoop follows the same pattern, carrying out its attacks over Modbus TCP communications. The malware, written in the Go programming language, is easily accessible on the internet to ordinary users, according to cybersecurity expert Magpie Graham.

FrostyGoop can attack targets exposed to the public internet and requires no prior compromise of the network. In the Ukraine incident, the attackers gained entry to the municipal district energy company's systems by exploiting a vulnerability in a MikroTik router. Once inside, they deployed a webshell and later obtained user credentials.

The weaknesses FrostyGoop relies on are primarily those of the Modbus TCP protocol itself: it has no authentication and no encryption, which leaves it open to man-in-the-middle and injection attacks. Those attacks allow eavesdropping, command interception, and the sending of spoofed or malicious Modbus commands that directly affect physical processes.

To mitigate these risks, it is recommended to segment and isolate ModbusTCP devices, use secure gateways or proxies, deploy intrusion detection and anomaly detection systems, implement strict access controls and whitelisting, regularly patch and update systems, and replace legacy ModbusTCP equipment with more secure alternatives. Additionally, employee cybersecurity training is crucial to raise awareness of social engineering vectors that could lead to initial compromise.

Deploying multi-layered monitoring solutions, using OT-aware endpoint detection and response (EDR) tools, and focusing on protocol hardening, network architecture improvements, and advanced detection mechanisms are also essential strategies for protecting against FrostyGoop and similar malware.

The use of Modbus in malware like FrostyGoop and Pipedream (another malware discovered in 2022) underscores the need for increased security measures in ICS environments. As the threat landscape evolves, it is crucial for organizations to stay vigilant and proactive in protecting their systems from these potential risks.

In summary, FrostyGoop targets industrial control systems through the Modbus protocol, a standard common across industrial sectors, in the same way as the Modbus-based attack in Ukraine that disrupted heating systems. The malware is easily obtained by ordinary users, and it relies on the weaknesses of the Modbus TCP protocol, which leave it open to man-in-the-middle and injection attacks. To mitigate this risk, organizations should segment and isolate Modbus TCP devices, deploy intrusion detection systems, implement strict access controls, patch systems regularly, and invest in protocol hardening and network architecture improvements. The use of Modbus in malware like FrostyGoop underlines the need for stronger ICS cybersecurity as the threat landscape continues to evolve.
