{"id":89283,"date":"2024-08-02T09:54:53","date_gmt":"2024-08-02T16:54:53","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=89283"},"modified":"2024-08-05T07:04:14","modified_gmt":"2024-08-05T14:04:14","slug":"ics-malware-frostygoopbustleberm-insights-others-missed","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/ics-malware-frostygoopbustleberm-insights-others-missed\/","title":{"rendered":"ICS Malware \u2018FrostyGoop\/BUSTLEBERM\u2019: Insights Others Missed"},"content":{"rendered":"

In the last few weeks, there have been a few announcements made about a new malware threat known as FrostyGoop or BUSTLEBERM (as it was originally tracked by Mandiant). It is being recognized as the first custom malware to integrate Modbus for the purpose of causing physical damage. An associated incident has been reported where the malware was used to disrupt heating in Ukrainian homes in the context of a Russian cyberattack.<\/p>\n

The news has rightfully garnered significant attention within the cybersecurity community, as attacks like the one where the malware was reportedly used are far reaching and could result in significant disruptions to business, financial loss, and in some cases a danger to human lives, depending on the critical nature of the targeted infrastructure.<\/p>\n

Reports by Dragos<\/a> and other industry leaders emphasize the uniqueness of this threat as something new. Yet, upon further investigation, the underlying techniques used are far from unique. In fact, FrostyGoop\/BUSTLEBERM is a variation or continuation of well-documented tactics, techniques and procedures (TTPs) that we and other researchers have observed in previous cyber incidents.<\/p>\n

Examining the ICS Malware FrostyGoop\/BUSTLEBERM News: Should You Care?<\/h2>\n

The potential for widespread disruption and the real risk to human lives make it imperative for businesses and organizations to stay ahead of OT-specific malware and threats, but also to ensure that they are not caught off guard by what may appear to be new but is, in fact, a well-established method of attack that could be detected or prevented.<\/p>\n

Although FrostyGoop\/BUSTLEBERM is a real threat, well-known researchers<\/a> have raised some questions about the malware and reported incident. Here\u2019s why:<\/p>\n

    \n
  1. The impact of the attack was probably different than what has been widely stated in the media. <\/strong><\/li>\n<\/ol>\n

    While there were reports of 600 households with no hot water and heating for a couple of days, the actual incident in Ukraine \u2013 based on public information shared by Marina Krotofil<\/a> \u2013 may have affected fewer homes for a shorter period of time.<\/p>\n

      \n
    1. There is a discrepancy between the technical capabilities of the actual malware and what happened in the stated incident.<\/strong><\/li>\n<\/ol>\n

      The incident report mentions things like firmware downgrade and exploiting routers for initial access that are not part of the malware capability and that are not detailed at all. Overall, it is challenging to connect the publicly available piece of malware \u2013 found on VirusTotal as described below \u2013 to the described incident.<\/p>\n

      Organizations should be aware of and take action to mitigate attacks abusing OT protocols, but understanding real impacts and capabilities is important to take appropriate decisions on which controls to prioritize and which risks to mitigate.<\/p>\n

      FrostyGoop\/BUSTLEBERM: Under the Hood<\/h2>\n

      While FrostyGoop\/BUSTLEBERM is reported as the first malware intentionally crafted to exploit the Modbus protocol for destructive purposes, this is not the whole story. The use of Modbus in cyber-attacks is far from new. Historically, hacktivist groups including GhostSec have leveraged tools, such as Metasploit and custom scripts (KillBus<\/a> and theComposer.py<\/a>) to target OT environments, including in Russia as early as 2022.<\/p>\n

      Additionally, Forescout Research \u2013 Vedere Labs research has consistently highlighted Modbus as the most scanned and attacked OT protocol we observe<\/strong>. In 2023, 33% of OT protocol interactions observed on our Adversary Engagement Environment<\/a> targeted Modbus, underscoring its appeal to threat actors. This makes the Modbus-related capabilities of FrostyGoop\/BUSTLEBERM less groundbreaking and more a natural evolution of existing threats.<\/p>\n

      \"\"
      \nFigure 1 \u2013 Attacks to OT protocols on Forescout\u2019s       Adversary Engagement Environment (AEE)<\/a>. From our Threat Roundup 2023<\/a>.<\/small>\n

      Soon after the publication of the FrostyGoop report, Florian Roth shared with the community<\/a> a YARA rule used to find the sample on VirusTotal. That rule currently matches two executable files:<\/p>\n