FrostyGoop's Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
Summary:
In July 2024, the operational technology (OT)-centric malware FrostyGoop/BUSTLEBERM became publicly known, after attackers used it to disrupt energy infrastructure for over 600 apartment buildings, leaving people without heat for 2 days in Lviv in April 2024 due to an ICS attack on a municipal energy company. Details of the attack were disclosed by Ukraine’s Cyber Security Situation Center (CSSC), highlighting an uptrend in the deployment of ICS-centric malware globally and the prevalence of psychological warfare cyberattacks on Ukraine’s critical infrastructure from Russia-aligned groups like Sandworm.
According to the Dragos report from July 2024, in this particular attack on heating systems in Ukraine, the adversary leveraged a vulnerability in a MikroTik router as the initial access vector. However, Palo Alto’s Unit 42 could not confirm this and believes the threat actors could also have delivered the malware via OT devices exposed to the internet. FrostyGoop makes use of the Modbus TCP protocol to interact directly with ICS/OT devices. During this attack, the adversaries dispatched Modbus commands to ENCO control devices, leading to inaccurate measurements and system malfunctions that caused the two-day outage. The attacker can establish a Modbus TCP connection and remotely send commands using a JSON configuration file or from a Command Line Interface (CLI). FrostyGoop is compiled using Golang. The ENCO devices discovered from the attack all had TCP port 23 (Telnet) exposed, allowing the threat actors to probe for ENCO PLC devices on the internet.
Analyst Comments:
FrostyGoop is a notable example of the growing threat of OT malware, and studying it can help defenders develop mitigations and protections for similar threats. The use of the Modbus TCP protocol to conduct attacks is concerning for organizations, because Modbus is one of the most common protocols used in critical infrastructure. Although the attackers targeted ENCO control devices in this particular attack, FrostyGoop is capable of attacking any device that speaks Modbus TCP. According to Unit 42 telemetry, 1,088,175 Modbus TCP devices were exposed to the internet from Sept. 2 to Oct. 2, 2024, and 6,211,623 devices were exposed overall. The drastic increase in OT and IoT devices exposed to the internet, as organizations connect OT to IT networks to increase facilities management efficiency, underscores the importance of maintaining a comprehensive security posture, including robust ICS/OT protections that minimize operational disruption.
Suggested Corrections:
IOCs can be found here.
To protect against ICS malware like FrostyGoop, organizations should employ threat detection solutions to identify abnormal connections and communications over Modbus. Remain vigilant for any updates on ICS malware and TTPs utilized in similar attacks to update your security posture accordingly.
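As an added illustration of the detection recommendation above (example code written for this summary, not code from the Unit 42 or Dragos analyses), the following Python parses the Modbus/TCP MBAP header and flags write-function requests from hosts that are not allow-listed engineering stations; the frames, IP addresses and allow-list are constructed sample data.

```python
"""Modbus/TCP parser plus an allow-list detector for writes; all sample data below is constructed."""
import struct
from dataclasses import dataclass

# Function codes that change device state; reads (1-4) are left alone.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int  # first register/coil address for the common function codes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU that follows it."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    function = frame[7]
    address = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else 0
    return ModbusRequest(tid, unit, function, address)

def flag_writes(events, allowed_writers):
    """events: (src_ip, dst_ip, frame) tuples. Returns one alert string per finding."""
    alerts = []
    for src, dst, frame in events:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({exc})")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src}->{dst}: {WRITE_FUNCTIONS[req.function]} to unit "
                          f"{req.unit_id} address {req.address} from non-allow-listed host")
    return alerts

# Constructed sample traffic: HMI read, external write, sanctioned write, truncated write.
SAMPLE_EVENTS = [
    ("10.0.0.5", "10.0.0.20", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    ("203.0.113.7", "10.0.0.20", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x64"),
    ("10.0.0.5", "10.0.0.20", b"\x00\x03\x00\x00\x00\x06\x01\x06\x00\x10\x00\x64"),
    ("203.0.113.7", "10.0.0.20", b"\x00\x04\x00\x00\x00\x09\x01\x10"),
]
ALLOWED_WRITERS = {"10.0.0.5"}
```

Running `flag_writes(SAMPLE_EVENTS, ALLOWED_WRITERS)` yields two alerts: the external write to register 16 and the truncated frame; the read and the sanctioned write stay silent.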
SANS 5 ICS Critical Controls:
- ICS Incident Response
  - Operations-informed IR plan with focused system integrity and recovery capabilities during an attack. Exercises designed to reinforce risk scenarios and use cases tailored to the ICS environment.
- Defensible Architecture
  - Architectures that support visibility, log collection, asset identification, segmentation, industrial DMZs, and process-communication enforcement.
- ICS Network Visibility Monitoring
  - Continuous network security monitoring of the ICS environment with protocol-aware toolsets and system-of-systems interaction analysis capabilities, used to inform operations of potential risks to control.
- Secure Remote Access
  - Identification and inventory of all remote access points and allowed destination environments, on-demand access and MFA where possible, and jump host environments to provide control and monitoring points within the secure segment.
- Risk-based Vulnerability Management
  - Understanding of the cyber digital controls in place and device operating conditions that aid in risk-based vulnerability management decisions: patch the vulnerability, mitigate the impact, or monitor for possible exploitation.
https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/
https://sansorg.egnyte.com/dl/R0r9qGEhEe