October 2014 – Sandworm and SCADA

Systems Affected

Windows PCs running the GE Intelligent Platform’s CIMPLICITY HMI

Overview

These attacks target Microsoft Windows PCs running the GE Intelligent Platform’s CIMPLICITY HMI solution suite via a spear-phishing email. The email carries a malicious attachment that, when opened by the CIMPLICITY application, attempts to exploit the “Sandworm” vulnerability in Microsoft Windows. If the attack against the Windows system running CIMPLICITY succeeds, it then attempts to download the Black Energy malware onto the system.

Description

Microsoft Windows Update applied a correction for this vulnerability in the October update. The correction causes no issues with SCADA.

Concerned users might consult Microsoft Security Bulletin MS14-060 (KB3000869) and apply the correct patch for their operating system.

Update

Although this particular vulnerability concerns the proprietary files of Cimplicity HMI, Survalent HMI, Gateway and SCADA solutions are not affected. Survalent recommends that the following best practices are implemented:

  1. Survalent advises against the use of email clients on the Server (Host) machines.
  2. Microsoft Security Bulletin MS14-060 (KB3000869) should be installed.
  3. Users should execute the “Disable WebClient Service” workaround on the Host machines.
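As an added example (not from the advisory or Survalent), the following PowerShell script audits a host against the recommendations above: it checks whether KB3000869 is installed and whether the WebClient service is stopped and disabled, and with -Remediate applies the WebClient workaround. It assumes Windows PowerShell 3 or later and local administrator rights for the remediation step; the mail-client process names in the last check are assumed examples.

```powershell
# Added audit/hardening script for the MS14-060 / WebClient recommendations (not Survalent's own).
# Assumes PowerShell 3+ and local admin rights when -Remediate is used.
param(
    [switch]$Remediate   # when set, also disables and stops the WebClient service
)

$kb = 'KB3000869'   # MS14-060 update referenced in the advisory

# 1. Is the MS14-060 update installed?
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "[OK]   $kb installed on $($hotfix.InstalledOn)"
} else {
    Write-Output "[FAIL] $kb not found - apply the MS14-060 update for this OS"
}

# 2. State of the WebClient (WebDAV redirector) service
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "[OK]   WebClient service not present"
} else {
    # StartMode comes from WMI/CIM because Get-Service lacks StartType before PowerShell 5
    $startup = (Get-CimInstance Win32_Service -Filter "Name='WebClient'").StartMode
    if ($svc.Status -eq 'Stopped' -and $startup -eq 'Disabled') {
        Write-Output "[OK]   WebClient stopped and disabled"
    } else {
        Write-Output "[WARN] WebClient status=$($svc.Status) startup=$startup"
        if ($Remediate) {
            # The "Disable WebClient Service" workaround from the advisory
            Set-Service -Name WebClient -StartupType Disabled
            Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
            Write-Output "[FIX]  WebClient disabled and stopped"
        }
    }
}

# 3. Mail clients should not run on the server/host machines (process names are assumed examples)
$mailProcs = Get-Process -Name outlook, thunderbird -ErrorAction SilentlyContinue
if ($mailProcs) {
    Write-Output "[WARN] Mail client running on this host: $($mailProcs.Name -join ', ')"
} else {
    Write-Output "[OK]   No known mail client process running"
}
```

Run it first without -Remediate to get a read-only report, then with -Remediate from an elevated prompt on hosts where the WebClient workaround is wanted.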