New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure

Date: July 23, 2024

CVE: N/A

Vulnerability Type: Exploitation of Modbus TCP communication

CWE: [[CWE-668]], [[CWE-20]], [[CWE-74]]

Sources: The Hacker News, Yahoo News, Dragos

Synopsis

FrostyGoop is a newly identified malware designed to target Industrial Control Systems (ICS) by exploiting Modbus TCP communication protocols. This malware caused significant disruption to critical infrastructure in Lviv, Ukraine, earlier this year.

Issue Summary

In January 2024, FrostyGoop malware targeted an energy company in Lviv, resulting in a 48-hour loss of heating services to over 600 apartment buildings. This malware interacts directly with ICS devices using Modbus TCP over port 502, making it a serious threat to critical infrastructure.

Technical Key Findings

FrostyGoop, written in Golang, can read and write to ICS device registers and uses JSON-formatted configuration files to target specific IP addresses and Modbus commands. Initial access was likely gained through a vulnerability in Mikrotik routers.

Vulnerable Products

ENCO controllers with TCP port 502 exposed and ICS devices using Modbus TCP are particularly vulnerable to this malware.

Impact Assessment

The malware's ability to manipulate ICS devices can lead to significant operational disruptions, inaccurate system measurements, and potential safety hazards, affecting public safety and industrial operations.

Patches or Workarounds

Currently, there are no specific patches available for FrostyGoop.

#FrostyGoop #ICS #ModbusTCP #CriticalInfrastructure #CyberAttack #EnergySector #Ukraine #Dragos #IndustrialControlSystems #Golang #MikrotikVulnerability