Security Experts:

Schneider Electric Warns Customers of Drovorub Linux Malware

One of the security bulletins released this week by Schneider Electric warns customers about Drovorub, a piece of Linux malware that was recently detailed by the NSA and the FBI.

The U.S. agencies issued a joint advisory in mid-August to warn organizations that the cyber-espionage group known as APT28, which has been linked to Russia’s General Staff Main Intelligence Directorate (GRU), has been using a piece of Linux malware named Drovorub.

Drovorub includes an implant, a kernel module rootkit, file transfer and port forwarding tools, and a C&C server. Once it has been deployed on a device, the malware allows its operators to download and upload files, execute commands with root privileges, and conduct port forwarding. It also has mechanisms for persistence and evading detection.

Drovorub impacts systems with Linux kernel versions 3.7 or lower (due to the lack of adequate kernel signing enforcement), and it cannot achieve persistence on systems where the UEFI secure boot is enabled in Full or Thorough mode.

Schneider Electric has advised customers to implement defense-in-depth recommendations in order to protect their Trio Q Data Radio and Trio J Data Radio devices against the malware.Schneider Trio Data Radio products vulnerable to Drovorub malware

These products are ethernet and serial data radios designed to provide long-range wireless data communications for SCADA and remote telemetry applications.

According to Schneider, installing the malware on these devices “could result in an attacker gaining direct communications capability with actor-controlled command and control infrastructure, file download and upload capabilities, execution of arbitrary commands, port forwarding of network traffic to other hosts on the network, and implement hiding techniques to evade detection.”

The French industrial giant told SecurityWeek that while Drovorub can pose a threat to its devices, it’s not actually aware of any incident involving the malware.

“When we learned how Drovorub worked, we looked to all of our Linux devices to see if they had the same vulnerabilities. Out of an abundance of caution, we elected to let our users know of the potential issue and offered a mitigation while a fix to the OS was prepared,” Andrew Kling, product security officer at Schneider Electric, said via email.

“By default, the Trio radios are not vulnerable because malware in this form cannot be loaded onto them without modification. A user would have to use unsecured protocols and fail to implement role-based access control to get the radios to be potentially vulnerable,” Kling added.

Learn more about threats to industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Schneider Electric has advised customers to apply recommended mitigations to reduce the risk of attacks and says it’s working on rolling out a fix that should further reduce the risk, but the company told SecurityWeek that it is not aware of any actual vulnerability that could be exploited by the malware so it does not expect to assign a CVE identifier.

Related: Encryption Vulnerabilities Allow Hackers to Take Control of Schneider Electric PLCs

Related: Another Stuxnet-Style Vulnerability Found in Schneider Electric Software

Related: Schneider Electric Patches Vulnerabilities in Modicon, EcoStruxure Products

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.