Skip to main content
The Dragos Blog

03.01.22 | 1 min read

New Knowledge Pack Released (KP-2022-002-J)

Dragos, Inc.

Each Knowledge Pack contains the latest insight from the Dragos team, automating the detection of devices and potential malicious activity across industrial networks. They provide regular updates related to protocols, threat analytics, ICS/OT device data, and investigation playbooks to equip customers with comprehensive visibility into their environments.

This Knowledge Pack (KP-2022-002-J) contains a collection of detections to identify exploitation attempts against the remote code execution vulnerability in Apache Log4j (CVE-2021-44228). More information provided by Dragos analysts on Log4j is available in this blog post and the webinar replay. Dragos Platform customers were invited to an exclusive walkthrough of what a Log4j exploit looks like and the new detections and exploitation attempts dashboard updates that are available.

Here’s a quick summary of key updates in this Knowledge Pack:

Characterizations:

  • SEL – serial devices behind a Schweitzer Engineering Laboratories Port Server and dissection/summary of the SEL Fast Messaging protocol.
  • iFix2010/iFix Historian– dissects and summarizes traffic to improve asset visibility
  • GE iFix2010/GE iFix Historian – checks for protocol versions in network traffic and sets username/software version on associated assets
  • VNetIP Extended Info Message – Characterizes VNet informational report based on captured Record Type

Detections:

  • Log4Shell – Collection of signatures for Log4Shell exploit attempts against Log4j 2, a Java logging library. Used against vulnerable services, successful exploit attempts allow for Remote Code Execution.
  • CRASHOVERRIDE – a composite detection of four steps that are required for the CRASHOVERRIDE IEC61850 attack
  • Exaramel – C2 followed by new DNP3 or IEC104 master then commands
  • File Transfers – including to an Engineering Workstation (EWS) within a timeframe of 30 minutes after a new baseline communication pairing occurs, downloads from external networks, externally sourced files transferred to a PLC, or remote file downloads after an RDP session is established
  • Metasploit Meterpreter HTTPS C2 Client Hello – identifies the attempt by the compromised machine to reach back to the attacker to set up a TLS encrypted C2 session
  • Ransomware – Transfer of a file that includes features associated with RansomEXX or Doppelpaymer Dridex payloads, plus examples like Promethus or Spook that were created with Thanos builder

Dragos Platform Knowledge Packs are available for download from the Dragos Customer Portal.  Registered users get access to Platform documentation, integration guides, tech notes, best practices, Dragos Academy online learning center, and support case creation.  Users with additional Dragos subscriptions, including Neighborhood Keeper and WorldView Threat Intelligence, access those services using their Customer Portal credentials.  Customers can login or register for a Customer Portal account at portal.dragos.com.

For more background on Dragos Knowledge Packs and how we continuously incorporate our expertise into the Dragos Platform, we invite you to read this overview or contact sales@dragos.com.

CTA Image
< class="mini-cta__header heading--3"> Implications of Log4j Vulnerability for Operational Technology Networks
Watch the on-demand webinar with Dragos experts discussing the Log4j vulnerability and learn about: Potentially impacted software and equipment within OT networks | OT-relevant mitigation strategies | Dragos Intelligence recommendations

Ready to put your insights into action?

Take the next steps and contact our team today.