I published the following diary on isc.sans.edu: “Private IP Addresses in Malware Samples?”:
I’m looking for some samples on VT that contain URLs with private or non-routable IP addresses (RFC1918). I found one recently and it made me curious. Why would malware try to connect to a non-routable IP address?
Here is an example of a macro found in a suspicious Word document (SHA256: c5226e407403b37d36e306f644c3b8fde50c085e273c897ff3f36a23ca0f1c6a)…
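As an added example, not part of the diary or its sample, here is a small triage helper that does what the hunt described above does by hand: it pulls literal-IP URLs out of macro text and labels each address by the non-routable range it falls in (RFC1918, loopback, link-local, CGNAT, IPv6 ULA) or as routable. The macro text is constructed for this example and the range table is an assumption about what is worth flagging; `203.0.113.7` is a documentation address standing in for a public one.

```python
import ipaddress
import re
from collections import Counter

# Constructed VBA-like macro text (not the diary's sample): a handful of download URLs
SAMPLE_MACRO = """
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "GET", "http://192.168.1.50:8080/update.exe", False
http.Open "GET", "http://10.0.0.5/stage2.bin", False
http.Open "GET", "http://203.0.113.7/payload", False
http.Open "GET", "http://169.254.169.254/latest/meta-data/", False
http.Open "GET", "http://[fd00::1]/x", False
http.Open "GET", "http://172.32.0.1/not-private", False
"""

# Ranges to flag during triage (assumed set; extend as needed). Order matters only
# for overlapping ranges, and these do not overlap.
NON_ROUTABLE = {
    "rfc1918": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16"), ipaddress.ip_network("fe80::/10")],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
    "ula": [ipaddress.ip_network("fc00::/7")],
}

# Loose match for http(s) URLs whose host is a literal IPv4 or bracketed IPv6 address;
# the ipaddress module does the real validation afterwards.
URL_IP_RE = re.compile(
    r"https?://(?:\[(?P<v6>[0-9a-f:.]+)\]|(?P<v4>(?:\d{1,3}\.){3}\d{1,3}))(?::\d{1,5})?",
    re.IGNORECASE,
)


def classify(addr: str) -> str:
    """Label an IP address by the first non-routable range containing it, else 'routable'."""
    ip = ipaddress.ip_address(addr)  # raises ValueError for junk like 999.1.1.1
    for label, nets in NON_ROUTABLE.items():
        # `ip in net` is False (not an error) when the IP versions differ
        if any(ip in net for net in nets):
            return label
    return "routable"


def extract_ip_urls(text: str):
    """Return (url, address, label) for every literal-IP URL found in text."""
    findings = []
    for m in URL_IP_RE.finditer(text):
        addr = m.group("v6") or m.group("v4")
        try:
            label = classify(addr)
        except ValueError:
            continue  # regex over-matched something that is not an address
        findings.append((m.group(0), addr, label))
    return findings


def summarize(text: str) -> Counter:
    """Count findings per label; a non-zero 'rfc1918' count is the case the diary asks about."""
    return Counter(label for _, _, label in extract_ip_urls(text))


if __name__ == "__main__":
    for url, addr, label in extract_ip_urls(SAMPLE_MACRO):
        print(f"{label:11} {addr:18} {url}")
    print(dict(summarize(SAMPLE_MACRO)))
```

Run over the constructed macro this flags two RFC1918 targets, one link-local address (the cloud metadata endpoint is in that range) and one IPv6 ULA, while `172.32.0.1` correctly stays routable because 172.16/12 ends at 172.31. The same `classify` can be pointed at URLs pulled from a sandbox report or from VT's extracted-IOC list to answer the diary's question at scale.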
Because when infecting/targeting OT networks (industrial/distributed control systems, PLCs, etc.), all traffic passes through a data diode, meaning that comms are (in most cases) unidirectional/filtered, and only allowed to specific internal endpoints that are on the IT network (e.g. decision support systems).
So when an attacker compromises an IT device, and establishes a foothold/persistence, they look to pivot into such a system within the IT landscape that is allowed connection from the OT network (receives data) via the data diode. Then they look to jump over the “air gap” (which normally doesn’t exist – OT are increasingly growing to be connected somehow to other networks via the said data diode) using various infection mechanisms, more often infecting USB drives used by ops/service personnel or maintenance crews.
This is just one of the use cases, there are quite a few other scenarios with similar objective – an IT device that has connection to the Internet is compromised, then used as a C2 proxy of sorts to a system that is otherwise isolated/disconnected.