
Interview with SCADAfence's New Field CTO Paul Smith

OT and ICS industry veteran Paul Smith, author of “Pentesting Industrial Control Systems”, has recently joined the SCADAfence team in the role of Field CTO. We interviewed Paul to get his thoughts on the current state of OT security, the challenges that need to be addressed and his predictions for the future.

He was interviewed by content marketing manager, Joan Weiner Levin.

Joan Weiner Levin: Hi Paul. Welcome to SCADAfence! We’re so excited to have you on board. Can you start by sharing a little bit about your background and why you are particularly interested in OT security?

Paul Smith: I grew up in Calgary, Alberta, Canada. They call us ‘little Texas’ because the economy is so heavily influenced by oil and gas. After a number of years working in the oil and gas sector, it felt almost natural for my father and me to start our own consulting company, leveraging his years of experience and my computer science background. We performed forensic audits inside of the measurement space in oil and gas, which is a very niche vertical where we had to solve many interesting technical problems. I had spent my entire career until then looking through data and how systems are interrelated inside oil and gas, trying to find answers and solutions to “red herring” problems.

During a project that my father and I were working on, I met Austin Scott, who presently works at Dragos. Austin at that time was working on a compressor upgrade project, and he invited me out to a “CalSec” Calgary Security meetup. I was hooked, and I started investing time in understanding how people formulated careers in this space. I then was invited to attend a “Red vs Blue” event that the Department of Homeland Security was hosting out of Idaho National Labs. While attending this event I met some of the industry’s finest people, and I still stay in touch with a number of individuals. It was from this event that I was eventually offered a job to join Lockheed Martin.

Shortly after this event I decided to attend a SANS conference in Orlando; it was really the only ICS-related security course being offered. Justin Searle was the instructor, and this is where I met Michael Assante and Rob Lee. Michael dropped in to give us a pep talk and welcome us to the industry, as it was either the first or second class that had ever been presented. Rob Lee had just started Dragos at this time. When working at Lockheed Martin I had numerous discussions about buying two specific new startups in the industry, one being Dragos and the other Indegy. Both companies were at a very early stage; Dragos hadn’t even commercially released CyberLens yet. Friends of mine were visiting Israel and got very excited by technology they saw created by a Team 8 foundry company. The product was called ICS Ranger, and that company would go on to come out of stealth mode and brand themselves as Claroty. Shortly after this I met with one of the Nozomi founders and became enamored by the possibilities of the product, and in the end started working for them for a period of time as well.

JL: What are some of your immediate goals in your new role as field CTO for SCADAfence? Like what do you hope to accomplish first?

Paul Smith: The first thing is making sure the SCADAfence Platform is the best performing product in the market.

We are now industry leaders, and I want to make sure that we always stay ahead of our competition. 

JL: Why did you choose to join SCADAfence? You’re a celebrity in our field. You’re a well published author. You’re also very well known in the industry. Why did you decide to be a part of the leadership in SCADAfence?

Paul Smith: I don’t know if I would say celebrity, maybe been around the block once or twice. As for SCADAfence, it is a lean team, it’s got the right funding. I like working with a company when it’s small, hungry, scrappy, and people are wearing multiple hats. It’s on the cusp of blowing up to be big, and that’s something really alluring to me. I like it because now I can come in and put an idea on the table and we bat it around as a team and then we shape it, hone it, and finally we implement and run with it. We are in a constant state of innovation while exceeding customers’ expectations.

JL: How do you want to work with SCADAfence’s customers? What is your ideal customer relationship? 

Paul Smith: I want to be a trusted advisor. I want our customers to know that they are first and foremost, that we are addressing their concerns and features prior to chasing PR. I want SCADAfence to be the first thought in their heads. When they have a problem in their field or network, they can call us up. Cue the shameless plug, but in all honesty I want the customers to know that they can call either our managed services team or professional services team and will get the answers they seek. Whether it is writing OT protocol rules, testing packet rules, writing YARA rules, adding/removing firewall rules, performing firewall swap-outs or whatever it happens to be, I want people to start thinking of us as unbiased experts in this field, the trusted advisors of OT cyber security.

JL: What are currently the biggest challenges in the world of OT cyber security?

Paul Smith: Number one is staff. It’s always been staff. Companies can’t find enough of the best, well-qualified people that they need to hire. 

Next, I’d say it’s human error. A lot of the OT security issues we see out there are operator error. Someone who is not properly educated on how to execute changes in an environment can accidentally take down an entire facility. We see this all the time.

For the real cyber threats, if we look beyond human error and its operational impact, I would say it’s nation state threats. The threats and attacks that are happening inside of Ukraine as a result of the Russian attacks right now are pretty insane and indicative of what can happen.

JL: Let’s talk for a minute about the current situation in Ukraine. There have been a number of reported attempted cyber attacks against electrical stations and attempts to damage Ukraine’s fragile critical infrastructure. For those of us observing this from the west, from an OT perspective, what about this situation should alarm or concern us? 

Paul Smith: I’ve had this conversation multiple times with people and they think Russia has all this old military hardware, these bombs and tanks and infantry and it’s falling apart.

But what you don’t see is the cyber warfare going on in the back-end. The next world war isn’t going to be fought with guns and traditional weaponry, it’s going to be fought in cyberspace. You can cause a country to essentially implode just by knocking out their critical infrastructure. 

People have asked me, why isn’t Russia just sending more people in on the ground? And I tell them, it’s because you don’t see what’s happening on the back-end. That’s a major part of the war. If you take down a city like New York, and they can’t get power back up in under two weeks, you don’t even have to shoot a single bullet. People will turn on each other, they’ll figure out ways to survive at all costs. Remember, no power means no pumps, no pumps means no fresh water, and even worse… no Twitter! I’ll say this: you take down critical infrastructure, you can take down a country.

JL: Is this nightmare scenario preventable?

Paul Smith: To a certain degree, yes. But the problem with technology, the beauty and the problem, is that it’s always evolving. And we’re always innovating. But the cost of innovation is security. To be new and leading is great, but it doesn’t always mean it’s new, leading, and secure. Security is usually an afterthought. 

A lot of engineering companies are trying to change that and put security in the design, but you can’t always do that. You don’t know what you’re securing, because if you’re trying to engineer to be secure, then it is near impossible to innovate at the same time.

JL: You mean security is an afterthought of design?

Paul Smith: Yes. But from a technology perspective, I don’t see this as a problem. Because if you try to put security into your engineering design, it will actually stifle innovation. For example, if an organization tried to create certain things to be completely secure, they would never be able to build them. Because they could have never innovated past the security boundaries that would have to be put into place. If you always put boundaries there, and say you can’t go past these boundaries then you’ll never innovate past the boundaries.

We haven’t invented the next thing that you have to secure yet. If you don’t innovate past that, then there’s no chance of ever seeing what the next wave of security is going to have to be, and that’s why I say it’s a mixed bag. Can we secure things? Absolutely. But as we innovate we have this lag until we find the security gaps. So we invent a new thing, and then, there’s the gaps. Now we have to invent something to secure that, because we’ve never had to secure this before.

A good example is self-driving cars with AI. There is this vision of what those self-driving cars need to be. But if someone puts some obstacle there, like a little orange dot, extended symbols on signage or something no one ever considered, it throws the whole self-driving car off course or can change a stop sign into a 45 m/hr speed sign; these are called adversarial ML attacks. No one could have predicted this because the fundamental technology for ML vision models had never been invented before.

JL: Let’s talk about legacy equipment, the older technology that is still running in manufacturing plants and critical infrastructure facilities. Is there technology still in place that is just too old to be secure, or is the older technology more secure because we’ve had more time to make it secure?

Paul Smith: I talk a lot about this topic, because I say the people who could actually fix the older technology are no longer with us, and that is a major risk. It’s so archaic that it’s secure by nature. But just don’t look at it, don’t touch it, because if it falls down, we’ll never be able to fix it again. The old legacy stuff is hyper vulnerable, but more from an obsolescence perspective. Now if we talk moderate-to-old equipment, this is where you will find the highest, most vulnerable assets. This technology was first/second generation adoption of Ethernet cards, moving away from serial communications. It has become a major issue in industry where companies feel that if it is producing, don’t mess with it. The cost-benefit analysis isn’t there for them to justify implementing new technologies yet. This is why we haven’t seen solutions such as GE Predix and Siemens MindSphere eclipse the market; new technologies just come with price tags that executive teams feel aren’t warranted.

JL: Why aren’t more people choosing an OT cyber security career?

Paul Smith: The reason people don’t go into OT is because really OT security is two, maybe two-and-a-half different roles. Often, companies put up a job posting with a certain salary rate. My reaction is, “well, that’s an interesting salary. The rate is lower than either an automation specialist or an IT specialist.” So they’re trying to pay someone who has to know both job roles less than either singular job.

If you combine the salary for both, then you could have more interesting opportunities for people to grow into. Someone would say to themselves, I’ve had to learn all the OT background, and now I have to learn all the IT cyber elements, like all the networking gear, all the endpoint technology, all the frameworks and security standards, and you only want to pay me the same or even less than this other person? I’m just gonna do that other job, because I’ll get paid the exact same.

The market still hasn’t adjusted salary rates for what it really means to do the job of OT cyber security.

JL: Let’s talk about the relationship between IT and OT. How should those two sides be working together, and what are they currently missing in that relationship?

Paul Smith: We’ve been talking about IT-OT convergence for a long time. And I think the gaps are slowly fading. I always said that it’s easier to take an automation person, and maybe it’s biased because I come from that side, and teach them the security side. As opposed to taking an IT security individual and teaching the automation side, because the automation side is more finicky, it’s not straightforward programming and implementation. Every decision being made inside the controllers can cause millions of dollars of impact.

There have to be more open conversations. For more mature companies, I would say, take one of your automation guys and put him right in your SOC and have him talk directly with all the IT staff there. A lot of these products feeding data up into a SOC use language that the IT analysts don’t fully understand. Whereas if you put an automation guy there, he will be able to translate it. One of the value points for all this technology is we need to change the language to make sure we can communicate both to an automation specialist and an IT security specialist. Because if we put both languages in a security alert, it’s easier for them to communicate and talk to each other.

JL: What is the role of governments in securing the OT? What is the ideal collaboration between the government and the private sector in securing public critical infrastructure?

Paul Smith: When it comes to private companies securing public critical infrastructure, there should be a lot of vetting and a lot of oversight, especially as it relates to major city centers. So if we’re discussing water treatment plants, or electrical facilities, if you’re a third party vendor, you need to be subject to governance. Governments should have a big stick to use for enforcement because one bad incident can impact millions of lives. 

There needs to be a heavier influence of government mandates and sanctions on third parties. And I know for a company like SCADAfence as an Israel-based company, selling into critical infrastructure in North America, that would put a little bit of a hamper on some sales, but it would also force us to comply with standards. Then everyone would feel safe, and there would be full transparency. And then once you have that stamp of approval facilities would be more comfortable working with approved third party vendors. 

JL: What about governments encouraging private companies to do more for their OT security? Should the government be telling private manufacturers that they should do more to protect their OT?

Paul Smith: Yes. I do feel that the government needs to have more say in the manufacturing of products that impact people on a whole. Pharmaceuticals are a great example. If you have a disruption in drug supply, how many people is that impacting? If a company manufactures insulin pens for diabetics and their production goes down because of an OT security incident, and people miss their shots, you’re killing people because of that cyber incident. So anything that can critically impact people’s lives needs to have a little bit more government oversight. I don’t like a lot of government controls. But I do feel in the case where people’s lives can be impacted, government enforcement for companies to maintain a dedicated level of security practice is necessary.

JL: What is the future of OT security? What do the next three to five years look like?

Paul Smith: Oh, yes, that crystal ball stuff. Where we are now is still pretty immature in terms of OT security. From an industrial OT security perspective there were companies that were ahead of their time, and they owned the market share and then they just stopped innovating, and they fell apart. But I think we’re coming full circle.

If you look at the way our technologies evolved, passive detection became super hot, super silver bullet, we’re all in that market. Venture capital money was just being dumped into it. And now executives are concerned that they don’t get full visibility that way. So we needed to add an active component, but everyone was staying away from active at that time. Now people are more open to active. Ten years ago, that’s how companies were doing this, and they had a massive install base. And they lost market share to passive companies. Now passive companies are supplying an active component/device as part of their product offering, which is where these other guys were 10 years ago. So it comes full circle.

I think you’re gonna see a lot of IT implementations like XDR and SOAR. Customers are going to start utilizing and coordinating their various security tools. There is a shortage of experienced individuals, and the only way to offset that is more intelligence and more automation. Also, companies are going to be a lot more open to agents installed out there in their OT environment, telling them what they see so they can be more secure. Agents in OT don’t sound very sexy to me, because it’s been done forever ago, but it’s how the industry is maturing and evolving. So that is what I see in the next 3ish years. I predict that in the next 5 years there will be an adoption of AI at the edge providing interesting ML model solutions. I don’t want to give away too much of our secret sauce!

JL: Finally, because we always need to know: do you have any pets?

Paul Smith: I do. I have a very sweet German Shepherd. Her name is Bailey, like the Irish cream, we named her because she is the same color as Baileys.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence

SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

Examining CISA's 15 Routinely Exploited Vulnerabilities

On April 27, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory in collaboration with CSA/NSA/FBI/ACSC and other cybersecurity authorities, providing details on the top 15 vulnerabilities routinely exploited by threat actors in 2021, and other CVEs frequently exploited.

Nine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, potentially allowing threat actors to remotely take over systems. 

Unpatched devices and systems can serve as an easy network entry point for threat actors, as they provide attackers with a reliable and efficient Initial Access method. A number of these vulnerabilities were seen as a part of ransomware attack vectors, one of today’s top threats to operational technology.

Many of these vulnerabilities share characteristics that make them widely exploitable: they affect widely deployed software, so a single vulnerability can be present in many systems at once.

In the past year, threat actors targeted internet-facing systems, such as email servers and VPN servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, proof-of-concept code was released within two weeks of the vulnerability’s disclosure.

Malicious threat actors continued exploiting publicly known vulnerabilities, demonstrating the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.

The Top 15 Routinely Exploited Vulnerabilities

The top vulnerabilities detail how threat actors exploited newly disclosed vulnerabilities in popular services, aiming to create a massive and extended impact on organizations.

Following are the most exploited vulnerabilities:

  • CVE-2021-44228 – this vulnerability, known as Log4Shell, affects the Apache Log4j library, an open-source logging framework. Exploiting this vulnerability allows threat actors to control Java-based web servers and launch remote code execution attacks.
  • CVE-2020-1472 – this vulnerability, known as ZeroLogon, affects Microsoft’s Active Directory Netlogon Remote Protocol. Exploiting this vulnerability allows an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller.
  • CVE-2019-11510 – this vulnerability affects Pulse Connect Secure. Successful exploitation of this vulnerability allows an unauthenticated remote attacker to perform an arbitrary file reading.
  • CVE-2018-13379 – this vulnerability affects Fortinet’s FortiGate SSL VPN. Exploitation of this vulnerability could allow an unauthenticated attacker to read arbitrary files.
  • CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 – these vulnerabilities, known as ProxyLogon, affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities allows unauthenticated attackers to execute arbitrary code on vulnerable Exchange Servers and compromise trust and identity in a vulnerable network.
  • CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 – these vulnerabilities, known as ProxyShell, also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination enables a remote actor to execute arbitrary code. 

As our customers are well aware, the SCADAfence Platform protects against these vulnerabilities, detects any unexpected connections to and from external devices, and detects unexpected connections to and from the Internet. These connections would trigger alerts indicating that a malicious threat actor might be attempting to exploit a vulnerability.

The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.

The SCADAfence Platform can help identify where the network is exposed to potential risks and match between exposed assets and their relative vulnerabilities.

Additionally, the User Activity Analyzer can be utilized to track any propagation attempts by malicious actors.

Detecting Exploitation Attempts

The SCADAfence Platform detects exploitation attempts of the following vulnerabilities:

  • CVE-2021-44228 (Log4Shell) – this vulnerability was widely exploited, thousands of products use Log4j and were vulnerable to the Log4Shell exploitation.
  • CVE-2020-1472 (ZeroLogon) – this vulnerability has been observed in the attack chain of ransomware actors such as Ryuk.
  • CVE-2019-11510 (Pulse) – while patches for this vulnerability were released April 2019, multiple incidents have occurred where compromised AD credentials were used months after victim organizations patched their VPN appliance.
  • CVE-2018-13379 (Fortinet) – this vulnerability has been exploited routinely for over four years, and has often been used to deploy ransomware.

The SCADAfence research team is constantly monitoring newly disclosed vulnerabilities, as well as routinely exploited ones, and working to continuously improve the platform’s vulnerability detection abilities.

SCADAfence Researchers’ Recommendations for Reducing Risk

Our researchers recommend taking the following measures to minimize the risk of exploitation:

  • Limit Network Exposure – minimize network exposure for all of your control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Monitor Network Traffic – monitor access to the production segments. In your network monitoring tool (and we know a really good one), create logical groups of the affected devices and define traffic rules to alert on suspicious access to them.
  • Monitor User Activity – if you’re a customer, you can use the SCADAfence Platform to monitor access to the affected devices and track all of your user activities using the User Activity View.
  • Connect to the SCADAfence Cloud – again, if you’re a customer, connect your SCADAfence Platform to the SCADAfence Cloud to get the latest signature and CVE updates.

Additional recommendations include updating your software, operating systems, applications, and firmware on IT network assets in a timely manner, while prioritizing the patching of known exploited vulnerabilities.
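As an added illustration of the asset-to-vulnerability matching and the "logical group plus traffic rule" recommendation above (example code written for this page, not the SCADAfence Platform's own logic), the script below groups the assets that still carry one of the advisory's CVEs and alerts on flows between that group and the Internet, attaching the open CVEs to each alert so patching can be prioritised from it. The inventory, flow records and internal ranges are constructed sample data, and the `patched_cves` field is a hypothetical inventory attribute.

```python
# Added example, not SCADAfence code. Assumes a simple inventory with a
# hypothetical patched_cves field and flow records in the constructed format below.
import ipaddress
import re
from dataclasses import dataclass, field

# Advisory CVEs listed on the page, mapped to the product family they affect.
EXPLOITED_CVES = {
    "CVE-2021-44228": "Apache Log4j",               # Log4Shell
    "CVE-2020-1472": "Microsoft Netlogon",          # ZeroLogon
    "CVE-2019-11510": "Pulse Connect Secure",
    "CVE-2018-13379": "Fortinet FortiGate SSL VPN",
    "CVE-2021-26855": "Microsoft Exchange",         # ProxyLogon
    "CVE-2021-26858": "Microsoft Exchange",
    "CVE-2021-26857": "Microsoft Exchange",
    "CVE-2021-27065": "Microsoft Exchange",
    "CVE-2021-34523": "Microsoft Exchange",         # ProxyShell
    "CVE-2021-34473": "Microsoft Exchange",
    "CVE-2021-31207": "Microsoft Exchange",
}


@dataclass
class Asset:
    name: str
    ip: str
    product: str
    patched_cves: set = field(default_factory=set)  # hypothetical inventory field


def open_cves(asset):
    """Advisory CVEs that apply to the asset's product and are not recorded as patched."""
    return sorted(cve for cve, product in EXPLOITED_CVES.items()
                  if product == asset.product and cve not in asset.patched_cves)


def affected_group(assets):
    """Logical group (ip -> asset) of assets still exposed to at least one advisory CVE."""
    return {a.ip: a for a in assets if open_cves(a)}


# Constructed flow-record format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>"
FLOW_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<port>\d+)$")


def alerts_for_flows(flow_lines, group, internal_nets):
    """Alert on flows that reach a grouped asset from outside the internal ranges,
    or that leave a grouped asset toward the Internet. Each alert carries the
    asset's open CVEs so analysts can prioritise patching from the alert itself."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def is_internal(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    alerts = []
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # ignore malformed records rather than crash the rule
        ts, src, dst, port = m["ts"], m["src"], m["dst"], int(m["port"])
        if dst in group and not is_internal(src):
            a = group[dst]
            alerts.append((ts, "inbound-from-internet", a.name, src, port, open_cves(a)))
        elif src in group and not is_internal(dst):
            a = group[src]
            alerts.append((ts, "outbound-to-internet", a.name, dst, port, open_cves(a)))
    return alerts


# Constructed sample inventory and flows (RFC 5737 documentation addresses as "Internet" peers).
SAMPLE_ASSETS = [
    Asset("vpn-gw-1", "10.0.0.12", "Pulse Connect Secure"),
    Asset("mail-1", "10.0.0.20", "Microsoft Exchange",
          patched_cves={"CVE-2021-26855", "CVE-2021-26858",
                        "CVE-2021-26857", "CVE-2021-27065"}),  # ProxyLogon fixed, ProxyShell not
    Asset("dc-1", "10.0.0.5", "Microsoft Netlogon", patched_cves={"CVE-2020-1472"}),
    Asset("hmi-1", "10.0.1.30", "Vendor HMI"),  # product not in the advisory list
]
SAMPLE_FLOWS = [
    "2022-05-10T08:00:01Z 203.0.113.7 -> 10.0.0.12:443",   # Internet -> unpatched VPN appliance
    "2022-05-10T08:00:05Z 10.0.1.30 -> 10.0.0.12:443",     # internal -> VPN: allowed
    "2022-05-10T08:00:09Z 10.0.0.20 -> 198.51.100.9:443",  # Exchange -> Internet: alert
    "not a flow record",
]
INTERNAL_NETS = ["10.0.0.0/8"]


def run_demo():
    """Return the alerts produced for the constructed sample (two alerts expected)."""
    return alerts_for_flows(SAMPLE_FLOWS, affected_group(SAMPLE_ASSETS), INTERNAL_NETS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

This rule only covers assets in the affected group; a general "no Internet exposure for control-system devices" rule, as in the first recommendation above, still applies to everything else.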


Weekly ICS/OT Security News Digest | SCADAfence – May 10

Our research team has put together all of the most relevant news topics in the Ransomware and IoT security fields, as well as their impacts and their expert recommendations:

IT

Title: Bumblebee Malware Loader

Description: A new malware loader, Bumblebee, is being used as a replacement for BazarLoader and IcedID to deliver ransomware payloads. Phishing campaigns were observed in which threat actors used Bumblebee to drop shellcode and the Cobalt Strike, Sliver, and Meterpreter frameworks.

Attack Parameters: The campaigns are delivered via phishing emails containing a link to a malicious file. For persistence, the malware uses scheduled tasks and WMI execution.
Many similarities were found between the loader and TrickBot, including the web-inject module and the evasion technique.

Impact: As BazarLoader was used in attacks in the past, Bumblebee is likely to become a popular tool for ransomware groups.

Recommendations: Following are best practices recommendations to minimize the chances of being infected by ransomware:

  • Apply the latest security patches on the assets in the network.
  • Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  • Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
The SCADAfence Platform also detects scheduled tasks and WMI process creation, as well as the use of Cobalt Strike and Meterpreter.

Ransomware

Title: Lapsus$ Extortion Group – T-Mobile Breach

Description: The Lapsus$ group breached T-Mobile’s network using stolen VPN credentials and gained access to internal systems. The stolen credentials, found on illicit platforms, allowed the attackers to access the company’s internal tools, which allowed them to conduct SIM-swapping attacks.
The credentials used in the hack were disabled after discovering the breach.

Attack Parameters: Lapsus$ compromises systems to steal source code, customer lists, databases, and other valuable data, then attempts to extort the victim with ransom demands that threaten to publicly leak the data. They primarily focus on obtaining compromised credentials for initial access using the following methods:

  • Deploying Redline password stealer to obtain passwords and session tokens.
  • Buying credentials and session tokens on criminal underground forums.
  • Paying employees at targeted organizations for access to credentials and MFA approval.
  • Searching public code repositories for exposed credentials.
  • The group also uses RDP and VDI to remotely access a business’ environment.

Impact: No sensitive customer data was stolen.

Recommendations: Following are best practices recommendations:

  • Make sure secure offline backups of critical systems are available and up-to-date.
  • Apply the latest security patches on the assets in the network.
  • Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  • Encrypt sensitive data when possible.
  • Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
RDP connections can be tracked with the User Activity Analyzer.


image17-png SCADAfence Platform – User Activity Analyzer

Title: Black Basta Ransomware

Description: A new ransomware operation, Black Basta, uses a double-extortion scheme, where the threat actors demand a ransom to receive a decryptor and prevent the publishing of the victim’s stolen data.

Targets: Among the operation’s victims are the American Dental Association (ADA) and the German wind turbine giant Deutsche Windtechnik.

Attack Parameters: The malware requires administrator privileges to work, and hijacks the Windows Fax service for persistence on the infected systems. Similarities were found between Black Basta and Conti.

Impact: The ADA took affected systems offline, which disrupted various online services, telephones, email, and webchat.
Deutsche Windtechnik switched off the remote data monitoring connections to the wind turbines, but claimed the wind turbines did not suffer any damage.

Recommendations: Following are best practices recommendations:

  • Make sure secure offline backups of critical systems are available and up-to-date.
  • Apply the latest security patches on the assets in the network.
  • Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  • Encrypt sensitive data when possible.
  • Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.

Title: Stormous – Coca-Cola Breach

Description: The Stormous gang claimed it has successfully breached some of Coca-Cola’s servers and stolen over 160GB of data. There is no indication that Stormous deployed file-encrypting malware on its victims’ networks, making it closer to a data extortion group than a ransomware group.


Attack Parameters: The group uses the double-extortion tactic, which combines encryption and data theft. The stolen files are leaked if the victim does not pay the ransom.

Impact: Among the files listed, there are compressed documents, text files with admin, emails, and passwords, account and payment ZIP archives, and other types of sensitive information.

Recommendations: The following are best-practice recommendations:

  • Make sure secure offline backups of critical systems are available and up-to-date.
  • Apply the latest security patches on the assets in the network.
  • Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  • Encrypt sensitive data when possible.
  • Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.

 

IoT

Title: DNS Vulnerability in uClibc IoT Library (CVE-2022-30295)
Description: A new vulnerability (CVE-2022-30295) affects the DNS implementation of all versions of uClibc and uClibc-ng. It could allow an attacker to mount DNS poisoning attacks against IoT devices and routers and potentially take control of them.


Affected vendors: Both uClibc and uClibc-ng are widely used by vendors such as Netgear, Axis, and Linksys, as well as Linux distributions.


Attack Parameters: The vulnerability is caused by the predictability of transaction IDs included in the DNS requests, which may allow attackers to perform DNS poisoning attacks.

Impact: Successful exploitation could allow an attacker to alter or intercept network traffic to compromise connected devices.
This vulnerability has a broad scope not only because of the devices it potentially affects, but also because of the inherent importance of DNS to any device connecting over IP.

Recommendations: An official patch or workarounds have not yet been released.


SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
DNS connections can be tracked with User Activity Analyzer.
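The weakness described above is predictability of the 16-bit transaction ID in outgoing DNS queries. A defender who captures UDP/53 traffic from a suspect device can test for it directly, as in the following added example in Python. This is not code from the newsletter, from SCADAfence or from the uClibc project; the queries are constructed with the `build_query()` helper only so the check runs offline, and the heuristic (a sequence of IDs that repeats or increments like a counter) is an assumption about what a broken resolver looks like, not a description of uClibc internals.

```python
import struct

# Added example (not from the newsletter, SCADAfence or the uClibc project):
# a heuristic check for predictable DNS transaction IDs, the weakness behind
# CVE-2022-30295. The sample queries are constructed; build_query() exists only
# to make them. A real check would read the first two bytes of captured
# UDP/53 queries instead.


def build_query(txid: int, name: str = "example.com") -> bytes:
    """Build a minimal DNS A-record query carrying the given 16-bit transaction ID."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_txid(message: bytes) -> int:
    """Return the transaction ID from a raw DNS message (first two header bytes)."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack(">H", message[:2])[0]


def txid_stats(messages, max_step: int = 1) -> dict:
    """Summarise how predictable the sequence of transaction IDs is.

    sequential_ratio is the share of consecutive queries whose ID repeats or
    increases by at most max_step (mod 2^16), the pattern a counter produces.
    """
    ids = [parse_txid(m) for m in messages]
    steps = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    sequential = sum(1 for s in steps if s <= max_step)
    return {
        "count": len(ids),
        "distinct": len(set(ids)),
        "sequential_ratio": sequential / len(steps) if steps else 0.0,
    }


def is_predictable(messages, threshold: float = 0.8) -> bool:
    """Flag a resolver whose IDs look like a counter or a constant.

    A resolver that randomises IDs should score close to 0.0 here.
    """
    stats = txid_stats(messages)
    if stats["count"] < 2:
        return False
    return stats["distinct"] == 1 or stats["sequential_ratio"] >= threshold


# Constructed samples: a counter-style resolver and a randomising resolver.
COUNTER_QUERIES = [build_query(0x1000 + i) for i in range(16)]
RANDOM_QUERIES = [build_query(t) for t in
                  (0x3A7F, 0x91C2, 0x0E54, 0xD6A1, 0x4B08, 0x7F3E, 0xA29D, 0x1C60)]

if __name__ == "__main__":
    for label, queries in (("counter", COUNTER_QUERIES), ("random", RANDOM_QUERIES)):
        verdict = "predictable" if is_predictable(queries) else "ok"
        print(label, txid_stats(queries), verdict)
```

Feed it a few dozen queries captured from one device; a score near 1.0 means the resolver is not randomising its IDs and the device should be isolated from untrusted DNS paths until a vendor fix is available.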

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

INCONTROLLER / Pipedream: A State-Sponsored Attack Tool Targeting Multiple ICS Systems

Dangerous New Malware Can Shut Down, Sabotage Industrial Sites

Pipedream, or Incontroller, is a custom-made, modular ICS attack framework that could be leveraged to cause disruption, degradation, and possibly even destruction depending on targets and the environment.

Pipedream can manipulate a wide variety of PLCs and industrial software, including Omron and Schneider Electric controllers, and can attack ubiquitous industrial technologies including CODESYS, Modbus, and OPC UA.

The framework’s capabilities include performing system enumeration, issuing WMI commands, executing host-based commands, and manipulating the registry. It exploits the known-vulnerable ASRock-signed motherboard driver to execute malicious code in the Windows kernel (CVE-2020-15368).

The framework includes three tools that enable the attacker to send instructions to ICS devices using industrial network protocols:

  • The first tool has multiple capabilities, such as the ability to scan for and enumerate OPC UA servers, suggesting a reconnaissance role.
  • The second tool communicates with ICS devices using the Modbus protocol, which potentially gives it the ability to interact with devices from different manufacturers. However, the tool contains a specific module to interact with, scan, and attack Schneider Electric’s Modicon M251 PLC using Codesys.
  • The third tool is designed to obtain shell access to Omron PLCs. It primarily operates using the HTTP protocol, however it also utilizes Omron’s proprietary FINS over UDP protocol for scanning and device identification.

CISA’s Alert to this also recommends using a tool such as SCADAfence

CISA’s Alert (AA22-103A) states “DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:

“Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic…”

SCADAfence has been on the forefront, defending organizations around the world from attacks on industrial control systems, both with our products, and as a managed service.

The Impact Of The INCONTROLLER / Pipedream Malware

The intent is to leverage the access to ICS systems to elevate privileges, move laterally within the networks, and sabotage mission-critical functions in liquified natural gas and electric power environments.
It has not yet been seen deployed in target networks.

How SCADAfence Detects INCONTROLLER / Pipedream

  • The SCADAfence Platform detects new connections, connections from external devices and from the Internet, and unauthorized connections to OT assets.
  • Furthermore, the Platform detects start, restart, and stop commands sent to PLCs in the network, as well as remote mode change commands which are needed steps to alter programs in PLCs.
  • The Platform additionally detects system enumeration scans and HTTP command execution.

Our Experts Recommend

  • Isolate ICS systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving the perimeter.
  • Limit ICS systems’ network connections to allowed management and engineering workstations.
  • Enforce multi-factor authentication for all remote access to ICS networks and devices whenever possible.
  • Change all passwords to ICS devices, especially all default passwords, to unique, strong passwords.
  • Apply the latest security patches on the OT assets in the network.
  • Maintain offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
  • Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates. 
  • Monitor systems for loading of unusual drivers, especially for ASRock drivers if no ASRock driver is normally used on the system.
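The detection points listed above (new or unauthorized connections to OT assets, and commands sent to PLCs that change their state) and the recommendation to limit PLC connections to allowed engineering workstations can be combined into one simple network check. The following is an added example in Python, not SCADAfence's code: it parses the MBAP header and function code of Modbus/TCP requests and raises alerts for writes from hosts outside an allow-list, for sources never seen before, and for function codes outside the normal read/write set. The IP addresses, allow-lists and frames are constructed for the example, and it covers only the Modbus layer, not the CODESYS or Omron FINS protocols the framework also speaks.

```python
import struct
from dataclasses import dataclass

# Added example (not SCADAfence code): classify Modbus/TCP requests and raise
# alerts for writes from hosts outside an allow-list of engineering workstations,
# for unknown source hosts, and for function codes outside the normal read/write
# set. Host addresses and frames below are constructed for the example.

MODBUS_READ_FCS = {1: "Read Coils", 2: "Read Discrete Inputs",
                   3: "Read Holding Registers", 4: "Read Input Registers"}
MODBUS_WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
                    15: "Write Multiple Coils", 16: "Write Multiple Registers",
                    22: "Mask Write Register", 23: "Read/Write Multiple Registers"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Parse the MBAP header and function code of a Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(payload) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(src, dst, tid, unit, fc)


def analyze(frames, known_hosts, allowed_writers):
    """Return one alert dict per suspicious request, listing the reasons it triggered."""
    alerts = []
    for src, dst, payload in frames:
        req = parse_modbus_tcp(src, dst, payload)
        reasons = []
        if req.src not in known_hosts:
            reasons.append("new_host")
        if req.function_code in MODBUS_WRITE_FCS and req.src not in allowed_writers:
            reasons.append("unauthorized_write")
        if req.function_code not in MODBUS_READ_FCS and req.function_code not in MODBUS_WRITE_FCS:
            reasons.append("unusual_function_code")  # e.g. FC 8 diagnostics, FC 43 device id
        if reasons:
            alerts.append({"src": req.src, "dst": req.dst, "unit": req.unit_id,
                           "fc": req.function_code, "reasons": reasons})
    return alerts


def frame(tid: int, unit: int, fc: int, *words: int) -> bytes:
    """Build a request with an MBAP header and 16-bit PDU fields (sample data only)."""
    pdu = bytes([fc]) + b"".join(struct.pack(">H", w) for w in words)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


PLC = "10.10.1.20"                           # constructed addresses
KNOWN_HOSTS = {"10.10.1.5", "10.10.1.6"}     # HMI and engineering workstation
ALLOWED_WRITERS = {"10.10.1.6"}              # only the engineering workstation may write

SAMPLE_FRAMES = [
    ("10.10.1.5", PLC, frame(1, 1, 3, 0, 10)),       # HMI polls 10 holding registers: fine
    ("10.10.1.6", PLC, frame(2, 1, 5, 1, 0xFF00)),   # EWS writes coil 1 ON: allowed
    ("10.10.1.99", PLC, frame(3, 1, 5, 1, 0xFF00)),  # unknown host writes a coil: alert
    ("10.10.1.99", PLC, frame(4, 1, 8, 0, 0)),       # unknown host sends diagnostics: alert
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES, KNOWN_HOSTS, ALLOWED_WRITERS):
        print(alert)
```

The allow-list is the point: a write from the engineering workstation is normal maintenance, the same frame from any other address is exactly the kind of PLC manipulation the advisory warns about, and the "new host" reason on its own is the cheapest early signal that something has joined the OT segment.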

Since the DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices to work with a continuous network monitoring solution going forward, let our experts help you keep your networks & industrial devices secure.


Your Weekly ICS / OT Security News Digest – March 31

Our research team has put together all of the most relevant news topics in the ICS, IT, Ransomware & OT security fields, as well as their impacts and their expert recommendations:

In this edition, it’s all about ransomware!

Ransomware

  1. Title: Lapsus$ Extortion Group – Samsung, Okta, Microsoft, & Vodafone Breaches


    Description: Over the past few weeks, Lapsus$ group breached a number of international companies, including NVIDIA and Samsung (see previous newsfeed article).
    An analysis of the leaked Samsung source code revealed that more than 6,600 secret keys, including private keys, usernames and passwords, AWS keys, Google keys, and GitHub keys, were leaked[1].
    Okta, an identity management and authentication services provider, was also affected by a cyberattack claimed by the group, by compromising their thin client, a system that connects remotely into a virtual environment to carry out tasks[2].
    The group successfully compromised Microsoft and released the source code of Microsoft’s Azure DevOps server for various internal projects, including for Bing, Cortana, and Bing Maps[3].
    Lapsus$ also claimed to have breached Vodafone, and threatened to leak the Vodafone source code. While this is still under investigation, the company claimed no customer data was stolen[4].
    Attack Parameters: Lapsus$ compromises systems to steal source code, customer lists, databases, and other valuable data, then attempts to extort the victim by demanding a ransom in exchange for not publicly leaking the data. They primarily focus on obtaining compromised credentials for initial access using the following methods[5]:
    1. Deploying Redline password stealer to obtain passwords and session tokens.
    2. Buying credentials and session tokens on criminal underground forums.
    3. Paying employees at targeted organizations for access to credentials and MFA approval.
    4. Searching public code repositories for exposed credentials.

The group also uses RDP and VDI to remotely access a business’ environment.

Impact:

  1. Samsung – it is unclear whether the keys compromise the TrustZone, which stores sensitive data and creates a security barrier for Android malware attacks.
  2. Okta – The company claimed that only 2.5% of the customers were impacted by this attack. Lapsus$ responded to Okta’s announcement and revealed that they did not compromise an Okta employee’s laptop but their thin client[6].
    This attack potentially enables an attacker to provision themselves administrator-level access into Okta’s customers’ applications[7].
  3. Microsoft – no customer data was compromised. Microsoft released a statement that viewing the source code does not lead to elevation of risk.

SCADAfence Coverage: RDP connections can be tracked, monitored, and alerted upon with the User Activity Analyzer.

Recommendations: Following are additional best practices recommendations:

  1. Make sure that secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

  2. Title: Bridgestone America’s Ransomware Attack


    Description: Bridgestone America was hit by a ransomware attack which caused it to shut down the computer network and production at its factories in North and Middle America for about a week. LockBit claimed this attack[8].

    Attack Parameters:
    1. Initial Access – LockBit operators often gain access via compromised servers, RDP accounts, spam email or by brute forcing insecure RDP or VPN credentials.
    2. Execution – LockBit is executed via command line or created scheduled tasks.
    3. Credential Access – LockBit was observed using Mimikatz to gather credentials.
    4. Lateral Movement – LockBit can self-propagate using SMB. PsExec and Cobalt Strike were used to move laterally within the network[9].

Impact: Manufacturing and retreading facilities in Latin America and North America were disconnected to contain the attack and prevent potential impact. Bridgestone is a major supplier of tires for Toyota vehicles, and was a part of a supply chain attack on Toyota.

SCADAfence Coverage:

  1. The SCADAfence Platform detects command execution using CMD and the creation of scheduled tasks.
  2. The SCADAfence Platform also detects the use of Mimikatz, PsExec, and Cobalt Strike.
  3. RDP and SMB connections can be tracked with the User Activity Analyzer.
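The LockBit chain described above (command-line execution, scheduled tasks, Mimikatz for credentials, PsExec over SMB for lateral movement) leaves a recognisable trail in Windows event logs. The following added example, in Python and not SCADAfence's code, maps individual events onto those stages and correlates them per host, so a host that shows several stages within one window stands out. The log lines are constructed for the example in a simplified `key=value` layout, not the exact export format of any product; the event IDs (4688 process creation, 4698 scheduled task created, 7045 service installed) are standard Windows IDs.

```python
import re
from collections import defaultdict

# Added example (not SCADAfence code): map Windows security/system event lines
# onto the LockBit stages from the newsletter and correlate them per host.
# The log lines are constructed for the example in a simplified key=value
# layout, not the exact format of any product's export.

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse 'timestamp key=value key="quoted value"' into a dict."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"ts": ts}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def classify(ev: dict) -> set:
    """Return the attack stages an event matches (empty set for benign events)."""
    stages = set()
    event = ev.get("event")
    image = ev.get("image", "").lower()
    cmdline = ev.get("cmdline", "").lower()
    service = (ev.get("service", "") + " " + ev.get("path", "")).lower()
    if event == "4698":                                   # scheduled task created
        stages.add("scheduled_task")
    if event == "4688" and image.endswith("cmd.exe") and " /c " in cmdline:
        stages.add("cmd_execution")                        # execution via command line
    if event == "4688" and ("sekurlsa::" in cmdline or "mimikatz" in image):
        stages.add("credential_dumping")                   # Mimikatz-style LSASS access
    if "psexesvc" in image or "psexesvc" in service:
        stages.add("psexec_service")                       # PsExec service on the target
    return stages


def stages_by_host(log: str) -> dict:
    """Union of matched stages per host, omitting hosts with no matches."""
    hosts = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        hosts[ev.get("host", "?")] |= classify(ev)
    return {h: s for h, s in hosts.items() if s}


def flagged_hosts(log: str, min_stages: int = 2) -> list:
    """Hosts showing at least min_stages distinct stages of the chain."""
    return sorted(h for h, s in stages_by_host(log).items() if len(s) >= min_stages)


# Constructed sample: one workstation runs the payload, schedules it and dumps
# credentials; a second receives a PsExec service; an HMI does normal work.
SAMPLE_LOG = r"""
2022-03-01T02:14:07Z host=PLANT-WS01 event=4688 user=svc_backup image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c C:\Users\Public\lb.exe"
2022-03-01T02:14:09Z host=PLANT-WS01 event=4698 user=svc_backup task=\Microsoft\Windows\Update cmdline="C:\Users\Public\lb.exe"
2022-03-01T02:15:30Z host=PLANT-WS01 event=4688 user=svc_backup image=C:\Users\Public\mk.exe cmdline="mk.exe privilege::debug sekurlsa::logonpasswords"
2022-03-01T02:16:02Z host=PLANT-WS02 event=7045 service=PSEXESVC path=%SystemRoot%\PSEXESVC.exe
2022-03-01T02:16:05Z host=PLANT-WS02 event=4688 user=SYSTEM image=C:\Windows\PSEXESVC.exe cmdline="PSEXESVC.exe"
2022-03-01T08:00:00Z host=HMI-03 event=4688 user=operator image=C:\Program Files\HMI\runtime.exe cmdline="runtime.exe /project line1"
"""

if __name__ == "__main__":
    print(stages_by_host(SAMPLE_LOG))
    print("flagged:", flagged_hosts(SAMPLE_LOG))
```

Tune `min_stages` to the environment: on an engineering workstation a single PsExec service install may already be worth a ticket, while on an IT jump host two stages in one window is a better threshold.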

Recommendations: Following are additional best practices recommendations:

  1. Make sure that secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

  3. Title: AvosLocker Ransomware is Targeting U.S. Critical Infrastructure


    Description: The FBI released an advisory which includes IOCs used to detect and block AvosLocker, a RaaS (Ransomware as a Service) affiliate-based group that has targeted multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facility sectors[10].
    Targets: The AvosLocker leak site claims to have hit victims in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China, and Taiwan.
    Attack Parameters: AvosLocker encrypts files and steals sensitive information to convince the victim to pay the ransom. The attackers may also launch DDoS attacks against the victim during negotiations[11].
    Impact: Unknown due to limited information published.

Recommendations: The FBI advised against paying a ransom, and encouraged businesses to report any ransomware attacks to help prevent future incidents. An advisory was published providing IOCs that can be used to detect and defend against this ransomware.
Following are additional best practices recommendations:

  1. Make sure that secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

Additional resources to the aforementioned updates:

[1] https://www.securityweek.com/thousands-secret-keys-found-leaked-samsung-source-code

[2] https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/, https://thehackernews.com/2022/03/lapsus-hackers-claim-to-have-breached.html

[3] https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/, https://www.bleepingcomputer.com/news/security/microsoft-investigating-claims-of-hacked-source-code-repositories/

[4] https://securityaffairs.co/wordpress/128903/cyber-crime/vodafone-investigates-data-breach.html?

[5] https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html

[6] https://securityaffairs.co/wordpress/129422/data-breach/okta-says-375-customers-impacted-by-data-breach.html?

[7] https://www.darkreading.com/attacks-breaches/ransomware-group-s-claim-that-it-hacked-okta-prompts-concerns-of-another-solarwinds

[8] https://threatpost.com/bridgestone-hit-as-ransomware-torches-toyota-supply-chain/178998/

[9] https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit#:~:text=LockBit%20first%20emerged%20as%20the,it%20for%20the%20long%20haul.

[10] https://www.bleepingcomputer.com/news/security/fbi-avoslocker-ransomware-targets-us-critical-infrastructure/

[11] https://www.securityweek.com/us-critical-infrastructure-targeted-avoslocker-ransomware


About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

Your Weekly ICS / OT Security News Digest – March 10

Our research team has put together all of the most relevant news topics in the ICS, IT, Ransomware & OT security fields, as well as their impacts and their expert recommendations:

ICS:

  1. Title: Access:7 Vulnerabilities Impact SCADA, Medical and IoT Devices
    Description: Seven vulnerabilities, tracked as Access:7, have been found in Parametric Technology Corporation’s (PTC) Axeda agent, used for remote access and management of over 150 connected devices from more than 100 vendors. Three of these flaws can be exploited to achieve remote code execution[1].
    Besides healthcare-related technologies, these flaws also affect SCADA systems, asset monitoring technologies, IoT gateways, and more[2].
    These are supply chain vulnerabilities, as Access:7 affects a solution sold to device manufacturers that did not develop their remote servicing system.

Attack Parameters: These vulnerabilities can be exploited by command injection, buffer overflow, and directory traversal.
Impact: Up to full compromise (RCE, DoS, sensitive data exposure, configuration modification, and specific services shut down)
SCADAfence Coverage: The SCADAfence Platform detects OS command injection and path traversal.

Recommendations: PTC has released patches for these vulnerabilities[3].

  2. Title: TLStorm Vulnerabilities Impact APC Smart-UPS
    Description: Three critical vulnerabilities in smart uninterruptible power supply (UPS) devices, dubbed TLStorm, could allow for remote takeover. APC is a subsidiary of Schneider Electric, one of the leading vendors of UPS devices. UPS devices provide emergency backup power for mission-critical assets that require high availability[4].

Attack Parameters: These vulnerabilities can be exploited remotely. Two zero-click vulnerabilities are in the implementation of the TLS protocol that connects the devices to the Schneider Electric management cloud.
Impact: Up to full compromise (information theft, configuration modification, RCE).
This could allow attackers to disrupt business services or cause physical damage by taking down critical infrastructure.
Recommendations: Schneider Electric released patches for these vulnerabilities.

Additional mitigations include:

  1. Deploying access control lists in which the UPS devices are only allowed to communicate with a small set of management devices and the Schneider Electric Cloud via encrypted communication.
  2. Changing the default NMC password and installing a publicly-signed SSL certificate.

IT:

  1. Title: Microsoft March Patch Tuesday

Description: Microsoft fixed 71 vulnerabilities, three of these critical, as they allow remote code execution. This Patch Tuesday also included fixes for three zero-day vulnerabilities[5].

While these vulnerabilities haven’t been used in attacks, there are public PoC exploits for two of the zero-day vulnerabilities, one of them allowing remote code execution.

The remote code execution flaws which are more likely to be targeted are CVE-2022-23277 (Microsoft Exchange Server), CVE-2022-21990 (Remote Desktop Client), and CVE-2022-24508 (Windows SMBv3 Client/Server)[6].

Attack Parameters: Different for each vulnerability, though many can be exploited remotely.

Impact: Up to full compromise (privilege escalation, information disclosure, DoS, RCE).

SCADAfence Coverage:

  1. The SCADAfence Platform provides the ability to detect anomalous SMB activity.
  2. The CVEs mentioned above will be added to the Roadmap upon available POCs.

SCADAfence Recommendations:

  1. Microsoft has released patches for these vulnerabilities.
  2. RDP and SMB connections can be tracked with User Activity Analyzer.

Ransomware:

  1. Title: Conti Ransomware Operation Leaks
    Description: A Ukrainian researcher leaked messages taken from the Conti and Ryuk ransomware gang’s private chat server. The information in these messages included bitcoin addresses, evading law enforcement, how they conduct their attacks, the source code for the administrative panel, the BazarBackdoor API, screenshots of storage servers, and more. A password-protected archive containing the source code for the Conti ransomware encryptor, decryptor, and builder was leaked as well. While the leaker did not share the password, another researcher cracked it, allowing everyone access to the source code[7].

Impact: The source code provides insight into how the malware works. However, the availability of the source code could lead to the attempt of other threat actors to launch their own operations using the leaked code.
It is unclear yet how this data breach will affect Conti’s operation.

  2. Title: Lapsus$ Extortion Group – NVIDIA and Samsung Breaches
    Description: Over the past two weeks, the Lapsus$ extortion gang breached two international companies – NVIDIA and Samsung Electronics.
    The Lapsus$ gang broke into NVIDIA’s network, stole information and threatened to leak it unless the company removed the LHR limitations in the GeForce RTX 30 Series. The gang stole confidential information, the source code of its Deep Learning technology (DLSS), and more[8]. Employee credentials were leaked and two expired code signing certificates were stolen. These were used to sign malware and tools, such as Cobalt Strike and Mimikatz[9].
    A week later, the gang hit Samsung Electronics and exfiltrated data, including internal company data, the source code related to its Galaxy devices, the source code for trusted applets installed within TrustZone, algorithms for biometric authentication, and confidential data from its chip supplier Qualcomm[10].
    Targets: NVIDIA, Samsung Electronics, Qualcomm
    Impact: Part of NVIDIA’s business was offline for two days. In the case of Samsung, the breach could provide a pathway into Samsung devices, rendering them vulnerable[11].

SCADAfence Coverage: The SCADAfence Platform detects the use of Cobalt Strike and Mimikatz. Further investigation is pending the publication of additional technical information.

Recommendations: Following are additional best practices recommendations:

  1. Make sure secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

  3. Title: RagnarLocker Ransomware
    Description: The Ragnar Locker ransomware gang has breached the networks of at least 52 organizations from multiple US critical infrastructure sectors[12].
    Targets: Entities in the critical manufacturing, energy, financial services, government, and information technology sectors.

Attack Parameters: RagnarLocker frequently changes its obfuscation techniques to avoid detection and prevention. IOCs associated with RagnarLocker activity were released, including information on attack infrastructure, Bitcoin addresses used to collect ransom payments, and email addresses used by the gang’s operators.
Impact: Unknown due to limited information published.

SCADAfence Coverage: The SCADAfence Platform detects the use of CMD to execute commands and the attempt to stop services, both techniques used by the gang.
Recommendations: The FBI advised against paying a ransom, and encouraged businesses to report any ransomware attacks to help prevent future incidents. An advisory was published providing IOCs that can be used to detect and defend against this ransomware.
Following are additional best practices recommendations:

  1. Make sure secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

  4. Title: Toyota Production Affected by Cyberattack
    Description: A system failure at one of Toyota’s suppliers of vital parts, Kojima Industries, caused Toyota to suspend the operation of 28 production lines in 14 plants in Japan[13]. Although Kojima has not published any official information, the company’s website was offline and Japanese news outlets claimed that the disruption is a result of a cyberattack. This attack could be linked to Japan’s sanctions on Moscow, though there is no confirmation of a Russian connection.
    Attack Parameters: Unknown due to limited information published.

Impact: The expected impact is a 5% drop in Toyota’s monthly production in Japan, which translates to roughly 13,000 units.
Recommendations: Unknown due to limited information published.

Additional Resources:

[1] https://www.bleepingcomputer.com/news/security/access-7-vulnerabilities-impact-medical-and-iot-devices/, https://www.ptc.com/en/support/article/CS363561

[2] https://www.darkreading.com/vulnerabilities-threats/medical-and-iot-devices-from-more-than-100-vendors-vulnerable-to-attack

[3] https://www.forescout.com/resources/access-7-supply-chain-vulnerabilities-can-allow-unwelcomed-access-to-your-medical-and-iot-devices/

[4] https://threatpost.com/zero-click-flaws-ups-critical-infratructure/178810/, https://info.armis.com/rs/645-PDC-047/images/Armis-TLStorm-WP%20%281%29.pdf

[5] https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2022-patch-tuesday-fixes-71-flaws-3-zero-days/, https://threatpost.com/microsoft-zero-days-critical-bugsmarch-patch-tuesday/178817/

[6] https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-critical-exchange-server-flaw

[7] https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/

[8] https://thehackernews.com/2022/03/hackers-who-broke-into-nvidias-network.html, https://www.bleepingcomputer.com/news/security/hackers-to-nvidia-remove-mining-cap-or-we-leak-hardware-data/

[9] https://www.securityweek.com/credentials-71000-nvidia-employees-leaked-following-cyberattack, https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/

[10] https://thehackernews.com/2022/03/samsung-confirms-data-breach-after.html, https://www.bleepingcomputer.com/news/security/samsung-confirms-hackers-stole-galaxy-devices-source-code/

[11] https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/

[12] https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/

[13] https://www.bleepingcomputer.com/news/security/toyota-halts-production-after-reported-cyberattack-on-supplier/, https://threatpost.com/toyota-to-close-japan-plants-after-suspected-cyberattack/178686/



The Russia-Ukraine Conflict from an Industrial Cybersecurity Perspective

In recent weeks, Ukraine has been hit with numerous cyberattacks targeting its government and banking sector as part of the Russo-Ukrainian crisis. Several Ukrainian government departments and banks were knocked offline by a DDoS attack, and multiple wiper malware families have been observed targeting Ukrainian organizations.

For its part, Russia claimed it has never conducted and does not conduct any malicious operations in cyberspace.

These attacks resulted in fear of a wider cyber conflict, with western governments bracing for Russian cyberthreats and considering their response.

The Russia-Ukraine Cyber Conflict

In January, about 70 government websites were taken offline by a DDoS attack. Shortly after, a destructive malware infected government, non-profit, and IT organization devices in Ukraine. This malware, dubbed WhisperGate, was designed to look like ransomware, but lacks a recovery feature, indicating that their goal was to destroy files rather than to encrypt them for ransom.

Hours prior to the beginning of the Russian invasion of Ukraine, a new wiper malware was discovered. This attack leveraged at least three components: HermeticWiper for data wiping, HermeticWizard for spreading in the network, and HermeticRansom acting as a decoy ransomware. HermeticWiper was seen conducting malicious activity as early as November 2021, indicating that the attack was prepared months in advance. 

As the invasion began, a second wiper, IsaacWiper, surfaced. IsaacWiper shares no code with HermeticWiper and is the less sophisticated of the two.

While Russian responsibility for these attacks cannot be confirmed, they are believed to be part of Russia's "hybrid warfare", which combines conventional military operations with cyber and information operations.

Ukraine's cyber activity has not been solely defensive: the Ukrainian government has formed an "IT Army". Since the crisis began, several Russian government and media websites have been intermittently offline. Some of these attacks were carried out by the Anonymous hacktivist collective, which has declared its support for Ukraine. The collective and its affiliates also claimed to have compromised the Russian Nuclear Institute and the control center of the Russian space agency Roscosmos.

Russian APT Groups and Known Attacks

A number of APT groups are attributed to Russian state agencies or operate from Russia:

APT28

  • Attribution: Russia’s General Staff Main Intelligence Directorate (GRU)
  • Active since: 2004
  • Targets: The defense and energy sectors and government organizations
  • Associated attacks: The Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016
  • Tools used: Koadic, Mimikatz, Net, Responder, Tor, USBStealer, Zebrocy

APT29

  • Attribution: Russia’s Foreign Intelligence Service (SVR)
  • Active since: 2008
  • Targets: Government networks in Europe and NATO member countries, research institutes, and think tanks
  • Associated attacks: The SolarWinds supply chain compromise cyber operation was attributed to the SVR, public statements included citations to APT29
  • Tools used: Mimikatz, Net, Cobalt Strike, PsExec, CosmicDuke, FatDuke, GeminiDuke, PowerDuke, SeaDuke, SUNBURST

Sandworm Team

  • Attribution: Russia’s General Staff Main Intelligence Directorate (GRU)
  • Active since: 2009
  • Targets: Ukrainian electrical companies and government organizations, Georgia
  • Associated attacks: The 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the NotPetya attack, the 2018 Olympic Destroyer attack, and attacks against Georgia in 2018 and 2019
  • Tools used: Mimikatz, Net, PsExec, BlackEnergy, Industroyer, NotPetya, KillDisk

Wizard Spider

  • Attribution: Russia-based financially motivated threat group
  • Active since: 2016
  • Targets: The group has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals
  • Associated attacks: The group is originally known for the creation and deployment of TrickBot
  • Tools used: Mimikatz, Net, Cobalt Strike, PsExec, Empire, Bazar, Conti, Dyre, Emotet, GrimAgent, Ryuk, TrickBot

Dragonfly 2.0

  • Attribution: A suspected Russian threat group
  • Active since: 2015
  • Targets: Government entities and multiple U.S. critical infrastructure sectors and parts of the energy sector within Turkey and Switzerland
  • Associated attacks
  • Tools used: Net, PsExec, Reg, CrackMapExec, Impacket

Additional Russian APT groups include ALLANITE, Indrik Spider, Nomadic Octopus, TEMP.Veles, and Turla.

Tools and Vulnerabilities

These APT groups use a variety of tools and malware in their attacks, ranging from commercial and open-source software to custom software written for malicious purposes.

Tools:

  1. Mimikatz – Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
  2. Net – The Net utility is a component of the Windows operating system, which can be useful for an adversary, such as gathering system and network information for discovery, moving laterally through SMB/Windows admin shares, and interacting with services.
  3. Cobalt Strike – Cobalt Strike is an adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors.
  4. PsExec – PsExec is a tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.
  5. Empire – Empire is a post-exploitation tool which was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.

ICS Malware:

  1. BlackEnergy – BlackEnergy is a malware toolkit that was originally designed to create botnets for use in conducting DDoS attacks. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions.
  2. Industroyer – Industroyer is a sophisticated malware framework designed to impact the working processes of industrial control systems (ICS), specifically components used in electrical substations. It was used in the attacks on the Ukrainian power grid in December 2016.

Additional Malware and Ransomware:

  1. NotPetya – While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems. It contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.
  2. Bazar – Bazar is a downloader and backdoor with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe.
  3. Conti – Conti is a ransomware-as-a-service that has been used against major corporations and government agencies, particularly those in North America.
  4. Emotet – Emotet is a modular malware variant used as a downloader for other malwares such as TrickBot. It has been primarily used to target the banking sector.
  5. Ryuk – Ryuk is a ransomware designed to target enterprise environments.
  6. TrickBot – TrickBot is a Trojan spyware program originally used to target banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.

How SCADAfence Helps Industrial Organizations

We provide a comprehensive solution: the SCADAfence platform, built to protect industrial organizations like yours from industrial cyber attacks, including ransomware. Its built-in features also help you implement better security practices. Some of these include:

  • Asset Management 
  • Network Maps
  • Traffic Analyzers

The platform, which is also the highest-rated OT & IoT security platform, monitors network traffic for threats, including those seen in typical ransomware attacks, such as:

  • Security exploits being sent across the network.
  • Lateral movement attempts using the latest techniques.
  • Network scanning and network reconnaissance.

SCADAfence’s security research team is constantly tracking events and incidents, analyzing them, and implementing different ways to detect those events.

  • The SCADAfence Platform detects the use of WMI and SMB, which HermeticWizard uses to spread across the network.
  • The Platform also detects various tools, vulnerabilities and techniques used by Russian APTs and their malware, such as: EternalBlue & EternalRomance, BlueKeep, Metasploit, Cobalt Strike, Remote Services, Remote Scheduled Tasks, OS Credential Dumping (Mimikatz), BITSAdmin and SMB brute force.
  • The Platform provides an up to date reputation service to track malicious files, IPs and domains associated with Russian APTs and malware.

Recommendations & Best Practices

The SCADAfence team recommends the following best practices:

  • Make sure secure offline backups of critical systems are available and up-to-date.
  • Apply the latest security patches on the assets in the network.
  • Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  • Enable strong spam filters to prevent phishing emails from reaching end users.
  • Disable ports and protocols that are not essential.
  • Encrypt sensitive data when possible.
  • Educate staff about the risks and methods of ransomware attacks and how to avoid infection.
  • Recommendation for HermeticWizard: Monitor traffic on the ports HermeticWizard uses to worm through networks: 20, 21, 80, 135, 137, 139, 443 and 445.
  • Recommendation for HermeticRansom: Consider using the Go script in the following link for decryption purposes.
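One way to act on the port-monitoring recommendation above, and on the lateral-movement and network-scanning detection described earlier in this article, is to look for a single host fanning out to many internal neighbours on those ports within a short window, which is how a worm behaves and how normal client-server traffic does not. The Python below is an added example written for this article, not SCADAfence platform code; the flow records are constructed, and the thresholds (10 distinct hosts within 5 minutes), the flow format and the `find_fanout` function are assumptions made for the illustration.

```python
"""Flag hosts that fan out across the network on the ports HermeticWizard probes."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Ports HermeticWizard scans when looking for neighbours to infect (the list above).
HERMETIC_PORTS = {20, 21, 80, 135, 137, 139, 443, 445}


def _constructed_flows():
    """Constructed 5-tuple flow records for the example, not captured traffic.
    Format (assumed): "<ISO timestamp> <src> <dst> <dst_port> <proto>"."""
    base = datetime(2022, 2, 23, 16, 0, 0)
    flows = []
    # Benign file-server traffic: one client talking to two servers over 20 minutes.
    for i in range(20):
        t = (base + timedelta(minutes=i)).isoformat()
        flows.append(f"{t} 10.0.5.3 10.0.5.{200 + i % 2} 445 tcp")
    # Worm-like fan-out: one host hits 16 neighbours on SMB (445) and WMI/DCOM (135)
    # inside 75 seconds.
    for i in range(16):
        t = (base + timedelta(seconds=5 * i)).isoformat()
        flows.append(f"{t} 10.0.5.17 10.0.5.{20 + i} 445 tcp")
        flows.append(f"{t} 10.0.5.17 10.0.5.{20 + i} 135 tcp")
    # Slow administrative sweep: 12 hosts over two hours, far below a worm's rate.
    for i in range(12):
        t = (base + timedelta(minutes=10 * i)).isoformat()
        flows.append(f"{t} 10.0.5.9 10.0.5.{40 + i} 445 tcp")
    return flows


FLOWS = _constructed_flows()


def parse_flow(line):
    """Split one flow record into (timestamp, src, dst, dst_port, proto)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def find_fanout(lines, ports=HERMETIC_PORTS, window=timedelta(minutes=5), min_hosts=10):
    """Return {src: sorted distinct internal dsts} for every source that reached at
    least `min_hosts` distinct private-address hosts on `ports` inside any span of
    length `window`. A sliding window over the time-sorted flows keeps a live count
    of distinct destinations, so the cost is linear in the number of flows."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _ = parse_flow(line)
        if dport in ports and ipaddress.ip_address(dst).is_private:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # dst -> flows to it inside the current window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop flows that fell out of the window, forgetting a dst when its count hits 0.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_hosts:
                alerts[src] = sorted({d for _, d in events})
                break
    return alerts


if __name__ == "__main__":
    for src, hosts in find_fanout(FLOWS).items():
        print(f"ALERT {src} fanned out to {len(hosts)} internal hosts, e.g. {hosts[:4]}")
```

The window is what separates a worm from an administrator: the third constructed source touches twelve hosts, but over two hours, so it is not flagged at the default five-minute window and would be if the window were widened to two hours. Tune the threshold and window against the site's normal management traffic before alerting on it.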

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, points of sale, resellers and partner companies, Version 2 offers quality products and services that are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.