Our research team has put together all of the most relevant news topics in the ICS, IT, Ransomware & OT security fields, as well as their impacts and their expert recommendations:

In this edition, it’s all about ransomware!

Ransomware

1. Title: Lapsus$ Extortion Group – Samsung, Okta, Microsoft, & Vodafone Breaches
   

   
   Description: Over the past few weeks, Lapsus$ group breached a number of international companies, including NVIDIA and Samsung (see previous newsfeed article).
   An analysis of the leaked Samsung source code revealed that more than 6,600 secret keys, including private keys, usernames and passwords, AWS keys, Google keys, and GitHub keys, were leaked[1].
   Okta, an identity management and authentication services provider, was also affected by a cyberattack claimed by the group, by compromising their thin client, a system that connects remotely into a virtual environment to carry out tasks[2].
   The group successfully compromised Microsoft and released the source code of Microsoft’s Azure DevOps server for various internal projects, including for Bing, Cortana, and Bing Maps[3].
   Lapsus$ also claimed to have breached Vodafone, and threatened to leak the Vodafone source code. While this is still under investigation, the company claimed no customer data was stolen[4].
   Attack Parameters: Lapsus$ compromise systems to steal source code, customer lists, databases, and other valuable data, then attempt to extort the victim with ransom demands not publicly to leak the data. They primarily focus on obtaining compromised credentials for initial access using the following methods[5]:
   1. Deploying Redline password stealer to obtain passwords and session tokens.
   2. Buying credentials and session tokens on criminal underground forums.
   3. Paying employees at targeted organizations for access to credentials and MFA approval.
   4. Searching public code repositories for exposed credentials.

The group also uses RDP and VDI to remotely access a business’ environment.

Impact:

1. Samsung – it is unclear whether the keys compromise the TrustZone, which stores sensitive data and creates a security barrier for Android malware attacks.
2. Okta – The company claimed that only 2.5% of the customers were impacted by this attack. Lapsus$ responded to Okta’s announcement and revealed that they did not compromise an Okta employee’s laptop but their thin client[6].
   This attack potentially enables an attacker to provision themselves administrator-level access into Okta’s customers’ applications[7].
3. Microsoft – no customer data was compromised. Microsoft released a statement that viewing the source code does not lead to elevation of risk.

SCADAfence Coverage: RDP connections can be tracked, monitored, and alerted upon with the User Activity Analyzer.

Recommendations: Following are additional best practices recommendations:

1. Make sure that secure offline backups of critical systems are available and up-to-date.
2. Apply the latest security patches on the assets in the network.
3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
4. Encrypt sensitive data when possible.
5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

2. Title: Bridgestone America’s Ransomware Attack
   

   
   Description: Bridgestone America was hit by a ransomware attack which caused it to shut down the computer network and production at its factories in North and Middle America for about a week. LockBit claimed this attack[8].
   
   Attack Parameters:
   1. Initial Access – LockBit operators often gain access via compromised servers, RDP accounts, spam email or by brute forcing insecure RDP or VPN credentials.
   2. Execution – LockBit is executed via command line or created scheduled tasks.
   3. Credential Access – LockBit was observed using Mimikatz to gather credentials.
   4. Lateral Movement – LockBit can self-propagate using SMB. PsExec and Cobalt Strike were used to move laterally within the network[9].

Impact: Manufacturing and retreading facilities in Latin America and North America were disconnected to contain the attack and prevent potential impact. Bridgestone is a major supplier of tires for Toyota vehicles, and was a part of a supply chain attack on Toyota.

SCADAfence Coverage:

1. The SCADAfence Platform detects command execution using CMD and the creation of scheduled tasks.
2. The SCADAfence Platform also detects the use of Mimikatz, PsExec, and Cobalt Strike.
3. RDP and SMB connections can be tracked with the User Activity Analyzer.

Recommendations: Following are additional best practices recommendations:

1. Make sure that secure offline backups of critical systems are available and up-to-date.
2. Apply the latest security patches on the assets in the network.
3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
4. Encrypt sensitive data when possible.
5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

3. Title: AvosLocker Ransomware is Targeting U.S. Critical Infrastructure
   

   
   Description: The FBI released an advisory which includes IOCs used to detect and block AvosLocker, a RaaS (Ransomware as a Service) affiliate-based group that has targeted multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facility sectors[10].
   Targets: The AvosLocker leak site claims to have hit victims in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China, and Taiwan.
   Attack Parameters: AvosLocker encrypts files and steals sensitive information to convince the victim to pay the ransom. The attackers may also launch DDoS attacks against the victim during negotiations[11].
   Impact: Unknown due to limited information published.
   
   

Recommendations: The FBI advised against paying a ransom, and encouraged businesses to report any ransomware attacks to help prevent future incidents. An advisory was published providing IOCs that can be used to detect and defend against this ransomware.
Following are additional best practices recommendations:

1. Make sure that secure offline backups of critical systems are available and up-to-date.
2. Apply the latest security patches on the assets in the network.
3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
4. Encrypt sensitive data when possible.
5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

Additional resources to the aforementioned updates:

[1] https://www.securityweek.com/thousands-secret-keys-found-leaked-samsung-source-code

[2] https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/, https://thehackernews.com/2022/03/lapsus-hackers-claim-to-have-breached.html

[3] https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/, https://www.bleepingcomputer.com/news/security/microsoft-investigating-claims-of-hacked-source-code-repositories/

[4] https://securityaffairs.co/wordpress/128903/cyber-crime/vodafone-investigates-data-breach.html?

[5] https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html

[6] https://securityaffairs.co/wordpress/129422/data-breach/okta-says-375-customers-impacted-by-data-breach.html?

[7] https://www.darkreading.com/attacks-breaches/ransomware-group-s-claim-that-it-hacked-okta-prompts-concerns-of-another-solarwinds

[8] https://threatpost.com/bridgestone-hit-as-ransomware-torches-toyota-supply-chain/178998/

[9] https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit#:~:text=LockBit%20first%20emerged%20as%20the,it%20for%20the%20long%20haul.

[10] https://www.bleepingcomputer.com/news/security/fbi-avoslocker-ransomware-targets-us-critical-infrastructure/

[11] https://www.securityweek.com/us-critical-infrastructure-targeted-avoslocker-ransomware