
Vulnerability Report: Rockwell PLC Unauthorized Code Injection [CVE-2022-1161, CVE-2022-1159]

Two vulnerabilities in Rockwell programmable logic controllers and engineering workstation software have been disclosed. These vulnerabilities give attackers a way to modify automation processes and potentially disrupt industrial operations, cause physical damage to factories, and perform other malicious actions.

Your Weekly ICS / OT Security News Digest – March 31st

Our research team has put together all of the most relevant news topics in the ICS, IT, Ransomware & OT security fields, as well as their impacts and their expert recommendations:

In this edition, it’s all about ransomware!

Ransomware

  1. Title: Lapsus$ Extortion Group – Samsung, Okta, Microsoft, & Vodafone Breaches

    Description: Over the past few weeks, the Lapsus$ group breached a number of international companies, including NVIDIA and Samsung (see previous newsfeed article).
    An analysis of the leaked Samsung source code revealed that more than 6,600 secret keys, including private keys, usernames and passwords, AWS keys, Google keys, and GitHub keys, were leaked[1].
    Okta, an identity management and authentication services provider, was also affected by a cyberattack claimed by the group, which compromised their thin client, a system that connects remotely into a virtual environment to carry out tasks[2].
    The group successfully compromised Microsoft and released the source code of Microsoft’s Azure DevOps server for various internal projects, including Bing, Cortana, and Bing Maps[3].
    Lapsus$ also claimed to have breached Vodafone and threatened to leak the Vodafone source code. While this is still under investigation, the company claimed no customer data was stolen[4].
    Attack Parameters: Lapsus$ compromises systems to steal source code, customer lists, databases, and other valuable data, then attempts to extort the victim with ransom demands in exchange for not publicly leaking the data. They primarily focus on obtaining compromised credentials for initial access using the following methods[5]:
    1. Deploying the Redline password stealer to obtain passwords and session tokens.
    2. Buying credentials and session tokens on criminal underground forums.
    3. Paying employees at targeted organizations for access to credentials and MFA approval.
    4. Searching public code repositories for exposed credentials.

The group also uses RDP and VDI to remotely access a business’ environment.

Impact:

  1. Samsung – it is unclear whether the keys compromise the TrustZone, which stores sensitive data and creates a security barrier for Android malware attacks.
  2. Okta – The company claimed that only 2.5% of the customers were impacted by this attack. Lapsus$ responded to Okta’s announcement and revealed that they did not compromise an Okta employee’s laptop but their thin client[6].
    This attack potentially enables an attacker to provision themselves administrator-level access into Okta’s customers’ applications[7].
  3. Microsoft – no customer data was compromised. Microsoft released a statement that viewing the source code does not lead to elevation of risk.

SCADAfence Coverage: RDP connections can be tracked, monitored, and alerted upon with the User Activity Analyzer.

Recommendations: The following are additional best-practice recommendations:

  1. Make sure that secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

  2. Title: Bridgestone America’s Ransomware Attack

    Description: Bridgestone America was hit by a ransomware attack which caused it to shut down the computer network and production at its factories in North and Middle America for about a week. LockBit claimed this attack[8].

    Attack Parameters:
    1. Initial Access – LockBit operators often gain access via compromised servers, RDP accounts, spam email or by brute forcing insecure RDP or VPN credentials.
    2. Execution – LockBit is executed via command line or created scheduled tasks.
    3. Credential Access – LockBit was observed using Mimikatz to gather credentials.
    4. Lateral Movement – LockBit can self-propagate using SMB. PsExec and Cobalt Strike were used to move laterally within the network[9].

Impact: Manufacturing and retreading facilities in Latin America and North America were disconnected to contain the attack and prevent potential impact. Bridgestone is a major supplier of tires for Toyota vehicles, and the incident was reported as part of a supply chain attack on Toyota.

SCADAfence Coverage:

  1. The SCADAfence Platform detects command execution using CMD and the creation of scheduled tasks.
  2. The SCADAfence Platform also detects the use of Mimikatz, PsExec, and Cobalt Strike.
  3. RDP and SMB connections can be tracked with the User Activity Analyzer.

Recommendations: The following are additional best-practice recommendations:

  1. Make sure that secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

  3. Title: AvosLocker Ransomware is Targeting U.S. Critical Infrastructure

    Description: The FBI released an advisory which includes IOCs used to detect and block AvosLocker, a RaaS (Ransomware as a Service) affiliate-based group that has targeted multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facility sectors[10].
    Targets: The AvosLocker leak site claims to have hit victims in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China, and Taiwan.
    Attack Parameters: AvosLocker encrypts files and steals sensitive information to convince the victim to pay the ransom. The attackers may also launch DDoS attacks against the victim during negotiations[11].
    Impact: Unknown due to limited information published.

Recommendations: The FBI advised against paying a ransom, and encouraged businesses to report any ransomware attacks to help prevent future incidents. An advisory was published providing IOCs that can be used to detect and defend against this ransomware.
The following are additional best-practice recommendations:

  1. Make sure that secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

Additional resources for the aforementioned updates:

[1] https://www.securityweek.com/thousands-secret-keys-found-leaked-samsung-source-code

[2] https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/, https://thehackernews.com/2022/03/lapsus-hackers-claim-to-have-breached.html

[3] https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/, https://www.bleepingcomputer.com/news/security/microsoft-investigating-claims-of-hacked-source-code-repositories/

[4] https://securityaffairs.co/wordpress/128903/cyber-crime/vodafone-investigates-data-breach.html

[5] https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html

[6] https://securityaffairs.co/wordpress/129422/data-breach/okta-says-375-customers-impacted-by-data-breach.html

[7] https://www.darkreading.com/attacks-breaches/ransomware-group-s-claim-that-it-hacked-okta-prompts-concerns-of-another-solarwinds

[8] https://threatpost.com/bridgestone-hit-as-ransomware-torches-toyota-supply-chain/178998/

[9] https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit#:~:text=LockBit%20first%20emerged%20as%20the,it%20for%20the%20long%20haul.

[10] https://www.bleepingcomputer.com/news/security/fbi-avoslocker-ransomware-targets-us-critical-infrastructure/

[11] https://www.securityweek.com/us-critical-infrastructure-targeted-avoslocker-ransomware

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

Your Weekly ICS / OT Security News Digest – March 10th

Our research team has put together all of the most relevant news topics in the ICS, IT, Ransomware & OT security fields, as well as their impacts and their expert recommendations:

ICS:

  1. Title: Access:7 Vulnerabilities Impact SCADA, Medical and IoT Devices
    Description: Seven vulnerabilities, tracked as Access:7, have been found in Parametric Technology Corporation’s (PTC) Axeda agent, used for remote access and management of over 150 connected devices from more than 100 vendors. Three of these flaws can be exploited to achieve remote code execution[1].
    Besides healthcare-related technologies, these flaws also affect SCADA systems, asset monitoring technologies, IoT gateways, and more[2].
    These are supply chain vulnerabilities, as Access:7 affects a solution sold to device manufacturers that did not develop their remote servicing system.

Attack Parameters: These vulnerabilities can be exploited by command injection, buffer overflow, and directory traversal.
Impact: Up to full compromise (RCE, DoS, sensitive data exposure, configuration modification, and specific services shut down)
SCADAfence Coverage: The SCADAfence Platform detects OS command injection and path traversal.

Recommendations: PTC has released patches for these vulnerabilities[3].

  2. Title: TLStorm Vulnerabilities Impact APC Smart-UPS
    Description: Three critical vulnerabilities in smart uninterruptible power supply (UPS) devices, dubbed TLStorm, could allow for remote takeover. APC is a subsidiary of Schneider Electric, one of the leading vendors of UPS devices. UPS devices provide emergency backup power for mission-critical assets that require high availability[4].

Attack Parameters: These vulnerabilities can be exploited remotely. Two zero-click vulnerabilities are in the implementation of the TLS protocol that connects the devices to the Schneider Electric management cloud.
Impact: Up to full compromise (information theft, configuration modification, RCE).
This could allow attackers to disrupt business services or cause physical damage by taking down critical infrastructure.
Recommendations: Schneider Electric released patches for these vulnerabilities.

Additional mitigations include:

  1. Deploying access control lists in which the UPS devices are only allowed to communicate with a small set of management devices and the Schneider Electric Cloud via encrypted communication.
  2. Changing the default NMC password and installing a publicly-signed SSL certificate.

IT:

  1. Title: Microsoft March Patch Tuesday

Description: Microsoft fixed 71 vulnerabilities, three of them critical, as they allow remote code execution. This Patch Tuesday also included fixes for three zero-day vulnerabilities[5].

While these vulnerabilities haven’t been used in attacks, there are public PoC exploits for two of the zero-day vulnerabilities, one of them allowing remote code execution.

The remote code execution flaws which are more likely to be targeted are CVE-2022-23277 (Microsoft Exchange Server), CVE-2022-21990 (Remote Desktop Client), and CVE-2022-24508 (Windows SMBv3 Client/Server)[6].

Attack Parameters: Different for each vulnerability, though many can be exploited remotely.
Impact: Up to full compromise (privilege escalation, information disclosure, DoS, RCE).
SCADAfence Coverage:

  1. The SCADAfence Platform provides the ability to detect anomalous SMB activity.
  2. The CVEs mentioned above will be added to the Roadmap upon available POCs.

SCADAfence Recommendations:

  1. Microsoft has released patches for these vulnerabilities.
  2. RDP and SMB connections can be tracked with User Activity Analyzer.

Ransomware:

  1. Title: Conti Ransomware Operation Leaks
    Description: A Ukrainian researcher leaked messages taken from the Conti and Ryuk ransomware gang’s private chat server. The information in these messages included bitcoin addresses, evading law enforcement, how they conduct their attacks, the source code for the administrative panel, the BazarBackdoor API, screenshots of storage servers, and more. A password-protected archive containing the source code for the Conti ransomware encryptor, decryptor, and builder was leaked as well. While the leaker did not share the password, another researcher cracked it, allowing everyone access to the source code[7].

Impact: The source code provides insight into how the malware works. However, the availability of the source code could lead other threat actors to attempt to launch their own operations using the leaked code.
It is not yet clear how this data breach will affect Conti’s operation.

  2. Title: Lapsus$ Extortion Group – NVIDIA and Samsung Breaches
    Description: Over the past two weeks, the Lapsus$ extortion gang breached two international companies – NVIDIA and Samsung Electronics.
    The Lapsus$ gang broke into NVIDIA’s network, stole information and threatened to leak it unless the company removed the LHR limitations in the GeForce RTX 30 Series. The gang stole confidential information, the source code of its Deep Learning technology (DLSS), and more[8]. Employee credentials were leaked and two expired code signing certificates were stolen. These were used to sign malware and tools, such as Cobalt Strike and Mimikatz[9].
    A week later, the gang hit Samsung Electronics and exfiltrated data, including internal company data, the source code related to its Galaxy devices, the source code for trusted applets installed within TrustZone, algorithms for biometric authentication, and confidential data from its chip supplier Qualcomm[10].
    Targets: NVIDIA, Samsung Electronics, Qualcomm
    Impact: Part of NVIDIA’s business was offline for two days. In the case of Samsung, the breach could provide a pathway into Samsung devices, rendering them vulnerable[11].

SCADAfence Coverage: The SCADAfence Platform detects the use of Cobalt Strike and Mimikatz. Further investigation is pending the publication of additional technical information.
Recommendations: The following are additional best-practice recommendations:

  1. Make sure secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.
  3. Title: RagnarLocker Ransomware
    Description: The Ragnar Locker ransomware gang has breached the networks of at least 52 organizations from multiple US critical infrastructure sectors[12].
    Targets: Entities in the critical manufacturing, energy, financial services, government, and information technology sectors.

Attack Parameters: RagnarLocker frequently changes obfuscation techniques to avoid detection and prevention. IOCs associated with RagnarLocker activity, including information on attack infrastructure, Bitcoin addresses used to collect ransom payments, and email addresses used by the gang’s operators, were released.
Impact: Unknown due to limited information published.

SCADAfence Coverage: The SCADAfence Platform detects the use of CMD to execute commands and the attempt to stop services, both techniques used by the gang.
Recommendations: The FBI advised against paying a ransom, and encouraged businesses to report any ransomware attacks to help prevent future incidents. An advisory was published providing IOCs that can be used to detect and defend against this ransomware.
The following are additional best-practice recommendations:

  1. Make sure secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.
  4. Title: Toyota Production Affected by Cyberattack
    Description: A system failure at one of Toyota’s suppliers of vital parts, Kojima Industries, caused Toyota to suspend the operation of 28 production lines in 14 plants in Japan[13]. Although Kojima has not published any official information, the company’s website was offline and Japanese news outlets claimed that the disruption is a result of a cyberattack. This attack could be linked to Japan’s sanctions on Moscow, though there is no confirmation of a Russian connection.
    Attack Parameters: Unknown due to limited information published.

Impact: The expected impact is a 5% drop in Toyota’s monthly production in Japan, which translates to roughly 13,000 units.
Recommendations: Unknown due to limited information published.

Additional Resources:

[1] https://www.bleepingcomputer.com/news/security/access-7-vulnerabilities-impact-medical-and-iot-devices/, https://www.ptc.com/en/support/article/CS363561

[2] https://www.darkreading.com/vulnerabilities-threats/medical-and-iot-devices-from-more-than-100-vendors-vulnerable-to-attack

[3] https://www.forescout.com/resources/access-7-supply-chain-vulnerabilities-can-allow-unwelcomed-access-to-your-medical-and-iot-devices/

[4] https://threatpost.com/zero-click-flaws-ups-critical-infratructure/178810/, https://info.armis.com/rs/645-PDC-047/images/Armis-TLStorm-WP%20%281%29.pdf

[5] https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2022-patch-tuesday-fixes-71-flaws-3-zero-days/, https://threatpost.com/microsoft-zero-days-critical-bugsmarch-patch-tuesday/178817/

[6] https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-critical-exchange-server-flaw

[7] https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/

[8] https://thehackernews.com/2022/03/hackers-who-broke-into-nvidias-network.html, https://www.bleepingcomputer.com/news/security/hackers-to-nvidia-remove-mining-cap-or-we-leak-hardware-data/

[9] https://www.securityweek.com/credentials-71000-nvidia-employees-leaked-following-cyberattack, https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/

[10] https://thehackernews.com/2022/03/samsung-confirms-data-breach-after.html, https://www.bleepingcomputer.com/news/security/samsung-confirms-hackers-stole-galaxy-devices-source-code/

[11] https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/

[12] https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/

[13] https://www.bleepingcomputer.com/news/security/toyota-halts-production-after-reported-cyberattack-on-supplier/, https://threatpost.com/toyota-to-close-japan-plants-after-suspected-cyberattack/178686/


The Russia-Ukraine Conflict from an Industrial Cybersecurity Perspective

In recent weeks, Ukraine has been hit with numerous cyberattacks targeting its government and banking sector as part of the Russo-Ukrainian crisis. Several Ukrainian government departments and banks were knocked offline by a DDoS attack, and multiple wiper malware families have been observed targeting Ukrainian organizations.

For its part, Russia claimed it has never conducted and does not conduct any malicious operations in cyberspace.

These attacks resulted in fear of a wider cyber conflict, with western governments bracing for Russian cyberthreats and considering their response.

The Russia-Ukraine Cyber Conflict

In January, about 70 government websites were taken offline by a DDoS attack. Shortly after, a destructive malware infected government, non-profit, and IT organization devices in Ukraine. This malware, dubbed WhisperGate, was designed to look like ransomware but lacks a recovery feature, indicating that the attackers’ goal was to destroy files rather than to encrypt them for ransom.

Hours prior to the beginning of the Russian invasion of Ukraine, a new wiper malware was discovered. This attack leveraged at least three components: HermeticWiper for data wiping, HermeticWizard for spreading in the network, and HermeticRansom acting as a decoy ransomware. HermeticWiper was seen conducting malicious activity as early as November 2021, indicating that the attack was prepared months in advance. 

As the invasion began, a second wiper malware, IsaacWiper, surfaced. IsaacWiper and HermeticWiper share no code similarities, and the former is less sophisticated than the latter.

While it cannot be confirmed whether Russia is behind these attacks, it is believed they are part of Russia’s “hybrid warfare”, which consists of a combination of conventional and advanced methods.

Ukraine’s cyber activity has not been solely defensive, with the Ukrainian government forming an “IT Army”. Since the crisis began, several Russian government and media websites have been intermittently offline. Some of these attacks were carried out by the Anonymous hacktivist movement, which has pledged allegiance to Ukraine. The group and its affiliates also claimed to have compromised the Russian Nuclear Institute and the Control Center of the Russian Space Agency ‘Roscosmos’.

Russian APT Groups and Known Attacks

There are a number of APT groups affiliated with Russian organizations:

APT28

  • Attribution: Russia’s General Staff Main Intelligence Directorate (GRU)
  • Active since: 2004
  • Targets: The defense and energy sectors and government organizations
  • Associated attacks: The Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016
  • Tools used: Koadic, Mimikatz, Net, Responder, Tor, USBStealer, Zebrocy

APT29

  • Attribution: Russia’s Foreign Intelligence Service (SVR)
  • Active since: 2008
  • Targets: Government networks in Europe and NATO member countries, research institutes, and think tanks
  • Associated attacks: The SolarWinds supply chain compromise cyber operation was attributed to the SVR, public statements included citations to APT29
  • Tools used: Mimikatz, Net, Cobalt Strike, PsExec, CosmicDuke, FatDuke, GeminiDuke, PowerDuke, SeaDuke, SUNBURST

Sandworm Team

  • Attribution: Russia’s General Staff Main Intelligence Directorate (GRU)
  • Active since: 2009
  • Targets: Ukrainian electrical companies and government organizations, Georgia
  • Associated attacks: The 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the NotPetya attack, the 2018 Olympic Destroyer attack, and attacks against Georgia in 2018 and 2019
  • Tools used: Mimikatz, Net, PsExec, BlackEnergy, Industroyer, NotPetya, KillDesk

Wizard Spider

  • Attribution: Russia-based financially motivated threat group
  • Active since: 2016
  • Targets: The group has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals
  • Associated attacks: The group is originally known for the creation and deployment of TrickBot
  • Tools used: Mimikatz, Net, Cobalt Strike, PsExec, Empire, Bazar, Conti, Dyre, Emotet, GrimAgent, Ryuk, TrickBot

Dragonfly 2.0

  • Attribution: A suspected Russian threat group
  • Active since: 2015
  • Targets: Government entities and multiple U.S. critical infrastructure sectors and parts of the energy sector within Turkey and Switzerland
  • Associated attacks
  • Tools used: Net, PsExec, Reg, CrackMapExec, Impacket

Additional Russian APT groups include ALLANITE, Indrik Spider, Nomadic Octopus, TEMP.Veles, and Turla.

Tools and Vulnerabilities

These APT groups use various tools and malware in their attacks, ranging from commercial and open-source software to custom software designed for malicious purposes.

Tools:

  1. Mimikatz – Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
  2. Net – The Net utility is a component of the Windows operating system, which can be useful for an adversary, such as gathering system and network information for discovery, moving laterally through SMB/Windows admin shares, and interacting with services.
  3. Cobalt Strike – Cobalt Strike is an adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors.
  4. PsExec – PsExec is a tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.
  5. Empire – Empire is a post-exploitation tool which was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.

ICS Malwares:

  1. BlackEnergy – BlackEnergy is a malware toolkit that was originally designed to create botnets for use in conducting DDoS attacks. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions.
  2. Industroyer – Industroyer is a sophisticated malware framework designed to impact the working processes of industrial control systems (ICS), specifically components used in electrical substations. It was used in the attacks on the Ukrainian power grid in December 2016.

Additional Malwares and Ransomwares:

  1. NotPetya – While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems. It contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.
  2. Bazar – Bazar is a downloader and backdoor with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe.
  3. Conti – Conti is a ransomware-as-a-service that has been used against major corporations and government agencies, particularly those in North America.
  4. Emotet – Emotet is a modular malware variant used as a downloader for other malwares such as TrickBot. It has been primarily used to target the banking sector.
  5. Ryuk – Ryuk is a ransomware designed to target enterprise environments.
  6. TrickBot – TrickBot is a Trojan spyware program used for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of “big game hunting” ransomware campaigns.

How SCADAfence Helps Industrial Organizations

We provide a comprehensive solution: the SCADAfence Platform, which was built to protect industrial organizations like yours from industrial cyber attacks (including ransomware). It also helps you implement better security practices through its built-in features. Some of these include:

  • Asset Management 
  • Network Maps
  • Traffic Analyzers

The platform, which is also the highest-rated OT & IoT security platform, monitors the network traffic for any threats, including ones that are found in typical ransomware attacks, such as:

  • Security exploits being sent across the network.
  • Lateral movement attempts using the latest techniques.
  • Network scanning and network reconnaissance.

SCADAfence’s security research team is constantly tracking events and incidents, analyzing them, and implementing different ways to detect those events.

  • The SCADAfence Platform detects the use of WMI and SMB, used by HermeticWizard for spreading across the network.
  • The Platform also detects various tools and vulnerabilities used by Russian APTs, attacks and malware such as: EternalBlue & EternalRomance, BlueKeep, Metasploit, Cobalt-Strike, Remote Services, Remote Scheduled Tasks, OS Credential Dumping (Mimikatz), BITSAdmin and SMB brute-force.
  • The Platform provides an up-to-date reputation service to track malicious files, IPs and domains associated with Russian APTs and malware.

Recommendations & Best Practices

The SCADAfence team recommends the following best practices:

  • Make sure secure offline backups of critical systems are available and up-to-date.
  • Apply the latest security patches on the assets in the network.
  • Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  • Enable strong spam filters to prevent phishing emails from reaching end users.
  • Disable ports and protocols that are not essential.
  • Encrypt sensitive data when possible.
  • Educate staff about the risks and methods of ransomware attacks and how to avoid infection.
  • Recommendation for HermeticWizard: Monitor traffic on the ports HermeticWizard uses to worm through networks (20, 21, 80, 135, 137, 139, 443 and 445). A single connection on these ports is normal; the signal to look for is one host reaching many internal peers on them in a short time.
  • Recommendation for HermeticRansom: Consider using the Go script in the following link for decryption purposes.
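The port-monitoring recommendation above, and the lateral-movement and scanning detection mentioned earlier in this post, come down to the same check: spotting worm-like fan-out, where one internal host opens connections to many other internal hosts on SMB, RPC and NetBIOS ports within a short window. The Python below is an added example written for this page, not SCADAfence code; it applies that check to a handful of constructed flow records. The flow-log format, the internal address ranges, the five-minute window and the threshold of five distinct destination hosts are all assumptions to be tuned per site.

```python
"""Worm-style fan-out detection over flow records (added example, not SCADAfence code).

Flags an internal source host that contacts many distinct internal destinations on the
ports HermeticWizard is reported to use (20, 21, 80, 135, 137, 139, 443, 445) within a
short time window. The log format, address ranges, window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ports listed in the recommendation above.
WORM_PORTS = {20, 21, 80, 135, 137, 139, 443, 445}
# Assumed internal ranges; replace with the site's OT/IT address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
WINDOW = timedelta(minutes=5)      # assumption: how long a "burst" may last
FANOUT_THRESHOLD = 5               # assumption: distinct destination hosts before alerting


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Constructed flow format: '<ISO timestamp> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "port": int(port)}


def detect_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW) -> dict:
    """Return {src_ip: alert} for every internal source that reached at least
    `threshold` distinct internal destinations on WORM_PORTS inside one `window`."""
    flows = sorted((parse_flow(l) for l in lines), key=lambda f: f["ts"])
    per_src = defaultdict(list)
    for f in flows:
        # Only internal-to-internal traffic on the worm's ports is relevant.
        if f["port"] not in WORM_PORTS:
            continue
        if not (is_internal(f["src"]) and is_internal(f["dst"])):
            continue
        per_src[f["src"]].append(f)

    alerts = {}
    for src, fs in per_src.items():
        # Sliding window: count distinct destinations reachable from each start flow.
        for i, start in enumerate(fs):
            dsts, ports = set(), set()
            for g in fs[i:]:
                if g["ts"] - start["ts"] > window:
                    break
                dsts.add(g["dst"])
                ports.add(g["port"])
            if len(dsts) >= threshold:
                alerts[src] = {
                    "distinct_dsts": len(dsts),
                    "ports": sorted(ports),
                    "first_seen": start["ts"].isoformat(),
                }
                break
    return alerts


# Constructed sample flows: one normal workstation, one worm-like host.
SAMPLE_FLOWS = [
    # isolated earlier connection, outside the window of the burst below
    "2022-03-28T08:30:00 10.0.1.50 10.0.1.99 445",
    # normal workstation repeatedly using one file server: no alert
    "2022-03-28T09:00:05 10.0.1.20 10.0.1.10 445",
    "2022-03-28T09:00:35 10.0.1.20 10.0.1.10 445",
    "2022-03-28T09:01:05 10.0.1.20 10.0.1.10 445",
    "2022-03-28T09:01:35 10.0.1.20 10.0.1.10 445",
    # worm-like burst: one host touching many peers over SMB/RPC/NetBIOS
    "2022-03-28T09:00:00 10.0.1.50 10.0.1.10 445",
    "2022-03-28T09:00:10 10.0.1.50 10.0.1.11 445",
    "2022-03-28T09:00:20 10.0.1.50 10.0.1.12 135",
    "2022-03-28T09:00:30 10.0.1.50 10.0.1.13 139",
    "2022-03-28T09:00:40 10.0.1.50 10.0.1.14 445",
    "2022-03-28T09:00:50 10.0.1.50 10.0.1.15 135",
    # outbound HTTPS to an external address: not internal-to-internal, ignored
    "2022-03-28T09:00:55 10.0.1.50 203.0.113.9 443",
    # a port the worm is not reported to use: ignored
    "2022-03-28T09:01:00 10.0.1.50 10.0.1.16 22",
]


def run_sample() -> dict:
    return detect_fanout(SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, alert in run_sample().items():
        print(f"ALERT {src}: {alert['distinct_dsts']} hosts on ports {alert['ports']} from {alert['first_seen']}")
```

The workstation talking to a single file server on 445 never trips the check, while the host that touches six peers in under a minute does; that distinction is what makes a port-based rule usable rather than noisy. On a flat OT network, SCADA servers and engineering workstations that legitimately poll many devices will look like fan-out, so allow-list those known pollers before enabling an alert like this.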

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

Looking Back at 2021 in OT Security With SCADAfence

As 2021 draws to a close, it is time for our customary round-up of the year’s industry-changing cyber attacks, product and company updates, and SCADAfence’s achievements.

A Landmark Year for SCADAfence

Before we get into the year’s industry and product news, 2021 was an astonishing year for us at SCADAfence. We started the year by unveiling our strategic partnership with Rapid7, followed by many partnerships with industry leaders such as Keysight Technologies, BDO, Fujitsu, NCC and others. Then came recognition from SC Media, which named SCADAfence the Best SCADA Security Solution for 2021, and from Frost & Sullivan, which named SCADAfence a leader in its 2021 Frost Radar report on the Critical Infrastructure Cyber Security Market. On that note, we want to thank all our employees, customers, partners, distributors and investors for helping us reach milestones we couldn’t have dreamed of.

OT Security in the Spotlight

2021 started out with the entire security community recovering from the aftermath of the massive SolarWinds campaign. Just a few weeks later, news broke that a water treatment plant in Oldsmar, Florida, had been attacked, and that plant staff had quickly thwarted the attack. The attacker briefly raised the setpoint for sodium hydroxide, the main ingredient in liquid drain cleaners, from 100 parts per million to 11,100 parts per million. The change was reverted almost immediately and the public was never at risk in this case, but it is a sharp lesson in just how important OT security is in 2021 and beyond.

Over the next six months, the OT security industry was reminded that 2021 was the year of ransomware. Some of the ransomware attacks were so colossal that they grabbed national headlines for the impact they had on civilians’ daily lives. In early May, a ransomware attack on Colonial Pipeline, a major East Coast fuel supplier, showed how an attack on IT networks can disrupt OT operations. Shortly after, in June, meat producer JBS USA paid an $11 million ransom after attackers shut down operations at five of its beef-processing plants.

It has been a turbulent year of attacks on the OT security landscape, and just two weeks ago the community moved on to yet another threat that could stay with us for years. There is no way to predict where threat actors will head in 2022, but we expect ransomware attacks on critical infrastructure to keep rising.

Major SCADAfence Product Updates  

With SCADAfence’s product, R&D and security research teams working tirelessly, development saw several milestones. Perhaps most importantly, we enhanced our Governance Portal with a complete UI facelift that delivers faster, more advanced results and covers more compliance regulations. The Governance Portal has become a significant contributor to the company’s revenue growth, driven by customer and market demand and by the cybersecurity executive order issued by United States President Joe Biden.

SCADAfence’s Multi-Site Portal also saw a major update: customers can now distribute their configurations from the Multi-Site Portal to the SCADAfence Platforms deployed at all their sites. The security configuration is managed via profiles and covers many security aspects, including alert policy, IP groups, central licensing, third-party tool integrations, and more. By deploying a central configuration, administrators save time and increase productivity and efficiency when using the SCADAfence Platform across multiple sites.

An additional product offering we launched near the end of 2021 was SCADAfence’s Managed Services for OT security. Industrial organizations can now stand up their OT security with minimal effort: our OT security experts deliver the expertise and technology needed to effectively secure OT networks with visibility, risk management, and vulnerability detection.

And, as usual, there were many equally important additions, such as feature updates, new integrations, performance improvements, and more.

2021, A Banner Year for SCADAfence

With 2022 right around the corner, we can’t forget the trend-setting year that was 2021. Here at SCADAfence, 2021 was a fruitful year of growth and opportunity in which we quadrupled our yearly revenue and doubled our customer base. We expanded our global customer base across a diverse set of industries, including manufacturing, water treatment, critical infrastructure, oil and gas, pharmaceuticals, chemicals, and building management systems (BMS).

As a company, we moved to a beautiful new office in Ramat Gan and we recruited several industry-leading OT security experts from leading cybersecurity organizations to grow our sales, sales engineering and strategy team. We’ll share some more on that in future posts.

To a More Secure Year Ahead 

We hope this recap of 2021 at SCADAfence helps you see the larger trends in OT security and what our product has to offer. Stay tuned for more blog posts, news articles and innovative product updates in the upcoming year, as we continue to examine the new and emerging OT security trends we should all focus on.

As we conclude, we’d like to thank all our customers, employees, partners, investors and everyone who supported us this year. We couldn’t have done it without you, and look forward to continuing to collaborate with you!

Happy New Year!
