
Weekly ICS / OT Security News Digest | SCADAfence – May 10

Our research team has put together all of the most relevant news topics in the Ransomware and IoT security fields, as well as their impacts and their expert recommendations:

IT

Title: Bumblebee Malware Loader

Description: A new malware loader, Bumblebee, is being used as a replacement for the BazarLoader and IcedID to deliver ransomware payloads. Phishing campaigns were observed in which threat actors used Bumblebee to drop shellcode and the Cobalt Strike, Sliver, and Meterpreter frameworks. 

Attack Parameters: The campaigns are delivered via phishing emails containing a link to a malicious file. For persistence, the malware uses scheduled tasks and WMI execution.
Many similarities were found between the loader and TrickBot, including the web-inject module and the evasion technique.

Impact: As BazarLoader was used in attacks in the past, Bumblebee is likely to become a popular tool for ransomware groups.

Recommendations: Following are best practices recommendations to minimize the chances of being infected by ransomware:

  • Apply the latest security patches on the assets in the network.
  • Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  • Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
The SCADAfence Platform also detects scheduled tasks and WMI process creation, as well as the use of Cobalt Strike and Meterpreter. 
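As an added example (not SCADAfence code), the following Python flags the two persistence behaviours described above, processes spawned via WMI and scheduled-task creation, in constructed process-creation events modelled on Sysmon Event ID 1 fields; the field names and sample paths are assumptions:

```python
"""Flag WMI-spawned processes and scheduled-task creation in process-creation
events. Added example; the event shape (Image, ParentImage, CommandLine, User)
is an assumption modelled on Sysmon Event ID 1, not real telemetry."""
import re

# Constructed sample events; none of these are real captures.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start",
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\alice\AppData\Local\Temp\ldr.exe" /sc minute /mo 15',
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "schtasks.exe /query /tn Updater", "User": r"CORP\bob"},
]

# Directories an ordinary user can write to; a persistence target living there
# is far more suspicious than one under System32 or Program Files.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# The /tr value of schtasks is either a quoted path or a single bare token.
_TR_ARG = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def schtasks_target(cmdline):
    """Return the program a 'schtasks /create' command registers, or None."""
    m = _TR_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def evaluate(event):
    """Return a finding for one process-creation event, or None if it is benign."""
    image, parent, cmd = event["Image"], event["ParentImage"], event["CommandLine"]
    # Rule 1: a child of WmiPrvSE.exe is a process started through WMI.
    if basename(parent) == "wmiprvse.exe":
        sev = "high" if in_user_writable(cmd) or in_user_writable(image) else "medium"
        return {"rule": "wmi_process_creation", "severity": sev,
                "user": event["User"], "detail": f"{basename(image)} via WMI: {cmd}"}
    # Rule 2: scheduled-task creation; /query or /delete is not persistence.
    if basename(image) == "schtasks.exe" and re.search(r"(^|\s)/create(\s|$)", cmd, re.I):
        target = schtasks_target(cmd) or ""
        sev = "high" if in_user_writable(target) else "medium"
        return {"rule": "scheduled_task_created", "severity": sev,
                "user": event["User"], "detail": f"task runs {target or '<unparsed>'}"}
    return None


def scan(events):
    """Evaluate every event and keep only the findings."""
    return [f for f in (evaluate(e) for e in events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} ({f['user']}): {f['detail']}")
```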


Ransomware

Title: Lapsus$ Extortion Group – T-Mobile Breach

Description: The Lapsus$ group breached T-Mobile’s network using stolen VPN credentials and gained access to internal systems. The stolen credentials, found on illicit platforms, allowed the attackers to access the company’s internal tools, which in turn allowed them to conduct SIM-swapping attacks.
The credentials used in the hack were disabled after the breach was discovered.

Attack Parameters: Lapsus$ compromises systems to steal source code, customer lists, databases, and other valuable data, then attempts to extort the victim with ransom demands that threaten to publicly leak the data. They primarily focus on obtaining compromised credentials for initial access using the following methods:

  • Deploying Redline password stealer to obtain passwords and session tokens.
  • Buying credentials and session tokens on criminal underground forums.
  • Paying employees at targeted organizations for access to credentials and MFA approval.
  • Searching public code repositories for exposed credentials.
  • The group also uses RDP and VDI to remotely access a business’ environment.

Impact: No sensitive customer data was stolen.

Recommendations: Following are best practices recommendations:

  • Make sure secure offline backups of critical systems are available and up-to-date.
  • Apply the latest security patches on the assets in the network.
  • Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  • Encrypt sensitive data when possible.
  • Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
RDP connections can be tracked with the User Activity Analyzer.


[Image: SCADAfence Platform – User Activity Analyzer]

Title: Black Basta Ransomware

Description: A new ransomware operation, Black Basta, uses a double-extortion scheme, where the threat actors demand a ransom to receive a decryptor and prevent the publishing of the victim’s stolen data.

Targets: Among the operation’s victims are the American Dental Association (ADA) and the German wind turbine giant Deutsche Windtechnik.

Attack Parameters: The malware requires administrator privileges to work, and hijacks the Windows Fax service for persistence on the infected systems. Similarities were found between Black Basta and Conti.


Impact: The ADA took affected systems offline, which disrupted various online services, telephones, email, and webchat.
Deutsche Windtechnik switched off the remote data monitoring connections to the wind turbines, but claimed the wind turbines did not suffer any damage.

Recommendations: Following are best practices recommendations:

  • Make sure secure offline backups of critical systems are available and up-to-date.
  • Apply the latest security patches on the assets in the network.
  • Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  • Encrypt sensitive data when possible.
  • Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.

Title: Stormous – Coca-Cola Breach

Description: The Stormous gang claimed it has successfully breached some of Coca-Cola’s servers and stolen over 160GB of data. There is no indication that Stormous deployed file-encrypting malware on their victims’ networks, making them closer to a data extortion group than a ransomware group.


Attack Parameters: The group works with the tactic of double extortion, which is encryption and data theft. The stolen files are leaked if the victim does not pay the ransom.

Impact: Among the files listed, there are compressed documents, text files with admin, emails, and passwords, account and payment ZIP archives, and other types of sensitive information.

Recommendations: Following are best practices recommendations:

  • Make sure secure offline backups of critical systems are available and up-to-date.
  • Apply the latest security patches on the assets in the network.
  • Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  • Encrypt sensitive data when possible.
  • Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.


IoT

Title: DNS Vulnerability in uClibc IoT Library (CVE-2022-30295)

Description: A new vulnerability (CVE-2022-30295) affects the DNS implementation of all versions of uClibc and uClibc-ng. It could allow an attacker to mount DNS poisoning attacks against IoT devices and routers and potentially take control of them.


Affected vendors: Both uClibc and uClibc-ng are widely used by vendors such as Netgear, Axis, and Linksys, as well as Linux distributions.


Attack Parameters: The vulnerability is caused by the predictability of transaction IDs included in the DNS requests, which may allow attackers to perform DNS poisoning attacks.

Impact: Successful exploitation could allow an attacker to alter or intercept network traffic to compromise connected devices.
This vulnerability has a broad scope not only because of the devices it potentially affects, but also because of the inherent importance of DNS to any device connecting over IP.

Recommendations: An official patch or workarounds have not yet been released.


SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
DNS connections can be tracked with User Activity Analyzer.
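Because no patch is available, a defender's practical check is whether a device's DNS transaction IDs look predictable in captured traffic. The following Python is an added example, not uClibc code and not the SCADAfence Platform's logic; it parses the DNS header from UDP payloads and scores the transaction-ID sequence, using constructed query packets in place of a real capture:

```python
"""Score the predictability of DNS transaction IDs seen from one source.
Added example; the DNS packets below are constructed, not captured traffic."""
import struct
from collections import Counter


def build_query(txid, name="example.invalid"):
    """Construct a minimal DNS A query carrying the given transaction ID.
    Only used here to produce constructed sample packets."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_txid(payload):
    """Return (txid, is_query) from the 12-byte DNS header of a UDP payload."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, (flags & 0x8000) == 0  # QR bit clear means this is a query


def assess_txids(txids, min_samples=8):
    """Heuristic predictability verdict for a sequence of 16-bit transaction IDs.

    Two signals: a dominant constant step between consecutive IDs (a counter),
    and few distinct values (a fixed or near-fixed ID). Either marks the
    sequence as predictable. A real RNG over 16 bits shows neither."""
    n = len(txids)
    if n < min_samples:
        return {"samples": n, "predictable": None, "reason": "not enough samples"}
    deltas = [(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])]
    _, step_count = Counter(deltas).most_common(1)[0]
    step_ratio = step_count / len(deltas)
    distinct_ratio = len(set(txids)) / n
    predictable = step_ratio >= 0.9 or distinct_ratio < 0.5
    return {"samples": n, "step_ratio": round(step_ratio, 2),
            "distinct_ratio": round(distinct_ratio, 2), "predictable": predictable}


def assess_queries(payloads, **kw):
    """Extract transaction IDs from DNS query payloads (responses skipped) and assess."""
    ids = [txid for txid, is_query in map(parse_txid, payloads) if is_query]
    return assess_txids(ids, **kw)


# Constructed samples: one source increments its ID by one per query, the
# other draws IDs that look random. Neither is real captured traffic.
COUNTER_SOURCE = [build_query(0x1000 + i) for i in range(8)]
RANDOM_SOURCE = [build_query(t) for t in
                 (0x3F2A, 0x91C4, 0x07E1, 0xD5B3, 0x6A08, 0xBE77, 0x2C9D, 0xF140)]

if __name__ == "__main__":
    print("counter source:", assess_queries(COUNTER_SOURCE))
    print("random source: ", assess_queries(RANDOM_SOURCE))
```

On real captures, group queries by source address before scoring, since mixing several clients' IDs hides a counter.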

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

Interview With SCADAfence’s New Field CTO, Paul Smith

OT and ICS Industry veteran Paul Smith, author of “Pentesting Industrial Control Systems” has recently joined the SCADAfence team in the role of Field CTO. We interviewed Paul to get his thoughts on the current state of OT security, challenges that need to be addressed and his predictions for the future.

He was interviewed by content marketing manager, Joan Weiner Levin.


Looking Into CISA’s Top 15 Routinely Exploited Vulnerabilities

On April 27, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory in collaboration with CSA/NSA/FBI/ACSC and other cybersecurity authorities, providing details on the top 15 vulnerabilities routinely exploited by threat actors in 2021, and other CVEs frequently exploited.

Nine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, potentially allowing threat actors to remotely take over systems. 

Unpatched devices and systems can serve as an easy network entry point for threat actors, as they provide attackers with a reliable and efficient Initial Access method. A number of these vulnerabilities were seen as a part of ransomware attack vectors, one of today’s top threats to operational technology.

Many of these vulnerabilities share a characteristic that makes them widely exploitable: they affect widely deployed products, so a single flaw is present across a large number of systems.

In the past year, threat actors targeted internet-facing systems, such as email servers and VPN servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, proof-of-concept code was released within two weeks of the vulnerability’s disclosure.

Malicious threat actors continued exploiting publicly known vulnerabilities, demonstrating the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.

The Top 15 Routinely Exploited Vulnerabilities

The top vulnerabilities detail how threat actors exploited newly disclosed vulnerabilities in popular services, aiming to create a massive and extended impact on organizations.

Following are the most exploited vulnerabilities:

  • CVE-2021-44228 – this vulnerability, known as Log4Shell, affects the Apache Log4j library, an open-source logging framework. Exploiting this vulnerability allows threat actors to control Java-based web servers and launch remote code execution attacks.
  • CVE-2020-1472 – this vulnerability, known as ZeroLogon, affects Microsoft’s Active Directory Netlogon Remote Protocol. Exploiting this vulnerability allows an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller.
  • CVE-2019-11510 – this vulnerability affects Pulse Connect Secure. Successful exploitation of this vulnerability allows an unauthenticated remote attacker to perform an arbitrary file reading.
  • CVE-2018-13379 – this vulnerability affects Fortinet’s FortiGate SSL VPN. Exploitation of this vulnerability could allow an unauthenticated attacker to read arbitrary files.
  • CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 – these vulnerabilities, known as ProxyLogon, affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities allows unauthenticated attackers to execute arbitrary code on vulnerable Exchange Servers and compromise trust and identity in a vulnerable network.
  • CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 – these vulnerabilities, known as ProxyShell, also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination enables a remote actor to execute arbitrary code. 

As our customers are well aware, the SCADAfence Platform protects against these vulnerabilities, detects any unexpected connections to and from external devices, and detects unexpected connections to and from the Internet. These connections would trigger alerts indicating that a malicious threat actor might be attempting to exploit a vulnerability.

The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.

The SCADAfence Platform can help identify where the network is exposed to potential risks and match between exposed assets and their relative vulnerabilities.

Additionally, the User Activity Analyzer can be utilized to track any propagation attempts by malicious actors.

Detecting Exploitation Attempts

The SCADAfence Platform detects exploitation attempts of the following vulnerabilities:

  • CVE-2021-44228 (Log4Shell) – this vulnerability was widely exploited; thousands of products use Log4j and were vulnerable to Log4Shell exploitation.
  • CVE-2020-1472 (ZeroLogon) – this vulnerability has been observed in the attack chain of ransomware actors such as Ryuk.
  • CVE-2019-11510 (Pulse) – while patches for this vulnerability were released in April 2019, multiple incidents have occurred where compromised AD credentials were used months after victim organizations patched their VPN appliance.
  • CVE-2018-13379 (Fortinet) – this vulnerability has been exploited routinely for over four years, and has often been used to deploy ransomware.

The SCADAfence research team is constantly monitoring newly disclosed vulnerabilities, as well as routinely exploited ones, and working to continuously improve the platform’s vulnerability detection abilities.

SCADAfence Researchers’ Recommendations for Reducing Risk

Our researchers recommend taking the following measures to minimize the risk of exploitation:

  • Limit Network Exposure – minimize network exposure for all of your control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Monitor Network Traffic – monitor access to the production segments. In your network monitoring tool (and we know a really good one), create logical groups of the affected devices and define traffic rules to alert on suspicious access to them.
  • Monitor User Activity – If you’re a customer, you can use the SCADAfence Platform to monitor access to the affected devices and track all of your user activities using the User Activity View.
  • Connect to the SCADAfence Cloud – again, if you’re a customer, connect your SCADAfence Platform to the SCADAfence Cloud to get the latest signature and CVE updates.

Additional recommendations include updating your software, operating systems, applications, and firmware on IT network assets in a timely manner, while prioritizing patching known exploited vulnerabilities. 

If you’re not a customer yet and would like to see how this works from up close, you can watch a short demo here.


INCONTROLLER / Pipedream: State-Sponsored Attack Tools Targeting Multiple ICS Systems

Dangerous New Malware Can Shut Down, Sabotage Industrial Sites

Pipedream, or Incontroller, is a custom-made, modular ICS attack framework that could be leveraged to cause disruption, degradation, and possibly even destruction depending on targets and the environment.

Pipedream can manipulate a wide variety of PLCs and industrial software, including Omron and Schneider Electric controllers, and can attack ubiquitous industrial technologies including CODESYS, Modbus, and OPC UA.

The framework’s capabilities include performing system enumeration, issuing WMI commands, executing host-based commands, and manipulating the registry. It exploits the known-vulnerable ASRock-signed motherboard driver to execute malicious code in the Windows kernel (CVE-2020-15368).

The framework includes three tools that enable the attacker to send instructions to ICS devices using industrial network protocols:

  • The first tool has multiple capabilities, such as the ability to scan for and enumerate OPC UA servers, suggesting a reconnaissance role.
  • The second tool communicates with ICS devices using the Modbus protocol, which potentially gives it the ability to interact with devices from different manufacturers. However, the tool contains a specific module to interact with, scan, and attack Schneider Electric’s Modicon M251 PLC using Codesys.
  • The third tool is designed to obtain shell access to Omron PLCs. It primarily operates using the HTTP protocol, however it also utilizes Omron’s proprietary FINS over UDP protocol for scanning and device identification.

CISA’s Alert to this also recommends using a tool such as SCADAfence

CISA’s Alert (AA22-103A) states “DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:

“Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic…”

SCADAfence has been on the forefront, defending organizations around the world from attacks on industrial control systems, both with our products, and as a managed service.

The Impact Of The INCONTROLLER / Pipedream Malware

The intent is to leverage the access to ICS systems to elevate privileges, move laterally within the networks, and sabotage mission-critical functions in liquified natural gas and electric power environments.
It has not yet been seen deployed in target networks.

How SCADAfence Detects INCONTROLLER / Pipedream

  • The SCADAfence Platform detects new connections, connections from external devices and from the Internet, and unauthorized connections to OT assets.
  • Furthermore, the Platform detects start, restart, and stop commands sent to PLCs in the network, as well as remote mode change commands, which are necessary steps to alter programs in PLCs.
  • The Platform additionally detects system enumeration scans and HTTP command execution.

Our Experts Recommend

  • Isolate ICS systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving the perimeter.
  • Limit ICS systems’ network connections to allowed management and engineering workstations.
  • Enforce multi-factor authentication for all remote access to ICS networks and devices whenever possible.
  • Change all passwords to ICS devices, especially all default passwords, to unique, strong passwords.
  • Apply the latest security patches on the OT assets in the network.
  • Maintain offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
  • Enforce the principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
  • Monitor systems for loading of unusual drivers, especially for ASRock drivers if no ASRock driver is normally used on the system.

Since the DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices to work with a continuous network monitoring solution going forward, let our experts help you keep your networks & industrial devices secure.


Failed Industroyer2 attack leads to calls for heightened vigilance on ICS networks


Russian-backed Group Attempts to Compromise Ukrainian Power Grid Using Industroyer2 Malware

As part of their ongoing military assault against neighboring Ukraine, Russian-backed hacker group Sandworm launched a series of cyber attacks that threaten the critical infrastructure of the beleaguered country. 
