US charges Sandworm hackers who mounted NotPetya, other high-profile attacks

The Sandworm Team hacking group is part of Unit 74455 of the Russian Main Intelligence Directorate (GRU), the US Department of Justice (DoJ) claimed as it unsealed an indictment against six hackers and alleged members on Monday.

Sandworm hackers

Sandworm Team attacks

“These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: Ukraine; Georgia; elections in France; efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort,” the DoJ alleges.

“Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.”

At the same time, the UK National Cyber Security Centre says that they asses “with high confidence” that the group has been actively targeting organizations involved in the 2020 Olympic and Paralympic Games before they were postponed.

“In the attacks on the 2018 Games, the GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony. It went on to target broadcasters, a ski resort, Olympic officials and sponsors of the games. The GRU deployed data-deletion malware against the Winter Games IT systems and targeted devices across the Republic of Korea using VPNFilter,” the UK NCSC said.

“The NCSC assesses that the incident was intended to sabotage the running of the Winter Olympic and Paralympic Games, as the malware was designed to wipe data from and disable computers and networks. Administrators worked to isolate the malware and replace the affected computers, preventing potential disruption.”

The UK government confirmed their prior assessments that many of the aforementioned attacks had been the work of the Russian GRU.

Sandworm Team hackers

Sandworm Team (aka “Telebots,” “Voodoo Bear,” “Iron Viking,” and “BlackEnergy”) is the group behind many conspicuous attacks in the last half a decade, the DoJ claims, all allegedly performed under the aegis of the Russian government.

The six alleged Sandworm Team hackers against which the indictments have been brought were responsible for a variety of tasks:

Sandworm hackers

One of them, Anatoliy Kovalev, has been previously charged by a US court “with conspiring to gain unauthorized access into the computers of US persons and entities involved in the administration of the 2016 US elections,” the DoJ noted.

The US investigation into the group has lasted for several years, and had help from Ukrainian authorities, the Governments of the Republic of Korea and New Zealand, Georgian authorities, and the United Kingdom’s intelligence services, victims, and several IT and IT security companies.

Political and other ramifications

Warrants for the arrest of the six alleged Sandworm Team members have been drawn, but chances are slim-to-nonexistent that arrests will be performed in the near or far future.

The Russian government’s official position is that the accusations are unbased and part of an “information war against Russia”.

It’s unusual to see the US mount criminal charges against intelligence officers that were engaged in cyber-espionage operations outside the US, but the rationale here is that many of the attacks resulted in real-world consequences that were aimed at undermining the target countries’ governments and destabilizing the countries themselves, and that they affected individuals, civilian critical infrastructure (including organizations in the US), and private sector companies.

“The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims,” commented US Attorney Scott W. Brady for the Western District of Pennsylvania.

There are currently no laws and norms regulating cyber attacks and cyber espionage in peacetime, but earlier this year Russian Federation president Vladimir Putin called for an agreement between Russia and the US that would guarantee the two nations would not try to meddle with each other’s elections and internal affairs via “cyber” means.

This latest round of indictments by the US is unlikely to act as a deterrent but, as Dr. Panayotis Yannakogeorgos recently told Help Net Security, indictments and public attribution of attacks serve several other purposes.

Another interesting result of this indictment may be felt by insurance companies and their customers that have suffered disruption due to cyber attacks mounted by nation-states. Some of their insurance policies may not cover cyber incidents that could be considered an “act of war” (e.g., the NotPetya attacks).

Critical infrastructure and industrial orgs can test Azure Defender for IoT for free

Azure Defender for IoT – Microsoft’s new security solution for discovering unmanaged IoT/OT assets and IoT/OT vulnerabilities – is now in public preview and can be put to the test free of charge.

The solution can alert administrators about unauthorized devices connected to the network and unauthorized connections to the internet, changes to firmware versions, potentially malicious commands, illegal DNP3 operations, known malware, unauthorized SMB logins, and more.

Azure Defender for IoT

About Azure Defender for IoT

“As industrial and critical infrastructure organizations implement digital transformation, the number of networked IoT and Operational Technology (OT) devices has greatly proliferated. Many of these devices lack visibility by IT teams and are often unpatched and misconfigured, making them soft targets for adversaries looking to pivot deeper into corporate networks,” Phil Neray, Director of Azure IoT Security Strategy at Microsoft, explained.

Azure Defender for IoT enables agentless IoT/OT asset discovery, vulnerability management, and continuous threat monitoring.

The solution can be deployed on-premises and can be integrated with (i.e., send data/alerts to) Azure Sentinel, Microsoft’s cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution. It can also be deployed without sending any data to Azure.

After being connected to the existing network, the solution uses IoT/OT-aware behavioral analytics and machine learning to eliminate the need to configure any rules, signatures, or other static IOCs, says Neray.

“To capture the traffic, it uses an on-premises network sensor deployed as a virtual or physical appliance connected to a SPAN port or tap. The sensor implements non-invasive passive monitoring with Network Traffic Analysis (NTA) and Layer 7 Deep Packet Inspection (DPI) to extract detailed IoT/OT information in real-time.”

Azure Defender for IoT

Out-of-the box integration with third-party IT security tools (e.g., Splunk, IBM QRadar, and ServiceNow) is available, and the solution woks seamlessly with diverse automation equipment by Rockwell Automation, Schneider Electric, GE, Emerson, Siemens, Honeywell, ABB, Yokogawa, and so on.

Attackers are exploiting two zero-day flaws in Cisco enterprise-grade routers

A technical support intervention has revealed two zero-day vulnerabilities in the OS running on Cisco enterprise-grade routers that attackers are trying to actively exploit.

zero-day Cisco enterprise routers

Cisco plans to release software updates to plug these security holes, but in the meantime administrators are advised to implement one or all of the provided mitigations.

About the vulnerabilities

The two zero-day flaws – CVE-2020-3566 and CVE-2020-3569 – affect the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software, running on Cisco enterprise-grade routers for service providers, data centers, enterprises, and critical infrastructure.

They can be exploited by an unauthenticated, remote attacker by sending crafted IGMP (Internet Group Management Protocol) traffic to an affected device.

“A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols,” Cisco explained.

Proposed mitigations include:

  • Implementing a rate limiter for IGMP traffic
  • implementing an access control entry (ACE) to an existing interface access control list (ACL). “Alternatively, the customer can create a new ACL for a specific interface that denies DVMRP traffic inbound on that interface,” the company noted.

The company has also provided indicators of compromise, i.e., messages that can be seen in the system logs if a device is experiencing memory exhaustion based on exploitation of these vulnerabilities.

“These vulnerabilities affect any Cisco device that is running any release of Cisco IOS XR Software if an active interface is configured under multicast routing,” they added.

With regard to industrial cyber, we can no longer hide our heads in the sand

The massive attack on national infrastructures in Australia, only recently publicized, as well as the attack on Israel’s water infrastructure, do well to illustrate the threats prevalent in the world.

industrial cyber

Note that when a hostile entity—whether a country or terrorist or criminal organization—wants to launch a cyber attack to collect information, steal data or money, it is successful. These two incidents, from the last month, are just a drop in the sea. Many successful attacks are reported and publicized; however, many more are kept under wraps.

Over the years we have more or less learned to deal with attacks of a criminal nature, such as theft, ransom, etc. We have also learned, although a bit less reliably, with theft of business information and secrets. However, as cyber-attacks expand to the industrial sector and critical national infrastructure (Cyber-Physical attacks), we are compelled to deal with attacks of a different kind, with ramifications and damage on an entirely different scale.

Theft of personal data and credentials so thieves can steal money over the web is one problem. Theft of personal data and credentials so thieves can infiltrate a network running a pharmaceuticals production line is an entirely different problem. Now, instead of a pharmaceuticals production line, say power station, railway network, or airport safety management system, and we have a very serious problem.

In many cases, ordinary cyberattacks are just preliminary steps designed to collect intelligence, user names, and passwords in order to infiltrate existing web security mechanisms – mainly firewalls and user identification systems. It could very well be that the attack reported in Australia was intended just for that. It is also possible that the attack on Israel’s water systems was preceded by attacks that mapped out the control networks, identified users, and located entry points.

Countries, including the State of Israel, cannot risk the potential damage from a combined attack by a hostile entity on their electricity, water, food and pharmaceutical production, their transportation systems, and other infrastructures that modern societies depend on. In the past, such destructive capability involved military assault (with missiles, tanks, and artillery) and all that such assaults entailed — declaration of war, counterattacks, and casualties on both sides. Nowadays, such attacks can be launched from afar, employing virtual weapons to inflict physical damage. Such attacks are hard to locate on time, verify who is behind them, and retaliate against them.

Therefore, at present, when national attack capabilities are clear and imminent, we can no longer hide our heads in the sand and leave critical infrastructures and production facilities without adequate protection. We are targets, vulnerable to attack. The security systems developed for the information age are inadequate for the age of industrial cyberattacks. A revolution is needed with regard to the way we deal with threats and prepare for the next attack.

Cyber attacks only increase in sophistication and severity. Yesterday’s nation-state attack tools and techniques are today’s targeted ransomware and pervasive threat environment. Today’s nation-state attacks are tomorrow’s pervasive threat. This steadily worsening threat environment demands of us a much more rapid improvement, firm decisions, and upgrade of the security of all developed nations’ infrastructure cyber defenses.

For a description of how to secure critical infrastructures defend their sites against even the most sophisticated attacks, request a free copy of the book Secure Operations Technology.

Vulnerable platform used in power plants enables attackers to run malicious code on user browsers

Otorio’s incident response team identified a high-score vulnerability in OSISoft’s PI System. They immediately notified OSIsoft Software of the vulnerability, which OSIsoft filed with ICS-CERT (ICSA-20-163-01).

ICSA-20-163-01

PI System Architecture implmentation

About OSIsoft Software’s PI System

Installed in some of the world’s largest critical infrastructure facilities, OSIsoft Software’s PI System is a data management platform that accesses a broad range of core OT network assets in the sites it serves.

The platform collects, stores, and organizes data from all plant data sources, and is accessed by company operators, engineers, managers, and other plant personnel – who retrieve data from it through various HMIs and client side applications, some of them using the PI Web API.

PI System vulnerability (ICSA-20-163-01)

Otorio’s researchers discovered a vulnerability that, if exploited, could enable attackers to run client-side code on client browsers and trick users to provide their credentials to threat actors.

The exploit is implemented when a victim passes the cursor over an infected field in the PI system. This triggers a fake login form that prompts the victim to re-insert his or her user name and password. Researchers created a short video illustrating the exploit:

[embedded content]

“Our industrial cybersecurity experts are trained to identify hard-to-find vulnerabilities just like this one – those which can seriously endanger on-site OT network assets,” said Dor Yardeni, Incident Response Team Leader at Otorio. “Working with OSIsoft, we were able to quickly isolate and remediate the vulnerability, allowing them to continue to provide their customers with smart, and safe, digital production solutions,” he concluded.

OSIsoft recommends affected users upgrade to PI Web API 2019 SP1.

Zero-day flaws in widespread TCP/IP library open millions of IoT devices to remote attack

19 vulnerabilities – some of them allowing remote code execution – have been discovered in a TCP/IP stack/library used in hundreds of millions of IoT and OT devices deployed by organizations in a wide variety of industries and sectors.

“Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors,” say the researchers who discovered the flaws.

flaws TCP/IP library

About the vulnerable TCP/IP software library

The vulnerable library was developed by US-based Treck and a Japanese company named Elmic Systems (now Zuken Elmic) in the 1990s. At one point in time, the two companies parted ways and each continued developing a separate branch of the stack/library.

The one developed by Treck – Treck TCP/IP – is marketed in the U.S. and the other one, dubbed Kasago TCP/IP, is marketed by Zuken Elmic in Asia.

The library’s high reliability, performance, and configurability is what made it so popular and widely deployed.

“The [Treck TCP/IP] library could be used as-is, configured for a wide range of uses, or incorporated into a larger library. The user could buy the library in source code format and edit it extensively. It can be incorporated into the code and implanted into a wide range of device types,” the researchers explained.

“The original purchaser could decide to rebrand, or could be acquired by a different corporation, with the original library history lost in company archives. Over time, the original library component could become virtually unrecognizable. This is why, long after the original vulnerability was identified and patched, vulnerabilities may still remain in the field, since tracing the supply chain trail may be practically impossible.”

The vulnerabilities were discovered by Moshe Kol and Shlomi Oberman from JSOF in the Treck TCP/IP library, and Zuken Elmic confirmed that some of them affect the Kasago library.

About the vulnerabilities

Collectively dubbed Ripple20, the vulnerabilities (numbered CVE-2020-11896 through CVE-2020-11914) range from critical to low-risk. Four enable remote code execution. Others could be used to achieve sensitive information disclosure, (persistent) denial of service, and more.

“One of the critical vulnerabilities is in the DNS protocol and may potentially be exploitable by a sophisticated attacker over the internet, from outside the network boundaries, even on devices that are not connected to the internet,” the researchers noted.

“Most of the vulnerabilities are true zero-days, with 4 of them having been closed over the years as part of routine code changes, but remained open in some of the affected devices (3 lower severity, 1 higher). Many of the vulnerabilities have several variants due to the stack configurability and code changes over the years.”

The researchers plan to release technical reports on some of them and are scheduled to demonstrate exploitation of the DNS vulnerability on a Schneider Electric APC UPS device at Black Hat USA in August.

Coordinated disclosure

The Treck TCP/IP library did not receive much attention from security researchers in the past. After JSOF researchers decided to probe it and discovered the flaws, they also discovered that contacting the many, many vendors who implement it was going to be a time-consuming task.

Treck was made aware of the vulnerabilities and fixed them, but insisted on contacting clients and users of the code library themselves and to provide the appropriate patches directly.

But, since some of the vulnerabilities affect also the Kasago library, JSOF involved multiple national computer emergency response team (CERT) organizations and regulators in the disclosure process.

“CERT groups focus on ways to identify and mitigate security risks. For example, they can reach a much larger target group of potential users with blast announcements, ‘mass-mailings’ that they broadcast to a long list of participating companies to notify them of the potential vulnerability. Once users are identified, mitigation comes into play,” the researchers explained.

“While the best response might be to install the original Treck patch, there are many situations in which installing the original patch is not possible. CERTs work to develop alternative approaches that can be used to minimize or effectively eliminate the risk, even if patching is not an option.”

The Ripple20 vulnerabilities have been dubbed thusly because of extent of its impact.

“The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain ‘ripple-effect’.​ ​A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people,” they noted.

“The inclusion of the number ’20’ denotes our disclosure process beginning in 2020, while additionally symbolizing and giving deference to our belief in the potential for additional vulnerabilities to be found from the original 19,” they told Help Net Security.

The researchers have pointed out that the vulnerability disclosure process, their own efforts to identify users of the Treck library, and the patch/mitigation dissemination process have been immensely aided by Treck, various CERTs, the CISA, and several security vendors (Forescout, CyberMDX).

Risk mitigation

A number of vendors have confirmed that their offerings are affected by the Ripple20 flaws. JSOF has compiled a list of affected and non affected vendors, which will be constantly updated as additional information becomes available.

Device vendors should update the Treck library to a fixed version (6.0.1.67 or higher), while organizations should check their network for affected devices and contact the vendors for more information on how to mitigate the exploitation risk. The researchers will make available, upon request, a script to help companies identify Treck products on their networks.

“Fixing these vulnerabilities presents its own set of challenges, even once they’ve been identified on the network. Some already have patches available. But there are also complicating factors,” Forescout CEO and President Michael DeCesare noted.

“With these types of supply chain vulnerabilities and embedded components, the vendor that is creating the patch isn’t necessarily the one that will release it. That can delay the issuance of a patch. There are also no guarantees that the device vendor is still in business, or that they still support the device. The complex nature of the supply chain may also mean the device is not patchable at all, even if it needs to remain on the network. In such cases, mitigating controls such as segmentation will be needed to limit its risk.”

The various CERTs and agencies like CISA will surely offer mitigation advice via security advisories.

Only 36% of critical infrastructures have a high level of cyber resilience

Greenbone Networks revealed the findings of a research assessing critical infrastructure providers’ ability to operate during or in the wake of a cyberattack.

critical infrastructures cyber resilience

The cyber resilience of critical infrastructures

The research investigated the cyber resilience of organizations operating in the energy, finance, health, telecommunications, transport and water industries, located in the world’s five largest economies: UK, US, Germany, France and Japan. Of the 370 companies surveyed, only 36 percent had achieved a high level of cyber resilience.

To benchmark the cyber resilience of these critical infrastructures, the researchers assessed a number of criteria. These included their ability to manage a major cyberattack, their ability to mitigate the impact of an attack, whether they had the necessary skills to recover after an incident, as well as their best practices, policies and corporate culture.

Infrastructure providers in the US were the most likely to score highly, with 50 percent of companies considered highly resilient. In Europe, the figure was lower at 36 percent. In Japan, is was just 22 percent.

There were also marked differences between industry sectors, with highly-regulated organizations, such as finance and telecoms, most likely to be cyber resilient (both at 46 percent). Transport providers were the least likely to be considered highly resilient (22 percent), while energy providers (32 percent), health providers (34 percent) and water utilities (36 percent) were all close to the average.

Characteristics of a highly-resilient infrastructure provider

They are able to identify critical business processes, related assets and their vulnerabilities: Highly-resilient organizations thoroughly analyse their critical business processes and know which digital assets underpin these processes. They continuously check for vulnerabilities, taking appropriate measures to mitigate or close them.

They deploy cybersecurity architectures that are tailored to their business processes: This focus places them in a strong position to mitigate damage caused by an attack.

They have well-established and well-communicated best practices: The highest performing organizations have well-defined policies and best practices. For example, in 95 percent of highly-resilient organizations, the person responsible for managing a digital asset is also responsible for securing it. This level of expertise and responsibility allows organizations to close gaps and repair damage quickly.

They are more likely to seek third-party support: These companies are more likely to engage with specialist providers, not only to manage security technologies, but also to obtain advice.

For example, they might employ consultants to help develop a security strategy for the company, select suitable technology, implement managed security services, establish metrics for success or calculate the business case for a security project.

They place greater importance on the ability to respond to cyber incidents and mitigate the impact on critical business processes: The ability to prevent cyber incidents is of secondary importance to highly-resilient organizations as they recognize attacks are inevitable.

They are more likely to focus on procedures that lessen the impact of an attack or accelerate their ability to bounce back after an incident.

They prepare for attacks through simulation: They simulate various what-if scenarios in training sessions and also involve stakeholders outside the IT department. They also apply the same cybersecurity rules to all digital assets.

“Cyberattacks are inevitable so being able to firstly withstand them and then recover from them is vital. Nowhere is this more important than in the critical infrastructure industries where any loss or reduction in service could be devastating both socially and economically, so it’s a concern than only just over a third of providers are what we consider to be highly-resilient,” said Dirk Schrader, cyber resilience architect at Greenbone Networks.

“Being cyber resilient involves much more than having enough IT security budget or deploying the right technologies. We hope that – by highlight the key characteristics of highly-resilient organizations – this research will provide a blueprint for others.”

A closer look at the global threat landscape

60% of initial entries into victims’ networks leveraged either previously stolen credentials or known software vulnerabilities, allowing attackers to rely less on deception to gain access, according to a new IBM report exploring the global threat landscape.

global threat landscape

The top three initial attack vectors

  • Phishing was a successful initial infection vector in less than one-third of incidents (31%) observed, compared to half in 2018.
  • Scanning and exploitation of vulnerabilities resulted in 30% of observed incidents, compared to just 8% in 2018. In fact, older, known vulnerabilities in Microsoft Office and Windows Server Message Block were still finding high rates of exploitation in 2019.
  • The use of previously stolen credentials is also gaining ground as a preferred point-of-entry 29% of the time in observed incidents. Just in 2019, the report states more than 8.5 billion records were compromised— resulting in a 200% increase in exposed data reported year over year, adding to the growing number of stolen credentials that cybercriminals can use as their source material.

“The amount of exposed records that we’re seeing today means that cybercriminals are getting their hands on more keys to our homes and businesses. Attackers won’t need to invest time to devise sophisticated ways into a business; they can deploy their attacks simply by using known entities, such as logging in with stolen credentials,” said Wendi Whitmore, Vice President, IBM X-Force Threat Intelligence.

“Protection measures, such as multi-factor authentication and single sign-on, are important for the cyber resilience of organizations and the protection and privacy of user data.”

Configure it out

Of the more than 8.5 billion breached records reported in 2019, seven billion of those, or over 85%, were due to misconfigured cloud servers and other improperly configured systems — a stark departure from 2018 when these records made up less than half of total records.

Banking on ransomware

Some of the most active banking trojans found in this year’s report, such as TrickBot, were increasingly observed to set the stage for full-on ransomware attacks. In fact, novel code used by banking trojans and ransomware topped the charts compared to other malware variants discussed in the report.

Tech trust takeover for phishing

Tech, social media and content streaming household brands make up the “Top 10” spoofed brands that cyber attackers are impersonating in phishing attempts.

This shift could demonstrate the increasing trust put in technology providers over historically trusted retail and financial brands. Top brands used in squatting schemes include Google, YouTube and Apple.

Ransomware attacks evolve

The report revealed trends in ransomware attacks worldwide, targeting both the public and private sectors.

While over 100 U.S. government entities were impacted by ransomware attacks last year, there were also significant attacks against retail, manufacturing and transportation —which are known to either hold a surplus of monetizable data or rely on outdated technology and, thus, face the vulnerability sprawl.

In fact, in 80% of observed ransomware attempts, attackers were exploiting Windows Server Message Block vulnerabilities, the same tactic used to propagate WannaCry, an attack that crippled businesses across 150 countries in 2017.

With ransomware attacks costing organizations over $7.5 billion in 2019, adversaries are reaping the rewards and have no incentive to slow down in 2020. New malware code was observed in 45% of banking trojans and 36% of ransomware. This suggests that by creating new code attackers are continuing to invest in efforts to avoid detection.

Concurrently, a strong relationship between ransomware and banking trojans has been observed, with the latter being used to open the door for targeted, high-stakes ransomware attacks, diversifying how ransomware is being deployed.

For example, the most active financial malware according to the report, TrickBot, is suspected of deploying Ryuk on enterprise networks, while various other banking trojans, such as QakBot, GootKit and Dridex are also diversifying to ransomware variants.

Adversaries spoof tech and social media companies in phishing schemes

As consumers become more aware of phishing emails, phishing tactics themselves are becoming more targeted. There has been a squatting trend in phishing campaigns, wherein attackers are impersonating consumer tech brands with tempting links – using tech, social media and content streaming companies to trick users into clicking malicious links in phishing attempts.

Nearly 60% of the top 10 spoofed brands identified were Google and YouTube domains, while Apple (15%) and Amazon (12%) domains were also spoofed by attackers looking to steal users’ monetizable data. IBM X-Force assesses that these brands were targeted primarily due to the monetizable data they hold.

Facebook, Instagram and Netflix also made the list of top 10 spoofed brands observed but at a significantly lower use rate. This may be due to the fact that these services don’t typically hold directly monetizable data.

As attackers often bet on credential reuse to gain access to accounts with more lucrative payouts, frequent password reuse may be what potentially made these brands targets. In fact, 41% of millennials surveyed reuse the same password multiple times and Generation Z averages use of only five passwords, indicating a heavier reuse rate.

Discerning spoofed domains can be extremely difficult, which is exactly what attackers bet on. With nearly 10 billion accounts combined , the top 10 spoofed brands listed in the report offer attackers a wide target pool, increasing the likelihood that an unsuspecting user clicks an innocent-seeming link from a spoofed brand.

Retail rebounds in targeted industry rankings

Retail has jumped to the second most attacked industry in this year’s report, in a very close race with financial services which remained at the top for the fourth year in a row. Magecart attacks are among the most prominent attacks observed against retail, impacting a reported 80 e-commerce sites in the summer of 2019.

Cybercriminals seem to have set their sights on consumers’ PII, payment card data and even valuable loyalty program information. Retailers also experienced a large amount of ransomware attacks based on insights from IBM’s incident response engagements.

global threat landscape

ICS and OT attacks soar

In 2019, OT targeting increased 2000% year over year with more attacks on ICS and OT infrastructure than any of the prior three years. Most observed attacks involved a combination of known vulnerabilities within SCADA and ICS hardware as well as password-spraying.

North America and Asia: Most targeted regions

These regions experienced the highest number of observed attacks as well as suffered the largest reported data losses over the past year, over 5 billion and 2 billion records exposed respectively.

How to detect and prevent issues with vulnerable LoRaWAN networks

IOActive researchers found that the LoRaWAN protocol – which is used across the globe to transmit data to and from IoT devices in smart cities, Industrial IoT, smart homes, smart utilities, vehicle tracking and healthcare – has a host of cyber security issues that could put network users at risk of attack. Such attacks could cause widespread disruption or in extreme cases even put lives at risk.

vulnerable LoRaWAN networks

Session Keys and Functions in LoRaWAN v1.0.3

Vulnerable LoRaWAN networks

The researchers found the root keys used for encrypting communications between smart devices, gateways and network servers are often poorly protected and easily obtainable through several methods.

This could leave the network vulnerable to attackers who could be able to compromise the confidentiality and integrity of the data flowing to and from connected devices, in order to:

  • Conduct Denial of Service attacks: Once hackers have the encryption keys, they can gain access to the network and cause DoS attacks, disrupting communications between connected devices and the network server, so companies can’t receive any data.
  • Send false data: Alternatively, attackers could intercept communications and replace these with false data, such as fake sensor and meter readings. This could create several issues by allowing hackers to hide malicious activity or cause industrial equipment to damage itself, potentially halting operations and putting company infrastructure at risk.

Trusting LoRaWAN

“Organizations are blindly trusting LoRaWAN because it’s encrypted, but that encryption can be easily bypassed if hackers can get their hands on the keys – which our research shows they can do in several ways, with relative ease, ” explains Cesar Cerrudo, CTO at IOActive. “Once hackers have access, there are many things they could potentially do – they could prevent utilities firms from taking smart meter readings, stop logistics companies from tracking vehicles, or prohibit hospitals from receiving readings from smart equipment. In extreme cases, a compromised network could be fed false device readings to cover up physical attacks against infrastructure, like a gas pipeline. Or to prompt industrial equipment containing volatile substances to overcorrect; causing it to break, combust or even explode.”

Worryingly, IOActive researchers found that there is currently no way for an organization to know if a LoRaWAN network is being or has been attacked, or if an encryption key has been compromised. In response, IOActive has released a LoRaWAN Auditing Framework, which will allow users to audit and pentest the security of their infrastructure and reduce the impact of an attack and ensure that potentially vulnerable LoRaWAN networks are deployed securely.

vulnerable LoRaWAN networks

LoRaWAN PHYPayload Structure

“In any LoRaWAN network, root keys should be properly protected and vendor default keys should be replaced with random and different keys for each device. If possible, Secure Element and Hardware Security Module should be used so keys are never exposed. It’s also important to constantly monitor LoRaWAN networks for detecting and preventing attacks. Finally, all LoRaWAN infrastructure needs to have security audited two or three times a year in order to identify and fix security problems,” Cesar Cerrudo, CTO at IOActive, told Help Net Security.

Honeywell Maxpro VMS/NVR systems vulnerable to hijacking

Honeywell’s Maxpro VMS and NVR, network video recorders and video management systems deployed in commercial, manufacturing and energy facilities around the world, sport critical vulnerabilities that may allow attackers to take control of them.

Honeywell Maxpro vulnerabilities

Patches available for the Honeywell Maxpro vulnerabilities

Two vulnerabilities have been discovered and reported by Joachim Kerschbaumer:

  • CVE-2020-6959, stemming from an unsafe deserialization of untrusted data, which could allowed an attacker to remotely modify deserialized data using a specially crafted web request, resulting in remote code execution
  • CVE-2020-6960, a SQL injection vulnerability that could be exploited by attackers to achieve remote access to the devices’ web user interface with administrator-level privileges.

Both vulnerabilities have been deemed to be critical by the ICS-CERT, as they can be exploited remotely without authentication by low-skilled attackers.

Honeywell assigned somewhat lesser CVSS scores to the vulnerabilities, as it claims they can be exploited only by skilled hackers.

The good news is that there is no public PoC that could help them craft an exploit and no ready-to-use public exploit. Also: Honeywell had already plugged the security holes.

Users are advised to upgrade MAXPRO VMS and NVR to versions R560 and 5.6, respectively, before applying the T2-Patch.

The updates and patches are available at the Honeywell’s MyWebTech site (you have to have a user account/access credentials).

Researchers create OT honeypot, attract exploits and fraud

Trend Micro announced the results of research featuring a honeypot imitating an industrial factory. The highly sophisticated Operational Technology (OT) honeypot attracted fraud and financially motivated exploits.

OT honeypot

Hardware equipment that ran the factory

Complex investigation

The six-month investigation revealed that unsecured industrial environments are primarily victims of common threats. The honeypot was compromised for cryptocurrency mining, targeted by two separate ransomware attacks, and used for consumer fraud.

“Too often, discussion of cyber threats to industrial control systems (ICS) has been confined to highly sophisticated, nation-state level attacks designed to sabotage key processes. While these do present a risk to Industry 4.0, our research proves that more commonplace threats are more likely,” said Greg Young, vice president of cybersecurity for Trend Micro.

“Owners of smaller factories and industrial plants should therefore not assume that criminals will leave them alone. A lack of basic protections can open the door to a relatively straightforward ransomware or cryptojacking attack that could have serious consequences for the bottom line,” Young added.

OT honeypot

Honeyfiles placed in the file server to make it look realistic

Sophisticated OT honeypot

To better understand the attacks targeting ICS environments, Trend Micro Research created a highly realistic, industrial prototyping company. The honeypot consisted of real ICS hardware and a mix of physical hosts and virtual machines to run the factory, which included several programmable logic controllers (PLCs), human machine interfaces (HMIs), separate robotic and engineering workstations and a file server.

Trend Micro urges smart factory owners to minimize the number of ports they leave open and to tighten access control policies, among other cybersecurity best practices. In addition, implementing cybersecurity solutions designed for factories can help further mitigate the risk of attack.

All the details regarding this investigation are available in a PDF, no registration required.

A look at cybersecurity for rail systems, building automation and the future of critical infrastructure

Waterfall Security Solutions announced a major expansion into new markets and industry verticals. In support of this expansion, Waterfall has secured a significant new funding round to enable aggressive growth. We caught up with Lior Frenkel, CEO and co-founder of the company, to find out more.

Lior Frenkel Waterfall Security Solutions

So Lior, you folks just announced a big new expansion and investment. What are your main priorities for Waterfall Security in the next 5 years?

Well, let me first say that our priorities are unchanged as a result of this new investment. CPMG and our other investors made their decisions because they liked what they saw in our vision and plans. We will be doing more and faster, expanding into new markets and innovating more in our fields of expertise.

We serve the most secure industrial sites on the planet. Some of the markets we are planning to expand into are rail transport and Building Automation Systems (BAS) markets.

OK, let’s dig a little deeper. What is the state of cybersecurity for the world’s rail systems, and why do you see an opportunity there?

The rails industry is very focused on safety. In most of the world, the industry is also increasingly focused on physical security. The entire industry though, is only just waking up to cyber threats. Starting only one or two years ago, we saw the entire industry kind of look around and say “Safety is job one, and cybersecurity is essential to safety. Oh rats!” And we saw a lot of operators start looking seriously at cybersecurity. Standards are starting to emerge, and best practice guidance.

And so very recently we have seen many inquiries from rail companies, from North America, Europe, and APAC. We have a bunch of big installations protecting rail systems already, in all these regions, and we see a huge opportunity for our Unidirectional Security Gateway technology in this industry. There is a big push building in this market to really, thoroughly protect safe, reliable and efficient rail systems operations from cyber attacks.

And how about building automation? That’s a huge market and really diverse, isn’t it?

That’s right, and as in any large market, we are setting our targets and priorities. We are focused on the mid and high end of the market – think airports, casinos and large government and office campuses. Medium-sized and large airports, for example, are not really buildings – it’s more accurate to think of them as small cities. They have everything from lighting, escalators, elevators and air conditioning to runway lights, baggage systems and radar systems. A lot of this is safety-critical, like the elevators and runway lights. A lot of this is operations-critical – if the baggage systems go down customers get very unhappy, very quickly, and very publicly.

And like rails, these industries are only starting to look up from what they’re doing and saying “Cybersecurity? Well rats,” and are starting to put some serious security in place. Airports have long had robust physical security programs and even robust cybersecurity for things like personally identifiable information. But physical operations have historically been ignored cybersecurity-wise.

In this market too, we have already many successes for our Unidirectional Gateway technology at some of the world’s largest airports. As you said, this is a huge market and we see a huge opportunity for expansion in the next couple of years.

How do you see the critical infrastructure market more generally evolving in the near future?

It is hard to give one answer for such a large, global and diverse market. One of the interesting changes we see is the involvement of enterprise IT teams in OT environments. People have been talking the talk of IT/OT integration for 15 years now, but in the last 1-2 years we see enterprise security teams not just kicking tires, but for the first time starting to act in large numbers. The first big investment many such teams make is in security and network monitoring – extending the reach of the enterprise SOC into operations. This lets the SOC finally see what’s happening on some of the most important networks in the business.

The problem with effective monitoring though, is that to monitor industrial networks you need to connect from deep inside those networks to a central SOC. We have technology that enables this, but without the risks of interconnecting all of your industrial networks, and connecting them to an external, Internet accessible network.

From the threat angle, the trend of the last decade continues: our adversaries and their attack tools continue to become steadily more powerful and more sophisticated. We see an increase in ransomware propagation into industrial networks, extortion related attacks on OT networks, as well as rapid growth of state-backed reconnaissance and infiltration campaigns.

Industrial enterprises are steadily increasing the strength of their security programs to address the steadily increasing threat. And so, a lot of industrial enterprises are looking hard at the example of the world’s most secure industrial sites and are adopting some or all the techniques that those sites use. These are of course the techniques Waterfall has been pioneering the last 15 years, and so again, we see huge opportunity here.

ATT&CK for ICS: Knowledge base of techniques used by cyber adversaries

MITRE released an ATT&CK knowledge base of the tactics and techniques that cyber adversaries use when attacking ICS that operate some of the nation’s most critical infrastructures including energy transmission and distribution plants, oil refineries, wastewater treatment facilities, transportation systems, and more.

The impacts from these attacks range from disruption to operational productivity to serious harm to human life and the surrounding environment.

ATT&CK for ICS

Building on strong foundations

ATT&CK for ICS builds on the foundation of the globally accessible, freely available MITRE ATT&CK knowledge base, which has been widely adopted by sophisticated cybersecurity teams from around the world to understand adversary behavior and tradecraft and systematically advance defensive capabilities.

“Asset owners and defenders want deep knowledge of the tradecraft and technology that adversaries use in affecting industrial control systems to help inform their defenses,” said Otis Alexander, a lead cybersecurity engineer focusing on ICS cybersecurity at MITRE. “Adversaries may try to interrupt critical service delivery by disrupting industrial processes. They may also try to cause physical damage to equipment. With MITRE ATT&CK for ICS, we can help mitigate the catastrophic failures that affect property or human life.”

Threats to ICS systems

Recent threats to ICS systems include cyber attacks on the Ukrainian grid that shut down power over short periods in 2015 and 2016. The NotPetya campaign in 2017 caused an estimated $10 billion in damage to Ukrainian energy firms as well as airports, banks, other major companies, and government agencies.

Other examples include a former employee of a firm that installed radio-controlled sewage equipment in Australia who used a laptop and radio transmitter to cause pumping station failures that spilled more than 200,000 gallons of raw sewage into parks, waterways, and the grounds of a resort, killing marine life, damaging the waters, and creating a terrible stench.

Some aspects of the existing ATT&CK knowledge base for enterprise IT systems are applicable to ICS, and in many cases may represent an entry point into those ICS systems for adversaries.

The focus of ATT&CK for ICS

ATT&CK for ICS adds the behavior adversaries use within ICS environments. It highlights the unique aspects of the specialized applications and protocols that ICS system operators typically use, and adversaries take advantage of, to interface with physical equipment.

The knowledge base can play several key roles for defenders, including helping establish a standard language for security practitioners to use as they report incidents. With expertise in this domain in short supply, it can also help with the development of incident response playbooks, prioritizing defenses as well as finding gaps, reporting threat intelligence, analyst training and development, and emulating adversaries during exercises.

Austin Scott, principal ICS security analyst at Dragos, said, “ATT&CK for ICS shines a light into the unique threat behaviors leveraged by adversaries targeting Industrial Control System environments. We understand the critical importance ICS threat behaviors play in an effective cybersecurity strategy and we’re proud to contribute to this program and community resource. It is a huge win for the front-line ICS network defenders who now have a common lexicon for categorizing ICS specific techniques to support reporting and further analysis.”

More than 100 participants from 39 organizations reviewed, provided comments, or contributed to ATT&CK for ICS prior to launch. These organizations consisted of a wide range of private and public entities including cyber intelligence and security companies that focus on ICS, industrial product manufacturers, national labs, research institutes, universities, Information Sharing and Analysis Centers, and government agencies supporting public and private critical infrastructure.

Christopher Glyer, chief security architect at FireEye, said, “The ATT&CK framework has been instrumental for cyber defense teams in codifying a lexicon describing how cyber attacks are conducted as well as centralizing examples of research and threat intelligence reports regarding real-world use of attacker techniques. The ICS ATT&CK framework creates a forum for establishing how ICS intrusions are unique/different from enterprise IT intrusions and will enable ICS operations and security teams to better protect these mission critical systems.”

Oil and gas industry risks escalate, cybersecurity should be prioritized

The oil and gas industry and its supply chain face increased cybersecurity risks from advanced threat groups and others as they continue to build out digitally connected infrastructure, Trend Micro reveals.

oil gas industry cybersecurity

The latest in-depth report draws on insights into almost a decade’s worth of cyberattacks against the sector, finding geopolitics and espionage motivate attackers targeting the oil and gas industry. While these attacks are not always sophisticated, they are often targeted and impact production, which can cause real-world damage.

“Industrial cybersecurity is not hopeless. We sometimes forget that in complex environments with appropriate security controls, the attacker is the one who has to get everything right,” said Bill Malik, vice president of infrastructure strategies for Trend Micro.

“ICS manufacturers and integrators are beginning to understand the value of a comprehensive, layered approach to information security. In tandem, information security firms are expanding their integration and analytical capabilities.

“As the IIoT market consolidates, enterprises will have a clearer choice identifying superior, well-integrated and proven technology to protect their systems.”

Oil and gas companies typically run sprawling operations with sites in hard-to-reach locations. Remote monitoring for performance, quality control and safety is therefore essential, but with bandwidth limitations and the focus on availability, communications are often left unencrypted.

Ransomware attacks posing a critical risk

The focus on data availability makes financially motivated ransomware attacks a critical risk for the industry. Carefully planned and well-executed ransomware attacks can cost millions of dollars in damages and down time.

Known cases of ransomware infecting oil and gas companies were designed to create the most havoc, which results in a higher likelihood of the perpetrators being paid.

Additionally, oil and gas companies have increasingly come under the scrutiny of advanced threat groups which usually attack military and defense organizations with geopolitical agendas. The sector is also at risk from attacks designed to steal sensitive information and financially motivated ransomware.

Mitigating oil and gas cybersecurity threats

Firms can use the following strategies to mitigate modern threats:

  • Domain name security, like two factor authentication for changes to DNS settings
  • Data integrity checks
  • Implementing DNSSEC
  • SSL certificate monitoring
  • Two factor authentication for webmail
  • Improved employee training
  • Comprehensive risk assessment of cloud services

European cybersecurity market to exceed $65 billion by 2025

The European cybersecurity market is determined to exceed $65 billion by 2025, according to Graphical Research. This growth is attributed to strong government initiatives to promote data safety and hefty investments in cybersecurity solutions. Industry sectors and cybersecurity The increasing cases of data breaches and cyber attacks on critical business infrastructure have driven several business enterprises toward partnering with government agencies for enhanced cybersecurity. For instance, in July 2016, the EU Commission announced a Public-Private … More

The post European cybersecurity market to exceed $65 billion by 2025 appeared first on Help Net Security.

Insight into NIS Directive sectoral incident response capabilities

An analysis of current operational incident response (IR) set-up within the NIS Directive sectors has been released by ENISA. The NIS Directive and incident response The EU’s NIS Directive (Directive on security of network and information systems) was the first piece of EU-wide cybersecurity legislation. It aims to achieve a high common level of network and information system security across the EU’s critical infrastructure by bolstering capacities, cooperation and risk management practices across the Member … More

The post Insight into NIS Directive sectoral incident response capabilities appeared first on Help Net Security.