As the Internet of Things becomes more and more part of our lives, the security of these devices is imperative, especially because attackers have wasted no time and are continuously targeting them.
Chen Ku-Chieh, an IoT cyber security analyst with the Panasonic Cyber Security Lab, is set to talk about the company’s physical honeypot and about the types of malware they managed to discover through it at HITB CyberWeek on Wednesday (October 18).
In the meantime, we had some questions for him:
Global organizations are increasingly experiencing IoT-focused cyberattacks. What is the realistic worst-case scenario when it comes to such attacks?
The use of IoT is increasingly widespread, from home IoT, office IoT to factory IoT, and the use of automation equipment is increasing. Therefore, the most realistic and worst case for IoT is to affect critical infrastructure equipment, such as industrial control systems (ICS), by attacking IIoT devices.
Hackers can affect the operation of ICSes by attacking IIoT, resulting in large-scale damage. Furthermore, protecting medical IoT devices is also important. Hacked pacemakers, insulin pumps, etc. can affect human lives directly.
What are the main challenges when it comes to vulnerability research of IoT devices?
Expanding from IoT devices to IoT systems. The main challenge is that IoT systems consist of various components. Most components have different software/firmware, hardware, etc. The discovery of vulnerabilities in IoT devices requires expertise in many fields – researchers need to know a lot about chips, applications, communication protocols, network protocols, operating systems, cloud services, and so on.
What advice would you give to an enterprise CISO that wants to make sure the connected devices in use in the organization are as secure as possible?
To start, CISOs should check whether the vendors of the products they plan to use care about product security. How do they deal with vulnerabilities? Do they have a PSIRT? Do they have a point of contact for vulnerability reports? And so on.
Once they settle on a product to use, they should make sure that best practices – e.g., safely configuring the device, applying security updates in a timely manner – are part of the internal processes. They should also check the security of the services the devices use, e.g., network services used by an IP camera. Finally, network defenses should be structured to effectively control the access rights of the various networked devices in the environment.
How do you expect the security of IoT devices to evolve in the near future?
As we move forward, governments will attempt to create security baselines with regulations and certifications (labelling schemes). New security standards for various sectors (automotive, aviation – to name a few) will also be created.
As IoT products use similar network security protocols or hardware components, IoT security will no longer be a unilateral effort by the manufacturers. In the future, manufacturers, suppliers of parts, security organizations and governments will cooperate more closely, and even achieve mutual defense alliances to ensure effective and immediate protection.
The Sandworm Team hacking group is part of Unit 74455 of the Russian Main Intelligence Directorate (GRU), the US Department of Justice (DoJ) claimed as it unsealed an indictment against six hackers and alleged members on Monday.
Sandworm Team attacks
“These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: Ukraine; Georgia; elections in France; efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort,” the DoJ alleges.
“Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.”
At the same time, the UK National Cyber Security Centre says that it assesses “with high confidence” that the group had been actively targeting organizations involved in the 2020 Olympic and Paralympic Games before they were postponed.
“In the attacks on the 2018 Games, the GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony. It went on to target broadcasters, a ski resort, Olympic officials and sponsors of the games. The GRU deployed data-deletion malware against the Winter Games IT systems and targeted devices across the Republic of Korea using VPNFilter,” the UK NCSC said.
“The NCSC assesses that the incident was intended to sabotage the running of the Winter Olympic and Paralympic Games, as the malware was designed to wipe data from and disable computers and networks. Administrators worked to isolate the malware and replace the affected computers, preventing potential disruption.”
The UK government confirmed their prior assessments that many of the aforementioned attacks had been the work of the Russian GRU.
Sandworm Team hackers
Sandworm Team (aka “Telebots,” “Voodoo Bear,” “Iron Viking,” and “BlackEnergy”) is the group behind many conspicuous attacks in the last half a decade, the DoJ claims, all allegedly performed under the aegis of the Russian government.
The six alleged Sandworm Team hackers against which the indictments have been brought were responsible for a variety of tasks:
One of them, Anatoliy Kovalev, has been previously charged by a US court “with conspiring to gain unauthorized access into the computers of US persons and entities involved in the administration of the 2016 US elections,” the DoJ noted.
The US investigation into the group has lasted for several years, and had help from Ukrainian authorities, the Governments of the Republic of Korea and New Zealand, Georgian authorities, and the United Kingdom’s intelligence services, victims, and several IT and IT security companies.
Political and other ramifications
Warrants for the arrest of the six alleged Sandworm Team members have been drawn, but chances are slim-to-nonexistent that arrests will be performed in the near or far future.
The Russian government’s official position is that the accusations are unfounded and part of an “information war against Russia”.
Russia starts responding to “accusations” of hacking operations. Chairman of the State Parliament committee on international affairs Dmitry Novikov says this is part of “information war against Russia”. https://t.co/ifSuCM23VN
— Lukasz Olejnik (@lukOlejnik) October 20, 2020
It’s unusual to see the US mount criminal charges against intelligence officers that were engaged in cyber-espionage operations outside the US, but the rationale here is that many of the attacks resulted in real-world consequences that were aimed at undermining the target countries’ governments and destabilizing the countries themselves, and that they affected individuals, civilian critical infrastructure (including organizations in the US), and private sector companies.
“The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims,” commented US Attorney Scott W. Brady for the Western District of Pennsylvania.
There are currently no laws and norms regulating cyber attacks and cyber espionage in peacetime, but earlier this year Russian Federation president Vladimir Putin called for an agreement between Russia and the US that would guarantee the two nations would not try to meddle with each other’s elections and internal affairs via “cyber” means.
This latest round of indictments by the US is unlikely to act as a deterrent but, as Dr. Panayotis Yannakogeorgos recently told Help Net Security, indictments and public attribution of attacks serve several other purposes.
Another interesting result of this indictment may be felt by insurance companies and their customers that have suffered disruption due to cyber attacks mounted by nation-states. Some of their insurance policies may not cover cyber incidents that could be considered an “act of war” (e.g., the NotPetya attacks).
More than 70% of ICS vulnerabilities disclosed in the first half of 2020 can be exploited remotely, highlighting the importance of protecting internet-facing ICS devices and remote access connections, according to Claroty.
The report comprises The Claroty Research Team’s assessment of 365 ICS vulnerabilities published by the National Vulnerability Database (NVD) and 139 ICS advisories issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) during 1H 2020, affecting 53 vendors. The research team discovered 26 of the vulnerabilities included in this data set.
Compared to 1H 2019, ICS vulnerabilities published by the NVD increased by 10.3% from 331, while ICS-CERT advisories increased by 32.4% from 105. More than 75% of vulnerabilities were assigned high or critical Common Vulnerability Scoring System (CVSS) scores.
“There is a heightened awareness of the risks posed by ICS vulnerabilities and a sharpened focus among researchers and vendors to identify and remediate these vulnerabilities as effectively and efficiently as possible,” said Amir Preminger, VP of Research at Claroty.
“We recognized the critical need to understand, evaluate, and report on the comprehensive ICS risk and vulnerability landscape to benefit the entire OT security community.
“Our findings show how important it is for organizations to protect remote access connections and internet-facing ICS devices, and to protect against phishing, spam, and ransomware, in order to minimize and mitigate the potential impacts of these threats.”
Prominence of RCE vulns highlights need to protect internet-facing ICS devices
According to the report, more than 70% of the vulnerabilities published by the NVD can be exploited remotely, reinforcing the fact that fully air-gapped ICS networks that are isolated from cyber threats have become vastly uncommon.
Additionally, the most common potential impact was remote code execution (RCE), possible with 49% of vulnerabilities – reflecting its prominence as the leading area of focus within the OT security research community – followed by the ability to read application data (41%), cause denial of service (DoS) (39%), and bypass protection mechanisms (37%).
The prominence of remote exploitation has been exacerbated by the rapid global shift to a remote workforce and the increased reliance on remote access to ICS networks in response to the COVID-19 pandemic.
Vulnerabilities on the rise
The energy, critical manufacturing, and water & wastewater infrastructure sectors were by far the most impacted by vulnerabilities published in ICS-CERT advisories during 1H 2020.
Of the 385 unique Common Vulnerabilities and Exposures (CVEs) included in the advisories, energy had 236, critical manufacturing had 197, and water & wastewater had 171. Compared to 1H 2019, water & wastewater experienced the largest increase of CVEs (122.1%), while critical manufacturing increased by 87.3% and energy by 58.9%.
Assessment of ICS vulnerabilities discovered
The research team discovered 26 ICS vulnerabilities disclosed during 1H 2020, prioritizing critical or high-risk vulnerabilities that could affect the availability, reliability, and safety of industrial operations.
The team focused on ICS vendors and products with vast install bases, integral roles in industrial operations, and those that utilize protocols in which researchers have considerable expertise. These 26 vulnerabilities could have serious impacts on affected OT networks, because more than 60% enable some form of RCE.
Critical vulnerabilities in several industrial VPN implementations for remotely accessing operational technology (OT) networks could allow attackers to overwrite data, execute malicious code or commands, cause a DoS condition, and more.
“Exploiting these vulnerabilities can give an attacker direct access to the field devices and cause some physical damage,” Claroty researchers noted.
Since COVID-19 stepped on the global stage, enterprise-grade VPN installations have become a must for any organization that relies on a remote workforce. Simultaneously, they’ve become great targets for criminals looking for a way into companies’ IT networks and assets.
This situation has spurred the researchers to search for vulnerabilities in industrial VPN solutions used by remote operators and third-party vendors for accessing, maintaining and monitoring field controllers, programmable logic controllers (PLCs) and input/output (IO) devices deployed at oil and gas installations, water utilities and electric utilities.
These include Secomea’s GateManager M2M Server, Moxa’s industrial VPN servers with an all-in-one secure router, and HMS Networks’ eCatcher VPN client.
Secomea’s GateManager, which is an ICS remote access server deployed worldwide as a cloud-based SaaS solution with many general-purpose and white-label instances deployed, has been found to have several flaws, all pretty serious:
- CVE-2020-14500 – arising from the improper handling of some of the HTTP request headers provided by the client, it could be exploited – remotely and without authentication – to execute malicious code and effectively gain access to a customer’s internal network
- CVE-2020-14508 – an off-by-one error bug that may allow an attacker to achieve RCE or cause a DoS condition
- CVE-2020-14510 – hardcoded telnet credentials
- CVE-2020-14512 – weak hash type that could reveal users’ passwords
Moxa’s EDR-G902 and EDR-G903 series secure routers/VPN servers sport a stack-based buffer overflow bug (CVE-2020-14511) that could lead to RCE.
Finally, there’s a stack-buffer overflow bug (CVE-2020-14498) in HMS Networks’ eCatcher, a proprietary VPN client that is used to connect to the company’s eWon VPN device, which allows machine builders and factory owners to remotely monitor the performance of their equipment.
This bug can be triggered by tricking targets into visiting a malicious website or opening a malicious email with a specifically crafted HTML element.
“By sending socially engineered emails that embed specifically crafted images capable of exploiting CVE-2020-14498, an attacker could execute code with the highest privileges and completely take over a victim’s machine just by making the victim view the malicious email,” the researchers demonstrated.
“The exploitation phase occurs immediately when the email client (e.g. Outlook) is loading the malicious images.”
With ransomware attackers increasingly looking for ways to disrupt mission-critical systems to force companies to pay hefty sums, we can predict that, sooner or later, they will exploit vulnerabilities in OT-specific solutions.
“We would also like to emphasize that these vulnerabilities reinforce the unique risks inherent to OT remote access,” the researchers noted.
“While the security features of most VPNs make them generally well-suited and secure for IT remote access, such features tend to be less comprehensive than the stringent role- and policy-based administrative controls and monitoring capabilities required to secure OT remote access connections and minimize the risks introduced by employees and third-parties.”
Otorio’s incident response team identified a high-severity vulnerability in OSIsoft’s PI System. They immediately notified OSIsoft of the vulnerability, which OSIsoft filed with ICS-CERT (ICSA-20-163-01).
Figure: PI System architecture implementation
About OSIsoft Software’s PI System
Installed in some of the world’s largest critical infrastructure facilities, OSIsoft Software’s PI System is a data management platform that accesses a broad range of core OT network assets in the sites it serves.
The platform collects, stores, and organizes data from all plant data sources, and is accessed by company operators, engineers, managers, and other plant personnel – who retrieve data from it through various HMIs and client side applications, some of them using the PI Web API.
PI System vulnerability (ICSA-20-163-01)
Otorio’s researchers discovered a vulnerability that, if exploited, could enable attackers to run client-side code on client browsers and trick users to provide their credentials to threat actors.
The exploit is implemented when a victim passes the cursor over an infected field in the PI system. This triggers a fake login form that prompts the victim to re-insert his or her user name and password. Researchers created a short video illustrating the exploit:
“Our industrial cybersecurity experts are trained to identify hard-to-find vulnerabilities just like this one – those which can seriously endanger on-site OT network assets,” said Dor Yardeni, Incident Response Team Leader at Otorio. “Working with OSIsoft, we were able to quickly isolate and remediate the vulnerability, allowing them to continue to provide their customers with smart, and safe, digital production solutions,” he concluded.
OSIsoft recommends affected users upgrade to PI Web API 2019 SP1.
19 vulnerabilities – some of them allowing remote code execution – have been discovered in a TCP/IP stack/library used in hundreds of millions of IoT and OT devices deployed by organizations in a wide variety of industries and sectors.
“Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors,” say the researchers who discovered the flaws.
About the vulnerable TCP/IP software library
The vulnerable library was developed by US-based Treck and a Japanese company named Elmic Systems (now Zuken Elmic) in the 1990s. At one point in time, the two companies parted ways and each continued developing a separate branch of the stack/library.
The one developed by Treck – Treck TCP/IP – is marketed in the U.S. and the other one, dubbed Kasago TCP/IP, is marketed by Zuken Elmic in Asia.
The library’s high reliability, performance, and configurability are what made it so popular and widely deployed.
“The [Treck TCP/IP] library could be used as-is, configured for a wide range of uses, or incorporated into a larger library. The user could buy the library in source code format and edit it extensively. It can be incorporated into the code and implanted into a wide range of device types,” the researchers explained.
“The original purchaser could decide to rebrand, or could be acquired by a different corporation, with the original library history lost in company archives. Over time, the original library component could become virtually unrecognizable. This is why, long after the original vulnerability was identified and patched, vulnerabilities may still remain in the field, since tracing the supply chain trail may be practically impossible.”
The vulnerabilities were discovered by Moshe Kol and Shlomi Oberman from JSOF in the Treck TCP/IP library, and Zuken Elmic confirmed that some of them affect the Kasago library.
About the vulnerabilities
Collectively dubbed Ripple20, the vulnerabilities (numbered CVE-2020-11896 through CVE-2020-11914) range from critical to low-risk. Four enable remote code execution. Others could be used to achieve sensitive information disclosure, (persistent) denial of service, and more.
“One of the critical vulnerabilities is in the DNS protocol and may potentially be exploitable by a sophisticated attacker over the internet, from outside the network boundaries, even on devices that are not connected to the internet,” the researchers noted.
“Most of the vulnerabilities are true zero-days, with 4 of them having been closed over the years as part of routine code changes, but remained open in some of the affected devices (3 lower severity, 1 higher). Many of the vulnerabilities have several variants due to the stack configurability and code changes over the years.”
The researchers plan to release technical reports on some of them and are scheduled to demonstrate exploitation of the DNS vulnerability on a Schneider Electric APC UPS device at Black Hat USA in August.
The Treck TCP/IP library did not receive much attention from security researchers in the past. After JSOF researchers decided to probe it and discovered the flaws, they also discovered that contacting the many, many vendors who implement it was going to be a time-consuming task.
Treck was made aware of the vulnerabilities and fixed them, but insisted on contacting clients and users of the code library themselves and providing the appropriate patches directly.
But, since some of the vulnerabilities also affect the Kasago library, JSOF involved multiple national computer emergency response team (CERT) organizations and regulators in the disclosure process.
“CERT groups focus on ways to identify and mitigate security risks. For example, they can reach a much larger target group of potential users with blast announcements, ‘mass-mailings’ that they broadcast to a long list of participating companies to notify them of the potential vulnerability. Once users are identified, mitigation comes into play,” the researchers explained.
“While the best response might be to install the original Treck patch, there are many situations in which installing the original patch is not possible. CERTs work to develop alternative approaches that can be used to minimize or effectively eliminate the risk, even if patching is not an option.”
The Ripple20 vulnerabilities have been dubbed thusly because of the extent of their impact.
“The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain ‘ripple-effect’. A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people,” they noted.
“The inclusion of the number ’20’ denotes our disclosure process beginning in 2020, while additionally symbolizing and giving deference to our belief in the potential for additional vulnerabilities to be found from the original 19,” they told Help Net Security.
The researchers have pointed out that the vulnerability disclosure process, their own efforts to identify users of the Treck library, and the patch/mitigation dissemination process have been immensely aided by Treck, various CERTs, the CISA, and several security vendors (Forescout, CyberMDX).
A number of vendors have confirmed that their offerings are affected by the Ripple20 flaws. JSOF has compiled a list of affected and non-affected vendors, which will be constantly updated as additional information becomes available.
Device vendors should update the Treck library to a fixed version (22.214.171.124 or higher), while organizations should check their network for affected devices and contact the vendors for more information on how to mitigate the exploitation risk. The researchers will make available, upon request, a script to help companies identify Treck products on their networks.
“Fixing these vulnerabilities presents its own set of challenges, even once they’ve been identified on the network. Some already have patches available. But there are also complicating factors,” Forescout CEO and President Michael DeCesare noted.
“With these types of supply chain vulnerabilities and embedded components, the vendor that is creating the patch isn’t necessarily the one that will release it. That can delay the issuance of a patch. There are also no guarantees that the device vendor is still in business, or that they still support the device. The complex nature of the supply chain may also mean the device is not patchable at all, even if it needs to remain on the network. In such cases, mitigating controls such as segmentation will be needed to limit its risk.”
The various CERTs and agencies like CISA will surely offer mitigation advice via security advisories.
The general availability of ICS-specific intrusion and attack tools is widening the pool of attackers capable of targeting operational technology (OT) networks and industrial control systems (ICS).
“As ICS are a distinct sub-domain to information and computer technology, successful intrusions and attacks against these systems often require specialized knowledge, establishing a higher threshold for successful attacks. Since intrusion and attack tools are often developed by someone who already has the expertise, these tools can help threat actors bypass the need for gaining some of this expertise themselves, or it can help them gain the requisite knowledge more quickly,” FireEye researchers point out.
The tools can also come in handy to experienced actors who might want to conceal their identity or maximize their budget.
ICS attack tools: What’s out there?
The researchers have been tracking a large number of publicly available ICS-specific cyber operation tools for a while now, and here’s what they can tell us about them:
- Most of them have been developed in the last ten years
- Most tools are vendor agnostic
- Not unexpectedly, developers mostly concentrate on creating tools to target the most widely used solutions by the largest ICS original equipment manufacturers such as Siemens, Schneider Electric, GE, ABB, Digi International, Rockwell Automation, and Wind River Systems.
Some tools are “standalone”, others come in the form of modules for popular exploitation frameworks.
Over half of the “standalone” tools are aimed either at discovering and learning about ICS devices attached to a network or at software exploitation:
To create some of the tools, such as ICS-specific malware and ransomware, creators have to have a high degree of knowledge about the target systems as well as coding skills – something that is out of reach for many aspiring attackers.
ICS-specific exploit modules
There is a variety of ICS-specific exploit modules for exploitation frameworks such as Metasploit (free), Core Impact and Immunity Canvas (both commercial), as well as for more recent ICS-specific exploit frameworks: Autosploit, Industrial Exploitation Framework (ICSSPLOIT), and the Industrial Security Exploitation Framework.
“We currently track hundreds of ICS-specific exploit modules related to more than 500 total vulnerabilities, 71 percent of them being potential zero-days,” the researchers noted.
Of the three non-ICS-specific frameworks, Metasploit has the fewest number of ICS-specific exploits, but due to the fact that it’s freely available, these exploits may currently represent the highest danger for defenders.
They mostly target products by these vendors:
“Awareness about the proliferation of ICS cyber operation tools should serve as an important risk indicator of the evolving threat landscape,” the researchers noted.
“Organizations that do not pay attention to available ICS cyber operation tools risk becoming low-hanging fruit for both sophisticated and inexperienced threat actors exploring new capabilities.”
An unnamed US gas pipeline operator has fallen victim to ransomware, which managed to encrypt data both on its IT (information technology) and operational technology (OT) networks and led to a shutdown of the affected natural gas compression facility, the Cybersecurity and Infrastructure Security Agency (CISA) has revealed.
“At no time did the threat actor obtain the ability to control or manipulate operations,” CISA’s advisory noted.
“Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days.”
The attackers started by sending a spearphishing email containing a malicious link. Whether that link led to malware or a phishing page is unknown, but it allowed the attackers to gain access to the target facility’s IT network.
Next, they pivoted to the OT network, and deployed “commodity ransomware” on both networks. It affected human machine interfaces (HMIs), data historians, and polling servers, making it impossible to read and aggregate real-time operational data reported from low-level OT devices and, consequently, resulted in a partial loss of view for human operators.
Programmable logic controllers (PLCs), which read and manipulate physical processes at the facility, were not affected, because the ransomware was only capable of affecting Windows-based systems.
The attack was successful because the facility IT/security operators failed to implement robust segmentation between the IT and OT networks, and the extent and length of the shutdown was partly because the operator’s emergency response plan did not take into consideration the risk posed by cyberattacks.
“Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks,” the agency pointed out. “The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”
The ransomware used in the attack has not been named, so we don’t know whether it’s EKANS, the recently uncovered ransomware that’s capable of stopping a number of processes related to industrial control system operations.
CISA advised asset owners and operators across all sectors to learn from these mistakes and implement a number of planning, operational, technical and architectural mitigations to prevent becoming the next victim.
Among these are:
- Robust network segmentation between IT and OT networks
- Use of multi-factor authentication for remote access to the networks
- A better organization of access rights
- Conducting regular scans of IT network assets with AV programs
- Limiting access to resources over the network
- The implementation of application whitelisting
- The integration of cybersecurity into the organization’s safety training program
- Ensuring the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, and more.
The Transportation Security Administration (TSA) – an agency of the US Department of Homeland Security (DHS) – is tasked with developing broad policies to protect US pipelines, and offers resources and assessments (along with CISA) to help pipeline operators enhance their cybersecurity posture – though there have been calls for an increased mandatory oversight of cybersecurity for gas pipelines and for transferring the oversight responsibility for gas pipelines from the TSA to the US Department of Energy (DOE).
With the ransomware threat surging unstoppably in the last few years, it was just a matter of time until ICS-specific ransomware became a reality.
Researchers from various security outfits have been analyzing EKANS (aka Snake) since it emerged in mid-December 2019 and found that, among other things, it’s capable of stopping a number of processes (applications) related to ICS (industrial control system) operations.
“While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static ‘kill list’ shows a level of intentionality previously absent from ransomware targeting the industrial space,” Dragos researchers pointed out.
How does this ICS-specific ransomware work?
Analyzed by researchers from the MalwareHunterTeam, SentinelOne and Dragos, the EKANS ransomware shows many characteristics of general-purpose ransomware targeting Windows-based systems: once executed on a target system, it first checks whether it is already running and, if not, forcibly stops a long list of processes, then begins encrypting files and deletes the Volume Shadow Copy backups on the victim machine.
“While some of the referenced processes appear to relate to security or management software (e.g., Qihoo 360 Safeguard and Microsoft System Center), the majority of the listed processes concern databases (e.g., Microsoft SQL Server), data backup solutions (e.g., IBM Tivoli), or ICS-related processes,” Dragos researchers noted.
“ICS products referenced include numerous references to GE’s Proficy data historian, with both client and server processes included. Additional ICS-specific functionality referenced includes GE Fanuc licensing server services and Honeywell’s HMIWeb application. Remaining ICS-related items consist of remote monitoring (e.g., historian-like) or licensing server instance such as FLEXNet and Sentinel HASP license managers and ThingWorx Industrial Connectivity Suite.”
EKANS isn’t capable of injecting commands into or manipulating ICS-related processes, so beyond encrypting files its ICS-specific impact is a loss of view: administrators can no longer see what’s happening with control systems and on the network. How much this affects the actual industrial process depends on the specific setup, configuration, process links, etc.
According to Dragos researchers, the malware is incapable of spreading by itself and relies on the attackers to launch it either interactively or via script.
It’s also less disruptive than most ransomware, as “user access to the encrypted system is maintained throughout the process, and the system does not reboot, shutdown, or close remote access channels.”
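The behaviour described above (shadow copy deletion followed by a burst of stopped ICS-related services) is detectable from ordinary Windows logs without any knowledge of the sample itself. The following is an added example, not code from Dragos or any of the researchers cited, that runs a toy version of such a detection over a constructed log. It assumes a simplified one-event-per-line export (ISO timestamp, host, event ID, message); the Security 4688 / Sysmon 1 process-creation and System 7036 service-stop event IDs are real, but the service display names in the watchlist are assumptions loosely modelled on the product families the text names, not EKANS’s actual kill list.

```python
"""Toy detector for EKANS-style host activity: shadow copy deletion plus a
burst of stopped ICS-related services on one host within a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service display names as they would appear in a Service Control Manager
# "entered the stopped state" event (System log, event ID 7036).
# ASSUMPTION: these names are illustrative; take them from real hosts.
ICS_WATCHLIST = {
    "proficy historian",
    "flexnet licensing service",
    "sentinel ldk license manager",
    "honeywell hmiweb",
    "thingworx industrial connectivity",
}

# Command lines commonly used by ransomware to delete Volume Shadow Copies,
# seen in process-creation events (Security 4688 or Sysmon event ID 1).
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.I,
)
STOPPED = re.compile(r"The (?P<svc>.+?) service entered the stopped state", re.I)
# ASSUMPTION: simplified export format "<iso-timestamp> <host> <event-id> <message>"
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<eid>\d+)\s+(?P<msg>.*)$")


def parse_event(line):
    """Parse one exported event line; return None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "host": m.group("host"),
        "eid": int(m.group("eid")),
        "msg": m.group("msg"),
    }


def analyze(lines, window=timedelta(seconds=60), min_stops=3):
    """Return {host: sorted findings} for hosts showing EKANS-like activity.

    A host is flagged for "shadow_copy_deletion" on a matching command line and
    for "ics_service_kill_burst" when at least `min_stops` watchlisted services
    stop inside any `window`-sized interval (a sliding window over sorted times).
    """
    findings = defaultdict(set)
    stops = defaultdict(list)  # host -> timestamps of watchlisted service stops
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["eid"] in (4688, 1) and SHADOW_DELETE.search(ev["msg"]):
            findings[ev["host"]].add("shadow_copy_deletion")
        elif ev["eid"] == 7036:
            m = STOPPED.search(ev["msg"])
            if m and m.group("svc").lower() in ICS_WATCHLIST:
                stops[ev["host"]].append(ev["ts"])
    for host, times in stops.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_stops:
                findings[host].add("ics_service_kill_burst")
                break
    return {h: sorted(f) for h, f in findings.items()}


# Constructed sample log: HIST01 shows the full pattern, ENG02 only two
# unrelated service stops hours apart (normal maintenance, should not alert).
SAMPLE_LOG = """\
2020-02-03T10:14:58 HIST01 7036 The Windows Update service entered the stopped state.
2020-02-03T10:15:01 HIST01 4688 NewProcessName=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe delete shadows /all /quiet
2020-02-03T10:15:02 HIST01 7036 The Proficy Historian service entered the stopped state.
2020-02-03T10:15:02 HIST01 7036 The FlexNet Licensing Service service entered the stopped state.
2020-02-03T10:15:03 HIST01 7036 The Sentinel LDK License Manager service entered the stopped state.
2020-02-03T10:15:03 HIST01 7036 The ThingWorx Industrial Connectivity service entered the stopped state.
2020-02-03T11:40:10 ENG02 7036 The Proficy Historian service entered the stopped state.
2020-02-03T13:05:44 ENG02 7036 The FlexNet Licensing Service service entered the stopped state.
""".splitlines()

if __name__ == "__main__":
    for host, hits in analyze(SAMPLE_LOG).items():
        print(host, ", ".join(hits))
```

The burst threshold is what separates an attack from routine maintenance: a single historian restart on ENG02 is noise, five licensing and historian services stopping within two seconds of a `vssadmin delete shadows` on HIST01 is not. In a real SOC the watchlist would be generated from the host’s actual service inventory rather than typed by hand.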
Who’s using it?
Dragos researchers did not offer an opinion on who might be deploying EKANS. They did note, however, that EKANS has similarities with version 2 of the MegaCortex ransomware, which also sports a process “kill list” containing – among others – the processes EKANS stops.
“Based on this information, it appears EKANS is not unique, or at least not first, in targeting ICS-related processes,” Dragos researchers noted.
The MegaCortex ransomware has been used to target large corporate networks and workstations in the United States, Canada and parts of Europe.
Trend Micro announced the results of research featuring a honeypot imitating an industrial factory. The highly sophisticated Operational Technology (OT) honeypot attracted fraud and financially motivated exploits.
(Image caption: Hardware equipment that ran the factory)
The six-month investigation revealed that unsecured industrial environments are primarily victims of common threats. The honeypot was compromised for cryptocurrency mining, targeted by two separate ransomware attacks, and used for consumer fraud.
“Too often, discussion of cyber threats to industrial control systems (ICS) has been confined to highly sophisticated, nation-state level attacks designed to sabotage key processes. While these do present a risk to Industry 4.0, our research proves that more commonplace threats are more likely,” said Greg Young, vice president of cybersecurity for Trend Micro.
“Owners of smaller factories and industrial plants should therefore not assume that criminals will leave them alone. A lack of basic protections can open the door to a relatively straightforward ransomware or cryptojacking attack that could have serious consequences for the bottom line,” Young added.
(Image caption: Honeyfiles placed in the file server to make it look realistic)
Sophisticated OT honeypot
To better understand the attacks targeting ICS environments, Trend Micro Research created a highly realistic fake industrial prototyping company. The honeypot consisted of real ICS hardware and a mix of physical hosts and virtual machines to run the factory, which included several programmable logic controllers (PLCs), human machine interfaces (HMIs), separate robotic and engineering workstations and a file server.
Trend Micro urges smart factory owners to minimize the number of ports they leave open and to tighten access control policies, among other cybersecurity best practices. In addition, implementing cybersecurity solutions designed for factories can help further mitigate the risk of attack.
All the details regarding this investigation are available in a PDF, no registration required.
A look at cybersecurity for rail systems, building automation and the future of critical infrastructure
Waterfall Security Solutions announced a major expansion into new markets and industry verticals. In support of this expansion, Waterfall has secured a significant new funding round to enable aggressive growth. We caught up with Lior Frenkel, CEO and co-founder of the company, to find out more.
So Lior, you folks just announced a big new expansion and investment. What are your main priorities for Waterfall Security in the next 5 years?
Well, let me first say that our priorities are unchanged as a result of this new investment. CPMG and our other investors made their decisions because they liked what they saw in our vision and plans. We will be doing more and faster, expanding into new markets and innovating more in our fields of expertise.
We serve the most secure industrial sites on the planet. Some of the markets we are planning to expand into are rail transport and Building Automation Systems (BAS) markets.
OK, let’s dig a little deeper. What is the state of cybersecurity for the world’s rail systems, and why do you see an opportunity there?
The rail industry is very focused on safety. In most of the world, the industry is also increasingly focused on physical security. The entire industry though, is only just waking up to cyber threats. Starting only one or two years ago, we saw the entire industry kind of look around and say “Safety is job one, and cybersecurity is essential to safety. Oh rats!” And we saw a lot of operators start looking seriously at cybersecurity. Standards are starting to emerge, and best practice guidance.
And so very recently we have seen many inquiries from rail companies, from North America, Europe, and APAC. We have a bunch of big installations protecting rail systems already, in all these regions, and we see a huge opportunity for our Unidirectional Security Gateway technology in this industry. There is a big push building in this market to really, thoroughly protect safe, reliable and efficient rail systems operations from cyber attacks.
And how about building automation? That’s a huge market and really diverse, isn’t it?
That’s right, and as in any large market, we are setting our targets and priorities. We are focused on the mid and high end of the market – think airports, casinos and large government and office campuses. Medium-sized and large airports, for example, are not really buildings – it’s more accurate to think of them as small cities. They have everything from lighting, escalators, elevators and air conditioning to runway lights, baggage systems and radar systems. A lot of this is safety-critical, like the elevators and runway lights. A lot of this is operations-critical – if the baggage systems go down customers get very unhappy, very quickly, and very publicly.
And like rail, these industries are only starting to look up from what they’re doing and saying “Cybersecurity? Well rats,” and are starting to put some serious security in place. Airports have long had robust physical security programs and even robust cybersecurity for things like personally identifiable information. But physical operations have historically been ignored cybersecurity-wise.
In this market too, we already have many successes for our Unidirectional Gateway technology at some of the world’s largest airports. As you said, this is a huge market and we see a huge opportunity for expansion in the next couple of years.
How do you see the critical infrastructure market more generally evolving in the near future?
It is hard to give one answer for such a large, global and diverse market. One of the interesting changes we see is the involvement of enterprise IT teams in OT environments. People have been talking the talk of IT/OT integration for 15 years now, but in the last 1-2 years we see enterprise security teams not just kicking tires, but for the first time starting to act in large numbers. The first big investment many such teams make is in security and network monitoring – extending the reach of the enterprise SOC into operations. This lets the SOC finally see what’s happening on some of the most important networks in the business.
The problem with effective monitoring though, is that to monitor industrial networks you need to connect from deep inside those networks to a central SOC. We have technology that enables this, but without the risks of interconnecting all of your industrial networks, and connecting them to an external, Internet accessible network.
From the threat angle, the trend of the last decade continues: our adversaries and their attack tools continue to become steadily more powerful and more sophisticated. We see an increase in ransomware propagation into industrial networks, extortion related attacks on OT networks, as well as rapid growth of state-backed reconnaissance and infiltration campaigns.
Industrial enterprises are steadily increasing the strength of their security programs to address the steadily increasing threat. And so, a lot of industrial enterprises are looking hard at the example of the world’s most secure industrial sites and are adopting some or all the techniques that those sites use. These are of course the techniques Waterfall has been pioneering the last 15 years, and so again, we see huge opportunity here.
MITRE released an ATT&CK knowledge base of the tactics and techniques that cyber adversaries use when attacking ICS that operate some of the nation’s most critical infrastructures including energy transmission and distribution plants, oil refineries, wastewater treatment facilities, transportation systems, and more.
The impacts of these attacks range from disruption of operational productivity to serious harm to human life and the surrounding environment.
Building on strong foundations
ATT&CK for ICS builds on the foundation of the globally accessible, freely available MITRE ATT&CK knowledge base, which has been widely adopted by sophisticated cybersecurity teams from around the world to understand adversary behavior and tradecraft and systematically advance defensive capabilities.
“Asset owners and defenders want deep knowledge of the tradecraft and technology that adversaries use in affecting industrial control systems to help inform their defenses,” said Otis Alexander, a lead cybersecurity engineer focusing on ICS cybersecurity at MITRE. “Adversaries may try to interrupt critical service delivery by disrupting industrial processes. They may also try to cause physical damage to equipment. With MITRE ATT&CK for ICS, we can help mitigate the catastrophic failures that affect property or human life.”
Threats to ICS
Recent threats to ICS include the cyber attacks on the Ukrainian grid that shut down power for short periods in 2015 and 2016. The NotPetya campaign in 2017 caused an estimated $10 billion in damage worldwide, hitting Ukrainian energy firms as well as airports, banks, other major companies, and government agencies.
Other examples include the case of a former employee of a firm that installed radio-controlled sewage equipment in Australia, who used a laptop and a radio transmitter to cause pumping station failures that spilled more than 200,000 gallons of raw sewage into parks, waterways, and the grounds of a resort, killing marine life, damaging the waters, and creating a terrible stench.
Some aspects of the existing ATT&CK knowledge base for enterprise IT systems are applicable to ICS, and in many cases may represent an entry point into those ICS systems for adversaries.
The focus of ATT&CK for ICS
ATT&CK for ICS adds the behaviors adversaries use within ICS environments. It highlights the unique aspects of the specialized applications and protocols that ICS operators typically use, and adversaries take advantage of, to interface with physical equipment.
The knowledge base can play several key roles for defenders, including helping establish a standard language for security practitioners to use as they report incidents. With expertise in this domain in short supply, it can also help with the development of incident response playbooks, prioritizing defenses as well as finding gaps, reporting threat intelligence, analyst training and development, and emulating adversaries during exercises.
Austin Scott, principal ICS security analyst at Dragos, said, “ATT&CK for ICS shines a light into the unique threat behaviors leveraged by adversaries targeting Industrial Control System environments. We understand the critical importance ICS threat behaviors play in an effective cybersecurity strategy and we’re proud to contribute to this program and community resource. It is a huge win for the front-line ICS network defenders who now have a common lexicon for categorizing ICS specific techniques to support reporting and further analysis.”
More than 100 participants from 39 organizations reviewed, provided comments, or contributed to ATT&CK for ICS prior to launch. These organizations consisted of a wide range of private and public entities including cyber intelligence and security companies that focus on ICS, industrial product manufacturers, national labs, research institutes, universities, Information Sharing and Analysis Centers, and government agencies supporting public and private critical infrastructure.
Christopher Glyer, chief security architect at FireEye, said, “The ATT&CK framework has been instrumental for cyber defense teams in codifying a lexicon describing how cyber attacks are conducted as well as centralizing examples of research and threat intelligence reports regarding real-world use of attacker techniques. The ICS ATT&CK framework creates a forum for establishing how ICS intrusions are unique/different from enterprise IT intrusions and will enable ICS operations and security teams to better protect these mission critical systems.”
The oil and gas industry and its supply chain face increased cybersecurity risks from advanced threat groups and others as they continue to build out digitally connected infrastructure, Trend Micro reveals.
The latest in-depth report draws on insights from almost a decade’s worth of cyberattacks against the sector, finding that geopolitics and espionage motivate attackers targeting the oil and gas industry. While these attacks are not always sophisticated, they are often targeted and impact production, which can cause real-world damage.
“Industrial cybersecurity is not hopeless. We sometimes forget that in complex environments with appropriate security controls, the attacker is the one who has to get everything right,” said Bill Malik, vice president of infrastructure strategies for Trend Micro.
“ICS manufacturers and integrators are beginning to understand the value of a comprehensive, layered approach to information security. In tandem, information security firms are expanding their integration and analytical capabilities.
“As the IIoT market consolidates, enterprises will have a clearer choice identifying superior, well-integrated and proven technology to protect their systems.”
Oil and gas companies typically run sprawling operations with sites in hard-to-reach locations. Remote monitoring for performance, quality control and safety is therefore essential, but with bandwidth limitations and the focus on availability, communications are often left unencrypted.
Ransomware attacks posing a critical risk
The focus on data availability makes financially motivated ransomware attacks a critical risk for the industry. Carefully planned and well-executed ransomware attacks can cost millions of dollars in damages and down time.
Known cases of ransomware infecting oil and gas companies were designed to create the most havoc, which results in a higher likelihood of the perpetrators being paid.
Additionally, oil and gas companies have increasingly come under the scrutiny of advanced threat groups which usually attack military and defense organizations with geopolitical agendas. The sector is also at risk from attacks designed to steal sensitive information and financially motivated ransomware.
Mitigating oil and gas cybersecurity threats
Firms can use the following strategies to mitigate modern threats:
- Domain name security, such as two-factor authentication for changes to DNS settings
- Data integrity checks
- Implementing DNSSEC
- SSL/TLS certificate monitoring
- Two-factor authentication for webmail
- Improved employee training
- Comprehensive risk assessment of cloud services