At a glance.
- Predictions for Russia’s war in Ukraine.
- A wiper targets the diamond industry.
- New version of Babuk ransomware hits manufacturing company.
- Cyberattacks against the manufacturing industry.
- Cybersecurity for farms.
- GAO issues report on offshore oil and gas cybersecurity.
- ORNL seeks to secure power grids.
- Boa web server vulnerabilities.
- Sandworm renews ransomware activity against Ukrainian targets.
- CISA's ICS advisories.
Predictions for Russia’s war in Ukraine.
Microsoft has published its predictions for cyberthreats stemming from Russia’s hybrid war against Ukraine throughout the winter. Redmond expects to see a continuation of kinetic attacks against civilian infrastructure, supported by disruptive cyberattacks.
Microsoft states that “[t]he repeated temporal, sectoral, and geographic association of these cyberattacks by Russian military intelligence with corresponding military kinetic attacks indicate a shared set of operational priorities and provides strong circumstantial evidence that the efforts are coordinated.”
Microsoft also warns that Russian operators on social media will likely seek to aggravate concerns about energy shortages and inflation in Europe. The company states, “Russia has and will likely continue to focus these campaigns on Germany, a country critical for maintaining Europe’s unity and home to a large Russian diaspora, seeking to nudge popular and elite consensus toward a path favorable to the Kremlin.”
A wiper targets the diamond industry.
The Iran-linked threat actor Agrius used a supply-chain attack to deploy a new wiper against organizations in the diamond industry in South Africa, Israel, and Hong Kong, according to ESET. The threat actor compromised the update mechanism in “an Israeli software suite used in the diamond industry” to launch the wiper. The researchers note that unlike Agrius’s previous campaigns, the threat actor in this case didn’t attempt to disguise the wiper as ransomware.
New version of Babuk ransomware hits manufacturing company.
Researchers at Morphisec announced last week that they’ve observed a new version of Babuk ransomware in the wild. An infestation was detected at a company which Morphisec describes as “a multibillion-dollar manufacturing company with more than 10,000 workstations and server devices.”
The researchers explain in Morphisec’s blog, “The attackers had network access for two weeks of full reconnaissance prior to launching their attack. They have compromised the company’s domain controller and used it to distribute ransomware to all devices within the organization.” They think that earlier attribution of the attacks to WannaRen is mistaken, and they offer three reasons for concluding that the malicious payload is in fact an upgraded version of Babuk:
First, “the overall execution flow and code structure correlates to that presented by Babuk ransomware.”
Second, it uses the same encryption algorithm. As the researchers put it, “one of the most characterizing functions of any ransomware is the encryption method. We verified that the payload in our case matches the one in the Babuk source-code.”
Finally, “the configuration and usage of the original and [this] variant overlap.”
The improvements the attackers made to Babuk are, Morphisec thinks, designed to evade much current scanning and detection technology. The new version of the ransomware “implements side-loading, executes within legitimate applications, and implements reflective loading functionality to hide the rest of the execution steps.”
Cyberattacks against the manufacturing industry.
A joint report from BlackBerry and the British manufacturers’ organization Make UK has found that 42% of manufacturers in the UK have sustained cyberattacks over the past twelve months. Of these organizations, 26% lost between £50,000 and £250,000 as a result of the attacks. The survey also found that 65% of these attacks disrupted or halted production.
Manufacturers cited the maintenance of legacy IT systems as the number one risk to their business, followed by limited cybersecurity skills and providing access to third parties.
Cybersecurity for farms.
Jake Moore at ESET outlines cybersecurity threats to farming equipment. Moore talked to a farmer who fell victim to a phishing attack, which resulted in the loss of access to all of his online accounts used to oversee the farm. This included the system used to track which cows needed milking and which had already been milked. The farmer also lost access to the system that mapped out his tractors’ routes, which took the tractors offline.
Another farmer told Moore that his online tractor monitoring equipment tracks “every detail imaginable that can be analyzed, from which fields have been fertilized to which fields have the most weeds per 50 cm² area in order to know how much pesticide and where to spray it, to reduce consumption compared to a blanket spray.” The tractors can also be controlled and switched off remotely. Moore stresses that if these “systems were hit with ransomware or a DDoS attack, the effects would be financially crippling, especially if it were to happen at harvesting time.”
GAO issues report on offshore oil and gas cybersecurity.
The US Government Accountability Office (GAO) has published a report reviewing the cybersecurity of offshore oil and gas infrastructure.
The GAO recommends that the Department of the Interior’s Bureau of Safety and Environmental Enforcement (BSEE) “immediately develop and implement a strategy to address offshore infrastructure risks.” The GAO says “such a strategy should include an assessment and mitigation of risks; and identify objectives, roles, responsibilities, resources, and performance measures, among other things.” The report also says the Department of the Interior has generally been receptive to its recommendations.
The GAO notes that the BSEE says the severity of cyberattacks could be mitigated by manual overrides, but the report adds that BSEE officials “were not aware of any assessments confirming that manual controls could mitigate the impacts of cyberattacks.” The GAO points to the 2010 Deepwater Horizon disaster as an example of an incident where even manual safety systems failed (though this event wasn’t caused by a cyberattack).
The report finishes, “BSEE has struggled to address cybersecurity risks to offshore oil and gas infrastructure and only recently has taken steps to start a new initiative. This effort remains in the earliest stages of development. Accordingly, it is not guided by an overarching strategy that identifies cybersecurity risks; relevant practices to address those risks; the bureau’s role in addressing them; milestones for activities such as formalizing relationships with other federal agencies and industry organizations; resource needs, such as appropriate staffing levels; and performance measures to assess results.”
ORNL seeks to secure power grids.
The US Department of Energy’s Oak Ridge National Laboratory (ORNL) is researching ways to use high-fidelity sensors and blockchain technology to secure electric grids against cyberattacks. The project, dubbed “DarkNet,” is focused on securing grid equipment communications. ORNL stated, “DarkNet researchers are developing a private network architecture that grid operators can scale up and use to quickly and accurately control power generation and transmission equipment that may sit hundreds or thousands of miles away from a central operational control center— without fear of cyberintrusion. The scientists are testing the architecture on ORNL’s own grid equipment; next they will demonstrate communication on a regional scale and, later, on a national scale.”
Boa web server vulnerabilities.
Microsoft has expanded on an attack earlier described by Recorded Future back in April, in which Chinese state-sponsored actors targeted Indian power grid organizations, an Indian national emergency response system, and the Indian subsidiary of a multinational logistics company. Microsoft says the attackers exploited Boa, an open-source web server that was discontinued in 2005. The researchers note that Boa is still used “by different vendors across a variety of IoT devices and popular software development kits (SDKs).”
Microsoft determined that all of the IP addresses published as IOCs by Recorded Future were connected to Boa servers, and half of these IP addresses returned suspicious headers.
The researchers explain, “Investigating the headers further indicated that over 10% of all active IP addresses returning the headers were related to critical industries, such as the petroleum industry and associated fleet services, with many of the IP addresses associated to IoT devices, such as routers, with unpatched critical vulnerabilities, highlighting an accessible attack vector for malware operators. Most of the suspicious HTTP response headers were returned over a short timeframe of several days, leading researchers to believe they may be associated with intrusion and malicious activity on networks.”
Microsoft found that there are currently over a million Boa servers exposed to the Internet, the majority of which are located in India.
The researchers conclude, “The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network. Updating the firmware of IoT devices does not always patch SDKs or specific SOC components and there is limited visibility into components and whether they can be updated. The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials.”
Microsoft adds that this reconnaissance is particularly important when launching attacks against ICS environments:
“In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people.”
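Finding Boa instances in one's own environment starts with the Server header each device returns, which is the same signal Microsoft used to tie the published IP addresses to Boa. The following is an added example, not code from the article or from Microsoft's research: it parses captured HTTP responses from hosts you administer and flags those that identify as Boa. The sample responses and host addresses are constructed, and the "Boa/<version>" header format is an assumption.

```python
"""Inventory HTTP Server headers to find Boa web server instances on your own network."""
import re
from typing import Dict, List, Optional

# Assumed format of the header Boa builds return, e.g. "Server: Boa/0.94.14rc21".
BOA_RE = re.compile(r"^Boa\b(?:/([\w.\-]+))?", re.IGNORECASE)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return a lower-cased-name dict of headers from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def boa_version(raw: str) -> Optional[str]:
    """Return Boa's version string if the Server header names Boa, else None.

    A bare "Server: Boa" with no version yields "unknown" so it is still flagged.
    """
    server = parse_headers(raw).get("server", "")
    m = BOA_RE.match(server)
    if not m:
        return None
    return m.group(1) or "unknown"


def inventory(responses: Dict[str, str]) -> List[dict]:
    """Map host -> raw response into a list of Boa findings for follow-up with vendors."""
    findings = []
    for host, raw in responses.items():
        ver = boa_version(raw)
        if ver is not None:
            findings.append({"host": host, "boa_version": ver})
    return findings


# Constructed sample responses; the addresses are placeholders, not indicators from the article.
SAMPLE_RESPONSES = {
    "10.0.0.11": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n<html>",
    "10.0.0.12": "HTTP/1.1 401 Unauthorized\r\nserver: boa/0.94.13\r\nWWW-Authenticate: Basic realm=\"router\"\r\n\r\n",
    "10.0.0.13": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.0\r\n\r\n",
    "10.0.0.14": "HTTP/1.1 200 OK\r\nServer: Boa\r\n\r\n",
}

if __name__ == "__main__":
    for f in inventory(SAMPLE_RESPONSES):
        print(f"{f['host']}: Boa {f['boa_version']} (discontinued server; check vendor SDK and firmware)")
```

Feed it responses captured from your own asset scans; a hit means the device's SDK or SoC firmware embeds Boa and may not be fixed by the vendor's regular firmware update, as the Microsoft research describes.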
Sandworm renews ransomware activity against Ukrainian targets.
ESET reports a surge in a ransomware variant the company calls RansomBoggs. Deployed against Ukrainian targets, the malware is written in .NET and represents a new strain of ransomware, but the deployment, ESET says, is similar to what they've observed in Sandworm activity in the past. Sandworm has been associated with Russia's GRU. The researchers tweeted, "There are similarities with previous attacks conducted by #Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the #Industroyer2 attacks against the energy sector." ESET also sees similarities between RansomBoggs and Iridium, Microsoft's name for the GRU operation the company detected in "Prestige" ransomware attacks against Polish and Ukrainian targets in October.
CISA updates its Infrastructure Resilience Planning Framework.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released an updated version of its Infrastructure Resilience Planning Framework (IRPF) to help state, local, tribal, and territorial (SLTT) planners. The new version of the IRPF includes:
- “[A] new tool for identifying critical infrastructure, the Datasets for Critical Infrastructure Identification guide. This dataset provides users with guidance on how and where to find publicly accessible geospatial information system (GIS) on critical infrastructure assets via the Homeland Infrastructure Foundation-Level Data (HIFLD) site, as well as several other GIS sites.
- “Guidance on the challenges of getting a diverse set of opinions when planning. It can be challenging to get all the right stakeholders together and ensure that a diverse range of opinions and interests are considered. The IRPF 1.1 expands on the process of gathering stakeholders.
- “New drought resilience information via CISA’s National Drought Resilience Partnership. This includes a new guide that provides an overview of the drought hazard, examples of direct and indirect impacts it can have on infrastructure systems, and federal resources for assessing and mitigating drought risk.
- “Revised resilience concepts that incorporate CISA’s Methodology for Assessing Regional Infrastructure Resilience. It provides additional detail on analytic methods that planners can use to improve their understanding of infrastructure systems in their community.”
CISA's ICS advisories.
On Tuesday, November 29th, the US Cybersecurity and Infrastructure Security Agency (CISA) issued advisories for Mitsubishi Electric GOT2000, Hitachi Energy's IED Connectivity Packages and PCM600 Products, Hitachi Energy's MicroSCADA ProX SYS600 Products, Moxa UC Series, Mitsubishi Electric FA Engineering Software, Mitsubishi MELSEC and MELIPC Series (Update E), and Omron PLC CJ and CS Series (Update A).
CISA also issued eight advisories for ICS vulnerabilities affecting AVEVA Edge, Digital Alert Systems DASDEC, Phoenix Contact Automation Worx, GE Cimplicity, Moxa Multiple ARM-Based Computers, Hillrom Medical Device Management, Mitsubishi Electric Factory Automation Engineering Products, and Mitsubishi Electric FA Engineering Software Products. The agency also issued advisories for vulnerabilities affecting Red Lion Controls’ Crimson software and Cradlepoint’s IBR600 routers.
And at the beginning of December, CISA released three ICS advisories for BD BodyGuard Pumps, MELSEC iQ-R Series, and Horner Automation Remote Compact Controller.