CISA, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, has responded to and reported a ransomware incident at an unnamed natural gas compression facility in the US. While the plant didn’t lose control of operations at any time, it did experience a partial loss of visibility into real-time operational data. Facility managers elected to “implement a deliberate and controlled shutdown,” which resulted in two days of lost productivity (and revenue). ZDNet suggests that the malware involved may have been EKANS, but CISA is silent on this point, and any report of EKANS remains speculation.
Trend Micro has found what it considers a hitherto unidentified threat actor--they call it “DRBControl”--working against gambling and betting operations in Southeast Asia. DRBControl’s techniques aren’t entirely unfamiliar, however, as Trend Micro discerns some connections with the Winnti and Emissary Panda APTs, both of which have been associated with the Chinese government. The Emissary Panda link is particularly interesting: DRBControl uses the HyperBro backdoor, which until now had been observed only in Emissary Panda operations. Trend Micro considers the campaign an espionage effort.
Eclypsium recommends, based on research that showed widespread unsigned firmware in peripherals, that signatures be verified every time firmware is loaded into memory, and not just upon initial installation. The researchers note that Apple products routinely do this, whereas Windows and Linux systems do not. But the researchers also argue that verification is better seen as the device manufacturer’s responsibility, and not something to be left up to the operating system.