At a glance.
- A look at industrial control system security.
- Social engineering cryptocurrency exchanges.
- Cyberespionage in Myanmar.
- Eight US city websites compromised by Magecart group.
- GoldenSpy malware comes bundled with Chinese tax software.
- Hybrid Lucifer malware targets vulnerable Windows systems.
A look at industrial control system security.
Earlier today we attended a virtual panel discussion on the state of cybersecurity in critical industrial infrastructure. The panelists were Rob Lee, CEO of Dragos, Annessa McKenzie, VP of IT and CSO at Calpine, Dmitri Alperovitch, Executive Chairman at Silverado Policy Accelerator, and co-founder of CrowdStrike, and Michael Chertoff, now of the Chertoff Group, and former US Secretary of Homeland Security. The panelists said the COVID-19 emergency has "induced a lot of stress" on organizations, revealing the growing extent of interconnection, and hastening the digital transformation of enterprises. That transformation seems effectively inevitable, but it won't proceed happily if it's not conducted on a sound security foundation. Alperovitch noted that as these systems grow more interconnected, attackers are finding it easier to enter the OT side from the IT systems using legitimate but compromised access, although sophisticated threat actors are increasingly able to bypass the IT side entirely by exploiting vulnerabilities in the OT systems themselves.
As Lee put it, ICS isn't IT; it's IT plus physics and mission. The physics and the mission make it different, and more challenging to secure than IT. Alperovitch added that this difference has led to a culture clash between IT and OT operators, saying, "Security needs to speak the language of the operators."
Securing critical infrastructure involves securing an interconnected global commons, as Chertoff pointed out. While Russia and China in particular have been quick and aggressive in moving against their adversaries in cyberspace during the stresses of the pandemic, it will be necessary to work with both allies and rivals to achieve a set of basic norms with respect to critical infrastructure that benefit everyone. This has worked in the financial sector, where action in mutual self-interest has worked to achieve mutual benefit.
Lee argued that states at least ought to be able to agree that they don't want non-state actors to acquire the offensive capabilities the states themselves have. That recognition ought to inhibit them—the more they use such capabilities, the likelier those capabilities are to proliferate. There was agreement on the value of imposing costs on threat actors, and of fostering more effective information sharing, with appropriate anti-trust exemptions. Chertoff also recommended incentivizing security across critical infrastructure.
The panelists also covered supply-chain security, with Alperovitch saying many people don't seem to have grasped the severity of the Ripple20 IoT vulnerabilities disclosed earlier this month. Lee added that those vulnerabilities highlight a wider problem: losing track of the supply chain. He noted that current cyberattacks against industrial control systems aren't scalable, since every system is different. However, he believes that the technology in these environments is becoming more homogeneous as the underlying technologies converge. That makes sense from a profitability standpoint, but it also opens the systems up to attacks that can work across multiple setups in different organizations. McKenzie concluded that organizations will need to begin fostering partnerships with their suppliers, and that those suppliers will need to be responsible for keeping track of their own supply chain in order to instill confidence in their customers.
Social engineering cryptocurrency exchanges.
Researchers at ClearSky have been tracking a financially motivated group, "CryptoCore," that's stolen an estimated $200 million worth of cryptocurrency since 2018. The group goes after cryptocurrency exchanges with spearphishing attacks after conducting extensive reconnaissance against the targeted organization and its employees. The attackers first target executives' personal and corporate email accounts with messages that purport to come from colleagues or business partners. The phishing emails contain attachments that will install a VBS payload known as "CageyChameleon." They then seek to gain access to the executive's password manager, which allows them to move laterally and sometimes contains keys to cryptocurrency wallets. Their next goal is to remove multi-factor authentication from the exchange wallets, at which point they'll transfer the cryptocurrency to their own wallets.
The researchers aren't sure where the group is based, but they "assess with medium level of certainty that the threat actor has links to the East European region, Ukraine, Russia or Romania in particular."
Cyberespionage in Myanmar.
Anomali has observed an unknown but "very likely China-based" threat actor targeting organizations in Myanmar with spearphishing attacks that deliver malicious Windows Shortcut (LNK) files. Based on the names of the files containing the malware, Anomali thinks the possible targets are the Myanmar Police Force, the National Crisis Management Center, the National League for Democracy, and the Office of Chief of Military Security Affairs. The researchers think the campaign was spurred by an investment made by a subsidiary of China’s Yatai Group in the urban development of a region in Myanmar as part of the Belt and Road Initiative.
Eight US city websites compromised by Magecart group.
Trend Micro warns that the websites of eight unnamed US cities across three states have been compromised by Magecart card-skimming malware. The researchers "believe that these attacks started on April 10 of this year, and are still active." All of the affected websites were built using Click2Gov, a web platform used by local governments for online payment processing and other services. The JavaScript skimming code is simple and was designed specifically for use on a Click2Gov payment form. When a victim clicks "submit" on the form, the code steals card numbers, expiration dates, CVV numbers, names, and addresses.
The researchers haven't disclosed which websites were compromised, telling Threatpost that Trend Micro "prioritizes responsible disclosure of security incidents and chooses not to ‘name and shame’ victims. Our primary goal is to help organizations identify and mitigate these incidents. We have notified the breached parties who will be responsible for handling the situation within each city." The researchers have notified the operators of the affected websites, but they don't know whether the code has been removed.
GoldenSpy malware comes bundled with Chinese tax software.
Trustwave has found a new malware family dubbed "GoldenSpy," which is embedded in tax-paying software that companies doing business in China are required to install. The tax software, produced by the Golden Tax Department of Aisino Corporation, functions as expected, but it also installs a backdoor "with SYSTEM level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure." The malware installs two copies of itself, with one lying dormant unless the other stops running. If either version is deleted, another will be downloaded. Uninstalling the tax software will not remove the malware.
The malware is digitally signed by Chenkuo Network Technology, although the researchers stress that they don't have evidence that either Aisino Corporation or Chenkuo Technology was an active or willing participant in GoldenSpy's placement.
Trustwave identified GoldenSpy while working for a client organization that had recently opened offices in China. The researchers aren't sure if this instance "was targeted because of their access to vital data, or if this campaign impacts every company doing business in China."
Hybrid Lucifer malware targets vulnerable Windows systems.
Palo Alto Networks Unit 42 has discovered an ongoing cryptojacking campaign involving a new strain of versatile malware dubbed "Lucifer." In addition to dropping XMRig for cryptomining, Lucifer is able to launch DDoS attacks and can spread itself using eleven exploits for unpatched Windows systems or by brute-forcing credentials. Unit 42 urges Windows users to apply patches and use strong passwords.
The researchers note that Lucifer's author named the malware "Satan DDoS," but Unit 42 calls it "Lucifer" to differentiate it from the "Satan" ransomware. Whatever you call them, their name is legion.