The rise of opportunistic hacking and information sharing…


Since 2020, security researchers at Mandiant have seen an increasing wave of relatively simple attacks involving ICS systems, with attackers sharing their discoveries with each other.

Earlier this year, an attacker unceremoniously hijacked the water supply system at a water treatment plant in Oldsmar, Florida. This was not a Stuxnet- or Triton-level attack. However, its relative simplicity (the intruder appears to have somehow obtained system credentials and remotely changed settings through the TeamViewer application) sums up the typical threats most OT networks face today: mainly basic attacks on industrial control systems (ICS) that have been inadvertently exposed to the open Internet, or long-term abuse of weak or shared credentials.

In many cases, although industrial organizations are arguably valuable catches, they were not the attackers' original targets, and a cyber-physical attack was not the goal. According to researchers on the Mandiant Cyber Physical Intelligence team, this trend became pronounced last year. They found that OT-related incidents have increased significantly since 2020, and that most actors do not want to turn off the lights, poison the water, or cause any physical consequences. Their tactics are not sophisticated; usually they are not even looking for OT targets, but stumble across these victims by accident.

Mandiant’s research, published today, covers both publicly reported and previously unpublicized OT incidents. It shows that over the past year the number of incidents in which attackers tried to monetize exposed ICS systems has grown, and that attackers have set off a wave of information sharing, posting videos and screenshots of the industrial systems they can access and how they operate, more frequently than Mandiant has seen before.

These incidents affected solar panels and water control systems, as well as building automation systems (BAS) and home security systems. The attackers used known search tools such as Shodan and Censys, as well as commonly used tactics, techniques, and procedures (TTP).

Nathan Brubaker, senior manager of analysis at Mandiant Threat Intelligence, said: “These problems are terrible, but not at the Triton level.” Even so, he said, a mix of cybercriminals, hacktivists and novices is gaining insight and knowledge about complex ICS environments through increased information sharing on underground networks.

“There are some tutorials that show you Shodan and how to research around it and find a water company, then click from there and go to that HMI [human machine interface] that is exposed. And if you don’t need to authenticate to it, then you can do whatever you want,” he said.

Brubaker, who worked on the Mandiant incident response team during the Triton attack, said he is worried.

“These actors are building expertise and a willingness [to] get in touch with other actors,” he said. What happens, he asked, if they meet up with a ransomware group and join forces? “This will make ransomware more impactful in OT.” That worries him.

Sergio Caltagirone, vice president of threat intelligence at ICS security company Dragos, said the Oldsmar attack is a “perfect example” of the type of ICS attack the company sees most often. The worry is not sophisticated, custom ICS malware from well-resourced nation-state hackers, but threats that break in from the public Internet through unknown open ports, or through weak or compromised credentials.

“Although this network is not prepared and defended, it is done by the organization, but in order to protect itself, long-term resources are scarce and funds insufficient… This is a convergence [of more adversaries] catching up with ICS networks that cannot run the most basic security measures,” Caltagirone said.

He said that once a half-open door or an unlocked door is found, they can usually enter via the Internet, and “they can press the button.”

Dragos released its annual report on ICS threats and attack trends earlier this year. Its researchers and incident responders saw the same thing: in all of the incident response cases they handled, attackers could reach the victim’s ICS network directly from the Internet, and shared IT and OT credentials enabled lateral movement within the network.

The Mandiant researchers found that low-complexity compromises often make use of remote access services, including virtual network connections that are not properly secured. HMIs usually come with a user-friendly graphical interface that gives an intruder a convenient view of the industrial process. In one incident the team discovered, the attacker shared images and videos (in Dutch) of a temperature control system he had tampered with, and boasted of breaking into dozens of control systems in North America, Europe, and East Asia.

Some of the threat actors observed by Mandiant appear to be hacktivists. Israeli OT networks were the most common victims in the posts it saw, including a solar company and a data logger used for mining exploration and dam monitoring. One incident involved the building automation system at a location of a major international hotel chain in Australia.

But they also saw several cases of “green” threat actors who did not know what they had compromised: one group falsely claimed to have hacked a German-language railway control system, but the screenshot they posted was actually the web interface of a model train set, researchers discovered. Other attackers boasted that they had struck an Israeli gas system in retaliation for the recent explosion at an Iranian missile facility, but their video showed that they had actually broken into the kitchen ventilation system of an Israeli restaurant.

The attacker who claimed to have hacked into Israel’s gas system actually damaged the kitchen ventilation system of this Israeli restaurant. Source: Mandiant

Upcoming pipeline regulation
At the same time, the US federal government is doubling down on protecting critical infrastructure with some new rules.

The Washington Post reported today that, following the ransomware attack on Colonial Pipeline, the U.S. Department of Homeland Security (DHS) is advancing a plan to regulate cybersecurity in the pipeline industry. In response to the ransomware attack on its IT systems, the company shut down its pipeline for 11 days this month and eventually paid the attackers $4.4 million to decrypt the locked systems. The Colonial Pipeline shutdown led to gasoline shortages in certain areas and panic buying in parts of the southeastern United States. The FBI has linked DarkSide, a ransomware-as-a-service (RaaS) group, to the attack.

According to the Washington Post report, DHS’s Transportation Security Administration (TSA) is expected to issue a security directive this week requiring pipeline companies to report cyberattacks to the federal government and to assess and remediate their security posture.

The Colonial Pipeline ransomware attack hints at what may be in store for critical infrastructure, and more ransomware threats are emerging against public utilities. According to Kaspersky researchers, a rapidly growing ransomware family, JSWorm, now appears to be targeting critical infrastructure organizations around the world. Approximately 41% of JSWorm attacks hit engineering and manufacturing companies, followed by energy and utilities (10%), finance (10%), professional and consumer services (10%), transportation (7%), and healthcare (7%).

Over the past two years, the JSWorm criminal group has produced more than eight malware variants, and was previously known for its Nemty, Milihpen and Gangbang strains. The researchers found that the group behind it initially operated under the ransomware-as-a-service model. Last year it shut that operation down and launched targeted campaigns against high-profile victims, demanding large ransoms.

OT defense
The key is keeping OT systems off the public Internet: Mandiant recommends locking down remote access, monitoring traffic for any malicious activity, disabling any unused network or other services, changing any default credentials, whitelisting access, and auditing device and other system configurations. Mandiant recommends in its report that HMI and ICS systems be configured to enforce a specific range of inputs to prevent dangerous physical results, and that organizations make sure tools such as Shodan and Censys cannot “discover” their devices.
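As an added illustration of the “enforce a specific range of inputs” recommendation (this is example code, not from Mandiant’s report or the article), the guard below sits on an HMI write path and rejects setpoint changes that leave an engineering-defined safe range or jump too far in one step; the tag name, limits and values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class TagLimits:
    """Engineering limits for one process tag (constructed sample values)."""
    low: float        # lowest physically safe value
    high: float       # highest physically safe value
    max_step: float   # largest change allowed in a single write


@dataclass
class SetpointGuard:
    """Validates operator/remote writes before they reach the controller."""
    limits: dict
    current: dict
    audit: list = field(default_factory=list)

    def write(self, operator: str, tag: str, value: float) -> bool:
        lim = self.limits.get(tag)
        if lim is None:
            return self._log(operator, tag, value, "rejected: unknown tag", False)
        if not (lim.low <= value <= lim.high):
            return self._log(operator, tag, value, "rejected: outside safe range", False)
        if abs(value - self.current[tag]) > lim.max_step:
            return self._log(operator, tag, value, "rejected: step too large", False)
        self.current[tag] = value
        return self._log(operator, tag, value, "accepted", True)

    def _log(self, operator, tag, value, outcome, ok):
        # Every attempt, accepted or not, is recorded for later review.
        self.audit.append(f"{operator} {tag}={value} {outcome}")
        return ok


def demo():
    # Hypothetical chemical dosing pump: 0-15 %, at most 2 % change per write.
    guard = SetpointGuard(
        limits={"dosing_pump_pct": TagLimits(0.0, 15.0, 2.0)},
        current={"dosing_pump_pct": 5.0},
    )
    results = [
        guard.write("op1", "dosing_pump_pct", 6.5),   # small in-range step
        guard.write("op1", "dosing_pump_pct", 14.0),  # in range, but too big a jump
        guard.write("op1", "dosing_pump_pct", 80.0),  # far outside the safe range
        guard.write("op1", "fan_speed", 1.0),         # tag not under this guard
    ]
    return results, guard.current["dosing_pump_pct"], guard.audit
```

A real deployment would enforce the same limits in the controller logic as well, since an HMI-side check alone can be bypassed by anyone who reaches the controller directly.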

Kelly Jackson Higgins is the executive editor of Dark Reading. She is an award-winning veteran technology and business journalist who has reported for and edited various publications (including Network Computing, Secure Enterprise…
