STE WILLIAMS

S4x20 CONFERENCE – Miami – For seven months, researchers at Trend Micro ran a legitimate-looking phony industrial prototyping company with an advanced interactive honeypot network to attract would-be attackers.

The goal was to create a convincing-looking network that attackers wouldn’t recognize as a honeypot so the researchers could track and study attacks against the phony factory in order to gather intel on the real threats to the industrial control system (ICS) sector today.

The faux company’s factory network, which they purposely configured with some ports exposed to the Internet from May through December of last year, was mostly hit with the same types of threats that IT networks face: ransomware, remote access Trojans (RATs), malicious cryptojacking, and online fraud, as well as botnet-style beaconing malware that infected its robotics workstation for possible lateral movement.

But there also were a few more alarming incidents with shades of more targeted intent. In one attack on Aug. 25, 2019, for instance, an attacker worked its way around the robotics system, closed the HMI application, and then powered down the system. Later that month, an attacker was able to start up the factory network, stop the phony conveyer belt – and then shut down the factory network. Attackers via the HMI shut down the factory and locked the screen, while another opened the log view of the robot’s optical eye.

“Yes, your factories will be attacked if they are directly connected to the” Internet, says Stephen Hilt, who will present Trend Micro’s findings from the research here today. But the majority of the attacks and incidents the pretend factory suffered were the same-old, same-old threats facing other industries, notes Hilt, who previously worked on a honeypot for Trend Micro called GasPot in 2015 that was set up to simulate a gas-tank monitoring system to study what attacks would hit those gas tank systems. 

“From our stance, traditional IT threats are what we saw, plain and simple,” says Hilt. But, he says the team can’t be sure they didn’t face any targeted ICS threats that didn’t get very far. Either way, it’s a far cry from Trend Micro’s 2013 water utility honeypot that counted 39 attacks, 12 of which were identified as targeted.

The phony factory network was made up of real ICS hardware and a combination of physical hosts and virtual machines, including two Allen-Bradley Micrologix 1100 PLCs, a Siemens S7-1200 PLC, and an Omron CP1L PLC. The engineering workstation was kept inside the factory network, but the researchers used the same administrative password for the HMI and robotics workstation, which were left exposed on the public Internet – a common mistake made in ICS environments – as a lure.

The PLCs were configured to run the tasks for the “plant”: agitator, burner control, conveyer belt control, and palletizer for stacking pallets using a robotic arm. Hilt says the PLCs were programmed to vary the start and stop of a motor, for example, to emulate real processes. The plant network included three VMs – an HMI for controlling the factory, a robotics workstation to control the palletizer, and an engineering workstation to program the logic for the PLCs. The file server ran on a physical machine.  

After about a month, they opened Remote Desktop Protocol and Virtual Network Connection ports, as well as EtherNet/IP, to attract would-be attackers to the phony industrial prototyping company – dubbed MeTech – which on its website said it serves large military, avionics, and manufacturing clients.

One of the first attacks Hilt and his fellow Trend Micro researchers Federico Maggi, Charles Perine, Lord Remorin, Martin Rösler, and Rainer Vosseler, spotted was a RAT, but it turned out to be for Monero cryptocurrency mining, not a nation-state cyberattack. Even so, the cryptojacking attack heavily drained the server capacity.

Crysis
The network was hit with the infamous Crysis ransomware in September, and the entire process of negotiating with the attackers on the ransom kept the network down for four days. Hilt says that’s an example of how devastating everyday ransomware could be for a real ICS network. “The system was down for a week because it [the malware] spread,” he says. While the PLCs weren’t affected, they lost visibility into the plant operations while the HMI files were locked down by the attackers.

“A loss of production for four days is really bad. We had backups we could restore to, so we restored our VMs and had to rebuild our file server,” he says. But they were able to document all of the steps of the attack as well as the back-and-forth ransom negotiation, where the Trend researchers posed as one of the phony employees on MeTech’s website, Mike Wilson, who emailed the attackers’ with the subject line that read, “MeTech: THIS IS NOT COOL” and lamented: “Not cool we are running a production run of something for an important client and can’t use our robot with out that machine, also all of our files on our file server” and “give us back our files.”

Hilt says they negotiated the ransom down from $10,000 in bitcoin to $6,000 in the email exchange, but didn’t actually pay the ransom. They were able to reset the systems via their backups and eradicate the malware.

There was a second ransomware attack later that month, this time with Crysis variant Phobos, and then in November, a “fake” ransomware attack that basically was a data destruction attack. In that later attack, the hacker wrote scripts targeting MeTech’s ABB Robotics folder, renaming them and demanding ransom. “What I found was more interesting is when we didn’t pay it,”  Hilt says, noting that the attacker deleted the entire folder, “then he wrote a script so that on startup, it opens a bunch of browsers to porn sites.”

Hilt’s theory was that attacker had hoped to resell access to the network in the Dark Web, and that when the ransom wasn’t paid, the attacker lost some potential revenue and decided to destroy the data.

White-Hat to the Rescue
It’s not uncommon for researchers to run into other researchers in the trenches of their honeypots or other work, and Trend Micro’s phony and not secured ICS network caught the attention of researcher Dan Tentler, aka @Viss on Twitter, who is well-known for finding exposed ICS equipment via Shodan searches. Tentler had reported his findings of exposed ICS equipment to the ICS-CERT and “all of the appropriate parties,” according to Trend Micro in a report on the honeypot published today.

Hilt says he and his team contacted Tentler to apprise him of their operation and to “stand down,” noting that his reporting the issue is how a real such ICS event should be handled.

“Part of the reason we see less attacks than in previous honeypots is you have people like Dan doing good work to take down critical devices exposed on the Net,” Hilt says.

Worries of possible threats to critical infrastructure rose earlier this year in the wake of US military action in Baghdad, with the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warning US organizations of the potential for retaliatory attacks against US organizations. Iranian nation-state hacking groups “have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and, potentially, cyber-enabled kinetic attacks,” CISA said in its advisory in early January.

What (Not) to Do
Hilt says MeTech’s network is a lesson on how not to secure an ICS environment.

Among the no-no’s: the VNC left open online with no password and a lack of least-privilege, shared and reused passwords across systems, and not deploying the trust feature in industrial routers, which specifies which hosts can go through the device.

The ICS honeypot network could be resurrected, however: Hilt plans to encourage the ICS community to join forces with Trend Micro to expand the research project.

Related Content:

• Iranian, Syrian Hackers Hit ‘Gas Gauges’ 
• RF Hacking Research Exposes Danger to Construction Sites
• 2019 Online Malware and Threats: A Profile of Today’s Security Posture
• DHS Warns of Potential Iranian Cyberattacks 

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “With International Tensions Flaring, Cyber Risk is Heating Up for All Businesses.”

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/elaborate-honeypot-factory-network-hit-with-ransomware-rat-and-cryptojacking/d/d-id/1336842?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Data attacks reached an all-time high in 2019 as we continued to transform our lives digitally — moving our work, health, financial, and social information online. In response, businesses must meet hefty data and information protection regulatory and compliance requirements. There’s no room for error. Protections are required for everything from simple user mistakes, such as downloading a file on the corporate network and sending it to a personal account, to malicious insider behavior and nation-state attacks. This task and associated fines are daunting.

Governments worldwide are also addressing these challenges by mandating new data protection regulations and privacy acts, including the Global Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Regulations are introducing stricter information protection standards and unprecedented fines companies must plan for and comply with — up to 4% of their annual revenue — for handling business and customer data.

To keep up with these regulations and the global demand for security and privacy, compliance and data risk officer roles are increasing. They create policies and implement tools to track how data is collected, used, managed and stored across its life cycle so businesses remain compliant and earn customers’ trust.

Security and Compliance Are Two Different Worlds
Even with heightened focus on reducing risk, security and compliance teams have different backgrounds and responsibilities, and historically they have not worked together, which means they don’t always understand the other’s business needs.

When it comes to information protection and compliance, most companies focus on thwarting data leaks by locking down data within their perimeter, which can be a device, file server, or network boundary. Data leakage prevention (DLP) identifies sensitive content and defines policies to prevent data egress across the network, devices, and applications.

In parallel, companies’ security teams operate disconnected threat protection solutions — EPP, EDR, SEG, CASB, UEBA, NTA, etc. — designed to prevent, detect, and respond to attacks on companies’ intellectual property. But often these tools — separate from the information protection and DLP tools — don’t know where this intellectual property and sensitive content resides.

Most data protection solutions focus on prevention and ignore a key aspect of risk management and compliance: attackers’ access to sensitive data, which can reside on devices, applications, and/or in the cloud. Threat protection solutions, by contrast, identify attackers in the network but ignore the key aspect of security incidents: the sensitivity of data accessed during an attack.

So, how should we as an industry eliminate the walls between them to deliver a higher level of protection?

Create a Better Security Posture
Unifying security and compliance under a new model of data-aware threat protection will enable businesses to create trust while reducing risk to users and data. By integrating and sharing signals between the DLP and threat protection solutions, companies can determine the business context and impact of each security incident, and the actual risk to each piece of sensitive data. Security teams and data officers can then work in tandem, instead of in silos, to respond to and address incidents faster and more reliably.

This new data-aware threat-protection model has four key advantages:

Risk-based incident prioritization: Security operators typically prioritize incident response based on severity, but that neglects the overall business impact. Data classification awareness by threat protection solutions contributes to how alerts, incidents, and vulnerabilities are prioritized. It helps better determine the risk of the activity, which influences its prioritization. An alert on a corporate device that stores sensitive data is more important than an alert on a device that doesn’t. Even if the security threat on its own is lower, sensitive data in a compromised environment is a reason to act — fast.

More precise threat hunting: By tracing each attacker action and intertwining it with data classification context, analysts can better understand attackers’ motivations and searches. This also arms hunters with the ability to reference data severity. For example, analysts can create a hunting query to address a request like, “Get all PowerShell processes that accessed a sensitive Word doc.” Such context also enables better hunting for data exfiltration threats by understanding whether activity is malicious or benign. For example, reading a file, copying a file to another folder, or taking a screen capture are legitimate actions most times. However, sensitive data is different. Reading such a file may indicate anomalous access to sensitive data, copying a file may be part of staging for exfiltration, and screen capturing may be a way to steal sensitive data.

Automatic remediation across security and compliance boundaries: Automation allows often understaffed security and compliance teams to do more and react more quickly. But missing the incident’s context makes all response playbooks the same. Data classification awareness allows defenders to become more effective by defining customized response actions based on data sensitivity. For example, automatically locking access to sensitive data on at-risk devices until the risk is mitigated or blocking a process performing anomalous access from accessing sensitive files until it’s determined whether the activity is benign or malicious.

More effective security posture management: Security and compliance teams should not just respond to data leaks or data exfiltration incidents after they occur; they should think about being proactive to reduce leaks. Visibility is key. Do you know where your sensitive data is, where it’s stored? Knowing that and combining the compliance (data sensitivity) and security (risk) disciplines enable us to proactively reduce the chance and impact of data breaches. For example, you can prioritize patching devices with sensitive documents, or force two-factor authentication to access sensitive document folders.

Old-school data leakage prevention is not enough for businesses facing a dynamic threat landscape. Adversaries are sophisticated, and no matter how high the wall, they will find a way around. Then, it’s game over. Trust is lost. The industry should recognize that data-aware threat protection is essential to proactively protecting customers’ data and establishing trust and consistency across privacy and security.

Related Content:

• 13 Security Pros Share Their Most Valuable Experiences
• Answer These 9 Questions to Determine if Your Data Is Safe
• Rethinking Enterprise Data Defense
• How SD-WAN Helps Achieve Data Security and Threat Protection

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “With International Tensions Flaring, Cyber-Risk Is Heating Up for All Businesses.”

Moti Gindi is the Corporate Vice President for Microsoft Defender Advanced Threat Protection (ATP). In his role, he manages an engineering team that is responsible for Microsoft’s endpoint security, specifically Microsoft Defender ATP (recently recognized as a leader in … View Full Bio

Article source: https://www.darkreading.com/risk/data-awareness-is-key-to-data-security/a/d-id/1336823?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Nearly three-quarters (74%) of businesses deploying SD-WAN have “significantly” less confidence in their networks following digital transformation initiatives, a new study finds.

Researchers with Cato Networks polled 1,333 IT professionals around the world to learn about their budgets, challenges, and readiness to change their digital environments. Nearly half (43%) work for companies with more than 2,500 employees, all have some cloud presence, and 82% work for organizations with at least two physical data centers. More than half (56%) expect their networking budget to increase in the next year; 73% say the same for their security budgets.

Thirty-five percent of respondents have an SD-WAN deployment and 30% are planning to deploy SD-WAN within the next year. Researchers found most businesses adopt SD-WAN for financial reasons: Fifty-six percent say excessive WAN costs are their primary reason to switch. Other drivers include better Internet access (55%), improved last-mile availability (50%), need for more bandwidth (48%), broader WAN modernization effort (45%), and cloud migration (42%).

Respondents’ low confidence in their networks following digital transformation could be linked to the issues they find during the transformation process, researchers say. “The results suggest that only as organizations roll out digital initiatives, they uncover the weaknesses in their networks,” the study states. The high costs of MPLS drive many to adopt SD-WAN; however, once an organization requires cloud or mobile access, IT pros realize their network limitations.

Cloud connectivity was a major issue among respondents. Sixty percent say cloud applications will be the most critical to their organizations over the next 12 months, more so than applications hosted in private data centers. However, 69% of SD-WAN owners expressed lower confidence in cloud connectivity following digital transformation efforts.

Researchers also learned SD-WAN does little from a security perspective. While most (66%) respondents cite malware and ransomware as their primary security challenge for 2020, only 37% say their SD-WAN help defend locations from these types of threats.

Read more details here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “With International Tensions Flaring, Cyber Risk is Heating Up for All Businesses.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/cloud/nearly-75--of-sd-wan-owners-lack-confidence-post-digital-transformation/d/d-id/1336844?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The nightmare continues for victims of FTCode ransomware. In addition to encrypting critical information, the PowerShell malware now steals user credentials from common web browsers and email clients.

According to researchers Rajdeepsinh Dodia, Amandeep Kumar, and Atinderpal Singh from Zscaler ThreatLabZ, FTCode version 1117.1 can skim user credentials from Internet Explorer, Firefox, and Chrome as well as email clients Thunderbird and Outlook. The new version uses a different method to steal credentials in each of the targeted applications, something the researchers point to as being one of the advantages of the scripting language in which FTCode is written.

For more, read here and here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “With International Tensions Flaring, Cyber-Risk Is Heating Up for All Businesses.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/ransomware-upgrades-with-credential-stealing-tricks/d/d-id/1336846?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple