A New Security Risk for ICS Controllers: Triton Malware Explained

Over the past few years, we’ve started to see malware developed specifically to target industrial control systems (ICS). Among the most notable recent examples are BlackEnergy, Industroyer and Triton. FireEye was the first security firm to respond to the Triton incident, and recently published more information about the Triton threat actor’s TTP profile, which we review in this article. 

The Triton Malware 

On April 10, 2019, FireEye confirmed that they were “responding to an additional intrusion by the attacker behind Triton at a different critical infrastructure facility,” following an earlier report from December of 2017.  

Triton is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. It was designed and deployed to manipulate industrial safety systems; specifically, it targeted the controllers that have the authority to bring a process to a safe state by issuing an emergency shutdown. 

The malware consisted of two main modules documented by FireEye: trilog.exe and library.zip. Trilog.exe was the main executable that utilized the library.zip, which comprised a custom communication library used to interact with the Triconex controllers.  

[Figure omitted. Courtesy: FireEye] 

Anatomy of the Attack 

Lateral Movement  

The attackers gained access to the network’s ICS layer by moving laterally through the IT network. While doing so, they achieved what FireEye calls “prolonged and persistent access to the target environment.” The threat actors built custom tools that mirrored the functionality of open-source commodity tools, allowing their tooling to masquerade as legitimate applications and evade anti-virus and other detection. It appears, however, that these custom tools were used only during critical phases of the attack, or when evading detection was absolutely necessary. 

While moving through the target network, the threat actors utilized many techniques to hide their activities such as:  

  • Renaming their files to appear legitimate 
  • Utilizing native Microsoft Windows tools like RDP and WinRM 
  • Modifying timestamps of their files to blend in with the copious number of files in their payload directories 

Together these gave the intrusion a further layer of cover and made conventional, signature-based security measures far less effective. 

Persistence 

According to FireEye, the threat actors had maintained a persistent presence on the target networks since at least 2014. The actors demonstrated a clear interest in the OT network and spent time researching OT assets and developing and weaponizing tooling to target them. The same custom tools that supported lateral movement and evasion appear to have been used to maintain this persistence. 

Asset Owners Need to Prepare 

ICS-targeted attacks have gained a discouragingly high profile in recent years. IT and OT convergence has already happened, and diligent asset owners must therefore prepare for malware that threatens both their IT and OT networks. 

BlackEnergy affected human machine interfaces (HMIs), Industroyer manipulated remote terminal units (RTUs) and Triton targeted safety controllers (the Triconex SIS, a safety PLC), demonstrating exposure at every level of the ICS stack. If threat actors are learning from each other, then between these three attacks they have developed a comprehensive understanding of OT networks. 

Asset owners can prepare by performing routine assessments and audits of their IT and OT networks. Red Team exercises, which are more targeted than a penetration test, can also help asset owners understand the evasion methods an adversary would use and how to detect them.  

It is important to note that not every technique the Triton actor used maps neatly onto the MITRE ATT&CK framework. Threat actors do not follow that framework; we use it to help build asset owners’ defenses, and once those defenses are in place we test them with techniques outside the framework, as a real adversary would.  


Harry Thomas is a senior level cyber security consultant who works with industries that require security in high availability networks such as Electric Utilities, Healthcare, Oil & Gas, etc. He enhances security programs through methods of vulnerability assessments, penetration testing, reverse engineering, and security research. Harry harnesses his experience from both enterprise security and ICS security to build secure networks that enable organizations.


Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!

Ransomware ‘LockerGoga’ Disrupting Industrial Operations

It has recently been reported that a new breed of ransomware is infecting industrial networks and forcing ICS organizations to switch from digital to manual operations. Within the past few weeks the malware, LockerGoga, has infiltrated the Norwegian aluminum manufacturer Norsk Hydro. Because of this incident, the organization was forced to execute its business continuity and cybersecurity incident response plans. 

Around the same time, LockerGoga hit two other manufacturing companies, Hexion and Momentive. At Momentive, LockerGoga caused a global IT outage that left the company to decommission its infrastructure and start anew.  

According to a FireEye report, a new strain of LockerGoga has been forcing systems to shut down entirely, locking user accounts, and making it difficult for organizations even to pay the ransom. It is not yet known how the attackers gain initial access to victims’ networks, but the evidence shows that they held valid credentials for their targets before the intrusion. 

Anatomy of An ICS Attack 

The attackers may be using phishing campaigns to gather credentials before they enter the victim’s network. Once inside, they use common open-source tools such as Metasploit and Cobalt Strike to move laterally. While moving towards the ICS layer of the network, they use credential dumpers such as Mimikatz to extract cleartext and hashed passwords from memory and escalate their privileges.  

After obtaining Domain Administrator rights, the highest level of privilege in a Windows domain, they use Microsoft Active Directory management tools to deploy the ransomware to target machines. The payloads are code-signed to appear legitimate before the encryption routine runs, locking the organization out of its files unless it pays up. The attackers also kill processes to forcibly disable antivirus on the target machines.  

The newest strain of LockerGoga also disables the network adapters of infected computers, removing them from the network. This cuts off all communication from the system and causes widespread disruption.  
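The sequence above is dangerous as a chain, and it is the chain that gives defenders their detection opportunity. The following Python, an added example rather than anything from the article, FireEye or Talos, correlates process-creation events per host into the stages just described (credential dumping, antivirus process killing, account locking, network adapter disabling) and alerts when two or more distinct stages occur on one host inside a short window; a fleet-level count then separates a Domain-Admin-driven mass push from an isolated infection. The command-line patterns, thresholds, host names and sample events are constructed assumptions and are not LockerGoga’s actual command lines.

```python
"""Stage-ordered correlation of the ransomware chain described above.

Added example, not code from the article, FireEye or Talos. Events are a
constructed normalisation of process-creation records (host, time, cmdline).
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# One generic command-line pattern per stage (constructed illustrations).
STAGES = (
    ("credential_dump", re.compile(r"sekurlsa::|procdump.*lsass|lsass\.exe", re.I)),
    ("av_kill",         re.compile(r"taskkill.*\b(msmpeng|mcshield|avp|ccsvchst)\.exe", re.I)),
    ("account_lock",    re.compile(r"net\s+user\s+\S+\s+/active:no", re.I)),
    ("net_disable",     re.compile(r"netsh\s+interface\s+set\s+interface\b.*\bdisabled?\b"
                                   r"|Disable-NetAdapter", re.I)),
)
WINDOW = timedelta(minutes=30)   # constructed: how close stages must be to chain
MIN_STAGES = 2                   # constructed: distinct stages needed before alerting


def classify(cmdline: str) -> str | None:
    """Map one process command line to a stage name, or None if it matches nothing."""
    for name, pattern in STAGES:
        if pattern.search(cmdline):
            return name
    return None


def correlate(events, window=WINDOW, min_stages=MIN_STAGES) -> dict[str, list[str]]:
    """Return {host: [stages in order of first occurrence]} for every host on
    which at least `min_stages` distinct stages fell inside one `window`."""
    per_host: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev["cmdline"])
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage))

    alerts: dict[str, list[str]] = {}
    for host, hits in per_host.items():
        # Slide a window forward from each hit and keep the richest chain found.
        for i, (start, _) in enumerate(hits):
            seen: list[str] = []
            for when, stage in hits[i:]:
                if when - start > window:
                    break
                if stage not in seen:
                    seen.append(stage)
            if len(seen) >= min_stages and len(seen) > len(alerts.get(host, [])):
                alerts[host] = seen
    return alerts


def mass_deployment(alerts: dict, threshold: int = 3) -> bool:
    """Fleet view: the chain firing on many hosts at once is the Domain Admin
    push described above, not a single compromised workstation."""
    return len(alerts) >= threshold


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"host": "WS-01", "time": "2019-03-19T01:00:10",
     "cmdline": "C:\\Temp\\upd.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "WS-01", "time": "2019-03-19T01:05:00", "cmdline": "taskkill /f /im MsMpEng.exe"},
    {"host": "WS-01", "time": "2019-03-19T01:06:30",
     "cmdline": "netsh interface set interface \"Ethernet\" admin=disabled"},
    {"host": "WS-02", "time": "2019-03-19T01:05:12", "cmdline": "taskkill /f /im MsMpEng.exe"},
    {"host": "WS-02", "time": "2019-03-19T01:05:40", "cmdline": "net user backup_svc /active:no"},
    {"host": "WS-02", "time": "2019-03-19T01:06:31",
     "cmdline": "netsh interface set interface \"Ethernet\" admin=disabled"},
    {"host": "WS-03", "time": "2019-03-19T01:05:15", "cmdline": "taskkill /f /im MsMpEng.exe"},
    {"host": "WS-03", "time": "2019-03-19T01:06:33",
     "cmdline": "netsh interface set interface \"Ethernet\" admin=disabled"},
    # A lone helpdesk adapter change hours later: one stage, so no alert.
    {"host": "WS-04", "time": "2019-03-19T09:12:00",
     "cmdline": "netsh interface set interface \"Wi-Fi\" admin=disabled"},
    {"host": "WS-04", "time": "2019-03-19T14:00:00", "cmdline": "C:\\Windows\\notepad.exe report.txt"},
]

if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for host, chain in found.items():
        print(f"{host}: {' -> '.join(chain)}")
    print("mass deployment:", mass_deployment(found))
```

Requiring two distinct stages rather than one keeps a single administrative adapter change or a single `taskkill` from paging anyone, while the fleet threshold turns three simultaneous alerts into the signal that matters: credentials are already lost and the deployment mechanism (here, Active Directory) is in the attacker’s hands.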

A New Breed 

It’s worth noting that LockerGoga differs from previous ransomware that has affected ICS environments. NotPetya used less extreme methods of disrupting operational processes, but it did show that malware could be built to move laterally through a network autonomously.  

LockerGoga, although it relies on some manual direction from the attackers, is more precisely targeted than NotPetya. Crucially, this campaign is not limited to ICS organizations; it is also hitting other industries through crimes of opportunity, and any network with publicly exploitable vulnerabilities may end up a victim. 

Takeaway  

Norsk Hydro fell victim to LockerGoga, but had never built a Cybersecurity Incident Response Plan (CIRP) into its Business Continuity Plan (BCP). This lengthened its recovery, because staff were unsure how to proceed. Organizations should include a CIRP in their BCP and plan to undergo routine vulnerability assessments and penetration tests of both their IT and ICS networks. If you fail to plan, then you plan to fail. 

Resources:

https://www.hydro.com/en-US 

https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html 

https://blog.talosintelligence.com/2019/03/lockergoga.html 


Harry Thomas is a senior level cyber security consultant who works with industries that require security in high availability networks such as Electric Utilities, Healthcare, Oil & Gas, etc. He enhances security programs through methods of vulnerability assessments, penetration testing, reverse engineering, and security research. Harry harnesses his experience from both enterprise security and ICS security to build secure networks that enable organizations.



Answering Risk Requests from Third-Party Partners with Standardized Documentation and Response

As CISOs become increasingly aware of the risks surrounding third-party relationships – and with a shift in focus towards supply chain risk management – there is mounting pressure from partners and clients to maintain a security posture backed by a mature information security program.

In order to demonstrate compliance with these goals to the satisfaction of shareholders, companies are fulfilling their due diligence with questionnaires, required documentation and evidence of security controls. However, the burden of proof can be overwhelming.

Additionally, companies who are just beginning the shift towards Third-Party and supply chain security can find themselves inundated with requests for documentation from their clients and partners, often submitted with challenging time constraints.

Without a standardized response, fielding these requests is a challenge. So what’s the solution?

Securicon’s Approach to Due Diligence Requests

Securicon provides a streamlined response protocol allowing companies to demonstrate due diligence in key areas of information security program documentation. This “response” package simplifies report generation by cutting down on preparation time, providing a template for assessment and establishing clear communication policies.

We provide several areas of support to clients who struggle with these types of requests:

  • Guidance for existing third-party risk request processes
  • Establishment of documentation and evidence to share with partners
  • Creation or standardization of questionnaires based on company standards
  • Methodology to update and share content as security posture develops over time

Managing and responding to your third-party requests can be overwhelming and places undue burdens on internal resources. To maintain a competitive advantage and solidify established business relationships, quick turnaround is nevertheless an imperative.

Let Securicon ease this challenge and all your other Third-Party Risk Management pain points. For more information on these services and others, please contact Bo Wheeler at Bo.Wheeler@Securicon.com.



Jason Pellino is a senior level cyber security consultant with success in developing and implementing information security programs while providing leadership and guidance on information security program governance, risk management and compliance for local enterprises and global environments. In Jason’s down time, he likes to dabble with new audio/visual gadgets, barbecue, and coach youth football in his town of Cumming, GA.



Preparing For Data Breaches: 5 Lessons From 2018

2018 will likely go down in history for the sheer scale of consumer data that was hacked, leaked, stolen and otherwise compromised by cyberattacks throughout the year. Estimates show that during the first six months alone, 4.5 billion records were exposed across 945 data breaches, leading to mass identity theft and financial fraud.

On the one hand, this is deeply concerning. On the other hand, it’s not very surprising at all.

Among the biggest breaches of 2018, Facebook, Quora and Marriott Hotels stood out for the simple reason that these were the very companies that should have been safe. When industry giants fall to attackers, small firms and businesses don’t stand a significantly better chance.

As regulators turn a critical eye to data breaches and consumer privacy, the time for businesses to pay sharp attention has come. If protecting the good faith of consumers isn’t enough incentive, financial loss in the form of penalties and theft should be.

In this article, we’ll look at five key lessons that stand out from the past year of cyberattacks, and what businesses can learn from them.

  1. Complacency Kills

Marketing firm Exactis has comprehensive data on nearly every citizen in the U.S – 340 million records, to be exact. Last year, security researcher Vinny Troia discovered that all those records had been stored on a publicly accessible database which was easily found with a simple search query.

Soon after the leak was publicized, the company made its records private: something which should have been done the moment they were created. Exactis justly received large amounts of negative publicity for failing to take this crucial step earlier.

Similarly, when data was stolen from 500 million patrons of the Marriott hotel chain, the investigation revealed that the attackers had been inside Marriott’s systems for four whole years before they were discovered. Alarms had warned security administrators of this activity on several occasions, but never resulted in adequate measures to assess the full extent of the intrusion.

Takeaway: Nothing helps attackers more than a simple lack of vigilance across the board. A robust risk-prevention process, coupled with serious attention to every red flag, is key to avoiding and addressing cyberattacks.

  2. Never Postpone Disclosure

In the past, companies have been reluctant to admit that a data breach occurred. Last year, ride-sharing company Uber settled for $148 million after failing to disclose a 2016 data breach that compromised the personal information of 600,000 drivers. Similarly, Ticketmaster in the U.K. knew about a breach for seven months before finally revealing it.

Hiding a breach doesn’t do a company any favors – if the intention is to avoid bad publicity, it only prolongs and exacerbates the inevitable. In the meantime, fixing existing issues and mitigating the damage becomes more difficult.

In the wake of GDPR, which requires companies to report a breach to the regulator within 72 hours of becoming aware of it, the number of reports coming out of the U.K. has quadrupled, showing just how common delayed acknowledgment was before the legislation.

Takeaway: Companies should take a hint from Quora, which immediately disclosed a vulnerability that had exposed 100 million of its users, responded to the incident by resetting account passwords and created an informational site in the wake of the breach – all within a 72-hour window.

  3. Anything Can Be A Flaw

Data breaches take many unexpected forms. Last year, Facebook turned off – and has not yet turned back on – a seemingly benign feature that allowed users to view their own profiles as a visitor would. The “View As” feature contained a critical bug that let attackers steal access tokens for roughly 50 million user accounts.

Meanwhile in New York City, Saks Fifth Avenue and Lord & Taylor found that their in-store payment terminals had been compromised, exposing the card data of nearly 5 million customers.

These exploits couldn’t be more different – one against payment hardware on the shop floor, the other a subtle flaw in web application logic. But they show that attacks come in many forms, and no detail should be overlooked when it comes to data.

Takeaway: Web developers should eliminate unnecessary features that add little to the user experience but could constitute a vulnerability. Businesses should also invest in penetration testing of their digital properties, and regularly inspect their facilities and point-of-sale (POS) systems for tampering and malicious hardware.

  4. Beware of Third-Party Apps

Third-party applications have become an indispensable part of the digital ecosystem, as businesses depend on them to process transactions and provide essential functions on their websites. Unfortunately, third-party applications have also become a primary route by which attackers compromise businesses.

2018 saw two high-profile third-party exposures. A flaw in the mobile linking platform Branch.io potentially exposed the information of 685 million users across services such as Tinder, Shopify and Yelp. McAfee reports that the sales support platform [24]7.ai may have leaked credit card numbers and social security numbers belonging to thousands of users.

As long as a business builds its own services, it can defend them. But third-party apps are controlled from the outside, and often reflect a different set of security priorities. For instance, a website may encrypt its own traffic while an unsecured plugin transmits the same data in plain text.

Takeaway: Businesses must be especially wary of the third-party apps that support their site. In many cases they do not even know how many dependencies they employ, and should conduct regular inventories to ensure the safety of their users.
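One concrete form of that inventory, added here as an example and not taken from the article: a Python script that parses a page’s HTML, lists every script, frame and stylesheet origin, and flags cleartext (http://) loads, third-party hosts that are not on an approved-vendor list, and third-party scripts or stylesheets that carry no Subresource Integrity hash. The sample page, the vendor allowlist and all host names are constructed.

```python
"""Inventory of third-party script, frame and stylesheet origins on a page.

Added example, not from the article. The page HTML, the approved-vendor
list and every host name below are constructed for illustration.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of vendors the business knows it depends on.
EXPECTED_VENDORS = {"cdn.example-pay.test"}

# Elements that pull code or content from another origin, and the attribute
# that carries the URL.
LOADERS = {"script": "src", "iframe": "src", "link": "href"}
# Elements whose fetched bytes can be pinned with Subresource Integrity.
SRI_CAPABLE = {"script", "link"}


class DependencyCollector(HTMLParser):
    """Collects every external resource reference together with its attributes."""

    def __init__(self):
        super().__init__()
        self.refs: list[tuple[str, str, dict]] = []

    def handle_starttag(self, tag, attrs):
        attr_name = LOADERS.get(tag)
        if attr_name is None:
            return
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and a.get("rel", "").lower() not in {"stylesheet", "preload", "modulepreload"}:
            return  # icons, canonical links etc. neither execute nor style the page
        if a.get(attr_name):
            self.refs.append((tag, a[attr_name], a))


def inventory(html: str, page_url: str) -> list[dict]:
    """Return one record per dependency with the problems found for it."""
    parser = DependencyCollector()
    parser.feed(html)
    page = urlparse(page_url)
    records = []
    for tag, url, attrs in parser.refs:
        target = urlparse(url, scheme=page.scheme)
        host = target.netloc or page.netloc          # relative URL -> first party
        third_party = host != page.netloc
        issues = []
        if target.scheme == "http":
            issues.append("plaintext")              # encrypted page, cleartext plugin
        if third_party and host not in EXPECTED_VENDORS:
            issues.append("unapproved-vendor")      # nobody signed off on this origin
        if third_party and tag in SRI_CAPABLE and not attrs.get("integrity"):
            issues.append("no-sri")                 # vendor can change the code silently
        records.append({"tag": tag, "url": url, "host": host,
                        "third_party": third_party, "issues": issues})
    return records


def flagged(records: list[dict]) -> list[dict]:
    """Only the dependencies that need attention."""
    return [r for r in records if r["issues"]]


SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script src="https://cdn.example-pay.test/checkout.js"
        integrity="sha384-constructedhashvalue" crossorigin="anonymous"></script>
<script src="http://widgets.chat-vendor.test/embed.js"></script>
<iframe src="https://reviews.third-party.test/widget"></iframe>
</head><body></body></html>"""   # constructed page
PAGE_URL = "https://shop.example/checkout"   # constructed first-party URL

if __name__ == "__main__":
    for r in flagged(inventory(SAMPLE_HTML, PAGE_URL)):
        print(f"{r['tag']:6} {r['host']:28} {', '.join(r['issues'])}")
```

Run against a real site the script is pointed at saved HTML rather than a live fetch, so it can sit in a nightly job and diff its output against the previous run; a new host appearing in the report is exactly the undocumented dependency the takeaway warns about.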

  5. Pay Attention to Insider Threats

In April of last year, SunTrust Bank announced that 1.5 million customer records had been stolen with criminal intent. The culprit, the institution claimed, was likely one of its own employees.

Insider threats are among the biggest and most unpredictable threats an organization can face, and they aren’t always malicious. Simple user error can cost an organization enormous sums. As Verizon’s 2018 Data Breach Investigations Report states:

Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education.

As an example, the average cost of a phishing attack – which begins when a user acts on a fraudulent email – was $1.6 million in 2018. When such a simple action can have such devastating consequences, no organization is free of risk.

Takeaway: In order to stay safe, companies must look in both directions. Educating personnel on security policy is one important way to reduce insider risk; monitoring user behavior for signs of malicious or anomalous activity is equally essential.

