| Introduction It is no secret that critical infrastructure is on cyber watch here in the United States. On March 7th, the FBI issued a flash warning regarding a strain of ransomware called RagnarLocker. At least 52 organizations across 10 critical infrastructure sectors have been affected by this variant of ransomware since it was first detected by the FBI in 2020. The list includes government agencies, manufacturing companies, financial services firms, and information technology firms. Threat actors behind RagnarLocker ransomware usually collaborate together, modifying the methods they use to distribute the ransomware constantly. How It Works RagnarLocker ransomware is complex and operates in the following way: 1. It attempts to identify the physical location of the infected machine utilizing Windows API GetLocaleInfoW and terminates the encryption process if the victim location is identified as “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian.” 2. To prevent multiple encryptions and corrupted data, the tool checks for current infections. 3. In the following step, it identifies all attached hard drives and assigns a drive letter to any volume that has not yet been assigned a logical drive letter. They are then accessible and can be encrypted. 4. All services running on infected machines are examined, and any services used for remote administration are terminated. 5. It then attempts to delete all Volume Shadow Copies, which will further disrupt an organization’s ability to retrieve data from the infected computer. 6. Lastly, it encrypts all available files. Instead of choosing files and folders to encrypt, it picks which to not encrypt. In general, it excludes core Windows OS files to prevent the machine from malfunctioning during the encryption process. Many times hackers will utilize the increasingly popular “double extortion” tactic, in which the attacker first exfiltrates sensitive data, then triggers the encryption attack, threatening to leak the stolen data if the target refuses to pay the ransom. Indicators of Compromise The FBI Flash Warning, on page 3, lists a number of Indicators of Compromise (IOC) associated with RagnarLocker Ransomware. Below are some examples of these IOCs. Conclusion Keeping ransom payments away from these threat actors is always the FBI’s recommendation. They believe this emboldens attackers to pursue these techniques against other organizations. They also urge all ransomware attacks to be reported. This provides investigators and analysts with the critical information they need to track ransomware attackers and hopefully prevent future attacks. If your organization has fallen victim to a ransomware attack, nGuard can help. Our incident response team is readily available to assist your organization. Preventative measures such as penetration testing and strategic security assessments can help mitigate risk in the first place and hopefully prevent such types of attacks. |
Compliance
| Target: Water Utilities Water Utilities play a critical role in our society. They provide fresh, potable water to residents, businesses and industry as well as manage the wastewater from them. As with other utilities and critical infrastructure, they are increasingly a target for hackers, terrorists, and hostile nation states. A successful hack can contaminate the fresh water supply, impair availability or cause an environmental disaster. It’s a direct risk to the health of the local population and supply chains which depend on readily available fresh water and wastewater management. Becoming a Hard Target Managing the risks isn’t trivial, but it’s not rocket science either –the science of cyber security has greatly matured over the past 20 years. The following 5 steps are key to a water utility becoming a hard target that is resistant to cyberattacks. Assess your overall cyber security program. Test your organization’s current readiness to cyber attacks on an annual basis by assessing both your external perimeter and your internal networks. Make sure you include both the IT and the OT (SCADA) sides of the house. Perform ongoing vulnerability management throughout the year. Make sure you have someone watching for suspicious security events. Lastly, make sure you have a Cyber Security Incident Response (CSIR) program in place. Because a cyber security incident is a question of when, not if, you must have a plan in place before it happens. Strength In Numbers Recognizing the critical importance of the water supply, leading water associations in the U.S., along with the U.S. federal government, have become increasingly organized in the defense of this essential infrastructure. A key part of this organization has been the formation of the Water Information Sharing and Analysis Center (WaterISAC). Authorized by the United States’ 2002 Bioterrorism Act, the WaterISAC is the key security information source for all threats impacting water and wastewater systems. In support of their mission, they have developed the 15 Cybersecurity Fundamentals for Water & Wastewater Utilities. As part of their ongoing education and outreach, WaterISAC recently invited nGuard to speak about some of these key cybersecurity concepts at an association meeting. You can watch this webinar below. |
Russia has launched a full-scale military invasion into the country of Ukraine and with that comes the increased risk of cyber-attacks across the globe. Over the last couple weeks, we have seen many of these threats come to fruition as Ukrainian web sites were defaced and taken offline. New strains of data-destroying malware were also found to be deployed on critical government systems. Below are some of the most current cyber incidents that are taking place as a result of recent Russian aggression.
More than 70 Ukrainian government website have been defaced in cyberattacks (npr.org)
In a call conducted by Mary Louise Kelly, NPR’s cyber security correspondent Jenna McLaughlin detailed a series of cyber attacks that left about 70 Ukrainian government websites defaced. Hackers posted concerning messages in multiple languages telling viewers to be afraid and expect the worst. Jenna says these attacks are unsophisticated operations linked to a hacking group located in Russia and Belarus.
Ukrainian crisis: ‘Wiper’ discovered in latest cyber-attacks (bbc.com)
Late last week, BBC reported that while the websites of several Ukrainian banks and government offices became inaccessible, “wiper” malware was also being deployed on compromised systems. This malware aims to locate and destroy data residing on system drives. “ESET telemetry shows that the malware was installed on hundreds of machines in the country.”
Biden has been presented with options for massive cyberattacks against Russia (nbcnews.com)
Last Thursday, NBC News reported that President Biden had been presented with a menu of options for the United States to carry out impactful cyber attacks against Russia in a response to their recent military action against Ukraine. Two U.S. intelligence officials say that while no final decision has been made, all options remain on the table. “You could do everything from slow the trains down to have them fall off the tracks,” one person briefed on the matter said.
Russian ransomware gang threatens countries that punish Moscow for Ukraine invasion (politico.com)
Last Friday, Politico reported that a Russian ransomware gang, Conti, was making threats to hack the critical infrastructure of any nation or organization that retaliates against Russia for its recent military operations in Ukraine. The Conti gang issued its full support for the Russian government. This group is well known for launching government sponsored cyber attacks across the globe that have had devastating impacts.
Anonymous Hacking Group Declares “Cyber War” Against Russia (infosecurity-magazine.com)
The hacking group Anonymous has made it known that they will be launching a retaliatory cyber campaign against the Russian government following the special military operation launched by President Putin in Ukraine. Posted on their official Twitter account last Thursday read “The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine.” Shortly after this tweet was posted, the group claimed to have taken down multiple Russian government websites.
The United States government has issued strong warnings to organizations that reiterate the need to have a strong security posture during these times of uncertainty. nGuard account executives are ready to discuss any and all cyber security needs to help boost the readiness of your organization.
If you are not familiar with NSO Group, nGuard released a Security Advisory in August detailing the history of the NSO Group and their spyware platform, Pegasus. If you haven’t read the advisory, check it out here, or you can watch the summary video below:
In late November, Apple announced that it is suing the Israeli spyware firm NSO Group and its parent company OSY Technologies for targeting its users with their spyware. This is the second lawsuit against NSO Group with the first coming from Facebook, now owned by Meta, for targeting its users on the message application WhatsApp.
In addition to the lawsuit, which is seeking unspecified damages, Apple is requesting the NSO Group be banned from using Apple software, services, or devices. NSO Group created over 100 fake Apple IDs used to deploy their spyware Pegasus, which violates the iCloud terms of service. NSO Group still states they only sell spyware to government for lawful interceptions and says, “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers.” Although the NSO group states it has ethical purposes, evidence has shown otherwise and has led to the United States implementing sanctions and a blacklist on them for enabling “transnational repression.”
Apple did release software updates to patch the vulnerabilities exploited by NSO Group and has not seen any indications of Pegasus or any other NSO tools being used against their latest software, iOS 15. Apple has strongly urged iOS users to upgrade to the latest version of software to protect themselves from these types of attacks.
Yesterday afternoon Bleeping Computer reported on a critical Windows zero-day affecting all flavors of Windows client and server operating systems. A flaw in Microsoft’s patch for CVE-2021-41379 led to a post-authentication privilege escalation vulnerability that allows an attacker to pivot from a standard user account to NT AUTHORITY\SYSTEM with ease. Considering that there is currently no patch, it is essential that organizations begin alerting on this before breaking for Thanksgiving. Inform yourself and your team by reviewing the materials below.
Resources:
On Monday, CNN reported that nine organizations spread across multiple sectors have been breached by what is believed to be foreign hackers. Palo Alto made it known to CNN that organizations within health care, technology, education, defense, and energy had all been the target of recent security breaches. It is also being reported that officials from the NSA and CISA are actively tracking the threat and working to mitigate it.
By exploiting a vulnerability in ManageEngine ADSelfService Plus which corporations utilize for password management and stealing those passwords from targeted organizations, attackers have been able to maintain persistent access on internal networks. This buys the attackers time to further their attack vectors and compromise more endpoints, as well as work to compromise high privilege accounts and increase their chances of accessing critical information. The official from Palo Alto that provided this information to CNN believe this is just the “tip of the spear” of the likely spying campaign that is taking place by foreign adversaries.
While it is currently unknown who is responsible for this attack, Palo Alto is reporting that many of the tactics and toolkits discovered are consistent with a suspected Chinese hacking group. The NSA and CISA, when asked to comment on the likely identity of these hackers, refused to comment. Officials from Palo Alto are stressing that it is extremely important to stay on top of software updates. Attackers are exploiting well known software vulnerabilities that could have been easily patched by the target organization. They are also encouraging organizations that utilize Zoho software to update their systems and search for signs of potential breach.
Vulnerable software is one of the top things attackers looks for when attempting to target an organization. Many times, these vulnerabilities and their corresponding exploits are widely known and easily preventable if you are aware of them. Conducting periodic penetration testing on both the external perimeter and internal network can prevent this vulnerabilities from being present in your environment. Additionally, having vulnerability scans run on a regular basis can make you aware of these critical vulnerabilities and your security team can eliminate them from the environment.
