| Introduction It is no secret that critical infrastructure is on cyber watch here in the United States. On March 7th, the FBI issued a flash warning regarding a strain of ransomware called RagnarLocker. At least 52 organizations across 10 critical infrastructure sectors have been affected by this variant of ransomware since it was first detected by the FBI in 2020. The list includes government agencies, manufacturing companies, financial services firms, and information technology firms. Threat actors behind RagnarLocker ransomware usually collaborate together, modifying the methods they use to distribute the ransomware constantly. How It Works RagnarLocker ransomware is complex and operates in the following way: 1. It attempts to identify the physical location of the infected machine utilizing Windows API GetLocaleInfoW and terminates the encryption process if the victim location is identified as “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian.” 2. To prevent multiple encryptions and corrupted data, the tool checks for current infections. 3. In the following step, it identifies all attached hard drives and assigns a drive letter to any volume that has not yet been assigned a logical drive letter. They are then accessible and can be encrypted. 4. All services running on infected machines are examined, and any services used for remote administration are terminated. 5. It then attempts to delete all Volume Shadow Copies, which will further disrupt an organization’s ability to retrieve data from the infected computer. 6. Lastly, it encrypts all available files. Instead of choosing files and folders to encrypt, it picks which to not encrypt. In general, it excludes core Windows OS files to prevent the machine from malfunctioning during the encryption process. Many times hackers will utilize the increasingly popular “double extortion” tactic, in which the attacker first exfiltrates sensitive data, then triggers the encryption attack, threatening to leak the stolen data if the target refuses to pay the ransom. Indicators of Compromise The FBI Flash Warning, on page 3, lists a number of Indicators of Compromise (IOC) associated with RagnarLocker Ransomware. Below are some examples of these IOCs. Conclusion Keeping ransom payments away from these threat actors is always the FBI’s recommendation. They believe this emboldens attackers to pursue these techniques against other organizations. They also urge all ransomware attacks to be reported. This provides investigators and analysts with the critical information they need to track ransomware attackers and hopefully prevent future attacks. If your organization has fallen victim to a ransomware attack, nGuard can help. Our incident response team is readily available to assist your organization. Preventative measures such as penetration testing and strategic security assessments can help mitigate risk in the first place and hopefully prevent such types of attacks. |
Products & Services
| Target: Water Utilities Water Utilities play a critical role in our society. They provide fresh, potable water to residents, businesses and industry as well as manage the wastewater from them. As with other utilities and critical infrastructure, they are increasingly a target for hackers, terrorists, and hostile nation states. A successful hack can contaminate the fresh water supply, impair availability or cause an environmental disaster. It’s a direct risk to the health of the local population and supply chains which depend on readily available fresh water and wastewater management. Becoming a Hard Target Managing the risks isn’t trivial, but it’s not rocket science either –the science of cyber security has greatly matured over the past 20 years. The following 5 steps are key to a water utility becoming a hard target that is resistant to cyberattacks. Assess your overall cyber security program. Test your organization’s current readiness to cyber attacks on an annual basis by assessing both your external perimeter and your internal networks. Make sure you include both the IT and the OT (SCADA) sides of the house. Perform ongoing vulnerability management throughout the year. Make sure you have someone watching for suspicious security events. Lastly, make sure you have a Cyber Security Incident Response (CSIR) program in place. Because a cyber security incident is a question of when, not if, you must have a plan in place before it happens. Strength In Numbers Recognizing the critical importance of the water supply, leading water associations in the U.S., along with the U.S. federal government, have become increasingly organized in the defense of this essential infrastructure. A key part of this organization has been the formation of the Water Information Sharing and Analysis Center (WaterISAC). Authorized by the United States’ 2002 Bioterrorism Act, the WaterISAC is the key security information source for all threats impacting water and wastewater systems. In support of their mission, they have developed the 15 Cybersecurity Fundamentals for Water & Wastewater Utilities. As part of their ongoing education and outreach, WaterISAC recently invited nGuard to speak about some of these key cybersecurity concepts at an association meeting. You can watch this webinar below. |
Russia has launched a full-scale military invasion into the country of Ukraine and with that comes the increased risk of cyber-attacks across the globe. Over the last couple weeks, we have seen many of these threats come to fruition as Ukrainian web sites were defaced and taken offline. New strains of data-destroying malware were also found to be deployed on critical government systems. Below are some of the most current cyber incidents that are taking place as a result of recent Russian aggression.
More than 70 Ukrainian government website have been defaced in cyberattacks (npr.org)
In a call conducted by Mary Louise Kelly, NPR’s cyber security correspondent Jenna McLaughlin detailed a series of cyber attacks that left about 70 Ukrainian government websites defaced. Hackers posted concerning messages in multiple languages telling viewers to be afraid and expect the worst. Jenna says these attacks are unsophisticated operations linked to a hacking group located in Russia and Belarus.
Ukrainian crisis: ‘Wiper’ discovered in latest cyber-attacks (bbc.com)
Late last week, BBC reported that while the websites of several Ukrainian banks and government offices became inaccessible, “wiper” malware was also being deployed on compromised systems. This malware aims to locate and destroy data residing on system drives. “ESET telemetry shows that the malware was installed on hundreds of machines in the country.”
Biden has been presented with options for massive cyberattacks against Russia (nbcnews.com)
Last Thursday, NBC News reported that President Biden had been presented with a menu of options for the United States to carry out impactful cyber attacks against Russia in a response to their recent military action against Ukraine. Two U.S. intelligence officials say that while no final decision has been made, all options remain on the table. “You could do everything from slow the trains down to have them fall off the tracks,” one person briefed on the matter said.
Russian ransomware gang threatens countries that punish Moscow for Ukraine invasion (politico.com)
Last Friday, Politico reported that a Russian ransomware gang, Conti, was making threats to hack the critical infrastructure of any nation or organization that retaliates against Russia for its recent military operations in Ukraine. The Conti gang issued its full support for the Russian government. This group is well known for launching government sponsored cyber attacks across the globe that have had devastating impacts.
Anonymous Hacking Group Declares “Cyber War” Against Russia (infosecurity-magazine.com)
The hacking group Anonymous has made it known that they will be launching a retaliatory cyber campaign against the Russian government following the special military operation launched by President Putin in Ukraine. Posted on their official Twitter account last Thursday read “The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine.” Shortly after this tweet was posted, the group claimed to have taken down multiple Russian government websites.
The United States government has issued strong warnings to organizations that reiterate the need to have a strong security posture during these times of uncertainty. nGuard account executives are ready to discuss any and all cyber security needs to help boost the readiness of your organization.
NSO Group continues to stay at the top of the headlines as 2022 carries on. There have been 3 noteworthy updates since the last nGuard Security Advisory, let’s look into each. If you haven’t seen the prior Security Advisories covering the NSO Group they can be found here, here, and a video summary here.
FBI discloses it tested the Pegasus spyware in 2019
Earlier this month, the FBI and the Justice Department confirmed they had tested Pegasus but stated it had not been deployed for use in any of their investigations. The FBI stated, “The FBI works diligently to stay abreast of emerging technologies and tradecraft — not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties,” the statement said. “That means we routinely identify, evaluate, and test technical solutions and problems for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands. There was no operational use in support of any investigation, the FBI procured a limited license for product testing and evaluation only.” The NSO Group has since been blacklisted from the United States, however The New York Times reported the FBI ran up roughly $5 million in charges in its contract with the NSO Group prior to this occurring.
Although the NSO Group has stated they cannot deploy their software Pegasus against U.S. based phones with a +1 number, they have created another product called Phantom which allows the monitoring of those types of numbers. A company called Westbridge, NSO’s North American branch, was handing out this brochure to law enforcement for Phantom. It looks very similar to the one leaked for Pegasus when this story originally broke last year.
NYPD Received Demo of Pegasus
The NYPD intel group was in communication to receive a demo of the Pegasus software, as seen in the email below courtesy of Motherboard. This is a very similar brochure the FBI received from Westbridge.
The email came from James Sheehan who is a program manager for Northern New Jersey-Newark and Jersey City Urban Area Security Initiative, which is administered by the United States Department of Homeland Security (DHS). Others that were invited to attend the demonstration were Bergen County Prosecutor’s Office, Jersey City’s public safety agency, and the Paterson Police Department. The NYPD has not responded to these revelations, so it is still unknown if they took any steps to acquire the Pegasus software.
The Israeli Government Announced its Investigation into Domestic Use of Pegasus
As more and more eyes have focused on the NSO Group, Israel has announced they are investigating reports of the Israeli police illegally using Pegasus against its own citizens without a court order. One individual that has been reported to have been spied on is a witness in the trial of former Israeli Prime Minister Benjamin Netanyahu. Pegasus continues to draw negative attention and is being labeled as a “threat to democracy” with Aylet Shaked, a cabinet minister, saying, “I am shocked,” she added. “I cannot believe this is my country.”
The police in Israel have been using Pegasus since 2015 and deployed it on over 100 phones each year since. In a list recently revealed, it seems as if nobody was immune. The list includes protesters, Ministry CEOs, and journalists. It was also used to determine witness credibility. When the news about Pegasus initially broke last year we discovered Pegasus was used on all types of individuals throughout the world, but nobody knew it was used domestically in Israel against its own people.
If you are not familiar with NSO Group, nGuard released a Security Advisory in August detailing the history of the NSO Group and their spyware platform, Pegasus. If you haven’t read the advisory, check it out here, or you can watch the summary video below:
In late November, Apple announced that it is suing the Israeli spyware firm NSO Group and its parent company OSY Technologies for targeting its users with their spyware. This is the second lawsuit against NSO Group with the first coming from Facebook, now owned by Meta, for targeting its users on the message application WhatsApp.
In addition to the lawsuit, which is seeking unspecified damages, Apple is requesting the NSO Group be banned from using Apple software, services, or devices. NSO Group created over 100 fake Apple IDs used to deploy their spyware Pegasus, which violates the iCloud terms of service. NSO Group still states they only sell spyware to government for lawful interceptions and says, “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers.” Although the NSO group states it has ethical purposes, evidence has shown otherwise and has led to the United States implementing sanctions and a blacklist on them for enabling “transnational repression.”
Apple did release software updates to patch the vulnerabilities exploited by NSO Group and has not seen any indications of Pegasus or any other NSO tools being used against their latest software, iOS 15. Apple has strongly urged iOS users to upgrade to the latest version of software to protect themselves from these types of attacks.
Yesterday afternoon Bleeping Computer reported on a critical Windows zero-day affecting all flavors of Windows client and server operating systems. A flaw in Microsoft’s patch for CVE-2021-41379 led to a post-authentication privilege escalation vulnerability that allows an attacker to pivot from a standard user account to NT AUTHORITY\SYSTEM with ease. Considering that there is currently no patch, it is essential that organizations begin alerting on this before breaking for Thanksgiving. Inform yourself and your team by reviewing the materials below.
Resources:
