The new Lemon Duck malware campaign, recently found by TrapX Security, targets global manufacturers who are still dependent on Windows 7 subsystems.
The malware exploits operating-system vulnerabilities with the EternalBlue exploit and eventually turns infected devices into a “slave army” of crypto-mining machines generating Monero via the XMRig mining tool. Researchers warn that the mining activity can lead to safety issues, disruption of supply chains, and data loss. The campaign resembles a Lemon Duck campaign spotted in October 2019; however, this one targets large manufacturers. Windows 7, which stopped receiving security updates from Microsoft on January 14, 2020, is a warning sign for manufacturers, as there are still around 200 million devices running it worldwide.
Continue reading in ThreatPost
A CISA advisory reported a ransomware attack that hit an American gas compression plant and caused a two-day disruption.
Spear-phishing initially gave the attackers access to the IT network. Because the IT network was not segmented from the OT network, the attack led to disruptions of HMIs, data historians, and polling servers. The ransomware targeted Windows-based devices; the PLCs in the plant were, fortunately, unaffected.
Continue reading in Threat Post
Another ransomware attack hit a Canadian pulp and paper manufacturer, Paper Excellence, impacting the company’s email capabilities and enterprise systems at Crofton, Port Alberni, and Powell River.
While pulp manufacturing continued unabated throughout the attack period, paper operations were curtailed because orders could not be planned and manufactured while the systems were interrupted. The likelihood and severity of such incidents can be reduced by managing your digital footprint, reducing attack surfaces, raising awareness, and keeping the OT network segmented. As more cyber attacks are publicized, attackers encourage the sharing of ideas to make ransomware and other forms of malware more powerful and capable. Sodinokibi recently held or sponsored a Dark Web hacking competition that drew the attention of hackers worldwide. Sodinokibi ransomware was behind a recent attack on the German automotive supplier GEDIA that caused a shutdown of IT systems in production plants and the theft of 50GB of confidential data.
Continue reading in CBC
A new report by ClearSky reveals that Iranian APTs were highly active last year, developing exploits for recently published VPN vulnerabilities in order to infiltrate companies worldwide and plant backdoors. The backdoors serve as “future assets” for clandestine intrusion and lateral movement into valuable targets, including oil and gas companies.
There are two main concerns about what these backdoors can lead to. The first is the risk of a future deployment of data-wiping malware, like the attack in December against Bapco, Bahrain's national oil company: that attack began with the breach of VPN servers, and the subsequent lateral movement led to the deployment of “Dustman”, a new strain of Iranian wiper. The second is the risk of supply chain attacks against other victims. This theory is supported by the fact that earlier this month the FBI sent a security alert to the US private sector warning of cyberattacks using the Kwampirs RAT against software supply chain companies. According to the warning, “software supply chain companies are targeted in order to gain access to strategic partners, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution.” The same FBI alert noted links between the malware deployed in these attacks and code previously used by Iran's APT33 group, strongly suggesting that Iranian hackers might be behind them.
This Iranian campaign, which began last summer, is still relevant in 2020. Unlike previous campaigns, in this one the Iranian groups APT33, APT34 (OilRig), and APT39 appear to cooperate and act as one unit. Security lessons learned: VPN services have recently become a prime target for exploitation by nation-state and financially motivated threat actors. Version updates and patches are vital and should be prioritized, since a compromised VPN can enable rapid lateral movement from the IT infrastructure to the OT infrastructure.
Continue reading in ZDNet