OTORIO's research revealed that Snake, the ransomware exposed earlier this month, has the ability to terminate ICS processes. Snake's encrypted list of processes to terminate includes specific ICS processes that belong to GE, whose industrial automation products are widely used by industrial companies around the globe. Moreover, the presumed target of Snake is Bahrain's petrochemical company, Bapco, which was recently attacked by the Dustman wiper. Snake may be a sign of a new wave of ransomware with the ability to compromise industrial control systems.
Continue reading in OTORIO's blog
The security firm "ThreatGen" points out that Ryuk was recently used in 5 attacks against different oil and gas companies. The tactics, techniques, and procedures (TTPs) used against all five victims were similar, indicating that the Ryuk attackers were specifically targeting the oil and gas sector, possibly in a coordinated campaign. Ryuk was first created by Russian hackers and appeared for the first time in December 2018. Since then, over 100 victims from different industries have been hit by Ryuk attacks. Ryuk's initial infiltration usually begins with a phishing email or watering-hole attack that leads employees on the network to download the Trickbot backdoor. Trickbot propagates within the network and infects as many machines as possible before it deploys Ryuk.
Continue reading in Dark Reading
One of the world's largest electrical equipment manufacturers has admitted it was breached in June 2019. The hackers gained access to the networks of around 14 departments and stole sensitive data from tens of PCs and servers within Mitsubishi's internal network. ~200 MB of files, mostly business documents, were stolen, and the main suspect is a Chinese cyber espionage group called "Tick". The incident is being treated with the utmost severity, since Mitsubishi Electric is one of Japan's biggest defense and infrastructure contractors, with a major role in the Japanese military, railways, electrical grids and more.
Continue reading in ZDnet
Security experts from "Recorded Future" reported that a backdoor previously used by Iran-linked hacker groups was used to target a key organization in the European energy sector. The malware used by the attackers is PupyRAT, an open-source piece of malware written mainly in Python and available on GitHub. The previous use of PupyRAT by APT 33 (a hacker group identified as being supported by the government of Iran), together with recent research by the Microsoft threat intelligence team on APT 33's current focus on Western energy firms, raises the likelihood that this group is behind the attack. The attackers were inside the company's network from November 2019 until at least January 5, 2020.
Continue reading in Security Affairs