Industrial Security Bulletin - Week 29 - July 21, 2020

Industrial Security Bulletin - Week 29 - July 21, 2020

21 Jul 2020

Industrial Cyber Attacks - Attacks against industries, productive infrastructures and OT

This week, data leaks of industrial companies that recently suffered ransomware attack include:

  • Schramm, a hydraulic drilling manufacturer was attacked by Sodinokibi ransomware
  • Indoco Remedies Ltd, an Indian manufacturer of pharmaceutical products was hit by maze ransomware

Non-Industrial Cyber Attacks - Covering notable, interesting attacks worldwide

Orange, the giant French telecommunications company has confirmed that it suffered a “Nephilim” ransomware attack exposing the data of twenty of their enterprise customers.

Throughout 2020, APT29, which is part of the Russian intelligence services, has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States, and the United Kingdom. APT29 is using custom malware known as ‘WellMess’ and ‘WellMail’ that is designed to execute arbitrary shell commands, upload, and download files.

3 cybersecurity companies have recently suffered security incidents:

ICS Vulnerabilities

New ICS-cert advisories this week include Moxa EDR Routers and 16 advisories for different Siemens products. The most critical vulnerabilities within these advisories are remote code executions with cvss score 9.8 in Siemens SICAM and Siemens LOGO! Web Server. Another CVE can lead to a denial of service condition in Siemens PCS7 DCS.

IOT

Trend Micro Research is warning consumers of a major new wave of attacks attempting to compromise their home routers for use in IoT botnets. The three main source codebases that have spawned numerous pieces of botnet malware are Mirai, Kaiten, and Qbot and users need to protect their routers and other connected devices from these malwares.

IT Vulnerabilities

Microsoft patch Tuesday for July includes CVE-2020-1350, a remote code execution vulnerability in the Windows DNS server with CVSS score of 10. Dubbed SIGRed, this vulnerability affects all Windows Server versions 2003 through 2019 and if exploited, could be used to compromise a company’s entire IT infrastructure. The vulnerability was classified as “wormable” which means it has the potential to spread between vulnerable computers without user interaction.

Breaches & Credential Leaks

A malicious actor called “cryptan” put up for sale unauthorized access to a mining company in a dark web forum. The actor claims to have obtained unauthorized access to the network through VPN.

Advanced Reading Suggestions of the Week

Cybereason team investigated the emergence of a new “Bazar” loader and backdoor that first emerged in April 2020 and has evolved continuously since. Bazar can be used to deploy additional malware, ransomware, and ultimately steal sensitive data from organizations. It appears to have strong ties to Trickbot campaigns and is delivered by the same infection chain. “Bazar” infections are targeting healthcare, manufacturing, logistics, and some more sectors across the US and Europe.

IBM's X-Force got hold of nearly five hours worth of video recordings of the Iranian state-sponsored group - APT35 that provide a rare insight into the "behind-the-scenes" of their methods. 

New PhishingKitTracker repository holds a collection of Phishing Kits used by criminals to steal user information.

Ran Finkelstein
Threat Intelligence Researcher

For more information contact us at [email protected].

04 May 2020 Industrial Cyber-Security During COVID-19: From a Hackers’ Paradise to Resilient Remote Operations more...
26 Mar 2020 Coronavirus: Time for Remote Connection Solutions for ICS more...
18 Mar 2020 COVID-19 is a Wake-up Call for Manufacturing SMBs more...
loader
×

OTORIO website uses cookies. By continuing to browse the site you are agreeing to our use of cookies. For more details about cookies and how to manage them, see our cookie policy.

Continue