Sandworm targets Ukrainian power grid.
Sandworm, also known as Voodoo Bear, and in the org charts Unit 74455 of Russia’s GRU, has deployed CaddyWiper destructive malware and an Industroyer variant being called, simply, “Industroyer2.” ESET tweeted the results of its findings early Tuesday morning, and provided additional details in a report also published Tuesday. “ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company. The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks. The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems. We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine. We assess with high confidence that the APT group Sandworm is responsible for this new attack.”
The incident seems, at first look, an attempted repetition of the 2016 Russian cyberattacks against the Ukrainian grid that ESET mentioned in its report. CERT-UA offered a further description of the attack. It intended to use Industroyer2 against “high-voltage electrical substations” in a fashion tailored to the individual substations. CaddyWiper was used against Windows systems (including automated workstations), and other “destructive scripts” (OrcShred, SoloShred, and AwfulShred) were deployed against Linux systems.
The GRU’s attempt against the Ukrainian power grid appears to be the cyberattack most people were expecting back in February, especially because of the way it tracked earlier GRU takedowns of sections of Ukraine’s power grid. It also appears to have failed, and that failure may be attributed in part to successful Ukrainian defenses as well as to the methods Russia chose to use. In cyberspace as well as on the ground, Ukraine appears to have proved a tougher opponent than Russia expected.
CISA warns of ICS malware.
Late Wednesday the US Cybersecurity and Infrastructure Security Agency (CISA) announced that, with its partners in “the Department of Energy (DOE), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI)” CISA had issued a joint Cybersecurity Advisory (CSA). It warns that “certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices using custom-made tools.” The vulnerable systems include at least Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers. The advisory recommends familiar best practices for protecting ICS/SCADA systems, and explains the threat actor’s tools as follows:
“The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”
The immediate actions CISA recommends are to implement multifactor authentication, change system passwords (especially any default passwords), and use “a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors.”
Mandiant and Dragos have published analyses of the malware. Dragos calls the malware “PIPEDREAM,” and states that “the tooling may be used to target and attack controllers from hundreds of additional vendors. PIPEDREAM can target a variety of PLCs in multiple verticals due to its versatility.” Mandiant, which tracks the malware as “INCONTROLLER,” says, “The tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction.”
EU officials targeted with spyware.
A Reuters exclusive reports that senior European Union officials were targeted by an unknown actor using spyware thought to have been developed by one of two Israeli vendors. Didier Reynders, since 2019 European Justice Commissioner, is the most prominent official believed to have been affected. A small number of staffers at the European Commission are also said to have been affected. The exploit used to deploy the spyware is thought to have been ForcedEntry. NSO Group denies that its products would have been capable of the exploitation reported. The other vendor, QuaDream, which is said to offer a virtually identical product, did not comment to Reuters.
Malicious apps removed from the Play Store.
Recent Sharkbot Trojan infestations tracked by Check Point researchers and earlier noted by NCC Group as representing “a ‘new’ generation Android banking Trojan,” have been found in Android antivirus apps distributed through Google Play. Security Affairs reports that Sharkbot’s code employs a geofencing feature to prevent it from executing in China, India, Romania, Russia, Ukraine, and Belarus. Google has removed the malicious apps.
Vulnerabilities in hospital robots.
Cynerio on Tuesday announced its discovery of vulnerabilities in Aethon TUG hospital robots that “could allow attackers to circumvent security and remotely surveil and interact with patients, tamper with medication distribution, and disrupt day-to-day hospital operations.” Cynerio disclosed the bugs, collectively called “JekyllBot:5,” to the manufacturer under the CISA Coordinated Vulnerability Disclosure process, and the issues have now been remediated, and patches are available.
A Cyber Civil Defense initiative.
The Global Cyber Alliance reports that the Craig Newmark Philanthropies has “committed to donating more than $50 million total to support a broad coalition of organizations dedicated to educating and protecting Americans amid escalating cybersecurity threats.” Craig Newmark (who is the “Craig” in Craigslist) characterizes the effort as a “Cyber Civil Defense” initiative. It will focus on cyber education, cybersecurity career opportunities, development of cybersecurity tools for community protection, usability and customer service for security tools and services, and championing “equitable cybersecurity.”
Updates on Hafnium activity.
The Microsoft Threat Intelligence Center (MSTIC) has published an update to earlier research by both Microsoft and Palo Alto Networks describing the Chinese threat actor Hafnium. The malware it’s been observed using recently, called “Tarrask,” evades detection by using hidden scheduled tasks whose attributes it subsequently removes. This has succeeded in concealing it from many common forms of detection and identification.
Microsoft stated, “As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. The Microsoft Detection and Response Team (DART) in collaboration with the Microsoft Threat Intelligence Center (MSTIC) identified a multi-stage attack targeting the Zoho Manage Engine Rest API authentication bypass vulnerability to initially implant a Godzilla web shell with similar properties detailed by the Unit42 team in a previous blog. Microsoft observed HAFNIUM from August 2021 to February 2022, target those in the telecommunication, internet service provider and data services sector, expanding on targeted sectors observed from their earlier operations conducted in Spring 2021. Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates “hidden” scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.”
Keksec threat actor launches new botnet.
Fortinet’s Fortiguard Labs describes a botnet used by the Keksec group, a criminal gang specializing in distributed denial-of-service and cryptojacking. The researchers call the botnet “Enemybot,” and, while it appears to be still under development, it incorporates elements of older botnets. ZDNet describes Enemybot as a “Mirai, Gafgyt hybrid.”
Qbot shifts delivery tactics.
Prompted by recent Microsoft security moves against malware delivered by VBA Office macros, Qbot’s operators are changing tactics. Instead of using malicious Microsoft Office documents as the hook in phishing emails, they’re switching to delivering malicious MSI Windows Installer packages by password-protected zip files, BleepingComputer reports.
The Lazarus Group targets South Korea’s chemical sector.
North Korea’s Lazarus Group has resurfaced with an industrial espionage campaign directed against the chemical sector. Symantec researchers on Thursday outlined their findings, which conclude that Pyongyang is running a continued version of Operation Dream Job. First observed in August 2020, Operation Dream Job, as its name suggests, is a social engineering campaign that uses bogus job offers as the phishbait to lure the unwary quarry to bite on a malicious attachment that installs an information-stealing payload on the victims’ devices. The operation’s goal is believed to be theft of intellectual property for the benefit of North Korea’s chemical industry.
Symantec’s researchers stated, “In January 2022, Symantec detected attack activity on the networks of a number of organizations based in South Korea. The organizations were mainly in the chemical sector, with some being in the information technology (IT) sector. However, it is likely the IT targets were used as a means to gain access to chemical sector organizations. There is sufficient evidence to suggest that this recent activity is a continuation of Operation Dream Job. That evidence includes file hashes, file names, and tools that were observed in previous Dream Job campaigns. A typical attack begins when a malicious HTM file is received, likely as a malicious link in an email or downloaded from the web. The HTM file is copied to a DLL file called scskapplink.dll and injected into the legitimate system management software INISAFE Web EX Client.”
OldGremlin ransomware gang hits Russian organizations.
Group-IB reports that an unusual ransomware gang, OldGremlin, has resumed attacks against Russian targets. OldGremlin is an outlier in several ways. For one thing, it’s careful and selective, watching the news closely as it shapes its phishbait. Its episodic activity may indicate that its members are part-timers working a side-hustle. But the most unusual thing about OldGremlin is that it’s a Russophone gang targeting Russian organizations. Most Russian ransomware gangs operate, effectively, as privateers, and scrupulously avoid hitting Russian enterprises. Its recent campaign, run last month, impersonated a senior accountant at a large Russian financial institution. The phishbait promised details on a coming suspension of Visa and Mastercard payment processing in Russia. The payload, located in a Dropbox, was the TinyFluff backdoor.
Wind turbine manufacturer sustains “cyber incident.”
The Nordex Group, a major wind turbine manufacturer based in Germany, continues its recovery from a “cyber incident” the company sustained on March 31st. BleepingComputer reports that the incident was a ransomware attack, and the Conti gang has claimed responsibility. Only Nordex internal systems are believed to have been affected.
Nordex stated, “To safeguard customer assets, remote access from Nordex Group IT infrastructure was disabled for turbines under contract. Nordex turbines continued operating without restrictions and wind farm communication with grid operators and energy traders was and remains unaffected. As part of immediately initiated business continuity measures, alternative remote control services have been set-up and are now successfully implemented for most of the fleet. In close cooperation with relevant authorities, the emergency response team of internal and external IT experts has been performing extensive investigations and forensic analysis. Preliminary results of the analysis suggest that the impact of the incident has been limited to internal IT infrastructure. There is no indication that the incident spread to any third-party assets or otherwise beyond Nordex’ internal IT infrastructure. While investigations are ongoing, the company is continuing to restore its IT systems such as to enable business continuity and resume normal operations as soon as reasonably practicable.”
(In related news, Infinitum IT says it’s determined that the data extortion operation Karakurt is really just an arm of the Conti gang, though it’s not clear if any data were stolen in the Nordex incident.)
CISA’s Shields Up recommendations.
During the current Shields Up condition, CISA has released a brief crib sheet on how organizations should “observe, act,” and “report” when they undergo a cyber incident. CISA recommends reporting the following ten key elements of information:
- “Incident date and time”
- “Incident location”
- “Type of observed activity”
- “Detailed narrative of the event”
- “Number of people or systems affected”
- “Company/Organization name”
- “Point of Contact details”
- “Severity of event”
- “Critical Infrastructure Sector if known”
- “Anyone else you informed”
On Patch Tuesday. Microsoft released over a hundred fixes, including two that address zero-days. One of the zero-days, CVE-2022-24521, permits privilege-escalation exploitation of the Windows Common Log File system driver, and Microsoft credits the National Security Agency with tipping it off to the issue. Citrix published four advisories, and Apache upgraded Struts. On Monday Google issued an update for Chrome, which included eleven security fixes.
CISA issued five industrial control system (ICS) advisories on Tuesday, for Valmet DNA, Mitsubishi Electric MELSEC-Q Series C Controller Module, Inductive Automation Ignition, Mitsubishi Electric GT25-WLAN, and Aethon TUG Home Base Server.
And on Thursday, CISA released another, unusually large, batch of ICS advisories: forty-one notes. Thirty-eight of them apply to Siemens products; the other three are for Delta Electronics DMARS, Johnson Controls Metasys, and Red Lion DA50N. (Generally, vulnerabilities and remediations CISA describes in its advisories are discovered and reported by the companies themselves.)
Crime and punishment.
Europol on Tuesday announced the takedown of RaidForums, the large cybercriminal forum and souk where techniques were discussed, and tools and stolen data were traded. The forum’s infrastructure was seized, and its administrator and “two accomplices” were arrested in Operation TOURNIQUET. This was a year-long international effort coordinated by Europol to support the separate investigations of law enforcement agencies in Portugal, Romania, Sweden, the United Kingdom, and the United States. Europol credits effective information-sharing with enabling investigators “to define the different roles the targets played within this marketplace, i.e.: the administrator, the money launderers, the users in charge of stealing/uploading the data, and the buyers.”
The Head of Europol’s European Cybercrime Centre, Edvardas Šileris, stated, “Disruption has always been a key technique in operating against threat actors online, so targeting forums that host huge amounts of stolen data keeps criminals on their toes. Europol will continue working with its international partners to make cybercrime harder – and riskier –to commit.”
A Russian legislator, Aleksandr Mikhaylovich Babakov, Deputy Chairman of the State Duma, and two of his staffers, Aleksandr Nikolayevich Vorobev and Mikhail Alekseyevich Plisyuk, face US Federal charges connected to sanctions evasion and illegal influence operations. The US Department of Justice has unsealed an indictment filed with the US District Court for the Southern District of New York that alleges three violations of Federal law: “one count of conspiring to have a U.S. citizen act as a Russian agent in the United States without notifying the Attorney General,” “one count of conspiring to violate and evade U.S. sanctions, in violation of the International Emergency Economic Powers Act,” and “one count of conspiring to commit visa fraud.”
Having attributed the $540 million theft from DeFi platform Ronin to North Korea’s Lazarus Group, the US Treasury Department has updated its North Korean entries on OFAC’s list of sanctioned persons and organizations.