Vulnerabilities / Threats

8/7/2018
08:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Even 'Regular Cybercriminals' Are After ICS Networks

A Cybereason honeypot project shows that ordinary cybercriminals are also targeting weakly secured environments.

Contrary to what some might perceive, state-backed groups and advanced persistent threat (APT) actors are not the only adversaries targeting industrial control system (ICS) environments.

A recent honeypot project conducted by security firm Cybereason suggests that ICS operators need to be just as concerned about ordinary, moderately skilled cybercriminals looking to take advantage of weakly secured environments as well.

"The biggest takeaway is that the threat landscape extends beyond well-resourced nation-state actors to criminals that are more mistake-prone and looking to disrupt networks for a payday," says Ross Rustici, senior director of intelligence services at Cybereason. "The project shows that regular cybercriminals are interested in critical infrastructure, [too]."  

Cybereason's honeypot emulated the power transmission substation of a major electricity provider. The environment consisted of an IT side, an operational technology (OT) component, and human-machine interface (HMI) management systems. As is customary in such environments, the IT and OT networks in Cybereason's honeypot were segmented and equipped with security controls that are commonly used by ICS operators.

To lure potential attackers to its honeypot, Cybereason used bait such as Internet-connected servers with weak passwords and remote access services such as RDP and SSH enabled. But the security firm did not do anything else besides that to promote the honeypot.

Even so, just two days after the honeypot was launched a threat actor broke into it and installed a toolset designed to allow an attacker and a victim use the same access credentials to log into a machine via Remote Desktop Protocol (RDP). The toolset, commonly found on compromised systems advertised on xDedic, a Russian-language cybercrime market, suggested that the threat actor planned to sell access to Cybereason's honeypot to others.

The threat actor also created additional user accounts on the honeypot in another indication that the servers were being prepared for sale to other criminals. "The backdoors would allow the asset's new owner to access the honeypot even if the administrator passwords were changed," Cybereason said in a blog describing the results of its honeypot project.

Cybereason deliberately set up the honeypot with relatively weak controls so it would take little for the attacker to break into it by brute-forcing the RDP, Rustici says. The skill level to prepare the server for sale was also fairly rudimentary and could have been accomplished by a high-level script kiddie.

Slightly more than a week after the initial break-in, Cybereason researchers observed another threat actor connecting to the honeypot via one of the backdoor user accounts. In this instance, the attacker was focused solely on gaining access to the OT environment. The threat actor's scanning activities and lateral movement within the honeypot environment was focused on finding a way to access the HMI and OT environments.

The threat actor showed no interest in activities such as using the honeypot for cryptomining, launching DDoS attacks, or any of the other activities typically associated with people who buy and sell access to compromised networks.

The adversary's movements in the honeypot suggested a high degree of familiarity with ICS networks and the security controls in them, Cybereason said. At the same time, the attackers, unlike more sophisticated adversaries, also raised several red flags that suggested a certain level of amateurishness on their part.

"The way they operated makes us think this group was a mid- to high-level cybercrime group," Rustici says. "Based on their capabilities, it is likely they were either trophy hunting to improve their reputation or looking for a ransom payday."

The data from the honeypot project shows attackers have a new way of sourcing ICS assets, Cybereason noted. Rather than select, target, and attack a victim on their own, adversaries can simply buy access to an already compromised network.

The threat group that purchased access to the honeypot also lived entirely off the land for lateral movement and for scanning for systems with access to HMI and OT systems, Rustici says. "They never uploaded a tool to the network," he noted.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8903
PUBLISHED: 2019-02-18
index.js in Total.js Platform before 3.2.3 allows path traversal.
CVE-2019-6453
PUBLISHED: 2019-02-18
mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from a UNC share pathname. Exploitation depends on browser-specific URI handling (Chrome is not exploitable).
CVE-2019-8372
PUBLISHED: 2019-02-18
The LHA.sys driver before 1.1.1811.2101 in LG Device Manager exposes functionality that allows low-privileged users to read and write arbitrary physical memory via specially crafted IOCTL requests and elevate system privileges. This occurs because the device object has an associated symbolic link an...
CVE-2019-8902
PUBLISHED: 2019-02-18
An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI.
CVE-2019-8423
PUBLISHED: 2019-02-18
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.