Vulnerabilities / Threats

8/7/2018
08:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Even 'Regular Cybercriminals' Are After ICS Networks

A Cybereason honeypot project shows that ordinary cybercriminals are also targeting weakly secured environments.

Contrary to what some might perceive, state-backed groups and advanced persistent threat (APT) actors are not the only adversaries targeting industrial control system (ICS) environments.

A recent honeypot project conducted by security firm Cybereason suggests that ICS operators need to be just as concerned about ordinary, moderately skilled cybercriminals looking to take advantage of weakly secured environments as well.

"The biggest takeaway is that the threat landscape extends beyond well-resourced nation-state actors to criminals that are more mistake-prone and looking to disrupt networks for a payday," says Ross Rustici, senior director of intelligence services at Cybereason. "The project shows that regular cybercriminals are interested in critical infrastructure, [too]."  

Cybereason's honeypot emulated the power transmission substation of a major electricity provider. The environment consisted of an IT side, an operational technology (OT) component, and human-machine interface (HMI) management systems. As is customary in such environments, the IT and OT networks in Cybereason's honeypot were segmented and equipped with security controls that are commonly used by ICS operators.

To lure potential attackers to its honeypot, Cybereason used bait such as Internet-connected servers with weak passwords and remote access services such as RDP and SSH enabled. But the security firm did not do anything else besides that to promote the honeypot.

Even so, just two days after the honeypot was launched a threat actor broke into it and installed a toolset designed to allow an attacker and a victim use the same access credentials to log into a machine via Remote Desktop Protocol (RDP). The toolset, commonly found on compromised systems advertised on xDedic, a Russian-language cybercrime market, suggested that the threat actor planned to sell access to Cybereason's honeypot to others.

The threat actor also created additional user accounts on the honeypot in another indication that the servers were being prepared for sale to other criminals. "The backdoors would allow the asset's new owner to access the honeypot even if the administrator passwords were changed," Cybereason said in a blog describing the results of its honeypot project.

Cybereason deliberately set up the honeypot with relatively weak controls so it would take little for the attacker to break into it by brute-forcing the RDP, Rustici says. The skill level to prepare the server for sale was also fairly rudimentary and could have been accomplished by a high-level script kiddie.

Slightly more than a week after the initial break-in, Cybereason researchers observed another threat actor connecting to the honeypot via one of the backdoor user accounts. In this instance, the attacker was focused solely on gaining access to the OT environment. The threat actor's scanning activities and lateral movement within the honeypot environment was focused on finding a way to access the HMI and OT environments.

The threat actor showed no interest in activities such as using the honeypot for cryptomining, launching DDoS attacks, or any of the other activities typically associated with people who buy and sell access to compromised networks.

The adversary's movements in the honeypot suggested a high degree of familiarity with ICS networks and the security controls in them, Cybereason said. At the same time, the attackers, unlike more sophisticated adversaries, also raised several red flags that suggested a certain level of amateurishness on their part.

"The way they operated makes us think this group was a mid- to high-level cybercrime group," Rustici says. "Based on their capabilities, it is likely they were either trophy hunting to improve their reputation or looking for a ransom payday."

The data from the honeypot project shows attackers have a new way of sourcing ICS assets, Cybereason noted. Rather than select, target, and attack a victim on their own, adversaries can simply buy access to an already compromised network.

The threat group that purchased access to the honeypot also lived entirely off the land for lateral movement and for scanning for systems with access to HMI and OT systems, Rustici says. "They never uploaded a tool to the network," he noted.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11358
PUBLISHED: 2019-04-20
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2019-11359
PUBLISHED: 2019-04-20
Cross-site scripting (XSS) vulnerability in display.php in I, Librarian 4.10 allows remote attackers to inject arbitrary web script or HTML via the project parameter.
CVE-2018-20817
PUBLISHED: 2019-04-19
SV_SteamAuthClient in various Activision Infinity Ward Call of Duty games before 2015-08-11 is missing a size check when reading authBlob data into a buffer, which allows one to execute code on the remote target machine when sending a steam authentication request. This affects Call of Duty: Modern W...
CVE-2019-11354
PUBLISHED: 2019-04-19
The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices ...
CVE-2019-11350
PUBLISHED: 2019-04-19
CloudBees Jenkins Operations Center 2.150.2.3, when an expired trial license exists, allows Cleartext Password Storage and Retrieval via the proxy configuration page.