Vulnerabilities / Threats

8/7/2018
08:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Even 'Regular Cybercriminals' Are After ICS Networks

A Cybereason honeypot project shows that ordinary cybercriminals are also targeting weakly secured environments.

Contrary to what some might perceive, state-backed groups and advanced persistent threat (APT) actors are not the only adversaries targeting industrial control system (ICS) environments.

A recent honeypot project conducted by security firm Cybereason suggests that ICS operators need to be just as concerned about ordinary, moderately skilled cybercriminals looking to take advantage of weakly secured environments as well.

"The biggest takeaway is that the threat landscape extends beyond well-resourced nation-state actors to criminals that are more mistake-prone and looking to disrupt networks for a payday," says Ross Rustici, senior director of intelligence services at Cybereason. "The project shows that regular cybercriminals are interested in critical infrastructure, [too]."  

Cybereason's honeypot emulated the power transmission substation of a major electricity provider. The environment consisted of an IT side, an operational technology (OT) component, and human-machine interface (HMI) management systems. As is customary in such environments, the IT and OT networks in Cybereason's honeypot were segmented and equipped with security controls that are commonly used by ICS operators.

To lure potential attackers to its honeypot, Cybereason used bait such as Internet-connected servers with weak passwords and remote access services such as RDP and SSH enabled. But the security firm did not do anything else besides that to promote the honeypot.

Even so, just two days after the honeypot was launched a threat actor broke into it and installed a toolset designed to allow an attacker and a victim use the same access credentials to log into a machine via Remote Desktop Protocol (RDP). The toolset, commonly found on compromised systems advertised on xDedic, a Russian-language cybercrime market, suggested that the threat actor planned to sell access to Cybereason's honeypot to others.

The threat actor also created additional user accounts on the honeypot in another indication that the servers were being prepared for sale to other criminals. "The backdoors would allow the asset's new owner to access the honeypot even if the administrator passwords were changed," Cybereason said in a blog describing the results of its honeypot project.

Cybereason deliberately set up the honeypot with relatively weak controls so it would take little for the attacker to break into it by brute-forcing the RDP, Rustici says. The skill level to prepare the server for sale was also fairly rudimentary and could have been accomplished by a high-level script kiddie.

Slightly more than a week after the initial break-in, Cybereason researchers observed another threat actor connecting to the honeypot via one of the backdoor user accounts. In this instance, the attacker was focused solely on gaining access to the OT environment. The threat actor's scanning activities and lateral movement within the honeypot environment was focused on finding a way to access the HMI and OT environments.

The threat actor showed no interest in activities such as using the honeypot for cryptomining, launching DDoS attacks, or any of the other activities typically associated with people who buy and sell access to compromised networks.

The adversary's movements in the honeypot suggested a high degree of familiarity with ICS networks and the security controls in them, Cybereason said. At the same time, the attackers, unlike more sophisticated adversaries, also raised several red flags that suggested a certain level of amateurishness on their part.

"The way they operated makes us think this group was a mid- to high-level cybercrime group," Rustici says. "Based on their capabilities, it is likely they were either trophy hunting to improve their reputation or looking for a ransom payday."

The data from the honeypot project shows attackers have a new way of sourcing ICS assets, Cybereason noted. Rather than select, target, and attack a victim on their own, adversaries can simply buy access to an already compromised network.

The threat group that purchased access to the honeypot also lived entirely off the land for lateral movement and for scanning for systems with access to HMI and OT systems, Rustici says. "They never uploaded a tool to the network," he noted.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
8 Security Tips to Gift Your Loved Ones For the Holidays
Steve Zurier, Freelance Writer,  12/18/2018
How to Engage Your Cyber Enemies
Guy Nizan, CEO at Intsights Cyber Intelligence,  12/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-16883
PUBLISHED: 2018-12-19
sssd versions from 1.13.0 to before 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" configuration parameter. If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.
CVE-2018-17192
PUBLISHED: 2018-12-19
The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on th...
CVE-2018-17193
PUBLISHED: 2018-12-19
The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior ...
CVE-2018-17194
PUBLISHED: 2018-12-19
When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and even...
CVE-2018-17195
PUBLISHED: 2018-12-19
The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, a...