This posting is here to collect cyber security news in April 2022.
I post links to security vulnerability news in the comments of this article.
You are also free to post related links in the comments.
425 Comments
Tomi Engdahl says:
Former DHS Acting IT Chief Convicted in Software, Database Theft Scheme
https://www.darkreading.com/attacks-breaches/former-dhs-acting-it-chief-convicted-in-software-database-theft-scheme
Former DHS employees targeted confidential, proprietary software and personally identifying information (PII) for hundreds of thousands of federal employees.
The former acting branch chief of the US Department of Homeland Security’s Information Technology Division today was convicted on several federal charges related to pilfering government proprietary software and databases.
Tomi Engdahl says:
Android banking malware intercepts calls to customer support
https://www.bleepingcomputer.com/news/security/android-banking-malware-intercepts-calls-to-customer-support/
A banking trojan for Android that researchers call Fakecalls comes with a powerful capability that enables it to take over calls to a bank’s customer support number and connect the victim directly with the cybercriminals operating the malware.
Disguised as a mobile app from a popular bank, Fakecalls displays all the marks of the entity it impersonates, including the official logo and the customer support number.
When the victim tries to call the bank, the malware breaks the connection and shows its call screen, which is almost indistinguishable from the real one.
While the victim sees the bank’s real number on the screen, the connection is to the cybercriminals, who can pose as the bank’s customer support representatives and obtain details that would give them access to the victim’s funds.
Fakecalls mobile banking trojan can do this because at the moment of installation it asks for several permissions that give it access to the contact list, microphone, camera, geolocation, and call handling.
The malware emerged last year and has been seen targeting users in South Korea, customers of popular banks like KakaoBank or Kookmin Bank (KB), security researchers at Kaspersky note in a report today.
Fakecalls: a talking Trojan
https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/
A Trojan that masquerades as a banking app and imitates phone conversations with bank employees.
Tomi Engdahl says:
New Android banking malware remotely takes control of your device
https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/
A new Android banking malware named Octo has appeared in the wild, featuring remote access capabilities that allow malicious operators to perform on-device fraud.
Octo is an evolved Android malware based on ExoCompact, a malware variant based on the Exo trojan that quit the cybercrime space and had its source code leaked in 2018.
Tomi Engdahl says:
Critical updates arrived for Windows and should be installed soon; Mikko Hyppönen fears a worm epidemic https://www.is.fi/digitoday/tietoturva/art-2000008750173.html
Tomi Engdahl says:
Gergely Orosz / The Pragmatic Engineer:
An Atlassian outage that began on April 4 left ~400 companies without access to Atlassian’s cloud services; only 45% of companies have since regained access — Hundreds of companies have no access to JIRA, Confluence and OpsGenie. What can engineering teams learn from the poor handling of this outage?
The Scoop: Inside the Longest Atlassian Outage of All Time
https://newsletter.pragmaticengineer.com/p/scoop-atlassian?s=r
We are in the middle of the longest outage Atlassian has ever had. Close to 400 companies and anywhere from 50,000 to 400,000 users had no access to JIRA, Confluence, OpsGenie, JIRA Status page, and other Atlassian Cloud services. The outage is in its 9th day, having started on Monday, 4th of April. Atlassian estimates many impacted customers will be unable to access their services for another two weeks. At the time of writing, 45% of companies have seen their access restored.
For most of this outage, Atlassian has gone silent in communications across their main channels such as Twitter or the community forums. It took until Day 9 for executives at the company to acknowledge the outage.
While the company stayed silent, outage news started trending in niche communities like Hacker News and Reddit. In these forums, people tried to guess causes of the outage, wondered why there is full radio silence, and many took to mocking the company for how it is handling the situation.
Atlassian did no better with communicating with customers during this time. Impacted companies received templated emails and no answers to their questions.
What compensation can customers expect? Customers have not received details on compensation for the outage. Atlassian compensates using credits, which are discounts in pricing. These are issued based on what uptime their service has over the past month. Most customers impacted in the outage have a 73% uptime for the past 30 days, as we speak, and this is going down with every passing day. Atlassian’s credit compensation works like this:
99 – 99.9%: 10% discount
95-99%: 25% discount
Below 95%: 50% discount
As it stands, customers are eligible for a 50% discount for their next, monthly bill. Call me surprised if Atlassian does not offer something far more generous, given they are at zero 9’s availability for these customers for the rolling 30 days’ window.
The impact of the outage on Atlassian’s business
Atlassian claims the customers impacted were “only” 0.18% of its customer base at 400 companies. They did not share the number of seats impacted. I estimate seats are between 50,000 – 400,000, based on the fact that I have not talked with any impacted customers smaller than 250 employees, most of them with seats.
Tomi Engdahl says:
Advanced hackers have shown they can take control of an array of devices that help run power stations and manufacturing plants, the U.S. government said in an alert on Wednesday, warning of the potential for cyber spies to harm critical infrastructure.
U.S. says advanced hackers have shown ability to hijack critical infrastructure
https://www.reuters.com/technology/us-says-advanced-hackers-have-demonstrated-ability-hijack-multiple-industrial-2022-04-13/
The U.S. Cybersecurity and Infrastructure Security Agency and other government agencies issued a joint advisory saying the hackers’ malicious software could affect a type of device called programmable logic controllers made by Schneider Electric (SCHN.PA) and OMRON Corp (6645.T).
Alert (AA22-103A)
APT Cyber Tools Targeting ICS/SCADA Devices
https://www.cisa.gov/uscert/ncas/alerts/aa22-103a
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:
Schneider Electric programmable logic controllers (PLCs),
OMRON Sysmac NEX PLCs, and
Open Platform Communications Unified Architecture (OPC UA) servers.
The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.
Technical Details
APT actors have developed custom-made tools that, once they have established initial access in an OT network, enable them to scan for, compromise, and control certain ICS/SCADA devices, including the following:
Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
OPC Unified Architecture (OPC UA) servers.
The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.
The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.
APT Tool for OPC UA
The APT actors’ tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials. The client can read the OPC UA structure from the server and potentially write tag values available via OPC UA.
DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:
Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.
Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
Implement robust log collection and retention from ICS/SCADA systems and management subnets.
Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
Ensure all applications are only installed when necessary for operation.
Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator comments as signs of potential malicious activity.
Monitor systems for loading of unusual drivers, especially for ASRock driver if no ASRock driver is normally used on the system.
Tomi Engdahl says:
US agencies warn of custom-made hacking tools targeting energy sector systems
https://therecord.media/us-agencies-warn-of-custom-made-hacking-tools-targeting-energy-sector-systems/
Several advanced persistent threat (APT) actors have created custom-made tools designed to breach IT equipment used in critical infrastructure facilities, according to a new advisory from multiple US agencies.
In an alert released on Wednesday, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) warned critical infrastructure operators of potential attacks targeting multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.
The alert says the tools used in the attacks were designed specifically for Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.
Eric Byres, chief technology officer of ICS cybersecurity software firm aDolus Technology, told The Record that Schneider Electric MODICON PLCs and OPC Unified Architecture (OPC UA) servers are incredibly common and are used widely within many major industrial facilities across the US.
“The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the alert explained.
“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”
Tomi Engdahl says:
https://www.securityweek.com/silverfort-banks-65-million-identity-threat-protection-platform
Tomi Engdahl says:
SAP Releases Patches for Spring4Shell Vulnerability
https://www.securityweek.com/sap-releases-patches-spring4shell-vulnerability
German software maker SAP announced on Tuesday that more than 30 new and updated security notes were released on its April 2022 Security Patch Day, including notes that deal with the Spring4Shell vulnerability.
Tracked as CVE-2022-22965, the vulnerability dubbed Spring4Shell impacts Spring, the most popular Java application development framework in the world, and could lead to the execution of code remotely. Security researchers have already observed attempts to exploit the flaw in the wild.
SAP published three Spring4Shell-related security notes, all rated “Hot News” – the highest rating in the company’s books – two of which address CVE-2022-22965 in HANA Extended Application Service and Customer Checkout.
The third note, however, is a central note for Spring4Shell, which suggests that SAP expects the impact from this vulnerability to be wider.
Tomi Engdahl says:
ICS Patch Tuesday: Siemens, Schneider Fix Several Critical Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-fix-several-critical-vulnerabilities
Tomi Engdahl says:
https://www.securityweek.com/citrix-patches-vulnerabilities-several-products
Tomi Engdahl says:
Flaws in ABB Network Interface Modules Expose Industrial Systems to DoS Attacks
https://www.securityweek.com/flaws-abb-network-interface-modules-expose-industrial-systems-dos-attacks
Industrial technology giant ABB is working on patches for three high-severity vulnerabilities discovered by researchers in some of the company’s network interface modules.
The vulnerabilities affect Symphony Plus SPIET800 and PNI800, which are network interface modules that enable communications between a control network and a host computer running an engineering tool or a human-machine interface (HMI).
Due to the way these products handle certain packets, an attacker who has local access to the control network or remote access to a system server can cause a denial-of-service (DoS) condition that can only be addressed with a manual reboot.
The vulnerabilities, discovered by researchers at OT cybersecurity firm Verve Industrial, have been assigned the CVE identifiers CVE-2021-22285, CVE-2021-22286 and CVE-2021-22288, and they have all been rated “high severity.”
ABB published an advisory for these vulnerabilities in February and the US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory last week to inform organizations using the affected products about the risks.
ICS Advisory (ICSA-22-097-02)
ABB SPIET800 and PNI800
https://www.cisa.gov/uscert/ics/advisories/icsa-22-097-02
SECURITY – Denial of Service Vulnerabilities in SPIET800 INFI-Net to Ethernet Transfer module and PNI800 S+ Ethernet communication interface module
CVE ID: CVE-2021-22285, CVE-2021-22286, CVE-2021-22288
https://library.e.abb.com/public/0e2620afd4ec4cd88894d2669672f4c3/7PAA001353_en_Cyber%20Security%20Advisory%20ABB_SPIET800_PNI800_Firmware.pdf?x-sign=AKJrxPXeIG3wJPzf6MIcYtDymeynp4o9hbeyK0vUDBe6apjd57Fbi1O1VsxbhrO7
Tomi Engdahl says:
Wind Turbine Giant Nordex Scrambling to Recover From Cyberattack
https://www.securityweek.com/wind-turbine-giant-nordex-scrambling-recover-cyberattack
Nordex says cyber incident limited to internal IT infrastructure, wind turbine farms unaffected
Wind turbines manufacturing giant Nordex Group this week announced that it is still working on restoring systems after a crippling cyberattack on March 31.
The incident was publicly disclosed in early April, when the company announced that it shut down “IT systems across multiple locations and business units” to contain the issue.
The company also said that the cyberattack was detected in its early stages, and that it immediately set up an incident response team to investigate and address the breach.
On Tuesday, the wind turbine maker published an updated incident notification, saying that it was still working on restoring systems to “enable business continuity and resume normal operations as soon as reasonably practicable.”
However, the company also announced that, while it disabled remote access from its infrastructure for turbines under contract, wind turbine farms were not affected by the attack and continued to operate normally.
“Nordex turbines continued operating without restrictions and wind farm communication with grid operators and energy traders was and remains unaffected,” the company announced.
Furthermore, Nordex announced that it has implemented alternative remote control services for most of its fleet, to ensure business continuity.
The investigation conducted by the company’s emergency response team in collaboration with relevant authorities has shown that only internal systems within Nordex’s environment were affected by the attack.
Tomi Engdahl says:
Microsoft Seizes Control of Notorious Zloader Cybercrime Botnet
https://www.securityweek.com/microsoft-seizes-control-notorious-zloader-cybercrime-botnet
Microsoft has disrupted the operation of one of the most notorious cybercrime botnets and named a Crimean hacker as an alleged perpetrator behind the distribution of ransomware to the network of infected machines.
The Zloader botnet has been a thorn in Microsoft’s side for many years, infecting Windows-powered computing devices in businesses, hospitals, schools, and homes around the world. The gang behind the botnet runs a malware-as-a-service operation designed to steal and extort money.
Tomi Engdahl says:
U.S. Warns New Sophisticated Malware Can Target ICS/SCADA Devices
https://www.securityweek.com/us-warns-new-sophisticated-malware-can-target-icsscada-devices
The U.S. government is sounding a loud alarm after discovering new custom tools capable of full system compromise and disruption of ICS/SCADA devices and servers.
A joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation.
“The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the agencies warned.
“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” according to the joint advisory [PDF].
The government warning comes on the heels of a series of wiper malware attacks linked to Russia’s invasion of Ukraine and a software supply chain compromise that effectively crippled Viasat’s satellite internet service.
APT Cyber Tools Targeting ICS/SCADA Devices
https://www.cisa.gov/uscert/sites/default/files/publications/Joint_Cybersecurity_Advisory_APT%20Cyber%20Tools%20Targeting%20ICS%20SCADA%20Devices.pdf
Tomi Engdahl says:
VMware Confirms Workspace One Exploits in the Wild
https://www.securityweek.com/vmware-confirms-workspace-one-exploits-wild
Less than a week after patching critical security defects affecting multiple enterprise-facing products, VMware is warning that one of the flaws is being exploited in the wild.
VMware updated a security bulletin issued on April 4 to add a single line: “VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild.”
The update adds to the urgency for organizations to apply patches and mitigations to stay ahead of attackers. VMware products have become a common target for nation-state APT actors and ransomware criminals.
“A malicious actor with network access can trigger a server-side template injection that may result in remote code execution,” the company warned in the advisory.
https://core.vmware.com/vmsa-2022-0011-questions-answers-faq#sec19795-sub17
Tomi Engdahl says:
DHS investigators say they foiled cyberattack on undersea internet cable in Hawaii
https://www.cyberscoop.com/undersea-cable-operator-hacked-hawaii/
Federal agents in Honolulu last week “disrupted” an apparent cyberattack on an unnamed telecommunication company’s servers associated with an underwater cable responsible for internet, cable service and cell connections in Hawaii and the region, the agency said in a statement Tuesday.
Hawaii-based agents with Homeland Security Investigations, an arm of the Department of Homeland Security, received a tip from their mainland HSI counterparts that led to the disruption of a “significant breach involving a private company’s servers associated with an undersea cable.” The investigation revealed that “an international hacking group” was behind the attack, and “HSI agents and international law enforcement partners in several countries were able to make an arrest.”
The statement did not identify the type of cyberattack alleged to have occurred, the hacking group responsible, the other law enforcement agencies or where any arrests took place. No damage or disruption occurred, and there is no immediate threat, the statement said.
As much as 95% of intercontinental internet data flows via hundreds of “submarine” internet cables, according to the National Oceanic and Atmospheric Administration. The cables are owned and operated by combinations of private and state-owned entities, and are facing increasing risks to their security and resilience, according to an Atlantic Council report published in September 2021.
That report’s author, Justin Sherman, outlines concerns such as authoritarian governments’ desire to control internet access, in part, by manipulating physical infrastructure such as the submarine lines. The lines are also attractive targets for surreptitious monitoring by government or criminal groups looking to steal sensitive data.
But another threat, Sherman wrote in a blog post summarizing his report, is that more cable operators are using remote management systems for cable networks. “Many of these systems have poor security, which exposes cables to new levels of cybersecurity risk,” he wrote. “Hackers could break into these internet-connected systems from anywhere in the world and physically manipulate cable signals, causing them to drop off entirely — undermining the flow of internet data to specific parts of the world.”
Sherman added that the ever-present ransomware threat is acute with respect to these lines: “One can even imagine a threat actor (state or non-state) hacking into a cable management system and trying to hold the infrastructure hostage.”
Tomi Engdahl says:
LockBit ransomware gang lurked in a U.S. gov network for months
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-lurked-in-a-us-gov-network-for-months/
A regional U.S. government agency compromised with LockBit ransomware had the threat actor in its network for at least five months before the payload was deployed, security researchers found.
Logs retrieved from the compromised machines showed that two threat groups had compromised them and were engaged in reconnaissance and remote access operations.
Initial compromise
The initial access allowing the attack was a protective feature that one of the agency’s technicians left disabled following a maintenance operation.
According to researchers at cybersecurity company Sophos, the actor accessed the network through open remote desktop (RDP) ports on a misconfigured firewall and then used Chrome to download the tools needed in the attack.
The toolset included utilities for brute-forcing, scanning, a commercial VPN, and free tools that allow file management and command execution, such as PsExec, FileZilla, Process Explorer, and GMER.
Additionally, the hackers used remote desktop and remote management software like ScreenConnect, and later in the attack, AnyDesk.
From there, the attackers spent time laying low and just tried to steal valuable account credentials to expand their compromise of the network.
At some point, they snatched the credentials of a local server admin who also had Domain Administrator permissions, so they could create on other systems new accounts with administrator privileges.
Upping the game
In the second phase of the attack, initiated five months after the initial compromise, a more sophisticated actor appears to have taken over, leading Sophos to assume that a higher-level actor was now in charge of the operation.
The new phase started with installing the Mimikatz and LaZagne post-exploitation tools for extracting credential sets from the compromised server.
The attackers made their presence more evident by wiping logs and performing system reboots via remote commands, alerting the system admins who took 60 servers offline and segmented the network.
A second error during this incident response disabled endpoint security. From this point, the two parties engaged in an open confrontation of measures and countermoves.
“On the first day of the sixth month of the attack, the attacker made their big move, running Advanced IP Scanner and almost immediately beginning lateral movement to multiple sensitive servers. Within minutes, the attacker has access to a slew of sensitive personnel and purchasing files,” informs the report from Sophos.
Tomi Engdahl says:
Feds Uncover a ‘Swiss Army Knife’ for Hacking Industrial Control Systems
https://www.wired.com/story/pipedream-ics-malware/
The malware toolkit, known as Pipedream, is perhaps the most versatile tool ever made to target critical infrastructure like power grids and oil refineries.
Malware designed to target industrial control systems like power grids, factories, water utilities, and oil refineries represents a rare species of digital badness. So when the United States government warns of a piece of code built to target not just one of those industries, but potentially all of them, critical infrastructure owners worldwide should take notice.
On Wednesday, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly released an advisory about a new hacker toolset potentially capable of meddling with a wide range of industrial control system equipment. More than any previous industrial control system hacking toolkit, the malware contains an array of components designed to disrupt or take control of the functioning of devices, including programmable logic controllers (PLCs) that are sold by Schneider Electric and OMRON and are designed to serve as the interface between traditional computers and the actuators and sensors in industrial environments. Another component of the malware is designed to target Open Platform Communications Unified Architecture (OPC UA) servers—the computers that communicate with those controllers.
“This is the most expansive industrial control system attack tool that anyone has ever documented,” says Sergio Caltagirone, the vice president of threat intelligence at industrial-focused cybersecurity firm Dragos, which contributed research to the advisory and published its own report about the malware. Researchers at Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric also contributed to the advisory. “It’s like a Swiss Army knife with a huge number of pieces to it.”
Dragos says the malware has the ability to hijack target devices, disrupt or prevent operators from accessing them, permanently brick them, or even use them as a foothold to give hackers access to other parts of an industrial control system network. He notes that while the toolkit, which Dragos calls “Pipedream,” appears to specifically target Schneider Electric and OMRON PLCs, it does so by exploiting underlying software in those PLCs known as Codesys, which is used far more broadly across hundreds of other types of PLCs. This means that the malware could easily be adapted to work in almost any industrial environment. “This toolset is so big that it’s basically a free-for-all,” Caltagirone says. “There’s enough in here for everyone to worry about.”
While the toolkit’s adaptability means it could be used against practically any industrial environment, from manufacturing to water treatment, Dragos points out that the apparent focus on Schneider Electric and OMRON PLCs does suggest that the hackers may have built it with power grid and oil refineries—particularly liquified natural gas facilities—in mind, given Schneider’s wide use in electric utilities and OMRON’s broad adoption in the oil and gas sector. Caltagirone suggests the ability to send commands to servo motors in those petrochemical facilities via OMRON PLCs would be particularly dangerous, with the ability to cause “destruction or even loss of life.”
The CISA advisory doesn’t point to any particular vulnerabilities in the devices or software the Pipedream malware targets, though Caltagirone says it does exploit multiple zero-day vulnerabilities—previously unpatched hackable software flaws—that are still being fixed. He notes, however, that even patching those vulnerabilities won’t prevent most of Pipedream’s capabilities, as it’s largely designed to hijack the intended functionality of target devices and send legitimate commands in the protocols they use.
The discovery of the Pipedream malware toolkit represents a rare addition to the handful of malware specimens found in the wild that target industrial control systems (ICS) software. The first and still most notorious example of that sort of malware remains Stuxnet, the US- and Israeli-created code that was uncovered in 2010 after it was used to destroy nuclear enrichment centrifuges in Iran. More recently, the Russian hackers known as Sandworm, part of the Kremlin’s GRU military intelligence agency, deployed a tool called Industroyer or Crash Override to trigger a blackout in the Ukrainian capital of Kyiv in late 2016.
The next year, Kremlin-linked hackers infected systems at the Saudi Arabian oil refinery Petro Rabigh with a piece of malware known as Triton or Trisis, which was designed to target its safety systems—with potentially catastrophic physical consequences—but instead triggered two shutdowns of the plant’s operations. Then, just last week, Russia’s Sandworm hackers were detected using a new variant of their Industroyer code to target a regional electrical utility in Ukraine, though Ukrainian officials say they managed to detect the attack and avert a blackout.
Tomi Engdahl says:
Microsoft Patches Windows Flaw Under Attack and Reported by NSA
https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-windows-flaw-under-attack-and-reported-by-nsa
“Go patch your systems before” the exploit spreads more widely, ZDI warns.
Microsoft today issued 128 patches in a total of 145 CVEs this month for security vulnerabilities in Windows, Defender, Edge, Exchange Server, Office, SharePoint, DNS server, Windows Print Spooler, and other software.
An elevation of privilege flaw in Windows Common Log File System Driver (CVE-2022-24521) is already being exploited in the wild, and was reported to Microsoft by the National Security Agency and researchers from CrowdStrike. “Since this vulnerability only allows a privilege escalation, it is likely paired with a separate code execution bug,” ZDI wrote in its analysis of the April batch of Microsoft patches. “It’s not stated how widely the exploit is being used in the wild, but it’s likely still targeted at this point and not broadly available. Go patch your systems before that situation changes.”
There are 10 critical vulns among the security updates today, including two that ZDI says could be abused as worms: a remote code execution bug in RPC Runtime Library (CVE-2022-26809) and a remote code execution flaw in Windows Network File System (CVE-2022-24491/24497).
Tomi Engdahl says:
https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-lurked-in-a-us-gov-network-for-months/
Tomi Engdahl says:
https://arstechnica.com/information-technology/2022/04/trend-says-hackers-have-weaponized-springshell-to-install-mirai-malware/
Tomi Engdahl says:
China ‘Decodes’ An Orbiting US Satellite; Claims Expertise In Automatically Detecting & Fixing Security Flaws In Outer Space
https://eurasiantimes.com/china-decodes-an-orbiting-us-satellite-claims-expertise-in-automatically-detecting-fixing-security-flaws-in-outer-space/
Tomi Engdahl says:
Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity
https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/mirai-malware-now-delivered-using-spring4shell-exploits/
Tomi Engdahl says:
https://www.the-sun.com/lifestyle/5023165/cyber-security-employers-discover-personal-life-online-social-media/
Tomi Engdahl says:
https://spacenews.com/space-force-to-shore-up-cybersecurity-as-threats-proliferate/
Tomi Engdahl says:
https://thehackernews.com/2022/04/beastmode-ddos-botnet-exploiting-new.html
Tomi Engdahl says:
https://www.zdnet.com/article/these-ten-hacking-groups-have-been-targeting-critical-infrastructure-and-energy/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-vulnerabilities-in-multiple-products/
Tomi Engdahl says:
https://www.lahitapiola.fi/tietoa-lahitapiolasta/uutishuone/blogit/blogit/blogi/1509576926928
Any one of us can be the target of a cyberattack
Tomi Engdahl says:
https://eurasiantimes.com/china-decodes-an-orbiting-us-satellite-claims-expertise-in-automatically-detecting-fixing-security-flaws-in-outer-space/
Tomi Engdahl says:
Why You Must Factory Reset Everything: A Privacy 101 For 2022
https://www.forbes.com/sites/daveywinder/2022/03/19/why-you-should-factory-reset-everything-a-privacy-101-for-2022/
Tomi Engdahl says:
https://www.gadgethacks.com/how-to/use-invisible-zero-width-characters-hide-secret-messages-plain-sight-0385009/
Tomi Engdahl says:
https://thehackernews.com/2022/04/nginx-shares-mitigations-for-zero-day.html
Tomi Engdahl says:
https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-windows-flaw-under-attack-and-reported-by-nsa
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/
Tomi Engdahl says:
Feds Uncover a ‘Swiss Army Knife’ for Hacking Industrial Control Systems
The malware toolkit, known as Pipedream, is perhaps the most versatile tool ever made to target critical infrastructure like power grids and oil refineries.
https://www.wired.com/story/pipedream-ics-malware/
Tomi Engdahl says:
https://www.theregister.com/2022/04/05/mahesh_bank_no_firewall_attack/
Tomi Engdahl says:
U.S. says advanced hackers have shown ability to hijack critical infrastructure
https://www.reuters.com/technology/us-says-advanced-hackers-have-demonstrated-ability-hijack-multiple-industrial-2022-04-13/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-to-patch-actively-exploited-windows-lpe-bug/
Tomi Engdahl says:
https://techcrunch.com/2022/04/14/docontrol-raises-30m-for-no-code-security-tools-for-cloud-app-log-ins/?tpcc=tcplusfacebook
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/vmware-patches-spring4shell-rce-flaw-in-multiple-products/
Tomi Engdahl says:
Borat RAT malware: A ‘unique’ triple threat that is far from funny
The malware combines remote access, spyware, and ransomware into one nasty package.
https://www.zdnet.com/article/borat-rat-malware-a-unique-triple-threat-that-is-far-from-funny/
Tomi Engdahl says:
Hackers build like-for-like open-source app to try and steal crypto
By Hope Corrigan published 9 days ago
Just enter that incredibly important key phrase here, thank you.
https://www.pcgamer.com/uk/hackers-build-like-for-like-open-source-app-to-try-and-steal-crypto/
Tomi Engdahl says:
Leaked documents show notorious ransomware group has an HR department, performance reviews and an ‘employee of the month’
https://www.cnbc.com/2022/04/14/conti-ransomware-leak-shows-group-operates-like-normal-tech-company.html
A huge leak of internal documents — thought to be an act of revenge over Conti’s pro-Russia stance — revealed details about the notorious hacker group’s size, leadership and operations.
The messages show that Conti operates much like a regular company, with salaried workers, bonuses, performance reviews and even “employees of the month.”
Cybersecurity experts say some workers were told they were working for an ad company and likely were unaware who was employing them.
A Russian group identified by the FBI as one of the most prolific ransomware groups of 2021 may now understand how it feels to be the victim of cyber espionage.
A series of document leaks reveal details about the size, leadership and business operations of the group known as Conti, as well as what’s perceived as its most prized possession of all: the source code of its ransomware.
Shmuel Gihon, a security researcher at the threat intelligence company Cyberint, said the group emerged in 2020 and grew into one of the biggest ransomware organizations in the world. He estimates the group has around 350 members who collectively have made some $2.7 billion in cryptocurrency in only two years.
Conti “most frequently victimized the Critical Manufacturing, Commercial Facilities, and Food and Agriculture sectors,” the bureau said.
“They were the most successful group up until this moment,” said Gihon.
Act of revenge?
In an online post analyzing the leaks, Cyberint said the leak appears to be an act of revenge, prompted by a since-amended post by Conti published in the wake of Russia’s invasion of Ukraine. The group could have remained silent, but “as we suspected, Conti chose to side with Russia, and this is where it all went south,” Cyberint said.
The leaks started on Feb. 28, four days after Russia’s invasion of Ukraine.
Soon after the post, someone opened a Twitter account named “ContiLeaks” and started leaking thousands of the group’s internal messages alongside pro-Ukrainian statements.
The impact of the leak on the cybersecurity community was huge, said Gihon, who added that most of his global colleagues spent weeks poring through the documents.
The American cybersecurity company Trellix called the leak “the Panama Papers of Ransomware” and “one of the largest ‘crowd-sourced cyber investigations’ ever seen.”
The messages showed Conti has physical offices in Russia, said Finkelstein, adding that the group may have ties to the Russian government.
“Our … assumption is that such a huge organization, with physical offices and enormous revenue would not be able to act in Russia without the full approval, or even some cooperation, with Russian intelligence services,” he said.
“When communicating with employees, higher management would often make the case that working for Conti was the deal of a lifetime — high salaries, interesting tasks, career growth(!),” according to Check Point Research.
However, some of the messages paint a different picture, with threats of termination for not responding to messages quickly enough — within three hours — and work hours during weekends and holidays, Check Point Research said.
The hiring process
Conti hires from both legitimate sources, such as Russian headhunting services, and the criminal underground, said Finkelstein.
Hiring was important because “perhaps unsurprisingly, the turnover, attrition and burnout rate was quite high for low-level Conti employees,”
Some hires weren’t even computer specialists, according to Check Point Research. Conti hired people to work in call centers, it said. According to the FBI, “tech support fraud” is on the rise, where scammers impersonate well-known companies, offer to fix computer problems or cancel subscription charges.
Employees in the dark
“Alarmingly, we have evidence that not all the employees are fully aware that they are part of a cybercrime group,” said Finkelstein. “These employees think they are working for an ad company, when in fact they are working for a notorious ransomware group.”
The messages show managers lied to job candidates about the organization, with one telling a potential hire: “Everything is anonymous here, the main direction of the company is software for pentesters.”
The group kept coders in the dark by having them work on one module, or part of the software.
If employees eventually figure things out, Stern said, they’re offered a pay raise to stay.
Days before the leak, an internal message stated: “There have been many leaks, there have been … arrests … there is no boss, there is no clarity … there is no money either … I have to ask all of you to take a 2-3 month vacation.”
Though the group has been hobbled, it will likely rise again.
Tomi Engdahl says:
The Tricky Aftermath of Source Code Leaks
Lapsus$ hackers leaked Microsoft’s Bing and Cortana source code. How bad is that, really?
https://www.wired.com/story/source-code-leak-dangers/
Tomi Engdahl says:
New EnemyBot DDoS Botnet Borrows Exploit Code from Mirai and Gafgyt
https://thehackernews.com/2022/04/new-enemybot-ddos-botnet-borrows.html
Tomi Engdahl says:
OpenSSH goes Post-Quantum, switches to qubit-busting crypto by default
https://nakedsecurity.sophos.com/2022/04/11/openssh-goes-post-quantum-switches-to-qubit-busting-crypto-by-default/