Threat Report

Thursday February 20th 2020

This week we’ve got a warning from CISA on threats to critical U.S. infrastructure, we’re going phishing in Puerto Rico, celebrating Valentine’s day with the FBI, and listening to chatter on the dark Web for upcoming threats. Let’s get this party started.

CISA warning for critical U.S. infrastructure

On February 18, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations across all U.S. critical infrastructure sectors about a recent ransomware attack that affected a natural gas compression facility. The attackers initially used a spearphishing link to obtain access to the organization’s Information Technology (IT) network before pivoting to the Operational Technology (OT) network.

After infiltrating the network, the attackers deployed an unspecified ransomware payload to encrypt the IT and OT networks, which impacted the availability of human-machine interfaces (HMIs), polling servers, and data historians. CISA confirmed that the attack did not impact any Programmable Logic Controllers (PLCs) on the affected networks because the malware only infected Windows devices. The targeted organization was able to obtain replacement equipment following the ransomware attack and load its configurations onto that equipment, which made recovery easier.

According to CISA, there are 16 critical infrastructure sectors:

  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Defense Industrial Base Sector
  • Emergency Services Sector
  • Energy Sector
  • Financial Services Sector
  • Food and Agriculture Sector
  • Government Facilities Sector
  • Healthcare and Public Health Sector
  • Information Technology Sector
  • Nuclear Reactors, Materials, and Waste Sector
  • Transportation Systems Sector
  • Water and Wastewater Systems Sector

Puerto Rico phishers land $2.6M haul

On February 13, 2020, Puerto Rico’s Industrial Development Company lost more than $2.6M after falling for an email phishing scam. According to the news, the government agency transferred the money on January 17, 2020 after receiving an email about a change to a banking account tied to remittance payments. Manuel Laboy, executive director of the agency, told The Associated Press that officials found out about the incident earlier this week and immediately reported it to the FBI.

According to the FBI IC3 annual reports, phishing attacks were a top crime complaint reported to the FBI in 2019. Users and organizations should check the URL of a website before clicking a link sent via email, be wary of suspicious attachments, disable macros, keep computer systems up to date, and provide security awareness training, especially for those most likely to be targeted, such as finance, HR, IT, and the C-suite.

According to the annual report, business email compromise (BEC), also known as email account compromise, has been a major concern for years. In 2019, IC3 recorded 23,775 complaints about BEC, which resulted in more than $1.7B in losses.

Happy Valentine’s day from the FBI

On Valentine’s day, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) gifted us new details on North Korean malware in the form of six new and updated Malware Analysis Reports (MARs) related to malicious cyber activity from North Korea. According to the Cyber National Mission Force (CNMF), the malware is being distributed via a North Korean phishing campaign. CISA attributed the malware to a North Korean state-sponsored threat group tracked as HIDDEN COBRA, also known as the Lazarus Group, North Korea’s largest and most active hacking division.

The following malware was identified:

  • BISTROMATH – described as a full-featured RAT
  • SLICKSHOES – described as a malware dropper
  • CROWDEDFLOUNDER – designed to unpack and execute a Remote Access Trojan (RAT)
  • HOTCROISSANT – described as a beaconing implant with backdoor capabilities
  • ARTFULPIE – used to load and execute a DLL from a hardcoded URL
  • BUFFETLINE – described as a beaconing implant with backdoor features
  • HOPLIGHT – a Trojan developed by the Lazarus Group

The most recent malware analysis reports provide detailed malware descriptions, suggested response actions, and recommended mitigation techniques to help organizations detect and reduce exposure to HIDDEN COBRA malicious cyber activity.

Indicators of compromise were released with CISA’s report.

IPs

137[.]139.135.151
128[.]200.115.228
218[.]255.24.226
84[.]49.242.125
210[.]137.6.37
195[.]158.234.60
197[.]211.212.59
47[.]206.4.145
112[.]175.92.57
181[.]39.135.126
186[.]169.2.237
221[.]138.17.152
119[.]18.230.253
97[.]90.44.200
217[.]117.4.110
21[.]252.107.198
81[.]94.192.10
26[.]165.218.44
117[.]239.241.2
14[.]140.116.172
113[.]114.117.122
70[.]224.36.194
81[.]94.192.147
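Published indicators like the ones above arrive defanged (`137[.]139.135.151`) so they cannot be clicked by accident, which means they have to be refanged before they are useful for matching. The script below is an added, defender-side example and is not part of CISA’s reports or this post: it refangs a handful of the addresses listed above, validates them, and scans a few firewall and proxy log lines for them. The log lines, hostnames and internal addresses in `SAMPLE_LOGS` are constructed for the demonstration and do not come from any real incident.

```python
import ipaddress
import re

# A subset of the IP indicators published with CISA's HIDDEN COBRA reports
# (taken from the list above), in the defanged form the report uses.
DEFANGED_IOCS = [
    "137[.]139.135.151",
    "128[.]200.115.228",
    "218[.]255.24.226",
    "84[.]49.242.125",
    "210[.]137.6.37",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (137[.]139.135.151, hxxp://...) back into a usable value."""
    value = indicator.strip()
    for token in ("[.]", "(.)", "{.}"):
        value = value.replace(token, ".")
    # hxxp:// and hxxps:// are the usual defanged URL schemes
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def load_ioc_set(indicators) -> set:
    """Refang and validate each indicator; return a set of canonical IPv4 address strings."""
    ips = set()
    for raw in indicators:
        candidate = refang(raw)
        try:
            ips.add(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            # Skip malformed entries instead of letting one bad line break the whole feed
            continue
    return ips


# Dotted-quad extractor; membership in the IoC set does the real validation
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_ioc_hits(log_lines, ioc_ips) -> list:
    """Return (line_number, ip, line) for every log line that contains an IoC address."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                hits.append((number, ip, line))
    return hits


# Constructed sample firewall/proxy log lines (not real traffic) for the demonstration.
SAMPLE_LOGS = [
    "2020-02-18T10:02:11Z fw01 ALLOW src=10.1.4.22 dst=128.200.115.228 dport=443 proto=tcp",
    "2020-02-18T10:02:15Z fw01 ALLOW src=10.1.4.22 dst=93.184.216.34 dport=443 proto=tcp",
    "2020-02-18T10:03:40Z proxy01 GET http://210.137.6.37/update.bin user=jdoe status=200",
    "2020-02-18T10:04:02Z fw01 DENY src=218.255.24.226 dst=10.1.4.100 dport=3389 proto=tcp",
]


if __name__ == "__main__":
    iocs = load_ioc_set(DEFANGED_IOCS)
    for number, ip, line in find_ioc_hits(SAMPLE_LOGS, iocs):
        print(f"line {number}: matched IoC {ip}: {line}")
```

In practice the indicator list would be the full set from the CISA report rather than a hand-typed subset, and the hits would be raised as alerts or fed into a SIEM lookup instead of printed; the value of the example is the refang-then-validate step, which stops a stray bracket or typo in the feed from silently producing zero matches.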

Dark Web talk

By listening to the underground channels that threat actors operate in, Perch is able to pick up valuable intelligence that helps us protect our customers from evolving threats.

Unknown (UNKN), the operator of Sodinokibi (REvil) ransomware, was recently searching for partners to write reflective PE injection for their DLL file, a morpher written in C, and another morpher and obfuscator written in Python and executable in PowerShell. In a follow-up post, UNKN stated that they had found a partner to fill these requests. Keep an eye out: these techniques are expected to be incorporated into Sodinokibi (REvil) ransomware in the near future.

Threat actor “MrShdw” is auctioning access to a U.S.-based payroll company, including access to 2.2M+ email addresses, passwords, and social security numbers. MrShdw claims the buyer will be able to access the company website as an administrator and download employee W-2s. The bidding starts at $50K, or access can be purchased directly for $100K.

Threat actor “network” is selling access to the network of an unspecified U.S. hospital for $5K. The threat actor stated that the hospital made $311M in annual revenue and has 6,000 PCs. It is common for threat actors to specialize in selling access to companies they’ve infiltrated. If this access were leveraged to install ransomware on the hospital, you could expect to see a ransom of more than $1.2M.

Paul Scott
