Thursday February 20th 2020
This week we’ve got a warning from CISA on threats to critical U.S. infrastructure, we’re going phishing in Puerto Rico, celebrating Valentine’s day with the FBI, and listening to chatter on the dark Web for upcoming threats. Let’s get this party started.
On February 18, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations across all U.S. critical infrastructure sectors about a recent ransomware attack that affected a natural gas compression facility. The attack initially used a spearphishing link to obtain access to the organization’s Information Technology (IT) network before pivoting to the Operational Technology (OT) network.
After infiltrating the network, the attackers deployed an unspecified ransomware payload to encrypt the IT and OT networks, which impacted the availability of human-machine interfaces (HMIs), polling servers, and data historians. CISA confirmed that the attack did not impact any Programmable Logic Controllers (PLCs) on the affected networks because the malware only infected Windows devices. The targeted organization was able to get replacement equipment following the ransomware attack and load configurations that made it easier to recover.
According to CISA there are 16 critical infrastructure sectors:
On February 13, 2020, Puerto Rico’s Industrial Development Company lost more than $2.6M after falling for an email phishing scam. According to the news, the government agency transferred the money on January 17, 2020 after receiving an email about a change to a banking account tied to remittance payments. Manuel Laboy, executive director of the agency, told The Associated Press that officials found out about the incident earlier this week and immediately reported it to the FBI.
According to the FBI IC3 annual reports, phishing attacks were a top crime complaint reported to the FBI in 2019. Users and organizations should check the URL of the website before clicking a link sent via email, be aware of suspicious attachments, disable macros, keep the computer systems up-to-date, and provide security awareness training especially for those that are likely to be targeted such as finance, HR, IT, and C-Suite.
According to the annual report, business email compromise (BEC), also known as email account compromise, has been a major concern for years. In 2019, IC3 recorded 23,775 complaints about BEC, which resulted in more than $1.7B in losses.
On Valentine’s day, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) gifted us new details on North Korean malware in the form of six new and updated Malware Analysis Reports (MARs) related to malicious cyber activity from North Korea. According to the Cyber National Mission Force (CNMF), the malware is being distributed via a North Korean phishing campaign. CISA attributed the malware to a North Korean state-sponsored threat group tracked as HIDDEN COBRA, also known as the Lazarus Group, North Korea’s largest and most active hacking division.
The following malware was identified:
The information contained in the most recent malware analysis reports provides detailed malware descriptions, suggested response actions, and recommended mitigation techniques to help organizations to detect and reduce exposure to HIDDEN COBRA malicious cyber activity.
Indicators of compromise were released with CISA’s report.
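CISA publishes its indicators in the defanged `[.]` notation, so the first thing a defender does with such a list is refang it and sweep it against logs. The following is an added example, not code from Perch or CISA; the indicator values and firewall log lines are constructed (RFC 5737 documentation addresses), not the ones from the report.

```python
import ipaddress
import re

# Constructed sample indicators in the defanged "[.]" notation CISA uses.
# These are RFC 5737 documentation addresses, NOT the IPs from the MARs.
DEFANGED_IOCS = """
192[.]0.2.10 198[.]51.100.7
203[.]0.113.42
"""

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOGS = [
    "2020-02-18T10:04:01Z fw01 action=allow src=10.0.0.5 dst=192.0.2.10 dport=443",
    "2020-02-18T10:04:09Z fw01 action=allow src=10.0.0.7 dst=93.184.216.34 dport=80",
    "2020-02-18T10:05:30Z fw01 action=deny src=203.0.113.42 dst=10.0.0.9 dport=3389",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(text: str) -> str:
    """Turn the '[.]' defanging back into a real dot."""
    return text.replace("[.]", ".")


def load_iocs(blob: str) -> set:
    """Parse whitespace-separated defanged IPs into a set of validated addresses.
    Malformed tokens are skipped so one typo in a feed does not abort the sweep."""
    iocs = set()
    for token in refang(blob).split():
        try:
            iocs.add(ipaddress.ip_address(token))
        except ValueError:
            continue
    return iocs


def scan_logs(lines, iocs):
    """Return (line, matched_ip) pairs for every log line touching an IoC.
    Every IP on the line is checked, so both outbound beacons and inbound hits count."""
    hits = []
    for line in lines:
        for candidate in IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
            if addr in iocs:
                hits.append((line, str(addr)))
                break
    return hits


if __name__ == "__main__":
    for line, ip in scan_logs(SAMPLE_LOGS, load_iocs(DEFANGED_IOCS)):
        print(f"IOC {ip} seen: {line}")
```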
By listening to the underground channels that threat actors operate in, Perch is able to pick up valuable intelligence that helps us protect our customers from evolving threats.
Unknown (UNKN), the operator of Sodinokibi (REvil) ransomware, was recently searching for partners to write reflective PE injection for their DLL file, a morpher written in C, and another morpher and obfuscator written in Python and executable in PowerShell. In a follow-up post, UNKN stated that they had found a partner to fill these requests. Keep an eye out: these techniques are expected to be incorporated into Sodinokibi (REvil) ransomware in the near future.
Threat actor “MrShdw” is auctioning access to a U.S.-based payroll company, including access to 2.2M+ email addresses, passwords, and social security numbers. MrShdw claims the buyer will be able to access the company website as an administrator and download employee W-2s. The bidding starts at $50K, or access can be purchased directly for $100K.
Threat actor “network” is selling access to the network of an unspecified U.S. hospital for $5K. The threat actor stated that the hospital made $311M in annual revenue and has 6,000 PCs. It is common for threat actors to specialize in selling access to companies they’ve infiltrated. If this access were leveraged to install ransomware on the hospital, you could expect to see a ransom of more than $1.2M.