
Ransom
> While so far there is no indication that Norsk Hydro has any plans to pay the ransom
Depends on how afjordable it is.
Norwegian power and metals giant Norsk Hydro is battling an extensive ransomware outbreak on its computers. The biz, one of the world’s biggest makers of aluminum with sites in 50 countries, said on Tuesday that file-scrambling malware had infected its IT systems in the US and Europe. This cyber-intrusion forced a shutdown of …
They cut costs in IT to save money? IT departments are always seen as unimportant for some reason. When nothing is happening they are accused of "Not being required. Everything runs fine and you never seem to be doing anything" or "we keep having outages since cutting your budget so we'll outsource you".
Anyone know of an example?
Will will know in the next TheRegister installment of "To Pay or not to pay -- Insurance escapes (again) paying out Cyber Insurance claim".
I would thnk so. Ransomware is a pretty well established risk. Before the insurance pays out you need to have taken all reasonsable steps to avoid the incidnt in the first place. If they'd done that then almost certainly they wouldn't have an incident in the first place.
Usual suspects -
No money for training of staff on phishing or spotting other malware
Basic AV only
Internal network flat because reconfiguration would cause downtime
Servers and desktops unpatched for the same reason
No internal IT staff other than screwdriver techs
Backups either unprotected so encrypted as well or non-functional because they've never been tested
If any of that is the case they'll get fuck all money. Still not to worry it's still IT's fault somehow.
"No money for training of staff on phishing or spotting other malware"
should that really be a factor?
we have 8000 totally I.T illterate doctors and nurses. busy ones.
There is no way in hell one of the 8000 isnt going to click on a dodgy email, no matter how much training you force feed them.
"Cyber insurance" sounds like premium quality snake oil. I assume that any payouts would be in some obscure and valueless blockchain currency?
(Also, a pet peeve of mine: "cyber"-anything really does not mean what most people think the word means. It's one of those annoying stupid phrases from around 1995 that should really have gone away to "surf the web" long long ago, with an anchor (boat, not HTML) chained to its ankle...)
“Phil Neray .. told The Register that it was inevitable hackers would look to get ransomware onto networks at manufacturing and power giants, given how valuable system uptime is in those environments”
Then why not connect your valuable system environments using VPNs runing on read-only embedded hardware. If you don't know how to do that then maybe you're not tempermentally suitable for a career in IT.
-------
19.01.2019
Cyber Attack Against the Hydro Network
Please do not connect any devices to the Hydro Network. Do not turn on any devices connected to the Hydro Network.
Please disconnect any device (Phone/Tablet etc.) from the Hydro Network.
Await new update.
- Security
"Then why not connect your valuable system environments using VPNs runing on read-only embedded hardware."
What?
Your embedded hardware will be logging data from the equipment, even if they're read only, they need to send information somewhere. And VPN's generally don't help as you will likely be in full control of your network - adding a VPN on top will just mean the virus/malware propagates via encrypted tunnels rather than directly over the wire within your buildings.
Traditionally, good practice has been to fully isolate SCADA-type systems from office LAN's as they tend to receive less frequent patching (i.e. once or twice a year managed by the vendor) and often won't have AV installed due to either vendor recommendations or conflicts with fragile applications. As management of those systems is centralised or outsourced, the desire for more connectivity makes them harder to protect.
Having said that, it sounds like the SCADA-type systems aren't affected but have been isolated as a precaution. Based on previous organisations experiences with ransomware, if you aren't patched against the vulnerability it uses to spread, your only hope is shutting down the network until you have a solid plan for containment and rebuilding. And that solid plan better include isolation of any networks that you're unsure of - something that is often easier said than done when management of the devices is off-site.
"Traditionally, good practice has been to fully isolate SCADA-type systems from office LAN's as they tend to receive less frequent patching (i.e. once or twice a year managed by the vendor) and often won't have AV installed due to either vendor recommendations or conflicts with fragile applications."
This may have been the case in the past but these days many departments within an organisation need access to data from the process control systems for their day-to-day duties. I work for a large automation supplier where the typical system architecture consists of various layers (Plant/Process Control/Operator HMI/Servers/DMZ/Business LAN) separated by firewalls. Most modern control systems (rightly or wrongly) are windows based these days so there is a server that regularly rolls out Hotfixes, Windows Updates, and Virus Definitions.
A few specific examples of how the control system data is used are: Maintenance can interrogate or even re-calibrate field instruments from a workstation in the maintenance shop; Accounts can review tank inventories in real time; Process Engineers can optimise plant performance by reviewing data from the history servers; Corporate can compare production rates in real time between different plants all over the world.
Isolating a SCADA or Process Control System might seem like a good idea but even an air-gapped system can be susceptible e.g. as in the Stuxnet virus that could be introduced via a USB thumb drive.
At least am air-gapped system only has an intermittent and narrow channel to the rest if it's managed properly. That should exclude plugging in USB drives that haven't been checked, let alone plugging in the thumb drive you found lying in the car park. It would help to use more than one operating system, even if it's just on one extra box that you use for relaying between the two worlds.
This may have been the case in the past but these days many departments within an organisation need access to data from the process control systems for their day-to-day duties.
Eee, it meks y' wunder 'ow we did it before we filled t' place wi' computers, dunnit?
Totally agree but that's the connected world we now live in.
You could air-gap your home PC to protect yourself from online threats but that kind of makes surfing the web a little difficult.
Responsible home users can keep their software and AV up to date.
Because of the greater attack surface, responsible businesses have to take this to a whole new level https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
We aren't talking about home users or desktops, we are talking about control servers for vital national infrastructure.
I see no problem with airgapping such equipment, enabling one-way push to VERY locked down reporting servers for the shiny-brigade and requiring someone be on site to push in the moderator rods with their own fair hands (suitably gloved).
>How much do you want to bet they were using Windows 7 / 10 on Intel systems?
Instead of Norsk Data
Actually they might be, we had real time control systems in the late 90s running on Norsk data mini computers - with no plans to replace them.
Ever since Shodan came along, we will be seeing more of this in industrial settings. The big issue is the industrial controls that control material handling, processing, and manufacturing. These systems/networks MUST be air gapped (although that is not full proof as we have seen with the Stuxnet worm) to increase the difficulty level of performing a breach to very difficult to impossible for hackers, crackers, and state sponsored actors. Additionally, epoxy the USB ports and disconnect the optical drives so that nobody can slip something onto the network (not fool proof, but it does help).
Air gaped networks force an intruder to perform a up-front intrusion (they have to be on site). Physical security is another matter though.
They MUST be air-gapped - however the execs often demand network connection as when things are going well they can make a bit more profit by having faster response to changes - then they lose all that profit (and more) when things like this happen.
Having the control networks connected to the internet is like making more profit on ships by not having enough lifeboats (as on the Titanic).
"Having the control networks connected to the internet is like making more profit on ships by not having enough lifeboats (as on the Titanic)."
although correct thats the weakest analogy i've ever heard, the only thing the 2 have in common is "its a bad idea"
I'd have gone with:
"Having the control networks connected to the internet is like leaving your car permanently unlocked so your friends and family can easily access it."
And, with a truckload of luck, some other heavy-industry companies will take this as a heads-up and start moving their ass on the subject as well.
Yeah, it's gonna cost money. The only question is, are you going to pay that money before the enforced shutdown and cleanup, or after ?
I mean seriously, to be hit with Ransomware and to have that an effect on your production systems you must have been violating "best practices" a _LOT_.
It's not like such a thing or the cheap mitigations against it are new. Simply splitting your network and limiting what your clients have access to can bring a lot of additional security while only costing a few Euros per department.
If I was in the IT department of that company, I'd quickly try my best to fake notes I sent upstream to warn about this.
I cant see any indication that this was a wormable version of ransomware, so if they have had 000s of devices infected (rather than just the fileshares between the devices encrypted) then it implies they've been hit by a massive phishing campaign, failed to filter their email and been hammered for it.
Realistically, if they'd met the almost joke-like standards of Cyber Essentials, they'd probably have been ok.
LockerGoga is not a worm.
Norsk was hit by someone sh1t bombing their systems with it - possibly using AD logon scripts and/or their own patching system.
Unlikely to be mass emailing, but they were targeted by someone...
So its either an inside job or network penetration - both possible!
As part of the company’s digitalization strategy, security is a major focus for Hydro. In order to minimize risks to Hydro’s data and infrastructure, the Fujitsu Computer Security Incident Response Team (CSIRT) will provide global monitoring and response services to identify and stop security incidents around the clock. The services delivered by Fujitsu will include Security Information and Event Management (SIEM), vulnerability scanning, threat intelligence, and incident management.
http://www.fujitsu.com/fts/about/resources/news/press-releases/2017/emeai-20170120-fujitsu-to-provide-security-solutions-to.html
In brief Google on Friday pledged to update its location history system so that visits to medical clinics and similarly sensitive places are automatically deleted.
In this post-Roe era of America, there is concern that cops and other law enforcement will demand the web giant hand over information about its users if they are suspected of breaking the law by seeking an abortion.
Google keeps a log of its users whereabouts, via its Location History functionality, and provides some controls to delete all or part of those records, or switch it off. Now, seemingly in response to the above concerns and a certain US Supreme Court decision, we're told Google's going to auto-delete some entries.
If claims hold true, AMD has been targeted by the extortion group RansomHouse, which says it is sitting on a trove of data stolen from the processor designer following an alleged security breach earlier this year.
RansomHouse says it obtained the files from an intrusion into AMD's network on January 5, 2022, and that this isn't material from a previous leak of its intellectual property.
This relatively new crew also says it doesn't breach the security of systems itself, nor develop or use ransomware. Instead, it acts as a "mediator" between attackers and victims to ensure payment is made for purloined data.
Microsoft is extending the Defender brand with a version aimed at families and individuals.
"Defender" has been the company's name of choice for its anti-malware platform for years. Microsoft Defender for individuals, available for Microsoft 365 Personal and Family subscribers, is a cross-platform application, encompassing macOS, iOS, and Android devices and extending "the protection already built into Windows Security beyond your PC."
The system comprises a dashboard showing the status of linked devices as well as alerts and suggestions.
The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.
Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.
The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.
Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.
The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.
"While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.
Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.
Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.
The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil.
Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.
The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.
This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.
The Gallium group, believed to be a Chinese state-sponsored team, is going on the warpath with an upgraded remote access trojan (RAT) that threat hunters say is difficult to detect.
The deployment of this "PingPull" RAT comes as the gang is broadening the types of organizations in its sights from telecommunications companies to financial services firms and government entities across Asia, Southeast Asia, Europe and Africa, according to researchers with Palo Alto Networks' Unit 42 threat intelligence group.
The backdoor, once in a compromised system, comes in three variants, each of which can communicate with the command-and-control (C2) system in one of three protocols: ICMP, HTTPS and raw TCP. All three PingPull variants have the same functionality, but each creates a custom string of code that it sends to the C2 server, which will use the unique string to identify the compromised system.
While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.
Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.
In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.
The botnet malware EnemyBot has added exploits to its arsenal, allowing it to infect and spread from enterprise-grade gear.
What's worse, EnemyBot's core source code, minus its exploits, can be found on GitHub, so any miscreant can use the malware to start crafting their own outbreaks of this software nasty.
The group behind EnemyBot is Keksec, a collection of experienced developers, also known as Nero and Freakout, that have been around since 2016 and have launched a number of Linux- and Windows-based bots capable of launching distributed denial-of-service (DDoS) attacks and possibly mining cryptocurrency. Securonix first wrote about EnemyBot in March.
Biting the hand that feeds IT © 1998–2022