Your Weekly ICS / OT Security News Digest – March 31st

Our research team has put together all of the most relevant news topics in the ICS, IT, Ransomware & OT security fields, as well as their impacts and their expert recommendations:

In this edition, it’s all about ransomware!

Ransomware

  1. Title: Lapsus$ Extortion Group – Samsung, Okta, Microsoft, & Vodafone Breaches

    Description: Over the past few weeks, Lapsus$ group breached a number of international companies, including NVIDIA and Samsung (see previous newsfeed article).
    An analysis of the leaked Samsung source code revealed that more than 6,600 secret keys, including private keys, usernames and passwords, AWS keys, Google keys, and GitHub keys, were leaked[1].
    Okta, an identity management and authentication services provider, was also affected by a cyberattack claimed by the group, which says it compromised a thin client, a system that connects remotely into a virtual environment to carry out tasks[2].
    The group successfully compromised Microsoft and released the source code of Microsoft’s Azure DevOps server for various internal projects, including for Bing, Cortana, and Bing Maps[3].
    Lapsus$ also claimed to have breached Vodafone, and threatened to leak the Vodafone source code. While this is still under investigation, the company claimed no customer data was stolen[4].
    Attack Parameters: Lapsus$ compromises systems to steal source code, customer lists, databases, and other valuable data, then attempts to extort the victim, demanding a ransom in exchange for not leaking the data publicly. The group primarily focuses on obtaining compromised credentials for initial access, using the following methods[5]:
    1. Deploying Redline password stealer to obtain passwords and session tokens.
    2. Buying credentials and session tokens on criminal underground forums.
    3. Paying employees at targeted organizations for access to credentials and MFA approval.
    4. Searching public code repositories for exposed credentials.

The group also uses RDP and VDI to remotely access a business’ environment.
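The Samsung analysis above found AWS, Google and GitHub keys, private keys and passwords in source code, and method 4 shows why that matters: exposed credentials in repositories are an initial-access path. As an added example (not code from the newsletter or from SCADAfence), the following Python scanner flags those credential types in source text; the sample file and the key values in it are constructed, and the regexes follow the publicly documented key formats (an assumption, not a complete ruleset).

```python
import re

# Patterns for the credential types named in the leak analysis.
# Assumption: these reflect the documented public formats of each key type.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # Group 1 captures the password value so only that part is reported.
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"),
}

# Constructed sample source file; none of these values are real secrets.
SAMPLE_SOURCE = """\
# constructed sample, not real secrets
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
region = "us-east-1"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
GOOGLE_KEY = "AIza0123456789abcdefghijklmnopqrstuvwxy"
db_password = "hunter2hunter2"
-----BEGIN RSA PRIVATE KEY-----
"""


def redact(secret):
    """Keep only a short prefix so the scan report does not itself leak the value."""
    return secret[:6] + "..." if len(secret) > 6 else "***"


def scan_text(text, source="<memory>"):
    """Return (source, line_number, kind, redacted_value) for every match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                # Use the capture group when the pattern defines one (password value).
                value = m.group(m.lastindex or 0)
                findings.append((source, lineno, kind, redact(value)))
    return findings


if __name__ == "__main__":
    for src, lineno, kind, value in scan_text(SAMPLE_SOURCE, "constructed.py"):
        print(f"{src}:{lineno}: {kind}: {value}")
```

Run against a repository before code is pushed (for example as a pre-commit hook) so a key is rotated before it reaches a public or leaked tree.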

Impact:

  1. Samsung – it is unclear whether the leaked keys compromise the TrustZone, which stores sensitive data and acts as a security barrier against Android malware.
  2. Okta – The company claimed that only 2.5% of the customers were impacted by this attack. Lapsus$ responded to Okta’s announcement and revealed that they did not compromise an Okta employee’s laptop but their thin client[6].
    This attack potentially enables an attacker to provision themselves administrator-level access to Okta customers’ applications[7].
  3. Microsoft – no customer data was compromised. Microsoft released a statement that viewing the source code does not lead to elevation of risk.

SCADAfence Coverage: RDP connections can be tracked, monitored, and alerted upon with the User Activity Analyzer.

Recommendations: The following are additional best-practice recommendations:

  1. Make sure that secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

  2. Title: Bridgestone America’s Ransomware Attack

    Description: Bridgestone America was hit by a ransomware attack that caused it to shut down its computer network and production at its factories in North and Central America for about a week. LockBit claimed this attack[8].

    Attack Parameters:
    1. Initial Access – LockBit operators often gain access via compromised servers, RDP accounts, or spam email, or by brute-forcing insecure RDP or VPN credentials.
    2. Execution – LockBit is executed via command line or created scheduled tasks.
    3. Credential Access – LockBit was observed using Mimikatz to gather credentials.
    4. Lateral Movement – LockBit can self-propagate using SMB. PsExec and Cobalt Strike were used to move laterally within the network[9].

Impact: Manufacturing and retreading facilities in Latin America and North America were disconnected to contain the attack and prevent potential impact. Bridgestone is a major supplier of tires for Toyota vehicles, and the incident was part of a supply chain attack on Toyota.

SCADAfence Coverage:

  1. The SCADAfence Platform detects command execution using CMD and the creation of scheduled tasks.
  2. The SCADAfence Platform also detects the use of Mimikatz, PsExec, and Cobalt Strike.
  3. RDP and SMB connections can be tracked with the User Activity Analyzer.

Recommendations: The following are additional best-practice recommendations:

  1. Make sure that secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

  3. Title: AvosLocker Ransomware is Targeting U.S. Critical Infrastructure

    Description: The FBI released an advisory which includes IOCs used to detect and block AvosLocker, a RaaS (Ransomware as a Service) affiliate-based group that has targeted multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facility sectors[10].
    Targets: The AvosLocker leak site claims to have hit victims in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China, and Taiwan.
    Attack Parameters: AvosLocker encrypts files and steals sensitive information to convince the victim to pay the ransom. The attackers may also launch DDoS attacks against the victim during negotiations[11].
    Impact: Unknown due to limited information published.

Recommendations: The FBI advised against paying a ransom, and encouraged businesses to report any ransomware attacks to help prevent future incidents. An advisory was published providing IOCs that can be used to detect and defend against this ransomware.
The following are additional best-practice recommendations:

  1. Make sure that secure offline backups of critical systems are available and up-to-date.
  2. Apply the latest security patches on the assets in the network.
  3. Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  4. Encrypt sensitive data when possible.
  5. Educate staff about the risks and methods of ransomware attacks and how to avoid infection.

Additional resources for the updates above:

[1] https://www.securityweek.com/thousands-secret-keys-found-leaked-samsung-source-code

[2] https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/, https://thehackernews.com/2022/03/lapsus-hackers-claim-to-have-breached.html

[3] https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/, https://www.bleepingcomputer.com/news/security/microsoft-investigating-claims-of-hacked-source-code-repositories/

[4] https://securityaffairs.co/wordpress/128903/cyber-crime/vodafone-investigates-data-breach.html

[5] https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html

[6] https://securityaffairs.co/wordpress/129422/data-breach/okta-says-375-customers-impacted-by-data-breach.html

[7] https://www.darkreading.com/attacks-breaches/ransomware-group-s-claim-that-it-hacked-okta-prompts-concerns-of-another-solarwinds

[8] https://threatpost.com/bridgestone-hit-as-ransomware-torches-toyota-supply-chain/178998/

[9] https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit#:~:text=LockBit%20first%20emerged%20as%20the,it%20for%20the%20long%20haul.

[10] https://www.bleepingcomputer.com/news/security/fbi-avoslocker-ransomware-targets-us-critical-infrastructure/

[11] https://www.securityweek.com/us-critical-infrastructure-targeted-avoslocker-ransomware
