Ransomware: Hackers Took Just Three Days To Find This Fake Industrial Network And Fill It With Malware
Industrial control networks are coming under attack from a range of ransomware attacks, security researchers have warned, after an experiment revealed the speed at which hackers are uncovering vulnerabilities in critical infrastructure.
Security company Cybereason built a 'honeypot' designed to look like an electricity company with operations across Europe and North America. The network was made to look authentic to entice potential attackers by including IT and operational technology environments, as well as human-machine interface systems.
All the infrastructure was built with common security issues found in critical infrastructure, including internet-facing remote desktop ports and medium-complexity passwords, along with some customary security controls such as network segmentation.
The honeypot went live earlier this year, and it was only three days until attackers discovered the network and were finding ways to compromise it – including a ransomware campaign which infiltrated chunks of the network, as well as grabbing login credentials.
"Very early after launching the honeypot, the ransomware capability was placed on every compromised machine," Israel Barak, chief information security officer at Cybereason told ZDNet.
Hackers put ransomware onto the network by exploiting remote administration tools to gain access, cracking the administrator password to log in and then remotely controlling the desktop.
From there, they created a backdoor into a compromised server and used additional PowerShell tools including Mimikatz, which enabled the attackers to steal login credentials, allowing lateral movement across the network – and the ability to compromise even more machines. The attackers performed scans to find as many endpoints as possible to gain access to, harvesting credentials as they went.
Ultimately, this means that as well as deploying ransomware, malicious hackers also have the capability to steal usernames and passwords, something they could exploit as extra leverage by threatening to reveal sensitive data if a ransom isn't paid.
"Only after the other stages of the attack were completed, the attack detonated the ransomware across all compromised endpoints simultaneously. This is a common trait to multi-stage ransomware campaigns, that is intended to amplify the impact of the attack on the victim," said Barak.
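The chain described above (an exposed remote desktop port, a guessed administrator password, then a sweep of internal endpoints before the ransomware is detonated everywhere at once) leaves a recognisable sequence in ordinary authentication and network logs. The script below is an added example of how a defender can correlate those two signals; it is not Cybereason's code and nothing in it comes from the honeypot itself. The log formats, hostnames, IP addresses, thresholds and function names are all constructed assumptions.

```python
"""Correlate a guessed remote-desktop login with a subsequent endpoint sweep.

Stage 1: many failed logins for one account from one source, then a success.
Stage 2: the host that was logged into contacts many distinct internal hosts
         in a short window (the scan that precedes lateral movement).
A host that shows both is the multi-stage pattern worth paging someone for.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the honeypot). Simplified remote-desktop
# authentication log: "timestamp src_ip target_host account result".
AUTH_LOG = """\
2020-04-01T02:10:01Z 203.0.113.7 jump01 administrator FAIL
2020-04-01T02:10:03Z 203.0.113.7 jump01 administrator FAIL
2020-04-01T02:10:04Z 203.0.113.7 jump01 administrator FAIL
2020-04-01T02:10:06Z 203.0.113.7 jump01 administrator FAIL
2020-04-01T02:10:09Z 203.0.113.7 jump01 administrator FAIL
2020-04-01T02:10:12Z 203.0.113.7 jump01 administrator SUCCESS
2020-04-01T02:15:00Z 198.51.100.4 jump01 operator FAIL
2020-04-01T02:16:30Z 198.51.100.4 jump01 operator SUCCESS
"""

# Constructed sample of an internal flow log: "timestamp src_host dst_host dst_port".
FLOW_LOG = """\
2020-04-01T02:20:00Z jump01 hmi-01 445
2020-04-01T02:20:01Z jump01 hmi-02 445
2020-04-01T02:20:01Z jump01 hist-01 445
2020-04-01T02:20:02Z jump01 eng-ws1 445
2020-04-01T02:20:02Z jump01 eng-ws2 445
2020-04-01T02:20:03Z jump01 plc-gw 445
2020-04-01T02:20:04Z jump01 dc01 445
2020-04-01T02:20:05Z jump01 file01 445
2020-04-01T02:20:05Z jump01 hmi-03 445
2020-04-01T02:20:06Z jump01 hmi-04 445
2020-04-01T02:20:07Z jump01 scada-01 445
2020-04-01T02:20:08Z jump01 scada-02 445
2020-04-01T03:00:00Z eng-ws1 hist-01 5432
"""

FAIL_THRESHOLD = 5                  # failures per (source, host, account) in the window
FAIL_WINDOW = timedelta(minutes=5)
SCAN_THRESHOLD = 10                 # distinct destinations per source host in the window
SCAN_WINDOW = timedelta(minutes=2)


def _ts(text):
    """Parse the constructed ISO-8601 UTC timestamp used in both sample logs."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_guessed_logins(log):
    """Return (src_ip, target_host, account) triples where at least FAIL_THRESHOLD
    failures inside FAIL_WINDOW are followed by a SUCCESS from the same source."""
    failures = defaultdict(list)    # key -> timestamps of recent failures
    hits = []
    for line in log.splitlines():
        stamp, src, target, account, result = line.split()
        when = _ts(stamp)
        key = (src, target, account)
        recent = [t for t in failures[key] if when - t <= FAIL_WINDOW]
        if result == "FAIL":
            recent.append(when)
        elif result == "SUCCESS" and len(recent) >= FAIL_THRESHOLD:
            hits.append(key)
            recent = []             # reset so one burst is reported once
        failures[key] = recent
    return hits


def find_scanners(log):
    """Return source hosts that touched at least SCAN_THRESHOLD distinct
    destinations inside SCAN_WINDOW (an endpoint sweep, not normal traffic)."""
    touched = defaultdict(list)     # src_host -> [(timestamp, dst_host)]
    scanners = set()
    for line in log.splitlines():
        stamp, src, dst, _port = line.split()
        when = _ts(stamp)
        touched[src] = [(t, d) for t, d in touched[src] if when - t <= SCAN_WINDOW]
        touched[src].append((when, dst))
        if len({d for _, d in touched[src]}) >= SCAN_THRESHOLD:
            scanners.add(src)
    return sorted(scanners)


def correlate(auth_log, flow_log):
    """Join the two stages: a guessed login on a host that then sweeps the
    network. Returns (target_host, account, src_ip) triples to alert on."""
    scanners = set(find_scanners(flow_log))
    return [(target, account, src)
            for src, target, account in find_guessed_logins(auth_log)
            if target in scanners]


if __name__ == "__main__":
    for host, account, src in correlate(AUTH_LOG, FLOW_LOG):
        print(f"ALERT: {account}@{host} guessed from {src}, host then swept the network")
```

Either stage on its own is noisy in a real environment (a locked-out user produces failures, a vulnerability scanner produces sweeps); the point of the join is that the same host appearing in both within a short time is rare for legitimate activity and matches the staged pattern the honeypot recorded. The operator account in the sample, with a single failure before success, is deliberately below the threshold and is not reported.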
Attackers from multiple different sources repeatedly found the honeypot, and many attempted ransomware attacks of their own, while other hackers were more interested in performing reconnaissance on the network – as was the case with a previous honeypot experiment.
While that might not sound as dangerous as ransomware, an attacker looking for ways to exploit the network of what they believed to be an electricity provider could have potentially dangerous consequences.
Nonetheless, it appears that ransomware has become one of the key methods by which attackers attempt to exploit infrastructure they can easily compromise, with what the report describes as a "constant barrage" of attacks on the sector – and something that's likely to become more intense.
Fortunately, the attackers targeting the honeypot couldn't do any real damage – but the experiment demonstrates how networks supporting critical infrastructure need to be resilient enough to fend off unwanted intrusions, by designing and operating networks with resiliency in mind – especially when it comes to segregating IT and operational technology networks.
Even relatively basic improvements, like ensuring networks are protected by complex passwords which are hard to guess, can help, while more involved security initiatives - like red team and blue team exercises - can help build up protection.