118. Don’t Let Ransomware You Down
Here are a few highlights from each article we discussed:
- On April 13, The Department of Energy, the Cybersecurity and Infrastructure Agency, the NSA, and the FBI jointly released an advisory about a new hacker toolset potentially capable of meddling with a wide range of industrial control equipment
- There have been reports of Industrial Control System (ICS) malware for years, but this one is sophisticated enough that it warrants some immediate attention
- Dragos is saying, “this is the most expansive industrial control system attack tool that anyone has ever documented.”
- The malware is described as a “Swiss Army Knife” of malware, which is something we have not yet encountered before that we’re aware of
- The advisory identifies multiple pieces of hardware and software, from two significant ICS vendors—Schneider Electric and OMRON—that are targeted by this malware toolkit they’re calling Pipedream
- If you look at what the capabilities are against a framework like ATT&CK for ICS, it’s kind of a scattershot across the whole board
- There are pieces designed for initial access all the way to action on objectives, and most of the stages in between, represented with various components or capabilities
- Having all of these in one package says a couple of things; first, that it expedites the process of compromising the victim, and second, that whoever’s behind this has done a lot of homework
- CISA refers to this group or person as an unnamed “APT actor”
- So we don’t know who exactly is behind this yet, but it’s well-crafted enough that it is highly probable that it’s a state-sponsored actor group, not some privateers (that could turn out to be wrong, but we’d be surprised)
- We can further surmise that this isn’t the US pointing the finger at itself or its allies
- That leaves the usual suspects, Russia, China, Iran, North Korea. It’s likely to be one of those four, but so far we’re not hearing anyone say which
- Is there some circumstantial evidence that sort of suggests it might be Russia? Sure, you can plausibly say that, because we know that as things heated up leading up to the invasion of Ukraine, there was a lot of US intel that a) was accurate and b) was made public, about the impending actions
- You could armchair-speculate that it’s the Russians. But any of those four states that we mentioned could potentially (at least as far as we know) have this capability
- This malware toolkit’s name, Pipedream, seems to be named as such because, at least at the time of this podcast recording, no actual malware has yet been deployed
- We don’t know how it was discovered, and we probably won’t know that for a while, because whatever operations are responsible for the discovery are probably still ongoing
- The name choice could be interpreted a few different ways
- Is it because there’s something about potential victimology—like pipeline operations—that was discovered with the malware?
- There’s no way to know for sure yet, but Dragos is in fact speculating that it may well be targeting the power grid, and possibly even more specifically LNG or liquefied natural gas facilities
- LNG is a major backbone of electricity production in North America. And the Schneider Electric and OMRON equipment that I mentioned earlier is used heavily in that sector
- Some of the mitigations the advisory has suggested come down to best practices – they’ll sound familiar here (and these bullets have been summarized because a more detailed list was provided in the advisory)
- Practice least privilege and strong segmentation of OT and IT networks (not just OT-from-IT but within each of those domains as well)
- Use strong passwords on devices and engineering workstations, and have a password rotation policy
- Have as good visibility into assets as possible; have a strong IR plan and recovery procedures
- The Department of Justice (DOJ) announced the seizure of the RaidForums website on April 12, 2022
- RaidForums, for those who are unfamiliar, was a popular website marketplace founded in 2015 for cybercriminals to buy and sell hacked data
- Additionally, RaidForums supported electronic harassment including “raiding” and “swatting” which was dangerous and resulted in loss of life in certain instances
- Raiding – posting or sending an overwhelming volume of contact to a victim’s online communications medium
- Swatting – the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response
- The website operated with membership tiers
- Users could purchase credits to gain access to privileges areas
- This began at low levels and the more credits a user purchased, more access or privilege was unlocked (for example, having the ability to post your own how-to information on how to hack things)
- The effort to bring charges against those affiliated with this website was multi-national
- Included the US FBI and Secret Service, Joint Cybercrime Action Taskforce (Europol), National Crime Agency (UK), Swedish Police Authority (Sweden), Romanian National Police (Romania), Judicial Police (Portugal), Internal Revenue Service Criminal Investigation, Federal Criminal Police Office (Germany) and other law enforcement partners.
- At this point in time, these are still just allegations and no one has yet been arrested.
- However, because of the cooperation between so many different agencies, there is likely a solid case built that will result in some sort of plea bargain or prosecution
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.
You’ll have to tune in to find out!
This Week’s Hoodie/Goodie Scale
Pipe Dream On!
[Taylor]: 8.5/10 Hoodies
[Tim]: 9/10 Hoodies
Seize the Domain
[Taylor]: 5/10 Goodies
[Tim]: 5/10 Goodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!