Sectrio

Author name: Abhay Kottur

OT Attack Path Analysis: A Comprehensive Guide

The convergence of information technology (IT) and operational technology (OT) networks exposed OT networks to threats that had previously been confined to IT, and that exposure is what gave rise to OT cybersecurity as a discipline. OT is the hardware and software that monitors and controls physical processes in critical infrastructure sectors such as power, energy, water treatment and manufacturing. A security compromise in these sectors can have cascading physical effects. To protect industrial operations from cyberattacks, organizations use a range of methods, attack path analysis being one of them.

What is attack path analysis?

Attack path analysis is a graphical representation of the routes an attacker could take through your environment to reach crucial data or assets. It forces the organization to reason the way an adversary does: by simulating the sequence of steps an attacker would chain together, the organization can see where a mitigation would break the chain. With attack path analysis, organizations can prioritize threats and take remediation measures accordingly.

The need for attack path analysis

One industry report estimates that a typical organization carries around 11,000 exploitable security exposures in any given month. The need for attack path analysis can hardly be overstated. The following points highlight it further:

Increased spectrum of threats

The variety of threats keeps growing, and new ones emerge every day. Each is driven by a financial, political or other motive, and attackers work toward disrupting OT systems to achieve it. Because OT systems manage critical infrastructure, they are attractive targets. This makes it necessary to keep the OT environment on alert with an analysis of the paths an attacker is likely to take.

The complexity of the OT environment

OT environments are complex and depend on many different devices, systems and networks. With such high interdependency, an attack on one component can have devastating effects across the whole environment.
With the help of attack path analysis, you can understand how attacks could surface and how to tackle them. Some findings may appear unrelated, but correlating them along a path can yield insights that save the organization significant money.

Compromise due to insider attacks

OT environments are heavily exposed to insider attacks, because the people with access have the technical knowledge and operational expertise needed to misuse it. Attack path analysis keeps this in check: exploring how an insider could use legitimate access to traverse and exploit systems locates such paths well before they are used, and spares the organization attacks that could otherwise be severe.

Regulatory requirements

Attack path analysis is also needed as part of compliance with regulatory requirements. Industries that operate OT systems are subject to mandatory security requirements, and these demand evidence that the organization's attack exposure is understood and managed.

Keep business operations on track

A successful cyberattack that disrupts business continuity can cause total mayhem, potentially costing millions of dollars and damaging the business's reputation. With attack path analysis, companies stay on the lookout for attacks, which helps reduce downtime, and an organization that is proactive and prepared with a security assessment recovers faster.

Assess the priority of exposure

In many organizations, security issues that require attention are overlooked because there are too many assets on the network and identifying the risks that matter becomes difficult. Attack path analysis addresses this: it ranks exposures by how readily they lead to a critical asset, so that protection can be in place before an attack surfaces.
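To make the "priority of exposure" idea concrete, here is an added example (not part of the original article and not Sectrio tooling) that models a small, constructed OT network as a directed graph, enumerates every simple path from an attacker's entry point to the critical controllers, and ranks each weakness by how many paths it carries. The node names, weaknesses and topology are hypothetical.

```python
"""Attack-path enumeration over a small OT network model.

Added example; the topology below is constructed for illustration and the
node and weakness names are hypothetical, not from any real assessment.
"""
from collections import Counter
from itertools import chain

# Directed graph: holding `node` lets an attacker reach `neighbour` by
# exploiting `weakness`.  Each entry is (neighbour, weakness).
OT_GRAPH = {
    "internet":        [("it_workstation", "phishing")],
    "it_workstation":  [("jump_host", "reused domain credentials"),
                        ("historian", "IT-to-OT firewall permits SMB")],
    "historian":       [("eng_workstation", "shared local admin password")],
    "jump_host":       [("eng_workstation", "RDP without MFA")],
    "eng_workstation": [("plc_01", "unauthenticated Modbus/TCP write"),
                        ("plc_02", "unauthenticated S7comm write")],
    "plc_01": [],
    "plc_02": [],
}
CRITICAL_ASSETS = {"plc_01", "plc_02"}


def enumerate_paths(graph, start, targets):
    """Return every simple path from `start` to any node in `targets`.

    A path is a list of (src, dst, weakness) edges in traversal order.
    """
    paths = []

    def dfs(node, visited, steps):
        if node in targets:
            paths.append(list(steps))
            return
        for nxt, weakness in graph.get(node, []):
            if nxt in visited:          # simple paths only: never revisit a node
                continue
            steps.append((node, nxt, weakness))
            dfs(nxt, visited | {nxt}, steps)
            steps.pop()

    dfs(start, {start}, [])
    return paths


def rank_weaknesses(paths):
    """Edges ordered by how many attack paths they appear in.

    The top entry is the choke point: fixing it breaks the most paths.
    """
    return Counter(chain.from_iterable(paths)).most_common()


def remove_edge(graph, edge):
    """Copy of `graph` with one (src, dst, weakness) edge removed, i.e. the
    model after that weakness has been remediated."""
    src, dst, weakness = edge
    return {n: [e for e in edges if not (n == src and e == (dst, weakness))]
            for n, edges in graph.items()}


def remaining_paths_after_fix(graph, edge, start, targets):
    """How many attack paths survive if `edge` is remediated."""
    return len(enumerate_paths(remove_edge(graph, edge), start, targets))


if __name__ == "__main__":
    paths = enumerate_paths(OT_GRAPH, "internet", CRITICAL_ASSETS)
    print(f"{len(paths)} attack paths from internet to {sorted(CRITICAL_ASSETS)}")
    for p in paths:
        print("  " + " -> ".join([p[0][0]] + [dst for _, dst, _ in p]))
    print("\nWeaknesses by number of paths carried:")
    for edge, n in rank_weaknesses(paths):
        left = remaining_paths_after_fix(OT_GRAPH, edge, "internet", CRITICAL_ASSETS)
        src, dst, weakness = edge
        print(f"  {n} paths  {src} -> {dst}: {weakness}  (fixing it leaves {left})")
```

In this model the phishing edge carries all four paths, so enforcing phishing-resistant MFA at the IT boundary removes every path, while fixing "RDP without MFA" on the jump host alone leaves two paths through the historian. That is the ranking the text describes: remediation ordered by how many attack chains a single fix breaks, not by the severity of the individual finding.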
Visualize the way a hacker could think

Seeing attack paths as a hacker would gives full visibility of the risks involved. It helps visualize potential attack chains so that it is easy to understand which assets could be targeted. Factors such as host reachability, misconfigurations and vulnerabilities are all risk factors that can be correlated to fix the security issues that matter.

Steps to perform OT attack path analysis

For an effective attack path analysis, follow the steps below:

1. Define the scope

Lay down the scope and goals of your analysis in clear terms. Which OT systems and assets do you want to analyze? What is the purpose of the analysis? Answer these questions before you start, and list the vulnerabilities and attack vectors you wish to uncover. A clear definition gives the activity direction.

2. Identify the critical systems

Several critical assets and systems in the OT environment are exposed to threats. Identify them so that the priority of threats can be ascertained. Threats are then addressed in order of criticality, so that the most crucial ones are dealt with first and serious threats are identified and thwarted early.

3. Map the flow of data

Data moves through multiple points, some of which may be weak. Mapping data flows helps locate those weak points so that they can be addressed, and understanding how data flows shows the paths an attacker could emerge from.

4. Identify threats and vulnerabilities

Conduct a vulnerability assessment and threat analysis specific to the OT environment. This identifies the weaknesses present and the impact each could have.
Timely assessment is an important step, as it prevents attacks from happening and thereby maintains business continuity.

5. Assess the attack vectors

An attack vector is the pathway by which an attacker enters the OT environment: credential theft, malware, social engineering, insufficient protection, and so on. Analyzing the attack vectors helps identify ways to close them. For example, the data and network access of every employee should be assessed to limit insider attacks.

6. Identify the attack scenario

Define the mode of operation the attacker might adopt. All paths that



Deconstructing the CL0P RaaS group and understanding the MOVEit breach in 2023

The large-scale incorporation of connected OT/SCADA systems is a growing trend, but are you aware of the increasing presence of sophisticated threat actors and rapidly emerging ransomware variants? The question you should ask yourself and your peers is: "Are my OT/SCADA systems secure against next-generation cyber threats?" In this blog, we discuss instances where CL0P ransomware has been identified in OT/SCADA environments.

OT/SCADA systems control physical devices and processes, such as water treatment plants, power grids and manufacturing plants. They are often susceptible to attack because of how they are set up and the pre-existing vulnerabilities they carry, and they are frequently targeted because of the lax security protecting them. While the scale of attacks on such systems is analyzed further in our global threat landscape report 2023, it is just as important to understand the motives of the actors behind them.

Through Sectrio's ongoing research, CL0P is one ransomware family that has appeared on our radar repeatedly. Its usual methods include infiltration via phishing emails, malicious attachments and exploit kits. The RaaS group operates methodically, beginning with careful research into the victim's operations and how they can be exploited.

Recommended Reading: How to get started with OT security

CL0P follows this with social engineering and spear-phishing to penetrate the victim's network and deploy its exploits and ransomware. After successful deployment, CL0P publishes a portal on the dark web where the victim is first asked to verify three files to confirm the compromise, and is then asked to pay the ransom. The whole ordeal lasts between 3 and 7 days. The victim suffers operational halts, reputational damage, loss of intellectual property and financial losses.
This report is a comprehensive analysis of CL0P ransomware, including attack techniques, verticals targeted, countries targeted and attack scenarios on OT-specific verticals.

Who is CL0P?

CL0P is a notorious ransomware-as-a-service (RaaS) operation run by a Russian-speaking group. It was first seen in February 2019 as a new variant of the CryptoMix family, delivered as the payload of a phishing campaign associated with the financially motivated actor TA505. In the MOVEit Transfer campaign, CL0P exploited a zero-day SQL injection vulnerability in the web application to reach its database servers, which allowed the attackers to access and download the data stored there. The ransomware has also been distributed as a validly digitally signed binary, making it look like a legitimate executable that could evade security detection.

CL0P ransomware

CL0P is one of the biggest malware threats in cyberspace today. In one case the attackers demanded more than $20 million from a victim to restore services. Targeting SCADA systems with CL0P presents a grave risk to vital infrastructure: operational breakdowns, substantial financial damage and even danger to human safety. By exploiting vulnerabilities in SCADA systems, attackers can infiltrate and encrypt crucial control files, halting industrial operations or even causing the release of dangerous materials.

In late May and early June 2023, the CL0P group exploited a then-zero-day vulnerability in Progress Software's MOVEit Transfer tool; Progress disclosed the vulnerability on May 31, 2023. Earlier in 2023, CL0P had used a similar vulnerability in Fortra's GoAnywhere managed file transfer product to steal data from more than 130 companies, governments and organizations. The MOVEit Transfer attack is believed to have affected hundreds of organizations worldwide.
CL0P dark web page

On its dark web page the group posts notes, news, information about published data and the steps for contacting it. Victim organization names and the data published from each victim are uploaded there as well.

CL0P email IDs for communication

The group has been known to use the email address UNLOCK@RSV-BOX.COM; this was later changed to UNLOCK@SUP-BOX.COM. We believe the change was triggered by technical problems with the earlier address.

Timelines of CL0P ransomware and MOVEit

The CL0P gang was relatively quiet from November 2022 to February 2023 compared with March and April 2023, as anticipated in Sectrio's Global Threat Landscape Analysis and Assessment Report; NCC Group likewise reported that CL0P went from one of the least active threat groups in March to the fourth most active in April. This sharp increase in activity is a cause for concern, as it suggests the gang is becoming more active and more successful in its attacks. Businesses and organizations should be aware of the CL0P threat and take steps to protect themselves.

Affected countries by CL0P ransomware (figure)

Tools, malware and vulnerabilities used by CL0P

Malware: FlawedAmmyy, SDBot, Get2 loader
Tools: Cobalt Strike, TinyMet

Vulnerabilities exploited by CL0P

The exploits used are built on the following vulnerabilities:

CVE ID            Vulnerability type                       CVSS score and severity
CVE-2023-34362    SQL injection                            9.8 Critical
CVE-2023-35036    SQL injection                            9.1 Critical
CVE-2023-0669     Pre-authentication command injection     7.2 High
CVE-2021-27101    SQL injection                            9.8 Critical
CVE-2021-27102    OS command execution                     7.8 High
CVE-2021-27103    SSRF via a crafted POST request          9.8 Critical
CVE-2021-27104    OS command execution                     9.8 Critical
CVE-2021-35211    Remote code execution (RCE)              10.0 Critical

Analysis of CL0P ransomware

TA505 uses phishing emails to deliver malware to its victims. The malware typically arrives as a macro-enabled document that, when opened, drops a loader named Get2. Get2 then downloads other TA505 tools such as SDBot, FlawedAmmyy or FlawedGrace. Once TA505 has a foothold on a victim system, it performs reconnaissance, lateral movement and exfiltration, gathering information about the victim's network and systems and moving to other systems within the network. The final step is deploying the ransomware, encrypting the victim's files and demanding a ransom payment. Sometimes, SDBot has been


A Complete Guide to OT/ICS Vulnerability Management in 2023


Are your operational technologies truly secure?

In today's interconnected landscape, where operational technology (OT) is the lifeblood of industry, the security of these systems matters more than ever. Imagine an organization whose critical infrastructure is shielded from online threats, whose information stays confidential and whose production processes keep their integrity. That is within reach, and the path to it is competent vulnerability management.

Welcome to the ultimate guide to OT vulnerability management in 2023. In it we demystify vulnerability management programs and tools, so that you can navigate an ever-changing threat environment with confidence. We go into detail rather than staying on the surface: from fundamentals to tooling, we have you covered. We understand the balance you have to strike, keeping systems up while staying resistant to cyber threats, and we offer actionable insights that strengthen your defenses without sacrificing productivity.

Did you know? Gartner has predicted that enterprises using risk-based vulnerability management will suffer 80% fewer breaches.

What is vulnerability management?

Vulnerability management in the context of OT is a proactive strategy to safeguard industrial systems from cyber threats. It systematically identifies, assesses and mitigates vulnerabilities that could compromise the integrity, availability or confidentiality of critical assets. A robust program tailored to OT environments establishes a structured framework for continuously monitoring and addressing vulnerabilities.
Vulnerability Management as a Service (VMaaS) takes this further by offering expert assistance and tooling, often including solutions specialized for OT settings. The service model streamlines vulnerability discovery, risk assessment and remediation, and gives businesses a comprehensive shield against evolving threats. One OT-specific caveat applies: the active vulnerability scanning that is routine in IT can disrupt or crash fragile controllers, so OT programs lean on passive traffic analysis and asset inventories, and reserve active scanning for test systems or maintenance windows.

In essence, vulnerability management in OT combines strategic planning, regular assessment and timely mitigation to find and fix vulnerabilities before they can be exploited, keeping critical industrial systems resilient and secure in the face of ever-changing cyber challenges.

Why is vulnerability management important for organizations?

In the constantly changing world of cybersecurity, and especially in operational technology, staying one step ahead of potential dangers is more crucial than ever. The widespread adoption of digital technology has carried OT into the future and helped firms reach new levels of productivity and innovation, but the same shift casts a shadow: threat actors constantly search these complex systems for gaps to attack. What matters is not whether your organization is immune to cyberattacks but how ready it is to deal with them.

So, are you ready to elevate your OT security? Let's begin. Here is why effective vulnerability management is non-negotiable in OT:

Preserving operational continuity

Disruptions can have catastrophic consequences in OT environments. Vulnerabilities in industrial control systems (ICS) or SCADA systems can not only halt operations but also compromise safety. A robust vulnerability management strategy keeps operational processes running without compromising the integrity of the systems.

Mitigating cyber risks

Malicious actors constantly seek vulnerabilities to exploit.
For OT, this can mean unauthorized access to critical systems or even manipulation of physical processes, leading to financial losses and reputational damage. Effective vulnerability management is a proactive shield against these threats and reduces the organization's risk exposure.

Compliance and regulations

Many industries in the OT sector are subject to stringent regulations and compliance standards, and adhering to them requires a comprehensive vulnerability management approach. Failing to do so invites legal consequences and also leaves the organization exposed to cyber incidents. Some notable standards that govern OT security:

ISA/IEC 62443 (International Society of Automation / International Electrotechnical Commission)

This multi-part standard series sets out cybersecurity requirements for industrial automation and control systems, covering everything from network design and zone-and-conduit segmentation to system lifecycle management. Its global recognition underscores its significance in safeguarding industrial processes against cyber threats.

Download Checklist: The IEC 62443 Checklist

NCA OTCC-1:2022 (National Cybersecurity Authority, Saudi Arabia)

The Saudi regulator's Operational Technology Cybersecurity Controls focus on securing industrial systems against cyber risk. The controls cover risk management, security architecture, incident response and more, giving organizations a structured approach to OT security.

Read about: Operational Technology Cybersecurity Controls by NCA

NIST SP 800-82 Rev. 3 (National Institute of Standards and Technology)

Tailored specifically to OT and industrial control systems, NIST SP 800-82 Rev. 3 offers guidance on protecting these critical assets, including security assessment, access control and anomaly detection, and is a key reference for OT security practitioners.

NIST SP 800-53 Rev. 5
While not exclusively focused on OT, this NIST publication provides a comprehensive catalog of security and privacy controls for information systems and organizations. It is also relevant to OT security and offers a solid foundation for implementing security measures.

NERC CIP

Enforced within the North American electricity industry, the NERC CIP standards protect the reliability and security of the bulk electric system. They span requirements from physical security to cybersecurity to mitigate the risks associated with power generation and transmission.

EU NIS 2 Directive (Network and Information Security Directive)

Building on its predecessor, NIS 2 aims to raise the cybersecurity posture of essential and important entities across the European Union, including operators of critical infrastructure that run OT systems. The directive emphasizes incident reporting, risk management measures and cross-border cooperation.

Protecting valuable assets

OT systems manage valuable physical assets, from energy production to manufacturing equipment. A breach could disrupt these operations and cause permanent damage; vulnerability management safeguards these high-value assets against exploitation.

Securing supply chains

In interconnected industries, a vulnerability in one part of the supply chain can cascade through partners and suppliers, leading to widespread exposure. A thorough vulnerability management program keeps the whole ecosystem resilient.

Building stakeholder trust

In an era where cybersecurity incidents dominate headlines, organizations that demonstrate a proactive



A Complete Guide to ICS Security Assessment

Did you know that the average cost of a data breach worldwide was $4.35 million in 2022, with phishing among the most common and the most costly initial attack vectors? Ransom demands, locking of critical data files and theft of sensitive data are common forms of attack. Many industries bear the brunt in the form of high data recovery costs, lost reputation, damaged business relationships and legal complications. All of this highlights the need for cybersecurity assessment and analysis to provide an effective defense against threats.

What is ICS security assessment?

An Industrial Control Systems (ICS) security assessment evaluates an organization's ICS for vulnerabilities and weaknesses and checks that effective controls are in place to defend against cyberattacks. The assessment encompasses:

Evaluation of safety with a cybersecurity audit

A cybersecurity audit is an evaluation of the security and strength of an organization's ICS environment. Its essential steps are:

Define, as a first step, the scope of the audit, the networks that will be assessed and the standards that must be adhered to.
Review the relevant ICS security policies and standards to understand what is in place at present.
Analyze the network architecture for critical and non-critical systems to check how the networks are segmented.
Check that the ICS environment adheres to industry standards such as IEC 62443.
Scan the network thoroughly to assess the weaknesses of the ICS environment, preferring passive techniques or carefully scoped active scans, since aggressive scanning can disrupt fragile ICS devices.
Get a free copy of the template here: Incident response plan & template
Review incident logging against incident response best practice; the audit will report any lapses.
Once the audit of the ICS environment is complete, prepare an audit report on the vulnerabilities found.
The report should also contain recommendations for further action. On the basis of the report, take the necessary follow-up actions to address the issues and weaknesses identified. Effective follow-up also helps keep watch on emerging threats.

CIA triad: the ICS security assessment model

The CIA triad is a popular lens for security assessment. CIA stands for confidentiality, integrity and availability, and all three matter when reviewing a system for vulnerabilities and assessing risk. For safe operation of industrial processes there must be a balance between the three; in ICS that balance usually tilts toward availability and integrity, since a control command that is delayed or altered can cause physical harm.

Confidentiality

Confidentiality means keeping an organization's data private and restricting unauthorized access. In this digital age there are frequent attempts to compromise industrial control systems, and confidentiality is maintained through encryption, multi-factor authentication, data labeling and similar controls.

Integrity

Integrity ensures that data is reliable and trustworthy: it is protected from unauthorized alteration, and controls such as non-repudiation preserve the authenticity of the information.

Availability

Data that is secure must also be available and accessible to stakeholders. Timely, uninterrupted availability is of prime importance, and natural disasters, ransomware attacks, denial-of-service attacks and the like can all compromise it.

The CIA triad offers a comprehensive methodology for assessing security lapses: it helps identify what went wrong and how well the existing systems were able to protect the data.

The need for ICS cybersecurity assessment

One major cloud provider reported mitigating an average of 1,435 Distributed Denial-of-Service (DDoS) attacks per day in 2022, an indicator of the gravity of the situation.
Cybersecurity assessment is the need of the hour when the digital landscape is deluged with cyberattacks of every kind. Many industries have suffered severe losses and compromises because security assessments were overlooked. All of this calls for timely assessment, so that potential threats are identified and defenses put into action.

ICS security standards

Organizations follow different security standards based on industry requirements. Some of them:

1. ISA/IEC 62443

The IEC 62443 series offers guidelines for securing industrial automation and control systems, the kind found in power plants, oil and gas facilities, water treatment plants and so on. The standards specify the types of controls to be put in place on ICS platforms. IEC 62443 is used mainly by the industrial automation and control sector and, with its comprehensive set of requirements, is considered among the best for industry to follow.

2. The North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) standards

The NERC CIP standards are specific to the power grid sector and protect the security of the electricity industry.

Some common ICS tools used for cybersecurity assessment

These tools are widely used by analysts to identify and track vulnerabilities and strengthen protection.

Nmap

Analysts use Nmap to identify the hosts that reside on a network, discover open ports and the services behind them, and map an entire network. It is a simple tool with powerful capabilities: it can enumerate routers, servers, switches and other devices across one or many networks and identify web servers, DNS servers and other services a host is running. Use it with care in ICS networks: aggressive or full-range port scans can hang or crash fragile PLCs and RTUs, so use conservative timing, scan from a known asset inventory rather than whole ranges, or run scans against test systems or during maintenance windows.
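Because the scan itself is the risky step in an ICS network, it pays to run it once, conservatively, save the output and do the analysis offline. The following added example (not part of the original article and not Sectrio's product) parses Nmap's greppable output format (`-oG`) and flags hosts that expose well-known ICS protocol ports. The scan result embedded in the script is constructed for the example; the port table is from public IANA and vendor assignments.

```python
"""Flag ICS protocol services in Nmap greppable (-oG) output.

Added example.  SAMPLE_GNMAP is a constructed scan result, not real data;
in practice run the real scan once, conservatively, and feed its saved output here.
"""
import re

# Well-known OT protocol ports (public IANA/vendor assignments).
ICS_PORTS = {
    102:   "Siemens S7comm (ISO-TSAP)",
    502:   "Modbus/TCP",
    1911:  "Tridium Niagara Fox",
    2404:  "IEC 60870-5-104",
    4840:  "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP explicit messaging)",
    47808: "BACnet/IP",
}

# Constructed `nmap -oG -` output.  Port entries have the form
# port/state/proto//service/// and are separated by ", ".
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Oct  2 09:00:00 2023 as: nmap -sS -T2 -p- -oG - 10.10.20.0/24
Host: 10.10.20.5 (hist01.ot.example)\tStatus: Up
Host: 10.10.20.5 (hist01.ot.example)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 1433/open/tcp//ms-sql-s///\tIgnored State: closed (65532)
Host: 10.10.20.41 ()\tStatus: Up
Host: 10.10.20.41 ()\tPorts: 80/filtered/tcp//http///, 102/open/tcp//iso-tsap///, 502/open/tcp//mbap///\tIgnored State: closed (65532)
Host: 10.10.20.77 ()\tStatus: Up
Host: 10.10.20.77 ()\tPorts: 2222/open/tcp//EtherNet-IP-1///, 44818/open/tcp//EtherNet-IP-2///\tIgnored State: closed (65533)
# Nmap done Mon Oct  2 09:41:12 2023 -- 256 IP addresses (3 hosts up) scanned
"""

_PORTS_LINE = re.compile(
    r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>.*?)(?:\tIgnored State.*)?$"
)


def parse_gnmap(text):
    """Return {ip: {"name": hostname, "ports": [(port, state, proto, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = _PORTS_LINE.match(line)
        if not m:
            continue                       # comment, Status-only or unrelated line
        ports = []
        for entry in m.group("ports").split(", "):
            fields = entry.split("/")      # port, state, proto, owner, service, ...
            if len(fields) < 5 or not fields[0].isdigit():
                continue
            ports.append((int(fields[0]), fields[1], fields[2], fields[4]))
        hosts[m.group("ip")] = {"name": m.group("name"), "ports": ports}
    return hosts


def ics_exposures(hosts):
    """Open TCP ports that carry an ICS protocol, as sorted (ip, port, protocol_name)."""
    findings = []
    for ip, info in hosts.items():
        for port, state, proto, _service in info["ports"]:
            if state == "open" and proto == "tcp" and port in ICS_PORTS:
                findings.append((ip, port, ICS_PORTS[port]))
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, name in ics_exposures(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip}:{port}  {name}")
```

The historian on 10.10.20.5 exposes only IT-style services and is not flagged, whereas the two unnamed hosts answering on 102/502 and 44818 are almost certainly a Siemens PLC and an EtherNet/IP device; those are the ones whose reachability from the scanning position needs explaining in the audit report.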
Nmap also has a GUI, Zenmap, which produces visual maps of a network.

Visit Now: Nmap

Shodan

Shodan is a search engine that finds servers, routers and other devices exposed on the internet using a variety of filters. With Shodan you can identify whether any devices in your ICS are reachable from the internet. The data Shodan collects is comprehensive: it is stored as metadata and includes hostname, geographic location, operating system and properties of the application-layer protocols in use, which helps identify insecure devices.

Visit Now: Shodan

Sectrio

You can leverage Sectrio to conduct host discovery and vulnerability analysis and provide solutions to correct the vulnerability detected in the



QILIN Ransomware Report 

QILIN, also known as "Agenda", is a ransomware group that also operates a ransomware-as-a-service (RaaS) program. According to Group-IB, affiliates in Qilin's RaaS scheme keep between 80% and 85% of each ransom payment. Qilin was first observed in 2022, when it attacked a leading Australian IT services organization.

Qilin targets its victims with phishing emails containing malicious links to gain access to their network and exfiltrate sensitive data. Once initial access is complete, the operators typically move laterally across the victim's infrastructure looking for crucial data to encrypt. After encrypting the data, Qilin leaves a ransom note ("Your network/system was encrypted, and the encrypted file has a new file extension") and demands payment for the decryption key.

Ransomware details and working

The ransomware drops pwndll.dll, detected as Trojan.Win64.AGENDA.SVT, in the Public folder and injects this DLL into svchost.exe so that the ransomware binary keeps executing. It reboots the machine into safe mode to evade detection and carries out its encryption routine unnoticed. Agenda was first written in Go, and a Rust variant followed; the Rust variant is especially effective for ransomware operations because, apart from being evasive and hard to analyze, it makes the malware easy to build for Windows, Linux and other operating systems.

Some pointers to note:

Victim selection

At first the group appeared to target organizations at random, but it now seems mostly interested in critical infrastructure, that is, OT companies. In 2023 it targeted 21 companies, including 5 OT victims. In June 2023 it attacked a Dubai-based OT company specializing in comprehensive industrial and commercial water treatment (Clarity Water Technologies, LLC), and it has targeted 6 other companies and leaked some of their data.
According to our dark web analysis, the victims targeted so far are spread across Argentina, Australia, Brazil, Canada, Colombia, France, Germany, Japan, New Zealand, Serbia, Thailand, the Netherlands, the UAE, the UK and the United States.

Fig. 1: Victim countries

According to a screenshot of a recruitment post written in Russian by a Qilin recruiter seeking "teams of experienced pentesters" for the affiliate program, the group does not operate in CIS countries.

Dark web analysis of Qilin ransomware

Qilin maintains a dedicated dark web page where it publishes information about each victim: the victim's name, the date of the attack, a description of the victim and some images of the victim's sensitive data. When the ransom is not paid, the victim's data is leaked on the same site. About 22 victims have been posted on its onion sites, and some victims' data has been leaked there.

Also Read: How to get started with OT security

A walk through their dark web site: the front page, where the victim information is published, and a login page. They normally leak two files, one containing the data and another listing all the sensitive files.

IOCs

SHA-256:
76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e
fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039

Mitigation for securing OT environments

References

https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html
https://www.trendmicro.com/en_in/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html
https://www.group-ib.com/blog/qilin-ransomware/
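The indicators above are only useful if they are actually swept for. The following added example (not Sectrio tooling and not part of the original report) walks a directory tree and checks three things the report mentions: the two SHA-256 hashes, a pwndll.dll sitting under a Public folder, and the ransom-note wording in small files. run_demo() builds a constructed sample tree in a temporary directory so the sweep can be exercised offline; the "malicious" sample in it is plain constructed bytes, not malware, and its hash is added to the IOC set only for the demo.

```python
"""Sweep a directory tree for the Qilin/Agenda indicators described above.

Added example, not Sectrio tooling.  It checks three things the report
mentions: the two SHA-256 file hashes, a pwndll.dll dropped under a Public
folder, and the ransom-note wording.  run_demo() builds a constructed sample
tree in a temporary directory so the sweep can be exercised offline.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 IOCs from the report.
QILIN_SHA256 = {
    "76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e",
    "fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039",
}
DROPPED_DLL = "pwndll.dll"            # injected into svchost.exe per the report
RANSOM_NOTE_PHRASE = b"your network/system was encrypted"
NOTE_MAX_BYTES = 64 * 1024            # only small, note-sized files are read for the phrase


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, ioc_hashes=frozenset(QILIN_SHA256)):
    """Return a list of {"indicator": ..., "path": ...} hits found under `root`."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        parts = {part.lower() for part in p.parts}
        if p.name.lower() == DROPPED_DLL and "public" in parts:
            hits.append({"indicator": "dropped_dll", "path": str(p)})
        digest = sha256_file(p)
        if digest in ioc_hashes:
            hits.append({"indicator": "hash_match", "path": str(p), "sha256": digest})
        if p.stat().st_size <= NOTE_MAX_BYTES and RANSOM_NOTE_PHRASE in p.read_bytes().lower():
            hits.append({"indicator": "ransom_note", "path": str(p)})
    return hits


def run_demo():
    """Build a constructed sample tree, sweep it and return the hits.

    The 'malicious' sample is plain constructed bytes whose hash is added to
    the IOC set for the demo only; it is not real malware.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        public = root / "Users" / "Public"
        public.mkdir(parents=True)
        (public / DROPPED_DLL).write_bytes(b"constructed stand-in, not a real DLL")
        docs = root / "Users" / "alice" / "Documents"
        docs.mkdir(parents=True)
        (docs / "README-RECOVER.txt").write_bytes(
            b"Your network/system was encrypted, and the encrypted file has a new file extension\n")
        downloads = root / "Users" / "alice" / "Downloads"
        downloads.mkdir()
        (downloads / "invoice.exe").write_bytes(b"constructed sample payload")
        (downloads / "budget.xlsx").write_bytes(b"harmless constructed content")
        iocs = set(QILIN_SHA256) | {sha256_file(downloads / "invoice.exe")}
        return sweep(root, iocs)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Hash matching alone is brittle against a group that rebuilds its payload per victim, which is why the behavioural indicators (the dropped DLL location and the note text) are checked alongside it; in a real sweep the phrase check should also be pointed at the new file extension the note announces.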
This research report is attributed to Dipanjali Rani and Akshay Jambagi from Sectrio's threat research team.



Ensuring Secure Remote Access for Industrial Control Systems

Industrial control systems (ICS) refer to control systems used in a wide range of industrial processes. ICS is a component of operational technology that involves the hardware, software and systems that help manage industrial operations. Basic elements of an ICS include sensors, controllers, local supervisory systems, business systems and management systems.

The need for remote access connectivity for industrial control systems has never been greater, as it allows businesses and industries to enjoy more efficient and reliable operations. But for remote access to work, businesses have to establish network connections between the ICS infrastructure and the remote user. This comes with its own set of security risks. Cybercriminals constantly target remote users to steal sensitive information, gain financial advantage or simply cause damage. The consequences of such security breaches can be devastating, as they lead to operational disruptions, reputational damage, financial losses and data corruption. This is why organizations must ensure secure remote access (SRA) for industrial control systems. In this article, we'll explore some of the best ways to ensure secure remote access for industrial control systems (ICS).

Best Practices for Secure Remote Access for Industrial Control Systems

Remote users should authenticate with multi-factor authentication (MFA)

Multi-factor authentication (MFA) is an added security measure that requires users to provide several 'pieces' of verification before being granted access to an account. Examples of MFA factors include one-time passwords (OTPs) and biometric data such as fingerprints, voice recognition or iris scans. For most accounts, users need only a password to log in. An MFA system combines multiple authentication factors, including a password and other confirmation steps. This adds an extra layer of security, making it hard for unauthorized people to access an account. To ensure secure remote access for industrial control systems, consider a multifactor authentication system operated over a secure channel. But be careful when doing so, as some multifactor solutions can be unsuitable because of the speed or reliability requirements of process control.

Ensure secure communication through encryption tools and tunneling techniques

Encryption protocols and secure tunneling techniques ensure that the information exchanged between the remote user and the ICS remains confidential and protected from unauthorized access. For example, Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols establish secure, encrypted connections between client and server applications, providing both authentication and data encryption. This is just one example of an encryption protocol and secure tunneling technique. Implementing such protocols ensures secure communication channels for remote access to ICS.

Consider dedicated client hardware and software

It's standard for organizations looking for remote access solutions to provide their users with both the software and hardware required to connect. Even so, cybercriminals remain a major concern, as they typically target such users. As part of the remote access solution, your organization should issue personal computers or laptops with appropriate cybersecurity countermeasures, such as host-based intrusion detection systems and antivirus software. Perhaps the one solution that has benefited most organizations is using VPNs for secure remote access. A good VPN establishes a secure, encrypted connection between the user and the ICS network. It creates a secure "tunnel" over an insecure network, such as public Wi-Fi, ensuring that sensitive information remains protected. Employing dedicated client hardware, such as laptops, and dedicated software, such as VPNs and antivirus, ensures that organizations can effectively establish secure remote access for industrial control systems.

Session termination

Session termination is a fundamental concept when discussing remote access. It is paramount when establishing a remote access solution because it ends the link between the remote user and the internal network or system. It's an essential and non-negotiable element of a secure remote access solution. Because of this, organizations need to ensure that sessions are promptly terminated, either on request or automatically based on system configuration.

Conduct regular patching and updates

Regular patching and updates are essential for addressing vulnerabilities and security weaknesses discovered in software systems. By promptly applying security patches, you address the vulnerabilities and protect the entire ICS infrastructure from potential cyberattacks. Proper patch management closes security gaps and strengthens the overall security of the system, significantly reducing the risk of unauthorized access and disruption. Since ICS is highly critical to an organization, you must plan and execute updates carefully to minimize disruption of operational continuity. The best approach is to conduct the process in phases, testing the patch in an isolated environment before distributing it to the entire ICS infrastructure. Also adopt a redundant architecture and backup system to provide uninterrupted operations.

Outline definitive remote access policies and procedures

Most organizations fail to define and communicate clear policies on the rules and procedures for remote access to ICS. It's important to clearly outline who can access the system, define the circumstances, and specify the necessary authentication mechanisms. A good place to start is to adopt a role-based access control (RBAC) policy. This policy framework regulates access to resources and equipment within an organization based on roles. In an RBAC policy, users are assigned specific roles that determine their level of access to systems, applications and data. As an administrator, you should ensure that all users connecting remotely use a named account. Beyond that, remote access users should only access systems that are directly associated with their line of work, and nothing more. You should go further and assign only the specific access privileges remote workers require to carry out their duties. This limits access based on job functions and needs, and is essential for reducing the risk of insider threats and maintaining the overall security of the ICS environment.

Schedule security awareness and training sessions

A big part of security



Unmasking Black Basta: A Closer Look at the Notorious Ransomware Group

The Black Basta threat actor is a sophisticated cyber threat group that has emerged in recent years, targeting organizations across multiple industries. Its primary objective is to gain unauthorized access to targeted networks and exfiltrate sensitive information for intelligence gathering or financial gain. The group is known to run long-term campaigns, establishing a persistent presence within victim networks to maintain access and conduct further malicious activity.

Tactics and Techniques:

The Black Basta threat actor employs a range of sophisticated tactics and techniques to achieve its objectives, such as:

Countermeasures:

This report is collective research based on resources from Trend Micro, BlackBerry, Palo Alto Networks, Bleeping Computer, SOCRadar, DXC Technology and others.

Who is Black Basta?

Black Basta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that first emerged in early 2022 and immediately became one of the most active RaaS threat actors in the world, racking up 19 prominent enterprise victims and more than 100 confirmed victims in its first few months of operation. The group is known for using phishing emails and malicious attachments to deliver ransomware, and it has targeted organizations in a variety of industries. Its ransom scheme is double extortion: encrypting the victim's critical data and vital servers and threatening to publish sensitive data on the group's public leak site.

Black Basta is believed to be a Russian-speaking group. Its core membership is assumed to have spawned from the defunct Conti threat actor group, given the similarities in their approach to malware development, leak sites, and communications for negotiation, payment and data recovery. In addition, there have been reports that Black Basta members have used Conti-related code in their ransomware attacks, which suggests some overlap between the two groups, either in membership or through collaboration.

ABB Ransomware

On May 7th, 2023, the Swiss multinational corporation ABB was hit by a ransomware attack conducted by the Black Basta ransomware gang, a threat actor that first came into view in April 2022. Black Basta used a phishing email to deliver the ransomware to an ABB employee. The employee opened the malicious attachment, which installed the ransomware on their computer, and the ransomware then spread to other computers on ABB's network, encrypting files on hundreds of devices. The attack affected the company's Windows Active Directory and hundreds of devices across multiple locations. ABB terminated VPN connections with its customers to contain the attack and prevent it from spreading to other networks.

History of Attacks by Black Basta

Chart: distribution by country of Black Basta's victim organizations from April 1 to July 31, 2022.

Analysis of the Black Basta Ransomware Malware

The ransomware is written in C++ and affects both Windows and Linux operating systems. It encrypts users' data using a combination of ChaCha20 and RSA-4096. To speed up encryption, the ransomware encrypts files in chunks of 64 bytes, leaving 128 bytes of data unencrypted between the encrypted regions. The ransomware also attempts to delete shadow copies and other file backups using vssadmin.exe, a command-line tool that manages the Volume Shadow Copy Service (VSS), which captures and copies stable images for backups on running systems.

Black Basta Attack Chain

Diagram: Black Basta attack chain.

Tactics, Techniques and Procedures

Initial Access: Valid Accounts; Phishing
Execution: Command and Scripting Interpreter; System Services; Windows Management Instrumentation
Privilege Escalation: Exploitation for Privilege Escalation
Defense Evasion: Modify Registry; Domain Policy Modification; Impair Defenses; Reflective Code Loading
Credential Access: OS Credential Dumping
Discovery: System Information Discovery; Remote System Discovery; File and Directory Discovery
Lateral Movement: Lateral Tool Transfer; Remote Services
Exfiltration: Exfiltration over C&C Channel; Exfiltration over Web Service
Impact: Inhibit System Recovery; Service Stop; Data Encrypted for Impact; Defacement

Technical Analysis

Upon successfully executing its payload on the compromised system, the Black Basta ransomware changes the desktop wallpaper to a customized image associated with the ransomware's activities. The malware is also known to drop a text file containing the login ID that the affected company uses to establish a connection with the ransomware group, for the purpose of ransom payment and negotiation over the retrieval or release of the compromised data.

Dark Web Analysis

Black Basta maintains dedicated dark web pages through which it establishes communication channels with victims to negotiate ransom payments.

Security Recommendation

To defend against the Black Basta threat actor and mitigate the risk of its attacks, organizations are advised to consider the following countermeasures:

This article is attributed to Vikas Karunakarn, Aditya Kirit Katpara, Akshay Jambagi & Dipanjali Rani from Sectrio's threat research team.



Complete Guide to Zero Trust Security

Zero Trust Security – Always Verify and Authenticate

Zero Trust Security architecture functions on the premise that every connection requires mandatory identification, verification and authentication. Previously, networks were presumed secure from outside threats, while those inside the system had complete access to every nook and corner of the network. The security model of that time was dubbed the 'castle and moat' system (or 'trust but verify'): if someone crossed the moat (managed to intrude on the network), they had complete access to every network component. All an intruder needed to enter the system was a set of legitimate credentials. Likewise, the threat of an insider is always high in such a scenario, leaving troves of data at the mercy of the attacker, which is a complete failure of the security architecture.

Zero Trust Security architecture is independent of whether the connection originates within or outside the network premises. Therefore, enterprises should take a holistic approach to adopting ZTA across every level of the enterprise. ZTA (Zero Trust Architecture) typically comprises a set of rules, procedures and techniques to secure the systems. In the future, cyberspace will only get more vulnerable and treacherous. But, despite its drawbacks, cybersecurity researchers feel that Zero Trust Security is the way ahead.

The Zero Trust Security framework (architecture) can protect every network component if implemented well and fine-tuned. Moreover, in case of a successful intrusion, it helps minimize the damage.

What drives Zero Trust Security? – Key Principles of the Zero Trust Security Framework

The Zero Trust Security framework relies heavily on 'assume breach, verify explicitly' and on continuous verification and authentication of trust. At all times, all connections need to be periodically verified, irrespective of their previous interactions. The key principles that drive the Zero Trust Security framework are as follows:

What makes ZTA so unique? – Advantages of Zero Trust Security

The world has been catapulted 5-7 years into the future in terms of digitalization, use of cloud services and remote work. With data flowing across various networks, the demand for security has never been higher. To ensure the workforce and clients operate in sync without having to worry about security concerns, we must adopt strict security measures that protect data, identities, networks and infrastructure. This need led to the fast-track adoption of Zero Trust Security globally. Moreover, complying with industry standards and government requirements plays a big part in running an enterprise.

Implementing Zero Trust Security

Establishing Zero Trust Security is a challenging exercise requiring experience, expertise and time. Enterprises often see ZTA as a turnkey cybersecurity solution, thinking of it as a plug-and-play product. In reality, ZTA comprises various elements, each unique in its own way and serving a specific purpose. Therefore, enterprises should engage an expert cybersecurity solution provider, like Sectrio, to implement and monitor ZTA. Still, understanding how to implement ZTA helps enterprises grasp the platform in more detail, paving the way for better security practices. There are two ways one can approach the implementation of Zero Trust Security:

1. Rip and Replace

Only a select few enterprises take this option. As the name suggests, replacing the existing infrastructure with modern infrastructure makes it easy to implement ZTA. Going ahead with this approach requires a thorough understanding of the following:

2. Build around and replace

Most enterprises have a potpourri of security installations spread across various timelines, and most security offerings are either incomplete or not equally competent across multiple domains. Opting for ZTA requires a thorough analysis of the security posture and every element that is part of it. There might be a case for replacing infrastructure, given the lack of compatibility with modern security protocols. Similarly, the administrator may revoke permissions when implementing a Privileged Access Management / Least Privileged Access policy. Finally, the workforce needs to get used to multifactor authentication, as ZTA works on the core principle of 'assume breach, verify explicitly' for every new connection request. Likewise, ZTA focuses on protecting data and thwarting intrusions rather than concentrating on the attack surface and external perimeter alone.

Implementing Zero Trust Security in 7 Steps

Securing the network of any enterprise involves securing its devices, data flow paths, user authentication, network connections and applications in use. Additionally, ZTA relies heavily on network connectivity, which can be affected during a DDoS attack or a surge in user traffic. Both scenarios can strain the network, with processes slowing down before a complete collapse. Only with time can an enterprise understand how strict the protocols for a particular set of data and network need to be. With this understanding and UEBA (User and Entity Behavior Analytics) tools, one can strengthen Zero Trust Security, thereby improving the security posture.

Zero Trust Security Challenges

Nothing is a fairytale in cybersecurity, and adopting ZTA or the Zero Trust Security framework is no exception. For an enterprise to adopt a security product like Zero Trust Architecture, everyone in the company, whether or not they belong to the IT department, should be part of the exercise. It requires significant man-hours to create awareness and train people to implement ZTA best practices. Unfortunately, few enterprises see this as an investment, while others see it as a dent in their balance sheet. Let us learn about the common challenges an enterprise faces when adopting ZTA.

Overcoming Zero Trust Security Challenges

Like every other cybersecurity product, Zero Trust Architecture has flaws and drawbacks. Nevertheless, ZTA is the best option available for effectively tackling the current cybersecurity threat landscape. It is so comprehensive that it brings many aspects of a network's security into play and supplements the monitoring team with analytical data, giving them a detailed, granular view of every process on the network. Therefore it is essential to understand how to overcome Zero Trust Security challenges to make the best use of the product.

Zero Trust Security Best Practices

Having a protocol sheet is always helpful in cybersecurity. The rules, guidelines,



Complete guide to OT network segmentation

As industrial businesses connect their OT and IT networks, network segmentation is becoming an increasingly important approach. Using this method, it is feasible to secure industrial assets while maintaining their important characteristics.

Data reigns supreme in the era of the Industry 4.0 revolution. In some of our most important industries, it catalyzes IT/OT convergence. IP subnet-based VLANs and utility infrastructure are being combined in smart cities like Dallas to detect water use and leaks, enabling intelligent water saving. The industrial and manufacturing sectors are also implementing IoT solutions to gather crucial data from machinery and production lines. Companies are cutting project schedules, limiting unplanned downtime, lowering operational costs and witnessing growth never seen before. Security considerations must, however, temper the desire for efficiency and profitability, since the security of an entire organization's vital infrastructure is on the line.

In an OT environment, traditional IT segmentation is inadequate. For many years we have depended on strong perimeter security to monitor north-south traffic at the network level. However, building traditional IT segmentation, including intricate VLAN and firewall setups, takes time. OT settings also have a low tolerance for extended downtime, particularly when it comes to pipelines, power plants or ports of call. Additionally, IT firewalls cannot fully reveal which packet exchanges are permitted in an OT context. As cyberattack methods grow more sophisticated, micro-segmentation is becoming an increasingly realistic option for reducing OT attack surfaces. Current statistics show that "connectivity to external systems continues to be the predominant root cause of...incidents, a sign that enterprises still fail to adopt network segmentation best practices." Micro-segmentation allows for fine-grained workload visibility. It offers improved breach containment for OT settings, zero trust security, SDN-based control, and granular control of systems that must adhere to regulatory standards.

What is OT Network Segmentation?

Network segmentation is a physical security measure that separates OT networks from IT networks, guest networks from corporate networks, and essential industrial networks from one another. Segmentation is frequently used within essential infrastructure sectors, including oil and gas, electricity, utilities, aircraft, transportation, manufacturing and the other important verticals recognized by the US government. Why? Because ICS devices, and the computers used to monitor and control them, require increased attention due to rising attack rates and the level of expertise needed to access them.

Why are OT network segmentation and segregation essential?

The significance of segregation has been underlined frequently over the past few years, particularly in light of the recent spate of major incidents, including the Marriott and Equifax data breaches, WannaCry and many more. Network isolation can prevent malware, but how? If your first line of defense against a virus or ransomware is breached, segregation lets you isolate the infection and stop it before it reaches the network's core. By doing so, you and your company's IT staff can limit the breach to a single host before manual action is needed. Using advanced methods, an attacker may attempt to connect directly from a compromised host to a more susceptible host. The Australian Cyber Security Centre reports that once a workstation has been compromised, the attacker frequently attempts to establish a remote connection to a server, map a network resource, or use authorized network administration tools to access sensitive data or run malicious code on that server. Therefore, well-planned and well-implemented network segregation and segmentation are key to preventing such attacks. Some preventative measures include configuring servers to restrict file sharing, forbid remote desktop connections, and limit the server's ability to interact with remote connections.

The risk of Unsegmented OT-IT Networks

Flat Network: all of the equipment in the facility is interconnected and forms a flat network. There is no compartmentalization, segmentation, distinction or prioritization, since any device can "speak" to any other device, from the telephones at the help desk to the webcams at the point of sale to the desktops in accounting. No incline, so flat. Although flat networks are quite popular, there are several significant concerns that you should be aware of.

Shopify Inc., a multinational Canadian e-commerce business, published a security incident alert on its website on September 22, 2020. Two workers were discovered to have illegally accessed documents about some of the company's merchants. According to estimates, the issue exposed customer information from 200 vendors, including names, email addresses, addresses and order details. Shopify released the following statement in response to the incident: "We promptly revoked these people's access to our networks and reported the situation to police enforcement. In the investigation into these criminal activities, we are presently collaborating with the FBI and other foreign organizations." Although there is currently no proof that the private data was utilized, the company has informed the impacted merchants of the occurrence.

One of the largest security issues that businesses are currently experiencing is insider threats. ManageEngine ADAudit Plus uses user behavior analytics (UBA) to help IT and security teams identify insider threat indicators such as numerous unsuccessful login attempts, unusual user behavior such as a spike in file accesses, or privilege escalations. ADAudit Plus uses machine learning to establish a baseline of typical user behavior and alerts security staff only when this baseline is violated.

Implementing OT Network Segmentation: 5 Best Practices

Over the past 10 years, threat actors have come to view OT factories as simple, low-effort ventures with a good probability of significant payouts. Factory owners have a lot on the line when there are lockouts, and they frequently dig deep into their coffers to pay ransoms rather than accept the chance of losing days of availability. The foundation of current OT security practice is the illusion of protection that perimeter firewalls and air gaps provide. They are unable to stop attackers with the dexterity to move laterally who are ready to observe and wait for months to finally get access to



Threat Modeling Using the Purdue Model for ICS Security

For organizations today, it's essential to use the right threat modeling methodology for network defense and risk management. The Purdue Model for ICS (Industrial Control Systems) Security is a great solution for threat modeling. Threat modeling for ICS security is a challenging task. The Purdue model provides structure, but it's important to understand its implementation. This article aims to define and clarify the Purdue model for securing ICS from modern cyber threats.

What Is the Purdue Model for ICS Security?

The Purdue industrial control system (ICS) security model is a segmented approach to protecting physical processes, supervisory controls and operations, sensors, and logistics. Despite the rise of edge computing and direct-to-cloud connectivity, the ICS network segmentation model remains a crucial framework for protecting operational technology (OT) from attacks such as malware. Industrial control system (ICS) security has a lot to consider. Security professionals have to put processes and procedures in place based on the general risks involved in the industry. Organizations specializing in ICS security are recommended to implement the best practices outlined by the NSA and CISA for the Purdue Model for ICS Security.

The model is a reference model for manufacturing data flows. As part of the Purdue Enterprise Reference Architecture (PERA), it helps organizations transition more efficiently to completely automated processes. It maintains a hierarchical flow of data throughout interconnected layers of the network. Six zones isolate ICS/OT from information technology (IT) systems, enabling improved access controls. Today the model is the standard for ICS network architecture that supports OT security.

Breaking Down the Zones of the Purdue Model

The OT system resides at the lower levels of the model, and the IT system takes up the higher levels. The systems interact in a "demilitarized zone" (DMZ). Let's examine each zone of the Purdue reference model.

Enterprise Zone: Levels 4 and 5

This is where you'll find the IT network. These levels include the storage, databases and servers used to run manufacturing operations. In this zone, enterprise resource planning (ERP) systems control inventory levels, shipping, plant production schedules and material use. Disruptions here can lead to extended downtime, which can cause damage to the economy, infrastructure failure and loss of critical resources.

Demilitarized Zone (DMZ): Level 3.5

Here you find security systems like proxies and firewalls. They protect against attacks on both the OT and IT environments. With increased automation and the need for bidirectional data flow between IT and OT systems, organizations can introduce new cybersecurity vulnerabilities into their systems. However, the convergence layer can help mitigate this risk and increase organizational efficiency.

Manufacturing Operations Systems Zone: Level 3

Here you find OT devices that manage workflows on the shop floor. Manufacturing operations management (MOM) systems provide a platform for companies to manage their production operations, while manufacturing execution systems collect real-time data, which can then be used to optimize production. Also on this level are data historians, which collect and store process data and conduct contextual analysis. Disruptions at Levels 4 and 5 can lead to economic damage, infrastructure failures and revenue loss.

Control Systems Zone: Level 2

On this level you'll find systems that control physical processes and monitor their status. These include supervisory control and data acquisition (SCADA) software that monitors physical processes, collects this data and sends it to historians or other users. Distributed control systems (DCS) are also on this level; they perform SCADA functions locally and are less expensive than other methods of implementing SCADA. Finally, human-machine interfaces (HMIs) connect directly to DCSs and PLCs, allowing primary equipment control and monitoring.

Intelligent Devices Zone: Level 1

This level contains instruments that transmit instructions to the devices at Level 0. These include programmable logic controllers (PLCs), which monitor automated or human input in industrial processes and adjust output, and remote terminal units (RTUs), which connect hardware in Level 0 to systems in Level 2. This provides a reliable conduit for data to pass from one level to another.

Physical Process Zone: Level 0

Here you'll find sensors, actuators and other machinery that monitor the assembly line's condition and suggest adjustments in real time. Many modern sensors use cellular networks to communicate directly with monitoring software in the cloud.

How the Purdue Model Applies Today

Since it was introduced by the Purdue University Consortium in the 1990s, the Purdue model has been used as an information hierarchy for CIM (computer-integrated manufacturing). At that time, few other models had outlined a straightforward way to organize CIM. Today, with IT and OT networks integrated through the industrial internet of things (IIoT), it would be reasonable to doubt whether the Purdue model still applies to modern ICS networks. For example, its data segmentation framework appears irrelevant when Level 0 data is sent directly to the cloud. But it isn't time to throw out this model just yet.

One advantage of the Purdue model that keeps it relevant today is its hierarchical structure. The model divides system components into distinct layers and clearly defines each component. Network segmentation is a logical way to control access between the layers in an OT network. Although the model won't necessarily fit your current OT network, it still presents a good starting point for securing such a network. As new cybersecurity risks continually emerge, methods that have proven effective, even if they don't perfectly match today's systems, continue to have value. The Purdue model is a worthy asset to keep in your arsenal of cybersecurity tools.

Final Thoughts

Segmenting an OT network into layers allows you to control access between the layers. The model may not fit your current OT network exactly, but starting from the model is still an excellent way to secure an OT network. While historically the Purdue model has been used to secure ICS technology, as more of these systems have been connected to the internet they have become less resistant to intrusion. At Sectrio, we provide a service that helps fill the gaps in the Purdue model opened by internet

