
Why IoT Security is Important for Today’s Networks?

IoT stands for Internet of Things. With each ticking second, our lives are becoming more intertwined with digital gadgets and spaces, and the Metaverse revolution set to unfold soon will only deepen our digital interactions. Given the non-standard manufacturing of IoT devices and the troves of data flowing through them, we are constantly exposed to cyber-attacks. Vulnerabilities, cyber-attacks, data theft, and other risks arising from the use of IoT devices make the need for IoT security solutions even greater.

Why do we need IoT security solutions in today’s networks? Lack of physical boundaries, improperly configured systems, non-standard gadget manufacturers, and poor QC and QA (Quality Control and Quality Assurance) make a strong case for IoT security solutions. The need is supported by two primary cases:

- Securing the functionality and digital perimeter of a network
- Data privacy

IoT Devices, Networks and Data in Numbers

Division: Value
Estimated IoT connections (by 2024): 83 Billion
Active IoT Devices as of 2021: 10 Billion
IoT Devices Market by 2026: $1.3 Trillion
IoT Medical Devices by 2025: $62 Billion
Data generated by IoT devices by 2025: 73.1 Zettabyte
IoT Device connections per minute by 2025: 150,000+
Global IoT Healthcare Market reach: $14 Billion
Estimated IoT Spending 2019 – 2025: $15 Trillion
Market size of IoT in retail by 2025: $94.5 Billion
Estimated Cellular IoT Connections by 2023: 3.5 Billion
The worth of IoT enabled Smart Factories in the US by mid-2022: $500 Billion
IoT devices used in clinics, medical offices, and hospitals in 2020 (according to Forbes): 646 million
Annual spending on IoT Security Solutions in 2021 (according to Forbes): $631 million

Common Threats for IoT devices

The foremost challenge for IoT devices is the wide range of threat vectors they are subjected to. A few stem from manufacturers and firmware developers; others come from targeted cyber-attacks and system exploitation. No wonder as many as 2 in every 3 households in the United States complained about cyber encroachment in the past couple of years. Most of them don’t have IoT security solutions in place to protect their data.

How hackers enter networks

Outdated Operating Systems: IoT devices running outdated or unsupported operating systems are easily exploited. Hackers can bring down an entire network by gaining access to a single vulnerable system on it. The 2017 WannaCry ransomware targeted 300,000 machines running Windows and successfully breached those systems that had no security updates.

Poor Testing and Encryption: Poor QC and QA lead to poor testing and encryption. Adding such devices to a network that lacks IoT security solutions exposes the network to attacks. With the increased availability of high technology, eavesdropping has become a profession. Israeli researchers managed to eavesdrop using a light bulb!

Exposed Service Ports (Telnet and SSH): A report on ZDNet in 2020 revealed that a hacker published the credentials of over 500,000 IoT devices, home routers, and servers after their Telnet ports were left open. Similarly, in 2017, Rapid7’s National Exposure Index claimed that over 10 million IoT and other devices had their Telnet ports open. Development teams should close Telnet ports after product deployment.

DDoS (Distributed Denial-of-Service) Attack: Botnets are used to send enormous traffic to a server or device, causing it to stop functioning. In 2016, the internet service provider Dyn became the victim of a large DDoS attack, which led to a severe outage.

Entry through HVAC and other Systems: Entry through HVAC and other remotely controlled systems is the biggest threat IoT networks face. Usually, vendors are given remote access for the installation of systems and firmware. The endpoints of the vendor systems are often not protected by a strong firewall or IoT security solutions, and hackers see this as an entry point to the entire IoT network.

Also Read: Rising threats on Critical Infrastructure amidst the Ukraine crisis

3 Most Vulnerable IoT Networks for Hackers!

Each IoT network comes with its own band of IoT security solutions deployed at various levels and failure points. Medical, Consumer, and Commercial IoT networks are often the most affected. In a Consumer IoT network, the failure points are one too many: devices operating on ancient operating systems and default passwords are the most vulnerable points. In Commercial IoT networks, remote-access vendors of unmanaged IoT devices are often the primary cause. Affordability (in the case of Consumer IoT devices) and insufficient security testing are often the primary reasons for threats arising in Consumer and Commercial IoT networks. Unsupported or outdated operating systems and devices from diverse vendors running various operating systems are the challenges faced by the Minerals and Mining industry.

Despite the various IoT security solutions that enterprises and consumers deploy, hackers still manage to break into networks through IoT devices and cause cascading effects. Without real-time management and dependable security solutions, these networks are often the softest targets for any hacker, hands down. Even critical infrastructure is currently nowhere near equipped to deal with a swarm of intense cyber-attacks.

Insiders make the case for IoT Security Solutions compelling!

Many industries face the threat of snooping by their own employees. There are verified reports of insiders planning to inject ransomware into systems, giving hackers autonomous control and access to critical data. If not for a change of mind by the employee, Tesla would have been the victim of a bribed ‘malware attack’ on its systems in 2019. Enterprises must step up and limit access to critical and sensitive information to a very few, without affecting knowledge transfer and other aspects of production.

This opens up a whole new dimension: the need to protect data even when internal systems are compromised. This is where IoT security solutions come into play, and they are often the salvation for many enterprises. Take a look at the state of OT and IoT cybersecurity in North America to understand the kind of challenges OT and IoT infrastructure is currently facing. The big question: Are IoT Devices safe? The answer is


BazarLoader malware opens a new frontier in cyberspace


While reports were coming in of hackers using company forms to trick employees into downloading a variant of the BazarLoader malware, Sectrio’s research team has come across another method that hackers are using to push this malware.

What is BazarLoader?

It is a very stealthy and sophisticated malware that serves as the first-stage infector used to drop multiple payloads. Since it pushes multiple malware payloads once installed, it is much sought after among hackers. It is by design a highly resilient and complex malware that has been used extensively in multiple campaigns, including those associated with Ryuk and Conti.

BazarLoader utilizes the EmerDNS domain name and record system, which is based on a blockchain. This renders it safe from any form of censorship or modification by non-author entities, so shutting down the associated domains is a tough proposition.

For the last few weeks, security teams have been discussing hackers using company forms to push infected links. WeTransfer, TransferNow, and in some instances even Dropbox links were being used to transfer a .ISO file containing a .LNK shortcut and a masked DLL file after the hacker established a line of communication with the purported victim.

Sectrio’s researchers intercepted an email earlier today that claimed to be coming from a prominent software review site. A look at the email address revealed that it was from another domain altogether and was being pushed through many server loops to improve its apparent authenticity. On clicking any link, the attack chain is activated with the download of an .ISO file carrying the shortcut and the masked DLL file. Since this email was targeting a team that would usually be interested in such communication, this was likely a targeted attack through a spoofed ID.

Such variation in phishing methods within just a couple of weeks indicates that hackers are working hard to refine their tactics to push BazarLoader.

For more informational content, subscribe to our weekly updates and stay tuned with updates from Sectrio.
Try our rich OT and IoT-focused cyber threat intelligence feeds for free, here: IoT and OT Focused Cyber Threat Intelligence
Planning to upgrade your cybersecurity measures? Talk to our IoT and OT security experts here: Reach out to Sectrio.
Visit our compliance center to advance your compliance measures to NIST and IEC standards: Compliance Center
Get access to enriched IoT-focused cyber threat intelligence for free for 15 days


Starlink disruption in Ukraine and the persistent threat to critical infrastructure


In an apparent response to reports of disruption of Starlink connectivity in conflict zones in Ukraine, Elon Musk just announced that SpaceX will work towards improving its cyber defense measures and put more effort into overcoming signal jamming.

According to a Starlink coverage tracker screenshot provided by Mike Puchol dated March 5th, 2022, Starlink connectivity seems to be impacted in many parts of Eastern Ukraine that are witnessing or have witnessed intense conflict between the Russian and Ukrainian armed forces. Starlink, according to Musk, has now pushed an update that bypasses the jamming to ensure seamless connectivity. Specifics were not provided, but it is apparent that he will not stop there and will continue working on sustaining connectivity without disruption from cyber adversaries or malicious elements under any circumstance.

How did Starlink respond to this disruption?

Starlink in this instance responded quickly to overcome what could have become an escalating problem as the conflict intensifies and spreads. More Starlink terminals could have been impacted had the problem been left unaddressed, and the quality of connectivity, where available, may not have supported the levels of bandwidth needed for multiple end uses in a conflict zone.

Cybersecurity problems with critical infrastructure

Unfortunately, critical infrastructure across the globe is nowhere close to being this resilient when it comes to warding off cyberattacks and getting things back in order quickly. We have had instances where, after a cyberattack, large-scale public healthcare and safety challenges were averted due to sheer luck and not due to diligence or planning. Some of the key critical infrastructure related cybersecurity issues that we have been tracking for a while include:

- Delayed response to cyberattacks or intrusion attempts degrades the quality of response and puts more resources at risk
- Converged surfaces are still not secure enough. This leaves the door wide open for threats to move laterally
- Lack of visibility into key parts of maintenance operations due to the use of legacy devices that do not support logging
- Lack of relevant threat intelligence
- Forward planning to cover post-event scenarios and cyber response planning is simply not there
- Digital transformation in some parts of the infrastructure has created zones of opportunity for hackers, as these host new and untested devices that could serve as a gateway for malware and cyberattacks
- Cybersecurity is still looked at from an operational perspective. This means that if a tabletop exercise or the addition of cybersecurity solutions causes downtime, a decision is usually taken to delay such measures indefinitely, as operations teams do not want to take any chances with disruption or downtime
- The ‘Chernobyl’ syndrome refers to employees not being aware of the threat envelope surrounding key elements of the infrastructure. Thus, during a cyberattack, the first response is sheer panic or to shut down everything. The second step is usually to pay the ransom after some negotiation
- Dummy attacks: even critical infrastructure at rest is not spared from cyberattacks, as we saw during an attack on an airport in Prague during the first wave of Covid-19, when the airport was not functioning at full capacity. This means that even during a lean phase, cybersecurity teams cannot afford to look away from critical systems. Such attacks can also tire out and tie down SOC teams
- Monitoring insider activity is still on the to-do list of critical infrastructure operators
- Lack of adherence to standards and frameworks such as IEC 62443 and NIST regulations
- Cybersecurity is still not treated as a health and safety linked issue

Ukraine has been subjected to cyberattacks in the recent past. Hackers have been using its cyberspace as a playground for launching new malware and trying new breach techniques. Similarly, many countries have been subjected to widespread cyberattacks to steal sensitive information, create large-scale disruption, or simply deploy malware that stays hidden until the cyber adversary decides on the right time to unleash it.

Cybersecurity lessons and the way ahead

If anything, incidents such as the Starlink jamming should now be used to launch a new thrust on critical infrastructure cybersecurity. After all, communication enablers in a war zone or zone of humanitarian interest can be and should be treated as critical infrastructure, and this incident has lessons for all critical infrastructure operators.

To learn more about how to improve your compliance posture, download our compliance kits.
We have the right threat intelligence for your critical infrastructure. Try it right now: Threat Intelligence
We also have the right cybersecurity solutions for your critical infrastructure. Allow us to give you a sneak preview of their capabilities through a no-obligation demo.


State of IoT and OT security in the Middle East


Cyber-attacks on Middle Eastern entities continued to rise throughout 2021. Most of this rise came from threat actors connected to 5 known clusters outside the region that were targeting critical infrastructure, manufacturing, utilities, and oil and gas infrastructure. These attacks were characterized by:

- An exponential increase in the degree of sophistication in targeting and breach formulation
- A strong geopolitical connection; extensive involvement of APT actors has been confirmed
- Timing designed to coincide with major offline events, including the onset of holidays, the reopening of offices, and even government-to-government discussions
- Malware deployed in the region showing higher levels of new code and segments, indicating that the hackers may be working towards exclusively targeting entities in the region or using the region as a testing ground
- Attacks on manufacturing registering a 200 percent rise
- Cyberattacks carried out in waves on targets, with increasing intensity and loss of data registered in each wave
- New APT clusters springing up within the region and now targeting strategic sectors of the economy in countries like Saudi Arabia, UAE, and Oman

As we investigate the emerging threats in the region, three themes stand out:

- Hackers are focusing on maximizing disruption by targeting industrial control systems, supply chains, and IoT networks
- Ransom is the ultimate objective; the attacks are being carried out by well-organized cyber-criminal gangs. Regional ransom rates have also gone up
- Lack of visibility into operations and involuntary insider activity are both turning into major weaknesses. In converged networks that connect IoT, OT, and IT, threat actors are finding it easier to breach and load their malware payload

Sectoral updates on IoT and OT Security

Attacks on oil and gas entities and manufacturing sectors continue to rise disproportionately. Through infrastructure optimization measures, many new devices and systems were introduced into the networks of companies in these two sectors in 2020 and 2021. Some of these devices were introduced without adequate levels of security testing, and this has led to the emergence of new vulnerabilities that hackers are exploiting. With widened gaps, cyber threats will find it easier to spread across these two sectors and beyond. In industries such as cement and food and beverage manufacturing, we have seen the emergence of specialized threats. These target certain production aspects, including assembly lines, manipulation of proprietary formulations, and production processes.

A large number of digital transformation projects took off in countries like UAE, Saudi Arabia, Oman, and Qatar in 2021. Most of the projects involve a phased transition to technologies such as IoT, AI, blockchain, and others. Due to this transition, as well as the increased infusion of automation, an increasing number of enterprises and business units now operate with a diverse array of infrastructure subsystems, sub-networks, and connectivity flavors, which enables cyberattacks by stealthy malware that moves laterally across networks.

Extensive use of social engineering

Hackers are also deploying a wide variety of social engineering and insider-luring means to attack and engage targets. These include forged official emails from vendors, government, and other entities, and messages from instant messaging and other platforms to deceive the recipient. We also came across some instances of reply phishing.

Bleeding data

UAE firms lost the maximum amount of data per cyber-attack as compared to other countries in the region. Other countries also lost data in proportion to the volume of cyberattacks they experienced. Such data is turning up in all sorts of places. We are not sure about the amount of ransom that could have been paid by companies in the region, but judging by the volume of data leaked so far, significant amounts of ransom could possibly have changed hands in 2021.

The above is an extract from Sectrio’s Threat Landscape Assessment and Analysis Report 2022. To access the full report, visit this link: The 2022 IoT and OT Global Threat Landscape and Assessment Report
Wish to learn about simple measures to improve your cybersecurity posture? Meet our cybersecurity experts at GISEC 2022. Book your complimentary meeting slot now.



Ukraine-Russia conflict: looking beyond shields up

Both sides in the Russia-Ukraine conflict have been targeted by hackers who were either APT groups or part of largely independent groups that got pulled into the conflict, willingly or otherwise. This conflict has put the spotlight on cybersecurity, but not in the way we would have wanted:

- Hackers have taken complete control over the narrative and are being encouraged from both sides
- Cyberattacks are now being seen as a natural fallout of any conflict
- The event has also led to the emergence of new malware that is being tested
- Civic infrastructure has been targeted extensively, along with select businesses, to create large-scale disruption
- A new batch of hackers is being trained and armed to widen the impact of cyberattacks

Cyberattacks in any shape or form should ideally be discouraged. Just as there are no good wars, there are no good cyberattacks either. In the long run, hackers will move on to other targets and continue the mayhem and disruption.

The US CISA had issued an advisory to businesses to go ‘Shields Up’ and brace themselves for Russian cyberattacks. But this has not initiated any major discussion around cybersecurity across OT operators and IoT deployments. This conflict should have underscored the importance of cyber threat intelligence, proactive risk management, tabletop exercises, and self-audits to reassess the state of the cybersecurity posture and identify and plug gaps. Not many businesses have done that, as the belief is that hackers will only go after government entities. The Ukraine-Russia conflict has taken attention away from the core issue, which is the need to address security weaknesses, and this will create a huge challenge for businesses in the long run.

What can cybersecurity planners learn from the Russia-Ukraine conflict?

- Hold regular cybersecurity briefings across teams. Treat the conflict as an ‘incident of concern’. Keep an eye on the evolving threat landscape and inform all stakeholders regularly through such briefings
- Pay more attention to the way your organization responds to such geopolitical or other incidents that could have a cybersecurity fallout:
  - Does your cybersecurity team mobilize to respond?
  - What kind of new measures have they implemented in the last 2 weeks to reduce the risks?
  - Are there sufficient levels of intra-business collaboration to address cybersecurity concerns?
  - What kind of warnings have been issued?
- Improve your threat hunting capabilities; go for more cyber threat intelligence feeds
- Use such opportunities to revisit your institutional cybersecurity posture
- Stress-test your incident response capabilities
- Revisit your control systems and HMIs
- Revisit your SOC KPIs
- Build a clean line of succession so that you have enough people ready to take over in case someone leaves or is unavailable
- Pay attention to all advisories
- Identify at-risk assets and resources such as intellectual property, confidential customer information, employee data, and brand credibility, and plan backwards to secure them across assets and operations



Why the cyber ‘incident’ at a large wind turbine manufacturer is bad news

On Monday, a large European wind turbine manufacturer confirmed that satellite connections to thousands of wind turbines in Europe had been significantly disrupted. According to various news reports, over 5000 units accounting for a combined output of nearly 11 GW were affected by the incident. The company also confirmed that the impacted wind turbines could operate independently and manage their functions without connectivity. Remote maintenance, however, was not possible without connectivity, so the company had to send its staff out to check that these turbines were functioning within their operational parameters.

The broadband services provider in this case offers custom location-independent connectivity services for industrial applications and safety-critical infrastructures. This company has not yet provided any update on the incident to the media, and its website also doesn’t contain any reference to the incident. The cause of the incident, though unknown, is widely attributed to a cyberattack. Speculation is rife that KA-SAT satellite internet services started facing problems around the time of the Russian attack on Ukraine. We will not add to the speculation.

However, it is worth noting that cyberattacks on renewable energy systems have been growing in the last 5 years. A combination of the use of new and untested systems based on remote connectivity and operations enabled by the Internet of Things, increased hacker interest, and less than adequate cybersecurity measures has created an ideal environment for cyberattacks to thrive and grow. Sectrio has been tracking cyberattacks on this sector since 2016. We have seen the attacks grow in stealth and sophistication, with a steep 287 percent rise in cyberattacks logged in 2021 over those recorded in 2020 (according to Sectrio’s IoT and OT Threat Landscape Assessment and Analysis report released recently).

In addition to IoT, some of the control systems powered by OT and HMI systems are also at risk, as hackers want to create health and safety problems along with disruption. Cyberattacks on renewable energy projects also increase dependence on traditional sources of energy such as fossil fuels. Some of the APT actors that were activated during the ongoing Ukraine-Russia conflict were also tasked with targeting renewable energy projects in Europe. Sectrio has been providing threat intelligence to some of these businesses to help them hunt and eliminate active and passive threats. The convergence of a large number of threat actors on a few projects will create a significant security challenge for operators of renewable energy infrastructure in the days to come.

Coming back to the cyber incident, this could prompt renewable energy companies to take another look at their cybersecurity practices and work towards addressing postural weaknesses at the earliest.



Sectrio issues major cybersecurity alert for financial services and manufacturing businesses

Financial services institutions and manufacturers linked to diverse supply chains should brace themselves for targeted cyberattacks from APT groups. In the last 48 hours, we have seen a significant rise in reconnaissance attacks on firms in these sectors, indicating the mobilization of APT groups, sub-APT groups, and independent hackers. Here are the key trends we have recorded in our global honeypots over the weekend:

- All honeypots have registered a rise in inbound cyberattacks
- 13 honeypots in Europe across Finland, Germany, Estonia, and Lithuania registered the biggest rise in cyberattacks
- Most of the attacks are emerging from Western Russia (it is hard to pinpoint the exact geographical location as the epicenter keeps shifting)
- Targets include payments infrastructure, connected device ecosystems across shop floors, supply chains, and industrial control systems
- Most of the attacks are oriented towards creating large-scale disruption of supply chains as well as financial systems to keep regional CERT teams occupied

As we enter March 2022, the potential for a major cyberattack occurring in various parts of the world has grown exponentially. As we predicted in the 2022 IoT and OT Threat Landscape and Assessment Report, cyberattacks on manufacturing entities and financial institutions, along with oil storage and transportation infrastructure, are expected to see a massive spike this week.

We are witnessing a phase of increased adversarial activity across the surface and Dark Web, with more than 5 major APT groups working in tandem across 3 continents. All this translates into a need to ramp up internal and external security measures immediately.

Sectrio advises financial services and manufacturing businesses to adopt the following measures immediately:

- Conduct a complete audit of their entire digital footprint, with a special emphasis on IoT and OT infrastructure, including devices and the networks that connect them
- Deploy multi-factor authentication (MFA) and reduce access and other privileges across the infrastructure for the next 20 days
- If any vendors are allowed into the digital perimeter or beyond, such access should be monitored or limited
- Advise employees to avoid opening any suspicious emails and to delete spam mails
- Hackers are also expected to circulate spoofed links asking employees to revalidate their login credentials through SMS. Ask them not to comply and to report such instances
- Fragment networks wherever possible to gain greater operational visibility and control
- Industrial Control Systems and SCADA systems should be monitored and checked for any unusual network activity
- A sudden or even diffused spike in data consumption among IoT devices could point to a potential cyberattack and should be attended to immediately
- Limit BYOD access, if possible
- Hackers will try to use reply-chain phishing in the case of previously compromised networks. In case of any suspicious communication, employees should be requested to check with the sender, validate the communication through a call or other non-email means, and share the emails for investigation
- Senior leadership could be targeted through LinkedIn or other social media platforms

Lastly, we advise all businesses across sectors to conduct an immediate review of their cybersecurity posture.
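The advisory above flags a sudden or even diffused spike in data consumption among IoT devices as something to attend to immediately. The script below is an added example (not Sectrio's code) showing one way to turn that indicator into a check: it takes per-device byte counts per fixed interval, builds a robust per-device baseline (median and median absolute deviation) from past intervals, flags any single device whose current usage clears that baseline by a wide margin, and, when no single device stands out, compares the fleet-wide total against its own baseline to catch the diffused case. The device names, interval length and all byte counts are constructed for illustration; in practice the records would come from a flow collector or switch counters joined to an asset inventory.

```python
"""Flag sudden (single-device) or diffused (fleet-wide) spikes in IoT data usage.

Added example, not Sectrio's code. It assumes you already export a per-device
byte counter per fixed interval (e.g. from a flow collector or switch counters
joined to an asset inventory) as (interval, device_id, bytes) records. Every
sample value below is constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed history: bytes sent per 5-minute interval, intervals 0-5.
HISTORY_ROWS = [
    {"cam-01": 2_000_000, "hvac-ctl": 40_000, "printer": 15_000, "sensor-07": 9_000},
    {"cam-01": 2_100_000, "hvac-ctl": 41_000, "printer": 14_000, "sensor-07": 9_000},
    {"cam-01": 1_900_000, "hvac-ctl": 39_000, "printer": 16_000, "sensor-07": 10_000},
    {"cam-01": 2_050_000, "hvac-ctl": 40_000, "printer": 15_000, "sensor-07": 9_000},
    {"cam-01": 2_200_000, "hvac-ctl": 42_000, "printer": 15_000, "sensor-07": 8_000},
    {"cam-01": 1_950_000, "hvac-ctl": 38_000, "printer": 14_000, "sensor-07": 9_000},
]
# Two constructed "current" intervals: one where a single HVAC controller
# suddenly sends about ten times its normal volume, one where every device
# rises by roughly a quarter but none of them individually looks abnormal.
CURRENT_TARGETED = {"cam-01": 2_100_000, "hvac-ctl": 420_000, "printer": 15_000, "sensor-07": 9_000}
CURRENT_DIFFUSED = {"cam-01": 2_500_000, "hvac-ctl": 49_000, "printer": 18_000, "sensor-07": 11_000}


def to_records(history_rows, current_row):
    """Flatten per-interval dicts into (interval, device, bytes) records."""
    records = [(t, dev, b) for t, row in enumerate(history_rows) for dev, b in row.items()]
    t_cur = len(history_rows)
    records += [(t_cur, dev, b) for dev, b in current_row.items()]
    return records


def analyze(records, k=5.0, min_abs_increase=50_000, fleet_ratio=1.2, min_history=3):
    """Check the latest interval in `records` against the earlier ones.

    Returns {"targeted": {device: {...}}, "diffused": None | {...}}.
    A device is flagged when its current bytes exceed median + k * MAD of its
    history (MAD floored at 5% of the median so a flat history does not make
    the threshold collapse) and the rise is at least min_abs_increase bytes.
    The diffused check only runs when no single device explains the rise.
    """
    t_cur = max(t for t, _, _ in records)
    per_device = defaultdict(list)
    per_interval_total = defaultdict(int)
    current = {}
    for t, dev, nbytes in records:
        if t == t_cur:
            current[dev] = nbytes
        else:
            per_device[dev].append(nbytes)
            per_interval_total[t] += nbytes

    targeted = {}
    for dev, cur in current.items():
        hist = per_device.get(dev, [])
        if len(hist) < min_history:
            continue  # unseen or brand-new device: no baseline yet; handle via inventory checks
        med = median(hist)
        spread = max(median(abs(v - med) for v in hist), 0.05 * med)
        if cur > med + k * spread and cur - med >= min_abs_increase:
            targeted[dev] = {"current": cur, "baseline": med}

    diffused = None
    if not targeted and len(per_interval_total) >= min_history:
        baseline_total = median(per_interval_total.values())
        current_total = sum(current.values())
        if current_total > fleet_ratio * baseline_total:
            diffused = {"current_total": current_total, "baseline_total": baseline_total}
    return {"targeted": targeted, "diffused": diffused}


if __name__ == "__main__":
    for name, cur in (("targeted", CURRENT_TARGETED), ("diffused", CURRENT_DIFFUSED)):
        print(name, analyze(to_records(HISTORY_ROWS, cur)))
```

Median and MAD are used instead of mean and standard deviation so that one earlier burst (a firmware download, say) does not inflate the baseline and hide a later spike. The thresholds `k`, `min_abs_increase` and `fleet_ratio` are starting points, not tuned values; they should be set per device class from your own traffic, and the fleet-wide check is deliberately skipped when a single device is already flagged so that one noisy device is not reported twice.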


Rising threats on Critical Infrastructure amidst the Ukraine crisis

Rising threats on Critical Infrastructure amidst the Ukraine crisis

IoT, ICS, and OT security should be your highest priority if you are a professional working in at least one of the sixteen critical infrastructure sectors. The United States of America is currently on high alert after issuing a joint advisory from 4 different agencies covering 3 different countries, a cautionary alert on attempts at rising ransomware attacks, and the latest alert raised by CISA on February 14th, 2022, warning all businesses, small, mid-sized and enterprises, to stay on their guard ("shields up"). On the 26th of February, two days following the official announcement by the Russian president indicating his intentions with Ukraine, the Department of Justice (DOJ) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly issued a cybersecurity advisory on two destructive malware families known as WhisperGate and HermeticWiper that are currently being used to target organizations in Ukraine and Europe. Countries in North America, the Middle East, and the Asia Pacific have been facing persistent cyber-attacks for a long time, and in light of the escalating Ukraine crisis and geopolitical tensions, the number of cyberattacks continues to grow significantly.

Considering the added layer of involvement of certain countries in the Russia-Ukraine crisis, we have analyzed a few key attack surfaces in critical infrastructure that are easily targeted. These include:

- Exploiting existing vulnerabilities
- Stealthy reconnaissance attacks
- Persistent attacks by botnets
- Sophisticated APTs on critical infrastructure sectors
- Ransomware attacks on businesses regardless of size

Why will such cyberattacks continue to rise amidst the Ukraine crisis?

This is a question you already know the answer to. A long-drawn battle against an old enemy has continued since the culmination of the Cold War, but this time it's online: a hybrid tactical cyber warfare where the enemy has proven to have the added advantage of the necessary skill set from attacks in the past.

Kudos to you if you guessed the country we are talking about right. For others, it's Russia. In the past and in the digital era, Russia has extensively leveraged tactical methods of cyber warfare to add pressure: disruptions or permanent damage, be it a cryptic lock via ransomware, damage to health and safety by disabling SIS (safety instrumented systems), or even a complete system override and shutdown of critical infrastructure operations in the energy and telecommunications sectors. Such attempts in the past have proven effective in swaying and accelerating the decisions of a nation's government, military, and even the general population, which fits the Russian agenda. Such events stay hidden from the limelight as most don't want to admit to a security failure or a lack of security measures. With attacks brazenly targeted regardless of your size or affiliations, all organizations globally must recognize the looming threat and take immediate action to safeguard themselves.

As immediate steps, here are a few you can take to safeguard against cyberattacks:

- Enable multi-factor authentication (MFA) org-wide and ensure that passwords are reset frequently
- Ensure that software used org-wide is updated with the latest security patches available. Doing this limits the lateral movement of malware
- Conduct rigorous and regular vulnerability audits and drills to identify gaps in your security
- Raise awareness with your immediate clients and partners to heighten security measures, as the risk of supply chain attacks has been witnessed in the past, such as the infamous SolarWinds attack
- Maintain complete visibility of your network, logging the devices that are connected to and actively using it
- Monitor any abnormal behaviour of the devices connected to your network and raise red flags for immediate investigation
- Segment your network and comply with industrial compliance mandates. Read more about Sectrio's Microsegmentation module
- Re-check/rework your remediation and mitigation playbooks to ensure that you are taking an updated approach during an incident
- Isolate traffic from unverified sources that are deemed suspicious for deep monitoring
- Build and assign resources to incident response teams. Ensure that your resources and SOC teams are not fatigued from overworking
- Build substitute teams if you are not functioning at an optimal level
- Ensure that you comply with regulations and frameworks such as NIST CSF, IEC 62443, the Zero Trust framework, and other compliance mandates that apply to you. Head over to the compliance kits section on the website to get started
- Self-assess your preparedness for a cyber incident and conduct mock drills
- Work with actionable threat intelligence that can help you assess your cyber threat landscape
- If you do not have access to threat intelligence feeds, do not trust OSINT, as it can often mislead your teams. Go for a credible and trusted source. Read the CISO guide to selecting the right threat intelligence vendor if you are unsure of what is best for your organization
- Subscribe to the latest updates from trusted sources that you can rely on. Sectrio is currently offering free weekly subscriptions to key personnel who opt in
- Working with a small cybersecurity budget can be extremely difficult. Not all organizations get the same budget as industry leaders. Leverage the threat landscape reports to bring awareness to the organization for a higher cybersecurity budget. Read our guide to deriving a higher cybersecurity budget to improve ROI
- Understand organizational dynamics and align your goals for a secure environment
- Understand the complexities involved in the integration of IT, IoT and OT technology, as each brings its own challenges
- Organizations undergoing a digital transformation must take extra precautions, and it is often better to opt for a security tool that provides the necessary visibility and detailed analysis without overburdening your SecOps teams with branded jargon when dealing with the convergence of technologies
- Always document and log changes to the system; this will help you in forensic analysis and in identifying gaps

These 20+ point guidelines will help you get headed in the right direction for improved resilience and cyber vigilance.

Why can the escalating Ukraine crisis be a new frontier for APT actors?

In the past, we have witnessed APTs with ties to Russia and other countries inflicting maximum damage by exploiting known vulnerabilities using spear-phishing attacks, brute force, and sophisticated malware. Such

The state of OT and IoT cybersecurity in North America

Sectrio released the findings of its 5th OT and IoT Cybersecurity Threat Landscape Assessment and Analysis report today. The comprehensive report covers details such as threat actors, malware, breach tactics, at-risk sectors, quantum and quality of cyberattacks, and specific threats to OT and IoT deployments and critical infrastructure around the world.

The section on North America offers some insightful data points on the OT and IoT threat landscape in the region:

- Ransom cost per GB of data held by hackers is now $39,000
- Energy, healthcare, manufacturing, utilities, maritime, and defense are among the most targeted sectors
- Overworked SOC teams and a lack of visibility into some of the infrastructure played some businesses right into the hands of hackers
- The mining sector could be targeted in 2022 as there is rising hacker interest in this sector
- 756 major cyber incidents were reported in the region in 2021
- Highest remote ransom demand: $50/70 Mn (various sources)
- Ransom recovered: $6 Mn (Forbes, Nov 2021)
- Rise in average ransom demand: 71 percent (Sectrio)
- Hack campaign cycles intercepted: 71 (Sectrio)

Hackers are now targeting widespread disruption and huge ransoms through targeted cyberattacks. While the geopolitical motivation in many of these attacks remains at a very high level, the expansion of botnets in Mexico poses a new security risk to businesses in the region. Manufacturing facilities in Mexico are also being subjected to high levels of reconnaissance probes by hackers.

Some actors are carrying out localized attacks from within the region using sophisticated phishing kits developed in parts of Eastern Europe and the Middle East. We came across many such kits that were modified to some extent to target businesses in the US and Mexico. These kits are now freely available on the web, but sophisticated APT groups such as Lazarus and Fancy Bear could be embedding them with trojans to control the networks and data of businesses targeted by these local hackers.

This is a new tactic that APT groups are using to widen their net. By offering free phishing kits, they allow other groups to conduct the initial hacking work while they lurk in the background, waiting to jump networks or digital assets to reach a target asset, which could be a critical infrastructure facility or a defense installation.

In all, the malware load in the traffic analyzed by our team grew significantly in the last 6 months of 2021. This across-the-board increase will definitely put additional strain on the already overworked SOC teams managing the security needs of businesses in sectors such as manufacturing, utilities, and others. Hackers are specifically targeting control systems and connected IoT devices: the former to cause disruption and the latter to target third-party infrastructure such as websites, critical servers, and even mobile phones.

Supply chains, the new target

Supply chains are presenting hackers with a moving and lucrative target. In addition to large-scale disruption, such attacks also offer more return on investment. Other factors also make supply chains a favorite for hackers:

- The opportunity to strike businesses from multiple entry points
- Once infected, malware can move across the connected infrastructure, crossing not just organizational but even political boundaries
- The entry of start-ups with high valuations and risk appetite but with little appetite or patience to bring systems back online in a foolproof way after a cyber incident. This means that these companies may be more susceptible to paying a ransom to get things back on track faster
- Workflows, responsibilities, and systems are not aligned with cybersecurity imperatives today
- Hackers may also be aware of zero-day vulnerabilities across vendors that are yet to be discovered

Specific challenges with OT in North America

While investments in IT security have grown, OT cybersecurity investments and attention are still lagging. Businesses that are hosting complex hybrid environments or are connected to IT, OT, and the Internet of Things are now gradually understanding the importance of ramping up their cybersecurity measures to align them with the complexity involved in securing such environments. However, the hackers are miles ahead of them, as they are more aware of these cybersecurity gaps than the cybersecurity teams protecting them.

Businesses hosting complex environments without adequate security cover are closer to a massive cyber disruption than they can imagine.

- Some businesses have upgraded their OT environments by adding new devices. Such devices are, however, invisible to standard off-the-shelf vulnerability scanners
- OT vulnerability scans are not done frequently, and many businesses fail to fall back on a more disciplined approach that requires regular scans and remediation
- The ever-evolving OT and IoT threat landscape throws up new threats, including malware that evades detection
- Visibility into threat surfaces is not adequate. Some of the solutions used by businesses are prone to misconfiguration and new vulnerabilities
- OT security teams in many instances are less empowered than their IT counterparts, and if the same security team is handling both IT and OT cybersecurity, OT doesn't get as much attention as it should

Such critical gaps in addressing OT cybersecurity across the infrastructure leave the room wide open for hackers or other adversarial entities to exploit.

You can read more about such threats in the 2022 Threat Landscape Assessment and Analysis Report prepared by Sectrio's research team.

What is the 2022 IoT and OT Threat Landscape Assessment and Analysis Report all about?

The 2022 Threat Landscape Assessment Report prepared by Sectrio's Threat Research team tracks and documents the evolution of IoT, OT, and IT cyber threats and their implications for businesses across the globe. It answers many questions that are puzzling cybersecurity decision-makers and other stakeholders alike. Where are the threats coming from? Why are certain sectors getting attacked more often? Which groups and countries are behind these attacks and, more importantly, what tactics are they using and what impact could such attacks have on businesses in 2022?

It is a must-read for everyone who wishes to understand how changes in the OT and IoT cyber threat landscape around the world can impact them and their business. You can download the report here.

Sectrio releases 2022 IoT and OT threat landscape assessment report 

Report documents a staggering rise in cyberattacks on critical infrastructure and supply chains

Sectrio today released the latest edition of its Global OT and IoT Threat Landscape Assessment Report covering the evolving cybersecurity environment surrounding sectors such as manufacturing, oil and gas, smart cities, maritime projects, and critical infrastructure. The report, prepared by Sectrio's threat research and analysis team, covers data from over 75 cities across the globe, spanning over a billion attacks and 10,000 (collective and cumulative) hours of analysis of cyberattacks, malware, hacking tactics, network breaches, Dark Web chatter, data leaks, and other important aspects related to enterprise and critical infrastructure cybersecurity.

The comprehensive threat landscape assessment report has analyzed cybersecurity from five perspectives, viz., the evolution of threat vectors, mode of attacks, cyberattacks logged, targets attacked, and cybersecurity gaps exploited. It covers the analysis of stolen data released on the Dark Web and other forums as well.

Key findings from the IoT and OT threat landscape assessment report:

To access the IoT and OT threat landscape assessment report, visit this link: The 2022 Threat Landscape Assessment Report
To request additional information, visit this link: Contact Us
To try our threat intelligence feeds for free, visit this link: Sign up for free threat intelligence
