Sectrio

Threat Intelligence

Complete Guide to Advanced Persistent Threat (APT) Security

This is what an advanced persistent threat (APT) attack is like. APTs are sophisticated, targeted cyberattacks designed to evade detection and steal sensitive data over a prolonged period. They are carried out by well-resourced adversaries, such as nation-state actors or organized crime groups. APTs can devastate organizations, resulting in the theft of intellectual property, financial data, customer information, and other sensitive data. They can also damage an organization’s reputation and lead to financial losses.

No organization is immune to the threat of APTs in today’s digital world. That’s why it’s essential to understand what APTs are, how they work, and how organizations can protect themselves. This article provides a complete overview of APT security, including the different stages of an APT attack, how to detect and respond to APTs, and best practices for APT security.

Understanding Advanced Persistent Threats

APTs are the most sophisticated and dangerous cyberattacks facing organizations today.

Why Are APTs Dangerous?

APTs are dangerous because they are challenging to detect and prevent. Attackers often use sophisticated techniques to evade security controls and maintain access to a target network for months or even years. APTs have the potential to wreak havoc on organizations, leading to the theft of intellectual property, financial records, customer details, and other confidential information.

What Are the Common Characteristics of APT Attacks?

APT attacks are typically characterized as follows:

- Targeted and persistent: APTs are aimed at specific organizations or individuals, and attackers are willing to invest significant time and resources into maintaining access to the target network.
- Stealthy: APTs are designed to evade detection and remain hidden in a target network for as long as possible.
- Sophisticated: APTs often use sophisticated techniques, such as zero-day exploits and social engineering, to gain access to a target network.
- Multi-stage: APTs typically involve multiple stages, such as surveillance, initial access, foothold establishment, internal reconnaissance, lateral movement, and data exfiltration.

Historical Examples of APT Attacks

Here are some historical examples of advanced persistent threat attacks:

- Stuxnet (2010): Stuxnet is one of history’s most famous APT attacks. It was a highly sophisticated computer worm designed to target Iran’s nuclear program. Stuxnet manipulated industrial control systems, specifically those used in uranium enrichment centrifuges. This cyberweapon significantly damaged Iran’s nuclear infrastructure.
- Aurora (2009): The Aurora attacks, also known as Operation Aurora, targeted major technology companies, including Google and several other organizations. The attackers, believed to have ties to China, gained unauthorized access to sensitive data and intellectual property. The incident shed light on the issue of intellectual property theft via APTs.
- APT28 (Fancy Bear): APT28 is a Russian APT group known for its involvement in various cyber-espionage campaigns. It has targeted government organizations, political groups, and media outlets worldwide. Notable incidents include the hacking of the Democratic National Committee (DNC) during the 2016 US presidential election.
- Equifax Data Breach (2017): While not officially confirmed as an APT attack, the Equifax data breach is an example of a large-scale, highly sophisticated intrusion. Hackers exploited a vulnerability in Equifax’s website, gaining access to the sensitive personal information of nearly 147 million people.
- Operation Shady RAT (2011): This long-term APT campaign targeted various organizations worldwide, including governments, corporations, and nonprofits. The attack, believed to originate from China, aimed at stealing sensitive data and conducting cyber espionage.
- Operation Aurora Redux (2012): This attack was a continuation of the original Aurora attacks. It targeted the defense industrial base sector and involved spear-phishing emails, exploiting software vulnerabilities, and using remote access tools to exfiltrate sensitive data.
- Titan Rain (2003–2005): Titan Rain was an APT campaign believed to have Chinese origins. It targeted US government agencies and defense contractors, aiming to steal sensitive military and technology information.

These historical examples illustrate the persistence, sophistication, and geopolitical motivations behind APT attacks. They serve as reminders of the ever-present threat that organizations and governments face in the digital age, highlighting the importance of robust cybersecurity measures to defend against APTs.

Can your organization endure the impact of an advanced persistent threat? Let’s understand in detail.

APT Attack Lifecycle

The APT attack lifecycle is a multi-stage process that attackers use to gain access to a target network, maintain that access for an extended period, and steal sensitive data. The following is a detailed elaboration of each stage of the APT attack lifecycle.

Reconnaissance

The first stage of an APT attack is reconnaissance. During this stage, the attacker gathers information about the target organization, such as its employees, systems, and networks. This information can be gathered through various methods, such as social engineering, open-source intelligence (OSINT), and phishing. Once the attacker has gathered enough information, they begin to identify potential vulnerabilities in the target organization’s systems and networks. These vulnerabilities can be exploited to gain initial access to the target network.

Initial Access

The initial access stage is the point at which the intruder gains access to the target network. A common tactic is to send phishing emails with malicious attachments or links to unsuspecting employees. Once the attachment or link is opened or clicked, malware is delivered to the victim’s system. APT actors also compromise websites that their targets visit; when victims access these sites, they unwittingly expose themselves to malware. Once the invader has gained initial access to the target network, they begin to establish a foothold.

Foothold Establishment

The foothold establishment stage is where the attacker establishes a persistent presence on the target network. This involves deploying malware on the target system and configuring it to give the attacker remote access and control. The attacker may also create backdoors and other methods to maintain access to the target network even if the initial malware is detected and removed.

Internal Reconnaissance

Once the attacker has established a foothold on the target network, they begin to conduct internal reconnaissance. This involves gathering information about the target

Analysis of OT cyberattacks and malware

The digital revolution has transformed our world, and its impact is particularly evident in the realm of Operational Technology (OT), from industrial control systems to power grids and water treatment plants. All of these are critical infrastructure, and cyberattacks on OT industries have increased in the past few years. But how does an attacker get into a critical environment? How does OT malware work? What are the possible ways for attackers to get into the OT environment, and how can it be protected from OT attacks? There are many other questions when it comes to operational technology attacks. So let’s find the answers to all of them by looking into some history of OT attacks and malware.

We systematically categorize the attacks into direct and indirect vectors. Direct attacks target OT systems by exploiting inherent vulnerabilities within the OT devices and protocols themselves. Indirect attacks, on the other hand, enter through connected IT systems, supply chain compromises, or human vectors such as phishing or insider threats. By looking at some previous examples of OT malware and how they got into OT networks, let’s understand the possible ways an attacker or malware can get into a critical environment.

OT MALWARE

STUXNET

Our analysis begins with an examination of the infamous Stuxnet incident. Stuxnet, discovered in 2010, is the first infamous OT malware. It was designed to target industrial control systems. Even though Stuxnet is no longer actively spreading, it is still considered a significant threat because it was complex and advanced malware.

It was able to compromise systems via infected USB drives. Once a system was infected, Stuxnet attempted to update its code from the internet; it was also able to bypass firewalls and continuously spread through the local communications network of SCADA systems, so it could update itself even if the compromised device had no direct internet access. Once the targeted controller was infected, the malware changed its operation: a PLC rootkit modified the controller code to perform the attack and record received data. After the data had been recorded for some time, the malware started sabotaging the physical systems. While it changed the control signals sent to actuators, it also hid the damage by feeding the previously recorded data to the SCADA monitoring system.

INDUSTROYER

Industroyer is OT malware designed to target industrial control systems used in electrical substations. It supports four critical industry protocols, listed below:

The threat actor who developed Industroyer seems to have a very good understanding of critical infrastructure and has built backdoors tailored to the organization; each backdoor is designed to work only in one specific organization. It was first seen in 2016, when it attacked Ukraine’s power grid, and in 2022 a second variant of Industroyer came to light when it attacked the operational technology supporting power grid operations in Ukraine.

Let’s look at some technical analysis of INDUSTROYER and its variants.

INDUSTROYER

The attacker first installs the main backdoor, which connects to a remote command-and-control (C&C) server over HTTPS to receive commands from the threat actors; a proxy address is also used. The C&C server used by the backdoor uses the Tor software. Once connected to its remote C&C server, the backdoor component sends the below-mentioned data in a POST request:

Once the attacker gains administrator privileges, they upgrade the main backdoor to execute as a Windows service. This is achieved by replacing the ImagePath registry value of an existing, non-critical Windows service with the path of the new backdoor binary. The attacker also makes other changes to the system, such as inserting malicious code into Windows Notepad so that each time the application is launched the malicious code also executes. The inserted code is obfuscated; once decrypted, it connects to a C&C server that is different from the one linked to the main backdoor, then downloads a payload in the form of shellcode that is loaded directly into memory and executed.

This new backdoor helps maintain persistence and allows the threat actor to regain access if the main backdoor is disabled or detected. Two threads are then created: one is responsible for loading a payload DLL and the other for loading the data wiper.

Industroyer2

The Industroyer2 variant, on the other hand, uses logic-bomb functionality. It was deployed to the targeted machine as a Windows executable whose execution was scheduled. It is written in C++ and uses only the IEC 60870-5-104 (IEC 104) protocol to modify the state of remote terminal units.

Sandworm, the Russian state-sponsored advanced persistent threat group, was behind the Industroyer attacks. The group has been active since 2007. Here are the techniques used by Sandworm for Industroyer2:

Fig:1

In addition to carrying out the attack on Ukraine’s electrical substations, Sandworm used other malware such as CaddyWiper, AWFULSHRED, SOLOSHRED, and ORCSHRED. CaddyWiper and Industroyer2 were used against the ICS network, while ORCSHRED, SOLOSHRED, and AWFULSHRED were used against Linux and Solaris networks. Industroyer2 was deployed as a single executable file, “108_100.exe”, via a scheduled task. The new variant shares some similarities with its older version, as both are built from the same source code of the 104.dll payload for the IEC 104 protocol.

INDUSTROYER2 is highly configurable, with hardcoded configuration stored in a separate .INS file, and it can communicate with multiple devices at once. Before connecting to the victim system, it terminates the legitimate process and renames the application by appending the extension .MZ.

In coordination with the deployment of Industroyer2 within the industrial control system network, the attacker introduced an updated variant of the CaddyWiper malware. It is a destructive data wiper used to wipe data in the ICS network, and the technique used for

Anatomy of a Ransomware Attack: INC Ransom Breaches Yamaha

Yamaha Motor Philippines Inc. (YMPI), a wholly owned subsidiary of Yamaha Motor Co., Ltd., a global leader in the manufacturing of motorcycles, marine products, power products, and more, fell victim to ransomware in mid-November 2023, and the threat actor involved published the exfiltrated data on a dark web forum.

The Perpetrator

A ransomware group named INC Ransom claimed to have attacked Yamaha Motor Philippines Inc. on 15 Nov 2023. The ransomware attack encrypted all their data and vital systems before demanding a ransom payout in exchange for the decryption key.

Who is INC Ransom?

INC Ransom is a ransomware group that has been active since Aug 2023. They claim to have attacked 30+ organizations, Yamaha Motor Philippines among them. The extent of this attack has reached the depths of a dark web forum where the breached information can easily be sought after. The breached information contains essential employee data, IPs and internal email, and customer information.

Dissecting the cyber kill chain

According to Bleeping Computer, INC Ransom gained access to their target networks via spear phishing (a technique of sending targeted deceptive emails to specific individuals within an organization), and as per SentinelOne, they have also been observed using Citrix NetScaler, which is known to have pre-existing vulnerabilities and exploits, namely CVE-2023-3519. After gaining access to the network, the group traverses laterally to identify, harvest, and download sensitive information, including the backups. At this point, the group deploys the ransomware payload to encrypt and compromise systems and information.

Analysis of the group’s dark web forum

Fig-1: A snapshot of the group’s dark web presence, a space where the group publishes updates, breached data, and a list of ransomware victims as a trophy shelf for everyone to see.

Fig-2: A means of communication with the group to provide feedback and engage in negotiations and data deletion.

Fig-3: A brief of the victim on INC Ransom

Fig-4

In Figure 3 and Figure 4, the group has published a treasure trove of information on their latest victim, Yamaha Motors. This 37 GB+ of vital information is currently publicly available for download on their site.

Who are their victims?

According to our analysis, the primary targets appear to be manufacturers based in the US, followed by the Netherlands and Australia. A common trend is that all their victims are medium to large enterprises with an IT-OT ecosystem.

Fig-5: This chart shows the key target countries that INC Ransom has attacked in their past attacks.

Fig-6: This chart shows the industries most targeted by INC Ransom.

What’s next for Yamaha Motors, Philippines?

Yamaha Motors, Philippines has no end in sight for their upcoming woes. Here are a few reasons why their current problems are expected to be only the beginning of a series of unfortunate events:

A teardown of the INC Ransomware attack

As per Team Huntress, the APT (Advanced Persistent Threat) group INC starts with initial access through reconnaissance and credential compromise, followed by lateral movement, data collection, and malware payload execution. Here is a breakdown of INC Ransom’s attack pattern:

Fig-7: An image indicating a 7-day playbook that INC Ransom commonly follows to compromise the targeted victim.

Indicators of compromise (IOC)

TTPs (Tactics, Techniques, and Procedures)

Mitigation and Remediation

References

OT Attack Path Analysis: A Comprehensive Guide

The convergence of information technology (IT) and operational technology (OT) networks, which exposed OT networks to threats, paved the way for OT cybersecurity. OT is the use of hardware and software in critical infrastructure industries like power, energy, water treatment, manufacturing, etc. A compromise of security in these industries can result in cascading effects. To secure industries against cyberattacks, organizations have come up with many solutions, attack path analysis being one of them.

What is attack path analysis?

Attack path analysis is the graphical representation of the pathways to crucial data in your organization that cybercriminals adopt to gain access. Through attack path analysis, organizations are structured to think the way a bad actor thinks. It is the simulation of the ways used by attackers, carried out in order to implement mitigation strategies. With the help of attack path analysis, organizations can prioritize threats and take remediation measures accordingly.

The need for attack path analysis

A typical organization, on average, has 11,000 exploitable security exposures in just one month. The need for attack path analysis cannot be emphasized enough! The following are some more points that highlight the need.

Increased spectrum of threats

There has been an increase in the kinds of threats, and new ones emerge every day. Every threat is based on some financial, political, or other motive, and cybercriminals work toward the disruption of OT systems to attain it. OT systems manage critical infrastructure, and as such, they are easy targets for attackers. This necessitates keeping the OT environment alert with an analysis of the possible paths taken by hackers and other cybercriminals.

The complexity of the OT environment

The OT environment is complex and depends on different devices, systems, and networks. With high interdependency, an attack on one could have devastating effects on the OT environment. With the help of attack path analysis, you can understand how attacks could surface and ways to tackle them. Some attacks may appear unrelated, but the analysis could lead to insightful findings that could save the organization thousands of dollars.

Compromise due to insider attacks

OT environments are greatly impacted by insider attacks, as people with access have immense technical knowledge and operational expertise to misuse. This can be kept in check through attack path analysis. Exploring the ways insiders could use their expertise to scan through systems and exploit them helps locate threats well before they could happen. This saves the organization from potential attacks that could otherwise be severe.

Regulatory requirements

Attack path analysis is also needed as part of compliance with regulatory requirements. Industries with OT systems have certain mandatory requirements. These are required for data protection in view of the increased possibility of attacks on cybersecurity systems.

Keep business operations on track

There could be total mayhem when a successful cyberattack disrupts business continuity. This can potentially lead to a loss of several million dollars and negatively impact the business’s reputation. With attack path analysis, companies are always on the lookout for attacks, and this helps reduce downtime. The company can also bounce back more easily when it is proactive and prepared with an assessment of security.

Assess the priority of exposure

In many organizations, security concerns that require attention are often overlooked. This is because there are too many assets on the network, and identifying risks becomes difficult. This can be avoided with the help of attack path analysis. It helps analyze the priority of exposure of assets and thereby be ready with protection mechanisms before an attack can surface.

Visualize the way a hacker could think

Seeing the attack paths as a hacker would can provide complete visibility of the risks involved. It helps visualize the potential attack chains so that it is easy to understand which assets could be targeted. Factors like host reachability, misconfigurations, vulnerabilities, etc., are all risk factors that can be correlated to help fix security issues.

Steps to perform OT attack path analysis

The series of steps listed below needs to be followed for effective attack path analysis.

1. Definition of scope

The scope and goals of your analysis must be laid down in clear terms. Which OT systems, assets, etc., do you want to analyze? What is the purpose of your analysis? These are some questions you should answer before you start. List the possible vulnerabilities and attack vectors that you wish to uncover through this analysis. This definition gives proper direction to your activity.

2. Identify the critical systems

There are several critical assets and systems in the OT environment that are exposed to threats. These should be identified so that the priority of threats can be ascertained. Threats need to be addressed in order of their criticality so that the most crucial ones are dealt with first. This can help an organization greatly, as serious threats are easily identified and thwarted.

3. Mapping of the flow of data

Data moves through multiple points, some of which may be prone to weaknesses. Mapping data flows can help locate the weak points so that they can be addressed. Understanding the flow of data enables the identification of the paths attackers may emerge from.

4. Identify threats and vulnerabilities

You should conduct a vulnerability assessment and threat analysis specific to the OT environment. This helps identify the various weaknesses and the probable impacts they could cause. Timely assessment is an important step, as it prevents attacks from happening and thereby maintains business continuity.

5. Assess the attack vectors

An attack vector is the pathway by which attackers enter the OT environment. Attack vectors include credential theft, malware, social engineering attacks, insufficient protection, etc. Analysis of the attack vectors helps identify ways to avoid them. For example, the data and network access of every employee has to be assessed to prevent insider attacks.

6. Identify the attack scenario

The mode of operation that the attacker might opt for has to be defined. All paths that

Fundamentals of attack path analysis in an OT environment

At its core, an attack path analysis (APA) presents a powerful and impactful visual representation of a potential path that cyber threat actors or malicious payloads may tread to breach asset or network targets. The benefits justify the investment of resources and attention in an APA exercise. In addition to helping disrupt the chances of a successful cyberattack, it can also improve the maturity of your OT security team.

The depiction of a compromise path, so to speak, adds a visual dimension to a possible attack and enables security teams, SOC analysts, CISOs, and security decision-makers to derive and deploy countermeasures. Attack path analysis also helps prioritize vulnerabilities for action based on a deeper understanding of the impact a possible cyberattack could have.

How to approach attack path analysis in an OT environment

An OT environment can present several challenges to the smooth conduct of an attack path analysis effort. Knowledge of the environment, operational dynamics, asset topology, and vulnerabilities is essential. As we have seen many times before, many OT operators do not have such information, or lack it at the level required to conduct an APA in a structured manner. The relevance of the outcome of the APA for your organization depends on many factors.

To conduct an APA in an OT environment and get results that matter, these prerequisites have to be in place:

Once the above data is in place, a model can be derived to map the possible attacks and the targets, along with the path an attack could potentially take. Contextual information that enables a direct correlation between targets, breach points, conduits, and the overall path can then be ascertained.

APA should not be seen as a drawing board/whiteboard exercise to be conducted on paper. Instead, APA should be conducted as an objective exercise to identify and break existing attack paths and reduce the chances of a new one appearing in the future.

Charting the course of an attack

It is not essential for an attack to move horizontally through a network in a linear manner. Thus, when drawing the attack path, the model must be able to offer multiple paths, with the probability of the attacker choosing a specific path to a target linked to the probable success ratio. This will help security teams focus their attention on breaking the attack path through specific interventions, starting with the most probable paths.

When deciding how to prioritize interventions, the following aspects can be used to derive a path score:

Benefits of an attack path analysis

Conducting an APA can lead to many benefits for your organization. Some of these include:

Deconstructing the CL0P RaaS group and understanding the MOVEit breach in 2023

The large-scale incorporation of connected OT/SCADA systems is a growing trend but are you aware of the increasing presence of sophisticated threat actors and rapidly budding ransomware variants? The question you should ask yourself and your peers is “Are my OT/SCADA systems secure against next-generation cyber threats? In this blog, we will be discussing particular instances where CL0P ransomware has been identified in OT/SCADA systems. OT/SCADA systems control physical devices and processes, such as water treatment plants, power grids, and manufacturing plants. These systems are often susceptible to attacks due to their setup, pre-existing vulnerabilities and often targeted as a result of lax security protecting these systems. While the scale of attacks targeting such systems can be analyzed further in our global threat landscape report 2023, it is imperative to understand the motive of the actors behind such attacks. With Sectrio’s ongoing research initiatives, CL0P is one such ransomware that has popped up on our radar multiple times. Its usual methods include infiltration via phishing emails, malicious attachments, and exploit kits. The RaaS group operates methodically and begins its process through meticulous research of its victim on its operations, and understanding how they can be exploited. Recommended Reading: How to get started with OT security CL0P follows this process with social engineering, and spear phishing techniques where they are looking to penetrate the victim’s network and deploy the ransomware exploits. After the successful deployment of the ransomware, CL0P publishes a portal on the dark web for the victim to first verify 3 files to validate the compromise and requests a ransomware payout. The whole ordeal lasts between 3 – 7 days. The victim suffers from operational halts, reputational damages, loss of IP, and financial losses. 
This report is a comprehensive analysis of CL0P ransomware including attack techniques, verticals targeted, countries targeted, and attack scenarios on OT-specific verticals. Stick around and learn more! Who is CL0P? CL0P is a notorious ransomware as a service (RaaS) operation that a Russian-speaking group operates. CL0P was first seen in February 2019 as a new variant in the Cryptomix family. It was delivered as a payload of a phishing campaign associated with the financially motivated actor TA505. CL0P was able to inject malicious code into the company’s database servers by exploiting a zero-day vulnerability using SQL injection. This allowed the attackers to access and download the data stored in the databases. This ransomware also used a verified and digitally signed binary, making it look like a legitimate executable file that could evade security detection CL0P Ransomware The CL0P ransomware is one of the biggest malware threats in cyberspace today. The attackers once demanded an amount of more than 20+ Million Dollars to restore services from their victim. Targeting SCADA systems with CL0P ransomware presents a grave risk to vital infrastructure, carrying the potential for operational breakdowns, substantial financial damages, and even endangering human safety. Exploiting vulnerabilities within SCADA systems, malicious actors can illicitly infiltrate and encrypt crucial control files, resulting in the cessation of industrial operations or even the discharge of dangerous materials. In June 2023, the CL0P ransomware group exploited a zero-day vulnerability in the MOVEit Transfer tool. This vulnerability was announced on May 31, 2023, by the Progress Software Corporation. Earlier this year, CL0P had used a similar vulnerability to attack the GoAnywhere file transfer product of Fortra, stealing data from more than 130 companies, governments, and organizations. The CL0P attack on MOVEit Transfer is believed to have affected hundreds of organizations worldwide. 
CL0P dark web page

On its dark web page the group posts notes, news, published victim data and the steps for contacting it. Companies attacked by CL0P are named on the same page once their data is published.

CL0P email IDs for communication

The ransomware has been known to use the contact address UNLOCK@RSV-BOX.COM; this was later changed to UNLOCK@SUP-BOX.COM. We believe that this change was triggered by technical challenges.

Timelines of CL0P ransomware and MOVEit

The CL0P ransomware gang was relatively inactive from November 2022 to February 2023 and then ramped up sharply in March and April 2023, as predicted in Sectrio's Global Threat Landscape Analysis and Assessment Report. The NCC Group report for the same period noted that CL0P went from one of the least active threat groups in March to the fourth most active in April. This significant increase in CL0P activity is a cause for concern, as it suggests the gang is becoming more active and more successful in its attacks. Businesses and organizations should be aware of the CL0P threat and take steps to protect themselves from ransomware attacks.

Affected countries by CL0P ransomware

Tools, malware and vulnerabilities used by CL0P ransomware

Malware used by CL0P: FlawedAmmyy, SDBot, Get2 loader
Tools used by CL0P: Cobalt Strike, TinyMet

List of vulnerabilities exploited by CL0P ransomware

The exploits CL0P has built are based on the vulnerabilities below:

CVE ID          Vulnerability type                     CVSS score and severity
CVE-2023-34362  SQL injection                          9.8 Critical
CVE-2023-35036  SQL injection                          9.1 Critical
CVE-2023-0669   Pre-authentication command injection   7.2 High
CVE-2021-27101  SQL injection                          9.8 Critical
CVE-2021-27102  OS command execution                   7.8 High
CVE-2021-27103  SSRF via a crafted POST request        9.8 Critical
CVE-2021-27104  OS command execution                   9.8 Critical
CVE-2021-35211  Remote code execution (RCE)            10.0 Critical

Analysis of CL0P ransomware

TA505 is a threat actor that uses phishing emails to deliver malware to its victims. The malware typically arrives as a macro-enabled document that, when opened, drops a loader named Get2. Get2 can then download other tools used by TA505, such as SDBot, FlawedAmmyy or FlawedGrace. Once TA505 has gained a foothold on the victim's system, it performs reconnaissance, lateral movement and exfiltration, gathering information about the victim's network and systems and moving laterally to other systems within the network. The final step is to deploy the ransomware, encrypting the victim's files and demanding a ransom payment. Sometimes, SDBot has been
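Four of the eight CVEs in the table above are SQL injection flaws, the class CL0P used against MOVEit Transfer to read the application's database. The following added example (constructed; not code from MOVEit, GoAnywhere or any CL0P tooling) shows the defect beside its fix: a file-share token lookup that splices the caller's input into the SQL text, and the same lookup with a bound parameter. The schema, rows, table names and payloads are all assumptions made for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema: a file-transfer app's share table plus its user
    table, the kind of data an injection lets an attacker read wholesale."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE transfers (id INTEGER PRIMARY KEY, owner TEXT, filename TEXT, access_token TEXT);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO transfers VALUES
            (1, 'alice', 'q3-financials.xlsx', 'tok-a1'),
            (2, 'bob',   'customer-list.csv',  'tok-b2'),
            (3, 'carol', 'hr-payroll.pdf',     'tok-c3');
        INSERT INTO users VALUES ('admin', 'constructed-hash-1'), ('svc_transfer', 'constructed-hash-2');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, token: str) -> list:
    """VULNERABLE: the caller's token is spliced into the SQL text, so a quote
    in the input ends the string literal and the rest is executed as SQL."""
    sql = f"SELECT owner, filename FROM transfers WHERE access_token = '{token}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, token: str) -> list:
    """FIXED: the token is bound as a parameter; the engine treats it as data
    no matter which characters it contains."""
    sql = "SELECT owner, filename FROM transfers WHERE access_token = ?"
    return conn.execute(sql, (token,)).fetchall()


LEGIT_TOKEN = "tok-b2"
# Constructed payloads. The first turns the WHERE clause into a tautology and
# returns every share; the second appends a UNION that reads a different table.
TAUTOLOGY_TOKEN = "x' OR '1'='1"
UNION_TOKEN = "x' UNION SELECT username, password_hash FROM users --"

if __name__ == "__main__":
    conn = build_db()
    print("legit token, vulnerable:", lookup_vulnerable(conn, LEGIT_TOKEN))
    print("tautology, vulnerable  :", lookup_vulnerable(conn, TAUTOLOGY_TOKEN))  # every share leaks
    print("union, vulnerable      :", lookup_vulnerable(conn, UNION_TOKEN))      # user hashes leak
    print("tautology, hardened    :", lookup_hardened(conn, TAUTOLOGY_TOKEN))    # no rows
    print("union, hardened        :", lookup_hardened(conn, UNION_TOKEN))        # no rows
```

The hardened version does not sanitise the payloads; it never lets them reach the parser as SQL, which is the property a patch for this vulnerability class has to restore.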

Deconstructing the CL0P RaaS group and understanding the MOVEit breach in 2023


Unmasking Black Basta: A Closer Look at the Notorious Ransomware Group

The Black Basta threat actor is a sophisticated cyber threat group that has emerged in recent years, targeting organizations across multiple industries. Its primary objective is to gain unauthorized access to targeted networks and exfiltrate sensitive information for intelligence gathering or financial gain. The group is known to engage in long-term campaigns, establishing a persistent presence within victim networks to maintain access and conduct further malicious activity.

Tactics and Techniques: The Black Basta threat actor employs a range of sophisticated tactics and techniques to achieve its objectives (see the TTP table below).

Countermeasures: see the Security Recommendation section.

This report is collective research based on resources published by Trend Micro, BlackBerry, Palo Alto Networks, Bleeping Computer, SOCRadar, DXC Technology and others.

Who is Black Basta?

Black Basta (also written BlackBasta) is a ransomware operator and ransomware-as-a-service (RaaS) criminal enterprise that first emerged in early 2022 and immediately became one of the most active RaaS threat actors in the world, racking up 19 prominent enterprise victims and more than 100 confirmed victims in its first few months of operation. The group is known for using phishing emails and malicious attachments to deliver ransomware to its victims, and it has targeted organizations in a variety of industries. Its ransom tactics follow a double extortion model: encrypting the victim's critical data and vital servers, and threatening to publish sensitive data on the group's public leak site. Black Basta is believed to be a Russian-speaking group, and its core membership is assumed to have spawned from the defunct Conti threat actor group, given the similarities in their approach to malware development, leak sites, and communications for negotiation, payment and data recovery.
In addition to these similarities, there have been reports that Black Basta members have used Conti-related code in their ransomware attacks. This suggests some overlap between the two groups, either in membership or in collaboration.

ABB Ransomware

On May 7, 2023, the Swiss multinational corporation ABB was hit by a ransomware attack conducted by the Black Basta ransomware gang, a threat actor that first came into view in April 2022. The group used a phishing email to deliver the ransomware to an ABB employee, who opened the malicious attachment and thereby installed the ransomware on their computer. The ransomware then spread to other computers in ABB's network, encrypting files on hundreds of devices. The attack affected the company's Windows Active Directory and hundreds of devices across multiple locations. ABB terminated VPN connections with its customers to contain the attack and prevent it from spreading to other networks.

History of Attacks by Black Basta

Black Basta targets by country (chart): the distribution by country of Black Basta's victim organizations from April 1 to July 31, 2022.

Analysis of the Black Basta Ransomware Malware

The ransomware is written in C++ and has variants for both Windows and Linux. It encrypts users' data using a combination of ChaCha20 and RSA-4096. To speed up encryption it encrypts intermittently: 64-byte chunks are encrypted and 128 bytes of data are left unencrypted between the encrypted regions, so only about a third of each file's bytes are actually transformed, which also blunts detection that relies on whole-file entropy. The ransomware also attempts to delete shadow copies and other backups using vssadmin.exe, the command-line tool that manages the Volume Shadow Copy Service (VSS), which captures and copies stable images for backups on running systems.
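To make the intermittent-encryption detail concrete, here is an added Python example (not Black Basta's code, nor code from any of the cited reports) that applies the same 64-byte-encrypt, 128-byte-skip stride to a constructed file, measures how much plaintext survives, and shows the periodic per-window entropy signature a scanner can key on. SHAKE-256 output stands in for the ChaCha20 keystream and the key is a dummy; both are assumptions so the example runs on the standard library alone.

```python
import hashlib
import math
from collections import Counter

ENC_LEN = 64    # bytes encrypted per stride, per the report
SKIP_LEN = 128  # bytes left in plaintext between encrypted regions
STRIDE = ENC_LEN + SKIP_LEN


def keystream(key: bytes, length: int) -> bytes:
    # Assumption: SHAKE-256 output stands in for the ChaCha20 keystream.
    return hashlib.shake_256(key).digest(length)


def intermittent_encrypt(data: bytes, key: bytes) -> bytes:
    """XOR the first ENC_LEN bytes of every STRIDE-byte window with keystream
    and leave the remaining SKIP_LEN bytes untouched. XOR is its own inverse,
    so calling this again with the same key decrypts."""
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), STRIDE):
        for i in range(start, min(start + ENC_LEN, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def plaintext_fraction(length: int) -> float:
    """Fraction of a file of this size that the scheme never touches."""
    if length == 0:
        return 0.0
    encrypted = sum(min(ENC_LEN, length - s) for s in range(0, length, STRIDE))
    return 1 - encrypted / length


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: high for ciphertext, well below that for ordinary text."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def entropy_profile(buf: bytes, window: int = ENC_LEN) -> list:
    """Entropy per window. Whole-file entropy of an intermittently encrypted
    file is misleadingly low; the per-window profile shows one high window
    followed by two low ones, repeating with the attacker's stride."""
    return [shannon_entropy(buf[i:i + window]) for i in range(0, len(buf), window)]


def recover_plaintext_runs(buf: bytes) -> list:
    """Carve the untouched SKIP_LEN-byte gaps out of an encrypted file:
    what an analyst can read back without any key."""
    return [buf[s + ENC_LEN:s + STRIDE] for s in range(0, len(buf), STRIDE)]


# Constructed sample: six full strides of repetitive document text.
SAMPLE = (b"Constructed sample document. " * 40)[:6 * STRIDE]
DEMO_KEY = b"demo-key-not-real"  # assumption; any bytes work for the XOR stand-in

if __name__ == "__main__":
    ct = intermittent_encrypt(SAMPLE, DEMO_KEY)
    print(f"bytes left in clear: {plaintext_fraction(len(SAMPLE)):.0%}")
    print("per-window entropy:", [round(e, 1) for e in entropy_profile(ct)])
    print("first recovered run:", recover_plaintext_runs(ct)[0][:32])
    assert intermittent_encrypt(ct, DEMO_KEY) == SAMPLE
```

Two practical consequences follow from the numbers: two thirds of every encrypted file is recoverable by carving, which matters for triage of documents and logs, and a ransomware canary that measures entropy per 64-byte window with a 192-byte period will catch this family where a whole-file entropy threshold would not.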
Black Basta Attack Chain

(Black Basta attack chain diagram)

Tactics, Techniques and Procedures

Initial Access: Valid Accounts; Phishing
Execution: Command and Scripting Interpreter; System Services; Windows Management Instrumentation
Privilege Escalation: Exploitation for Privilege Escalation
Defense Evasion: Modify Registry; Domain Policy Modification; Impair Defenses; Reflective Code Loading
Credential Access: OS Credential Dumping
Discovery: System Information Discovery; Remote System Discovery; File and Directory Discovery
Lateral Movement: Lateral Tool Transfer; Remote Services
Exfiltration: Exfiltration Over C&C Channel; Exfiltration Over Web Service
Impact: Inhibit System Recovery; Service Stop; Data Encrypted for Impact; Defacement

Technical Analysis

Upon successfully executing its payload on the compromised system, Black Basta changes the desktop wallpaper to a customised image associated with the ransomware. It also drops a text file containing the login ID that the affected company uses to establish a connection with the ransomware group, in order to negotiate the ransom payment and the potential retrieval or release of the compromised data.

Dark Web Analysis

Black Basta maintains dedicated dark web pages through which it communicates with victims to negotiate ransom payments.

Security Recommendation

To defend against the Black Basta threat actor and mitigate the risk of its attacks, organizations are advised to consider the following countermeasures:

This article is attributed to Vikas Karunakarn, Aditya Kirit Katpara, Akshay Jambagi & Dipanjali Rani from Sectrio's threat research team.
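The Inhibit System Recovery row of the TTP table above corresponds to the vssadmin.exe shadow-copy deletion described in the analysis. The following is an added detection example, not part of this report: it scans process-creation events (constructed here in a simplified key=value form modelled on Sysmon Event ID 1 fields) for recovery-tampering commands and rates each hit by its parent process, since the same command from an installed backup agent and from a dropper in a Temp directory deserve different responses. The vssadmin rule is the one the report supports; the wmic, bcdedit and wbadmin rules are assumed common variants added for completeness.

```python
import re

# Command patterns for recovery tampering. vssadmin is the one the report
# names; wmic, bcdedit and wbadmin are assumed variants (not cited on the
# page) that responders usually group under the same technique.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "vssadmin_resize_storage": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(?:\.exe)?\b.*recoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
}
TECHNIQUE = "T1490 Inhibit System Recovery"  # ATT&CK ID for the TTP table row

# key=value tokens; values containing spaces are double-quoted.
EVENT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one constructed process-creation event into a dict."""
    fields = {}
    for key, value in EVENT_KV.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def severity(event: dict) -> str:
    """Rate by parent process: a recovery-tampering command spawned from an
    interactive shell or a user-writable path is far more suspicious than the
    same command issued by an installed backup agent."""
    parent = event.get("ParentImage", "").lower()
    if parent.endswith(("\\cmd.exe", "\\powershell.exe")) or "\\users\\" in parent or "\\temp\\" in parent:
        return "high"
    return "medium"


def detect(lines) -> list:
    """Return one alert per rule match, in event order."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for rule, pattern in RULES.items():
            if pattern.search(cmd):
                alerts.append({
                    "rule": rule, "technique": TECHNIQUE,
                    "host": event.get("Host"), "user": event.get("User"),
                    "parent": event.get("ParentImage"), "command": cmd,
                    "severity": severity(event),
                })
    return alerts


# Constructed events in a simplified Sysmon Event ID 1 style (not real logs).
EVENTS = [
    r'Host=WS-042 User=CORP\jdoe Image=C:\Windows\System32\vssadmin.exe ParentImage=C:\Users\jdoe\AppData\Local\Temp\update.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    r'Host=WS-042 User=CORP\jdoe Image=C:\Windows\System32\wbem\WMIC.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="wmic shadowcopy delete"',
    r'Host=SRV-BKP1 User="NT AUTHORITY\SYSTEM" Image=C:\Windows\System32\vssadmin.exe ParentImage="C:\Program Files\BackupAgent\agent.exe" CommandLine="vssadmin.exe list shadows"',
    r'Host=WS-017 User=CORP\asmith Image=C:\Windows\System32\bcdedit.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="bcdedit /set {default} recoveryenabled No"',
    r'Host=SRV-BKP1 User="NT AUTHORITY\SYSTEM" Image=C:\Windows\System32\vssadmin.exe ParentImage="C:\Program Files\BackupAgent\agent.exe" CommandLine="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f'{alert["severity"]:6} {alert["host"]:9} {alert["rule"]:26} {alert["command"]}')
```

Listing shadows (the third event) produces no alert, and the resize from the backup agent is rated medium rather than high: shrinking shadow storage is a legitimate administrative action as well as a ransomware trick, so the parent process and not the command alone should drive the response.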



Role of threat intelligence in OT security: Best practices and use cases

In today's interconnected world, operational technology (OT) systems play a crucial role in industries such as manufacturing, energy and transportation. With increased connectivity, however, comes the risk of cyber threats targeting these critical infrastructures. To safeguard OT systems effectively, organizations must employ robust security measures, including threat intelligence. This article explores the role of threat intelligence in OT security, highlighting best practices and providing use cases that demonstrate its effectiveness in mitigating risk and protecting vital industrial operations.

Understanding Threat Intelligence in OT Security

Threat intelligence involves gathering and analyzing data from various sources to identify potential threats and vulnerabilities. In the context of OT security, it provides organizations with information about the tactics, techniques and procedures (TTPs) employed by threat actors targeting industrial systems. By monitoring and analyzing this intelligence, security teams can strengthen their proactive defenses and respond effectively to emerging threats.

Best Practices for Implementing Threat Intelligence in OT Security

To maximize the benefits of threat intelligence in OT security, organizations should follow these best practices:

1. Comprehensive Data Collection. Collect data from multiple sources, including open-source intelligence (OSINT), dark web monitoring, internal network logs and threat feeds, to build a comprehensive picture of the threat landscape.

2. Contextual Analysis. Analyze the collected data in the context of the organization's own OT environment to understand its specific risks and prioritize mitigation accordingly. Consider factors such as critical assets, known vulnerabilities and the potential impact on operations.

3. Automated Threat Detection. Use machine learning and artificial intelligence (AI) to automate the detection of potential threats, enabling real-time monitoring and rapid response. Implement anomaly detection and behavioral analytics to identify deviations from normal OT system behavior; because OT traffic is highly regular, baselines should be built per network segment and re-validated after maintenance windows so that legitimate engineering changes do not flood the team with false positives.

4. Collaboration and Information Sharing. Foster collaboration within the industry by sharing anonymized threat intelligence with trusted partners, industry-specific Information Sharing and Analysis Centers (ISACs) and government agencies. This collective defense approach helps organizations stay ahead of emerging threats and strengthens the overall security posture.

5. Regular Training and Education. Provide ongoing training to OT security teams so they stay current with the latest threat trends, attack techniques and mitigation strategies. Build a culture of security awareness among employees to minimize the risk of human error and insider threats.

Use Cases Demonstrating the Effectiveness of Threat Intelligence in OT Security

1. Early Detection of Malicious Activities. By correlating threat intelligence with network activity logs, organizations can identify anomalous behavior indicative of a potential cyber attack. Early detection allows security teams to respond promptly, minimizing the impact on critical operations. For example, if threat intelligence indicates a rise in ransomware attacks targeting industrial control systems (ICS), security teams can proactively monitor for the related indicators and take preventive action.

2. Proactive Vulnerability Management. Threat intelligence keeps organizations informed about emerging vulnerabilities affecting OT systems and the associated mitigations. By monitoring threat intelligence feeds and vulnerability databases, organizations can prioritize patch management and implement compensating controls before threat actors exploit the vulnerabilities. This proactive approach minimizes the risk of successful attacks.

3. Incident Response and Threat Hunting. In the event of an incident, threat intelligence provides crucial insight into the tactics, tools and indicators of compromise (IOCs) used by threat actors. This information aids incident response, enabling rapid containment, eradication and recovery. Threat intelligence also supports threat hunting, allowing organizations to search proactively for threats already present in their OT environments.

4. Supply Chain Security. Threat intelligence helps organizations assess the security posture of their suppliers and vendors. By monitoring potential threats to the supply chain, organizations can identify vulnerabilities or compromises among their supply chain partners, take timely remediation action, and preserve the integrity and security of the OT ecosystem.

The Evolving Landscape of OT Threats

The threat landscape for OT systems is continually evolving, requiring organizations to stay vigilant and adapt their security measures accordingly. Threat intelligence plays a vital role in keeping pace with emerging threats. Some of the notable OT threats include:

1. Malware and Ransomware Attacks. Malicious software designed specifically for OT systems can cause disruption, compromise safety and demand ransom payments. Threat intelligence helps organizations identify new strains of malware, track their propagation and develop effective countermeasures.

2. Insider Threats. Insiders with privileged access to OT systems can intentionally or unintentionally compromise the security of industrial operations. With threat intelligence, organizations can detect and mitigate insider threats, including unauthorized access, data exfiltration and sabotage attempts.

3. Nation-State Attacks. OT systems are potential targets for nation-state actors seeking to disrupt critical infrastructure. Threat intelligence provides insight into the tactics and strategies employed by these advanced adversaries, enabling organizations to strengthen their defenses and resilience against such attacks.

4. Zero-Day Exploits. Zero-day vulnerabilities are unknown to the public and can be exploited by threat actors before a patch is available. Threat intelligence helps organizations stay informed about potential zero-day vulnerabilities in their OT systems, allowing them to develop mitigations and workarounds until official patches are released.

5. Social Engineering Attacks. Threat actors often employ social engineering techniques to manipulate employees into divulging sensitive information or performing malicious actions. By analyzing threat intelligence related to social engineering campaigns, organizations can educate employees, implement security awareness programs and improve their resilience against such attacks.

Summary

Threat intelligence plays a critical role in securing OT systems and protecting vital industrial operations from cyber threats. By implementing the best practices above, including comprehensive data collection, contextual analysis, automated threat detection, collaboration and regular training, organizations can maximize the benefits of threat intelligence. The use cases discussed show its effectiveness in early detection, proactive vulnerability management, incident response and supply chain security. In a rapidly evolving threat landscape, organizations must treat threat intelligence as a fundamental component of their OT security strategy to safeguard critical infrastructure and ensure business continuity.
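As an added example of the contextual-analysis and early-detection points made in this article (not code from the article itself): a small matcher that runs a threat intelligence feed against OT connection logs and ranks the hits by the criticality of the internal asset involved, so the same indicator seen from an HMI outranks it seen from a sales laptop. The feed entries, asset inventory, criticality weights and log lines are all constructed for the example, and the scoring formula is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Indicator:
    value: str       # IP address, CIDR range or domain name
    kind: str        # "ip", "cidr" or "domain"
    confidence: int  # 0-100 as shipped by the feed
    campaign: str    # what the feed says the indicator belongs to


# Constructed feed entries (documentation address ranges, not real infrastructure).
FEED = [
    Indicator("203.0.113.45", "ip", 90, "ICS ransomware C2"),
    Indicator("198.51.100.0/24", "cidr", 60, "Modbus scanning range"),
    Indicator("update-plc-firmware.example", "domain", 85, "phishing infrastructure"),
]

# Constructed asset inventory: name and criticality weight. Assumption: a PLC
# outage halts the process (5), an HMI degrades it (3), a corporate laptop least (1).
ASSETS = {
    "10.10.1.5": ("PLC-Line1", 5),
    "10.10.1.20": ("HMI-Line1", 3),
    "10.10.2.7": ("EWS-Engineering", 4),
    "10.20.0.33": ("Laptop-Sales", 1),
}

# Constructed connection records: ts src dst dport proto dns_query-or-dash
LOGS = """\
1717410000 10.10.1.20 203.0.113.45 443 tcp -
1717410005 10.20.0.33 192.0.2.53 53 udp -
1717410010 10.10.2.7 198.51.100.77 502 tcp -
1717410015 10.10.1.5 10.10.1.20 502 tcp -
1717410020 10.20.0.33 192.0.2.53 53 udp mail.update-plc-firmware.example
"""


def match_indicator(dst_ip: str, dns_query: Optional[str], feed) -> Optional[Indicator]:
    """First indicator hit for a connection: exact IP, CIDR membership, or a
    DNS query for the indicator domain or one of its subdomains."""
    addr = ipaddress.ip_address(dst_ip)
    for ind in feed:
        if ind.kind == "ip" and addr == ipaddress.ip_address(ind.value):
            return ind
        if ind.kind == "cidr" and addr in ipaddress.ip_network(ind.value, strict=False):
            return ind
        if ind.kind == "domain" and dns_query and (
            dns_query == ind.value or dns_query.endswith("." + ind.value)
        ):
            return ind
    return None


def correlate(feed, logs: str, assets: dict) -> list:
    """Match every record against the feed and rank hits by
    feed confidence x asset criticality, highest first."""
    alerts = []
    for line in logs.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, src, dst, dport, proto = parts[:5]
        query = parts[5] if len(parts) > 5 and parts[5] != "-" else None
        ind = match_indicator(dst, query, feed)
        if ind is None:
            continue
        name, weight = assets.get(src, ("unknown-asset", 1))
        alerts.append({
            "ts": int(ts), "asset": name, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "indicator": ind.value, "campaign": ind.campaign,
            "score": ind.confidence * weight,
        })
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in correlate(FEED, LOGS, ASSETS):
        print(f'{a["score"]:4} {a["asset"]:16} -> {a["indicator"]:28} ({a["campaign"]})')
```

The ordering is the point: the medium-confidence scanner hit from the engineering workstation is ranked above the high-confidence phishing domain resolved by a laptop, because the asset context changes what an analyst should look at first. An unknown source address is kept rather than dropped, with the lowest weight, so gaps in the inventory surface as alerts instead of silence.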


Dissecting the cyber incident at All India Institute of Medical Sciences (AIIMS) 

The news of the All India Institute of Medical Sciences (AIIMS) servers being breached is making headlines across India. While the full extent of the data that was compromised and the actors behind the attack are still unknown, there are already some clues about what this attack means for the healthcare segment in India and beyond. Our threat research team has drawn the following inferences after studying the attack on AIIMS and its aftermath.

Disclaimer: these inferences are based on the data and information we have gathered from published sources on the surface and dark web as of December 5th. Some inferences are subject to change as new data becomes available. Since the breach is under investigation by CERT-In, the inferences drawn may also change after the investigation report is made public.



Increasingly visible nation-state actor footprint forces APT groups to increase stealth

2022 is turning out to be the year of nation-state actors. With attacks on wind turbine operations and public transit services in the Netherlands, utility firms in India, retail businesses in Taiwan, and stock markets in the US being traced to APT groups, this year has logged more APT activity than ever before. With the increasing realization of their capabilities as a source of rich data and disruption, nations are growing increasingly comfortable with using APT groups to settle scores. This trend has had a complex impact on the security of cyberspace, and its ramifications will play out more visibly in the days to come.

2022 – a year of brazen APT attacks

The attacks in August on many retail businesses, government department websites, the presidential office and tram stations in Taiwan, following the visit of US House Speaker Nancy Pelosi to the island, were clearly linked to Chinese and Russian IP addresses. The hackers involved did not even try to hide their origins, in what was seen as an attempt to convey a geopolitical message to Taiwan. Russian APT groups were also found meddling with critical infrastructure in Germany, the Netherlands, Ukraine, Norway and the US.

Transparent Tribe, also known as APT36, went as far as to develop and deploy a fake version of an Indian government-mandated two-factor authentication solution, required for accessing email services, to target Indian government and defense personnel. Transparent Tribe also used fake domains and traffic-redirecting mechanisms to divert traffic to spurious sites hosting malware. Even here, the hackers made no serious attempt to hide their trail.

Such levels of visible aggression are not frequent in cyberspace. APT groups normally leave room for plausible deniability, so that the nation-state backing them can deny all allegations of support or sponsorship.

While acting quietly inside the networks they target, APT groups are becoming noisier when it comes to claiming credit. There could be several reasons for such brazen and aggressive attacks. Whatever the motivation for such transparency, it is clear that APT playbooks have changed this year. Even among the industrial cyberattacks on OT and IoT-based infrastructure and systems perpetrated by APT groups, the attacks were carried out in a more systematic and transparent manner: the attacks, including the scans that precede them, are becoming more sophisticated, while the APT groups involved are leaving digital tracks behind that make attribution easier.

Impact on IoT and OT security in 2023

Overall, this trend clearly indicates a period of increasing APT activity that could spill over into segments not directly connected with government, including manufacturing, retail, extended supply chains, aviation and shipping. Such brazen attacks also mean that APT groups are now more confident about their capabilities and are not shy of showcasing them in the digital space, even if that could attract some form of retribution.

In 2023, the time to attack after a geopolitical incident will shrink and we will enter an era of lightning-fast attacks on critical infrastructure that could lead to prolonged disruption. Public transportation systems and financial institutions (especially stock markets) could be the targets of such attacks. Among defense systems, hardware and systems linked to base security, air traffic control and temperature control within underground storage systems will be targeted. APT groups will also go for greater monetization of attacks by targeting businesses for ransom: most APT groups are moving towards generating funding sources outside their state sponsors, to prevent disruption to R&D and ongoing projects during a fund crunch.
Such attacks will be running in parallel with attacks on their conventional targets.

