Ransomware targeting industry is becoming more complex. This is the alarming finding of a study released on June 11 by Cybereason, an American specialist in detecting and responding to cyberattacks that target endpoints.
For several months, Cybereason’s research teams have run a honeypot: a simulation of the entire office (IT) and industrial (OT) information systems of an electrical substation belonging to an electricity company operating in North America and the United Kingdom. The purpose of this lure, which is built “partly on virtual machines but also on some real equipment, all both interconnected and connected to the internet,” said Israel Barak, security manager at Cybereason, is to attract potential cyber attackers in order to analyze their strategies and, from them, current trends in the field.
The most classic 4-step attack
Thanks to this experiment, which the firm repeats approximately every two years, the Cybereason researchers observed a more complex attack than in 2018. The most classic ransomware attack process is carried out in four stages, as follows:
Phase 1: Initial compromise of the Remote Desktop Protocol (RDP) administration interface, after the password of the user account is obtained through a brute-force attack, followed by the download and execution of a Windows PowerShell script to create a backdoor.
Phase 2: Download of new tools through the compromised server using PowerShell, such as Mimikatz, a freely available tool widely used by hackers to steal user credentials. That information is then used to try to move laterally to the domain controllers, the backbone of the operation. “The lateral movement attempt failed in the honeypot environment because none of the stolen user accounts were allowed to access the domain controller,” says Cybereason.
Phase 3: Lateral movement of the malware across the network, using a network scanner to discover other endpoints.
Phase 4: Triggering of the ransomware once the preliminary operations are complete, to ensure that as many endpoints as possible are compromised and to maximize the impact of the attack.
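Phase 1 leaves a recognizable trail in the Windows Security log, which a SOC can correlate. The following is an added example, not code from the Cybereason study: it flags a burst of failed logons (event 4625) followed by a successful RDP logon (event 4624, logon type 10) from the same source, and raises the severity if PowerShell then starts under that account (event 4688, which requires process-creation auditing). The field names are simplified, and the thresholds and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                     # assumed tuning value
FAIL_WINDOW = timedelta(minutes=10)    # look-back before the successful logon
FOLLOW_WINDOW = timedelta(minutes=30)  # look-ahead for PowerShell after logon
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def ev(ts, event_id, host, user, ip=None, logon_type=None, process=None):
    # Simplified event record; real logs carry many more fields.
    return {"ts": datetime.fromisoformat(ts), "id": event_id, "host": host,
            "user": user, "ip": ip, "logon_type": logon_type, "process": process}

# Constructed sample events (not from the study); 203.0.113.7 is a documentation address.
SAMPLE = (
    [ev(f"2024-01-15T02:00:{s:02d}", 4625, "HMI01", "operator", "203.0.113.7", 3)
     for s in range(0, 40, 5)]
    + [ev("2024-01-15T02:01:10", 4624, "HMI01", "operator", "203.0.113.7", 10),
       ev("2024-01-15T02:03:00", 4688, "HMI01", "operator", process=PS),
       # Benign case: one mistyped password, then a normal internal RDP session.
       ev("2024-01-15T09:00:00", 4625, "ENG02", "alice", "10.0.0.5", 3),
       ev("2024-01-15T09:00:20", 4624, "ENG02", "alice", "10.0.0.5", 10),
       ev("2024-01-15T09:05:00", 4688, "ENG02", "alice", process=PS)]
)

def detect(events):
    """Alert on: failed-logon burst -> successful RDP logon -> PowerShell start."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for logon in events:
        if logon["id"] != 4624 or logon["logon_type"] != 10:
            continue
        fails = [e for e in events
                 if e["id"] == 4625 and e["host"] == logon["host"]
                 and e["ip"] == logon["ip"]
                 and timedelta(0) <= logon["ts"] - e["ts"] <= FAIL_WINDOW]
        if len(fails) < FAIL_THRESHOLD:
            continue  # too few failures to call it brute force
        shells = [e for e in events
                  if e["id"] == 4688 and e["host"] == logon["host"]
                  and e["user"] == logon["user"]
                  and (e["process"] or "").lower().endswith("powershell.exe")
                  and timedelta(0) <= e["ts"] - logon["ts"] <= FOLLOW_WINDOW]
        alerts.append({"host": logon["host"], "user": logon["user"],
                       "src_ip": logon["ip"], "failed": len(fails),
                       "severity": "high" if shells else "medium"})
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The benign session on ENG02 produces no alert because a single failed logon stays below the threshold, even though PowerShell is started afterwards.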
“Even modest hacker groups are resorting to increasingly sophisticated attacks”
“Today, cyber-attackers tend to take their time to move from one stage to another, in order to remain as discreet as possible but also to save time to steal all the data in all the corners of the targeted network,” says Israel Barak. “This is why you need to let the honeypot work for at least a few months, or even an entire year.”
Combined, the complexity of intrusion techniques and the discretion of cyber attackers make attacks particularly difficult to detect, especially since this modus operandi is not only the work of sophisticated nation-state malicious groups, known as APTs (for “Advanced Persistent Threat”). “Despite the complexity of the attacks we identified, the tools used were relatively easy to access. Nothing that was used was developed specifically to break into the target’s network. We can therefore think that the attackers were not APT groups but that even the most modest hacker groups are resorting to increasingly sophisticated attacks.”
Integrate IT-OT convergence into cyber defense strategies
For this security specialist, the study shows that manufacturers must completely abandon the idea that they can prevent intrusions on their network. “We have to assume that we can be attacked and act accordingly,” he insists. He sets out three priorities: segment the network, multiply authentication points and, above all, prepare to respond quickly as soon as an attack is identified, in particular by increasing redundancy (system backups, data backups, etc.).
“It is also necessary to ensure that the cyber response center (security operations center, or SOC) is capable of detecting anomalies and reacting both for the IT network and for the OT. IT-OT convergence is a trend for systems administration and attackers have understood this.”