Ransomware: attackers infiltrate a fake industrial network in just three days


According to security researchers, industrial control networks are exposed to a stream of ransomware attacks. This warning follows an experiment that revealed how quickly attackers discover and exploit weaknesses in critical infrastructure.

Setting up the lure

Security company Cybereason built a decoy designed to resemble an electric utility operating in Europe and North America. The network was designed to look authentic in order to attract potential attackers, and included IT and operational technology (OT) environments as well as human-machine interface (HMI) systems.

The whole environment was built to reflect the security weaknesses common to critical infrastructure: remote-access ports exposed to the internet, passwords of medium complexity, and a typical set of security controls, including network segmentation.

The decoy went live earlier this year, and it took attackers only three days to discover the network and find ways to compromise it, including a ransomware campaign that infiltrated parts of the network and captured login credentials.

Course of the attack

“Very soon after the launch of the honeypot, the ransomware capability was placed on each compromised machine,” explains Israel Barak, information security manager at Cybereason, speaking to ZDNet.

The attackers placed ransomware on the network by using remote administration tools to gain access, cracking the administrator password to log in and control the desktop remotely.

From there, they created a backdoor on a compromised server and used additional PowerShell tools, including Mimikatz, which allowed them to steal login credentials, move laterally across the network, and compromise even more machines. The attackers scanned the network to find as many access points as they could, collecting credentials as they went along.

Double penalty

Ultimately, this means that in addition to deploying ransomware, the attackers also have the ability to steal usernames and passwords, which they could exploit as additional leverage by threatening to leak sensitive data if the ransom is not paid.

“It is only after the other stages of the attack are complete that the ransomware spreads to all compromised endpoints simultaneously. This is a common feature of multi-stage ransomware campaigns, which aim to amplify the impact of the attack on the victim,” explains Israel Barak.

Compromised network

Ransomware attacks from different sources repeatedly hit the trap once it was discovered, and many attackers attempted other kinds of attacks, while others were more interested in network reconnaissance, as was the case in a previous experiment with a decoy.

Even if it does not seem as dangerous at first glance as a ransom note, attackers probing the network of what they believe is an electricity supplier could ultimately cause very serious harm.

Nevertheless, ransomware appears to have become one of the main ways attackers try to exploit infrastructure they can easily compromise, which the report describes as a “constant barrage” of attacks on the sector. And the risks are expected to intensify.

Strengthening security through prevention

Fortunately, these attacks against a decoy did no real damage.

However, the experiment shows that the networks supporting critical infrastructure must be resilient enough to withstand unwanted intrusion, which means designing and operating them for resilience, especially when it comes to separating IT networks from operational technology networks.

Even relatively simple improvements, such as protecting networks with complex, hard-to-guess passwords, can help, while more involved security initiatives can strengthen protection further.

Source: ZDNet.com

Source: www.zdnet.fr
