New Ransomware Targets Industrial Control Systems (arstechnica.com)
In recent months, researchers have caught ransomware "intentionally tampering with industrial control systems that dams, electric grids, and gas refineries rely on to keep equipment running safely," reports Ars Technica. According to researchers at the security firm Dragos, the ransomware tries to kill 64 different processes, the names of which are all hard-coded within the malware.
Long-time Slashdot reader Garabito shared Ars Technica's report: It remains unclear precisely what effect the killing of those processes would have on the safety of operations inside infected facilities... Monday's report described Ekans' ICS targeting as minimal and crude because the malware simply kills various processes created by widely used ICS programs. That's a key differentiator from ICS-targeting malware discovered over the past few years with the ability to do much more serious damage. One example is Industroyer, the sophisticated malware that caused a power outage in Ukraine in December 2016 in a deliberate and well-executed attempt to leave households without electricity in one of the country's coldest months...
Another reason Dragos considers Ekans to be a "relatively primitive attack" is that the ransomware has no mechanism to spread. That makes Ekans much less of a threat than ransomware such as Ryuk, which quietly collects credentials for months on infected systems so it can eventually proliferate widely through almost all parts of a targeted network.
Obligatory Industrial Control on the INTERNET ?!?! (Score:2)
Re: (Score:2)
Actually, the SysAdmin is the last one that should get hit. Who should get charged are CEOs and CISOs. It is their responsibility to make sure processes and controls are in place that prevent this from happening and to make sure people are hired that actually understand security. Of course, that reduces "management" bonuses, so IT security is often done cheapest-possible. And that includes SysAdmins that do not have a chance to even know how to do this right, because they are incompetent.
Re: (Score:2)
needs to spend some serious time in prison for grotesque negligence.
If we are going to start putting incompetent sysadmins in prison, we are going to need a lot more prisons.
LOL'ed (Score:1)
Okay, I actually LOL'ed [out loud].
SRSLY, though... (Score:1)
https://www.youtube.com/watch?v=htCJTPu8GPE [youtube.com]
Re: Obligatory Industrial Control on the INTERNET (Score:3)
Re: (Score:3)
Well, the security consulting company I work for starts to get requests to also look at ICS security, but only as part of creating and evaluating larger strategies. My take is that the industrial control community at large still has not the faintest clue how bad the threat actually is and nobody is yet willing to spend money. As soon as they find out they absolutely need to get their stuff together and not only do this right, but get external competent review to make sure it is done right, it will still be 1
Re: (Score:2)
Look up Industry 4.0 and the IIoT (industrial internet of things). This new tech is the wave of the future, and as a small-scale systems integrator myself, I worry. I can tell you that some of the people in charge of paying for these systems don't care that much about network security and accountability, because it's way way over their heads. For decades industrial control systems were equivalent to your toaster. You don't replace it until it stops making toast, let alone install updates or even perform backups of it. There are many systems running Server 2003 or similar and running on the same network as the operators' tablets and laptops, etc. Fortunately, most of these are very very small power plants or other facilities.
This was my experience. I'm retired. I recommended best practices that were shit-canned in favour of articles in The Wall Street Journal.
I did get opt-out decisions sent to me by email to cover my ass. It paid off more than once, especially when the firm vetoed my objections and went to the cloud.
When it rained, it poured and I was ordered to "Invoke Plan B."
I told them, "Plan B is in my computer room and you went off and left it."
They shut the cloud off and gave me back my stuff.
Re: (Score:2)
There comes a point where any Sys Admin [or Pointy-Headed Boss] who places "Industrial Control Systems" on the internet
OK I'll bite. I'm based in the USA. In the last 2 months alone I've worked on Industrial Control Systems projects for clients in the USA, Spain and China. And I was even doing remote debugging for Spain. Please tell me how I do this *without* the internet, and *without* racking up $$$$ in plane fares and hotel bills, also jet lag and visa requirements, and not to mention the delay in responding to issues as they unravel in real time?
Re: (Score:2)
Some ideas:
1) have local expertise sufficient to maintain your critical infrastructure.
2) if (1) fails for some reason, rack up plane fares and hotel bills to maintain your critical infrastructure.
3) If you absolutely cannot do (1) and (2), at the very, very least shut all the ports except ssh, disable password login, and give out authorized keys only to absolutely essential personnel.
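Item 3 above is concrete enough to check mechanically. The script below is an added example, not something posted in the thread: it audits an sshd_config for key-only login, no password login, no root login and an explicit AllowUsers list. The two configuration files are constructed inside the script, and the user names "ops_oncall" and "vendor_support" are made up.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the
# "disable password login, authorized keys only for essential personnel"
# advice. Config contents and user names below are constructed.

# Print the effective value of KEYWORD in FILE, lower-cased.
# sshd honours the first non-comment occurrence of a keyword, so the
# first match wins here too.
effective_value() {
    awk -v k="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1"
}

# Return 0 if FILE meets the baseline, 1 otherwise, naming each failed check.
# Unset keywords fail on purpose: the baseline wants them written down,
# not left to whatever default the installed OpenSSH version ships.
audit_sshd_config() {
    cfg="$1"
    status=0
    if [ "$(effective_value "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "FAIL: PasswordAuthentication must be 'no'"; status=1
    fi
    if [ "$(effective_value "$cfg" PubkeyAuthentication)" = "no" ]; then
        echo "FAIL: PubkeyAuthentication must not be disabled"; status=1
    fi
    if [ "$(effective_value "$cfg" PermitRootLogin)" != "no" ]; then
        echo "FAIL: PermitRootLogin must be 'no'"; status=1
    fi
    if [ -z "$(effective_value "$cfg" AllowUsers)" ]; then
        echo "FAIL: AllowUsers must list only the essential personnel"; status=1
    fi
    return "$status"
}

# Constructed: a vendor-shipped default that still allows passwords and root.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed: the same host after applying the comment's advice.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers ops_oncall vendor_support
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || echo "weak config rejected (expected)"
echo "== hardened config =="
audit_sshd_config "$HARDENED_CFG" && echo "hardened config passes"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`. It reads the global section only; a `Match` block can override any of these keywords for particular users or addresses, so a full audit also needs `sshd -T` (which prints the effective configuration) for the identities that matter. Closing every other port belongs to the host firewall and is not covered here.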
Re: (Score:3)
1 and 2 are great if you're an oil company, but an absolute non-starter for pretty much anyone else.
3 is industry practice. Last time I (different person to the GP) did remote control system work I even had to pass 2FA, except my second factor was at the company for which I was working, meaning that every login included a second one-time key, and that's just to get a VPN connection to the DMZ; from there only one port was available into the target system.
Re: (Score:2)
1 and 2 are great if you're running critical infrastructure. If it's just important to your company, go nuts. If it's something important, it's important enough to require the laying on of hands.
I doubt very much that #3 is industry practice. It might be recommended practice, but I doubt all the scada hacking you hear about is going through that kind of system.
Re: (Score:2)
Actually, _secure_ remote access (with strong 2-sided authentication, e.g. ssh with certs and password or a VPN with 2FA) is not a problem. But it requires actually competent IT people to set that up and have it be secure and these cost money. Money that then does not go to C-level bonuses.
Nobody with at least some insight into things wants remote access to go away. That is not the problem.
Re: (Score:2)
Actually, _secure_ remote access (with strong 2-sided authentication, e.g. ssh with certs and password or a VPN with 2FA) is not a problem. But it requires actually competent IT people to set that up and have it be secure and these cost money. Money that then does not go to C-level bonuses.
Nobody with at least some insight into things wants remote access to go away. That is not the problem.
Yep, and another trick I did was throw every goddam intrusion scheme I could find or make up at the system.
I often found entry-ways. We weren't large enough to pay for outside security audit.
Re: (Score:2)
There comes a point where people make stupid assumptions about safety, such as that any of these spread via the internet, or that any of the recorded successful attacks on control systems (of which there have been a few) have had anything to do with the internet.
NO USB PORTS (Score:1)
Above here, I'm saying absolutely no USB ports [or DVD drives or floppy drives or external SATA or anything else] on mission critical networks.
Ideally, the entire workstation chassis would be behind a concrete wall, with a tiny hole for the keyboard & mouse & monitor cables.
And trying to stick your hand [or anything else] into the hole for the cables would be not just an immediate termination of employment, but it would also invoke a call to the SBI/FBI to
Windows... enough said (Score:4, Insightful)
Re: (Score:2)
n/t
While Windows may well be fucked, very few if any big players in this field support anything other than Windows. So we deal with what we have to deal with.
I'd also say that if the boot was on the other foot and the majority of high value ICS were hosted on Linux, your post's topic would have been more like "Linux .. enough said". The criminals go where the money is.
Who was it who was asked "Why do you rob banks?", and the reply was "That's where the money is!"
Re: (Score:2)
I'd also say that if the boot was on the other foot and the majority of high value ICS were hosted on Linux, your post's topic would have been more like "Linux .. enough said". The criminals go where the money is.
I think we both know that's absolute nonsense. The vast majority of Web sites, for example, are hosted on Linux. Yet the vast majority of Web site compromises are those run on Windows. Windows will always be where the money is because Windows is, by far, the least secure operating system in wide use. It's by far the easiest nut to crack.
If the Linux bank protected ten billion dollars, and the Windows bank protected a penny, the criminals would still go after Windows because the payoff would be higher.
Re: (Score:2)
n/t
While Windows may well be fucked, very few if any big players in this field support anything other than Windows. So we deal with what we have to deal with.
I'd also say that if the boot was on the other foot and the majority of high value ICS were hosted on Linux, your post's topic would have been more like "Linux .. enough said". The criminals go where the money is.
Who was it who was asked "Why do you rob banks?", and the reply was "That's where the money is!"
Good point.
We just have to look at OS market share [netmarketshare.com] to realize that you are correct:
Windows 88.07%
Mac OS 9.44%
Linux 1.87%
Chrome OS 0.41%
Unknown 0.19%
BSD 0.02%
Re: (Score:2)
Re: (Score:2)
What was enough said? All these attacks on industrial control systems have been highly targeted to date. If an attacker is able to target very specific bugs in specific code, execute their attacks over air-gaps, and in some cases load malware onto engineering stations, what makes you think not using windows is anything more than a feel good measure?
Give me a Windows admin who understands network and operational security over some Linux admin who thinks they are invulnerable any day.
After ransomware against hospitals... (Score:2)
... the only surprise here is how long this took. The people doing this have zero morals and zero restraints. It is time to treat this activity like the severe threat it is and find them. It is also time to make CEOs of vulnerable installations personally responsible and lock them up.
Re: After ransomware against hospitals... (Score:1)
Re: (Score:2)
Nope. Attribution is the problem here, not doing something about these people as soon as you know who they are.
And the other, about as serious problem (and here the ones responsible _are_ known) is IT-dependent organizations with IT security that sucks. I think we need to see a few CEOs and CISOs go to prison for what they did before things will change.
Re: (Score:2)
This is a good use for drones and hellfire missiles.
Yes, and then after you've taken care of the morons running Windows in mission-critical roles, you can go after the people making the ransomware.
Re: (Score:2)
And they are an APT, because ransomware is the way they can get a steady income. Took very long for them to figure this out, but unfortunately too many organizations have cheap, incompetent IT people and are willing to pay the ransom. This needs to stop.
Maybe not a primary attack? (Score:3)
This smells to me like an investigative foray - they kill some processes to see what the consequences are, how long it takes for the processes to be missed, how long it takes for them to be restarted and how they get restarted, etc. If they can characterize the systems sufficiently, they can craft more subtle attacks. Such attacks might allow for substantial theft of electricity and natural gas, or they might enable a degree of destruction that is more difficult to recover from.
You're describing "State Sponsored" hackery... (Score:1)
You're describing state-sponsored actors there.
Mossad/Ukrainians, Chicoms, Norks, Streetshitistans, etc.
The amateurs would just want the quick payout.
Whereas the state-sponsored actors would want to hang around for the long haul.
Re: You're describing "State Sponsored" hackery... (Score:1)
Re: (Score:2)
State-sponsored is the past. They at least have some restraint and are somewhat predictable. As criminal enterprises finally have found a way to monetize attacks via ransomware, that is all about to change and get far, far worse.
It's still an epic fail. (Score:2)
EKANS malware and its attempt to cease particular industrial-related processes is further evolution and context around the growing cyber threat to industrial control systems, but EKANS itself is more a novelty than a discrete and worrying risk.
On top of that it's written in Go. I'm reminded of the days when viruses were written in Visual Basic.
Hmmm (Score:3)
I found some RansomWare that kills processes called "NuclearMissileLaunchControl" and "ICBMTargetSelector".
Does this mean they are targeting nuclear missile control systems now?
Any asshole can put any string they want in a hunk of software. Many do.
Stuxnet ... (Score:2)
... anyone?