Severity
High
Analysis Summary
Cyber threats to operational technology (OT) systems are a constant presence, and the serious ones have traditionally come from trained professionals and well-funded threat groups. That is not the case in the latest trend: unsophisticated, low-level, and simple attacks attempted by hackers for financial gain.
These unsophisticated attacks target industrial systems connected to the internet, using an arsenal of well-known tactics, techniques, and procedures. The threat actors are motivated by financial, ideological, and egotistical objectives, which they pursue by compromising internet-accessible industrial control systems and OT assets. Although such activity has been recorded for many years, an increase in the frequency of these simple attacks has been noted this year.
Widely known commodity tools and tactics, techniques, and procedures (TTPs) are being used to interact with, access, or gather information from these online systems. One consistent trend in these low-sophistication attacks is the exploitation of unsecured remotely accessible services, for instance virtual network computing (VNC) connections used to reach the victim's control system remotely.
Since graphical user interfaces (GUIs) and human-machine interfaces (HMIs) present a user-friendly view of highly complex industrial processes, they are an easy target: the actors can modify control variables without much knowledge of the underlying processes and systems. In these latest attacks the actors have posted images showing IP addresses, GUIs, and system timestamps of the compromised control processes.
Pro-Palestine/anti-Israel hacktivist groups have shared evidence of a successful attack via social media. The group claimed to have compromised OT assets in Israel, including the web server of a datalogger and solar energy assets used for applications such as dam surveillance and mining exploration.
In other cases, threat actors have shared screenshots of "allegedly successful" attacks on a German-language rail control system that later proved to be a command station designed for model trains.
Impact
Why do these attacks pose a growing risk?
- The attacks may seem inconsequential now, but each one gives the hackers more confidence and more practice in learning the underlying technology, operations, and physical processes of OT.
- Although the actors' aptitude may be low, low-sophistication attacks still pose a threat to OT environments because they can disrupt and endanger physical processes.
- Cyber operations against OT also gain publicity, which may encourage others to carry out more sophisticated and impactful attacks.
Remediation
- OT systems must not be connected to publicly accessible networks.
- Monitor traffic for unusual activity and deploy access controls to safeguard asset information and minimize unintended interaction.
- Edge and remotely accessible devices must be protected by applying network-restricting techniques.
- Disable unused services, change default credentials (and use strong passwords), and create whitelists for access.
- Penetration testing, and checking whether the assets can be discovered or accessed through online scanners, is also a good security measure.
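As an added example (not part of the Rewterz advisory or any Rewterz tooling), the following Python script turns the traffic-monitoring and access-whitelist items above, and the VNC exposure described in the analysis, into a concrete check: it parses a constructed connection log, flags connections from outside the OT network to VNC and common control-system ports, and suppresses sanctioned remote-access ranges. The log format, the watched port list, and the internal-network ranges are assumptions made for the example.

```python
"""Flag inbound connections from outside the OT network to remote-access and
control-system services.

Added example for this advisory; it is not Rewterz's own tooling. The log
format is assumed: one connection per line, fields
"<timestamp> <src_ip> <dst_ip> <dst_port> <proto>" separated by spaces.
"""
import ipaddress
from collections import Counter

# Address ranges treated as "inside" the plant network (assumed for the
# example: RFC 1918, loopback and link-local). Anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Services that should never be reachable from outside: VNC (the remote
# access path named in the advisory) plus common ICS protocols and HMI web
# front ends. The port list is an assumption, not from the advisory.
WATCHED_PORTS = {
    5900: "VNC", 5901: "VNC", 502: "Modbus/TCP", 44818: "EtherNet/IP",
    102: "S7comm", 80: "HMI-HTTP", 443: "HMI-HTTPS",
}

# Constructed sample log; the public addresses are RFC 5737 documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
2021-05-28T10:01:02Z 10.0.5.12 10.0.20.7 5900 tcp
2021-05-28T10:01:09Z 203.0.113.45 10.0.20.7 5900 tcp
2021-05-28T10:02:11Z 198.51.100.8 10.0.20.9 502 tcp
2021-05-28T10:02:40Z 10.0.5.13 10.0.20.9 502 tcp
2021-05-28T10:03:01Z 203.0.113.45 10.0.20.7 5900 tcp
2021-05-28T10:03:30Z 192.0.2.77 10.0.20.11 22 tcp
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a record dict, or None for malformed lines (never raise)."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "proto": proto,
        }
    except ValueError:
        return None


def is_internal(ip):
    """True when the address falls inside one of the assumed plant ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def find_exposures(log_text, allowed_sources=()):
    """Return connections from external sources to watched OT ports.

    allowed_sources: CIDR strings for sanctioned remote access (for example
    a vendor VPN egress range); hits from those ranges are not reported.
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["port"] not in WATCHED_PORTS:
            continue
        if is_internal(rec["src"]):
            continue
        if any(rec["src"] in net for net in allowed):
            continue
        rec["service"] = WATCHED_PORTS[rec["port"]]
        findings.append(rec)
    return findings


def summarize(findings):
    """Count (source, destination, service) triples, most frequent first."""
    counts = Counter(
        (str(f["src"]), str(f["dst"]), f["service"]) for f in findings
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (src, dst, svc), n in summarize(find_exposures(SAMPLE_LOG)):
        print(f"{src} -> {dst} {svc}: {n} connection(s) from outside the OT network")
```

On the constructed log the script reports two repeated VNC connections from one external address to an HMI and one Modbus/TCP connection to a controller, while ignoring internal sources, the unwatched SSH port and the malformed line. Passing a sanctioned range such as the vendor's VPN egress via `allowed_sources` is the whitelist step from the remediation list; anything that still appears is either an exposure to close or an access path that needs to be formally approved and logged.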