Introduction to Sabotage Trojans and Ransomware
Attempts to destroy information on computers have been known since the era of DOS viruses. Several
viruses encrypted the hard drive on the fly; if the virus was removed, the information it had encrypted
became inaccessible.
The first mass epidemic of a sabotage virus was CIH, also known as Chernobyl, a Microsoft Windows
virus which first emerged in 1998. It exploited the fact that the firmware on many motherboards could
be rewritten from software, and used that capability to overwrite the system BIOS, making the PC
unbootable (its payload also overwrote the first megabyte of the boot drive). The virus was created by
Chen Ing-hau, who at the time was a student at Tatung University in Taiwan.
An estimated 60 million computers were believed to be infected by the virus worldwide, resulting in an
estimated $1 billion (US) in commercial damages.
But the most famous case of a sabotage Trojan was probably Stuxnet, which exploited vulnerabilities
in SCADA systems and was designed to target Iran's uranium enrichment program by destroying
centrifuges. It did succeed in destroying roughly 1,000 centrifuges, which is not a very impressive
number considering the size of the blowback and the new threats it created, first of all for Western
countries, which use computerized industrial equipment more widely and connect it more often to
various networks, sometimes including the Internet.
Stuxnet is interesting not only because of its unprecedented complexity and its targeted attack on
industrial systems, but also because it clearly demonstrated that governments are behind the efforts
to develop such malware:
Now widely believed to have been a project of U.S. and Israeli intelligence (U.S. officials have
yet to publicly acknowledge a role but have done so anonymously to the New York Times and
NPR), Stuxnet was carefully designed to infect multiple systems needed to access and control industrial
equipment used in Iran’s nuclear program. The payload was clearly the work of a group with access
to government-scale resources and intelligence, but it was made possible by four zero-day exploits
for Windows that allowed it to silently infect target computers. That so many precious zero-days
were used at once was just one of Stuxnet’s many striking features.
The author is not an expert in SCADA and generally left the security field around the year 2003, so the
information below is mainly of a general nature. SCADA systems stay in service for a long time, anywhere
from 15 to 30 years, so there is always a population of older systems with multiple known vulnerabilities
in the underlying OS and software. Because of the steady stream of new technology, most systems tend to
be less than 10 years old, but many are far older and often run long-discontinued operating systems
such as Windows NT 4.
One important threat to SCADA systems is the growing connectivity of the internal networks on which they
are deployed. Virus epidemics indirectly affecting SCADA systems started with the first network worms,
and some enterprises reacted by installing local firewalls restricting the ports and IP addresses from
which SCADA systems are reachable. That proved to be insufficient against sophisticated malware, which was revealed in
Timeline:
- The US government recognized the problem and its potential offensive and defensive implications
probably around 1998.
- Some steps were taken in 2003 (doe.gov).
- Regulation was issued in 2006. See "Federal security rules fueling energy company anxiety"
(September 28, 2006).
- The Stuxnet epidemic, discovered in June 2010, was an important wake-up call that actually played
a tremendously positive role in improving SCADA security. The first variant of the worm probably
appeared much earlier; Kaspersky researchers suggest that it was launched as early as June 2009.
One of the real "innovations" of Stuxnet was that it infected not only Windows machines but also
PLCs, via a dedicated PLC rootkit (en.wikipedia.org/.../Stuxnet).
It showed the truly tragic state of SCADA security and just how vulnerable such systems are to a wide
variety of attacks. Most SCADA systems are stuck in the 1990s: the basic security model underlying the
old systems that run critical services such as power and water does not take LAN or Internet
connectivity into account, and as such is completely inadequate. Many don't even bother using
authentication because they consider their systems closed and therefore safe, as one researcher put it
(State of SCADA Security 'Laughable', Researchers Say, Threatpost).
- These once-isolated systems and networks increasingly use off-the-shelf products such as
Microsoft operating systems and IP-based networking equipment, and have some form of connection to
the Internet to simplify maintenance operations for vendors. Hardware tokens or smartcards are
typically not used to secure communications.
- Isolation, which looks like one of the few viable strategies, is not that easy to achieve if you
are using off-the-shelf equipment, first of all because vendors do not care, or care very little,
about security. Disconnection also has negative side effects of its own. For example, even if the
certificates with which the Trojan was signed have been revoked, an isolated system cannot query the
Certificate Revocation List servers; unless revocation data is delivered to it out of band, a
signature check on that host typically still passes for the revoked certificate.
- Some reasons are related to negligence: for example, in many cases operators are not given a
second PC, and "control PCs" are not isolated from the internal corporate network, so they are a
viable target for attacks. Actually, a return to dumb terminals would be a great improvement in
security ;-).
Stuxnet raised important political and even cultural issues. The first is that it made the term
"cyberwarfare" real and launched a spiral of development of "militarized" Trojans. The US government
was the first to respond, and probably started to pay attention to this problem around 2006. See
"Federal security rules fueling energy company anxiety" (September 28, 2006):
The nation’s energy companies are scrambling to meet government regulations going into effect
as soon as January that in part are designed to safeguard the computer-based control systems for
electricity and gas distribution from cyberattacks.
Top energy IT officials say they are challenged to meet the new rules because the massive systems
control and data acquisition (SCADA) systems used to manage their resources increasingly are based
on Windows and Unix but weren’t really designed with network security in mind. The systems often
don’t work easily with antivirus software and can be tough to patch, they say.
In addition, the SCADA systems increasingly share the same corporate network as other business
applications, but the people running the SCADA and voice/data networks are on separate teams. “In
companies I’ve seen, they choose to be separate,” said Evon Salle, senior information systems auditor
at OGE Energy, in Oklahoma City, and a forum participant at the IT Security World Conference here.
Congress took up the cause of greater SCADA security after a massive power blackout in the summer
of 2003, passing legislation that has led to the creation of nine Critical Infrastructure Protection
(CIP) rules.
These were devised under the aegis of the North American Electric Reliability
Council (NERC), the trade group recently chosen by the Federal Energy Regulatory Commission to set
mandatory security standards for the energy sector. NERC also is expected to be in charge of rules
enforcement, which could include dishing out million-dollar fines for noncompliance.
The CIP rules cover areas such as reporting sabotage, ensuring physical security, monitoring
and running antivirus controls, and doing patch updates on all critical assets, including control
centers, substations and SCADA systems.
Energy companies say they’re prodding SCADA operations groups to
work with the corporate IT departments to impose firewalls, access control, encryption and antivirus
controls if they weren’t there before. But technical challenges remain.
“A lot of times you won’t have virus protection in a SCADA environment,” Salle said.
“Virus software, such as from McAfee and Symantec, thinks the SCADA system is a virus and that’s
why you can’t run it.”
The biggest risk is “SCADA not having a firewall, while also having Internet access,” she added.
Energy companies acknowledge that their SCADA systems haven’t been immune to virus outbreaks.
“We’ve had viruses hit one of our plants,” said Charles Simons, manager of firewall integrity
management at BP Global. The company immediately firewalled off its process-control networks and
put corporate IT security in control of industrial systems.
Complying with the CIP guidelines to cordon off SCADA and apply a battery of security controls
is proving difficult for some.
“It’s quite a culture change for us, especially for substations and generators,” said Sharon
Edwards, project manager for implementing the cybersecurity guidelines at Duke Energy. So far, Duke
Energy hasn’t been able to identify vendors that would help in implementing the enormous log collection
and management and other requirements dictated by CIP.
“We may have to develop one ourselves,” Edwards said. That will involve combining expertise in
the IT and SCADA groups, she said. “But in SCADA, we haven’t gotten to the place of having good
communications,” she said, adding, “I don’t think we’re unique in that.”
Edwards noted that one idea under discussion for achieving CIP compliance
would entail equipping employees with two PCs on their desktop, one
for access for secure accounts and the other for e-mail and Internet access.
Several energy companies said they are prodding SCADA vendors, such as Honeywell, Foxboro and
Wonderware, to meet the security challenges brought by CIP.
“SCADA systems manage valves and pressures,” said Jay White, global architect for information
protection, policies and standards, at Chevron’s IT division. “They’re mission-critical. If you
lose control over them, you could have an irreversible environmental impact.”
Upgrading SCADA systems, often designed to last more than a decade and traditionally proprietary
in their underlying software, could prove expensive and energy company customers could wind up footing
much of the bill.
“The electric companies will have to pay to implement the standards and it will reflect in the
rates,” predicted Robert Schainker, technical executive for strategic planning in the office of
innovation at Electric Power Research Institute, a nonprofit organization in Palo Alto for research
on energy and the environment.
Enforcing the rules
One of the biggest uncertainties about the new security regime is how NERC will carry out its
newly acquired mission in network security.
“NERC is no longer a volunteer organization, it’s a regulatory organization,” Schainker said,
adding that this is appropriate because the industry will benefit from improved network security.
“There will be hackers out there, and more terrorists, and we have to be ready to meet these challenges.”
Several industry insiders last week acknowledged that SCADA systems, some now Web-based,
are known to be open enough to be fairly easily hackable, whether by insiders or outsiders. While
some hacking-based disruptions have occurred in SCADA systems, no major cyberattack has occurred.
Schainker predicts that when NERC begins imposing fines for noncompliance, there will be an eruption
of lawsuits. In the end, court decisions will probably guide how this new cybersecurity regulation
evolves.
Some corporations, including Duke Energy, acknowledge they have fought the imposition of CIP.
Their reluctance stems in part from the fact that the Department of Homeland Security is pushing
them to supply detailed proprietary information about how they operate.
“There’s a lot of push-back from industry on this,” Edwards said.
Meanwhile, the Department of Defense has long worked under a strict regimen for SCADA systems,
which exist on Navy ships, said Herbert Armstrong, IT security director at the Navy’s Warfare Training
Center in Ingleside, Texas.
“The SCADA systems are subject to review, and we separate them from the rest of the network,”
Armstrong said. Strong authentication, including the Defense Department's Common Access Card and
biometrics, are needed to prove identity to access SCADA systems. “We’re most concerned about the
insider threat,” he said.
Stuxnet changed the rules of the game and helped to improve the security of SCADA systems worldwide,
as it became clear that devastating attacks are possible by reprogramming controllers. Later it
became clear that the USA had created 13 "cyberattack" teams (Pentagon’s 13 Offensive ‘Cyberattack’
Teams to Strike Across the World: General Touts New 'Cyber Cadre's' Attack Capabilities, by Jason
Ditz, March 13, 2013):
Cyber Command chief General Keith Alexander has unveiled some new information about the nation’s
cyberwarfare policy, revealing in a Senate hearing the creation of 13 “cyberattack” teams, which
he dubbed part of the “cyber cadre,” that are
authorized to engage in preemptive
cyberwarfare across the planet.
Alexander sought to downplay the seriousness of this revelation after the fact, insisting that
they are “offensive” units, but are aimed
primarily at deterrence, and are “analogous to battalions in the Army and Marine Corps.”
Except that the Army and Marine Corps don’t try to build deterrence credibility by
launching unilateral attacks on other nations, or at least to the extent that they do, it is
unquestionably an act of war, and done publicly.
The Pentagon has repeatedly made it clear they would view such cyberattacks by other nations
as no different than any other military attack, but at the same time their own cyberwarfare units
are treating offensive operations as a matter of course. Officials have repeatedly complained that
such attacks are on the rise from hackers in other nations, but the US seems to be looking not to
defend against such attacks, but rather to get in on the fun.
Adapted from Ransomware - Wikipedia
Ransomware is a type of
malicious software that carries out the cryptoviral extortion attack from
cryptovirology that blocks access to data until a
ransom is paid and
displays a message
requesting payment to unlock it. Simple ransomware may lock the system in a way which is
not difficult for a knowledgeable person to reverse. More advanced malware
encrypts the
victim's files, making them inaccessible, and demands a ransom payment to decrypt them.[1]
The ransomware may also encrypt the computer's
Master File Table (MFT)[2][3]
or the entire hard drive.[4]
Thus, ransomware is a denial-of-access attack that prevents computer users from accessing
files[5]
since it is
intractable to decrypt the files without the decryption
key.
Ransomware attacks are typically carried out using a
Trojan that has a payload disguised as a legitimate file. While initially popular in
Russia, the use of
ransomware scams has grown internationally;[6][7][8]
in June 2013,
security software vendor
McAfee released data showing that it had collected over 250,000 unique samples of
ransomware in the first quarter of 2013, more than double the number it had obtained in the
first quarter of 2012.[9]
Wide-ranging attacks involving encryption-based ransomware began to increase through
Trojans such as CryptoLocker, which had procured an estimated US$3 million before it was taken down by
authorities,[10]
and CryptoWall, which was estimated by the US
Federal Bureau of Investigation (FBI) to have accrued over $18m by June 2015.[11]
Ransomware attacks are typically carried out using a
Trojan, entering a system through, for example, a downloaded file or a vulnerability in
a network service. The program then runs a
payload, which locks the system in some fashion, or claims to lock the system but does
not (e.g., a scareware
program). Payloads may display a fake warning purportedly by an entity such as a
law enforcement agency, falsely claiming that the system has been used for illegal
activities, contains content such as
pornography and
"pirated" media.[13][14][15]
Some payloads consist simply of an application designed to lock or restrict the system
until payment is made, typically by setting the
Windows Shell to itself,[16]
or even modifying the
master boot record and/or
partition
table to prevent the operating system from booting until it is repaired.[17]
The most sophisticated payloads
encrypt
files, with many using
strong encryption to
encrypt the victim's files in such a way that only the malware author has the needed
decryption key.[12][18][19]
Payment is virtually always the goal, and the victim is coerced into paying for the
ransomware to be removed—which may or may not actually occur—either by supplying a program
that can decrypt the files, or by sending an unlock code that undoes the payload's changes.
A key element in making ransomware work for the attacker is a convenient payment system
that is hard to trace. A range of such payment methods have been used, including
wire transfers,
premium-rate text messages,[20]
pre-paid voucher
services such as
Paysafecard,[6][21][22]
and the digital currency
Bitcoin.[23][24][25]
A 2016 census commissioned by
Citrix
revealed that larger businesses are holding bitcoin as a contingency plan.[26]
Encrypting ransomware
The first known malware extortion attack, the
"AIDS Trojan" written by Joseph Popp in 1989, had a design failure so severe it was not
necessary to pay the extortionist at all. Its payload hid the files on the hard drive and
encrypted only their names, and displayed a message claiming that the user's license to use a certain piece
of software had expired. The user was asked to pay
US$189 to "PC Cyborg Corporation" in order to obtain a repair tool even though the
decryption key could be extracted from the code of the Trojan. The Trojan was also known as
"PC Cyborg". Popp was declared
mentally unfit to stand trial for his actions, but he promised to donate the profits
from the malware to fund AIDS research.[27]
The notion of using public key cryptography for ransom attacks was introduced in 1996 by
Adam L. Young and Moti
Yung. Young and Yung critiqued the failed AIDS Information Trojan that relied on
symmetric cryptography alone, the fatal flaw being that the decryption key could be
extracted from the Trojan, and implemented an experimental proof-of-concept cryptovirus on
a Macintosh
SE/30 that used
RSA and the
Tiny Encryption Algorithm (TEA) to
hybrid encrypt the victim's data. Since public key crypto is used, the cryptovirus only
contains the encryption key. The attacker keeps the corresponding private
decryption key private. Young and Yung's original experimental cryptovirus had the victim
send the asymmetric ciphertext to the attacker who deciphers it and returns the symmetric
decryption key it contains to the victim for a fee. Long before
electronic money existed Young and Yung proposed that electronic money could be
extorted through encryption as well, stating that "the virus writer can effectively hold
all of the money ransom until half of it is given to him. Even if the e-money was
previously encrypted by the user, it is of no use to the user if it gets encrypted by a
cryptovirus".[12]
They referred to these attacks as being "cryptoviral
extortion", an overt attack that is part of a larger class of attacks in a field called
cryptovirology, which encompasses both overt and covert attacks.[12]
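The hybrid design Young and Yung describe is modelled below as an added example; it is not their 1996 prototype and not code from this page. The virus carries only the RSA public key, generates a fresh TEA session key per victim, encrypts the data with it, and leaves behind only the RSA-wrapped session key (the "asymmetric ciphertext"); the attacker, the only holder of the private key, unwraps it and returns the session key. The fixed Mersenne primes, the absence of RSA padding, counter mode for TEA and all function names are simplifications and assumptions of this example, chosen so it runs offline and deterministically; a real key would be random and far larger. Nothing touches the filesystem; the victim data is a constructed byte string.

```python
"""Hybrid (RSA + TEA) key handling of a cryptoviral extortion protocol.
Added example with toy parameters; not real malware and not the original code."""
import secrets

# --- TEA block cipher (64-bit block, 128-bit key) ---
DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF

def tea_encrypt_block(v0, v1, k):
    """One TEA encryption of the block (v0, v1) under the four key words k."""
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
    return v0, v1

def tea_ctr(key, nonce, data):
    """Counter mode: XOR data with TEA(nonce || block index); encrypt == decrypt."""
    k = [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]
    out = bytearray()
    for off in range(0, len(data), 8):
        c0, c1 = tea_encrypt_block(nonce & MASK32, off // 8, k)
        stream = c0.to_bytes(4, "big") + c1.to_bytes(4, "big")
        out += bytes(a ^ b for a, b in zip(data[off:off + 8], stream))
    return bytes(out)

# --- Toy RSA: fixed Mersenne primes M89 and M107 so the example is deterministic
#     (assumption of the example; a real key pair is random and far larger) ---
P = (1 << 89) - 1
Q = (1 << 107) - 1
E = 65537

def attacker_keygen():
    """Attacker generates the pair once; only the public half ships in the virus."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}

# --- Victim side: everything the cryptovirus carries and does ---
def cryptovirus_encrypt(pubkey, data):
    """Fresh per-victim TEA key; only its RSA-wrapped form is left behind."""
    session_key = secrets.token_bytes(16)          # 128 bits, fits below n
    nonce = secrets.randbits(32)
    wrapped = pow(int.from_bytes(session_key, "big"), pubkey["e"], pubkey["n"])
    ciphertext = tea_ctr(session_key, nonce, data)
    # The virus discards the session key; the victim now holds ciphertext,
    # nonce and the wrapped key, none of which yields the key without d.
    return ciphertext, nonce, wrapped

# --- Attacker side: the only party holding d can unwrap the session key ---
def attacker_unwrap(privkey, wrapped):
    return pow(wrapped, privkey["d"], privkey["n"]).to_bytes(16, "big")

def victim_recover(session_key, nonce, ciphertext):
    return tea_ctr(session_key, nonce, ciphertext)

def run_protocol(data):
    """Both sides of the exchange; returns (ciphertext, recovered plaintext)."""
    pub, priv = attacker_keygen()
    ct, nonce, wrapped = cryptovirus_encrypt(pub, data)
    # Victim sends `wrapped` to the attacker, who returns the session key for a
    # fee. The private key never leaves the attacker.
    key = attacker_unwrap(priv, wrapped)
    return ct, victim_recover(key, nonce, ct)

if __name__ == "__main__":
    sample = b"constructed victim data: quarterly accounts (not real)"
    ct, pt = run_protocol(sample)
    print("encrypted differs:", ct != sample, "| recovered intact:", pt == sample)
```

The contrast with the AIDS Trojan is the point: there the symmetric key sat in the binary, so anyone with a sample could decrypt every victim. Here the only secret-bearing artefact left on the victim is the wrapped key, so recovery without paying has to come from backups or from an implementation flaw in a particular family, not from the malware sample itself.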
Examples of extortionate ransomware became prominent in May 2005.[28]
By mid-2006, Trojans such as
Gpcode,
TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began utilizing more sophisticated RSA
encryption schemes, with ever-increasing key-sizes. Gpcode.AG, which was detected in June
2006, was encrypted with a 660-bit RSA public key.[29]
In June 2008, a variant known as Gpcode.AK was detected. Using a 1024-bit RSA key, it was
believed large enough to be computationally infeasible to break without a concerted
distributed effort.[30][31][32][33]
Encrypting ransomware returned to prominence in late 2013 with the propagation of
CryptoLocker—using
the Bitcoin
digital
currency platform to collect ransom money. In December 2013,
ZDNet estimated based on
Bitcoin transaction information that between 15 October and 18 December, the operators of
CryptoLocker had procured about US$27 million from infected users.[34]
The CryptoLocker technique was
widely copied
in the months following, including CryptoLocker 2.0 (thought not to be related to
CryptoLocker), CryptoDefense (which initially contained a major design flaw that stored the
private key on the infected system in a
user-retrievable location, due to its use of Windows' built-in encryption APIs),[24][35][36][37]
and the August 2014 discovery of a Trojan specifically targeting
network-attached storage devices produced by
Synology.[38]
In January 2015, it was reported that ransomware-styled attacks have occurred against
individual websites via hacking, and through ransomware designed to target
Linux-based
web servers.[39][40][41]
Some ransomware strains have used
proxies tied
to
Tor
hidden services to connect to their
command and control servers, increasing the difficulty of tracing the exact location of
the criminals.[42][43]
Furthermore, dark web
vendors have increasingly started to offer the technology
as a service.[43][44][45]
Symantec has classified ransomware to be the most dangerous cyber threat.[46]
Non-encrypting ransomware
In August 2010, Russian authorities arrested nine individuals connected to a ransomware
Trojan known as WinLock. Unlike the previous Gpcode Trojan, WinLock did not use encryption.
Instead, WinLock trivially restricted access to the system by displaying pornographic
images, and asked users to send a
premium-rate SMS (costing around US$10) to receive a code that could be used to unlock
their machines. The scam hit numerous users across Russia and neighboring
countries—reportedly earning the group over US$16 million.[15][47]
In 2011, a ransomware Trojan surfaced that imitated the
Windows Product Activation notice, and informed users that a system's Windows
installation had to be re-activated due to "[being a] victim of fraud". An online
activation option was offered (like the actual Windows activation process), but was
unavailable, requiring the user to call one of six
international numbers to input a 6-digit code. While the malware claimed that this call
would be free, it was routed through a rogue operator in a country with high international
phone rates, who placed the call on hold, causing the user to incur large
international
long distance charges.[13]
In February 2013, a ransomware Trojan based on the Stamp.EK
exploit kit
surfaced; the malware was distributed via sites hosted on the project hosting services
SourceForge and
GitHub that claimed to
offer "fake nude pics" of celebrities.[48]
In July 2013, an
OS X-specific
ransomware Trojan surfaced, which displays a web page that accuses the user of downloading
pornography. Unlike its Windows-based counterparts, it does not block the entire computer,
but simply exploits the behavior of the web browser itself to frustrate attempts to close the page
through normal means.[49]
In July 2013, a 21-year-old man from Virginia, whose computer coincidentally did contain
pornographic photographs of underaged girls with whom he had conducted sexualized
communications, turned himself in to police after receiving and being deceived by
ransomware purporting to be an FBI message accusing him of possessing child pornography. An
investigation discovered the incriminating files, and the man was charged with
child
sexual abuse and possession of child pornography.[50]
Leakware (also called Doxware)
The converse of ransomware is a
cryptovirology attack that threatens to publish stolen information from the victim's
computer system rather than deny the victim access to it.[51]
In a leakware attack, malware exfiltrates sensitive host data either to the attacker or
alternatively, to remote instances of the malware, and the attacker threatens to publish
the victim's data unless a ransom is paid. The attack was presented at
West Point in 2003 and was summarized in the book Malicious Cryptography as follows,
"The attack differs from the extortion attack in the following way. In the extortion
attack, the victim is denied access to its own valuable information and has to pay to get
it back, where in the attack that is presented here the victim retains access to the
information but its disclosure is at the discretion of the computer virus".[52]
The attack is rooted in game theory and was originally dubbed "non-zero sum games and
survivable malware". The attack can yield monetary gain in cases where the malware acquires
access to information that may damage the victim user or organization, e.g., reputational
damage that could result from publishing proof that the attack itself was a success.
Mobile ransomware
With the increased popularity of ransomware on PC platforms, ransomware targeting
mobile operating systems has also proliferated. Typically, mobile ransomware payloads
are blockers, as there is little incentive to encrypt data since it can be easily restored
via online synchronization.[53]
Mobile ransomware typically targets the
Android platform, as it allows applications to be installed from third-party sources.[53][54]
The payload is typically distributed as an
APK
file installed by an unsuspecting user; it may attempt to display a blocking message
over top of all other applications,[54]
while another used a form of
clickjacking
to cause the user to give it "device administrator" privileges to achieve deeper access to
the system.[55]
Different tactics have been used on
iOS devices, such as exploiting
iCloud accounts and using
the Find My
iPhone system to lock access to the device.[56]
On iOS 10.3, Apple patched a bug in the handling of JavaScript pop-up windows in
Safari that had been exploited by ransomware websites.[57]
Notable examples
Reveton
[Figure: A Reveton payload, fraudulently claiming that the user must pay a fine to the Metropolitan Police Service]
In 2012, a major ransomware Trojan known as Reveton began to spread. Based on the
Citadel
Trojan (which itself, is based on the
Zeus Trojan), its payload displays a warning purportedly from a law enforcement agency
claiming that the computer has been used for illegal activities, such as downloading
unlicensed software or
child
pornography. Due to this behaviour, it is commonly referred to as the "Police Trojan".[58][59][60]
The warning informs the user that to unlock their system, they would have to pay a fine
using a voucher from an anonymous prepaid cash service such as
Ukash or Paysafecard. To
increase the illusion that the computer is being tracked by law enforcement, the screen
also displays the computer's
IP address, while
some versions display footage from a victim's
webcam to give the
illusion that the user is being recorded.[6][61]
Reveton initially began spreading in various European countries in early 2012.[6]
Variants were localized with templates branded with the logos of different law enforcement
organizations based on the user's country; for example, variants used in the United Kingdom
contained the branding of organizations such as the
Metropolitan Police Service and the
Police National E-Crime Unit. Another version contained the logo of the
royalty collection society
PRS for Music,
which specifically accused the user of illegally downloading music.[62]
In a statement warning the public about the malware, the Metropolitan Police clarified that
they would never lock a computer in such a way as part of an investigation.[6][14]
In May 2012, Trend Micro threat researchers discovered templates for variations for the
United States
and Canada, suggesting
that its authors may have been planning to target users in North America.[63]
By August 2012, a new variant of Reveton began to spread in the United States, claiming to
require the payment of a
$200 fine to the FBI using a
MoneyPak card.[7][8][61]
In February 2013, a Russian citizen was arrested in
Dubai by Spanish
authorities for his connection to a crime ring that had been using Reveton; ten other
individuals were arrested on
money
laundering charges.[64]
In August 2014,
Avast
Software reported that it had found new variants of Reveton that also distribute
password stealing malware as part of its payload.[65]
CryptoLocker
Main article: CryptoLocker
Encrypting ransomware reappeared in September 2013 with a Trojan known as
CryptoLocker,
which generated a 2048-bit RSA key pair and uploaded in turn to a command-and-control
server, and used to encrypt files using a
whitelist of
specific
file extensions. The malware threatened to delete the private key if a payment of
Bitcoin or a pre-paid
cash voucher was not made within 3 days of the infection. Due to the extremely large key
size it uses, analysts and those affected by the Trojan considered CryptoLocker extremely
difficult to repair.[23][66][67][68]
Even after the deadline passed, the private key could still be obtained using an online
tool, but the price would increase to 10 BTC, which cost approximately US$2300 as of
November 2013.[69][70]
CryptoLocker was isolated by the seizure of the
Gameover ZeuS
botnet as part of
Operation
Tovar, as officially announced by the
U.S. Department of Justice on 2 June 2014. The Department of Justice also publicly
issued an indictment
against the Russian hacker Evgeniy Bogachev for his alleged involvement in the botnet.[71][72]
It was estimated that at least US$3 million was extorted with the malware before the
shutdown.[10]
CryptoLocker.F and
TorrentLocker
In September 2014, a wave of ransomware Trojans surfaced that first targeted users in
Australia, under
the names CryptoWall and CryptoLocker (which is, as with CryptoLocker 2.0,
unrelated to the original CryptoLocker). The Trojans spread via fraudulent e-mails claiming
to be failed parcel delivery notices from
Australia
Post; to evade detection by automatic e-mail scanners that follow all links on a page
to scan for malware, this variant was designed to require users to visit a web page and
enter a CAPTCHA code
before the payload is actually downloaded, preventing such automated processes from being
able to scan the payload. Symantec determined that these new variants, which it identified as
CryptoLocker.F,
were again, unrelated to the original CryptoLocker due to differences in their operation.[73][74]
A notable victim of the Trojans was the
Australian Broadcasting Corporation; live programming on its television
news channel
ABC News 24 was disrupted for half an hour and shifted to
Melbourne studios
due to a CryptoWall infection on computers at its
Sydney studio.[75][76][77]
Another Trojan in this wave,
TorrentLocker,
initially contained a design flaw comparable to CryptoDefense; it used the same
keystream for every
infected computer, making the encryption trivial to overcome. However, this flaw was later
fixed.[35]
By late-November 2014, it was estimated that over 9,000 users had been infected by
TorrentLocker in Australia alone, trailing only Turkey with 11,700 infections.[78]
CryptoWall
Another major ransomware Trojan targeting Windows, CryptoWall, first appeared in 2014. One strain
of CryptoWall was distributed as part of a malvertising campaign on the Zedo ad network in late
September 2014 that targeted several major websites; the ads redirected to rogue websites that
used browser plugin exploits to download the payload. A Barracuda Networks researcher also noted
that the payload was signed with a digital signature in an effort to appear trustworthy to
security software.[79]
CryptoWall 3.0 used a payload written in JavaScript, delivered as an email attachment, which
downloads executables disguised as JPG images. To further evade detection, the malware creates
new instances of explorer.exe and svchost.exe and uses them to communicate with its servers. When
encrypting files, the malware also deletes volume shadow copies (removing the easiest local
recovery path), and installs spyware that steals passwords and Bitcoin wallets.[80]
The FBI reported in June 2015 that nearly 1,000 victims had contacted the bureau's Internet Crime
Complaint Center to report CryptoWall infections, and estimated losses of at least $18
million.[11]
The most recent version at the time of writing, CryptoWall 4.0, enhanced its code to avoid
antivirus detection, and encrypts not only the data in files but also the file names.[81]
Fusob
Fusob is one of the major mobile ransomware families. Between April 2015 and March 2016, about 56
percent of the mobile ransomware detections accounted for were Fusob.[82] Like typical mobile
ransomware, it employs scare tactics to extort payment.[83] The program pretends to be an
accusatory authority, demanding that the victim pay a fine of $100 to $200 USD or otherwise face
a fictitious charge. Rather surprisingly, Fusob suggests paying with iTunes gift cards. A timer
counting down on the screen adds to the victim's anxiety.
To infect devices, Fusob masquerades as a pornographic video player; victims, thinking it
harmless, unwittingly download it.[84]
When Fusob is installed, it first checks the language used on the device. If the device uses
Russian or certain Eastern European languages, Fusob does nothing; otherwise it proceeds to lock
the device and demand the ransom. About 40% of victims are in Germany, with the United Kingdom and
the United States following at 14.5% and 11.4% respectively.
Fusob has a lot in common with Small, another major family of mobile ransomware; together they
represented over 93% of mobile ransomware between 2015 and 2016.
WannaCry
Main article: WannaCry ransomware attack
In May 2017, the WannaCry ransomware attack spread through the Internet, using an exploit vector
that Microsoft had issued a "Critical" patch for (MS17-010) two months before, on March 14, 2017.
The purported infection vector, EternalBlue, was released by the hacker group The Shadow Brokers
on 14 April 2017,[22][23] along with other tools apparently leaked from Equation Group, which is
believed to be part of the United States National Security Agency.[24][25]
On 12 May 2017, WannaCry began affecting computers worldwide. The attack affected Telefónica and
several other large companies in Spain, as well as parts of the British National Health Service
(NHS), where at least 16 hospitals had to turn away patients or cancel scheduled operations,[85]
FedEx, Deutsche Bahn, the Russian Interior Ministry and the Russian telecom MegaFon.
The initial infection might have been either through a vulnerability in the network defenses or a
very well-crafted spear phishing attack.[31] When executed, the malware first checks whether the
"kill switch" website is reachable. If it is not, the ransomware encrypts the user's files on the
computer's hard disk drive,[32][33] then attempts to exploit the SMB vulnerability to spread to
random computers on the Internet[34] and "laterally" to computers on the same Local Area Network
(LAN).[35] The kill-switch check is a direct HTTP request that ignores the system proxy settings,
so on networks that reach the Internet only through a proxy it fails and the payload runs even
though the domain is registered. As with other modern ransomware, the payload displays a message
informing the user that files have been encrypted, and demands a payment of $300 in bitcoin within
three days.
The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a
security patch on 14 March 2017,[18] nearly two months before the attack. The patch was to the
Server Message Block (SMB) protocol used by Windows.[36][37] Organizations that lacked this
security patch were affected for this reason, although there is so far no evidence that any were
specifically targeted by the ransomware developers.[36] Any organization still running the older
Windows XP[38] was at particularly high risk because until 13 May,[2] no security patches had been
released since April 2014.[39] Following the attack, Microsoft released a security patch for
Windows XP.[2] Although another ransomware was spread through messages from a bank about a money
transfer around the same time, no evidence for an initial email phishing campaign has been found in
this case.
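The spreading behaviour just described has a simple network signature: one source opening TCP/445
connections to many distinct hosts in a short time, both inside the LAN and to random Internet
addresses, where a normal SMB client talks to a handful of file servers. The following Python
sketch, added here as an illustration and not part of the Wikipedia text or any cited source, runs
that heuristic over constructed flow records. The record format, the addresses, the 60-second
window and the threshold of 10 distinct targets are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed record format (an assumption for this example):
#   "<ISO-8601 time> <src_ip> <dst_ip> <dst_port> <proto>"
def parse_flow(line: str) -> Tuple[datetime, str, str, int, str]:
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto

# RFC 1918 ranges only: a target here is a "lateral" move, anything else is Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def detect_smb_scanners(lines: List[str], threshold: int = 10,
                        window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Flag each source that contacts >= `threshold` distinct hosts on TCP/445
    within any interval of length `window`; report the busiest such interval."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, proto = parse_flow(line)
        if proto == "tcp" and dport == 445:
            per_src[src].append((ts, dst))

    alerts: Dict[str, dict] = {}
    for src, events in per_src.items():
        events.sort()
        best: set = set()
        best_start = events[0][0]
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) > len(best):
                best, best_start = targets, events[start][0]
        if len(best) >= threshold:
            internal = sum(1 for d in best if is_internal(d))
            alerts[src] = {
                "distinct_targets": len(best),
                "internal": internal,
                "external": len(best) - internal,
                "window_start": best_start.isoformat(),
            }
    return alerts

def sample_lines() -> List[str]:
    """Constructed flows: a benign client, one worm-like host, unrelated noise."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    rows = []
    for i in range(30):                       # normal client: one file server, many connections
        rows.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.1.20 10.0.1.5 445 tcp")
    for i in range(12):                       # sweep of the local /24
        rows.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.1.77 10.0.1.{100 + i} 445 tcp")
    for i in range(8):                        # random Internet targets (TEST-NET-2 addresses)
        rows.append(f"{(base + timedelta(seconds=30 + i)).isoformat()} 10.0.1.77 198.51.100.{10 + i} 445 tcp")
    rows.append(f"{base.isoformat()} 10.0.1.77 203.0.113.9 443 tcp")  # HTTPS, not counted
    return rows

if __name__ == "__main__":
    for src, info in detect_smb_scanners(sample_lines()).items():
        print(f"ALERT {src}: {info}")
```

The split into internal and external targets matters operationally: outbound TCP/445 to the
Internet from a workstation should be rare enough to block at the perimeter outright, while the
internal sweep is what identifies the patient-zero host to isolate.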
Mitigation
As with other forms of malware, security software might not detect a ransomware payload, or,
especially in the case of encrypting payloads, might detect it only after encryption is under way
or complete, particularly if a new version unknown to the protective software is distributed.[87]
If an attack is suspected or detected in its early stages, there is a window of time while
encryption is still in progress; immediate removal of the malware (a relatively simple process)
before it has completed stops further damage to data, without salvaging anything already
lost.[88][89]
Alternatively, a newer category of security software, deception technology, can detect ransomware
without relying on signatures. Deception technology places fake SMB shares around real IT assets.
Ransomware that reaches these decoy shares wastes time encrypting them, and any write to them
raises an alert so that security teams can shut down the attack and return the organization to
normal operations. Multiple vendors[90] support this capability, with several announcements in
2016.[91]
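As an added example, not any vendor's product or material from the page's sources, here is the
decoy idea reduced to its core: a few low-entropy "honeyfiles" are planted with known hashes and
checked periodically; a decoy that disappears, is rewritten, or suddenly has ciphertext-like
entropy means something is encrypting the directory tree. The directory, the decoy names and
contents, the 7.0 bits/byte threshold and the simulated ransomware are all constructed for the
example; a real deployment would watch shares rather than a temp directory and page an on-call
team instead of returning a list.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# Decoy names chosen to sort to the start and end of a directory listing, so a
# ransomware that walks directories in order touches them early. Names and
# contents are constructed for this example.
CANARY_NAMES = ("000_passwords.xlsx", "zzz_archive_2014.docx")
ENTROPY_ENCRYPTED = 7.0   # bits/byte; text and office files sit far below, ciphertext near 8

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def plant_canaries(root: Path) -> Dict[str, str]:
    """Write low-entropy, plausible-looking decoys; return name -> sha256 hex."""
    manifest = {}
    for name in CANARY_NAMES:
        body = (f"Constructed decoy {name}: account,login,password\n" * 40).encode()
        (root / name).write_bytes(body)
        manifest[name] = hashlib.sha256(body).hexdigest()
    return manifest

def check_canaries(root: Path, manifest: Dict[str, str]) -> List[str]:
    """One alert per decoy that is missing/renamed, rewritten, or now high-entropy."""
    alerts = []
    for name, digest in manifest.items():
        path = root / name
        if not path.exists():
            alerts.append(f"{name}: missing or renamed")
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            ent = shannon_entropy(data)
            kind = "encrypted (high entropy)" if ent > ENTROPY_ENCRYPTED else "modified"
            alerts.append(f"{name}: {kind}, entropy={ent:.2f} bits/byte")
    return alerts

def simulate_ransomware(root: Path, rename: bool,
                        rng: Callable[[int], bytes] = os.urandom) -> None:
    """Constructed stand-in for the attacker: XOR each file with random bytes,
    either overwriting in place or writing a .locked copy and deleting the original."""
    for path in sorted(p for p in root.iterdir() if p.is_file()):
        data = path.read_bytes()
        garbage = bytes(a ^ b for a, b in zip(data, rng(len(data))))
        if rename:
            path.with_name(path.name + ".locked").write_bytes(garbage)
            path.unlink()
        else:
            path.write_bytes(garbage)

def run_demo() -> Dict[str, List[str]]:
    """Plant decoys, confirm silence, run both attacker styles, collect alerts."""
    results = {}
    for mode in ("in_place", "renamed"):
        with tempfile.TemporaryDirectory() as d:
            root = Path(d)
            manifest = plant_canaries(root)
            (root / "real_document.txt").write_bytes(b"constructed user data\n" * 20)
            results[f"{mode}_before"] = check_canaries(root, manifest)
            simulate_ransomware(root, rename=(mode == "renamed"))
            results[f"{mode}_after"] = check_canaries(root, manifest)
    return results

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The entropy test is the part worth keeping even without decoys: ransomware that rewrites a file in
place and keeps its name defeats a pure hash-or-rename check on ordinary files, but it cannot make
ciphertext look like prose.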
Security experts have suggested precautionary measures for dealing with ransomware. Using
software or other security policies to block known payloads from launching will help to prevent
infection, but will not protect against all attacks. Keeping "offline" backups of data in
locations inaccessible to the infected computer, such as external storage drives that are
disconnected after each backup, keeps them out of the ransomware's reach and speeds up data
restoration;[23][92] a backup volume that stays mounted is encrypted along with everything else.
There are a number of tools intended specifically to decrypt files locked by ransomware, although
successful recovery is not always possible.[2][93] If the same encryption key is used for all
files, decryption tools use files for which there are both uncorrupted backups and encrypted
copies (a known-plaintext attack in the jargon of cryptanalysis); recovery of the key, if it is
possible at all, may take several days.[94]
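Both the TorrentLocker flaw mentioned earlier (one keystream reused for every infected computer)
and the known-plaintext recovery described just above come down to the same property of stream
ciphers: ciphertext XOR known plaintext gives back the keystream. The following Python example,
added here and not taken from any ransomware or decryptor, builds a toy SHA-256 counter-mode
keystream as a stand-in for whatever cipher the malware used, shows that one intact backup plus
its encrypted copy yields the keystream for every other file of the same or shorter length, and
shows why a per-file random nonce, the usual fix, defeats the attack. The key, the file names and
their contents are constructed.

```python
import hashlib
import os
from typing import Callable, Dict, Tuple

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256(key || nonce || counter) blocks, truncated.
    Like AES-CTR or ChaCha20, it is only safe while (key, nonce) never repeats."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    """XOR up to the length of the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

# The flaw: a constant nonce means every file on every victim is XORed with
# the very same keystream (assumed structure, not TorrentLocker's real code).
FIXED_NONCE = b"\x00" * 16

def flawed_encrypt(files: Dict[str, bytes], key: bytes) -> Dict[str, bytes]:
    return {name: xor(data, keystream(key, FIXED_NONCE, len(data)))
            for name, data in files.items()}

def fixed_encrypt(files: Dict[str, bytes], key: bytes,
                  rng: Callable[[int], bytes] = os.urandom) -> Dict[str, Tuple[bytes, bytes]]:
    """The fix: a fresh random nonce per file, stored next to the ciphertext."""
    out = {}
    for name, data in files.items():
        nonce = rng(16)
        out[name] = (nonce, xor(data, keystream(key, nonce, len(data))))
    return out

def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: P XOR (P XOR K) = K, for as many bytes as are known."""
    return xor(known_plaintext, ciphertext)

def decrypt_with_keystream(ks: bytes, ciphertext: bytes) -> bytes:
    """Decrypts only the prefix the recovered keystream covers; longer files
    need a longer known plaintext, which is the practical limit of this technique."""
    return xor(ciphertext, ks)

def sample_files() -> Dict[str, bytes]:
    """Constructed victim files; the defender has an intact backup of report.docx only."""
    filler = hashlib.sha256(b"constructed sample data").digest()
    return {
        "report.docx": b"PK\x03\x04 constructed office document " + filler * 8,
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF constructed image " + filler * 5,
        "notes.txt": b"meeting notes, constructed sample text\n" + filler * 3,
    }

def demo() -> Dict[str, bool]:
    key = hashlib.sha256(b"attacker key, never seen by the victim").digest()
    files = sample_files()
    # Flawed scheme: backup + encrypted copy of one file unlocks the others.
    ct = flawed_encrypt(files, key)
    ks = recover_keystream(files["report.docx"], ct["report.docx"])
    photo_ok = decrypt_with_keystream(ks, ct["photo.jpg"]) == files["photo.jpg"]
    notes_ok = decrypt_with_keystream(ks, ct["notes.txt"]) == files["notes.txt"]
    # Fixed scheme: the recovered keystream is valid for report.docx alone.
    ct2 = fixed_encrypt(files, key)
    ks2 = recover_keystream(files["report.docx"], ct2["report.docx"][1])
    photo_fixed = decrypt_with_keystream(ks2, ct2["photo.jpg"][1]) == files["photo.jpg"]
    return {"flawed_photo_recovered": photo_ok,
            "flawed_notes_recovered": notes_ok,
            "fixed_photo_recovered": photo_fixed}

if __name__ == "__main__":
    print(demo())
```

Note that the attack never recovers the key itself, only the keystream, which is why a decryptor
built on this principle needs a known plaintext at least as long as the largest file it is asked to
restore.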
The article is mostly PR, but some tidbits are interesting. The author is incompetent and uses
phrases like "agencies were compromised by a Distributed Denial of Service Attack".
So far, the truth about the extent of the U.S.'s offensive attacks against other countries has
been shadowy at best. There's Stuxnet, which has yet to be officially attributed to the U.S. (or
Israel), and NSA leaker Edward Snowden's recent claim the U.S. has launched widespread cyberattacks
against China. Beyond that, the closest we've come was Hillary Clinton's admission last year of
a State Department attack on an Al Qaeda propaganda site in Yemen.
The tensions around this topic are partly because the laws governing cyberwar are still being
determined. As Rear Adm. Margaret Klein, chief of staff of Cyber Command, the Ft. Meade-based defense
center for U.S. military networks, put it last year,
"Attorneys and scholars face a variety of complex
legal issues arising around the use of this new technology."
But experts are pushing for more offensive
measures regardless. The Commission on the Theft of American Intellectual Property concluded that
"new options need to be considered." It seems our government is already heeding the call.
A June leak of a presidential directive from Obama, which had been issued in
October, reveals that the U.S. is, at the very least, getting its cyberwarriors
in line. In addition to calling for a list of international targets, the
directive argued that
"Offensive Cyber Effects Operations... can offer unique and
unconventional capabilities to advance U.S. national objectives around the
world with little or no warning to the adversary or target and with
potential effects ranging from subtle to severely damaging."
But while the government remains quiet about the existence or extent of their
offensive measures, hackers and contractors I spoke with are, albeit cautiously,
more forthcoming.
... ... ...
But the government hires private contractors to do such attacks on its behalf
as well. The cyberwar underworld is rife with contractors who fashion themselves
to be "the Blackwater of the Internet," as Heid puts it, "information
mercenaries…private sector guys who are going on the offensive, but you don't
hear about it." At least not usually.
The former second-ranking officer in the United States military, retired Gen. James E. Cartwright
of the Marines, is a target of an investigation into the leak of classified information about American
cyberattacks on Iran's nuclear program, a person familiar with the investigation confirmed Thursday
night.
The leak investigation, being carried out by the United States attorney for Maryland, Rod J.
Rosenstein, was announced by Attorney General Eric H. Holder Jr. after articles in The New York
Times described an ambitious series of cyberattacks under the code name Olympic Games that were
intended to slow Iran's progress toward a nuclear bomb. That General Cartwright is a focus of the
leak inquiry was first reported by NBC News.
The general, 63, who served as vice chairman of the Joint Chiefs of Staff from 2007 to 2011,
became a favorite adviser of President Obama and was considered an influential voice in the White
House on security matters.
A lawyer for General Cartwright, Gregory B. Craig, who served as White House counsel early in
the Obama administration, declined to comment.
Marcia Murphy, a spokeswoman for Mr. Rosenstein, declined to confirm or deny whether General
Cartwright was being investigated. "We don't have any comment at all," Ms. Murphy said.
Since his retirement in 2011, General Cartwright has joined the Center for Strategic and International
Studies and has spoken in favor of major cuts in nuclear weapons and warned of possible "blowback"
from the use of drone aircraft by the United States in Pakistan and Yemen.
Asked about the NBC News report, Jill Abramson, executive editor of The New York Times, said,
"We don't comment on our confidential sources."
Since President Obama took office in 2009, seven current or former government officials or contractors
have been charged under the Espionage Act with leaking classified information, compared with three
under all previous presidents. The seventh person charged was Edward J. Snowden, the former National
Security Agency contractor who has acknowledged giving classified documents to The Guardian and
The Washington Post.
Press advocates have criticized the unprecedented crackdown on leaks, in which F.B.I. investigators
have used e-mail and telephone records to track exchanges between reporters and sources, saying
it endangers reporting on national security. But Mr. Obama and Mr. Holder have said that leaks can
put American security at risk.
Given the many reports circulating about a new type of malware that uses the .lnk vulnerability
in Microsoft Windows and Siemens SCADA systems, we provide a short overview of what is known, at
the moment, about these targeted attacks. A list of suggested information sources to consult is
included.
This sophisticated new type of malware [1], targeting command-and-control software installed in
certain critical infrastructures and production environments throughout the world, uses a known
default password that the software maker, Siemens, hard-coded into its systems. Coding a password
into software means that third parties can retrieve it by analyzing the code, though obfuscation
techniques can make this task more difficult. The password has been available since at least 2008,
when it was posted to a product forum in Germany [2]. The password itself appears to have been
deleted from this Siemens Technical Forum by a Siemens moderator soon after. This did not, however,
prevent the password from being published on a Russian-language Siemens forum [3], where it would
remain for two years. The password is used by the system to connect to its MS-SQL database. Some of
the forum posts claim that changing the password would cause the system to stop working.
The password is supposed to protect the database used by Siemens' Simatic WinCC SCADA system [4].
SCADA stands for Supervisory Control and Data Acquisition. A SCADA system is generally an
industrial control system installed in utilities and manufacturing facilities; it monitors and
controls a particular process. SCADA systems have been the focus of much controversy lately for
being potentially vulnerable to, e.g., remote attacks by malicious outsiders trying to take control
of the processes for purposes such as espionage and sabotage, as these systems are mostly critical.
A good read on how to protect these systems is from the UK Centre for the Protection of National
Infrastructure (CPNI), which provides good practice guidelines for SCADA systems [5].
A German security expert, Frank Boldewin, found the hard-coded password in a new and sophisticated
piece of malware [6]. The malware is designed to spread through USB thumb drives to attack the
Siemens SCADA system. It exploits a new vulnerability in all versions of Windows [7], more
specifically in the handling of shortcut files (.lnk files). The code is launched by itself as soon
as a file manager (e.g. Windows Explorer) is used to view the contents of the stick (or any
infected drive, including network shares); no click on the file is needed.
This malware was first reported by security blogger Brian Krebs [8], who says that a security
firm in Belarus, VirusBlokAda [9], discovered it sometime in June. His analysis of the malware
shows that when a system gets infected, it first searches for the presence of Simatic WinCC. If
found, it uses the hard-coded password to access the database. If Simatic WinCC isn't present,
e.g. on a home user's system, the malware shouldn't harm the system much. This doesn't mean it
will stay harmless: the backdoor the malware provides will eventually be used for other malicious
purposes by attackers. This is actually already going on. According to ESET, two new malware
families exploiting the same .lnk vulnerability have been detected.
Siemens is said to have assembled a team of experts to evaluate the problem. They have also devoted
a portion of their support website to this specific problem [10]. The security issue is a big problem
for critical infrastructures but the vulnerability that the malware exploits is of a much greater
immediate concern for the average user.
Microsoft issued a mitigation workaround to address the vulnerability: users should disable the
WebClient service and disable the display of shortcut icons by modifying the Windows registry.
Some security experts have criticized Microsoft for these suggestions, noting that the workarounds
are not easy to apply in some environments and that disabling the WebClient would possibly break
other services (disabling icon display also turns every shortcut on the desktop into a blank
icon). Microsoft provides a 'Fix it' download that applies the registry change [11].
A trusted source from Microsoft indicates that using Microsoft RDP (Remote Desktop Protocol) to fix
a remote server has no impact on the machine from which the RDP session is started. The .lnk
icons are transmitted to the client as bitmaps, so they cannot trigger the vulnerability there.
Strange or unexpected icon behaviour when using RDP to check the treated remote server after the
mandatory reboot is most likely due to caching mechanisms. This may not be the case with other
remote desktop solutions; basically it is a result of the way links are presented, and in
Microsoft RDP they are presented as bitmaps.
An interesting article is one from M-unition [13]. It describes how the malware was signed with a
legitimate certificate. The first problematic driver was signed with a certificate belonging to
Realtek; a new variant of Stuxnet has already been seen using a driver signed with a compromised
JMicron certificate. Verisign has already revoked the certificates, but this does not seem to
prevent the malware from infecting systems: Windows does not consult revocation information when
loading an already signed kernel driver, so revocation mainly helps security products that check
the certificates themselves.
New variants have already been spotted. Organizations that fall victim to related malware should
contact their anti-virus vendor for assistance to guarantee the continuity of the organization's
processes after the cleanup.
Related or not, according to the Dutch security website Security.nl [14], a well-known Dutch dairy
cooperative was attacked too. The attackers tried to infiltrate the SCADA systems, but a network
protection appliance detected the targeted attack. This happened while the cooperative was trying
to obtain ISA-99 certification [15] for the security of systems in a production environment.
Apparently, the firmware update (also) contained an adapted version of the well-known Conficker
worm [16].
Possible motives for this attack could be a competitor trying to get hold of sensitive information
or to disrupt production.
More details can be read in the original blog article [14].
For more info about Stuxnet one could read the posts from Kaspersky Lab Expert Costin Raiu. He
also provided some FAQs about Stuxnet [17]. The Microsoft Malware Protection Center blogpost should
also be seen as a good reference about Stuxnet [18].
[1] http://www.wired.com/threatlevel/2010/07/siemens-scada/
[2] http://www.automation.siemens.com/forum/guests/PostShow.aspx?PostID=1612...
[3] http://iadt.siemens.ru/forum/viewtopic.php?p=2974&sid=58cedcf3a0fc7a0b6c...
[4] http://nl.wikipedia.org/wiki/Supervisory_control_and_data_acquisition
[5] http://www.cpni.gov.uk/ProtectingYourAssets/scada.aspx
[6] http://www.wilderssecurity.com/showthread.php?p=1712146
[7] http://www.microsoft.com/technet/security/advisory/2286198.mspx
[8] http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-...
[9] http://www.anti-virus.by/en/index.shtml
[10] http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&l...
[11] http://support.microsoft.com/kb/2286198
[12] http://blog.didierstevens.com/2010/07/18/mitigating-lnk-exploitation-wit...
[13] http://blog.mandiant.com/archives/1236
[14] http://www.security.nl/artikel/33906/Gerichte_hackeraanval_op_zuivelco%C...
[15] http://www.isa-99.com/
[16] http://www.confickerworkinggroup.org/
[17] http://www.securelist.com/en/blog/2236/Stuxnet_signed_certificates_frequ...
[18] http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx
The nation's energy companies are scrambling to meet government regulations going into effect as
soon as January that in part are designed to safeguard the computer-based control systems for
electricity and gas distribution from cyberattacks.
Top energy IT officials say they are challenged to meet the new rules because the supervisory
control and data acquisition (SCADA) systems used to manage their resources increasingly are based
on Windows and Unix but weren't really designed with network security in mind. The systems often
don't work easily with antivirus software and can be tough to patch, they say.
In addition, the SCADA systems increasingly share the same corporate network as other business
applications, but the people running the SCADA and voice/data networks are on separate teams. "In
companies I've seen, they choose to be separate," said Evon Salle, senior information systems auditor
at OGE Energy, in Oklahoma City, and a forum participant at the IT Security World Conference here.
Congress took up the cause of greater SCADA security after a massive power blackout in the summer
of 2003, passing legislation that has led to the creation of nine
Critical Infrastructure Protection (CIP) rules.
These were devised under the aegis of the North American Electric Reliability Council (NERC),
the trade group recently chosen by the
Federal Energy Regulatory Commission to set mandatory security standards for the energy sector.
NERC also is expected to be in charge of rules enforcement, which could include dishing out million-dollar
fines for noncompliance.
The CIP rules cover areas such as reporting sabotage, ensuring physical security, monitoring
and running antivirus controls, and doing patch updates on all critical assets, including control
centers, substations and SCADA systems.
Energy companies say they're prodding SCADA operations groups to work with the corporate IT departments
to impose firewalls, access control, encryption and antivirus controls if they weren't there before.
But technical challenges remain.
"A lot of times you won't have virus protection in a SCADA environment," Salle said.
"Virus software, such as from McAfee and Symantec, thinks the SCADA system is a virus and that's
why you can't run it."
The biggest risk is "SCADA not having a firewall, while also having Internet access," she added.
Energy companies acknowledge that their SCADA systems haven't been immune to virus outbreaks.
"We've had viruses hit one of our plants," said Charles Simons, manager of firewall integrity
management at BP Global. The company immediately firewalled off its process-control networks and
put corporate IT security in control of industrial systems.
Complying with the CIP guidelines to cordon off SCADA and apply a battery of security controls
is proving difficult for some.
"It's quite a culture change for us, especially for substations and generators," said Sharon
Edwards, project manager for implementing the cybersecurity guidelines at Duke Energy. So far, Duke
Energy hasn't been able to identify vendors that would help in implementing the enormous log collection
and management and other requirements dictated by CIP.
03.22.11
The security of critical infrastructure is in the spotlight again this week after
a researcher released attack code that can exploit several vulnerabilities found in systems used
at oil-, gas- and water-management facilities, as well as factories, around the world.
The 34 exploits were published by a researcher on a computer security mailing list
on Monday and target seven vulnerabilities in SCADA systems made by Siemens, Iconics, 7-Technologies
and DATAC.
Computer security experts who examined the code say the vulnerabilities are not
highly dangerous on their own, because they would mostly just allow an attacker to crash a system
or siphon sensitive data, and are targeted at operator viewing platforms, not the backend systems
that directly control critical processes. But experts caution that the vulnerabilities could still
allow an attacker to gain a foothold on a system to find additional security holes that could affect
core processes.
SCADA, or Supervisory Control and Data Acquisition, systems are used in automated
factories and in critical infrastructures. They came under increased scrutiny last year after the
Stuxnet worm infected more than 100,000 computers in Iran and elsewhere.
The worm was designed to target a specific component known as a programmable logic
controller, or PLC, used with a specific Siemens SCADA system. It was widely believed to be aimed
at a PLC controlling centrifuges at the Natanz uranium-enrichment plant in Iran.
The exploit codes released this week
were posted to the Bugtraq mailing list on
Monday by security researcher Luigi Auriemma who wrote that he knew nothing about SCADA before uncovering
the vulnerabilities in a series of tests.
Auriemma told the Register
that he published the vulnerabilities and attack codes to draw attention to security problems with
SCADA systems.
His move got the attention of U.S.
ICS-CERT, or Industrial Control Systems–Computer Emergency Response Team, which subsequently
published advisories for the
vulnerabilities.
The systems that are affected include
Siemens Tecnomatix FactoryLink,
Iconics, Genesis32 and Genesis64,
DATAC RealWin, and 7-Technologies IGSS.
The Iconics and DATAC systems are
most heavily used in the United States, according to Joel Langill, a
control-systems security specialist. Langill
says the Iconics systems are used in the oil and gas industry in North America, and the DATAC system
is often found in municipal wastewater management facilities. He is not aware of any of the programs
being used at important nuclear facilities.
"Most of these don't tend to be high-reliability products," he said. "And in nuclear
you need high reliability."
Of the 34 attacks Auriemma published, seven of them target three buffer-overflow
vulnerabilities in the Siemens system, an old legacy system that Siemens plans to stop supporting
next year. One of the attacks against the Siemens system would simply result in a denial-of-service,
but the other two would allow an attacker to remote-copy files into the file systems, according
to Langill.
"As a proof of concept, that could actually be very dangerous, because it would
allow you to drop in a malicious payload," he said. "I would want to patch that fairly fast."
The Iconics system involves 13 attacks - all targeting one vulnerable process.
Langill said these were the least-developed attack codes Auriemma released. None of them would allow
an intruder to execute code on the system.
The 7-Technologies IGSS attack involves eight different exploits targeting two
vulnerabilities in that system. Langill considered these the most impressive, noting that at least
one of the attacks would allow remote execution of malicious code on the system.
"It was very easy to drop files onto the host," he said about his test of the
code.
The DATAC RealWin system involves seven attack codes targeting one vulnerability.
Although the attacks don't target programmable logic controllers directly, they
would allow an attacker to mask what an operator sees on his monitor, by changing data that appears
on his screen. Therefore, if an attacker can find and attack vulnerabilities in a PLC connected
to these systems, he could make it appear to the operator that everything is functioning on the
PLC correctly.
"I could download operator graphics to my system, modify them and then upload
those modified graphics to the operator," Langill said. "Idaho National Labs has shown that to be
a very effective attack vector to fake out the operator."
Langill said, however, that the likelihood that any of these vulnerabilities would
be attacked remotely is low, because such systems are generally not connected to the internet.
But the bottom line, Langill says, is that Auriemma showed that even someone with no knowledge
of SCADA could, in a very short time, take SCADA software that is easily obtained by anyone and
generate exploits that could reasonably impact operations.
"He's done the hard part to give someone a way into the system," Langill said.
"Someone else who knows the system can now go in and find a way around in it, to launch the malicious
act."
UPDATE: Story updated to correct the misspelling of Langill's name.
Softpanorama Recommended
SCADA - Wikipedia, the free encyclopedia
2006 revamp of SCADA security in the USA
Stuxnet attack