Monday, November 20, 2017 @ 03:11 PM gHale

SecurityMatters and Waterfall Security Solutions inked a global partnership Monday to protect industrial control systems.

The joint solution integrates SecurityMatters’ SilentDefense network monitoring platform with Waterfall’s Unidirectional Security Gateways to enable industrial enterprises to continuously and centrally monitor industrial control networks.

SecurityMatters’ SilentDefense is an OT network monitoring and intelligence platform that provides visibility into the network, threat detection for it, and control over it.

Waterfall’s Unidirectional Security Gateways are an alternative to perimeter firewalls: hardware-enforced one-way links that replicate data out of the industrial network while physically preventing any traffic from flowing back in.

With this joint solution, security operations personnel can centrally monitor industrial network activity, status, and threats, without allowing any cyber attacks back into the industrial network. 

“We are delighted to join the partner program of Waterfall Security, the de facto global standard in its category. By combining our two products, industrial operators will have full visibility and continuous monitoring into their assets, while assuring that no unauthorized communication makes it through,” said Damiano Bolzoni, SecurityMatters’ chief executive.

“Monitoring threats is essential to operational continuity, but central monitoring of our control networks demands interconnectivity with those networks, and such connectivity through firewalls entails unavoidable risks,” said Lior Frenkel, chief executive and co-founder of Waterfall Security Solutions. “Waterfall’s partnership with SecurityMatters comprehensively addresses these risks. The layer of protection provided by Waterfall’s unidirectional gateway technology means industrial enterprises can reap the benefits of central security monitoring, while keeping their industrial networks secure from online attacks.”

Monday, October 23, 2017 @ 12:10 PM gHale

Nozomi Networks Inc. released its SCADAguardian and its Central Management Console (CMC).

With this 17.5 release, Nozomi Networks delivers an advanced ICS threat detection solution coupled with an API that enables OT/IT integration within organizations.

The addition of a multi-tenant CMC opens a new market for Nozomi Networks to empower managed security service providers (MSSP) with ICS monitoring and detection services.

Amid escalating cyber-attacks that threaten critical infrastructure reliability, these capabilities offer visibility to rapidly identify and respond to targeted attacks, ensure uptime and improve resilience.

“With this release, we’ve reinforced our commitment to meeting the needs of the world’s most demanding critical infrastructure operators,” said Andrea Carcano, Nozomi Networks co-founder and chief product officer. “By innovating a hybrid approach to ICS threat detection, we apply machine learning and artificial intelligence to correlate behavior-based anomaly and signature-based detection methods.”

The latest enhancements to SCADAguardian and the CMC include:

Hybrid ICS threat detection: SCADAguardian’s behavior-based anomaly detection is enriched with signature and rules-based threat detection capabilities.

Multi-tenant ICS cybersecurity protection: The new CMC enables Managed Security Service and Managed Detection and Response providers (MSSPs and MDRs) to extend their services to encompass monitoring and protections of industrial control networks.

Open APIs and protocol SDK for IT/OT integration and extensibility: Expanding on its built-in integrations for firewalls, SIEMs and other IT security infrastructure, SCADAguardian now includes an open API for deeper integration with IT and ICS applications. A new SDK for protocol integration makes it possible for operators and partners to add support for additional protocols, proprietary or otherwise.

Friday, October 20, 2017 @ 03:10 PM gHale

The Federal Energy Regulatory Commission (FERC) proposed new cyber security management controls to enhance the reliability and resilience of the nation’s bulk electric system.

“FERC proposes to approve Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security - Security Management Controls), which is designed to mitigate cyber security risks that could affect the reliable operation of the Bulk-Power System,” FERC officials said.

The new standard will particularly improve on existing standards for access control, “by clarifying the obligations that pertain to electronic access control for low-impact cyber systems; adopting mandatory security controls for transient electronic devices, such as thumb drives and laptop computers; and requiring responsible entities to have a policy for declaring and responding to CIP exceptional circumstances related to low-impact cyber systems,” officials said in a post.

FERC also said the North American Electric Reliability Corp (NERC) should develop criteria for mitigations against the risks resulting from any malware that could come from third-party transient devices.

“These modifications will address potential gaps and improve the cyber security posture of entities that must comply with the CIP standards,” FERC said.

“Regulation governing power grid cyber risks is not new as, for almost a decade, the introduction of various controls have sought to keep pace with evolving threats to this sector,” said Edgard Capdevielle, chief executive of Nozomi Networks. “Despite the way in which threats, including malware, are deployed – be it from spear phishing, infected laptops or compromised USB drives, it is unquestionable that it poses a serious risk. Whether compelled by regulation or not, the identification of malware within utilities is prudent and thankfully, due to advances in technology, is now a relatively simple process that grid operators can implement to ensure infections don’t affect their system operations.”

Wednesday, October 11, 2017 @ 04:10 PM gHale

Nozomi Networks inked a partnership pact with FireEye to provide ICS visibility across IT and OT environments.

“Adversaries are increasingly targeting critical infrastructure around the world and operators are prioritizing cybersecurity for industrial control systems and other types of operational technology,” said FireEye CTO Grady Summers. “After extensive review, we chose Nozomi Networks because their platform provides … capabilities which allow us to detect anomalies and proactively hunt for threats within industrial environments.” 

Organizations in industries from energy to manufacturing are becoming increasingly reliant on the interconnection between information technology networks and industrial control systems. Connectivity between these systems introduces new risks and challenges for those looking to manage them with a single enterprise-wide security solution.

FireEye’s solutions for critical infrastructure and industrial control systems offer an integrated suite of security services from initial assessment to outsourced management.

With FireEye, organizations can develop and manage enterprise-wide security programs designed to ensure operational continuity of their most critical assets. With expanded visibility through the Nozomi technology integration, users can increase visibility and improve detection and response capabilities.

Tuesday, September 26, 2017 @ 03:09 PM gHale

By Gregory Hale
Manufacturing is in plain sight for bad guys planning a cyberattack or cyberespionage, a new report found.

And why not? For the most part, manufacturing remains low-hanging fruit for anyone wanting to get in and abscond with data, money, or intellectual property.

The scope and diversity of cyber threats to manufacturers have grown from Stuxnet or Shamoon-like attacks to the relatively frequent ransomware risks.

Beyond malware attacks on industrial firms, cyberattacks on manufacturers can include efforts to corrupt data, steal intellectual property, sabotage equipment, and disable networks. The motives and impacts vary widely, but all such cyberattacks cost time and money to firms and their customers. These growing cyberattacks pose increasing risks to economies and societies at large.

The report said there is a critical need for U.S. government and industry to build an effective cybersecurity framework to safeguard against a future major attack on the U.S. manufacturing industry.

The report, entitled “Cybersecurity for Manufacturers,” came from the Computing Research Association’s Computing Community Consortium (CCC) and MForesight, a federally-funded consortium for the U.S. manufacturing industry.

While cyberattacks still most often target high profile sectors such as financial services, public administration, and utilities, manufacturing as an industry is a significant target.

“In the past, the manufacturing sector has been concerned about cyberattacks that aim to extract intellectual property such as engineering information, formulas, or other proprietary data that might be the target of industrial espionage,” said Edgard Capdevielle, chief executive at Nozomi Networks. “However, recent attacks on a wide range of industries have raised concern about the resiliency and reliability of the supply chain that is critical to manufacturing operations and to other aspects of national security, such as military equipment and supplies. Now manufacturers have joined the ranks of other critical infrastructure industries taking steps to secure not only their intellectual property, but also their operational systems and industrial control systems (ICS) that comprise the foundation of production line operations. Leading edge companies are using technologies that apply artificial intelligence and machine learning for real-time detection and response to cyber-attacks. The frequency and sophistication of cyberattacks targeting manufacturing is likely to accelerate. Fortunately, the latest technological advances are giving manufacturers the tools to help detect and remediate their operations amid an escalating threat landscape.”

The scale and variety of cyberattacks on U.S. manufacturers have been growing in recent years and are quickly approaching a critical level.

The lack of recognition of the threat may represent the greatest risk of cybersecurity failure for U.S. manufacturers, since they are the targets of nearly half the known global cyberattacks on manufacturing, the report found.

Manufacturers are often the targets of cyber-espionage attacks that seek to steal intellectual property (IP) and trade secrets.

Citing research done by Symantec, the report found more than half of successful IP thefts involved state-affiliated actors, and 57 percent of these attacks had their origins in China—although detection of Chinese-origin malware has fallen following a 2015 cyber agreement signed between the United States and China.

There are no simple solutions, but the report discussed a few options:
• Manufacturers need trusted third-party partners, and there’s space for the creation of a new public-private partnership focused on manufacturing supply chain cybersecurity.
• Public and private partners can expand and coordinate manufacturing cybersecurity “boot camps” to boost awareness of best practices and train key manufacturing personnel to mitigate risks.
• There is a need for R&D investment in solving near-term security challenges and seizing opportunities, including: Automated risk assessment tools, tools to audit the extent of attacks, robust parts and data validation.
• There’s also a need for long-term research investments, like the creation of “security reference architectures” for manufacturing. This means working to define Information Technology and Operational Technology functions as well as consistent standards and integration requirements for diverse players and system “touchpoints.”
• Information-sharing matters. An Information Sharing and Analysis Center (ISAC) or similar body could facilitate fault-free, anonymous sharing on incidents, threats, vulnerabilities, best practices, and solutions. Existing ISACs provide useful models.

Thursday, September 21, 2017 @ 02:09 PM gHale

Iran appears to be a hotbed of cyber espionage activity, as researchers have linked a group that focuses on aerospace and energy companies to the Iranian government.

The group, which security firm FireEye calls APT33, has been in existence for at least four years and is now targeting companies in the U.S., Saudi Arabia and South Korea.

Since mid-2016, the security firm has spotted attacks aimed by this group at the aviation sector, including military and commercial aviation, and energy companies with connections to petrochemical production, FireEye researchers said in a blog post, written by Jaqueline O’Leary, Josiah Kimble, Kelli Vanderlee, and Nalani Fraser.

“APT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea,” the researchers said. “APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.”

The attackers focused on a U.S. aerospace company, a Saudi Arabian business with aviation holdings, and a South Korean firm involved in oil refining and petrochemicals.

In addition, the attackers used job vacancies at a Saudi Arabian petrochemical firm as a lure to target employees of organizations in South Korea and Saudi Arabia.

“We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia,” the researchers said.

“We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies,” the company added.

“The emergence of the Iranian hacker group APT33 reinforces the concerns of cybersecurity stakeholders that have been highlighted in the 2017 SANS Survey, regarding the fact that this hacking group seems to be state-funded and is actively targeting industrial networks using conventional IT network channels,” said Edgard Capdevielle, chief executive of Nozomi Networks. “In the case of APT33, the group attacks their targets using job recruitment phishing emails aimed at the aerospace industry. While the geo-political motivations of APT33 are targeted against Saudi Arabian interests for now, global aerospace and energy organizations should take notice of APT33’s methods of attack to implement proper detection and remediation strategies.”

According to FireEye, the cyber espionage group sent hundreds of spear phishing emails last year. They set up several domains made to look as if they belonged to Saudi aviation firms and international organizations that work with them, including Alsalam Aircraft Company, Boeing and Northrop Grumman Aviation Arabia.

The malware used by the group includes a dropper tracked by FireEye as DROPSHOT, a wiper named SHAPESHIFT, and a backdoor called TURNEDUP. DROPSHOT was previously analyzed by Kaspersky, which tracks it as StoneDrill.

“We assess an actor using the handle “xman_1365_x” may have been involved in the development and potential use of APT33’s TURNEDUP backdoor due to the inclusion of the handle in the processing-debugging (PDB) paths of many of TURNEDUP samples,” the researchers said.

In short, FireEye researchers said the attackers were seeking information to help the government’s various causes.

“Based on observed targeting, we believe APT33 engages in strategic espionage by targeting geographically diverse organizations across multiple industries,” the researchers said. “Specifically, the targeting of organizations in the aerospace and energy sectors indicates that the threat group is likely in search of strategic intelligence capable of benefitting a government or military sponsor. APT33’s use of multiple custom backdoors suggests that they have access to some of their own development resources, with which they can support their operations, while also making use of publicly available tools. The ties to SHAPESHIFT may suggest that APT33 engages in destructive operations or that they share tools or a developer with another Iran-based threat group that conducts destructive operations.”

Tuesday, August 8, 2017 @ 05:08 PM gHale

A new reference to support a workforce capable of meeting an organization’s cybersecurity needs has just been released by the National Initiative for Cybersecurity Education (NICE).

Special Publication 800-181, the NICE Cybersecurity Workforce Framework, provides organizations with a common, consistent lexicon that categorizes and describes cybersecurity work by category, specialty area, and work role.

The NICE Cybersecurity Workforce Framework (NICE Framework) improves communication about how to identify, recruit, develop, and retain cybersecurity talent. It is a resource from which organizations or sectors can develop additional publications or tools that meet their needs to define or provide guidance on different aspects of workforce development, planning, training, and education.

It also provides a superset of cybersecurity knowledge, skills, and abilities (KSAs) and tasks for each work role. The NICE Framework supports consistent organizational and sector communication for cybersecurity education, training, and workforce development.

“The first draft of the National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework will help critical infrastructure companies like oil and gas, power, water, manufacturing etc., to accelerate their hiring practices to close the skills gap in cybersecurity,” said Edgard Capdevielle, chief executive at Nozomi Networks. “They will now be able to articulate cybersecurity roles, area of specialty, category of work, and describe the knowledge, skills, and abilities of cybersecurity professionals that are needed. While it will take time to expand the workforce, new technologies are being applied that use Machine Learning (ML) and artificial intelligence (AI) to automate aspects of cybersecurity monitoring and detection. In areas of cybersecurity specialization such as industrial control systems where a cyberattack could have catastrophic effects, the combo of training and automation is speeding efforts to combat and remediate cyberattacks.”

The concept for the NICE Framework began before the establishment of NICE and grew out of the recognition that the cybersecurity workforce in the public and private sectors could not be consistently defined or assessed.

To address this challenge, more than 20 departments and agencies, the private sector, and academia came together to provide a common understanding of cybersecurity work. The common understanding developed has been expressed in two previous versions of the NICE Framework and has evolved with further engagement between the government, private sector, and academia.

The audiences for the framework are:
Employers — To help define their cybersecurity workforce, identify critical gaps in cybersecurity staffing, and create position descriptions consistent with national language.
Current and future cybersecurity workers — To help explore tasks and work roles and assist with understanding the KSAs being valued by employers for in-demand cybersecurity jobs and positions. Staffing specialists and guidance counselors are also enabled to use the NICE Framework as a resource to support these employees or job seekers.
Training and certification providers — To help current and future members of the cybersecurity workforce gain and demonstrate the KSAs.
Education providers — To help develop curriculum, certificate or degree programs, and research that cover the KSAs and tasks described.
Technology providers — To identify cybersecurity Work Roles and specific Tasks and KSAs associated with services and hardware or software products they supply.

Tuesday, August 8, 2017 @ 04:08 PM gHale

By Thomas Nuth
In the last decade market and cost pressures have driven significant technological advances in automation and industrial connectivity across all aspects of petroleum extraction, pipeline transport and refining.

While technological advances are delivering business benefits, systems now end up exposed to more cyber risks than ever before.

Yet, according to a 2017 survey by the Ponemon Institute, the deployment of cybersecurity measures in the oil and gas industry isn’t keeping pace with the growth of digitalization in operations.

In fact, 35 percent of respondents in the Ponemon survey rate their organization’s OT cyber readiness as high while 61 percent said their organization’s industrial control systems (ICS) protection and security is not adequate.

One way to overcome the ICS cybersecurity gap is to utilize next generation technology that leverages machine learning and artificial intelligence (AI) to deal with system complexity and deliver immediate benefits.

Here are two cases of how a passive ICS anomaly detection and monitoring solution secures pipeline networks.

While the oil and gas sector, including pipeline operators, are embracing technological advancements, risks from cyber threats are outpacing cybersecurity measures.

Efficiency of Equipment Commissioning
Quality assurance and quality control (QA/QC) is big business — and a big undertaking for oil and gas operations teams.

Typically, within the command structure between DCS/SCADA, each controller and endpoint must be tested under various process stress-factors and reported in a full-loop test. For example, a test engineer must command a valve to turn a certain percentage under various operational circumstances and record the impact on latency, availability, failure risk etc. This must be done in compliance with various regulations and the results reported.

If a network or device is added into the DCS/SCADA, the process must be repeated. This is arduous and resource-intensive; even more so for remote pipeline networks. However, a passive industrial cybersecurity and operational visibility solution deployed in the industrial network makes these processes more efficient.

How? Let’s first take a step back and explain how the solution is deployed and works:
• Passive ICS cybersecurity modules are deployed in the industrial network by being attached to mirror or SPAN ports of networking equipment at key segment points.
• The modules copy network traffic to themselves for rapid learning and analysis.
• Because a mirror port only copies frames out to the sensor, nothing is injected into the ICS network and production is not affected: no added latency, no new path for intrusion through the tap, and no risk of network downtime caused by the monitoring itself. The sensor and its management interface still need the same hardening and segmentation as any other host that sees control traffic.
• The ICS cybersecurity appliance leverages machine learning and AI techniques to rapidly analyze huge volumes of network communication and process variable data that are extremely difficult to evaluate any other way.
• This “smart” data analysis is used to model the pipeline system, and develop process and security profiles specific to it.
• Once baselines are established, high speed behavioral analytics are used to constantly monitor it.
• The result is the rapid detection of anomalies, including cyberattacks, cyber incidents and critical process variable irregularities.

In the commissioning scenario, new devices added to the network are quickly identified and highlighted in dashboards and reports using a central management console. Device information such as location, protocols, connections, manufacturer and model number is all available from the remote location.

A test engineer can check device performance by running queries and monitoring the values of process variables against established baselines to detect anomalies. This improves operator productivity and shortens the time to deployment of new equipment.
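The learn-then-monitor loop in the list above, and the commissioning checks just described (new devices surfacing, process values compared against a learned baseline), as an added example that is not Nozomi Networks code. It assumes a sensor on a SPAN port has already parsed Modbus/TCP-style traffic into (source, destination, protocol, function, tag, value) records; the hosts, tags and values below are constructed for the demonstration, and the "three standard deviations" rule is one simple choice of behavioral threshold, not the vendor's algorithm.

```python
"""Passive ICS baseline and anomaly detection over constructed flow records.

Added example, not Nozomi Networks code. A sensor on a SPAN port is assumed
to have parsed Modbus/TCP-style traffic into observations; we learn a
baseline during a quiet window, then flag new devices, new conversations
and process values that leave their learned band.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import statistics


@dataclass(frozen=True)
class Observation:
    src: str      # initiating host
    dst: str      # responding host (PLC/RTU)
    proto: str    # e.g. "modbus"
    func: str     # protocol function, e.g. "read_holding"
    tag: str      # process variable name mapped from the register address
    value: float  # value carried in the request/response


@dataclass
class Baseline:
    hosts: set = field(default_factory=set)
    flows: set = field(default_factory=set)    # (src, dst, proto, func)
    stats: dict = field(default_factory=dict)  # tag -> (mean, population stdev)


def learn_baseline(observations):
    """Build host/flow whitelists and per-tag statistics from a learning window."""
    base = Baseline()
    samples = defaultdict(list)
    for o in observations:
        base.hosts.update((o.src, o.dst))
        base.flows.add((o.src, o.dst, o.proto, o.func))
        samples[o.tag].append(o.value)
    for tag, values in samples.items():
        base.stats[tag] = (statistics.fmean(values), statistics.pstdev(values))
    return base


def detect(base, o, k=3.0):
    """Return a list of (kind, detail) alerts for one observation.

    A tag whose learned stdev is zero (a setpoint that never moved) alerts on
    any change at all; otherwise a value must drift more than k stdevs.
    """
    alerts = []
    for host in (o.src, o.dst):
        if host not in base.hosts:
            alerts.append(("new_device", host))
    flow = (o.src, o.dst, o.proto, o.func)
    if flow not in base.flows:
        alerts.append(("new_flow", flow))
    if o.tag not in base.stats:
        alerts.append(("new_tag", o.tag))
    else:
        mean, sd = base.stats[o.tag]
        deviation = abs(o.value - mean)
        if deviation > 0 and deviation > k * sd:
            alerts.append(("process_anomaly", (o.tag, o.value, round(mean, 2), round(sd, 2))))
    return alerts


# Constructed learning window: one HMI polling one PLC, pressure hovering near
# 800 psi and a valve setpoint that never changes.
HMI, PLC, EWS = "10.10.1.5", "10.10.1.20", "10.10.1.99"
LEARNING = [
    Observation(HMI, PLC, "modbus", "read_holding", "pressure_psi", v)
    for v in (798.0, 801.0, 803.0, 799.0, 800.0, 802.0)
] + [
    Observation(HMI, PLC, "modbus", "read_holding", "valve_pct", 40.0)
    for _ in range(6)
]

# Constructed monitoring stream: a normal poll, then a never-seen engineering
# workstation writes the valve wide open.
MONITORING = [
    Observation(HMI, PLC, "modbus", "read_holding", "pressure_psi", 803.0),
    Observation(EWS, PLC, "modbus", "write_single", "valve_pct", 100.0),
]


def run_demo():
    """Learn from LEARNING, then return (source host, alerts) per monitored record."""
    base = learn_baseline(LEARNING)
    return [(o.src, detect(base, o)) for o in MONITORING]


if __name__ == "__main__":
    for src, alerts in run_demo():
        print(src, alerts or "ok")
```

The second monitored record raises three alerts at once (unknown host, unknown conversation, setpoint outside its learned band), which is the pattern a commissioning engineer or SOC analyst would expect from either a newly installed device or a compromised workstation; the baseline is what lets the two be told apart by comparing against the commissioning plan.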

Schematic showing the deployment of passive ICS security modules at various oil and gas sites. Real-time anomaly detection data and monitoring information from these sites can be monitored at central controls rooms or SOCs.

How to Improve ICS Cybersecurity
Good ICS cybersecurity solutions provide operators the ability to monitor networks and security risks across multiple site locations. This is important for achieving robust cybersecurity monitoring and operational excellence in any large-scale oil and gas control endeavor.

Typically, this is achieved with a multi-tiered ICS cybersecurity approach whereby geo-distributed networks with passive ICS cybersecurity appliances link together with a centralized console or virtual interface. This allows offsite, centralized, real-time monitoring of cyber threats and risks, anomalous changes to pipeline flow variables and network communication irregularities.

If cyber risks or new nodes end up detected, field operations and centralized control can work in concert to identify, evaluate and consistently improve operations and mitigate risk. This is directly applicable to pipeline networks where small changes in traffic flows or device behavior could indicate a cyber threat or potential point of failure.

An enterprise-ready passive ICS cybersecurity solution allows OT and IT users alike to clone useful dashboards and network queries for use on new appliances. Items like table views, compliance metrics and report templates are quickly duplicated, giving a unified approach to ICS security and operational management. Device and network traffic can easily be compared from site to site, significantly reducing mitigation, troubleshooting and forensic effort.

Cybersecurity Gap
To deal with the challenges of increasing digitization and cyber risks, oil and gas operators need to be aware of how new technology solutions can help. Passive ICS anomaly detection tools can utilize machine learning and AI to quickly learn complex pipeline systems and monitor them in real-time.

This solution is non-intrusive, simple to deploy, and immediately starts providing useful, actionable information that reduces cyber risks and improves operational efficiency.

Furthermore, with flexible data aggregation available via the enterprise-ready CMC, real-time cybersecurity and operational visibility is available across decentralized and geographically dispersed operations.
Thomas Nuth is global director, product and solutions technology at Nozomi Networks. This was an excerpt from a Nozomi Networks blog.

Monday, July 10, 2017 @ 05:07 PM gHale

Although the campaign had been underway for some time, the attacks that recently made news for targeting energy facilities in the U.S. used an approach called template injection, researchers said.

While attacks against energy companies like nuclear plants are nothing new, they did garner some attention when The New York Times obtained a joint report issued by the Department of Homeland Security and the FBI warning of cyberattacks targeting manufacturing plants, nuclear power stations and other energy facilities in the U.S. and elsewhere.

The attacks hit business and administrative systems at a dozen or more power firms in the United States, including the Wolf Creek nuclear facility in Kansas.

The campaign has been active since at least May and an initial investigation showed the techniques used by the hackers were similar to ones associated with a Russia-linked threat actor tracked as Crouching Yeti, Energetic Bear and Dragonfly, according to the FBI/DHS report the Times obtained.

“The U.S. has to assume that all parts of critical infrastructure are being probed for vulnerabilities 24 by 7 from a risk management point of view,” said Andrea Carcano, co-founder and chief product officer at Nozomi Networks. “While Information Technology (IT) and Operation technology (OT) that control the electric grid systems and other critical infrastructure are separated, there have been increasing connections that warrant the use of real-time anomaly detection and machine learning. Risk management is an ongoing process. Up to date patching and the use of artificial intelligence and machine learning helps to harden the security that guards industrial control systems.”

The FBI/DHS alert said the attackers sent malicious emails to senior industrial control engineers in an effort to deliver malware designed to harvest credentials and allow them to access the targeted organization’s network.

Researchers at Cisco Talos viewed these attacks and found some of the malicious Word documents used by the hackers to gain access to the targeted organization’s network. The attacks focused on critical infrastructure firms around the world, but the primary targets appear to be the United States and Europe.

The malicious documents, disguised as resumes and environmental reports, do not rely on traditional methods such as VBA macros or other embedded scripts to deliver malware, the researchers said. Instead, the document carries a reference to an external template, and while Word is still loading the document it fetches that template from an attacker-controlled SMB server.

Loading the template this way, in what is known as a template injection attack, allowed the attackers to silently harvest the victim’s Windows credentials: connecting to the remote share makes the client authenticate to the attacker’s SMB server, which records the NTLM challenge-response material for later offline cracking. Blocking outbound SMB (TCP 445) at the perimeter and inspecting documents for external template references are the two practical checks against this technique.
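One way to check documents for the external template reference described above, as an added example that is not Cisco Talos or FBI/DHS tooling. It relies on the published OOXML layout: a .docx is a zip, `word/settings.xml` names an attached template through a relationship id, and `word/_rels/settings.xml.rels` carries the target. The scanner walks every `.rels` part and reports external targets that resolve to a remote host (UNC paths, URLs, and `file://host/...` but not `file:///C:/...`), so it also catches other externally-fetched parts such as linked objects. `build_docx()` produces a minimal constructed package for the demonstration; the TEST-NET address and file names in it are made up, and the package is not something Word would necessarily render.

```python
"""Flag Office documents whose template (or other part) is fetched remotely.

Added example, not Cisco Talos or FBI/DHS tooling. Scans every .rels part in
an OOXML package for relationships whose external target points at a remote
host; build_docx() fabricates a minimal package for the demonstration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")


def remote_host(target):
    """Return the host a relationship target refers to, or None if it is local."""
    if target.startswith("\\\\"):               # UNC path \\host\share\file
        parts = target.split("\\")
        return parts[2] if len(parts) > 2 and parts[2] else None
    u = urlparse(target)
    if u.scheme in ("http", "https", "smb", "ftp"):
        return u.hostname
    if u.scheme == "file" and u.netloc:          # file://host/share, not file:///C:/
        return u.netloc
    return None                                  # relative or local path


def find_remote_relationships(docx_bytes):
    """Return one finding per external relationship that resolves to a remote host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                host = remote_host(target)
                if host:
                    findings.append({
                        "part": name,
                        "relationship": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                        "host": host,
                    })
    return findings


def build_docx(template_target=None):
    """Constructed minimal package; template_target becomes the attachedTemplate."""
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                + ('<w:attachedTemplate r:id="rId1"/>' if template_target else "")
                + "</w:settings>")
    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_target:
        rels += (f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: template pulled over SMB from a TEST-NET address.
    for hit in find_remote_relationships(build_docx(r"\\203.0.113.10\share\resume.dotm")):
        print(hit)
```

A benign document that Word saved with its default template typically carries a `file:///C:/...` attachedTemplate target with `TargetMode="External"`, which is why the host check, rather than the mere presence of an external relationship, is what separates the lure from normal files.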

Wednesday, June 28, 2017 @ 02:06 PM gHale

By Gregory Hale
Industrial sites, along with other industries, are undergoing an attack from a new version of ransomware that is being called quite a few different names, but is infecting networks in countries across the globe.

Petya ransomware, which is what it is mainly called, encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate the ransomware exploits vulnerabilities in Server Message Block (SMB).

Chris Da Costa, global operations cyber security manager at Air Products and Chemicals said during a presentation at the Siemens Automation Summit 2017 in Boca Raton, FL, Wednesday, he had a meeting coming up after his talk regarding how his company is protected against this latest assault.

“Version 2 of WannaCry is on the loose,” Da Costa said. “A large pharmaceutical company was shut down. I am going back to talk to the team to understand what we have to do.”

This malware is being compared to the WannaCry outbreak that struck computers in more than 150 countries last month, but so far, at least, Petya seems to be spreading more slowly, to only about 64 countries.

Like WannaCry, the Petya ransomware demands a $300 bitcoin payment to retrieve encrypted files and hard drives. As of Wednesday morning, the account had received around $10,000. German email company Posteo blocked the email address the Petya hackers were using to confirm ransom payments, so victims who pay now have no channel through which to receive a decryption key.

Victims so far include the Ukrainian government, the country's National Bank and its largest power companies; airports and metro services in the country are also feeling the effects.

“The Ukraine continues to be in the cross-hairs of persistent cyber attackers,” said Edgard Capdevielle, chief executive of Nozomi Networks. “Whether you believe the Ukraine is a test-bed for nation state aggression or an issue between two specific countries, the continued barrage of attacks against Ukrainian infrastructure is disturbing.”

Companies Fall Victim
Shipping company A.P. Moller-Maersk reported a computer systems outage on Tuesday which it said could be a global issue.

“We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation,” Maersk said on Twitter.

A Maersk spokeswoman said the cause of the breakdown was not yet known, but that it could extend across the company’s global operations.

Russia’s top oil producer Rosneft said Tuesday its servers had been hit in a large-scale cyber attack, but its oil production was unaffected.

The malware is similar to WannaCry but leverages other techniques to propagate and encrypt systems, said Patrick McBride from Claroty in a blog post.

More Severe
Our initial analysis suggests that Petya’s potential impact on ICS networks appears to be more severe than WannaCry due to the following:
• Impact on ICS Windows machines: Petya does not encrypt files one by one per a matching extension list, but encrypts the master file table (MFT) so that the file system is not accessible, effectively bricking the machine. This means any infected HMI would be locked immediately. While this would not directly impact the underlying process, it would deprive all visibility and monitoring capabilities, which would lead in most if not all cases to a shutdown. The OT network would have to stay in manual mode until recovery of the infected Windows endpoints. Further, other SCADA components, e.g., historians, backup servers and engineering stations, would also be impacted.
• Propagation: Petya's propagation capabilities surpass those of WannaCry, as it leverages the user's privilege to propagate throughout the network (using PsExec). It also utilizes WMI as a propagation vector.

McBride also said the mitigation steps are similar to those used for WannaCry. Patch the following CVEs, he said: CVE-2017-0199 (the Microsoft Office remote code execution flaw abused through malicious documents) and CVE-2017-0144 (the SMBv1 flaw fixed in MS17-010 and exploited by EternalBlue).

McBride added some additional protection and recovery steps:
• Block SMB and WMI ports 135, 139, 445 and 1024-1035 TCP, if possible
1. NOTE: Some ICS software relies on these services, so this can impact operations.
2. Customers can use the Claroty Platform to determine if their current ICS environments are leveraging these ports/protocols.
• Block execution of .exe within %AppData% and %Temp% as a temporary measure to avoid infection until other mitigation steps can be taken. This may cause issues (for example, it will impact installers) but provides temporary relief until other mitigation steps can be taken.
• Check logs for IOCs below
• If infected:
1. Try to avoid a reboot. Run shutdown -a to abort the shutdown and preserve a copy of the MFT from memory for recovery (cmd /k shutdown -a).
2. Try not to format the encrypted systems, but rather take an image for use in the recovery steps.
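The note under the first step is the one that matters most in an OT network: before blocking 135, 139, 445 and the 1024-1035 range you need to know which control-system flows already use them, since OPC Classic over DCOM needs 135 plus dynamic high ports, and file shares between HMIs, historians and engineering stations ride on 445. The Python below is an added example, not code from Claroty or this article. It runs that inventory over a constructed connection log (in the shape of a Zeek conn.log cut down to six columns; every host, flow and timestamp is made up, and the OT address ranges in OT_NETS are an assumption) and separates flows a blanket block would break, which need a host-pair exception, from flows that can be dropped outright.

```python
import ipaddress
from collections import Counter

# Ports from the mitigation list: RPC endpoint mapper used by WMI and DCOM (135),
# NetBIOS session and SMB (139, 445) and the 1024-1035 TCP range.
BLOCK_PORTS = {135, 139, 445} | set(range(1024, 1036))

# Constructed sample log. 192.0.2.0/24 is a documentation range standing in for
# "somewhere outside the OT network"; nothing here comes from a real incident.
SAMPLE_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1498665600\t10.10.1.20\t49201\t10.10.1.5\t445\ttcp
1498665601\t10.10.1.20\t49202\t10.10.1.5\t135\ttcp
1498665602\t10.10.1.20\t49203\t10.10.1.5\t1029\ttcp
1498665603\t10.10.2.7\t50110\t10.10.1.21\t445\ttcp
1498665604\t10.10.1.21\t49500\t10.10.1.30\t502\ttcp
1498665605\t192.0.2.44\t40001\t10.10.1.21\t445\ttcp
"""

OT_NETS = ["10.10.1.0/24", "10.10.2.0/24"]   # assumed OT address ranges


def parse_conn_log(text):
    """Parse the tab-separated log into dicts; the first line is the header."""
    lines = [l for l in text.strip().splitlines() if l and not l.startswith("#")]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        f = dict(zip(header, line.split("\t")))
        rows.append({"src": f["id.orig_h"], "dst": f["id.resp_h"],
                     "dport": int(f["id.resp_p"]), "proto": f["proto"]})
    return rows


def plan_block(log_text, ot_cidrs, block_ports=BLOCK_PORTS):
    """Classify observed TCP flows on the candidate block ports.

    needs_exception: both ends inside the OT ranges, so a blanket block would
                     break an existing dependency; write a host-pair rule.
    safe_to_block:   at least one end outside the OT ranges; drop it.
    unaffected:      count of flows the proposed rule does not touch at all.
    """
    nets = [ipaddress.ip_network(c) for c in ot_cidrs]

    def in_ot(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    needs_exception, safe_to_block = set(), set()
    unaffected = 0
    for r in parse_conn_log(log_text):
        if r["proto"] != "tcp" or r["dport"] not in block_ports:
            unaffected += 1
            continue
        flow = (r["src"], r["dst"], r["dport"])
        if in_ot(r["src"]) and in_ot(r["dst"]):
            needs_exception.add(flow)
        else:
            safe_to_block.add(flow)
    return {
        "needs_exception": sorted(needs_exception),
        "safe_to_block": sorted(safe_to_block),
        "unaffected": unaffected,
        "ports_in_use": dict(Counter(p for _, _, p in needs_exception)),
    }


if __name__ == "__main__":
    plan = plan_block(SAMPLE_LOG, OT_NETS)
    for flow in plan["needs_exception"]:
        print("keep  %s -> %s tcp/%d" % flow)
    for flow in plan["safe_to_block"]:
        print("block %s -> %s tcp/%d" % flow)
    print("ports still needed inside OT:", plan["ports_in_use"])
```

The exceptions this turns up are also exactly the paths PsExec and WMI lateral movement would take, so scope them to the specific host pairs the log shows rather than reopening the ports across the whole OT range, and review them again once the MS17-010 patches are in place.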

Need Protection
“Although details are still emerging, one thing is clear, attacks such as these do not discriminate between geography or industry,” said David Zahn, GM of ICS Cybersecurity at PAS. “Like the WannaCry attack, critical infrastructure was caught in the cross hairs with early reports identifying oil & gas and power as victims. Banking and pharmaceuticals also experienced issues.

“Prima facie, the motive behind this attack looks financial. But, were the motivation different, we’d face a much more serious situation today. Within critical infrastructure companies, such as chemical processing, there are proprietary industrial control systems responsible for production reliability and safety,” Zahn said. “Compromising these systems could impact the environment, cause injury, or disrupt production. It’s also possible the effect would be less noticeable. Imagine the process at a pharmaceutical plant being altered instead of halted.”

New Era of Attacks
“It would seem we have arrived at the dawn of the ICS (Industrial Control System) attack,” said Bryan Singer, director of security services at IOActive. “For the past ten years any attacks to industrial control systems have been one off, specifically targeted attacks by insiders; or otherwise had very limited visibility. For instance, we still talk about Vitek Boden from 2001 and Stuxnet in 2010. But it seems like over the last few weeks we have hit a new era, it is now impossible to say ‘that can’t happen to us’ any more.”

“The ransomware appears to be a new version of Petya that could possibly have similar characteristics to WannaCry, employing EternalBlue to spread to other systems before encrypting files and demanding payment,” Singer said. “One major difference between this outbreak and WannaCry though, is the possible inclusion of exploit code for another known vulnerability CVE-2017-0199, affecting Microsoft Office to further spread the payload.”

“If rumors prove true that this attack was initiated by the EternalBlue exploit, it is a well-known vulnerability using SMBv1,” said Andrea Carcano, co-founder and chief product officer of Nozomi Networks. “SMB is a protocol used often in the industrial networks. Therefore, security staff should be identifying any Microsoft systems in their ICS that could be exploited and take immediate remediation steps to patch them.”