Manufacturing Attacks Continue to Rise

Thursday, August 10, 2017 @ 05:08 PM gHale

Manufacturers are a key target for cyber attacks – and those attacks are continuing to rise, new research found.

In addition, the sophistication of cyber attacks continues to rise across all corners of the world, according to the Q2 Threat Intelligence Report released by NTT Security.

The survey focused on four findings:
• Manufacturers continue to be a key target for cybercriminals
• Cyber attacks were up 24 percent globally during Q2 2017
• 67 percent of malware attacks were delivered by phishing emails
• The speed of attacks continues to increase exponentially once proof of concept code releases

The manufacturing industry was the most heavily targeted industry across NTT Security clients during Q2 ’17, accounting for 34 percent of attack activity, the report found.

The following is the attack profile of the manufacturing industry:
• The manufacturing industry was the most heavily targeted industry across NTT Security clients during Q2 ’17, accounting for 34 percent of attack activity.
• The manufacturing industry was also heavily targeted across NTT Security client networks throughout 2016, appearing in the “top three” in five of the six geographic regions. No other industry appeared in the top three more than twice.
• 58 percent of malware distribution in manufacturing environments was via web-based downloads.
• 86 percent of malware in the manufacturing industry were variants of Trojans and droppers.
• Reconnaissance accounted for 33 percent of all activity aimed at manufacturing clients in Q2 ’17.

Manufacturing Recon
Reconnaissance accounted for 33 percent of all activity aimed at manufacturing clients in Q2 ’17, the report said. Analysis suggests cyber criminals used several different scanning tools such as ZmEu, Metasploit and Muieblackcat to scan public-facing systems. These tools come equipped with several plugins, allowing even beginner cyber criminals to scan and find vulnerabilities in systems and applications.

PHP-based applications accounted for 75 percent of all reconnaissance efforts against the manufacturing industry, according to the report.

A majority of this traffic was via the use of ZmEu and Muieblackcat scanning tools, which scan for vulnerabilities in common PHP files and plugins behind web applications and content management systems (CMS) like WordPress.

In 2016, WordFence conducted a survey which indicated roughly 56 percent of all hacked WordPress sites were compromised via exploited plugins. The phpMyAdmin plugin, developed to simplify database administration, is the front-end to MySQL databases and a popular target for gaining full access to a database. Although these scans are common, they can be effective if web applications, websites, etc. are not configured following best security practices. This becomes a larger issue if a manufacturing organization sets up its website or web server in a “security unaware” manner, or does not apply automatic updates, potentially leaving the company or organization blind to its vulnerabilities, the report said.
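The scanning described above leaves recognizable traces in web server access logs. The following is an added example, not code from the report or the article: it flags clients whose requests carry the publicly documented ZmEu or Muieblackcat markers, or that request several PHP files that do not exist on the server. The log lines, the combined log format, the signature strings and the threshold of three are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Publicly documented scanner traits (assumed here, not taken from the article).
TOOL_SIGNATURES = {
    "zmeu": [("ua", re.compile(r"zmeu", re.I)),
             ("path", re.compile(r"w00tw00t", re.I))],
    "muieblackcat": [("path", re.compile(r"muieblackcat", re.I))],
}
PHP_PATH = re.compile(r"\.php(\?|$)", re.I)
PROBE_THRESHOLD = 3  # assumed: distinct missing PHP paths per client before flagging

# Constructed sample lines using documentation IP ranges, not real traffic.
TS = "[10/Aug/2017:05:08:01 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 162 "-" "ZmEu"',
    f'198.51.100.7 - - {TS} "GET /muieblackcat HTTP/1.1" 404 162 "-" "-"',
    f'198.51.100.7 - - {TS} "GET /pma/index.php HTTP/1.1" 404 162 "-" "-"',
    f'198.51.100.7 - - {TS} "GET /myadmin/index.php HTTP/1.1" 404 162 "-" "-"',
    f'198.51.100.7 - - {TS} "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 162 "-" "-"',
    f'203.0.113.5 - - {TS} "GET /index.php?page=contact HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - {TS} "GET /old-page.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
]


def find_scanners(lines):
    """Return {client_ip: sorted labels} for clients that look like scanners."""
    labels = defaultdict(set)
    missing_php = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in combined log format
        for tool, rules in TOOL_SIGNATURES.items():
            if any(rx.search(m[field]) for field, rx in rules):
                labels[m["ip"]].add(tool)
        # Requests for PHP files that do not exist suggest blind probing.
        if m["status"] == "404" and PHP_PATH.search(m["path"]):
            missing_php[m["ip"]].add(m["path"].lower())
    for ip, paths in missing_php.items():
        if len(paths) >= PROBE_THRESHOLD:
            labels[ip].add("php-probe")
    return {ip: sorted(found) for ip, found in labels.items()}
```

A single stale link, like the one 404 from 203.0.113.5, stays below the threshold, so ordinary visitors are not flagged.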

Brute-forcing traffic accounted for 22 percent of all attacks against the manufacturing industry, the report said. NTT Security focused on the server/application targets of this traffic, discovering FTP servers were of highest interest at 64 percent, followed by HTTP (18 percent) and SSH (11 percent).

Download Technique
In addition, NTT Security discovered 86 percent of malware in the manufacturing industry were Trojan/dropper variants, which is software or applications that drop additional malicious binaries whether they appear to be legitimate or not. NTT Security analyzed the distribution efforts for delivering malware to systems in the manufacturing industry. The most common technique used to distribute malware was drive-by downloads.

“Most manufacturing systems today were made to be productive – they were not made to be secure. Every manufacturer is at risk – it isn’t a matter of if they will be targeted, it’s a matter of when,” Rebecca Taylor, senior vice president for NCMS, said in the report.

Intellectual property is at a premium, and in a market where fractions of market shares can mean millions – or billions – of dollars, competition is fierce. Industrial control systems (ICS) are often left unguarded, and worse yet, they are often built with little to no thought for security, sometimes making protection of the device itself impractical. There is a lack of investment in cybersecurity, as funds are being spent upgrading systems to be more productive or more efficient. In fact, almost half of top executives in manufacturing firms neither feel confident in their technology to protect their networks, nor do they feel they have adequate funding.

Perhaps the most influential of all trends results in one of the greatest emerging cyber threats to the manufacturing industry: Smart factories, the report said. Hoping to add efficiency, productivity, quality of products and flexibility to the process, connected – or “smart” – factories are expected to add $500 billion to the global economy in the next five years, adding yet another avenue for threat actors to target the manufacturing industry.

This connectivity is expected to drive a 27 percent increase in efficiency during that timeframe, and by the end of 2022, manufacturers expect that 21 percent of all factories will be fully connected. But all these additional tools, devices, and robots are redefining the attack surface in the manufacturing industry, the report found.

Vast Attack Surface
Despite the benefits of connected devices, this creates an environment with a continually broadening attack landscape due to endpoint expansion, the report said. As these devices multiply, they can become crucial access points for an attacker to infiltrate a network, or become pawns in a botnet or even be victims of ransomware themselves. Simply put, the more systems you have, the more likely it is that an attacker is going to find something in your environment.

NTT Security recommends manufacturing organizations consider the following preventative and mitigation strategies:
• Educate users on identifying and avoiding phishing emails – particularly since employees are the most often targeted, and may be the first, or only, line of defense.
• Ensure computers, network and other Internet-connected devices, particularly industrial control systems, are running the most current versions of operating systems and software. Please note that the most current software versions are typically the most secure, but this is not always the case.
• In addition to outside actors, don’t forget to secure against the rogue insider – someone trusted within your organization, who perhaps has “the keys to the kingdom.”
• Enforce “least privilege” – vary the level of individual access, granted based on specific user needs and scenarios.
• To every practical extent, isolate sensitive systems and network functions. Group associated sensitive functions onto protected networks whenever possible, to include segmenting ICS from other network functions.
• Industrial networks are often not well segmented between IT/OT, so an infection in the former can easily spread to the latter.
• Let malware such as WannaCry serve as a recent lesson: Although the manufacturing industry seemed almost immune to WannaCry, many Windows machines inside ICS environments are not fully patched, and are often running outdated, unsupported versions.
