Users Learning, But Ransomware Still a Problem

Wednesday, August 16, 2017 @ 12:08 PM gHale


Email was the entry point for ransomware to get into a North Carolina transmission plant’s computer network a year ago.

Once it was in, it quickly spread and threatened to lock up production until the company paid a ransom. Luckily, the Durham, NC-based company was able to catch and block the malicious code as it was about to head back to its command and control center.


From a financial perspective, Durham, NC-based AW North Carolina stood to lose $270,000 in revenue on top of wages for idled employees for every hour the factory wasn’t shipping its auto parts to nine Toyota car and truck plants across North America, said John Peterson, the plant’s information technology manager in an Associated Press report.

AW North Carolina is just one of a growing number of firms facing ransomware, which gives the bad guys a quick financial boost and costs manufacturers lost time and money if they don’t pay up.

With the WannaCry attack that hit multiple industries in May and the follow-up Petya attack in June, ransomware is becoming a big threat for manufacturers today, and with increased connectivity becoming the norm, it has the potential to be a bigger issue in the years to come.

Production lines that integrate automation into the manufacture of products — whether it is transmissions, gasoline, chemicals, pharmaceuticals or paper clips — face a greater potential for attack. That is also why increased visibility into the network is becoming one of the fastest growing trends manufacturers are starting to pick up on.

Last August at the 2,200-worker transmission factory, the computer virus flowed through the plant’s network like a raging river, flooding machines with data and stopping production for about four hours, Peterson said. At a downtime cost of $270,000 an hour, that adds up to $1.08 million for a four-hour shutdown.

Blocked Attack
Data on some laptops was lost, but the malicious ransomware ended up blocked by a firewall when it tried to exit the plant’s network and put the hackers’ lock on the plant’s computer network.

The plant was hit again in April; this time different bad guys used an alternative type of ransomware, Peterson said. Having learned from the previous attack, the plant contained this one before it affected production. No ransom was paid to either group, he said.

Industrial sites, along with other industries, continue to undergo attacks from new versions of ransomware all the time. One that hit the industry hard occurred this past June with the Petya ransomware, which encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate the ransomware exploits vulnerabilities in Server Message Block (SMB).

At the time, Chris Da Costa, global operations cyber security manager at Air Products and Chemicals said during a presentation at the Siemens Automation Summit 2017 in Boca Raton, FL, he had to rush to a conference call to discuss with his team and bosses how his company was protected against Petya.

“Version 2 of WannaCry is on the loose,” Da Costa said. “A large pharmaceutical company was shut down. I am going back to talk to the team to understand what we have to do.”

Petya was compared to the WannaCry outbreak that struck computers in more than 150 countries in May — but so far, at least, Petya seems to have spread to only 64 countries.

Like WannaCry, the Petya ransomware demanded a $300 bitcoin payment to retrieve encrypted files and hard drives. Back in June, the account had received only $10,000. German email company Posteo blocked the email address the Petya hackers were using to confirm ransom payments.

Industry Players Hit
Quite a few companies suffered from the attack. Shipping company A.P. Moller-Maersk, for instance, reported a computer systems outage.

Russia’s top oil producer Rosneft said its servers had been hit in a large-scale cyber attack, but its oil production was unaffected.

Renault and Honda also felt the effects of the attack.

Petya was similar to WannaCry, but leveraged other techniques to propagate and encrypt systems, said Patrick McBride from Claroty.

Our initial analysis, McBride said, found Petya’s impact on ICS networks appeared to be more severe than WannaCry due to the following:
• Impact on ICS Windows machines: Petya did not encrypt files one by one per a matching extension list, but encrypted the master file table (MFT) so the file system was not accessible, effectively bricking the machine. This means any infected HMI would end up locked immediately. While this would not directly impact the underlying process, it would deprive all visibility and monitoring capabilities, which would lead in most if not all cases to a shutdown. The OT network would have to stay in manual mode until recovery of the infected Windows endpoints. Further, other SCADA components, e.g., historians, backup servers and engineering stations, would also end up impacted.
• Propagation: Petya’s propagation capabilities surpassed those of WannaCry, as it leveraged the user’s privilege to propagate throughout the network (using PsExec). It also utilized WMI as a propagation vector.
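To make the two propagation vectors named above concrete from the defender's side, here is an added example (not from the article or from Claroty) of simple detection logic run over constructed Windows event records: PsExec's service install on the target host, correlated with the preceding ADMIN$ share access, and processes spawned by the WMI provider host. Event IDs 5140, 7045 and 4688 are the standard Windows share-access, service-install and process-creation events; the records themselves are made up for the example.

```python
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal stand-in for a Windows event record (host, ID, parsed fields)."""
    host: str
    event_id: int
    fields: dict


# Constructed sample events for the example; not real telemetry.
SAMPLE_EVENTS = [
    # PsExec-style lateral movement: remote ADMIN$ access, then PSEXESVC install.
    Event("HMI-01", 5140, {"ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.5.20"}),
    Event("HMI-01", 7045, {"ServiceName": "PSEXESVC",
                           "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    # WMI-style remote execution: a process whose parent is the WMI provider host.
    Event("HIST-01", 4688, {"ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
                            "NewProcessName": "C:\\Windows\\System32\\rundll32.exe"}),
    # Benign noise that must not alert.
    Event("ENG-01", 4688, {"ParentProcessName": "C:\\Windows\\explorer.exe",
                           "NewProcessName": "C:\\Windows\\System32\\notepad.exe"}),
    Event("ENG-01", 7045, {"ServiceName": "BackupAgent",
                           "ImagePath": "C:\\Program Files\\Backup\\agent.exe"}),
]


def detect_lateral_movement(events):
    """Return (host, description) alerts for PsExec- and WMI-style propagation."""
    alerts = []
    admin_share_hosts = set()
    for ev in events:
        f = ev.fields
        # PsExec stages its service binary over the ADMIN$ share (SMB).
        if ev.event_id == 5140 and f.get("ShareName", "").upper().endswith("ADMIN$"):
            admin_share_hosts.add(ev.host)
        # A service named PSEXESVC being installed is the classic PsExec indicator;
        # note whether the share access was seen so the alert carries context.
        if ev.event_id == 7045 and f.get("ServiceName", "").upper() == "PSEXESVC":
            ctx = "after ADMIN$ access" if ev.host in admin_share_hosts else "no share access seen"
            alerts.append((ev.host, f"psexec service install ({ctx})"))
        # Children of WmiPrvSE.exe were launched through WMI, the second vector.
        if ev.event_id == 4688 and f.get("ParentProcessName", "").lower().endswith("wmiprvse.exe"):
            alerts.append((ev.host, f"wmi-spawned process: {f.get('NewProcessName')}"))
    return alerts


if __name__ == "__main__":
    for host, desc in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{host}: {desc}")
```

In a real environment these heuristics need tuning (legitimate admin use of PsExec and WMI is common), but the MFT-encryption behaviour described above means catching the propagation step is worth far more than catching the encryption itself.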

When Petya first burst on to the scene, David Zahn, GM of ICS Cybersecurity at PAS, said, “Like the WannaCry attack, critical infrastructure was caught in the cross hairs with early reports identifying oil & gas and power as victims. Banking and pharmaceuticals also experienced issues.

“Within critical infrastructure companies, such as chemical processing, there are proprietary industrial control systems responsible for production reliability and safety. Compromising these systems could impact the environment, cause injury, or disrupt production. It’s also possible the effect would be less noticeable. Imagine the process at a pharmaceutical plant being altered instead of halted,” he said.

“It would seem we have arrived at the dawn of the ICS (Industrial Control System) attack,” said Bryan Singer, director of security services at IOActive. “For the past ten years any attacks to industrial control systems have been one off, specifically targeted attacks by insiders; or otherwise had very limited visibility. But it seems like over the last few weeks we have hit a new era, it is now impossible to say that can’t happen to us anymore.”
