Cyber Pulse: Edition 122 | 27 July 2020

Here is our cyber security round-up of the week:

Garmin faces outage as ransomware attack looks likely

Computer networks of smartwatch and electronics firm Garmin were offline in an incident which raised concerns of a ransomware attack affecting both its aviation and fitness app services. Garmin said on Twitter its website and Garmin Connect fitness app had been offline since Thursday. It said the "flyGarmin" site used for aviation databases was also down. Garmin offered no explanation for the outage but security analysts said a likely reason could be ransomware, a technique used by hackers to encrypt data and extort funds.

"We are currently experiencing an outage that affects Garmin Connect," the company tweeted. Garmin Aviation, which provides cockpit navigation and communication services, said on its Facebook page its "flyGarmin" website and mobile app were down. "We are working to resolve this issue as quickly as possible and apologize for this inconvenience," the company stated. The security news website Bleeping Computer reported that a source familiar with the incident said Garmin was attacked by the WastedLocker ransomware. Some reports have linked the malware to a Russian cybercriminal group known as Evil Corp.

Energy sectors targeted by Fancy Bear

Researchers report that APT28 (also known as Fancy Bear), a unit of Russia's GRU military intelligence agency, has been running "a broad hacking campaign against US targets" from December 2018 until at least May 2020. It states that the threat actor has been targeting "a wide range of US-based organidations, state and federal government agencies, and educational institutions."

Researchers observed that one of APT28's IP addresses listed in the alert also appeared in a Department of Energy advisory issued earlier this year. That advisory said the IP address had been used to probe login portals belonging to a US energy entity on Christmas Eve last year. They note that while another GRU unit (tracked as "Sandworm") has historically been very active against the energy sector, APT28 hasn't previously focused on this area.

"Just given what we understand about how APT28 operates and its typical victimology, identifying that group interacting with the US energy sector would be substantially different from how this group has behaved previously ... This is a concerning data point. It’s the first time in a while that this group has targeted US critical infrastructure."

Hackers improve Advanced Malware Frameworks

According to researchers, North Korea's Lazarus Group has put "significant resources" into improving its toolset over the past two years. The security firm analysed an "advanced malware framework," dubbed "MATA", which the Lazarus Group has used against various industries in Poland, Germany, Turkey, South Korea, Japan and India. Specific targets have included "a software development company, an e-commerce company, and an internet service provider."

The group has been using MATA since at least April 2018. MATA is designed to run on Windows, macOS, and Linux. The malware seems to be primarily used for exfiltrating databases, but in at least one case it was observed delivering the VHD ransomware to a victim's network, suggesting that the attackers are using the tool for both espionage and financial gain. The report further notes:

"This series of attacks indicates that Lazarus was willing to invest significant resources into developing this toolset and widening the reach of organizations targeted – particularly in hunting for both money and data. Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that they have more than enough tools for the Windows platform, which the overwhelming majority of devices are run on."

Ransomware targets Operational Technologies

Latest information form confirms that at least six ransomware families – DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim and SNAKEHOSE (also known as "Snake" or "Ekans") – are using the same process kill list consisting of more than 1,000 processes, including "a couple dozen processes related to OT executables. This kill list was observed and described by Dragos and others earlier this year, and raised concerns that attackers were increasingly incorporating OT-specific capabilities into their toolsets.

Notably, however, is an entirely separate process kill list being used by the CLOP ransomware that targets more than 1,425 processes, at least 150 of which are related to OT software suites. Stopping these processes "may directly impact the operator’s ability to both visualise and control production. This is especially true in the case of some included processes that support HMI and PLC supervision."

The researchers don't believe the operators of these ransomware families are explicitly seeking out OT environments, and they think the process kill lists are "the result of coincidental asset scanning in victim organisations." However, the presence of the OT-related processes on the list "suggests that sophisticated financially motivated actors, such as FIN6, have had at least some visibility into a victim’s OT network."

While exploiting these systems doesn't seem to be a priority for them at the moment, ransomware operators are growing increasingly sophisticated and well-funded, and opportunistically targeting an organisation's most critical systems is central to their strategy. As a result, we expect to see more criminal hackers displaying an interest in gaining access to operational environments, particularly as IT and OT systems converge.

ICS Security Advisory warnings for critical infrastructure

The US National Security Agency and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on Thursday recommending that operators of critical infrastructure take "immediate actions" to secure OT assets and industrial control systems. The agencies stress:

"Internet-accessible OT assets are becoming more prevalent across the 16 U.S. CI sectors as companies increase remote operations and monitoring, accommodate a decentralised workforce, and expand outsourcing of key skill areas such as instrumentation and control, OT asset management/maintenance, and in some cases, process operations and maintenance. It is important to note that while the behavior may not be technically advanced, it is still a serious threat because the potential impact to critical assets is so high."

The alert adds:

"Legacy OT assets that were not designed to defend against malicious cyber activities, combined with readily available information that identifies OT assets connected via the internet ... are creating a 'perfect storm' of 1) easy access to unsecured assets; 2) use of common, open-source information about devices; and 3) an extensive list of exploits deployable via common exploit frameworks."

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber security courses.