Year 2022 in numbers

Global threat statistics

In H2 2022, the percentage of ICS computers on which malicious objects were blocked increased by 3.5 percentage points compared to the previous six-month period, reaching 34.3%. This was higher than the percentages for 2021 and even 2020.

Percentage of ICS computers on which malicious objects were blocked, 2020 – 2022

In H2 2022 the percentage of ICS computers on which malicious objects were blocked increased in the automotive industry (+4.6 p.p.) and in the energy sector (+1 p.p.). In other industries tracked, the percentage decreased.

Percentage of ICS computers on which malicious objects were blocked in some industries, H2 2022

Geography

In different regions of the world, the percentage of ICS computers on which malicious activity was prevented ranged from 40.1% in Africa and Central Asia, which led the ranking, to 14.2% and 14.3%, respectively, in Western and Northern Europe, which were the most secure regions.

Regions of the world ranked by percentage of ICS computers on which malicious objects were blocked, H2 2022

African and Central Asian countries were prevalent among the 15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked in H2 2022.

15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked, H2 2022

In the Top 10 ranking of countries with the lowest percentage of ICS computers on which malicious objects were blocked, all countries, with the exception of Israel, were European.

10 countries and territories with the lowest percentage of ICS computers on which malicious objects were blocked, H2 2022

In H2 2022, the most significant increase among all countries in the percentage of ICS computers on which malicious objects were blocked was observed in Russia, where that percentage increased by 9 p.p.

Russia. Percentage of ICS computers on which malicious objects were blocked, 2020 – 2022

Variety of the malware detected

In H2 2022, Kaspersky security solutions blocked malware from 7,684 different families on industrial automation systems.

Percentage of ICS computers on which the activity of malicious objects from different categories was prevented, H2 2022

Main threat sources

The internet, removable devices and email clients remained the main sources of threats for computers in the operational technology infrastructure of organizations.

Percentage of ICS computers on which malicious objects from different sources were blocked, 2021 – 2022

In H2 2022, a very significant growth in the percentage of ICS computers on which internet threats were blocked – 12 p.p. and 7.8 p.p., respectively – was recorded in the regions of Russia and Central Asia.

Regions ranked by percentage of ICS computers on which internet threats were blocked, H2 2022

As per tradition, Africa topped the ranking of regions based on the percentage of ICS computers on which malware was blocked when removable devices were connected.

Regions ranked by percentage of ICS computers on which malware was blocked when removable devices were connected, H2 2022

Southern Europe topped the ranking of regions based on the percentage of ICS computers on which malicious email attachments and phishing links were blocked. Northern Europe was the only region in which the percentage increased (+0.3 p.p.) in H2 2022.

Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H2 2022

The full report has been published on the Kaspersky ICS CERT website.

UMAS (Unified Messaging Application Services) is a proprietary Schneider Electric (SE) protocol used to configure and monitor Schneider Electric PLCs. Schneider Electric controllers that use UMAS include Modicon M580 CPU (part numbers BMEP* and BMEH*) and Modicon M340 CPU (part numbers BMXP34*). Controllers are configured and programmed using engineering software – EcoStruxure™ Control Expert (Unity Pro), EcoStruxure™ Process Expert, etc.

In 2020, CVE-2020-28212, a vulnerability affecting this software, was reported, which could be exploited by a remote unauthorized attacker to gain control of a PLC with the privileges of an operator already authenticated on the controller. To address the vulnerability, Schneider Electric developed a new mechanism, Application Password, which should provide protection against unauthorized access to PLCs and unwanted modifications.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism also has flaws. The CVE-2021-22779 vulnerability, identified in the course of the research, could allow a remote attacker to make changes to the PLC, bypassing authentication.

It was established that the UMAS protocol, in its implementation prior to the version in which the CVE-2021-22779 vulnerability was fixed, had significant shortcomings that had a critical effect on the security of control systems based on SE controllers.

As of the middle of August 2022, Schneider Electric has released an update for the EcoStruxure™ Control Expert software, as well as for Modicon M340 which fixes the vulnerability. In March 2023, the vendor released an update for the Modicon M580 PLC.

This report describes:

• the implementation of the UMAS protocol that does not use the Application Password security mechanism;
• authentication bypass if Application Password is not enabled;
• the principles on which the Application Password security mechanism is based;
• mechanisms that can be used to exploit the CVE-2021-22779 vulnerability (authentication bypass where Application Password is configured);
• operating principles of the updated device reservation mechanism.

A detailed report on the research, Schneider Electric measures designed to fix the authentication bypass vulnerability, and Kaspersky ICS CERT recommendations can be found in the full version of the article published on the Kaspersky ICS CERT website.

Object of research

UMAS (Unified Messaging Application Services) is Schneider Electric’s proprietary protocol used to configure, monitor, collect data and control Schneider Electric industrial controllers.

UMAS is based on a client-server architecture. During the research process, we used the EcoStruxure™ Control Expert PLC configuration software as the client part and a Modicon M340 CPU controller as the server part.

UMAS protocol

Network packet structure

UMAS is based on the Modbus/TCP protocol.

Structure of the UMAS protocol

Specifications of the Modbus/TCP protocol include reserved Function Code values that developers can use according to their needs. A complete list of reserved values can be found in the official documentation.

Schneider Electric uses Function Code 90 (0x5A) to define that the value in the Data field is UMAS compliant.

The network packet structure is shown below, using a request to read a memory block (pu_ReadMemoryBlock) on the PLC as an example:

• Red: Function Code 90 (0x5A)
• Blue: Session Key 0 (0x00)
• Green: UMAS Function 20 (0x20)
• Orange: Data

Network packet structure

Each function includes a certain set of information in the Data field, such as offset from the base memory address, size of the data sent, memory block number, etc. For more details on the functions and session key, see the full version of the article.

Network communication

UMAS also inherits the Modbus client-server architecture. A structural diagram of the communication between the client and the server is provided below.

Communication between the client (EcoStruxure™ Control Expert) and server (PLC)

In a UMAS network packet, Function Code 0x5A is immediately followed by the Session Key.

UMAS network packet structure

Let’s examine the communication between a client and a server (a PLC, also referred to as “device” below) by analyzing a real-world traffic fragment. The screenshot below shows a packet containing the function umas_QueryGetComInfo(0x01) sent from the client (EcoStruxure™ Control Expert) to the server (the PLC).

Structure of the function:
TCP DATA – Modbus Header – 0x5A – session – 01(UMAS function code) – 00(data).

Network packet containing the function umas_QueryGetComInfo(0x01)

The device should send a response to each request received. The screenshot below shows the device’s response to the client’s request:

Server response

The status code is the status of the device’s execution of the function sent to it by the client in the previous request. The value “fe” corresponds to successful execution of the function; “fd” indicates an error. The status code is present in each response sent by the device to thecontaining a function. It is always located immediately after the session key.

Reservation procedure

A “reservation” procedure is required to make changes to a PLC. The procedure acts as authentication. Only one client (e.g., an engineering workstation) can reserve a device at any specific time for configuration or status monitoring. This is required to prevent changes from being made to a device in parallel without coordination.

The screenshot below shows a request from the engineering software to the PLC to perform the device reservation procedure in its basic variant that does not use the Application Password security mechanism.

Device reservation

The umas_QueryTakePLCReservation(0x10) function is used to reserve a device. The request containing this function includes the name of the client reserving the device and a value equal to the length of that name.

CVE-2020-28212: authentication bypass without Application Password

The main issue with the basic reservation mechanism that does not use Application Password is that an attacker can use the session key to send requests and change the device’s configuration.

In firmware versions prior to 2.7 for Modicon M340 devices, the session key has the same value each time the device is reserved, and is equal to “0x01”. This means that attackers can make changes on the device by calling the relevant functions after the device has been reserved by a legitimate user.

The attack workflow is shown in the diagram below:

Remote threat actor attack workflow. Modicon M340 firmware prior to version 2.7, device reserved by an engineer

If the device has not been reserved at the time of an attack, the attacker can use the umas_QueryTakePLCReservation(0x10) function to reserve the device in order to make changes to it.

With Modicon M340 firmware version 2.7 or later, the session key takes a random value after device reservation. However, the session key is one byte in length, which means there are only 256 possible session ID values. This enables a remote unauthorized attacker to brute-force an existing ID of a session between a legitimate user and the PLC.

To carry out this type of attack, a remote attacker needs to send a series of network requests on port 502/TCP of the PLC with different session ID values and look at responses returned by the PLC. If the correct session ID was sent, the attacker will get the status code 0xfe, which means the request was fulfilled successfully. Otherwise, the attacker will get the status code 0xfd.

The operations described above can be implemented using any programming language – an attacker does not have to use EcoStruxure™ Control Expert or any other dedicated software to communicate with the device.

Application Password

To mitigate the CVE-2020-28212 vulnerability, exploitation of which could allow a remote unauthorized attacker to gain control of the PLC with the privileges of an operator already authenticated on the PLC, Schneider Electric developed a new security mechanism that used cryptographic algorithms to compute the session ID and increased the session ID length. Schneider Electric believed implementing this security mechanism would prevent brute-force attacks that could be used to crack single-byte session IDs.

The new mechanism was introduced starting with firmware version 3.01 for Modicon M340 devices. To implement authentication between the client and the device, Application Password needs to be enabled in project settings (“Project & Controller Protection”). The mechanism is designed to provide protection against unauthorized access, unwanted changes, as well as unauthorized downloading or uploading of PLC strategies.

After activating the mechanism using EcoStruxure™ Control Expert, the client needs to enter the password when connecting to a device as part of the reservation procedure. Application Password also makes changes to the reservation mechanism itself.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism was, unfortunately, also flawed. Its main shortcoming is that during the authentication process, all computations are performed on the client side, i.e., on the side of EcoStruxure™ Control Expert engineering software. The vulnerability identified during research, CVE-2021-22779, could allow a remote attacker to bypass authentication and use functions that require reservation to make changes to the PLC.

For more details on the implementation of Application Password and on the security flaws identified by Kaspersky ICS CERT researchers, read the full version of the article published on the Kaspersky ICS CERT website. For more information, you can also contact us at ics-cert@kaspersky.com.

H1 2022 in numbers

Geography

• In H1 2022, malicious objects were blocked at least once on 31.8% of ICS computers globally.

  

  Percentage of ICS computers on which malicious objects were blocked

• For the first time in five years of observations, the lowest percentage in the ‎first half of the year was observed in March.‎ During the period from January to March, the percentage of attacked ICS computers decreased by 1.7 p.p.

  

  Percentage of ICS computers on which malicious objects were blocked, January – June 2020, 2021, and 2022

• Among regions, the highest percentage of ICS computers on which malicious objects were blocked was observed in Africa (41.5%). The lowest percentage (12.8%) was recorded in Northern Europe.

  

  Percentage of ICS computers on which malicious objects were blocked, in global regions

• Among countries, the highest percentage of ICS computers on which malicious objects were blocked was recorded in Ethiopia (54.8%) and the lowest (6.8%) in Luxembourg.

  

  15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked, H1 2022

  

  10 countries and territories with the lowest percentage of ICS computers on which malicious objects were blocked, H1 2022

Threat sources

• The main sources of threats to computers in the operational technology infrastructure of organizations are internet (16.5%), removable media (3.5%), and email (7.0%).

  

  Percentage of ICS computers on which malicious objects from different sources were blocked

Regions

• Among global regions, Africa ranked highest based on the percentage of ICS computers on which malware was blocked when removable media was connected.

  

  Regions ranked by percentage of ICS computers on which malware was blocked when removable media was connected, H1 2022

• Southern Europe leads the ranking of regions by percentage of ICS computers on which malicious email attachments and phishing links were blocked.

  

  Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H1 2022

Industry specifics

• In the Building Automation industry, the percentage of ICS computers on which malicious email attachments and phishing links were blocked (14.4%) was twice the average value for the entire world (7%).

  

  Percentage of ICS computers on which malicious email attachments and phishing links were blocked, in selected industries

• In the Oil and Gas industry, the percentage of ICS computers on which threats were blocked when removable media was connected (10.4%) was 3 times the average percentage for the entire world (3.5%).

  

  Percentage of ICS computers on which threats were blocked when removable media was connected

• In the Oil and Gas industry, the percentage of ICS computers on which malware was blocked in network folders (1.2%) was twice the world average (0.6%).

  

  Percentage of ICS computers on which threats were blocked in network folders

Diversity of malware

• Malware of different types from 7,219 families was blocked on ICS computers in H1 2022.

  

  Percentage of ICS computers on which the activity of malicious objects from different categories was prevented

Ransomware

• In H1 2022, ransomware was blocked on 0.65% of ICS computers. This is the highest percentage for any six-month reporting period since 2020.

  

  Percentage of ICS computers on which ransomware was blocked

• The highest percentage of ICS computers on which ransomware was blocked was recorded in February (0.27%) and the lowest in March (0.11%). The percentage observed in February was the highest in 2.5 years of observations.

  

  Percentage of ICS computers on which ransomware was blocked, January – June 2022

• East Asia (0.95%) and the Middle East (0.89%) lead the ransomware-based ranking of regions. In the Middle East, the percentage of ICS computers on which ransomware was blocked per six-month reporting period has increased by a factor of 2.5 since 2020.

  

  Regions ranked by percentage of ICS computers on which ransomware was blocked, H1 2022

• Building Automation leads the ranking of industries based on the percentage of ICS computers attacked by ransomware (1%).

  

  Percentage of ICS computers on which ransomware was blocked, in selected regions, H1 2022

Malicious documents

• Malicious documents (MSOffice+PDF) were blocked on 5.5% of ICS computers. This is 2.2 times the percentage recorded in H2 2021. Threat actors distribute malicious documents via phishing emails and actively use such emails as the vector of initial computer infections.

  

  Percentage of ICS computers on which malicious documents (MSOffice+PDF) were blocked

• In the Building Automation industry, the percentage of ICS computers on which malicious office documents were blocked (10.5%) is almost twice the global average.

  

  Percentage of ICS computers on which malicious office documents (MSOffice+PDF) were blocked, in selected industries

Spyware

• Spyware was blocked on 6% of ICS computers. This percentage has been growing since 2020.

  

  Percentage of ICS computers on which spyware was blocked

• Building Automation leads the ranking of industries based on the percentage of ICS computers on which spyware was blocked (12.9%).

  

  Percentage of ICS computers on which spyware was blocked, in selected industries

Malware for covert cryptocurrency mining

• The percentage of ICS computers on which malicious cryptocurrency miners were blocked continued to rise gradually.

  

  Percentage of ICS computers on which malicious cryptocurrency miners were blocked

• Building Automation also leads the ranking of selected industries by percentage of ICS computers on which malicious cryptocurrency miners were blocked.

  

  

  Percentage of ICS computers on which malicious cryptocurrency miners were blocked, in selected industries

The full text of the report has been published on the Kaspersky ICS CERT website.

2021 is the second year we have spent living and working in the pandemic. By 2021 everyone got used to pandemic limitations – industrial organization employees and IT security professionals and threat actors. If we compare the numbers from 2020 and 2021, we see that 2021 looks more stable, particularly in H2.

H2 2021 Report at a glance

The full report is available on the Kaspersky ICS CERT website.

Percentage of ICS computers on which malicious objects were blocked

The percentage of ICS computers on which malicious objects were blocked in 2021 increased by 1 percentage point from 2020 – from 38.6% to 39.6%.

In H2 2021 this percentage decreased by 1.4 p.p. for the first time in 1.5 years.

>Percentage of ICS computers on which malicious objects were blocked (download)

As we can see from the graph depicting the monthly dynamics of the percentage of attacked ICS computers, the numbers in H2 2021 were more stable than in H1 – the numbers were lower and there were no sharp fluctuations.

Percentage of ICS computers on which malicious objects were blocked, January – December 2018 – 2021 (download)

It is also worth noting that in 2021 the vectors of monthly fluctuations (increases and decreases) are the same as those in 2019 and, particularly, in 2018 more often than in 2020. Specifically, we can see decreases in July and August that we believe are due to the traditional vacation periods. However, compared to 2018 and 2019, the summer decrease in the percentage of ICS computers on which malicious objects were blocked was less pronounced in 2021.

Selected industries

Percentage of ICS computers on which malicious objects were blocked in selected industries (download)

Malicious objects

In H2 2021 Kaspersky security solutions blocked over 20,000 malware variants from 5,230 families on ICS computers.

Number of malware families blocked on ICS computers (download)

Number of malware variants blocked on ICS computers (download)

The results of our analysis revealed the following estimated percentages of ICS computers on which the activity of malicious objects from different categories had been prevented:

Percentage of ICS computers on which malicious objects from various categories were blocked (download)

Since H1 2020, we have seen increases in the percentages of ICS computers on which the following types of objects were blocked:

Spyware – by a factor of 1.4 — from 5.6% to 8.1%.

Percentage of ICS computers on which spyware was blocked (download)

Malicious scripts and phishing pages – by a factor of 1.4 – from 6.5% to 9.3%.

Percentage of ICS computers on which malicious scripts and phishing pages (JS and HTML) were blocked (download)

Cryptocurrency miners (Windows executable files) – more than doubled – from 0.9% to 2.1%.

Percentage of ICS computers on which cryptocurrency miners were blocked (download)

Ransomware

In H2 2021 ransomware was blocked on 0.50% of ICS computers.

Percentage of ICS computers on which ransomware was blocked (download)

The percentage of ICS computers attacked by ransomware increased in half of the world’s regions. The most significant increases were recorded in Southeast Asia, East Asia and Africa, which are thus the leaders in this ranking.

Regions ranked by percentage of ICS computers on which ransomware was blocked, H2 2021 (download)

Main threat sources

The internet, removable devices and email continue to be the main sources of threats for computers in the OT infrastructures of companies and organizations.

Percentage of ICS computers on which malicious objects from various sources were blocked (download)

Shared network folders are one of the minor threat sources. Only on 0.57% of attacked ICS computers malicious objects were blocked in network shares in H2 2021. However, this percentage is slowly growing and is over 1% in a few countries and territories.

Percentage of ICS computers on which malicious objects were blocked in shared network folders (download)

Countries and territories with the largest percentage of ICS computers on which malicious objects were blocked in shared network folders in H2 2021 (download)

2021 in numbers

For more information, visit the Kaspersky ICS CERT website

In June 2021, Kaspersky ICS CERT experts identified malware whose loader has some similarities to the Manuscrypt malware, which is part of the Lazarus APT group’s arsenal. In 2020, the group used Manuscrypt in attacks on defense enterprises in different countries. These attacks are described in the report “Lazarus targets defense industry with ThreatNeedle“.

Curiously, the data exfiltration channel of the malware uses an implementation of the KCP protocol that has previously been seen in the wild only as part of the APT41 group’s toolset. We dubbed the newly-identified malware PseudoManuscrypt.

The PseudoManuscrypt loader makes its way onto user systems via a MaaS platform that distributes malware in pirated software installer archives. One specific case of the PseudoManuscrypt downloader’s distribution is its installation via the Glupteba botnet (whose main installer is also distributed via the pirated software installer distribution platform). This means that the malware distribution tactics used by the threat actor behind PseudoManuscrypt demonstrate no particular targeting.

During the period from January 20 to November 10, 2021, Kaspersky products blocked PseudoManuscrypt on more than 35,000 computers in 195 countries of the world. Such a large number of attacked systems is not characteristic of the Lazarus group or APT attacks as a whole.

Targets of PseudoManuscrypt attacks include a significant number of industrial and government organizations, including enterprises in the military-industrial complex and research laboratories.

According to our telemetry, at least 7.2% of all computers attacked by the PseudoManuscrypt malware are part of industrial control systems (ICS) used by organizations in various industries, including Engineering, Building Automation, Energy, Manufacturing, Construction, Utilities, and Water Management.

The main PseudoManuscrypt module has extensive and varied spying functionality. It includes stealing VPN connection data, logging keypresses, capturing screenshots and videos of the screen, recording sound with the microphone, stealing clipboard data and operating system event log data (which also makes stealing RDP authentication data possible), and much more. Essentially, the functionality of PseudoManuscrypt provides the attackers with virtually full control of the infected system.

More information on PseudoManuscrypt is available on the Kaspersky ICS CERT website.

The H1 2021 ICS threat report at a glance

Percentage of ICS computers attacked

1. During the first half of 2021 (H1 2021), the percentage of attacked ICS computers was 8%, which was 0.4 percentage points (p.p.) higher than that for H2 2020.

   Percentage of ICS computers on which malicious objects were blocked (download)

   Numbers per country varied from 58.4% in Algeria to 6.8% in Israel.

   Top 15 countries and territories with the largest percentages of ICS computers on which malicious objects were blocked in H1 2021 (download)

   Top 10 countries and territories with the lowest percentages of ICS computers on which malicious objects were blocked in H1 2021 (download)

   When we look at regional numbers, Africa led with 46.1%, followed by Southeast Asia at 44.1%, East Asia at 43.1% and Central Asia at 42.1%.

   Percentage of ICS computers on which malicious objects were blocked, by region (download)

2. The largest increases in the percentage of attacked ICS computers during H1 2021 were as follows:
   • Over 10 p.p. in Belarus (50.4%) and Ukraine (33.1%);
   • 7.4 p.p. in the Czech Republic (20.2%) and Slovakia (24.3%);
   • 6.5 p.p. in Hong Kong (20.8%);
   • 6 p.p. in Australia (23%) and Cameroon (45.2%).

   The internet was the main source of threats causing these increases.

3. The percentage of ICS computers on which threats were blocked decreased in all monitored industries. This was especially noticeable in the oil and gas (36.5%) and building automation (40.3%) sectors (-7.5 p.p. and -6.3 p.p., respectively).

Percentage of ICS computers on which malicious objects were blocked in selected industries (download)

Major threat sources

The internet, removable media and email continue to be the main sources of threats to computers in ICS environments.

Percentage of ICS computers on which malicious objects from various sources were blocked (download)

1. Threats from the internet were blocked on 18.2% of ICS computers
2. (+1.5 p.p.).

   In H1 2021, the largest increases in this indicator were observed in Belarus (+12.2 p.p.), Ukraine (+8 p.p.) and Russia (+6.7 p.p.)

   Russia led the regional rankings with 27.6%.

   Percentage of ICS computers on which malicious objects from the internet were blocked, by region (download)

   Belarus leads in the country rankings with 32.8%.

   Top 15 countries and territories with the highest percentages of ICS computers on which internet threats were blocked in H1 2021 (download)

3. Threats arriving via removable media were blocked on 5.2% of ICS computers (-0.2 p.p.), which continued a downward trend that began in H2 2019.
   Africa leads noticeably in the regional rankings with 15.6%. In H1 2021, the percentage of ICS computers on which threats were blocked when removable media were connected decreased in Asian regions.

   Regions ranked by percentage of ICS comuters on which malware was blocked when removable media was connected in H1 2021 (download)

   Algeria leads among individual countries with 24%.

   Fifteen countries and territories with the largest percentage of ICS computers on which malware was blocked when removable media was connected in H1 2021 (download)

5. Malicious email attachments were blocked on 3.4% of ICS computers (-0.6 p.p.).
   Southern Europe ranked the highest with 6.4%. The only region where the percentage increased was Australia and New Zealand (+1.3 p.p.).

   Regions ranked by percentage of ICS computers on which malicious email attachments were blocked in H1 2021 (download)

   Bangladesh led among individual countries with 8.8%.

   Top 15 countries with the highest percentages of ICS computers on which malicious email attachments were blocked in H1 2021 (download)

   The variety of malware detected

   In H1 2021, Kaspersky security solutions blocked more than 20.1 thousand malware variants from 5,150 families in ICS environments.

6. Denylisted internet resources were the main threat source and were blocked on 14% of ICS computers.
   Threat actors use malicious scripts on various media resources and sites hosting pirated content. These scripts redirect users to websites that spread spyware and/or cryptocurrency miners. The percentage of computers where this type of threats was blocked has grown since 2020.
7. Malicious scripts and redirects (JS and HTML) were blocked on 8.8% of ICS computers (+0.7 p.p.).
   Australia and New Zealand (+3.8 p.p.), as well as Russia (+4.4 p.p.) saw a noticeable growth in the percentage of computers where malicious scripts used for downloading spyware were blocked.
8. Spyware (backdoors, trojan spies and keyloggers) were blocked on 7.4% of ICS computers (+0.4 p.p.).
   This figure was highest in East Asia (14.3%), Africa (13.4%) and Southeast Asia (11.2%).
9. Ransomware was blocked on 0.40% of ICS computers (-0.1 p.p.)
   This figure was highest in East Asia with 0.82%.

   In the Middle East, we saw an increase in the percentage of computers on which worms (+0.4 p.p.) and ransomware (+0.3 p.p.) were blocked.

   Percentage of ICS computers on which malicious objects from various categories were blocked (download)

The full report is available on the Kaspersky ICS CERT website.
]]> https://securelist.com/threat-landscape-for-industrial-automation-systems-in-h1-2021/104017/feed/ 1 full large medium thumbnail https://securelist.com/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2020/101299/ https://securelist.com/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2020/101299/#comments Thu, 25 Mar 2021 10:00:27 +0000 https://kasperskycontenthub.com/securelist/?p=101299

Figures

Indicator	H1 2020	H2 2020	2020
Global percentage of attacked ICS computers	32.6%	33.42%	38.55%
Percentage of attacked ICS computers by region
Northern Europe	10.1%	11.5%	12.3%
Western Europe	15.1%	14.8%	17.6%
Australia	16.3%	17.0%	18.9%
United States and Canada	17.2%	16.5%	19.6%
Eastern Europe	26.4%	28.0%	30.5%
Southern Europe	27.6%	29.6%	33.1%
Latin America	33.6%	34.3%	38.8%
Russia	32.2%	34.6%	39.5%
Middle East	34.0%	34.6%	40.2%
South Asia	38.8%	41.3%	47.0%
East Asia	42.9%	41.8%	46.3%
Central Asia	43.7%	43.9%	48.8%
Africa	45.6%	46.4%	51.2%
Southeast Asia	49.8%	47.5%	53.9%
Main threat sources globally
Internet	16.7%	16.7%	20.5%
Removable media	5.8%	5.4%	7.0%
Email clients	3.4%	4.1%	4.4%

Traits

1. There is no longer a downward trend in the percentage of ICS computers on which malicious objects were blocked.
   Starting with the second half (H2) of 2019, we observed a decline in the percentages of ICS computers on which malicious objects were blocked. This was observed in industrial control systems (ICS) as well as in corporate and personal computing environments. This downward trend was not observed in the second half of 2020.
   • Globally, the percentage of attacked ICS computers in the second half of the year was 33.4%, which was 0.85 percentage points (p.p.) higher than the first half (H1) of the year.

     Percentage of ICS computers on which malicious objects were blocked, by half-year, 2017 – 2020 (download)

   • The percentage of attacked ICS computers increased in 62% of countries.
     In H2 2020, the percentage of ICS computers on which malicious objects were blocked increased in relation to H1 in 62% of countries. In comparison, this trend was observed in 7% of countries in 2019, and the same was seen in H1 2020 compared to H2 2019.

     Change in the percentage of attacked computers in countries of the world (p.p.) in H2 compared to H1, 2019 vs 2020 (download 1, 2)

     The maximum growth of this indicator in a country was 8.2 p.p. (in Saudi Arabia), while most countries observed no more than a 4 p.p. increase. Therefore, the global average change over the half-year was insignificant.

2. The seasonal fluctuations typical of past years were not observed this year
   In previous years, the percentage of ICS computers on which malicious objects were blocked was at its maximum in March/April and October, while this indicator sagged between those months.In 2020, this indicator behaved differently. It reached its maximum in February and dropped almost to its minimum in May. In the first two months of summer, it grew to its near-maximum in July. In October, the percentage of attacked ICS computers was one of the lowest.

   Percentage of ICS computers on which malicious objects were blocked, by month, 2018 – 2020 (download)

3. The percentage of ICS computers on which malicious email attachments were blocked increased
   • Globally, in H2 2020, the percentage of ICS computers on which malicious email attachments were blocked increased by 0.7 p.p. compared to H1.

     Percentage of ICS computers on which malicious email attachments were blocked (download)

   • This indicator increased in all regions except East Asia, the US and Canada, Western Europe, and Russia.
   • In 73.4% of all countries in H2 2020, the percentage of ICS computers on which malicious email attachments were blocked increased compared to H1 2020.This is three times larger than the equivalent indicator for 2019 (23.6%).
     

     Change in the percentage of ICS computers (p.p.) on which malicious email attachments were blocked in H2 compared to H1, countries and territories, 2019 vs 2020 (download 1, 2)

4. There was a rise in the percentage of ICS computers on which threats distributed over the internet and email, and spyware and miners were blocked
   • Malicious objects from the internet – web resources involved in the distribution or management of malware (+2.5 p.p.), and malicious scripts and redirects on web resources (JS and HTML) (+1.6 p.p.).
   • Typical threats distributed by email (+1.2 p.p.). – malicious MS Office and PDF documents (+1.2 p.p.).
   • Spyware (+1.4 p.p.) – Trojans, backdoors, and keyloggers.
   • Miners (+0.7 p.p.) – executable files for Windows.

   For all these threats, the indicators of H2 2020 exceeded the equivalent results of not only H1 2020 but also H2 2019.

   Percentage of ICS computers on which various types of malicious objects were blocked, H2 2019 – H2 2020 (download)

5. In developed countries, the percentage of ICS computers attacked by ransomware increased
   Globally, the percentage of ICS computers on which ransomware was blocked decreased from 0.63% in H1 to 0.49% in H2.At the same time, this indicator increased in regions with developed countries:
   • +0.25 p.p. in the US and Canada
   • +0.23 p.p. in Australia
   • +0.13 p.p. in Western Europe

   Change in the percentage of ICS computers (p.p.) on which ransomware was blocked in H2 2020 compared to H1 (download)

Impact of the COVID-19 pandemic

In our H1 2020 report, we wrote about the impact of the COVID-19 pandemic on the changes that we observed in the attack surface and threat landscape for industrial enterprises and industrial automation systems. In H2 2020, we continued our observations and identified a number of trends that could, in our opinion, be due to circumstances connected with the pandemic in one way or another, as well as the reaction of governments, organizations and people to these circumstances.

Changes in seasonal fluctuations in the percentage of attacked computers

It can be seen in the ‘Percentage of ICS computers on which malicious objects were blocked’ diagram that in the past years the percentage of attacked ICS computers significantly decreased in summer months and in December. It is likely that this decrease was associated with traditional vacation periods: an infected USB drive cannot transfer malware from one computer to another all by itself, nor can an engineering workstation click on a link leading to a phishing website when the engineer is not there.

However, there was a noticeable change in the situation in 2020: we saw no significant seasonal fluctuations in the percentage of attacked computers. It is likely that this was due to changes in employee vacation schedules, since many people decided to go without vacations in the time of lockdown, travel restrictions, and closed borders.

Attacks on RDP remote connection services

Another effect of the pandemic was a noticeable increase in the percentage of ICS computers that could be accessed remotely via the RDP protocol.

Percentage of ICS computers accessible via RDP, by months of 2020 (download)

It can be seen in the diagram above that the percentage grew continuously from January to April – the time when many organizations were dealing with the challenges of organizing work under an impending and actual lockdown. Then, after some fluctuations, the percentage decreased somewhat and stabilized at a slightly higher level than before the pandemic.

We do not have sufficient data to make conclusions as to what proportion of these computers could only be accessed from the industrial network of the enterprise, what part could be accessed from the corporate segment of the network and what percentage was available even outside the organization’s perimeter. However, we can state with confidence that the increase in the availability of ICS computers certainly affected the attack surface. Threat actors clearly took advantage of that – this is obvious from the following diagram, which shows the percentages of ICS computers on which brute force attacks on credentials used to access the RDP service were detected and blocked:

Percentage of ICS computers on which attempts to brute force RDP passwords were detected, by months of 2020 (download)

It is easy to notice a certain synchronism in the changes occurring in these two parameters: the percentage of attacked RDP connections follows the percentage of UCS computers available via RDP almost all through the year (from January to October) with a delay of approximately one month, catching up (i.e., the changes are synchronized) in October and November.

Percentage of ICS computers on which brute force attacks on RDP passwords were detected and percentage of ICS computers available via RDP (download)

We can only guess whether the one-month ‘delay’ in changes occurring in the percentage of attacked computers had to do with the speed with which attacks propagated on the enterprise network or the speed with which threat actors responded to changes in the opportunity landscape (attack surface).

Changes in ransomware priorities

One more potential consequence of the pandemic can be identified by analyzing the dynamics of ransomware attacks on industrial enterprises in different regions, which can be indirectly assessed based on the percentage of ICS computers attacked by ransomware. It can be seen in the ‘Change in the percentage of ICS computers (p.p.) on which ransomware was blocked’ diagram, as well as the diagram below that this percentage decreased in H2 2020 in all regions of the world except North America, Western Europe and Australia, where it did not just fail to decrease but increased several times over!

Percentage of ICS computers on which ransomware was blocked, H2 2019 – H2 2020 (download)

We believe that these curious dynamics could indicate the response of threat actors to the economic consequences of the pandemic. In those countries where the ‘creditworthiness’ of organizations decreased as a result of the pandemic, the number of attacks on industrial enterprises also fell (and so did the percentage of attacked ICS computers). At the same time, in countries where industrial organizations were generally more financially stable and were still able to pay ransom, the activity of attackers increased (and the percentage of attacked ICS computers surged). It can be hypothesized that the changes that we observed were due, among other things, to a shift in some groups’ focus when choosing victims towards organizations in more economically stable countries.

The full report is available on Kaspersky ICS CERT.

]]> https://securelist.com/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2020/101299/feed/ 2 full large medium thumbnail https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer-new-data/99206/ https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer-new-data/99206/#respond Thu, 05 Nov 2020 10:00:48 +0000 https://kasperskycontenthub.com/securelist/?p=99206

 Download full report (PDF)

Executive Summary

In summer 2019, Kaspersky ICS CERT identified a new wave of phishing emails containing various malicious attachments. The emails target companies and organizations from different sectors of the economy that are associated with industrial production in one way or another.

We reported these attacks in 2018 in an article entitled “Attacks on industrial enterprises using RMS and TeamViewer“, but recent data shows that the attackers have modified their attack techniques and that the number of enterprises facing the threat of infection is growing.

Before publishing this report, we waited for the vendor of the RMS software to make changes to its services to ensure that the results of this research could not be used to exploit vulnerabilities.

This report in a nutshell:

• From 2018 to at least the early fall of 2020, attackers sent phishing emails laced with malware.
• The attacks make use of social engineering techniques and legitimate documents, such as memos and documents detailing equipment settings or other industrial process information, which have apparently been stolen from the company under attack or its business partners.
• The attacks still use remote administration utilities. The graphical user interface of these utilities is hidden by the malware, enabling the attackers to control infected systems without their users’ knowledge.
• In the new version of the malware, the attackers changed the notification channel used after infecting a new system: instead of malware command-and-control servers, they use the web interface of the RMS remote administration utility’s cloud infrastructure.
• Stealing money from the organization under attack remains the main objective of the attackers.
• During an ongoing attack, the cybercriminals use spyware and the Mimikatz utility to steal authentication credentials that are subsequently used to infect other systems on the enterprise network.

The full article is available on Kaspersky Threat Intelligence.

For more information please contact: ics-cert@kaspersky.com.

Technical Analysis

Since we described the technical details of this series of attacks in our previous report, Attacks on industrial enterprises using RMS and TeamViewer, in this document we only list the main stages of an attack and describe the changes to the attackers’ tactics and toolset that have been implemented since the publication of the previous report.

Spreading

Phishing emails used in this attack are in most cases disguised as business correspondence between organizations. Specifically, the attackers send claim letters on behalf of a large industrial company.



Phishing email disguised as a claim letter

In the earlier attack series, the attackers used a sender email address with a domain name that was similar to the official website address of the organization on whose behalf their phishing emails were sent. Now they use public email services to send their phishing emails and they use a different technique to mislead message recipients and persuade them to open a malicious attachment: they pretend to be a real business partner or to represent a real subsidiary of the company under attack and ask the recipient to view the documents attached by the deadline specified in the email, explaining the request by the approaching end of a purchase tender, possible penalties or the need to review equipment configuration data as soon as possible.

It should also be emphasized that the phishing emails are individually crafted for each specific company that is attacked. This is demonstrated by the fact that the name of the company under attack is mentioned in the email text, as well as by the documents used by the attackers as attachments (descriptions of the documents are provided below). In some of the cases identified earlier, the attackers also addressed the recipient by his or her full name.



Phishing email sent on behalf of a contractor

Attachments used in phishing emails are password-protected archives, with the password provided in the message body. The attackers explain this method of sending information by referring to confidentiality considerations in the message body, but in reality password protection prevents files stored in the archive from being scanned with antivirus tools.

Malware Features

The archive attached to a phishing email contains several malicious obfuscated JS scripts that have an identical functionality but slightly different structure due to different code obfuscation techniques being used. The script names are usually disguised as document names.

If a user runs one of these scripts, two files are unpacked and opened: a malicious program detected as HEUR:Backdoor.Win32.Generic, and a legitimate PDF file. Some JS script variants found in phishing emails download these files from a remote server rather than extracting them from the script’s body.

In earlier attacks, to ensure that the user didn’t have questions regarding the absence of the documents mentioned in the message body and to distract the user while installing the malware, the attackers opened a damaged PDF document or image or launched a legitimate software installer.



Image opened by the malware in earlier attacks

In their later attacks, the threat actor began to use actual documents related to the attacked organization’s area of work. A document can look like one created by a business partner or even the attacked organization itself. Specifically, documents used in attacks include scan copies of memos, letters to subsidiaries and contractors, as well as procurement documentation forms that were apparently stolen earlier.



PDF document containing instructions for subsidiaries, used by the attackers

A fact of particular interest is that in some cases, the attackers used documents containing industrial equipment configuration data and other information related to the industrial process.

Specifically, screenshots from the DIGSI application have been used. The application is designed to configure relay systems manufactured by Siemens.



DIGSI software screenshot 1

DIGSI is used by electric power facilities, such as substations, to configure their relay protection systems.



DIGSI software screenshot 2



Screenshot of a relay system’s configuration matrix. List of setpoints

We also found screenshots with transformer oscillograms in documents used by the attackers:



Vector diagrams with oscillograms

It is worth noting that the last screenshot shows oscillograms for a system at the moment of an accident.

Phishing emails with such screenshots do not call for the settings shown in attached documents to be implemented. It is most likely that the attackers use documents with the above screenshots to distract the personnel while the malware is being installed. Since the data mentioned above can provide a relay protection expert with information on standard settings used at the facility, the fact that the attackers have such screenshots at their disposal is cause for concern.

The JS script then launches the malware, which installs a version of TeamViewer, a remote administration tool (RAT), modified by the attackers. As in earlier attacks, the attackers use a malicious DLL library to hide the graphical user interface in order to control the infected system without the user’s knowledge.

If additional information needs to be collected, the attackers download an additional set of malware selected specifically for each victim. This can be spyware designed to collect credentials for a variety of programs and services, including email clients, browsers, SSH/FTP/Telnet clients, as well as recording keypresses and making screenshots. In some cases, the Mimikatz utility is used to collect account credentials for Windows accounts entered on the compromised system. The use of Mimikatz poses a particular danger, because it can provide the attackers with access to a large number of systems on the enterprise’s network.

In most cases, the attackers disguise malware components as Windows components to hide traces of malicious activity on the system.

Infrastructure

While analyzing the new series of attacks, we noticed two ways in which the infrastructure is organized differently from that used in earlier attacks.

First, the attackers use resources disguised as websites of existing Russian-speaking companies to store files downloaded by malicious JS scripts at the system infection stage.

The second and more important difference is that the attackers no longer use a malware command-and-control server in their communication with infected systems.

The main reason for having a malware command-and-control server in this type of attack was the need to get the infected machine’s ID in the TeamViewer system. The attackers already had any other information they needed (the password required to connect was provided in a special configuration file). In the new series of attacks, the attackers sent the infected machine’s TeamViewer ID using the legitimate infrastructure of the RMS remote administration system.

This was possible because the RMS remote administration infrastructure has a dedicated web service designed to notify the administrator that an RMS distribution package has been installed on a remote system. To send the notification, the RMS server generates an email message that contains the machine’s ID in the RMS system in the message body. For the message to be generated, it is sufficient for the RMS client to send an HTTP POST request to the dedicated web page, providing the following data: product name, ID of the language pack used in the system, user name, computer name, email address to which the notification should be delivered, and the machine’s ID in the RMS system assigned after installing the program.



Attack kill chain

The underlying mechanism of the web service contained a vulnerability: it did not use any kind of authorization procedure. The malicious DLL responsible for hiding the TeamViewer graphic interface included code for sending the request described above to the RMS server. However, it sent the machine’s ID in the TeamViewer system instead of its ID in the RMS system. The ID length in the TeamViewer system is different from the ID length in the RMS system; however, since there is no verification of the contents of fields sent to the server in the HTTP POST request, a notification message with information on a newly infected machine was successfully delivered to the attacker’s address.

Kaspersky ICS CERT has notified RMS developers that their infrastructure is being used for criminal purposes, providing them with all the technical details needed to close the vulnerability. To date, the vulnerability has not been closed by the developers, but a workaround, filtration based on an address allowlist, has been implemented.

In other words, the functionality still works, but notification emails are only sent to email addresses included in a special list of customers ‘verified’ by RMS developers.

For technical details about this vulnerability please contact: ics-cert@kaspersky.com

Victims

As mentioned above, the vast majority of attacked systems are industrial enterprises in Russia representing various sectors of the economy. We identified attacks on companies from the following industries:

• Manufacturing
• Oil and gas
• Metal industry
• Engineering
• Energy
• Construction
• Mining
• Logistics

Consequently, this is not a case of an attack narrowly targeting one specific industry; however, since most legitimate documents used in the attacks are from the energy sector, it can be assumed that the attackers have a particular interest in the sector.

Attribution

We are convinced that a Russian-speaking group is behind these attacks.

The main arguments in favor of this theory were offered in our previous report, “Attacks on industrial enterprises using RMS and TeamViewer“.

Note also that the code used to send requests to the RMS server, which was identified in the process of analyzing the new version of the malicious DLL, contains a language ID for the Russian localization of the operating system.

According to available information, the main objective of the criminals is to steal money from victim organizations’ accounts. This means that the attackers must have a good understanding of the financial workflow, which differs in some of its aspects from country to country, and support the appropriate infrastructure for cash withdrawal.

The group does not use any sophisticated tactics or technologies, but it carefully prepares each attack and expertly uses social engineering techniques, as well as technologies that are already known from attacks staged by other criminal groups.

We believe that the group includes people responsible for the technical aspect of infecting victims’ systems, as well as people responsible for financial operations, i.e., for stealing money from the group’s victims.

Conclusions

The threat actor continues to attack industrial enterprises successfully using relatively simple techniques, but its methods are evolving. To persuade users of the legitimacy of phishing emails, criminals have begun to use documents that were apparently stolen during earlier attacks. It is worth noting that some of the documents used for this purpose contain information on industrial equipment settings and industrial process parameters. This is one more reason to believe that these attacks specifically target industrial enterprises.

The main technical change in the attacks is that the attackers have discarded the most vulnerable stage in data collection and transmission – that is, malware command-and-control servers, which can be disconnected by the hosting provider or blocked by information security systems. Instead, new system infection notifications are delivered via the legitimate web interface of the RMS remote administration utility’s cloud infrastructure. Resources disguised as legitimate websites of existing organizations are used to store malware samples.

The attackers have full control of an infected system from the moment it becomes infected. Stealing money from the organization’s accounts remains their main objective. When the attackers connect to a victim’s computer, they look for financial and accounting software (1C accounting software, bank-client, etc.). In addition, they find and analyze procurement-related accounting documents and peruse the email correspondence of the enterprise’s employees. After that, the attackers look for various ways in which they can commit financial fraud. We believe that the criminals are able to substitute the bank details used to pay invoices.

Clearly, the attackers’ remote access to infected systems also poses other threats, such as the organization’s sensitive data being leaked, systems being put out of operation, etc. As the latest events have shown, the attackers use documents that were probably stolen from organizations to carry out subsequent attacks, including attacks on victim companies’ partners.

If you have encountered an attack of this kind, you can report it to us through a form on our website.

Recommendations

• Train employees at enterprises in using email securely and, specifically, in identifying phishing messages
• Restrict the ability of programs to gain SeDebugPrivilege privileges (wherever possible)
• Install antivirus software with support for centrally managing the security policy on all systems; keep the antivirus databases and program modules of security solutions up to date
• Use accounts with domain administrator privileges only when necessary. After using such accounts, restart the system on which the authentication was performed
• Implement a password policy with password strength and regular password change requirements
• If it is suspected that some systems are infected: remove all third-party remote administration utilities, scan these systems with antivirus software and force a change of passwords for all accounts that have been used to log on to compromised systems
• Monitor network connections for any traces of remote administration utilities installed without proper authorization. Make a special emphasis on the use of RMS and TeamViewer utilities
• Use network activity filtration systems to block connections to servers and IP addresses listed in Appendix I – Indicators of Compromise
• Never use obsolete versions of the TeamViewer utility (versions 6.0 and earlier). To discover any instances of obsolete versions of TeamViewer being used, the YARA rule provided in Appendix I – Indicators of Compromise can be used
• It should be noted that, since the attack uses legitimate remote administration software, that software can remain on the victim’s computer and continue operating even when the malicious downloader has been removed. If remote administration software has been identified at the stage of scanning corporate systems, it should be determined in each case whether it was installed legitimately

For more information please contact: ics-cert@kaspersky.com

Appendix I – Indicators of Compromise

File Hashes (malicious documents, malware, emails etc.)

• 386a1594a0add346b8fbbebcf1547e77
• 203e341cf850d7a05e44fafc628aeaf1
• 3b79aacdc33593e8c8f560e4ab1c02c6
• ea1440202beb02cbb49b5bef1ec013c0
• 1091941264757dc7e3da0a086f69e4bb
• 72f206e3a281248a3d5ca0b2c5208f5f
• da4dff233ffbac362fee3ae08c4efa53
• d768a65335e6ca715ab5ceb487f6862f
• 9219e22809a1dff78aac5fff7c80933c
• 86e14db0bcf5654a01c1b000d75b0324

File Names

• Акт.js
• Запрос 17782-09-1.js
• Перечень документов.js
• спецификация на оборудование xls.js
• tv.dll
• tv.ini

Some malware modules installed on the system have randomly generated names that follow a specific format. The following regular expression can be used to search for such files:

%TEMP%\\[a-z]{2,3}[0-9]{2}.exe

These files are saved in the temporary file directory (%TEMP%); the first part of the file name consists of two or three Roman characters; the second is a two-digit number followed by the extension .exe

Domains and IPs

• timkasprot.temp.swtest[.]ru (RemoteAdmin.Win32.RemoteManipulator.vpj)
• 77.222.56[.]169 (RemoteAdmin.Win32.RemoteManipulator.vpj)
• z-wavehome[.]ru (RemoteAdmin.Win32.RemoteManipulator.vpj)
• dncars[.]ru (RemoteAdmin.Win32.RemoteManipulator.vpj)

Yara Rules

rule TeamViewer_ver6_and_lower {
meta:
    description = "Rule to detect TeamViewer ver 6.0 and lower"  
    hash = "4f926252e22afa85e5da7f83158db20f"
    hash = "8191265c6423773d0e60c88f6ecc0e38"
    version = "1.1"    
condition:
                uint16(0) == 0x5A4D and 
                pe.version_info["CompanyName"] contains "TeamViewer" and 
                (pe.version_info["ProductVersion"] contains "6.0" or
                pe.version_info["ProductVersion"] contains "5.1" or
                pe.version_info["ProductVersion"] contains "5.0" or
                pe.version_info["ProductVersion"] contains "4.1" or
                pe.version_info["ProductVersion"] contains "4.0" or
                pe.version_info["ProductVersion"] contains "3.6" or
                pe.version_info["ProductVersion"] contains "3.5" or
                pe.version_info["ProductVersion"] contains "3.4" or
                pe.version_info["ProductVersion"] contains "3.3" or
                pe.version_info["ProductVersion"] contains "3.2" or
                pe.version_info["ProductVersion"] contains "3.1" or
                pe.version_info["ProductVersion"] contains "3.0")
}

The attackers use outdated versions of the TeamViewer client that contain a vulnerability enabling them to hide the utility’s graphic interface. This YARA rule can be used to determine whether there are outdated versions of the TeamViewer software installed on the system. Checking whether any such software found was installed legitimately is a first-priority task.

If instances of outdated versions of the TeamViewer client being used legitimately are identified, it is recommended that the software in question be updated to the latest version.

Registry keys

• Key:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\rundll32
  Value:
  rundll32.exe shell32.dll,ShellExec_RunDLL
  “%AppData%\Roaming\TeamViewer\5\TeamViewer.exe”
• Key:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\CCFTray
  Value:
  rundll32.exe shell32.dll,ShellExec_RunDLL “%temp%\TeamViewer.exe”

Threat actors’ email addresses

• timkas@protonmail.com
• smoollsrv@gmail.com
• nataly@z-wavehome.ru
• info@dncars.ru

Appendix II – MITRE ATT&CK Mapping

Tactic	Technique/Subtechnique	Description
Initial Access	T1566.001	Phishing: Spearphishing Attachment The attackers use phishing emails with archives containing malicious scripts
Execution	T1204.002	User Execution: Malicious File Malicious software is executed when the user opens the file
	T1059.007	Command and Scripting Interpreter: JavaScript/Jscript Used to execute malicious PE and open bait PDF files
Persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder The malware creates a registry value to run automatically after system restart
Defense Evasion	T1027.002	Obfuscated Files or Information: Software Packing To make analysis more difficult, files of the malware are packed and its code is obfuscated
	T1564.001	Hide Artifacts: Hidden Files and Directories The attributes “hidden” and “system” are assigned to malware files
	T1574.001	Hijack Execution Flow: DLL Search Order Hijacking To hide the GUI of the TeamViewer remote administration utility, a malicious program is loaded into the process instead of a system library
	T1036.005	Masquerading: Match Legitimate Name or Location In most cases, attackers disguise malware components as Windows operating system components to hide the traces of malicious activity in the system
Credential Access	T1003.001	OS Credential Dumping: LSASS Memory The attackers use the Mimikatz utility in cases where they need authentication credentials to infect other systems in an organization
	T1056.001	Input Capture: Keylogging In some cases, malware (class: Spyware) designed to collect logins and passwords for various different programs and services, record keypresses and capture screenshots is downloaded to an infected system
Discovery	T1057	Process Discovery The malware collects information on antivirus software running on the system
	T1018	Remote System Discovery The attackers explore the organization’s other systems to which they can gain access over the network
	T1518	Software Discovery The attackers take notes on which software associated with financial operations is installed on an infected system
Lateral Movement	T1021.001	Remote Services: Remote Desktop Protocol RDP connections with account credentials obtained earlier using the Mimikatz utility are used for lateral movement
Collection	T1005	Data from Local System The attackers analyze documents found on infected systems; these documents can be used in subsequent attacks
	T1114.001	Email Collection: Local Email Collection The attackers analyze the business correspondence of the organization under attack in order to use it for subsequent attacks on the victim’s business partners
	T1056.001, T1113	Input Capture: Keylogging and Screen Capture In some cases, malware (class: Spyware) designed to collect logins and passwords for various different programs and services, record keypresses and capture screenshots is downloaded to an infected system
Command And Control	T1071.001	Application Layer Protocol: Web Protocols To send the TeamViewer ID, an HTTP POST request is sent to the RMS server
	T1071.003	Application Layer Protocol: Mail Protocols The RMS server sends an email to an address controlled by the attackers. The email contains the infected machine’s TeamViewer ID
	T1219	Remote Access Software The attackers use the TeamViewer remote administration utility to connect to the infected system
Exfiltration	T1020	Automated Exfiltration The attackers use malware to receive information collected on the infected system
Impact	T1565.001	Data Manipulation: Stored Data Manipulation Substitution of bank details in payment forms

]]> https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer-new-data/99206/feed/ 0 full large medium thumbnail https://securelist.com/threat-landscape-for-industrial-automation-systems-h1-2020-highlights/98427/ https://securelist.com/threat-landscape-for-industrial-automation-systems-h1-2020-highlights/98427/#respond Thu, 24 Sep 2020 08:00:21 +0000 https://kasperskycontenthub.com/securelist/?p=98427

Overall downward trend for percentages of attacked computers globally

Beginning in H2 2019 we have observed a tendency for decreases in the percentages of attacked computers, both in the ICS and in the corporate and personal environments.

• In H1 2020 the percentage of ICS computers on which malicious objects were blocked has decreased by 6.6 percentage points to 32.6%.
• The number was highest in Algeria (58.1%), and lowest in Switzerland (12.7%).
• Despite the overall tendency for the percentages of attacked computers to decrease, we did see the number grow in the Oil & Gas sector by 1.6 p.p. to 37.8% and by 1.9 p.p. to 39.9 % for computers used in building automation systems. These numbers are higher than the percentages around the world overall.



Percentage of ICS computers on which malicious objects were blocked (download)

Variety of malware

Threats are becoming more targeted and more focused, and as a result, more varied and complex.

• Kaspersky solutions in ICS environments blocked over 19.7 thousand malware modifications from 4,119 different families.
• We are seeing noticeably more families of backdoors, spyware, Win32 exploits and malware built on the .Net platform.
• Ransomware was blocked on 0.63% of ICS computers. This is very similar to the total of 0.61% in H2 2019.

Main threat sources

The internet, removable media and email continue to be the main sources of threats in the ICS environment. Predictably, the percentages in the rankings for these threats have decreased.

• Internet threats were blocked on 16.7% of ICS computers (-6.4 p.p.).
• Threats penetrating when removable media are connected were blocked on 5.8% of computers (-1.9 p.p.).
• Malicious email attachments were blocked on 3.4% of ICS computers (-1.1 p.p.).



Main sources of threats blocked on ICS computers* (download)

* percentage of ICS computers on which malicious objects from different sources were blocked

Regional differences

Asia and Africa were the least secure.

• Asian regions occupy 4 out of the TOP 5 positions in the regional rankings based on the percentage of ICS computers which were attacked. Africa comes second.
• Southeast Asia is the worst hit – it leads in several ratings:
  1. Percentage of ICS computers where malicious activity was blocked – 49.8%.
  2. percentage of ICS computers where internet threats were blocked – 14.9%.
  3. Percentage of ICS computers where malicious email attachments were blocked – 5.8%.
• Africa leads in the ranking of regions by percentage of ICS computers where malicious activity was blocked when removable media were connected with (14.9%).

The situation is best in Australia, Europe, USA and Canada, which are in at the bottom in all of the rankings except by malicious email attachments.

• Northern Europe is the most secure region with the lowest positions in rankings in H1 2020:
  1. by percentage of ICS computers attacked – 10.1%,
  2. by percentage of ICS computers on which internet threats were blocked – 4.6%,
  3. By percentage of ICS computers where malicious email attachments were blocked (1.1%).
• The lowest percentage of ICS computers on which threats were blocked when removable media were connected was in Australia – 0.8%. Northern Europe came in with a close second of 0.9%.
• In Australia, Europe, USA and Canada the percentages in the rankings by malicious email attachments were higher than by threats on removable media with Eastern Europe as the exception – 3.5% and 3.7% respectively.

Southern and Eastern Europe were the least secure regions in Europe.

• Southern and Eastern Europe were in the TOP 5 of the rankings by percentages of ICS computers where malicious email attachments were blocked. Southern Europe came in second with 5.2% and Eastern Europe fifth with 3.5%.
• Eastern Europe was the only region in the world where we saw an increase of 0.9 p.p. in the percentage of computers where threats were blocked when removable media were connected, coming in with 3.7%.

Full version of the report.

]]> https://securelist.com/threat-landscape-for-industrial-automation-systems-h1-2020-highlights/98427/feed/ 0 full large medium thumbnail https://securelist.com/smart-buildings-threats/93322/ https://securelist.com/smart-buildings-threats/93322/#respond Thu, 19 Sep 2019 06:45:04 +0000 https://kasperskycontenthub.com/securelist/?p=93322

The Kaspersky Industrial Cybersecurity Conference 2019 takes place this week in Sochi, the seventh such conference dedicated to the problems of industrial cybersecurity. Among other things, the conference will address the security of automation systems in buildings — industrial versions of the now common smart home. Typically, such a system consists of various sensors and controllers to manage elevators, ventilation, heating, lighting, electricity, water supply, video surveillance, alarm systems, fire extinguishing systems, etc.; it also includes servers that manage the controllers, as well as computers of engineers and dispatchers. Such automation systems are used not only in office and residential buildings, but in hospitals, shopping malls, prisons, industrial production, public transport, and other places where large work and/or living areas need to be controlled.

We decided to study the live threats to building-based automation systems and to see what malware their owners encountered in the first six months of 2019.

Malware and target systems

According to KSN, in H1 2019 Kaspersky products blocked malicious objects on 37.8% of computers in building-based automation systems (from a random sample of more than 40,000 sources).


Share of smart building systems on which malware was blocked, 2018-2019

It should be mentioned right away that most of the blocked threats are neither targeted, nor specific to building-based automation systems. In other words, it is ordinary malware regularly found on corporate networks unrelated to automation systems. This does not mean, however, that such malware can be ignored — it has numerous side effects that can have a significant impact on the availability and integrity of automation systems, from file encryption (including databases) to denial of service on network equipment and workstations as a result of malicious traffic and unstable exploits. Spyware and backdoors (botnet agents) pose a far greater threat, since stolen authentication data and the remote control it provides can be used to plan and carry out a targeted attack on a building’s automation system.

What are the threats of a targeted attack? First off, there is disruption of the computers that control the automation systems, and subsequent failure of the systems themselves, since not all of them are totally autonomous. The result may be a disruption of the normal operation of the building: electricity, water, and ventilation are likely to continue to work as before, but there may be problems with opening/closing doors or using elevators. There may also be problems with the fire extinguishing system, for example, a false alarm or, worse, no signal in the event of a fire.

Geographical distribution of threats



Share of smart building systems on which malware was blocked, by country, H1 2019

Top 10 countries

Country	%*
Italy	48.5
Spain	47.6
Britain	44.4
Czech Republic	42.1
Romania	41.7
Belgium	38.5
Switzerland	36.8
India	36.8
China	36.0
Brazil	33.3

^{*Share of computers on which malware was blocked}


Sources of threats to building-based automation systems

When studying the sources of threats to building-based automation systems, we decided to compare them with similar statistics on industrial systems that we regularly compile and publish. Here’s the result:


Sources of threats to building-based automation systems by share of attacked computers, H1 2019

The graph shows that in building-based automation systems the share of attacked computers is consistently higher than in industrial systems. That being the case, the total share of attacked computers over the same period is greater in industrial systems (41.2%). This is due to the fact that building-based automation systems are more similar to systems in the IT segment — on the one hand, they are better protected than industrial ones, so the overall percentage is lower; on the other, they have a large attack surface (i.e. the majority have access to the Internet and often use corporate mail and removable drives), so each computer is exposed to more threats from different sources.


Types of malware detected in building-based automation systems, by share of users attacked, H1 2019

Note that it is not only the networks of automation systems in specific buildings (stations, airports, hospitals, etc.) that face threats. The networks of developers, integrators, and operators of such systems, who have (often privileged) remote access to a huge number and variety of objects, are also subjected to “random” and targeted attacks. Having gained access to computers in the network of an integrator or dispatcher, the cybercriminals can, theoretically, attack many remote objects simultaneously. At the same time, the remote connection to the automation object on the side of the integrator/operator is considered trusted and often effectively uncontrolled.

The threat landscape for smart buildings and how to minimize it will be discussed in more detail at the conference. One final note is to mention the importance of monitoring network communications on the perimeter and inside the network of automation systems. Even minimal monitoring will reveal current issues and violations, the elimination of which will significantly increase the object’s level of security.

]]> https://securelist.com/smart-buildings-threats/93322/feed/ 0 full large medium thumbnail