The CyberX-Files – Issue #7
Welcome to issue #7 of The CyberX-Files!

In this issue we summarize an in-depth article about NotPetya by Andy Greenberg of Wired magazine, who’ll soon be publishing a book on the Sandworm hacking team that was also behind the Ukrainian grid attacks of 2015 and 2016.

We also cover the North Korean hackers behind WannaCry; ICS zero-day vulnerabilities recently discovered by CyberX’s threat intelligence team; and DOE and DHS news related to grid security.

We’re also excited to announce that CyberX and one of our clients, the CISO of a global CPG manufacturer, will be presenting at the Palo Alto Networks IGNITE Europe conference, in a session titled “Effectively Detecting & Preventing Threats to Your ICS/SCADA Network.”

The session will describe the organizational and technological challenges of integrating IT and OT security in the corporate SOC, and how the integration of CyberX and Palo Alto Networks enables security teams to rapidly change policies and immediately block sources of malicious ICS/SCADA traffic identified by the CyberX platform.

Also, at the ICS Cyber Security Conference in Atlanta, CyberX and Palo Alto Networks will be offering a free, ½-day hands-on workshop on ICS/SCADA security.

Enjoy this issue and please drop me a line at [email protected] with any feedback!

ICS/SCADA/OT Security News

The Untold Story of NotPetya, the Most Devastating Cyberattack in History

  • NotPetya, the most devastating malware since the invention of the Internet, spread within hours from a Ukrainian software firm to countless machines around the world, from the British manufacturer of Lysol to a chocolate factory in Tasmania.
  • NotPetya was propelled by two powerful hacker exploits working in tandem: EternalBlue, which was stolen from the NSA and takes advantage of an SMB vulnerability to remotely execute code on any unpatched machine, and a password-stealing tool known as Mimikatz. Once the attackers gain initial access to a machine, Mimikatz pulls passwords out of that machine’s RAM and uses them to log into other machines that accept the same credentials, automatically hopping from one machine to the next.
  • “Almost everyone who has studied NotPetya, however, agrees on one point: that it could happen again or even reoccur on a larger scale. Global corporations are simply too interconnected, information security too complex, attack surfaces too broad to protect against state-trained hackers bent on releasing the next world-shaking worm,” says Thomas Rid, a political science professor at Johns Hopkins’ School of Advanced International Studies.
  • US intelligence agencies have confirmed that Russia’s GRU was responsible for launching the malicious code, which resulted in financial sanctions by the US Treasury.
  • According to Cisco, “Anyone who thinks this was accidental is engaged in wishful thinking. This was a piece of malware designed to send a political message: If you do business in Ukraine, bad things are going to happen to you.”
  • Dozens of global companies like Maersk – the world’s largest shipping conglomerate, with close to a fifth of the entire world’s shipping capacity – were affected. Maersk lost $300 million when tens of thousands of trucks were turned away from its port terminals, no new bookings were made, and the company was obliged to compensate customers for sending their cargo last minute via alternative companies.
  • Merck, whose ability to manufacture some drugs was temporarily shut down by NotPetya, lost $870 million. FedEx, whose European subsidiary TNT Express was crippled in the attack and required months to recover some data, took a $400 million blow. French construction giant Saint-Gobain lost around the same amount. Reckitt Benckiser, the British manufacturer of Lysol and Durex condoms, lost $129 million, and Mondelēz, the owner of chocolate-maker Cadbury, took a $188 million hit. Untold numbers of victims without public shareholders counted their losses in secret.

Read the full story in Wired

U.S. Accuses North Korea of Plot to Hurt Economy as Spy Is Charged in Sony Hack

The New York Times
  • The Justice Department officially charged a North Korean spy for computer fraud in a 174-page criminal complaint detailing how WannaCry caused hundreds of millions of dollars’ worth of damage to the global economy and crippled Britain’s health care system.
  • The attackers used Dynamic DNS (DDNS) hostnames in the malware, so the IP addresses used to contact the command-and-control servers could easily be changed, rather than hardcoding IP addresses into the malware.
  • The complaint describes a team of hackers from North Korea’s main intelligence agency who also attacked Sony Pictures Entertainment, and stole $81 million from the Bangladeshi central bank. The main motivation seems to be North Korea’s shortage of cash and a desire to control American corporate behavior through fear.
  • The attack on Sony Pictures wiped out 70% of the studio’s computer capability, erasing all the data on about half the company’s personal computers and more than half of its servers. Sony was left without voice mail, email or production systems, essentially crippling operations and leading to the resignation of the studio’s co-chairman. The crime revealed how vulnerable the United States has become to cybercriminals and how malicious actors can remotely cripple American corporations.
  • The DPRK targeted victims with spear-phishing emails purporting to be from Facebook, Google, and recruiters.
  • American defense contractors such as Lockheed Martin were also targeted.

Read the full story in The New York Times

DOE to Vet Grid’s Ability to Reboot After a Cyberattack

E&E News
  • The DOE will test the power grid’s ability to recover from outages caused by cyberattacks in a new exercise this autumn dubbed “Liberty Eclipse”.
  • The week-long stress test will simulate the painstaking process of re-energizing the power grid (“blackstart”) while squaring off against a simultaneous cyberattack on electric, oil and natural gas infrastructure.
  • Quote from grid reliability consultant: “There are obviously some cybersecurity concerns, from both sides … the natural gas is pumped up the pipeline by electric pumps. From an interdependency standpoint: Is everybody working together, and does everybody understand where the critical paths might be?”
  • Power companies rely on diesel generators and other blackstart sources to choreograph “cranking paths” for bringing the grid back on its feet. Once enough pockets of electricity have been brought online, operators can sync up the islands with the wider grid. The process can take many hours, even in the most favorable circumstances.
  • A leaked administration memo this spring raised concerns that gas pipelines could be more susceptible to attack — a theory officials said they would test with the new exercise.
  • During Liberty Eclipse, DOE plans to incorporate simulated cranking paths provided by DARPA, which has been developing ways to speed up grid restoration following a major cyberattack. The exercise will include replicas of substation equipment so the utility industry can rehearse how it would handle a crippling cyberattack aimed at blocking participants from restoring power.

Read the full story in E&E News

Schneider Electric Modicon Vulnerability Impacts ICS Operation in Industrial Settings

  • A security vulnerability discovered in Schneider Electric Modicon M221 controllers has the potential to severely disrupt industrial equipment and networks.
  • The vulnerability could allow unauthorized users to remotely reboot the controller using crafted programming protocol frames, preventing the devices from communicating with the ICS network, and leaving operators without means to control the industrial environment. This could result in factory downtime and further compromises of the ICS network.
  • Schneider Electric released a security update to resolve the flaw; it can be obtained through their Software Update tool.
  • In January, researchers from FireEye revealed the existence of purpose-built ICS malware targeting Triconex SIS controllers. The Triton malware was able to tamper with emergency shutdown systems and was described as “part of a complex malware infection scenario.”

Read the full story in ZDNet

CyberX In The News

The Simplest and Most Comprehensive Way to Address ICS Risk

Brilliance Security Magazine

At Black Hat 2018, CyberX’s VP of Industrial Cybersecurity Phil Neray discussed the state of OT network security and how it’s changed in recent years. CyberX was a pioneer in this segment: you might say it was “doing IIoT before IIoT was cool.”

  • For many years CISOs and corporate security organizations were only responsible for corporate IT networks, while the security of production networks was overseen by operational personnel. In many organizations, this responsibility has now shifted to the corporate security department that has the expertise to address sophisticated cyberattacks like those driven by nation-states.
  • Industrial networks contain a complex mix of specialized protocols, including proprietary protocols developed for specific families of industrial automation devices.
  • Protocols were originally designed when robust security features such as authentication were not even a requirement. In those days, it was assumed that simply having connectivity to a device was sufficient authentication.
  • Industrial organizations have historically lacked any visibility into OT network activity and assets because IT-focused monitoring tools are typically “blind” to specialized OT protocols.
  • When it comes to protecting these systems, CyberX believes a new approach is required. It must have zero impact on OT networks and devices. It must be heterogeneous and OT vendor-agnostic, with broad support for specialized ICS protocols and control system equipment from all ICS vendors. And finally, it must be integrated with existing SOC workflows and security tools, including centralized SIEMs, ticketing, firewalls, and security analytics solutions.

Read the full story in Brilliance Security Magazine

DHS unveils National Risk Management Center

SC Magazine
  • DHS Secretary Nielsen announced the creation of a National Risk Management Center that will “identify, assess and prioritize efforts to reduce risks to national critical functions which enable national and economic anxiety.”
  • Speaking at the DHS Cybersecurity Summit in New York, Nielsen said, “A Category 5 hurricane has been forecast. And now we must prepare.”
  • Phil Neray, VP of Industrial Cybersecurity at CyberX, praised the government for “putting more focus on coordination and information sharing,” but added, “until we define minimum security standards for critical infrastructure, we’ll continue to be vulnerable to nation-state threats.”
  • The center appears to go one step beyond what the FBI created back in 1996 with InfraGard, which took an independent chapter-driven approach linked to local FBI field offices.

Read more in SC Magazine

CyberX Security Research & Technology News

Flaws in Emerson Workstations Allow Lateral Movement

  • Several critical and high severity vulnerabilities in Emerson DeltaV DCS Workstations were discovered by CyberX security researchers.
  • CVE-2018-14795 is described as an improper path validation issue that allows an attacker to replace executable files.
  • “We were able to analyze the protocol and issue specially crafted commands in order to achieve remote code execution using that vulnerability,” said CyberX VP of Research David Atch. “The vulnerability is a result of a coding error, which means that default Windows security mechanisms such as ASLR and DEP won’t prevent the remote code execution.”
  • The two other “high severity” flaws will allow attackers to move laterally within the targeted network and possibly take control of other DeltaV Workstations.
  • Emerson has provided patches for each of the affected DeltaV Workstation versions.

Read the full story in SecurityWeek

About CyberX

Founded by military cyber-experts with nation-state expertise defending critical infrastructure, CyberX provides the most widely-deployed platform for continuously reducing ICS/SCADA/OT risk.

Our ICS-aware self-learning engines deliver immediate insights about assets, vulnerabilities, and threats — in less than an hour — without relying on rules or signatures, specialized skills, or prior knowledge of the environment.

CyberX is a member of the IBM Security App Exchange Community and the Palo Alto Networks Application Framework Community, and has partnered with premier solution providers and MSSPs worldwide including Optiv Security, DXC Technology, and Deutsche-Telekom/T-Systems.