The CyberX-Files – Issue #5
Digest of notable ICS cybersecurity content — curated by CyberX’s ICS security geeks
Welcome to the 5th edition of the CyberX-Files! In this issue we discuss: VPNFilter malware that captures MODBUS traffic and destroys routers; how the Iranian government has contracted 50 separate hacking groups to strike Western targets; why North Korean hackers are treated like Olympic athletes by the DPRK; and the DHS’s new cyber strategy.
At the Palo Alto Networks IGNITE Conference in May, CyberX was featured in a main stage presentation about our integration with Palo Alto’s Application Framework — an industry-first for OT security (you can view the recorded demo here). We’ve also integrated with their next-generation firewall to enable immediate blocking of malicious traffic detected by the CyberX platform.
In other CyberX news, Deutsche-Telekom/T-Systems and CyberX recently hosted an executive seminar in Frankfurt, Germany, on the topic of “Emerging ICS/SCADA Threats — and How to Maximize Operational Resilience.” The half-day seminar featured ICS cyber experts from EWZ Energy and T-Systems, along with a Deloitte risk expert describing how a global pharmaceutical company implemented CyberX for continuous ICS asset discovery, vulnerability management, and threat monitoring.
Finally, be sure to “Save the Date” for our Black Hat/House of Blues event in Las Vegas, Tuesday, August 7th from 5-8pm (registration info to follow shortly).
As always, please drop me a line at [email protected] if you have any feedback on this newsletter.
In This Newsletter
- How North Korea’s Hackers Became Dangerously Good
- U.S. Expects Resurgence in Iranian Cyberattacks, Including to Critical Infrastructure
- DHS Releases Cybersecurity Strategy to Strengthen Country’s Security Posture
- Iran’s Hacker Hierarchy Exposed, Critical Infrastructure at Risk
- VPNFilter: New Router Malware with Destructive Capabilities
- CyberX Unveils New App for Palo Alto Networks Application Framework
- CyberX Upcoming Events
ICS/SCADA/OT Security News
The Wall Street Journal
- North Korea’s cyber army, long considered a mid-level security threat, is turning into one of the world’s most sophisticated and dangerous hacking machines. It has about 7,000 hackers and support staffers. The A team, called “Lazarus,” attacks foreign entities and is associated with North Korea’s most headline-grabbing campaigns, such as the WannaCry and Sony attacks.
- Experts point to numerous signs that the hackers have become better. North Korean operators are now exploiting vulnerabilities in widely used software within days of their public disclosure, and crafting malicious code that evades antivirus products. When vendors patch the holes, the attackers adapt within days or weeks, updating their malware as routinely as Apple ships an iOS update.
- The WSJ notes that North Korea is cultivating elite hackers much like other countries train Olympic athletes. North Korean trainees get roomier apartments and undergo intense training, participate in highly competitive hackathons, and are even sent overseas to master foreign languages or participate in international coding competitions.
The New York Times & Security Week
- Cybersecurity experts believe that President Trump’s decision to pull out of the Iran nuclear deal in May will result in cyber retaliation from Iran.
- “Given the history of Iranian cyberactivity in response to geopolitical issues, the American energy sector has every reason to expect some type of response from Iran,” said Matt Olsen, the former general counsel of the National Security Agency and a former director of the National Counterterrorism Center.
- American officials suspect that Iranian hackers played a role in the attack on a Saudi petrochemical plant in August that compromised the facility’s operational safety controls. The attack’s level of sophistication leads analysts to suspect that Russia may have provided assistance.
- Phil Neray of CyberX expects Iran to continue escalating its cyberattacks on US targets: “We should expect Iran to conduct phishing and cyber espionage attacks against US-based industrial and critical infrastructure firms — as we’ve seen with Russian threat actors — with the goal of establishing footholds in OT networks that could later be used for more destructive attacks.”
- The DHS released a cybersecurity strategy that places strong emphasis on risk and vulnerability management. The framework is expected to help strengthen the entire cybersecurity ecosystem in a time when “90 percent of the nation’s power infrastructure [is] privately held” and “utilities currently have less mature tools for threat detection.”
- According to CyberX: “While the DHS reminds us that continuous risk assessment and vulnerability management are key elements of an active cyber defense strategy, many business leaders don’t realize that the DHS has neither the resources nor the legal standing to defend civilian assets before they’re attacked. More top-down commitment and budget dollars from senior management are required to give CISOs the resources they need to defend critical infrastructure from ever-more sophisticated threats.”
- Since 2009, Iran has regularly responded to economic sanctions with offensive cyber campaigns, such as the DDoS attacks on America’s largest financial services companies in 2012 and the destructive attack on the Sands Las Vegas Corporation in 2014 that caused significant network damage.
- Future cyberattacks on Western businesses will likely be executed by capable but less trusted contractors and universities acting as proxies for the Iranian government, which may leave the state unable to control the scope and scale of destructive cyberattacks once they have begun.
- An estimated 50 contractors are vying for government-sponsored offensive projects.
- The businesses likely to be at greatest risk are in many of the same sectors that were victimized by Iranian cyberattacks between 2012 and 2014: critical infrastructure providers, oil and energy, banks and financial services, and government departments.
CyberX In The News
Help Net Security
- Cisco Talos has identified VPNFilter, a multi-stage malware that targets routers and NAS devices, sniffs MODBUS traffic passing through them, harvests credentials from intercepted web traffic, and can render the infected device unusable.
- Estimates show that there are currently at least 500,000 infected devices in some 54 countries around the world.
- The code similarities with BlackEnergy malware and the recent focus on Ukrainian hosts seem to point to Russian-backed actors (particularly Fancy Bear/APT28, also known as Sofacy).
- According to Phil Neray of CyberX: “While the recent burst of Russian activity also targets the Ukraine, the malware exploits vulnerabilities in devices that are widely used around the world — which means the same attack infrastructure could easily be used to target critical infrastructure networks in the US, the UK, Germany, and any other countries seen as enemies of the attackers.”
Read the full story in Help Net Security
Read the Symantec blog post
Read the Cisco Talos blog post
Register for SANS webinar describing VPNFilter and implications for protecting ICS networks.
Research & Technology News
- At IGNITE’18, CyberX announced its new “ICS Asset Visibility & Threat Monitoring” app for the Palo Alto Networks Application Framework. It uses the PAN infrastructure that customers already have deployed to provide granular visibility into all OT assets and communication patterns between them.
- The new CyberX app auto-discovers and immediately classifies all OT devices based on Network Traffic Analysis (NTA), enabling security teams to easily implement fine-grained policies to prevent malicious or unauthorized activities; identify vulnerable or compromised OT devices; and alert on suspicious or risky behaviors such as PLC programming changes and network scanning.
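The VPNFilter item above notes that the malware sniffs MODBUS traffic on the router, and the app description above mentions alerting on risky behaviors such as PLC programming changes. The following is an added example, not code from CyberX, Cisco Talos, or the original newsletter: a small Modbus/TCP parser that shows what a passive observer on a router learns from each frame (the protocol carries no authentication or encryption, so unit IDs, function codes, register addresses and values are all in the clear), plus the simplest form of the alert rule that network traffic analysis tools build on, which is flagging write function codes. The sample frames are constructed for the example, not captured traffic, and the alert format is a hypothetical choice.

```python
"""Minimal Modbus/TCP request parser with write-operation triage (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

MODBUS_TCP_PORT = 502  # well-known Modbus/TCP port

# Public function codes from the Modbus Application Protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
    43: "Encapsulated Interface Transport (e.g. Read Device Identification)",
}
# Functions that change controller state; a hypothetical 'risky behavior' rule.
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}
# Functions whose PDU data begins with a 16-bit starting address.
ADDRESSED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16, 23}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: Optional[int]  # None for functions without an address field
    data: bytes                   # PDU bytes after the function code

    @property
    def name(self) -> str:
        return FUNCTION_NAMES.get(self.function, f"Unknown function {self.function}")

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1),
    where 'length' counts the bytes that follow it (unit id + PDU).
    """
    if len(frame) < 8:
        raise ValueError("truncated frame: need MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"not Modbus: protocol id {protocol_id}")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes present")
    function = frame[7]
    data = frame[8:]
    start_address = None
    if function in ADDRESSED_FUNCTIONS:
        if len(data) < 2:
            raise ValueError("truncated PDU: missing start address")
        start_address = struct.unpack(">H", data[:2])[0]
    return ModbusRequest(transaction_id, unit_id, function, start_address, data)


def triage(frames: List[bytes]) -> List[str]:
    """Return one alert line per write request; malformed frames are reported too."""
    alerts = []
    for frame in frames:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"MALFORMED: {exc}")
            continue
        if req.is_write:
            alerts.append(
                f"WRITE unit={req.unit_id} fc={req.function} ({req.name}) "
                f"addr={req.start_address} tid={req.transaction_id}"
            )
    return alerts


# Constructed sample frames (not captured traffic): one read, two writes, and a
# truncated frame such as a sniffer might see at the end of a capture.
SAMPLE_FRAMES = [
    bytes.fromhex("00010000000601030000000a"),              # Read Holding Registers 0..9
    bytes.fromhex("000200000006010600101234"),              # Write Single Register 16 = 0x1234
    bytes.fromhex("00030000000b0110000000020400010002"),    # Write Multiple Registers 0..1
    bytes.fromhex("00040000000601"),                        # MBAP header only, no PDU
]

if __name__ == "__main__":
    for line in triage(SAMPLE_FRAMES):
        print(line)
```

The read request produces no alert, both writes do, and the truncated frame is reported rather than silently dropped, which matters for a monitor that must not be blinded by a malformed packet. A real NTA product adds the context this example omits, such as which source addresses are allowed to write to which PLCs and a model of normal traffic learned from baseline observation.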
CyberX Upcoming Events
SANS is hosting a webinar about VPNFilter titled “All Your Network Traffic Are Belong to Us — VPNFilter Malware and Implications for ICS,” on Wednesday, July 28 at 3:30pm ET, featuring Tim Conway, SANS Technical Director for ICS & SCADA Programs, and Doug Wylie, SANS Director of Industrials and Infrastructure Practice Area. Register here.
Later in the month, CyberX and GrayMatter Systems (GMS) will host an Industrial Cybersecurity Briefing and Whiskey Tasting event in Pittsburgh, PA. Keith Mularski, FBI Unit Chief for the Cyber Division, will discuss securing OT and dissecting the anatomy of an attack. Join us to learn about new industrial attacks and what you can do to defend against them.
Black Hat 2018 — House of Blues: We’re pleased to invite you to an invitation-only Happy Hour at the House of Blues in Las Vegas. This is a unique opportunity to hang out with your security peers in a cool setting with great food and drinks. Mark your calendars for Tuesday, August 7 from 5-8pm and stay tuned for registration details to follow shortly.
Founded by military cyber-experts with nation-state expertise defending critical infrastructure, CyberX provides the most widely-deployed platform for continuously reducing ICS and IIoT risk.
Our ICS-specific self-learning engines deliver immediate insights about assets, vulnerabilities, and threats — in less than an hour — without relying on rules or signatures, specialized skills, or prior knowledge of the environment.
CyberX is a member of the IBM Security App Exchange Community and the Palo Alto Networks Application Framework Community, and has partnered with other best-of-breed security suppliers including CyberArk for secure remote access. CyberX’s partners include premier solution providers and MSSPs worldwide including Optiv Security, DXC Technology, and Deutsche-Telekom/T-Systems.