A decoy set up by the cybersecurity company Cybereason, simulating the equipment constituting the information system of a site belonging to an electricity company, has made it possible to identify a new trend in cyberattacks on critical infrastructures: ransomware attacks are becoming more complex.
Ransomware targeting industry is becoming more complex. This is the alarming observation that emerges from a study made public on June 11 by Cybereason, an American specialist in the detection of and response to cyberattacks targeting endpoints.
For several months, Cybereason research teams operated a honeypot: a simulation of the entire office (IT) and industrial (OT) information system of an electrical substation belonging to an electricity company operating in North America and the UK. The goal of this decoy, which is based “partly on virtual machines but also on some real equipment, all interconnected and connected to the internet”, specifies Israel Barak, Head of Security at Cybereason, is to attract potential cyber-attackers in order to analyze their strategies and hence current trends in the field.
The most classic attack in 4 steps
Thanks to this experiment, which the firm repeats every two years or so, Cybereason researchers have observed an increase in the complexity of attacks compared to 2018. The most classic ransomware attack process is deployed in four steps, as follows:
- Phase 1: Initial compromise through the Remote Desktop Protocol (RDP) administration interface: after obtaining the user account password via a brute-force attack, the attackers download and run a Windows PowerShell script to create a backdoor.
- Phase 2: Downloading new tools through the compromised server using PowerShell, such as Mimikatz, a freely available tool widely used by hackers to steal user credentials. This information is then used to attempt to move laterally to the domain controllers, the backbone of the operation. “The lateral movement attempt failed in the honeypot environment because none of the stolen user accounts were allowed to access the domain controller”, indicates Cybereason.
- Phase 3: Lateral movement of the malware across the network, using a network scanner to discover other endpoints.
- Phase 4: Triggering the ransomware once the preliminary operations are complete, so as to compromise as many endpoints as possible and maximize the impact of the attack.
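A defender can watch for the Phase 1 sequence as a correlation rather than as isolated events. The sketch below is an added example, not code from the Cybereason study: the event records are constructed, the field names and thresholds are assumptions, and only the Windows Security event IDs (4625, 4624, 4688) are standard.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the Cybereason study). Fields mirror
# Windows Security log IDs: 4625 failed logon, 4624 successful logon
# (logon_type 10 = RemoteInteractive/RDP), 4688 process creation.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    *({"ts": f"2020-06-01T02:00:{s:02d}", "id": 4625, "host": "HMI-01",
       "user": "operator", "src": "203.0.113.7"} for s in range(0, 40, 2)),
    {"ts": "2020-06-01T02:00:41", "id": 4624, "host": "HMI-01",
     "user": "operator", "src": "203.0.113.7", "logon_type": 10},
    {"ts": "2020-06-01T02:03:10", "id": 4688, "host": "HMI-01",
     "user": "operator", "image": PS},
    # Benign contrast: one mistyped password, then a normal admin session.
    {"ts": "2020-06-01T08:00:00", "id": 4625, "host": "ENG-02",
     "user": "admin", "src": "10.0.0.5"},
    {"ts": "2020-06-01T08:00:09", "id": 4624, "host": "ENG-02",
     "user": "admin", "src": "10.0.0.5", "logon_type": 10},
    {"ts": "2020-06-01T08:01:00", "id": 4688, "host": "ENG-02",
     "user": "admin", "image": PS},
]

def detect_phase1(events, min_failures=10, fail_window=timedelta(minutes=10),
                  post_window=timedelta(minutes=15)):
    """Flag (host, user, src) where a burst of failed logons is followed by an
    RDP success from the same source and then PowerShell run by that account."""
    failures = defaultdict(list)   # (host, src) -> failure timestamps
    sessions = {}                  # (host, user) -> (success time, src)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4625:
            failures[(ev["host"], ev["src"])].append(ts)
        elif ev["id"] == 4624 and ev.get("logon_type") == 10:
            recent = [t for t in failures[(ev["host"], ev["src"])]
                      if ts - t <= fail_window]
            if len(recent) >= min_failures:   # success right after a burst
                sessions[(ev["host"], ev["user"])] = (ts, ev["src"])
        elif ev["id"] == 4688 and ev["image"].lower().endswith("powershell.exe"):
            hit = sessions.get((ev["host"], ev["user"]))
            if hit and ts - hit[0] <= post_window:
                alerts.append((ev["host"], ev["user"], hit[1]))
    return alerts
```

Failures are counted regardless of logon type, since failed RDP attempts are not always recorded as type 10. Because attackers pause between stages, as the study notes, the post-logon window is the parameter most worth tuning.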
“Even modest hacker groups are resorting to increasingly sophisticated attacks”
“Today, cyber attackers tend to take their time to move from one stage to another, in order to remain as discreet as possible but also to save time to steal all the data in all corners of the targeted network”, says Israel Barak. “This is why you need to let the honeypot run for at least a few months, if not a whole year.”
Combined, the complexity of intrusion techniques and the discretion of cyber-attackers make attacks particularly difficult to detect. All the more so since this modus operandi is not only the work of sophisticated malicious groups linked to a nation-state, known as APTs (“Advanced Persistent Threats”). “Despite the complexity of the attacks we identified, the tools used were relatively easy to access. Nothing that was used had been developed specifically to break into the target’s network. We can therefore think that the attackers were not APT groups but that, quite simply, even the most modest hacker groups resort to more and more sophisticated attacks.”
Integrate IT-OT convergence into cyber defense strategies
For this security specialist, this study shows that manufacturers must completely abandon the idea that they will be able to prevent intrusions on their network. “We must assume that we can be attacked and act accordingly”, he insists. He names three priorities: segmenting the network, multiplying the authentication points and, above all, preparing to respond quickly as soon as an attack is identified, in particular by increasing redundancy (system backups, data backups, etc.).
“It is also necessary to ensure that the cyber response center (security operations center, or SOC) is able to detect anomalies and react for both the IT network and the OT. IT-OT convergence is a trend for systems administration and attackers have understood it well.”