Operations at U.S. Natural Gas Facilities Disrupted by Ransomware Attack

A ransomware infection at a natural gas compression facility in the United States resulted in a two-day operational shutdown of an entire pipeline asset, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) revealed on Tuesday.

The targeted organization has not been named and it’s unclear exactly when the incident occurred. According to CISA, the cyberattack affected control and communication assets on the victim’s operational technology (OT) network.

A compression facility helps transport natural gas from one location to another through a pipeline. Natural gas needs to be highly pressurized during transportation, and compression facilities along the pipeline help ensure that it remains pressurized.

The agency said the attackers used spear-phishing to gain initial access to the facility’s IT network, after which they managed to make their way to the OT network. The hackers then deployed commodity ransomware that encrypted files on Windows machines on both the IT and OT networks.

This led to a disruption of human-machine interfaces (HMIs), data historians, and polling servers, which were no longer able to process data from low-level industrial control systems (ICS). Human operators could no longer monitor processes, but CISA said the attack did not affect programmable logic controllers (PLCs) and the targeted organization never lost control of operations.

Nevertheless, the victim decided to respond to the attack by shutting down operations. While the ransomware only directly affected one facility, other compression facilities were also forced to suspend operations due to pipeline transmission dependencies. CISA said the incident resulted in an operational shutdown of the entire pipeline asset for roughly two days.

“The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process,” the agency said in its alert.

According to CISA, the victim had an emergency response plan in place, but it focused on physical safety and it did not specifically cover cyberattacks.

“Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks,” CISA said. “The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”

The agency published an alert to warn gas and other critical infrastructure operators about the risk of cyberattacks, and provide recommendations for mitigating the threat.

Source: Operations at U.S. Natural Gas Facilities Disrupted by Ransomware Attack

New Ransomware Process Leverages Native Windows Features

A new methodology for instigating ransomware makes use of Windows’ own Encrypting File System (EFS). EFS has been a part of Windows since Windows 2000. Unlike Windows’ BitLocker — which is a full disk encryption feature — EFS can selectively encrypt individual files or folders. It does this transparently to the user, using a key that is partly stored in an accessible file, and partly computed from the user’s account password. Once set up, the user does not need to provide a password for EFS to work.

A potential ransomware process using EFS was discovered by researchers at SafeBreach. This approach entirely uses Windows features — and can consequently be defined as a form of ‘living off the land’ — although the primary difference with traditional ransomware is that this process uses different Windows features that are less likely to be monitored. Eight steps are required for attackers to use EFS ransomware.

Firstly, the ransomware will generate the key to be used by EFS, using AdvApi32!CryptGenKey. It then generates a certificate using Crypt32!CertCreateSelfSignCertificate, and adds it to the certificate store. It sets the current EFS key to this store, and then invokes AdvApi32!EncryptFile on every file to be encrypted.

The ransomware saves the key file (whose name was recorded when the key was generated) to memory, and deletes it from the two folders %APPDATA%\Microsoft\Crypto\RSA\sid (where sid is the user SID) and %ProgramData%\Microsoft\Crypto\RSA\MachineKeys.

The attacker then flushes the EFS data from memory leaving the files unreadable to either the user or the operating system; and wipes the slack parts of the disk to ensure that no temporary files can be salvaged. Finally, the ransomware can encrypt the key file data, and send the decryption key to the attacker. If asymmetric encryption is used for this, the only way to decrypt the files will be through use of the attacker’s private key.

“The EFS ransomware was tested with Windows 10 64-bit versions 1803, 1809 and 1903, but should also work on Windows 32-bit operating systems, and on earlier versions of Windows (probably Windows 8.x, Windows 7 and Windows Vista),” state the researchers.

They tested the methodology against ESET Internet Security, Kaspersky Anti Ransomware Tool for Business, and MS Windows 10 Controlled Folder Access on Windows 10 64-bit version 1809 (Build 17763). None of these solutions would detect this form of ransomware; however, it should be stressed that this is not a flaw in any security product, nor even a vulnerability in Windows (the Windows code works exactly as it was intended to). It is possibly best described as a potential adversarial manipulation of designed logic — or a form of living off the land.

The researchers sent their findings to 17 of the major vendors of Windows endpoint protection, anti-malware and anti-ransomware. The majority, ten of the 17, accepted the issue and have developed workarounds for their products. A few did not accept the argument. Avira, for example, replied, “We believe that this potential bypass which is dependent upon a customized use scenario is not a realistic ‘failure point’.”

Microsoft replied, “We assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows (https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria…).”

One vendor — Panda — said that its own protection methodology would or could block the approach. “Only processes classified as goodware at our Panda detection cloud can modify the included/protected files,” it said.

Only one of the vendors, F-Secure, said ‘thank you, we already detect this’. Anthony Joe Melgarejo, service owner in F-Secure’s tactical defense unit, gave SecurityWeek further details. “In July 2019,” he said, “we were contacted by a researcher at SafeBreach regarding a potential security bypass technique in multiple anti-ransomware vendors’ products. SafeBreach had not specifically tested against F-Secure SAFE, but had found that the ‘vast majority’ of competing products it had tested were vulnerable.”

When F-Secure tested the technique, it found that its product already detected and blocked it (detection name Trojan.TR/Ransom.Gen) through its backend AI and heuristic file analysis. However, his colleague, principal security consultant Antti Tuomi, pointed to the importance of SafeBreach’s research. “By using tools that exist on the target, such as the Windows EFS in this case, you are more likely to avoid the logistics and potential compatibility issues of bringing in your tooling without getting caught. Seeing the same concept used by more manual attackers be successfully used in more automated malware is an interesting (although not completely unexpected) development. On the defensive side,” he continued, “and from an incident response/detection tooling point-of-view, this underlines the need for detecting not just potentially malicious software and tools, but malicious behavior regardless of what tools are used.”

The threat from EFS ransomware is greater for individual users than for corporations. “Machines that are joined to a domain,” Amit Klein, VP security research at SafeBreach, told SecurityWeek, “have the EFS key automatically backed up to the domain controller, and the domain controller could restore the key without reference to the attacker.”

There is also a relatively simple workaround for individual users. If EFS is not required, explain the researchers, “A user with administrator rights for a Windows machine can turn off EFS by setting the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration to 0. Group Policy can be used for enterprise-wide disabling of EFS.”

The Windows OS developers, as opposed to the anti-ransomware app developers, could solve the problem entirely by adding a new feature to stand-alone Windows. It would simply require the EFS keys to be backed up safely — similar to backing up to the domain controller — in a place or manner that is inaccessible to the ransomware attacker.

In the meantime, individual users should check with their anti-ransomware vendor that their product will detect this type of EFS attack, and use the registry solution if it does not.
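The script below is an added audit example, not code from SafeBreach, SecurityWeek or any vendor named here: run on a stand-alone Windows host, it reports the EfsConfiguration value, lists files carrying the Encrypted attribute (the result of AdvApi32!EncryptFile), and checks whether each EFS certificate in the user's store still has its private-key container file under %APPDATA%\Microsoft\Crypto\RSA, which the process described above deletes. The default scan folder is an assumption; note that Microsoft's own documentation for this value (KB 222022) writes 1 to disable EFS, and that is what the optional switch sets.

```powershell
# Added example (not SafeBreach's or SecurityWeek's code): audit a Windows host for the
# EFS artifacts the article describes and optionally apply the EfsConfiguration workaround.
# Assumptions: Windows PowerShell 5.1 or later; an elevated session for -DisableEfs;
# $ScanRoot is any folder you choose (the default below is a constructed example).
param(
    [string]$ScanRoot = "$env:USERPROFILE\Documents",
    [switch]$DisableEfs
)

$efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
$efsEku = '1.3.6.1.4.1.311.10.3.4'   # enhanced key usage OID for Encrypting File System certificates

# 1. Policy state. Per Microsoft's documentation (KB 222022) EfsConfiguration = 1 disables EFS;
#    0 or an absent value leaves it enabled.
$cfg = (Get-ItemProperty -Path $efsKey -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
if ($null -eq $cfg) { Write-Host 'EfsConfiguration: absent (EFS enabled)' }
else                { Write-Host "EfsConfiguration: $cfg" }

# 2. Files carrying the Encrypted attribute, i.e. the result of AdvApi32!EncryptFile.
#    A sudden burst of these under user data folders is the footprint of the process above.
$encrypted = @(Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted })
Write-Host "$($encrypted.Count) EFS-encrypted file(s) under $ScanRoot"
$encrypted | Sort-Object LastWriteTime -Descending |
    Select-Object -First 10 FullName, LastWriteTime | Format-Table -AutoSize

# 3. EFS certificates in the user's personal store, and whether the private-key container
#    file each one points at still exists under %APPDATA%\Microsoft\Crypto\RSA\<sid>.
#    A self-signed EFS certificate whose key file is gone matches the deletion step above.
$keyRoot = Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'
foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsEku })) { continue }
    $container = $null
    # CspKeyContainerInfo exists only for CSP (RSA) keys; CNG keys leave $container empty.
    try { $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { }
    $keyFileFound = $false
    if ($container) {
        $keyFileFound = [bool](Get-ChildItem -Path $keyRoot -Recurse -Filter $container -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        NotBefore    = $cert.NotBefore
        KeyContainer = $container
        KeyFileFound = $keyFileFound
    } | Format-List
}

# 4. Optional workaround from the article: turn EFS off through the registry (reboot to apply).
if ($DisableEfs) {
    Set-ItemProperty -Path $efsKey -Name EfsConfiguration -Value 1 -Type DWord
    Write-Host 'EfsConfiguration set to 1 (EFS disabled); restart the machine for it to take effect.'
}
```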

Silicon Valley-based SafeBreach was founded in 2014 by Guy Bejerano and Itzik Kotler. It offers a breach and attack simulation platform. It raised $15 million in a Series B funding round in May 2018, bringing the total raised to $34 million.

Source: New Ransomware Process Leverages Native Windows Features

Large Hospital System Hit by Ransomware Attack

New Jersey’s largest hospital system said Friday that a ransomware attack last week disrupted its computer network and that it paid a ransom to stop it.

Hackensack Meridian Health did not say in its statement how much it paid to regain control over its systems but said it holds insurance coverage for such emergencies.

The attack forced hospitals to reschedule nonemergency surgeries and doctors and nurses to deliver care without access to electronic records.

The system said it was advised by experts not to disclose until Friday that it had been the victim of a ransomware attack. It said that its network’s primary clinical systems had returned to being operational, and that information technology specialists were working to bring all of its applications back online.

Hackensack Meridian said it had no indication that any patient information was subject to unauthorized access or disclosure.

It quickly notified the FBI and other authorities and spoke with cybersecurity and forensic experts, it said.

Hackensack Meridian operates 17 acute care and specialty hospitals, nursing homes, outpatient centers, and the psychiatric facility Carrier Clinic.

Source: Large Hospital System Hit by Ransomware Attack

Cyberattack, Ransomware Hobbles New Orleans City Government

Ransomware was detected after a suspected cyberattack prompted a shutdown of city government computers in New Orleans on Friday, officials said.

The city had not received any ransom demands as of Friday afternoon, however, Mayor LaToya Cantrell said at a news conference. City officials said the shutdown was done out of “an abundance of caution.”

Cantrell said city employees were ordered to shut down computers around 11 a.m. — an order that rang out through the speakers of a public address system in City Hall. City officials said suspicious activity was noticed as early as 5 a.m. They didn’t go into detail but said the activity included “phishing” emails designed to obtain passwords.

As of Friday afternoon, there was no indication that any city employee had provided passwords or other information that might have inadvertently led to a breach, said City IT director Kim LaGrue.

Officials said they couldn’t say when computers would be back online or whether any important files were compromised. They stressed that city financial records are backed up through a cloud-based system, and said all city emergency services were operating with telephones and radios.

State officials are investigating along with the FBI and Secret Service, Cantrell said.

The hurricane-vulnerable city is prepared for the loss of internet, said the city’s homeland security director, Collin Arnold.

“We will go back to marker boards. We will go back to paper,” he said.

The governor’s office said in an email that the Louisiana National Guard and state police were helping the city gauge the effects of the suspected attack, the second in a matter of days. Last week, a suspected cyberattack was reported in the city of Pensacola, Florida. City officials there confirmed Friday that hackers had tried to extort the city for money, but they have not said whether they planned to pay.

Last month, the Louisiana Office of Motor Vehicle operations was hobbled by a cyberattack.

Source: Cyberattack, Ransomware Hobbles New Orleans City Government

New Technique Allows Ransomware to Operate Undetected

A recently discovered technique allows ransomware to encrypt files on Windows-based systems without being detected by existing anti-ransomware products, Nyotron security researchers warn.

Dubbed RIPlace, the technique allows malware to bypass defenses using the legacy file system “rename” operation, and the security researchers say it is effective even against systems that are patched in a timely manner and run modern antivirus solutions.

RIPlace, the researchers say, can be used to alter files on any computers running Windows XP or newer versions of Microsoft’s operating system.

In a detailed report covering the findings (PDF), the researchers note that most ransomware operates by opening and reading the original file, encrypting its content in memory, and then destroying the original in one of three ways: writing the encrypted content back to it, saving the encrypted file and then erasing the original, or saving the encrypted file and then using Rename to replace the original.

When a Rename request is called (IRP_MJ_SET_INFORMATION with FileInformationClass set to FileRenameInformation), the filter driver gets a callback.

What the researchers discovered was that, if DefineDosDevice (a legacy function that creates a symlink) is called before Rename, one could pass an arbitrary name as the device name, along with the original file path as the target it points at.

The issue, they explain, is that the filter driver’s callback function “fails to parse the destination path when using the common routine FltGetDestinationFileNameInformation.” Although an error is returned when passing a DosDevice path, the Rename call succeeds.

“Using this technique, it is possible to maliciously encrypt files and bypass antivirus/anti-ransomware products that do not properly handle IRP_MJ_SET_INFORMATION callback. We believe that malicious actors may abuse this technique in order to bypass security products that rely on FltGetDestinationFileNameInformation routine as well as avoid any recording of such activity by EDR products,” the researchers explain.

The researchers discovered the technique in spring 2019 and have been in contact with Microsoft, security vendors, and law enforcement and regulatory authorities. Unfortunately, they say only a handful of security vendors have acknowledged a fix, despite dozens being impacted.

Nyotron published two videos demonstrating how RIPlace can bypass Symantec Endpoint Protection (SEP) and Microsoft Defender Antivirus (Defender AV), and also released a free tool that allows anyone to test their system and security products against the RIPlace evasion technique.

Ionut Arghire is an international correspondent for SecurityWeek.

Source: New Technique Allows Ransomware to Operate Undetected

DopplePaymer Ransomware Spreads via Compromised Credentials: Microsoft

The DopplePaymer ransomware spreads via existing Domain Admin credentials, not exploits targeting the BlueKeep vulnerability, Microsoft says.

The malware, which security researchers believe to have been involved in the recent attack on Mexican state-owned oil company Petróleos Mexicanos (Pemex), has been making the rounds since June 2019, with some earlier samples dated as far back as April 2019.

Initially detailed in July this year, DopplePaymer is said to be a forked version of BitPaymer, likely the work of some members of the TA505 threat group (the hackers behind Dridex and Locky) who decided to leave the cybercrime gang and start their own illegal operation.

In a new blog post, Dan West and Mary Jensen, both senior security program managers at Microsoft’s Security Response Center, explain that while DopplePaymer represents a real threat to organizations, information on its spreading method is misleading.

Specifically, the tech company says that information regarding DopplePaymer spreading across internal networks via Microsoft Teams and the Remote Desktop Protocol (RDP) vulnerability BlueKeep is incorrect.

“Our security research teams have investigated and found no evidence to support these claims. In our investigations we found that the malware relies on remote human operators using existing Domain Admin credentials to spread across an enterprise network,” Microsoft’s researchers explain.

The company recommends that security administrators enforce good credential hygiene, apply the principle of least privilege, and implement network segmentation to keep their environments protected.

These best practices, Microsoft notes, can help prevent not only DopplePaymer attacks, but also other malware from compromising networks, disabling security tools, and leveraging privileged credentials to steal or destroy data.

Microsoft, which has already included protection from DopplePaymer and other malware in Windows Defender, says it will continue to enhance protections as new emerging threats are identified.

“Globally, ransomware continues to be one of the most popular revenue channels for cybercriminals as part of a post-compromise attack,” Microsoft warns.

Attackers, the company says, typically use social engineering to compromise enterprises. The practice involves tricking an employee into visiting a malicious site or opening downloaded or emailed documents that drop malware onto their computers.

Ionut Arghire is an international correspondent for SecurityWeek.

Source: DopplePaymer Ransomware Spreads via Compromised Credentials: Microsoft