The Hacker’s View
We often see companies posting fun pictures of everyone in the office in their favorite Halloween costume, but in doing so are you jeopardizing security? While reading the recently issued Technical Alert (TA17-293A), "Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors," one detail jumped out. Amid all the technical detail, threat analysis, detective and preventive measures, and best practices, there was the revelation that a seemingly innocent picture on a target's website was downloaded and enlarged to reveal control system equipment models and status information in the background. It is no surprise that hackers gathered information from a target's website. Information security professionals should routinely review their organization's websites and social media from the viewpoint of the attacker and remove any information that may aid an attacker.
In the midst of National Cyber Security Awareness Month, a rare security alert was issued outlining Advanced Persistent Threat activity targeting critical infrastructure sectors. Generally, attacks on the energy sector have diverse results ranging from reconnaissance to disruption of energy systems; however, perpetrators often attack other sectors including financial institutions with similar campaigns. So, before we carve our pumpkins, turn into zombies, and extort candy from our neighbors, we should make sure we are aware of what cyber threats lie ahead.
The United States Computer Emergency Readiness Team (US-CERT) issued the fifteen (15) page joint Technical Alert (TA17-293A) on October 20, 2017. Using analysis from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), the public alert offers alarming details of ongoing activity targeting government entities and the critical sectors of energy, water, aviation, nuclear power, and manufacturing. Based on analysis and observation, these advanced persistent threat actions appear to be an ongoing, long-term campaign.
Targeted networks have been in attackers’ sights since May 2017, and in some cases, victims’ networks have been compromised. Analysis has identified two distinct groups of targets: Staging and Intended. Trusted third-party vendors with less secure networks are used as initial staging targets. Once compromised, these networks are used as pivot points and malware repositories for attacking the intended targets. Analysis of these multi-stage attacks has identified the following tactics, techniques, and procedures utilized to compromise targeted networks:
- open-source reconnaissance
- spear-phishing emails from compromised legitimate accounts
- watering-hole domains
- host-based exploitation
- industrial control system (ICS) infrastructure targeting
- ongoing credential gathering
The alert contains indicators of compromise and technical details to educate network security professionals and enable organizations to identify and reduce risk exposure to malicious activity. The indicators of compromise contained in this alert include a list of file names, MD5 hashes, web shells, URLs, IP addresses, PCAP repositories, and much more regarding the malware used in these attacks. Security professionals who identify the use of tools or techniques outlined in the alert are encouraged to report to DHS or law enforcement immediately.
In total, the alert offers approximately fifteen (15) detection and prevention measures and twenty-eight (28) general best practices applicable to this attack campaign. As a best practice, management is encouraged to develop a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis, and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.
How SBS Can Help
SBS has partnered with KnowBe4, the world's most popular integrated Security Awareness Training and Simulated Phishing platform. Through this partnership, your organization now has access to the tools needed to help manage and provide training around the urgent IT security problems posed by social engineering, spear-phishing, and ransomware. SBS will assist in setting up a security awareness program for your organization using the KnowBe4 phishing tool and online training modules to raise awareness and mitigate risk around the hacker's top weapon of choice: phishing emails.
Additionally, SBS’ Network Security Team performs hundreds of network security assessments for organizations of all shapes and sizes across the US on a regular basis. If you are interested in ensuring your network is not vulnerable internally or externally, our team of skilled hackers can help you strengthen your cybersecurity posture to help prevent attacks from gaining access to your network and your customer information.
Written by: Shane Daniel
Senior Information Security Consultant
Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.