Dragos Report on Cybersecurity Vulnerabilities In Manufacturing

Cybersecurity firm Dragos recently published a report on what it describes as the rising cybersecurity threat to manufacturing organizations.

The report discusses threat actors targeting industrial control systems (ICS) to pull off ransomware and IP-theft attacks,

Ransomware adversaries are adopting ICS-aware functionality with the ability to stop industrial related processes and cause disruptive – and potentially destructive – impacts. Dragos has not observed ICS-specific malware targeting manufacturing operations on the same scale or sophistication as that used in the disruptive TRISIS and CRASHOVERRIDE malware attacks that targeted energy operations in Saudi Arabia and Ukraine, respectively. However, known and ongoing threats to manufacturing can have direct and indirect impact to operations. This report provides a snapshot of the threat landscape as of October 2020 and is expected to change in the future as adversaries and their behaviors evolve.

. . .

The most common threat to manufacturing is ransomware. Dragos observed a significant rise in the number of non-public and public ransomware events that have affected ICS environments and operations over the last two years.

This year, Dragos identified multiple ransomware strains adopting ICS-aware functionality, including the ability to “kill” (i.e., stop) industrial processes if identified in the environment, with activity dating back to 2019. EKANS, Megacortex, and Clop are just a few ransomware strains that contain this type of code. Past concerns with ransomware in ICS focused on propagation. IT-focused ransomware could impact control system environments if it is able to migrate into Windows-based portions of control system networks and disrupt operations.

In 2020, the number of publicly reported ransomware attacks on manufacturing entities has more than tripled compared to 2019, based on data tracked by Dragos. Although most ransomware strains impacting ICS and related entities are IT focused, ransomware can have indirect impacts on operations and process control networks by impacting resources such as logistics, fleet management, sales operations and fulfillment, or loss of view to enterprise resource management tools. For example, enterprise technologies like Enterprise Resource Planning (ERP) software are integrated with data historians containing process data to distribute information across a company. By encrypting ERP and related files on a workstation, a ransomware adversary could stop vital communication and record keeping, indirectly impacting manufacturing process and logistics operations.

The report includes recommendations for manufacturers to implement mitigation strategies, including a critical examination of network assets to understand and harden potential weaknesses, mandating multi-factor authentication wherever possible, ensuring network segmentation wherever possible, etc.

ID Ransomware

ID Ransomware is a service where you upload a ransom note and/or sample file encrypted by ransomware, and the ID Ransomware service tries to pinpoint exactly which ransomware you’ve been hit with.

This service is strictly for identifying what ransomware may have encrypted your files. It will attempt to point you in the right direction, and let you know if there is a known way of decrypting your files. 

Currently ID Ransomware can identify 750 known strains of ransomware.

Pennsylvania Democrats Hit By Ransomware Attack

NBC News reports that Pennsylvania State Senate Democrats have been locked out of their computer network by a ransomware attack,

The Pennsylvania Senate Democrats have been hit by a ransomware attack that has locked senators and employees out of their computer network since the early morning hours of Friday, state officials told NBC News.

In a statement, Sen. Jay Costa, the Democratic leader, said the Democrats were working with law enforcement agencies and Microsoft to resolve the problem. He did not say what payment has been demanded to unlock the data, or whether the attackers had suggested any political motive.

. . .

The Democratic senators in the state capital of Harrisburg are on their own computer network and there is no indication that other state agencies of the Republicans have been affected, said a state official who declined to be identified. The official said the Democrats had no idea whether they were targeted for any specific reason.