(SecurityWeek – Eduard Kovacs) – An unusually high volume of malicious internal reconnaissance and lateral movement have been observed in the manufacturing industry, which experts believe is a result of the rapid convergence between IT and OT networks.
The data comes from the 2018 Spotlight Report on Manufacturing released on Wednesday by threat detection company Vectra. The report is based on observations from another report released on Wednesday by the company, the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which shows attacker behavior and trends across nine industries.
The Attacker Behavior Industry Report shows that Vectra has detected a significant number of threats in manufacturing companies. This industry has generated the third highest number of detections, after the education and energy sectors.
The cybersecurity firm has focused on botnets, command and control (C&C) traffic, data exfiltration, reconnaissance and lateral movement.
In the case of manufacturing organizations, it discovered a significant volume of malicious internal behavior, which suggests that adversaries are already inside the network. For example, Vectra noted that in many instances there was twice as much lateral movement as C&C traffic.
“These behaviors reflect the ease and speed with which attacks can proliferate inside manufacturing networks due to the large volume of unsecured IIoT devices and insufficient internal access controls,” Vectra said in its report. “Most manufacturers do not invest heavily in security access controls for business reasons. These controls can interrupt and isolate manufacturing systems that are critical for lean production lines and digital supply chain processes.”
Register for SecurityWeek’s 2018 ICS Cyber Security Conference
Many factories connect their industrial internet of things (IIoT) systems to regular computers and enterprise applications for data telemetry and remote management purposes. The use of widely used protocols instead of proprietary protocols makes it easier for malicious actors to infiltrate networks, spy on the targeted organization, and steal data, Vectra said.
According to the company, a recently observed spike in internal reconnaissance in the manufacturing sector was the result of internal darknet scans and SMB account scans. Internal darknet scans are when a device on the network looks for internal IP addresses that do not exist, while SMB account scans occur when a host quickly uses multiple accounts via the SMB protocol.
“Manufacturing networks consist of many gateways that communicate with smart devices and machines. These gateways are connected to each other in a mesh topology to simplify peer-to-peer communication. Cyberattackers leverage the same self-discovery used by peer-to-peer devices to map a manufacturing network in search of critical assets to steal or damage,” Vectra said.
As for lateral movement, the company has seen a wide range of activities, but the most common are SMB brute-force attacks, suspicious Kerberos clients, and automated replication, which occurs when an internal host sends similar payloads to multiple systems on the network.
“IIoT systems make it easy for attackers to move laterally across a manufacturing network, jumping across non-critical and critical subsystems, until they find a way to complete their exploitative missions,” the firm explained.
Reconnaissance, Lateral Movement Rise in Manufacturing Firms
(SecurityWeek - Eduard Kovacs) - An unusually high volume of malicious internal reconnaissance and lateral movement have been observed in the manufacturing industry, which experts believe is a result of the rapid convergence between IT and OT networks. The data comes from the 2018 Spotlight Report on Manufacturing released on Wednesday by threat detection company Vectra. The report is based on observations from another report released on Wednesday by the company, the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which shows
ICS Honeypot Highlights Danger to Critical Systems From Criminal Hackers
(SecurityWeek - Kevin Townsend) - Security firm Cybereason established a sophisticated honeypot masquerading as a power transmission substation for a major electricity provider. The purpose was to attract attackers and analyze how they operate against the energy sector of the critical infrastructure. Within two days of going live on June 17, the honeypot developed and operated by Cybereason was found, prepped by a black-market reseller, and sold on in the dark web underworld. xDedic RDP Patch was found in the environment.
Conference Speakers: The Importance of Knowing Your Audience
(SecurityWeek - Joshua Goldfarb) - If you’re like me, you’ve likely sat through some pretty painful conference talks, meetings, industry sessions, or other gatherings over the course of your career. In my experience, these events can generally be broken up into three categories: Those that are good. Those that are so-so. Those that are painful. While it’s unrealistic to expect every event to be a good one, I don’t think it’s unrealistic to expect them not to be painful. This begs the