Cybereason, a leader in endpoint protection, today published findings from its newest honeypot that was created to analyze the tactics, techniques, and procedures used by hackers to target critical infrastructure providers.
This project has shown hackers have adopted multistage ransomware attacks as part of hacking operations against industrial control systems (ICS).
The honeypot IT and OT (operational technology) environment was built to look like a large electricity company with operations in North America and Europe. Cybereason successfully launched a similar honeypot two years ago looking at the same industry.
The report titled “Cybereason’s Newest Honeypot Shows How Multistage Ransomware Attacks Should Have Critical Infrastructure Providers on High Alert” is based on attacks to a network architecture masquerading as part of an electricity generation and transmission provider’s network, including an IT and OT environment and HMI (human machine interface) management systems. The environment employed customary security controls including segmentation between the different environments.
Once the honeypot went live, hackers compromised the network within three days by brute forcing the admin password, which had medium complexity. Attackers placed ransomware on every compromised machine early in the process but didn’t detonate it immediately. After the other stages of the attack were completed (including data theft, user password stealing and propagation across the network), the attacker detonated the ransomware across all compromised endpoints simultaneously. This is a common trait to multistage ransomware campaigns, that is intended to amplify the impact of the attack on the victim.
“Ransomware threats to critical infrastructure providers should be a top concern for security teams. In the ICS industry, we are seeing fewer strains of ransomware yet the existing strains rake in more gains. Hackers do this by better targeting and making more money from each target. We can expect to see an increase in multistage ransomware embedded into hacking operations in the foreseeable future,” said Israel Barak, Chief Information Security Officer, Cybereason.
Additional Honeypot Highlights:
“Attackers are succeeding in hacking operations against ICS operators by breaking in and debilitating the business and demanding huge ransoms. Because many organizations now purchase cyber insurance, we are seeing an increase in the number of ransoms being paid as opposed to patching the holes in the network that enabled the hackers to gain access in the first place. These brazen intrusions will continue until the cost of the insurance becomes comparable to the cost of fixing the problem,” added Barak.
Cybereason, creators of the leading Cyber Defense Platform, gives the advantage back to the defender through a completely new approach to cybersecurity. Cybereason offers endpoint prevention, detection and response and active monitoring. The solution delivers multi-layered endpoint prevention by leveraging signature and signatureless techniques to prevent known and unknown threats in conjunction with behavioral and deception techniques to prevent ransomware and fileless attacks. Cybereason is a privately held, international company, headquartered in Boston with customers in more than 30 countries.
Senior Director, Global Public Relations