Researchers set up a tempting honeypot to monitor how cyber criminals would exploit it. Then it came under attack.
Industrial control networks are being hit by a range of ransomware attacks, security researchers have warned, after an experiment revealed the speed at which hackers are uncovering vulnerabilities in critical infrastructure.
Security company Cybereason built a ‘honeypot’ designed to look like an electricity company with operations across Europe and North America. To entice potential attackers, the network was made to look authentic by including IT and operational technology environments, as well as human interface systems.
The infrastructure was built with security issues commonly found in critical infrastructure, including internet-facing remote desktop ports and medium-complexity passwords, along with some customary security controls, including network segmentation.
The honeypot went live earlier this year, and it took only three days for attackers to discover the network and find ways to compromise it, including a ransomware campaign that infiltrated chunks of the network and grabbed login credentials.
“Very early after launching the honeypot, the ransomware capability was placed on every compromised machine,” Israel Barak, chief information security officer at Cybereason, told ZDNet.
Hackers got ransomware onto the network by exploiting remote administration tools to gain access and cracking the administrator password to log in and remotely control the desktop.
From there, they created a backdoor into a compromised server and used additional PowerShell tools including Mimikatz, which enabled the attackers to steal login credentials, allowing lateral movement across the network and the ability to compromise even more machines. The attackers performed scans to find as many endpoints as possible to gain access to, harvesting credentials as they went.
Ultimately, this means that as well as deploying ransomware, malicious hackers also have the capability to steal usernames and passwords, which they could use as extra leverage by threatening to reveal sensitive data if a ransom isn’t paid.
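A defender's view of the initial access described above (internet-facing remote desktop plus a cracked administrator password), as an added example that is not from Cybereason's report: it flags a successful RDP logon from an external address that follows a burst of failed logons for the same account. The event records are constructed samples, and the record layout, thresholds and RFC 1918 internal ranges are assumptions; event IDs 4624/4625 and logon type 10 are the standard Windows Security log values.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security log: failed / successful logon
REMOTE_INTERACTIVE = 10        # logon type recorded for an RDP session
# Assumption: anything outside the RFC 1918 ranges counts as internet-facing.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: (time, event ID, source IP, account, logon type).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", FAILED, "203.0.113.7", "Administrator", 3),
    ("2024-01-01T10:00:20", FAILED, "203.0.113.7", "Administrator", 3),
    ("2024-01-01T10:00:40", FAILED, "203.0.113.7", "Administrator", 3),
    ("2024-01-01T10:01:00", FAILED, "203.0.113.7", "Administrator", 3),
    ("2024-01-01T10:01:20", FAILED, "203.0.113.7", "Administrator", 3),
    ("2024-01-01T10:01:40", FAILED, "203.0.113.7", "Administrator", 3),
    ("2024-01-01T10:02:00", SUCCESS, "203.0.113.7", "Administrator", REMOTE_INTERACTIVE),
    # One mistyped password from an external address: below the threshold.
    ("2024-01-01T11:00:00", FAILED, "198.51.100.20", "jsmith", 3),
    ("2024-01-01T11:00:30", SUCCESS, "198.51.100.20", "jsmith", REMOTE_INTERACTIVE),
    # Internal admin workstation: skipped by the external-source filter.
    ("2024-01-01T12:00:00", SUCCESS, "10.1.2.3", "Administrator", REMOTE_INTERACTIVE),
]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def find_guessed_logons(events, min_failures=5, window=timedelta(minutes=10)):
    """Return (ip, account, time, failures) for each external RDP logon that
    follows at least min_failures failed logons for that account and address."""
    failures = defaultdict(list)   # (ip, account) -> failure timestamps
    alerts = []
    for ts, event_id, ip, account, logon_type in sorted(events):
        if not is_external(ip):
            continue
        when, key = datetime.fromisoformat(ts), (ip, account.lower())
        if event_id == FAILED:     # counted regardless of logon type
            failures[key].append(when)
        elif event_id == SUCCESS and logon_type == REMOTE_INTERACTIVE:
            recent = [t for t in failures.pop(key, []) if when - t <= window]
            if len(recent) >= min_failures:
                alerts.append((ip, account, ts, len(recent)))
    return alerts

if __name__ == "__main__":
    for alert in find_guessed_logons(SAMPLE_EVENTS):
        print("ALERT external RDP logon after %d failed attempts:" % alert[3], alert[:3])
```

An alert of this kind marks the point at which the credential harvesting and lateral movement described above become possible, so it is worth routing to a high-priority queue rather than a daily report.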
“Only after the other stages of the attack were completed, the attack detonated the ransomware across all compromised endpoints simultaneously. This is a common trait to multi-stage ransomware campaigns, that is intended to amplify the impact of the attack on the victim,” said Barak.
Attackers from multiple different sources frequently uncovered the honeypot and many attempted other ransomware attacks, while other hackers were more interested in performing reconnaissance on the network, as was the case with a previous honeypot experiment.
While that might not sound as dangerous as ransomware, an attacker looking for ways to exploit the network of what they thought to be an electricity provider could have potentially dangerous consequences.
Nonetheless, it appears that ransomware has become one of the key methods by which attackers are attempting to exploit infrastructure they can easily compromise, with what the report describes as a “constant barrage” of attacks on the sector that is likely to become more intense.
Fortunately, the attackers targeting the honeypot couldn’t do any real damage, but the experiment demonstrates that networks supporting critical infrastructure need to be designed and operated with resiliency in mind so they can fend off unwanted intrusions, especially when it comes to segregating IT and operational technology networks.
Even relatively basic improvements like ensuring networks are protected by complex passwords that are hard to guess can help, while more complex security initiatives – like red team and blue team exercises – can help build up protection.