Secure With Celerity Episode 7
DAVID TAYLOR [00:00:26] Hello and welcome to Secure With Celerity, the show where we digest the week’s top cyber security news stories. My name is David Taylor and I’m your host today. I’m joined, as ever, by Celerity’s cyber security duo, Steve Laidler and Josh Read. Hey, guys. Not too bad. So, yeah, a bit of a big week with some big stories. So let’s just launch straight into it. First one, as most people have probably seen, Honda was hit by a ransomware attack, the EKANS ransomware attack. And I believe there was another South American energy provider that was also hit, that provides energy to the city of Buenos Aires. So quite a deep one. Josh, do you want to kick us off?
JOSHUA READ [00:01:07] Yeah. So Tuesday this week Honda shut down production, obviously due to the EKANS ransomware. Its vehicle plants in Turkey and motorcycle plants in India and Brazil were back up and running by Wednesday. So although, from the outset, to an outsider who hasn’t got experience in production and factory floor systems and management it doesn’t really seem impactful, I can guarantee you that it would have been an absolute nightmare for that factory to get back up and running after having an emergency shutdown for 24 hours due to the ransomware. No mention was made of data being affected in the ransomware attack, thankfully. But, you know, not long after the announcement from Honda, the security researcher Milkream took to Twitter and provided the VirusTotal samples and analysis of the malware, the ransomware supposedly being of the EKANS variant. Now, another similar attack was also disclosed on Twitter by EDSA, one of the companies belonging to Enel Argentina, which operates its business in the energy sector and manages energy distribution for the city of Buenos Aires. So both very high profile attacks. Some big, big wins in terms of the cyber security attackers. And two very high profile and almost dependable companies hit with ransomware. The interesting thing about this EKANS variant is when it was initially announced back in January, February time, when it was first found and analysed, groups like Telus were able to identify that it was a ransomware designed for OT environments, operational technology. It’s a worrying sign, as it has been over the past few years. Ransomware has been a very…
STEVE LAIDLER [00:03:29] Lucrative.
JOSHUA READ [00:03:30] Yeah, it’s been a lucrative area for cyber attack. Obviously, if you can lock down systems; but then as time’s gone on, the I.T. sector has caught back up with regular backups, isolated networks, and those types of infrastructural security measures that just counter ransomware. But now essentially they’re going after the crown jewels of these organisations, and if you have the ability to hit the factory floor network, which should be isolated and should have security measures around its perimeter, then you’re bringing down the whole organisation, essentially. To Honda, the factory floor is what makes them money, and that’s their biggest importance. You know, the I.T. systems can be replaced. The data on them can be backed up and retrieved from a back-up. But, you know, if they’ve had 24 hours where they’ve not been able to produce cars, and especially in this environment as well with what’s happening with Coronavirus, it is incredibly impactful. Oh, yeah. Well, relatively straightforward ransomware, simple in terms of its encryption ability.
STEVE LAIDLER [00:04:48] It was targeted specifically at specific domains within Honda as well, wasn’t it? So it was targeting specific OT systems. And I suppose the other thing as well, with a lot of it, is when a plant shuts down, especially for something like a car manufacturer. You know, they operate on a just-in-time basis. Parts coming into the organisation are specifically targeted for the building of specific cars, you know, that are being controlled by the computer systems. If that line shuts down, you know, you’re gonna have parts arriving at the plant and being held on site at the plant. That then causes, you know, a kind of a space premium. They’ve got to be held on site, and also potentially things like insurance premiums as well, because you’ve got to make sure that if anything happens to those parts, you’re covered. Which is why manufacturing organisations typically, you know, operate that way. They don’t want large volumes of stock and pieces of equipment that are going to be, you know, tying money up in something, held for long periods of time. They just want it rolling up to the plant as and when it’s needed. And also, you know, you don’t want to stop the line, because effectively that’s your cash flow: building cars, getting them out the door and getting them moved to wherever. You know, like you say, COVID-19 has probably had a bit of an impact on the movement of manufactured goods, and on top of that, you know, plants that are coming back on stream now are then suffering some sort of cyber attack. You know, it’s slowing things down even further and impacting financially the sort of operation of those businesses as well. Yeah, certainly it’s not a good one.
DAVID TAYLOR [00:06:41] Would the manufacturers be worried about this type of ransomware attack, the fact that it was so targeted?
STEVE LAIDLER [00:06:46] Right. And, you know, I think they already are. You know, we’ve seen the impact of things like WannaCry and that kind of stuff in the past. So I think the fact that Honda, you know, have got this seemingly under control, back up and running, you know, so quickly, they’ve had a good response and a good plan in place to mitigate it. So, you know, taking the risk out of it a bit, but then obviously investigating how it got into the organisation in the first place, whether it was through one mechanism or another.
JOSHUA READ [00:07:20] Well, interestingly enough, when Milkream put out the tweet, the security researcher who provided the variant of malware, the analysis of what he suspected to be the malware after scouring through VirusTotal, there was a tweet back to him in the replies, and it was another security researcher that was linking to RDP portals that were available on the World Wide Web, which essentially, you know, I mean, hasn’t been tied to the attack, but, you know, if there was an RDP web portal available to attackers, then, you know, that could possibly be the entry point and the attack vector which they chose. And, you know, that’s yet to be confirmed. But, you know, it seems very suspicious that whilst this attack happened, there were also people that were able to find this publicly available RDP portal. Yeah, I think more worrying in this, though, is how it was bespoke, designed for the organisations in question, and there were specific processes in the ransomware which were able to shut down ICS processes, which is obviously not very nice. And on top of that, it also encrypts and applies the ransom effects. So it’s a bit of a nasty one.
STEVE LAIDLER [00:09:00] It’s really playing on the sort of, you know, the old question: how much of an impact financially is the downtime versus how much the ransom is to recover the systems? And again, you know, when these things are encrypted, there’s no guarantee you’ll get your data back after you’ve paid the ransom.
DAVID TAYLOR [00:09:23] I think when they were ransomware attacked, they refused to pay and just kind of restored from back-up, didn’t they?
STEVE LAIDLER [00:09:29] Yeah, they did. But it took them a long time to do that. The impact was quite, quite large, probably from a, you know, time and effort perspective to get it back, and also the obvious financial impacts as well. But I guess, you know, some people choose to do that because it’s more of a, you know, we’re-not-giving-in kind of mentality.
DAVID TAYLOR [00:09:50] And you’re not funding cyber criminals, I guess, at the end of the day.
STEVE LAIDLER [00:09:53] Yeah, that’s right. They’re going to go on and hit another manufacturer along those lines.
DAVID TAYLOR [00:09:59] So shall we crack on with our next story then, guys? So the second story of the week is, I guess, four for four in terms of Microsoft patch releases being over 100. And so this is a bit of a whopper as well: 129 fixes released in the Microsoft Patch Tuesday for June. And I believe of those 118 were ranked as important and 11 as critical. So all need addressing, I would’ve thought.
JOSHUA READ [00:10:32] It’s a bit of a headache for IT in terms of the volume of patches that are being released. Obviously, it’s good that they’re finding and releasing this many patches, but then it’s also bad at the same time, because it means that the platforms are insecure technically and they’re vulnerable by design. And I think, more interestingly, it would be interesting to see if the volume of patches and vulnerabilities found on Microsoft products drops after COVID-19. My guess is probably not, and this is the new norm, the volume of patches. They don’t just affect remote working software; it’s the same thing from the OS down to the individual DLLs on the system that need changes and configuration and registry changes. So, you know, yes, it could possibly be to do with COVID-19. There are a lot of external factors at play when it comes to developing patches and vulnerability analysis and identifying vulnerabilities. Thankfully, cyber attackers don’t appear to be exploiting any of the vulnerabilities in zero-day attacks at this moment in time, but I think more worrying is there was a notable flaw with SMB version 3, which is a protocol used for file sharing and certain communication, essentially Server Message Block. It was a variant of the EternalBlue exploit, which was used in WannaCry, that used the SMB protocol to spread sideways, lateral movement. So again, there was not a lot of analysis done on this vulnerability. And it was so-called SMBleed, which affects Windows 10 versions 1903 and 1909. And obviously last month the Windows 10 2004 edition was released; updating to that version fixes the issue, or applying the individual KB patches for this vulnerability will also fix this issue. All this coupled, on an unpatched system, this SMBleed vulnerability combined with SMBGhost can lead to remote code execution and a lot of pain for system admins.
Essentially SMB runs over TCP 445, and it’s a network protocol that provides the basis for file sharing, network browsing, print sharing, printing services and inter-process communication over a network. It’s quite a fundamental element and process that you see. You just can’t block it. There’s a lot of dependency on it. Microsoft state an attacker who successfully exploits the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability against a server, an unauthenticated attacker would send a specially crafted packet to a targeted SMB version 3 server, and to exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMB version 3 server and convince a user to connect to it. So it’s important to understand the context of this. Remember, as I’ve said before, it’s quite easy just to jump in, look at the CVSS score and go, oh no, need to fix this. Well, essentially, you need to read around the vulnerability and understand exactly what is required for an attacker to exploit this, and the impact if an attacker exploits it as well.
STEVE LAIDLER [00:14:41] I think there were 11 critical vulnerabilities within those fixes. Yeah. I think with patching, basically the rule is apply your patches, isn’t it, as soon as possible and as safely as possible as well. With COVID-19 and everybody working remotely, there is probably some fear or, you know, a bit more caution required just to ensure that those patches don’t cause any impact on production systems. But the general rule of thumb is to keep your patches moving, keep applying them and get them on.
JOSHUA READ [00:15:24] This is one of the problems that I’ve spoken about previously, that the method of categorising a vulnerability based on a CVSS score is all well and good. But you’ve got to remember who’s reading these CVSS scores. It’s very easy to look at a CVSS score, see 10, start worrying and then rush into patching, and yes, essentially you should be patching all your critical and important ones. Well, it’s learning how to prioritise those patches. If you, you know, don’t have the ability to push out all the patches at once, or you’ve got systems that you deem more critical than others, do follow a different patching cycle to your laptops. So let’s say you’ve got a criticality grouping on your domain controllers and all the critical assets that are required for your business to function, and then you’ve got some nice-to-have servers that just provide functionality; there could be examples of that every step of the way.
STEVE LAIDLER [00:16:44] It comes down to manpower, you know; if you’ve only got a certain amount of manpower that’s available, then patching or managing environments means prioritising tasks based on how much time and effort it takes to do it. So you need to concentrate on critical and high vulnerabilities to get on board, to patch the most critical assets and systems. If, you know, automated systems are great because they can effectively apply these patches for you. But there are still some people who go around the environment and potentially lots of endpoints, clicking the update, you know, apply updates now, on individual systems. So it’s a case of looking at, you know, what the potential attack vectors are, how critical they are, what else is going on in the environment. And, you know, basically just prioritising the most critical. And as we’ve seen and talked about in the previous kind of stories over the weeks, you know, people do exploit these loopholes and these vulnerabilities to take advantage of them and can cause mayhem and real destruction with them.
DAVID TAYLOR [00:17:58] It’ll be interesting to see how many patches there are in July.
STEVE LAIDLER [00:18:14] What could be the case is everybody’s working from home now. Nobody has to travel into the office and they have got more time to spot more vulnerabilities and write more patches. So maybe we see more patches because, you know, everybody’s got a little bit extra time on their hands that they can spend on fixing things.
DAVID TAYLOR [00:18:33] Can we move on to our third story of the week?
STEVE LAIDLER [00:18:34] Yeah.
DAVID TAYLOR [00:18:35] So this one is essentially BLM, Black Lives Matter, malspam emails delivering TrickBot malware to people. So, again, cyber criminals jumping on the hot topic. Something that’s very, very relevant to some people, very emotive, and would definitely lead to some people taking an action. In this case, I believe it was a survey that they wanted to take part in, which by clicking into it enables some macros which downloaded the TrickBot malware. Josh, have you got a bit more on this one?
JOSHUA READ [00:19:10] Yeah. So it’s a malspam email, a spam campaign. The definition of malspam versus phishing emails is very shrouded. Well, essentially malspam is a really, really broad term used for emails that are just sent out to the majority of people that have malintent. They have no specific targets apart from humans, people using computers, and this campaign was used to deliver a supposed survey on the Black Lives Matter campaign. Well, in reality, that delivered the infamous banking Trojan, TrickBot, a nasty piece of work. And again, note the social engineering technique utilising the very current and relevant topic. And, as I’ve said with the Coronavirus stuff, it’s gonna repeat itself. Cyber attackers will always look to exploit real-world happenings to drive the click rate of their emails or drive the downloads and malicious activities taken, respectively. But the mistaken actions that people take come from not understanding the email. It’s the same way that marketing emails are designed to engage the audience. And, you know, phishing, malspam, they’re all designed to engage the audience. And it’s all about the congruency to the individuals. How relevant and how interesting is it to the individual? You know, I can receive an email on the process of, I don’t know, filtering rocket fuel; it wouldn’t interest me because I’m not a rocket scientist, but something that is, you know, related to cyber security is going to drive interest and make me read into it a little bit more. Well, according to the Swiss security firm abuse.ch, threat actors are posing as government officials in this campaign in an effort to lure socially minded victims into clicking malicious attachments in emails. Now, the malicious attachment in this campaign is a Word document. It’s your typical enable-content one. You know, the old, you open the document and at the top is a big yellow bar saying enable content.
Then you click enable content; in turn, the macros run, contact the C2 server and pull down the TrickBot Trojan. The TrickBot Trojan does its thing, steals your information, and is just a real annoyance. But according to sample documents obtained by BleepingComputer, the attachment, if opened, surfaces the button, and then you click the button and it activates the macro and in turn downloads TrickBot in the form of the malicious library.dll file. It’s using a very common malware delivery technique that’s been around for five or six years. On the site it’s listed as a common threat on the cyber security front. It’s a long-winded way of getting malware on the PC. You know, sometimes a link to a malicious website can be enough, whereas with the action of opening the document and getting people to enable content, there are a lot of points of failure that could stop the malware attack. They might open the document and not click enable content, or might not even open the document at all. It won’t be a massively successful attack. Well, if it’s used in bulk like it is in these campaigns, in this context, of course it’s gonna be successful. And I’m not surprised at all that they’ve chosen to use this tactic, especially in the context of current happenings.
DAVID TAYLOR [00:23:39] Definitely. I think it’s about time, probably not the best wording, but, you know, it was expected that cyber criminals were gonna jump on this, because lots of people are getting emails. You know, there’s so many petitions going around. So people, you know, get follow-up emails telling you what’s going on in the petition. So I’m not surprised some jumped on it. And I reckon there will be a few people who have signed petitions in the past or signed up to things along this topic, and they’ll probably be more inclined to click the button. Should we go on to our last story of the week? So one for the Marvel lovers out there: the Thanos ransomware weaponises the RIPlace tactic. Bit of an apt name for it. You got any more on this one, Josh? Do you want to explain a bit more?
JOSHUA READ [00:24:30] Potentially this ransomware is about as nasty as Thanos was. Thanos was a bad guy, but this is some bad ransomware as well. This ransomware is one of many, but it is the first to feature the weaponised RIPlace tactic; they believe there was a proof of concept released last year around this RIPlace tactic. It’s an evasion technique that’s used by the ransomware. So they append this evasion technique into the code of the ransomware. I won’t get into the technical details of it because it is really complicated, but essentially it can evade Microsoft’s ransomware protection services very, very easily. And the proof of concept that was done by Nyotron demonstrated in a quick 30-second video how it works. They didn’t go into great detail; some say they didn’t want people to weaponise it back then, six months ago. But eventually someone’s worked it out, and now it’s being used in Thanos ransomware. But I think more interesting with this Thanos ransomware is it’s appearing to be more and more like ransomware as a service. The Dark Web, the underworld, whatever you want to call it, there’s a lot of activity around this Thanos ransomware. And this is almost like a project. They consistently add in stuff, whether it’s evasion techniques, new stuff. And essentially, you can buy it, you know, and deploy it to whomever you wish it to be deployed to.
STEVE LAIDLER [00:26:24] I think it’s interesting as well, because as a service, you don’t necessarily have to have great skill in the development of it or management of it or anything like that. You know, it is provided to you. So there’s less skill required for the people who want to use it. And also, it looks like, given the fact that there were different tiers, you can pick your price point and the capabilities that you want and just take those that fit whatever activities you want to engage in. So this service is effectively delivered around the customer and their needs. So it’s a common model that’s used everywhere else in the world. And it has been used in these kinds of scenarios for a while as well. So, you know, putting some fairly malicious tools and services into the hands of cyber criminals in a cost-effective model, you know, effectively.
DAVID TAYLOR [00:27:24] Is it like open source to some extent? You know how you say people keep sort of evolving it and adding to it, like, is it just out there for cyber criminals to be able to add stuff to it? Is that how it works?
JOSHUA READ [00:27:35] Well, I think it’s an organised group that are adding stuff to it. And they see monetary value in the ability to sell this on to smaller actors who are just wishing to cause pain to organisations. I think beyond its utilisation of RIPlace, Thanos does not incorporate any novel functionality, so it is a simple ransomware, but its ability to consistently have additional things added to it, it’s almost like a project, like mini sprints. It’s very adaptive and very hard to keep track of. I think it’s only just come to fruition that it is such a deadly threat because of its use of RIPlace. It’s a very, very damaging flaw, especially in the light of ransomware. If ransomware has the ability to disable the security features in place to stop it, then essentially you’re left with your trousers down if that ransomware manages to get into your network.
STEVE LAIDLER [00:28:54] And of course, it also has a couple of other features, doesn’t it; it can do, you know, things like exfiltration, so it can get data out of the organisation. And it’s got lateral movement capability. So it can get itself around the network as well.
JOSHUA READ [00:29:04] Yeah. And they were all things that were added to it. Right. And they haven’t released the roadmap, unfortunately. So we can’t say what’s due to come. It would be nice if they did. So it could. Yeah.
STEVE LAIDLER [00:29:19] Yeah. Right. That’s the problem. Yeah. You don’t want your enemies to see where you’re coming from.
JOSHUA READ [00:29:26] One to watch, especially in its developments. Oh yeah. It’s gonna be a threat of ransomware and, shamefully, they’ve proven they’ve now turned ransomware into a project.
DAVID TAYLOR [00:29:40] Do you think this sort of as-a-service feature or model that’s applied to ransomware is going to spread to other sorts of cyber attacks?
STEVE LAIDLER [00:29:49] It probably already has. I’m sure this is a common way of operating.
JOSHUA READ [00:29:55] There are models of botnets as a service, phishing as a service. If you’ve got money and you’ve got the hatred of certain targets, you can go and pay someone to go and do it for you.
STEVE LAIDLER [00:30:17] It’s all the financial motivation here. Ultimately, you know, you can make a lot of money off this, and that’s probably the primary driver to it. Well, you know, it’s like anything else. It’s a business, isn’t it? Invest something to, you know, get something back in. And while that’s the case, then it’s in their interests to keep evolving these tools and techniques and methodologies to make them more efficient and better, so that you can effectively drive greater financial gain or, you know, access to greater information, whether that’s industrial secrets or anything else. Or, like we’ve seen potentially, the likes of the Honda scenario where, you know, if you can encrypt some particularly important control systems that can shut down manufacturing sites, you know, you can then basically name your price, because as long as it’s under the cost of that, the amount of money that manufacturing plant will lose, you’re gonna be in a strong position to actually get something. So, yeah, you understand why people do it.
DAVID TAYLOR [00:31:29] Well, that’s what we were saying the other week, isn’t it? It’s the third largest economy, the cyber criminal economy. It is. So obviously lots of money in it to be made. Well, thanks a lot, guys. That’s all we’ve got time for today, unfortunately. But I think we’ve covered some really good stories. I think it’ll be interesting to watch the EKANS ransomware and see how the Thanos ransomware as a service seems to develop as well. So thanks, guys. And everyone else, we’ll catch you next week for your overfill of cyber security stories. Catch you then.