Automated cybersecurity solutions provider Fortinet® recently released the findings of the latest semiannual FortiGuard Labs Global Threat Landscape Report. According to the report, cyber adversaries are exploiting the global pandemic to compromise systems.
“The first six months of 2020 witnessed an unprecedented cyber threat landscape,” Derek Manky, Chief, Security Insights & Global Threat Alliances, FortiGuard Labs, said in a press release. “The dramatic scale and rapid evolution of attack methods demonstrate the nimbleness of adversaries to quickly shift their strategies to maximize the current events centered around the COVID-19 pandemic across the globe. There has never been a clearer picture than now, of why organizations need to adjust their defense strategies going forward to fully take into account the network perimeter extending into the home. It is critical for organizations to take measures to protect their remote workers and help them secure their devices and home networks for the long term. It is also wise to consider adopting the same strategy for cyber viruses that we are adopting in the real world. Cyber social distancing is all about recognizing risks and keeping our distance.”
In addition to the trends impacting cybersecurity across the board, Fortinet researchers also identified threats cyber adversaries are using to target industrial environments. For example, ransomware and attacks targeting Internet-of-Things devices as well as operational technology have continued to increase and are evolving to become more targeted and more sophisticated.
“June marked the 10th anniversary of Stuxnet, which was instrumental in the evolution of threats to, and security of, operational technology. Now, many years later, OT networks remain a target for cyber adversaries,” Fortinet said in the release. “The EKANS ransomware from earlier this year shows how adversaries continue to broaden the focus of ransomware attacks to include OT environments. Also, the Ramsay espionage framework, designed for the collection and exfiltration of sensitive files within air-gapped or highly restricted networks, is an example of threat actors looking for fresh ways to infiltrate these types of networks. The prevalence of threats targeting supervisory control and data acquisition (SCADA) systems and other types of industrial control systems (ICS) is less in volume than those affecting IT, but that does not diminish the importance of this trend.”
According to the report, in June, a cyber attack on a well-known manufacturer interfered with operations and caused temporary production interruptions at several of the company’s facilities.
“Security researchers identified the malware used in the attack as EKANS (which is sometimes referred to publicly as Snake), a ransomware sample with several features tailored to attack systems in ICS,” the report says. “Our analysis of the malware showed it to be heavily obfuscated, written in the GO programming language, and not very different from other ransomware tools except for its targeting of OT and ICS systems. The attack—and the use of EKANS—was troubling because it suggested that adversaries might be broadening the focus of ransomware attacks to OT environments as well.”
In January, Fortinet saw a surge across its IPS sensors in the U.S., Brazil, and Germany in activity involving Modbus TCP servers and programmable logic controllers (PLCs) that could result in information leakage. Of all the IPS detections involving industrial systems in the first half of 2020, Modbus-related detections were the most voluminous.
“Note, however, that all triggers of this signature aren’t necessarily malicious,” the report says. “But it’s worth monitoring because an attacker infiltrating the SCADA network could certainly cause trouble by accessing the Modbus controller.”
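The monitoring the report recommends can be approximated by inspecting Modbus/TCP requests and flagging read or identification queries that do not come from the hosts expected to poll the PLCs. The following is an added example, not code from Fortinet or the report; the MBAP layout and function codes are from the public Modbus spec, while the allowlist and the sample traffic are constructed for illustration.

```python
import struct

# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id
MBAP = struct.Struct(">HHHB")

# Public Modbus function codes that read data or identity from a PLC
READ_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
    0x11: "Report Server ID",
    0x2B: "Read Device Identification",
}

def parse_frame(frame: bytes) -> dict:
    """Split a Modbus/TCP request into MBAP fields and the PDU function code."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "pdu": frame[8:]}

def flag_requests(requests, allowed_clients) -> list:
    """Return (src, dst, reason) alerts for read requests from unexpected hosts or malformed frames."""
    alerts = []
    for src, dst, frame in requests:
        try:
            f = parse_frame(frame)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed: {exc}"))
            continue
        name = READ_FUNCTIONS.get(f["function"])
        if name and src not in allowed_clients:
            alerts.append((src, dst, f"{name} (0x{f['function']:02X}) unit {f['unit']}"))
    return alerts

# Constructed sample traffic (hypothetical addresses): a known HMI polls normally,
# an unknown host enumerates device identity, and one frame has a bad length.
SAMPLE = [
    ("10.0.1.10", "10.0.2.5", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    ("10.0.9.77", "10.0.2.5", b"\x00\x02\x00\x00\x00\x05\x01\x2b\x0e\x01\x00"),
    ("10.0.9.77", "10.0.2.5", b"\x00\x03\x00\x00\x00\x02\x01\x11"),
    ("10.0.9.77", "10.0.2.5", b"\x00\x04\x00\x00\x00\x09\x01\x03"),
]
ALLOWED = {"10.0.1.10"}  # hosts expected to poll the PLCs (assumed)

if __name__ == "__main__":
    for alert in flag_requests(SAMPLE, ALLOWED):
        print(alert)
```

In a real deployment the allowlist would come from the asset inventory, and the parser would be fed from a network tap or the IPS rather than a fixed list.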
In May, Fortinet researchers uncovered Ramsay, an espionage framework used by cyber adversaries for the collection and exfiltration of sensitive files within air-gapped or highly restricted networks, which include OT environments.
“It’s not quite clear how long Ramsay has been active, but it’s been tied to an older APT group, Darkhotel,” the report says. “As their name suggests, Darkhotel is more known for exploiting hotel Wi-Fi networks than industrial facilities, but we’re more interested in Ramsay’s potential than its progenitors.”