As multiple reports have stated over the past several weeks, Norsk Hydro AS suffered a crippling cyber-attack. The Norwegian aluminum producer estimates that total losses from the incident have already exceeded $40 million USD. The attack on Norsk Hydro appears to have been executed precisely to hit systems running on production networks. Such industrial control networks are common across many industries, and malicious activity on ICS computers is considered an extremely dangerous threat. We have also found that passwords for production machines are very often shared widely, left at default values, or absent altogether, leaving the machine unprotected and putting out a welcome mat for bad actors.
Security researchers recently reported that an Iran-linked cyber-espionage group (known as APT33, which Symantec calls Elfin), first found targeting critical infrastructure, energy and military organizations in Saudi Arabia and the United States two years ago, continues to target organizations in both countries. Researchers began monitoring the group's attacks in 2016 and found that it has run a heavily targeted campaign against multiple organizations, with 42% of the most recently observed attacks directed at Saudi Arabia and 34% at the United States. Over the past three years the group has targeted a total of 18 American organizations in the engineering, chemical, research, energy consultancy, finance, IT and healthcare sectors, including several Fortune 500 companies. In December 2018 the same group was linked to a wave of Shamoon attacks on the energy sector, one of which infected a company in Saudi Arabia with the Stonedrill malware used by Elfin.
Researchers have now uncovered a new variant of the infamous Mirai botnet, this time targeting embedded devices intended for use in business environments. The aim is to gain control of greater bandwidth for large-scale DDoS attacks. The variant adds 11 new exploits to its multi-exploit battery, for a total of 27, along with a new set of unusual default credentials for brute-force attacks against Internet-connected devices; it specifically targets various routers, network storage devices, NVRs and IP cameras. After scanning for and identifying vulnerable devices, the malware fetches the new Mirai payload from a compromised website, installs it on the target device, and adds the device to the botnet, where it can be used to launch HTTP flood DDoS attacks. These developments underscore how important it is for enterprises to know which IoT devices are on their networks, and whether those devices still answer to default credentials.
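The two behaviours above, production devices left on default or shared passwords and a Mirai-style scanner walking the network with a short default-credential list, leave a recognisable trace in authentication logs: one source trying the same handful of well-known pairs against many different devices. The following Python script is an added example written for this page, not code from any of the reports or vendors it mentions. The log format, host names, addresses and the small credential list are all constructed for illustration (the list contains widely published IoT defaults, not the credential set of the new variant), and real devices rarely record the attempted password, so lines like these would come from a telnet/SSH honeypot or canary rather than from the devices themselves.

```python
import re
from collections import defaultdict

# Constructed sample of widely published IoT default credentials (user, password).
# Illustrative only; NOT the credential list of the Mirai variant discussed above.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "admin"), ("root", "xc3511"),
    ("root", "vizxv"), ("support", "support"), ("user", "user"),
}

# Constructed, honeypot-style line format (assumed for this example):
#   <timestamp> host=<device> event=login_failed|login_success src=<ip> user=<u> pass=<p>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>login_failed|login_success) "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)


def parse_line(line):
    """Return a dict for an auth event line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_credential_sweeps(lines, min_targets=3, min_default_hits=3):
    """Flag sources that try known default credentials against several devices.

    A single operator mistyping a password hits one host with a non-default pair;
    a Mirai-style scanner hits many hosts with the same short default list.
    Hosts that ACCEPTED a default pair are reported too: they are the devices
    most likely already recruited into the botnet.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "targets": set(), "pairs": set(),
                                   "default_hits": 0, "accepted_default_logins": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:           # non-auth lines (reboots, etc.) are skipped
            continue
        pair = (ev["user"], ev["pw"])
        s = per_src[ev["src"]]
        s["attempts"] += 1
        s["targets"].add(ev["host"])
        s["pairs"].add(pair)
        if pair in DEFAULT_CREDENTIALS:
            s["default_hits"] += 1
            if ev["event"] == "login_success":
                s["accepted_default_logins"].add(ev["host"])

    flagged = {}
    for src, s in per_src.items():
        if len(s["targets"]) >= min_targets and s["default_hits"] >= min_default_hits:
            flagged[src] = {
                "attempts": s["attempts"],
                "targets": sorted(s["targets"]),
                "distinct_pairs": len(s["pairs"]),
                "default_hits": s["default_hits"],
                "accepted_default_logins": sorted(s["accepted_default_logins"]),
            }
    return flagged


# Constructed sample log: one infected camera (10.0.5.17) sweeping four devices
# with default pairs, and one operator (10.0.1.50) mistyping a real password once.
SAMPLE_LOG = """\
2019-03-28T10:02:11Z host=cam-07 event=login_failed src=10.0.5.17 user=root pass=xc3511
2019-03-28T10:02:11Z host=cam-07 event=login_failed src=10.0.5.17 user=root pass=vizxv
2019-03-28T10:02:12Z host=cam-07 event=login_failed src=10.0.5.17 user=admin pass=admin
2019-03-28T10:02:14Z host=nvr-02 event=login_failed src=10.0.5.17 user=root pass=xc3511
2019-03-28T10:02:14Z host=nvr-02 event=login_success src=10.0.5.17 user=admin pass=admin
2019-03-28T10:02:17Z host=rtr-edge-1 event=login_failed src=10.0.5.17 user=admin pass=admin
2019-03-28T10:02:17Z host=rtr-edge-1 event=login_failed src=10.0.5.17 user=support pass=support
2019-03-28T10:02:19Z host=nas-01 event=login_failed src=10.0.5.17 user=admin pass=admin
2019-03-28T10:02:19Z host=nas-01 event=login_failed src=10.0.5.17 user=root pass=root
2019-03-28T10:03:40Z host=nvr-02 event=login_failed src=10.0.1.50 user=ops pass=Winter2O19!
2019-03-28T10:03:46Z host=nvr-02 event=login_success src=10.0.1.50 user=ops pass=Winter2019!
2019-03-28T10:03:50Z host=nas-01 event=reboot
"""


def run_sample():
    """Run the detector over the constructed sample and return the flagged sources."""
    return detect_credential_sweeps(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, info in run_sample().items():
        print(f"{src}: {info['default_hits']} default-credential attempts across "
              f"{len(info['targets'])} devices; accepted on {info['accepted_default_logins']}")
```

On the sample, only 10.0.5.17 is flagged: nine attempts, all from the default list, spread over four devices, with nvr-02 having accepted admin/admin. The operator at 10.0.1.50 is not flagged because the single failure used a non-default pair against one host. The thresholds are deliberately low for the sample; on a real network they should be tuned against the baseline of legitimate management logins, and every host listed under accepted_default_logins is a device whose password must be changed before it is put back on the network.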
Without clear, compartmentalized and comprehensive security, once malware has breached the network it can spread quickly and cross-infect every device on it. IT and OT share the same wires, and VPNs, firewalls and SDNs do not adequately separate IT from OT, allowing easy "cross-over" breaches. Putting OT onto a network that was not designed to handle the diversity or volume of these devices is expensive and does not solve the security problem; it only complicates the IT network and increases the cost of managing it. Until now, CIOs and CISOs have had no affordable option to separate IT and OT, prevent cross-over breaches and continuously monitor all OT. The Secure IoT® platform from Onclave creates a truly secure and separate private network and prevents cross-over breaches. The platform reduces costs by eliminating certificates, access control lists and management overhead. Implemented enterprise-wide, it protects all OT regardless of age, operating system, manufacturer or protocol, and comes with built-in continuous monitoring of all OT for anomalous communication behavior, with no third-party solutions or major infrastructure changes required. The platform is fast and easy to deploy and is HIPAA / HITECH and FIPS compliant.