Global ICS Systems Attacked Malware 2022

October 30, 2023

40 global ICS systems were attacked by malware in 2022. Dive into the details of this significant cybersecurity incident. During the second half of 2022, threats that use scripts and spyware continued to increase. Threat actors also used cryptocurrency miners.

Business email compromise (BEC) jumped to fifth place, while vulnerability exploitation dropped 19% from the previous year. These changes may be due to better user awareness, more effective defenses that catch malware, and better incident response procedures.

Zotob PnP Worm

In August 2005, a new worm named Zotob was discovered. It targeted unpatched Windows 2000 systems with TCP port 445 open. It spread by scanning IP addresses for vulnerable machines to infect, while infected hosts connected to IRC chat servers to download instructions for a remote-control backdoor. It also modified the HOSTS file to block access to antivirus websites.

Infected computers are slow to start up, have erratic behavior, and constantly reboot or crash. Many of the attacks are minor and only slow down or disrupt operations, but others can be devastating. The Zotob worm shut down the main customs database in Virginia, and the Navy and Marine bases in Okinawa, Japan. Its infection of Disneyland’s ticketing system forced staff to sell tickets manually. Affected computer systems in the United States caused delays for travelers at several airports, including Atlanta’s Hartsfield International.

Infosec manager Mauri Rosendahl at the University of Helsinki, Finland, gets a strange call from his security team: an application is trying to connect to an address outside the network via port 18067. Rosendahl investigates and finds that a Windows 2000 system is infected with the Zotob worm. He sends a copy of the malware to F-Secure, his local antivirus vendor, for analysis. F-Secure finds that the worm is spreading and cannot be stopped, and a new version of the worm is soon released.

According to security company Sophos Plc, the worm is based on the HellBot3 backdoor and the MS05-039 exploit code. It appears that a hacker known by the pseudonym ‘Diabl0’ combined these components to create the worm.

The worm’s small footprint and backdoor capabilities make it more effective than other recent worms such as Code Red and Blaster. It may act as the progenitor of other, more destructive worms, just as BlueCode spawned the Nimda worm in 2001.

As the worm spreads, Rosendahl struggles to contain it. He installs a patch offered by Microsoft, but the infection is too widespread to contain. Journalists at ABC’s World News Tonight in New York City are working on typewriters, and journalists in the studio are forced to switch to teleprompters for their broadcast.

LockBit

Unlike most ransomware attacks that target corporate networks, LockBit targets operational technology (OT) and industrial control systems. As a result, victims of the malware have reported disruption to business operations and significant financial losses. The ransomware gang’s tactics include a triple extortion strategy: 1) demanding a high amount of money to decrypt the victim’s data; 2) threatening unresponsive victims with humiliating data leaks; and 3) threatening crippling distributed denial-of-service attacks. In the fourth quarter of 2022, LockBit was notably active in delivering on its threats. The gang reportedly redesigned its Tor sites and added a Linux encryptor targeting VMware ESXi servers.

Once the attackers gain a foothold on an infected machine, they try to reach the OT network and any other connected devices. If successful, they escalate their privileges and stage the system for deployment of the encryption payload. To prepare for the exfiltration and encryption phase, the attackers also disable security software and cripple any infrastructure that would help users with a manual system recovery. The goal of this second stage is to make unassisted recovery so difficult or time-consuming that victims feel compelled to pay the demanded ransom.

The gTIC assesses that it is likely that LockBit, which is attributed to a former Conti developer and affiliates, will continue its aggressive attack campaign throughout 2023. It is also likely that the group will seek to expand its reach by targeting new victims and establishing connections with other ransomware gangs.

In addition to ICS environments, LockBit also targeted companies across a variety of industries, including paper products, automotive, electronics and semiconductors, metal fabrication, and industrial equipment. Even though many of these companies are global players, the gang is likely to target them because of the financial rewards on offer and their low levels of defenses.

Education institutions were the most common LockBit target in 2022, followed by manufacturing, retail, and healthcare. These sectors are likely targets because they hold a high volume of sensitive information. Additionally, education networks are often more open and less secure than corporate networks and are unlikely to be as security conscious.

Black Basta

Black Basta is a ransomware gang that favours double extortion tactics, meaning it first steals sensitive data before encrypting it. The criminals will then release the stolen data on the dark web and demand money for a decryption key. The Black Basta gang has only been active since April 2022, but it has already targeted many companies in the construction, business services, food and beverage, metals and mining, insurance, and chemicals industries.

Attacks typically begin with a targeted spear-phishing campaign to gain initial access. The threat actors then deploy a range of second-stage techniques to acquire Windows domain credentials, move laterally through the network and steal data. This can include using reconnaissance tools such as Qakbot, Mimikatz, and SystemBC, exploiting ZeroLogon, NoPac and PrintNightmare for privilege escalation, and using Cobalt Strike Beacons for remote control. Black Basta also leverages remote-access tools such as AnyDesk and AteraAgent to reach a network’s Remote Desktop Protocol (RDP) services.
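As an added example (not code from the original article or from any vendor), a host-level correlation over constructed process-creation events for the chain described above: a credential tool followed by an unapproved remote-access tool on the same host. The event format, host names, approved-host list and time window are assumptions.

```python
"""Correlate per-host process events for the Black Basta chain described in
the article: credential tooling followed by an unapproved remote-access tool
(AnyDesk, AteraAgent) on the same host. The event format, host names and the
approved-host list are assumptions constructed for this example."""
from datetime import datetime, timedelta

CRED_TOOLS = {"mimikatz.exe"}                   # credential-access tooling
RMM_TOOLS = {"anydesk.exe", "ateraagent.exe"}   # remote-access tools named above
APPROVED_RMM_HOSTS = {"helpdesk-01"}            # hosts where an RMM agent is expected
CHAIN_WINDOW = timedelta(hours=2)               # max gap between the two steps
RANK = {"medium": 1, "high": 2, "critical": 3}  # severity ordering

# Constructed sample events: "<timestamp> <host> <user> <image>"
SAMPLE_EVENTS = """\
2022-06-01T08:02:10 ws-042 jdoe outlook.exe
2022-06-01T08:03:41 ws-042 jdoe winword.exe
2022-06-01T08:31:05 ws-042 jdoe mimikatz.exe
2022-06-01T09:10:22 ws-042 jdoe AnyDesk.exe
2022-06-01T09:15:00 helpdesk-01 svc_it AteraAgent.exe
2022-06-01T11:40:00 fs-01 admin AteraAgent.exe
"""

def parse(text):
    """Parse events into (timestamp, host, user, image) with a lowercased image."""
    events = []
    for line in text.splitlines():
        ts, host, user, image = line.split()
        events.append((datetime.fromisoformat(ts), host, user, image.lower()))
    return events

def raise_to(findings, host, sev):
    """Record sev for host unless a higher severity is already recorded."""
    if RANK[sev] > RANK.get(findings.get(host), 0):
        findings[host] = sev

def correlate(events):
    """Return {host: severity}: 'medium' for an RMM tool on an unapproved host,
    'high' for a credential tool, 'critical' when the RMM tool follows the
    credential tool on the same host within CHAIN_WINDOW."""
    last_cred, findings = {}, {}
    for ts, host, _user, image in sorted(events):
        if image in CRED_TOOLS:
            last_cred[host] = ts
            raise_to(findings, host, "high")
        elif image in RMM_TOOLS and host not in APPROVED_RMM_HOSTS:
            seen = last_cred.get(host)
            chained = seen is not None and ts - seen <= CHAIN_WINDOW
            raise_to(findings, host, "critical" if chained else "medium")
    return findings

if __name__ == "__main__":
    for host, sev in sorted(correlate(parse(SAMPLE_EVENTS)).items()):
        print(f"{sev:8s} {host}")
```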

Until recently, Black Basta primarily targeted organisations in the US, with a strong focus on the construction, manufacturing, real estate, business services, metals, and mining sectors. However, the gang has now expanded its reach and has begun targeting businesses in Europe. Last summer, Black Basta attacked the building supplies company Knauf, causing significant disruption and impacting operations across the continent.

While some companies have paid the criminals to recover their data, others have resorted to alternative measures such as hiring a data recovery firm or purchasing a ransomware decryptor. These solutions are often ineffective, and they can lead to further damage to a victimised company’s systems and files. SalvageData recommends avoiding paying the ransom, as there is no guarantee that the hackers will return your data after payment.

If your organisation has been hit by Black Basta, contact our experts for a recovery service. We can safely restore your data and ensure that the attack never affects you again. For more information, visit our recovery page or find a centre near you. Our teams are available 24/7 to answer your questions and provide expert advice.

Zotob Trojan

Zotob spreads by exploiting a vulnerability in Microsoft Windows systems. The company warned users of the flaw in a security update issued last Tuesday. But within two days, hackers had created exploits for the hole. “It’s really important to keep up to date with Microsoft patches,” said Mike Hughes, a senior research analyst at the antivirus firm F-Secure Corp.

The worm is spreading quickly on networks that have not applied the MS05-039 patch. It can remotely infect computers running the vulnerable version of Windows 2000. Infected machines then send information about the computers to a bot herder. Microsoft’s updated advisory says other versions of Windows, such as Windows XP Service Pack 2 and Windows Server 2003, are not impacted by the Zotob variants because they do not use the NULL session capability that the attack exploits.

Some of the worm’s code is believed to be from a notorious Russian hacker known as Diabl0, who was arrested earlier this year. He is alleged to have received payments from a criminal organization to hack into financial and other websites.

But while Zotob is spreading rapidly, it is not causing as much damage as the highly destructive Blaster and Code Red worms. Nor is it as prolific as the multipartite Nimda virus of 2001, which caused massive disruptions to rail, air and postal services, as well as clogging bandwidth and slowing network performance.

The Zotob worm spreads via the PnP protocol, which lets computer hardware and software share files. It tries to infect other systems on the same network, although it can be blocked by firewalls and Internet providers that filter out malicious content. The worm can also infect unpatched systems by attacking TCP port 445, used by the vulnerable Plug and Play component of Windows. The worm can then communicate with an IRC bot herder, who will direct infected machines to download or execute other malware.

Zotob can also block access to antivirus companies’ websites and open a backdoor that allows the herder to take control of an infected system. The herder can then send commands to the infected machine over IRC, for example to download, run or delete files. A plaintext string in the worm’s code reads: “Made By….. Greetz to good friend Coder.”
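As an added example (not part of the original article), the two Zotob indicators described in both Zotob sections, a host fanning out TCP/445 connection attempts to many distinct addresses and an outbound connection on port 18067 to the IRC controller, as a small detector run over a constructed connection log; the log format, IP addresses, window and fan-out threshold are assumptions.

```python
"""Detect Zotob-style worm behaviour in a connection log (constructed example).
Signals from the article: a host fanning out TCP/445 connection attempts to many
distinct addresses (scanning for vulnerable Windows 2000 hosts) and an outbound
connection to port 18067 (the IRC controller). Log format is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <src_ip> <dst_ip> <dst_port> <flag>"
SAMPLE_LOG = """\
2005-08-16T09:00:01 10.1.1.20 10.1.1.21 445 SYN
2005-08-16T09:00:01 10.1.1.20 10.1.1.22 445 SYN
2005-08-16T09:00:02 10.1.1.20 10.1.1.23 445 SYN
2005-08-16T09:00:02 10.1.1.20 10.1.1.24 445 SYN
2005-08-16T09:00:03 10.1.1.20 10.1.1.25 445 SYN
2005-08-16T09:00:10 10.1.1.20 198.51.100.7 18067 SYN
2005-08-16T09:00:11 10.1.1.30 10.1.1.5 445 SYN
2005-08-16T09:00:12 10.1.1.30 10.1.1.5 445 SYN
2005-08-16T09:00:15 10.1.1.30 10.1.1.6 445 SYN
"""
IRC_C2_PORT = 18067   # port the Helsinki team observed (from the article)
SCAN_FANOUT = 5       # distinct port-445 targets within WINDOW => scanning
WINDOW = timedelta(seconds=60)

def parse(text):
    """Parse log lines into (timestamp, src, dst, port) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, _flag = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return rows

def detect(rows):
    """Return sorted, de-duplicated (alert_kind, src_ip) tuples."""
    alerts = set()
    smb = defaultdict(list)   # src -> [(ts, dst)] recent port-445 attempts
    for ts, src, dst, port in sorted(rows):
        if port == IRC_C2_PORT:
            alerts.add(("irc-c2", src))
        elif port == 445:
            # sliding window: keep only attempts not older than WINDOW
            smb[src] = [(t, d) for t, d in smb[src] + [(ts, dst)] if ts - t <= WINDOW]
            if len({d for _, d in smb[src]}) >= SCAN_FANOUT:
                alerts.add(("smb-scan", src))
    return sorted(alerts)

if __name__ == "__main__":
    for kind, src in detect(parse(SAMPLE_LOG)):
        print(f"{kind}: {src}")
```

Only the host that reaches five distinct port-445 targets inside the window is flagged as scanning; a host that repeatedly retries the same file server is not.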

About the author: Ammar Fakhruddin

Ammar brings 18 years of experience in strategic solutions and product development in public sector, oil & gas and healthcare organizations. He loves solving complex real-world business and data problems by bringing in leading-edge solutions that are cost effective and improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
