Attackers Exploit Corporate Infrastructure for Credentials on ICS Networks


While IT/OT convergence has brought the IT and OT sides of the organisation closer together, it has also exposed ICS networks to the same attacks and vulnerabilities that affect ordinary IT systems.

On this point, Kaspersky ICS CERT has documented a series of spyware attacks aimed at industrial businesses.

These attacks are designed to steal corporate credentials, which are then used for financial theft or sold to other threat actors. In some cases the victims' own SMTP services are also abused as a one-way C2 channel to exfiltrate the data collected by the spyware.

Getting into the intricacies

  • From compromised mailboxes, the attackers send spear-phishing emails with malicious attachments to the mailbox owners' own contacts, so the messages arrive from a trusted sender.
  • The attackers use well-known commodity spyware such as Agent Tesla, HawkEye, Snake Keylogger and Azorult, but each sample has a very short lifespan and a narrow target list. Kaspersky ICS CERT refers to these as anomalous spyware attacks, because the samples are replaced before signature-based detection catches up.
  • According to Kaspersky specialists, the stolen data is first used to spread the malware across the victim's local network and to target other firms, in order to harvest still more credentials.
  • The majority of the attacks are carried out by small, low-skilled groups that specialise in financial fraud. A small number of these groups, however, specifically hunt for credentials that grant access to corporate network services such as SMTP, RDP, VPN and SSH, which they then sell on dark web marketplaces.
  • Industrial businesses' SMTP services are also abused as a one-way C2 channel: the spyware authenticates with stolen corporate credentials and mails the harvested data out to an attacker-controlled mailbox, so no inbound connection to the infected host is ever needed.
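The SMTP-as-C2 pattern above leaves a footprint on the organisation's own mail server: one corporate account authenticating from several workstations, and that account repeatedly mailing a single external mailbox. The following detection script is an added example written for this page; it is not code from the article or from Kaspersky ICS CERT. It runs over constructed, simplified Postfix-style log lines (the format, the domain corp.example, the host names and the thresholds are all assumptions, not values from the report) and flags accounts matching either heuristic.

```python
"""Flag authenticated SMTP submissions that look like spyware exfiltration.

Heuristics, taken from the behaviour described in the article:
  1. one corporate account authenticating from many distinct client hosts
     (the stolen credential has been planted in spyware on several machines)
  2. that account repeatedly mailing one external recipient
     (the attacker's drop mailbox acting as a one-way C2)

Example code added for this page; the log lines below are constructed and
use a simplified Postfix-like layout, not output from any real server.
"""
import re
from collections import Counter, defaultdict

INTERNAL_DOMAIN = "corp.example"      # assumption: the organisation's own mail domain
MAX_CLIENTS_PER_ACCOUNT = 2           # tuning knobs chosen for the demo, not from the report
MAX_MAILS_TO_ONE_EXTERNAL = 3

# Constructed sample: j.doe's credential is reused from three hosts and mails the same
# external mailbox four times; a.smith shows normal single-host behaviour.
SAMPLE_LOG = """\
Mar 02 09:01:10 mx1 postfix/smtpd[2101]: 1A2B3C: client=ws-017.corp.example[10.20.1.17], sasl_method=LOGIN, sasl_username=j.doe@corp.example
Mar 02 09:01:12 mx1 postfix/smtp[2103]: 1A2B3C: to=<logs.drop@freemail.example>, relay=mail.freemail.example[203.0.113.5]:25, status=sent
Mar 02 09:06:10 mx1 postfix/smtpd[2101]: 4D5E6F: client=ws-033.corp.example[10.20.1.33], sasl_method=LOGIN, sasl_username=j.doe@corp.example
Mar 02 09:06:12 mx1 postfix/smtp[2103]: 4D5E6F: to=<logs.drop@freemail.example>, relay=mail.freemail.example[203.0.113.5]:25, status=sent
Mar 02 09:11:10 mx1 postfix/smtpd[2101]: 7A8B9C: client=eng-008.corp.example[10.20.2.8], sasl_method=LOGIN, sasl_username=j.doe@corp.example
Mar 02 09:11:12 mx1 postfix/smtp[2103]: 7A8B9C: to=<logs.drop@freemail.example>, relay=mail.freemail.example[203.0.113.5]:25, status=sent
Mar 02 09:16:10 mx1 postfix/smtpd[2101]: 0D1E2F: client=ws-017.corp.example[10.20.1.17], sasl_method=LOGIN, sasl_username=j.doe@corp.example
Mar 02 09:16:12 mx1 postfix/smtp[2103]: 0D1E2F: to=<logs.drop@freemail.example>, relay=mail.freemail.example[203.0.113.5]:25, status=sent
Mar 02 09:20:01 mx1 postfix/smtpd[2101]: 3A4B5C: client=ws-005.corp.example[10.20.1.5], sasl_method=LOGIN, sasl_username=a.smith@corp.example
Mar 02 09:20:03 mx1 postfix/smtp[2103]: 3A4B5C: to=<k.lee@corp.example>, relay=mx1.corp.example[10.20.0.2]:25, status=sent
Mar 02 09:25:01 mx1 postfix/smtpd[2101]: 6D7E8F: client=ws-005.corp.example[10.20.1.5], sasl_method=LOGIN, sasl_username=a.smith@corp.example
Mar 02 09:25:03 mx1 postfix/smtp[2103]: 6D7E8F: to=<partner@vendor.example>, relay=mail.vendor.example[198.51.100.9]:25, status=sent
"""

# smtpd line: who authenticated, from which client IP, under which queue id
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[0-9.]+)\]"
    r".*sasl_username=(?P<user>\S+)")
# smtp line: where that queue id was delivered ("smtp[" does not match "smtpd[")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>")


def parse_submissions(log_text):
    """Return {queue_id: {"user", "ip", "rcpts"}} for every authenticated submission."""
    subs = {}
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            subs[m["qid"]] = {"user": m["user"].lower(), "ip": m["ip"], "rcpts": []}
            continue
        m = SMTP_RE.search(line)
        if m and m["qid"] in subs:
            subs[m["qid"]]["rcpts"].append(m["rcpt"].lower())
    return subs


def is_external(addr):
    """True when the recipient is outside the organisation's own domain."""
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def find_suspicious_accounts(log_text):
    """Map each suspicious SASL account to the list of reasons it was flagged."""
    subs = parse_submissions(log_text)
    clients = defaultdict(set)              # account -> set of client IPs
    external_rcpts = defaultdict(Counter)   # account -> external recipient -> count
    for s in subs.values():
        clients[s["user"]].add(s["ip"])
        for rcpt in s["rcpts"]:
            if is_external(rcpt):
                external_rcpts[s["user"]][rcpt] += 1

    findings = {}
    for user, ips in clients.items():
        reasons = []
        if len(ips) > MAX_CLIENTS_PER_ACCOUNT:
            reasons.append(f"authenticated from {len(ips)} hosts: {sorted(ips)}")
        for rcpt, n in external_rcpts[user].items():
            if n >= MAX_MAILS_TO_ONE_EXTERNAL:
                reasons.append(f"{n} messages to the same external mailbox {rcpt}")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in find_suspicious_accounts(SAMPLE_LOG).items():
        print(account)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample only j.doe@corp.example is reported, on both counts; a.smith@corp.example mails one external partner once from a single host and stays below both thresholds. In production the thresholds would be tuned per site, and the second heuristic should exclude known partner domains and mailing lists to keep the false-positive rate down.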

Here are some numbers for you.

  • More than 2,000 business email accounts belonging to industrial companies were found to have been stolen and abused.
  • Computers related to ICS accounted for over 45 percent of all affected machines.
  • According to Kaspersky, over 7,000 business email accounts have already been compromised and offered for sale on online marketplaces.
  • Around 20 percent of the malware samples had a lifespan of only about 25 days before being replaced with new ones.
  • More than 25 marketplaces dedicated to selling stolen data were discovered by researchers.

There’s more to come.

  • A separate cyberespionage effort centred on renewable energy targeted several major ICS vendors and other organisations.
  • This campaign has been running since at least 2019 and collects usernames and passwords using a standard "Mail Box" phishing kit.
  • Honeywell, Huawei, Schneider Electric, HiSilicon, and the Kardzhali power plant are among the industrial targets.
  • Utah State University, the University of Wisconsin, and California State University were among the universities targeted in the attack.
  • The California Air Resources Board, Taiwan Forestry Research Institute, Morris County Municipal Utilities Authority, the Carbon Disclosure Program, and many Bulgarian banks are among the other targets.
  • While attribution has been challenging, analysts have found links to two previously documented activity groups, APT28 and Konni.

Conclusion

Most of these attacks are the work of small, low-skilled groups focused on financial fraud. A minority, however, hunt specifically for credentials to corporate services such as SMTP, RDP, VPN and SSH and sell them on dark web marketplaces, and some abuse industrial companies' own SMTP services as a one-way C2 channel for exfiltrating the data their spyware collects. For an industrial organisation, that makes outbound mail from the corporate mail server a place worth watching as closely as inbound traffic.

By IEMA IEMLabs
