Wednesday, June 7, 2023
LetsAskBinu.com

New CosmicEnergy Operational Technology Malware Found

By Researcher
May 26, 2023
in Cybersecurity

A new malware family called CosmicEnergy has been discovered that targets operational technology (OT). The Mandiant researchers who found it believe it was developed by a contractor as a red-teaming tool for simulated electric power disruption exercises.

Mandiant first identified the malware after it was uploaded to a public malware scanning service in December 2021 by a submitter in Russia. The researchers assess that it was built for simulated power disruption exercises hosted by the Russian security company Rostelecom-Solar, which received a government subsidy in 2019 to train cybersecurity specialists in emergency response exercises. The discovery of red-team-related OT malware is significant because capabilities of this kind have typically been limited to state-sponsored actors with the expertise and resources to conduct offensive OT operations.

“The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware,” said researchers with Mandiant in a Thursday analysis. “Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets.”

Researchers made the link to Rostelecom-Solar after finding a comment in CosmicEnergy’s code indicating that the sample uses a module associated with a project called “Solar Polygon,” a cyber range developed by the company. Even with that link, the researchers cautioned that a different actor could have reused the cyber range code to build CosmicEnergy for malicious purposes, although no in-the-wild targeting has been observed so far.

“Threat actors regularly adapt and make use of red team tools – such as commercial and publicly available exploitation frameworks – to facilitate real world attacks, like TEMP.Veles’ use of METERPRETER during the TRITON attack,” said researchers. “There are also many examples of nation-state actors leveraging contractors to develop offensive capabilities, as shown most recently in contracts between Russia’s Ministry of Defense and NTC Vulkan.”

CosmicEnergy’s capabilities resemble those of the earlier OT malware families Industroyer and Industroyer 2.0: all three aim to cause electric power disruption by targeting devices commonly used in electric transmission and distribution operations.

Industroyer, first deployed in December 2016 to cause power outages in Ukraine, abused IEC-104 (IEC 60870-5-104), a network protocol commonly spoken by industrial control system devices such as remote terminal units (RTUs), which are used to remotely monitor and control automation equipment. Industroyer sent ON/OFF commands over IEC-104 to these RTUs, changing the state of power line switches and circuit breakers to cause the outage. CosmicEnergy implements the same capability with two disruption tools. The first, PieHop, is written in Python; it connects to a remote MSSQL server, uploads files there, and issues remote ON/OFF commands to an RTU over IEC-104. The second, LightWork, is the component PieHop uses to execute those ON/OFF commands against the target systems over IEC-104; PieHop deletes the LightWork executable once it has run.

“COSMICENERGY is quite comparable to other OT malware families – mainly INDUSTROYER and INDUSTROYERV2 with which it has some similarities in the approach it takes to the attack and the protocol it leverages,” said Daniel Kapellmann Zafra, Mandiant analysis manager with Google Cloud. “We also found some similarities with IRONGATE, TRITON and INCONTROLLER on a lesser level including abuse of insecure by design protocols, use of open source libraries for protocol implementation and use of python for malware development and/or packaging.”

Notably, CosmicEnergy lacks discovery capabilities, so an operator would need to perform internal reconnaissance beforehand to obtain MSSQL server IP addresses and credentials and the IP addresses of IEC-104 devices. PieHop also contains a number of programming logic errors that may indicate the malware was still under active development when discovered, Kapellmann Zafra said, although the fixes required to make it usable are minimal.

The discovery of CosmicEnergy is notable because malware families targeting industrial control systems, such as Stuxnet, PipeDream and BlackEnergy, are rarely disclosed publicly. Attackers are nonetheless focusing more on ICS environments with custom-built frameworks and malware. And while critical infrastructure security has been top of mind for the U.S. government over the past year, researchers said CosmicEnergy, like similar malware, will continue to abuse weak points in OT environments, including insecure-by-design protocols like IEC-104, that are “unlikely to be remedied any time soon.”

“For these reasons, OT defenders and asset owners should take mitigating actions against COSMICENERGY to preempt in the wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware,” said Mandiant researchers. “Such knowledge can be useful when performing threat hunting exercises and deploying detections to identify malicious activity within OT environments.”
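The IEC-104 ON/OFF traffic described above, and the hunting and detection advice in the closing quote, as an added example that is not part of the original article and is not CosmicEnergy, LightWork or Mandiant code: a small IEC 60870-5-104 parser that splits a TCP payload into APDUs, decodes the ASDU header, and flags single and double commands, the ASDU types a master station (or a tool like LightWork) uses to open or close a breaker. The field layouts follow the IEC 60870-5-101/104 standards; the frames in SAMPLE_STREAM are constructed for the example rather than captured traffic, and all function and constant names are the example’s own.

```python
"""Added example (not CosmicEnergy, LightWork or Mandiant code): a minimal
IEC 60870-5-104 parser plus a detection rule that flags the ASDU types used
to switch a breaker ON or OFF (single and double commands). Field layouts
follow IEC 60870-5-101/104. SAMPLE_STREAM is constructed, not captured."""
from dataclasses import dataclass
from typing import Iterator, List, Optional

START_BYTE = 0x68

# ASDU type identifiers that carry ON/OFF commands.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    58: "C_SC_TA_1 single command (time-tagged)",
    59: "C_DC_TA_1 double command (time-tagged)",
}
# Cause-of-transmission values seen in command and report traffic.
COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation confirmation",
             8: "deactivation", 10: "activation termination"}


@dataclass
class Apdu:
    fmt: str                       # "I" (data), "S" (ack) or "U" (link control)
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    ioa: Optional[int] = None      # information object address
    state: Optional[str] = None    # "ON" / "OFF" for command ASDUs
    select: Optional[bool] = None  # True = select, False = execute


def split_apdus(stream: bytes) -> Iterator[bytes]:
    """Yield each APDU in a TCP payload; IEC-104 may pack several per segment."""
    off = 0
    while off < len(stream):
        if off + 2 > len(stream) or stream[off] != START_BYTE:
            raise ValueError(f"bad APDU start at offset {off}")
        length = stream[off + 1]       # bytes following the 2-byte APCI header
        end = off + 2 + length
        if length < 4 or end > len(stream):
            raise ValueError(f"truncated APDU at offset {off}")
        yield stream[off:end]
        off = end


def parse_apdu(apdu: bytes) -> Apdu:
    """Decode the APCI control field and, for I-format frames, the ASDU."""
    ctrl0 = apdu[2]
    if ctrl0 & 0x01 == 0:
        fmt = "I"
    elif ctrl0 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt=fmt)
    asdu = apdu[6:]
    if len(asdu) < 9:                  # type, VSQ, COT(2), CA(2), IOA(3)
        raise ValueError("ASDU header truncated")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F               # low 6 bits; bit 6 = P/N, bit 7 = test
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    result = Apdu("I", type_id, cot, common_addr, ioa)
    if type_id in CONTROL_TYPES:       # a command carries one object: IOA + qualifier
        if len(asdu) < 10:
            raise ValueError("command ASDU missing qualifier byte")
        qual = asdu[9]                 # SCO or DCO byte
        result.select = bool(qual & 0x80)              # S/E bit: 1 = select
        if type_id in (45, 58):                        # single command: bit 0 = SCS
            result.state = "ON" if qual & 0x01 else "OFF"
        else:                                          # double command: bits 0-1 = DCS
            result.state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
    return result


def flag_control_commands(stream: bytes) -> List[str]:
    """Return one alert line per ON/OFF command found in the payload."""
    alerts = []
    for raw in split_apdus(stream):
        a = parse_apdu(raw)
        if a.fmt == "I" and a.type_id in CONTROL_TYPES:
            phase = "SELECT" if a.select else "EXECUTE"
            alerts.append(f"{CONTROL_TYPES[a.type_id]}: {phase} {a.state} "
                          f"ca={a.common_addr} ioa={a.ioa} "
                          f"cot={COT_NAMES.get(a.cot, a.cot)}")
    return alerts


# Constructed sample payload: STARTDT act, a spontaneous single-point report
# (not a command), a single command SELECT ON to IOA 1, a double command
# EXECUTE OFF to IOA 2, then an S-format acknowledgement.
SAMPLE_STREAM = bytes.fromhex(
    "68 04 07 00 00 00"
    "68 0E 00 00 00 00 01 01 03 00 01 00 05 00 00 01"
    "68 0E 02 00 00 00 2D 01 06 00 01 00 01 00 00 81"
    "68 0E 04 00 00 00 2E 01 06 00 01 00 02 00 00 01"
    "68 04 01 00 06 00"
)

if __name__ == "__main__":
    for line in flag_control_commands(SAMPLE_STREAM):
        print(line)
```

Run as a script it prints two alerts, one for the SELECT ON and one for the EXECUTE OFF, while the monitoring report and the link-control frames pass silently. In a real deployment the payload would come from a sensor on the SCADA segment, and the rule should be tightened with a baseline of which master station is allowed to issue commands to which common address and IOA: a command that decodes cleanly but comes from an unexpected host is the signal this kind of tooling leaves.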



© 2022 Lets Ask Binu All Rights Reserved
