Read below for more information on the attack vector as well as detection, response, and best practices for prevention.
Manufacturers are increasingly under threat from cyberattacks. This is a real concern not just because of the typical business vulnerabilities (e.g., stolen intellectual property, ransomware) but because in today’s increasingly connected world, a successful infiltration from a cybercriminal could shut down a plant's operations or start making equipment produce faulty products without the knowledge of managers, among other things.
Additionally, most manufacturers are small businesses that do not have established IT security practices to combat or cope with a cyber incident. This lack of preparedness not only makes it easier for cybercriminals to attack, it also increases the likelihood that impacted companies will experience longer periods of downtime as they scramble to restore operations following a cybersecurity issue.
While some manufacturers may still be some way off from building a mature cybersecurity practice, every manufacturer should be aware of the five main cybersecurity threats to their company. Familiarizing yourself and your employees with them is the first step in reducing the risks they pose.
Attackers initially gain entry into a network via phishing. Specifically, they send phishing emails using one of two lures:
An encrypted ZIP. The email states, "The password to the attachment is 1234" (or something similar), so the archive passes mail filters unopened.
A macro-embedded Word document. The document displays an image or text saying, "This document is encrypted. Please enable macros to view the content" (or something similar).
If the victim opens the attachment and enables it, the endpoint is infected with one of several loaders, typically Emotet or Ursnif, or directly with a Cobalt Strike beacon.
Subsequently, attackers begin moving laterally in an attempt to propagate malicious software, typically banking trojans, to any accessible Windows-based system. They do this by harvesting the credentials of privileged users (e.g., domain administrators) or by abusing excessive privilege (e.g., every domain user being a local administrator). In rarer cases, they exploit vulnerabilities such as MS17-010 (EternalBlue).
Anywhere from 2 hours to 2 years later (depending on several factors), the attackers deploy ransomware, typically the Ryuk variant. This delay is the window in which an organization can determine whether it is at elevated risk from this ransomware.
Assuming an organization has not yet been impacted by this specific variant of ransomware, it can take steps to validate whether it may become impacted. Below is a list of "things to look for" on endpoints within the environment. This list is intentionally user-friendly for IT staff, and no additional technology is needed to perform these tasks:
Look for PowerShell execution. Specifically, the script may be base64 encoded, gzip compressed, and XOR encrypted. This can be identified manually by reviewing the Windows PowerShell event log. The script may also be installed as a service or an Autorun entry, under a random name (e.g., eFGKGIdsj84).
Look for Scheduled Tasks that are unknown or abnormal. For example, we have observed names made of random characters as well as random words (e.g., "Save windows tool"). They will point to the Windows or %AppData% directory.
Look for Autoruns. The key is HKEY_USERS\[SID]\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce.
Aggregation of logs to a centralized system will make this detection process easier.
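The three checks above can be scripted so IT staff can run them consistently across endpoints. The following is an added example, not the article's own tooling: it implements the encoded-PowerShell check (decoding the -EncodedCommand argument and looking for the base64, gzip and XOR unpacking markers), the random-name heuristic for scheduled tasks and Run-key entries, and the %AppData%/Windows-directory location check, over constructed sample records embedded in the block. The sample command lines, task names and paths are made up for illustration and are not real IOCs; the vowel-ratio/consonant-run heuristic for "random" names is an assumption of this example.

```python
"""Endpoint triage for the three checks above: encoded PowerShell, odd
scheduled tasks, and Run/RunOnce entries.

Added example, not the article's own tooling. It runs over constructed
sample records embedded below (made-up command lines, task names and paths,
none of them real IOCs). On a live endpoint the same functions would be fed
from the Windows PowerShell event log, the Task Scheduler, and
HKEY_USERS\\<SID>\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
"""
import base64
import re

# --- Check 1: encoded PowerShell ---------------------------------------------
# -EncodedCommand and the abbreviations PowerShell accepts, then a base64 blob.
ENCODED_FLAG = re.compile(r"-e(?:ncodedcommand|ncoded|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Markers of the base64 -> gzip -> XOR unpacking chain the article describes.
STAGE_MARKERS = {
    "base64-decode": re.compile(r"FromBase64String", re.I),
    "gzip-inflate": re.compile(r"GzipStream", re.I),
    "xor": re.compile(r"-bxor", re.I),
}


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 over UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_powershell(cmdline):
    """Findings for one PowerShell command line; an empty list means nothing odd."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return []
    return ["encoded-command"] + [k for k, rx in STAGE_MARKERS.items() if rx.search(decoded)]


# --- Checks 2 and 3: scheduled tasks and Run / RunOnce entries ---------------
APPDATA = re.compile(r"%appdata%|\\appdata\\roaming\\", re.I)
WINDIR = re.compile(r"%windir%|\\windows\\", re.I)
VOWELS = set("aeiou")


def looks_random(name):
    """Heuristic (an assumption of this example) for generated names such as
    'eFGKGIdsj84': vowel-poor letters with a long consonant run."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
    longest = run = 0
    for c in letters:
        run = 0 if c.lower() in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.3 and longest >= 4


def triage_persistence(name, target, known_good=frozenset()):
    """Findings for one scheduled task or Run-key entry (name, command it runs)."""
    if name in known_good:
        return []
    findings = []
    if looks_random(name):
        findings.append("random-name")
    if APPDATA.search(target):
        findings.append("runs-from-appdata")
    elif "random-name" in findings and WINDIR.search(target):
        # The Windows directory holds many legitimate tasks, so only pair it
        # with a random-looking name; %AppData% is flagged on its own.
        findings.append("runs-from-windows-dir")
    return findings


# --- Constructed sample input ------------------------------------------------
def encode_for_powershell(script):
    """Encode text the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Inert, made-up script carrying the three unpacking markers; it is never run.
STAGED_SCRIPT = ("$d=[Convert]::FromBase64String('AAAA');"
                 "$g=New-Object IO.Compression.GzipStream($d,'Decompress');"
                 "$p=$g -bxor 0x5A")

SAMPLE_POWERSHELL = [
    "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(STAGED_SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1",
]

SAMPLE_PERSISTENCE = [  # (name, target) as read from the Task Scheduler or a Run key
    ("eFGKGIdsj84", "C:\\Windows\\eFGKGIdsj84.exe"),
    ("Save windows tool", "C:\\Users\\jdoe\\AppData\\Roaming\\svwt.exe"),
    ("OneDrive Standalone Update Task",
     "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe"),
    ("MicrosoftEdgeUpdateTaskMachineCore",
     "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"),
]


def run_checks(ps_events=SAMPLE_POWERSHELL, persistence=SAMPLE_PERSISTENCE):
    """Map each record that has findings to them; clean records are omitted."""
    report = {}
    for cmd in ps_events:
        f = triage_powershell(cmd)
        if f:
            report[cmd] = f
    for name, target in persistence:
        f = triage_persistence(name, target)
        if f:
            report[name] = f
    return report


if __name__ == "__main__":
    for record, findings in run_checks().items():
        print(f"{record[:60]:<60} {', '.join(findings)}")
```

Running the block flags the encoded command line, the random task name in the Windows directory, and the "Save windows tool" entry running from %AppData%, and leaves the two legitimate-looking entries alone. Treat hits as a prompt to pull the full script block and task definition, not as a verdict; pass known-good task names in `known_good` to cut noise on fleet-wide runs.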
IOCs (IPs, hashes, etc.) have been published. They can be useful, but treat them with caution: the underlying infections change their IOCs continuously.
Ryuk ransomware typically has higher ransom demands ($500,000+). There is no free decryption method.
Backups are key to restoring data.
Don't assume that the incident is over once data is restored. An impacted organization will likely still have the underlying infection present.
Prevention Best Practices
Gain visibility into your endpoints
Block foreign IP addresses (where possible)
The best way to fight back against these five threats and others is to implement a formal cybersecurity practice at your company. The NIST 800-171 Cybersecurity Framework provides an excellent starting point, taking a simple, five-pronged approach to tackle threats. Each step is accessible and affordable, making it feasible for small manufacturers.
If you believe you are experiencing a security incident, call our incident response hotline immediately: (860)-785-0614.
We're Here To Help
Cybersecurity incidents can ruin a manufacturer's reputation. In the manufacturing sector, reputation is everything. At Cymonix, we understand how overwhelming the NIST standard can be. That's why we are ready to help you stay in compliance and protect your reputation.