In what may be a first for watering hole attacks, we’ve now seen an attack that targeted watering holes, or at least water utilities. The way this was discovered is a bit bizarre: it was found by Dragos during an investigation into the February incident at Oldsmar, Florida. A Florida contractor that specializes in water treatment runs a WordPress site, and that site had been compromised to host a data-gathering script. On the very day the Oldsmar facility was breached, someone from that location visited the compromised website.
You probably immediately think, as the investigators did, that the visit to the website must be related to the compromise of the Oldsmar treatment plant. The timing is too suspicious for it to be a coincidence, right? Here’s the thing: the compromised site was only gathering browser fingerprints, which seem to have been used later to make botnet traffic look like legitimate browsers. The attack itself was likely carried out over TeamViewer. I will note that the primary sources on this story have named TeamViewer, but call it unconfirmed. Assuming that the breach did indeed occur over that platform, it’s very unlikely that the website visit was a factor, which is what Dragos concluded. On the other hand, it’s easy enough to imagine a scenario where the IP address recorded from the visit led to a port scan and the discovery of a VNC or remote desktop port left open to the internet.
One Weird Ransomware Trick
This time it’s not clickbait, we promise. This really is a weird trick, and it really does prevent some ransomware infections. Blame [Brian Krebs] for the clickbait title, because he made this oddity well known.
A sizable chunk of ransomware campaigns are run out of Russia, including the Colonial Pipeline attack by DarkSide. Historically, Russian officials have been somewhat laissez-faire towards computer crime committed by Russian nationals, so long as the victims were not Russian or from an allied state. (There is news on that front, which we’ll cover in a moment.) How does a Russian criminal check where a potential victim lives? One way is to check the system language and the keyboard layouts installed on the machine, as part of the ransomware’s own startup logic, and to quit without encrypting anything if a CIS locale turns up. So the trick? Install the Russian language pack and a Cyrillic keyboard layout. It’s not a guaranteed solution, by any means, since not every family does the check and the lists vary, but it might just keep you out of trouble, and it won’t hurt.
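To make the mechanism concrete, here is an added example (written for this column, not code from any ransomware sample or from Krebs) that reproduces the kind of locale check described above. On Windows the two usual inputs are the user’s default UI language and the list of installed keyboard layout handles; a layout handle (HKL) carries the input language identifier in its low 16 bits, which is what such a check keys on. The language IDs are standard Windows LCIDs, but the exact set being an “excluded” locale is an illustrative assumption here, not a claim about what any specific family ships. The sample inputs at the bottom are constructed.

```python
"""Reproduce a CIS-locale bailout check of the kind the column describes.

Added example, not taken from the column or from any ransomware sample.
The pure functions run anywhere; query_windows_host() needs Windows.
"""
import sys
from typing import Iterable, List, Tuple

# Standard Windows language identifiers (LANGID). This is an illustrative
# subset of CIS locales chosen for the example; real samples carry their
# own, longer lists, so treat the membership here as an assumption.
EXCLUDED_LANGIDS = {
    0x0419: "ru-RU",        # Russian
    0x0422: "uk-UA",        # Ukrainian
    0x0423: "be-BY",        # Belarusian
    0x043F: "kk-KZ",        # Kazakh
    0x0440: "ky-KG",        # Kyrgyz
    0x0428: "tg-Cyrl-TJ",   # Tajik (Cyrillic)
    0x0443: "uz-Latn-UZ",   # Uzbek (Latin)
    0x042B: "hy-AM",        # Armenian
    0x042C: "az-Latn-AZ",   # Azerbaijani (Latin)
    0x0437: "ka-GE",        # Georgian
}


def langid_from_hkl(hkl: int) -> int:
    """A keyboard layout handle's low word is its input language ID."""
    return hkl & 0xFFFF


def matched_locales(ui_langid: int,
                    keyboard_hkls: Iterable[int]) -> List[Tuple[str, str]]:
    """Return (source, locale) pairs for every excluded locale the host exposes."""
    hits = []
    if ui_langid in EXCLUDED_LANGIDS:
        hits.append(("ui", EXCLUDED_LANGIDS[ui_langid]))
    for hkl in keyboard_hkls:
        lid = langid_from_hkl(hkl)
        if lid in EXCLUDED_LANGIDS:
            hits.append(("keyboard", EXCLUDED_LANGIDS[lid]))
    return hits


def would_be_skipped(ui_langid: int, keyboard_hkls: Iterable[int]) -> bool:
    """True if a check like the one described would bail out on this host.

    Note that the UI language alone (an English Windows) does not matter
    once a single excluded layout is installed: the layout list is enough.
    """
    return bool(matched_locales(ui_langid, keyboard_hkls))


def query_windows_host() -> Tuple[int, List[int]]:
    """Collect the two inputs from a live Windows machine via Win32 APIs.

    Returns (ui_langid, [hkl, ...]). Only callable on Windows.
    """
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetUserDefaultUILanguage.restype = wintypes.WORD
    user32.GetKeyboardLayoutList.argtypes = [ctypes.c_int,
                                             ctypes.POINTER(wintypes.HKL)]
    user32.GetKeyboardLayoutList.restype = ctypes.c_int

    ui = int(kernel32.GetUserDefaultUILanguage())
    count = user32.GetKeyboardLayoutList(0, None)   # first call: size only
    buf = (wintypes.HKL * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return ui, [h or 0 for h in buf]


if __name__ == "__main__":
    # Constructed inputs: a US-English box, before and after adding the
    # standard Russian layout (HKL 0x04190419: layout 0x0419, language 0x0419).
    us_only = (0x0409, [0x04090409])
    us_plus_ru = (0x0409, [0x04090409, 0x04190419])
    for label, (ui, hkls) in (("US only", us_only), ("US + Russian", us_plus_ru)):
        print(f"{label:13s} skipped={would_be_skipped(ui, hkls)} "
              f"matches={matched_locales(ui, hkls)}")
    if sys.platform == "win32":
        ui, hkls = query_windows_host()
        print(f"this host:    skipped={would_be_skipped(ui, hkls)} "
              f"matches={matched_locales(ui, hkls)}")
```

The point the example makes is that the check reads the installed layout list and the UI language, not the fonts on disk, so a machine that merely ships Cyrillic fonts does not trip it; only adding the layout (or the language) does. On a live Windows host the same list can be edited from PowerShell with Get-WinUserLanguageList / Set-WinUserLanguageList, and the script above will then report the change.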
QNAP
We have even more bad news for QNAP and their users. First, a new pair of vulnerabilities was just announced, one in the Music Station app, and the other, ironically, in the Malware Remover app. The initial report was in September of last year, and the fixed versions were published on or before May 6.
And secondly, the Qlocker ransomware campaign has been taken down. That sounds like a good thing, but with the end of the campaign also comes the end of the opportunity to pay for decryption keys. So far, no decryption program has been released, and this looks like the end of the line for recovering the ransomed data, unless someone manages to crack it.
The Pipeline
News continues to come in regarding the Colonial Pipeline, some of which was rumored last week. First off, it’s been confirmed that it was the corporate network that was hit with the ransomware, and not the pipeline operations themselves. I know many have been quite frustrated by the news that the outage was actually caused by the billing systems going down. Before you get your pitchforks out, remember that a bankrupt company doesn’t pump gasoline down the pipeline, either.
In what is welcome news, DarkSide seems to have disbanded, with some of their accounts seized and at least some of their bitcoin drained, probably by law enforcement. In other words, the pipeline attack achieved political critical mass, and a chain reaction was kicked off, leading to law enforcement action, maybe even by Russian authorities. Regardless of the details, it sounds like decryption tools will be released, and this particular ransomware gang is done.
International Insurer and Ransomware
One of the big international insurers, AXA, was hit by a triple-threat ransomware campaign over the past weekend. It doesn’t appear to be the entire company, but a handful of offices in Asia were compromised. After the compromise, a coordinated DDoS attack was launched against their websites. The worst part of the attack is that data, some of it very personal, was exfiltrated in addition to being encrypted. This includes medical reports and legal identification documents. The ironic part is that AXA had announced a new policy just a week earlier: their French policies would no longer reimburse ransom payments.
Ironic AXA case, hope they learn :D
Bankruptcy doesn’t necessarily stop pipeline pumping, depending on how it was filed. Enron still exists and has made a profit since 2000
I think the point was it does stop in the immediate term. In the long term, sure, the assets of the company will be sold and the pipeline will continue, but there is a period of time where no one who controls the pipeline has the money to move the oil.
I’m struggling to see how the data-gathering script on the WP site was in any way targeted at the water industry. Wasn’t it just a typical drive-by infection that targets any WP site which hasn’t been updated?
That is the conclusion that Dragos reached, yes. The site belongs to a contractor that specializes in water treatment plants, though, so a lot of the traffic would be related.
We should nationalize our soon-to-be dying petroleum industry NOW, Before they start whinging about solar and wind having adverse effects on their profits. Future oil disasters will be blamed on low oil profits. Pipeline companies will blame low profits for their inability to thwart malware.
So that politicians can blame lack of funding for the same problems?
They can be added to Amtrack to make it really impossible to be sustainable.
Pretty funny, criticism from someone who can’t even spell.
Who is ‘we’?
Windows 10 comes with Cyrillic font and keyboard, so that idea is a non-starter. A simpler more basic method would be to look at the IP address.