SamSam, GandCrab and Orangeworm make it perfectly clear that ransomware and medical malware are alive and well. The cybercriminals behind the malware continue to collect revenue and evolve their technology. Healthcare, government, ICS and critical infrastructure operators are impacted.
Meanwhile, a series of issues in ICS and OT products, including SCADA/HMI systems by Schneider Electric, resulted in multiple ICS-CERT advisories against a backdrop of nation-state cyber activity targeting energy and critical infrastructure. Schneider Electric devices were recently targeted in the HatMan (TRITON/TRISIS) ICS cyberattack.
Recent ransomware attacks exploited known vulnerabilities in common business software. In the lineup were Windows network protocols, browsers, Adobe Flash and the Java JBoss Enterprise Application Platform. And there’s every reason to think that today’s missing patches will become the next ransomware disaster. Even in the case of Schneider Electric InduSoft Web Studio and InTouch Machine Edition, the same hygiene principles for managed devices apply.
Guidance for ForeScout customers
A vigilant defense follows common rules across critical infrastructure, government and healthcare. One objective, as usual, is to minimize exposure by patching systems where updates are available and applying network segmentation where updates are unavailable or undesirable. Defenders enforce IT compliance through network segmentation, which safeguards long-lived devices such as X-ray machines on Windows XP and end-of-life industrial controllers. Vulnerable legacy Windows devices need particularly close attention. Port-based monitoring of custom and networked TCP/IP protocols helps profile devices. Practical guidance includes:
- Know what’s on the network. Maintain an inventory of all the “things” that connect to the network through central, agentless visibility.
- Keep insecure devices off the network. Enforce security policies through automatic network segmentation.
- Require updates, when possible. Inform end users of software update requirements, especially for users of managed Windows devices. Identify out-of-compliance software versions running on managed devices.
- Use network segmentation to restrict old (unsupported) Windows operating systems. Microsoft Windows XP in particular is long-lived and needs close attention.
- Group and inventory devices based on network port activity. Simple port-based policies are also useful in a variety of ICS and OT settings.
- Act upon network SPAN traffic using security policies. This helps group devices susceptible to protocol abuse and identify Internet-facing endpoints.
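The guidance above amounts to a small policy engine: take the inventory, check each device's OS support status, patch state and listening ports, and sort it into segmentation groups. The following script is an added example written for this post and is not ForeScout or CounterACT code; the end-of-life OS list, the risky-port table, the decision order and the sample inventory are all constructed assumptions.

```python
# Added example (not ForeScout/CounterACT code): evaluate a constructed device
# inventory against simple segmentation rules: an end-of-life OS plus an exposed
# remote-management port leads to isolation, any single finding to restriction.
from dataclasses import dataclass, field
from typing import Dict, List

# Operating systems the policy treats as unsupported (constructed list; a real
# policy would take this from the vendor's lifecycle data).
END_OF_LIFE_OS = {"windows xp", "windows server 2003"}

# Listening ports that warrant restriction when present on a device (assumed).
RISKY_PORTS = {23: "telnet", 445: "smb", 3389: "rdp", 8080: "jboss-http"}


@dataclass
class Device:
    ip: str
    hostname: str
    os: str
    patched: bool                       # True if OS updates are current
    open_ports: List[int] = field(default_factory=list)


def classify(device: Device) -> Dict[str, object]:
    """Return the policy action for one device and the reasons behind it."""
    reasons = []
    eol = device.os.strip().lower() in END_OF_LIFE_OS
    if eol:
        reasons.append(f"unsupported OS: {device.os}")
    if not device.patched:
        reasons.append("missing OS updates")
    exposed = [RISKY_PORTS[p] for p in device.open_ports if p in RISKY_PORTS]
    reasons.extend(f"risky service: {svc}" for svc in exposed)

    if eol and exposed:
        action = "isolate"        # unsupported OS and a reachable risky service
    elif reasons:
        action = "restrict"       # something to fix, but segmentation suffices
    else:
        action = "compliant"
    return {"ip": device.ip, "hostname": device.hostname,
            "action": action, "reasons": reasons}


def group_by_action(devices: List[Device]) -> Dict[str, List[str]]:
    """Group an inventory into segmentation buckets keyed by policy action."""
    groups = {"isolate": [], "restrict": [], "compliant": []}
    for dev in devices:
        verdict = classify(dev)
        groups[verdict["action"]].append(verdict["ip"])
    return groups


# Constructed inventory; addresses and hostnames are placeholders.
SAMPLE_INVENTORY = [
    Device("10.0.1.10", "xray-01", "Windows XP", False, [135, 445, 3389]),
    Device("10.0.1.11", "mri-02", "Windows XP", False, [135]),
    Device("10.0.2.20", "hmi-01", "Windows 10", False, [3389]),
    Device("10.0.2.21", "eng-ws", "Windows 10", True, [443]),
    Device("10.0.3.30", "plc-gw", "Linux", True, [23, 502]),
]

if __name__ == "__main__":
    for action, ips in group_by_action(SAMPLE_INVENTORY).items():
        print(f"{action:10s} {', '.join(ips) or '-'}")
    for dev in SAMPLE_INVENTORY:
        verdict = classify(dev)
        print(dev.hostname, verdict["action"], "; ".join(verdict["reasons"]))
```

The decision order matters: a device is only isolated when an unsupported OS coincides with a reachable risky service, so an unpatched but supported host (hmi-01) or an EOL host with nothing risky listening (mri-02) is restricted rather than cut off, which keeps clinical and plant equipment usable while remediation is scheduled.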
SamSam Ransomware: Java JBoss and Microsoft RDP
In response, ForeScout has released VR JBoss to help prevent SamSam and other attacks that target vulnerable Java JBoss servers. This Security Policy Template demonstrates how to implement third-party detection scripts on the ForeScout CounterACT® platform. Out of the box, CounterACT can also be used to monitor Microsoft RDP and Internet exposure.
- Deploy CounterACT VR JBoss. In this case, the Jexboss detection tool by researcher Joao Matos can be used in CounterACT deployments to group impacted JBoss endpoints.
- Apply custom port policies and SPAN network traffic monitoring rules. Use the CounterACT Packet Engine to identify endpoints exposing RDP to the Internet or experiencing spikes in RDP abuse.
- Deploy CounterACT VR Exposed Servers. Adapt this security policy’s Packet Engine for monitoring whether a network segment is exposed to Internet traffic. The policy template includes definitions for identifiable ports that are classified as potentially vulnerable. Users can customize the policy rules to add or exclude ports, server addresses or IP address ranges.
- Load SamSam known indicators of compromise in the CounterACT IOC Scanner. A growing set of IOCs is available from multiple sources. The American Hospital Association and Healthcare Cybersecurity Integration and Communications Center (HCICC) are reporting updates.
- Identify vulnerable IoT devices with weak credentials. Use CounterACT IoT Posture Assessment Engine to identify devices with weak Telnet or SSH passwords or poor SNMP community string hygiene.
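The Packet Engine steps above (exposed RDP or JBoss endpoints, RDP connection spikes, Internet-facing segments) reduce to a pass over connection records. The script below is an added example for this post, not ForeScout code: it takes constructed records of the kind a collector would derive from SPAN traffic and reports internal endpoints reached on sensitive ports from non-RFC1918 sources, plus source/destination pairs whose RDP connection count reaches a threshold. The port table, threshold, record format and addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public sources) are assumptions.

```python
# Added example (not ForeScout/CounterACT code): find Internet-exposed sensitive
# services and RDP connection bursts in constructed connection records.
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int]            # (src_ip, dst_ip, dst_port)

SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 8080: "jboss-http"}
RDP_PORT = 3389
RDP_BURST_THRESHOLD = 5                # connections per (src, dst) in the window (assumed)

# RFC 1918 space is treated as "internal"; anything else as external. Python's
# ipaddress.is_private also covers documentation ranges, so the check is explicit.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def exposed_endpoints(flows: List[Flow]) -> Dict[str, List[str]]:
    """Internal endpoints that accepted a sensitive-port connection from outside."""
    exposed = defaultdict(set)
    for src, dst, dport in flows:
        if dport in SENSITIVE_PORTS and is_internal(dst) and not is_internal(src):
            exposed[dst].add(SENSITIVE_PORTS[dport])
    return {dst: sorted(services) for dst, services in sorted(exposed.items())}


def rdp_bursts(flows: List[Flow], threshold: int = RDP_BURST_THRESHOLD) -> List[Tuple[str, str]]:
    """(src, dst) pairs whose RDP connection count reaches the threshold."""
    counts = Counter((src, dst) for src, dst, dport in flows if dport == RDP_PORT)
    return sorted(pair for pair, n in counts.items() if n >= threshold)


# Constructed records; a real collector would derive these from SPAN traffic.
SAMPLE_FLOWS: List[Flow] = (
    [("203.0.113.5", "10.0.2.20", 3389)] * 6        # external RDP burst at an HMI
    + [("10.0.9.9", "10.0.2.20", 3389)] * 2         # internal admin RDP, not exposure
    + [("198.51.100.7", "10.0.1.50", 8080)]         # external hit on a JBoss port
    + [("198.51.100.7", "10.0.3.30", 23)]           # external telnet to a gateway
    + [("203.0.113.8", "10.0.2.21", 443)]           # external HTTPS, not in the table
)

if __name__ == "__main__":
    for dst, services in exposed_endpoints(SAMPLE_FLOWS).items():
        print(f"exposed: {dst} -> {', '.join(services)}")
    for src, dst in rdp_bursts(SAMPLE_FLOWS):
        print(f"rdp burst: {src} -> {dst}")
```

Endpoints returned by `exposed_endpoints` are the ones to feed into a segmentation or Internet-exposure policy; the burst list is a separate signal, since internal administrators also use RDP and only the volume from a single source is suspicious.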
GandCrab Ransomware: Internet Explorer and Adobe Flash
A long-standing hacking group has changed its attack framework, and GandCrab ransomware has subsequently triggered alerts from KRCERT and other emergency response teams.
Like a lot of ransomware, the campaign combines phishing with exploits for recent Internet Explorer and Flash Player vulnerabilities, including CVE-2016-0189 and CVE-2018-4878. Exploits for both the Internet Explorer and Adobe Flash issues are publicly available in Exploit-DB.
- The best defense is proactive patching. And when there’s no way to patch, use network segmentation and host isolation for at-risk assets (think legacy systems running Windows XP).
- Segment vulnerable devices. CounterACT administrators can enforce network segmentation until vulnerable devices are remediated. Using CounterACT, end users on managed devices can be directly informed of the need to upgrade.
- Load GandCrab known indicators of compromise in the CounterACT IOC Scanner. CounterACT administrators can use known file hashes (for example, 9daf74238f0f7d0e64f8bb046c136d7e61346b4c084a0c46e174a2b76f30b57a) for identifying and enforcing segmentation of devices infected by the GandCrab DLL.
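Both the SamSam and GandCrab steps above rely on loading known file hashes into an IOC scanner and acting on matches. The script below is an added example and not ForeScout's IOC Scanner: it hashes every file under a directory, matches SHA-256 digests against an indicator set, and maps each hit to a segmentation action. The indicator set contains the GandCrab hash quoted in this post; the second indicator, the scratch files and the action mapping are constructed for the demonstration.

```python
# Added example (not ForeScout's IOC Scanner): SHA-256 IOC matching over a
# directory tree, with hits mapped to a segmentation action.
import hashlib
import os
import tempfile
from typing import Dict, List

# Hash taken from the post; the description is the post's attribution.
IOC_SHA256: Dict[str, str] = {
    "9daf74238f0f7d0e64f8bb046c136d7e61346b4c084a0c46e174a2b76f30b57a": "GandCrab DLL",
}


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root: str, iocs: Dict[str, str] = IOC_SHA256) -> List[Dict[str, str]]:
    """Return one record per file whose SHA-256 is in the indicator set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in iocs:
                hits.append({"path": path, "sha256": digest, "ioc": iocs[digest]})
    return hits


def segmentation_action(hits: List[Dict[str, str]]) -> str:
    """Any IOC hit on a host is grounds to isolate it until remediated (assumed policy)."""
    return "isolate" if hits else "no-action"


def demo() -> List[str]:
    """Create a scratch directory with one constructed 'sample' and one benign
    file, add the sample's hash as a constructed indicator, and scan it."""
    payload = b"constructed sample content for the demonstration, not malware\n"
    iocs = dict(IOC_SHA256)
    iocs[hashlib.sha256(payload).hexdigest()] = "constructed test indicator"
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, "suspect.dll"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(scratch, "readme.txt"), "wb") as fh:
            fh.write(b"benign text\n")
        hits = scan_directory(scratch, iocs)
    return [f"{os.path.basename(h['path'])}: {h['ioc']}" for h in hits]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Matching on full-file SHA-256 is exact but brittle: a single byte change in the sample defeats it, so an indicator feed such as the AHA or HCICC updates mentioned above needs to be refreshed as new hashes are published, and hash hits should be combined with the network signals (segmentation state, port exposure) rather than used alone.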
Orangeworm Medical Malware: Isolating Vulnerable Windows Systems
The age-old guidance of “patch, patch, patch” doesn’t always apply to legacy systems in healthcare environments. In these cases, network administrators must cope with always-vulnerable devices and multiple protocol holes. This is the case with Orangeworm, a medical malware that targets devices like X-ray and MRI machines running legacy Windows operating systems.
The UK’s GCHQ recently included Orangeworm in its threat report roundup. Whether in OT or healthcare, maintaining legacy and end-of-life systems is a challenge.
From a high level, network administrators can use CounterACT to prevent medical malware like Orangeworm:
- Implement Windows-based device compliance. Apply device compliance policy templates to provide an extra layer of defense.
- Restrict vulnerable endpoint capabilities. Apply network segmentation policies to limit both device exposure and potential impact of compromise.
Schneider Electric SCADA/HMI Systems: Securing the Supervisor
April and May were hot months for ICS and industrial suppliers. Schneider Electric, GE, Siemens, Rockwell Automation and Advantech all disclosed critical weaknesses. In addition, vulnerabilities in SCADA/HMI systems, safety controllers and other PLCs continue to appear on popular tracking portals such as ICS-CERT and nvd.nist.gov. Of particular interest was the ICS-CERT advisory for Schneider Electric SCADA/HMI supervisory systems.
In response, ForeScout has released a product content update for the recent Schneider Electric SCADA/HMI issues on managed Windows endpoints. The Security Policy Templates content plugin v18.0.5 includes templates to identify:
- Schneider Electric InduSoft Web Studio vulnerable endpoints
- Schneider Electric InTouch Machine Edition vulnerable endpoints
The SPT content plugin goes beyond the out-of-the-box CounterACT capabilities for incident response. CounterACT helps prevent the primary ICS cybersecurity failures, including:
- Not patching assets
- No inventory of ICS and operational technology devices
- Lack of network segmentation
- Internet-facing devices
Use CounterACT to Isolate, Restrict or Block High-Risk Devices
ForeScout has published Security Policy Template v18.0.5, which helps classify devices susceptible to ransomware, medical malware and industrial sabotage.
If you’re enforcing policies like automatic OS updates, you can use CounterACT to isolate non-compliant devices and initiate remediation actions.
For more information, refer to the ForeScout Knowledge Base article # 5324 or contact ForeScout support at firstname.lastname@example.org.
Related ForeScout Solution Briefs
For more information on the CounterACT use cases outlined in this post, please see these ForeScout solution briefs: