During the June 2020 Rail Information Exchange, organised by the NCSC, members expressed disquiet at the lack of information forthcoming from Stadler, the Swiss rail manufacturer, following its recent security breach. Back in May, Stadler announced that its IT network had been attacked with malware. The extent of the leak is still being analysed; it is suspected to be a professional attack, but by unidentified offenders. “The scale of this leak has to be further analysed.” While the firm did not disclose the number of systems and locations affected, local media reported that the cyber-attack affected the entire IT system of the company.
Furthermore, while the company said that the offenders tried to extort a large amount of money and threatened to publish data in order to harm Stadler and thereby also its employees, there is also concern for all the other victims of the attack: the customers, suppliers and partners whose commercial and personal details are kept in Stadler databases.
Stadler is headquartered in Bussnang, in Eastern Switzerland and has over 40 service locations globally. The company specialises in manufacturing high-speed trains, commuter heavy rail trains, underground trains, intercity trains, tram trains, shunting locomotives, main-line locomotives and passenger carriages.
Following the discovery of the malware, the firm has taken various measures to contain the attack. It called in a team of external cyber security experts and also informed the responsible authorities.
This incident raises a number of questions.
There is obviously some disquiet in the rail industry that these attacks can target rail, and that cyber-readiness is required. Cyber security agencies are currently advising organisations to strengthen their security measures, as a large number of APT and other hacking groups are currently trying to target organisations involved in providing critical services in their countries amid the COVID-19 pandemic. Interpol also issued a ‘purple notice’ last month to alert police forces around the world to an increasing number of ransomware attacks targeting critical systems.
I have taken a recent study on ransomware by CrowdStrike to give some insight into how such criminality might affect the transport sector. GTR recently installed CrowdStrike anti-virus because the old signature-based AV was vulnerable to some ransomware, such as RobbinHood, a new strain that emerged in April 2019: it operates by shutting down an organisation’s signature-based antivirus (AV) and backup services that would otherwise prevent its encryption. Most ransomware operates through phishing attacks, and GTR has experienced floods of these since around the time of the disastrous timetable change of 2018, so much so that it has rolled out a massive security awareness programme using Proofpoint.
What is Ransomware and how does it work?
Even though ransomware has been in the headlines consistently over the past five years or so, the idea of taking users’ files or computers hostage by encrypting files, hindering system access or other methods — and then demanding a ransom to return them — is quite old. In the late 1980s, criminals were already holding computers or files hostage in exchange for cash sent via the postal service. One of the first ransomware viruses ever documented was the AIDS trojan (PC Cyborg Virus) that was released via floppy disk in 1989. Victims needed to send $189 to a P.O. box in Panama to restore access to their systems, even though it was a simple virus that utilized symmetric cryptography.
Despite its long history, ransomware attacks were still not that widespread well into the 2000s — probably due to difficulties with payment collection. However, the emergence of cryptocurrencies, such as Bitcoin in 2010, changed all that. By providing an easy and untraceable method for receiving payment from victims, virtual currencies created the opportunity for ransomware to become a lucrative business.
eCrime — a broad category of malicious activity that includes all types of cybercrime attacks, including malware, banking trojans, ransomware, mineware (cryptojacking) and crimeware — seized the monetization opportunity that Bitcoin created. This resulted in a substantial proliferation of ransomware beginning in 2012. However, this ransomware business model is still imperfect, because while Bitcoin payments are easy transactions for criminals to use, they are not always so easy for their non-tech-savvy targets to navigate. To ensure payment, some criminals have gone so far as to open call centers to provide technical support and help victims sign up for Bitcoin — but this takes time and costs money.
There are many points of entry for ransomware, with phishing emails and website pop-ups among the most common vectors. Another entry route involves using exploit kits that take advantage of specific vulnerabilities. Technology and human nature are two sides of the same coin when it comes to ransomware attacks. In one case observed by CrowdStrike, a CEO’s email was spoofed and the attacker used social engineering to trick employees into clicking a link in a fake email from the executive. To succeed, this attack required methodical research into the company’s management, its employees and the industry. As BGH attacks increase, social engineering is becoming a more intensive presence in phishing attacks. Social media also plays a huge role, not only enabling attackers to discover information on potential victims but also as a conduit for deploying malware.
Website pop-ups and exploit kits can be used together to propagate ransomware: attackers create “Trojan pop-ups” or advertisements containing hidden malicious code. If users click on one of them, they are surreptitiously redirected to the exploit kit’s landing page. There, a component of the exploit kit will discreetly scan the machine for vulnerabilities that the attacker can then exploit. If the exploit kit is successful, it sends a ransomware payload to infect the host. Exploit kits are popular with eCrime organizations due to their automated nature. In addition, exploits are an efficient fileless technique, as they can be injected directly into memory without requiring anything to be written to disk, making them undetectable by traditional antivirus software. Exploit kits are also proliferating among less sophisticated attackers, because they do not require a great deal of technical know-how to deploy. With a modest investment on the darknet, virtually anyone can get into the online ransom business.
Fileless ransomware techniques are increasing. These are attacks in which the initial tactic does not result in an executable file written to the disk. Fileless ransomware uses pre-installed operating system tools, such as PowerShell or WMI, to allow the attacker to perform tasks without requiring a malicious executable file to be run on the compromised system. This technique is popular because fileless attacks are able to bypass most legacy AV solutions.
Because cybercriminals are always looking for ways to optimize their operations and generate more profits, they have been inspired by the SaaS (software-as-a-service) model to create a RaaS (ransomware-as-a-service) model. RaaS providers offer all of the attack components needed to run ransomware campaigns — from malicious code to results dashboards. Some even include a customer service department, putting ransomware within the reach of non-technically savvy criminals. In addition, the subscription cost is usually covered as a portion of the proceeds from the campaign — making this a cost-efficient model for cybercriminals to adopt. An example of this type is a famous RaaS called “Hermes,” which was first distributed in 2017 and sold on darknet forums for $300 USD. A Hermes purchaser typically received a build supporting two email addresses, a decryptor and a unique RSA key pair. Other eCrime groups using Hermes attacks began popping up once its success was established. Another example is PINCHY SPIDER, a RaaS operation and criminal group that was first observed in 2018*. Operating on a 60-40 profit split with its customers, the adversary group increased the pace of its releases to provide updated versions every two weeks. This acceleration in the development cycle is linked to the fact that the adversary group had to frequently morph its code to prevent security vendors from blocking it.
Backups are a good defence but must be protected as well, as they often are the first thing attackers prohibit or try to destroy in an environment. Making sure backups are secure and can be accessed separately, even in a compromised environment, is a standard precautionary measure. In September 2019, the U.S. Department of Homeland Security published an article outlining additional measures organizations should take to handle the threat of ransomware. The article provides advice on how to protect against ransomware, prepare for a potential incident, and recover from an attack, and where to find help. It includes practical recommendations ranging from keeping systems patched and up to date, to training end users and creating and executing an incident response plan.
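One practical form of "making sure backups are secure and can be accessed separately" is to keep a keyed manifest of the backup set with the offline copy and verify against it from outside the production environment, so that a backup that has been silently overwritten with ciphertext is noticed before it is needed. The following is an added example, not code from DHS, CrowdStrike or any backup vendor: it builds such a manifest, then shows how the check reports a file overwritten with high-entropy content and an extra file that was not in the set. The directory layout, the sample files and the key handling are constructed assumptions; in practice the key lives with the offline copy, never on the backed-up host.

```python
"""Keyed backup manifest and verification (added illustration).

Layout, sample files and key handling are constructed for this example.
"""
import hashlib
import hmac
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or compressed content approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_digest(path, key):
    """HMAC-SHA256 of the file: without the key an attacker who can rewrite
    the files cannot also rewrite matching manifest entries."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def _relative_files(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            yield os.path.relpath(os.path.join(dirpath, name), root)


def build_manifest(root, key):
    """Map every file under root to its keyed digest; store this with the offline copy."""
    return {rel: file_digest(os.path.join(root, rel), key) for rel in _relative_files(root)}


def verify_backup(root, key, manifest, entropy_threshold=7.5):
    """Return (relative path, problem) tuples; an empty list means the set verified."""
    problems = []
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            problems.append((rel, "missing"))
            continue
        if not hmac.compare_digest(file_digest(full, key), expected):
            with open(full, "rb") as fh:
                sample = fh.read(65536)
            # A modified file whose bytes look random is the signature of encryption
            if shannon_entropy(sample) >= entropy_threshold:
                problems.append((rel, "modified, high entropy (encrypted?)"))
            else:
                problems.append((rel, "modified"))
    for rel in sorted(set(_relative_files(root)) - set(manifest)):
        problems.append((rel, "unexpected file"))
    return problems


def demo():
    """Build a tiny constructed backup set, verify it, then tamper with it and verify again."""
    key = os.urandom(32)  # assumption: held with the offline copy, not on the protected host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "db", "orders.sql"), "w") as fh:
            fh.write("INSERT INTO orders VALUES (1, 'constructed sample row');\n" * 200)
        with open(os.path.join(root, "README.txt"), "w") as fh:
            fh.write("constructed backup set\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, key, manifest)
        # Simulate one backup file overwritten with random bytes plus a stray file dropped alongside
        with open(os.path.join(root, "db", "orders.sql"), "wb") as fh:
            fh.write(os.urandom(8192))
        with open(os.path.join(root, "new_file.bin"), "wb") as fh:
            fh.write(b"not part of the backup set")
        tampered = verify_backup(root, key, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean set:", before)
    print("tampered set:", after)
```

The entropy check is a heuristic, so it only labels a file that has already failed the digest; compressed archives legitimately score high, which is why the keyed digest, not entropy, decides whether the set verified. Run the verification from the host that holds the offline copy and the key, on a schedule, rather than from the production network whose compromise the backup is meant to survive.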
BitPaymer: Targets enterprise organizations using the Dridex loader module to gain an initial foothold in the victim’s network
Dridex: A strain of banking malware that leverages macros in Microsoft Office to infect systems
Hermes: RaaS first distributed in 2017 — in mid-August 2018, a modified version of Hermes, dubbed Ryuk, started appearing in a public malware repository
KeRanger: First ransomware targeting Mac OS X, was also able to encrypt Time Machine backup files
Petya: Encrypts the master file table (MFT) to make the entire system inaccessible
Ryuk: Similar to Samas and BitPaymer because it targets enterprise organizations and uses PowerShell — PsExec is used to push out its binary
Samas: Leverages vulnerable JBOSS systems to spread across a network and even attack backup files on the network — targets large organizations per BGH
WannaCry: Ransomware worm that takes advantage of the Microsoft Windows exploit EternalBlue — encrypts using the AES cipher