Trend Micro (Tokyo: 4704), a global leader in cybersecurity solutions, released its 2020 ICS Endpoint Threat Report on June 30, pointing out that ransomware attacks specifically targeting industrial plants are causing downtime and leaking sensitive data, and that the risk is growing day by day.
Ryan Flores, senior manager of Trend Micro's forward-looking threat research team, said: "The challenge of protecting industrial control systems has grown, and the increasing number of security breaches has made them an obvious target for hackers. Given that the current US government considers ransomware attacks an issue as serious as terrorism, we hope that through this research, companies with industrial plants can refocus their information security measures."
Key findings of the report:
1. Ransomware remains a worrying and rapidly evolving threat to ICS endpoints globally. The major ransomware families all affect ICS endpoints, and the United States is among the countries most targeted by these attacks.
2. Coinminers reach ICSs primarily through unpatched operating systems. Because many ICS endpoints still run SMBv1 without the MS17-010 patch, miners that spread with the EternalBlue exploit are rampant in several countries, especially India.
3. Conficker is still spreading to ICS endpoints that run updated operating systems. Conficker variants include a routine that brute-forces passwords on administrative network shares, so they can infect ICS endpoints even when the operating system is not vulnerable to MS08-067, the vulnerability Conficker originally used as its propagation vector.
4. Legacy malware continues to thrive in IT/OT networks. Although worms that spread via removable drives, such as Autorun, Gamarue, and Palevo, are a relatively old malware type, they are still frequently detected on ICS endpoints.
5. The malware detected on ICS endpoints varies from country to country. In percentage terms, Japan has the lowest share of ICS endpoints affected by malware or potentially risky software, while China has the highest among the top 10 countries. As noted above, the US has the most ransomware infections and India the most coinminer infections.
Industrial Control Systems (ICS) are the core components in water and power utilities, factories, and other industrial plants that monitor and control industrial processes across IT and OT networks. Once ransomware gets into these systems, it can bring a plant to a halt and raises the risk that sensitive corporate information, such as design files and programs, is leaked to the dark web.
The Trend Micro report states that well-known ransomware families, including Ryuk (20%), Nefilim (14.6%), Sodinokibi (13.5%) and LockBit (10.4%), together accounted for more than half of all ICS ransomware infections in 2020.
The report also points out that attackers mine cryptocurrency by infecting ICS endpoints, specifically targeting operating systems that have not yet been patched against the vulnerability exploited by EternalBlue. WannaCry, which spreads through the same vulnerability, remains a more serious problem in some major countries; statistics show the proportion is higher in India and China.
Conficker, a worm rather than ransomware, can still spread to newer operating systems by brute-forcing logins to the system's shared folders.
Long-standing malicious programs such as Autorun, Gamarue, and Palevo are still continuously distributed across IT/OT networks via removable storage devices.
The study points out that cooperation between IT security and OT teams is urgent. Both sides should jointly establish the operating system compatibility and uptime requirements of key systems in order to formulate a more effective security strategy. Trend Micro also offers the following recommendations:
1. Apply patches as soon as possible; this is a critical step. Where patching is not feasible, consider the virtual patching technology provided by Trend Micro, or reduce the risk through network segmentation.
2. Use application control software to block ransomware from being dropped and executed after an intrusion, or use threat detection and response tools to hunt for indicators of compromise (IoCs) on the network.
3. Tighten the management and control of network shares, and enforce strong account passwords to prevent accounts from being brute-forced.
4. Use intrusion detection/prevention systems (IDS or IPS) to establish a baseline of normal network activity, which helps to spot suspicious activity.
5. Use a stand-alone scanning tool for ICS endpoints in isolated, non-networked environments.
6. Set up a dedicated workstation for scanning USB malware, and check all removable media used to transfer data between isolated, non-networked endpoints.
7. Apply the principle of least privilege to the accounts of OT network system administrators and operators.
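Recommendations 3 and 4 above (protect shares against brute-forcing, and baseline normal activity so that abnormal logon behaviour stands out) can be checked with a small piece of detection logic run over Windows Security event data. The example below is added here and is not code from the report or from Trend Micro. It uses the real Windows event IDs 4625 (failed logon), 4624 (successful logon) and logon type 3 (network logon, which is how authentication to an SMB share appears), but the one-line log format and the sample events are constructed for the example; the Conficker-style pattern it looks for is a burst of failed network logons against one account from one source, optionally followed by a success from that same source.

```python
"""Flag network-share brute forcing from constructed Windows Security log lines.

Added example, not part of the report. Event IDs 4625/4624 and LogonType 3 are
real Windows values; the line format and the sample data below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not real logs): six failed network logons against
# Administrator from 10.0.5.17 within seconds, then a success from the same host;
# two stray failures from another host; one interactive (LogonType 2) failure
# that the SMB-focused detector should ignore.
SAMPLE_LOG = """\
2020-09-01T02:00:01 EventID=4625 LogonType=3 TargetUser=Administrator Src=10.0.5.17 Status=0xC000006D
2020-09-01T02:00:02 EventID=4625 LogonType=3 TargetUser=Administrator Src=10.0.5.17 Status=0xC000006D
2020-09-01T02:00:03 EventID=4625 LogonType=3 TargetUser=Administrator Src=10.0.5.17 Status=0xC000006D
2020-09-01T02:00:04 EventID=4625 LogonType=3 TargetUser=Administrator Src=10.0.5.17 Status=0xC000006D
2020-09-01T02:00:05 EventID=4625 LogonType=3 TargetUser=Administrator Src=10.0.5.17 Status=0xC000006D
2020-09-01T02:00:06 EventID=4625 LogonType=3 TargetUser=Administrator Src=10.0.5.17 Status=0xC000006D
2020-09-01T02:00:09 EventID=4624 LogonType=3 TargetUser=Administrator Src=10.0.5.17 Status=0x0
2020-09-01T08:15:00 EventID=4625 LogonType=3 TargetUser=operator Src=10.0.5.40 Status=0xC000006A
2020-09-01T08:15:30 EventID=4625 LogonType=3 TargetUser=operator Src=10.0.5.40 Status=0xC000006A
2020-09-01T09:00:00 EventID=4625 LogonType=2 TargetUser=operator Src=10.0.5.40 Status=0xC000006A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) Src=(?P<src>\S+) Status=(?P<status>\S+)$"
)

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
NETWORK_LOGON = 3


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["eid"] = int(rec["eid"])
    rec["ltype"] = int(rec["ltype"])
    return rec


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for (source, account) pairs with >= threshold failed
    network logons inside a sliding window, and for a later success from a
    pair that was already flagged (likely a guessed password)."""
    alerts = []
    recent_failures = defaultdict(deque)  # (src, user) -> timestamps in window
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ltype"] != NETWORK_LOGON:
            continue  # only share/network authentication is of interest here
        key = (rec["src"], rec["user"])
        if rec["eid"] == FAILED_LOGON:
            q = recent_failures[key]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "bruteforce", "src": rec["src"],
                               "user": rec["user"], "failures": len(q),
                               "at": rec["ts"]})
        elif rec["eid"] == SUCCESS_LOGON and key in flagged:
            alerts.append({"type": "success_after_bruteforce", "src": rec["src"],
                           "user": rec["user"], "at": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are the baseline of recommendation 4: tune them from a period of known-good traffic so that a single operator typo is not an alert, while a Conficker-style dictionary run against ADMIN$ still is. The "success after brute force" alert is the one worth paging on, since it indicates a weak password was actually guessed.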