The National Cybersecurity and Communications Integration Center is warning the private sector and government agencies about an ongoing malware campaign that began about a year ago and uses multiple malware implants to put critical systems at risk in sectors like energy, healthcare, and critical manufacturing.
The attackers appear to be using stolen local and domain administrative credentials and placing sophisticated malware implants on critical systems, according to the NCCIC.
"While NCCIC continues to work with a variety of victims across different sectors, the adversaries in this campaign continue to affect several IT service providers," the NCCIC wrote in an alert distributed on April 27. "To achieve operational efficiencies and effectiveness, many IT service providers often leverage common core infrastructure that should be logically isolated to support multiple clients. Intrusions into these providers create opportunities for the adversary to leverage stolen credentials to access customer environments within the provider network."
NCCIC rated the cyber incident as "medium," meaning that it may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The Department of Homeland Security unit said that the threat actors in the campaign use a variety of tactics, techniques, and procedures – including malware implants to acquire users' credentials and then leverage those credentials to pivot throughout the local environment.
One such unique implant attackers are using is the REDLEAVES malware. This malware is a remote administration Trojan, built in Visual C++, which makes use of thread generation during its execution. The implant contains some functions typical of RATs, including system enumeration and creating a remote shell back to the C2.
Another implant in use is PLUGX, a sophisticated remote access tool that lets remote users perform malicious actions and data theft on a system, including establishing connections, copying and modifying files, logging off the current user, rebooting the affected system, and terminating processes.
"Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments," according to the NCCIC. "Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools."
NCCIC stressed that organizations across the technology, energy, healthcare and public health, communications, and critical manufacturing sectors should conduct a dedicated investigation to identify any related activity. Meanwhile, organizations that rely on external IT service providers should check with those providers to determine the level of risk to their company.
Meanwhile, "all organizations that provide IT services as a commodity for other organizations should evaluate their infrastructure to determine if related activity has taken place," according to the NCCIC. For instance, companies can conduct frequency analysis to detect unusual fluctuations in bandwidth that may indicate data exfiltration, and evaluate both their management and client systems.
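One way to implement the bandwidth frequency analysis the alert recommends, as an added example that is not code from the NCCIC alert or this article: the script below groups constructed hourly outbound byte counts per host, builds a rolling baseline from the preceding intervals, and flags an interval whose volume is a statistical outlier against that baseline. The host names, thresholds and telemetry values are assumptions made for the example.

```python
"""Flag unusual outbound bandwidth spikes per host from interval byte counts."""
import statistics
from collections import defaultdict

# Constructed sample telemetry (not real data): (host, interval_index, bytes_out)
# for hourly outbound totals. The last interval for mgmt-jump01 is ~80x its norm.
SAMPLE_RECORDS = [
    ("mgmt-jump01", i, b) for i, b in enumerate(
        [1_200_000, 1_100_000, 1_300_000, 1_000_000,
         1_200_000, 1_100_000, 1_300_000, 98_000_000])
] + [
    ("client-web02", i, b) for i, b in enumerate(
        [5_000_000, 5_200_000, 4_900_000, 5_100_000,
         5_300_000, 5_000_000, 4_800_000, 5_200_000])
]


def flag_bandwidth_anomalies(records, window=6, z_threshold=3.0, min_ratio=2.0):
    """Return [(host, interval, bytes_out, baseline_mean)] for intervals whose
    outbound volume is both a statistical outlier (z-score above z_threshold
    against the preceding `window` intervals) and at least `min_ratio` times
    the baseline mean. The ratio floor keeps very stable hosts from alerting
    on tiny wobbles that are statistically large but operationally trivial."""
    by_host = defaultdict(dict)
    for host, idx, nbytes in records:
        by_host[host][idx] = nbytes
    alerts = []
    for host, series in by_host.items():
        indices = sorted(series)
        ordered = [series[i] for i in indices]
        for pos in range(window, len(ordered)):
            baseline = ordered[pos - window:pos]
            mean = statistics.fmean(baseline)
            # Guard against a near-zero stdev producing an inflated z-score.
            stdev = max(statistics.pstdev(baseline), 0.05 * mean)
            current = ordered[pos]
            z = (current - mean) / stdev
            if z > z_threshold and current >= min_ratio * mean:
                alerts.append((host, indices[pos], current, mean))
    return alerts


if __name__ == "__main__":
    for host, interval, nbytes, mean in flag_bandwidth_anomalies(SAMPLE_RECORDS):
        print(f"{host}: interval {interval} sent {nbytes:,} bytes "
              f"(baseline mean {mean:,.0f})")
```

In practice the interval series would come from NetFlow, proxy or firewall accounting, and the window and ratio should be tuned per host role so that backup and update traffic does not alert.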
Channel companies hope that more manufacturers and customers in vertical markets, especially the industrial space, become more aware of the risks and challenges behind IoT security vulnerabilities.
"I hope there will be more publicity about getting [systems] secured in a timely fashion," said one solution provider, who wished to remain anonymous. "We're seeing some changes in IoT device manufacturers being more receptive to input from the security community and taking that advice to heart, but we still have a long way to go ... it's especially important in the healthcare and manufacturing sectors."
“IoT Security is front and center on everyone’s requirements and concerns,” Scott Udell, vice president of IoT Solutions at Boston-based Cloud Technology Partners, said in an email. “The need to balance adequate security with the often conflicting needs for low-cost and low-power, and limited computing power for sensors and devices, can be challenging. However, an end-to-end system is only as strong as its weakest link … that is often the low-cost devices that are core to many IoT solutions.”