ICS malware FrostyGoop disrupted heating in Ukraine, remains threat to OT worldwide
- by nlqip
Anatomy of the Ukrainian attack
In the Ukrainian attack, investigators believe that hackers broke into the district energy company’s network by exploiting a vulnerability in a Mikrotik router, with the initial access happening in April 2023. They then deployed a webshell on the router’s web server to enable remote access and tunnel into the network.
The attackers then spent time collecting information and planning the next stage of the attack until December 2023, when they dumped the Security Account Manager (SAM) registry hive and extracted credentials from it. While most of the connections to the webshell were made over the Tor anonymity network, the hackers also set up L2TP tunnels to Moscow-based IP addresses.
“The victim network assets, which consisted of a Mikrotik router, four management servers, and the district heating system controllers, were not adequately segmented within the network,” the Dragos researchers concluded. “A forensic examination during the investigation showed that the adversaries sent Modbus commands directly to the district heating system controllers from adversary hosts, facilitated by hardcoded network routes.”
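The segmentation failure the Dragos quote describes, hosts outside the engineering network reaching the controllers with Modbus, is something a passive network sensor can catch. The following Python is an added example, not code from the article, from Dragos or from the FrostyGoop sample: it parses the Modbus/TCP MBAP header, identifies state-changing function codes, and flags controller-bound requests that come from hosts outside an assumed engineering subnet. The subnets, the use of TCP port 502 (the standard Modbus/TCP port) and the sample flows are all constructed for illustration.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed network plan (hypothetical): only the HMI/engineering subnet may
# talk Modbus to the controller subnet. Everything else is out of policy.
ENGINEERING_NETS = [ip_network("10.10.20.0/24")]
CONTROLLER_NETS = [ip_network("10.10.30.0/24")]
MODBUS_TCP_PORT = 502  # standard Modbus/TCP port

# Function codes that change controller state (writes). 1-4 are reads.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(data: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header (txid, protocol id, length, unit id)
    followed by the PDU's function code. Raises ValueError on bad frames."""
    if len(data) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    txid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # MBAP length counts the unit id byte plus the PDU, i.e. everything after
    # the first 6 bytes of the frame.
    if length != len(data) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return ModbusRequest(txid, unit, data[7], data[8:])


def build_frame(txid: int, unit: int, function_code: int, *fields: int) -> bytes:
    """Build a Modbus/TCP request whose PDU is a function code followed by
    16-bit fields (enough for FC3 read-holding and FC6 write-single)."""
    pdu = struct.pack(">B" + "H" * len(fields), function_code, *fields)
    return struct.pack(">HHHB", txid, 0, len(pdu) + 1, unit) + pdu


def in_any(ip: str, nets) -> bool:
    return any(ip_address(ip) in net for net in nets)


def classify(src_ip: str, dst_ip: str, dst_port: int, data: bytes):
    """Return None for in-policy traffic, otherwise an alert string whose
    first word is the severity."""
    if dst_port != MODBUS_TCP_PORT or not in_any(dst_ip, CONTROLLER_NETS):
        return None  # not controller-bound Modbus; outside this rule's scope
    try:
        req = parse_modbus_tcp(data)
    except ValueError as exc:
        return f"MEDIUM malformed Modbus from {src_ip} to {dst_ip}: {exc}"
    if in_any(src_ip, ENGINEERING_NETS):
        return None  # expected operator traffic
    if req.function_code in WRITE_FUNCTION_CODES:
        return (f"HIGH Modbus write fc={req.function_code} unit={req.unit_id} "
                f"from non-engineering host {src_ip} to {dst_ip}")
    return (f"MEDIUM Modbus read fc={req.function_code} "
            f"from non-engineering host {src_ip} to {dst_ip}")


def scan(flows):
    """Run classify() over (src, dst, dst_port, payload) tuples."""
    return [a for a in (classify(*f) for f in flows) if a is not None]


# Constructed sample traffic: an operator HMI, then a host on a subnet that
# has no business reaching the controllers (stand-in for an adversary host).
SAMPLE_FLOWS = [
    ("10.10.20.5", "10.10.30.10", 502, build_frame(1, 1, 6, 0x0010, 0x0200)),  # HMI write
    ("10.10.20.5", "10.10.30.10", 502, build_frame(2, 1, 3, 0x0000, 0x000A)),  # HMI read
    ("10.99.0.7", "10.10.30.10", 502, build_frame(3, 1, 6, 0x0010, 0x0000)),   # rogue write
    ("10.99.0.7", "10.10.30.10", 502, build_frame(4, 1, 3, 0x0000, 0x000A)),   # rogue read
    ("10.99.0.7", "10.10.30.10", 502, b"\x00\x05\x00\x01\x00\x02\x01\x03"),    # bad proto id
    ("10.10.20.5", "10.10.40.9", 502, build_frame(6, 1, 6, 0x0001, 0x0001)),   # not a controller
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

The rule is the detection-side mirror of the segmentation the victim lacked: if the only hosts allowed to write to the controller subnet are enumerable, any write from elsewhere is an alert regardless of what the payload says. In production the frames would come from a SPAN/TAP feed rather than a list, and the allowlist would be generated from the asset inventory, not typed in.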