ICS malware FrostyGoop disrupted heating in Ukraine, remains threat to OT worldwide
- by nlqip
Anatomy of the Ukrainian attack
In the Ukrainian attack, investigators believe that hackers broke into the district energy company’s network by exploiting a vulnerability in a Mikrotik router, with the initial access happening in April 2023. They then deployed a webshell on the router’s web server to enable remote access and tunnel into the network.
The attackers then spent time collecting information and planning the next step of their attack until December 2023 when they dropped the Security Account Manager (SAM) registry hive and extracted credentials from the system. While most of the connections to the webshell were done via the Tor anonymity network, the hackers also set up L2TP tunneling to Moscow-based IP addresses.
“The victim network assets, which consisted of a Mikrotik router, four management servers, and the district heating system controllers, were not adequately segmented within the network,” the Dragos researchers concluded. “A forensic examination during the investigation showed that the adversaries sent Modbus commands directly to the district heating system controllers from adversary hosts, facilitated by hardcoded network routes.”
Source link
lol
Anatomy of the Ukrainian attack In the Ukrainian attack, investigators believe that hackers broke into the district energy company’s network by exploiting a vulnerability in a Mikrotik router, with the initial access happening in April 2023. They then deployed a webshell on the router’s web server to enable remote access and tunnel into the network.…
Recent Posts
- Windows 10 KB5046714 update fixes bug preventing app uninstalls
- Eight Key Takeaways From Kyndryl’s First Investor Day
- QNAP pulls buggy QTS firmware causing widespread NAS issues
- N-able Exec: ‘Cybersecurity And Compliance Are A Team Sport’
- Hackers breach US firm over Wi-Fi from Russia in ‘Nearest Neighbor Attack’