Thursday, September 16, 2021

Industrial automation makers and utilities facing spear phishing probes, says Kaspersky

At least 500 industrial organizations in 50 countries including Canada have been targeted by in a spear phishing attack that includes tools for stealing data, according to Kaspersky Labs.

The report comes in a company blog, which says the attacks began in August and are continuing. “The worst affected were companies in the smelting, electric power generation and transmission, construction, and engineering industries. Most of the organizations attacked were vendors of industrial automation solutions and system support contractors.”

Of note is that the emails had subject lines that could convince unsuspecting recipients that they were from a legitimate source, including fake commercial suppliers or shipping companies sending an updated price list, banks asking customers to validate banking information, or confirmation of equipment delivery.

Documents attached in the emails are RTF files containing an exploit for the CVE-2015-1641 Microsoft Office vulnerability which allows an attacker to remotely run code. It was patched in April,2015.

Experts have been warning for years that supervisory control and data acquisition (SCADA) and industrial control (ICS) systems have weaknesses that can be exploited by attackers, making critical infrastructure open to manipulation.

Kaspersky notes that most of the emails it has seen were sent from legitimate email addresses belonging to valid organizations — in fact in some the subject line contained the actual text used in an organization’s correspondence. “That can only happen if the source emails were accessible to hackers and were, possibly, compromised earlier,” says the analysis.

The malicious apps used in the attachment includes specific VB and MSIL packers that can diminish the ability of antivirus to detect the malware used. They include the FareIT/Pony 2.0 loader that steals credentials from a number of applications including Google Chrome, Internet Explorer, and numerous FTP (file transfer protocol) uploaders.

After gathering information the data is sent to a command and control server, which downloads more malware, including the Luminosity RAT, which includes a file manager for searching and removing victims’ files; and the HawkEye Keylogger, which collects system and networking parameters from compromised systems and steals passwords from email clients, web browsers, P2P clients and password managers; and the Zeus Atmos trojan, a variant of the Zeus banking malware, which can inject code into web applications and web pages, grab data from forms, steals security certificates and does other nasty things.

The post includes indicators of compromise for security teams to watch for.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News