In a marine safety bulletin issued in December, the US Coast Guard warned the maritime community to harden its defenses against phishing and cyber attacks after a new outbreak of file-encrypting ransomware at a maritime facility.
In the bulletin, the USCG disclosed a recent malware attack on an unnamed facility regulated by the Maritime Transportation Security Act (MTSA). As the US implementation of the ISPS Code, the MTSA covers a wide range of maritime facilities, including barge fleeting areas, commercial ports and terminals. In the IT security trade press, the attack has been misreported as a malware infection at a facility operated by the US Coast Guard itself.
Forensic analysis is still ongoing, but the malware, identified as "Ryuk" ransomware, may have entered the MTSA facility's network through an email phishing campaign. Once an employee clicked the malicious link embedded in the phishing email, the ransomware gave the attacker access to files on the facility's business network and encrypted them, cutting off access to critical information.
More worryingly, the malware also spread into the facility's industrial control systems, which monitor and control cargo transfer. On the control system network, it encrypted files critical to process operations.
In total, the impact on the facility operator included disruption of the entire corporate IT network (extending beyond the facility's footprint), disruption of physical access control and camera systems, and loss of critical process control monitoring systems. These combined effects forced the company to shut down the facility's primary operations for more than 30 hours while it responded to the cyber incident.
According to the Coast Guard, several measures could have prevented or limited the breach and reduced the time needed for recovery:
– Intrusion detection and prevention systems to monitor network traffic in real time
– Up-to-date, industry-standard antivirus software
– Centralized and monitored host and server logging
– Network segmentation to prevent IT systems from reaching the Operational Technology (OT) environment
– Up-to-date IT/OT network diagrams
– Consistent backups of all critical files and software
– Verifying the validity of an email's sender before replying to or opening unsolicited messages
– Implementation of US Cybersecurity and Infrastructure Security Agency (CISA) best practices
According to the UK National Cyber Security Centre (NCSC), Ryuk malware was first seen in August 2018 and has since been used in multiple attacks worldwide. Ryuk is a targeted ransomware whose ransom demands are set according to the victim's perceived ability to pay. A Ryuk infection is often not noticed until some time after the initial compromise, anywhere from days to months, which gives the actor time to perform reconnaissance inside the infected network, identify and target critical systems, and maximize the impact of the attack.
According to the NCSC, once a Ryuk infection has taken hold, the attacker uses additional post-exploitation tools to carry out malicious activity within the target network. These tools facilitate credential harvesting, remote control of the victim's workstation, and lateral movement to other machines on the network.
"Access to compromised machines can be sold to other criminal operators at any stage of this process, either as a facilitated deployment or through the sale of credentials for the compromised network," NCSC warned.