As part of our security experts comments series Andrea commented below on the news that malicious actors have used ransomware to take the website of Ukraine’s energy ministry offline and encrypt its files. IT security experts commented below.
Andrea Carcano, Co-Founder and Chief Product Officer at Nozomi Networks:
“Due to the criticality of their services critical infrastructure systems have become a juicy target for cyber criminals interested in cyber espionage, cyber warfare, hacktivism and cyber ransom attacks. In addition, over the years CNI have become more dependent upon interconnected devices which has also opened them up to cyber risk.
“In this type of cyber-threat, the attacker was targeting the Ukraine energy and coal ministry’s IT networks. It doesn’t appear there were any intentions or efforts to attack critical infrastructure. That said, IT is often used as an entry point for attackers who are targeting OT networks and this case is yet another reminder of the vulnerabilities within both IT and OT networks.
“Cyber-risk management must be a treated as a high priority for CNI. This requires both public and private sector collaboration and investments in better prevention and resiliency. With technological advances, such as machine learning and artificial intelligence, it’s now possible to model and monitor even large, complex networks and critical physical processes typical of refineries, power plants and pipelines. Operators can gain asset visibility and identify vulnerabilities.”
Craig Young, security researcher at Tripwire:
While many people might be quick to cast blame on Russia for this incident, I believe this was probably not the case. Looking over the Internet archive of this site, it appears that they were running Drupal 7 which is currently under active attack by automated attackers armed with “Drupalgeddon2” exploits. “Drupalgeddon2” is a highly critical remote code execution bug affecting most Drupal sites which was disclosed at the end of March. It is also possible (although less likely) that someone is already exploiting CVE-2018-7602 which the Drupal team announced just yesterday but has yet to provide a public fix.
Organizations need to understand that off-the-shelf content management systems like Drupal, WordPress, and Joomla may start seeing exploitation within days or even hours of a critical disclosure. These public facing systems must be a top priority for infosec teams.
Users of these systems should also be certain to maintain up to date backups of their content to facilitate recovery after a ransomware attack.
The information was determined by looking at the source on the Wayback machine here:
https://web.archive.org/web/20180419075742/http://www.mev.gov.ua/
And noting that it shows <meta name=”Generator” content=”Drupal 7 (http://drupal.org)”/>
