研究人员说，针对ICS / SCADA的恶意软件很可能在本周和本田以及一家南美能源公司遭受了两次攻击。
In a tweet on Monday, the Honda Automobile Customer Service said it was “experiencing technical difficulties and are unavailable.” And later, the Japanese auto giant told the BBC that “Honda can confirm that a cyberattack has taken place on the Honda network.”
Meanwhile, a Honda spokesperson told Forbes, “Honda has experienced a cyberattack that has affected production operations at some U.S. plants. However, there is no current evidence of loss of personally identifiable information. We have resumed production in most plants and are currently working toward the return to production of our auto and engine plants in Ohio.”
Researchers have analyzed samples from the attack that were shared online on Monday, and have determined that it’s likely that the Snake ransomware is responsible for the hit. Snake was first publicized in January after being discovered and analyzed by MalwareHunterTeam and reverse-engineer Vitali Kremez. Researchers at Dragos also looked into the malware, which is written in the Go language, is heavily obfuscated, goes after ICS/SCADA environments, and tends to be highly targeted.
The Honda samples fit this profile. “We found several artifacts that corroborate this possibility,” Researchers at Malwarebytes wrote in a Tuesday analysis.
The researchers explained, “We tested the ransomware samples publicly available in our lab, by creating a fake internal server that would respond to the DNS query made by the malware code with the same IP address it expected. We then ran the sample alleged to be tied to Honda against Malwarebytes Nebula, our cloud-based endpoint protection for businesses. We detect this payload as ‘Ransom.Ekans’ when it attempts to execute.” EKANS is another name for Snake in security firms’ telemetry – it’s just “snake” backwards.
Chris Clements, vice president of solution architecture at Cerberus Sentinel, also took a look at the public samples relating to the Honda attack. He said that the malware includes a check for a hardcoded internal system name and public IP addresses related to Honda. And, it exits immediately if associations with Honda are not detected.
“This strongly implies that this was a targeted attack rather than a case of cybercriminals spraying out ransomware indiscriminately,” he said via email – a Snake hallmark.
Clements also warned that while Honda noted that no PII appears to have been accessed (unlike in its recent data-breach incident), the Snake ransomware team has historically attempted to exfiltrate sensitive information before encrypting their victim’s computers.
“This, combined with the targeted nature of the malware’s pre-checks indicates that the attackers likely had access to Honda’s internal systems for some time before launching the ransomware’s encryption functions,” he told Threatpost. “Without confirmation from the SNAKE group or Honda, it is impossible to say how long the attackers were present or what sensitive data they may have been able to steal.”
Caleb Barlow, president and CEO of Cynergistek, also believes the attack stems from the Snake ransomware, and noted that the malware is concerning in terms of its scope.
“It goes after the entire network, not individual machines and PCs,” he said via email. “That includes internet-of-things and SCADA devices. So think about a manufacturing environment which has thousands of devices, they are all down and need to be restored….[so], its objective is far beyond locking up data, it is a form of malware designed for destruction of systems it infects.”
Regardless of whether the actual code is indeed the Snake ransomware, evidence suggests that the same malware is responsible for another attack, according to Malwarebytes, on Enel Argentina. Its Edesur S.A. subsidiary tweeted earlier this week that “Our systems are affected by a computer failure, which hinders customer service by phone, social networks and the use of the Virtual Office. We are working on the resolution of the incident in the shortest possible time to restore communication.”
In examining the case, the aforementioned attempt to resolve to a hardcoded hostname (in the case of Honda, that’s “mds.honda.com”) mirrors the approach taken by the Enel Argentina malware. Also, Malwarebytes researchers said that the email left in the ransom note is the same in both attacks: “CarrolBidell@tutanota[.]com.”
Malwarebytes also speculated that Remote Desktop Protocol (RDP) may have been the attack point for the incidents. Both companies had machines with RDP access publicly exposed, the firm found.
“RDP has been called out as some of the lowest hanging fruit preferred by attackers,” according to the firm. “However, we also recently learned about a new SMB vulnerability allowing remote execution. It is important for defenders to properly map out all assets, patch them, and never allow them to be publicly exposed…Ultimately, only a proper internal investigation will be able to determine exactly how the attackers were able to compromise the affected networks.
Neither Honda nor Enel Argentina immediately returned a request for comment, but Threatpost will update this post if and when they do respond.