Hsinchu, Taiwan – Nov 3, 2021 – It is very surprising that the FBI, CISA (Cybersecurity and Infrastructure Security Agency), EPA (Environmental Protection Agency) and NSA (National Security Agency) of the United States of America issued a joint alert on October 14, 2021, “Alert (AA21-287A) Ongoing Cyber Threats to U.S. Water and Wastewater Systems”. This joint alert described three previously unreported ransomware attacks that impacted ICS (industrial control systems) at water facilities. More precisely, the SCADA (supervisory control and data acquisition) systems of these three water facilities were attacked by ransomware.
For decades, we have referred to computers and data networks as IT (information technology); the operation and program control of ICS (industrial control systems) is usually referred to as OT (operational technology). IT and OT have different focuses. The focus of OT is stable and smooth operation over a long period. OT was usually operated in an isolated network and was therefore considered very safe.
However, IT and OT are usually integrated nowadays for convenience and efficiency. This exposes the OT network to the large amount of malicious content on the IT network. Furthermore, some malware is designed specifically to target industrial systems such as nuclear power plants or other public facilities. The OT network is now as dangerous as the IT network.
The joint alert mentioned that the Ghost and ZuCaNo ransomware variants are two of the three assassins that attacked the water facilities. The third assassin is an unknown ransomware. Actually, the Ghost and ZuCaNo ransomware are quite old and have many variants. Ghost is also known as Farfli, and ZuCaNo is derived from the Xorist virus.
Lionic has been watching the Ghost/Farfli and ZuCaNo/Xorist families for a long time. So far, Lionic has collected roughly three thousand Ghost/Farfli variant ransomware samples and roughly one thousand ZuCaNo/Xorist variant ransomware samples, and these numbers are still growing. Because of these large numbers, products based on Lionic anti-virus technology should enable cloud-based scanning to obtain full protection against the Ghost/ZuCaNo families of ransomware.
Partial list of Cloud Anti-Virus rules for Ghost/Farfli variant ransomware:
Rule ID | Virus Name | Release Date |
---|---|---|
9048798840803219 | Trojan.Win32.Farfli.m | 2021-10-26 |
9022547998911384 | Trojan.Win32.Farfli.m | 2021-10-25 |
9146834145384677 | Trojan.Win32.Farfli.m | 2021-10-14 |
9042297924008237 | Trojan.Win32.Farfli.m | 2021-10-12 |
9061841733620148 | Trojan.Win32.Farfli.m | 2021-10-10 |
9089748810901273 | Trojan.Win32.Farfli.m | 2021-10-05 |
9094915515665661 | Trojan.Win32.Farfli.m | 2021-10-05 |
9152371980257502 | Trojan.Win32.Farfli.m | 2021-09-24 |
9166104037500258 | Trojan.Win32.Farfli.m | 2021-09-24 |
9013335721520404 | Trojan.Win32.Farfli.m | 2021-09-22 |
9165963568549027 | Trojan.Win32.Farfli.m | 2021-09-16 |
9039165032608294 | Trojan.Win32.Farfli.m | 2021-09-16 |
9170526783068062 | Trojan.Win32.Farfli.m | 2021-09-15 |
9003301358627921 | Trojan.Win32.Farfli.m | 2021-09-10 |
9123589396959496 | Trojan.Win32.Farfli.m | 2021-09-09 |
9083310299999579 | Trojan.Win32.Farfli.m | 2021-09-09 |
… | … | … |
Partial list of Cloud Anti-Virus rules for ZuCaNo/Xorist variant ransomware:
Rule ID | Virus Name | Release Date |
---|---|---|
9166493005405686 | Trojan.Win32.Xorist.j | 2021-10-18 |
9067294339787712 | Trojan.Win32.Xorist.j | 2021-07-30 |
9048841483316589 | Trojan.Win32.Xorist.j | 2021-07-28 |
9052509818169155 | Trojan.Win32.Xorist.j | 2021-07-28 |
9086982631637724 | Trojan.Win32.Xorist.j | 2021-07-28 |
9070000048607928 | Trojan.Win32.Xorist.j | 2021-07-28 |
9080907590657780 | Trojan.Win32.Xorist.j | 2021-07-28 |
9054386581603980 | Trojan.Win32.Xorist.j | 2021-07-28 |
9059517299334413 | Trojan.Win32.Xorist.j | 2021-07-26 |
9149937347874699 | Trojan.Win32.Xorist.j | 2021-06-09 |
9014453044295455 | Trojan.Win32.Xorist.j | 2021-06-09 |
9105044353323474 | Trojan.Win32.Xorist.j | 2021-06-06 |
9130371382114136 | Trojan.Win32.Xorist.j | 2021-06-05 |
9138520880569470 | Trojan.Win32.Xorist.j | 2021-06-05 |
9250698163532743 | Trojan.Win32.Xorist.j | 2021-05-30 |
9122130342028587 | Trojan.Win32.Xorist.j | 2021-05-29 |
9068599240069620 | Trojan.Win32.Xorist.j | 2021-05-19 |
9014893740863258 | Trojan.Win32.Xorist.j | 2021-05-19 |
9171335746850719 | Trojan.Win32.Xorist.j | 2021-05-11 |
9118060765663779 | Trojan.Win32.Xorist.j | 2021-05-07 |
… | … | … |
Once the OT network is connected to the IT network, the OT network must watch out for both malware and cyber-intrusions. Some OT network security devices have anti-intrusion capability only and no anti-virus capability. That is not enough for all of today's possible cyber-threats.
This water facilities ransomware event serves as a powerful reminder of how important it is to install one Pico-UTM 100 for each important machine in the OT network. Pico-UTM 100 provides full protection, including Anti-Virus, Anti-Intrusion, Anti-WebThreat and Firewall features. Also, the operating systems of equipment in OT networks are usually very old versions of Windows, Linux or other operating systems. There are many known vulnerabilities in these old operating systems, and they are usually very hard to upgrade. Pico-UTM 100 also has anti-virus and anti-intrusion rules for protecting old MS-Windows and other OS, acting like “Virtual Bug Fixes” or a “Virtual Patch”.
It is highly possible that those water facilities could have minimized the impact of the ransomware catastrophe if they had deployed a large number of Pico-UTM 100 units in their OT network. We recommend that managers of OT networks consider deploying one Pico-UTM 100 for each important machine to block ransomware and attacks on old vulnerabilities in advance.
References:
- Alert (AA21-287A) Ongoing Cyber Threats to U.S. Water and Wastewater Systems, https://us-cert.cisa.gov/ncas/alerts/aa21-287a
- Ransomware Hit SCADA Systems at 3 Water Facilities in U.S., https://www.securityweek.com/ransomware-hit-scada-systems-3-water-facilities-us
- SCADA, https://en.wikipedia.org/wiki/SCADA
- Stuxnet, https://en.wikipedia.org/wiki/Stuxnet
About Lionic Corporation
Lionic Corporation is a global provider of innovative “Deep Packet Inspection” solutions. Lionic's technology includes a complete DPI-based software engine and related management software, which provide “Security Solutions” for anti-virus, anti-intrusion and anti-web-threat, and “Content Management Solutions” for application identification, device identification, application-based QoS, web content filtering and parental control.
Lionic's security and content management solutions, cloud-based scanning services and signature subscription services have been widely deployed worldwide. They help service providers, network equipment manufacturers, semiconductor companies and others to realize next-generation home and business router gateways, SD-WAN edge and cloud gateways, advanced firewalls, UTMs, smart NICs and mobile devices. Products powered by Lionic deliver better network management and protect networks worldwide from ever-increasing security threats.