A pro-Russian hacktivist group known as TwoNet pivoted in less than a year from launching distributed denial-of-service (DDoS) attacks to targeting critical infrastructure.
Recently, the threat actor claimed an attack on a water treatment facility that turned out to be a honeypot system set up by threat researchers specifically to monitor adversaries' activities.
The compromise of the decoy facility occurred in September and revealed that the threat actor moved from initial access to disruptive action in about 26 hours.
Decoy plant but real threat
Researchers at Forescout, a company providing cybersecurity solutions for enterprise IT and industrial networks, monitoring TwoNet's activity in the fake water treatment plant, observed the hackers trying default credentials and gaining initial access at 8:22 AM.
During the first day, the hacktivist group tried to enumerate the databases on the system; they succeeded on a second attempt, after using the correct set of SQL queries for the system.
The attacker proceeded to create a new user account called Barlati and announced their intrusion by exploiting an old stored cross-site scripting (XSS) vulnerability tracked as CVE-2021-26829.
They leveraged the security issue to trigger a pop-up alert on the human-machine interface (HMI) that displayed the message "Hacked by Barlati."
However, they also engaged in more damaging actions to disrupt processes and disable logs and alarms.
Forescout researchers say that TwoNet, unaware that it had breached a decoy system, disabled the real-time updates by removing the connected programmable logic controllers (PLCs) from the data source list, and changed the PLC setpoints in the HMI.
"The attacker did not attempt privilege escalation or exploitation of the underlying host, focusing solely on the web application layer of the HMI," – Forescout
The next day, at 11:19 AM, Forescout researchers logged the intruder's last login.
While TwoNet initially started as another pro-Russian hacktivist group focused on launching DDoS attacks against entities showing support for Ukraine, the gang appears to be engaged in various cyber activities.
On the attacker's Telegram channel, Forescout found that TwoNet tried to target HMI or SCADA interfaces of critical infrastructure organizations in "enemy countries."
The gang also published personal details of intelligence and police personnel, and commercial offers for cybercrime services like ransomware-as-a-service (RaaS), hacker-for-hire, or initial access to SCADA systems in Poland.
"This pattern mirrors other groups that have shifted from 'traditional' DDoS/defacement into OT/ICS operations," Forescout researchers say.
To reduce the risk of a breach, Forescout recommends that organizations in the critical infrastructure sector make sure that systems have strong authentication and are not exposed to the public internet.
Properly segmenting the production network, combined with IP-based access control lists for admin interface access, can keep threat actors at bay if they breach the corporate network.
Forescout also recommends using protocol-aware detection that alerts on exploitation attempts and changes in the HMI.
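As an added example (not Forescout's code and not part of the original article), the following Python script shows one way to apply that last recommendation to an HMI's own audit trail: it correlates events from a single source address into the stages described above (login after a failed attempt, new user created, PLC removed from the data source list, setpoint changed, alarm disabled) and measures the time from initial access to the first process change. The log format, field names and addresses are constructed assumptions for the example.

```python
import re
from datetime import datetime
# Constructed sample HMI audit lines shaped like the reported intrusion; the
# format, field names and addresses are assumptions, not a real product's schema.
SAMPLE_LOG = """\
2025-09-10 08:20:51 src=203.0.113.7 event=login_failed user=admin
2025-09-10 08:22:03 src=203.0.113.7 event=login_ok user=admin
2025-09-10 09:40:12 src=203.0.113.7 event=user_created user=Barlati
2025-09-10 15:02:44 src=203.0.113.7 event=datasource_removed plc=PLC-2
2025-09-11 10:22:03 src=203.0.113.7 event=setpoint_changed tag=PUMP1_SP old=50 new=95
2025-09-11 10:35:20 src=203.0.113.7 event=alarm_disabled tag=LEVEL_HIGH
2025-09-11 10:40:00 src=198.51.100.9 event=login_ok user=operator
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) event=(?P<event>\S+)")

# HMI event types mapped to the stages of the pattern described in the article.
STAGES = {
    "login_ok": "initial_access",
    "user_created": "persistence",
    "datasource_removed": "visibility_loss",
    "alarm_disabled": "visibility_loss",
    "setpoint_changed": "process_change",
}

def analyse(log_text):
    """Group audit events by source and flag sources that logged in and altered the process or its visibility."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        rec = findings.setdefault(m["src"], {"stages": {}, "failed_logins": 0})
        if m["event"] == "login_failed":
            rec["failed_logins"] += 1
        stage = STAGES.get(m["event"])
        if stage and stage not in rec["stages"]:
            rec["stages"][stage] = ts  # keep the first time each stage was seen
    for rec in findings.values():
        first, disrupt = rec["stages"].get("initial_access"), rec["stages"].get("process_change")
        rec["hours_to_disruption"] = (round((disrupt - first).total_seconds() / 3600, 1)
                                      if first and disrupt else None)
        rec["alert"] = bool(first and (disrupt or "visibility_loss" in rec["stages"]))
    return findings

if __name__ == "__main__":
    for src, rec in analyse(SAMPLE_LOG).items():
        print(src, "ALERT" if rec["alert"] else "ok", sorted(rec["stages"]), rec["hours_to_disruption"])
```

On the constructed sample, the attacker's address is flagged with all four stages and a 26-hour gap between access and the setpoint change, while the operator's routine login is not.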