Triton malware still a threat, FBI warns • The Register



In Brief Triton malware remains a threat to the global energy sector, according to an FBI warning.

Triton is the software nasty used in a 2017 cyber attack carried out by a Russian government-backed research institution against a Middle East petrochemical facility.

The new FBI warning [PDF] came a day after the US Department of Justice unsealed a pair of indictments that detail alleged Russian government efforts to use supply chain attacks and malware in an attempt to compromise and control critical infrastructure.

One of the two indictments involves Triton malware and its use in the 2017 attack. And the group behind this intrusion, the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), is still up to no good, according to the FBI.

Triton malware, also known as Trisis and HatMan, is designed to break physical safety systems or cause them to operate unsafely. “Its potential impact could be similar to cyberattacks previously attributed to Russia that caused blackouts in Ukraine in 2015 and 2016,” the FBI warned. 

In the 2017 attack, the Russian agency used Triton to target a Schneider Electric Triconex safety instrumented system (SIS), which initiates safe shutdown procedures in emergency situations.

After gaining initial access, the attackers moved laterally through the IT and OT networks onto the safety system and installed Triton malware. The malware modified in-memory firmware to add malicious programming, which the FBI said could have led to facility damage, system downtime, or even death if the SIS failed to initiate safe shutdown procedures.

“The Triton attack represented a notable shift in ICS targeting as the first attack designed to allow physical damage, environmental impact, and loss of life in the event of a plant’s running in an unsafe condition,” according to the Feds. 

While Schneider Electric fixed the flaw when it released an updated version of the Tricon controller in June 2018, older versions are still in use and remain vulnerable to an attack. 

Ransomware kingpin jailed

An Estonian man accused of stealing more than $53m in ransomware attacks was sentenced to 66 months in prison and ordered to pay more than $36m in restitution.

Maksim Berezan, 37, pleaded guilty in April 2021 to conspiracy to commit wire fraud against a financial institution, access device fraud and computer intrusions. According to the US Department of Justice, Berezan was an active member of an online forum for Russian-speaking cybercriminals.

After his arrest, investigators found evidence on his electronic devices of his involvement with ransomware gangs. This investigation, which happened after Berezan was extradited from Latvia, determined he had participated in at least 13 ransomware attacks, seven of which were against US victims, and that about $11m in ransom payments was sent to cryptocurrency wallets that Berezan controlled.

According to the Feds, Berezan used his “ill-gotten gains” to buy two Porsches, a Ducati motorcycle, and a bunch of jewelry.

Authorities also recovered currency worth more than $200,000 from his residence, along with electronic devices storing passphrases to Bitcoin wallets that contained Bitcoin worth about $1.7m. That Bitcoin has been forfeited.

Dell patches more Log4j holes

Dell issued several critical and high-priority patches this week, including some that aim to fix ongoing Log4j vulnerabilities before attackers find and exploit them.

One of the software fixes targets two critical Log4j remote code execution vulnerabilities in Dell EMC VxRail systems – hyperconverged infrastructure systems running VMware vCenter software on Dell EMC hardware.

It addresses CVE-2021-44228 and CVE-2021-45046, but Dell noted that it also requires a workaround and directed customers over to VMware for details on how to perform it.

Affected VxRail appliances include 4.5.x versions, 4.7.x versions, and 7.0.x versions.

These are critical vulnerabilities that could allow an attacker to remotely execute malicious code on a compromised machine then do any number of nefarious deeds, including stealing sensitive data and taking over the system entirely.

In another critical security update for Log4j remote code execution vulns, Dell issued patches for its Connectrix SANnav Management Portal versions v2.2.0 and those before v2.1.1.7 – Dell’s SAN management software for Connectrix B-Series switches. They address several remote code execution vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307, CVE-2019-17571, and CVE-2020-9488.

Free Diavol ransomware decryptor

Security vendor Emsisoft has released a free Diavol ransomware decryptor and a guide [PDF] on how to use it. 

The FBI officially tied Diavol, which means “devil” in Romanian, to the notorious Trickbot cybercriminal gang in January after security vendor Fortinet’s research team first linked the two five months earlier. 

“Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker,” according to the FBI’s Diavol warning.

The criminal group typically demands ransoms between $10,000 and $50,000, but it will negotiate and accept lower payouts, the agency said. “The FBI has not yet observed Diavol leak victim data,” it added.

But before downloading the free tool, quarantine the malware first, Emsisoft warns in the guide. You can also use the vendor’s free anti-malware software to do this. 

Additionally, if Diavol accessed your system through the Windows Remote Desktop feature, Emsisoft recommends changing all passwords of all remote users and checking local user accounts to see if the attacker compromised any of those.

“The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data,” the security firm said, adding this file should be about 20KB or larger.

Beware the Metaverse and bad apes

Madonna isn’t the only one keeping tabs on the Bored Ape Yacht Club.

Following the oh-so-exclusive non-fungible token (NFT) collection’s ApeCoin cryptocurrency debut, crooks stole millions of dollars using flash loan attacks, according to Check Point. The security vendor’s research doubles as a cautionary tale for Metaverse shenanigans and cartoon apes gone bad.

Earlier this month, the Bored Ape Yacht Club launched its own cryptocurrency called ApeCoin, and allowed Bored Ape and Mutant Ape NFT holders to claim a certain amount of free tokens. Each NFT holder got 10,094 tokens, valued anywhere between $80,000 and $200,000, which they could either hold on to or sell for a profit.

What could possibly go wrong? 

Plenty, according to Check Point’s researchers, who found miscreants claiming a large number of tokens using NFTs that they did not initially own. They did this by taking advantage of flash loans, which allow lending and returning the loan on a single transaction in the blockchain network.

“Unlike a regular loan, you don’t need any collateral, or to even go through the identification process,” Check Point explained. “Hackers like to use the flash loan, since they don’t even have to risk their own capital, and the wallets don’t get traced back to them, since they are using someone else’s funds.”

In this particular case, the bad monkeys used the NFTX protocol to find Bored Ape NFTs that hadn’t yet been used to claim the airdropped ape token. NFTX lets a user deposit NFTs into a vault in exchange for a token that trades on platforms like Sushi and Uniswap.

“After the attack, [the] attacker sold the ape coin on the open market and gained $1.5 million,” according to Check Point. “The main bug was that the ApeCoin airdrop didn’t check how long the holder had the Bored Ape NFT. Instead, it was claimable by anyone who owns a Bored Ape at the point of claiming the airdrop.” ®
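As an added example (not from the article, and not the ApeCoin contract’s own code), the Python model below contrasts the flawed claim-time ownership check with a snapshot-based eligibility check, and plays a borrow-claim-return sequence of the kind described above against both; the ledger, vault and attacker names and the snapshot mechanism are assumptions for illustration.

```python
# Constructed model of the airdrop eligibility flaw described above. Not the real
# contract: AirdropLedger, the claim_* rules, flash_loan_claim and the "vault" /
# "attacker" addresses are assumptions for illustration only.
from dataclasses import dataclass, field

APE_PER_NFT = 10_094  # tokens per eligible Bored Ape, per the article


@dataclass
class AirdropLedger:
    owner_of: dict          # nft_id -> address currently holding the NFT
    snapshot_owner: dict    # nft_id -> address recorded at the snapshot block (hypothetical fix)
    claimed: set = field(default_factory=set)
    balances: dict = field(default_factory=dict)

    def _pay(self, nft_id: int, to: str) -> int:
        self.claimed.add(nft_id)
        self.balances[to] = self.balances.get(to, 0) + APE_PER_NFT
        return APE_PER_NFT

    def claim_by_current_owner(self, nft_id: int, caller: str) -> int:
        """Vulnerable rule: whoever holds the NFT at the moment of claiming is paid."""
        if nft_id in self.claimed or self.owner_of[nft_id] != caller:
            return 0
        return self._pay(nft_id, caller)

    def claim_by_snapshot_owner(self, nft_id: int, caller: str) -> int:
        """Hardened rule: only the address holding the NFT at the snapshot block is
        paid, so an NFT held transiently inside one transaction earns nothing."""
        if nft_id in self.claimed or self.snapshot_owner[nft_id] != caller:
            return 0
        return self._pay(nft_id, caller)


def flash_loan_claim(ledger: AirdropLedger, claim, nft_id: int, attacker: str = "attacker") -> int:
    """One atomic transaction: redeem an unclaimed NFT from the vault with borrowed
    funds, attempt the claim, then return the NFT so the loan can be repaid."""
    vault = ledger.owner_of[nft_id]
    ledger.owner_of[nft_id] = attacker      # redeem from vault (loan funds the purchase)
    gained = claim(nft_id, attacker)        # claim while holding the NFT
    ledger.owner_of[nft_id] = vault         # deposit back; loan repaid in the same tx
    return gained


def fresh_ledger() -> AirdropLedger:
    # Constructed state: NFT 1 sat unclaimed in a vault at the snapshot; NFT 2 is
    # held by a legitimate owner who has not moved it since.
    return AirdropLedger(owner_of={1: "vault", 2: "alice"},
                         snapshot_owner={1: "vault", 2: "alice"})
```

Under the claim-time rule the borrowed NFT pays out to the transient holder; under the snapshot rule the same sequence yields nothing while the legitimate holder’s claim still succeeds exactly once.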
