Hsinchu, Taiwan – Nov 3, 2021 – It is very surprising that the FBI, CISA (Cybersecurity and Infrastructure Security Agency), EPA (Environmental Protection Agency) and NSA (National Security Agency) of the United States of America issued a joint alert on October 14, 2021 - “Alert (AA21-287A) Ongoing Cyber Threats to U.S. Water and Wastewater Systems”. This joint alert mentioned three previously unreported ransomware attacks that impacted ICS (industrial control systems) at water facilities. Precisely speaking, it was the SCADA (supervisory control and data acquisition) systems of these three water facilities that were attacked by ransomware.


Figure: example SCADA system diagram. Retrieved Nov 3, 2021, from https://en.wikipedia.org/wiki/SCADA

For decades, we have referred to computers and data networks as IT (information technology); the operation and program control of ICS (industrial control systems) is usually referred to as OT (operational technology). IT and OT have different focuses. The focus of OT is stable, smooth operation over a long period of time. In the past, OT was usually operated in an isolated network and was therefore very safe.

However, IT and OT are usually integrated nowadays for convenience and efficiency. This exposes the OT network to the large amount of malicious content coming from the IT network. Furthermore, some malware specifically targets, or is simply delivered to, industrial systems such as nuclear power plants, oil companies and other public facilities. The OT network is now just as dangerous an environment as the IT network.

The “Alert (AA21-287A) Ongoing Cyber Threats to U.S. Water and Wastewater Systems” joint alert named the Ghost and ZuCaNo ransomware variants as two of the three assassins that cyber-attacked the water facilities. The third assassin is an unknown ransomware. In fact, the Ghost and ZuCaNo ransomware families are quite old and have many variants: Ghost is also known as Farfli, and ZuCaNo is derived from the Xorist virus.

Lionic has been tracking the Ghost/Farfli and ZuCaNo/Xorist families for a long time. So far, Lionic has collected roughly three thousand Ghost/Farfli variant ransomware samples and roughly one thousand ZuCaNo/Xorist variant ransomware samples, and these numbers keep growing. Because of these large numbers, products based on Lionic Anti-Virus technology should enable the cloud-based scan to obtain full protection against the Ghost/ZuCaNo ransomware families.

Partial list of Cloud Anti-Virus rules for Ghost/Farfli variant ransomware:

Rule ID Virus Name Release Date
9048798840803219 Trojan.Win32.Farfli.m 2021-10-26
9022547998911384 Trojan.Win32.Farfli.m 2021-10-25
9146834145384677 Trojan.Win32.Farfli.m 2021-10-14
9042297924008237 Trojan.Win32.Farfli.m 2021-10-12
9061841733620148 Trojan.Win32.Farfli.m 2021-10-10
9089748810901273 Trojan.Win32.Farfli.m 2021-10-05
9094915515665661 Trojan.Win32.Farfli.m 2021-10-05
9152371980257502 Trojan.Win32.Farfli.m 2021-09-24
9166104037500258 Trojan.Win32.Farfli.m 2021-09-24
9013335721520404 Trojan.Win32.Farfli.m 2021-09-22
9165963568549027 Trojan.Win32.Farfli.m 2021-09-16
9039165032608294 Trojan.Win32.Farfli.m 2021-09-16
9170526783068062 Trojan.Win32.Farfli.m 2021-09-15
9003301358627921 Trojan.Win32.Farfli.m 2021-09-10
9123589396959496 Trojan.Win32.Farfli.m 2021-09-09
9083310299999579 Trojan.Win32.Farfli.m 2021-09-09

Partial list of Cloud Anti-Virus rules for ZuCaNo/Xorist variant ransomware:

Rule ID Virus Name Release Date
9166493005405686 Trojan.Win32.Xorist.j 2021-10-18
9067294339787712 Trojan.Win32.Xorist.j 2021-07-30
9048841483316589 Trojan.Win32.Xorist.j 2021-07-28
9052509818169155 Trojan.Win32.Xorist.j 2021-07-28
9086982631637724 Trojan.Win32.Xorist.j 2021-07-28
9070000048607928 Trojan.Win32.Xorist.j 2021-07-28
9080907590657780 Trojan.Win32.Xorist.j 2021-07-28
9054386581603980 Trojan.Win32.Xorist.j 2021-07-28
9059517299334413 Trojan.Win32.Xorist.j 2021-07-26
9149937347874699 Trojan.Win32.Xorist.j 2021-06-09
9014453044295455 Trojan.Win32.Xorist.j 2021-06-09
9105044353323474 Trojan.Win32.Xorist.j 2021-06-06
9130371382114136 Trojan.Win32.Xorist.j 2021-06-05
9138520880569470 Trojan.Win32.Xorist.j 2021-06-05
9250698163532743 Trojan.Win32.Xorist.j 2021-05-30
9122130342028587 Trojan.Win32.Xorist.j 2021-05-29
9068599240069620 Trojan.Win32.Xorist.j 2021-05-19
9014893740863258 Trojan.Win32.Xorist.j 2021-05-19
9171335746850719 Trojan.Win32.Xorist.j 2021-05-11
9118060765663779 Trojan.Win32.Xorist.j 2021-05-07

Once the OT network is connected to the IT network, the OT network must guard against both malware and cyber-intrusions. Some OT network security devices have Anti-Intrusion capability only and no Anti-Virus capability. That is no longer enough against all the possible cyber-threats of today.

This water facilities ransomware event serves as a powerful reminder of how important it is to install one Pico-UTM 100 in front of each important machine in the OT network. Pico-UTM 100 has full protection, including Anti-Virus, Anti-Intrusion, Anti-WebThreat and Firewall features. Also, the equipment in OT networks usually runs very old versions of Windows, Linux or other operating systems. These old operating systems have many known vulnerabilities and are usually very hard to upgrade. Pico-UTM 100 also has Anti-Virus and Anti-Intrusion rules specifically for protecting old MS-Windows and other operating systems, acting like “Virtual Bug Fixes” or a “Virtual Patch”.

It is highly possible that those water facilities could have minimized the impact of the ransomware catastrophe if they had deployed a large number of Pico-UTM 100 units in their OT networks. We recommend that OT network managers consider deploying one Pico-UTM 100 per important machine to block ransomware and attacks on old vulnerabilities in advance.


References:

  1. Alert (AA21-287A) Ongoing Cyber Threats to U.S. Water and Wastewater Systems, https://us-cert.cisa.gov/ncas/alerts/aa21-287a
  2. Ransomware Hit SCADA Systems at 3 Water Facilities in U.S., https://www.securityweek.com/ransomware-hit-scada-systems-3-water-facilities-us
  3. SCADA, https://en.wikipedia.org/wiki/SCADA
  4. Stuxnet, https://en.wikipedia.org/wiki/Stuxnet
  5. Hackers Breached Colonial Pipeline Using Compromised Password, https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password


About Lionic Corporation

Lionic Corporation is a worldwide provider of innovative Deep Packet Inspection solutions. Lionic’s technologies include a complete DPI-based software engine and related management software, which offer Security Solutions that address anti-virus, anti-intrusion and anti-webthreat, and Content Management Solutions that address application identification, device identification, application-based QoS, web content filtering and parental control.

Lionic’s security and content management solutions, cloud-based scan services and signature subscription service are already widely deployed around the world. They help service providers, network appliance manufacturers, semiconductor companies and others enable the next generation of business routers, residential gateways, SD-WAN edges and cloud gateways, advanced firewalls, UTMs, Smart NICs and mobile devices. Products powered by Lionic provide better network management and protect the world’s networks from an ever-increasing level of security threats.