White Dross

 In ITC's Threat of the Week

You would be forgiven for thinking that we might be talking about the Australian extremist who murdered 50 men, women and children in cold blood this week. But we won’t be affording him any further mention.

White Dross is the primary by-product of aluminium production and recycling (who knew?). This week there was significant downturn in white dross production due to unfortunate events, which you will all have read about, at the monster aluminium producer Norsk Hydro who were hit by a ransomware outbreak.

The ransomware in question is snappily called ‘LockerGoga’ (LG) and was seen earlier in the year in an attack on the French Altran Technologies, a 33 billion Euro company with over 33,000 employees.

Rather than go through the full details of LockerGoga in this blog, we would urge you to read ITC’s Threat Horizon on the subject, which if we do say so ourselves, is a fine piece of work from our SOC team, as usual.

Other than malpractice by the Certificate Authorities concerned (no surprise there), there are a few points to note about LG (it’s a rubbish name isn’t it?).

Firstly the code is relatively straightforward (apparently) and makes no attempt to hide. VirusTotal activity has been going through the roof since the Norsk Hydro event, it also does not spread itself laterally. We can only hope that traditional AV vendors have done their job and code the signatures out. It seems that behaviour based techniques such as those used in ITC’s managed EDR solution, which is used to augment traditional AV, would fare substantially better against this sort of attack.

In the case of Norsk Hydro, it seems that the firm’s own Active Directory (AD) and associated Group Policy (GPO), which is used by system admins to distribute code to run on associated client machines as required, was compromised prior and used to dish out the dirt far and wide.

Our best guess, and also seemingly that of our friends up the road RecordedFuture, would be that this was achieved via a good old fashioned phishing/spear phishing attack followed by credential swiping and decryption using Mimikatz or similar, leading to privilege escalation and lateral infection (hopefully not any NSA SMB tricks, please Norsk Hydro, please. They should be patched). That of course is merely conjecture and is therefore not mentioned in our Threat Horizon.

So it seems for now that having a good look at your AD estate and having robust protection against phishing are the best advice, along with (if you have the tools, and we can help you with this) looking for Indicators Of Compromise (IOC) in your infrastructure.

Norsk Hydra isn’t going to pay up it says, and is reverting to backup. You have to admire this approach along with the fact that it feels it can rely on its backup infrastructure; could you? Might this be a wake up call for us all to have a check of our own backup shizzle? (The answer to this is a resounding YES please).

Norsk Hydra also managed to keep production going in a number of factories because apparently some of the old hands knew how to do it using an Abacus/Slide Rule/Calculator/Back of a fag packet and directed the yoof appropriately; there is hope for us all:

As it happens, aluminium is the third most abundant mineral on Earth (after oxygen and silicon), and is widely processed (you can read that and more fascinating aluminium facts here) so this small hiccup will have little global consequence. Imagine however, if something like this was to befall a big national utility provider or anything else critical, worrying isn’t it?

In other worrying news this week is the fact that the lovely folk at ‘rose-smelling, butter wouldn’t melt’ Facebook, has mistakenly kept a copy of passwords for “hundreds of millions” users in plaintext. Although it does promise that they haven’t been seen outside the organisation and haven’t been abused by any employee, just like (presumably), Norsk Hydro would have said that its Active Directory was secure last Monday. Probably best change your Facebook password now.

Incidentally and extremely tangentially, has it occurred to you that the lower case ‘f’ in the Facebook logo is about as passive aggressive as it gets, or is that just our deeply buried, ok blatant, paranoia coming forth? Friends and family suggest it might just be the work of the ‘font-wallah’ – their words not ours, but we very much doubt that. Fetch the tin foil hats please.

Should you like some help to scour your networks for Indicators Of Compromise, talk about phishing defences and user education, whinge about your details being abused by monster Internet behemoths or anything else cyber security, please do contact our team at: [email protected] or call 020 7517 3900. They would love to hear from you and really can help.

Of course New Zealand hasn’t been the only country hit by tragedy. This week saw Cyclone Idai sweep through parts of Mozambique, Malawi and Zimbabwe killing hundreds, probably thousands and affecting over 2 million people.  They don’t need aluminium, but a few pounds might help.

Author: Kevin Whelan

Recent Posts

Leave a Comment

Tel:
+44 (0) 20 7517 3900