
Biz & IT

New ransomware doesn’t just encrypt data. It also meddles with critical infrastructure



Over the past five years, ransomware has emerged as a vexing menace that has shut down factories, hospitals, and local municipalities and school districts around the world. In recent months, researchers have caught ransomware doing something that’s potentially more sinister: intentionally tampering with industrial control systems that dams, electric grids, and gas refineries rely on to keep equipment running safely.

A ransomware strain discovered last month and dubbed Ekans contains the usual routines for disabling data backups and mass-encrypting files on infected systems. But researchers at security firm Dragos found something else that has the potential to be more disruptive: code that actively seeks out and forcibly stops applications used in industrial control systems (usually abbreviated ICS). Before starting file-encryption operations, the ransomware kills processes listed by process name in a hard-coded list within the encoded strings of the malware.

In all, Ekans kills 64 processes, including those spawned by human-machine interfaces from Honeywell, the Proficy Historian from General Electric, and licensing servers from GE Fanuc. The same 64 processes, it turns out, are targeted in a version of the MegaCortex ransomware. That version first came to light in August.
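The kill-list behaviour described above (one process terminating many ICS-related processes in quick succession just before encryption begins) is something defenders can look for in endpoint telemetry. The following is an added example, not code from the article or from Dragos: it runs a sliding-window count of distinct processes terminated per actor over constructed, placeholder log records, since the article does not list the 64 process names.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article or from Dragos): one JSON
# record per line for each "process A terminated process B" event. Field names
# and process names are placeholders invented for this example.
PLACEHOLDER_VICTIMS = [f"ics_app_{i}.exe" for i in range(12)]
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": "2020-02-03T10:00:00", "actor_pid": 812,
                 "actor": "taskmgr.exe", "victim": "notepad.exe"}),
     json.dumps({"ts": "2020-02-03T10:05:00", "actor_pid": 812,
                 "actor": "taskmgr.exe", "victim": "calc.exe"})]
    + [json.dumps({"ts": f"2020-02-03T10:07:{i:02d}", "actor_pid": 4120,
                   "actor": "unknown.exe", "victim": name})
       for i, name in enumerate(PLACEHOLDER_VICTIMS)]
)

def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events

def find_mass_kills(events, window=timedelta(seconds=30), threshold=10):
    """Flag any actor that terminates >= threshold distinct process names
    within a sliding time window, the pre-encryption pattern described above."""
    by_actor = defaultdict(list)
    for event in events:
        by_actor[(event["actor_pid"], event["actor"])].append(event)
    alerts = []
    for (pid, name), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, set()
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            victims = {e["victim"] for e in evs[start:end + 1]}
            if len(victims) > len(best):
                best = victims
        if len(best) >= threshold:
            alerts.append({"actor_pid": pid, "actor": name,
                           "distinct_victims": len(best),
                           "victims": sorted(best)})
    return alerts

if __name__ == "__main__":
    for alert in find_mass_kills(parse_events(SAMPLE_LOG)):
        print(alert)
```

The window keeps an administrator closing two programs five minutes apart from firing, while a burst of a dozen terminations within seconds does.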

ICS-specific functionality

By ceasing operations at hospitals, factories, and other mission-critical environments, ransomware has always represented a threat to safety. But the resulting damage remained largely contained to IT systems inside targeted networks. Unless the ransomware made an unexpected jump to ICS networks—which are usually segregated and better fortified—the likelihood of disrupting sensitive industrial systems seemed remote. In a post published on Monday, Dragos researchers wrote:

Ekans (and apparently some versions of MegaCortex) shift this narrative as ICS-specific functionality is directly referenced within the malware. While some of these processes may reside in typical enterprise IT networks, such as Proficy servers or Microsoft SQL servers, inclusion of HMI software, historian clients, and additional items indicates some minimal, albeit crude, awareness of control system environment processes and functionality.

Monday’s report described Ekans’ ICS targeting as minimal and crude because the malware simply kills various processes created by widely used ICS programs. That’s a key differentiator from ICS-targeting malware discovered over the past few years with the ability to do much more serious damage. One example is Industroyer, the sophisticated malware that caused a power outage in Ukraine in December 2016 in a deliberate and well-executed attempt to leave households without electricity in one of the country’s coldest months.

Another example is Trisis (aka Triton), which deliberately tampered with systems that were designed to prevent health- and life-threatening accidents inside a critical infrastructure facility in the Middle East. Other examples include the Stuxnet worm that targeted Iran’s nuclear program a decade ago, the BlackEnergy malware used to create a regional blackout in Ukraine in December 2015 (a year before the Industroyer incident), and espionage malware known as Havex, which targeted 2,000 industrial sites with code that mapped out industrial equipment and devices.

Industroyer, Trisis, and the other examples contained code that surgically and painstakingly tampered with, mapped, or dismantled certain highly sensitive functions inside the critical infrastructure sites they targeted. Ekans and MegaCortex, by contrast, simply kill processes spawned by ICS software. It remains unclear precisely what effect the killing of those processes would have on the safety of operations inside infected facilities.

Another reason Dragos considers Ekans to be a “relatively primitive attack” is that the ransomware has no mechanism to spread. That makes Ekans much less of a threat than ransomware such as Ryuk, which quietly collects credentials for months on infected systems so it can eventually proliferate widely through almost all parts of a targeted network.

Monday’s post also challenged recent reporting that Ekans, which also goes by the name Snake, was created by Iran. The report, which was based on research findings from security firm Otorio, cited similarities to previously known Iranian malware and operations. Dragos researchers said that the firm “finds any such link to be incredibly tenuous based upon available evidence.”

Despite the lack of sophistication and no established links to nation states, Ekans warrants serious attention by organizations with ICS operations.

“While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static ‘kill list’ shows a level of intentionality previously absent from ransomware targeting the industrial space,” Dragos researchers wrote. “ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.”


Cox’s bad customer service stymies users who don’t want upload speeds cut



Cox has been making it extremely difficult or impossible for some customers to stick with their current Internet speeds despite promising that it won’t force users onto plans with slower uploads.

As we wrote two weeks ago, Cox informed customers with 300Mbps download and 30Mbps upload speeds that they will be switched to a plan with 500Mbps downloads and 10Mbps uploads on March 3. A Cox spokesperson told Ars at the time that customers can stay on the plan with 30Mbps uploads as long as they upgrade to a DOCSIS 3.1 modem. But Cox’s email to its customers did not mention this option, and customers who called Cox customer service have since been told in no uncertain terms that they cannot stay on their current plans.

Several Cox users from California emailed Ars about the problem after reading our article, all with similar experiences.

“I just got off the phone with a Cox tech rep and she said that my current Ultimate Classic plan (300/30) is going away regardless of whether I upgrade to a DOCSIS 3.1 modem or not,” a customer whose first name is Dam and lives in Aliso Viejo, California, told Ars on Thursday last week. “When the time comes in March, my new plan will be the new Ultimate 500/10. I told her about your article and she said that is not what she’s seeing in her system or hearing from her higher-ups.”

We contacted Cox about the problem on Friday last week, and a Cox spokesperson admitted that the company failed to ensure that sales reps know customers are allowed to stay on the 300/30Mbps plan.

“There clearly are some gaps that we need to address to avoid this confusion,” Cox told Ars on Monday. “We’re in the process of retraining our frontline-facing teams to make sure they are consistently communicating the options available to impacted customers, including staying on their existing plan of 300/30 so long as they upgrade their modem.”

As before, customers will be automatically switched from the 300/30Mbps plan to the 500/10Mbps tier unless they contact customer service and insist on keeping their plan. The change to download and upload speeds will happen regardless of whether customers have an upgraded modem, but customers who stick with an older modem may not get the full 500Mbps download speeds. Cox, which has about 5.3 million Internet customers in 19 states, says the changes are related to a network upgrade.

Cox’s customer-service screwup

The evidence (including Cox’s email to customers and statements from Cox sales reps to customers) makes it seem as if Cox didn’t intend to let customers keep their 30Mbps upload speeds until the company faced criticism and media exposure two weeks ago. That would explain why customer-service reps have told customers they must give up the 300/30Mbps plan and why Cox is now scrambling to tell employees about the option.

However, a Cox spokesperson told Ars that the company “always” intended to let customers keep the 30Mbps upload speeds. If that is true, then the company totally screwed up its messaging to customers and the change to its customer-service systems.

Cox described the fix now being implemented as a “retraining” in a statement to Ars yesterday:

Our frontline care agents were originally trained late January ahead of the first batch of customer communications in early February. Based on the feedback from a few customers, including the ones you shared, we are revisiting training to ensure ALL customers are getting consistent and correct information. To that end, we are in the process of conducting refresher training that will run through the end of this week for all our frontline employees.

As we retrain our employees, we are making sure they are communicating the options available to impacted customers, including staying on their existing Ultimate Classic plan (300/30) so long as they upgrade their modem. Staying on this plan was always an available option, albeit not one that was communicated as clearly as it could have been. We want to be sure customers clearly understand their options if they need more upload speed.

The 500/10Mbps plan is a direct replacement for the 300/30Mbps plan in terms of price and its place within Cox’s speed tiers. It costs $80 a month for the first year and $100 after the promo period expires. With the 300/30Mbps plan being discontinued, the only option with upload speeds higher than 10Mbps is the “Gigablast” plan with 940Mbps download speeds and 35Mbps upload speeds. That plan generally costs $100 during the promo period and $120 afterward, but some customers have been offered a $92.50 promotional rate. Cox charges $12 a month for a combined modem and router, but customers can use their own compatible equipment to avoid the rental fee.

Cox’s email notifying users of the upcoming download and upload speed changes said that customers who want upload speeds above 10Mbps can “call to learn more about equipment and our speed plans,” but it did not mention the option of staying on the same 300/30Mbps plan. Customers who received this email and those who contact Cox before all of the customer-service problems are solved may still mistakenly believe that keeping their plan isn’t an option. They would thus have their upload speeds cut to 10Mbps automatically when the change takes effect next week. We asked Cox if it is contacting all of these customers again to make clear they can avoid the upload-speed cut, and we will update this article if we get an answer.

Cox has apparently struggled to provide advertised upload speeds during the pandemic. In June 2020, we wrote about how Cox warned some customers about “excessive” upload usage and how the company lowered upload speeds on the Gigablast plan from 35Mbps to 10Mbps in some entire neighborhoods where its network was having trouble.


Ukraine says Russia hacked its document portal and planted malicious files



Ukraine has accused the Russian government of hacking into one of its government Web portals and planting malicious documents that would install malware on end users’ computers.

“The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities,” officials from Ukraine’s National Coordination Center for Cybersecurity said in a statement published on Wednesday. “The malicious documents contained a macro that secretly downloaded a program to remotely control a computer when opening the files.”

Wednesday’s statement said that the methods used in the attack connected the hackers to the Russian Federation. Ukraine didn’t say if the attack succeeded in infecting any authorities’ computers.

A large body of evidence has linked Russia’s government to several highly aggressive hacks against Ukraine in the past. The hacks include:

  • A computer intrusion in late 2015 against regional power authorities in Ukraine. It caused a power failure that left hundreds of thousands of homes without electricity in the dead of winter.
  • Almost exactly one year later, a second attack at an electricity substation outside Kyiv that once again left residents without power.
  • A malicious update for widely used tax software in Ukraine that distributed disk-wiping malware to users. The so-called NotPetya worm ended up shutting down computers worldwide and led to the world’s most costly hack.

Elsewhere, Russia’s SVR intelligence agency has also been accused of carrying out the recently discovered hack that targeted at least nine US agencies and 100 companies in a supply chain attack against customers of the SolarWinds network management software.

Wednesday’s statement didn’t identify which of several known Russian hacking groups was accused of the breach.

Macro attacks like the one mentioned in the statement typically work by tricking Microsoft Office users into enabling macros, often under the guise that the macro is required for the document to display properly. The macros then download malware from an attacker-controlled server and install it.
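As an added example that is not from the Ukrainian statement or from any product, the following mail-gateway style triage checks an inbound Office document for an embedded VBA project, the component the macro attack described above depends on. The OOXML parts, content-type strings and fixture files are constructed for the example; legacy OLE2 (.doc) files are routed for review rather than judged, because their VBA storage needs a separate OLE parser.

```python
import io
import zipfile

# Legacy binary Office files (.doc/.xls) are OLE2 compound files with this magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}

def inspect_office_file(data: bytes) -> dict:
    """Report the container type and whether a VBA project is present."""
    if data.startswith(OLE_MAGIC):
        # VBA in OLE2 files sits in an embedded storage that needs an OLE
        # parser; report it as undetermined so the caller routes it for review.
        return {"kind": "ole2", "has_vba": None, "macro_enabled_type": None}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"kind": "unknown", "has_vba": None, "macro_enabled_type": None}
    names = archive.namelist()
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    macro_type = False
    if "[Content_Types].xml" in names:
        # Macro-enabled OOXML declares e.g. ...ms-word.document.macroEnabled.main+xml
        content_types = archive.read("[Content_Types].xml").decode("utf-8", "replace")
        macro_type = "macroenabled" in content_types.lower()
    return {"kind": "ooxml", "has_vba": has_vba, "macro_enabled_type": macro_type}

def triage(filename: str, data: bytes) -> str:
    """Gateway verdict for an inbound document."""
    info = inspect_office_file(data)
    extension = filename.rsplit(".", 1)[-1].lower()
    if info["kind"] != "ooxml":
        return f"review:{info['kind']}"            # needs deeper parsing first
    if info["has_vba"] and extension in MACRO_FREE_EXTENSIONS:
        return "block:vba-behind-macro-free-extension"
    if info["has_vba"] or info["macro_enabled_type"]:
        return "block:vba"                         # macro-capable document
    return "allow"

def fixture(content_types: str, with_vba: bool) -> bytes:
    """Constructed test fixture: a minimal OOXML-style zip (not a real document)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", content_types)
        archive.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            archive.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buffer.getvalue()

PLAIN_TYPES = ('<Types><Override PartName="/word/document.xml" ContentType="application/'
               'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
MACRO_TYPES = ('<Types><Override PartName="/word/document.xml" ContentType="application/'
               'vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
CLEAN_DOCX = fixture(PLAIN_TYPES, with_vba=False)
MACRO_DOCM = fixture(MACRO_TYPES, with_vba=True)
DISGUISED_DOCX = fixture(PLAIN_TYPES, with_vba=True)   # macro project behind a .docx name
```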

The statement provided no details on how or when Ukraine’s System of Electronic Interaction of Executive Bodies—a portal that distributes documents to public authorities—was hacked or how long the intrusion lasted.

The statement also listed indicators of compromise, consisting of IP addresses and a link (URL).

Wednesday’s statement came two days after Ukraine’s National Coordination Center for Cybersecurity reported what it said were “massive DDoS attacks on the Ukrainian segment of the Internet, mainly on the websites of the security and defense sector.” An analysis revealed that the attacks used a new mechanism that hadn’t been seen before. DDoS attacks take down targeted servers by bombarding them with more data than they can process.


Android users now have an easy way to check the security of their passwords




Google is adding its Password Checkup feature to Android, making the mobile OS the latest of the company’s products to give users an easy way to check whether the passcodes they’re using have been compromised.

Password Checkup works by checking credentials entered into apps against a list of billions of credentials compromised in the innumerable website breaches that have occurred in recent years. In the event there’s a match, users receive an alert, along with a prompt that can take them to Google’s password manager page, which offers a way to review the security of all saved credentials.

Alerts look like this:


Google introduced Password Checkup in early 2019, in the form of a Chrome extension. In October of that year, the feature made its way into the Google Password Manager, a dashboard that examines Web passwords saved within Chrome that are synchronized using a Google account. Two months later, the company added it to Chrome.

Google’s Password Manager makes it easy for users to directly visit sites using bad passwords by clicking the “Change Password” button displayed next to each compromised or weak password. The password manager is accessible from any browser, but it works only when users sync credentials using their Google account password, rather than an optional standalone password.

The new password checkup was available as of Tuesday on Android 9 and above for users of autofill with Android, a feature that automatically adds passwords, addresses, payment details, and other information commonly entered into Web and app forms.

The Android autofill framework uses advanced encryption to ensure that passwords and other information are available only to authorized users. Google has access to user credentials only when users 1) have already saved a credential to their Google account and 2) were offered to save a new credential by the Android OS and chose to save it to their account.

When a user interacts with a password by either filling it into a form or saving it for the first time, Google uses the same encryption that powers the Privacy Checkup in Chrome to check if the credential is part of a list of known compromised passwords. The Web application interface sends only passwords that are cryptographically hashed using the Argon2 function to create a search key that’s encrypted with Elliptic Curve cryptography.

In a post published Tuesday, Google said that the implementation ensures that:

  • Only an encrypted hash of the credential leaves the device (the first two bytes of the hash are sent unencrypted to partition the database)
  • The server returns a list of encrypted hashes of known breached credentials that share the same prefix
  • The actual determination of whether the credential has been breached happens locally on the user’s device
  • The server (Google) does not have access to the unencrypted hash of the user’s password and the client (User) does not have access to the list of unencrypted hashes of potentially breached credentials

Google has written more about how the implementation works here.
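To make the four properties above concrete, here is an added example that is not Google’s code: it models the exchange with SHA-256 in place of Argon2 and with modular exponentiation in a labelled demo prime field in place of the elliptic-curve blinding, so that only a 2-byte prefix and a client-blinded hash leave the client, the server returns a server-blinded bucket, and the comparison happens locally. The group parameter, hash choice and credential format are assumptions of the example.

```python
import hashlib
import secrets
from math import gcd

# Demo group: the Mersenne prime 2**521 - 1. Google's post describes elliptic-curve
# blinding; a prime-field exponent plays the same commutative role here. This
# parameter is an assumption of the example, not the production choice.
P = (1 << 521) - 1

def credential_hash(username: str, password: str) -> bytes:
    """Stand-in for the Argon2 hash named in the article (SHA-256 keeps the
    example standard-library only; the protocol shape does not change)."""
    return hashlib.sha256(f"{username}:{password}".encode()).digest()

def to_group(digest: bytes) -> int:
    """Map a 32-byte digest onto a nontrivial element of the demo group."""
    return int.from_bytes(digest, "big") % (P - 3) + 2

def new_blinding_key() -> int:
    """Random exponent coprime to the group order, so blinding is a bijection."""
    while True:
        key = secrets.randbelow(P - 2) + 2
        if gcd(key, P - 1) == 1:
            return key

class CheckupServer:
    """Holds breached credentials only as server-blinded values, bucketed by the
    first two bytes of the unblinded hash (the partition key sent in the clear)."""
    def __init__(self, breached_credentials):
        self.key = new_blinding_key()
        self.buckets = {}
        for username, password in breached_credentials:
            digest = credential_hash(username, password)
            blinded = pow(to_group(digest), self.key, P)
            self.buckets.setdefault(digest[:2], []).append(blinded)

    def lookup(self, prefix: bytes, blinded_query: int):
        """Blind the client's query a second time and return the matching bucket.
        The server never sees the client's unblinded hash."""
        return pow(blinded_query, self.key, P), self.buckets.get(prefix, [])

def client_check(server: CheckupServer, username: str, password: str) -> bool:
    """Client side: only the 2-byte prefix and a client-blinded hash leave the
    device; the breach decision is made locally."""
    digest = credential_hash(username, password)
    client_key = new_blinding_key()
    blinded_query = pow(to_group(digest), client_key, P)
    double_blinded, bucket = server.lookup(digest[:2], blinded_query)
    # Exponents commute: (g^k_server)^k_client == (g^k_client)^k_server, so a
    # breached entry for this exact credential matches, and nothing else does.
    return any(pow(entry, client_key, P) == double_blinded for entry in bucket)
```

Because both blinding exponents are invertible, the client can decide membership without ever seeing an unblinded breached hash, and the server never learns the client's hash.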

On most Android devices, autofill can be enabled by:

  1. Opening Settings
  2. Tapping System > Languages & input > Advanced
  3. Tapping Autofill service
  4. Tapping Google to make sure the setting is enabled

Separately, Google on Tuesday reminded users of two other security features added to Android autofill last September. The first is a password generator that will automatically choose a strong and unique password and save it to users’ Google accounts. The generator can be accessed by long-pressing the password field and selecting Autofill in the pop-up menu.

Users can also configure the Android autofill to require biometric authentication before it will add credentials or payment information to an app or Web field. Biometric authentication can be enabled inside of the Autofill with Google settings.
