Oil and gas start-up companies need to think not only about raising funds, but also about having a strategy for dealing with cyberattacks. Cybersecurity defense firm Bromium recently uncovered evidence of an attack against an oil and gas technology start-up company’s website. The company that underwent the attack had just completed a round of fundraising from several companies, including one company based in the Middle East.
The reasonably sophisticated malware used indicates the attack was planned, said Rahul Kashyap, chief security architect and head of security research at Cupertino, California-based Bromium, in an interview with Rigzone. Kashyap previously led the world threat research teams at McAfee Labs, created and worked on several security technologies deployed in military, government, banking and healthcare institutions globally, and has led cyber defense strategies for several high-profile security investigations.
“When you make an announcement like that, you expect lots of people to visit sites, including journalists, manufacturers and oil and gas companies,” said Kashyap.
Visitors who looked at the site through Internet Explorer (IE) were infected with a Trojan malware program that disguises itself as part of Windows to evade detection and can receive remote commands to allow for the recording of keystrokes or installation of ransomware and other malicious programs.
“IE clearly has been the browser of choice for attackers this year,” said Kashyap. “Its ubiquity makes it a prime target.” Bromium’s recent report on key attack data in the first half of 2014 reflects this trend. “In this case, the attack was leveraging an unpatched, publicly disclosed low-severity Internet Explorer vulnerability, CVE-2013-7331.”
CVE stands for common vulnerabilities and exposures, which Kashyap likened to a universal, real-time dictionary of software vulnerabilities.
A Fortune 1000 company in the chemical manufacturing space detected and stopped the watering hole attack against the targeted start-up with Bromium’s software, said Kashyap. The attack technique used in this situation is indicative of some of the latest tradecraft that is making it more difficult to defeat cyberthreats with traditional defenses, said Kashyap. By placing malicious code on the company’s website, the hackers not only gained access to all of the start-up’s intellectual property, but also exposed a number of visitors who checked out the site after the funding news to the risk of infection.
“Attackers are surfacing in areas where people least expect it,” said Kashyap.
Attackers also are targeting end-users, preying on victims’ specific interests, and exploiting apps that companies must permit to run on nearly every device, such as browsers.
Kashyap said the oil and gas industry remains vulnerable to cyberattacks as it still employs a good deal of legacy SCADA equipment that is not up to standards in terms of security.
“The industry is already under attack, and we expect to find more and more evidence of attacks. If you have an IP address and intellectual property, you have to protect them.”
“The reality is that if we have something important, we have to be careful if we go online, given the way that the world is emerging and that there are no rigorous laws governing the Internet,” said Kashyap, adding that the company has captured evidence from the infected machine and is looking to identify the attacker.
Most cyberattackers are repackaging malware for deployment into the financial industry, and then repackaging it again for a cyberattack against an oil and gas company. In most cases, cyberattacks involve repackaged malware, but in some cases, malware is specifically written to target a particular platform, such as the Stuxnet attack, said Kashyap.
Cybersecurity has been a growing focus in the oil and gas industry; its increasing reliance on third-party vendor materials, products and services means it will need stronger cyber-risk management practices to protect its businesses from would-be hackers, Rigzone reported last year. To address cybersecurity risks, the U.S. oil and gas industry earlier this year launched the Oil and Natural Gas Information Sharing and Analysis Center to protect critical energy information from cyberattacks.
INTERNET EXPLORER LIKELY TO CONTINUE AS SWEET SPOT FOR ATTACKERS
Software vendors are responding to the increased focus on cybersecurity and high-profile attacks by improving their development practices, but all software is vulnerable to attack, according to the Bromium Labs Research Brief on endpoint exploitation trends for the first half of 2014.
“In the ever-shifting cyber-landscape, the attackers’ choice of targets is driven by the ease with which a particular product can be attacked, its importance to the intended targets of the attacker and how prevalent the software is in the market,” the report noted. “It is important to understand the changing dynamics of the battle against attackers because it enables organizations to make the most effective use of security personnel and defend against attackers in a more effective way.”
Growth in zero-day exploitation continued unabated from 2013 into the first half of 2014, with all of the zero-day attacks targeting end-user applications such as browsers and productivity applications like Microsoft Office.
“Typically, these attacks are launched leveraging users as bait using classic spear-phishing tactics,” Bromium said in the report.
One notable trend seen this year is that IE was the most patched and one of the most exploited products, surpassing other products such as Oracle Java and Adobe Flash. According to the report, IE set a record high for reported vulnerabilities in the first half of this year. IE also leads in the number of publicly reported exploits.
Even though IE is likely to continue as the browser of choice for cyberattacks, it remains popular within businesses because of its backward compatibility with older software, which is also the reason these issues crop up.
“The legacy code in IE is a blessing and a curse at the same time,” said Kashyap. “It affords flexibility to businesses, but the code in the browser is allowing this flexibility to be exploited by attackers.”
“Faster patching is clearly a good practice, but a lot more can be done for protection, such as evaluating a ‘defense in depth’ strategy by leveraging security technologies on employees’ PCs that provide protection without the need for significant updates.”
The report also found that:
- Web browser release cycles are becoming more frequent – as are initial security patches
- Adobe Flash is the primary browser plug-in being targeted by zero-day attacks this year
- New ‘Action Script Spray’ techniques targeting Flash have been uncovered in the wild, exploiting zero-day vulnerabilities