Download 2020 Report on Threats Affecting ICS Endpoints
The use of Industrial Control Systems (ICS) makes operations more efficient across many industries. These systems are powered by the interconnection of IT (information technology) and OT (operational technology), which helps boost efficiency and speed. Unfortunately, that same interconnection also exposes ICS to cyberthreats.
Securing these systems is vital, and endpoints are one of the components that must be protected. In our paper "2020 Report on Threats Affecting ICS Endpoints," we rounded up the types of threats that affected ICS endpoints the most in 2020, to help the industrial sector protect its systems against existing and impending security issues.
Ransomware in ICS can lead to loss of view and loss of control over physical processes, because these attacks encrypt a wide range of files, including the image and configuration files that the operator interface needs in order to render. Disrupted operations then translate directly into lost revenue. Victims can also lose money to extortion, as more ransomware operators now threaten to publish stolen data as well.
In 2020, the ransomware variants we detected the most in ICS were Nefilim, Ryuk, LockBit, and Sodinokibi, mostly due to increased attacks from September to December.
  RYUK            19.8%
  NEFILIM         14.6%
  SODINOKIBI      13.5%
  LOCKBIT         10.4%
  CRYPTESLA        7.3%
  BITPAYMER        5.2%
  EGREGOR          4.2%
  LOCKY            4.2%
  MEDUSALOCKER     3.1%
  BLOCKER          2.1%
  CRYPCRYPMOD      2.1%
  CRYPTWALL        2.1%
  DOPPELPAYMER     2.1%
  LEDIF            2.1%
  NETWALKER        2.1%
  COLDLOCK         1.0%
  CONTI            1.0%
  EXX              1.0%
  WANNACRYPT       1.0%
  ZEPPELIN         1.0%
Figure 1. Breakdown of ransomware that affected ICS in 2020, as a share of detections (Source: Trend Micro™ Smart Protection Network™ infrastructure)
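Since the loss-of-view scenario above comes down to the interface's configuration and image files being overwritten with ciphertext, a cheap endpoint-side check is to baseline those files and look for changes whose content has turned into high-entropy data. The script below is an added example, not code from the report or from Trend Micro: it hashes a watched set of file types under an HMI project directory, then classifies each file on re-check as unchanged, legitimately edited, likely encrypted (changed and near 8 bits of entropy per byte), missing, or newly created. The watched suffix list, the 7.5 bit/byte threshold and the constructed temp-directory scenario in `simulate_attack()` are assumptions for the demo.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path
from tempfile import mkdtemp

# Suffixes of the project, configuration and screen-image files an HMI needs
# to render its views. Assumed list for this example; match it to the vendor.
WATCHED_SUFFIXES = {".cfg", ".ini", ".xml", ".prj", ".bmp", ".png", ".jpg"}
# Bits of entropy per byte above which a changed file is treated as ciphertext.
# Real config and image data sit well below this; encrypted data nears 8.0.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: str) -> dict:
    """Baseline: relative path -> SHA-256 of every watched file under root."""
    base = Path(root)
    return {
        str(p.relative_to(base)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(base.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def check_manifest(root: str, manifest: dict) -> dict:
    """Compare the directory against the baseline. Status per path:
    ok, modified (edited but still plaintext-like), likely_encrypted,
    missing (renamed or deleted) and new (e.g. ransom notes, .locked copies)."""
    base = Path(root)
    status = {}
    for rel, digest in manifest.items():
        p = base / rel
        if not p.exists():
            status[rel] = "missing"
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            status[rel] = "ok"
        elif shannon_entropy(data) >= ENTROPY_THRESHOLD:
            status[rel] = "likely_encrypted"
        else:
            status[rel] = "modified"
    for p in base.rglob("*"):
        rel = str(p.relative_to(base))
        if p.is_file() and rel not in manifest:
            status[rel] = "new"
    return status


def simulate_attack() -> dict:
    """Constructed scenario in a temp directory: baseline two HMI files, then
    'encrypt' one, legitimately edit the other, and drop a ransom note."""
    root = mkdtemp()
    cfg, screen = Path(root, "plant.cfg"), Path(root, "screen1.bmp")
    cfg.write_bytes(b"[plant]\nsetpoint=42\nalarm_high=80\n" * 40)
    screen.write_bytes(b"BM" + b"\x00" * 2000)
    baseline = build_manifest(root)
    # Deterministic stand-in for ciphertext: 4 KiB of chained SHA-256 output.
    fake_ciphertext = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    cfg.write_bytes(fake_ciphertext)
    screen.write_bytes(b"BM" + b"\x01" * 2000)            # operator redrew a screen
    Path(root, "HOW_TO_DECRYPT.txt").write_bytes(b"...")  # constructed ransom note
    return check_manifest(root, baseline)


if __name__ == "__main__":
    for path, state in sorted(simulate_attack().items()):
        print(f"{state:17} {path}")
```

Run the baseline from a known-good state (for example right after commissioning or after a verified restore) and store the manifest off the endpoint; a manifest kept beside the files it protects is just one more file for the ransomware to encrypt.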
For coinminers, the CPU load of the mining activity degrades the performance of ICS endpoints. The threat can make ICS slow and unresponsive, indirectly causing loss of control and view. This is especially true when the affected computers have low CPU capacity and/or run outdated operating systems, which is not rare in industrial environments.
For 2020, the coinminer we detected the most on ICS was the post-intrusion coinminer MALXMR. It was typically installed filelessly, but starting in 2019 we have also seen MALXMR infections propagated through the EternalBlue exploit (MS17-010, SMBv1).
  MALXMR           51.9%
  WORM_COINMINER   15.4%
  TOOLXMR          15.4%
  CRYPTONIGHT       4.8%
  ETHEREUM          3.8%
  COINHIVE          2.9%
  BITMINER          1.0%
  BTCMINER          1.0%
  OTHERS            4.0%
Figure 2. Breakdown of coinminers affecting ICS in 2020, as a share of detections (Source: Trend Micro™ Smart Protection Network™ infrastructure)
First discovered in 2008, Conficker is more than a decade old, but this persistent threat is still being detected. Containing a rapidly spreading worm is not easy, especially when, as with Conficker, it uses several propagation methods: a network exploit, removable drives, and credential brute force.
Conficker was first known to spread widely via the MS08-067 vulnerability in the Windows Server service. MS08-067 does not apply to Windows 10 or Windows 7; yet our 2020 data shows that most Conficker infections were detected on these operating systems. This means the infections detected in ICS are spreading via removable drives or dictionary attacks against the ADMIN$ share.
  Windows 10 (10.0)                                                               55.0%
  Windows 7 Ultimate Professional Service Pack 1 (6.1)                            39.7%
  Microsoft Windows XP Professional Service Pack 3 (5.1)                           2.7%
  Microsoft Windows Server 2008 Server 4.0, Enterprise Edition Service Pack 1 (6.1) 1.3%
  Microsoft Windows Server 2008 Server 4.0 Service Pack 1 (6.1)                    0.3%
  Microsoft Windows Server 2012 Server 4.0 (6.3)                                   0.3%
  Microsoft Windows XP Professional Service Pack 3, v.6419 (5.1)                   0.3%
  Windows 8 Professional (6.3)                                                     0.3%
Figure 3. OS distribution of ICS endpoints with Conficker detections (Source: Trend Micro™ Smart Protection Network™ infrastructure)
Like Conficker, legacy malware is old, but it is still persistently detected in ICS. USB thumb drives used to transfer files and data between air-gapped networks let such legacy worms propagate. Another likely cause is the use of unscanned removable drives to create system backups or cold-standby terminals.
In 2020, the legacy malware variants we detected the most were Sality, Ramnit, and Autorun. Although they are not associated with notorious cybercrime groups, their persistence in industrial networks reveals insufficient security and maintenance of data backups and removable drives.
Figure 4. Breakdown of legacy malware detected in ICS endpoints (Source: Trend Micro™ Smart Protection Network™ infrastructure)
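The two propagation paths named above for Conficker (dictionary attacks against ADMIN$) and for the legacy worms (removable drives) both leave artifacts a defender can check for even on endpoints that cannot be patched. The script below is an added example, not code from the report or from Trend Micro: one function scans Windows Security events for a source that sprays network logons (event 4625, LogonType 3) across several usernames in a short window and then opens ADMIN$ (event 5140), and a second function inspects an `autorun.inf` from a removable drive and reports the traits of a worm dropper. The event lines and the `autorun.inf` are constructed for the example (field names follow the real 4625/5140 schemas, values and the SID are invented), and the window, failure-count and username thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Windows Security events, one per line. Field names follow the
# 4625 (failed logon) and 5140 (share accessed) schemas; all values are invented.
SAMPLE_EVENTS = r"""
2020-11-03T02:14:01 EventID=4625 LogonType=3 TargetUserName=admin IpAddress=10.20.5.17
2020-11-03T02:14:01 EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.20.5.17
2020-11-03T02:14:02 EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.20.5.17
2020-11-03T02:14:02 EventID=4625 LogonType=3 TargetUserName=operator IpAddress=10.20.5.17
2020-11-03T02:14:03 EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.20.5.17
2020-11-03T02:14:03 EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.20.5.17
2020-11-03T02:14:09 EventID=5140 SubjectUserName=Administrator IpAddress=10.20.5.17 ShareName=\\*\ADMIN$
2020-11-03T08:00:00 EventID=4625 LogonType=2 TargetUserName=operator IpAddress=127.0.0.1
2020-11-03T08:00:05 EventID=4625 LogonType=2 TargetUserName=operator IpAddress=127.0.0.1
"""

# Constructed autorun.inf in the style of a USB worm dropper (not a real sample):
# junk keys ahead of [autorun], a spoofed action label, and a rundll32 launcher.
SAMPLE_AUTORUN = """\
ZkWpxSQSu=dgJhHmcb
[autorun]
action=@%SystemRoot%\\system32\\shell32.dll,-8496
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=RunDLL32.EXE .\\RECYCLER\\S-1-5-21-1000\\payload.vmx,start
useautoplay=1
"""


def parse_event(line: str) -> dict:
    """'<iso timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    ev["EventID"] = int(ev["EventID"])
    return ev


def detect_admin_share_bruteforce(lines, window_s=60, min_failures=5, min_users=3):
    """One finding per source IP that sprays network logons (LogonType 3) over
    several usernames within window_s seconds; 'high' if the same source then
    opens ADMIN$. Thresholds are assumptions to tune per site."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_event(line)
            by_src[ev.get("IpAddress")].append(ev)
    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["EventID"] == 4625 and e.get("LogonType") == "3"]
        for i, first in enumerate(fails):  # sliding window anchored on each failure
            burst = [e for e in fails[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            users = sorted({e["TargetUserName"].lower() for e in burst})
            if len(burst) >= min_failures and len(users) >= min_users:
                break
        else:
            continue  # no qualifying burst from this source
        touched_admin = any(e["EventID"] == 5140 and e.get("ShareName", "").upper().endswith("ADMIN$")
                            and e["ts"] >= first["ts"] for e in evs)
        findings.append({"source": src, "failures": len(burst), "usernames": users,
                         "admin_share_after_burst": touched_admin,
                         "severity": "high" if touched_admin else "medium"})
    return findings


def inspect_autorun(text: str) -> list:
    """Reasons an autorun.inf looks like a worm dropper. Only keys inside
    [autorun] count, as Windows does, so padding ahead of the section is ignored."""
    reasons, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            reasons.append(f"{key} launches: {value}")
            if re.search(r"rundll32|recycler|\.vmx", value, re.I):  # assumed indicator list
                reasons.append("launcher points at rundll32 or a payload hidden under RECYCLER")
        if key == "action" and value.startswith("@"):
            reasons.append(f"action label loaded from a resource string ({value}), the usual "
                           "way to mimic the built-in 'Open folder to view files' entry")
    return reasons


if __name__ == "__main__":
    for finding in detect_admin_share_bruteforce(SAMPLE_EVENTS.strip().splitlines()):
        print(finding)
    for reason in inspect_autorun(SAMPLE_AUTORUN):
        print("autorun.inf:", reason)
```

The logon check needs auditing of failed logons and file-share access enabled on the target, which is often switched off on older engineering workstations; the `autorun.inf` check is only a triage aid, since a drive can carry a worm without one, so scanning removable media before it reaches a backup or cold-standby terminal remains the primary control.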