IT NEWS

A week in security (August 22 – August 28)

Last week on Malwarebytes Labs:

Stay safe!

Twilio data breach turns out to be more elaborate than suspected

Earlier this month, messaging service Twilio got compromised by a sophisticated social engineering attack. After deploying phishing attacks against company employees, hackers were able to access user data, but now it seems that the impact of the hack was more elaborate than originally assumed.

In a first update, Twilio, a cloud-based communication platform provider, revealed that the attackers also compromised the accounts of some users of Authy, its two-factor authentication (2FA) app. Outside of Twilio, the identity authentication company Okta revealed that the data of some Okta customers was accessible to a threat actor, as well. And Signal tweeted that they, too, had been affected by the Twilio breach.

Authy

Authy is a two-factor authentication (2FA) service from Twilio that allows users to secure their online accounts by double-checking the login attempt via a dedicated app, after typing in the login credentials.

By gaining access to 2FA data, the malicious actors gained access to the accounts of 93 individual Authy users and registered additional devices to their accounts. Twilio says that it has now removed such devices from accounts.

Okta

Okta has determined that a small number of mobile phone numbers and associated SMS messages containing one-time passwords (OTPs) were accessible to the threat actor via the Twilio console. A one-time password is an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session. OTPs typically expire after a short period (up to one minute).

Okta offers customers a range of authenticators to choose from, including the use of SMS for the delivery of one-time codes. Twilio provides one of two services Okta leverages for customers that choose to use SMS as an authentication factor.

Signal

Signal is an end-to-end encrypted messaging service, similar to WhatsApp or iMessage, but owned and operated by a non-profit foundation. Twilio provides Signal with phone number verification services. As a result of the attack on Twilio, Signal warned that for 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. These 1,900 users were notified directly, and prompted to re-register.

Signal’s tweet about the Twilio breach

Scatter Swine

The Twilio data breach appears to be part of a larger campaign from hackers that targeted at least 130 organizations, among them MailChimp, Klaviyo, and Cloudflare.

In this campaign, spanning recent months, a number of technology companies were subject to persistent phishing attacks by a threat actor that you will see referred to as Scatter Swine or Oktapus. This threat actor is known to repeatedly target the same organizations with multiple phishing attacks within a matter of hours.

In the Twilio case, the threat actor searched for 38 unique phone numbers in the Twilio console, nearly all of which can be linked to a single targeted organization. A review of logs provided by Twilio revealed that the threat actor was seeking to expand their access. It is likely that the threat actor used credentials previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for OTPs sent in those challenges.

Mitigation

If you are a user of any of the services mentioned above, you should have been notified if your account was affected, but it doesn’t hurt to check the advice and details about the attack on their respective sites.

One general piece of advice is to be extra vigilant about “new device added” notifications from any provider. This could be a warning signal that a threat actor is trying to intercept 2FA messages or OTPs that are intended for you.

Playing Doom on a John Deere tractor with Sick Codes: Lock and Code S03E18

In 1993, the video game developers at id Software released Doom, a first-person shooter that placed a nameless protagonist into the fiery depths of hell, equipped with an arsenal of weapons to mow down imps, demons, lost souls, and the intimidating “Barons of Hell.” 

In 2022, the hacker Sick Codes installed a modified version of Doom on the smart control panel of a John Deere tractor, with the video game’s nameless protagonist this time mowing down something entirely more apt for the situation: Corn.

At DEFCON 30, Sick Codes presented his work to an audience of onlookers at the conference’s main stage. His efforts to run the modified version of Doom, which are discussed in today’s episode of Lock and Code with host David Ruiz, are not just good for a laugh, though. For one specific community, the work represents a possible, important step forward in their own fight—the fight for the “right to repair.” 

“Right to Repair” enthusiasts want to be able to easily repair the things they own. It sounds like a simple ask, but when’s the last time you repaired your own iPhone? When’s the last time you were even able to replace the battery yourself on your smartphone?

The right to repair your equipment, without intervention from an authorized dealer, is hugely important to some farmers. If their tractor breaks down because of a software issue, they don’t want to wait around for someone to have to physically visit their site to fix it. They want to be able to fix it then and there and get on with their work.

So, when a hacker shows off that he was able to do something that wasn’t thought possible on a device that can be notoriously difficult to self-repair, it garners attention.  

Today, we speak with Sick Codes about his most recent work on a John Deere tractor, and how his work represents a follow-up to what he and a group of researchers showed last year, when he revealed how he was able to glean an enormous amount of information about John Deere smart tractor owners from John Deere’s data operations center. This time around, as Sick Codes explained, the work was less about tinkering around on a laptop and more about getting physical with a few control panels that he found online.

“It’s kind of like surgery but for metallic objects, if that makes sense. Non-organic material.”

Tune in today to listen to Sick Codes discuss his work, why he did what he did, and how John Deere has reacted to his research. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Source code of password manager LastPass stolen by attacker

In a security incident notice from LastPass, the company informed the public that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account. There is no evidence that this incident involved any access to customer data or encrypted password vaults.

LastPass

LastPass offers a password manager which is reportedly used by more than 33 million people and 100,000 businesses around the world. A password manager is a software application designed to store and manage online credentials. It also generates strong passwords. Usually, these passwords are stored in an encrypted database and locked behind a master password.

Stolen passwords

Because of the nature of their business, a breach notification naturally worries people that the passwords they stored in their password manager may have been leaked or compromised. And indeed there was some speculation on social media that hackers may be able to access the keys to password vaults after stealing source code and proprietary information.

Since your individual passwords are encrypted and locked behind a master password that even LastPass does not know, this worry seems unjustified. That said, in December of 2021, LastPass users reported that their master passwords were compromised after receiving email warnings that someone had tried to use them to log into their accounts from unknown locations and devices. LastPass determined that these were the result of a credential stuffing attack. Credential stuffing is a special type of brute force attack where the attacker uses existing username and password combinations, usually ones that were stolen in a data breach on another service.

Randomly generated passwords

Depending on the source code that was stolen, there could be reason to worry about randomly generated passwords. Since software produces pseudo-random rather than truly random numbers, having access to the source code might make it possible to predict the “random” generated passwords.

While that may seem far-fetched, a determined attacker with enough background knowledge about the circumstances under which the password was generated (for example the length of the password, date of creation, username and/or email address, which characters are allowed and required, etc.) might be able to brute force the password with far fewer guesses, if they know how the randomization part of the password creation is coded in the software.
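To make the concern concrete, here is an added illustration (constructed for this post, not LastPass’s code): a generator that seeds a general-purpose PRNG with the creation time beside one that uses the OS CSPRNG, plus a function that measures how few guesses the weak one needs once the creation time is known only roughly. The timestamp, alphabet and function names are assumptions.

```python
import random
import secrets
import string

# 62-symbol alphabet (assumed for the illustration): upper, lower, digits.
ALPHABET = string.ascii_letters + string.digits


def weak_password(length, created_at):
    """Constructed weak generator: a general-purpose PRNG (Mersenne Twister)
    seeded with the Unix creation time. The whole password is a deterministic
    function of one guessable number, which is exactly the risk the post
    describes when the generator's source is known."""
    rng = random.Random(int(created_at))
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length):
    """Hardened form: draw every symbol from the OS CSPRNG via `secrets`.
    There is no seed to reconstruct, so knowing the source code does not help."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def guesses_to_reproduce(target, length, approx_created_at, window_seconds):
    """Defender-side measurement: how many candidate seeds must be tried before
    `target` is regenerated, if the creation time is known to within
    +/- window_seconds. Returns None when the window does not cover the real
    seed. Compare the result with naive_search_space()."""
    attempts = 0
    for offset in range(-window_seconds, window_seconds + 1):
        attempts += 1
        if weak_password(length, approx_created_at + offset) == target:
            return attempts
    return None


def naive_search_space(length):
    """Number of equally likely passwords when every symbol is independent
    and uniform, i.e. what an attacker faces against strong_password()."""
    return len(ALPHABET) ** length


def seed_search_space(window_seconds):
    """Number of seeds in a +/- window, i.e. what an attacker faces against
    weak_password() once the creation time is roughly known."""
    return 2 * window_seconds + 1


if __name__ == "__main__":
    created = 1661171095  # constructed creation timestamp
    pw = weak_password(16, created)
    print("weak password needs", guesses_to_reproduce(pw, 16, created + 30, 60),
          "guesses with a 2-minute window;", seed_search_space(60), "seeds total")
    print("strong password space:", naive_search_space(16))
```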

What to do?

In response to the incident, LastPass deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While the investigation is ongoing, they have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity. 

If you haven’t done so already it is advisable to enable multi-factor authentication (MFA) on your LastPass accounts so that threat actors won’t be able to access your account even if your password is compromised. The instructions to enable MFA can be found on the LastPass Support pages.

We will keep you posted here if there are any updates to the story.

Adware found on Google Play — PDF Reader serving up full screen ads

A PDF reader found on Google Play with over one million downloads is aggressively displaying full screen ads, even when the app is not in use. More specifically, the reader is known as PDF reader – documents viewer, package name com.document.pdf.viewer. As a result, this aggressive behavior lands it in the realm of adware. Or as we call it, Android/Adware.HiddenAds.PPMA.

Catching the adware

Catching this adware in real time is a game of install and wait. It takes a couple of hours before the PDF app will display ads. This long delay is meant to make it harder to track down which app is causing the ads. For example, full screen ads displaying immediately after install would likely result in a quick uninstall. With this in mind, I plugged my test phone into my laptop with Android Device Monitor running. Among other tools, Android Device Monitor includes LogCat, which logs all activity on an Android mobile device. I then installed PDF reader – documents viewer, package name com.document.pdf.viewer, directly from Google Play. Thus, my waiting game began the morning of August 22nd.

To my surprise, at 15:04 I heard my test phone sound a chime. My expectation from previous testing was that it takes longer before an ad displays. Before unlocking the screen, I checked my LogCat logs.

08-22 15:04:55.348: I/ActivityManager(765): START u0 {flg=0x14c00004 cmp=com.document.pdf.viewer/.ads.PPMActivity} from uid 10277

The keyword in the log is ‘START’. What starts is an Ad SDK; this time, the PDF reader’s special in-house Ad SDK, com.document.pdf.viewer.ads.PPMActivity. Unlocking the lock screen, another important log line comes in.

08-22 15:04:56.318: I/ActivityManager(765): Displayed com.document.pdf.viewer/.ads.PPMActivity: +942ms

Indeed, looking at the phone there is a full screen ad “displayed.”


Soon after, another Ad SDK starts in the logs.

08-22 15:05:34.227: I/ActivityManager(765): START u0 {flg=0x10000000 cmp=com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity (has extras)} from uid 10277

Once again, another ad displays. This time it is a video ad.

08-22 15:05:34.927: I/ActivityManager(765): Displayed com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity: +555ms


After the initial ads, they come more frequently. Each time, the start of an ad is signaled by a chime sounding on the mobile device. From then on, a full screen ad is waiting, and immediately after the first ad comes a video ad.
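The log lines above are the whole detection signal: an ActivityManager START of an ad activity followed by a Displayed line while the user is not in the app. As an added example (not part of the original post or Malwarebytes’ tooling), here is a Python filter that parses such LogCat lines, resolves the abbreviated component names, pairs each ad display with the START that launched it, and counts ad displays per package. The marker substrings and the launcher line in the sample are constructed assumptions.

```python
import re
from collections import Counter

# Sample input: the four ActivityManager lines quoted in the post, plus one
# constructed benign line from a launcher so the filter has something to ignore.
SAMPLE_LOGCAT = """\
08-22 15:04:55.348: I/ActivityManager(765): START u0 {flg=0x14c00004 cmp=com.document.pdf.viewer/.ads.PPMActivity} from uid 10277
08-22 15:04:56.318: I/ActivityManager(765): Displayed com.document.pdf.viewer/.ads.PPMActivity: +942ms
08-22 15:05:10.000: I/ActivityManager(765): Displayed com.android.launcher3/.Launcher: +120ms
08-22 15:05:34.227: I/ActivityManager(765): START u0 {flg=0x10000000 cmp=com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity (has extras)} from uid 10277
08-22 15:05:34.927: I/ActivityManager(765): Displayed com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity: +555ms
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}): I/ActivityManager\(\d+\): (?P<body>.*)$")
START_RE = re.compile(
    r"^START u\d+ \{.*?cmp=(?P<pkg>[\w.]+)/(?P<cls>[\w.$]+).*\} from uid (?P<uid>\d+)")
DISPLAYED_RE = re.compile(
    r"^Displayed (?P<pkg>[\w.]+)/(?P<cls>[\w.$]+): \+(?P<ms>\d+)ms")

# Substrings that mark an activity as an ad surface (assumed heuristics): the
# in-house ".ads." path seen in the post and the third-party SDKs it names.
AD_MARKERS = (".ads.", "com.facebook.ads.", "com.applovin.")


def qualify(pkg, cls):
    """ActivityManager abbreviates classes inside the app's own package as
    '.Foo'; expand them to a fully qualified class name."""
    return pkg + cls if cls.startswith(".") else cls


def parse_events(text):
    """Turn ActivityManager START/Displayed lines into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other log tags are irrelevant here
        body = m.group("body")
        s = START_RE.match(body)
        if s:
            events.append({"ts": m.group("ts"), "kind": "start",
                           "package": s.group("pkg"),
                           "activity": qualify(s.group("pkg"), s.group("cls")),
                           "uid": int(s.group("uid"))})
            continue
        d = DISPLAYED_RE.match(body)
        if d:
            events.append({"ts": m.group("ts"), "kind": "displayed",
                           "package": d.group("pkg"),
                           "activity": qualify(d.group("pkg"), d.group("cls")),
                           "load_ms": int(d.group("ms"))})
    return events


def is_ad_activity(activity):
    return any(marker in activity for marker in AD_MARKERS)


def ad_displays(text):
    """Displayed events for ad activities, each annotated with the uid that
    issued the matching START (the app itself in the post's capture)."""
    pending = {}  # (package, activity) -> uid of the most recent START
    hits = []
    for ev in parse_events(text):
        key = (ev["package"], ev["activity"])
        if ev["kind"] == "start":
            pending[key] = ev["uid"]
        elif is_ad_activity(ev["activity"]):
            hits.append(dict(ev, launched_by_uid=pending.get(key)))
    return hits


def ads_per_package(text):
    """Which installed package is putting ad activities on screen."""
    return Counter(ev["package"] for ev in ad_displays(text))


if __name__ == "__main__":
    for ev in ad_displays(SAMPLE_LOGCAT):
        print(ev["ts"], ev["package"], ev["activity"], f"{ev['load_ms']}ms")
    print(dict(ads_per_package(SAMPLE_LOGCAT)))
```

On a real device, feed it the output of `adb logcat -v time` instead of the embedded sample.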

Don’t blame the Ad SDKs

PDF reader uses an array of common Ad SDKs as well as its own Ad SDK. Facebook Ads is shown in the log above, but we also observed it using Applovin along with others. In addition, it uses an in-house Ad SDK contained in com.document.pdf.viewer.ads.PPMActivity. Although these common Ad SDKs are the ones shown displaying the ads, it is not necessarily their fault. The issue is displaying ads where they ought not to be displayed. Any of these ads within the app, while using the app, is fair game. Moreover, Ad SDKs like Applovin and Facebook Ads are necessary to keep apps free on the Play Store. It is only when the ads start displaying outside the app at random that this qualifies as adware. It is the PDF reader app that is wrongfully using these Ad SDKs.

Not all PDF readers are the same

There are many good PDF readers on Google Play. However, this one has some oddities signaling red flags right from the Google Play Store description.


Note the Mature 17+ content rating. For what reason does a PDF reader need a mature rating? Another clue that something is not right is the developer’s name, Fairy games. I understand diversifying the kinds of apps you provide, but it is an odd developer name for anything other than gaming apps.

Am I infected?

If you are thinking to yourself, “I have a PDF reader installed, am I infected!?” here are a few things to check. Are you receiving full screen ads? If yes, do you have an icon that looks like this?


If you do, you can uninstall it from App info.


More easily, you can install Malwarebytes for Android and use our free scanner to remove it.

Another one slips through

From what we can tell from previous versions of PDF reader – documents viewer, it has existed since November 2021. Each version thereafter serves ads just like the most recent Google Play version. Although we cannot verify whether it has been on Google Play since 2021, it is likely the case. If you have a lot of apps installed on your mobile device, this one can be very hard to track down. That is another reason not to blindly trust that you are safe while installing exclusively from Google Play. Even though the Play Store is by far the safest place to install apps on Android, it can fail from time to time as well. Having an anti-malware scanner, or anti-adware in this case, is a good idea. Stay safe out there!

App Information

Package name: com.document.pdf.viewer

App Name: PDF reader – documents viewer

Developer: Fairy games

MD5: CDA77D85D5B733C89F53254F11F3F372

Google Play URL: https://play.google.com/store/apps/details?id=com.document.pdf.viewer

Twitter security under scrutiny after former executive turns whistleblower

A former Twitter executive has acted as a whistleblower and alleged some serious problems. Provided these accusations are true, the disclosure shows a side of Twitter that poses a threat to its own users’ personal information, to company shareholders, to national security, and to democracy.

Otherwise known as Mudge, Peiter Zatko is a network security expert, open source programmer, writer, and a hacker. His most recent position was as head of security at Twitter, reporting directly to the CEO. He was the most prominent member of the high-profile hacker think tank the L0pht, as well as the computer and culture hacking cooperative the Cult of the Dead Cow. The L0pht was one of the first viable hackerspaces in the US, and a pioneer of responsible disclosure. Zatko first came to national attention in 1998 when he took part in the first congressional hearings on cybersecurity.

Zatko was fired by Twitter in January for what the company claims was poor performance.

“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance.”

Major problems

The 2020 Twitter hack was one of the main reasons for Twitter to hire Zatko, who previously held senior roles at Google, Stripe, and the US Department of Defense. When Zatko arrived at Twitter, he said he found a company with extraordinarily poor security practices, including giving thousands of the company’s employees — amounting to roughly half the company’s workforce — access to some of the platform’s critical controls. His disclosure describes his overall findings as “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.”

According to Zatko, “it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did…. Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.”

Infrastructure

Twitter’s flimsy server infrastructure is a separate yet equally serious vulnerability, the disclosure claims. About half of the company’s 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors. Zatko’s letter to a Twitter board member about that issue is included in the disclosure.

The disclosure also claims that Twitter lacks sufficient redundancies and procedures to restart or recover from data center crashes, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline.

FTC

In 2010, the Federal Trade Commission (FTC) filed a complaint against Twitter for its mishandling of users’ private information and the issue of too many employees having access to Twitter’s central controls. Zatko alleges that despite the company’s claims to the contrary, it has never been in compliance with what the FTC demanded over ten years ago.

Elon Musk

After recent events, whenever Twitter is mentioned, the name of Elon Musk comes up as well. Musk, who is engaged in a legal battle with Twitter over his attempt to back out of buying the company, claims that the number of bots on the platform affects the user experience and that having more bots than previously known could therefore impact the company’s long-term value.

According to Zatko’s disclosure, Twitter’s CEO Parag Agrawal tweeted false and misleading statements about Twitter’s handling of bots on the platform. In fact, he stated, deliberate ignorance was the norm amongst the executive leadership team. The reason is simple to understand: a social platform’s value is based on the number of active users, since that is the potential audience for advertising on the platform. Twitter uses a unique metric called monetizable daily active users (mDAUs) which it says counts all users that could be shown an advertisement on Twitter.

The company has repeatedly said that less than 5% of its mDAUs are fake or spam accounts. But Zatko’s disclosure argues that by reporting bots only as a percentage of mDAU, rather than as a percentage of the total number of accounts on the platform, Twitter obscures the true scale of fake and spam accounts on the service, a move Zatko alleges is deliberately misleading.

Foreign influence

According to the disclosure, Twitter is exceptionally vulnerable to foreign government exploitation in ways that undermine US national security, and the company may even have foreign spies currently on its payroll.

Last year, prior to Russia’s invasion of Ukraine, Agrawal — then Twitter’s chief technology officer — proposed to Zatko that Twitter comply with Russian demands that could result in broad-based censorship or surveillance of the platform, Zatko alleges. While Agrawal’s suggestion was ultimately discarded, it was still an alarming sign of how far Twitter was willing to go in pursuit of growth, according to Zatko.

Zatko’s report is becoming public just two weeks after a former Twitter manager was convicted of spying for Saudi Arabia.

Motivation

By going public, Zatko says, he believes he is doing the job he was hired to do for a platform he says is critical to democracy.

“Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I’m still performing that mission.”

Zatko may be eligible for a monetary award from the US government as a result of his whistleblower activities. Original, timely and credible information that leads to a successful enforcement action by the Securities and Exchange Commission (SEC) can earn whistleblowers up to a 30% cut of agency fines related to the action if the penalties amount to more than $1 million, the SEC has said.

The prospect of a reward was not a factor in Zatko’s decision, he said, and in fact he claims he didn’t even know about the reward program when he decided to become a lawful whistleblower.

Binance chief says a “sophisticated hacking team” turned him into a deepfake hologram

Deepfakes are back, and causing major problems for people involved in financial circles. Scammers have been targeting people in the cryptocurrency community for some time now. There’s huge money to be made via the act of ripping folks off. Some of it is phishing, other attacks focus on breaking into currency exchanges. A few of these have dabbled in (very poorly done) Elon Musk deepfakes. The clips are bad, the voice an overt mashup of clipped and broken dialogue. All in all: not very convincing.

Well, scammers are back for another go.

Behold the Deepfake hologram

In this case, it’s a deepfake hologram impersonating Patrick Hillmann, Chief Communications Officer (CCO) at Binance. Hillmann states that a “sophisticated hacking team” raided the old footage archives. News interviews, TV appearances, anything that they could get their hands on. The aim of the game? To use this footage and create a convincing deepfake.

The Hillmann deepfake was then used in a variety of scenarios to trick people, he said. The scam involved “potential opportunities to list their assets on Binance.com”. At least one incident involves someone ending up in a Zoom call with a “hologram”. We assume this is some sort of old hologram style marketing material repurposed for the bogus Zoom call. Or perhaps the person calling it a hologram is simply unfamiliar with this technology and just calling it a hologram because of that.

Fooling the community

While no footage of these fakes currently exists, Hillmann claims that these calls fooled “several highly intelligent crypto community members”. These individuals no doubt have some sort of familiarity with the people being used in the scam, so they must have been somewhat decently put together. Still: one person’s incredibly convincing deepfake is another person’s Playstation 2 full motion video emulator. Without seeing one of these in action, we may never know for sure.

There is also no word as to which projects were targeted by the scammers, or investment numbers/finance requests. Did anybody make off with some cash? We don’t know.

Avoiding cryptocurrency Deepfake scammers

Here are some tips from Binance in relation to avoiding scams like this one:

  • Be vigilant and always take proactive steps to ensure you don’t fall prey to scams and impersonations.

  • Use the Binance Verify tool to check whether the account officially represents Binance. Binance Verify isn’t foolproof though, and a scammer could spoof their “from” email address or hide behind the real name of a Binance employee. In both cases, Binance Verify would produce mixed results. 

  • Report any suspicious activities or accounts to Binance Support.

On a related note, you can always ask someone you suspect of being a deepfake to turn their head to one side. Your reward will be a horrifying rendering of broken facial structure from the upside-down, or the pangs of social embarrassment felt from accusing someone of being entirely digital. Given the fakery running wild out there at the moment, one would hope the person you’re talking to would understand the need for caution. The choice, as they say, is yours.

Update now! GitLab issues critical security release for RCE vulnerability

GitLab has released versions 15.3.1, 15.2.3, 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and it’s recommended that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.

GitLab

GitLab and GitHub are open-source code repository platforms allowing anyone to collaborate on projects. GitLab focuses on providing tools for teams working on software development projects (repositories), while GitHub focuses more on managing the workflow of individual developers and organizations. The name GitLab was chosen because it combines GitHub and Lighthouse (the company that develops the source code management system).

GitLab has millions of users worldwide. Since no specific deployment type (omnibus, source code, helm chart, etc.) is mentioned in the release, this means all types are affected.

RCE vulnerability

The main reason to apply this security update as soon as possible is CVE-2022-2884, a Remote Command Execution (RCE) vulnerability in GitHub import. The vulnerability’s severity was given a CVSS score of 9.9 out of 10.

The vulnerability in GitLab CE/EE affects all versions starting from 11.3.4 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1. The flaw allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. By making use of this vulnerability, a threat actor could take control over the server, steal or delete source code, perform malicious commits, and more.

Mitigation

Users are advised to upgrade to the latest security release for their supported version. To update GitLab, see the GitLab update page.

If you’re unable to update right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.

Disable GitHub import

Log in to your GitLab installation using an administrator account and perform the following:

  • Click “Menu” -> “Admin”.
  • Click “Settings” -> “General”.
  • Expand the “Visibility and access controls” tab.
  • Under “Import sources” disable the “GitHub” option.
  • Click “Save changes”.

Verifying the workaround

  • In a browser window, log in as any user.
  • Click “+” on the top bar.
  • Click “New project/repository”.
  • Click “Import project”.
  • Verify that “GitHub” does not appear as an import option.
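As an added example (not GitLab’s own tooling), the affected-version ranges from the advisory text and the import-source check behind the workaround, as Python functions: is_vulnerable applies the three ranges to a version string, and github_import_disabled inspects the import_sources list from the application settings JSON. The sample JSON documents are constructed; the field name import_sources and the /api/v4/application/settings and /api/v4/version endpoints are assumed from GitLab’s REST API.

```python
import json

# Affected ranges as stated in the advisory: [first affected, first fixed).
# The upper bound of each range is the release to upgrade to.
AFFECTED = (
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
)


def parse_version(text):
    """'15.2.2-ee' -> (15, 2, 2). Drops an edition suffix and pads short
    versions so that tuple comparison against the ranges is well defined."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True when the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def fixed_release(version):
    """The patched release for the version's branch, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED:
        if lo <= v < hi:
            return ".".join(str(x) for x in hi)
    return None


def github_import_disabled(settings_json):
    """True when 'github' is absent from import_sources in the application
    settings document (assumed shape: {"import_sources": [...]}), i.e. the
    workaround from the advisory is in place."""
    settings = json.loads(settings_json)
    return "github" not in settings.get("import_sources", [])


def assess(version_json, settings_json):
    """Combine both checks into one status for an instance. version_json is
    the body of GET /api/v4/version, settings_json the body of
    GET /api/v4/application/settings (both assumed endpoints)."""
    version = json.loads(version_json)["version"]
    if not is_vulnerable(version):
        status = "patched"
    elif github_import_disabled(settings_json):
        status = "vulnerable-workaround-applied"
    else:
        status = "vulnerable"
    return {"version": version, "fix": fixed_release(version), "status": status}


# Constructed sample responses for an unpatched 15.3.0 instance with GitHub
# import still enabled.
SAMPLE_VERSION = '{"version": "15.3.0", "revision": "0000000"}'
SAMPLE_SETTINGS = '{"import_sources": ["gitlab_project", "git", "github"]}'

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SETTINGS))
```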

Introducing Patch Management for OneView

We’re thrilled to announce our Patch Management module for OneView, which is paired alongside our Vulnerability Assessment module to help you uncover vulnerabilities, respond to threats, and keep your customers productive and safe.

Vulnerability identification and system patching are critical to strengthening security postures, but they can become a monumental task that many organizations aren’t equipped to tackle. Despite the known risks of malware and ransomware infections, the average time to patch is 102 days and almost 75% of small and large businesses say they lack the resources to patch vulnerabilities quickly enough.

As an MSP, it is important you have tools to streamline an effective, intuitive approach to vulnerability visibility and patch management for your customers. Check out our blog post “6 reasons MSPs need a patch management platform” for more benefits of a VPM platform for MSPs.

Malwarebytes Vulnerability Assessment and Patch Management modules extend OneView functionality to provide your organization deep visibility into the security vulnerabilities in your customers’ digital ecosystems. In this post, we give you a walkthrough of how to use Patch Management for OneView. For our previous post on using Vulnerability Assessment for OneView, click here.

Using the Patch Management module 

Click on “Patch Management”.

Here you can find more information on the updates available for your site’s endpoints and install these updates. Choose between tabs for operating system patches and third-party software application updates. Click on a particular patch to learn more.

Below you will see a list of all endpoints with this vulnerability. Select the endpoints and click “Apply patches”.


Check the status of these updates on the “Tasks” page.


Quickly uncover and respond to vulnerabilities with VPM for OneView

Vulnerability and Patch Management will scan for updates across your endpoints and hand you the keys so you can lock the doors quickly and easily. To recap, this module provides the following features:

  • Scan for vulnerabilities across installed endpoint software.
  • Patch outdated applications, operating systems, or software vulnerabilities across your endpoints.
  • View detailed information on vulnerabilities across sites and endpoints.
  • View detailed information on available software and OS patches across sites and endpoints.
  • View recommended updates to perform on detected vulnerabilities.
  • Send automatic email notifications to administrators on detected vulnerabilities, available patches, and installed patches.
  • View summarized vulnerability and patching information across endpoints from your OneView dashboard.

If you have any questions, please visit service.malwarebytes.com.

Check out our MSP’s Guide to selling security!

Exploits and TrickBot disrupt manufacturing operations

September 2021 saw a huge spike in exploit detections against the manufacturing industry, distributed across California, Florida, Ohio, and Missouri. This coincided with heavy detections of previously unseen malware, identified through our AI engine, spiking in May as well as September 2021.

May brought with it a flood of attacks that exploited a Dell system driver vulnerability (CVE-2021-21551), with the greatest number of detections observed in Michigan. During this month, JBS, one of the largest meat suppliers, was targeted by the REvil group, who likely exploited this vulnerability to infiltrate the network. By June, overall detection of this threat against manufacturing firms began to fall significantly, with only about two dozen detections on average between November 2021 and June 2022.

In the first half of the year, we observed spiking detections of threats associated with tech support scams. These threats install applications on the system that create fake error messages, urging the user to call a “help center” that is, in reality, a scam operation. These spikes were in March and May 2021 and focused primarily on firms in New York and Texas. However, detections of this threat declined steadily through the rest of the analyzed timeframe.


Figure 1. United States manufacturing threat family detections by month

The notorious TrickBot Trojan was detected constantly throughout 2021, with small spikes in February and September 2021 and in February 2022. Once it has infected a single endpoint, TrickBot uses its additional modules and tools to compromise the rest of the network, often to stage the delivery of additional malware.

Our TrickBot detections were concentrated in New York, and the fallout from the September spike included three more manufacturer breaches, all in October. Victims included the candy maker Ferrara, which was targeted right before Halloween, and the cookware company Meyer, whose employee data was leaked.

Schreiber Foods, a cheese manufacturer, dealt with attacks attempting to disrupt plant and distribution center operations. That attack actually caused a nationwide shortage of cream cheese!


Figure 2. United States manufacturing family threat detections pie chart

Finally, manufacturing companies in North Carolina dealt with heavy information-stealing spyware detections during the first few months of 2021, followed by a gradual decline through December 2021. That trend reversed in January 2022, with new spikes in February and April 2022.

Between February and May 2022, the industry dealt with several significant breaches. The graphics card maker NVIDIA suffered a major attack in February 2022; in March, the tool manufacturer Snap-On Tools was infected with Conti ransomware; in April there was an operation against General Motors; and in May, the agricultural company AGCO was infiltrated.

Exploits were a serious issue for the manufacturing industry in 2021. The JBS attack coincided with spikes in certain exploit detections, and after the huge spike in exploit detections in September we observed three attacks in a single month, one of which disrupted operations and caused a nationwide supply chain issue.

In 2022 the picture is different: exploit detections have dropped significantly. Even so, at least four major manufacturing attacks occurred between February and May 2022, with threats like trojans, information stealers and backdoors possibly to blame for the breaches.

Recommendations for the manufacturing industry

With all that in mind, we recommend that businesses in the manufacturing industry build their security plan around its most important goal: keeping operations moving. We therefore highly recommend some division between the networks for offices, plants, and distribution centers, so that an infected endpoint in one of them does not force a factory to shut down.
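Network division is done on switches and firewalls, but a host-level layer on the plant side costs little and survives a misconfigured VLAN. The following is an added example, not code from the Malwarebytes article: it is run on a plant or distribution-center Windows endpoint so that a compromised office machine cannot reach it directly. The office range 10.10.0.0/16 and the jump host 10.20.0.5 are placeholders for your own environment.

```powershell
# Added example, not from the Malwarebytes article: a host-level complement to the
# network division recommended above, applied on a plant or distribution-center
# Windows endpoint so that a compromised office machine cannot reach it directly.
# Assumptions (placeholders, replace with your own): the office LAN is 10.10.0.0/16,
# and the only sanctioned management path into the plant is jump host 10.20.0.5.
$OfficeNet = '10.10.0.0/16'
$JumpHost  = '10.20.0.5'

# Default-deny inbound on the profiles a domain-joined plant host actually uses.
Set-NetFirewallProfile -Profile Domain,Private -DefaultInboundAction Block

# Block everything inbound from the office LAN. In Windows Firewall an explicit Block
# rule wins over an Allow rule, so a later "allow RDP" rule cannot accidentally reopen it.
New-NetFirewallRule -DisplayName 'Plant: block inbound from office LAN' `
    -Direction Inbound -Action Block -RemoteAddress $OfficeNet -Profile Domain,Private

# Allow the jump host (which sits outside the office range) to reach RDP, WinRM and SMB only.
New-NetFirewallRule -DisplayName 'Plant: allow management from jump host' `
    -Direction Inbound -Action Allow -RemoteAddress $JumpHost `
    -Protocol TCP -LocalPort 3389,5985,445 -Profile Domain,Private

# Verify: list the two rules together with the remote address scope each one applies to.
Get-NetFirewallRule -DisplayName 'Plant:*' | ForEach-Object {
    $scope = $_ | Get-NetFirewallAddressFilter
    [PSCustomObject]@{ Rule = $_.DisplayName; Action = $_.Action; Remote = $scope.RemoteAddress }
}
```

Treat this as defense in depth on top of real segmentation, not a substitute for it: HMIs and engineering workstations often need vendor-specific ports from other plant systems, so test the default-deny profile on one machine before pushing it by Group Policy.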

Combine this with a security playbook that tells all staff which procedures to follow when a cyberattack is discovered: who to call, which systems to secure, and so on. For manufacturing firms, it is important that the playbook also describes how to keep operations running even during an active breach.

Historically, exploit protection has been very important for this industry, so deploying anti-exploit technology on all endpoints and servers will greatly reduce the chance that attackers can use this method for infiltration.

Next, the high volume of tech support scam malware could be the result of users who have too many rights on their endpoints installing unverified third-party software onto corporate systems. A thorough audit of user accounts and rights on each endpoint will reduce the junk users are able to install, and with it the chance that the junk comes bundled with something nasty.
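The two things that most often let a standard user install software they should not are membership in the local Administrators group and the AlwaysInstallElevated installer policy, which lets any user run an MSI with SYSTEM privileges. The following is an added example, not code from the Malwarebytes article, that audits both across a list of endpoints. It assumes WinRM is enabled and the caller is an administrator on the targets; the host names and the approved-member list are placeholders.

```powershell
# Added example, not from the Malwarebytes article: audit local Administrators
# membership on a set of endpoints, plus the AlwaysInstallElevated policy that lets
# standard users install software as SYSTEM. Assumptions (placeholders): WinRM is
# enabled, the caller is an admin on the targets, and the names below are yours to replace.
$Endpoints = @('PLANT-HMI01', 'OFFICE-WS17', 'DIST-WS03')
$Approved  = @('Administrator', 'Domain Admins', 'Workstation Admins')

$Report = Invoke-Command -ComputerName $Endpoints -ErrorAction SilentlyContinue -ScriptBlock {
    # Members of the built-in Administrators group, with where each principal comes from.
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [PSCustomObject]@{ Name = $_.Name; Class = $_.ObjectClass; Source = $_.PrincipalSource }
    }
    # Machine half of AlwaysInstallElevated. The policy only takes effect when the
    # per-user (HKCU) value is also 1, which is normally pushed by the same GPO, so a
    # 1 here is the signal to investigate that policy object.
    $aie = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' `
        -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    [PSCustomObject]@{
        Computer              = $env:COMPUTERNAME
        Admins                = $admins
        AlwaysInstallElevated = ($aie -eq 1)
    }
}

# Flag any admin whose account name (after the DOMAIN\ or HOST\ prefix) is not approved.
foreach ($ep in $Report) {
    $unexpected = $ep.Admins | Where-Object { $Approved -notcontains ($_.Name -split '\\')[-1] }
    foreach ($m in $unexpected) {
        '{0}: unexpected local admin {1} ({2}, {3})' -f $ep.Computer, $m.Name, $m.Class, $m.Source
    }
    if ($ep.AlwaysInstallElevated) { '{0}: AlwaysInstallElevated is set in HKLM' -f $ep.Computer }
}

# Remediation, run on the endpoint only after the list has been reviewed, for example:
# Invoke-Command -ComputerName PLANT-HMI01 { Remove-LocalGroupMember -Group 'Administrators' -Member 'CORP\jdoe' }
```

Endpoints that do not answer WinRM are silently skipped here; in a real run, compare the set of names in the report against your inventory so that an unreachable machine shows up as a gap rather than as clean.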

Finally, the number of TrickBot attacks against this industry shows that manufacturing is clearly a top target for this group. TrickBot frequently compromises every endpoint in a network before preparing it for a ransomware attack. Ransomware attacks that disrupt operations and start bleeding a company money are more likely to be resolved quickly, so going after manufacturing firms is a good way to get paid fast. To protect against this threat, use anti-malware software that relies on behavior as well as signatures to identify TrickBot and quickly remove it from the system.

In addition, TrickBot has multiple methods of initial infection, including phishing attacks against employees, so educating staff on how to recognize phishing is a great idea. Going one step further, deploy a phishing-report button in your organization’s email client, which makes it easy for employees to submit a suspect email for the security team to analyze for malicious intent.