ICS/OT Threat Awareness – Brute Force Tactics Targeting VPNs in the Water Sector: Key Insights From Dragos

Created: Tuesday, October 1, 2024 - 15:24
Categories:
Cybersecurity, OT-ICS Security, Security Preparedness

This post is provided for awareness with most of the content pulled directly from the reporting source.

Yesterday, OT cybersecurity company Dragos indicated in an intelligence brief that they have recently identified malicious activity aimed at several critical infrastructure networks across North America, particularly in the electric, oil and gas, water and wastewater, and manufacturing sectors. This activity indicates preliminary reconnaissance efforts aimed at gaining initial access to VPN appliances, including Cisco SSL VPN, Fortinet VPN, and Palo Alto Global Protect. The attackers have used a combination of random and legitimate employee information, such as the credentials of former employees, in their login attempts.

Insights from Dragos’ intelligence brief highlight adversary activity targeting IT systems that could serve as a gateway to operational technology (OT) environments. Members are encouraged to review the entire intelligence brief, but for your convenience, Dragos’ key findings are included here:

  • Dragos identified widespread brute-force login attempts using a mix of random and genuine usernames of current and former employees targeting critical infrastructure virtual private network (VPN) appliances.
  • Cisco SSL-VPN, Fortinet VPN, and Palo Alto Global Protect VPN are targeted across electric/energy, oil and gas, water and wastewater, and manufacturing.
  • The adversary has mainly used virtual private server (VPS) infrastructure hosted by Stark Industries Solutions, a bulletproof hosting provider widely used for denial-of-service attacks.
  • The tactics and infrastructure observed in these operations align with broader trends in cyber attacks targeting critical infrastructure sectors, including energy, utilities, and manufacturing.
  • Although the adversary targets IT environments, there is a demonstrable focus on critical infrastructure and the potential for adversaries to pivot to OT networks.

The intelligence brief further explores how an adversary can transition from IT infrastructure to OT: it starts with reconnaissance, including scanning for exposed devices and network mapping, and continues with lateral movement that lets the adversary cross network segments and escalate privileges. Access the full intelligence brief at Dragos.
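The pattern Dragos describes in its findings above, one source trying many usernames including those of former employees, is one that VPN authentication logs can surface directly. The following is an added example, not code from Dragos or from this post; it runs over constructed, simplified log lines (not any vendor's exact format) and flags a source that fails against many distinct usernames, plus any attempt against a constructed list of former-employee accounts that should never authenticate.

```python
import re
from collections import defaultdict

# Constructed, simplified VPN authentication log lines (not a real vendor format).
# Fields: timestamp, outcome, username, source address.
SAMPLE_LOGS = """\
2024-09-30T02:14:01Z vpn-auth FAIL user=jdoe src=203.0.113.7
2024-09-30T02:14:02Z vpn-auth FAIL user=asmith src=203.0.113.7
2024-09-30T02:14:03Z vpn-auth FAIL user=qx7r2 src=203.0.113.7
2024-09-30T02:14:04Z vpn-auth FAIL user=mlee src=203.0.113.7
2024-09-30T02:14:05Z vpn-auth FAIL user=zz91 src=203.0.113.7
2024-09-30T02:14:06Z vpn-auth FAIL user=bwong src=203.0.113.7
2024-09-30T02:14:10Z vpn-auth FAIL user=kpatel src=198.51.100.20
2024-09-30T02:15:00Z vpn-auth OK   user=kpatel src=198.51.100.20
"""

# Constructed list of accounts belonging to former employees (hypothetical names).
FORMER_EMPLOYEES = {"asmith", "mlee"}

LINE_RE = re.compile(r"^(\S+) vpn-auth (FAIL|OK)\s+user=(\S+) src=(\S+)$")


def parse(logs):
    """Turn the log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "result": m.group(2),
                           "user": m.group(3), "src": m.group(4)})
    return events


def find_spray_sources(events, min_failures=5, min_users=3):
    """Sources whose failures are spread over many usernames (one source, many accounts).
    A single user mistyping a password fails the min_users test and is not flagged."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]].append(e["user"])
    return {src: sorted(set(users)) for src, users in failures.items()
            if len(users) >= min_failures and len(set(users)) >= min_users}


def former_employee_attempts(events, former):
    """(source, username) pairs for any attempt against an account that should be disabled."""
    return sorted({(e["src"], e["user"]) for e in events if e["user"] in former})
```

Any hit from former_employee_attempts is worth reviewing regardless of volume, since a disabled account should produce no authentication attempts at all.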