24 January 2020

Researchers set up fake factory network and watched it attract all sorts of nasties

In an effort to study the threats commonly faced by industrial organizations, researchers from Trend Micro built an elaborate honeypot that mimicked a factory. To make the ruse as realistic as possible, the industrial environment included ICS hardware (PLCs from Siemens, Allen-Bradley and Omron), physical hosts, and virtual machines. The team even created a fake company that claimed to be “a rapid prototyping consultancy firm” working for special customers.

To make the mock network more inviting to cybercriminals, the researchers intentionally left some vulnerabilities in place and made the system look as though it had already been hacked by posting “leaked” information about it.

The MeTech honeypot went live in May 2019, and over the following seven months the researchers observed multiple attempts to infiltrate the network. Unsurprisingly, the honeypot was initially targeted by scanners, prompting the researchers to block requests coming from known scanning services such as Shadow Server, Shodan, and ZoomEye.

Trend Micro also observed multiple attempts to use the honeypot’s resources for fraud, such as buying smartphones by upgrading mobile subscriber accounts and cashing out airline miles for gift cards.

In other cases, attackers installed cryptocurrency miners, and the team also observed two ransomware attacks, one installing Crysis ransomware and the other Phobos ransomware. Soon after these two incidents occurred, the honeypot attracted a fake ransomware attack by an intruder who, as researchers at Trend Micro described, “fumbled around our system trying to get a PowerShell command to work”. The hacker behind this attack deployed a fake ransomware that simply renamed the files on the system without actually encrypting them.

As for the control system attacks, the researchers said the PLCs were mostly targeted by unknown scanners, and while the traffic appeared to be non-malicious, Trend Micro doesn’t exclude the possibility “that this could be part of a reconnaissance activity for further attacks that were never seen”.

In the case of one of the Allen-Bradley MicroLogix 1100 PLCs that was exposed on the Internet, the researchers observed a number of unknown commands that appeared to be harmless.

“However, looking further revealed that these unknowns were random information being sent to the port 44818. While in this case the PLC would respond simply by saying that it was an unknown command, sending unknown traffic to known ICS protocol ports still remains a dangerous practice that could cause older devices to crash,” the researchers noted.
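As an added illustration (not part of the article or of Trend Micro’s report), the following Python triages captured TCP payloads sent to port 44818 by parsing the EtherNet/IP encapsulation header and flagging anything that is not a well-formed known command, which is how a defender could separate the random data the researchers describe from legitimate scanner traffic; the sample flows and IP addresses are constructed.

```python
import struct

ENIP_PORT = 44818        # EtherNet/IP encapsulation port named in the report
HEADER_LEN = 24          # fixed-size encapsulation header
# Encapsulation command codes defined by the EtherNet/IP specification
KNOWN_COMMANDS = {
    0x0000: "NOP", 0x0004: "ListServices", 0x0063: "ListIdentity",
    0x0064: "ListInterfaces", 0x0065: "RegisterSession",
    0x0066: "UnregisterSession", 0x006F: "SendRRData", 0x0070: "SendUnitData",
}

def classify_enip(payload: bytes) -> str:
    """Classify one TCP payload sent to port 44818: 'known:<name>',
    'unknown_command', 'truncated' or 'length_mismatch'."""
    if len(payload) < HEADER_LEN:
        return "truncated"
    # header fields: command, length, session handle, status, sender context, options
    command, length, *_ = struct.unpack("<HHII8sI", payload[:HEADER_LEN])
    if command not in KNOWN_COMMANDS:
        return "unknown_command"
    if len(payload) - HEADER_LEN != length:
        return "length_mismatch"
    return "known:" + KNOWN_COMMANDS[command]

def triage(flows):
    """flows: iterable of (src_ip, dst_port, payload). Returns (src_ip, verdict)
    for every payload to 44818 that is not a well-formed known command."""
    findings = []
    for src, dport, payload in flows:
        if dport == ENIP_PORT:
            verdict = classify_enip(payload)
            if not verdict.startswith("known:"):
                findings.append((src, verdict))
    return findings

def list_identity_request() -> bytes:
    return struct.pack("<HHII8sI", 0x0063, 0, 0, 0, b"\x00" * 8, 0)

def register_session_request() -> bytes:
    body = struct.pack("<HH", 1, 0)  # protocol version 1, option flags 0
    return struct.pack("<HHII8sI", 0x0065, len(body), 0, 0, b"\x00" * 8, 0) + body

# Constructed sample traffic (not taken from the report)
SAMPLE_FLOWS = [
    ("198.51.100.7", 44818, list_identity_request()),
    ("198.51.100.7", 44818, register_session_request()),
    ("203.0.113.9", 44818, bytes.fromhex("8a1f33c0de77")),           # random bytes, too short
    ("203.0.113.9", 44818, bytes.fromhex("4d7a") + b"\x00" * 22),     # random command 0x7a4d
    ("203.0.113.9", 80, b"GET / HTTP/1.0\r\n\r\n"),                    # not an ICS port, ignored
]
```

Running `triage(SAMPLE_FLOWS)` reports only the two random payloads from 203.0.113.9; a real deployment would feed it payloads extracted from a packet capture of the PLC's network segment.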

The team also observed some interesting activity in December when an attacker started the factory, stopped the conveyor belt, stopped the factory, and then closed the application window. One day later, the same threat actor started the palletizer and opened the log view for its optical system.

“Our findings should serve as cautionary examples for organizations who run similar systems. And we have illustrated the conscious decisions and actions we took to make our system unsecure and consequently inviting for cybercriminals to target. We did all this only to a limited degree to keep our honeypot believable. This means we created openings for attacks that could realistically be found in actual smart factories,” the researchers said.
