24 January 2020

Researchers set up fake factory network and watched it attract all sorts of nasties

In an effort to study the threats commonly faced by industrial organizations, researchers from Trend Micro built an elaborate honeypot that mimicked a factory. To make the ruse as realistic as possible, the industrial environment included ICS hardware (PLCs from Siemens, Allen-Bradley and Omron), physical hosts, and virtual machines. The team even created a fake company that claimed to be “a rapid prototyping consultancy firm” working for special customers.

To make the mock network more inviting to cybercriminals, the researchers intentionally left some vulnerabilities in place and made the system look as if it had already been hacked by posting “leaked” information about it.

The honeypot, run under the fake company name MeTech, went live in May 2019, and over the following seven months the researchers observed multiple attempts to infiltrate the network. Unsurprisingly, the honeypot was initially targeted by scanners, prompting the researchers to block requests coming from known scanning services such as Shadow Server, Shodan, and ZoomEye.

Trend Micro also observed multiple attempts to use the honeypot’s resources for fraud, such as buying smartphones by upgrading mobile subscriber accounts and cashing out airline miles for gift cards.

In other cases attackers installed cryptocurrency miners, and the team also observed two ransomware attacks, one installing Crysis and the other Phobos. Soon after these two incidents occurred, the honeypot attracted a fake ransomware attack by an actor who, as the Trend Micro researchers put it, “fumbled around our system trying to get a PowerShell command to work”. The hacker behind this attack deployed a fake ransomware that simply renamed files on the system without actually encrypting them.

As for attacks on the control systems, the researchers said the PLCs were mostly targeted by unknown scanners, and while the traffic appeared non-malicious, Trend Micro does not exclude the possibility “that this could be part of a reconnaissance activity for further attacks that were never seen”.

In the case of one of the Allen-Bradley MicroLogix 1100 PLCs exposed on the Internet, the researchers observed a number of unknown commands that appeared to be harmless.

“However, looking further revealed that these unknowns were random information being sent to the port 44818. While in this case the PLC would respond simply by saying that it was an unknown command, sending unknown traffic to known ICS protocol ports still remains a dangerous practice that could cause older devices to crash,” the researchers noted.
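Port 44818 is the EtherNet/IP encapsulation port, so the “unknown commands” above are requests whose 24-byte encapsulation header does not carry a command code the specification defines. The following is an added example (not code from the article or from Trend Micro’s report) of how a defender might triage such traffic from a capture: it parses the header, separates well-formed known commands from undefined command codes and malformed framing, and decodes the status field of a reply (status 0x0001 is the “invalid or unsupported command” answer a device gives to junk). The sample packets are constructed, the function names are the example’s own, and the device reply is an assumed illustration of the behaviour the quote describes, not a capture from the MicroLogix.

```python
"""Triage of requests sent to the EtherNet/IP encapsulation port (44818).

Added example: parses the 24-byte EtherNet/IP encapsulation header and
labels each request as a well-formed known command, an undefined command
code (the "random information" the quote describes), malformed framing,
or a fragment too short to be a header. Sample packets are constructed.
"""
import struct
from collections import Counter

ENIP_PORT = 44818
HEADER_LEN = 24          # command, length, session, status, context[8], options
HEADER_FMT = "<HHIIQI"   # little-endian, per the EtherNet/IP specification

# Encapsulation command codes defined by the EtherNet/IP specification.
KNOWN_COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",      # what Shodan-style scanners send first
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}

# Status codes a device puts in the header of its reply.
STATUS_CODES = {
    0x0000: "success",
    0x0001: "invalid or unsupported encapsulation command",
    0x0002: "insufficient memory",
    0x0003: "poorly formed or incorrect data",
    0x0064: "invalid session handle",
    0x0065: "invalid length",
    0x0069: "unsupported protocol version",
}


def parse_encap_header(data: bytes):
    """Return the header fields as a dict, or None if data is too short."""
    if len(data) < HEADER_LEN:
        return None
    cmd, length, session, status, context, options = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    return {"command": cmd, "length": length, "session": session,
            "status": status, "context": context, "options": options}


def classify_request(data: bytes) -> str:
    """Verdict for one request payload seen on port 44818."""
    hdr = parse_encap_header(data)
    if hdr is None:
        return "short"               # not even a full header: noise or a probe
    if hdr["command"] not in KNOWN_COMMANDS:
        return "unknown_command"     # undefined command code: garbage or fuzzing
    if hdr["length"] != len(data) - HEADER_LEN:
        return "length_mismatch"     # known command, but the framing does not add up
    return "known"


def describe_response(data: bytes) -> str:
    """Human-readable meaning of the status field in a device's reply."""
    hdr = parse_encap_header(data)
    if hdr is None:
        return "short"
    return STATUS_CODES.get(hdr["status"], f"unknown status 0x{hdr['status']:04x}")


def summarize(packets) -> Counter:
    """Count verdicts over a batch of captured request payloads."""
    return Counter(classify_request(p) for p in packets)


def _encap(cmd, payload=b"", session=0, status=0, context=0, options=0):
    """Build a well-formed encapsulation packet (helper for the samples)."""
    return struct.pack(HEADER_FMT, cmd, len(payload), session, status,
                       context, options) + payload


# Constructed sample traffic; these are not captures from the honeypot.
SAMPLE_REQUESTS = [
    _encap(0x0063),                                     # ListIdentity, as a scanner sends it
    _encap(0x0065, b"\x01\x00\x00\x00"),                # RegisterSession, protocol version 1
    b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n",             # HTTP probe aimed at the wrong port
    bytes(range(24)),                                   # arbitrary bytes: command 0x0100 is undefined
    struct.pack(HEADER_FMT, 0x006F, 200, 0, 0, 0, 0),   # SendRRData claiming 200 bytes, carrying none
    b"\x63\x00",                                        # truncated fragment
]

# Constructed reply (assumed behaviour): the device echoes the bogus command
# and sets status 0x0001, the "unknown command" answer the quote refers to.
SAMPLE_REPLY = _encap(0x4547, status=0x0001)


if __name__ == "__main__":
    for pkt in SAMPLE_REQUESTS:
        print(f"{classify_request(pkt):16s} {pkt[:12].hex()}")
    print(summarize(SAMPLE_REQUESTS))
    print(describe_response(SAMPLE_REPLY))
```

A length mismatch is worth flagging separately from an undefined command: both are malformed, but a known command with a wrong length field is exactly the kind of input that can trip a fragile parser on an older device, which is the crash risk the researchers warn about.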

The team also observed some interesting activity in December, when an attacker started the factory, stopped the conveyor belt, stopped the factory, and then closed the application window. One day later, the same threat actor started the palletizer and opened the log view for its optical system.

“Our findings should serve as cautionary examples for organizations who run similar systems. And we have illustrated the conscious decisions and actions we took to make our system unsecure and consequently inviting for cybercriminals to target. We did all this only to a limited degree to keep our honeypot believable. This means we created openings for attacks that could realistically be found in actual smart factories,” the researchers said.
