The Ukrainian Energy Ministry has been hit by a ransomware attack – and for once it looks like this is the work of amateurs, not nation-state attackers bent on making a geopolitical point. However, the bad actors appear to have made use of the recently patched Drupal vulnerability, pointing out yet again that patch management needs to be a top security-posture priority for government and critical infrastructure organizations.
Sophisticated APT attackers have repeatedly targeted Ukrainian government networks and critical infrastructure in recent years, and most researchers have pointed the attribution finger squarely towards APTs such as BlackEnergy and threat actors behind malware Bad Rabbit and Petya/ExPetr. However, in this case, the attack seems to be financially motivated.
Researchers suspect that the incident was two-pronged: First, a hacker (going by the handle “X-zakaria,” according to researchers at AlienVault quoted in a BBC report) was able to deface the website, while a second hacker then used the first actor’s backdoor to go in and encrypt the website’s files. The English-language ransom note is demanding 0.1 bitcoin, or about $928 as of this time of writing.
Limited Damage, Limited Skill
Ukrainian cyber-police spokeswoman Yulia Kvitko called the damage “isolated”, resulting in the defacement and locking up of the ministry website. She told Reuters that the attacks didn’t affect other government systems or the country’s state-run energy companies.
“This case is not large-scale. If necessary, we are ready to react and help,” Kvitko said. “Our specialists are working right now … We do not know how long it will take to resolve the issue. Ukrenergo, Energoatom – everything is okay with their sites, it’s only our site that does not work.”
“From what has been seen, it is clearly multiple cyber-actors, possibly working together, or not, though it’s likely they have been in communication at the minimum,” Joseph Carson, chief security scientist at Thycotic, told Threatpost.
He added that while the incident shows little advanced skill, it shouldn’t be discounted: “It’s very likely that the cybercriminals behind this recent cyberattack against the Ukrainian Energy Ministry are testing their new skills in order to improve for a bigger cyberattack later, or to get acceptance into a new underground cyber-group that requires showing a display of skills and ability,” said Carson.
It’s also interesting to note that the attack used ransomware, which at this point seems almost a throwback threat vector; recently, cryptomining has gained top billing for financially motivated types, thanks to the skyrocketing value of virtual currencies.
“Ransomware has been waning as an overall attack vector, with only one device in every 10,000 showing signs of ransomware for the period of August 2017 through January 2018,” Mike Banic, vice president of marketing at Vectra, told us. “The WannaCry attack collected approximately $72,000 in ransom. The industry responded to the NotPetya and WannaCry attacks by patching Windows systems to remove the Eternal Blue exploit and bolstering their data backup and recovery programs. As ransomware started to wane in 2017, we saw a rise in cryptomining, which has been prevalent in higher-education, technology companies and healthcare organizations.”
An Avoidable Attack: Drupal Vulnerability Exploited
The attackers appear to be exploiting Drupalgeddon2, a highly critical remote code execution bug affecting most Drupal sites, which was disclosed at the end of March (and since patched). That bug is now being actively exploited by hackers stocked with automated tools, including a newly uncovered botnet, dubbed Muhstik, that we reported on yesterday.
Drupal also announced this week that a new vulnerability (details are scant) is being patched April 25.
“Looking over the Internet archive of this site, it appears that they were running Drupal 7, which is currently under active attack by automated attackers armed with Drupalgeddon2 exploits,” Craig Young, security researcher at Tripwire, said via email. “It is also possible (although less likely) that someone is already exploiting CVE-2018-7602 which the Drupal team announced just yesterday, but has yet to provide a public fix.”
Organizations – especially those running critical, strategic networks, it goes without saying – should know that off-the-shelf content management systems like Drupal, WordPress and Joomla are widely deployed and a key target of automated exploits. In fact, these platforms may start seeing exploitation within days or even hours of a critical disclosure, added Young: “These public facing systems must be a top priority for infosec teams.”