Team82 Blog / 4 min read
Biomanufacturing facilities are being urged to inspect their industrial networks—many of which are used in the production of critical medicines, vaccines, and other applications—for signs of a newly disclosed advanced attack designed to steal intellectual property.
Nicknamed Tardigrade, the attacks are spreading among biomanufacturing companies, according to the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC). The malware is highly customizable, adapts to the environment it has infected, and can act autonomously if cut off from the attackers' command-and-control server, said researchers from BioBright.
BioBright, a BIO-ISAC member, investigated attacks at two facilities, one this spring and another in October. In a strange twist, both facilities initially reported ransomware attacks on their networks; the noisy nature of ransomware is in stark contrast to the inherently stealthy nature of this malware.
BIO-ISAC released some technical details about these attacks yesterday; given that the group says the attacks are ongoing, users in this industry need to be vigilant about cutting off the intruders' access to these critical networks.
Here's what you need to know:
Tardigrade is polymorphic malware: an advanced malware technique in which the code changes depending on its environment in order to avoid detection. According to an article in Wired, one BioBright analyst said she conducted dozens of tests on the malware, and each time it compiled differently and communicated uniquely with command-and-control servers. If that backdoor access is somehow cut off, the malware will continue to deploy its payloads.
Polymorphic malware is advanced, but not uncommon. Tardigrade stands out because, according to details released by BIO-ISAC, it is able to recompile its loader from memory and not leave a consistent signature. This would complicate detection efforts.
The malware is delivered via numerous vectors, including phishing emails and infected USB drives. It uses a malware loader known as SmokeLoader, or Dofoil, to inject modules onto compromised machines, including keyloggers and password-stealing utilities. It also creates a backdoor connection that allows for downloading files and commands from the attacker's server, deploying additional attack modules, and remaining hidden on the network. Its purpose is espionage, and BioBright and BIO-ISAC believe it's the work of an advanced persistent threat (APT) group, likely state-sponsored.
SmokeLoader, meanwhile, has been available on underground forums for a decade. It's been linked to numerous attacks, including some involving cryptocurrency mining and data exfiltration. It's armed with numerous plug-ins that enable persistence on compromised networks, as well as tools that ensure its stealthiness, including some that obfuscate values in the malware and routines designed to determine whether it's executing within a virtual machine, which would indicate that it's been found and quarantined.
According to BIO-ISAC's report, the version of SmokeLoader used by Tardigrade is more autonomous than previous versions and can make decisions on lateral movement or file manipulation based on internal logic. The BIO-ISAC report has made a list of indicators of compromise available, as well as detection statistics; 34 of 69 antimalware vendors detect it as malicious as of yesterday.
The concern is that COVID-19 vaccines and treatments are being developed within this sector, and since the start of the pandemic, espionage efforts targeting these companies have ramped up. BioBright CEO Charles Fracchia declined to connect the victims to Covid-19 research, according to Wired, but said their processes play a role.
Stealing private research related to Covid-19 vaccines, for example, would significantly reduce an adversary state's research-and-development time and costs.
Biomanufacturing companies should scan their networks for indicators of compromise pointing to a Tardigrade infection.
Proper network segmentation is a key mitigation step for operators of industrial networks, including as a tactic for fending off Tardigrade. Operational technology networks should be segmented from enterprise networks, and any crossover points between IT and OT should be guarded.
Segmentation likely would involve virtual zoning that allows for zone-specific policies that are tailored to engineering and other process-oriented functions. The ability to inspect traffic and OT-specific protocols is also crucial to defend against anomalous behaviors.
Visibility into remote access is also essential. These connections should be monitored and audited for anomalous activity; shared passwords should be discouraged, and two-factor authentication should be enabled.
Secure remote access solutions must not only alert on suspicious activities, but also provide the capability to investigate specific sessions, either live or on-demand, and allow administrators to respond by either disconnecting a session or taking another action to contain or remediate damage.
BIO-ISAC recommends backups for key segments of the infrastructure, including ladder logic for biomanufacturing instrumentation, SCADA and historian configurations, and the batch record system.
CWE-285: IMPROPER AUTHORIZATION
Certain MQTT wildcards are not blocked on the system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 6.5
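As an added illustration of why unblocked wildcards matter (this is not code from the advisory or from the PowerPanel product), the following Python models the broker-side subscription check a management server should apply; the devices/<id>/... topic layout and the device names are assumptions.

```python
import re

# MQTT topic-filter rules: '#' matches any number of trailing levels and
# must be the last level on its own; '+' matches exactly one whole level.
_LITERAL_LEVEL = re.compile(r"^[^#+]*$")

def is_valid_filter(topic_filter):
    """Reject malformed filters such as 'a/#/b' or 'a+/b'."""
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        if level == "#":
            if i != len(levels) - 1:
                return False
        elif level != "+" and not _LITERAL_LEVEL.match(level):
            return False
    return True

def filter_matches(topic_filter, topic):
    """True if a concrete topic matches a filter."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return True
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def exposed_topics(topic_filter, topics):
    """Which of the given topics a subscription to this filter would receive."""
    return [t for t in topics if filter_matches(topic_filter, t)]

def authorize_subscribe(device_id, topic_filter):
    """Broker-side check: allow the subscription only if every topic the
    filter can match lies under devices/<this device>/ (assumed layout)."""
    if not is_valid_filter(topic_filter):
        return False
    levels = topic_filter.split("/")
    # The first two levels must be literal: a wildcard in the device-id
    # level, or a bare '#', would match every other device's topics.
    return (len(levels) >= 3 and levels[0] == "devices"
            and levels[1] == device_id)

# Constructed topic namespace for two managed devices.
TOPICS = ["devices/ups-01/status", "devices/ups-01/telemetry",
          "devices/ups-02/status", "devices/ups-02/telemetry"]
```

exposed_topics shows the blast radius of a filter the broker lets through; authorize_subscribe is the check that confines a compromised device to its own subtree.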
CWE-321: USE OF HARD-CODED CRYPTOGRAPHIC KEY
The devices Power Panel manages use identical certificates based on a hard-coded cryptographic key. This can allow an attacker to impersonate any client in the system and send malicious data.
CVSS v3: 6.5
CWE-89: IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION')
An attacker with certain MQTT permissions can create malicious messages to all Power Panel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code.
CVSS v3: 8.8
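An added example, not the PowerPanel code, of the MQTT-to-SQL path this entry describes: a constructed status handler that splices message fields into SQL, next to a parameterized one that also ties the record to the topic the broker authorized. The table layout, topic names and payload format are assumptions.

```python
import json
import sqlite3

# Stand-in for a management server's MQTT message handler: each managed
# device publishes a JSON status on devices/<id>/status (assumed layout)
# and the server records it in an events table.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (device TEXT, status TEXT)")
    return conn

def handle_vulnerable(conn, topic, payload):
    """Payload fields are spliced into the SQL text, so a quote in the
    message changes the statement instead of being stored as data."""
    msg = json.loads(payload)
    sql = (f"INSERT INTO events VALUES "
           f"('{msg['device']}', '{msg['status']}')")
    conn.execute(sql)
    conn.commit()

def handle_hardened(conn, topic, payload):
    """Bind values as parameters, and take the device id from the topic
    the broker authorized rather than trusting the message body."""
    device = topic.split("/")[1]
    msg = json.loads(payload)
    if msg.get("device") != device:
        raise ValueError("device id in payload does not match topic")
    conn.execute("INSERT INTO events VALUES (?, ?)",
                 (device, str(msg["status"])))
    conn.commit()

def rows(conn):
    return conn.execute(
        "SELECT device, status FROM events ORDER BY device").fetchall()

# Constructed message whose status field closes the VALUES tuple and
# appends a forged row for another device when spliced into SQL text.
CRAFTED = json.dumps({"device": "ups-01",
                      "status": "ok'), ('ups-02', 'forged"})
```

With the vulnerable handler the crafted message yields two rows, one for a device that never spoke; the hardened handler stores the same string literally as one row.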
CWE-257: STORING PASSWORDS IN A RECOVERABLE FORMAT
The key used to encrypt passwords stored in the database can be found in the application code, allowing the passwords to be recovered.
CVSS v3: 4.9
CWE-489: ACTIVE DEBUG CODE
Hard-coded credentials for the test server can be found in the production code. This might result in an attacker gaining access to the testing or production server.
CVSS v3: 9.8