fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Hackers Target Biomanufacturing with Stealthy Tardigrade Malware

Hackers Target Biomanufacturing with Stealthy Tardigrade Malware

UPDATE: An update has been added to the article reflecting concerns security researchers have with the report.

​An advanced hacking group is actively targeting biomanufacturing facilities with a new custom malware called ‘Tardigrade.’

The actor uses the custom malware to spread in compromised networks and exfiltrates data for extensive periods without being noticed.

According to an advisory published by Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) today, the actor has been actively targeting entities in the field since the Spring of 2021.

Also Read: 5 Signs On How to Know if Ransomware is on Your Computer

Tartigrade attack timeline
Tartigrade attack timeline
Source: BIO-ISAC

BIO-ISAC member BioBright told Wired that the first noticeable signs of these attacks came in the form of peculiar ransomware infections, where the actors left ransom notes that didn’t indicate a sincere interest in receiving any payments.

The purpose of these ransomware deployments was likely to conceal the drop of the actual payload, a metamorphic malware that would nest in the compromised systems, spread like a worm, and exfiltrate files.

Metamorphic ‘SmokeLoader’

BIO-ISAC explains that the threat actors use a custom metamorphic version of ‘SmokeLoader’ named ‘Tartigrade,’ that is delivered via phishing or USB sticks that somehow found their way on the premises of the target organizations.

The malware is particularly interesting in the sense that it can recompile the loader from memory without leaving a consistent signature, so it’s a lot harder to identify, trace, and remove.

The SmokeLoader acts as a stealthy entrance point for the actors, downloading more payloads, manipulating files, and deploying additional modules.

Past SmokeLoader versions relied heavily on external direction, but this variant can operate autonomously and even without a C2 connection.

Even if the C2 is down, the malware continues to move laterally based on internal logic and advanced decision-making abilities, even having the ability to selectively identify files for modification.

Also Read: How COVID-19 Contact Tracing in Singapore Applies at Workplace

As of October 25, 2021, BIO-ISAC reports that SmokeLoader can stay hidden from roughly half of the AV engines used in Virus Total.

VirusTotal results against SmokeLoader
VirusTotal results against SmokeLoader
Source: BIO-ISAC

Defending against attacks

The goal of the threat actors is cyber-espionage and possibly also operational disruption, but their malware can be a persistent problem for the infected systems even if it can no longer communicate with command and control servers.

The BIO-ISAC report recommends the following practices to following standard network segmentation practices, keeping offline backups of key biological infrastructure, and inquiring about lead times for critical bio-infrastructure components.

  • Review your biomanufacturing network segmentation
  • Work with biologists and automation specialists to create a “crown jewels” analysis for your company
  • Test and perform offline backups of key biological infrastructure
  • Inquire about lead times for key bio-infrastructure components
  • Use antivirus with behavioral analysis capabilities
  • Participate in Phishing detection training
  • Stay vigilant

Using security software with strong behavioral analysis capabilities is recommended, so even if SmokeLoader changes signature and exfiltration methods, the suspicious behavior could be detected and raise alarms.

At this time, the attribution remains unclear, so the origin of these attacks is unknown.

Security researchers dispute BIO-ISAC’s report

After publishing this article, BleepingComputer was contacted by security researchers who were concerned about the veracity of BIO-ISAC’s report and the technical data presented within it.

As part of the report, BIO-ISAC linked to a intserrs644.dll file submitted to VirusTotal and indicated that this was the new Tardigrade malware loader based on SmokeLoader.

However, Advanced Intel’s Vitali Kremez and other researchers who have spoken to BleepingComputer state that this DLL is actually a Cobalt Strike HTTP beacon packed using Conti’s crypter, and has no relation to SmokeLoader.

BleepingComputer has emailed BIO-ISAC and BioBright with questions about sample shared in the report and have not heard back at this time.

Update 11/23/21: Updated story with clarifications from BioBright that the malware is named ‘Tartigrade’ and that their included timeline of attacks are not those attributed to the threat actor. We have revised our story accordingly.

A new section has also been added with concerns security researchers have regarding the report.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us