Manufacturing Cybersecurity Threat Index FINAL
TABLE OF CONTENTS
OVERVIEW
CONCLUSION
OVERVIEW
Employing about 15 million people in the U.S. and U.K., there’s no doubting the substantial role that the manufacturing industry plays in both economies. It accounts for about a tenth of the $22 trillion U.S. GDP, while the U.K. calls itself home to the ninth largest manufacturing industry in the world. Therefore, it’s hardly a surprise that cybercriminals have long targeted manufacturing companies within both countries. However, during the COVID-19 pandemic, the industry has seen a widespread uptick in cyberattacks.

While overall enterprise attacks tripled during the pandemic’s peak, the manufacturing sector was hit especially hard. It reported the highest number of ransomware attacks in 2020. Manufacturers increasingly found themselves at the mercy of state-sponsored cyber attackers looking to probe national vulnerabilities, gather intelligence, and exploit money. Indeed, during a year when the national security of both countries was at the forefront of people’s minds, cybercriminals felt like they had a lot to gain from infiltrating key manufacturing businesses and their critical IP.

Worse yet, the economic impact that these nefarious parties pose continues to increase with the cost of the ransomware damage inflicted growing into the millions, as hackers take advantage of an industry that needs to be operational 24/7 and therefore may pay quickly to regain control of their systems and minimize extended downtime. And although the takedown of the Emotet botnet in January brought some celebration, scattered pockets of less familiar but equally aggressive cybercrime groups have emerged in its aftermath leveraging both ransomware and infostealers to target manufacturing companies in new ways. For instance, Acer, the computer manufacturer, was hit with a bold $50 million ransomware demand in March of this year from the REvil/Sodinokibi ransomware group.

Given the gravity of the cybersecurity threat facing manufacturers today — and as we continue to assist these organizations with securing their valuable IP — Morphisec combined internal data on the manufacturing attack landscape with an external survey of 567 manufacturing employees across the U.S. and U.K. in April to inform our inaugural Manufacturing Cybersecurity Threat Index. The report aims to dig deeper into this persistent and evolving cybersecurity threat and explore how the rising number of breaches targeting organizations’ IP and the risk of ransomware shutting operations down is impacting professionals’ views towards security.

Here’s what we found.
Adversaries targeting the manufacturing industry have become adept at bypassing best practice allow-listing products and configurations by leveraging already allow-listed processes. While many of these organizations have safeguards in place, there’s still a large percentage of manufacturing executives that lack confidence that their IP assets are adequately protected.
These types of infostealer and financially motivated attacks, which have been common in the financial
sector, now target manufacturing companies for espionage. Unlike ransomware, which can be sudden
and render short-term gains for adversaries, malware is deployed as part of a long-term campaign
seeking access to specific proprietary information.
ENDPOINTS
Based on Morphisec analysis of attempted attacks against the manufacturing endpoints it is deployed on, there was a much higher level of attempted infostealers and bankers in the past twelve months (March 2020-March 2021), versus the prior twelve months. In fact, infostealers and bankers made up the highest percentage of attempted attacks during this period (31%).

This was followed by fileless and unknown attacks that detection-centric AV can’t stop (28%). However, the number of fileless attacks was consistent with the prior twelve months and Morphisec did not notice any major uptick with these types of attacks. Comparatively, ransomware (13%) and supply chain (8%) attack attempts on endpoints saw a marked increase over the last twelve months.

SERVERS
Based on Morphisec analysis of attempted attacks against servers it is deployed on within manufacturing organizations, manufacturers experienced more attempted exploits focused on initial access year-over-year. This was the most active type of attempted attack on manufacturing servers (30%) as exploits targeted BlueKeep and SMBGhost.

Ransomware (15%) was also incredibly popular for attackers when it came to being used against the servers within manufacturing organizations. This included human-operated ransomware that leveraged cybercriminal personnel to direct the ransomware while it’s in the target’s systems. In some of these cases, Morphisec observed that cybercriminals were even able to exfiltrate data without encrypting it, illustrating a new pattern that shows human-operated ransomware attacks have indeed increased.
Our survey of 567 manufacturing employees across the U.S. and U.K. reveals that one-in-five manufacturing companies in the U.S. and U.K. have been the victim of a cyberattack in the last 12 months. Furthermore, the cadence of these attacks is increasing. Of the one-in-five organizations that told Morphisec they’ve fallen victim in the last year, about a quarter (24%) reported that cyberattacks against them occur weekly and 35% say they’re targeted monthly.
In addition, 70% of all manufacturing professionals note that they believe manufacturers are being targeted more since the onset of the pandemic, which is a fair assumption to make. After all, the manufacturing industry is one that’s operationally ‘always on,’ which makes manufacturers an attractive target for money-hungry operators more than willing to deploy ransomware and malware infostealers to boost their profits. These cybercriminals are largely motivated by the fact that manufacturers can’t afford any downtime. Manufacturers therefore often feel like they have no choice but to pay ransoms quickly to avoid further damage.
The reality is, however, that while the percentage of manufacturing professionals that have reported
a cyberattack on their company in the last year is worrying, it’s likely only the tip of the iceberg. For
instance, Morphisec found that just 28% of manufacturing employees surveyed are aware their
organizations have been a victim of a cyberattack ever. Although a substantial number given the size
of the manufacturing industries in the U.S. and U.K., the actual figure is likely much more than this
considering professionals that work in areas outside IT might not be aware of every attack.
As we previously noted, our internal attack landscape data indicates that malware and infostealers
represented almost a third (31%) of all attacks against manufacturers’ endpoints over the last twelve
months, by far the most common method we identified. Our data also shows that manufacturing
organizations are almost 2.5 times more likely to be targeted by infostealers than ransomware.
Our survey of manufacturing employees largely corroborates that data. When those who reported
attacks within the last 12 months were asked what type of attack their organization experienced,
malware or infostealer was the top answer (40%). This was followed by phishing or a fraudulent business
attempt (20%), ransomware (17%), a DDoS attack (12%), or multiple types of attacks (4%).
The time they said their manufacturing organization needed to recover from these attacks was up to a
week in most cases (53%) and two weeks for almost a fifth of incidents (18%). On the more extreme end,
5% of respondents noted that their organization needed 15 to 21 days to recover from their attack and
8% stated that time to recovery was even longer than this. What’s worth noting in these most severe
cases where organizations needed three weeks or more to recuperate, is that respondents said their
organization was the victim of ransomware.
Although these sobering threats are certainly not limited to the manufacturing industry, cyberattackers
are acutely aware of the data manufacturing facilities have on hand. In fact, some cybercrime groups
have even been using ransomware as a smokescreen for cyberattacks designed to steal intellectual
property, increasing the damage that they can inflict in the long-run as they bully victims by threatening
to leak data if they don’t pay.
Morphisec found that 57% of manufacturing professionals say they’re more worried today about their
organization being targeted for intellectual property by cybercriminals than they were a year ago — a
concern that’s certainly substantiated. In February, Bombardier, a Canadian manufacturer of business
jets, admitted that designs for airplanes and plane parts were available for free on the ransomware gang
Clop’s dark web portal.
An initial investigation revealed that an unauthorized party accessed and extracted data by exploiting a
vulnerability affecting a third-party file-transfer application, which was running on purpose-built servers
isolated from the main Bombardier IT network. Personal and other confidential information relating to
employees, customers and suppliers were also compromised.
Even with the above said, and with the stresses of losing IP well outlined, it’s not manufacturers’ biggest
concern in this cybersecurity crisis. A ransomware attack that shuts down production and delays, limits,
or prohibits access to the network is what manufacturing professionals say their organization is most
worried about (35%). This is exactly what happened to Honda last June when a breach forced it to put the
brakes on its production activities.
Meanwhile, a third (33%) of manufacturing professionals say that a malware or data breach that
compromises customer information (like the colossal 2015 attack on undergarment manufacturer
HanesBrands that stole 900,000 customer records) is their biggest concern. This is followed by a
data breach that compromises IP (20%), and an attack that gains access to IoT equipment on the
manufacturing floor (10%).
The pandemic causing millions of employees to work from home in some capacity has only added to the
complexity of this cybersecurity crisis. And the manufacturing industry is no different. More than three-
quarters (76%) of manufacturing professionals told Morphisec that they’ve had at least some colleagues
working remotely and from home during Covid.
But with even the largest manufacturing companies dealing with limited IT resources and security teams, these assets moving to remote environments have only complicated their security setups and exacerbated existing vulnerabilities. For example, Morphisec’s WFH Employee Cybersecurity Threat Index uncovered that while 56% of remote workers have been using their personal computers for work, less than a quarter don’t even know what security protocols are installed on their devices. These are stats that are sure to make cybercriminals’ mouths water as they represent an opportunity to target weakened networks for easy access to valuable IP.
As a result, the enterprise’s security perimeter has vanished and the IT team’s task of protecting
their organizations from attack becomes significantly more difficult. This is especially true given the
unprecedented surge in attacks that their entire industry has been dealing with since the pandemic’s
onset. Of respondents to our survey that said they had colleagues working remotely, nearly two-thirds
(64%) said they believe it has increased the risk of a cybersecurity breach against their organization.
These employees are likely influenced by a seemingly never-ending wave of headlines detailing similar
attacks against government agencies and private companies, many of which have been state-sponsored.
CISA recently issued an emergency directive after the United States experienced its third severe and
distinct cyberattack in the span of just a few months, with the latest pointing to China and targeting
remote workers across the country. The hackers intruded on the target’s devices through Pulse Secure,
a program that connects workers to their offices as they work remotely, before planting backdoor
programs that allowed them to spy on the network for a period of time. It resulted in them gaining access
to major U.S. companies and government agencies.
The fact that these threat actors could so easily infiltrate the United States government should only
stimulate manufacturers to tighten their security stacks and train their employees or risk falling victim,
too. As they continue to work in hybrid environments, an inefficient shift to cloud services and improperly
secured corporate VPNs can all lead to the loss of irreplaceable IP and employee and customer data, as
well as, of course, potentially millions of dollars in damages.
THE THREAT
In January 2021, Morphisec identified a significant campaign
targeting multiple German customers from the manufacturing
industry. Targeted personnel were redirected to compromised
websites that were, and still are, delivering advanced fileless
downloaders that eventually lead to an Osiris client with a bundled
mini-Tor communicating to a C2 onion Tor panel.
THE TAKEAWAY
The Osiris trojan attacking German IP addresses continues the trojan’s historical use. The Morphisec platform blocks
Osiris with a zero-trust default-deny approach to endpoint security. Customers of Morphisec are thus protected from
Osiris, regardless of what defense evasion techniques the authors deploy.
THE THREAT
In November 2020, Morphisec identified (and prevented) a new .NET infostealer variant called Jupyter, during
what began as a routine incident response process. Jupyter is an infostealer that primarily targets Chromium,
Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional
capabilities for full backdoor functionality. These include:
• a C2 client
• download and execute malware
• execution of PowerShell scripts and commands
• hollowing shellcode into legitimate Windows configuration applications.
Upon execution of the installer, a .NET C2 client (Jupyter Loader) is injected into memory. This client has a well-defined communication protocol and versioning matrix, and has recently included persistence modules.
The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter .NET module. Both of the .NET components have similar code structures, obfuscation, and unique UID implementation. These commonalities indicate the development of an end-to-end framework for implementing the infostealer.
THE TAKEAWAY
Morphisec has monitored a steady stream of forensic data to trace multiple versions of Jupyter starting in May
2020. While many of the C2s are no longer active, they consistently mapped to Russia when we were able to
identify them.
This is not the only piece of evidence that this attack is likely Russian in origin. First, there is the noticeable
Russian to English misspelling of the planet name. Additionally, Morphisec researchers ran a reverse Google
Image search of the C2 admin panel image and were not surprised to find the exact image on Russian-language
forums.
Jupyter and similarly evolving attacks make clear the fundamental issue with detection-centric tools because
they show that the adversary can consistently iterate on their attack to stay ahead of the defender. Morphisec
customers are secured against unknown attacks like this without needing to detect any portion of the attack
chain through the zero trust runtime environment for workstations, VDI, servers, and cloud workloads.
THE THREAT
Starting in March 2020, the Morphisec team began tracking an obfuscated VBScript package in campaigns. Initially, the malware campaign was focused on targets within Germany, but moved on to additional targets -- excluding any IP address within Russia or North Korea. These VBScripts started with delivering Zloader, as previously identified, but have quickly evolved into a delivery mechanism for trojans like Ursnif, Qakbot, and Dridex in addition to Zloader.
The danger here is that the VBScript interpreter comes pre-loaded onto every Windows operating system, and has done so since Windows 98. For interpreted languages like VBScript, JavaScript, or really any text-based script, it will always be difficult for scanners to determine whether the code is malicious or not. The reason behind this is that there is an endless number of possibilities to represent the same command or result.
Inside the zip file attachment is a heavily obfuscated Visual Basic Script file with a low detection rate. ExecuteGlobal commands receive a string as an argument and execute the commands in the string. In this case, the argument is in the form of an array that is being converted to a string using mathematical character manipulation. Those strings are functions that are later used by the script. This obfuscation method can be easily extracted by replacing ‘ExecuteGlobal’ with ‘WScript.Echo’, so the decoded source is printed instead of executed.
The first function calls are used for anti-analysis and anti-virtual-machine checks. If one of the following evasive checks detects that it is running under a virtual machine or analysis environment, the attacker logs the IP, deletes the script, and pops a fake error message. It also checks if the VBScript is running on an already infected machine by checking whether its marker artifact is present. If it detects that it is running on an infected machine it will pop a fake error message, delete the script, and exit. If not, it will create a new shortcut to mark the infected machine with the new campaign. Finally, the script drops a zip folder, containing a payload, by using the same decoding technique as used for decoding functions. It then unzips the folder and runs the payload.
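The static counterpart of the WScript.Echo trick above, as an added analyst helper that is not part of the report: it parses the integer arrays and the per-character Chr() arithmetic that feed ExecuteGlobal and recovers the hidden source without running the script. The VBScript sample, array contents and the two transforms (subtract 42, Xor 19) are constructed for this example and are assumptions, not the real campaign’s encoding.

```python
import re

# Constructed, benign sample in the shape the report describes: integer arrays are
# turned back into text one character at a time and the result is handed to
# ExecuteGlobal. The array values and transforms are invented for this example.
SAMPLE_VBS = r'''
Dim a1, a2, s1, s2, i
a1 = Array(129,125,141,156,147,154,158,88,111,141,146,153,74,76,142,143,141,153,142,143,142,76)
a2 = Array(94,96,116,81,124,107,51,49,86,97,97,124,97,49)
For i = 0 To UBound(a1): s1 = s1 & Chr(a1(i) - 42): Next
For i = 0 To UBound(a2): s2 = s2 & Chr(a2(i) Xor 19): Next
ExecuteGlobal s1
ExecuteGlobal s2
'''

# name = Array(n, n, ...)
ARRAY_RE = re.compile(r'(\w+)\s*=\s*Array\(([\d\s,]+)\)', re.IGNORECASE)
# target = target & Chr(source(i) <op> <key>)   with op in + - Xor
CHR_RE = re.compile(
    r'(\w+)\s*=\s*\1\s*&\s*Chr\(\s*(\w+)\(i\)\s*(\+|-|Xor)\s*(\d+)\s*\)', re.IGNORECASE)
EXEC_RE = re.compile(r'ExecuteGlobal\s+(\w+)', re.IGNORECASE)

OPS = {'+': lambda v, k: v + k, '-': lambda v, k: v - k, 'xor': lambda v, k: v ^ k}


def decode_arrays(script):
    """Return {string_var: decoded_text} for every Chr() loop over a known array."""
    arrays = {name: [int(x) for x in body.split(',')]
              for name, body in ARRAY_RE.findall(script)}
    strings = {}
    for target, source, op, key in CHR_RE.findall(script):
        if source in arrays:
            fn, k = OPS[op.lower()], int(key)
            strings[target] = ''.join(chr(fn(v, k)) for v in arrays[source])
    return strings


def recover_executeglobal(script):
    """Decoded source for each ExecuteGlobal argument, in script order."""
    strings = decode_arrays(script)
    return [strings[name] for name in EXEC_RE.findall(script) if name in strings]


def neutralize(script):
    """Dynamic alternative from the report: print the decoded stage instead of running it."""
    return re.sub(r'\bExecuteGlobal\b', 'WScript.Echo', script, flags=re.IGNORECASE)


if __name__ == '__main__':
    for stage in recover_executeglobal(SAMPLE_VBS):
        print('decoded stage:', stage)
```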
THE TAKEAWAY
Simple obfuscation, or even less-simple obfuscation, of interpreted languages like VBScript is just enough for attackers to bypass scanning solutions. The simple reason is that, because these are text-based languages, the number of possibly suspicious terms is endless.
No matter what obfuscation is used, however, Morphisec prevents the execution of the evasive payload, such
as Zloader, Ursnif, Qakbot, or Dridex, before any damage is done.
CONCLUSION
Threat actors have never let a good crisis go to waste. Whether it’s COVID-19 or some other crisis,
phishing and targeted phishing emails will continue to target manufacturing companies to drive clicks
to create a foothold in their organizations. Companies need to be aware of these and other types of
phishing emails, which will continue to become more targeted toward specific organizations and less like
the “spray and pray” emails of the past.
Similarly, ransomware will continue to evolve in the year ahead. We expect to see a greater trend toward
double-extortion attacks as well as human-operated ransomware that includes time at the keyboard
directing the ransomware program itself. In some cases, in fact, threat groups have started cold-calling
their ransom targets to dissuade them from installing new security solutions in a bid to ensure that they
receive their fees.
Although security budgets have increased, the reality is that we are no more secure than 10 years ago.
The continual evolution in attack techniques necessitates a new approach -- one focused not on detecting
malicious actions and quickly remediating them -- but instead one that emphasizes reducing the attack
surface through proactive defense and a zero trust endpoint strategy. Only then can manufacturing
companies truly begin to reduce the risk of their critical infrastructure being locked up by a debilitating
attack.
ABOUT MORPHISEC
Morphisec delivers an entirely new level of innovation to customers with its patented
Moving Target Defense technology – placing defenders in a prevent-first posture against
the most advanced threats to the enterprise, including APTs, zero-days, ransomware,
evasive fileless attacks and web-borne exploits. Morphisec provides a crucial, small
footprint zero trust memory-defense layer that easily deploys into a company’s existing
security infrastructure to form a simple, highly effective, cost-efficient prevention stack
that is truly disruptive to today’s existing cybersecurity model.