According to the World Bank, the manufacturing industry accounts for about 16% of global GDP, and for as much as 47% of the GDP of some countries. Activities which disrupt such an industry can have impacts which are felt on a global scale.
This makes the frequency of attacks against manufacturing organizations significant well beyond the impact they have on those specific organizations. According to data gathered for the annual NTT Global Threat Intelligence Report (GTIR), manufacturing has historically been one of the most highly attacked industries year after year.
Web, denial of service (DoS), brute force, and a plague of IoT/OT attacks challenge not only manufacturing organizations, but their vendors, suppliers, and transportation providers. At a time when it is even more important that manufacturing organizations manage margin, economies in supply management, and resilient operations, those same organizations are challenged with attacks which can have dramatic impacts on their capability to deliver.
Based on reviewing data from NTT’s GTIR, in the past five years, manufacturing has only been out of the top five most highly targeted industries one year, and by less than 2% of total attacks. Current hostile activity is mostly consistent with historical activity.
From mid-August to mid-September, hostile activity within manufacturing was dominated by DoS and brute force attacks. These attacks tend to show as spikes of transient activity and irregular volume, and can often impact operations.
Globally, 32% of all attacks tend to be some form of web attack (application specific or web application attacks). From mid-August to mid-September, 50% of attacks against manufacturing were web attacks. Throughout 2018, web attacks accounted for 50% of all attacks against these same manufacturing organizations, so the most common types of attacks have not changed significantly. These attacks tend to be highly automated and more common in industries with a strong web presence.
Authentication, authorization, and accounting (AAA) attacks are attempts to bypass proper authentication and authorization to gain access to organizational resources. Researchers observed similar attacks throughout 2018, though AAA attacks and network manipulation attacks against manufacturing have both increased in the past year. Some of these attacks indicate more focused activity from attackers with either a high degree of skill or advanced tools.
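The brute force and AAA activity described above shows up in authentication logs as short bursts of failed logins from one source, sometimes ending in a success. The following detector is an added example written for this article (it is not NTT's code or part of the GTIR tooling); it assumes OpenSSH-style syslog lines, which are constructed here with documentation addresses, and flags a source once it exceeds a threshold of failures inside a sliding time window, then separately flags any successful login from an already-flagged source.

```python
"""Sliding-window brute-force detector over constructed SSH auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog format; host names and addresses
# are documentation values, not real data.
SAMPLE_LOG = """\
Sep 10 08:00:01 plc-gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51312 ssh2
Sep 10 08:00:02 plc-gw sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 51314 ssh2
Sep 10 08:00:02 plc-gw sshd[2203]: Failed password for root from 203.0.113.7 port 51316 ssh2
Sep 10 08:00:03 plc-gw sshd[2204]: Failed password for root from 203.0.113.7 port 51318 ssh2
Sep 10 08:00:04 plc-gw sshd[2205]: Failed password for operator from 203.0.113.7 port 51320 ssh2
Sep 10 08:00:05 plc-gw sshd[2206]: Accepted password for operator from 203.0.113.7 port 51322 ssh2
Sep 10 08:01:10 plc-gw sshd[2210]: Failed password for operator from 198.51.100.20 port 40000 ssh2
Sep 10 08:09:30 plc-gw sshd[2211]: Failed password for operator from 198.51.100.20 port 40002 ssh2
Sep 10 08:20:00 plc-gw sshd[2212]: Accepted password for operator from 198.51.100.20 port 40004 ssh2
"""

# Assumed log format: syslog timestamp, host, sshd[pid], then the OpenSSH
# "Failed/Accepted password for [invalid user] USER from IP port N" message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, result, user, source_ip) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog lines carry no year; relative ordering is all the detector needs.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures within window_seconds.

    A second alert type, 'success_after_burst', marks a successful login from
    a source that was already flagged, which is the case worth triaging first.
    """
    recent = defaultdict(deque)   # source ip -> timestamps of failures in window
    users = defaultdict(set)      # source ip -> user names it tried
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            users[ip].add(user)
            # Drop failures that have aged out of the sliding window.
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip,
                               "failures": len(q), "users": sorted(users[ip]),
                               "at": ts.strftime("%H:%M:%S")})
        elif result == "Accepted" and ip in flagged:
            alerts.append({"type": "success_after_burst", "ip": ip,
                           "user": user, "at": ts.strftime("%H:%M:%S")})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample, the first source trips the threshold on its fifth failure and is then reported again when its "operator" login succeeds one second later; the second source, with two failures eight minutes apart, stays below the window threshold and produces nothing. Tune `threshold` and `window_seconds` to the normal failure rate of the exposed system, and treat the burst-then-success pattern as a credential compromise until shown otherwise.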
Profiling technical attacks
For most industries, the range of vulnerabilities actually exploited and technologies actually attacked is narrow. This is just as true for attacks against manufacturing. Nearly 89% of all exploit attempts in the previous month focused on the top five most targeted CVEs. It is also worth noting that three of the top five CVEs are over two years old and all five CVEs have patches or mitigating controls available.
CVE-2014-6278 is related to Shellshock, and, historically, most of these attacks have been reconnaissance activity to determine if the vulnerability is present.
CVE-2019-9184 is a more recent vulnerability, published in February 2019, and it saw a surge in activity starting in August 2019. This is an SQL injection vulnerability in a popular Joomla! shopping cart extension. Analysis suggests a majority of these detections are blind SQL injection attempts, which are most likely reconnaissance against servers running Joomla!.
CVE-2019-0708 is also known as BlueKeep, a vulnerability in the Remote Desktop Protocol (RDP) available on select Microsoft operating systems. BlueKeep gathered attention when first announced not only because of the potential numbers and variety of affected systems, but because the vulnerability is wormable – making successive infections easier and recovery more challenging. BlueKeep saw a resurgence in attention around 6th September when researchers announced they had created proof of concept code and had implemented exploit code within Metasploit.
As with most industries, manufacturing also faced a wide variety of malware. Observations revealed that, while over 20 malware variants were detected during the month, nearly 74% of all malware detections within manufacturing clients were related to China Chopper. China Chopper is a web shell designed to remotely control web servers.
The manufacturing industry has consistently been among the industries most targeted by malicious actors and trends suggest continued high levels of activity. Though much of the hostile activity now being detected appears to be more focused on reconnaissance, organizations should keep in mind that prolonged periods of reconnaissance are often followed by sustained attacks and other hostile activity. While technical attacks against manufacturing organizations in the August/September timeframe have affected a wide variety of systems, nearly 89% of all detected exploit attempts focus on five vulnerabilities.
Truly mitigating ongoing attacks requires a multi-level security program with a wide variety of overlapping technical and non-technical controls. Focusing on the following recommendations is, however, a start:
- Prioritize patching – especially on critical and exposed systems, and especially for systems affected by the top five vulnerabilities.
- Protect against web attacks. Manufacturing organizations should take actions to protect against the sheer volume of web attacks they are experiencing. Improve internal development processes, vet applications developed by external sources, implement web application firewalls, and perform web app testing to help identify vulnerabilities.
- Review webserver policies and controls. 74% of all detected malware was related to China Chopper, which enables remote management of web servers, so it appears likely that attackers currently regard it as an effective attack vector. It is worth verifying that your organization is not affected by China Chopper and that it is implementing controls which will increase the likelihood of future detection.
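One concrete control behind the last recommendation is a periodic scan of the web root for the one-line "eval the request parameter" pattern that China Chopper and similar minimal web shells consist of. The scanner below is an added example for this article, not NTT's tooling and not an authoritative ruleset: the signature regexes are assumptions covering the documented PHP, ASPX and JSP shapes of that pattern, the file extensions and size limit are assumptions, and the web root it scans is a constructed temporary directory containing one planted indicator beside benign files (including a legitimate `eval` on local data, to show what the rule should not fire on).

```python
"""Scan a web root for minimal web shell indicators (China Chopper style)."""
import os
import re
import tempfile

# Assumed set of server-side script extensions worth inspecting.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx"}

# Assumed signatures for the "evaluate whatever the request carries" pattern
# used by one-line web shells; tune and extend against your own code base.
SIGNATURES = {
    "php_eval_of_request": re.compile(
        r"(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    "aspx_eval_of_request": re.compile(
        r"eval\s*\(\s*Request\.(Item|Form|QueryString)\s*\[", re.I),
    "jsp_exec_of_request": re.compile(
        r"\.exec\s*\(\s*request\.getParameter\s*\(", re.I),
}


def scan_file(path, max_bytes=64 * 1024):
    """Return the name of the first signature that fires on `path`, or None."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes).decode("utf-8", errors="replace")
    except OSError:
        return None
    for name, pattern in SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def scan_webroot(root):
    """Walk `root` and return findings for script files matching a signature."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, fname)
            rule = scan_file(full)
            if rule:
                findings.append({
                    "path": os.path.relpath(full, root).replace(os.sep, "/"),
                    "rule": rule,
                    "size": os.path.getsize(full),
                })
    return sorted(findings, key=lambda f: f["path"])


# Constructed web root contents for the demonstration (not real site files).
SAMPLE_FILES = {
    "index.php": '<?php echo "Parts catalogue"; ?>\n',
    # Benign use of eval on a local template string, no request input: must not fire.
    "lib/template.php": '<?php $tpl = "Hello {$name}"; eval("\\$out = \\"$tpl\\";"); ?>\n',
    # Planted indicator in the documented one-line shell shape: must fire.
    "uploads/cache.php": "<?php @eval($_POST['cmd']); ?>\n",
    # Non-script file, skipped by extension.
    "images/logo.png": "binary placeholder\n",
}


def build_sample_webroot():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Scan the constructed web root and return the findings list."""
    return scan_webroot(build_sample_webroot())


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['path']}: {finding['rule']} ({finding['size']} bytes)")
```

Run against a real web root, the output is a short list of paths to review by hand, compared against the deployed release to see which files are not supposed to exist. The scan complements, rather than replaces, the other controls the recommendation names: a file-integrity baseline of the web root, restrictive write permissions on upload directories, and web server logging that records POST requests to script files so that a shell which evades the signatures still leaves a trail.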