ADYLKUZZ

Date First Appeared

April 2017

Impact

Copycat of WannaCry; leveraged NSA-developed advanced hacking tools.

Attack Details

  • Exploited SMB vulnerability in Microsoft
  • Memory exploitation toolkits EternalBlue and DoublePulsar
  • Closed SMB ports to block competing malware

Virsec Protection

  • Stops memory corruption attacks and buffer overflow exploits
  • Detects and stops DLL Injection
  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target

BLACKENERGY

Date First Appeared

2014

Impact

Russia-attributed Sandworm group targeted ICS systems globally with DDoS and memory attacks to disrupt industrial enterprises. Variant GreyEnergy appeared in 2018.

Attack Details

  • Entry via spear phishing email
  • Fileless attack installs keylogger to steal credentials
  • Corrupts registry keys
  • DLL injection into running processes and services
  • Hijacks remote command and control (C&C)
  • Modifies firmware to damage ICS equipment

Virsec Protection

  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target system
  • Stops DLL injections

EQUIFAX

Date First Appeared

September 2017

Impact

Massive breach of personal data for over 145 million consumers. The incident and the company's poor response led to the removal of its CEO, CIO and others, and to legal action by multiple US states.

Attack Details

  • Exploited unpatched vulnerability in Apache Struts web servers
  • Gained network access, discovered sensitive databases
  • Exfiltrated data without detection

Virsec Protection

  • Stops exploitation of web server vulnerabilities including Struts
  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target

GLIBC

Date First Appeared

February 2017

Impact

Copycat of WannaCry; leveraged NSA-developed advanced hacking tools.

Attack Details

  • Exploited SMB vulnerability in Microsoft
  • Memory exploitation toolkits EternalBlue and DoublePulsar
  • Closed SMB ports to block competing malware

Virsec Protection

  • Stops memory corruption attacks and buffer overflow exploits
  • Detects and stops DLL Injection
  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target

HAVEX

Date First Appeared

2013

Impact

Russia-attributed APT group launched an espionage campaign targeting US and European ICS systems in the energy, aviation, pharmaceuticals, defense and petrochemical sectors.

Attack Details

  • Entry through cross-site scripting (XSS) vulnerability
  • Installation of Remote Access Trojan (RAT) via fileless scripts
  • RAT hijacks control and establishes remote C&C
  • Repeated lateral movement to find air-gap weaknesses

Virsec Protection

  • Prevents XSS attacks in milliseconds
  • Detects and stops execution of fileless scripts

HEARTBLEED

Date First Appeared

2014

Impact

Security bug in the OpenSSL crypto library affected millions of popular TLS-enabled installations; it forced massive patching and led to sporadic exploits.

Attack Details

  • Enters by connecting to malicious/attacked remote server
  • Design error in protocol

Virsec Protection

  • Lexar matching of PII in HTTP Response

INDUSTROYER

Date First Appeared

December 2016

Impact

Targeted Ukraine’s power grid, disabling power in Kiev for hours. Considered a large-scale test for future ICS attacks.

Attack Details

  • Entry via social engineering to gain foothold
  • Fileless attack inserts Trojan to open backdoor
  • Memory corruption attack hijacks systems
  • Connects to bad actor’s C&C
  • Targets specific ICS equipment and protocols

Virsec Protection

  • Prevents memory corruption triggered by buffer error vulnerability
  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target

NOTPETYA

Date First Appeared

June 2017

Impact

Massive global disruption and billions in losses for industrial companies including Maersk, FedEx, Merck, Saint-Gobain and others. Rather than functioning as ransomware, it focused on disabling systems.

Attack Details

  • Downloaded via software update package
  • Memory corruption toolkits: EternalBlue for servers; EternalRomance and DoublePulsar used for further exploitation
  • Infects Windows services and master boot records
  • Encrypts hard drive file system and services
  • Propagated downstream via open SMB shares
  • Triggers restart to lock machine and start corrupted services

Virsec Protection

  • Stops memory corruption toolkits from exploiting processes
  • Detects and stops DLL Injection
  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target

SHAMOON

Date First Appeared

2012

Impact

Apparently intended for cyber warfare, the malware can spread from an infected machine to other systems on the network. Viewed as the “biggest hack in history” at the time, it was used against Middle Eastern oil & gas companies.

Attack Details

  • Entry via spear phishing of targeted businesses
  • Fileless attack using PowerShell establishes remote C&C
  • Privilege escalation to access critical systems
  • Malware overwrites master boot record to make machines unusable

Virsec Protection

  • Stops fileless malware attacks
  • Prevents memory corruption through buffer error vulnerability and subsequent privilege escalation
  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target system

SHARP SHOOTER

Date First Appeared

October 2018

Impact

Leverages multiple types of malware from the Lazarus Group to create backdoors and infiltrate critical industries.

Attack Details

  • Decoy and malicious docs downloaded from Dropbox
  • Implants fileless in-memory malware
  • Retrieves a second-stage implant (Rising Sun)
  • Duuzer Trojan used to open backdoor

Virsec Protection

  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target

SHELL SHOCK

Date First Appeared

2014

Impact

Family of backdoor bugs allowed remote attackers to execute arbitrary commands on millions of web servers.

Attack Details

  • Enters by connecting to malicious/attacked remote server
  • Exploits command injection vulnerability in the Unix Bash shell

Virsec Protection

  • Prevents command injection attacks

SPECTRE & MELTDOWN

Date First Appeared

January 2018

Impact

Exposed vulnerabilities affecting billions of processors deployed over the last 20 years, and caused massive disruption, patching problems and firmware upgrades.

Attack Details

  • Exploits flaws in speculative execution
  • Repeatedly exposes data to side-channel attacks
  • Over 20 variants have been documented

Virsec Protection

  • Only solution to protect applications from Spectre & Meltdown
  • Detects exploits of speculative execution
  • Terminates side channel attacks

TRITON / TRISIS

Date First Appeared

January 2018

Impact

Targeted attack on a Middle Eastern oil company caused downtime, disruption and significant financial loss.

Attack Details

  • Social engineering to gain foothold
  • File-based malware corrupts memory on engineering workstations
  • Fileless malware targets firmware of specific ICS controllers
  • Executes rogue commands on “altered” PLCs through SCADA servers

Virsec Protection

  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target system
  • Prevents ICS workstations from attacking downstream controllers

WANNACRY

Date First Appeared

May 2017

Impact

Massive global ransomware attack impacting 10,000 companies and 230,000 computers in over 150 countries.

Attack Details

  • SMB vulnerability in Microsoft kernel
  • DLL injection to establish backdoor
  • Memory exploitation toolkits EternalBlue and DoublePulsar
  • Endpoint file encryption

Virsec Protection

  • Prevents memory vulnerabilities in code from being exploited
  • Detects and stops DLL Injection
  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target systems