3 minute read time

Drilling into Mining Threats during Cybersecurity Awareness Month

by Micro Focus Employee in CyberRes

October is Cybersecurity Awareness Month, with the theme of 2022 being “See Yourself in Cyber”. No matter what kind of business you’re in, cyberthreats probably affect you in some form or fashion. Awareness is the first step towards action, but with thousands of threats out in the world, what’s the best way to get started? 

Drilling into Mining Threats during Cybersecurity Awareness MonthNarrowing your focus to industry-specific threats is a great way to maximize your efforts, and with CyberRes Galaxy, you can see what matters most to you. I live next to one of the biggest copper mines in the United States, so I searched for threats specific to the mining industry and the North American region. This brought up a list of 34 threats in which mining organizations should be aware, but I got started by researching one of the biggest monetary threats called Black Kingdom Ransomware. 

Black Kingdom Ransomware: 

The Black Kingdom ransomware program is one of the top threats for the Construction sector and the Mining sector, and the No. 2 threat for Agriculture companies. While not a new threat, as it was first noticed in 2019, Black Kingdom has had some success attacking industries that are typically not at the bleeding edge of cybersecurity. The threat group also targets manufacturing, transportation, healthcare, and the information-and-communication sectors, according to threat brief on CyberRes Galaxy

Black Kingdom ransomware is not the pinnacle of sophistication, but uses vulnerabilities in two common pieces of enterprise technology. The group started targeting Pulse Secure VPN software in June 2020 using a vulnerability disclosed in 2019 (CVE-2019-11510). The attacks came during the early days of the Coronavirus Pandemic as companies moved employees from working in the office to working from home. 

The malware is written in Python and uses a backup service, known as Mega.io, to store the encryption keys used to lock the data on victims' computers. The threat group typically compromises the targeted system using exploits for the previously mentioned vulnerabilities, and then installs the ransomware program using PyInstaller. The program encrypts files using a dynamically created key, if possible. If the ransomware cannot reach the upload site, then it will use a hardcoded key instead. 

Overall, threat researchers rank Black Kingdom as one of the least sophisticated ransomware programs, with much of its logic contained in a single Python file, which allowed forensic engineers to more easily analyze the program. In addition, malware developer's creation of a hardcoded key allows some victims to recover data, if the Mega.io file upload service has been blocked. The fact that the three industry sectors have been broadly targeted by the threat group behind the relatively unsophisticated Black Kingdom using older vulnerabilities suggest that the Agriculture, Mining, and Construction sectors still have some work to be done as they establish stronger cybersecurity programs. 

3 Things You Can Do: 

In the case of Black Kingdom Ransomware, keeping your software up to date would probably do the trick. For a more resilient approach, managing who has access to sensitive systems would be the smartest solution. At CyberRes, NetIQ has everything you need to get started with Identity and Access Management and multi-factor authentication. 

Additional Resources:

Connect With Us: 

Join our Galaxy Community. Have technical questions about Galaxy’s threat intelligence? Visit the Galaxy User Discussion Forum. Keep up with the latest Tips & Info. Do you have an idea or Product Enhancement Request about ArcSight? Submit it in the Idea Exchange. We’d love to hear your thoughts on this blog. Log in or register to comment below.

Labels:

Security Operations