By Shannon Morse, ThreatWire 

In a report published by Trend Micro, the company is trying to address the growing concern of industrial control systems (ICS) and manufacturing sectors being targeted with ransomware and malware strains. With attacks such as WannaCry from 2017, this is nothing new, but it is a major issue. Many ICS operators don’t know where to start when it comes to protecting their systems or understanding why they’re targeted, so Trend Micro created a honeypot to attract attackers in order to study them. The honeypot was for a fake company called MeTech, which Trend Micro created down to the fake website.

Their mock factory network was online for seven months. It attracted attackers who ran cryptocurrency miners on it and infected it with two different strains of the same ransomware, called CrySIS, along with another type called Phobos. Trend Micro left their “robotics workstation” online and exposed to the internet, allowing attackers to use that as an entry point into the network. They also put VNC on the network, left ports open, and used the same password for multiple workstations. Attackers were totally attracted to the bait. They locked up files with the ransomware and used some basic vulnerabilities to take advantage of the poor security controls that Trend Micro put in place. Trend Micro chose this concept to make a point to real ICS operators: the fact that many of these companies don’t take basic security steps allows them to become targets.

Trend Micro suspects that attackers started selling the mock data via online forums because they saw more attacks as time went on. Trend Micro negotiated rates with attackers who successfully infected the network with ransomware, but they never paid, since this was a mock network that could be returned to factory settings. In each of these cases, the attackers were not nation-state backed; they were common, run-of-the-mill criminals looking for easy targets.

The company hopes that this honeypot research helps ICS operators and factories strengthen their networks against attacks.

Support me on alternative platforms! https://snubsie.com/support

Shop ThreatWire Merch! - https://snubsie.com/shop

https://www.youtube.com/shannonmorse --  subscribe to my new channel!

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire 

Links:

Mock ICS:

https://documents.trendmicro.com/assets/white_papers/wp-caught-in-the-act-running-a-realistic-factory-honeypot-to-capture-real-threats.pdf

https://www.cyberscoop.com/trend-micro-honeypot-ransomware-factory-s4/

https://www.zdnet.com/article/ransomware-snooping-and-attempted-shutdowns-the-state-of-this-honeypot-shows-what-hackers-do-to-systems-left-unprotected-online/

https://threatpost.com/fake-smart-factory-honeypot-highlights-new-attack-threats/152170/
