Tuesday, September 14, 2021

VaxSurge Ransomware Hits Freezers

The VaxSurge ransomware reported Sunday included a previously undetected worm that attacked health department freezers holding COVID-19 vaccines. “We underestimated the sophistication of the VaxSurge ransomware,” General Buck Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), told reporters this morning: “When we saw how easy it was to stop the spread of the data encryption process, we assumed that the attacker was not using a sophisticated ransomware program. We were wrong.”

The CI-SOC researchers discovered the worm (unofficially being called the FreezerWorm according to technicians I have talked to) after the Delano, GA Health Department reported discrepancies in their temperature monitoring processes.

A researcher from Dragonfire Cyber, speaking on background, told reporters that the Delano facility was using old-style circular chart recorders in addition to the digital temperature reporting system provided by the freezer manufacturer. They did this in response to last November’s attack on Mengele Pharma. The chart recorder showed a significant temperature rise not reflected by the digital system. The company immediately informed the Dragonfire team that was on-site for the VaxSurge investigation.

Lilian Wald, the Director for the Delano Public Health Department, told reporters at the CI-SOC news conference that temperatures never got above the safe storage temperature limit for the vaccines. “Thanks to the prompt action of the Dragonfire team, the vaccines are still safe to use,” Wald told reporters.

The Chief Technical Officer for Dragonfire Cyber, Dade Murphy, explained to reporters at the press conference that the worm associated with the VaxSurge attack exploited a new vulnerability in the Robotron data historian that effectively bypasses the digital data diode used in that system. “We have communicated the vulnerability to Robotron and they are working on mitigation measures,” Murphy explained.

CI-SOC has a software tool that reverses the attack on the Robotron freezer control system. “Any organization that has received the VaxSurge email should immediately contact CI-SOC for assistance,” Turgidson explained at the end of the VaxSurge presentation.

Mary Cavart, spokesperson for the Department of Health and Medical Services, confirmed today by video feed that the Department had shut down the email account that had been used to spread the VaxSurge ransomware.

The Federal Bureau of Inquiry is investigating the attack on that email server. “As far as we can tell, that account was established at least eight months ago,” Johnathan Quest, FBI spokesperson, said; “It does appear that it may have been associated with the SolarWinds-based attack last year.”

The FBI reports that they have now received notifications from over 150 health departments about receiving the VaxSurge email. Because of the news reporting Sunday, most of those reporting did not open the email on Monday when it was first seen in their inboxes. “Most of the reporting health departments are located in the Southeastern United States,” Quest reported.

CAUTIONARY NOTE: This is a future news story –

Sunday, September 12, 2021

VaxSurge Ransomware

The Federal Bureau of Inquiry announced this morning that it was investigating a new ransomware campaign targeted at local public health agencies. While the attack was encrypting files at the affected agencies, the attackers have not been demanding a monetary ransom. Instead, they are unlocking files once the agency has published a notice in the local newspaper that it is not supporting the President’s new mandatory COVID-19 vaccination program.

“We have been notified by twenty local public health agencies about successful attacks since yesterday morning,” Johnathan Quest, spokesperson for the FBI, told reporters this morning; “Since the attacks appear to have started on Saturday, we expect to receive more notifications on Monday when many of these organizations return to normal work hours.”

The National Critical Infrastructure Security Operations Center (CI-SOC), working with the Delano, Georgia Health Department, has determined that the attackers have delivered the ransomware via a letter emailed to the Department. “The email was apparently sent by a compromised email server in the Department of Health and Medical Services. It purportedly came from the Office for COVID Vaccinations,” General Turgidson explained at an unusual Sunday press conference at CI-SOC.

A spokesperson for the Department confirmed that there was no such office in DHMS.

A technician from the CI-SOC, speaking on background, told reporters that this was not a very sophisticated ransomware program. Instead of trying to penetrate the organization network before announcing its presence, the ransomware encrypted the machine at the point of infection before it started penetrating the network. Promptly unplugging the connections to the network effectively stopped the spread of the ransomware.

Turgidson reported that the infected email included a Microsoft Word document entitled “Mandatory COVID-19 Vaccination Surge”. It contained an ActiveX control that exploited the newly reported 0-day Microsoft® MSHTML Remote Code Execution Vulnerability. “The rapid exploitation of the Microsoft vulnerability and the use of the old-school ransomware program do not paint a consistent picture of this attacker,” Turgidson explained; “That, combined with an exploitation of a SolarWinds-compromised mail system, is causing us all sorts of investigative headaches.”

CI-SOC is calling this the VaxSurge malware campaign because that term is used in a comment line in the malware code sample that they are working on.

CAUTIONARY NOTE: This is a future news story –

Thursday, September 9, 2021

CI-SOC Expands Robotron Advisory

Today, at an unusual afternoon press conference, Gen Turgidson, the Director of the National Critical Infrastructure Security Operations Center (CI-SOC), announced that ongoing investigations related to yesterday’s announcement by Robotron had determined that a number of other vendor products were affected by the underlying JavaScript vulnerability. “We have already identified seven products from three other vendors that have SMS reporting tools that allow the exfiltration of system configuration files,” Turgidson told reporters.

A new alert published today by CI-SOC did not name the vendors or products that have been identified. A CI-SOC spokesperson speaking on background said that the government was working with the vendors to develop mitigation measures and did not want their names released until such fixes were available. “We expect to announce those mitigation measures within the next couple of days,” she told reporters.

The alert does note that any organization that has an industrial control system, building control system or security system that provides SMS alerts containing .PNG images of HMI screens associated with those alerts should contact CI-SOC. According to the alert, CI-SOC has a relatively simple test available that identifies active exploits of the JavaScript vulnerability.

Turgidson explained to reporters that the exploit of this vulnerability was a precursor to some sort of potential future attack. “The configuration data would provide attackers insights into the cybersecurity weaknesses at the affected facilities that could potentially be exploited by a wide variety of potential actors,” the General said.

In a series of messages, cYberg0d, the researcher who originally reported the vulnerability being exploited, explained to me that the JavaScript module that they identified was designed to search for a number of specific control system related devices and copy their configuration files. The information would then be encoded in a .PNG file and sent to one of a series of cell phone numbers hardcoded in the module.

When asked if this did not make the attacker vulnerable, Cyberg0d said that both the phone list and target systems had been changed in the module at least twice since he originally identified the problem. “The phones for the old numbers have probably been destroyed.”

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, confirmed that the FBI was working with CI-SOC to try to identify the attackers. “We are also working with a number of cybersecurity firms to keep an eye on the facilities that we have identified as being impacted by this problem,” Quest explained; “We are hoping to prevent any subsequent attacks on these facilities.”

CAUTIONARY NOTE: This is a future news story –

Wednesday, September 8, 2021

Robotron Announces Data Exfiltration Vulnerability

Today, Robotron announced the presence of a bug in their RoboAlarm® product that has been exploited in the wild to exfiltrate control system configuration files from secure control systems. Robotron spokesperson Erich Mielke explained that this bug was actually an exploit of the JavaScript CVE-2021-23406 vulnerability. Robotron has an update available to fix the vulnerability. RoboAlarm is packaged as a component of many Robotron products, including all of their HMI stations.

According to Robotron’s RoboAlarm advisory the vulnerability was reported by cYbrg0D. In a tweet published right after Robotron’s announcement, cYbrg0d explained that the current vulnerability could be expanded to include process information exfiltration by modifying a specific JavaScript module.

General Turgidson, the Director for the National Critical Infrastructure Security Operations Center (CI-SOC), urged all companies that owned Robotron equipment to update their RoboAlarm systems immediately. “We have documented cases where this bug has been used to exfiltrate control system configuration data,” Turgidson explained at the CI-SOC morning press conference: “This information would provide an attacker with critical intelligence needed to execute an effective attack on an industrial control system.”

Kate Libby, a spokesperson for Dragonfire Cyber, explained that RoboAlarm is a messaging application used by Robotron human-machine interfaces to send remote notifications about process upset conditions to managers and engineers in an organization. The messages typically include a screenshot of the HMI to provide more details for the recipient to make more informed judgements about an alarm condition.

“The system uses a .PNG file for the screenshot,” Libby explained: “So this JavaScript within the RoboAlarm product converts configuration files into .PNG files for exfiltration.”
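An added example, not code from any of these stories, in the spirit of the “relatively simple test” the September 9 story says CI-SOC offers: a defender-side check that an alert image is structurally a screenshot and not a carrier for configuration data. The chunk checks, the 512-byte text-chunk threshold and the `build_png` sample generator are my assumptions; the image bytes and the trailing “config” payload are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 4: 2, 6: 4}  # samples per pixel: grey, RGB, grey+alpha, RGBA

def make_chunk(tag, data):
    """Build one PNG chunk: 4-byte length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)

def build_png(width, height, extra_chunks=(), trailer=b""):
    """Constructed sample: a flat 8-bit RGB image, optionally with extra chunks or trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\x20\x40\x60" * width for _ in range(height))  # filter byte 0 per row
    body = [make_chunk(b"IHDR", ihdr), *extra_chunks,
            make_chunk(b"IDAT", zlib.compress(rows)), make_chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(body) + trailer

def inspect_png(blob, max_text=512):
    """Return findings that suggest the file carries data a screenshot would not."""
    if not blob.startswith(PNG_SIG):
        return ["not a PNG"]
    findings, pos, width, height, bpp, idat, ended = [], len(PNG_SIG), 0, 0, 0, b"", False
    while not ended and pos + 12 <= len(blob):
        length, tag = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            findings.append("truncated chunk")
            break
        data, crc = blob[pos + 8:end - 4], struct.unpack(">I", blob[end - 4:end])[0]
        if zlib.crc32(tag + data) & 0xFFFFFFFF != crc:
            findings.append(f"bad CRC on {tag.decode(errors='replace')} chunk")
        if tag == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", data[:10])
            bpp = CHANNELS.get(colour, 0) * depth // 8
        elif tag == b"IDAT":
            idat += data
        elif tag in (b"tEXt", b"zTXt", b"iTXt") and length > max_text:
            findings.append(f"oversized {tag.decode()} chunk ({length} bytes)")
        pos, ended = end, tag == b"IEND"
    if ended and pos < len(blob):
        findings.append(f"{len(blob) - pos} bytes after IEND")
    try:  # decoded pixel data must match the IHDR geometry exactly
        actual, expected = len(zlib.decompress(idat)), height * (1 + width * bpp)
        if actual != expected:
            findings.append(f"decoded pixel data {actual} bytes, expected {expected}")
    except zlib.error:
        findings.append("IDAT does not decompress")
    return findings
```

An empty findings list means the file is a plain image as far as its chunk structure goes; anything else is worth pulling the originating HMI for a closer look.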

In response to a question about the underlying vulnerability, Mielke reported that Robotron had not been aware of the JavaScript vulnerability until being informed about how it impacted their RoboAlarm product by cYbeg0D. “We are going back and reviewing all of the JavaScript code used in our products,” Mielke said.

CAUTIONARY NOTE: This is a future news story –