Somewhere in time. This is 2015 – BlackEnergy2 exists in the form of a kernel-mode driver, which makes it harder for network administrators to discover the compromise. Black energy Group will mimics their custom tool(driver) thus made to look like a normal Windows component. They are interested in infecting Windows servers especially OPC server. But Microsoft implemented a driver signing policy in order to avoid loading unsigned driver. This feature is enabled on 64 bits versions of Windows systems.

Synopsis: In normal circumstances, activate the function of the cyber espionage and information destruction attack features needed to be rebooted in order to start the mimics driver. Even though black energy do not have exception.This unplanned reboot of the Windows server could raise suspicion. To solve the reboot issue, the attackers started to use a tool called DSEFix (an open-source tool that exploits CVE-2008-3431, a vulnerability in the legitimate VirtualBox driver), in order to disable the driver signature check. The attackers will made a custom version of DSEFix that also modifies boot configuration data (BCD) in order to enable TESTSIGNING mode.

What is TESTSIGNING mode: By default, Windows does not load test-signed kernel-mode drivers. To change this behavior and enable test-signed drivers to load, use the boot configuration data editor, BCDEdit.exe, to enable or disable TESTSIGNING, a boot configuration option. You must have Administrator rights to enable this option.

Those cyber criminal will focusing the OPC server.Because the OPC client uses the OPC server to get data from or send commands to the hardware.

Will it happen today? The elaborate email subject and content presents challenges for traditional security tools, because it is designed specifically to evade detection.

Synopsis:

a. Attackers disguise their scam email as an official (WHO) alert issued by the Centers for Disease Control Health Alert Network. (Targeting individuals from the United States and the United Kingdom)

b. Attackers disguise their scam email as an alert of Coronavirus status, they are target to shipping industry.

Description: About the attack to shipping industry – Hacker exploit the vulnerability of CVE 2017-11882, perhaps they found that the patch management on the boat not enforce in frequent. And therefore the attack explicitly target shipping industry. About the attack to individuals from the United States and the United Kingdom – WHO urge that if anyone see similar type of scam email. Report to WHO – https://www.who.int/about/report_scam/en/

The slogan – Do not rush to open a URL or open a email. Take care.

Advantech, a leader within the IPC global market. Advantech offers a comprehensive IPC product range that delivers reliability and stability for extreme environments, providing its customers with a one-stop shopping experience implementing Industry 4.0 and fulfilling their Industrial IoT needs.

IoT and SCADA are the APT (Advanced Persistent threat) targeting devices so far. Meanwhile this type of manufacturer will be lured attacker interest. Regarding to the technical details, please refer below url for reference.

https://www.eset.com/int/greyenergy-exposed/

So, It is possible to make people predict the attack may targeting Advantech customer.

Factor:
In Advantech WebAccess/SCADA versions prior to V8.2_20170817.
WebAccess/SCADA does not properly sanitize its inputs for SQL commands.

Synopsis:
Chosen with servers that have a high uptime, where reboots and patch management are rare.
In order to mislead people, threat actor will use the vendor official server cert to conducting data exfiltration.
Since malware alive and therefore C&C server is able to conduct hacker job task (exploit the SQL vulnerability).

Should you have interest to know the specifics vulnerabilities. Please refer below hyperlink for reference.

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445