September 2, 2024
Severity
High
Analysis Summary
A recent cyberattack on Halliburton, a major provider of oil and gas services, affected the company's IT infrastructure and day-to-day operations. The RansomHub ransomware gang carried out the attack.
The disruption was extensive: clients could not create purchase orders or invoices because the required systems were unavailable. In an SEC filing, Halliburton disclosed the incident, stating that an unauthorized third party had carried out a cyberattack against it on August 21, 2024. Upon discovering the incident, the company activated its cybersecurity response plan and began an internal investigation, supported by external advisors, to assess and remediate the unauthorized activity.
The company provides a wide range of services to the oil and gas industry, including IT software and services, well construction, drilling, and hydraulic fracturing (fracking). Because of the breadth of these services, the organization and its customers are tightly interconnected. One customer in the oil and gas sector said it has been kept in the dark about whether the attack affected it and how to protect itself. The company has released few specifics about the attack, and other customers have disconnected from Halliburton because too little information is being provided.
Some businesses are collaborating with ONG-ISAC, an organization that serves as a focal point for coordination and communication regarding physical and cybersecurity threats against the oil and gas sector, to obtain technical details regarding the attack and ascertain whether they were also compromised. There have been claims for days that Halliburton was the victim of a RansomHub ransomware attack. People have made these claims on Reddit and TheLayoff, a discussion board for job layoffs, where a partial RansomHub ransom message was posted.
However, Halliburton added more details in an email sent to suppliers on August 26. The email stated that the business took systems offline for security reasons and is collaborating with Mandiant to look into the situation. Additionally, they said that because its email services are hosted on Microsoft Azure servers, they are still operational. There is also a solution available for making purchases and sending out purchase orders.
To help customers identify similar activity on their networks, the email also contains a list of IOCs, consisting of file names and IP addresses linked to the attack. One of these IOCs is the Windows executable maintenance.exe, an encryptor for the RansomHub ransomware. On closer inspection, the sample appears to be a newer version than those examined earlier: it has a new "-cmd string" command-line option that causes a command to be executed on the device before file encryption begins.
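Detection logic for the encryptor detail above, added here as an example and not taken from the advisory or from any vendor tooling: it scans constructed process-creation records for the maintenance.exe encryptor named in the email and extracts the argument to the new "-cmd" option so responders can see what would have run before encryption. The log format, host names and commands are constructed placeholders.

```python
import re
from typing import Optional

# Constructed process-creation events in a placeholder "key=value|..." format
# (real Sysmon/EDR records differ); "placeholder-step" stands in for a real command.
SAMPLE_EVENTS = [
    "host=WS01|user=alice|image=C:\\Windows\\System32\\notepad.exe|cmdline=notepad.exe notes.txt",
    'host=SRV07|user=svc_ops|image=C:\\Temp\\MAINTENANCE.EXE|cmdline=maintenance.exe -cmd "cmd /c echo placeholder-step"',
    "host=SRV09|user=svc_ops|image=D:\\tools\\maintenance.exe|cmdline=maintenance.exe",
    "host=WS02|user=bob|image=C:\\Users\\bob\\maintenance.exe|cmdline=maintenance.exe -cmd placeholder-step",
]

# '-cmd' followed by either a double-quoted string or a single bare token
CMD_OPTION = re.compile(r'(?:^|\s)-cmd\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

def parse_event(line: str) -> dict:
    """Split one record into a dict keyed by lower-cased field name."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value
    return fields

def precmd_argument(cmdline: str) -> Optional[str]:
    """Return the command passed via '-cmd' (quoted or bare), or None if absent."""
    m = CMD_OPTION.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def classify(line: str) -> Optional[dict]:
    """Alert on any maintenance.exe launch; escalate when '-cmd' is present."""
    ev = parse_event(line)
    image = ev.get("image", "")
    if image.rsplit("\\", 1)[-1].lower() != "maintenance.exe":
        return None
    pre = precmd_argument(ev.get("cmdline", ""))
    return {
        "host": ev.get("host"),
        "image": image,
        # the '-cmd' option marks the newer variant described in the advisory
        "severity": "critical" if pre is not None else "high",
        "pre_encryption_command": pre,
    }

def scan(events) -> list:
    """Run classify() over an event list and keep only the alerts."""
    return [a for a in (classify(e) for e in events) if a is not None]
```

Matching on the file name alone is deliberately broad; a benign maintenance.exe will also alert, so pair the hit with the file hash from your own IOC feed before escalating.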
Launched in February 2024, RansomHub initially presented itself as an extortion group that stole data and sold the stolen files to the highest bidder. It was later found that the operation also uses ransomware encryptors in double-extortion attacks: threat actors break into networks, steal data, and then encrypt files, using both the encrypted files and the threat of leaking the stolen data as leverage to coerce businesses into paying a ransom.
The FBI recently issued an advisory on RansomHub that describes the threat actor's methods and warns that at least 210 victims had been compromised since February. The FBI and CISA frequently release coordinated advisories on threat actors shortly after a significant attack on critical infrastructure such as Halliburton, but it is not known whether the attack and the advisory are connected.
Impact
- Operational Disruption
- Data Theft
- Financial Loss
- File Encryption
Indicators of Compromise
IP
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.