FortiDeceptor
FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
mbensimon
Staff
Article Id 259229
Description

This article describes how to combat the CosmicEnergy malware with FortiDeceptor.

Scope

The deception decoys and lures against 'CosmicEnergy Malware' attacks can be used in FortiDeceptor v3.3 and above.

Solution

A new malware called CosmicEnergy has been discovered.


Cyber Deception Against Cyber Attacks That Try to Leverage CosmicEnergy Malware

1) FortiDeceptor starts by deploying network decoys across the OT network segments. Together they create a fake environment that simulates the real network and its assets. The 'CosmicEnergy Malware' looks to attack MSSQL servers and the IEC-104 protocol, so network decoys (Windows decoys with SQL enabled and OT decoys with IEC-104 enabled) are deployed across the OT network segments.

2) In addition, the FortiDeceptor customization module allows generating a decoy template from the customer gold image and deploying it across the network and in the customer data center. A decoy that runs the customer gold image and is part of the customer domain network expands the attack surface presented to CosmicEnergy Malware trying to leverage an MSSQL server. This decoy also generates accurate threat intelligence and IOCs about attacks against the operational technology sector. According to the reports, the malware is designed to cause electric power disruption by exploiting remote terminal units (RTUs) such as IEC 60870-5-104 (IEC-104) devices, which are commonly used in electric transmission and distribution operations in Europe, the Middle East, and Asia.


Cyber Deception Against "CosmicEnergy Malware" Attacks:

1) Configure network segments under the "Deployment Network" section that FortiDeceptor will use to deploy network decoys. (Due to the nature of the attack, verify that the OT network segments are covered.)

2) Use the 'Customization' feature to deploy a Windows 2016/2019 decoy that runs Windows MSSQL Server. (See this video for technical instructions on how to use the customization module: https://video.fortinet.com/products/fortideceptor/3.0/fortideceptor-windows-customization )

3) Deploy the Windows Decoys (Legacy OS and MSSQL enabled) and OT Decoys (IEC-104 enabled) across the OT Network segments VLANs that are configured under the 'Deployment Network' section.

4) Once CosmicEnergy Malware tries to penetrate a decoy with MSSQL or IEC-104 enabled, FortiDeceptor will trigger a real-time alert.

5) FortiDeceptor will leverage the Fortinet Fabric to execute a threat mitigation response to isolate the threat.
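The deception principle behind steps 3 and 4 (and behind the decoy description earlier in this article) is that a decoy has no legitimate clients, so any connection to its MSSQL or IEC-104 service is an alert and the source is an IOC. The following Python script is an added illustration of that alert logic, not FortiDeceptor code: it takes constructed connection events, matches them against a hypothetical decoy inventory, and labels what was attempted against the fake MSSQL server (TDS packet type) or the fake RTU (IEC 60870-5-104 frame type). The decoy addresses are assumptions; TCP 1433 for MSSQL and TCP 2404 for IEC-104 are the standard default ports.

```python
"""Decoy-touch alert correlator (added example, not FortiDeceptor code).

Any connection to a decoy's MSSQL (TCP 1433, standard default) or IEC-104
(TCP 2404, standard default) service is treated as an alert. Decoy addresses
and all sample events below are constructed, not captured traffic.
"""
from collections import defaultdict

# Hypothetical decoy inventory: address -> role (assumed values).
DECOYS = {
    "10.20.5.50": "windows-mssql-decoy",
    "10.20.7.21": "ot-iec104-decoy",
}

# IEC 60870-5-104 U-format frames, keyed by the first APCI control octet.
IEC104_U_FRAMES = {
    0x07: "STARTDT act", 0x0B: "STARTDT con",
    0x13: "STOPDT act", 0x23: "STOPDT con",
    0x43: "TESTFR act", 0x83: "TESTFR con",
}
# ASDU type identifiers worth naming when an intruder sends them to a fake RTU.
IEC104_ASDU_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    100: "C_IC_NA_1 interrogation",
}


def classify_iec104(payload: bytes) -> str:
    """Describe the first APDU in the payload; malformed input is still logged."""
    if len(payload) < 6 or payload[0] != 0x68:  # APCI start byte is 0x68
        return "non-IEC104 bytes"
    ctrl1 = payload[2]
    if ctrl1 & 0x03 == 0x03:  # U-format: both low bits set
        return "U-frame " + IEC104_U_FRAMES.get(ctrl1, f"0x{ctrl1:02x}")
    if ctrl1 & 0x03 == 0x01:  # S-format: supervisory acknowledgement
        return "S-frame (supervisory)"
    # I-format: the ASDU follows the 4 control octets, type identifier first
    if len(payload) < 7:
        return "I-frame (truncated ASDU)"
    type_id = payload[6]
    return "I-frame " + IEC104_ASDU_TYPES.get(type_id, f"ASDU type {type_id}")


def classify_mssql(payload: bytes) -> str:
    """The TDS packet type is the first header byte: 0x12 PRELOGIN, 0x10 LOGIN7."""
    if not payload:
        return "empty connect"
    names = {0x12: "TDS PRELOGIN", 0x10: "TDS LOGIN7"}
    return names.get(payload[0], f"TDS type 0x{payload[0]:02x}")


def correlate(events):
    """Turn (src_ip, dst_ip, dst_port, payload) events into alerts and IOCs."""
    alerts = []
    iocs = defaultdict(set)
    for src, dst, port, payload in events:
        role = DECOYS.get(dst)
        if role is None:
            continue  # production asset: not a deception event
        if port == 2404:
            detail = classify_iec104(payload)
        elif port == 1433:
            detail = classify_mssql(payload)
        else:
            detail = f"port {port}"
        alerts.append({"src": src, "decoy": dst, "role": role, "detail": detail})
        iocs[src].add(f"{dst}:{port}")
    return alerts, {src: sorted(targets) for src, targets in iocs.items()}


# Constructed sample events: one host touches both decoys, another is benign.
SAMPLE_EVENTS = [
    ("10.20.1.15", "10.20.5.50", 1433,
     bytes([0x12, 0x01, 0x00, 0x2F, 0x00, 0x00, 0x01, 0x00])),          # TDS PRELOGIN header
    ("10.20.1.15", "10.20.7.21", 2404,
     bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])),                      # STARTDT act
    ("10.20.1.15", "10.20.7.21", 2404,
     bytes([0x68, 0x0E, 0x02, 0x00, 0x02, 0x00,                         # I-frame APCI
            0x2D, 0x01, 0x06, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01])),  # ASDU type 45
    ("10.20.1.99", "10.20.9.9", 443, b""),                              # real asset, ignored
]

if __name__ == "__main__":
    found_alerts, found_iocs = correlate(SAMPLE_EVENTS)
    for alert in found_alerts:
        print(alert)
    print("IOCs:", found_iocs)
```

Running the script lists three alerts for 10.20.1.15 (a TDS PRELOGIN against the MSSQL decoy, then a STARTDT and a single-command I-frame against the RTU decoy) and no alert for the connection to the production host.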


FortiDeceptor is Part of the Fortinet Security Fabric.

FortiDeceptor is natively integrated with FortiGate, FortiNAC, FortiSIEM, FortiAnalyzer, FortiSOAR, FortiEDR and other third-party solutions to automate the mitigation response based on attack detection.
