Category: Cyber Security CII sector

Enea consolidates its suite of network security solutions to serve the unique needs of Mobile Network Operators and CPaaS providers as the volume of messaging and signaling attacks continues to break records and threaten critical infrastructure.

Enea, a leading provider of telecom and cybersecurity solutions, has consolidated its suite of network security solutions to address the mounting challenges of mobile network security and regulatory compliance and addresses two key areas: signaling security and messaging security. The portfolio update emphasizes intelligence-driven adaptability and accuracy and comprises four solutions tailored to the critical and growing demands of Mobile Network Operators (MNOs) and Communication Platform as a Service (CPaaS) providers and aggregators, and a further solution designed for the unique requirements of national security agencies.

The four network security solutions announced today for mobile network operators, CPaaS providers, and aggregators are as follows:

- Enea Adaptive Signaling Firewall accurately detects and blocks malicious signaling traffic to protect against threats such as person location tracking, interception of calls and messages, subscriber privacy intrusions, and DoS attacks on mobile networks. It combines the multi-protocol signaling firewall with unified enhanced reporting and signaling threat intelligence, providing a uniquely comprehensive three-point defense against signaling threats to keep attackers in check.

- Enea Signaling Intelligence Layer uses aggregated and obfuscated data from a worldwide footprint of signaling firewalls, combined with qualified threat intelligence, to provide insights on global network traffic. It gives mobile network operators unrivaled, up-to-the-minute visibility of the dynamic threat landscape, which can be used to guard against evolving threats on the network.

- MNOs will also benefit from the Enea Adaptive Messaging Firewall, which detects, blocks, and protects from rapidly adapting messaging threats such as phishing and spam and protects against revenue leakage to grey routes. Mobile network operators can filter malicious and unmonetized messages using advanced technologies such as tamper-resistant fingerprinting, intelligent message categorization, and URL classification, backed with up-to-the-minute threat intelligence.

- CPaaS providers and aggregators, who transmit A2P messages from brands to mobile networks, will be able to leverage the Enea Adaptive Messaging Firewall for CPaaS to filter messages for compliance and use granular controls to prioritize message delivery and guard against rising threats such as Artificial Inflation of Traffic (AIT), which exploit communication platforms for financial gain, often at the cost of the sending brands.

All three firewall solutions are based on Enea’s latest cloud-native platform technology, which enables deployment in public or private cloud, on virtual infrastructure, or on bare-metal servers. Granular control for multi-site deployments improves resilience and manages regulatory compliance for cross-border needs. The platform uses flexible configurations, allowing swift upgrades to counter new threats. Mobile network operators typically require both messaging and signaling firewalls and therefore benefit from a unified platform for both solutions.

To ensure optimal protection, all solutions integrate extensive threat intelligence provided through a combination of Enea’s expert security analysts, machine learning, and intelligent algorithms. Both signaling and messaging security rely heavily on the actionable insights threat intelligence provides to keep defense up-to-date and ahead of threat actors, fraudsters, and scammers.

The portfolio announced today ensures the needs of different users are comprehensively addressed and separated into discrete solutions. This approach makes it easier for buyers to assess the values offered by the portfolio and will increase the speed at which Enea can bring important innovations to the market and deliver new value to its customers. This agility is vital in the context of a rapidly evolving threat landscape, when signaling-borne and message-based threats are on the rise. As far as messaging is concerned, phishing remains the number one attack vector globally. A recent survey based on a poll of 8,000 consumers identified a 70% increase in fraudulent messages. As well as the considerable damage cybercrime causes victims, fraudulent messages also erode trust in brands, negatively impacting revenue and churn, making it a growing concern for CPaaS providers and aggregators.

Signaling threats, often posed by nation-state-sponsored threat actors, have come under increased scrutiny by regulators because of their risk to privacy and national security. In a series of recent research publications, Enea has shown how mobile networks in Ukraine have been attacked through the signaling network with the aim of damaging civil and military defenses.

“As is increasingly recognized by both regulators and leading telcos, cybersecurity operations in the telecom sector needs to be increasingly threat-intelligence driven” said Patrick Donegan, Principal Analyst, HardenStance. “It’s good to see a mobile network security leader like Enea leading with this as it refreshes and repositions its portfolio.”

John Hughes, senior vice president and head of Enea’s network security business, commented, “In a zero-trust world, mobile network operators and communications services providers are under near-constant attack. Faced with the pressure to protect their networks and comply with regulations, Enea’s suite of intelligence-driven network security solutions give accurate, granular control, simplify and streamline operations, and can scale easily to match modern-day data usage trends.”

The Enea Adaptive network security solutions are today deployed in more than 90 service providers worldwide, securing services for 2.4 billion subscribers. In excess of 3 billion messages are handled by Enea’s messaging firewalls every day.

The UK's cyber chief has signalled that the threat to the nation’s most critical infrastructure is ‘enduring and significant’, amid a rise of state-aligned groups, an increase in aggressive cyber activity, and ongoing geopolitical challenges.

In its latest Annual Review, published today, the National Cyber Security Centre (NCSC) – which is a part of GCHQ – warned that the UK needs to accelerate work to keep pace with the changing threat, particularly in relation to enhancing cyber resilience in the nation’s most critical sectors.

These sectors include those that provide the country with safe drinking water, electricity, communications, its transport and financial networks, and internet connectivity.

Over the past 12 months, the NCSC has observed the emergence of a new class of cyber adversary in the form of state-aligned actors, who are often sympathetic to Russia’s further invasion of Ukraine and are ideologically, rather than financially, motivated.

In May this year, the NCSC issued a joint advisory revealing details of ‘Snake’ malware, which has been a core component in Russian espionage operations carried out by Russia’s Federal Security Service (FSB) for nearly two decades.

Today, the NCSC is reiterating its warning of an enduring and significant threat posed by states and state-aligned groups to the national assets that the UK relies on for the everyday functioning of society.

More broadly, the UK government remains steadfast in its commitment to safeguarding democratic processes. Recent milestones include the implementation of digital imprint rules under the Elections Act to foster transparency in digital campaigning, fortifying defences against foreign interference through the National Security Act, and advancing online safety measures through the implementation of the Online Safety Act.

NCSC CEO Lindy Cameron said:

“The last year has seen a significant evolution in the cyber threat to the UK – not least because of Russia’s ongoing invasion of Ukraine but also from the availability and capability of emerging tech.

“As our Annual Review shows, the NCSC and our partners have supported government, the public and private sector, citizens, and organisations of all sizes across the UK to raise awareness of the cyber threats and improve our collective resilience.

“Beyond the present challenges, we are very aware of the threats on the horizon, including rapid advancements in tech and the growing market for cyber capabilities. We are committed to facing those head on and keeping the UK at the forefront of cyber security.”

CISA leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure. We continuously we publish alerts and advisories to help defenders prioritize their work based on the current threats and software vulnerabilities. We additionally provide defenders with ongoing help prioritizing their scarce resources; for example, our Known Exploited Vulnerabilities (KEV) program identifies the common vulnerabilities and exposures (CVEs) that malicious actors are actively exploiting in the wild.

But to reduce the nation’s risk, we need to do more than warn defenders about the most current attacks and software vulnerabilities. We need to look much further “left-of-boom” and into the software development practices in order to fix things before intrusions cause harm to the American people. We need to identify the recurring classes of defects that software manufacturers must address by performing a root cause analysis and then making systemic changes to eliminate those classes of vulnerability. We need to spot the ways in which customers routinely miss opportunities to deploy software products with the correct settings to reduce the likelihood of compromise. Such recurring patterns should lead to improvements in the product that make secure settings the default, not stronger advice to customers in “hardening guides”.

Most importantly, we need to convey that insecure technology products are not an issue of academic concern: they are directly harming critical infrastructure, small businesses, local communities, and American families. Today CISA is launching a new series of products: Secure by Design Alerts. When we see a vulnerability or intrusion campaign that could have been reasonably avoided if the software manufacturer had aligned to secure by design principles, we’ll call it out. Our goal isn’t to cast blame on specific vendors; to the contrary, we know that vendors make software development and security choices as part of broader business decisions. Instead, our goal is to shine a light on real harm occurring due to these “anti-security” decisions. While the usual dialogue around an intrusion is about how victims could have done more to prevent or respond, alerts in this new series will invert this dialogue by focusing attention on how vendor decisions can reduce harm at a global scale.

Our first publication in the Secure by Design Alert series focuses on malicious cyber activity against web management interfaces. It brings attention to how customers would be better shielded from malicious cyber activity targeting these systems if manufacturers implemented security best practices and eliminated repeat classes of vulnerabilities in their products – and aligned their work to Secure by Design principles.

One of the core principles we identified in our Secure by Design whitepaper is to “take ownership for customer security outcomes”. By identifying the common patterns in software design and configuration that frequently lead to customer organizations being compromised, we hope to put a spotlight on areas that need urgent attention. The journey to build products that are secure by design is not simple and will take time. We hope Secure by Design Alerts will help software manufacturers evaluate their software development lifecycles and how they relate to customer security outcomes.

In a landmark collaboration, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) are proud to announce the release of the Guidelines for Secure AI System Development. Co-sealed by 23 domestic and international cybersecurity organizations, this publication marks a significant step in addressing the intersection of artificial intelligence (AI), cybersecurity, and critical infrastructure.

The Guidelines, complementing the U.S. Voluntary Commitments on Ensuring Safe, Secure, and Trustworthy AI, provide essential recommendations for AI system development and emphasize the importance of adhering to Secure by Design principles. The approach prioritizes ownership of security outcomes for customers, embraces radical transparency and accountability, and establishes organizational structures where secure design is a top priority.

The Guidelines apply to all types of AI systems, not just frontier models. We provide suggestions and mitigations that will help data scientists, developers, managers, decision-makers, and risk owners make informed decisions about the secure design, model development, system development, deployment, and operation of their machine learning AI systems.

This document is aimed primarily at providers of AI systems, whether based on models hosted by an organization or making use of external application programming interfaces. However, we urge all stakeholders—including data scientists, developers, managers, decision-makers, and risk owners make—to read this guidance to help them make informed decisions about the design, deployment, and operation of their machine learning AI systems.

Resolve to be Resilient!

Each year, the Cybersecurity and Infrastructure Security Agency (CISA) leads the national recognition of Critical Infrastructure Security and Resilience (CISR) Month in November. This annual effort focuses on educating and engaging all levels of government, infrastructure owners and operators, and the American public about the vital role critical infrastructure plays in the nation’s wellbeing and why it is important to strengthen critical infrastructure security and resilience.

Weather is becoming more extreme, physical and cyberattacks are a persistent threat, and technology is advancing in ways that will change our future very quickly. We must prepare by accepting that it’s our responsibility to strengthen critical infrastructure and protect the vital services it provides. We can do this by embracing resiliency and building it into our preparedness planning—and then exercising those plans. The safety and security of the nation depends on the ability of critical infrastructure to prepare for and adapt to changing conditions and to withstand and recover rapidly from disruptions.

President Joe Biden issued the following statement: "Bolstering the Nation’s infrastructure is a cornerstone of my Investing in America agenda. With a combination of funding from the American Rescue Plan, Bipartisan Infrastructure Law, the Inflation Reduction Act, and the CHIPS and Science Act, we are investing billions of dollars to enhance the security of our infrastructure by elevating roads and bridges above projected flood zones, supporting community resilience programs, reducing the strain put on our power grids, and so much more. These investments will save lives, protect our families, render a strong and innovative economy, enhance our resilience to disasters, and provide peace of mind to millions of Americans.

We know that to protect our critical infrastructure we must improve our cybersecurity. From the very beginning of my Administration, we have worked tirelessly to strengthen our Nation’s cyber defenses. During my first year in office, I issued an Executive Order on Improving the Nation’s Cybersecurity, a crucial step toward defending against the increasingly malicious cyber campaigns targeting our infrastructure. My Bipartisan Infrastructure Law builds on this progress by investing $1 billion to bolster cybersecurity for State, local, Tribal, and territorial governments. I am proud to have appointed senior cybersecurity officials who are laser-focused on anticipating and responding to cyber threats and ensuring that the Federal Government leverages all of its resources to improve the cybersecurity of the Nation’s critical infrastructure. These priorities have been catalyzed by my National Cybersecurity Strategy released earlier this year, which lays out our strategy to enhance the cybersecurity and resilience of our Nation’s critical infrastructure and the American people.

While my Administration is investing to protect America’s critical infrastructure, we are also working with our international partners to build sustainable, resilient infrastructure around the globe. At the G20 Summit earlier this year, through the Partnership for Global Infrastructure and Investment, I was proud to unveil the launch of the landmark United States partnership with the European Union to develop the Trans-African Corridor. We are working with partners to connect the Democratic Republic of the Congo and Zambia to regional and global trade markets through the Port of Lobito in Angola, including by launching feasibility studies for a new greenfield rail line expansion between Zambia and Angola. This reliable and cost-effective corridor will increase efficiencies, secure regional supply chains, enhance economic unity, generate jobs, and decrease the carbon footprint in both countries. We hope to pursue opportunities to connect our initial investments across the continent to Tanzania and, ultimately, the Indian Ocean. Through quality infrastructure investments in key economic corridors like these, we are creating a better future filled with opportunity, dignity, and prosperity for everyone."

The Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet on the effort to revise the National Cyber Incident Response Plan (NCIRP). Through the Joint Cyber Defense Collaborative (JCDC), CISA will work to ensure that the updated NCIRP addresses significant changes in policy and cyber operations since the initial NCIRP was released.

First published in 2016, the NCIRP was developed in accordance with Presidential Policy Directive 41 (PPD-41) on U.S. Cyber Incident Coordination and describes how federal government, private sector, and state, local, tribal, territorial (SLTT) government entities will organize to manage, respond to, and mitigate the consequences of significant cyber incidents.

NCIRP 2024 will address changes to the cyber threat landscape and in the nation’s cyber defense ecosystem by incorporating principles grounded in four main areas:

- Unification
- Shared Responsibility
- Learning from the Past
- Keeping Pace with Evolutions in Cybersecurity

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated version of the joint #StopRansomware Guide. The update includes new prevention tips such as hardening SMB protocols, revised response steps, and added threat hunting insights.

Developed through the U.S. Joint Ransomware Task Force (JRTF), #StopRansomware Guide is designed to be a one-stop resource to help organizations minimize the risks posed by ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks.

CISA and its partners encourage organizations to implement the recommendations in the guide to reduce the likelihood and impact of ransomware incidents. For more information, visit CISA’s Stop Ransomware page.

The Department of Homeland Security (DHS) outlined a series of actionable recommendations on how the federal government can streamline and harmonize the reporting of cyber incidents to better protect the nation’s critical infrastructure. These recommendations provide a clear path forward for reducing burden on critical infrastructure partners and enabling the federal government to better identify trends in malicious cyber incidents, as well as helping organizations to prevent, respond to, and recover from attacks. The recommendations, delivered to Congress today in a report, are a requirement of the landmark Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Key recommendations include establishing model definitions, timelines, and triggers for reportable cyber incidents; creating a model cyber incident reporting form that federal agencies can adopt; and streamlining the reporting and sharing of information about cyber incidents, including the assessment of a potential single reporting web portal. The report also notes that there are situations when incident reporting might be delayed, such as when it would pose a significant risk to critical infrastructure, national security, public safety, or an ongoing law enforcement investigation.

“In the critical period immediately following a cyber-attack, our private sector partners need clear, consistent information-sharing guidelines to help us quickly mitigate the adverse impacts,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The recommendations that DHS is issuing today provide needed clarity for our partners. They streamline and harmonize reporting requirements for critical infrastructure, including by clearly defining a reportable cyber incident, establishing the timeline for reporting, and adopting a model incident reporting form.  These recommendations can improve our understanding of the cyber threat landscape, help victims recover from disruptions, and prevent future attacks. I look forward to working with Congress and partners across every level of government and the private sector to implement these recommendations and strengthen the resilience of communities across the country.”

The recommendations reflected in the DHS report were developed in coordination with the Cyber Incident Reporting Council (CIRC), which was established in 2022 and is chaired by DHS Under Secretary for Policy Robert Silvers on behalf of the Secretary of Homeland Security, to coordinate, deconflict, and harmonize existing and future federal cyber incident reporting requirements.

“To develop these recommendations, the Cyber Incident Reporting Council analyzed over 50 different federal cyber incident reporting requirements and engaged with numerous industry and private sector stakeholders,” said DHS Under Secretary for Policy and CIRC Chair Robert Silvers. “It is imperative that we streamline these requirements. Federal agencies should be able to receive the information they need without creating duplicative burdens on victim companies that need to focus on responding to incidents and taking care of their customers. We look forward to working with Congress and across the Executive Branch to implement these recommendations.”

“Reporting cyber incidents is critical to the nation’s cybersecurity: It allows us to spot trends in real-time, rapidly render assistance to victims, and share information to warn other potential targets before they become victims,” said CISA Director Jen Easterly. “We also recognize that the need for this information must be balanced with the burdens placed on industry, ensuring that requirements are harmonized and streamlined as effectively as possible. As the Cybersecurity and Critical Infrastructure Agency (CISA) implements reporting requirements as part of the Cyber Incident Reporting for Critical Infrastructure Act, these recommendations – along with the extensive input from stakeholders submitted as part of our rulemaking process – will help inform our proposed rule.”

The CIRC includes representation from 33 federal agencies, including the Departments of Homeland Security, Treasury, Defense, Justice, Agriculture, Commerce, Health and Human Services, Transportation, and Energy, the Office of the National Cyber Director, the Securities and Exchange Commission, the Federal Trade Commission, and the Federal Communications Commission.

The report’s recommendations will inform CISA’s ongoing rulemaking process to implement landmark cyber incident reporting requirements applicable to covered critical infrastructure entities, as mandated under CIRCIA.

Europol has supported the coordination of a large-scale international operation that has taken down the infrastructure of the Qakbot malware and led to the seizure of nearly EUR 8 million in cryptocurrencies. The international investigation, also supported by Eurojust, involved judicial and law enforcement authorities from France, Germany, Latvia, The Netherlands, Romania, United Kingdom and the United States. Qakbot, operated by a group of organised cybercriminals, targeted critical infrastructure and businesses across multiple countries, stealing financial data and login credentials. Cybercriminals used this persistent malware to commit ransomware, fraud, and other cyber-enabled crimes.

Active since 2007, this prolific malware (also known as QBot or Pinkslipbot) evolved over time using different techniques to infect users and compromise systems. Qakbot infiltrated victims’ computers through spam emails containing malicious attachments or hyperlinks. Once installed on the targeted computer, the malware allowed for infections with next-stage payloads such as ransomware. Additionally, the infected computer became part of a botnet (a network of compromised computers) controlled simultaneously by the cybercriminals, usually without the knowledge of the victims. However, Qakbot’s primary focus was on stealing financial data and login credentials from web browsers.

How does Qakbot work?

- The victim receives an email with an attachment or hyperlink and clicks on it;
- Qakbot deceives the victim into downloading malicious files by imitating a legitimate process;
- Qakbot executes and then installs other malware, such as banking Trojans;
- The attacker then steals financial data, browser information/hooks, keystrokes, and/or credentials;
- Other malware, such as ransomware, is placed on the victim’s computer.

Over 700 000 infected computers worldwide

A number of ransomware groups used Qakbot to carry out a large number of ransomware attacks on critical infrastructure and businesses. The administrators of the botnet provided these groups with access to the infected networks for a fee. The investigation suggests that between October 2021 and April 2023, the administrators have received fees corresponding to nearly EUR 54 million in ransoms paid by the victims. The lawful examination of the seized infrastructure uncovered that the malware had infected over 700 000 computers worldwide. Law enforcement detected servers infected with Qakbot in almost 30 countries in Europe, South and North America, Asia and Africa, enabling the malware’s activity on a global scale.

Over the course of the investigation, Europol facilitated the information exchange between participating agencies, supported the coordination of operational activities, and funded operational meetings. Europol also provided analytical support linking available data to various criminal cases within and outside the EU. The Joint Cybercrime Action Taskforce (J-CAT) at Europol also supported the operation. This standing operational team consists of cybercrime liaison officers from different countries who work on high-profile cybercrime investigations.

Eurojust actively facilitated the cross-border judicial cooperation between the national authorities involved. The Agency hosted a coordination meeting in July 2023 to facilitate evidence sharing and to prepare for this joint operation.

Following the Internet Organised Crime Assessment (IOCTA) 2023, Europol published the spotlight report “Cyber Attacks: The Apex of Crime-as-a-Service”. It examines developments in cyber-attacks, discussing new methodologies and threats as observed by Europol’s operational analysts. The report also outlines the types of criminal structures that are behind cyber-attacks, and how these increasingly professionalised groups are exploiting changes in geopolitics as part of their modi operandi.

Malware-based cyber-attacks, specifically ransomware, remain the most prominent threat. These attacks can attain a broad reach and have a significant financial impact on industry. Europol’s spotlight report takes an in-depth look at the nature of malware attacks as well as the ransomware groups’ business structures. The theft of sensitive data could establish itself as the central goal of cyber-attacks, thereby feeding the growing criminal market of personal information.

As well as shedding light on the most common intrusion tactics used by criminals, the report also highlights the significant boost in Distributed Denial of Service (DDoS) attacks against EU targets. Lastly, among the report’s key findings are the effects the war of aggression against Ukraine and Russia’s internal politics have had on cybercriminals.
Key findings in “Cyber Attacks: The Apex of Crime-as-a-Service”

- Malware-based cyber-attacks remain the most prominent threat to industry;
- Ransomware affiliate programs have become established as the main form of business organisation for ransomware groups;
- Phishing emails containing malware, Remote Desktop Protocol (RDP) brute forcing and Virtual Private Network (VPN) vulnerability exploitation are the most common intrusion tactics;
- The Russian war of aggression against Ukraine led to a significant boost in Distributed Denial of Service (DDoS) attacks against EU targets;
- Initial Access Brokers (IABs), droppers-as-a-service and crypter developers are key enablers utilised in the execution of cyber-attacks;
- The war of aggression against Ukraine and Russia’s internal politics have uprooted cybercriminals, pushing them to move to other jurisdictions.

Europol’s response in fighting cyber-attacks

Europol provides dedicated support for cybercrime investigations in the EU and thus helps protect European citizens, businesses and governments from online crime. Europol offers operational, strategic, analytical and forensic support to Member States’ investigations, including malware analysis, cryptocurrency-tracing training for investigators, and tool development projects. Based in Europol’s European Cybercrime Centre (EC3), the Analysis Project Cyborg focuses on the threat of cyber-attacks and supports international investigations and operations into cyber criminality affecting critical computer and network infrastructures in the EU.