Global ransomware threat expected to rise with AI, NCSC warns

Agency News, Cyber Security CII sector, Organisation Types
Artificial intelligence (AI) is expected to increase the global ransomware threat over the next two years cyber chiefs have warned in a new report published.
The near-term impact of AI on the cyber threat assessment, published by the National Cyber Security Centre (NCSC), a part of GCHQ, concludes that AI is already being used in malicious cyber activity and will almost certainly increase the volume and impact of cyber attacks – including ransomware – in the near term.
Among other conclusions, the report suggests that by lowering the barrier of entry to novice cyber criminals, hackers-for-hire and hacktivists, AI enables relatively unskilled threat actors to carry out more effective access and information-gathering operations. This enhanced access, combined with the improved targeting of victims afforded by AI, will contribute to the global ransomware threat in the next two years.
Ransomware continues to be the most acute cyber threat facing UK organisations and businesses, with cyber criminals adapting their business models to gain efficiencies and maximise profits.
To tackle this enhanced threat, the Government has invested £2.6 billion under its Cyber Security Strategy to improve the UK’s resilience, with the NCSC and private industry already adopting AI’s use in enhancing cyber security resilience through improved threat detection and security-by-design.
The Bletchley Declaration, agreed at the UK-hosted AI Safety Summit at Bletchley Park in November, also announced a first-of-its-kind global effort to manage the risks of frontier AI and ensure its safe and responsible development. In the UK, the AI sector already employs 50,000 people and contributes £3.7 billion to the economy, with the government dedicated to ensuring the national economy and jobs market evolve with technology as set out under the Prime Minister’s five priorities.
Leave a comment

NCSC and partners issue warning about state-sponsored cyber attackers hiding on critical infrastructure networks

Agency News, Cyber Security CII sector, Industry News
The UK and allies have issued a fresh warning to critical infrastructure operators about the threat from cyber attackers using sophisticated techniques to camouflage their activity on victims’ networks.
The National Cyber Security Centre – a part of GCHQ – and agencies in the US, Australia, Canada and New Zealand have detailed how threat actors have been exploiting native tools and processes built into computer systems to gain persistent access and avoid detection.
This kind of tradecraft, known as ‘living off the land’, allows attackers to operate discreetly, with malicious activity blending in with legitimate system and network behaviour making it difficult to differentiate – even by organisations with more mature security postures.
The NCSC assesses it is likely this type of activity poses a threat to UK critical national infrastructure and so all providers are urged to follow the recommended actions to help detect compromises and mitigate vulnerabilities.
The new ‘Identifying and Mitigating Living Off The Land’ guidance warns that China state-sponsored and Russia state-sponsored actors are among the attackers that have been observed living off the land on compromised critical infrastructure networks.
Leave a comment

Ministry of Defence of the Netherlands Uncovers COATHANGER, a Stealth Chinese Fortigate RAT

Agency News, Cyber Security CII sector, Industry News
The Ministry of Defence (MOD) of the Kingdom of the Netherlands was impacted in 2023 by an intrusion into one of its networks. The effects of the intrusion were limited because the victim network was segmented from the wider MOD networks.
During an incident response case, the Netherlands’ MIVD found a Remote Access Trojan (RAT) present on the FortiGate device that had been used for initial access.
The victim network had fewer than 50 users. Its purpose was research and development (R&D) of unclassified projects and collaboration with two third-party research institutes. These organizations have been notified of the incident.
MIVD & AIVD assess with high confidence that the intrusion at the MOD, as well as the development of the malware described in this report, was conducted by a state-sponsored actor from the People’s Republic of China.
MIVD & AIVD emphasize that this incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies.
The COATHANGER malware provides access to compromised FortiGate devices after installation. The implant connects back periodically to a Command & Control server over SSL, providing a BusyBox reverse shell.
Leave a comment

Incident Response Guide for the WWS Sector

Agency News, Industry News

CISA, the Federal Bureau of Investigation (FBI), and the Environmental Protection Agency released a joint Incident Response Guide for the Water and Wastewater Systems (WWS) Sector. The guide includes contributions from over 25 WWS Sector organizations spanning private industry, nonprofit, and government entities. This coordination enabled CISA, FBI, and EPA to develop a guide with meaningful value to WWS Sector organizations.

Specifically, the guide provides information about the federal support available at each stage of the cyber incident response (IR) lifecycle and aims to enhance WWS Sector cybersecurity by:

• Establishing clear guidance for reporting cyber incidents;
• Connecting utilities with available cybersecurity resources, services, and no-cost trainings;
• Empowering utilities to build a strong cybersecurity baseline to improve cyber resilience and cyber hygiene; and
• Encouraging utilities to integrate into their local cyber communities.

CISA, FBI, and EPA urge all WWS Sector and critical infrastructure organizations to review this guidance and incorporate it into their organizational cyber incident response planning. Organizations can visit CISA.gov/water for additional sector tools, information, and resources.

Leave a comment

Enabling Threat-Informed Cybersecurity: Evolving CISA’s Approach to Cyber Threat Information Sharing

Agency News, Cyber Security CII sector, Industry News

One of CISA’s most important and enduring roles is providing timely and actionable cybersecurity information to our partners across the country. Nearly a decade ago, CISA stood up our Automated Indicator Sharing, or AIS, program to widely exchange machine-readable cyber threat information. We know that the only constant in cybersecurity is change, and we’re evolving our information sharing approaches to maximize value to our partners and keep pace with a changing threat environment.

How Did We Get Here?

Every day, CISA evaluates the cyber threat environment, considers the impact of known vulnerabilities, and assesses the defensive posture of entities across our Nation to determine how we can most effectively safeguard critical infrastructure and government networks. Our insight is derived from a variety of sources to include classified and open-source reporting; operational collaboration with government and industry partners; findings from CISA assessments and incident response; and from information shared by members of our broad cybersecurity community through mechanisms such as AIS.

CISA then translates these insights into timely and relevant information. We share information broadly on a global scale, through alerts, advisories, and our Known Exploited Vulnerabilities catalog. We enrich our shared services and cyber capabilities with cyber threat information (CTI). And we leverage these insights to design and prioritize new cyber capabilities for programs such as Continuous Diagnostics and Mitigation (CDM). Across the board, CISA incorporates our unique insights of the global cyber threat environment into everything we offer to provide value to our partners.

While these threat-informed products and capabilities are important to many of our stakeholders, we know that organizations also benefit from receiving cyber threat information to shape investment decisions and prioritize mitigation actions. It is not enough to monitor broad cyber threats generally; organizations must apply threat information to their own risk and technology environments. AIS was established to satisfy legislative requirements and to provide stakeholder communities with a cost-effective means by which to exchange cyber threat indicators and defensive measures with CISA and, in doing so, with thousands of cybersecurity practitioners across the country and with partners across the globe. When it was first established, AIS was a novel model that helped many organizations around the world. But now, it’s time for a change.

Where Are We Going?

As the cyber threat environment evolves, so must our capabilities to analyze and share cyber threat information. When AIS was first designed, the U.S. Government was focused on filling an identified gap in cyber threat intelligence for many organizations and ensuring strong privacy controls. In the early days of AIS, the priority was speed. A decade later, the cybersecurity industry has matured substantially; current products and services are addressing information requirements for most organizations and, in an era of information overload, practitioners still require speed but value context, precision, and tailored insights over volume and velocity alone.

In 2024, CISA will begin a strategic effort to modernize our approach to enterprise cyber threat information sharing. This effort will drive three key areas of progress:

- Simplification: We will refocus and consolidate our customer-facing cyber threat intelligence offerings under a new initiative called Threat Intelligence Enterprise Services (TIES). The TIES Exchange Platform will unify our information sharing capabilities under a single banner for federal agencies and certain user communities, enabling streamlined provision of cyber threat information from our partners and commercial sources. This will offer a common view which will facilitate communications and enable threat-specific engagement. As we design and implement this central solution, CISA is working in parallel to modernize our AIS capability which, in the future, will further complement CISA-curated threat feeds made available by this shared service platform.

- Partner-Centered Design: Throughout this process, we will be driven by the requirements of our partners, including federal agencies, critical infrastructure organizations, and state, local, tribal, territorial governments, to ensure that we are adding value rather than duplicating capabilities. We will continuously seek feedback and ensure that the platform itself is built around human-centered design principles to enable ease-of-use even for under-resourced organizations.

- Learning from Experience: We will rigorously learn from known challenges with the legacy AIS system: we know that it must be easy to both share and receive, that shared information must have sufficient context to enable prioritized action; and that every participant must recognize meaningful value that is additive to existing cybersecurity capabilities. At the same time, we will build upon the successes of the AIS program, including a rigorous focus on privacy and confidentiality by design.

What to Expect Next?

CISA's goal is to facilitate collective, automated cyber defense through increased sharing and context, shaped by an acute understanding of the threat environment. While CISA implements this transition over the next two years, the AIS program will remain available, and we encourage users to continue leveraging this capability and actively share indicators back with CISA.

The shared visibility into cyber threats is our best defense. When an organization identifies threat activity and keeps it to itself, our adversaries win. When we rapidly share actionable information across a community of partners, we take back the advantage. And, when we turn actionable information into strategic investments to drive the most important mitigations, we achieve enduring change. In this new year, we encourage every organization to make a commitment- perhaps a New Year’s resolution- to cybersecurity information sharing, including incident information, indicators of compromise, or even feedback and insights that could benefit peers across the Nation. We look forward to sharing more details about TIES and our cyber threat exchange modernization initiatives throughout the year.

Leave a comment

CISA Releases Key Risk and Vulnerability Findings for Healthcare and Public Health Sector

Agency News, Cyber Security CII sector, Health & Social Care, Industry News

Report provides recommended actions and mitigation strategies for HPH sector, critical infrastructure and software manufacturers

The Cybersecurity and Infrastructure Security Agency (CISA) published a Cybersecurity Advisory (CSA), Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment, detailing the agency’s key findings and activities during a Risk and Vulnerability Assessment (RVA) conducted at a healthcare and public health (HPH) organization in early 2023. The advisory also provides network defenders and software manufacturers recommendations for improving their organizations’ and customers’ cyber posture, which reduces the impact of follow-on activity after initial access.

The CISA assessments team identified several findings as potentially exploitable vulnerabilities that could compromise the confidentiality, integrity, and availability of the tested environment. Tailored for HPH organizations of all sizes as well as for all critical infrastructure organizations, the advisory provides several recommended mitigations mapped to 16 specific cybersecurity weaknesses identified during the RVA. Also, the advisory provides three mitigation strategies that all organizations should implement: (1) Asset management and security, (2) Identity management and device security, and (3) Vulnerability, patch, and configuration management. Each strategy has specific focus areas with details and steps on how HPH entities can implement them to strengthen their cybersecurity posture.

“Exposure of common vulnerabilities and insecure configurations can result in detrimental cyber activity for U.S. healthcare organizations, such as ransomware, data breaches, or denial-of-service. The intent of this advisory is to help organizations maintain the availability, confidentiality, and integrity of their critical healthcare and public health systems, functions, and data,” said CISA Deputy Director Nitin Natarajan. “Adversaries and criminals will continue to target organizations seen as target rich, cyber poor. To reduce the burden of cybersecurity on customers, manufacturers of HPH technology products should implement the recommended actions in the advisory that are aligned to our Principles and Approaches for Secure by Design Software white paper. Also, we strongly encourage healthcare entities and all organizations to review this advisory, implement the mitigations and enroll in our vulnerability scanning service which can further help reduce cyber risk.”

This advisory builds on the CISA and Health and Human Services Healthcare Cybersecurity Toolkit and CISA’s Mitigation Guide for HPH Sector that were recently released. The recommended mitigations for network defenders are mapped to the Cross-Sector Cybersecurity Performance Goals (CPGs).

The recommended actions for software manufacturers are aligned to the recently updated, Principles and Approaches for Secure by Design Software, a joint guide co-sealed by 18 U.S. and international agencies. It urges software manufacturers to take urgent steps necessary to design, develop, and deliver products that are secure by design.

Leave a comment

Action against digital skimming reveals 443 compromised online merchants

Agency News, Cyber Security CII sector, Industry News

Europol, law enforcement authorities from 17 countries and the European Union Agency for Cybersecurity (ENISA) have joined forces with the private sector partners, including Group-IB and Sansec, to fight digital skimming attacks.

With the support of national Computer Security Incident Response Teams (CSIRT), the two-month action has enabled Europol and its partners to notify 443 online merchants that their customers’ credit card or payment card data had been compromised. This action, led by Greece, falls under the EMPACT priority, which targets the criminals behind online fraud schemes.

Digital skimming is the act of stealing credit card information or payment card data from customers of an online store. Criminals use sophisticated information technology to intercept data during the online checkout process, without customers or online merchants noticing anything unusual.
Data theft often goes unnoticed

Digital skimming attacks can go undetected for a long time. Payment or credit card information stolen as a result of these criminal acts is often offered for sale on illicit marketplaces on the darknet. Customers are usually not aware that their payment details have been compromised until the criminals have already used them to carry out an unauthorised transaction. Generally, it is difficult for customers to find the point of compromise.

Europol is participating in the digital skimming action with the aim of informing affected e-commerce platforms and other online merchants that they have been unintentional points of compromise for such stolen payment data. Europol, national law enforcement authorities, national Computer Security Incident Response Teams and trusted private industry partners identify affected online merchants and provide technical support to these platforms to resolve the issues and protect future customers.

Leave a comment

NCCoE Announces Technology Collaborators for Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector Project

Agency News, Cyber Security CII sector, Industry News

The NCCoE has invited technology providers and industry experts from Amazon Web Services, Cisco, Dragos, Garland Technology, Inductive Automation, Qcor, Rockwell, Siemens, TDI Technologies, and Tenable to collaborate on the Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector project.

These collaborators will work with the NCCoE project team to demonstrate a practical solution to assist organizations in detecting, responding, and recovering from a cyber incident within an operational technology environment.

The result will be a freely available NIST Cybersecurity Practice Guide that includes a reference design and a detailed description of the practical steps needed to implement the solution based on the NIST Cybersecurity Framework and industry standards and best practices.

Each of these organizations responded to a notice in the Federal Register to submit capabilities that aligned with desired solution characteristics for the project. The accepted collaborators were extended a Cooperative Research and Development Agreement, enabling them to participate in a consortium in which they will contribute expertise and hardware or software to help refine a reference design and build example standards-based solutions.

Leave a comment

CISA Issues Request For Information on Secure by Design Software Whitepaper

Agency News, Cyber Security CII sector, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector

The Cybersecurity and Infrastructure Security Agency (CISA) has published a Request for Information from all interested parties on secure by design software practices, including the Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software whitepaper, as part of its ongoing, collective secure by design campaign across the globe.

To better inform CISA’s Secure by Design campaign, CISA and its partners seek information on a wide range of topics, including the following:

- Incorporating security early into the software development life cycle (SDLC): What changes are needed to allow software manufacturers to build and maintain software that is secure by design, including smaller software manufacturers? How do companies measure the dollar cost of defects in their SDLC?
- Security is often relegated to be an elective in education: What are some examples of higher education incorporating foundational security knowledge into their computer science curricula; When new graduates look for jobs, do companies evaluate security skills, knowledge, and experience during the hiring stage, or are employees reskilled after being hired?
- Recurring vulnerabilities: What are barriers to eliminating recurring classes of vulnerability; how can we lead more companies to identify and invest in eliminating recurring vulnerabilities; how could the common vulnerabilities and exposures (CVE) and common weakness enumeration (CWE) programs help?
- Operational technology (OT): What incentives would likely lead customers to increase their demand for security features; Which OT products or companies have implemented some of the core tenants of secure by design engineering?
- Economics of secure by design: What are the costs to implement secure by design and default principles and tactics, and how do these compare to costs responding to incidents and breaches?

“While we have already received a wide range of feedback on our secure by design campaign, we need to incorporate the broadest possible range of perspectives,” said CISA Director Jen Easterly. Our goal to drive toward a future where technology is safe and secure by design requires action by every technology manufacturer and clear demand by every customer, which in turn requires us to rigorously seek and incorporate input. The President’s National Cybersecurity Strategy calls for a fundamental shift in responsibility for security from the customer to software manufacturers, and input from this RFI will help us define our path ahead, including updates to our joint seal Secure by Design whitepaper.

Co-sealed by 18 U.S. and international agencies, our recent Secure by Design guidance strongly encourages every software manufacturer to build products in a way that reduces the burden of cybersecurity on customers. More recently, CISA launched a new series of Secure by Design Alerts outlining the real-world harms that result from technology products that are not secure by design.

With its partners, CISA encourages technology manufacturers and all interested stakeholders to review the Request for Information and provide written comment on or before 20 February 2024. Instructions for submitting comment are available in the Request for Information. The feedback on current analysis or approaches will help inform future iterations of the whitepaper and our collaborative work with the global community.

Leave a comment

Most populous city in Philippines leads by example in inclusive DRR

Agency News, Industry News, Power/Energy/Oil & Gas sector, Water sector

Reducing disaster risk is seemingly never-ending in a country like the Philippines, which is exposed to a multitude of natural hazards.

Increasing urbanization also increases the risk of disasters in cities. New patterns of hazards, exposure and vulnerability are emerging. In this context, local authorities play a dual role. They are the first responders to disasters but are also instrumental in disaster risk reduction (DRR).

Persons with disabilities are often the most affected by natural hazards. Little progress has been made over the past decade in including them in DRR, according to a survey conducted by the United Nations Office for Disaster Risk Reduction (UNDRR) in 2023. Persons with disabilities often do not have access to information about disaster risk and are not included in decision-making related to DRR in communities, and few DRR plans consider the specific needs of persons with disabilities. This is the case in the Philippines as in most countries around the world.
A push in the right direction

The Midterm Review of the Sendai Framework for Disaster Risk Reduction 2015-2030, which concluded in 2023, emphasized that more needs to be done to engage the whole of society in DRR, especially the people and communities most at-risk, and that DRR at the local level is of great importance if we want to implement the Sendai Framework by 2030.

Despite the ambitious agenda to localize DRR and the progress that the Philippines has made in increasing capacities and resources and developing regulations at the smallest government units (barangay), its voluntary national report for the Sendai Framework Midterm Review highlights the need to further strengthen local DRR as a priority area.
A chain of learning

On 28 and 29 November 2023, UNDRR provided a training on urban resilience and disability inclusion in DRR in Quezon City, which is the most populous city in the Philippines and belongs to the Metro Manila region. Representatives from different city departments attended, alongside organizations of persons with disabilities.

A key element of the UNDRR-led initiative Making Cities Resilient 2030 (MCR2030) is connecting cities and facilitating peer learning on resilience. A representative from Baguio City in the northern Philippines co-facilitated the training in Quezon City and shared experiences from the inclusion of persons with disabilities in DRR in a context that is familiar to Quezon. In 2022, officials from Baguio City were trained by the MCR2030 Resilience Hub Makati City, which is also part of Metro Manila. Quezon City is thus the third city in this learning chain.
An assessment, an action plan, a platform and lots of commitment

During the training in Quezon City, participants learned how to use the Disaster Resilience Scorecard for Cities and its annex for the inclusion of persons with disabilities in DRR to evaluate disaster risk management practices.

Based on this assessment, they developed an initial action plan on the inclusion of persons with disabilities in institutional capacities, infrastructure resilience, and recovery, including “Building Back Better”.

The aim of the training was not only to increase knowledge about inclusive DRR and risk assessment capacities, but also to build a platform where local authorities and persons with disabilities come together to discuss DRR and where persons with disabilities are involved in risk assessments and decision-making on DRR.

For many representatives from organizations of persons with disabilities, this training was the first time they had been included in discussions about DRR. “We appreciate the opportunity to have a seat at the table and contribute to decisions that concern us”, one representative said.

Together, the city officials and the organizations of persons with disabilities committed to making DRR in Quezon City more inclusive and to transfer their knowledge and lessons learnt to other cities.
Support for local DRR from the national authorities

With the Department of the Interior and Local Governments (DILG) and the Office for Civil Defense (OCD), national authorities were also represented at the workshop.

An official from the OCD highlighted that the inclusion of persons with disabilities is an issue that needs to be further considered in policies and frameworks, at the local and national levels. “The training helped to understand that local planning needs to be more inclusive and also take into account the needs and perspectives of persons with disabilities to build resilience”, he said.

The engagement of national authorities in MCR2030 builds capacity for urban resilience also at the national level, helping to ensure that cities are more resilient to future disasters and the most at-risk are protected.

[Source: Making Cities Resilient 2030 (MCR2030) United Nations Office for Disaster Risk Reduction - Regional Office for Asia and Pacific]
Leave a comment
1 2 3 4 54