Tag: cyberattack

NCSC's Early Warning service

Agency News, Cyber Security CII sector, Industry News
Early Warning helps organisations investigate cyber attacks on their network by notifying them of malicious activity that has been detected in information feeds.
Early Warning is a free NCSC service designed to inform your organisation of potential cyber attacks on your network, as soon as possible. The service uses a variety of information feeds from the NCSC, trusted public, commercial and closed sources, which includes several privileged feeds which are not available elsewhere.
Early Warning filters millions of events that the NCSC receives every day and, using the IP and domain names you provide, correlates those which are relevant to your organisation into daily notifications for your nominated contacts via the Early Warning portal.
Organisations will receive the following high level types of alerts:
- Incident Notifications – This is activity that suggests an active compromise of your system.
For example: A host on your network has most likely been infected with a strain of malware.
- Network Abuse Events – This may be indicators that your assets have been associated with malicious or undesirable activity.
For example: A client on your network has been detected scanning the internet.
- Vulnerability and Open Port Alerts – These are indications of vulnerable services running on your network, or potentially undesired applications are exposed to the internet.
For example: You have a vulnerable application, or you have an exposed Elasticsearch service.
Cyber security researchers will often uncover malicious activity on the internet or discover weaknesses in organisations security controls, and release this information in information feeds. In addition, the NCSC or its partners may uncover information that is indicative of a cyber security compromise on a network. The NCSC will collate this information and use this data to alert your organisation about potential attacks on your network.
Full details at www.ncsc.gov.uk/information/early-warning-service
Leave a comment , , ,

Cyber attacks on operational technology increasing

Cyber Security CII sector, Industry News
Ransomware: What board members should know and what they should be asking their technical experts
A recent report by FireEye’s Mandiant looked at attacks on operational technology control processes. Once viewed as complex due to access requirements, there are now many more internet-facing endpoints offering a wider attack surface.
Mandiant noted that attackers are not necessarily sophisticated, nor do they know what they are targeting. Graphical user interfaces have been accessed allowing attackers to modify variables without understanding the process being controlled.
The recent attack on Colonial Pipeline disrupted supply lines causing shortages is just one of a number of attacks against critical infrastructure networks.
Last year, in joint work, the NCSC released information for Critical National Infrastructure (CNI) organisations on effective use of the Security design principles and CISA, in the US, issued a summary of best practices for the security of Industrial Control Systems (ICS).
Leave a comment , ,

FS-ISAC Report Finds Cybercriminals and Nation-State Actors Converging, Increasing Cross-Border and Supply Chain Attacks

Cyber Security CII sector, Industry News
FS-ISAC, the only global cyber intelligence sharing community solely focused on financial services, announced today the findings of its latest report, which found that wittingly or otherwise, nation-states and cyber criminals are leveraging each other’s tools and tactics, leading to an increase in cross-border attacks targeting financial services suppliers.
The pandemic has accelerated digitization, connectivity, and the sector’s interdependence, as demonstrated by recent supply chain incidents. Increasingly, the financial sector needs a trusted conduit of real-time cyber information between institutions and third-parties.
"FS-ISAC was the logical host for us to brief the financial services sector to reach a critical mass of institutions around the world all at once," said Jonathan Yaron, CEO of Accellion. "This way, we could ensure that the industry received critical and correct information via a trusted source, enabling it to act quickly to mitigate the impact of the incident."
“Organizations properly practicing defense-in-depth with multi-layered controls are still vulnerable to large-scale and even systemic issues through third party suppliers,” said J.R. Manes, Global Head of Cyber Intelligence at HSBC. “The FS-ISAC community provides its members the visibility into emerging threats that could impact customers and business, even when they are not directly exposed. Ensuring and encouraging the sharing of cyber threat intelligence is a vital part of the defense of not only the financial sector, but the whole business ecosystem that runs on top of the Internet.”
FS-ISAC’s report outlines today’s top threats:
- Convergence of nation-states and cyber criminals: Nation-state actors are leveraging the skills and tools of cyber criminals, either knowingly or not, to enhance their own capabilities.
- Third-party risk on an upward trend: Suppliers to financial firms will continue to be lucrative targets for threat actors, as shown by three highly visible incidents in the last two quarters.
- Cross-border attacks will increase: Cyber criminals test their attack in one country before hitting multiple continents and sub-verticals, as shown by a DDoS extortion campaign targeting ~100 financial institutions in months.
“Trying to outpace evolving cyber threats diverts resources from a financial firm’s core business,” said Steve Silberstein, FS-ISAC CEO. “As the global fincyber utility, FS-ISAC enables industry-wide cross-border sharing to pool resources, expertise, and capabilities to manage cyber risks and incident response.”
Report Methodology
The Navigating Cyber 2021 report is derived from FS-ISAC’s rigorous threat intelligence monitoring maintained by its intelligence operations team. The intelligence is sourced from FS-ISAC's thousands of member financial firms in more than 70 countries and further augmented by analysis by the Global Intelligence Office. Multiple streams of intelligence were leveraged for the curation of the round-up, which examined data across a one year period from January 2020 to January 2021.
Leave a comment , , ,

U.S. law enforcement warn of regular, regionally disruptive threats that could impact the delivery of patient care

Cyber Security CII sector, Industry News

The Federal Bureau of Investigation has issued an alert regarding “Conti,” a highly disruptive ransomware variant. Attacks associated with Conti and the previously published Darkside ransomware variant are believed to be emanating from criminal networks operating from a non-cooperative foreign jurisdiction.

The FBI says it identified at least 16 Conti ransomware attacks targeting U.S. health care and first responder networks, including law enforcement agencies, emergency medical services, 911 dispatch centers and municipalities within the last year.

Ransomware attacks associated with these variants have resulted in regionally disruptive impacts to critical infrastructure, including hospitals and health systems in the United States and Ireland. Most recently, hospitals in New Zealand have been hit by disruptive ransomware attacks.

These ransomware attacks have delayed or disrupted the delivery of patient care and pose significant potential risks to patient safety and the communities that rely on hospitals’ availability.

The American Hospital Association (AHA) remains concerned about cyberattacks with the potential to disrupt patient care and jeopardize patient safety. As stated in our testimony before the Senate Homeland Security Committee in December 2020, the AHA believes that a ransomware attack on a hospital or health system crosses the line from an economic crime to a threat-to-life crime.

The AHA acknowledges and commends the U.S. government’s efforts to share timely and actionable cyber-threat intelligence. However, relying on victimized organizations to individually defend themselves against these attacks is not the solution to this national strategic threat. The vast majority of these attacks originate from outside the United States, often beyond the reach of U.S. law enforcement, where ransomware gangs are provided safe harbor and allowed to operate with impunity, sometimes with the active assistance of adversarial nations.

In response, the AHA has urged the government to embark upon a coordinated campaign that will use all diplomatic, financial, law enforcement, intelligence and military cyber capabilities to disrupt these criminal organizations and seize their illegal proceeds, as was done so effectively during the global fight against terrorism.

Leave a comment , ,

Mitigating the Impacts of Doxing on Critical Infrastructure

Agency News, Cyber Security CII sector, Industry News
CISA has produced an insight designed to help mitigate the impact of doxing: Mitigating the Impacts of Doxing on Critical Infrastructure:
WHAT IS DOXING?
Doxing refers to the internet-based practice of gathering an individual’s personally identifiable information (PII)—or an organization’s sensitive information— from open source or compromised material and publishing it online for malicious purposes. Although doxing can be carried out by anyone with the ability to query and combine publicly available information, it is often attributed to state actors, hacktivists, and extremists.
Doxers compile sensitive information from compromises of personal and professional accounts and a wide range of publicly available data sources to craft invasive profiles of targets, which are then published online with the intent to harm, harass, or intimidate victims.
POTENTIAL IMPACT TO CRITICAL INFRASTRUCTURE
Like many other businesses, critical infrastructure organizations maintain digital databases of PII and organizationally sensitive information, making them ripe targets for doxing attacks. Threat actors may target critical infrastructure organizations and personnel with doxing attacks as a result of grievances related to organizational activities or policies. Incidents of doxing that target personnel and facilities often serve to harass, intimidate, or inflict financial damages, and can potentially escalate to physical violence.
Doxing also poses a threat to senior leadership of critical infrastructure organizations, who may be targeted due to their elevated position with the organization or stance on a particular issue. Doxing attacks targeting senior leaders often serve as “reputation attacks” and could lead to activities seeking to embarrass, harass, or undermine confidence in an official.
Leave a comment , , , ,

US and UK agencies release cybersecurity advisory on recently modified tactics by Russian intelligence agency

Agency News, Cyber Security CII sector, Industry News
The FBI, National Security Agency and Cybersecurity and Infrastructure Security Agency collaborated with the United Kingdom's National Cyber Security Centre to release a Joint Cybersecurity Advisory examining tactics, techniques, and procedures associated with Russian Foreign Intelligence Service (SVR). The advisory provides additional insights on SVR activity including exploitation activity following the SolarWinds Orion supply chain compromise.
CISA released a related document, Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise, that summarizes three joint publications focused on SVR activities related to the SolarWinds Orion compromise.
SVR cyber operators appear to have reacted to prior reporting by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders.
Leave a comment , , , ,

IACIPP Concerned at Increasing Ransomware Attacks Against Critical Infrastructure

Association News, Cyber Security CII sector, Power/Energy/Oil & Gas sector
The International Association of CIP Professionals (IACIPP) is concerned about the increasing threat and ransomware attacks against critical infrastructure and in particular the energy sector.
As has been demonstrated by the recent ransomware attack on Colonial Pipeline in North America, and the impact this has had across other infrastructure services, and the wider economic impact on, for example, the price of petrol and oil, such attacks should be a concern to us all.
"The attack on the Colonial Pipeline Industrial Control System was not a total surprise. For years, our pipeline infrastructure and other critical infrastructures have experienced an ever-increasing level of probes and attacks.  The ICS owners and operators must be vigilant and assure their systems are continuously monitored and armed with the latest cyber protection tools." Commented Dr. Ron Martin, CPP,  Professor of Practice: Critical Infrastructure, Industrial Control System Security, and Access and Identity Management at Capitol Technology University.
Although the FBI and other federal and private cybersecurity entities are working to mitigate the effects of the attack on Colonial Pipeline, there needs to be the wider discussion and collaboration across industry sectors to prepare for future attacks to mitigate future economic impact such attacks cause.
“Our critical infrastructure sectors are the modern day battlefield and cyber space is the great equalizer. Hacker groups can essentially attack with little individual attribution and virtually no consequence. With over 85% of all infrastructure owned and operated by the private sector, significant investment and attention must be placed on hardening key critical systems. I anticipate more attacks like this happening in the future. A key lesson here is that while technology and automation is good, we must also have the ability to efficiently operate manually as well. Attacks will happen, but how quick can you recover and restore critical services?” commented Brian Harrell, Strategic Adviser to IACIPP and Former Assistant Secretary for Infrastructure Protection.
CISA and the Federal Bureau of Investigation (FBI) have recently released a Joint Cybersecurity Advisory (CSA) on a ransomware-as-a-service (RaaS) variant—referred to as DarkSide—recently used in a ransomware attack against Colonial Pipeline.
Chuck Brooks, President of Brooks Consulting International and cyber expert, commented, “Protecting critical infrastructure needs to be a shared responsibility of both the public and private sectors. The energy sector become a preferred target of sophisticated hackers often in collusion with nation state actors. The cost of breach as evidenced in the Colonial pipeline ransomware attack can be disruptive to commerce and impact many industry verticals. “
“Critical infrastructure needs to be fortified from cyberattacks and physical attacks in a joint government/industry collaboration. Resources need to be invested in emerging automation technologies and training. IT and OT systems need to be monitored at the sensor level for anomalies. Sensitive operations need to be segmented and air gapped. Back up of data is an imperative and resiliency a requirement for all critical infrastructure operations. It may take new laws and regulations, but it needs to be done.” Concluded Mr Brooks.
The cyberattack against Colonial Pipeline that was discovered on May 7 underscores the growing impact of cyberthreats on industrial sectors. While the investigation is ongoing and important lessons from this attack will be extracted in the next few weeks, the fact that Colonial Pipeline had to pro-actively take their OT systems offline after starting to learn about which IT systems were impacted by the ransomware is significant.
John Donlon QPM the Chairman of IACIPP stated - ‘This type of attack comes as no real surprise. It is consistent with recent trends and what is really quite concerning is the fact that the scale and impact of such events continue to escalate. We have seen recent Government activity across the Western world seeking to put in place support to Infrastructure Owners and Operators but the speed of new attack methodologies, either through nation-state actors or criminal groups, means it is not always easy to keep ahead of the curve. Unfortunately, I believe we will continue to see even greater escalation in the power of attacks being executed and therefore the breadth and depth of collaboration between governments and the private sector has to develop at pace’.
This will also be subject to a case study panel discussion at Critical Infrastructure Protection and Resilience North America (www.ciprna-expo.com) in New Orleans LA on 19th - 21st of October 2021.
Leave a comment , , , ,

CISA-FBI Cybersecurity Advisory on DarkSide Ransomware following Colonial Pipeline cyberattack

Cyber Security CII sector, Industry News
CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on a ransomware-as-a-service (RaaS) variant—referred to as DarkSide—recently used in a ransomware attack against a critical infrastructure (CI) company.
The cyberattack against Colonial Pipeline that was discovered on May 7 underscores the growing impact of cyberthreats on industrial sectors. While the investigation is ongoing and important lessons from this attack will be extracted in the next few weeks, the fact that Colonial Pipeline had to pro-actively take their OT systems offline after starting to learn about which IT systems were impacted by the ransomware is significant.
Latest Update:
May 11: The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks
May 10: Colonial Pipeline restarted some systems with the goal of substantially restoring operational service by the end of the week
May 9: Colonial Pipeline is is developing a system restart plan
May 7: A ransomware attack against the corporate systems (IT) of Colonial Pipeline led the organization on Friday May 7 to proactively take certain operational systems (OT) offline to contain the threat, which has temporarily halted all pipeline operations. Details on the attack mechanism and the attack scope are under active investigation by the FBI and the private security firm Mandiant (a division of FireEye).
Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data. These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy.
Prevention is the most effective defense against ransomware. It is critical to follow best practices to protect against ransomware attacks, which can be devastating to an individual or organization and recovery may be a difficult process. In addition to the Joint CSA, CISA and FBI urge CI asset owners and operators to review the following resources for best practices on strengthening cybersecurity posture:
CISA and Multi-State Information Sharing and Analysis Center: Joint Ransomware Guide <https://www.cisa.gov/publication/ransomware-guide>
Leave a comment , , ,

FS-ISAC Leads Financial Sector in World's Largest International Live-Fire Cyber Exercise

Cyber Security CII sector, Industry News
FS-ISAC, the only global cyber intelligence sharing community solely focused on financial services, announced its leadership role in devising the financial sector’s scenario during this year’s NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) Exercise Locked Shields.
Locked Shields simulated a series of realistic and sophisticated cyber attack scenarios using cutting-edge technologies, complex networks, and diverse attack methods to test the countries’ ability to protect vital services and critical infrastructure.
This year the exercise strategic track scenario included a large-scale disruption across multiple aspects of the financial services sector. To do this, FS-ISAC convened a Scenario Expert Planning Group comprised of its members including the Bank for International Settlements (BIS) Cyber Resilience Coordination Centre (CRCC), Mastercard, NatWest Group, and SWITCH-CERT among others.
“Given the cross-border nature of today’s cyber threats, exercises like Locked Shields are critical tools in preparing the global financial services industry to better defend against increasingly sophisticated threat actors,” said Teresa Walsh, Global Head of Intelligence of FS-ISAC. “To strengthen the financial sector’s resiliency, FS-ISAC has facilitated cyber exercises for more than ten years. This is a natural extension of our role in helping protect the global financial system.”
A key focus of the exercise strategic track is the cyber dependencies of the financial services industry and how they relate to government and critical infrastructure. The exercise will also examine and account for the new realities brought about by the pandemic, such as the greater security vulnerabilities caused by accelerated digitization and remote work.
“Large-scale exercises like Locked Shields provide both the public and private sectors an opportunity to pressure test response capabilities across borders,” said Ron Green, Chief Security Officer, Mastercard. “Moving with speed and purpose are crucial during an actual incident and everyone involved will gain from the enhanced collaboration and information sharing.”
“Locked Shields continually strives to address the most pressing needs of our nations by emulating current challenges faced by leaders in the cyber domain. Partnerships, such as with FS ISAC, allows us to present current real-world challenges to national leadership. The exercise tests the ability of nations to address a massive cyber attack from internal government cooperation to what mechanisms can be used for coordination and information sharing with the private sector and international partners,” said Colonel Jaak Tarien, Director of the CCDCOE, a NATO-affiliated cyber defence hub that has organized this Exercise every year since 2010.
Leave a comment , , ,

Compromise of U.S. Water Treatment Facility

Agency News, Cyber Security CII sector, Industry News, Water sector
On February 5, 2021, unidentified cyber actors obtained unauthorized access to the supervisory control and data acquisition (SCADA) system at a U.S. drinking water treatment facility. The unidentified actors used the SCADA system’s software to increase the amount of sodium hydroxide, also known as lye, a caustic chemical, as part of the water treatment process. Water treatment plant personnel immediately noticed the change in dosing amounts and corrected the issue before the SCADA system’s software detected the manipulation and alarmed due to the unauthorized change. As a result, the water treatment process remained unaffected and continued to operate as normal. The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system. Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system, although this cannot be confirmed at present date. Onsite response to the incident included Pinellas County Sheriff Office (PCSO), U.S. Secret Service (USSS), and the Federal Bureau of Investigation (FBI).
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have observed cyber criminals targeting and exploiting desktop sharing software and computer networks running operating systems with end of life status to gain unauthorized access to systems. Desktop sharing software, which has multiple legitimate uses—such as enabling telework, remote technical support, and file transfers—can also be exploited through malicious actors’ use of social engineering tactics and other illicit measures. Windows 7 will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system. Continuing to use any operating system within an enterprise beyond the end of life status may provide cyber criminals access into computer systems.
Click here for a PDF version of this report.
Technical Details
Desktop Sharing Software
The FBI, CISA, EPA, and MS-ISAC have observed corrupt insiders and outside cyber actors using desktop sharing software to victimize targets in a range of organizations, including those in the critical infrastructure sectors. In addition to adjusting system operations, cyber actors also use the following techniques:
- Use access granted by desktop sharing software to perform fraudulent wire transfers.
- Inject malicious code that allows the cyber actors to
 - Hide desktop sharing software windows,
 - Protect malicious files from being detected, and
 - Control desktop sharing software startup parameters to obfuscate their activity.
- Move laterally across a network to increase the scope of activity.
TeamViewer, a desktop sharing software, is a legitimate popular tool that has been exploited by cyber actors engaged in targeted social engineering attacks, as well as large scale, indiscriminate phishing campaigns. Desktop sharing software can also be used by employees with vindictive and/or larcenous motivations against employers.
Beyond its legitimate uses, when proper security measures aren’t followed, remote access tools may be used to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs). TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to RATs.
Windows 7 End of Life
On January 14, 2020, Microsoft ended support for the Windows 7 operating system, which includes security updates and technical support unless certain customers purchased an Extended Security Update (ESU) plan. The ESU plan is paid per-device and available for Windows 7 Professional and Enterprise versions, with an increasing price the longer a customer continues use. Microsoft will only offer the ESU plan until January 2023. Continued use of Windows 7 increases the risk of cyber actor exploitation of a computer system.
Cyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits. Microsoft released an emergency patch for its older operating systems, including Windows 7, after an information security researcher discovered an RDP vulnerability in May 2019. Since the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the vulnerability. Cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks. The xDedic Marketplace, taken down by law enforcement in 2019, flourished by compromising RDP vulnerabilities around the world.
Mitigations
General Recommendations
The following cyber hygiene measures may help protect against the aforementioned scheme:
- Update to the latest version of the operating system (e.g., Windows 10).
- Use multiple-factor authentication.
- Use strong passwords to protect Remote Desktop Protocol (RDP) credentials.
- Ensure anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.
- Audit network configurations and isolate computer systems that cannot be updated.
- Audit your network for systems using RDP, closing unused RDP ports, applying multiple-factor authentication wherever possible, and logging RDP login attempts.
- Audit logs for all remote connection protocols.
- Train users to identify and report attempts at social engineering.
- Identify and suspend access of users exhibiting unusual activity.
Water and Wastewater Systems Security Recommendations
The following physical security measures serve as additional protective measures:
- Install independent cyber-physical safety systems. These are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor.
- Examples of cyber-physical safety system controls include:
 - Size of the chemical pump
 - Size of the chemical reservoir
 - Gearing on valves
 - Pressure switches, etc.
The benefit of these types of controls in the water sector is that smaller systems, with limited cybersecurity capability, can assess their system from a worst-case scenario. The operators can take physical steps to limit the damage. If, for example, cyber actors gain control of a sodium hydroxide pump, they will be unable to raise the pH to dangerous levels.
Remote Control Software Recommendations
For a more secured implementation of TeamViewer software:
- Do not use unattended access features, such as “Start TeamViewer with Windows” and “Grant easy access.”
- Configure TeamViewer service to “manual start,” so that the application and associated background services are stopped when not in use.
- Set random passwords to generate 10-character alphanumeric passwords.
- If using personal passwords, utilize complex rotating passwords of varying lengths. Note: TeamViewer allows users to change connection passwords for each new session. If an end user chooses this option, never save connection passwords as an option as they can be leveraged for persistence.
- When configuring access control for a host, utilize custom settings to tier the access a remote party may attempt to acquire.
- Require remote party to receive confirmation from the host to gain any access other than “view only.” Doing so will ensure that, if an unauthorized party is able to connect via TeamViewer, they will only see a locked screen and will not have keyboard control.
- Utilize the ‘Block and Allow’ list which enables a user to control which other organizational users of TeamViewer may request access to the system. This list can also be used to block users suspected of unauthorized access.
Leave a comment , , ,
1 2