
Search Results


  • Six Critical Vulnerabilities To Enable OT Supply Chain Attack

    Submitted by: Daryl Haegley, (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD
    Original Source: https://www.infosecurity-magazine.com/news/critical-bugs-enable-ot-supply/
    By Phil Muncaster, 9/9/20

    “Security researchers have discovered six critical vulnerabilities in third-party code which could expose countless operational technology (OT) environments to remote code execution attacks.”

    “Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data and prevent normal operation of third-party software dependent on the CodeMeter,” the US Cybersecurity and Infrastructure Security Agency (CISA) noted.

    “Attackers could phish their targets, socially engineering them into visiting a malicious site under their control to inject a malicious license onto the victim machine. Or they could exploit one of the bugs to create and inject forged licenses onto a machine running CodeMeter, Claroty said.”

  • Spyware Labeled ‘TikTok Pro’ Exploits Fears of US Ban

    Submitted by: Daryl Haegley, (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD
    Original Source: https://threatpost.com/spyware-labeled-tiktok-pro-exploits-fears-of-us-ban/159050/
    By Elizabeth Montalbano, 9/9/20

    “Researchers have discovered a new Android spyware campaign pushing a “Pro” version of the TikTok app that is exploiting fears among its young and gullible users that the popular social media app is on the cusp of being banned in the United States. The malware can take over basic device functions—such as capturing photos, reading and sending SMS messages, making calls and launching apps—as well as uses a phishing tactic to steal victims’ Facebook credentials.”

    “The rogue app called TikTok Pro is being promoted by threat actors using a variant of a campaign already making the rounds, which urges users via SMS and WhatsApp messages to download the latest version of TikTok from a specific web address, said Zscaler senior security researcher Shivang Desai, in a report published 8 September.”

  • City of Baltimore Ransomware Attack: Lessons Learned

    Submitted by: Daryl Haegley, (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD
    Original Source: https://heimdalsecurity.com/blog/baltimore-ransomware/?utm_medium=email&_hsmi=94871936&_hsenc=p2ANqtz-8bfE16LtUAM8jCoJXvguGFMILPYSaycrTV70sLvJMMgiq1aJ_PubditwliNduhDYsl5vS3Girg8-9ix-8KuAfTI4i1uw&utm_content=94871936&utm_source=hs_email
    By Alina Georgiana Petcu, 9/8/20

    “Nowadays, cybercriminals are becoming increasingly hooked on big game hunting. Public institutions ranging from educational facilities to governmental agencies seem to be their favorite targets. One of the most notable instances of the latter in recent history was the Baltimore ransomware attack.”

    “Even though the attack took place in May 2019, there is a lot still to be learned from the Baltimore ransomware case today. In this article, I will present a timeline of the events that unfolded in the wake of the infection, as well as answer the most pressing question in any situation like this: did Baltimore city pay the ransom? Plus, if you want to learn how to prevent a ransomware attack in your institution, keep on reading. I’ll get into that as well.”

  • In the Crosshairs: Building Control Systems by (CS)²AI Fellow, Fred Gordy

    By Fred Gordy, (CS)²AI Fellow, Director of Cybersecurity at Intelligent Buildings, LLC
    October, 2020

    Building automation systems have historically been installed with convenience in mind. Isn’t that why facility managers started using a browser instead of having to install a specific application on all the PCs that needed to access the BAS? Lower cost, greater portability, and ease of access. Remote web access was the next logical step for both the facility manager and the supporting vendors. Facility managers could check their systems through a web browser, and vendor cost could be reduced because vendors could access the system remotely through a browser and pre-diagnose or fix the issue before rolling trucks.

    In the early days, IT really didn’t have, or want to have, anything to do with these systems, so BAS vendors took on the responsibility of running cable, installing unmanaged switches, and setting up remote access. Remote access was often accomplished either by using a public IP (a public IP is a globally unique address that can be reached over the Internet) or by forwarding a public IP to a private IP through a standard internet service provider (ISP) router. Public IPs were assigned to the personal computers that ran the web service/application that enabled facility managers to view and interact with the BAS remotely. The vendor could also view, control, and reprogram the application through the public IP. Because the vendor could also program remotely, public IPs were extended to devices to facilitate programming. As a result, the system was totally exposed.

    At the time, being exposed was okay to both the end user and the vendor because no one was actively seeking out these systems. That’s all changed. Devices are now in the hacker’s crosshairs. Why has this changed? The simple answer is that devices offer the path of least resistance. Hackers may or may not be looking to compromise or destroy equipment. They may be looking for another way into the company network, and they know that control networks have little or no security and that these networks are not typically monitored for threats or intrusions.

    Up until 2009, search engines were not specifically looking for Internet-connected devices. In 2009, Shodan was launched. It was the first search engine dedicated to searching for Internet-connected devices, also known as the IoT (Internet of Things). The intent was to catalog the number of devices (not websites) active on the Internet. Users could search free of charge for specific devices from specific manufacturers. A byproduct of indexing Internet-connected devices was that now the bad guys could use this tool to find devices and probe for vulnerabilities. In 2015, Censys was created at the University of Michigan and made available to the public for free. Censys, like Shodan, crawls the Web in search of Internet-connected devices. And like Shodan, both security researchers and hackers can use it.

    Censys and Shodan both index and add tags to the devices. Why tags? It makes searching easier. You don’t have to know a query language, just know the tags. If you wanted to find all the building control system devices in the world that Censys has indexed, you would enter “building control” in the search box and in less than a second you would have a list. You could do the same for any of the tags shown. The large list of tags makes searching for devices easy to do and easy to refine. Censys provides a lot of useful information for both good guys and bad guys, including the system version, the host ID/license, the host name, and the name of the building where the device resides. It also lists the geographic location of the device, manufacturer, OS version, ISP, etc.

    After a device has been found, several software applications make compromising a device relatively easy. For example, if a hacker can find a BBMD (BACnet broadcast management device), they can have full command and control without having to crack the username and password. And the tool to do this is free. Anyone can download it from SourceForge.net.

    When the first concerns about cybersecurity for control systems were raised, some in the field would ask, “So what if someone turns off the lights?” Today, there is widespread understanding that hackers can cause life safety issues, financial loss, and brand damage to companies. Let’s unpack a few of these incidents. Most of them could have been prevented.

    When the subject of cybersecurity for control systems comes up, the obvious thing that people think of first is loss of or damage to equipment. If a generator were attacked and destroyed, there is the cost of replacing the generator. (Here’s a Department of Homeland Security video of a staged generator attack.) But who would think that a printer connected to a parking system could cost a company six figures? One organization had an exposed printer, and someone printed, “There is a bomb in building.” Nothing was damaged, right? Wrong. The high-rise building had to be evacuated, causing work to stop, yet salaries were still being paid. Emergency personnel were dispatched. And brand damage was inevitable and as yet not quantified.

    Another common situation involves the loss of front-end access. In one case, the front-end application was crippled, causing business cessation for 48 hours. Ransomware can also block front-end access. In 2017, there were numerous ransomware attacks on control systems. These caused stoppages in some cases and investigations in others, but in both the financial impact has not been fully realized due to ongoing review. In all the cases just noted, these attacks could easily have been prevented.

    The biggest thing holding most facility managers back from securing their systems is fear of the unknown. How much will this cost? How hard will the change be? How inconvenient will it be? What else will it add to the daily to-do list? The good news is that there is a lot of low-hanging fruit — actions that will incur minimal cost.

    The first thing a facility manager can do is find out if the system has a public IP. If so, remove it and get the system behind a firewall. If remote access is needed, there are several low-cost remote access solutions. Just by doing that, the control system is hidden from search engines like Shodan and Censys, making it much harder to find.

    As mentioned earlier, ransomware attacks are up — and relatively speaking, up significantly — on control systems. Ransomware has several delivery methods, but the most common is through email or social media. By restricting direct access to the front-end, the facility manager will significantly reduce the probability of a ransomware attack. The front-end needs to be moved off the engineer’s desk, even if the engineer’s office is locked most of the time, and placed into a locked closet with the keyboard, mouse, and monitor removed.

    It is essential to make sure every user, including your vendor, has a unique username and that no one shares user credentials with others. This also means establishing access policies for both employees and vendors. The policy would require at a minimum the following:

    · Least Privilege – Users of the system should have only the rights necessary to perform their duties.
    · Admin – Most building systems only need 2 administrators.
    · Vendor users should be disabled and only enabled during the time the vendor is performing work requested by your company.
    · Employee Access Cessation – If an employee is no longer employed or no longer needs access to the system, they must be removed on the last day of employment or the last day of needed access.
    · Vendor Access Cessation – The vendor is required to inform the FM within 24 hours that an employee is no longer employed by the vendor or no longer requires access to the system.
    · Assess – Determine specific risk by equipment type and function. Document the primary risk and the recovery plan for when an event occurs.
    · Inventory – Make sure all the devices that are connected are supposed to be connected, and know how they are connected. Remember the printer example? Once that happened, the company thought the wireless access had been disconnected from the printer. When we performed our audit it was still connected. Inventory is not a “one-and-done”. Establish a periodic inventory review and change management process.

    There are many more things that can be done at low or medium cost to secure a facility. The list above will get you pointed in the right direction. The National Institute of Standards and Technology has established an elegant and simple principle in its cybersecurity framework that gives a high-level approach to securing systems:

    • Identify: Learn to manage cybersecurity risks.
    • Protect: Limit or contain the impact of cybersecurity events.
    • Detect: Identify when a cybersecurity event occurs.
    • Respond: Take action when a cybersecurity event is detected.
    • Recover: Maintain plans for resilience and restore capabilities or services impaired due to a cybersecurity event.

    The bottom line is that the days when control systems were not on any hacker’s radar are gone. Control systems are seen as easy targets. As a result, IT departments are beginning to be more involved in helping secure control systems, and that’s great, but it’s not enough. When a control system is being assessed, and a report/remediation plan is being created, three risks must be factored in. The obvious one is the cyber risk. A second risk is the financial/business risk. This one has components that are somewhat easy to quantify, but it is always tough to assign a dollar value to brand damage. The risk that is typically not thought of is the operational risk if IT implements its own cybersecurity measures on the control system. Operational risks are anything that could impede or disrupt system performance. Some IT threat-monitoring or corrective technologies can literally cause control systems to fail or lock up, or at the very least disrupt communication, which in turn could prevent sequences of operations from functioning. The remediation report must include what IT can and cannot do.

    In addition to being easily found now with IoT/device search engines, common best practices that IT has used for years are not utilized in the OT (operational technology) world. Audits of systems in the United States and Canada — including commercial real estate, healthcare facilities, government buildings, retail facilities, public venues, and military bases — show in almost every case that the organizations have virtually the same vulnerabilities and bad practices. Here are some examples:

    · The vendor controls user administration.
    · The vendor has 24/7 access to the system.
    · The vendor controls remote access and administers it.
    · The vendor maintains the backups, and the facility manager has limited access.
    · The front-end uses a public IP (some of the devices also have a public IP).
    · Shared or common usernames for both the facility manager and vendors.
    · Incomplete or unknown inventory of connected devices.
    · No change management.
    · No disaster recovery plan.
    · Backups stored locally on the front end.
    · The front-end is exposed where anyone can use it.
    · The front-end is used to surf the Web, check email, and visit social media sites.
    · The front-end operating system and some devices are past end of life.
    · Patching is not up to date.
    · No antivirus software is used.
    · There is no access management policy.
    · No cyber awareness training is utilized.

    In more cases than not, audits find all those problems with building control systems, and more. Facility managers have many responsibilities, and few want to add cybersecurity to the list. They already have their hands full running the facility. But we are in a new era where everything is connected, which means it is time to stretch skillsets. Done correctly, cybersecurity will not add an unmanageable amount of work to the load, and the facility will be safer.

  • The Chairman's Minute: Members Helping Members

    By Derek Harp, Founder and Chairman
    September, 2020

    Dear Industry Colleagues,

    As a global pandemic continues to evolve around the world, we all know we are in the middle of an unprecedented set of circumstances in modern times. While many of us are necessarily prioritizing taking care of our families, employees and communities, it is precisely these sorts of very significant world events that create opportunity for those bent on doing harm to the highly integrated systems that run our modern society. We have seen confirmations of this in our own research as well as that of countless security companies and professional intelligence agencies. We must stay vigilant.

    Perhaps in part due to the current environment and the fact that many of us have at least some newly freed-up time, (CS)²AI is working more than ever to support the global cyber security workforce. I invite you to join our members helping members efforts by joining the (CS)²AI community as a global member, partner, contributor, committee member, (CS)²AI Fellow or research participant. Right now we have room on a few new global level committees; contact us to learn more about how you can contribute to our mission. You can review multiple ways to GET INVOLVED on our global website, and I look forward to your ideas and community engagement that will bolster our society-critical cause.

    Regards,
    Derek Harp

  • How to Hack into Vulnerable ICS Project Files

    Submitted by: Bengt Gregory-Brown, (CS)²AI Co-Founder
    Original Source: https://isssource.com/how-to-hack-into-vulnerable-ics-project-files/
    By Gregory Hale, 8/12/20

    With an increase in phishing attacks during the pandemic, along with little-known vulnerabilities within ICS project files, it is possible for attackers to gain the ability to execute remote code on a system’s network. Phishing attacks are nothing new, as they have been occurring for years, but what is different here is hackers using vulnerable ICS project files to gain access to a network.

    “These vulnerabilities will allow an attacker direct access to critical segments of the network, because you are guaranteed the vulnerability will exploit an engineering computer, and you will get access to the most critical points of the network,” said Nadav Erez, research team lead at industrial cybersecurity company Claroty, prior to his presentation at the DEF CON ICS Village last Friday discussing the details of an ICS vulnerability disclosed late last month.

    “Project files are anything or any entity from which the ICS engineering software takes its information,” Erez said. “If you are programming a PLC in specific software and you click the save button because you want to protect the progress you have made, the entity you save is a project file. It may be a file or a directory. It may be ICS project data or ICS project information that is saved in some type of manner and represents all the information.”

    Accidental Discovery

    Erez said they didn’t start off looking for vulnerabilities in project files; rather, they were looking at adding visibility for asset owners, and the project files represented a very interesting component.

    “Having looked at project files for years, we started to realize these files resemble some traits in ICS protocols because they are very complex, and they contain some interesting information that is proprietary. These traits that are similar to ICS protocols got us thinking maybe these project files were not designed with security in mind, because ICS protocols are not the greatest in terms of security.”

    As it turns out, he was right. Erez and his team discovered, and reported to VDE CERT, an improper path sanitization vulnerability in the import of project files in Phoenix Contact’s PLCnext Engineer version 2020.3.1. Before Phoenix Contact fixed the vulnerability, the build settings of a PLCnext Engineer project (.pcwex) could be manipulated in a way that could result in the execution of remote code. The attacker needed access to a PLCnext Engineer project to be able to manipulate files inside it. Additionally, the files of the remote code needed to be transferred to a location that could be accessed by the PC that runs PLCnext Engineer. When PLCnext Engineer ran a build of the manipulated project, the remote code could be executed.

    Project File Vulnerability

    Erez equated this project file issue to a vulnerability in a Microsoft Word file, which have been around for decades. “An attacker can send a malicious doc file and when a victim double clicks, malicious code will be executed. Can we do the same with a project file? Can we make it so that when you double click on a malicious project file you execute malicious code? What we found is you can,” he said.

    Yes, it is possible to create code to hack into project files, but Erez said there is an easier way to get into a network that doesn’t involve the tedious and time-consuming effort of developing malware.

    “What is interesting is that the same approach a hacker would use with a malicious doc file is sending a phishing campaign to millions of email addresses,” Erez said. “They may send a phishing campaign to engineers, and they may not be security minded, and not opening a project file is not trivial. An engineer who loves his job and is curious about what the project file may contain; it is not a big leap to open the project file. It is not that big a leap because they are not security minded when it comes to opening a project file. We took the original project file and changed it to point to our own malicious project file. We could send it to the engineer and say, ‘Mr. Engineer can you open this project file’ and it would point to our own target file.”

    So, how would an attacker get into a system to start a potential attack? Erez said social engineering works just fine.

    “You send an email to an engineer saying ‘I see on LinkedIn you are using this technology and I am wondering if you could help me out’ and when you send the mail, the attachment is loaded with the malicious code,” Erez said. “Engineers will willingly download an ICS project file from people they don’t know.”

    Open the Door

    Once the project file is open, the hacker can execute whatever code they want on the engineer’s computer.

    “It is a great vector to be used by the hacker, because the hacker sending over the phishing campaign knows that when someone is opening a project file the engineer is opening it on a work computer, because that is where the software is installed. You know when someone opens the malicious project file it will be on a computer that has access to critical segments of the network, and so when you have done that you have gained access to whatever physical devices are on the network, and then it is game over.”

  • DEF CON takes CTF into Space

    Submitted by: Bengt Gregory-Brown, (CS)²AI Co-Founder
    Original Source: https://www.darkreading.com/application-security/the-race-to-hack-a-satellite-at-def-con/d/d-id/1338657
    By Curtis Franklin Jr., 8/13/20

    Eight teams competed to win cash, bragging rights, and the chance to control a satellite in space.

    At DEF CON 27 there was a tantalizing promise: a space-based capture-the-flag competition at DEF CON 28, featuring actual satellites to be controlled. Then came 2020. Hack-a-Sat, as it came to be called, was still on. In the spring, more than 6,000 competitors virtually gathered, self-organized into more than 2,000 teams. In May they competed in a series of challenges, and by May 24, eight teams had risen to the top. At DEF CON 28, they spent two days working through five challenges with several rewards at stake. One (and a big one at that) was bragging rights. Another was a share of a $100,000 prize purse. And the third was the chance to have a solution uploaded to an actual, operational satellite and have it dance to the tune called by the winning team.

    The eight teams, with members from around the world, were: Poland Can Into Space, FluxRepeatRocket, AddVulcan, Samurai, Solar Wine, PFS, 15 Fitty Tree, and 1064CBread. On Friday morning, August 7, they began the competition, which was part of the Aerospace Village at DEF CON.

    Floating on Air

    Unlike many capture-the-flag (CTF) competitions, Hack-a-Sat had a physical component for each team. The sponsors had purchased a series of off-the-shelf training satellites featuring a "standard" guidance navigation and control system (GNC) and a custom Artix 7 FPGA- and Raspberry Pi-based board for onboard and payload systems. According to the team that ran the competition, code from the European Space Agency (ESA) and NASA was used on the two boards, with the off-the-shelf board chosen for its rapid access to sensors and control surfaces, and the custom board designed to be far more interesting from a CTF perspective.

    The physical elements came from the "flat sat" training satellites that were platforms for the electronic components. These earth-bound physical simulators were mounted on air bearings so they could move without resistance and simulate various elements of the scenario. The competition lab also had moving radio transceivers for each team, to simulate moving communication issues, and a virtual moon (along with other visual targets).

    5 Challenges

    The scenario for the contest allowed for a wide variety of challenges: a satellite has been attacked and compromised by an attacker, and is now spinning out of control. The teams need to regain control of the satellite. To do that, they had to complete five challenges - four that were scored based on the order in which teams arrived at a solution and the time required, and one that was pass/fail.

    Challenge 0: Gain control of the satellite communications ground station. The adversary had obtained access and locked others out, so teams had to use a network to access the station.

    Challenge 1: Attempt communication with the satellite spinning out of control. They then had to regain communications with the satellite.

    Challenge 2: The satellite's guidance navigation and control system (GNC) "went offline." Teams had to repair it as quickly as possible to stop the satellite's spinning. This was a challenge in which the satellite's physical reality became important: each flat-sat had only so much battery power for the day, and solutions that used too much power could leave the teams unable to solve subsequent challenges until after the satellite had recharged overnight.

    Challenge 3: The satellite has stopped spinning but can't communicate with the payload module or imager. This brings up an important question: what else might be damaged? Teams had to restore communications to the payload module.

    Challenge 4: Restore normal operations of the payload module to then control the imager.

    Challenge 5: The teams have regained control, but now must prove it by taking an image of the moon in the lab. This challenge was pass/fail and was important for two additional reasons. First, teams had to pass this test to be eligible for podium placement at the end of the challenge. Next, one team would be selected to have their solution uploaded to an actual satellite to see whether it could get an image of the actual moon.

    Solving the challenges involved a combination of traditional communications hacking, diving through documentation, understanding orbital mechanics and flight controls, and hardware hacking through exploiting undocumented input and output mechanisms. Every hour throughout the two days of the competition there was an update showing a leaderboard with comments on the progress (or lack of it) by the various teams, and explanations of the challenges and solutions.

    Story continues. . .

    Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...

  • DHS CISA Completes “Cyber Storm” Exercise

    Submitted by: Bengt Gregory-Brown, (CS)²AI Co-Founder
    Original Source: https://thehill.com/policy/cybersecurity/512119-federal-agency-announces-completion-of-simulated-cyberattack-on-critical
    By Maggie Miller, 08/14/20

    The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) announced Friday the successful completion of a biannual simulated cyberattack aimed at preparing the U.S. and its partners to defend against a real attack on critical systems. The three-day exercise, known as “Cyber Storm,” involved 2,000 participants from the fields of private industry, the federal government and international groups, and was described by CISA as the most extensive cybersecurity exercise in the United States.

    CISA Assistant Director for Infrastructure Security Brian Harrell told reporters Friday, following the end of the simulation, that it was important to simulate a debilitating attack to increase coordination between all the potential groups, all of whom worked together remotely from their homes or places of work during the exercise.

    “We’re more connected than ever, which means our nation’s critical infrastructure faces increased risks from cyber-attacks,” Harrell said in a statement. “No one company or government agency can be expected to go it alone, which is why exercises like Cyber Storm bring everyone together to discuss and exercise how we would respond collectively to a cyber-attack. Each Cyber Storm our coordination and capabilities get better, and this year was no different.”

    He told reporters that the simulation — which mimics potential attacks on critical systems but does not actually attack or disrupt these systems — involved an “all out attack on different sectors” that was modeled on the capabilities of real-world adversaries.

    “Now is the time to exercise under blue sky conditions, you don’t want to exchange business cards during a hurricane,” Harrell told reporters. “The Cyber Storm exercise elements represented actual and potential risks and attacks were made to be as realistic as possible.”

    While election security has been a key issue of concern in recent weeks, Harrell said this was not a sector tested by the simulation, though CISA did host a tabletop exercise among election officials and private sector election groups last month to serve as a test for Election Day plans.

    Harrell said he felt this year’s Cyber Storm exercise had shown the progress made in protecting critical infrastructure from attack. “Did we move the needle when it comes to cyber response, and I think this time around ... we are seeing some marketable improvement across the critical infrastructure space,” Harrell told reporters. CISA plans to soon release a report that will go more in-depth on the findings of the exercise, Harrell noted.

    The Cyber Storm exercise last took place in April 2018, and involved half the number of participants who were involved in this year’s simulation. Concerns around the cybersecurity of critical infrastructure have ramped up during the COVID-19 pandemic, as individuals have moved online for everything from business to socializing. CISA and the National Security Agency (NSA) warned in July that foreign hackers were attempting to target U.S. critical infrastructure, specifically the internet-connected operational technology (OT) assets used throughout U.S. defense systems.

  • Cyberattacks on US companies skyrocketed by 93% in the last 12 months

    Submitted by: Bengt Gregory-Brown (CS)²AI Co-Founder Original Source: https://atlasvpn.com/blog/cyberattacks-on-us-companies-skyrocketed-by-93-in-the-last-12-months By: Alex T. | August 17, 2020

    Cybersecurity remains a hot topic for organizations today as cyberattacks directed at business organizations are on the rise. According to the Atlas VPN investigation, companies across North America reported a 93% increase in cyberattacks in the past 12 months. A cyberattack is a malicious assault by an individual or organization aimed at gaining unauthorized access to the victim's device. Such attacks are frequently employed to steal sensitive data, take over computers, or disrupt a company's internal network infrastructure.

    The data is based on a survey by VMware Carbon Black, which canvassed representatives from 250 North American companies operating across different industries including but not limited to finance, healthcare, and government. The research takes into account data from March 2019 up to March 2020. Among companies surveyed, 93% reported an increase in cyberattacks in the past 12 months. As many as 88% of respondents believe that the rise in cyberattacks was a result of employees working from home during the COVID-19 pandemic. In particular, 23% of the respondents saw an uptick in attack volumes between 1-25%. Moreover, 42% reported a more significant increase between 26-50%. Nearly a quarter of the surveyed companies saw a more than 50% growth in the attacks' volume, while 4% reported that the attack volume surged by more than 2 to 4 times.

    Some business sectors were targeted more than others. The financial services sector saw the highest average rise in cyberattacks experienced at 56%—11% above the norm. What is more, 43% of the companies in this sector reported an over 50% increase in the volume of the attacks. The financial sector is closely followed by the healthcare sector, which saw an average increase of 49% in cyberattacks. Nearly half of the respondents within the industry reported upward jumps in attack volume between 26-50%.

    Malware most favored by cybercriminals

    Cybercriminals are increasingly targeting businesses, and they are doing so by employing a wide range of tactics and techniques. According to the research, custom malware was the most common cyberattack threat, named by nearly a third of the surveyed companies at 29%. It was especially prevalent in the financial sector, with 62% of the companies reporting it as the most frequent type of attack. Custom malware is a type of fileless malware developed to breach a specific company. It leverages existing and legitimate software that is already installed on a user's computer to carry out malicious activities.

    Commodity malware is another prolific cybersecurity attack type, reported by 1 in 10 of the surveyed companies. It is especially common among companies in the financial and healthcare sectors, with 12% of financial companies and 14% of healthcare organizations having experienced it in the 12 months preceding the survey. Unlike customized malware, commodity malware is not custom-built and is typically widely available for purchase or download.

    Supply chain attacks were another common security threat, reported by 9% of the companies. Such attacks attempt to exploit the cyber-vulnerabilities within the supply chain of a targeted company. Supply chain attacks were closely followed by ransomware, with 7% of companies citing it as the most frequent cyberattack. As suggested by its name, ransomware is malicious software designed to prevent a person or an organization from accessing their computer or files unless a ransom is paid.

    Completing the top five list of the most often encountered cyberattacks is process hollowing. It was named by 5% of the organizations. Process hollowing is a code injection technique that is commonly initiated through malicious links in phishing emails. During the injection, the legitimate code of a certain process is overwritten with malicious code, blending in the malware to bypass security checks.

    While less frequent than its counterparts, island hopping was reported by 2% of the companies. Island hopping is a rather new cyberattack method that involves infiltrating small organizations to ultimately get to their large partners. This cyberattack method was named after the US strategy against Japan in World War Two, which involved conquering smaller islands first in order to take the mainland.

  • U.S. Army Report Describes North Korea's Cyber Warfare Capabilities

    Submitted by: Bengt Gregory-Brown (CS)²AI Co-Founder Original Source: https://www.securityweek.com/us-army-report-describes-north-koreas-cyber-warfare-capabilities By Eduard Kovacs on August 18, 2020

    A report published recently by the U.S. Army describes North Korea’s cyber warfare capabilities and provides information on various units and their missions. The 332-page report, titled “North Korean Tactics,” details North Korean forces and their actions, and one chapter focuses on electronic intelligence warfare, which Pyongyang allegedly uses to collect information on its enemies, deceive its enemies, and launch disruptive and destructive attacks, particularly ones aimed at communication and information systems and infrastructure.

    North Korea’s electronic warfare includes both lethal and non-lethal methods. Non-lethal methods include electronic jamming and signals reconnaissance, while lethal methods can include physical destruction of targets supporting its enemy’s decision-making process. In terms of computer warfare, the Army says North Korea primarily conducts these types of attacks because they represent a low-cost and low-risk method for targeting the enemy’s computers, they can be used to counter the enemy’s superior conventional military capabilities, and they can “upset the status quo with little fear of retaliation.”

    “North Korean computer warfare activities may be conducted prior to or during a military action. For example, by damaging or destroying networks related to an enemy’s projected force deployments and troop movements, the [Korean People’s Army (KPA)] can effectively disrupt planning and misdirect movement, producing substantial confusion and delays. As modern armies increasingly rely on ‘just-in-time’ logistics support, targeting logistics-related computers and databases can produce delays in the arrival of important material such as ammunition, fuel, and spare parts during critical phases of a conflict,” the report reads.

    The unit responsible for cyber warfare is called the Cyber Warfare Guidance Unit, and it’s often referred to as Bureau 121. The Army says Bureau 121 has more than 6,000 members, with many operating from countries such as China, Russia, India, Malaysia and Belarus. It’s worth pointing out that South Korea’s defense ministry estimated in 2015 that North Korea had an elite cyber warfare unit with up to 6,000 members.

    The Army says Bureau 121 has four main subordinate groups. One of them is Lazarus, which has an unknown number of members and which is believed to be responsible for many of the high-profile cyberattacks launched by North Korea over the past years. Another group is called Andarial (Andariel), which has roughly 1,600 members and whose mission is to conduct reconnaissance operations in preparation of further attacks. The Bluenoroff group has approximately 1,700 members and it focuses on financially-motivated campaigns. The U.S. Treasury Department last year placed sanctions on Andarial, Lazarus, and Bluenoroff. The fourth and final group is the Electronic Warfare Jamming Regiment, which focuses on jamming enemy communications.

  • Tor Exit Nodes Hacked to Perform SSL-Stripping Attacks

    Submitted by: Bengt Gregory-Brown (CS)²AI Co-Founder Original Source: https://www.zdnet.com/article/a-mysterious-group-has-hijacked-tor-exit-nodes-to-perform-ssl-stripping-attacks/ By Catalin Cimpanu for Zero Day | August 10, 2020

    Since January 2020, a mysterious threat actor has been adding servers to the Tor network in order to perform SSL stripping attacks on users accessing cryptocurrency-related sites through the Tor Browser. The group has been so prodigious and persistent in their attacks, that by May 2020, they ran a quarter of all Tor exit relays — the servers through which user traffic leaves the Tor network and accesses the public internet. According to a report published on Sunday by an independent security researcher and Tor server operator known as Nusenu, the group managed 380 malicious Tor exit relays at its peak, before the Tor team made the first of three interventions to cull this network.

    SSL STRIPPING ATTACKS ON BITCOIN USERS

    "The full extend[sic] of their operations is unknown, but one motivation appears to be plain and simple: profit," Nusenu wrote over the weekend. The researcher says the group is performing "person-in-the-middle attacks on Tor users by manipulating traffic as it flows through their exit relays," and that they are specifically targeting users accessing cryptocurrency-related websites using the Tor software or Tor Browser. The goal of the person-in-the-middle attack is to execute "SSL stripping" attacks by downgrading the user's web traffic from HTTPS URLs to less secure HTTP alternatives. Based on their investigation, Nusenu said the primary goal of these SSL stripping attacks was to allow the group to replace Bitcoin addresses inside HTTP traffic going to Bitcoin mixing services.

    Bitcoin mixers are websites that allow users to send Bitcoin from one address to another by breaking the funds into small sums and transferring them through thousands of intermediary addresses before re-joining the funds at the destination address. By replacing the destination address at the HTTP traffic level, the attackers effectively hijacked the user's funds without the users' or the Bitcoin mixer's knowledge.

    A difficult attack to pull through

    "Bitcoin address rewriting attacks are not new, but the scale of their operations is," the researcher said. Nusenu said that based on the contact email address used for the malicious servers, they tracked at least nine different malicious Tor exit relay clusters, added across the past seven months. The researcher said the malicious network peaked at 380 servers on May 22, when 23.95% of all Tor exit relays were controlled by the group, giving Tor users a one-in-four chance of landing on a malicious exit relay. Nusenu said he's been reporting the malicious exit relays to Tor admins since May, and after the latest takedown on June 21, the threat actor's capabilities have been severely reduced.

    Nonetheless, Nusenu also added that since the last takedown "there are multiple indicators that suggest that the attacker still runs >10% of the Tor network exit capacity (as of 2020–08–08)." The researcher suggested that the threat actor is likely to continue their attack as the Tor Project does not have a thorough vetting process in place for entities who can join its network. While anonymity is a core feature of the Tor network, the researcher argues that better vetting can be put in place for at least exit relay operators.

    A SIMILAR ATTACK TOOK PLACE IN 2018

    A somewhat similar attack took place in 2018; however, it did not target Tor exit relays, but Tor-to-web (Tor2Web) proxies -- web portals on the public internet that allow users to access .onion addresses usually accessible only via the Tor Browser. At the time, US security firm Proofpoint reported that at least one Tor-to-web proxy operator was silently replacing Bitcoin addresses for users accessing ransomware payment portals intending to pay ransom demands -- effectively hijacking the payment and leaving the victims without a decryption key, even if they paid the ransom.
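The clustering approach the article attributes to Nusenu (grouping exit relays by their contact string and measuring what share of exit capacity each group holds) can be sketched as follows. This is an added example, not Nusenu's tooling or anything from the article; the relay records and their field layout are constructed, and the 10% flag threshold simply mirrors the ">10%" figure quoted above.

```python
"""Group Tor exit relays by ContactInfo and report each cluster's share of exit
bandwidth. Added example: the relay records below are constructed, not real
descriptors, and the (nickname, contact, exit flag, bandwidth) layout is assumed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    nickname: str
    contact: str      # free-text ContactInfo field; may be empty
    is_exit: bool
    bandwidth: int    # observed bandwidth, KB/s (constructed values)


# Constructed sample: three exits share one contact (with case/spacing variants),
# two exits have no contact at all, and one guard with the shared contact is not an exit.
SAMPLE_RELAYS = [
    Relay("relayA", "Ops <ops@example.invalid>", True, 10000),
    Relay("relayB", "ops  <OPS@example.invalid>", True, 12000),
    Relay("relayC", "Ops <ops@example.invalid>", True, 8000),
    Relay("relayD", "someone@example.net", True, 50000),
    Relay("relayE", "", True, 20000),
    Relay("relayF", "", True, 30000),
    Relay("guardG", "Ops <ops@example.invalid>", False, 90000),
]


def normalize_contact(contact: str) -> str:
    """Fold case and whitespace so trivially varied contact strings cluster together."""
    return " ".join(contact.lower().split())


def exit_clusters(relays):
    """Return {normalized_contact: (relay_count, share_of_exit_bandwidth)}.
    Only exit relays count. Relays with an empty contact contribute to the total
    but form no cluster, since an empty field says nothing about shared operation."""
    exits = [r for r in relays if r.is_exit]
    total = sum(r.bandwidth for r in exits)
    if total == 0:
        return {}
    by_contact = defaultdict(list)
    for r in exits:
        key = normalize_contact(r.contact)
        if key:
            by_contact[key].append(r)
    return {k: (len(v), sum(r.bandwidth for r in v) / total) for k, v in by_contact.items()}


def flag_large_clusters(relays, threshold=0.10):
    """Contacts whose exit relays hold more than `threshold` of exit bandwidth."""
    return sorted(k for k, (_, share) in exit_clusters(relays).items() if share > threshold)


if __name__ == "__main__":
    for contact, (n, share) in exit_clusters(SAMPLE_RELAYS).items():
        print(f"{contact!r}: {n} exit relays, {share:.1%} of exit bandwidth")
    print("flagged:", flag_large_clusters(SAMPLE_RELAYS))
```

Real relay data would come from Tor consensus or descriptor documents; the grouping and threshold logic is the same.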

  • NSA and CISA Alert Highlights Urgency for OT Security

    Submitted by: Bengt Gregory-Brown (CS)²AI Co-Founder Original Source: https://www.securityweek.com/nsa-and-cisa-alert-highlights-urgency-ot-security By Galina Antova on August 18, 2020

    In the last few years, we’ve seen ample evidence of how cyberattacks on critical infrastructure can be leveraged by nation-states and other powerful adversaries as weapons in geopolitical conflicts. The attacks on the Ukraine power grid and several other incidents demonstrated a show of power and how a country’s infrastructure can be disrupted. The indiscriminate use of destructive exploits in NotPetya (which caused widespread, collateral damage to operational technology (OT) networks and halted operations) revealed to security professionals just how poor the cyber risk posture of their OT networks is and prompted swift actions in many of the largest companies.

    For years now, the government has been warning openly and clearly that: “Since at least March 2016, Russian government cyber actors—hereafter referred to as ‘threat actors’—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” A new alert, issued by the U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), couldn’t be more clear: “We are in a state of heightened tensions and additional risk and exposure.”

    Government agency alerts about previous threats typically describe how the attacks are executed and provide some tactical steps to specific sectors to enhance their ability to reduce exposure. However, this recent alert stands out for its tone, language, and content. Framed from a strategic perspective, it includes broad warnings of an imminent and serious threat across all 16 critical infrastructure sectors, and lengthy, detailed sets of recommendations for how to protect OT environments that, together, encourage a holistic approach to risk mitigation.

    If you think like an attacker, the timing of this jump in critical infrastructure attacks isn’t surprising. Nation-state actors have habitually targeted organizations in industries including high-tech manufacturing, pharmaceuticals, biotech, and healthcare to steal intellectual property and research. Now, it is being widely reported that nation-state actors believed to be linked to China and Russia are targeting attacks against organizations involved in the research and production of COVID-19 vaccines – a clear use of cyber weapons to advance their geopolitical agendas. With many U.S. critical infrastructure organizations involved in these pursuits, the stakes are extraordinarily high. Adversaries are extremely motivated, and such threats are particularly concerning. As advances are made and we get closer to a vaccine, attacks will likely intensify. And this is just one example of how the other critical infrastructure industries could be targeted. Hence the urgency conveyed in the NSA and CISA alert to protect vulnerable networks.

    Why is the potential impact to critical assets so high? The alert describes a perfect storm situation, similar to what I have described before: a combination of legacy OT devices, many of which are internet-facing (something for which they were never designed) and thus expand the attack surface, and opportunistic adversaries with access to tools that provide information about these assets and ways to exploit them. The pervasiveness and gravity of the situation, and the relative ease with which these exploits can be executed, call for immediate actions to reduce exposure across OT networks and control systems. Among an extensive list of specific recommendations, NSA and CISA urge the deployment of threat monitoring technology.

    We’ve talked about the need for asset visibility and threat monitoring in OT environments for years, because one of the biggest challenges in securing these environments is zero telemetry and thus no visibility into OT networks. One of the roadblocks is that organizations have been constrained by preconceived notions of how to proceed based on trusted IT cybersecurity best practices that dictate a “crawl, walk, run” approach. What’s more, many of the IT security tools and approaches introduce unnecessary complexity and, worse, aren’t effective in OT environments. Clearly, based on the tone of the NSA and CISA alert, we need to move straight to “run” and focus on what we can execute immediately to reduce risk the most.

    That’s where threat monitoring comes in. OT networks communicate and share much more information than is typically available from IT components – the software version they are running, firmware, serial numbers, and more. OT network traffic provides all the security information required to monitor for threats. With a single, agentless solution for asset visibility and continuous threat monitoring, that can be implemented quickly and integrated into IT systems and workflows, organizations can move fast to detect and mitigate risk. Translating the obscurity of OT networks for IT security operations center (SOC) analysts, such a solution allows IT and OT teams to work together and bring the full power of the organization’s resources to bear. They can start to identify deviations from established behavioral baselines, unauthorized connections, and the presence of adversary techniques, such as those in the new MITRE ATT&CK for ICS framework, to implement mitigation recommendations rapidly.

    We cannot defend ourselves on this latest battlefield without the right security capabilities. Let’s learn from the previous examples of economic warfare and use the detailed observations and recommendations from NSA and CISA to our advantage. The stakes have never been higher. Fortunately, our capabilities to secure our OT environments are up to the challenge.
