Tag Archive for: CISAs

CISA’s response to Iran hacking control systems in US critical infrastructures is inadequate


Iran is in an undeclared war, including cyber war, against the U.S. and our critical infrastructures. Dec. 1, 2023, CISA, FBI, EPA, NSA and the Israel National Cyber Directorate (INCD) issued the following alert: “IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities.”

The Iranian Government's Islamic Revolutionary Guard Corps (IRGC) is a nation-state actor with the capabilities that implies, not just a group of hackers who support a cause. The picture of the hack of Full Pint Brewery should remove all doubt that Iran is directly behind state-sponsored hacking of U.S. critical infrastructures. The Unitronics incidents are cyberattacks on control systems, in this case PLCs, not on IP networks or IT equipment. PLCs are used for operation, not to hold customer information. Because the IRGC reached the PLC, they can compromise the near- or long-term operation of any targeted system.

Iran has PLCs in its nuclear, manufacturing and oil/gas industries (recall that Stuxnet was an attack against Siemens PLCs) and is familiar with how PLCs operate. The Nov. 25 IRGC cyberattack on the Municipal Water Authority of Aliquippa brings several interesting wrinkles to cyber war. The IRGC targeted the control system equipment, in this case Israeli-made Unitronics PLCs, not the end-users such as Aliquippa or Full Pint. Consequently, this is a nation-state supply chain attack against U.S. critical infrastructure, not against any single end-user or sector.

However, this supply chain attack is not the usual software compromise that can be addressed by a Software Bill of Materials; it exploits design weaknesses in control systems that are not unique to Unitronics. Recall that Stuxnet compromised Siemens PLCs to damage the centrifuges, and that Triconex safety controllers were compromised by the Russians in an attempt to blow up a Saudi Arabian petrochemical plant. It is evident the Dec. 1 alert does not address the PLC-specific issues identified from the Unitronics incidents or from previous PLC attacks.

Unitronics

Unitronics is a control system/automation supplier. From the Unitronics website, the company was founded in 1989 with installations in automated parking systems,…


OIG Assesses CISA’s Cyber Response Post-SolarWinds


A review by the Office of Inspector General (OIG) has found that the Cybersecurity and Infrastructure Security Agency (CISA) has improved its ability to detect and mitigate risks from major cyber attacks since the SolarWinds breach was discovered in 2020. The watchdog added, however, that work remains to safeguard Federal networks.

The SolarWinds Incident

In 2019, a threat actor, later identified as the Russian Foreign Intelligence Service, carried out a campaign of cyber attacks that breached computing networks at SolarWinds, a Texas-based network management software company. The threat actor conducted a software supply chain attack, taking advantage of security vulnerabilities to plant malware (malicious code) in a software update that SolarWinds sent to its clients. When a client installed an infected update, the malware would spread, allowing access to the client’s networks and systems. The attack was highly sophisticated and used new techniques and advanced tradecraft to remain undetected for more than a year.

Because the U.S. government widely uses SolarWinds software to monitor network activity on Federal systems, this incident allowed the threat actor to breach infected agency information systems. SolarWinds estimated that nearly 18,000 of its customers could have received a compromised software update. Of those, the threat actor targeted a subset of high-value customers to exploit, including DHS and multiple other Federal agencies, primarily for espionage. The operation was first detected and reported to CISA by a private sector cybersecurity firm.

CISA participated in a task force with other Federal agencies to coordinate a government-wide response to the SolarWinds breach. The task force worked from December 2020 through April 2021 to discover the impact and mitigate the effects of the cyberattack. After CISA completed its SolarWinds response, it prepared several after-action reports that identified lessons learned, capability gaps, and areas for improvement. CISA reported it needed a better communication process, more visibility into Federal agencies’ networks, and increased authority to find cyber threats on Federal networks.

The Department of Homeland Security…


Lazarus Group phishes for hacking tools. Rockethack’s odd position in the C2C market. CISA’s holiday advice. SEC scam warning.


Attacks, Threats, and Vulnerabilities

North Korean Hackers Caught Snooping on China’s Cyber Squad (The Daily Beast) North Korean hackers are under fierce pressure to raise revenue to fund regime goals. Now they’re trying to spy on Chinese security researchers to get better hacking tools.

Void Balaur explained—a stealthy cyber mercenary group that spies on thousands (CSO Online) Unlike other groups, Void Balaur will target individuals and organizations in Russian-speaking countries and seems to have intimate knowledge of telecom systems.

APT41’s cyber attack methods are a blueprint for hacker groups (TechHQ) APT41’s cyberattack methods are becoming the blueprint for other hacker groups to launch attacks on the supply chain and other industries as well.

Reminder for Critical Infrastructure to Stay Vigilant Against Threats During Holidays and Weekends (CISA) As Americans prepare to hit the highways and airports this Thanksgiving holiday, CISA and the Federal Bureau of Investigation (FBI) are reminding critical infrastructure partners that malicious cyber actors aren’t making the same holiday plans as you. Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways—big and small—to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure.

New ‘SharkBot’ Android Banking Malware Hitting U.S., UK and Italy Targets (SecurityWeek) A newly discovered Android banking trojan has been observed targeting international banks and five different cryptocurrency services.

GitHub cookie leakage – thousands of Firefox cookie files uploaded by mistake (Naked Security) Be aware before you share! That’s a good rule for developers and techies, just as much as it is for social media addicts.

Space cyber wargame exposes satellite industry risks (README) Space industry executives grappled with a simulated crisis Monday as a hacker compromised a satellite and set it on a collision course.

US SEC warns investors of ongoing govt impersonation attacks (BleepingComputer) The Securities and Exchange Commission (SEC) has warned US investors of scammers impersonating SEC…
