Tag Archive for: Including

IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities


SUMMARY

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD)—hereafter referred to as “the authoring agencies”—are disseminating this joint Cybersecurity Advisory (CSA) to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT) cyber actors.

The IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. In addition to the recent CISA Alert, the authoring agencies are releasing this joint CSA to share indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with IRGC cyber operations.

Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices. The IRGC-affiliated cyber actors left a defacement image stating, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” The victims span multiple U.S. states. The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.

This advisory provides observed IOCs and TTPs the authoring agencies assess are likely associated with this IRGC-affiliated APT. For more information on Iranian state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and the FBI’s Iran Threat webpage.

For a PDF version of this CSA, see: 

For a downloadable copy of IOCs, see:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See Table 1 for threat actor activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

CyberAv3ngers (also known as CyberAveng3rs, Cyber Avengers) is an Iranian IRGC cyber persona that has claimed responsibility for numerous attacks against critical infrastructure organizations.[1],[2],[3],[4],[5] The group claimed responsibility for cyberattacks in Israel beginning in 2020. CyberAv3ngers falsely claimed they compromised several critical infrastructure organizations in Israel.[2] CyberAv3ngers also reportedly has connections to another IRGC-linked group known as Soldiers of Solomon.

Most recently, CyberAv3ngers began targeting U.S.-based WWS facilities that operate Unitronics PLCs.[1] The threat actors compromised Unitronics Vision Series PLCs with human machine interfaces (HMI). These compromised devices were publicly exposed to the internet with default passwords and by default are on TCP port 20256.

These PLC and related controllers are often exposed to outside internet connectivity due to the remote nature of their control and monitoring functionalities. The compromise is centered around defacing the controller’s user interface and may render the PLC inoperative. With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment. It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved. Organizations should consider and evaluate their systems for these possibilities.

Threat Actor Activity

The authoring agencies have observed the IRGC-affiliated activity since at least October 2023, when the actors claimed credit for the cyberattacks against Israeli PLCs on their Telegram channel. Since November 2023, the authoring agencies have observed the IRGC-affiliated actors target multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs. Cyber threat actors likely compromised these PLCs since the PLCs were internet-facing and used Unitronics’ default password. Observed activity includes the following:

  • Between September 13 and October 30, 2023, the CyberAv3ngers Telegram channel displayed both legitimate and false claims of multiple cyberattacks against Israel. CyberAv3ngers targeted Israeli PLCs in the water, energy, shipping, and distribution sectors.
  • On October 18, 2023, the CyberAv3ngers-linked Soldiers of Solomon claimed responsibility for compromising over 50 servers, security cameras, and smart city management systems in Israel; however, majority of these claims were proven false. The group claimed to use a ransomware named “Crucio” against servers where the webcams camera software operated on port 7001.
  • Beginning on November 22, 2023, IRGC cyber actors accessed multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs with an HMI likely by compromising internet-accessible devices with default passwords. The targeted PLCs displayed the defacement message, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is Cyberav3ngers legal target.”

INDICATORS OF COMPROMISE

See Table 1 for observed IOCs related to CyberAv3nger operations.

Table 1: CyberAv3nger IOCs

Indicator

Type

Fidelity

Description

BA284A4B508A7ABD8070A427386E93E0

MD5

Suspected

MD5 hash associated with Crucio Ransomware

66AE21571FAEE1E258549078144325DC9DD60303

 

SHA1

Suspected

SHA1 hash associated with Crucio Ransomware

440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3

 

SHA256

 

Suspected

SHA256 hash associated with Crucio Ransomware

 

178.162.227[.]180

IP address

 

 

185.162.235[.]206

IP address

 

 

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 2 for referenced threat actor tactics and techniques in this advisory.

Table 2: Initial Access

Technique Title

ID

Use

Brute Force Techniques

T1110

Threat actors obtained login credentials, which they used to successfully log into Unitronics devices and provide root-level access.

MITIGATIONS

The authoring agencies recommend critical infrastructure organizations, including WWS sector facilities, implement the following mitigations to improve your organization’s cybersecurity posture to defend against CyberAv3ngers activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Note: The below mitigations are based on threat actor activity against Unitronics PLCs but apply to all internet-facing PLCs.

Network Defenders

The cyber threat actors likely accessed the affected devices—Unitronics Vision Series PLCs with HMI—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet. To safeguard against this threat, the authoring agencies urge organizations to consider the following:

Immediate steps to prevent attack:

  • Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password is not in use.
  • Disconnect the PLC from the public-facing internet.

Follow-on steps to strengthen your security posture:

  • Implement multifactor authentication for access to the operational technology (OT) network whenever applicable.
  • If you require remote access, implement a firewall and/or virtual private network (VPN) in front of the PLC to control network access. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication.
  • Create strong backups of the logic and configurations of PLCs to enable fast recovery. Familiarize yourself with factory resets and backup deployment as preparation in the event of ransomware activity.
  • Keep your Unitronics and other PLC devices updated with the latest versions by the manufacturer.
  • Confirm third-party vendors are applying the above recommended countermeasures to mitigate exposure of these devices and all installed equipment.

In addition, the authoring agencies recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by cyber threat actors:

  • Reduce risk exposure. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. CISA Cyber Hygiene services can help provide additional review of organizations’ internet-accessible assets. Email [email protected] with the subject line, “Requesting Cyber Hygiene Services” to get started.

Device Manufacturers

Although critical infrastructure organizations using Unitronics (including rebranded Unitronics) PLC devices can take steps to mitigate the risks, it is ultimately the responsibility of the device manufacturer to build products that are secure by design and default. The authoring agencies urge device manufacturers to take ownership of the security outcomes of their customers by following the principles in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software, primarily:

  • Do not charge extra for basic security features needed to operate the product securely.
  • Support multifactor authentication, including via phishing-resistant methods.

By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates.

For more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 2).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REPORTING

All organizations should report suspicious or criminal activity related to information in this CSA to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. For NSA client requirements or general cybersecurity inquiries, contact [email protected].

Additionally, the WaterISAC encourages members to share information by emailing [email protected], calling 866-H2O-ISAC, or using the online incident reporting form. State, local, tribal, and territorial governments should report incidents to the MS-ISAC ([email protected] or 866-787-4722).

REFERENCES

  1. CBS News: Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group
  2. Industrial Cyber: Digital Battlegrounds – Evolving Hybrid Kinetic Warfare
  3. Bleeping Computer: Israel’s Largest Oil Refinery Website Offline After DDoS Attack
  4. Dark Reading: Website of Israeli Oil Refinery Taken Offline by Pro-Iranian Attackers
  5. X: @CyberAveng3rs

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

VERSION HISTORY

December 1, 2023: Initial version.

Source…

Android Users Warned Of 2 Zero-Day Exploits, Including Spy-On-Phone Attack


Google has announced an October security update for all Android users that addresses more than 50 vulnerabilities and includes fixes for two zero-days already known to be exploited by malicious attackers.

CVE-2023-4863 Is The Same Vulnerability That Led To Zero-click iPhone Spyware Attacks

The first of the zero-day vulnerabilities may sound familiar to regular readers, as well it might. CVE-2023-4863 is none other than the same one impacting the libwebp open-source library that led to recent emergency updates for 1Password, Signal, Chrome, Edge and Firefox, among others.

MORE FROM FORBESCritical New 1Password, Signal, Chrome, Edge, Firefox Emergency Security Updates

This critical buffer overflow vulnerability can lead to remote code execution and appears to be the same flaw that is addressed as CVE-2023-41064 by Apple and used in a zero-click iMessage exploit chain to install spyware onto previously fully patched iPhones.

Although there is currently no evidence that Android users are being targeted by the same iPhone spyware attack, as identified by Citizen Lab and Google’s Threat Analysis Group in September, it remains flagged as exploited in the wild. As such, all users of Android devices are urged to install the October security update as a matter of some urgency.

MORE FROM FORBESNew Critical Security Warning For iPhone, iPad, Watch, Mac-Attacks Underway

CVE-2023-4211 Known To Be Under Targeted Attack

The second zero-day vulnerability, CVE-2023-4211, included within the October security update, is stated, along with CVE-2023-4863, as potentially being “under limited, targeted attack,” according to the Google security advisory. Arm also points to there being evidence of the same targeted attack in a security advisory to users.

There’s a lack of detailed technical information regarding CVE-2023-4211 beyond the fact that it resides in the Arm Mali GPU driver and is a use-after-free issue that could allow for data manipulation.

As Ionut Arghire reports, however, such vulnerabilities have previously been known to be connected with…

Source…

Kids’ intimate files — including suicide attempts — are being put online after ransomware gangs hack schools: report


The confidential documents stolen from schools and dumped online by ransomware gangs are raw, intimate and graphic.

They describe student sexual assaults, psychiatric hospitalizations, abusive parents, truancy — even suicide attempts.

“Please do something,” begged a student in one leaked file, recalling the trauma of continually bumping into an ex-abuser at a school in Minneapolis.

Other victims talked about wetting the bed or crying themselves to sleep.

Complete sexual assault case folios containing these details were among more than 300,000 files dumped online in March after the 36,000-student Minneapolis Public Schools refused to pay a $1 million ransom.

Other exposed data included medical records, discrimination complaints, Social Security numbers and contact information of district employees.

Rich in digitized data, the nation’s schools are prime targets for far-flung criminal hackers, who are assiduously locating and scooping up sensitive files that not long ago were committed to paper in locked cabinets. “In this case, everybody has a key,” said cybersecurity expert Ian Coldwater, whose son attends a Minneapolis high school.

Often strapped for cash, districts are grossly ill-equipped not just to defend themselves but to respond diligently and transparently when attacked, especially as they struggle to help kids catch up from the pandemic and grapple with shrinking budgets.

Months after the Minneapolis attack, administrators have not delivered on their promise to inform individual victims.


Ransomware gangs dumped 300,000 files, including medical record and Social Security numbers, from Minneapolis Public Schools.
Ransomware gangs dumped 300,000 files, including medical record and Social Security numbers, from Minneapolis Public Schools.
AP

Unlike for hospitals, no federal law exists to require this notification from schools.

The Associated Press reached families of six students whose sexual assault case files were exposed.

The message from a reporter was the first time anyone had alerted them.

“Truth is, they didn’t notify us about anything,” said a mother whose son’s case file has 80 documents.

Even when schools catch a ransomware attack in progress, the data are typically already gone.

That was what Los…

Source…

Ransomware gang lists first victims of MOVEit mass-hacks, including US banks and universities


Clop, the ransomware gang responsible for exploiting a critical security vulnerability in a popular corporate file transfer tool, has begun listing victims of the mass-hacks, including a number of U.S. banks and universities.

The Russia-linked ransomware gang has been exploiting the security flaw in MOVEit Transfer, a tool used by corporations and enterprises to share large files over the internet, since late May. Progress Software, which develops the MOVEit software, patched the vulnerability — but not before hackers compromised a number of its customers.

While the exact number of victims remains unknown, Clop on Wednesday listed the first batch of organizations it says it hacked by exploiting the MOVEit flaw. The victim list, which was posted to Clop’s dark web leak site, includes U.S.-based financial services organizations 1st Source and First National Bankers Bank; Boston-based investment management firm Putnam Investments; the Netherlands-based Landal Greenparks; and the U.K.-based energy giant Shell.

GreenShield Canada, a non-profit benefits carrier that provides health and dental benefits, was listed on the leak site but has since been removed.

Other victims listed include financial software provider Datasite; educational non-profit National Student Clearinghouse; student health insurance provider United Healthcare Student Resources; American manufacturer Leggett & Platt; Swiss insurance company ÖKK; and the University System of Georgia (USG).

A USG spokesperson, who did not provide their name, told TechCrunch that the university is “evaluating the scope and severity of this potential data exposure. If necessary, consistent with federal and state law, notifications will be issued to any individuals affected.”

Florian Pitzinger, a spokesperson for German mechanical engineering company Heidelberg, which Clop listed as a victim, told TechCrunch in a statement that the company is “well aware of its mentioning on the Tor website of Clop and the incident connected to a supplier software.” The spokesperson added that the “incident occurred a few weeks ago, was countered fast and effectively and based on our analysis did not lead to any data breach.”

None of…

Source…