Tag Archive for: treatment

Pakistan’s Baluchis Protest Iranian Treatment Of Ethnic Brethren After Border Shootings

/in


Dozens of ethnic Baluch rights activists have staged a protest in Pakistan’s port city of Karachi to condemn the killing of their ethnic brethren by Iranian border guards last month.

The protest comes amid reports of violent unrest and Internet blackouts in Iran’s southeastern Sistan-Baluchistan Province triggered after security forces killed cross-border fuel smugglers.

Human Rights Watch last month said at least 10 people were killed at the Saravan border area near Pakistan on February 22, although the number of dead may be higher.

In the wake of the killings, there have been reports of armed men attacking Iranian government buildings and security forces near the border, prompting a harsh crackdown.

In Karachi, the protesters demanded of the Iranian government stop using violence against smugglers and protesters who have few other means of earning a living in the poverty-stricken region.

They also demanded compensation for those who have been killed and injured.

Sistan-Baluchistan, one of Iran’s poorest provinces, is a volatile area where drug smugglers and militant groups operate along a porous border with Pakistan, which also faces an ethnic Baluch separatist insurgency and a brutal state crackdown that has killed thousands of people since 2004.

Source…

Florida water treatment facility hack used a dormant remote access software, sheriff says

/in


A hacker who last week tried to poison a Florida city’s water supply used a remote access software platform that had been dormant for months, Pinellas County Sheriff Bob Gualtieri told CNN on Tuesday.



a group of people posing for the camera: On Monday, February 8, 2021, Sheriff Bob Gualtieri gave a press conference surrounding the unlawful intrusion to the City of Oldsmar's water treatment system. He was joined by Mayor Eric Seidel and City Manager Al Braithwaite.

© Pinellas County Sheriff’s Office
On Monday, February 8, 2021, Sheriff Bob Gualtieri gave a press conference surrounding the unlawful intrusion to the City of Oldsmar’s water treatment system. He was joined by Mayor Eric Seidel and City Manager Al Braithwaite.

The cyber-intruder got into Oldsmar’s water treatment system twice on Friday — at 8 a.m. and 1:30 p.m. — through a dormant software called TeamViewer. The software hadn’t been used in about six months but was still on the system.

“How they got in, whether it was through a password or through something else, I can’t tell you that,” said Gualtieri.

However, Oldsmar’s assistant city manager, Felicia Donnelly, told CNN that a password was required for the system to be controlled remotely.

TeamViewer, which is based in Germany and has more than half a million customers around the world using commercial licenses, said that there was no indication of suspicious activity.

“Based on cooperative information sharing, a diligent technical investigation did not find any indication for suspicious connection activity via our platform,” TeamViewer spokesperson Martina Dier told CNN on Wednesday.

Once inside the system, the hacker adjusted the level of sodium hydroxide, or lye, to more than 100 times its normal levels, Gualtieri said. The system’s operator noticed the intrusion and immediately reduced the level back. At no time was there a significant adverse effect to the city’s water supply, and the public was never in danger, he said.

The identity of the hacker, or hackers, isn’t yet known. Gualtieri praised the operator who spotted the attack on Friday and said current and former employees have been interviewed after early consideration of an insider threat. There are currently no suspicions or indications that’s the case, he said.

The incident highlights how some critical infrastructure systems are vulnerable to hacking because they are online and use remote access programs, sometimes with lax security.

Vulnerabilities in…

Source…

Compromise of U.S. Water Treatment Facility

/in


Summary

On February 5, 2021, unidentified cyber actors obtained unauthorized access to the supervisory control and data acquisition (SCADA) system at a U.S. drinking water treatment plant. The unidentified actors used the SCADA system’s software to increase the amount of sodium hydroxide, also known as lye, a caustic chemical, as part of the water treatment process. Water treatment plant personnel immediately noticed the change in dosing amounts and corrected the issue before the SCADA system’s software detected the manipulation and alarmed due to the unauthorized change. As a result, the water treatment process remained unaffected and continued to operate as normal. The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system. Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system. Onsite response to the incident included Pinellas County Sheriff Office (PCSO), U.S. Secret Service (USSS), and the Federal Bureau of Investigation (FBI).

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have observed cyber criminals targeting and exploiting desktop sharing software and computer networks running operating systems with end of life status to gain unauthorized access to systems. Desktop sharing software, which has multiple legitimate uses—such as enabling telework, remote technical support, and file transfers—can also be exploited through malicious actors’ use of social engineering tactics and other illicit measures. Windows 7 will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system. Continuing to use any operating system within an enterprise beyond the end of life status may provide cyber criminals access into computer systems.

Click here for a PDF version of this report.

Technical Details

Desktop Sharing Software

The FBI, CISA, EPA, and MS-ISAC have observed corrupt insiders and outside cyber actors using desktop sharing software to victimize targets in a range of organizations, including those in the critical infrastructure sectors. In addition to adjusting system operations, cyber actors also use the following techniques:

  • Use access granted by desktop sharing software to perform fraudulent wire transfers.
  • Inject malicious code that allows the cyber actors to
    • Hide desktop sharing software windows,
    • Protect malicious files from being detected, and
    • Control desktop sharing software startup parameters to obfuscate their activity.
  • Move laterally across a network to increase the scope of activity.

TeamViewer, a desktop sharing software, is a legitimate popular tool that has been exploited by cyber actors engaged in targeted social engineering attacks, as well as large scale, indiscriminate phishing campaigns. Desktop sharing software can also be used by employees with vindictive and/or larcenous motivations against employers.

Beyond its legitimate uses, TeamViewer allows cyber actors to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs). TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to RATs.

Windows 7 End of Life

On January 14, 2020, Microsoft ended support for the Windows 7 operating system, which includes security updates and technical support unless certain customers purchased an Extended Security Update (ESU) plan. The ESU plan is paid per-device and available for Windows 7 Professional and Enterprise versions, with an increasing price the longer a customer continues use. Microsoft will only offer the ESU plan until January 2023. Continued use of Windows 7 increases the risk of cyber actor exploitation of a computer system.

Cyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits. Microsoft released an emergency patch for its older operating systems, including Windows 7, after an information security researcher discovered an RDP vulnerability in May 2019. Since the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the vulnerability. Cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks. The xDedic Marketplace, taken down by law enforcement in 2019, flourished by compromising RDP vulnerabilities around the world.

Mitigations

General Recommendations

The following cyber hygiene measures may help protect against the aforementioned scheme:

  • Update to the latest version of the operating system (e.g., Windows 10).
  • Use multiple-factor authentication.
  • Use strong passwords to protect Remote Desktop Protocol (RDP) credentials.
  • Ensure anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.
  • Audit network configurations and isolate computer systems that cannot be updated.
  • Audit your network for systems using RDP, closing unused RDP ports, applying multiple-factor authentication wherever possible, and logging RDP login attempts.
  • Audit logs for all remote connection protocols.
  • Train users to identify and report attempts at social engineering.
  • Identify and suspend access of users exhibiting unusual activity.

Water and Wastewater Systems Security Recommendations

The following physical security measures serve as additional protective measures:

  • Install independent cyber-physical safety systems. These are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor.
  • Examples of cyber-physical safety system controls include:
    • Size of the chemical pump
    • Size of the chemical reservoir
    • Gearing on valves
    • Pressure switches, etc.

The benefit of these types of controls in the water sector is that smaller systems, with limited cybersecurity capability, can assess their system from a worst-case scenario. The operators can take physical steps to limit the damage. If, for example, cyber actors gain control of a sodium hydroxide pump, they will be unable to raise the pH to dangerous levels.

TeamViewer Software Recommendations

For a more secured implementation of TeamViewer software:

  • Do not use unattended access features, such as “Start TeamViewer with Windows” and “Grant easy access.”
  • Configure TeamViewer service to “manual start,” so that the application and associated background services are stopped when not in use.
  • Set random passwords to generate 10-character alphanumeric passwords.
  • If using personal passwords, utilize complex rotating passwords of varying lengths. Note: TeamViewer allows users to change connection passwords for each new session. If an end user chooses this option, never save connection passwords as an option as they can be leveraged for persistence.
  • When configuring access control for a host, utilize custom settings to tier the access a remote party may attempt to acquire.
  • Require remote party to receive confirmation from the host to gain any access other than “view only.” Doing so will ensure that, if an unauthorized party is able to connect via TeamViewer, they will only see a locked screen and will not have keyboard control.
  • Utilize the ‘Block and Allow’ list which enables a user to control which other organizational users of TeamViewer may request access to the system. This list can also be used to block users suspected of unauthorized access.

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [email protected] or your local WMD Coordinator. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

To request incident response resources or technical assistance related to these threats, contact CISA at [email protected].

Revisions

February 11, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Source…

Poor Password Security Led to Recent Water Treatment Facility Hack

/in


New details have emerged about the remote computer intrusion at a Florida water treatment facility last Friday, highlighting a lack of adequate security measures needed to bulletproof critical infrastructure environments.

The breach involved an unsuccessful attempt on the part of an adversary to increase sodium hydroxide dosage in the water supply to dangerous levels by remotely accessing the SCADA system at the water treatment plant. The system’s plant operator, who spotted the intrusion, quickly took steps to reverse the command, leading to minimal impact.

password auditor

Now, according to an advisory published on Wednesday by the state of Massachusetts, unidentified cyber actors accessed the supervisory control and data acquisition (SCADA) system via TeamViewer software installed on one of the plant’s several computers that were connected to the control system.

Not only were these computers running 32-bit versions of the Windows 7 operating system, but the machines also shared the same password for remote access and are said to have been exposed directly to the Internet without any firewall protection installed.

It’s worth noting that Microsoft Windows 7 reached end-of-life as of last year, on January 14, 2020.

Adding to the woes, more often than not, many small public utilities are saddled with aging infrastructure, and the IT departments tend to be under-resourced, lacking in budget and expertise to upgrade their security posture and address vulnerabilities in a timely fashion.

“Restrict all remote connections to SCADA systems, specifically those that allow physical control and manipulation of devices within the SCADA network,” Massachusetts state officials said. “One-way unidirectional monitoring devices are recommended to monitor SCADA systems remotely.”

“Keep computers, devices, and applications, including SCADA/industrial control systems (ICS) software, patched and up-to-date,” the alert cautioned, adding “use two-factor authentication with strong passwords.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in a separate alert published today, warned of “cybercriminals targeting and exploiting desktop sharing software and computer networks running operating systems…

Source…