2021 Week 11 Security Roundup
Summary
This blog is geared towards cybersecurity events that are of interest to State, Local, Tribal, and Territorial (SLTT) governments in the United States. The hope is that this focus helps SLTT information technology workers and policymakers find the information relevant to their mission. If you are in another sector, hopefully there is information here you can use as well.
News
Microsoft Exchange Server Vulnerability
The zero-day vulnerabilities in on-premises Microsoft Exchange Server keep making news. Over the course of the week, threat actors beyond Hafnium, the Chinese cyber-espionage group that first used them, started taking advantage of the exploits. Many new breaches were identified over the weekend as organizations large and small rushed to update vulnerable servers. From the briefings I have sat through over the last week or so, I can only add my echo to the chorus: patch your on-premises Exchange servers immediately. (The flaw is in the Exchange server, not in the Outlook client; Exchange Online is not affected.) Here are some of the developments we have seen:
ZDNet and others reported that Microsoft has rushed out patches for older Exchange servers. Originally it was announced that earlier versions were not affected, so this appears to be a reversal for Microsoft.
Defense Systems, among others, reminds us that patching and closing the door is not the only step if you may have been compromised. Agencies need to spend time patching other systems and threat hunting in their environment to make sure the threat actors are completely evicted: an attacker who dropped a web shell or created accounts before you patched is still inside after you patch. The article links to scripts that you can use to help determine whether you were breached through this exploit.
https://defensesystems.com/articles/2021/03/10/hafnium-long-term-damage.aspx?s=ds_110321&oly_enc_id=
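As an added example (not from the article, and not one of Microsoft's published scripts), here is a starting point for that hunt on a Windows Exchange host: list recently written .aspx/.ashx/.asmx files under the Exchange front-end and IIS directories where web shells are typically dropped, hash them, and flag ones that look like they evaluate request parameters. The directory paths are the default Exchange 2013/2016/2019 and IIS install locations and are assumptions; adjust them to your environment.

```powershell
# Added example, not code from the article: quick web-shell hunt on an on-premises
# Exchange server. Assumptions: default Exchange and IIS install paths, run elevated,
# and a 14-day window that you widen if your first indicators were earlier.
$exchangeRoot = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath } else { 'C:\Program Files\Microsoft\Exchange Server\V15\' }
$huntPaths = @(
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy'),   # OWA/ECP front-end pages
    (Join-Path $exchangeRoot 'ClientAccess'),         # back-end client access pages
    'C:\inetpub\wwwroot\aspnet_client'                # IIS path commonly abused for drops
)
$since = (Get-Date).AddDays(-14)

$hits = foreach ($p in $huntPaths) {
    if (-not (Test-Path $p)) { continue }
    Get-ChildItem -Path $p -Recurse -Include *.aspx, *.ashx, *.asmx -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                Bytes     = $_.Length
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                # Exchange's own pages ship with the installer; a short page that reads
                # Request parameters and evaluates them is the classic web-shell shape.
                EvalLike  = [bool](Select-String -Path $_.FullName -Pattern 'Request\[|Request\.Item|eval\(|Runtime\.' -Quiet)
            }
        }
}

if ($hits) {
    $hits | Sort-Object Created -Descending | Format-Table -AutoSize
    # Keep a copy for the incident record before anyone cleans up.
    $hits | Export-Csv -Path "$env:TEMP\exchange-aspx-hunt.csv" -NoTypeInformation
} else {
    Write-Host "No .aspx/.ashx/.asmx files written since $since under the hunted paths."
}
```

Treat a hit as a lead, not a verdict: compare anything flagged against a known-good server at the same cumulative update, and remember that timestamps can be altered by an attacker, so an empty result does not clear the host. Run Microsoft's own Test-ProxyLogon.ps1 as the authoritative check, since it also inspects the Exchange HttpProxy logs that this file sweep does not touch.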
Other coverage of the threat-actor activity:
Multiple groups are now using the exploits to gain access. It is no longer a targeted attack against local governments and medical infrastructure but a free-for-all, as every attacker tries to make use of the released information. As an example, the security firm Praetorian released a report outlining how they were able to weaponize the vulnerabilities, and Marcus Hutchins reported that proof-of-concept exploits have been making the rounds of hacking groups.
Other articles:
Government Resources
MS-ISAC/EI-ISAC has an information clearinghouse page to help you deal with the situation and stay up to date:
Norway Parliament hack
The Norwegian Parliament was hit by a second cyberattack just six months after disclosing the previous one.
Verkada
I mention this one because I know several local governments and schools have installed these cameras. It appears that a hacking collective compromised more than 150,000 cameras. Several outlets have reported on this; here is a general roundup of articles:
SolarWinds Orion (Sunburst)
SolarWinds continues to make the news. At this point the discussion is mostly about remediation and how many threat actors appear to have used the compromised software. This is an important reminder that just because one nation-state actor develops a tool does not mean it stays with that actor. In this case we are seeing more and more cooperation between Russian-linked groups and groups in China, Iran, and North Korea, which suggests this could well be a "mostly hidden" first shot in a global cyberwar. I will use this as a chance to remind you that if you are not a member of MS-ISAC, EI-ISAC, InfraGard, and your state-based IT organizations, now is a good time to join. We are stronger together.
Here are some of this week's articles:
Links to some government resources:
Oklahoma Specific:
Universities hacked
The University of Texas at El Paso was hacked. In an attempt to slow the attack, they disabled their network. It appears the damage was limited, and no information about students or employees was exposed.
Some European universities were also attacked in what seems to be a similar fashion. This is difficult to confirm because very little information about any of the attacks has been released. The National Cyber Security Centre was not able to confirm that the attacks on the University of Central Lancashire, the University of the Highlands and Islands, and Queen's University Belfast were linked.
Florida Water Treatment facility hack
The attack on a water treatment facility in Pinellas County, Florida, was a wake-up call for many of us who do cybersecurity for water facilities. This article lists some of the things being done to help keep water systems safe: disconnecting SCADA systems from corporate and internet-connected networks, anti-phishing training, network monitoring and defensive tooling, and so on. Basically, the good cyber hygiene we have been practicing on IT networks is now coming to OT networks.
Schneider Electric Power Meter Vulnerable
Two CVEs have been issued for Schneider Electric power meters. CVE-2021-22714 is rated critical; it allows an attacker to reboot the meter and could even lead to code execution on it. The other, CVE-2021-22713, is rated high and can force the meter to reboot (a denial of service). You can find information about the mitigations in the Schneider advisories for CVE-2021-22714 and CVE-2021-22713.
Legislative actions
Utah passed HB72, a porn-filter law that would mandate that every phone and tablet sold in the state have content-filtering technology built in and enabled by default.
Businesses are looking for guidance on state and federal legislation as the new legislative season starts:
A bipartisan group in the U.S. House of Representatives introduced a bill that would allow Americans to hold foreign governments accountable for malicious cyber activity. I am curious how this would work in practice, but it is more evidence that cyber issues are rising to the forefront of our legislative bodies.