2021 Security for Week 25 Roundup


Summary

This week there was quite a bit of activity, including some that hit close to home.  These include ICS security news, more Pulse Connect victims, a deep dive into a school system's response to ransomware, and a local hospital that was the victim of ransomware.  Lastly, there is quite a bit of legislative activity, with the NATO and G7 summits dominating the news.

News

SolarWinds hack

I have had some who follow my writings here and on social media claim that attributing the SolarWinds attack to Russia is somehow partisan or rash.  The argument seems to be that there is no real proof and that instead the hack was due to some perceived (but unattributed) shortcoming in the current state of the nation's cyber defense strategy.  If you are one of those, I really implore you to get into that discussion here.  What can we, the front-line workers in the cyber war, do to be better at defense, response, and recovery?
This week, FireEye, who first identified the hack, released information on how they came to the conclusion that DarkSide is in fact a Russian organization behind the attack.  Some of the key indicators were:
  • The bad actors performed their searches inside of targeted networks using very specific playbooks.
  • They all used specific keywords and user accounts instead of using any backdoor.
  • FireEye CEO Kevin Mandia personally received a taunting postcard that was later tracked back to a Russian address and that indicated knowledge of FireEye's attempt to investigate the hack.

Puerto Rico power issues

I am not sure if it is just poor timing, but during a fire at a substation that left up to 800,000 people without power, a Distributed Denial of Service (DDoS) attack left many unable to get updates.

ISA releases a top 20 PLC Coding Best Practices

The International Society of Automation (ISA) released an open-source best practices guideline for hardening PLCs at the code level.  Calling PLCs the last line of defense in the industrial control security scheme, they stressed the importance to equipment and life safety of hardening PLCs against attack and accidental misconfiguration.  I will link to the finished product below and hopefully this will open up a new generation of PLCs that encourage manufacturers and end-users to take safety and security into consideration at the build and deployment phases of these devices.

The Guide

Schneider PowerLogic Devices vulnerabilities

Schneider has alerted customers that its PowerLogic EGX100 and EGX300 communication gateways have multiple vulnerabilities.  The vulnerabilities have been assigned CVE-2021-22763 through CVE-2021-22768.  While Dragos reported the flaws in the above devices, Schneider has since discovered that 2 of the flaws also impact the PowerLogic PM55xx metering devices, as they share the same web server codebase.  Some of these flaws can be exploited over the internet if the devices are exposed to it.

Water Utility breached in Pulse Connect Secure breach

Verizon and the Metropolitan Water District of Southern California indicated they were caught up in the massive Pulse Connect Secure hacks that were reported back in April of 2021.  This is an indication that we are still getting a handle on just how much of the nation's critical infrastructure was infiltrated by the Chinese actors.  Many have also commented on how frightening it is that these breaches were not discovered sooner, given that they affect very large organizations with presumably large security budgets.

Stillwater Medical Center Ransomware

Stillwater Medical Center in Stillwater, Oklahoma was hit with a ransomware attack last weekend.  The attack affected both the computer and phone networks.  The hospital remains open, but some appointments have been pushed to later times.  The hospital staff is working with law enforcement to investigate the incident.

Town of Freeport Ransomware attack

The town of Freeport took down its network to deal with a ransomware attack by the Avaddon ransomware group.  Manager Peter Joseph said they took down the network themselves and were able to restore services shortly after without paying a ransom, and they do not believe any data was removed.  Joseph indicated they were working with the Maine State Police.  Last Friday (6/11/2021) BleepingComputer announced that the Russian-oriented Avaddon group had suspended its ransomware ring and released decryptors after the Biden administration's announcement of a change in policy to begin retaliating against such gangs.
Avaddon is (hopefully was) one of the growing number of groups that would release data of city governments on the dark web if ransoms were not paid.  They are also one of the groups I have noted that coordinate attacks against U.S. targets and detonate payloads on Fridays or at the start of holidays, when IT staff are less likely to be actively monitoring systems.

Avaddon shutdown

Baltimore County Public Schools continue to bleed money

Baltimore County Public Schools has spent $8.1 million so far in response to a Ryuk ransomware attack seven months ago.  A spreadsheet breaking down that amount was obtained via a Freedom of Information request, and it paints a picture of what it is like to deal with such incidents.  Some key takeaways are that $11,500 was spent on negotiations.  Of the $8.1 million, only $2 million was covered by insurance.

Legislative actions

The North Atlantic Treaty Organization (NATO) leaders who are meeting in Brussels this week have endorsed a new cyber defense policy.  The new policy will invoke Article 5 of the North Atlantic Treaty, which states that an attack on one member nation is an attack on all member nations.  The announcement, which in part stated “Reaffirming NATO’s defensive mandate, the Alliance is determined to employ the full range of capabilities at all times to actively deter, defend against, and counter the full spectrum of cyber threats, including those conducted as part of hybrid campaigns, in accordance with international law,” in effect added cyber to the list of warfare types.  It went on to state that a cyber attack might, in some cases, be considered the same as an armed attack.  This builds on Sunday's announcement by the Group of Seven (G-7) leaders that Russian President Vladimir Putin must hold groups accountable for attacks launched from Russia.

The communiqués

In a private meeting after the summits, President Biden laid out a new plan to President Putin that calls for the U.S. to respond to attacks against critical infrastructure with an appropriate "follow up."  When pressed by reporters on whether that included military action, Biden ignored the question.

The United States Senate bill to require breach notification for federal government and critical infrastructure entities is gaining more traction.  The bill would require notification by those entities within 24 hours of detection.  The agency that would collect the notifications is the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security.  The bill includes language that provides liability protections for companies that make notifications on time.

The United States Senate confirmed Chris Inglis as the first National Cyber Director by a voice vote.  This position was first proposed in 2010 and, after 11 years, is finally seeing the light of day in the midst of an escalating cyberwar.  The first challenge will be simply to get a handle on all of the federal government's cyber initiatives.  As part of that, he is pledging to work with private sector partners.  In my opinion, this is one of the key positions in any government as we move into the 21st century.

State and local government officials met with the U.S. Senate Homeland Security and Governmental Affairs Emerging Threats subcommittee to push for dedicated federal funding for cybersecurity initiatives.  The long-standing arguments center on the one-time funding model that current projects use.  All sides admit that we need to make changes, but as always, the issue becomes how to pay for it.

With the signing of House Bill 3746 into law, Texas joins California in requiring notification of data loss affecting its residents.  In addition to notifying residents, it requires notification of the Attorney General and directs the Attorney General to post the notifications on its website for 1 year.

Bill:

The United Kingdom has told the United Nations that it does not feel that member states should have to give prior notice before responding to cyber attacks with one of their own.  This is another indication that the cyber cold war is quickly becoming an active battle.  This letter was released prior to the G7 meeting and might be part of the reason that other nations have believed that the G7 and NATO are exploring tougher stances.  Many key figures in the British cyber economy are still not fully supporting cyber counterattacks, so it is unclear how much resolve the elected officials will have in signing off on escalation, but it does seem that there is more desire than ever.