2021 Week 24 Security Roundup
Summary
Cybersecurity is getting a lot of attention because of the rash of high-profile attacks. This week brought more information about some of those attacks as well as new attacks against schools. We are also starting to get word of past attacks whose investigations have been completed or that have been declassified.
News
Colonial Pipeline Hack
Evidence is mounting that the United States government was behind the takedown of servers operated by the DarkSide ransomware group. The Federal Bureau of Investigation (FBI) announced that it had worked with Colonial Pipeline to recover about $2.3 million worth of bitcoin from the ransom payment. This marks the first such seizure by the newly created Department of Justice digital extortion task force (what? No acronym? Our federal partners are falling down on the game...). This is part of the reason, in my opinion, that several of the global ransomware groups are changing their rules to avoid critical infrastructure. In effect, we have had a detente in the cybercrime world in which nation-state-sponsored and/or protected threat actors avoided major government targets outside of active war zones. Only time will tell whether the escalation leads to more or less activity by these groups.
We also learned that the initial access came through an old, unused virtual private network (VPN) account whose password had been compromised. This underscores the old security adage that the bad guys only have to be right once. The password was found in a breach list circulating on the dark web, which indicates that it had been reused by a current or former employee on a service that was previously breached. The account was not protected by multi-factor authentication (MFA); requiring MFA on the VPN would very likely have blocked this entry point, as would routinely disabling dormant accounts.
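The three weaknesses in that story (a dormant account, no MFA, and a password already sitting in a breach list) are all things an identity team can check for before an attacker does. The script below is an example added to this post, not Colonial's or the FBI's material: it audits a constructed VPN account inventory against a constructed breach corpus, indexing the corpus by 5-character SHA-1 prefix the way the Have I Been Pwned range lookup does. The account records, the corpus, the audit date and the 90-day dormancy threshold are all assumptions for illustration.

```python
"""Audit a VPN account inventory for the three weaknesses behind the
Colonial Pipeline intrusion: dormant accounts, accounts without MFA, and
passwords that appear in a breach corpus.

Example code added to this post; it is not Colonial's or the FBI's
material. The account records, the breach corpus, the audit date and the
90-day dormancy threshold are constructed assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold
AUDIT_DATE = date(2021, 6, 11)       # assumed "today" for the sample run


@dataclass
class VpnAccount:
    username: str
    last_login: Optional[date]   # None means the account has never logged in
    mfa_enrolled: bool
    password_sha1: str           # upper-case hex SHA-1, as an audit would pull from the identity store


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the format breach lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(breached_passwords):
    """Index a breach list the way the Have I Been Pwned 'range' API does:
    5-hex-char SHA-1 prefix -> set of 35-char suffixes. In a real audit you
    would send only the prefix to the range endpoint (k-anonymity) or load a
    downloaded copy of the list; here the corpus is constructed inline."""
    index = {}
    for pw in breached_passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def password_is_breached(password_sha1: str, index) -> bool:
    """True if the full hash appears among the suffixes stored under its prefix."""
    return password_sha1[5:] in index.get(password_sha1[:5], set())


def audit_vpn_accounts(accounts, index, today: date):
    """Return {username: [issues]} for every account with at least one finding."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            issues.append("dormant")            # candidate for deprovisioning
        if not acct.mfa_enrolled:
            issues.append("no-mfa")             # the password alone gates network access
        if password_is_breached(acct.password_sha1, index):
            issues.append("breached-password")  # reused credential already in attacker hands
        if issues:
            findings[acct.username] = issues
    return findings


# Constructed sample data: a small breach corpus and three VPN accounts.
BREACH_CORPUS = build_breach_index(["Summer2020!", "password1", "letmein"])

SAMPLE_ACCOUNTS = [
    # Left over from a former contractor: dormant, no MFA, password already leaked.
    VpnAccount("contractor_old", date(2020, 12, 1), False, sha1_hex("Summer2020!")),
    # Healthy account: recent login, MFA enrolled, unique password.
    VpnAccount("engineer_a", date(2021, 6, 10), True, sha1_hex("x7#Qp!longUniquePassphrase")),
    # Active vendor account that still lacks MFA.
    VpnAccount("vendor_b", date(2021, 5, 1), False, sha1_hex("unique-not-in-corpus-42")),
]

if __name__ == "__main__":
    for user, issues in audit_vpn_accounts(SAMPLE_ACCOUNTS, BREACH_CORPUS, AUDIT_DATE).items():
        print(f"{user}: {', '.join(issues)}")
```

Running it on the sample data flags `contractor_old` for all three problems and `vendor_b` for missing MFA only. In a real environment the hashes come from the identity store and the corpus from the range API or an offline download; the point of the prefix index is that you never have to hand a full password hash to a third party to learn whether it is already public.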
A further bombshell was the CEO's admission that Colonial did not have a ransomware response plan or playbook in place at the time of the attack.
U.S. Energy secretary warns of Power Grid attacks
Following up on last week's letter asking companies to take ransomware attacks more seriously, Secretary Jennifer Granholm (and several elected officials) appeared on the Sunday news shows, including Jake Tapper's, to highlight the threat to America's energy distribution networks, including electricity and oil production and transportation. They pointed to the recent directive requiring critical infrastructure operators to report attacks on their systems as they are happening. Granholm also said she would back a law making it illegal to pay ransoms. Former Secretary of State Condoleezza Rice said that we should be pressuring Russia to shut down hacking groups operating within its borders, and that a failure to comply would be telling of Russia's support for these groups.
Nuclear facilities brought down
So... I normally would not have given this the time of day. But it comes from the former head of the Advanced Aerospace Threat Identification Program under Presidents Obama and Trump. In interviews with media outlets including the Washington Post, Luis Elizondo has said that, with the declassification of information leading up to the June release of a special report on so-called Unidentified Aerial Phenomena (UAP), he is able to disclose that some United States nuclear assets have been disabled by these UAPs. He said that he was also alarmed by reports that other countries have had idled nuclear devices or facilities remotely enabled in the presence of these objects. From a security standpoint, this may mean that a close look at drone no-fly zones and drone countermeasures is warranted for defense and civilian nuclear facilities going forward. He also stated that in his informed opinion these objects were not part of a TR-3B project (a purported anti-gravity surveillance aircraft rumored to be operated by the United States Air Force) or any other known U.S. military program. That leaves foreign or extraterrestrial craft. I will also submit that they could be the property of as yet unknown civilian or non-nation-state actors. It may also be worth noting that he may have been talking about a 2010 incident in which F.E. Warren Air Force Base near Cheyenne, Wyoming lost the ability to send and receive command and control messages with part of the U.S. fleet of Minuteman III missiles.
Several PLC and SCADA devices patched
Siemens, Schneider Electric, and Wago all announced patches for PLC or SCADA controllers this week. Considering how old some of the flaws are, I personally wonder how many are related to the CODESYS vulnerabilities (https://www.securityweek.com/serious-vulnerabilities-found-codesys-software-used-many-ics-products). CODESYS is a PLC development environment and runtime that dozens of industrial automation vendors build into their Industrial Control Systems (ICS) devices. After further investigation, it appears that CODESYS is part of the story, but Rockwell Automation is also affected through bugs in its AADvance and ISaGRAF components.
The list of affected products is too long to reproduce here, so I highly recommend checking the links below if you use any devices from any of the three companies.
New York City (NYC) Law Department breached
The NYC Law Department was breached, which led the city's Cyber Command to limit some access over the weekend. At this time they are not saying whether any data was exposed. This continues the trend discussed last week of threat actors targeting legal systems, which in turn affects ongoing and new criminal and civil proceedings in courts across the country.
Fastly outage
Early on Tuesday morning (6/8/2021) US time, large swaths of the internet went down. This was not an attack: Fastly's own post-incident summary says a valid customer configuration change triggered a latent software bug in its platform. Fastly is a content delivery network (CDN), essentially a geographically distributed cache (temporary storage) of the web's most popular content. The idea is that popular content that changes infrequently (less often than hourly, say) can be stored closer to the end user, speeding up delivery and reducing the load on transcontinental or transoceanic links. This outage should serve as a reminder of how fragile, and how concentrated, our worldwide communications networks are.
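The caching idea above has a security edge to it: an edge cache that decides freshness correctly is also the thing that keeps one user's personalized page from being handed to the next user. The block below is an example added to this post, not Fastly's code; it implements a simplified subset of the HTTP freshness rules (RFC 7234) that a shared cache applies, with constructed response headers. Real CDNs layer vendor-specific overrides on top of this, which are not modelled here.

```python
"""How a shared (CDN edge) cache decides whether to serve a stored copy.

Example code added to this post; it is not Fastly's code. It implements a
simplified subset of the HTTP freshness rules (RFC 7234), using
constructed response headers; real CDNs add vendor-specific overrides.
"""


def parse_cache_control(value: str) -> dict:
    """Parse 'public, max-age=3600' into {'public': None, 'max-age': '3600'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip()] = arg.strip().strip('"') if arg else None
    return directives


def shared_cache_decision(headers: dict, current_age: int) -> str:
    """Decide what an edge cache does with an origin response.

    headers:     response headers as {name: value}; names are matched
                 case-insensitively
    current_age: seconds since the origin generated the response (the Age
                 header plus time already spent in this cache)

    Returns 'do-not-store', 'serve-from-cache' or 'revalidate'.
    """
    raw = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    cc = parse_cache_control(raw)

    # A shared cache must never keep 'private' or 'no-store' responses:
    # these are the per-user pages that leak between users when a CDN
    # caches them by mistake.
    if "no-store" in cc or "private" in cc:
        return "do-not-store"

    # 'no-cache' allows storing but forbids reuse without revalidation.
    if "no-cache" in cc:
        return "revalidate"

    # Shared caches honour s-maxage over max-age.
    lifetime = cc.get("s-maxage", cc.get("max-age"))
    if lifetime is None or not lifetime.isdigit():
        return "revalidate"  # no explicit freshness: ask the origin

    if int(lifetime) > current_age:
        return "serve-from-cache"
    return "revalidate"  # stale: check with the origin before reusing


if __name__ == "__main__":
    # Constructed responses, as an origin might send them.
    samples = [
        ({"Cache-Control": "public, max-age=3600"}, 600),
        ({"Cache-Control": "public, max-age=3600"}, 3600),
        ({"Cache-Control": "private, max-age=3600"}, 0),
        ({"Cache-Control": "s-maxage=60, max-age=0"}, 30),
        ({"Content-Type": "text/html"}, 0),
    ]
    for hdrs, age in samples:
        print(hdrs.get("Cache-Control", "(none)"), age, "->", shared_cache_decision(hdrs, age))
```

The `s-maxage` case is the one operators most often get wrong: a response with `max-age=0, s-maxage=60` is stale for the browser immediately but fresh at the edge for a minute, which is exactly the split a CDN customer uses to keep origin load down. The `private` check is the one to test first on any page that contains session-specific data.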
New South Wales (NSW) Health data breach
One of the stories I was not able to add due to the Blogger issue was the breach of Accellion back in December, and now another round of fallout from the attacks that used zero-days in the now discontinued File Transfer Appliance (FTA). Accellion provides file transfer and data handling services (among others) to information technology departments in all kinds of organizations worldwide, including many SLTTs (state, local, tribal, and territorial governments). NSW Health confirmed that some of its records were exposed and that it is investigating whether any other government agencies were affected.
Fedena zero-days
This abandoned open-source school and university management platform has several significant flaws that attackers can use to gain information about users and students. The software is no longer supported, so it is doubtful that fixes will be created any time soon, if ever. One research group found about 30 internet-facing instances of the software, but at one time as many as 40,000 institutions were using it. Anyone still on this platform should migrate to another system, preferably one that is fully maintained.
Des Moines Area Community College (DMACC) closed due to a cybersecurity incident
DMACC was forced to shut down parts of its network, which in turn caused the cancellation of some classes. The shutdown affected the Blackboard learning management system, email, and phones. The school said it has no reason to believe any student information was breached.
Kent schools breached
Officials with Skinners' Kent Academy and Skinners' Kent Primary School announced that their data was encrypted by threat actors. The school officials said they do not believe employee or student data was removed or exposed, but admitted they have no evidence either way. Since they had no access to their data, including emergency contact information, they decided to close the schools.
Russian-linked hackers breach Dutch police systems
A couple of things struck me about this news release. First, the Dutch knew the threat actors were operating under the direction of the Russian intelligence services because the AIVD (the Dutch intelligence service) had previously hacked the attackers' own Russian systems. Second, it took an AIVD investigation to find the intrusion, because there was no breach detection in place at the police academy where the breach occurred.
The Cyber Safety Review Board (CSRB) is taking shape
One of the provisions of President Biden's cybersecurity executive order (EO) was the creation of a CSRB modeled after the National Transportation Safety Board (NTSB), which investigates transportation incidents. Quoting from the EO, the purpose of the board is to "[...] review and assess, with respect to significant cyber incidents […] affecting Federal Civilian Executive Branch Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses." Much like NTSB investigations, the board will be convened ad hoc at the direction of the President, the Secretary of Homeland Security, or whenever a Cyber Unified Coordination Group is triggered. Under the EO, it is chartered to investigate incidents affecting federal civilian executive branch and non-federal systems. After its first review, the board is to reevaluate its makeup to ensure it has the right mix of government and civilian experts.
Legislative actions
Federal
United States Senate Majority Leader Chuck Schumer is tasking the Homeland Security Committee with examining whether new laws could help curb cybersecurity issues. He pointed to attacks against transportation systems, the Colonial Pipeline, and other newsmakers. He also said he is seeking a $500 million funding increase for the Cybersecurity and Infrastructure Security Agency (CISA) to assist in response operations.