2022 Week 8 and 9

 Summary

A lot of news from the last 2 weeks.  I am trying to be more timely with these summaries as the war in Ukraine is in progress.  Quite a bit of activity has been observed around SLTT and infrastructure targets.  

News

SLTT

The Cybersecurity and Infrastructure Security Agency (CISA) of the United States (U.S.) released a list of free cybersecurity tools and services for SLTTs that it pledges to keep updated.  The goal is to improve the overall cybersecurity posture of U.S. critical infrastructure sectors, so the list is also useful to organizations outside the SLTT arena.
Tool:

CISA also released a bulletin outlining the APT group MuddyWater and its attempts to target SLTT and critical infrastructure entities.  

The City of Baltimore, Maryland, USA was tricked out of about $375,000.  It appears to have been a vendor payment redirect attack, where someone gained access to a vendor's email account and requested that funds be redirected to a bank account controlled by the fraudster.  
Report:

Port of LA continues to make strides on its Cyber Resilience Center which was covered back in Week 5. Their partner is IBM and they are giving the various participants in the center access to the IBM X-Force threat intelligence stream.  This multi-year agreement is expected to be a substantial upgrade from their old manual system. It seems that IBM is using this as a testbed to create similar centers at other critical supply chain locations. 

Missouri has decided not to press charges against a reporter and a university researcher over their disclosure to the state that a misconfigured web server was exposing employee data.  The governor originally went on the record saying that those involved would be prosecuted to the fullest extent of the law, but now that it appears his own office was at fault, the state has decided not to move forward.
Criminal Incident Report:

DNA evidence from rape victims for the Oklahoma City Police Department (and potentially others) was exposed during a data breach at DNA Solutions Inc. in November 2021.  It is unknown how much data may have been accessed.  The company says it is working with federal law enforcement to investigate the breach.

Infrastructure General

The Conti gang has vowed to hack the infrastructure of any country that supports any nation that opposes Russia.  

ICS/OT/SCADA General

Broad attacks against Industrial Control Systems (ICS) are increasing and appear set to get worse.  A report by the Dragos group shows that over half of these are traceable to just 2 groups.

GE Digital has released patches for 2 vulnerabilities in its Proficy CIMPLICITY HMI/SCADA software.  These issues are CVE-2022-2391 which can allow privilege escalation and CVE-2022-21798 which covers credentials in cleartext.

Power

A group of men attempted to recruit juveniles to help disrupt the U.S. power grid by attacking electrical substations.  The plan was for coordinated attacks on substations using high-powered rifles.  The alleged motive was to create economic and civil hardship, which they felt would lead to a race war.  


Healthcare

Extend Fertility of New York City sent notice to patients that personal data may have been compromised during an attack discovered in December.  They are still not reporting (if they even know yet) the extent of the breach.

The U.S. National Institute of Standards and Technology (NIST) Cybersecurity Center of Excellence has released its guidance for telehealth.  The Securing Telehealth Remote Patient Monitoring Ecosystem guide (NIST SP 1800-30) seeks to help healthcare providers adopt best practices around videoconferencing and other emerging technologies that take healthcare remote.  
Guidance:

Aerospace

TA2541 has been attempting to deliver Remote Access Trojans (RATs) to aviation companies for years, according to a new report by Proofpoint.  This is in addition to the 2 well-documented attacks already attributed to TA2541 (Operation Layover and the RevengeRAT attack).  The articles below go over the tactics and techniques used by the threat actor(s).
Note: normally TA2541 would have a link to more information about the organization and/or a common name.  In this case, they have been good enough at evading intelligence that little is known about them, other than the consistency of their targets and the commercial tools they are using.  
Proofpoint report:


Legislative actions 

U.S. Senate Bill 3538 would require that companies decrypt all data and traffic on their servers to ensure, among other things, that there is no child pornography present.  I guess if you can't get traction making private encryption illegal for terrorism or national defense reasons you make it unusable because of child porn.

The Oklahoma House of Representatives has a bill (HB2969) in the works that seeks to protect people's privacy.  It would require certain businesses to disclose:
1.  How to exercise their privacy rights
2.  What personal information is collected
3.  The reason personal information is collected
4.  If information is disclosed and if so how
5.  If information is shared with service providers and if so what are the categories of those service providers 
6.  The retention policy for personal information

Jobs

The state of Oklahoma is hiring for a threat analyst.
