nGuard


russia

TWiC | Fortinet PoC, US Airport Sites Go Offline, CISA Warns of Industrial Appliance Flaws, & Windows 11 Phishing Protection

Over the past few weeks there have been several hot topics and time-sensitive advisories released. In this edition of This Week in Cybersecurity, nGuard will highlight the Fortinet proof-of-concept (PoC) that was released; Russian-speaking hackers taking down US airport websites; Windows 11 offering automatic phishing protection; and CISA warning of critical flaws in some industrial appliances.

Fortinet PoC Released
Proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager. Successful exploitation of the flaw, tracked as CVE-2022-40684, is tantamount to granting complete access “to do just about anything” on the affected system. Fortinet issued an advisory urging customers to upgrade affected appliances to the latest version as soon as possible, and CISA added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog. As of October 13, 2022, 12 unique IP addresses have been responsible for most of the weaponization of CVE-2022-40684. A majority of them are located in Germany, followed by the U.S., Brazil, China and France. nGuard covered this in more detail in a Security Advisory last week. Conducting ongoing penetration testing and vulnerability management can alert you to these types of vulnerabilities being present in your environment.

US Airport Sites Taken Down by Russian-Speaking Attackers
On Monday, October 10th, more than a dozen public-facing airport websites, including those for some of the nation’s largest airports, appeared inaccessible, and Russian-speaking hackers claimed responsibility. The attack was carried out by a group known as Killnet, who support the Kremlin but are not thought to be government hackers. Killnet favors a type of attack known as a distributed denial of service (DDoS). Two of the sites affected by this attack were the websites of Atlanta’s Hartsfield-Jackson International Airport and the Los Angeles International Airport. Fortunately, there did not seem to be an impact on air travel itself, but the outages may have inconvenienced travelers who tried to access those sites during that time.

Windows 11 Offers Automatic Phishing Protection
Enhanced phishing protection now comes prebuilt into the Windows 11 operating system. This protection can automatically detect when users type their password into any app or site that is known to be dangerous. Admins can know exactly when a password has been stolen and can be equipped to better protect against such attacks. According to Microsoft, “When Windows 11 protects against one phishing attack, that threat intelligence cascades to protect other Windows users interacting with other apps and sites that are experiencing the same attack.” A blocking dialog warning is displayed prompting users to change their password if they type it into a phishing site in any Chromium browser or into an application connecting to a phishing site. If users try to store their password locally, like in Notepad or in any Microsoft 365 app, Windows 11 warns them that this is an unsafe practice and urges them to delete it from the file. To help train and test your employees on their security awareness, nGuard offers custom, tailored Security Awareness Training and social engineering.

CISA Publishes Two Advisories Regarding Industrial Appliances
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published two Industrial Control Systems advisories pertaining to severe flaws in Advantech R-SeeNet and Hitachi Energy APM Edge appliances. The issues, which affect R-SeeNet versions 2.4.17 and prior, are:

  • CVE-2022-3385 and CVE-2022-3386 (CVSS scores: 9.8) – Two stack-based buffer overflow flaws that could lead to remote code execution
  • CVE-2022-3387 (CVSS score: 6.5) – A path traversal flaw that could enable a remote attacker to delete arbitrary PDF files

Patches have been made available in R-SeeNet version 2.4.21, released on September 30, 2022.

These alerts come less than a week after CISA published 25 ICS advisories on October 13, 2022, spanning several vulnerabilities across devices from Siemens, Hitachi Energy, and Mitsubishi Electric.

nGuard has a wide array of experience assessing critical infrastructure, SCADA, and Industrial Control Systems (ICS) and can help you secure yours. Conducting annual penetration testing, having a proper Incident Response Plan, and ensuring you have the proper logging, alerting, and correlation can help you stay ahead of the attackers.

Filed Under: Advisory, Breach, Compliance, Events, Financial, General, Products & Services, Vulnerabilities & Exploits Tagged With: auth, bypass, CISA, critical infrastructure, fort, fortigate, fortinet, Hacking, ICS, malware, Multi-Factor Authentication, Penetration Testing, russia, security awareness training, social engineering, urgent, US Airports, vuln, windows, windows 11, zeroday

FBI Secretly Removing Malware

Late last week, Attorney General Merrick Garland announced that the FBI was removing malware from computer systems around the world in an attempt to thwart Russian cyber-attacks. In March, the White House warned that Russia could be targeting critical infrastructure in the United States. The malware that is being removed from systems by the FBI is reported to allow an arm of the Russian military called the GRU to take over machines and create botnets for DDoS attacks. The GRU is Russia’s largest foreign intelligence agency responsible for handling multiple forms of military intelligence.

The Justice Department says that this strain of malware is designed to compromise externally facing firewalls and loop them into a botnet called Cyclops Blink. The botnet is controlled by a notorious group called Sandworm that has been known to work with the GRU. The DOJ warned owners of infected devices that their machines were part of this Cyclops Blink botnet, but decided that it was not worth the wait and took it upon themselves to remove the malware from infected devices.

Through secret court orders, the Justice Department and FBI were able to quietly remove this malware from infected devices across the globe. After removing the malware, the FBI also closed the management port that was being used as the attack vector. The Biden administration has been ramping up its cyber security operations since the outbreak of war in Ukraine. While Ukraine has been the number 1 target of cyber attacks over the last couple of months, authorities warn that critical infrastructure organizations in the United States could be next.

Performing external penetration testing and having a formal external vulnerability management program can help to thwart attacks like this. By identifying these vulnerabilities and patching them before adversaries get their hands on them, you can protect your externally facing machines from becoming a part of a worldwide botnet.

Filed Under: Advisory, Breach, Compliance, Events, Financial, General, Products & Services, Vulnerabilities & Exploits Tagged With: blink, cyclops, doj, fbi, Hacking, malware, Penetration Testing, russia, secret

DHS Warns Russian Cyber Attacks Are Likely

Threats Are on The Rise
As tensions rise on the border separating Russia and its southwestern neighbor Ukraine, threats of cyber attacks have the Western world on edge. There have been nearly 500 documented cyber-attacks impacting the geopolitical landscape around the globe since 2009, with approximately 30% originating from Russia or China. History shows us that Russia has found success in launching cyber attacks against nations it feels “threaten their long-term national security.” On January 23rd, 2022, the Department of Homeland Security (DHS) released a memo stating “Russia maintains a range of offensive cyber tools that it could employ against US networks—from low-level denials-of-service to destructive attacks targeting critical infrastructure.”

History of Conflict
Since the 2014 annexation of Crimea by the Russian Federation, cyberattacks have been a recurring militaristic theme in this conflict. In December 2015, Russian hackers exploited vulnerabilities in three Ukrainian energy distribution companies, disrupting the electricity supply for over 230,000 Ukrainians. The complex cyberattacks followed a similar exploit path that we see utilized by adversaries to this day. Social engineering campaigns were followed by the seizing of Supervisory Control And Data Acquisition (SCADA) systems, resulting in denial of service attacks on call centers, the destruction and encryption of critical file servers, and the disablement of OT infrastructure components.

Current Conflict
In 2022, it seems that the Kremlin is more than ready to use the same cyber tactics that led to the successful annexation of Crimea in 2014. On January 15th, 2022, Microsoft reported that dozens of Ukrainian government agencies had fallen victim to a website defacement attack. The message on the affected websites read “be afraid and expect the worst.”

Russia is suspected of using similar tactics to launch “false-flag” operations that are intended to stir up domestic tension in Ukraine and/or cast blame on Ukraine for the conflict. U.S. and international information security teams are ramping up preparations for any possible scenario as diplomatic negotiations continue.

Preventative Measures
The continued discovery of critical vulnerabilities that affect internet-facing systems (see Log4j) requires organizations to conduct ongoing vulnerability scanning and penetration testing to ensure attackers can’t gain a foothold on internal networks. By incorporating internal security awareness training and table-top exercises, standard employees and information security teams can be prepared for any scenario. As a leading provider of cyber security services, nGuard is ready to discuss your organization’s needs and help implement protective measures.

Filed Under: Advisory, Breach, Events, General, Vulnerabilities & Exploits Tagged With: attacks, dhs, ir, pentesting, russia, scada

© 2023 nGuard. All rights reserved.