scada

TWiC | This Week in Cybersecurity

Over the past week there have been many hot topics in cybersecurity. This edition of This Week in Cybersecurity includes stories covering Microsoft rolling back their decision to not block Office macros by default, phishing campaigns successfully bypassing multi-factor authentication (MFA), a former CIA engineer responsible for the “Vault 7 Leaks” was convicted, hackers targeting industrial control systems, and much more. Check out the details below.

Microsoft Rolls Back Decision To Block Office Macros By Default

While Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond said that it will roll back this change based on “Feedback” until further notice. Microsoft’s customers were the first to notice that Microsoft rolled back this change in the Current Channel, with the old ‘Enable Editing’ or ‘Enable Content’ buttons shown at the top of downloaded Office documents with embedded macros. While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros.
Large-Scale Phishing Campaign Bypasses MFA

Attackers are getting wise to organizations’ increasing use of MFA to better secure user accounts and creating more sophisticated phishing attacks like these that can bypass it, noted a security professional. “While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie – and because the session cookie shows that MFA was already used to login – the attackers can often circumvent the need for MFA when they login to the account again later using the stolen password,” observed Erich Kron from KnowB4. This attack is especially convenient for threat actors because it precludes the need for them to craft their own phishing sites such as the ones used in conventional phishing campaigns, researchers noted. In the phishing campaign observed by Microsoft researchers, attackers initiate contact with potential victims by sending emails with an HTML file attachment to multiple recipients in different organizations. One of nGuard’s most common assessments is Social Engineering. During these assessments our engineers come across applications that require MFA and attempt to bypass the requirement using these techniques and others like MFA Prompt Bombing.
Jury convicts ex-CIA engineer for leaking the agency’s “Vault7” hacking toolset

Joshua Schulte, the former CIA engineer arrested for what’s being called the biggest theft of classified information in the agency’s history, has been convicted by a federal jury. Schulte was arrested in relation to the large cache of documents that Wikileaks had published throughout 2017. That string of CIA leaks known as “Vault 7” contained information on the tools and techniques the agency used to hack into iPhones and Android phones for overseas spying. It also had details on how the CIA broke into computers and how it turned smart TVs into listening devices. A federal jury has found Schulte guilty on nine counts, including illegally gathering national defense information and then transmitting it. As part of his closing arguments, he told the jurors that the CIA and the FBI made him a scapegoat for their embarrassing failure, repeating what his side had been saying from the time he was arrested.
State-backed hackers targeted US-based journalists in widespread spy campaigns

State-sponsored hackers from China, North Korea, Iran and Turkey have been regularly spying on and impersonating journalists from various media outlets in an effort to infiltrate their networks and gain access to sensitive information, according to a report released by cybersecurity firm Proofpoint. In one of the operations, the report found that since early 2021, Chinese-backed hackers engaged in numerous phishing attacks mainly targeting U.S.-based journalists covering U.S. politics and national security. The researchers concluded their report with a warning to journalists to protect themselves and their sources because these types of attacks are likely to persist as state-sponsored hackers attempt to gather more sensitive information and manipulate public perception.
Hackers are targeting industrial systems with new strain of malware

People hawking password-cracking software are targeting the hardware used in industrial-control facilities with malicious code that makes their systems part of a botnet, a researcher reported. Lost passwords happen in many organizations. A programmable logic controller — used to automate processes inside factories, electric plants, and other industrial settings, for example, may be set up and largely forgotten over the following years. When a replacement engineer later identifies a problem affecting the PLC, they may discover the now long-gone original engineer never left the passcode behind before departing the company. An entire ecosystem of malware attempts can capitalize on scenarios like this one inside industrial facilities. Online advertisements promote password crackers for PLCs and human-machine interfaces, which are the workhorses inside these environments. nGuard has a wide range of experience securing Critical Infrastructure, SCADA systems, and Industrial Controls Systems for the manufacturing industry. Our penetration testing and compliance assessments can give you the confidence in the security posture of these environments.

Water Utilities Are Critical Infrastructure

Target: Water Utilities
Water Utilities play a critical role in our society. They provide fresh, potable water to residents, businesses and industry as well as manage the wastewater from them. As with other utilities and critical infrastructure, they are increasingly a target for hackers, terrorists, and hostile nation states. A successful hack can contaminate the fresh water supply, impair availability or cause an environmental disaster. It’s a direct risk to the health of the local population and supply chains which depend on readily available fresh water and wastewater management.

Becoming a Hard Target
Managing the risks isn’t trivial, but it’s not rocket science either –the science of cyber security has greatly matured over the past 20 years. The following 5 steps are key to a water utility becoming a hard target that is resistant to cyberattacks. Assess your overall cyber security program. Test your organization’s current readiness to cyber attacks on an annual basis by assessing both your external perimeter and your internal networks. Make sure you include both the IT and the OT (SCADA) sides of the house. Perform ongoing vulnerability management throughout the year. Make sure you have someone watching for suspicious security events. Lastly, make sure you have a Cyber Security Incident Response (CSIR) program in place. Because a cyber security incident is a question of when, not if, you must have a plan in place before it happens.

Strength In Numbers
Recognizing the critical importance of the water supply, leading water associations in the U.S., along with the U.S. federal government, have become increasingly organized in the defense of this essential infrastructure. A key part of this organization has been the formation of the Water Information Sharing and Analysis Center (WaterISAC). Authorized by the United States’ 2002 Bioterrorism Act, the WaterISAC is the key security information source for all threats impacting water and wastewater systems. In support of their mission, they have developed the 15 Cybersecurity Fundamentals for Water & Wastewater Utilities. As part of their ongoing education and outreach, WaterISAC recently invited nGuard to speak about some of these key cybersecurity concepts at an association meeting. You can watch this webinar below.

DHS Warns Russian Cyber Attacks Are Likely

Threats Are on The Rise
As tensions rise on the border separating Russia and its south-west neighbor Ukraine, threats of cyber attacks have the Western World on edge. There have been nearly 500 documented cyber-attacks impacting the geopolitical landscape around the globe since 2009, with approximately 30% originating from Russia or China. History shows us that Russia has found success in launching cyber attacks against nations it feels “threaten their long-term national security.” On January 23^rd, 2022, the Department of Homeland Security (DHS) released a memo stating “Russia maintains a range of offensive cyber tools that it could employ against US networks—from low-level denials-of-service to destructive attacks targeting critical infrastructure.”

History of Conflict
Since the 2014 annexation of Crimea by the Russian Federation, cyberattacks have been a recurring militaristic theme in this conflict. In December 2015, Russian hackers exploited vulnerabilities in three Ukrainian energy distribution companies, disrupting the electricity supply for over 230,000 Ukrainians. The complex cyberattacks followed a similar exploit path that we see utilized by adversaries to this day. Social engineering campaigns were followed by the seizing of Supervisory Control And Data Acquisition (SCADA) systems, resulting in denial of service attacks on call centers, the destruction and encryption of critical file servers, and the disablement of OT infrastructure components.

Current Conflict
In 2022, it seems that the Kremlin is more than ready to use the same cyber tactics that led to the successful annexation of Crimea in 2014. On January 15^th, 2022 Microsoft reported that dozens of Ukrainian government agencies had fallen victim to a website defacement attack. The message on the affected websites read “be afraid and expect the worst.”

Russia is suspected of using similar tactics to launch “false-flag” operations that are intended to stir up domestic tension in Ukraine and/or cast blame on Ukraine for the conflict. U.S. and international information security teams are ramping up preparations for any possible scenario as diplomatic negotiations continue.

Preventative Measures
The continued discovery of critical vulnerabilities that affect internet-facing systems (see Log4j) requires organizations to conduct ongoing vulnerability scanning and penetration testing to ensure attackers can’t gain a foothold on internal networks. By incorporating internal security awareness training and table-top exercises, standard employees and information security teams can be prepared for any scenario. As a leading provider of cyber security services, nGuard is ready to discuss your organization’s needs and help implement protective measures.