- The global effect of the Colonial Pipeline ransomware incident.
- Ethiopia alleges an "international" cyberattack against a Nile dam.
- New loader identified in wiper campaigns.
- DDoS hits Port of London Authority.
- Bluetooth vulnerabilities demonstrated in proof-of-concept.
- CISA and its partners issue guidelines for evaluating 5G implementation.
- Hacking back in defense of critical infrastructure.
The Colonial Pipeline ransomware incident, one year later.
As the Australian publication ARN points out, the implications of the Colonial Pipeline ransomware incident are still being sifted for lessons to be learned. One of the biggest lessons is that security operations centers (SOCs) were paying insufficient attention to OT networks. The incident also showed the importance of segmentation in keeping an attack that develops in an IT network from pivoting into control systems. Authorities in the US, the UK, and the EU have responded to the ransomware attack with more realistic drills, increased regulatory scrutiny, and serious attempts to improve threat and vulnerability intelligence.
Claim: "international" cyberattack against Nile dam stopped.
Ethiopia says it stopped cyberattacks on its Nile dam and some financial institutions, the Addis Standard reports. Al-Monitor says that Egypt's government has not officially responded to Ethiopian accusations that it's behind any such cyberattacks. The Grand Ethiopian Renaissance Dam (GERD) and the Nile water rights it affects have been a point of contention between the two countries.
New loader identified in wiper campaigns.
The GRU's Sandworm group has deployed a new version of its ArguePatch loader, ESET reports. ArguePatch had seen previous use in both Industroyer and CaddyWiper attacks against Ukrainian targets. "The new variant of ArguePatch – named so by the Computer Emergency Response Team of Ukraine (CERT-UA) and detected by ESET products as Win32/Agent.AEGY – now includes a feature to execute the next stage of an attack at a specified time. This bypasses the need for setting up a scheduled task in Windows and is likely intended to help the attackers stay under the radar."
Politically motivated DDoS attack on Port of London Authority website.
An Iranian group has claimed responsibility for a distributed denial-of-service (DDoS) attack that interfered with the Port of London Authority's website. The Authority acknowledged the incident but said that operational systems were unaffected. The group that said it was behind the attack, the ALtahrea Team, is a nominally hacktivist group, HackRead says, that operates under the direction of the Iranian government.
Bluetooth vulnerabilities demonstrated in proof-of-concept.
NCC Group researchers have demonstrated that Bluetooth Low Energy (BLE) systems are vulnerable to a link-layer relay attack. NCC Group explains that BLE is "the standard protocol used for sharing data between devices that has been adopted by companies for proximity authentication to unlock millions of vehicles, residential smart locks, commercial building access control systems, smartphones, smart watches, laptops and more." It's not the kind of problem that can be resolved with a patch. Rather, NCC Group argues, it's the kind of issue that arises when technologies are extended beyond their intended purposes, and BLE, they say, was never designed for use in industrial infrastructure. The researchers offer three recommendations, two for manufacturers, one for users:
- "Manufacturers can reduce risk by disabling proximity key functionality when the user’s phone or key fob has been stationary for a while (based on the accelerometer)
- "System makers should give customers the option of providing a second factor for authentication, or user presence attestation (e.g., tap an unlock button in an app on the phone)
- "Users of affected products should disable passive unlock functionality that does not require explicit user approval, or disable Bluetooth on mobile devices when it’s not needed"
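The three recommendations above amount to a decision policy on the lock side: honor a passive proximity unlock only while the key has recently moved, otherwise fall back to an explicit user-presence check, and respect the user's choice to turn passive unlock or Bluetooth off. The following is an added example of such a policy written for this roundup; it is not NCC Group's code and not taken from any vendor. The 120-second stationary timeout, the `Decision` names and the scenario labels are assumptions chosen for illustration.

```python
"""Proximity-unlock policy that implements the three mitigations above.

Added example (not NCC Group's code). A relay attack works by extending the
radio link, so the lock cannot rely on RSSI or timing alone; instead this
policy refuses a *passive* unlock unless the key has moved recently, and
otherwise asks the user for explicit presence attestation (a tap in the app).
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                        # unlock without further interaction
    REQUIRE_PRESENCE = "require_presence"  # prompt for a tap / second factor
    DENY = "deny"                          # no Bluetooth path available


@dataclass
class UnlockPolicy:
    # Assumed value: the page gives no concrete timeout. Manufacturer-side
    # mitigation 1: disable proximity unlock once the key has been stationary.
    stationary_timeout_s: float = 120.0
    # User-side mitigation 3: passive (no-approval) unlock can be switched off.
    passive_unlock_enabled: bool = True
    # Manufacturer-side mitigation 2: always demand a second factor.
    require_presence_always: bool = False


@dataclass
class KeyState:
    """What the phone / key fob reports about itself."""
    last_motion_ts: float          # timestamp of last accelerometer motion event
    bluetooth_enabled: bool = True  # user-side mitigation 3: Bluetooth off


def seconds_stationary(key: KeyState, now: float) -> float:
    """How long the key has been motionless, per its accelerometer."""
    return max(0.0, now - key.last_motion_ts)


def evaluate_unlock(policy: UnlockPolicy, key: KeyState, now: float,
                    user_presence_confirmed: bool = False) -> Decision:
    """Decide whether a proximity unlock request should be honored.

    `user_presence_confirmed` is True only when the user has just tapped the
    unlock button in the app; a relayed link cannot forge that interaction
    because the attestation originates on the phone, not on the BLE link.
    """
    if not key.bluetooth_enabled:
        return Decision.DENY
    if user_presence_confirmed:
        return Decision.ALLOW
    if not policy.passive_unlock_enabled or policy.require_presence_always:
        return Decision.REQUIRE_PRESENCE
    if seconds_stationary(key, now) >= policy.stationary_timeout_s:
        # Key has sat still too long (e.g. on the kitchen table): a relayed
        # signal from it must not open the door without the owner's tap.
        return Decision.REQUIRE_PRESENCE
    return Decision.ALLOW


def simulate_scenarios() -> dict:
    """Constructed scenarios showing how each mitigation changes the outcome."""
    now = 1_000.0
    default = UnlockPolicy()
    return {
        # Owner walking up to the car: key moved 5 s ago.
        "owner_walking_up": evaluate_unlock(default, KeyState(now - 5), now),
        # Key left stationary on a table for 10 minutes, unlock request arrives.
        "key_on_table_10min": evaluate_unlock(default, KeyState(now - 600), now),
        # Same stationary key, but the owner tapped the app button.
        "key_on_table_user_tapped": evaluate_unlock(
            default, KeyState(now - 600), now, user_presence_confirmed=True),
        # User disabled passive unlock in settings; key is moving.
        "passive_disabled": evaluate_unlock(
            UnlockPolicy(passive_unlock_enabled=False), KeyState(now - 5), now),
        # User turned Bluetooth off on the phone.
        "bluetooth_off": evaluate_unlock(
            default, KeyState(now - 5, bluetooth_enabled=False), now),
    }


if __name__ == "__main__":
    for name, decision in simulate_scenarios().items():
        print(f"{name:28s} -> {decision.value}")
```

The key design point is where the presence attestation comes from: it is a local user action on the phone, not a property of the radio link, so lengthening the link with a relay does not help an attacker satisfy it. The stationary check is weaker on its own (a key in a walking owner's pocket is always "moving"), which is why the policy treats it as a fallback rather than the only control.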
CISA and its partners issue guidelines for evaluating 5G implementation.
5G technology isn't simply the latest IT standard for smart phones, but will find its uses, as NSA and others have pointed out, wherever devices are connected, as they are in OT networks. CISA and its partners in the Department of Homeland Security’s Science and Technology Directorate and the Office of the Under Secretary of Defense for Research and Engineering have released version 1 of the 5G Security Evaluation Process Investigation.
It outlines a five-step process organizations should follow as they implement 5G. “Step 1 calls for a use case definition to identify 5G subsystems that are part of the system, component configurations, applications, and interfaces involved in the operation of the system.” In Step 2, agencies should define “the boundary to identify the technologies and systems requiring assessment and authorization (A&A), taking into consideration the ownership and deployment of the products and services that comprise the use case.” The third step, after determining the scope of the assessment, is to perform a threat analysis of each 5G subsystem with a view to mitigating the risks associated with it. At Step 4, an agency should consult relevant Federal security guidelines and “create a catalog” of that guidance. And, finally, in the fifth step, the agency applies the guidelines, identifies any gaps in security guidance, and looks for ways to address them.
It seems a common-sense approach, with an appropriately bureaucratic bent, but CISA hopes that it will provide an approach that’s both “uniform and flexible.” CISA invites feedback, and the deadline for comment is June 27th.
Hacking back in defense of critical infrastructure.
UK Attorney General Suella Braverman declared that the country reserved the right to conduct cyber counterattacks when “key services” are targeted by nation-state adversaries, thereby officially extending the right of retaliation under international law to the digital world. (A note: in military doctrine, unlike journalistic usage, a "counterattack" is a defensive operation.)
Traditionally there has been an unofficial global agreement that military force will not be used to defend against digital attacks or espionage, especially since attribution is difficult. However, recent attacks on critical infrastructure and government networks have put that unspoken understanding to the test. In her remarks, Braverman cited recent incidents like the July 2021 Microsoft Exchange breaches and the SolarWinds attack, and she named four sectors as particularly vulnerable: energy security, essential medical care, the supply chain, and democratic processes. CPO Magazine notes that while none of these areas have been directly targeted by nation-states (aside from Russia’s attacks on Ukraine), they have increasingly fallen victim to ransomware operations, and North Korean advanced threat groups have been observed using such attacks to fund the government.