At a glance.
- More deniable DDoS attacks strike countries friendly to Ukraine.
- Assessing Russian intentions and capabilities against ICS in its hybrid war.
- Predatory Sparrow's assault on Iran's steel industry.
- Log4j is now considered “endemic.”
- Operational technology and the criminal-to-criminal market.
- TSA issues revised pipeline cybersecurity guidelines.
- MOXA issues patches for two vulnerabilities.
- ICS security advisories.
More deniable DDoS attacks strike countries friendly to Ukraine.
Lithuania's state energy provider, Ignitis Group, sustained a large distributed denial-of-service (DDoS) attack in mid-July, LRT reports. The attacks had been intermittent over more than a week, peaking on Saturday, July 9th, 2022. Ignitis said that it has now overcome the attacks, and that its control systems were not affected. Tech Monitor says that Killnet claimed responsibility for the operation. Lithuania, like the other Baltic states, has strongly supported Ukraine during Russia's war. It has recently stopped imports of Russian natural gas, and, just this morning, imposed further restrictions on Russian shipments to its discontinuous Kaliningrad territory.
Killnet also claimed responsibility for a DDoS attack against a website operated by the US Congress, which experienced brief interruptions of public access between 9:00 and 11:00 AM Thursday. CyberScoop quotes the group's crowing over Telegram: "They have money for weapons for the whole world, but not for their own defense.”
The degree of control Russian intelligence services exercise over Killnet remains unclear, but the group makes no secret of its determination to support Russia in its war against Ukraine. Wired has a brief overview of the group's activities, which have affected targets in Lithuania, Italy, the United States, Romania, and Norway. Killnet has "declared war" against these and other states who've been too sympathetic to Ukraine. For all of its online posturing, Killnet's activities haven't so far risen above a nuisance level. Flashpoint offers a suitably tepid appraisal of the group's work. "While Killnet’s threats are often grandiose and ambitious, the tangible effects of their recent DDoS attacks have so far appeared to be negligible."
Assessing Russian intentions and capabilities against ICS in its hybrid war.
Western intelligence services continue to look for an explanation of why Russian cyberattacks in support of its war against Ukraine have so far fallen short of the devastating potential widely expected as the special military operation began. They’ve occurred, and some of them, notably some wiper malware deployed in the opening days of the Russian invasion, have been destructive in their effects. But on the whole, again, the cyber operations have seldom risen above a nuisance level.
That Russia has been capable of more was shown in its earlier attacks against sections of Ukraine’s power grid in 2015 and 2016. Yet during the current war the lights have stayed on, and indeed Russian attacks against Ukraine’s grid have been conducted by cannon fire or missile strike rather than by cyber means.
Deputy National Security Adviser for Cyber Anne Neuberger reviewed the bidding on July 20th at the Aspen Security Forum. Defense News quotes her as saying, “With regard to the Russian use of cyber and our takeaways, there are any number of theories for what we saw and what, frankly, we didn’t see. Some argue for the deterrence the U.S. has put in place,” and in this she was alluding to the discussion between Presidents Biden and Putin after the Colonial Pipeline ransomware attack. “Some argue that it was the result of the extensive cybersecurity preparations Ukraine did, supported by allies and partners. And some argue that we don’t quite know.”
Ukraine thinks defensive preparations made a contribution to blunting Russian cyberattacks. Illya Vityuk, head of the cybersecurity department of the Ukrainian State Security Service, pointed to the weeks of preparatory Russian cyberattacks before the actual invasion. “For us it was like a full dress rehearsal,” he said, as reported by CyberScoop. The Ukrainian services had an opportunity to assess the enemy's capabilities and to address their own vulnerabilities in advance of the onset of war, and he says they were able to make good use of the opportunity.
But there’s no clear single explanation for why Russia’s cyber operations against industrial control systems have in general failed to materialize.
Predatory Sparrow's assault on Iran's steel industry.
The BBC reports that Predatory Sparrow, a nominally hacktivist group opposed to Iran's regime, which claimed to have disrupted operations at Iran's Mobarakeh Steel Company on June 27th, posted video of fires at the facility it claims were caused by its cyberattack. Mobarakeh Steel has minimized the effects of the attack, saying that its operations were not disrupted. CyberScoop reports that Predatory Sparrow has also dumped a set of documents it calls "top secret" and which it claims were taken from the Iranian facilities during the cyberattack. Those claims, as well as the authenticity of the documents themselves, remain unverified.
Given the long-running tension between Iran and Israel, there's been widespread speculation in the Israeli press that Predatory Sparrow, which presents itself as an Iranian dissident group, is operating in the interest of Israeli intelligence services. The Israeli government has begun an investigation into the source of the stories, which may or may not have derived from leaks.
Log4j is now considered “endemic.”
The US Department of Homeland Security's Cyber Safety Review Board (CSRB) has decided that the Apache Log4j vulnerability, disclosed this past December and exploited by various actors since then, will be with us for the foreseeable future. It can be expected to remain “a significant risk” to the software supply chain for at least another ten years. Maybe longer.
This endemic risk presents organizations with at least two challenges, one close and local, the other broad and general. Dark Reading observes that the first of these challenges is one of visibility: organizations need to know what’s in the software they use (and that goes for OT as well as IT systems), whether it’s susceptible to exploitation of Log4j, and what mitigations they can undertake to manage their risk. The second challenge lies in the open source software supply chain itself: open source software probably requires more attention and more resources than it has too often received. What struck FedScoop about the report were its findings that most of the organizations surveyed lacked software inventories and software bills of materials.
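As an added illustration, not taken from the CSRB report or from any vendor named here, the following Python script produces the kind of minimal inventory the visibility challenge calls for: it walks a directory of Java archives, descends into archives nested inside wars and ears, and records each copy of log4j-core it finds with its declared version and whether the JNDI lookup class is present. The deployment tree it scans is constructed in a temporary directory; the version strings and class bytes in it are made up for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass

# Maven metadata path that identifies log4j-core inside a jar and carries its version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class implementing the JNDI lookup feature at the root of the December 2021 issue.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str          # file path relative to the scan root; nested entries joined with "!"
    version: str       # version from pom.properties, or "unknown" if only the class was seen
    jndi_lookup: bool  # True when JndiLookup.class is present in this archive


def parse_version(props: bytes) -> str:
    """Extract the version key from a Maven pom.properties file."""
    for line in props.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return "unknown"


def inspect_archive(data: bytes, label: str, findings: list, depth: int = 0) -> None:
    """Record log4j-core markers in an in-memory archive, recursing into nested archives."""
    if depth > 3:  # shaded/fat jars rarely nest deeper; guard against pathological input
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = parse_version(zf.read(POM_PROPS)) if POM_PROPS in names else "unknown"
            findings.append(Finding(label, version, JNDI_CLASS in names))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)


def scan_tree(root: str) -> list:
    """Inventory every archive under root; returns one Finding per log4j-core copy."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), os.path.relpath(full, root), findings)
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample deployment: fake archives, fake versions, placeholder class bytes."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "lib", "log4j-core-sample.jar"), "w") as zf:
        zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=2.14.1\n")  # constructed
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class file
    inner = io.BytesIO()  # nested copy with the lookup class removed (constructed)
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.17.1\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-nested.jar", inner.getvalue())
        zf.writestr("WEB-INF/web.xml", "<web-app/>")


def inventory_sample_tree() -> list:
    """Build the constructed tree, scan it, and return findings sorted by path."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(scan_tree(tmp), key=lambda f: f.path)


if __name__ == "__main__":
    for f in inventory_sample_tree():
        print(f"{f.path}\tversion={f.version}\tJndiLookup={'present' if f.jndi_lookup else 'absent'}")
```

Point `scan_tree` at a real application directory and compare each reported version against the Apache advisory; a copy whose JndiLookup class is present is the one to prioritise regardless of what the version string says.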
The CSRB offered nineteen specific recommendations organized under four headings:
- “Address Continued Risks of Log4j: continued vigilance in addressing Log4j vulnerabilities for the long term.”
- “Drive Existing Best Practices for Security Hygiene: adopt industry-accepted practices and standards for vulnerability management and security hygiene.”
- “Build a Better Software Ecosystem: drive a transformation in the software ecosystem to move to a proactive model of vulnerability management.” [and]
- “Investments in the Future: pursue cultural and technological shifts necessary to solve for the nation’s digital security for the long run.”
The board’s conclusions are worth the attention of all industrial organizations. Some products are integrating the visibility, detection, and educational measures the Board recommends. One example of this sort of approach was announced by Dragos and Emerson last week. Dragos is extending its ICS/OT cybersecurity solutions to Emerson’s DeltaV Distributed Control System, where it is designed to enhance the protection of process industries.
On July 28th CISA released a Malware Analysis Report on Log4j vulnerabilities exploited against "unpatched, public-facing VMware Horizon and Unified Access Gateway (UAG) servers." The samples, as analyzed, offer some useful insights into how threat actors are exploiting these vulnerabilities, which are now, we emphasize again, regarded as endemic, here with all of us for the foreseeable future.
Operational technology and the criminal-to-criminal market.
Cyberattack tools, generally considered, show increasing commodification. Malware is now traded in a variety of dark web souks, and can be bought and used by individuals and organized criminal gangs who can thus forgo the need to develop and prove their own malware. It’s not just the script kiddies and the lazy who buy their attack tools; capable and ambitious gangs do so as well. Buying malware, buying access, buying the other things you need can simply make good economic sense. Outsourcing works in criminal markets as well as it does in legitimate ones.
This criminal market extends specifically to programmable logic controllers. And the market also seeks to present a legitimate face to its potential victims. A Dragos study has found that “Multiple accounts across a variety of social media websites are advertising Programmable Logic Controller (PLC), Human-Machine Interface (HMI), and project file password cracking software. Buyers can retrieve forgotten passwords by running an executable provided by the seller that targets a specific industrial system.” So if you’re an operator and have forgotten a password to an essential system, you can pay for a tool that will crack the password and restore your access. Forget for a moment that a little reflection on the words “password cracking” would put even the most obtuse engineer an ABET-accredited college ever spawned on their guard. Password cracking? That can’t be good. And in fact it’s not.
In fact, it’s worse than that. The password-cracking software isn’t cracking anything. It’s exploiting a firmware vulnerability. And more than that, the software also carries a Trojan as a payload, and the unwary user who just wanted to crack a password has given away access to their system. As Dragos says in its conclusion, “Trojanized software is a common delivery technique for malware and has been proven effective for gaining initial access to a network.” (We note that the affected system, Automation Direct’s DirectLogic 06 PLC, has been patched.)
Ars Technica points out that the incidents Dragos looked into represented financially motivated criminal activity, but that there’s no reason to assume that comparable techniques couldn’t be used by a nation-state or terrorists to conduct attacks with kinetic effect “to sabotage a dam, power plant, or similar facility.” To this we’ll add that espionage services and terrorists are also customers in the criminal-to-criminal market, and that commodity malware is as accessible to them as it is to the crooks.
So don’t try to recover passwords by downloading a cracker from the Internet. You’d be better off writing passwords on sticky notes. Not that you should do that, either.
TSA issues revised pipeline cybersecurity guidelines.
On July 21st the US Transportation Security Administration (TSA) issued a revised version of its cybersecurity guidelines for pipeline owners and operators. TSA says that the new version differs from its predecessor (which had been promulgated in July of last year) in that it focuses on “performance-based, rather than prescriptive” measures. “The security directive requires that TSA-specified owners and operators of pipeline and liquefied natural gas facilities take action to prevent disruption and degradation to their infrastructure to achieve the following security outcomes:
- “Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa;
- “Create access control measures to secure and prevent unauthorized access to critical cyber systems;
- “Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and
- “Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.”
It goes on to specify, “Pipeline owners and operators are required to:
- “Establish and execute a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures the pipeline owners and operators are utilizing to achieve the security outcomes set forth in the security directive.
- “Develop and maintain a Cybersecurity Incident Response Plan that includes measures the pipeline owners and operators will take in the event of operational disruption or significant business degradation caused by a cybersecurity incident. [And]
- “Establish a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.”
The ransomware attack on Colonial Pipeline in May of 2021 lent urgency to the first set of guidelines TSA issued. This latest iteration reflects the experience gained over the past year as well as considerable industry input to TSA.
MOXA issues patches for two vulnerabilities.
Industrial networking provider MOXA has patched two serious vulnerabilities in its NPort Ethernet-to-serial converter devices, SecurityWeek reports. The vulnerabilities could be used to launch denial-of-service attacks against the devices. The flaws were discovered by researchers at En Garde Security, who notified the vendor in March. MOXA coordinated with CISA, and CISA published an advisory on July 26th. In addition to applying the security patch, CISA offers the following recommendations:
- "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- "Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- "When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices."
ICS security advisories.
The US Cybersecurity and Infrastructure Security Agency (CISA) released three Industrial Control Systems Advisories on July 7th, covering Rockwell Automation MicroLogix ("mitigations for an Improper Restriction of Rendered UI Layers or Frames vulnerability in the Rockwell Automation MicroLogix controllers"), Bently Nevada ADAPT 3701-4X Series and 60M100 ("mitigations for Use of Hard-coded Credentials and Missing Authentication for Critical Function vulnerabilities in the Bently Nevada ADAPT 3701-4X Series and 60M100 machinery monitors"), and Mitsubishi Electric MELSEC iQ-R Series C Controller Module (Update B) (a follow-up to ICSA-21-280-04 Mitsubishi Electric MELSEC iQ-R Series C Controller Module (Update A) published October 28, 2021, this "contains mitigations for an Uncontrolled Resource Consumption vulnerability in Mitsubishi Electric MELSEC iQ-R Series C controller module products").
On Tuesday, July 12th, CISA released two Industrial Control System (ICS) Advisories, one for Dahua ASI7213X-T1 ("mitigations for Improper Input Validation") and the other for Schneider Electric Easergy P5 and P3 (Update A) ("mitigation for Use of Hard-coded Credentials, Classic Buffer Overflow, and Improper Input Validation vulnerabilities in the Schneider Electric Easergy P5 medium voltage protection relay").
On July 14th, CISA released an unusually large number of ICS advisories, thirty in all. They include notices on:
- Siemens SCALANCE X Switch Devices ("mitigations for Use of Insufficiently Random Values, and Classic Buffer Overflow vulnerabilities in the Siemens SCALANCE X Switch Devices industrial ethernet switches")
- Siemens SICAM GridEdge ("mitigations for an Exposure of Resource to Wrong Sphere vulnerability in the Siemens SICAM GridEdge")
- Siemens SIMATIC MV500 Devices ("mitigations for Insufficient Session Expiration, and Missing Authentication for Critical Function vulnerabilities in the Siemens SIMATIC MV500 Devices Optical Readers")
- Siemens Simcenter Femap ("mitigations for an Out-of-bounds Write vulnerability in the Simcenter Femap complex model simulator")
- Siemens RUGGEDCOM ROX ("mitigations for a Command Injection vulnerability in the Siemens RUGGEDCOM ROX products")
- Siemens Mendix Excel Importer ("mitigations for an XML Entity Expansion vulnerability in the Mendix Excel Importer Module")
- Siemens Datalogics File Parsing Vulnerability ("mitigations for a Heap-based buffer Overflow vulnerability in Siemens Teamcenter Visualization products")
- Siemens PADS Standard/Plus Viewer ("mitigations for an Out-of-bounds Read, Out-of-bounds Write, and Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the PADS Standard and Standard Plus, a PCB schematic design and layout environment")
- Siemens Simcenter Femap and Parasolid ("mitigations for an Out-of-bounds Read vulnerability in Simcenter Femap, an advanced simulation application, and Parasolid, a 3D geometric modeling tool")
- Siemens Mendix Applications ("mitigations for an Injection Vulnerability in the Siemens Mendix Applications high productivity app platform")
- Open Design Alliance Drawings SDK ("mitigations for an Out-of-Bounds Read vulnerability in the Open Design Alliance Drawing SDK platform")
- Siemens SRCS VPN Feature in SIMATIC CP Devices ("mitigations for Heap-based Buffer Overflow, Command Injection, and Code Injection vulnerabilities in the Siemens SIMATIC CP Devices communication processors")
- Siemens Mendix ("mitigations for an Improper Access Control vulnerability in Siemens Mendix Applications, a high productivity app platform")
- Siemens CPC80 Firmware of SICAM A8000 ("mitigations for a Missing Release of Resource after Effective Lifetime vulnerability in Siemens CPC firmware")
- Siemens SIMATIC eaSie Core Package ("mitigations for Improper Input Validation, and Missing Authentication for Critical Function vulnerabilities in the Siemens SIMATIC eaSie digital manager")
- Siemens EN100 Ethernet Module ("mitigations for an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the Siemens EN100, an ethernet module")
- Siemens Opcenter Quality ("mitigations for an Incorrect Implementation of Authentication Algorithm vulnerability in the Siemens Opcenter quality management system")
- Siemens RUGGEDCOM ROS ("mitigations for an Improper Control of Generation of Code vulnerability in Siemens RUGGEDCOM ROS-based devices")
- Siemens Industrial Products Intel CPUs (Update D) ("mitigation for a Missing Encryption of Sensitive Data vulnerability in Siemens Industrial Products Intel CPUs")
- Siemens SIMATIC Industrial Products (Update B) ("mitigations for Operation on a Resource after Expiration or Release, and Missing Release of Memory after Effective Lifetime vulnerabilities in Siemens SIMATIC Industrial Products")
- Siemens SCALANCE X (Update D) ("mitigations for an Expected Behavior Violation vulnerability in Siemens SCALANCE X products")
- Siemens TIA Administrator (Update A) ("mitigations for an Uncontrolled Resource Consumption vulnerability in the Siemens TIA Administrator")
- Siemens VxWorks-based Industrial Products (Update C) ("mitigations for a Heap-based Buffer Overflow in Siemens Industrial Products incorporating the Wind River VxWorks product")
- Siemens PROFINET Stack Integrated on Interniche Stack (Update B) ("mitigations for an Uncontrolled Resource Consumption vulnerability in the Siemens PROFINET Stack Integrated on Interniche Stack")
- Siemens Industrial Products with OPC UA (Update A) ("mitigations for an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Siemens Industrial Products with OPC UA")
- Siemens Mendix (Update B) ("mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Siemens Mendix, a software platform to build mobile and web applications")
- Siemens OpenSSL Affected Industrial Products (Update A) ("mitigations for an Infinite Loop vulnerability in the Siemens OpenSSL Affected Industrial Products")
- Siemens SIMATIC WinCC (Update E) ("mitigations for Path Traversal, and Insertion of Sensitive Information into Log File vulnerabilities in the Siemens SIMATIC WinCC")
- Siemens Industrial PCs and CNC devices (Update A) ("mitigations for Improper Input Validation, Improper Authentication, Improper Isolation of Shared Resources on System-on-a-Chip, and Improper Privilege Management vulnerabilities in Siemens Industrial PCs and CNC devices")
- Siemens Industrial Products (Update A) ("mitigations for an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the OPC Foundation Local Discovery Server in multiple Siemens industrial products")
Patch Tuesday for July arrived on the 12th, and SecurityWeek reports that between them Siemens and Schneider Electric addressed a total of fifty-nine vulnerabilities in thirteen advisories. Siemens had the majority of issues—forty-six vulnerabilities—three of them rated critical with a CVSS score of 10. Schneider Electric fixed thirteen vulnerabilities, none rated critical, but several assessed as being of high severity.
CISA released two more ICS advisories on July 19th: a new advisory for MiCODUS MV720 GPS Tracker ("mitigations for Use of Hard-coded Credentials, Improper Authentication, Cross-site Scripting, and Authorization Bypass Through User-controlled Key vulnerabilities in the MiCODUS MV720 GPS tracker") and a follow-up for Dahua ASI7213X-T1 (Update A) ("mitigations for Unrestricted Upload of File with Dangerous Type, Authentication Bypass by Capture-replay, and Generation of Error Message Containing Sensitive Information vulnerabilities in the Dahua ASI7213X-T1 facial recognition access controller").
July 21st brought six more ICS advisories, for ABB Drive Composer, Automation Builder, Mint Workbench ("mitigations for an Improper Privilege Management vulnerability in ABB Drive Composer, Automation Builder, and Mint Workbench products"), Johnson Controls Metasys ADS, ADX, OAS ("mitigations for a Missing Authentication for Critical Function vulnerability in Johnson Controls Metasys ADS, ADX, OAS with MUI products"), Rockwell Automation ISaGRAF Workbench ("mitigations for Deserialization of Untrusted Data and Path Traversal vulnerabilities in ISaGRAF Workbench, an automation development tool"), ICONICS Suite and Mitsubishi Electric MC Works64 Products ("mitigations for Path Traversal, Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere, Out-of-Bounds Read vulnerabilities in SCADA products"), Automation Direct Stride Field IO ("mitigations for a Cleartext Transmission of Sensitive Information vulnerability in AutomationDirect Stride Field I/O products"), and Rockwell Automation ISaGRAF (Update A) (an update to an earlier advisory, this "contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in Rockwell Automation ISaGRAF software products").
CISA's July 26th set of advisories addressed issues in five products: Inductive Automation Ignition ("mitigations for an Improper Restriction of XML External Entity Reference vulnerability in versions of Inductive Automation Ignition software"), Honeywell Safety Manager ("mitigations for Insufficient Verification of Data Authenticity, Missing Authentication for Critical Function, and Use of Hard-coded Credentials vulnerabilities in Honeywell Safety Manager, a safety solution of the Experion Process Knowledge System"), Honeywell Saia Burgess PG5 ("mitigations for Authentication Bypass and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Honeywell Saia Burgess PG5 PCD, a PLC"), MOXA NPort 5110 ("mitigations for an Out-of-bounds Write vulnerability in MOXA NPort 5110, a device server"), and Mitsubishi MELSEC and MELIPC Series (Update D) ("mitigations for Uncontrolled Resource Consumption, Improper Handling of Length Parameter Inconsistency, and Improper Input Validation vulnerabilities in Mitsubishi Electric MELSEC and MELIPC Series industrial computers").
CISA's ICS-CERT on July 28th released three industrial control system (ICS) advisories, for Rockwell Products Impacted by Chromium Type Confusion Vulnerability ("mitigations for a Type Confusion vulnerability in various Rockwell Automation products"), Mitsubishi FA Engineering Software (Update B) ("mitigations for Out-of-bounds Read and Integer Underflow vulnerabilities in Mitsubishi Electric FA Engineering Software, an engineering software suite"), and Mitsubishi Electric Factory Automation Engineering Software (Update C) ("mitigations for a Permission Issues vulnerability in Mitsubishi Electric Factory Automation Engineering Software").
And, finally, yesterday, August 2nd, CISA released five additional Industrial Control Systems Advisories, for Mitsubishi Electric Factory Automation Products Path Traversal (Update C) ("mitigations for a Path Traversal vulnerability in various Mitsubishi Electric Factory Automation products"), Mitsubishi Electric Factory Automation Engineering Products (Update H) ("mitigations for an Unquoted Search Path or Element vulnerability in various Mitsubishi Electric Factory Automation Engineering products"), Mitsubishi Electric FA Engineering Software Products (Update F) ("mitigations for Heap-based Buffer Overflow and Improper Handling of Length Parameter Inconsistency vulnerabilities in various Mitsubishi Electric FA Engineering Software products that communicate with MELSEC, FREQROL, or GOT products"), Delta Electronics DIAEnergie (Update C) ("mitigations for Use of Password Hash with Insufficient Computational Effort, Authentication Bypass Using an Alternate Path or Channel, Unrestricted Upload of File with Dangerous Type, SQL Injection, Cross-site Request Forgery, Cross-site Scripting, and Cleartext Transmission of Sensitive Information vulnerabilities in Delta Electronics DIAEnergie, an industrial energy management system"), and Delta Electronics DIAEnergie (Update C) ("mitigations for Path Traversal, Incorrect Default Permissions, SQL Injection, and Uncontrolled Search Path Element vulnerabilities in Delta Electronics DIAEnergie, an industrial energy management system").
These recent advisories, all of which may be found on CISA’s site, represent a continuation of CISA’s program of keeping ICS operators up to speed on vulnerabilities and mitigations that affect their systems. A study by SynSaber (reported by SecurityWeek on July 21st) counted them up and concluded that CISA had, through the end of June, disclosed a total of six hundred eighty-one vulnerabilities in ICS systems in its advisories. That’s “slightly more” than the number covered in the first half of 2021. So CISA’s discoveries and disclosures are running about on pace, year over year.