At a glance.
- Dragos releases its ICS/OT Cybersecurity Year in Review for 2022.
- Command injection vulnerability affects Cisco devices.
- IoT supply chain threatened by exploitation of Realtek Jungle SDK vulnerability.
- GRU wiper malware active against Ukraine, again.
- Sandworm's NikoWiper and Ukraine's energy sector.
- Cyberattack hits Nunavut energy company’s IT systems.
- The WEF’s Cybersecurity Outlook for 2023.
- US House Subcommittee on Cybersecurity and Infrastructure Protection gets a new chair.
Dragos releases its ICS/OT Cybersecurity Year in Review for 2022.
Dragos has published its ICS/OT Cybersecurity Year in Review for 2022. The report found that ransomware attacks against industrial organizations nearly doubled last year, with seventy percent of these attacks targeting the manufacturing industry: "There were multiple reasons for the increase in ransomware activity impacting industrial organizations, including political tensions, the introduction of Lockbit Builder, and the continued growth of ransomware-as-a-service (RaaS). Dragos observed ransomware trends tied to political and economic events, such as the conflict between Russia and Ukraine and Iranian and Albanian political tensions."
The security firm also discovered two new threat actors in 2022: CHERNOVITE and BENTONITE. CHERNOVITE is the developer of PIPEDREAM, an ICS attack framework that Dragos says "represents a substantial escalation in adversarial capabilities." The framework was likely developed by a state-sponsored actor, but Dragos says it doesn't appear to have been deployed in the wild yet: "Dragos assesses with low confidence that no adversary has employed or leveraged components of PIPEDREAM against industrial networks for disruptive or destructive effects. Dragos’s discovery of CHERNOVITE constitutes a rare case of accessing and analyzing malicious capabilities developed by an adversary before its employment, giving defenders a unique opportunity to prepare in advance."
BENTONITE is a threat actor that's been "opportunistically targeting maritime oil and gas (ONG), governments, and the manufacturing sectors since 2021." Dragos says BENTONITE "conducts offensive operations for both espionage and disruptive purposes." As a matter of policy, Dragos doesn't attribute threat activity to particular nation-states, but the researchers note that BENTONITE overlaps with the threat actor tracked by Microsoft as "PHOSPHORUS," which Microsoft has tied to the Iranian government.
Command injection vulnerability affects Cisco devices.
Trellix discovered and responsibly disclosed a remote command injection flaw affecting multiple Cisco appliances, including some used in industrial environments. The affected devices include 800 Series Industrial ISRs, IC3000 Industrial Compute Gateways, and IR510 WPAN Industrial Routers. The researchers explain that the flaw, tracked as CVE-2023-20076, can be used to “[gain] unrestricted access, allowing malicious code to lurk in the system and persist across reboots and firmware upgrades.” Trellix stresses that this vulnerability can also be used to compromise third-party devices in the supply chain.
Cisco has issued patches for the devices, and customers are urged to apply them as soon as possible.
IoT supply chain threatened by exploitation of Realtek Jungle SDK vulnerability.
Looking at attack records between August and October of last year, Palo Alto Networks' Unit 42 researchers discovered that one vulnerability in particular, a remote-code execution issue affecting the Realtek Jungle SDK, was particularly attractive to attackers. It's unusual, Unit 42 says, to see a single vulnerability account for more than 10% of the attacks detected over a period of time, but this one (CVE-2021-35394) "accounted for more than 40% of the total number of attacks" over those three months. "Many of the attacks we observed tried to deliver malware to infect vulnerable IoT devices," the researchers wrote. "This tells us that threat groups are using this vulnerability to carry out large-scale attacks on smart devices around the world."
GRU wiper malware active against Ukraine, again.
Security firm ESET says a new strain of wiper malware they're calling "SwiftSlicer" has been deployed against Ukrainian networks. ESET Research tweeted, "On January 25th #ESETResearch discovered a new cyberattack in Ukraine. Attackers deployed a new wiper we named #SwiftSlicer using Active Directory Group Policy. The #SwiftSlicer wiper is written in Go programming language. We attribute this attack to #Sandworm." The Sandworm group is operated by Russia's GRU, and SwiftSlicer represents a successor to HermeticWiper and CaddyWiper, both of which the Russian service had deployed against Ukraine in the early phases of the invasion. HermeticWiper was identified in February 2022, during the opening days of the invasion; CaddyWiper was observed the following month. ESET has not identified the organization or organizations affected by SwiftSlicer.
The Ukrainian Computer Emergency Response Team (CERT-UA) on January 26th reported identifying five distinct strains of wiper malware in the networks of the Ukrinform news outlet. The strains, and the systems they affected, were: CaddyWiper (Windows), ZeroWipe (Windows), SDelete (Windows), AwfulShred (Linux), and BidSwipe (FreeBSD). The Russian hacktivist group "CyberArmyofRussia_Reborn" claimed credit for the infestations in its Telegram channel. BleepingComputer says that two of the strains, ZeroWipe and BidSwipe, are either novel malware or known strains that CERT-UA is tracking under unfamiliar names.
Sandworm's NikoWiper and Ukraine's energy sector.
ESET's APT Activity Report for T3 2022, released on January 31st, describes a hitherto unknown wiper, "NikoWiper," which was "used against a company in the energy sector in Ukraine in October 2022." The report goes on to give particulars of the malware: "The NikoWiper is based on SDelete, a command line utility from Microsoft that is used for securely deleting files." It has been difficult to establish coordination between Russian kinetic and cyber operations, but the NikoWiper deployment at least coincided with Russian missile strikes against Ukraine's energy sector. "This attack happened around the same period that the Russian armed forces targeted Ukrainian energy infrastructure with missile strikes. Even if we were unable to demonstrate any coordination between those events, it suggests that both Sandworm and the Russian armed forces have the same objectives." Coincidence isn't necessarily coordination, but of course it might be. Sandworm represents threat activity directed by Russia's GRU military intelligence service.
Cyberattack hits Nunavut energy company’s IT systems.
Qulliq Energy Corp (QEC) in Nunavut was hit by a cyberattack on January 15th that took down its IT systems, the CBC reports. QEC disclosed last week that the attack brought down the systems at its Customer Care and administrative offices. The company has enlisted external cybersecurity experts to investigate the scope of the attack and determine which data were accessed. QEC says it will notify anyone whose information was accessed.
The attack didn't affect power plant operations, only business systems (although customers are presently unable to pay their bills by credit card).
Premier P.J. Akeeagok said in a statement that various Provincial and Federal agencies are assisting with the recovery, and that the Royal Canadian Mounted Police are investigating the incident.
The WEF’s Cybersecurity Outlook for 2023.
The World Economic Forum (WEF), in collaboration with Accenture, has published its Global Cybersecurity Outlook for 2023, finding that 93% of cyber leaders believe that “global geopolitical instability is moderately or very likely to lead to a catastrophic cyber event in the next two years.”
Much of the report focuses on the relationship between cybersecurity teams, the C-Suite, and board leadership. The report found that both business leaders and cybersecurity employees made more appearances in front of board members last year, but also concludes that “cyber and business leaders still have a great deal of work to do to truly understand each other, articulate the risk cyber issues pose to their business and translate that into meaningful management and mitigation measures.”
That sort of close cooperation is as important for industrial control systems as it is for IT systems. And among the most attractive targets for a nation-state waging cyber war is the adversary’s infrastructure.
US House Subcommittee on Cybersecurity and Infrastructure Protection gets a new chair.
Representative Andrew R. Garbarino (Republican, New York 2nd District) has been appointed to chair the US House Subcommittee on Cybersecurity and Infrastructure Protection in the new Congress. Representative Garbarino said, “I’m thrilled and honored to have been selected to serve as Chairman of the Cybersecurity and Infrastructure Protection Subcommittee and to be able to continue the great work we started last Congress improving our nation’s cyber preparedness. Cyberattacks are the preeminent threat of our time, impacting every sector of our economy – from the energy sector to financial services. Our foreign adversaries have grown more advanced, making cybersecurity the next arena in which we must build out our national defenses. I thank Chairman Green for selecting me to lead this subcommittee and I look forward to working closely with him to ensure our cyber borders are protected. I also look forward to continuing to work closely with CISA and fostering a strong partnership and open dialog between the public and private sectors in order to face rising threats and strengthen our national cybersecurity posture.”