At a glance.
- Commerce and DHS report on the ICT supply chain.
- Iranian threat actor MuddyWater resurfaces with a major cyberespionage campaign.
US DHS and Commerce address challenges to the ICT supply chain.
Yesterday the US Departments of Commerce and Homeland Security released a joint report assessing the risks faced by the supply chains supporting the information and communications technology (ICT) industry. The report was requested under the executive order the Biden administration issued last year on reducing supply chain vulnerability. As Cyberscoop explains, the report singles out device firmware and open-source software (OSS) as two major sources of risk. “Given the already vast and growing use of OSS, the urgency and importance of ensuring that OSS is secure and can be trusted cannot be overstated,” the report reads. It cites the Log4j vulnerability, in which a flaw in a single widely embedded library exposed countless downstream products, and typosquatting, in which an attacker publishes a malicious package under a name that differs from a popular one by a dropped, swapped, or mistyped character so that a careless install command pulls in the attacker's code, as two ways threat actors abuse the OSS ecosystem. The report also discusses the growing reliance of original equipment manufacturers (OEMs) on third-party suppliers for firmware development, driven by a shrinking domestic manufacturing base, which leaves blind spots in verifying firmware authenticity and detecting tampering.
The report makes several recommendations for improving risk management practices and monitoring efforts, including strategies to increase the domestic technology workforce, and the development of a new Critical Supply Chain Resilience Program at the Department of Commerce. In a joint statement, Secretary of Commerce Gina Raimondo and Secretary of Homeland Security Alejandro Mayorkas acknowledged that resolving the issues cited in the report would require a great degree of collaboration: “We look forward to working with industry stakeholders, foreign governments, and other domestic and international partners to implement measures identified in the assessment that build resilience and security throughout the ICT supply chain and across our nation.”
US officials warn that MuddyWater is making waves again.
The US Cybersecurity and Infrastructure Security Agency, together with the Federal Bureau of Investigation, US Cyber Command's Cyber National Mission Force, and the UK's National Cyber Security Centre, issued an alert warning of new malicious cyber operations by the MuddyWater threat group. The Iranian state-sponsored advanced persistent threat (APT) group is targeting government and private-sector organizations in sectors including telecommunications, defense, local government, and oil and natural gas, with victims in Asia, Africa, Europe, and North America. MuddyWater, also tracked as Static Kitten and Seedworm, has conducted cyberespionage campaigns on behalf of the Iranian Ministry of Intelligence and Security (MOIS) since 2018. The advisory states, “MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware.” The alert details the group's tactics, techniques, and procedures so that organizations can recognize whether they are being targeted. A brief summary can be found here.
James McQuiggan, security awareness advocate at KnowBe4, sent us comment on the implications of the warning:
“Organizations within telecommunications, IT, government, and critical infrastructure are no doubt on a heightened level of security with the current events in the geopolitical environment.
“However, with this attack style, all organizations must increase awareness and education for their users to spot and be alert to phishing emails. Ensure that users conduct a quick checklist: ‘Do I know this person?’ ‘Am I expecting this email?’ ‘Is the request unusual and unlike the sender?’ and ‘Is there a sense of urgency to the request?’ Answering these questions unfavorably should trigger the user to examine the email a little closer and report to their IT or InfoSec teams.
“Users must be aware of the practice of checking their links and reporting any suspicious emails to their appropriate IT team or simply deleting them. Considering social engineering and phishing are the leading way for nation-state groups to gain access, it is apparent that humans are the most significant attack vector and require proper education and awareness to recognize these online scams.”