Commerce and DHS report on the ICT supply chain. Iranian threat actor MuddyWater resurfaces with a major cyberespionage campaign.

Summary

By the CyberWire staff

At a glance.

Commerce and DHS report on the ICT supply chain.
Iranian threat actor MuddyWater resurfaces with a major cyberespionage campaign.

US DHS and Commerce address challenges to the ICT supply chain.

Yesterday the US Departments of Commerce and Homeland Security released a joint report assessing the risks faced by the supply chains supporting the information and communications technology (ICT) industry. The report was requested as part of the executive order issued last year by the Biden administration focused on decreasing the vulnerability of the supply chain. As Cyberscoop explains, device firmware and open-source software (OSS) are two major sources of vulnerability. “Given the already vast and growing use of OSS, the urgency and importance of ensuring that OSS is secure and can be trusted cannot be overstated,” the report reads. The infamous Log4j bug, as well as techniques like typosquatting – tricking users into visiting malicious URLs that are very similar to their legitimate counterparts – are cited as two methods threat actors use to compromise OSS. Also discussed is the growing reliance of Original Equipment Manufacturers on third-party suppliers for firmware development, due to a diminishing manufacturing base, which can lead to blindspots in controlling authenticity and detecting irregularities.

The report makes several recommendations for improving risk management practices and monitoring efforts, including strategies to increase the domestic technology workforce, and the development of a new Critical Supply Chain Resilience Program at the Department of Commerce. In a joint statement, Secretary of Commerce Gina Raimondo and Secretary of Homeland Security Alejandro Mayorkas acknowledged that resolving the issues cited in the report would require a great degree of collaboration: “We look forward to working with industry stakeholders, foreign governments, and other domestic and international partners to implement measures identified in the assessment that build resilience and security throughout the ICT supply chain and across our nation.”

US officials warn that MuddyWater is making waves again.

The US Cybersecurity and Infrastructure Security Agency, in collaboration with the Federal Bureau of Investigation, the Cyber Command Cyber National Mission Force, and the UK’s National Cyber Security Centre, issued an alert warning of new malicious cyber operations from the MuddyWater threat group. The Iranian government-backed advanced persistent threat group (APT) is targeting government and private business in various sectors including telecom, defense, local government, and oil and natural gas across the globe in Asia, Africa, Europe, and North America. MuddyWater, also known as Static Kitten and Seedworm, has been conducting cyberespionage campaigns for the Iranian Ministry of Intelligence and Security (MOIS) since 2018. The advisory states, “MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware.” The alert includes details about the APT’s techniques in an effort to help organizations detect if they’re being targeted. A brief summary can be found here.

James McQuiggan, security awareness advocate at KnowBe4, sent us some comment on the implications of the warning:

“Organizations within telecommunications, IT government and critical infrastructure are no doubt on a heightened level of security with the current events in the geopolitical environment.

"However, with this attack style, all organizations must increase awareness and education for their users to spot and be alert to phishing emails. Ensure that users conduct a quick checklist of "Do I know this person," "Am I expecting this email," "Is the request unusual and unlike the sender," and "Is there a sense of urgency" to the request? Answering these questions unfavorably should trigger the user to examine the email a little closer and report to their IT or InfoSec teams.

"Users must be aware of the practice of checking their links and reporting any suspicious emails to their appropriate IT team or simply deleting them. Considering social engineering and phishing are the leading way for nation-state groups to gain access, it is apparent that humans are the most significant attack vector and require proper education and awareness to recognize these online scams.”

Selected Reading

Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks (CISA) Actions to Take Today to Protect Against Malicious Activity * Search for indicators of compromise. * Use antivirus software. * Patch all systems. * Prioritize patching known exploited vulnerabilities. * Train users to recognize and report phishing attempts.

Iranian Government-Sponsored MuddyWater Actors Conducting Malicious Cyber Operations (CISA) CISA, the Federal Bureau of Investigation (FBI), U.S. Cyber Command Cyber National Mission Force (CNMF), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) have issued a joint Cybersecurity Advisory (CSA) detailing malicious cyber operations by Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater.

Joint advisory on MuddyWater actor (NCSC) A joint advisory with international partners on the Iranian actor MuddyWater.

US and UK expose new malware used by MuddyWater hackers (BleepingComputer) US and UK cybersecurity and law enforcement agencies today shared info on new malware deployed by the Iranian-backed MuddyWatter hacking group in attacks targeting critical infrastructure worldwide.

CISA Warns of Ongoing Attacks by MuddyWater APT (Decipher) U.S. agencies are warning that the Iranian-backed APT group MuddyWater is targeting organizations in many industries in North America and elsewhere.

US-Mexico border summit addresses cyber security threats at border amid Russia-Ukraine war (KFOX) The U. S. government is on high alert for more cyberattacks following Russia's invasion of Ukraine. Russia has shown an ability to cause significant disruption and damage in cyberspace in the past and it's likely they will take retaliatory measures to the sanctions being imposed. The Biden administration said they are working with the private sector to sharpen their ability to respond to cyber-attacks. Caption: Lianna Golden reports on US-Mexico summit discusses cyber attacks. The U. S.

CISA’s Robert Costello Talks Culture Shifts, Cyber Innovation Strategies During Keynote at GovCon Wire’s Information Security & Innovation Forum (GovConWire) GovCon Wire Events’ timely Information Security and Innovation Forum on Wednesday brought together prominent figures across government and industry to discuss how public and private sector organizations are working together to better fortify the United States’ critical information security and cybersecurity capabilities in response to the heightened threat of cyber attacks in today’s digital age.

The Navy’s Cyber Warfare Magazines Have Always Been Empty (U.S. Naval Institute) For more than a decade Navy information warfare leaders have smothered the specialization needed to develop a serious offensive cyber warfare capability.

US Army cyber conference seeks to bolster holistic national cybersecurity (C4ISRNet) The Jack Voltaic series brings together a diverse group of organizations to bolster the cybersecurity of critical infrastructure.

EU parliament to investigate use of NSO Group's Pegasus spyware (Euronews) The European Parliament is setting up a rare committee of inquiry into the Pegasus spyware scandal. #EuropeanDebates