US Joint Advisory outlines threats to water and wastewater treatment facilities.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday published a joint advisory warning of "ongoing malicious activity—by both known and unknown actors" directed against water and wastewater (WWS) treatment facilities. It emphasizes the threat of spearphishing as well as exploitation of outdated operating systems and vulnerable control system firmware. CISA cited the following incidents that have occurred since 2019:
- "In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
- "In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.
- "In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).
- "In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.
- "In March 2019, a former employee at a Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer."
Password-spraying from Tehran.
The Microsoft Threat Intelligence Center this week released a report on "DEV-0343," an "activity cluster" Redmond connects to Iran. DEV-0343 has been conducting password-spraying attacks against more than two-hundred-fifty Office 365 tenants. Fewer than twenty of the attempts were successful. Targets included "US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation." This is, of course, consistent with Iranian intelligence interests.
In the course of its campaign, DEV-0343 emulated a Firefox browser and used IPs hosted on TOR. It most often targeted Autodiscover and ActiveSync. Those of you interested in schedules and workplace customs in and around threat actors will take note that DEV-0343 was most active on Sundays and Thursdays between 7:30 AM Tehran time, when the factory whistle blew, and 8:30 PM, which seems to have been quitting time.
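The spray pattern Microsoft describes (many accounts, each tried only once or twice from one source, with legacy endpoints like Autodiscover and ActiveSync as the targets, inside Tehran working hours) is something a defender can hunt for in sign-in telemetry. The following is an added example, not Microsoft's detection logic; the log events are constructed, the field layout is a simplification of any real sign-in log, and the Tehran offset is a fixed UTC+3:30 that ignores DST.

```python
"""Flag password-spray shaped sign-in activity (added example on constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real telemetry: (UTC time, user, source IP, target app, result)
SAMPLE_EVENTS = [
    ("2021-10-10T04:05:00Z", "alice@example.com", "198.51.100.7", "Autodiscover", "failure"),
    ("2021-10-10T04:05:30Z", "bob@example.com",   "198.51.100.7", "Autodiscover", "failure"),
    ("2021-10-10T04:06:00Z", "carol@example.com", "198.51.100.7", "ActiveSync",   "failure"),
    ("2021-10-10T04:06:30Z", "dave@example.com",  "198.51.100.7", "ActiveSync",   "failure"),
    ("2021-10-10T04:07:00Z", "erin@example.com",  "198.51.100.7", "ActiveSync",   "success"),
    ("2021-10-10T09:00:00Z", "alice@example.com", "203.0.113.9",  "Outlook",      "failure"),
    ("2021-10-10T09:00:20Z", "alice@example.com", "203.0.113.9",  "Outlook",      "success"),
]

LEGACY_AUTH_APPS = {"Autodiscover", "ActiveSync"}   # endpoints the report says were targeted most
TEHRAN = timezone(timedelta(hours=3, minutes=30))    # assumption: fixed offset, DST ignored


def detect_spray(events, window=timedelta(minutes=30), min_users=4, max_per_user=2):
    """Return one finding per source IP whose attempts touch many distinct accounts,
    each only a few times, inside `window`: the low-and-slow spray shape."""
    by_ip = defaultdict(list)
    for ts, user, ip, app, result in events:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_ip[ip].append((when, user, app, result))
    findings = []
    for ip, rows in by_ip.items():
        rows.sort()
        start = rows[0][0]
        in_window = [r for r in rows if r[0] - start <= window]
        per_user = defaultdict(int)
        for _, user, _, _ in in_window:
            per_user[user] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            findings.append({
                "source_ip": ip,
                "accounts": len(per_user),
                # legacy protocols cannot do MFA, which is why sprays aim at them
                "legacy_auth": any(app in LEGACY_AUTH_APPS for _, _, app, _ in in_window),
                "successes": [u for _, u, _, r in in_window if r == "success"],
                # local time at the suspected operator's location, for the working-hours pattern
                "tehran_local": start.astimezone(TEHRAN).strftime("%A %H:%M"),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_EVENTS):
        print(finding)
```

Any account listed under "successes" in a finding is the one to reset and review first, since a successful spray hit is the foothold the rest of the campaign builds on.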
Microsoft uses the DEV prefix followed by a numeral to designate a threat actor that isn’t yet fully classified. Once it’s categorized and identified the actor, the company typically moves to one of its familiar elemental threat names.
Data breach extortion.
NCC Group describes an extortion operation that skips the customary ransomware stage of the process. "SnapMC," which NCC Group says it's been unable to link to any other known actor, is simply moving directly to data theft, with no encryption of the victims' data. This probably represents a trend, as more gangs can be expected to engage in "data breach extortion." This kind of attack requires even less technical capability than the already highly commodified ransomware attacks need.
NCC Group explains, "Extortion emails threatening their recipients have become a trend over time. The lion’s share of these consists of empty threats sent by perpetrators hoping to profit easily without investing in an actual attack. SnapMC however has shown itself capable of actual data breach attacks. The extortion emails we have seen from SnapMC give victims 24 hours to get in contact and 72 hours to negotiate. Even so, we have seen this actor start increasing the pressure well before countdown hits zero. SnapMC includes a list of the stolen data as evidence that they have had access to the victim’s infrastructure. If the organization does not respond or negotiate within the given timeframe, the actor threatens to (or immediately does) publish the stolen data and informs the victim’s customers and various media outlets."
MysterySnail connected to Chinese APT.
Kaspersky discusses an activity cluster they're calling "MysterySnail," and which they connect to the "Chinese-speaking APT" IronHusky. MysterySnail exploits a Windows zero-day to install a remote-access Trojan.
The researchers state, "In late August and early September 2021, Kaspersky technologies detected attacks with the use of an elevation of privilege exploit on multiple Microsoft Windows servers. The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a zero-day. We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules. We promptly reported these findings to Microsoft. The information disclosure portion of the exploit chain was identified as not bypassing a security boundary, and was therefore not fixed. Microsoft assigned CVE-2021-40449 to the use-after-free vulnerability in the Win32k kernel driver and it was patched on October 12, 2021, as a part of the October Patch Tuesday."
Mitigating a major DDoS attack.
Microsoft disclosed that in August it successfully mitigated a distributed denial-of-service attack against an unnamed Azure customer. At 2.4 terabytes per second, the incident was at the time, according to the Record, the biggest volumetric attack so far observed. (The Meris botnet broke the record shortly after the attack against the Azure customer.)
“The attack traffic originated from approximately 70,000 sources and from multiple countries in the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as from the United States,” Microsoft wrote in their account of the incident. “The attack vector was a UDP reflection spanning more than 10 minutes with very short-lived bursts, each ramping up in seconds to terabit volumes. In total, we monitored three main peaks, the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.”
Microsoft has in general seen a year-over-year rise in the number of DDoS attacks. While the attacks' total throughput is down slightly, the number of attacks is up by about 20%.
Breach at Visible.
Verizon recommended on Wednesday that users of its Visible wireless service should change any Visible usernames and passwords they may have used to access other sites or services. "Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services." The Record says Verizon denied any compromise of its backend infrastructure.
Miscellaneous threats: privilege escalation, information leaks, and cryptojacking.
Field Effect claims to have identified a cluster of seven Windows zero-days the security firm refers to, collectively, as Blackswan. Six represent a privilege escalation risk; the seventh the researchers characterize as an information leak vulnerability. Microsoft has since patched the flaws.
The Necro botnet (a Python bot) is actively installing a Monero cryptojacker in vulnerable Visual Tools DVR VX16 4.2.28.0 instances, Juniper Networks reports. Juniper states, "We have noted a few changes on this bot from the previous version. First, it removed the SMB scanner which was observed in the May 2021 attack. Second, it changed the url that it injects to script files on the compromised system. Previously, it used a hardcoded url, ‘ublock-referer[.]dev/campaign.js’ and injects this on the scripts and now it uses the DGA for its url, i.e., ‘DGA_DOMAIN/campaign.js’. As noted in the previous reports, this bot will find HTML, PHP, JS and HTM files in the system and will inject a javascript code in every file. This is an attempt for that attacker to not only compromise the server but also clients connecting to it. Using a DGA domain to host the javascript makes it more resilient against defenses."
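The injection Juniper describes (a script tag pointing at `campaign.js` on an attacker-controlled host, dropped into every HTML, HTM, PHP and JS file on the server) leaves a signature a web administrator can scan for. The following is an added example, not Juniper's tooling or the bot's code: it reports any script include whose host is outside an allow-list, and separately flags the `/campaign.js` path; the sample page, PHP snippet and the `dga-placeholder.invalid` host are all constructed.

```python
"""Scan web files for off-site <script src=...> includes (added example, constructed samples)."""
import os
import re
from urllib.parse import urlparse

WEB_EXTENSIONS = (".html", ".htm", ".php", ".js")     # file types the report says Necro injects into
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)

# Constructed samples standing in for files on a compromised host
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script type="text/javascript" src="http://dga-placeholder.invalid/campaign.js"></script>
</head></html>"""
SAMPLE_PHP = """<?php echo '<script src="//dga-placeholder.invalid/campaign.js"></script>'; ?>"""


def find_offsite_scripts(text, allowed_hosts):
    """Return a finding for each script include that is off-site or carries the campaign.js path.
    Relative includes (no host) are treated as first-party and not reported."""
    hits = []
    for url in SCRIPT_SRC.findall(text):
        parsed = urlparse(url, scheme="http")        # scheme-relative //host/x still yields a host
        reasons = []
        if parsed.hostname and parsed.hostname.lower() not in allowed_hosts:
            reasons.append("script loaded from non-allow-listed host")
        if parsed.path.lower().endswith("/campaign.js"):
            reasons.append("campaign.js path matches the reported Necro injection")
        if reasons:
            hits.append({"url": url, "host": parsed.hostname, "reasons": reasons})
    return hits


def scan_tree(root, allowed_hosts):
    """Walk a web root and map each affected file path to its findings."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_offsite_scripts(fh.read(), allowed_hosts)
                if hits:
                    findings[path] = hits
    return findings


if __name__ == "__main__":
    for hit in find_offsite_scripts(SAMPLE_PAGE + SAMPLE_PHP, {"cdn.example.com"}):
        print(hit)
```

Because the host is DGA-generated, the allow-list comparison rather than a fixed domain match is what catches the current variant; an exact match on the old `ublock-referer[.]dev` host would miss it.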
Patch news.
October's Patch Tuesday fell this week, and the Zero Day Initiative summarizes six Adobe and seventy-one Microsoft security updates. Three of the problems Microsoft (a CyberWire sponsor) patched are rated “critical” by Redmond. One of these involves Microsoft Word. The other two are remote code execution issues in Windows Hyper-V.
Adobe issued patches for Reader, Acrobat, Commerce, and Connect. The Zero Day Initiative said of the flaws, "All require some form of user interaction, such as browsing to a web page or opening a PDF."
Apple has new versions of iOS (version 15.0.2) and iPadOS (also designated 15.0.2) out. They address a vulnerability (CVE-2021-30883) currently being exploited in the wild. If unpatched, BleepingComputer writes, the vulnerability could be used for either staging malware or stealing information from affected devices. A proof-of-concept exploit has been published that was developed by reverse-engineering Apple’s fix.
As usual, KrebsOnSecurity has a good, useful summary of the month's patches. One of his observations is worth noting, especially given what Randori said about the importance of not overlooking the less highly rated vulnerabilities. KrebsOnSecurity thinks that the highly rated but still less than critical fixes are among the most interesting of the Microsoft patches. The ones that lend themselves to exploitation for privilege escalation are, Krebs writes, particularly worth attention.
CISA on Thursday released more than twenty industrial control system advisories.
Crime and punishment.
A Maryland couple have been charged with violations of the Atomic Energy Act. Jonathan and Diana Toebbe [Tebby] are said to have sold Restricted Data related to submarine nuclear propulsion systems to an FBI undercover operative they believed to be an agent of a "foreign power." Jonathan Toebbe is an engineer employed by the US Department of the Navy. The Toebbes are said to have asked for $100,000 in Bitcoin (of course) in exchange for the Restricted Data they were offering. "Restricted Data" is a term of art defined in the US Atomic Energy Act as "all data concerning (1) design, manufacture, or utilization of atomic weapons; (2) the production of special nuclear material; or (3) the use of special nuclear material in the production of energy..." "Restricted Data" is not itself a classification, and data so marked may be controlled at any number of levels, running at least from the relatively low-level Confidential classification up through Top Secret. The information was, the Baltimore Sun reports, stored on SD cards, which were then hidden in a Band-Aid wrapper or a peanut-butter sandwich (no word on whether jelly was included) before being deposited in what spies call a dead drop, which the FBI told them would be out in West Virginia.
Police in Florida have taken a woman into custody on charges of accessing a flight training school's system to alter information on twelve aircraft, WESH reports. The most disturbing change was to alter the status of some planes that required maintenance to "airworthy."
Missouri Governor Mike Parson has denounced the Saint Louis Post-Dispatch for what he characterized as the newspaper's "hacking" of the Department of Elementary and Secondary Education (DESE). He said at a press conference that he's referring the newspaper and its reporter for prosecution. The Post-Dispatch had found some teachers' Social Security Numbers coded into the html of a publicly accessible DESE website where citizens could check teachers' credentials. The paper informed DESE, waited until DESE had taken the information down, and then published its story.
Governor Parson has since doubled down via Twitter, claiming that the Post-Dispatch's story places them on the wrong side of "Tampering with computer data" (a Class A misdemeanor, or, if the action involves theft of $750 or more, a Class E felony). See Ars Technica for a representative discussion of Governor Parson's excursus on that hackin' world. (Ars Technica's story is more measured than most of the others we've seen.)
Courts and torts.
Governor Parson's tweet also points out that "Tampering with computer data, computer equipment, or computer users" is a civil tort. Most of those covering or reacting to the governor's press conference aren't buying it.
Policies, procurements, and agency equities.
The BBC reports that the head of Britain's National Cyber Security Centre, speaking at Chatham House Cyber 2021, described Russian-tolerated criminal cybercrime, notably ransomware, as a threat to the security of British businesses. In this as in other matters the Five Eyes tend to see the threat landscape through similar lenses, with both Russia and China bulking large. The NCSC's Director Lindy Cameron emphasized that ransomware, however, represented the most immediate danger.
From CyberScoop's account, it appears that the theme of the US-convened conference on ransomware is that the threat is transnational, and therefore demands an international response. CyberScoop quotes US National Security Advisor Jake Sullivan as saying, “No one country, no one group can solve this problem. Transnational criminals are most often the perpetrators of ransomware crimes, and they often leverage global infrastructure and money laundering networks across multiple countries, multiple jurisdictions to carry out their attacks.”
The gangs may be transnational, but there seems to be little doubt that they receive a safe harbor and arguably a degree of toleration and encouragement from various states, especially Russia, which is most often mentioned in dispatches as the principal enabler of ransomware groups.
Australia’s government has used the occasion of the conference to explain its own national approach to ransomware, which its published strategy characterizes as aiming to make Australia a “harder target” for this particular kind of attack. The legislative goals of the strategy are worth quoting:
- “Introducing a specific mandatory ransomware incident reporting to the Australian Government.
- “Introducing a stand-alone offence for all forms of cyber extortion.
- “Introducing a stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure (as proposed to be regulated by the Security Legislation Amendment (Critical Infrastructure) Bill 2020).
- “Modernising legislation to ensure that cybercriminals are held to account for their actions, and law enforcement is able to track and seize or freeze their ill-gotten gains.”
Comparable laws are likely to emerge in other nations concerned about controlling ransomware.
Fortunes of commerce.
Facebook continues to receive criticism for its role in the dissemination of mis- and disinformation. The Rappler's Maria Ressa has criticized the social network, which is a principal source of news in the Philippines and elsewhere, for not doing more to vet the stories that pass across it. And Frances Haugen, the Facebook whistleblower who testified before a US Senate subcommittee last week, framed the social network's impact in ways that lent themselves to a public health interpretation of Facebook's effect on its users. Younger users, in particular, are harmed by Facebook's algorithmic pursuit of engagement, and the New York Times described bipartisan approval for treating her testimony as what Senator Blumenthal (Democrat of Connecticut) characterized as Big Tech's "tobacco moment."
Two journalists receive the Nobel Peace Prize.
The Nobel Committee Friday announced that two journalists, Maria Ressa (of the Rappler, in the Philippines), and Dmitry Muratov (of Novaya Gazeta, in Russia) would be awarded this year's Peace Prize. The Washington Post describes both journalists' critical engagement with their respective governments. Congratulations to both Laureates.