By the CyberWire staff
Water treatment cyberattack.
On Monday, Sheriff Bob Gualtieri of Pinellas County, Florida said his office was investigating an incident on February 5th in which a threat actor attempted to alter the level of chemicals in the city of Oldsmar's potable water supply. The actor remotely accessed control systems at the city's water utility and increased the level of sodium hydroxide (lye) from 100 parts per million to a potentially lethal 11,100 parts per million. A treatment plant operator noticed the adjustment and immediately corrected it, and the city's mayor stressed that there were controls in place that would have caught the change before any toxic water left the facility.
The attacker gained access to the system via TeamViewer remote access software, and the plant employee watched as the cursor moved across the screen. (WIRED notes that this in itself wasn't unusual, and the employee initially thought a coworker was accessing the system.) TeamViewer told CNN that there's no indication that the attackers exploited a vulnerability in its product. The FBI issued an alert stating that "The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system." A Cybersecurity Advisory for Public Water Suppliers from the Massachusetts Department of Environmental Protection describes the incident and notes that "All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system. Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed."
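The weaknesses the FBI and MassDEP describe (one shared remote-access password, Windows 7 hosts exposed directly to the Internet, a remote-control tool the operators used routinely) mean a plant that keeps TeamViewer has to review its session history rather than rely on someone happening to see the mouse move. The script below is an added example, not code from the CyberWire article or from TeamViewer: it reads an incoming-connection log, flags sessions from partner IDs that are not on an allowlist, and flags sessions that start outside shift hours. It assumes the tab-separated layout of TeamViewer's Connections_incoming.txt (partner ID, partner name, start, end, local user, connection type, connection ID; timestamps dd-mm-yyyy HH:MM:SS); the sample lines, IDs, names and allowlist are constructed for the demo.

```python
"""Review a TeamViewer-style incoming-connection log for remote sessions
that should not be there: partner IDs not on an allowlist, and sessions
that start outside plant shift hours.

Added example, not from the CyberWire article or from any vendor.  The
log layout assumed here follows TeamViewer's Connections_incoming.txt
(tab-separated: partner ID, partner name, start, end, local user,
connection type, connection ID; timestamps dd-mm-yyyy HH:MM:SS).  The
sample lines, IDs and names below are constructed for the demo.
"""
from datetime import datetime, time

# Constructed sample log: two normal daytime sessions from a known partner
# ID, one unknown ID at 08:03, and one known ID at 01:17 in the morning.
SAMPLE_LOG = """\
123456789\tshift-lead-laptop\t05-02-2021 08:02:11\t05-02-2021 08:40:57\tOPERATOR\tRemoteControl\t{aaaa-1}
123456789\tshift-lead-laptop\t05-02-2021 13:15:02\t05-02-2021 13:21:40\tOPERATOR\tRemoteControl\t{aaaa-2}
987654321\tunknown\t05-02-2021 08:03:30\t05-02-2021 08:10:12\tOPERATOR\tRemoteControl\t{bbbb-1}
555555555\tintegrator-vpn\t06-02-2021 01:17:44\t06-02-2021 01:25:09\tOPERATOR\tRemoteControl\t{cccc-1}
"""

# Hypothetical allowlist of partner IDs the plant expects to see.
ALLOWED_PARTNERS = {"123456789", "555555555"}
SHIFT_START, SHIFT_END = time(6, 0), time(18, 0)


def parse_sessions(text):
    """Yield one dict per log line; lines without exactly 7 fields are skipped."""
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 7:
            continue
        partner_id, partner_name, start, end, local_user, conn_type, conn_id = fields
        yield {
            "partner_id": partner_id,
            "partner_name": partner_name,
            "start": datetime.strptime(start, "%d-%m-%Y %H:%M:%S"),
            "end": datetime.strptime(end, "%d-%m-%Y %H:%M:%S"),
            "local_user": local_user,
            "type": conn_type,
            "conn_id": conn_id,
        }


def review(text, allowed=ALLOWED_PARTNERS, shift=(SHIFT_START, SHIFT_END)):
    """Return (conn_id, reason) pairs for sessions that deserve a human look."""
    findings = []
    for s in parse_sessions(text):
        if s["partner_id"] not in allowed:
            findings.append((s["conn_id"], "partner ID not on allowlist"))
        if not (shift[0] <= s["start"].time() < shift[1]):
            findings.append((s["conn_id"], "session started outside shift hours"))
    return findings


if __name__ == "__main__":
    for conn_id, reason in review(SAMPLE_LOG):
        print(f"{conn_id}: {reason}")
```

Run against the constructed log it reports the unknown partner ID and the 01:17 session. On a real plant the allowlist is the list of partner IDs the integrator and staff actually use, and the review runs on a machine that is not the exposed SCADA host; none of this substitutes for putting the HMI behind a firewall and VPN and retiring the shared password.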
There's no word on who might be responsible for the attack. Researchers at Intel 471 note that in May 2020 someone was selling "access to a water treatment plant in Florida, via a virtual network computing (VNC) permission that granted system access to a 'Groundwater Recovery & Treatment System,'" and one of the screenshots showed controls for a sodium hydroxide pump. The researchers stress, however, that "Although Intel 471 could not definitively confirm or deny a link between the access offered by the actor and the Oldsmar, Florida incident, there was no information that directly tied the two events together at the time this report was published. The actor shared this information in a Telegram channel that is known for cyberattacks and account cracking."
The Washington Post's Ellen Nakashima quotes former Cybersecurity and Infrastructure Security Agency Director Chris Krebs as stating that the attacker was "very likely" a malicious insider; Krebs later clarified that "It's possible that this was an insider or a disgruntled employee. It's also possible that it's a foreign actor. But we should not jump to a conclusion that it's a sophisticated adversary." Jorge Orchilles, CTO at SCYTHE, points out that "The easiest way to get caught as a red teamer is to move someone's mouse. Nothing freaks people out more than their mouse moving when they aren't touching it. It is a psychological thing." NBC News's Kevin Collier thinks this suggests that the attacker is probably more skid than mastermind, tweeting "We know almost nothing about who they are, but here's a strong indication this wasn't a masterminded plan." That's not necessarily reassuring, he added: "Is it comforting to know this probably wasn't some Russian master plan to poison some Floridians? Or more disturbing to think this is how close an amateur could get?"
Have you been hearing the buzz about SPACs in the news lately?
Be sure to tune in to the CyberWire's Daily Podcast on Monday, February 15th when the team shares an encore episode of "Getting the specs on the cyber SPAC" and, as a bonus, you will hear Dave's update interview with Hank Thomas, one of our original interviewees.
Bloomberg revives claims of Super Micro hardware backdoors.
Bloomberg has revived its 2018 story asserting that Chinese intelligence services planted hardware backdoors on Super Micro server motherboards. The publication's first story was met with widespread skepticism, and AppleInsider says "there is nothing in the new story to corroborate the widely debunked original report." Dragos' Robert M. Lee stated that "it’s an insanely sensational claim" for which "no evidence has ever been presented," and that "the burden of proof is on the journalists." Super Micro has again denied the accuracy of the story, stating in part:
"Super Micro Computer, Inc. (SMCI), a global leader in enterprise computing, storage, networking solutions and green computing technology, strongly refutes the accuracy of information in a recent Bloomberg article.
"Bloomberg's story is a mishmash of disparate and inaccurate allegations that date back many years. It draws farfetched conclusions that once again don't withstand scrutiny. In fact, the National Security Agency told Bloomberg again last month that it stands by its 2018 comments and the agency said of Bloomberg's new claims that it "cannot confirm that this incident—or the subsequent response actions described—ever occurred." Despite Bloomberg's allegations about supposed cyber or national security investigations that date back more than 10 years, Supermicro has never been contacted by the U.S. government, or by any of our partners or customers, about these alleged investigations.
"Bloomberg has produced no conclusions from these alleged investigations. Nor could Bloomberg confirm to us if any alleged investigation was even ongoing. To the contrary, several of the U.S. government agencies Bloomberg claims had initiated investigations continue to use our products and have done so for years."
Video game studio refuses to pay ransom.
Polish video game studio CD Projekt Red, creator of the Witcher series and Cyberpunk 2077, disclosed that it had sustained a ransomware attack that involved theft of data. The hackers claimed to have stolen the source code for Cyberpunk 2077 and an unreleased version of the Witcher 3, and threatened to release the data if the company didn't pay up. CD Projekt Red refused, stating, "We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data. We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach. We are still investigating the incident, however at this time we can confirm that – to our best knowledge – the compromised systems did not contain any personal data of our players or users of our services. We have already approached the relevant authorities, including law enforcement and the President of the Personal Data Protection Office, as well as IT forensic specialists, and we will closely cooperate with them in order to fully investigate this incident."
The Verge reports that the hackers initially tried to auction the stolen code for a starting price of $1 million and a "buy-it-now" price of $7 million. Security firm KELA says the attackers have since ended the auction, stating that an outside buyer purchased the code. Vice says some of the data have also been posted publicly.
For more, see the CyberWire Pro Privacy Briefing.
Empower your modern security operations center.
Red Canary is your security ally offering security operations teams detection and response capabilities to maintain visibility of and protect all the critical areas of their environment—endpoints, network, and cloud. Red Canary is relentless in their mission to improve security for the entire community and committed to sharing open-source tools and educational content. See what it’s like to have a partner in the fight today.
Iranian cyberespionage activities.
Researchers at Check Point are tracking the activities of "Domestic Kitten," an Iranian threat actor known for conducting "extensive surveillance operations against Iranian citizens that could pose a threat to the stability of the Iranian regime, including internal dissidents, opposition forces, ISIS advocates, the Kurdish minority in Iran, and more." The researchers have found four campaigns that are currently active. The actors use compromised websites, Telegram channels, and SMS messages to trick their victims into installing malware. Domestic Kitten's malware, dubbed "FurBall," is capable of "collecting device identifiers, grabbing SMS messages and call logs, surround recording with the device microphone, call recording, stealing media files (such as videos and photos), obtaining a list of installed applications, tracking the device location, stealing files from the external storage, and more." The vast majority of Domestic Kitten's victims were located in Iran, with some in the US, Pakistan, Afghanistan, the UK, and Turkey.
Check Point and SafeBreach Labs also describe "Infy," another threat actor attributed to Iran. In the latest campaign, the researchers say, Infy was able to "fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and tooling capabilities." Infy is using malicious macros in Word documents to deliver new versions of its Foudre malware. Notably, none of the known victims in the latest campaign are located in Iran, whereas in the past the majority of Infy's victims were Iranian. The researchers speculate that the actor "had the DNS records in Iran changed preemptively" to prevent the Iranian victims from being discovered.
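Macro-bearing Word documents remain a routine delivery vehicle, so a mail gateway or triage script should be able to tell a plain .docx from one that carries a VBA project before any sandboxing happens. The script below is an added example, not code from the Check Point/SafeBreach report: it relies only on the Office Open XML packaging rules (a document with VBA contains a word/vbaProject.bin part and a [Content_Types].xml override of type application/vnd.ms-office.vbaProject). The two documents it inspects are built in memory as constructed test data, not real Foudre samples.

```python
"""Flag Office Open XML documents (.docx/.docm) that carry a VBA project.

Added example, not from the Check Point/SafeBreach report.  The check uses
only the OOXML packaging rules: a document containing VBA has a
word/vbaProject.bin part and a [Content_Types].xml override whose
ContentType is application/vnd.ms-office.vbaProject.  The documents built
by build_doc() are constructed in memory so the script runs offline.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MAIN_CONTENT_TYPE = ("application/vnd.openxmlformats-officedocument"
                     ".wordprocessingml.document.main+xml")


def has_vba_project(blob: bytes) -> bool:
    """True if the OOXML package carries a VBA part or declares the VBA content type."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = set(z.namelist())
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        pass  # not an OOXML package: legacy OLE2 .doc, truncated file, etc.
    return False


def build_doc(with_macro: bool) -> bytes:
    """Build a minimal OOXML package with or without a VBA part (constructed test data)."""
    overrides = (f'<Override PartName="/word/document.xml" '
                 f'ContentType="{MAIN_CONTENT_TYPE}"/>')
    if with_macro:
        overrides += (f'<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE2 signature followed by padding stands in for a real VBA project stream.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_doc(False)), ("macro", build_doc(True))):
        print(f"{label}: has VBA project = {has_vba_project(blob)}")
```

The check answers only "does this package carry VBA", which is the gating question for a gateway policy that blocks or sandboxes macro documents from outside the organisation. Legacy binary .doc files are OLE2 containers rather than zip packages, so they fall through the BadZipFile branch here and need an OLE parser (for instance oletools' olevba) instead.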
For more, see the CyberWire Pro Research Briefing.
Want to get your message to leaders in cyber?
Security leaders across the globe trust the CyberWire and depend on us every day to deliver the news and analysis they need to do their jobs. That’s also why so many top security companies and hot startups trust us to help get the word out about their brand and fill their sales funnels. We have lots of great sponsorship opportunities that can help you get the word out too. Learn more at thecyberwire.com/sponsorship.
Cyber operations against ISIS.
The Grey Zone podcast featured an interview with GCHQ Director Jeremy Fleming and General Sir Patrick Sanders, head of the UK’s Strategic Command, also responsible for military cyber operations, in which they described Britain’s cyber operations against ISIS. British cyber forces disrupted the terrorist group’s drone operations, denied their operators’ mobile service, and interfered with online propaganda.
The campaign by Britain’s National Cyber Force, most active in 2016 and 2017, is, Sky News says, the UK’s only publicly avowed offensive cyber operation to date. The counter-propaganda influence operation is in some ways the most interesting and intrusive of the efforts. Fleming is quoted as saying, "We prevented their propaganda, both through physical actions on the battlefield, but also remotely getting to their servers, getting to the places that they stored their material." The intrusion into ISIS networks extended to locking ISIS members out of accounts, deleting or altering the group’s information, and taking down online posts and videos.
"We wanted to ensure that when they tried to co-ordinate attacks on our forces, their devices didn't work, that they couldn't trust the orders that were coming to them from their seniors," General Sanders said, adding that deception and misdirection were important ways of degrading ISIS combat power.
Tactically, British cyber operators (said to have been working closely with allies, including the US) were able to block ISIS commanders’ orders from reaching subordinates, and were also able to misdirect ISIS forces on the ground.
It was, General Sanders explained, a multidomain effort. The cyber operations didn’t stand on their own. "We wanted to deceive them and to misdirect them,” he said, “to make them less effective, less cohesive and sap their morale. But you can't just do that in cyberspace. You have to co-ordinate and integrate that with activities that are going on on the ground, whether it's from our own forces, special forces and others."
For more, see the CyberWire Pro Disinformation Briefing.
How'd you like to be the office cybersecurity hero?
With a CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis, and trends across the evolving cybersecurity landscape, save some money, and look like a hero at the same time. To learn more, visit our CyberWire Pro page and click on the Contact Us link in the Enterprise box.
Mergers and acquisitions.
Appgate, a zero-trust access management firm based in Miami, is merging with Newtown Lane Marketing. The company stated, "Upon consummation of the transaction, Appgate will become a public company with significant financial resources to accelerate growth, scale, and go-to-market strategies. Appgate also announced that a leading alternative investment manager with over $12.5 billion in assets under management is investing up to $100 million in convertible notes at a $1 billion post-money valuation."
Insight Partners is in the early stages of preparing to sell Washington, DC-based privileged access management company Thycotic, PE Hub reports.
Mountain View, California-based endpoint security company SentinelOne is acquiring Scalyr, a log management platform provider headquartered in San Mateo, for $155 million in equity and cash. SentinelOne's CEO and co-founder Tomer Weingarten stated, "Through our acquisition of Scalyr, SentinelOne is solving one of the industry’s biggest data challenges for delivering fully integrated XDR capabilities. Scalyr’s big data technology is perfect for the use cases of XDR, ingesting terabytes of data across multiple systems and correlating it at machine speed so security professionals have actionable intelligence to autonomously detect, respond, and mitigate threats."
Collibra, a data intelligence platform provider headquartered in Belgium, has acquired Maryland-based predictive data quality company OwlDQ. Collibra stated, "The integration of OwlDQ into the Collibra Data Intelligence Cloud introduces a new offering, Collibra Data Quality, which will allow organizations to centralize and automate data quality workflows to comply with global regulations and streamline their data and analytics processes across the enterprise."
More business news can be found in the CyberWire Pro Business Briefing.
Patch news.
Microsoft patched 56 vulnerabilities in Windows, including four that could lead to remote code execution, Naked Security writes. Redmond also issued a fix for a Win32k elevation-of-privilege flaw (CVE-2021-1732) that's being actively exploited in the wild.
Adobe issued fixes for Acrobat and Reader, Dreamweaver, Photoshop, Illustrator, Animate, and Magento, Help Net Security reports.
CISA released twenty-three Industrial Control Systems Advisories. The agency added three more Advisories on Thursday: one for Wibu-Systems CodeMeter, a second for Rockwell Automation DriveTools SP and Drives AOP, and a third for TCP/IP stacks embedded in a range of vendors' products.
Help Net Security has a good rundown of the Microsoft and Adobe Patch Tuesday fixes. One noteworthy item from Microsoft isn't a patch but an enhancement: henceforth Windows Defender will alert users when it detects activity attributed to a nation-state threat actor targeting them.
Crime and punishment.
The UK's National Crime Agency (NCA) has arrested eight individuals in England and Scotland suspected of launching SIM swapping attacks, ZDNet reports. Europol, which coordinated the international investigation that preceded the arrests, stated, "These arrests follow earlier ones in Malta (1) and Belgium (1) of other members belonging to the same criminal network. The attacks orchestrated by this criminal gang targeted thousands of victims throughout 2020, including famous internet influencers, sport stars, musicians and their families. The criminals are believed to have stolen from them over USD 100 million in cryptocurrencies after illegally gaining access to their phones. This international sweep follows a year-long investigation jointly conducted by law enforcement authorities from the United Kingdom, United States, Belgium, Malta and Canada, with international activity coordinated by Europol." Paul Creffield, head of operations in the NCA’s National Cyber Crime Unit, stated that "those arrested face prosecution for offences under the Computer Misuse Act, as well as fraud and money laundering as well as extradition to the USA for prosecution."
A 25-year-old man from Rochester, New York, has pleaded guilty to hacking social media accounts and stealing nude photos of dozens of female victims.
Ukrainian police have arrested the alleged creator of uPanel, one of the most popular phishing kits on the market, ZDNet reports.
Courts and torts.
A federal judge has rejected Target's $138 million insurance claim against ACE (an insurance firm now known as Chubb) involving the retailer's 2013 data breach, Insurance Journal reports. The claim was related to the cost of replacing payment cards that were compromised in the breach. The judge wrote, "Here, the record is devoid of any allegation or evidence as to what the value of the use of the payment cards is, either to Target’s customers or to the payment card companies."
Policies, procurements, and agency equities.
Virginia is close to passing its Consumer Data Protection Act, the Wall Street Journal reports. The law would take effect in 2023, and would allow residents to request, amend, or scrub data gathered by larger businesses, and decline to have their data sold or used for targeted advertising.
The New York Times says the Biden Administration has revealed that Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger is leading the Solorigate response.
For more, see the CyberWire Pro Policy Briefing.