At a glance.
- Sudan closes its Internet.
- Chinese influence campaign targets US elections.
- Cyberattacks on Polish and Slovak parliaments reported.
- FBI warns of Iranian threat group's activity.
- IBM announces grants to schools.
- Communications security and compliance.
- LogCrusher and OverLog.
- Trends in employee attitudes about cybersecurity.
- Software supply chain security study.
- A look at vulnerability scanning tools.
- Trojans being spread through scanners.
- Cyber seed rounds an exception to a general downtrend in venture investment.
- A look at the state of OT/ICS cybersecurity.
- From SecurityWeek’s ICS Cyber Security Conference: distinguishing attacks from ordinary failures.
- CISA alert: Daixin Team ransomware is an active threat.
- Misconfigured Thomson Reuters databases left unprotected.
Sudan closes its Internet.
On the first anniversary of the military coup that brought the current regime to power, the Record reports, Sudan has shut down most of the country's Internet access. The measure, likely to be temporary, comes as civil unrest spreads through the country. According to Reuters, protesters number in the tens of thousands.
Chinese influence campaign targets US elections.
Mandiant Wednesday morning described what it characterizes as a "pro-PRC influence campaign" actively directed against the US midterm elections. The themes of the campaign (Mandiant calls it "DRAGONBRIDGE") are familiar and unconvincing stuff. The researchers outline three:
- "Claims that the China-nexus threat group APT41 is instead a U.S. government-backed actor.
- "Aggressive attempts to discredit the U.S. democratic process, including attempts to discourage Americans from voting in the 2022 U.S. midterm elections.
- "Allegations that the U.S. was responsible for the Nord Stream gas pipeline explosions."
Taken individually, it's sad stuff, but the opportunistic, scattershot quality of the narratives, coupled with new sophistication in impersonation, plagiarism, and alteration of sources, and the use of inauthentic personae to amplify messaging, suggests that the objective may be confusion, a more attainable goal than the persuasion that has heretofore been the more common Chinese aim.
Cyberattacks on Polish and Slovak parliaments reported.
According to AFP (via Barron's), the parliaments of both Poland and Slovakia sustained cyberattacks yesterday that knocked out various parliamentary networks, including those supporting both voting and telecommunications. From descriptions of the attacks, the incidents appeared to be distributed denial-of-service (DDoS) attacks. "We have identified a cyber security incident... There is a signal coming from some point which jams our systems, computers, we cannot even serve the lawmakers in our cafeteria," Reuters quotes Bruno Kollar, speaker of the Slovak parliament, as saying. Polish sources said that some of the attack traffic originated from Russia, and it's widely suspected that the attacks were a Russian operation retaliating for Polish and Slovak support for Ukraine in the present war.
FBI warns of Iranian threat group's activity.
The FBI has warned enterprises that Emennet Pasargad, an Iranian hacker group with ties to the Iranian government that tried to interfere in the 2020 election, is currently active. It is, the Bureau says, engaged in hack-and-leak operations of a kind familiar from earlier election cycles. Decipher reports that the FBI says the group uses “network intrusions along with information operations and fake personas that exaggerate and amplify the group’s operations.” The group has also been seen exploiting CVE-2021-44228, or Log4Shell, to get into a US organization’s server, Gov Info Security reports. The threat actors use open-source penetration testing tools and look for vulnerabilities in content management systems; websites running PHP code or those with externally accessible MySQL databases are the group's preferred targets. For more on Emennet Pasargad, see CyberWire Pro.
IBM announces grants to schools.
IBM Monday announced the recipients of the 2022 IBM Education Security Preparedness Grants. The grants total about $5 million, and eight recipients have been selected so far to address cybersecurity resiliency for their school districts. For more on IBM's grants and their recipients, see CyberWire Pro.
Communications security and compliance.
Theta Lake released its 2022 Modern Communications Security and Compliance Report Tuesday, detailing the use of communications tools today, existing methods for handling security and compliance, and the challenges faced by organizations. The report found that unmonitored communication channels are the biggest risk. For more on this study, see CyberWire Pro.
LogCrusher and OverLog.
Researchers at Varonis discovered two Windows vulnerabilities they’re calling “LogCrusher” and “OverLog,” located in the operating system’s Internet Explorer-specific Event Log. The vulnerabilities can be used to carry out denial-of-service attacks:
- “LogCrusher, which allowed any domain user to remotely crash the Event Log application of any Windows machine on the domain.
- “OverLog, which causes a remote denial-of-service (DoS) attack by filling the hard drive space of any Windows machine on the domain. (CVE-2022-37981)”
Varonis says Microsoft has patched the OverLog vulnerability and offered recommendations for mitigating LogCrusher. For more on LogCrusher and OverLog, see CyberWire Pro.
Trends in employee attitudes about cybersecurity.
Terranova Security has published a report on security awareness among employees in the US, finding that “just over a third (35%) of employees express little-to-no concern about data theft at work, and 20% believe they can't be targeted at all by cyber criminals.” Somewhat less than half say they've taken cybersecurity awareness training, and about a third say their company doesn't offer any. Less than 10% thought their company was doing a good job with cybersecurity, which suggests there's plenty of room for improvement in the workplace. For more on employee attitudes, see CyberWire Pro.
Software supply chain security study.
BlackBerry has released the results of a survey focused on supply chain software security, conducted by research firm Coleman Parkes. Surveyed were 1,500 IT decision makers and cybersecurity professionals from North America, the United Kingdom, and Australia. 81% of those surveyed reported experiencing cyberattacks in the last 12 months, with 29% indicating that they had been compromised via operating systems. For more on the study, see CyberWire Pro.
A look at vulnerability scanning tools.
Rezilion Wednesday released a report, the “Vulnerability Scanner Benchmark,” detailing inaccuracies they’ve found across popular commercial and open-source scanning technologies. Testing six different, popular vulnerability scanners, Rezilion found that only 73% of the vulnerabilities that should have been detected were actually returned as results. Of the results that were returned, only 82% were correctly identified and relevant. Across the 20 containers examined from DockerHub, over 450 high- and critical-severity vulnerabilities were wrongly identified. On average, the scanners also missed more than 16 vulnerabilities per observed container. For more on the results of Rezilion's study, see CyberWire Pro.
Trojans being spread through scanners.
Spoofed scanner notifications are being used to deliver Trojans, Avanan says in a report released Thursday. The report discusses the attack itself, the techniques used, and the best practices Avanan recommends. The attackers send malicious files as attachments to emails that impersonate notifications from document scanners. The example email was titled “Commission Receipt,” a lure that may entice recipients to click because they think they are receiving a paycheck. Check Point Research identified the attachment and verified that it is a Trojan. If opened, the file would attempt to take over the end user’s computer. For more on the scanner exploit, see CyberWire Pro.
Cyber seed rounds an exception to a general downtrend in venture investment.
DataTribe released a report Thursday detailing the state of venture capital investments and cyber startups in Q3 2022. Venture activity is down overall and continues to fall. The exception, DataTribe found, is cybersecurity seed investment activity, which increased 37.5%, from 24 to 33 deals year over year. Overall, cybersecurity activity is down only 3.3% year over year, compared to a decline of 23.7% across other verticals. For more on DataTribe's report, see CyberWire Pro.
A look at the state of OT/ICS cybersecurity.
The SANS 2022 OT/ICS Cybersecurity Report, sponsored by Nozomi Networks, was released Friday morning. The survey indicates that OT cybersecurity has improved in certain respects compared to last year’s survey. Ransomware was the leading threat, closely followed by nation-state attacks, non-ransomware cybercrime, and threats to hardware and software supply chains. One disturbing trend is a rise in attacks in which engineering workstations were the initial attack vector, but in general most attacks (41%) arrived through IT networks and often spread through removable media (in 37% of the attacks). See CyberWire Pro for more on the study.
From SecurityWeek’s ICS Cyber Security Conference: distinguishing attacks from ordinary failures.
This week, at SecurityWeek’s ICS Cyber Security Conference, David Lancaster Jr., OT/ICS Security Practice Manager at IBM, described a challenge industrial operations face: distinguishing system failures, asset failures, and cyber incidents. The question, an important one in organizing resiliency, has gained salience as the air gaps that once protected legacy industrial systems disappear. “Fully air-gapped systems where we are today truly don’t exist,” Lancaster said, explaining that the line between IT and OT has blurred as legacy systems are decommissioned and replaced by digitally connected IoT systems. This convergence has occurred as manufacturing and critical infrastructure have grown increasingly attractive to threat actors. See CyberWire Pro for more on the conference.
CISA alert: Daixin Team ransomware is an active threat.
CISA has warned that the Daixin Team, a criminal ransomware group, is currently active against US organizations. The Joint Alert says in part, "The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations." Listen to CISA's alert on the CyberWire.
Misconfigured Thomson Reuters databases left unprotected.
Researchers at Cybernews have discovered that multinational media giant Thomson Reuters left three public-facing Elasticsearch databases exposed, one of which contained at least 3TB of sensitive customer and corporate data, including third-party server passwords. The names of the indices indicated that the company was using the database as a logging server to collect data gathered through user-client interaction, making it a tempting target for threat actors looking to launch a supply chain attack. Mantas Sasnauskas, Cybernews’ Head of Security Research, explains, “This instance left sensitive data open and was already indexed via popular IoT [internet of things] search engines. This provides a large attack surface for malicious actors to exploit not only internal systems but a way for supply chain attacks to get through. A simple human error can lead to devastating attacks, from data exfiltration to ransomware.” Thomson Reuters says that two of the three misconfigured servers were designed to be publicly accessible, while the third was a non-production server used for pre-production and implementation work. Still, experts say the breach could have serious consequences. Benjamin Fabre, co-founder and chief executive of bot protection company DataDome SAS, told SiliconANGLE that threat actors and the bots they deploy “can (and will) leverage personally identifiable information to conduct all sorts of attacks, including account takeover, credential stuffing, carding and more. This likely won’t be the last we hear of this breach.”
Patch news.
On October 25th, the US Cybersecurity and Infrastructure Security Agency (CISA) issued eight Industrial Control System (ICS) Advisories, for AliveCor KardiaMobile ("Authentication Bypass by Assumed-immutable Data, Missing Encryption of Sensitive Data"), Haas Controller ("Missing Authentication for Critical Function, Insufficient Granularity of Access Control, Cleartext Transmission of Sensitive Information"), HEIDENHAIN Controller TNC ("Improper Authentication"), Siemens Siveillance Video Mobile Server ("Weak Authentication"), Hitachi Energy MicroSCADA X DMS600 ("Reliance on Uncontrolled Component"), Johnson Controls CKS CEVAS ("Cross-site Scripting"), Delta Electronics DIAEnergie ("Cross-site Scripting, SQL Injection"), and Delta Electronics InfraSuite Device Master ("Deserialization of Untrusted Data, Path Traversal, Missing Authentication for Critical Function").
CISA also released four Industrial Control System (ICS) Advisories on Thursday, addressing vulnerabilities in Rockwell Automation FactoryTalk Alarm and Events Server, SAUTER Controls moduWeb, Rockwell Automation Stratix Devices Containing Cisco IOS, and Trihedral VTScada.
Crime and punishment.
The US Department of Justice Monday afternoon held a press conference to announce the unsealing of three cases against thirteen Chinese nationals, including ten Chinese intelligence officers. The first involved charges against two Chinese intelligence officers who allegedly bribed a US citizen, an insider, to reveal sensitive and non-public information about the US prosecution of a Chinese telecommunications company. The Justice Department declined to name the Chinese company involved in the prosecution, but the Wall Street Journal reports that sources confirm that the company is Huawei. The second case involved the activities of a front Chinese academic organization, “a fake think tank,” that had allegedly been engaged in both theft of US intellectual property and the suppression of Constitutionally protected free speech regarded as embarrassing to China. Four individuals were charged in that case. Finally, the third case, in which seven individuals were indicted, involved China’s Operation Fox Hunt, a long-running program of forcibly repatriating Chinese who have emigrated to other countries and who are regarded as a threat to the reputation or security of the People’s Republic. Chinese agents are alleged to have hounded victims and their families with physical intimidation, frivolous lawsuits, threats, and other harassment, with Foreign Policy reporting that the seven promised to make the victim’s life an “endless misery,” saying that the harassment would not stop until the victims returned to China. For more on the indictments, see CyberWire Pro.
Courts and torts.
Last week, Texas Attorney General Ken Paxton activated the state’s biometric privacy law, which has remained mostly dormant since its establishment in 2009, to bring a suit against tech giant Google. Paxton alleges that Google’s data practices violate the 2009 Capture or Use of Biometric Identifier (CUBI) Act, which states that users must be informed if records of their biometric identifiers are being captured and stored. The Record by Recorded Future explains that Google uses a facial recognition system to identify individuals depicted in Google Photos, and also employs face matching and voice recognition in its Nest smart home devices. The suit states, “Google records—without consent—friends, children, grandparents, and guests who stop by, and then stores their voiceprints indefinitely…Ultimately, Google has turned Texans’ desire to take, store, and share photos and videos into a testing ground for AI and other products in its ever-growing, advertising-revenue stream. And, Google has enlisted the friends and family members of those Texans as non-consenting, unknowing participants in Google’s scheme.” The suit could cost Google a pretty penny, as CUBI authorizes penalties of up to $25,000 per violation. Paxton is also seeking an injunction barring Google from collecting or maintaining biometric data in Texas without appropriate consent.
Google spokesperson José Castañeda said the Attorney General was “once again mischaracterizing” the company’s products, noting that the facial recognition feature is visible only to users of that account and can be deactivated by the user. He added that Google doesn’t use the content for advertising purposes. The case highlights the important role states can play in keeping tech giants’ customer data practices in check, an area in which federal lawmakers have struggled. In addition to Texas, states like California, New York, and Illinois have also used their influential economies and large populations to bolster their impact in tech regulation, setting standards when federal bodies have come up short. Electronic Frontier Foundation senior attorney Adam Schwartz told The Record, “States are leading the effort to protect biometric privacy, because Congress has failed to do so.”
Policies, procurements, and agency equities.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued voluntary cybersecurity performance goals. CISA explains, "The CPGs [Cybersecurity Performance Goals] are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance," especially those developed by the National Institute of Standards and Technology (NIST), "as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations, but also to the American people."
Described as voluntary and not comprehensive, the goals were formulated to be:
- "A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
- "A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
- "A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
- "Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation."
The US has published its National Defense Strategy. The document highlights the threat from four familiar adversaries (China, Russia, North Korea, and Iran), all of whom deploy notable offensive cyber capabilities. The Strategy emphasizes deterrence and, with respect to cyberspace, deterrence through resilience, which it suggests is achievable through a range of measures that include encryption and implementation of zero-trust principles. It also says that the US will pursue deterrence by direct and collective cost imposition, which could include offensive cyber operations. This represents a more assertive use of national power in cyberspace. "We will conduct cyberspace operations," the document says, "to degrade competitors' malicious cyber activity and to prepare cyber capabilities to be used in crisis or conflict."
The UK and the US have pledged to work together to combat cyberthreats by launching a joint military operation, and the UK Ministry of Defence (MoD) last week announced that the UK Strategic Command will play an important part. The organization, which oversees resources and operations across the three Armed Forces, will provide technology specialists from the MoD’s Defence Digital unit to collaborate with US Cyber Command. MoD described the operation as a “collaborative exercise which will identify threats that could impact the internal systems of participants.” Speaking of the new operation, Rear Admiral Nick Washer, Operations Director at Defence Digital, told Public Technology: “Cyber does not recognise geographic borders. Our relationships with partners offer huge shared benefits; operations like this with US Cyber Command put our expertise into practice and enhance our collective defence.”