All Articles by Dan McCarthy

New Iranian APT Group Said to Target Critical Infrastructure

Security firm Cybereason reports that a previously unknown advanced persistent threat (APT) group, likely backed by the Iranian government, has been carrying out a highly targeted cyber-espionage campaign against aerospace and telecommunications companies in the Middle East, the US, Russia, and Europe since at least 2018. The campaign, dubbed Operation GhostShell, aims to steal sensitive information about critical assets, organizations’ infrastructure, and technology. Cybereason has named the threat actor MalKamak and uncovered a previously undocumented, stealthy remote access trojan that served as the campaign’s primary espionage tool [1]. Iranian-nexus actors have shown a willingness to conduct reconnaissance against, and occasionally destructive attacks on, regional adversaries [2-3]. Given Iran’s increased collaboration with Russia and China on policy, security, and trade, cooperation on cybersecurity matters is plausible as well.

FERC Releases Recommendations for Critical Infrastructure Protection

The Federal Energy Regulatory Commission (FERC) released recommendations to help users, owners, and operators of the bulk-power system (BPS) improve their compliance with the mandatory Critical Infrastructure Protection (CIP) Reliability Standards and their overall cybersecurity posture. FERC recommends that entities enhance their policies and procedures to: 1) evaluate cyber asset misuse and degradation during asset categorization; 2) properly document and implement policies, procedures, and controls for low-impact transient cyber assets; and 3) improve vulnerability assessments to include credential-based scans of cyber assets [1]. While FERC’s recommendations are written for BPS entities, many of them apply equally across other critical infrastructure sectors.

CISA Warns Critical Infrastructure Organizations of BlackMatter Ransomware

US cybersecurity agencies released a joint advisory notifying organizations of cyber attackers using BlackMatter ransomware. Since July 2021, BlackMatter ransomware has been used to target multiple US critical infrastructure entities, including two organizations in the food and agriculture sector. The advisory states that BlackMatter may be a rebrand of DarkSide, the ransomware-as-a-service behind the Colonial Pipeline attack. Using previously compromised credentials, BlackMatter queries Active Directory over the Lightweight Directory Access Protocol (LDAP) and uses the Server Message Block (SMB) protocol to discover all hosts on the network; it then remotely encrypts those hosts and their shared drives as they are found [1]. Although BlackMatter’s website claims it does not attack critical infrastructure facilities [2], at least one event indicates that the operators have violated that claim [3]. Critical infrastructure organizations have a short window of acceptable downtime and are thus attractive targets for ransomware. We recommend organizations review the seven mitigations provided in the joint cybersecurity advisory.
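Because the encryption described above is performed over SMB from a single compromised host rather than by a payload dropped on every victim, one practical detection opportunity is the fan-out itself: one account, from one source address, touching shares on many different hosts within a few minutes. The following is an added example written for this digest, not code from the advisory or from any vendor; it runs a sliding-window fan-out check over constructed records modelled on Windows Security event 5140 ("A network share object was accessed"). The window, threshold, host names, and the allowlist are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 5140, as
# forwarded from several hosts to a central log store. Fields: time, host that
# logged the event, account, source IP, share name. These are NOT real logs.
SAMPLE_EVENTS = [
    # A backup service account touching many hosts, but spread over hours.
    ("2021-10-18T02:00:05", "FS01",  "CORP\\svc-backup", "10.0.5.20", "Backups"),
    ("2021-10-18T02:40:10", "FS02",  "CORP\\svc-backup", "10.0.5.20", "Backups"),
    ("2021-10-18T03:20:15", "HR01",  "CORP\\svc-backup", "10.0.5.20", "Backups"),
    ("2021-10-18T04:00:20", "APP03", "CORP\\svc-backup", "10.0.5.20", "Backups"),
    ("2021-10-18T04:40:25", "DC01",  "CORP\\svc-backup", "10.0.5.20", "SYSVOL"),
    # A user account sweeping six hosts' shares in three minutes.
    ("2021-10-18T09:15:02", "FS01",  "CORP\\jdoe", "10.0.7.41", "Finance"),
    ("2021-10-18T09:15:03", "FS01",  "CORP\\jdoe", "10.0.7.41", "Finance"),
    ("2021-10-18T09:15:40", "FS02",  "CORP\\jdoe", "10.0.7.41", "Engineering"),
    ("2021-10-18T09:16:12", "HR01",  "CORP\\jdoe", "10.0.7.41", "HR$"),
    ("2021-10-18T09:16:55", "APP03", "CORP\\jdoe", "10.0.7.41", "C$"),
    ("2021-10-18T09:17:30", "DC01",  "CORP\\jdoe", "10.0.7.41", "NETLOGON"),
    ("2021-10-18T09:18:01", "FS03",  "CORP\\jdoe", "10.0.7.41", "Archive"),
    # Ordinary activity: two shares on two hosts.
    ("2021-10-18T10:02:00", "FS01",  "CORP\\asmith", "10.0.7.55", "Finance"),
    ("2021-10-18T10:03:00", "FS02",  "CORP\\asmith", "10.0.7.55", "Engineering"),
]

WINDOW = timedelta(minutes=10)   # assumed tuning values
HOST_THRESHOLD = 5
ALLOWLIST = set()                # e.g. {"CORP\\svc-backup"} once vetted


def find_share_fanout(events, window=WINDOW, threshold=HOST_THRESHOLD,
                      allowlist=ALLOWLIST):
    """Return one alert per (account, source IP) that accessed shares on at
    least `threshold` distinct hosts inside any `window`-long interval."""
    by_actor = defaultdict(list)
    for ts, host, account, src_ip, share in events:
        if account in allowlist:
            continue
        by_actor[(account, src_ip)].append(
            (datetime.fromisoformat(ts), host, share))

    alerts = []
    for (account, src_ip), recs in by_actor.items():
        recs.sort()                      # chronological order
        best, start = None, 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            hosts = {h for _, h, _ in recs[start:end + 1]}
            if len(hosts) >= threshold and (
                    best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "account": account,
                    "source_ip": src_ip,
                    "hosts": sorted(hosts),
                    "first_seen": recs[start][0].isoformat(),
                    "last_seen": recs[end][0].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_share_fanout(SAMPLE_EVENTS):
        print(f"{a['account']} from {a['source_ip']} reached "
              f"{len(a['hosts'])} hosts between {a['first_seen']} "
              f"and {a['last_seen']}: {', '.join(a['hosts'])}")
```

On the sample data only the `CORP\jdoe` sweep fires; the backup account touches as many hosts but never more than one per ten-minute window. In production, tune the window and threshold against a baseline of backup, vulnerability-scanner, and management accounts before relying on the allowlist, since those are exactly the credentials a ransomware operator prefers to steal.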

Russian Threat Group behind SolarWinds Continues Supply Chain Attacks

Microsoft reports that the Russian state-sponsored threat group behind the 2020 SolarWinds attacks is now targeting other elements of the software supply chain, such as resellers and technology service providers. The recent attacks have used password spraying and phishing to gain privileged access to systems. Microsoft believes the group hopes to piggyback on whatever direct access resellers hold to their customers’ IT environments in order to reach those downstream customers [1]. Suppliers are a weak point for providers of critical infrastructure. We recommend reviewing the technical guidance released by Microsoft for defending against the recent activity by this group [2, 3].

NIST Draft Report Covers Cybersecurity Supply Chain Risk Management

The National Institute of Standards and Technology (NIST) released the second public draft of its Cybersecurity Supply Chain Risk Management (C-SCRM) Practices for Systems and Organizations. It provides guidance to organizations on identifying, assessing, and mitigating cyber supply chain risks [1]. The complex and interconnected nature of globally distributed supply chains creates a broad attack surface that no single organization can inventory on its own, which makes collaboration between asset owners, suppliers, other operational technology-related service providers, and the public sector crucial [2]. We recommend reviewing the draft report and tracking any revised drafts that NIST may release based on comments received during the public comment period, which is open until December 3.

Industry Report Identifies Primary Challenges Facing Industrial Cybersecurity

Dragos and Ponemon Institute released their annual report on the state of the industrial cybersecurity sector. It identifies cultural differences, technical barriers, and lack of clear ownership as the primary challenges facing OT and IT collaboration. The report advises that bridging the IT-OT cultural divide should be an organization’s first priority. Of note, the report found that these challenges are often not caused by competition for budget or for new security projects. Rather, they stem from the cultural and technical gap between traditional IT best practices and what is possible in OT environments, such as patch management and the unique requirements of industrial automation equipment vendors [1]. Organizations should develop clear standard operating procedures around industrial cyber risk and security programs to eliminate uncertainty about who 1) leads the initiative, 2) implements the controls, and 3) supports the program. We recommend reviewing the report for insights that may be applicable to your organization.

Iranian APT Exploiting Fortinet and Microsoft Exchange Flaws to Target US Critical Infrastructure

A joint advisory from government agencies in the US, UK, and Australia warns that an Iranian state-sponsored advanced persistent threat (APT) group is exploiting Fortinet and Microsoft Exchange vulnerabilities in attacks targeting Australian organizations and US critical infrastructure. Targets include entities in the US transportation and healthcare and public health sectors. According to the advisory, after initial access the attackers likely modified Task Scheduler tasks for payload execution and created new accounts on domain controllers, Active Directory, servers, and workstations to achieve persistence. During the attacks, the APT group employed various tools for credential harvesting (Mimikatz), privilege escalation (WinPEAS), data archiving (WinRAR), and file transfer (FileZilla), among others [1]. The group can use this access for follow-on operations such as data exfiltration, ransomware, and extortion. Given the ongoing nature of the threat, we recommend reviewing the indicators of compromise, targeted vulnerabilities, and mitigations provided in the advisory.
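The two persistence behaviours named above, new accounts and modified scheduled tasks, both leave Windows Security events behind (4720 for account creation, 4698 and 4702 for scheduled task creation and modification). The following is an added hunting example written for this digest, not code from the advisory; it sweeps constructed JSON-lines events, in the shape a log shipper would export, and flags three things: any new account (noting whether it was created on a domain controller), any scheduled task whose action runs from a user-writable path, and any task created or modified by an account that itself was created within the hunt window. The host names, the domain controller list, the path list, and the 72-hour window are assumptions.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample: JSON lines modelled on Windows Security events as a log
# shipper would export them (4720 = user account created, 4698 = scheduled
# task created, 4702 = scheduled task updated). Not real logs; deliberately
# out of time order to show that the hunt sorts before correlating.
SAMPLE_LOG = r"""
{"time": "2021-11-09T23:58:10", "host": "DC01", "event_id": 4720, "subject_user": "CORP\\Administrator", "target_user": "CORP\\svc_update"}
{"time": "2021-11-10T00:20:31", "host": "WS042", "event_id": 4698, "subject_user": "CORP\\svc_update", "task_name": "\\Microsoft\\Windows\\UpdateCheck", "task_command": "C:\\Users\\Public\\AppData\\Local\\update.exe"}
{"time": "2021-11-10T01:00:00", "host": "SRV07", "event_id": 4702, "subject_user": "CORP\\itadmin", "task_name": "\\Backup\\Nightly", "task_command": "C:\\Program Files\\Veeam\\backup.exe /full"}
{"time": "2021-11-10T08:00:00", "host": "FS01", "event_id": 4720, "subject_user": "CORP\\hrops", "target_user": "FS01\\scanner"}
{"time": "2021-11-10T02:15:00", "host": "WS042", "event_id": 4702, "subject_user": "CORP\\svc_update", "task_name": "\\Microsoft\\Windows\\UpdateCheck", "task_command": "C:\\Windows\\Temp\\svc.exe -k"}
"""

DOMAIN_CONTROLLERS = {"DC01", "DC02"}      # assumed asset inventory
CORRELATION_WINDOW = timedelta(hours=72)   # assumed hunt window
TASK_EVENTS = {4698, 4702}
# Locations a legitimate scheduled task rarely runs from (assumed; tune per site).
USER_WRITABLE = re.compile(
    r"(?i)(\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|"
    r"\\windows\\temp\\|\\temp\\)")


def parse_log(text):
    """Parse JSON lines into event dicts sorted chronologically."""
    events = [json.loads(line) for line in text.strip().splitlines()
              if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(events, key=lambda e: e["time"])


def hunt_persistence(events, dcs=DOMAIN_CONTROLLERS, window=CORRELATION_WINDOW):
    """Return a list of findings, each a dict with a 'rule' key."""
    findings = []
    created = {}   # account -> time of its 4720, filled as we sweep forward
    for e in events:
        if e["event_id"] == 4720:
            created[e["target_user"]] = e["time"]
            findings.append({
                "rule": "new_account",
                "host": e["host"],
                "account": e["target_user"],
                "on_domain_controller": e["host"] in dcs,
                "time": e["time"].isoformat(),
            })
        elif e["event_id"] in TASK_EVENTS:
            cmd = e.get("task_command", "")
            if USER_WRITABLE.search(cmd):
                findings.append({
                    "rule": "task_from_user_writable_path",
                    "host": e["host"],
                    "account": e["subject_user"],
                    "task": e.get("task_name"),
                    "command": cmd,
                    "time": e["time"].isoformat(),
                })
            born = created.get(e["subject_user"])
            if born is not None and e["time"] - born <= window:
                findings.append({
                    "rule": "new_account_modified_task",
                    "host": e["host"],
                    "account": e["subject_user"],
                    "task": e.get("task_name"),
                    "account_age": str(e["time"] - born),
                    "time": e["time"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for f in hunt_persistence(parse_log(SAMPLE_LOG)):
        print(json.dumps(f))
```

Run against the sample, the hunt reports the account created on `DC01`, both task events from `CORP\svc_update` (once for the writable path, once because the account is hours old), and the local account on `FS01`; the Veeam task on `SRV07` is left alone. The correlation rule is the one most worth keeping: a path allowlist can be evaded by staging in a more ordinary directory, but an account that did not exist yesterday touching the Task Scheduler today is hard to explain away.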

Industry Report Claims Threats to ICS Will Present a Greater Challenge in 2022

According to a Kaspersky report, cybercriminals compromised thousands of industrial organizations worldwide in 2021, and 2022 may present even more of a challenge. For some of these organizations, the report claims, the consequences of a 2021 compromise may not actually catch up with them until 2022. The report points out that to evade detection, cybercriminals are adopting the strategy of frequently rebuilding malware within their chosen family: they use a build at its peak effectiveness to break through security solutions, then switch to a new build as soon as the current one becomes readily detectable. The evolution of modern malware-as-a-service platforms makes it much easier for malware operators globally to follow this strategy [1]. Industry should take notice that attackers are reducing the number of targets per individual attack, shortening the life cycle of each malware build, and minimizing the use of reusable malicious infrastructure, and should recognize that modern advanced persistent threats are more persistent than advanced in nature. We recommend reviewing the trends and attack vectors described in the report.

DOE Seeks Input from Stakeholders on Cybersecurity Challenges Facing the Energy Sector Supply Chain

The Department of Energy (DOE) published a request for information (RFI) seeking input from stakeholders on various issues facing the energy sector supply chain, including cybersecurity. The input will reportedly assist the department in building an energy sector industrial base that is resilient and competitive while meeting economic and national security objectives. As part of the RFI, DOE seeks responses to improve its understanding of the cybersecurity policy needs of the private sector. Additionally, the RFI asks industry how the government should approach hardening digital components against physical and virtual tampering, and how it should prioritize the protection of digital component supply chains [1]. The RFI comes at a time when cyber threats to critical infrastructure are a growing national security concern, prompting several national initiatives, so it is important that energy sector stakeholders participate in RFI processes to help shape effective security policy. We recommend reviewing the RFI for information and requests that may be relevant to your organization.

Subscribe to the Industrial Cybersecurity Current Intelligence Digest