Articles

Oldsmar cyberattack raises importance of water utility assessments, training

The attempt to poison a city’s water supply by remotely accessing its ICS underscores the need for cybersecurity assistance at under-resourced critical infrastructure facilities.

On Monday, February 8, a press conference hosted by Pinellas County, Florida, sheriff Bob Gualtieri dropped an industrial cybersecurity bombshell that reverberated worldwide. Gualtieri, along with the mayor and city manager of Oldsmar (population 15,000), revealed that a hacker had infiltrated the Oldsmar water treatment system to change the city’s water supply levels of sodium hydroxide from 100 parts per million to 11,100 parts per million. Sodium hydroxide, also called lye, is a highly caustic chemical that is a key ingredient in liquid drain cleaners.

The hackers gained unauthorized access to an internal industrial control system (ICS), likely using stolen or lost credentials, via TeamViewer, a remote desktop application that allows users to log into systems from afar, a ubiquity across many organizations during the COVID-19 crisis. Gualtieri and the city officials offered only a few other details of the disturbing breach.

The attacker was caught in the act by a water utility employee who happened to see the cursor moving on the screen executing commands which were discovered hours later to be the malicious chemical composition changes. When the changes were discovered, the sodium hydroxide levels were restored to their original levels and no harm was done to the water supply. System checks and redundancies would have caught the deadly changes anyway, the officials maintained.

No one has yet determined whether the hacker was domestic or originated outside the United States. The FBI and the Secret Service are working on an investigation.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Sime Basioli on Unsplash

 

Articles

Biden administration brings expertise, new attitude to cybersecurity

The US president promises a reckoning for SolarWinds hackers and places cybersecurity at the top of the administration’s agenda.

The Biden administration has hit the ground running on cybersecurity, reportedly getting ready to nominate what some have called a “world-class” cybersecurity team of officials and prioritizing efforts to tackle the worst hack in US history, the SolarWinds breach. The renewed effort to tackle cybersecurity matters couldn’t come soon enough. The Trump administration all but gutted the White House and other government offices of cybersecurity expertise. In a series of steps that started with the elimination of a White House cybersecurity coordinator and ended with the firing of Christopher Krebs, the highly respected head of the Cybersecurity and Infrastructure Security Agency (CISA), the government suffered a serious cybersecurity brain drain during the Trump era.

The first sign that the current administration plans to take cybersecurity more seriously than the previous one did is the hiring of National Security Agency (NSA) official Anne Neuberger to fill the new position of Deputy National Security Adviser for cyber and emerging technology. Neuberger led the NSA’s cybersecurity defense operations and created the Russia small group at the agency to protect the 2018 mid-term elections from the kind of digital damage that marred the 2016 presidential election.

Biden has also tapped former senior national security officials with expertise in cybersecurity. Among them are Michael Sulmeyer, who serves as senior director for cybersecurity; Elizabeth Sherwood-Randall, named homeland security adviser; Russ Travers, deputy homeland security adviser; and Caitlin Durkovich, now a senior director for resilience and response at the National Security Council.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by René DeAnda on Unsplash

 

Articles

Sprite Spider emerging as one of the most destructive…

Having flown under the radar for several years, the Sprite Spider group is using a ransomware code suite that is effective and hard to detect.

At the recent SANS Cyber Threat Intelligence Summit, two CrowdStrike cybersecurity leads, Senior Security Researcher Sergei Frankoff and Senior Intelligence Analyst Eric Loui, offered details on an emerging major ransomware actor they call Sprite Spider. Like many other ransomware attackers, the gang behind Sprite Spider’s attacks has grown rapidly in sophistication and damage capacity since 2015.

Today Sprite Spider is poised to become one of the biggest ransomware threat actors of 2021 and has a threat profile on par with what advanced persistent threat actors were five or ten years ago. Sprite Spider’s rise as a sophisticated threat is not surprising given that it, like many other organized ransomware gangs are filled with hackers who are often gainfully employed by nation-state threat actors.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Dev Leigh on Unsplash

 

Advanced Persistent Threat

SolarWinds hack is quickly reshaping Congress’s cybersecurity agenda

More cybersecurity funding for states and Capitol, new breach reporting rules, and ransomware-related bills will likely be on the agenda for the 117th Congress.

The federal government and private sector are still reeling from the SolarWinds supply chain hack, and Congress is on edge as it begins a new term beset by fears of domestic terrorism. It would seem all bets are off in terms of the previous legislative agenda for cybersecurity, at least in the near-term. The relevant committees in the new 117th Congress have yet to weigh in on specific pieces of legislation, but it’s clear that cybersecurity will be a big focus across both the House and Senate.

First, in the wake of the discovery of the SolarWinds breach, the incoming Biden administration committed to making cybersecurity a top priority. Late last week, the Biden team made good on that promise when announcing its Rescue Plan that calls for around $10 billion in cybersecurity spending, including $690 million for CISA to improve security monitoring and incident response at the agency.

One of the legislators leading the fight for cybersecurity legislative initiatives in Congress, Representative Jim Langevin (D-RI), applauded Biden’s push for more cybersecurity spending. “I’m also grateful to see the president-elect pushing for important investments in cybersecurity in the wake of the SolarWinds hack, which has placed a spotlight on the need to act now to protect Americans and our interests in cyberspace,” he said in a statement lauding the overall rescue package.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

US bulk energy providers must now report attempted breaches

US bulk energy providers must now report attempted breaches as well as successful breaches. Guidance is murky over what constitutes an “attempted” breach.

One of the most pernicious aspects of the far-reaching and potentially devastating SolarWinds supply chain hack is that it successfully evaded detection for at least ten months by hiding inside seemingly normal software operations. The hack of SolarWinds’ Orion product enabled Russian actors to embed surveillance malware into widely used management software. It pushed the so-called SUNBURST malware deep into public and private networks using the invisibility cloak of ordinary activity, causing no harm or disruption as it silently operated.

The SolarWinds hack is largely considered a turbo-charged nation-state espionage campaign. Most experts, however, won’t rule out that out the possibility that the Russian intelligence team behind the breach weren’t also paving the way for attacks that could damage operations. One of the biggest concerns about the hack’s impact is how it affected the nation’s power grid.

New regulations aimed at spotting attempted compromises in the power grid that don’t cause damage, like SolarWinds, went into effect on January 1, 2021. It’s not at all clear that the new requirements will help the energy industry spot these kinds of attacks.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

 

Articles

Egregor ransomware group explained: And how to defend against…

Newly emerged Egregor group employs “double ransom” techniques to threaten reputational damage and increase pressure to pay.

Egregor is one of the most rapidly growing ransomware families. Its name comes from the occult world and is defined as “the collective energy of a group of people, especially when aligned with a common goal,” according to Recorded Future’s Insikt Group. Although descriptions of the malware vary from security firm to security firm, the consensus is that Egregor is a variant of the Sekhmet ransomware family.

It arose in September 2020, at the same time the Maze ransomware gang announced its intention to shut down operations. Affiliates who were part of the Maze group appear, however, to have moved on to Egregor without skipping a beat.

Insikt and Palo Alto Networks’ Unit 42 think Egregor is associated with commodity malware such as Qakbot, which became prominent in 2007 and uses a sophisticated, evasive worm to steal financial credentials, as well as other off-the-shelf malware such as IcedID and Ursnif. These pieces of malware help attackers gain initial access to victims’ systems.

All security researchers seem to agree with Cybereason’s Nocturnus Team that Egregor is a rapidly emerging, high-severity threat. According to security firm Digital Shadows, Egregor has claimed at least 71 victims across 19 different industries worldwide

This article appeared in CSO Online. To read the rest of the article please visit here.

 

 

Advanced Persistent Threat

How to prepare for the next SolarWinds-like threat

It is possible to minimize the risk from nation-state attacks like SolarWinds. This is the best advice based on what experts have learned so far.

The insertion of malware into SolarWinds’ popular Orion network management software sent the federal government and major parts of corporate America scrambling this week to investigate and mitigate what could be the most damaging breach in US history. The malware, which cybersecurity company FireEye (itself the first public victim of the supply chain interference) named SUNBURST, is a backdoor that can transfer and execute files, profile systems, reboot machines and disable system services.

Reuters broke the story that a foreign hacker had used SUNBURST to monitor email at the Treasury and Commerce Departments. Other sources later described the foreign hacker as APT29, or the Cozy Bear hacking group run by Russia’s SVR intelligence agency. Subsequent press reports indicated that the malware infection’s reach throughout the federal government could be vast and includes—only preliminarily—the State Department, the National Institutes of Health, the Department of Homeland Security (DHS), and likely parts of the Pentagon.

Former director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs said in a tweet after news broke of the intrusion, “this thing is still early,” meaning that it will likely be months—possibly years—before the true scope of the damage is known. SolarWinds said that up to 18,000 of its 300,000 customers downloaded the tainted update, although that doesn’t mean that the adversary exploited all infected organizations.

CISA issued a rare emergency directive calling on all federal agencies to “review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.” The FBI, CISA and the Office of the Director of National Intelligence (ODNI) issued a joint statement acknowledging they established a Cyber Unified Coordination Group (UCG) to mount a whole-of-government response under the direction of the FBI.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by NASA – NASA, Public Domain, https://commons.wikimedia.org/w/index.php?curid=6422993

 

Articles

26 Cyberspace Solarium Commission recommendations likely to become law…

Once passed, the National Defense Authorization Act will create a White House cybersecurity director role, expand CISA’s capabilities, and create a K-12 security education assistance program.

This year’s National Defense Authorization Act (NDAA), the annual “must-pass” spending bill that ensures the continued funding of the nation’s military, has a wealth of information security recommendations that come from the bi-partisan, bi-cameral, public-private initiative known as the Cyberspace Solarium Commission (CSC). The CSC was itself established in 2019’s NDAA bill and was asked to come up with a new strategic approach to cybersecurity.

Last spring, the CSC issued a report that offered 82 policy and legislative recommendations to improve cybersecurity. Of those, 26 will likely become law given that both the House and Senate last week passed the bill by overwhelming margins. The veto-proof vote count is needed given that President Donald Trump has repeatedly vowed to veto this year’s NDAA unless it also contains provisions that strip internet companies of legal liability protections granted them in Section 230 of the Communications Decency Act of 1996. Over the weekend, Trump reiterated via Tweet his intention to veto the NDAA.

Solarium co-chairs Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) expressed their delight in turning substantive cybersecurity recommendations into legislative provisions. “From the first day we embarked on crafting America’s cyberdoctrine, we were determined to create a plan of action, not a report collecting dust on a shelf. It is only because of the hard work and commitment of our commissioners and tireless staff that we were able to create such a robust report earlier this year. It is due to them that we were able to inform national policy on such a remarkable level,” the pair said in a statement.

The Commission’s top accomplishment in the bill is the reestablishment of cybersecurity leadership in the White House by creating a national cyber director position. Senator Mike Rounds (R-SD) garners much of the credit for this achievement. “The creation of a national cyber director position in this year’s NDAA was the result of years of hard work,” Rounds said in a statement.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Louis Velazquez on Unsplash

 

Articles

New AI privacy, security regulations likely coming with pending…

CISOs should prepare for new requirements to protect data collected for and generated by artificial intelligence algorithms.

Regulation surrounding artificial intelligence technologies will likely have a growing impact on how companies store, secure, and share data in the years ahead. The ethics of artificial intelligence (AI), particularly facial recognition, by law enforcement authorities, have received a lot of attention. Still, the US is just at the beginning of what will likely be a surge in federal and state legislation regarding what companies can and cannot do regarding algorithmically derived information.

“It’s really the wild west right now in terms of regulation of artificial intelligence,” Peter Stockburger, partner in the Data, Privacy, and Cybersecurity practice at global law firm Dentons, tells CSO. Much like the California Consumer Protection Act (CCPA), which spelled out notice requirements that companies must send to consumers regarding their privacy protections, “a lot of people think that’s where the AI legislation is going to go, that you should be getting giving users notification that there’s automated decision making happening and get the consent.”

AI encompasses a wide range of technical activities, from the creation of deepfakes to automated decision-making regarding credit scores, rental applications, job worthiness, and much more. On a day-to-day basis, many, if not most, companies now use formulas for business decision-making that could fall into the category of artificial intelligence.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Markus Winkler on Unsplash

 

Articles

Cybersecurity under fire: CISA’s former deputy director decries post-election…

Matt Travis talks about CISA’s role in the recent US elections and how President Trump and his surrogates have politicized the security function.

Matt Travis, the former deputy director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), kicked off this year’s Aspen Cyber Summit yesterday with a keynote interview by journalist Kara Swisher. Travis provided an insider’s view of the events leading up to the firing of CISA director Christopher Krebs and discussed the fallout from President Donald Trump’s attempts to undermine the agency.

The just-concluded president election represented “the most secure election in American history,” according to Krebs. Despite this achievement, or perhaps because of it, Krebs was summarily fired by Donald Trump via a tweet on November 17. Before Krebs was dismissed, the White House asked for the resignation of Brian Ware, the highly regarded assistant director for cybersecurity for CISA. After Krebs’ forced departure, Matt Travis, CISA deputy director and Krebs’ right-hand man at CISA, resigned from the agency.

On Sunday, Krebs, a lifelong Republican, told 60 Minutes’ Scott Pelley that he has complete confidence in the election outcome. He dismissed as conspiracy theories some of Trump’s increasingly convoluted stories of how President-Elect Joe Biden “stole” the election. Krebs said that Trump’s attorney Rudy Giuliani’s promotion of unproven election fraud was an “attempt to undermine confidence in the election, to confuse people, to scare people.”

Following the 60 Minutes interview, another Trump attorney, Joseph DiGenova, said that Krebs should be “taken out and shot” for contradicting Trump’s unsubstantiated claims of voter fraud. Yesterday, Krebs told CBS’s Savannah Guthrie that he is looking into potential legal action following DiGenova’s bald threat. Alex Stamos, former Facebook CISO and founder of the Stanford Internet Observatory, filed a complaint against DiGenova with the DC Bar’s Office of Disciplinary Counsel and encouraged his fellow infosec peers to do the same.

This article appeared in CSO Online. To read the rest of the article please visit here.