Articles

Rare and dangerous Incontroller malware targets ICS operations

A coalition of U.S. government agencies, security researchers, and companies warn about this new malware that can gain complete access to ICS and SCADA systems.

In the second major industrial control system (ICS) threat development this week, the U.S. Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) issued a Cybersecurity Advisory (CSA) warning of a complex and dangerous ICS threat. The CSA says that specific unnamed advanced persistent threat (APT) actors have exhibited the capability to gain complete system access to multiple ICS and supervisory control and data acquisition (SCADA) devices.

These agencies collaborated with a group of top-tier industrial control and security leaders including Dragos, Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric in drafting the alert. The CSA pointed specifically to three categories of devices vulnerable to the malware:

  • Schneider Electric programmable logic controllers (PLCs)
  • OMRON Sysmac NEX PLCs
  • Open Platform Communications Unified Architecture (OPC UA) servers

The malware consists of a package of dangerous custom-made tools targeting ICS and SCADA devices that can scan for, compromise and control affected devices once they have established initial access to the operational technology (OT) network.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by Frauke Feind from Pixabay

Articles

Ukraine energy facility hit by two waves of cyberattacks…

Sandworm succeeded in planting a new version of the Industroyer malware to disrupt ICS infrastructure at multiple levels, but was thwarted from doing serious damage.

Ukraine’s Governmental Computer Emergency Response Team (CERT-UA) announced that Russia’s state-backed threat group Sandworm launched two waves of cyberattacks against an unnamed Ukrainian energy facility. The attackers tried to decommission several infrastructural components of the facility that span both IT and operational technology, including high-voltage substations, Windows computers, servers running Linux operating systems, and network equipment.

CERT-UA said that the initial compromise took place no later than February 2022, although it did not specify how the compromise occurred. Disconnection of electrical substations and decommissioning of the company’s infrastructure were scheduled for Friday evening, April 8, 2022, but “the implementation of the malicious plan” was prevented.

The Ukrainian team received help from both Microsoft and ESET in deflecting any significant fallout from the attacks. ESET issued a report presenting its analysis of the attacks, saying its collaboration with CERT-UA resulted in its discovery of a new variant of Industroyer malware, the same malware that the Sandworm group used to take down the power grid in Ukraine in 2016.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

With AI RMF, NIST addresses artificial intelligence risks

The new framework could have wide-ranging implications for the private and public sectors. NIST is seeking comments on the current draft by April 29, 2022.

Business and government organizations are rapidly embracing an expanding variety of artificial intelligence (AI) applications: automating activities to function more efficiently, reshaping shopping recommendations, credit approval, image processing, predictive policing, and much more.

Like any digital technology, AI can suffer from a range of traditional security weaknesses and other emerging concerns such as privacy, bias, inequality, and safety issues. The National Institute of Standards and Technology (NIST) is developing a voluntary framework to better manage risks associated with AI called the Artificial Intelligence Risk Management Framework (AI RMF). The framework’s goal is to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.

The initial draft of the framework builds on a concept paper released by NIST in December 2021. NIST hopes the AI RMF will describe how the risks from AI-based systems differ from other domains and encourage and equip many different stakeholders in AI to address those risks purposefully. NIST said it can be used to map compliance considerations beyond those addressed in the framework, including existing regulations, laws, or other mandatory guidance.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

New threat group underscores mounting concerns over Russian cyber…

Crowdstrike says Ember Bear is likely responsible for the wiper attack against Ukrainian networks and that future Russian cyberattacks might target the West.

As fears mount over the prospects of a “cyberwar” initiated by the Russian government, the number of identified Russian threat actors also continues to climb. Last week CrowdStrike publicly revealed a Russia-nexus state-sponsored actor that it tracks as Ember Bear.

CrowdStrike says that Ember Bear (also known as UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, Saint Bear) is likely an intelligence-gathering adversary group that has operated against government and military organizations in eastern Europe since early 2021. The group seems “motivated to weaponize the access and data obtained during their intrusions to support information operations (IO) aimed at creating public mistrust in targeted institutions and degrading government ability to counter Russian cyber operations,” according to CrowdStrike intelligence.

Ember Bear is responsible for using the WhisperGate wiper malware against Ukrainian networks in January before Russia invaded Ukraine. The malware masquerades as ransomware but lacks a payment or data recovery mechanism, masking WhisperGate’s true intent, which is the destruction of data. The WhisperGate campaigns began with website defacements containing threatening messages in Ukrainian, Russian and Polish languages.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Zdeněk Macháček on Unsplash

Articles

U.S. State Department unveils new Bureau of Cyberspace and…

The new Bureau could enhance the United States’ ability to work effectively with other nations on cybersecurity matters.

The U.S. State Department announced that its Bureau of Cyberspace and Digital Policy (CDP) began operations on Monday as part of Secretary Antony Blinken’s modernization agenda. The Department says the CDP will address the national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy.

The Bureau, ultimately to be led by a Senate-confirmed ambassador-at-Large, will, in the interim, be guided by Jennifer Bachus, a career member of the Senior Foreign Service, as principal deputy assistant secretary for the Bureau. The CDP will include three policy units led by acting deputy assistant secretaries, including international cyberspace security, international information and communications policy, and digital freedom.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Cristina Glebova on Unsplash

 

 

 

 

Articles

Russia-linked cyberattacks on Ukraine: A timeline

Cyber incidents are playing a central role in the Russia-Ukraine conflict. Here’s how events are unfolding along with unanswered questions.

It’s been almost six weeks since Russian troops entered Ukraine and the large-scale “cyberwar” expected to accompany the invasion has not yet materialized. Observers and experts have offered many theories about why Russia hasn’t launched a destructive cyberattack on Ukraine yet despite its full capability to do so.

The reasons range from Russia saving its most dangerous cyberattack until the bitter end to the Kremlin’s fear of a devastating Western response. The most intriguing explanation for why Russia hasn’t seemingly unleashed its cyber arsenal is because we’re already in the middle of what Thomas Rid, professor of strategic studies at Johns Hopkins University’s School of Advanced International Studies, calls a secret cyberwar.

The digital cyberwar is playing out in the shadows, Rid argues, with the more apparent cyberattacks taking place to divert attention from the incidents that we’re not supposed to see. Cyberwar has been playing tricks on us, he argues, emerging in the form of seemingly random attacks and then slipping away into the future.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by opsa from Pixabay

 

 

 

Articles

Why metrics are crucial to proving cybersecurity programs’ value

Methodologies to measure the effectiveness of cybersecurity efforts exist. Tying them to the real world is the trick.

As solutions to managing cybersecurity threats increase, surprisingly few metrics are available on how well these methods work to secure organizational assets. The National Institute of Standards and Technology (NIST) has pioneered information security performance measurement models that can produce metrics. (Note: NIST’s work in this area is now being updated.)

Aside from government agencies’ requirements to produce information security performance measures, the measurement models NIST recommends can also be used for internal overall IT improvement efforts. Either way, NIST recommends considering four factors while developing and implementing an information security measurement program:

  • Quantifiable measures
  • Readily available data that support the measures
  • Repeatable information security processes
  • Utility for tracking performance and directing resources

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by Clker-Free-Vector-Images from Pixabay

 

 

Articles

States step up cybersecurity efforts as threats increase

Spurred by recent attacks, some U.S. states are taking action and allocating funds to boost their defenses against cyber threats.

Earlier this month, Mandiant announced that it had responded to an intrusion by a Chinese-backed hacking group, APT41, that targeted a U.S. state government’s computer network. The security company ultimately discovered a persistent effort that allowed the malicious hackers to successfully compromise at least six U.S. state government networks by exploiting vulnerable internet-facing web applications using a zero-day vulnerability.

Mandiant couldn’t determine the hackers’ motives but said the intrusions were consistent with an espionage operation. The company also predicted that further investigation would reveal even more states whose agencies were affected by the effort.

These incidents underscore that state governments are just as attractive, if not even juicier, targets for malicious hackers as the federal government or any other organization. It’s no surprise then that state governments are stepping up their efforts to bolster their cybersecurity protections, launching task forces, hiring advisors, creating security centers, and boosting cybersecurity spending.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by OpenClipart-Vectors from Pixabay

 

Articles

SEC filings show hidden ransomware costs and losses

A review of 2021 8-K filings with the U.S. Securities and Exchange Commission reveals a more complete picture of the financial damage from ransomware.

The ransomware scourge reached unprecedented levels in 2021, with ransomware threat actors demanding, and in many cases receiving, ransom payments in the millions of dollars. The world’s largest meat processor, JBS, confirmed in June 2021 that it paid the equivalent of $11 million in ransom to respond to the criminal hack against its operations.

Colonial Pipeline paid $4.43 million to its ransomware attackers in May 2021, although in a subsequent operation, the U.S Department of Justice (DOJ) seized $2.3 million of that amount. In May, backup appliance supplier ExaGrid paid a $2.6 million ransom to cybercriminals that targeted the company with Conti ransomware.

The actual costs of ransomware attacks, including lost revenue, can far eclipse the simple dollar amount of any ransom paid. For most private companies, the costs of ransomware attacks, and even the attacks themselves, can be hidden from view, which is one reason why mandatory ransom payment reports for all organizations became law last week.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

 

Articles

Cyber incident reporting measures approved in the omnibus spending…

Critical infrastructure entities and federal agencies will have to report significant cyber incidents to CISA within 72 hours and ransomware attacks within 24 hours under legislation passed by the House that will likely become law.

The U.S. House of Representatives has passed key provisions of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which would require critical infrastructure operations to alert the government when they are hacked or pay a ransom to threat actors. It is part of the $1.5 trillion omnibus spending bill passed by the House on Wednesday, which funds the federal government for the rest of the year.

The incident report provisions contained in the Act, part of the broader Strengthening American Cybersecurity Act, failed to become law last year but passed the Senate unanimously on March 1.

This article appeared in CSO Online. To read the rest of the article please visit here.