Cybersecurity Update for September 29, 2022
Topics Include
- Federal Cyber Mandates for Water Infrastructure Are Too Costly to Implement, Experts Say
- Universities Urged to Defend Sensitive Research From Hackers
- Iranian State Actors Conduct Cyber Operations Against the Government of Albania
- Colonial Pipeline ransomware group using new tactics to become more dangerous
About the “Cybersecurity Update”
The Cybersecurity Update is a periodic post on Medium and contains news about Cybersecurity, Information Technology, Network Security, and securing our IoT/SCADA networks and databases. Updates are selected items taken from publicly available resources and present a select set of items to support learning about Cybersecurity.
Aside from the news being presented, approaches that a cybersecurity professional (or individual) can take pertaining to the updates are also discussed. The intention is to not only bring you the cybersecurity news, but to also discuss with you possible strategies for addressing items posted in the cybersecurity update.
Please follow along. Please send me any additional suggestions for addressing any of the updates, suggestions for videos/content that you’d like to see/read, or just keep in contact. My info is provided in the “About the Author” section at the end of this article.
Item 1: Federal Cyber Mandates for Water Infrastructure Are Too Costly to Implement, Experts Say
A US House of Representatives hearing heard expert testimony stressing the need for enhanced funding to support cybersecurity measures in water utility providers — especially in rural regions (September 21). Witnesses emphasized the significant challenges of applying more robust cybersecurity technologies to water infrastructure systems — specifically in underserved communities.
“Maintaining a strong cyber defense is just as much a part of our infrastructure as maintaining our pipes and filtration systems. Robust planning for cybersecurity is no longer optional in the water sector. It is a key part of what we do every day,” David Gadis, the CEO of D.C. Water, testified. Federal regulations place a disproportionate amount of strain on utility companies to comply with cybersecurity measures without adequate funding support. The US EPA released a report to Congress, “Technical Cybersecurity Support Plan for Public Water Systems — Report to Congress,” in August 2022 (link in reference section).
CISA is tasked by Congress
CISA is tasked to lead a national effort to understand, manage, and reduce cyber and physical risk to US infrastructure, including water systems. CyberSentry, a CISA-sponsored voluntary pilot program, has been established to define:
• Cybersecurity best-practices for Industrial Control Systems
• Securing Industrial Control systems
• Addressing the rising threat to Operational Technology assets
• “StopRansomware.gov” initiative.
Testimony indicated that federal engagement and partnerships (with private entities/organizations) can result in ample funding, which is key to strong cyber defenses and creating a ‘resilient’ water infrastructure. While the infrastructure needs good cybersecurity practices, including items like layered architecture, zero-trust architecture, and VLAN/IP segmentation for IoT/SCADA devices, the initial ‘initiative’ is training. “Bottom line is training and resources to provide that training at a no cost situation,” National Rural Water Association Senior Vice President John O’Connell said.
Item 2: Universities Urged to Defend Sensitive Research from Hackers
Increased cyberattacks against universities and colleges have forced academia to implement new rules to handle ‘sensitive’ data. As an example of initiatives put in place to secure data, Texas A&M in 2016 established an office to oversee security around scholarly activity which:
- Mandated disclosure of all foreign collaboration,
- Notification of foreign travel (and approval),
- Established a continuous network to monitor and identify foreign actors,
- Established a review/approval cycle to approve all research collaborations.
U.S. Senate Intelligence Committee hearing Wednesday, September 21 — highlighted quotes:
1. “Understanding our collaborators and their funders is the most critical aspect of our research security program.” Gamache stated (Texas A&M).
2. “Higher education should be looked at as part of the national security defense program,” said former NCSC Director William Evanina.
Setting a Security Standard for Universities — Recommendation:
· Lawmakers should set a minimum standard around what constitutes acceptable security for any research institutions that are either federally funded or receive federal subsidies.
In contrast:
• FBI has led an effort by going all-in on initiatives such as the Academic Security and Counter Exploitation Program
• Department of Commerce also has related criteria.
- However, there is not an overarching set of standards for cybersecurity… yet.
Compliance is Coming
The crux of the matter is ‘implied’ in this statement: “International scholars in our universities enhance innovation and knowledge but also present risks. Partnering with federal agencies to mitigate existing and emerging threats, educate our researchers, and provide clear avenues to address security concerns is crucial.” (Gamache, Texas A&M). The bottom line is — compliance is coming. But keep in mind that “compliance” does not mean being secure!!
Item 3: Iranian State Actors Conduct Cyber Operations Against the Government of Albania
A CISA/FBI Advisory was released: The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September.
Timeline of the Attack
July 2022:
• Iranian state cyber actors identified as “HomeLand Justice” launched a destructive cyber-attack against the Albanian Government which rendered websites and services unavailable.
• An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber-attack.
• The attack included a ransomware-style file encryptor and disk wiping malware.
• The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating e-mail content.
May/June 2022:
• Iranian state cyber actors conducted lateral movements, network reconnaissance, and credential harvesting from Albanian government networks.
July 2022:
• Iranian actors launched ransomware on the networks, leaving an anti-Mujahideen E-Khalq (MEK) message on desktops.
• When network defenders identified and began to respond to the ransomware activity, the cyber actors deployed a version of the ZeroCleare destructive malware.
June 2022:
• HomeLand Justice created a website and multiple social media profiles posting anti-MEK messages.
July 18, 2022:
• HomeLand Justice claimed credit for the cyber-attack on Albanian government infrastructure.
July 23, 2022:
• HomeLand Justice posted videos of the cyber-attack on their website.
Late-July to mid-August 2022:
• Social media accounts associated with HomeLand Justice demonstrated a repeated pattern of advertising Albanian Government information for release, posting a poll asking respondents to select the government information to be released by HomeLand Justice, and then releasing that information — either in a .zip file or a video of a screen recording with the documents shown.
September 2022:
• Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for the public attribution of the July cyber attacks and the severing of diplomatic ties between Albania and Iran.
Bottom line Protection Measures
The following items are necessary to protect a network (not a comprehensive list):
• Cybersecurity training,
• Protection of key information assets,
• Proper filtering of traffic,
• Layering of network architecture,
• Zero-Trust Architecture (ZTA): Trust nothing, verify everything.
Item 4: Colonial Pipeline ransomware group using new tactics to become more dangerous
The Colonial Pipeline ransomware hack took place on May 7, 2021 (the ransom was 75 bitcoin, or $4.4 M at the time). This month, Symantec noted that “Coreid” has adopted a new version of its data exfiltration tool and is offering more advanced capabilities to profitable affiliates (as of Sept 26, 2022). The new version of the ransomware is “Noberus”. Keep in mind that affiliates are likened to ‘subscribers’ of the Coreid network, just like SaaS subscribers. Also tracked as FIN7 or Carbon Spider, Coreid is a ransomware-as-a-service (RaaS) operation that develops ransomware tools and services and then collects money from affiliates who use these tools to carry out the actual attacks. The group was initially known as “Darkside” (the group behind the Colonial Pipeline ransomware attack) and rebranded itself as “Blackmatter” after the attacks. But Blackmatter was shut down in November 2021 due to pressure by law enforcement. The ‘offering’ (i.e. the ransomware offered to Coreid’s affiliates) is now titled “Noberus”, and researchers indicate that it poses a much greater threat than the initial attack.
Why is Noberus more dangerous than other ransomware?
The bottom line is that Noberus is more dangerous due to its complexity. Noberus presents a challenge to its victims and to law enforcement because of the complexity of the ransomware tool. Noberus has two different encryption algorithms and four encryption modes, which complicates investigations. Any of these 6 methods can be used to encrypt stolen files from a victim. The default method for encryption uses a process called “intermittent encryption”, which encrypts only portions of each file so that data is encrypted quickly and intermittently, and which is intended to avoid detection.
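Intermittent encryption is designed to defeat detectors that look for a whole file turning into high-entropy data. A defender-side heuristic that still catches it is to measure Shannon entropy per chunk and look for the alternating high/low pattern. The script below is an added example written for this post; it is not Symantec’s tooling or any Noberus code. The chunk size, the 7.0 and 6.0 bits-per-byte thresholds, and the sample files are assumptions chosen for illustration, and seeded random bytes stand in for ciphertext so nothing is actually encrypted.

```python
"""Per-chunk entropy heuristic for spotting intermittently encrypted files.

Added example, not from the original post or from Symantec. Thresholds and
sample data are assumptions; random bytes stand in for ciphertext.
"""
import math
import random
from collections import Counter
from typing import Dict, List

CHUNK_SIZE = 4096      # assumed block size to inspect
HIGH_ENTROPY = 7.0     # bits/byte; encrypted or compressed data sits near 8.0
LOW_ENTROPY = 6.0      # ordinary documents and source files sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[float]:
    """Entropy of each consecutive chunk of the file."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> Dict[str, object]:
    """Label a file as plaintext, fully encrypted, intermittently encrypted, or mixed.

    'mixed' covers a single high-entropy region (e.g. an embedded compressed
    attachment) so that one transition alone does not raise an alert.
    """
    ents = chunk_entropies(data, chunk_size)
    high = [e >= HIGH_ENTROPY for e in ents]
    n_high = sum(high)
    # Number of times consecutive chunks flip between high and non-high entropy.
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    if n_high == 0:
        verdict = "plaintext"
    elif n_high == len(ents):
        verdict = "fully-encrypted"
    elif transitions >= 2:
        verdict = "intermittently-encrypted"
    else:
        verdict = "mixed"
    return {
        "verdict": verdict,
        "chunks": len(ents),
        "high_entropy_chunks": n_high,
        "transitions": transitions,
        "mean_entropy": sum(ents) / len(ents) if ents else 0.0,
    }


def make_samples() -> Dict[str, bytes]:
    """Constructed sample files (not real artifacts) covering the three cases."""
    rng = random.Random(2022)
    text = (b"Quarterly water utility maintenance log: pump 3 serviced, "
            b"filter replaced, chlorine residual within limits. ") * 500
    # Seeded pseudo-random bytes stand in for ciphertext.
    noise = bytes(rng.getrandbits(8) for _ in range(len(text)))
    # Intermittent pattern: every other chunk replaced, the rest left untouched.
    parts = []
    for idx, start in enumerate(range(0, len(text), CHUNK_SIZE)):
        src = noise if idx % 2 == 0 else text
        parts.append(src[start:start + CHUNK_SIZE])
    return {"plaintext": text, "encrypted": noise, "intermittent": b"".join(parts)}


if __name__ == "__main__":
    for name, blob in make_samples().items():
        result = classify(blob)
        print(f"{name:13s} -> {result['verdict']:25s} "
              f"(high chunks {result['high_entropy_chunks']}/{result['chunks']}, "
              f"transitions {result['transitions']})")
```

Because the heuristic keys on the alternation pattern rather than on whole-file entropy, a file that is only half encrypted still stands out, while a document with one embedded archive is reported as “mixed” rather than alerted on. In practice this would run on a sample of recently modified files from a file server or backup job rather than on the constructed inputs above.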
Exmatter:
Within the Noberus suite, Exmatter is used to extract files. Exmatter is designed to steal specific file types and upload those files to the attacker’s server. Exmatter then exfiltrates data using FTP, SFTP, or WebDAV to move files. Exmatter is designed to self-destruct if it is not executing in a corporate environment, indicating its focus for attack.
Infostealer.Eamfo:
Noberus can execute an info-stealing malware (name = Infostealer.Eamfo) that takes credentials from Veeam backup. Veeam is a data protection/disaster recovery product used by many organizations to store credentials for cloud services and domain controllers, in the event of an organizational disaster. Infostealer.Eamfo connects to the SQL database within the Veeam product to steal the organization’s credentials through specifically crafted SQL queries.
Incentives
Coreid incentivizes its affiliates through what are termed incentives. Any affiliate who brings in more than $1.5 million in ransom payments is allowed access to DDoS attack tools, files of victims’ phone numbers to contact them directly, and free brute-force attack methods against specific systems, which will bring in more money to Coreid as well as their affiliate partners.
Protecting from Ransomware
Protecting information systems from ransomware is a complex endeavor, but here are a few highlights:
• Build a Culture of Cybersecurity where everyone is made aware of the magnitude of cyber threats,
• Ensure that you have a training plan. Training includes:
1. Cybersecurity ‘hygiene’ training for everyone
2. Technical cybersecurity training for those in the IT/Networking area of the company (including IT Service Providers), and
3. C-suite training (as they set the strategy for the company).
References
ITEM 1:
· Federal Cyber Mandates for Water Infrastructure Are Too Costly to Implement, Experts Say: https://www.nextgov.com/cybersecurity/2022/09/federal-cyber-mandates-water-infrastructure-are-too-costly-implement-experts-say/377474/
· Technical Cybersecurity Support Plan for Public Water Systems — Report to Congress: https://www.waterisac.org/system/files/articles/EPA_TechnicalCybersecuritySupportPlan_August2022.pdf
ITEM 2:
· Universities Urged to Defend Sensitive Research From Hackers: https://www.govinfosecurity.com/universities-urged-to-defend-sensitive-research-from-hackers-a-20127
ITEM 3:
· Iranian State Actors Conduct Cyber Operations Against the Government of Albania: https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
ITEM 4:
· Colonial Pipeline ransomware group using new tactics to become more dangerous: https://www.techrepublic.com/article/colonial-pipeline-ransomware-group-using-new-tactics-to-become-more-dangerous/?web_view=true
· Colonial Pipeline Ransomware Attack: https://en.wikipedia.org/wiki/Colonial_Pipeline_ransomware_attack
About the Author
Ron McFarland, PhD, CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, MSc in Computer Science from Arizona State University, and a Post-Doc graduate research program in Cyber Security Technologies from the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security and other Cisco courses and was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications.
CONTACT Dr. Ron McFarland, PhD, MSc, CDNA, CISSP
· CMTC Email: rmcfarland@cmtc.com
· Email: highervista@gmail.com
· LinkedIn: https://www.linkedin.com/in/highervista/
· Website: https://www.highervista.com
· YouTube Channel: https://www.youtube.com/channel/UCJ57_1OgZ5H1nMVdGElcvrw