Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Critical Infrastructure. Show all posts
Spear Phishing
Critical Infrastructure Cyber Attacks cybercrime group Defense Kaspersky Russian Government Spear Phishing

Awaken Likho Targets Russian Agencies with MeshCentral Remote Access Tool

 

Awaken Likho, also referred to as Core Werewolf or PseudoGamaredon, is a cyber threat group targeting Russian government agencies and industrial entities. Since June 2024, a new campaign has been observed, where attackers have shifted from using UltraVNC to MeshCentral’s legitimate agent for remote access to compromised systems. The campaign primarily focuses on Russian government contractors and industrial enterprises, as reported by Kaspersky. Spear-phishing is a key method employed by Awaken Likho, with malicious executables disguised as Word or PDF files. 

These files trick victims by using double extensions such as “.doc.exe” or “.pdf.exe,” making them appear like standard document formats. When opened, these files trigger the installation of UltraVNC or, in the new campaign, MeshCentral’s MeshAgent tool, which grants the attackers full control over the compromised system. Awaken Likho’s cyberattacks date back to at least August 2021, first gaining attention through targeting Russia’s defense and critical infrastructure sectors. However, more recently, the group has shifted to using self-extracting archives (SFX) to covertly install UltraVNC, along with presenting decoy documents. 

In its latest campaigns, an SFX archive triggers the execution of a file named “MicrosoftStores.exe,” which unpacks an AutoIt script. This script eventually runs the MeshAgent tool, facilitating ongoing remote control via the MeshCentral server. By creating a scheduled task, Awaken Likho ensures persistence within the infected system. The scheduled task consistently runs the command file, which in turn launches MeshAgent, allowing communication with the MeshCentral server. This tactic gives the attackers access to the system long after the initial breach. Russian cybersecurity company Kaspersky has revealed that the campaign’s primary focus remains within Russian government bodies, contractors, and industrial enterprises. 

Additionally, earlier findings from BI.ZONE in June 2023 indicated that Awaken Likho has targeted sectors including defense and critical infrastructure, emphasizing the group’s intent on penetrating Russia’s most vital industries. A notable attack in May 2023 targeted a Russian military base in Armenia, as well as a research institute involved in weapons development. These actions suggest Awaken Likho’s primary focus on entities involved in Russia’s security and defense sectors, with significant consequences for the country’s critical infrastructure. 

This new chapter in Awaken Likho’s activity signals the group’s evolving tactics and its continued interest in leveraging spear-phishing attacks with more sophisticated tools. By transitioning to the MeshCentral platform, the group showcases its adaptability in maintaining control over systems while evading detection, making it a significant threat to Russian entities in the future.
Read more »
Software update
Critical Infrastructure critical infrastructure risk Cyber Security faulty software update software se Software update

Faulty Software Update Shuts Down Critical Infrastructure, Highlighting Major Risks

 

A recent incident involving a faulty software update has underscored the significant risks associated with system updates and the potential vulnerabilities in critical infrastructure. This incident, which caused a widespread shutdown of essential services, serves as a stark reminder of the importance of rigorous testing and robust cybersecurity protocols. The issue arose when a routine software update, intended to enhance performance and security, instead led to a catastrophic failure in several systems. 

The update, which was pushed out without adequate testing, contained a critical bug that disrupted the operation of numerous infrastructure services. As a result, vital operations were halted, causing widespread inconvenience and highlighting the fragility of digital infrastructure. One of the most affected sectors was the energy industry, where the software update caused several power plants to go offline. This led to significant disruptions in power supply, affecting both residential and commercial users. The outage also had a ripple effect on other critical services, including healthcare and transportation, further amplifying the impact of the incident. The problem was traced back to a flaw in the software update process. The update was not thoroughly vetted before being deployed, and the critical bug went unnoticed. Once the issue became apparent, emergency protocols were initiated to roll back the update and restore normal operations. 

However, the process was not straightforward, and it took several hours to bring all affected systems back online. This incident has raised serious concerns about the security and reliability of software updates, particularly for systems that underpin critical infrastructure. It has also highlighted the need for more stringent testing procedures and better contingency planning. Experts argue that while updates are necessary for maintaining security and performance, they must be handled with extreme caution to avoid such catastrophic failures. In response to the incident, several companies have announced plans to review and enhance their software update processes. This includes implementing more rigorous testing procedures, improving communication channels to quickly address any issues that arise, and developing more robust rollback mechanisms to quickly revert to previous versions in case of problems. 

Moreover, there is a growing call for industry-wide standards and best practices for software updates, particularly for critical infrastructure. These standards would ensure that updates are thoroughly tested and that there are adequate safeguards in place to prevent widespread disruptions. The incident serves as a sobering reminder of the delicate balance between maintaining security through updates and ensuring the stability of critical systems. As digital infrastructure becomes increasingly integral to everyday life, the stakes for getting this balance right have never been higher. 

Moving forward, it is imperative for companies and regulatory bodies to work together to strengthen the processes and protocols surrounding software updates, ensuring that they enhance security without compromising the reliability of essential services.
Read more »
Technology
Critical Infrastructure Ransom Payment Ransomware Sophos Technology

How Ransomware is Draining Resources from Critical Infrastructure

How Ransomware is Draining Resources from Critical Infrastructure

The Rising Cost of Ransomware Attacks on Critical Infrastructure

The costs of ransomware attacks on critical national infrastructure (CNI) firms have soared over the last year.

According to Sophos' newest numbers, which were revealed today, the typical ransom payment increased to $2.54 million, more than 41 times last year's total of $62,500. The mean payment for 2024 is considerably greater, at $3.225 million, representing a less dramatic 6-fold rise.

IT, technology, and telecoms were the least likely to pay large sums to hackers, with an average payment of $330,000, but lower education and federal government organizations reported the highest average payments of $6.6 million.

The figures are based solely on ransomware victims who were willing to reveal the specifics of their mistakes, thus they do not provide the full picture.

The Escalating Financial Burden

Only 86 of the 275 CNI organizations surveyed provided statistics on ransom payments. There's a significant risk that the results would be distorted if all of the CNI ransomware victims polled were completely upfront with their information.

Costs to recover from ransomware attacks have also increased dramatically since the researchers' findings last year, with some CNI industries' costs quadrupling to a median average of $3 million per event.

The Impact on Critical Infrastructure

According to the report, only one in every five people were able to recover in a week or less, down from 41 percent the previous year and 50 percent the year before that. The percentage of victims who take more than a month to recuperate has also increased to 55%, up from 36% last year. 

Sophos stated in its analysis that this could be due to attacks getting more sophisticated and complicated, requiring more work from the IT team to effectively repair all of the damage caused by the crimes. However, the vendor's global field CTO, Chester Wisniewski, believes the industries should reevaluate their propensity to pay ransoms.

Read more »
Ransomware
Colonial Pipeline Critical Infrastructure Cyber Attacks Data Leak Ransomware

Securing India’s Infrastructure: Key Takeaways from the Colonial Pipeline Hack

Securing India’s Infrastructure: Key Takeaways from the Colonial Pipeline Hack

In 2021, a major supplier of oil and gas to the American east coast, Colonial Pipeline, was taken offline, after a reported ransomware attack. The 5,500-mile pipeline attack triggered a call for increased regulations to protect and strengthen critical infrastructure against cyberattacks.

Since the incident, there’s been more awareness and willingness to invest in securing critical infrastructure in India, with the much-awaited Cybersecurity Bill 2024 being tabled in the Parliament in March this year. 

The Indian government has continuously increased its cybersecurity investment with successive incremental budgetary allotments towards this cause. Three years on, the attack still begs the question: How exposed to attacks is India’s critical infrastructure?

Changing landscape of operational technology (OT)

Traditionally, operational technology (OT) systems were isolated and “air-gapped” from the internet. However, the convergence of IT and OT has led to increased connectivity. The Colonial Pipeline attack exploited this connectivity, highlighting the need for robust security protocols. India’s critical infrastructure sectors (energy, transportation, and water supply) must assess their OT networks and implement necessary safeguards.

Compliance vs. security

While regulatory compliance provides a baseline, it alone is insufficient. Organizations should move beyond compliance and adopt a risk-based approach. Regular security assessments, vulnerability scans, and penetration testing are crucial. India’s proposed Cybersecurity Bill 2024 emphasizes the importance of proactive security measures.

Investment in cybersecurity

India must allocate adequate resources to strengthen its critical infrastructure cybersecurity. Budgetary provisions should cover training, threat intelligence, incident response, and technology upgrades. Collaborating with international partners and adopting best practices can enhance India’s cyber resilience.

Recommendations for India

The Colonial Pipeline incident demonstrated that critical infrastructure is becoming a significant issue in cybersecurity and that businesses must constantly be ready. This incident, one of the most disruptive attacks in history, forever altered the cybersecurity environment, paving the way for increased discussions about OT security among the general public, government officials, and the cybersecurity sector. It sparked a trend, pressing the public sector to be more proactive and invest more in operational technology security.

As a result, legislators and politicians are looking for measures to improve regulations to strengthen cyber defenses. More importantly, the attack emphasizes the importance of a comprehensive risk management approach and understanding the trajectory of where we want to be in terms of cyber security in ten years. With OT at the center of the discourse, strengthening our cyber defenses is more important than ever.

Read more »
Scattered Spider
Critical Infrastructure Cyber Attacks Data Extortion data security Scattered Spider

Scattered Spider: Hackers Attacking Commercial Sectors, Cops Troubled

Scattered Spider

Scattered Spider threat actors primarily steal data for extortion using a variety of social engineering approaches, and they have recently used BlackCat/ALPHV ransomware in addition to their usual TTPs.

According to a senior bureau official, the FBI must "evolve" to effectively stop a group of hackers who have wreaked havoc on some of the largest firms in the United States, who asked the public to be patient as law enforcement combats the criminal network.

CISA and FBI issue joint notice

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity Advisory (CSA) on Scattered Spider, a cybercriminal gang that targets commercial facilities and subsectors. The advice contains tactics, methods, and procedures (TTPs) gathered from FBI investigations as recent as November 2023.

The FBI and CISA encourage network defenders and critical infrastructure companies to study the joint CSA for proposed mitigations to decrease the possibility and severity of a cyberattack by Scattered Spider actors. 

Last year, the hacking collective called Scattered Spider made international headlines for its destructive cyberattacks on gambling behemoths MGM Resorts and Caesars Entertainment. Analysts identified the hackers in 2022, who employ social engineering to trick people into disclosing their login credentials or one-time password codes to defeat multifactor authentication.

Once inside, the group — Star Fraud, UNC3944, and Octo Tempest — builds persistence in networks, living off the territory as some state-sponsored hackers do, before deploying ransomware, stealing data, and demanding ransoms from victims.

The Scattered Spider Phenomenon

1. Data Theft and Extortion

Scattered Spider’s modus operandi revolves around data theft. They infiltrate systems, exfiltrate sensitive information, and then hold it hostage for ransom. Their victims include high-profile organizations, and the stakes are high. The group’s ability to extract valuable data without detection is a testament to their skill.

2. BlackCat/ALPHV Ransomware

Scattered Spider doesn’t rely solely on traditional hacking methods. They’ve embraced ransomware, specifically the BlackCat/ALPHV variant. This malicious software encrypts victims’ files, rendering them inaccessible until a ransom is paid. The group’s proficiency in deploying ransomware underscores their adaptability.

The Social Engineering Twist

1. Human Manipulation

What sets Scattered Spider apart is their mastery of social engineering. They exploit human psychology to gain access to systems. Whether through phishing emails, impersonation, or psychological manipulation, they find the weakest link—the human element—and exploit it. Their ability to deceive and manipulate individuals is their secret weapon.

2. The Insider Threat

Scattered Spider often targets employees within organizations. An unsuspecting employee may unwittingly click a malicious link or share sensitive credentials. The group’s understanding of human behavior allows them to bypass technical defenses. Cybersecurity professionals must recognize this insider threat and educate employees accordingly.

The FBI’s Battle

1. Resource Allocation

The Federal Bureau of Investigation (FBI) is actively pursuing Scattered Spider. Their dedicated cybercrime units are tracking down group members. However, the group remains elusive, operating across borders and leaving minimal traces. The FBI’s challenge lies in balancing resources to combat this agile adversary.

2. Collaboration and Information Sharing

The FBI collaborates with international agencies, sharing intelligence and pooling resources. Scattered Spider’s attacks span continents, and global cooperation is essential. By working together, law enforcement agencies can build a comprehensive profile of the group and disrupt their operations.

Scattered Spider is a formidable adversary in the cybercrime landscape, and law enforcement agencies are actively working to counter their activities. For more information, check this advisory.

Read more »
Trust
Critical Infrastructure Cyber Security Organization security State Actors Trust

Trust in Cyber Takes a Knock as CNI Budgets Flatline

Trust in Cyber Takes a Knock as CNI Budgets Flatline

Trust in cybersecurity technologies has become one of the most difficult hurdles for critical national infrastructure (CNI) providers as sophisticated nation-state threats grow, according to a recent Bridewell assessment.

The Trust Deficit

The IT services firm's most recent Cyber Security in Critical National Infrastructure report is based on interviews with over 1000 CISOs and equivalents from CNI providers in the United States and the United Kingdom.

It found that over a third (31%) identified "trust in cybersecurity tools" as a key challenge this year, up 121% from the 2023 edition of the survey.

Confidence in tools took a hit last year when the UK joined the US and other nations in warning providers of key services about China-backed action against CNI, according to the research.

74% of respondents expressed fear about Chinese state actors, which is comparable to 73% anxiety about Russian state operatives.

These worries are likely to have been heightened recently, with the United States warning in February that Chinese agents have pre-positioned themselves in several CNI networks to unleash damaging strikes in the event of a military conflict.

Budget Constraints

Budgets have declined in tandem with trust in tooling. According to the research, the share of IT (33%) and OT (30%) budgets set aside for cybersecurity has dropped drastically from 44% and 43% the previous year, respectively.

The dramatic reduction is evident across the board, from new recruits to training and risk assessments to technological investments.

Despite these financial challenges, nearly a third (30%) of CNI respondents who were victims of a ransomware attack last year informed Bridewell that they paid the extortionists.

Bridewell cautioned that, in addition to the fees, CNI enterprises could face legal consequences.

Ransom payments could, for example, be sent to persons facing legal repercussions from the United Kingdom, the United States, or the European Union. The UK's Office of Financial Sanctions Implementation has warned that payments may violate the law in other jurisdictions, according to the report.

Interestingly, more than a quarter (27%) of respondents reported that ransomware intrusions had a psychological impact on employees.

The Way Forward

Bridewell CEO Anthony Young expressed sympathy for those firms that do wind up paying.

If the firm is unable to recover, paying the ransom may be the only viable alternative for resuming operations short of reinstalling its systems from the start, he argued.

However, this tough decision can be avoided by implementing a security plan that reduces the possibility of threat actors obtaining access and moving through your systems without being detected and effectively removed.

Read more »
ransomware-as-a-service
BlackByte ransomware Critical Infrastructure Cyberattack Cybersecurity Cybersecurity Agencies Data Breach Encina Wastewater Authority ransomware-as-a-service

Encina Wastewater Authority Reportedly Targeted by BlackByte Ransomware

Carlsbad, California – Encina Wastewater Authority (EWA) has become the latest target of the notorious BlackByte ransomware group. The group, known for its aggressive tactics, has hinted at a cyberattack on EWA's platform, suggesting the potential sale of sensitive company documents obtained during the intrusion.

Despite BlackByte's claims, EWA's website, http://encinajpa.com, remains operational without immediate signs of intrusion. However, cybersecurity experts speculate that the threat actor may have infiltrated the organization's backend systems or databases rather than launching a visible front-end attack like a distributed denial-of-service (DDoS) assault.

Encina Wastewater Authority serves over 379,000 residents and businesses across North San Diego County, playing a crucial role in wastewater treatment, resource recovery, and environmental protection for public health and regional water sustainability.

The Cyber Express has reached out to Encina Wastewater Authority for clarification on the alleged cyberattack. As of writing, no official statement or response has been issued by the organization, leaving the claims unconfirmed. The BlackByte ransomware group has also shared sample documents, indicating the attack and offering their sale or removal via email.

BlackByte has been a concern for cybersecurity agencies since its emergence in July 2021, targeting critical infrastructure and gaining attention from the Federal Bureau of Investigation (FBI) and the US Secret Service (USS). Despite mitigation efforts, such as the release of a decrypter by Trustwave in October 2021, BlackByte continues to evolve its tactics and persists in targeting organizations worldwide through a ransomware-as-a-service (RaaS) model.

The situation regarding the alleged cyberattack on Encina Wastewater Authority will be closely monitored by The Cyber Express, and updates will be provided as more information becomes available or any official statement from the organization is issued.
Read more »
water system security
Critical Infrastructure Cyber Threats cybersecurity posture Data Breach ransomware attacks Southern Water Veolia North America water supply water system security

Major Water Suppliers Hit by Ransomware Attacks

 

Recent ransomware attacks have impacted two major water supply systems in the United States and the United Kingdom, with Boston-based Veolia North America and England's Southern Water falling victim to cyber threats. In both instances, attackers have reportedly seized employee or customer data and are demanding ransom payments. Fortunately, neither organization has reported prolonged service disruptions due to encrypted files or folders, and no ransom payments have been disclosed.

Veolia North America, serving approximately 550 communities, acknowledged a ransomware incident affecting its Municipal Water division. The attack prompted the temporary shutdown of some software applications and systems, causing delays in online bill payment systems for customers. The company assured that no operational technology, including industrial control systems, was compromised. Digital forensics investigators were promptly engaged to investigate the intrusion, and affected individuals will be directly notified about the stolen personal information.

Similarly, Southern Water in the UK confirmed a ransomware attack by the Black Basta group but asserted that no data encryption occurred, and critical operations remained intact. The utility, serving 2.5 million water customers and over 4.7 million wastewater customers, is still evaluating the extent of potential data theft. The Black Basta group claimed to have stolen 750 gigabytes of data, including corporate documents and users' personal information. Southern Water emphasized that customer relationships and financial systems remained unaffected, and services continued without disruption.

These incidents come amid a broader surge in ransomware attacks, as highlighted in a report by British consultancy NCC Group, revealing an 84% increase in known ransomware attacks in 2023 compared to the previous year. The U.S. Cybersecurity and Infrastructure Security Agency recently released an incident response guide for the water and wastewater sector, emphasizing the potential cascading impacts of a compromise in critical infrastructure sectors.

The White House has been urging various critical infrastructure sectors to enhance their cybersecurity posture, with a focus on reviewing and improving defenses. The attacks also underscore the ongoing challenges in ensuring the cybersecurity of essential services, prompting organizations to remain vigilant and proactive in safeguarding their systems.
Read more »
Vulnerable Systems
CISA Critical Infrastructure Ransomware Groups RWVP Vulnerabilities and Exploits Vulnerable Systems

RWVP: CISA Shares Vulnerabilities and Misconfigurations Targeted by Ransomware Groups


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently revealed an insight into the misconfigurations and security vulnerabilities exploited by ransomware groups, in order to help critical infrastructure companies tackle their attacks. 

This information is part of a Ransomware Vulnerability Warning Pilot (RVWP) program conducted by CISA, which shows concern over the ransomware devices discovered on the networks of critical infrastructure organizations. 

To date, RVWP has discovered and identified over 800 vulnerable systems with internet-accessible vulnerabilities that are often targeted by different ransomware activities.  

CISA stated that "Ransomware has disrupted critical services, businesses, and communities worldwide and many of these incidents are perpetrated by ransomware actors using known common vulnerabilities and exposures (CVE) (i.e., vulnerabilities)." 

"However, many organizations may be unaware that a vulnerability used by ransomware threat actors is present on their network[…]Now, all organizations have access to this information in our known exploited vulnerabilities (KEV) catalog as we added a column titled, 'known to be used in ransomware campaigns.' Furthermore, CISA has developed a second new RVWP resource that serves as a companion list of misconfigurations and weaknesses known to be used in ransomware campaigns," CISA added.

RVWP is a component of a much larger effort that was initiated in response to the growing ransomware threat to critical infrastructure that first surfaced almost two years ago with a wave of cyberattacks targeting key infrastructure companies and U.S. government organizations, including Colonial Pipeline, JBS Foods, and Kaseya.

In June 2021, CISA broadened its horizon by launching the Ransomware Readiness Assessment (RRA), a component of its Cyber Security Evaluation Tool (CSET), whose goal is to help companies analyze and evaluate their preparedness in order to mitigate the risks and tackle from potential ransomware attacks. 

By August 2021, CISA also made recommendations to help vulnerable public and commercial sector organizations stop data breaches brought on by ransomware incidents.

In addition, CISA further formed an alliance with the business sector to defend vital US infrastructure against ransomware and other online dangers. All federal agencies and businesses who joined the cooperation have a collective response strategy embodied in this collaborative initiative, the Cyber Defense Collaborative.  

Read more »
phishing
Critical Infrastructure Cyber Security Cyber-attacks ISRO phishing

Cybersecurity Challenges Faced by ISRO: Chief S Somanath

The Indian Space Research Organisation (ISRO) has been facing over 100 cyber-attacks daily, according to a statement by ISRO Chief S Somanath. The attacks are mostly phishing attempts and malware attacks. 

During the concluding session of the 16th edition of the c0c0n, a two-day international cyber conference in Kerala’s Kochi, Somanath stated that rocket technology, which employs advanced software and chip-based hardware, is more susceptible to cyber-attacks.

ISRO’s Cybersecurity Challenges

"The organization is equipped with a robust cybersecurity network to face such attacks," said Mr. Somnath. "Earlier, the way of monitoring one satellite has changed to a way of software monitoring many satellites at a time. This indicates the growth of this sector. During COVID, it was possible to launch from a remote location which shows the triumph of technology."

During the concluding session of the c0c0n, Kerala Revenue Minister P Rajeev stated that the state government is capable of providing sufficient security to the cyber arena, making it a model for cyber security governance. He stated that The Kerala state government is capable of ensuring cybersecurity and supporting the sector by establishing a Digital University in the state. Additionally, K-Fone ensures internet access in every household in Kerala.

The ISRO is responsible for India’s space program and has been instrumental in launching several satellites and missions. The organization has been targeted by hackers in the past, with reports of cyber-attacks dating back to 2017. The recent statement by the ISRO Chief highlights the increasing threat of cyber-attacks on critical infrastructure.

ISRO’s Cybersecurity Measures

The ISRO has taken several measures to improve its cybersecurity posture. In 2020, the organization launched a cybersecurity policy aimed at protecting its critical infrastructure from cyber threats. The policy outlines guidelines for secure coding practices, access control, incident management, and other security-related aspects.

"We can face the challenges posed by cyber criminals using technology like artificial intelligence with the same technology. There should be research and hard work towards this end," Mr. Somnath said.


Read more »
Subscribe to: Posts (Atom)