Tag Archive for: Infrastructure

Forescout: Security threats to exposed critical infrastructure go ignored

/in


HANNOVER, Germany — Internet exposure of Operational Technology (OT) and Industrial Control Systems (ICS) continues to be a critical infrastructure security issue despite decades of raising awareness, new regulations, and periodic government advisories. 

Forescout, a global cybersecurity leader, unveiled Better Safe Than Sorry, a seven-year analysis of internet-exposed OT/ICS data. The study was conducted by Forescout Research – Vedere Labs, a leading global team dedicated to uncovering vulnerabilities in and threats to critical infrastructure.

In the Better Safe Than Sorry report, Forescout researchers examine the realistic opportunities for a mass target attack of internet-exposed OT/ICS devices. These devices are fertile ground for abuse as attackers look no further than using basic rationale driven by current events, copycat behavior, or the emergencies found in new, off-the-shelf capabilities or readily available hacking guides to create chaos.

Forescout released Better Safe Than Sorry from HANNOVER MESSE, the world’s leading trade fair for industrial technology. Forescout researchers can discuss these findings in Hall 16, Booth: A12 in the IT & OT Circus, April 22-26.

“If these warnings sound familiar, it’s because they are. The looming potential for a mass target scenario is high,” said Elisa Costante, VP of Research at Forescout Research – Vedere Labs. “Forescout calls on vendors, service providers, and regulatory agencies to work collectively to prevent attacks on critical infrastructure that will spare no one.”

Top research highlights in the Better Safe Than Sorry report include:

  1. North America is making strides to close the gap, but there is still work to do around the world. The US and Canada significantly reduced the number of exposed devices during the study period by 47% in the US and 45% in Canada. The other top 10 countries increased the number of exposed devices:
    • Spain: 82%
    • Italy: 58%
    • France: 26%
    • Germany: 13%
    • Russia: 10%
  2. Proactive, targeted notification is urgently required. The Unitronics hacking incidents and a combination of regulatory alerts and media coverage led to a 48% reduction in internet exposed Unitronics PLCs within two…

Source…

FBI’s Chris Wray warns Chinese hackers preparing to attack US infrastructure ‘to induce panic’

/in


FBI Director Christopher Wray warned Thursday that a hacking group linked to the Chinese government is waiting for the right moment to “deal a devastating blow” to U.S. critical infrastructure.

Wray delivered a keynote speech at the Vanderbilt Summit on Modern Conflict and Emerging Threats in Nashville, and told national security and intelligence experts that the risks posed by the government of China to U.S. national and economic security are “upon us now.”

The director said a recent bureau investigation found that the Chinese government had gained illicit access to networks within America’s “critical telecommunications, energy, water, and other infrastructure sectors.”

“The PRC [People’s Republic of China] has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage, and that its plan is to land low blows against civilian infrastructure to try to induce panic and break America’s will to resist,” Wray said — the FBI explained “these vital sectors—everything from water treatment facilities and energy grids to transportation and information technology—form the backbone of our society.”

“The fact is, the PRC’s targeting of our critical infrastructure is both broad and unrelenting,” he added. “It’s using that mass, those numbers, to give itself the ability to physically wreak havoc on our critical infrastructure at a time of its choosing,”

Wray said CCP-sponsored cyber actors “prepositioned” themselves to potentially mount cyber offenses against American energy companies in 2011—targeting 23 different pipeline operators, with Wray saying this helps understand current motivations.

“When one victim company set up a honeypot—essentially, a trap designed to look like a legitimate part of a computer network with decoy documents—it took the hackers all of 15 minutes to steal data related to the control and monitoring systems, while ignoring financial and business-related information, which suggests their goals were even more sinister than stealing a leg up economically,” he said.

The CCP also targeted critical infrastructure organizations through more…

Source…

What is Volt Typhoon? A cybersecurity expert explains the Chinese hackers targeting US critical infrastructure

/in


Volt Typhoon is a Chinese state-sponsored hacker group. The United States government and its primary global intelligence partners, known as the Five Eyes, issued a warning on March 19, 2024, about the group’s activity targeting critical infrastructure.

The warning echoes analyses by the cybersecurity community about Chinese state-sponsored hacking in recent years. As with many cyberattacks and attackers, Volt Typhoon has many aliases and also is known as Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite and Insidious Taurus. Following these latest warnings, China again denied that it engages in offensive cyberespionage.

Volt Typhoon has compromised thousands of devices around the world since it was publicly identified by security analysts at Microsoft in May 2023. However, some analysts in both the government and cybersecurity community believe the group has been targeting infrastructure since mid-2021, and possibly much longer.

Volt Typhoon uses malicious software that penetrates internet-connected systems by exploiting vulnerabilities such as weak administrator passwords, factory default logins and devices that haven’t been updated regularly. The hackers have targeted communications, energy, transportation, water and wastewater systems in the U.S. and its territories, such as Guam.

In many ways, Volt Typhoon functions similarly to traditional botnet operators that have plagued the internet for decades. It takes control of vulnerable internet devices such as routers and security cameras to hide and establish a beachhead in advance of using that system to launch future attacks.

Operating this way makes it difficult for cybersecurity defenders to accurately identify the source of an attack. Worse, defenders could accidentally retaliate against a third party who is unaware that they are caught up in Volt Typhoon’s botnet.

Why Volt Typhoon matters

Disrupting critical infrastructure has the potential to cause economic harm around the world. Volt Typhoon’s operation also poses a threat to the U.S. military by potentially disrupting power and water to military facilities and critical supply chains.

FBI Director…

Source…

Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure

/in


U.S. Critical Infrastructure

U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware.

“Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars,” the government said.

The advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Active since May 2019, multiple variants of Phobos ransomware have been identified to date, namely Eking, Eight, Elbie, Devos, Faust, and Backmydata. Late last year, Cisco Talos revealed that the threat actors behind the 8Base ransomware are leveraging a Phobos ransomware variant to conduct their financially motivated attacks.

There is evidence to suggest that Phobos is likely closely managed by a central authority, which controls the ransomware’s private decryption key.

Attack chains involving the ransomware strain have typically leveraged phishing as an initial access vector to drop stealthy payloads like SmokeLoader. Alternatively, vulnerable networks are breached by hunting for exposed RDP services and exploiting them by means of a brute-force attack.

Cybersecurity

A successful digital break-in is followed by the threat actors dropping additional remote access tools, taking advantage of process injection techniques to execute malicious code and evade detection, and making Windows Registry modifications to maintain persistence within compromised environments.

“Additionally, Phobos actors have been observed using built-in Windows API functions to steal tokens, bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege process,” the agencies said. “Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access.”

The e-crime…

Source…