Tag Archives: CISA

Security News for the Week Ending November 19, 2021

Old Scams Never Die, They Just Get a Fresh Coat of Paint

According to a DHS warning, scammers have been posing as Immigration and Customs Enforcement (ICE) Homeland Security Investigations (HSI) agents in San Antonio. The scammers call the mark, claim to be HSI, and say there is a problem with the mark’s passport that will go away if they just pay the “agent” some money. They threaten arrest if the mark doesn’t pay: the passport, they say, was involved in a crime and police will be dispatched to the mark’s house. Marks who manage to “mark the mark”, so to speak, can report the call to the ICE tip line at 866-347-2423. This type of scam is decades old; the only things that change are the targets and the agency the scammers claim to represent, although DHS is a popular one. Credit: Infosecurity

Hackers Use a Real FBI Email Account to Send Cyberattack Spam

I don’t think this qualifies as a hack; it is really poor software design. The FBI runs a portal for law enforcement, and until Saturday anyone could sign up for an account. The prankster used it to send out at least 100,000 emails, and the FBI was flooded with calls. For admins, it was hard to disregard the alert since it came from the FBI’s real mail server and passed DKIM and DMARC checks. That is the caveat worth remembering: mail authentication proves which domain’s infrastructure sent a message, not that the message is legitimate. A bit of a black eye for the FBI, who only said they were working on fixing the hole. Their temporary fix was to shut the system down. Probably a good idea. The hacker talked to Brian Krebs and explained what he did and why: to point out crappy security. Credit: Brian Krebs
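To make the “passed DMARC” point concrete, here is an added example (not code from the original post, and not anything the FBI runs) that evaluates DMARC alignment from a message’s Authentication-Results header. The two sample messages, the addresses in them, and the receiving-host name are constructed for illustration; they are not the actual sender or headers from the incident. A hoax relayed by the domain owner’s own server passes every check, while a classic third-party spoof of the same From address fails alignment.

```python
"""DMARC alignment check over an Authentication-Results header.

Added example, not from the original post and not FBI code. Shows what
"passed DMARC" means mechanically: the domain that SPF or DKIM authenticated
must align with the header From domain. A hoax relayed by the domain owner's
own server passes; a classic spoof sent from a third-party server does not.
"""
import email
import re
from email import policy
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.

    Simplified to the last two labels. A real implementation consults the
    Public Suffix List; this shortcut is wrong for e.g. example.co.uk.
    """
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def parse_auth_results(value: str) -> dict:
    """Extract {method: (result, domain)} for the spf and dkim clauses.

    Handles the common RFC 8601 layout
    'authserv-id; spf=pass smtp.mailfrom=a@b; dkim=pass header.d=b'.
    """
    results = {}
    for clause in value.split(";")[1:]:  # first clause is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=([^\s;()]+)", clause)
        domain = dom.group(1).split("@")[-1].lower() if dom else ""
        results[method] = (result.lower(), domain)
    return results


def dmarc_verdict(raw_message: str, relaxed: bool = True) -> dict:
    """Evaluate DMARC alignment for one raw RFC 5322 message.

    DMARC passes if SPF or DKIM produced 'pass' for a domain aligned with
    the header From domain (relaxed: same organizational domain;
    strict: exact match).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].split("@")[-1].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    def aligned(auth_domain: str) -> bool:
        if not auth_domain or not from_domain:
            return False
        if relaxed:
            return org_domain(auth_domain) == org_domain(from_domain)
        return auth_domain == from_domain

    spf_ok = "spf" in auth and auth["spf"][0] == "pass" and aligned(auth["spf"][1])
    dkim_ok = "dkim" in auth and auth["dkim"][0] == "pass" and aligned(auth["dkim"][1])
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
    }


# Constructed samples. The addresses and host names are assumptions for
# illustration, not the actual sender or headers from the incident.
HOAX_VIA_REAL_SERVER = "\n".join([
    "From: Alerts <alerts@fbi.gov>",
    "To: admin@example.net",
    "Subject: Constructed hoax warning",
    "Authentication-Results: mx.example.net;"
    " spf=pass smtp.mailfrom=alerts@fbi.gov;"
    " dkim=pass header.d=fbi.gov header.s=sel1",
    "",
    "This body is bogus, but every authentication check passes.",
])

CLASSIC_SPOOF = "\n".join([
    "From: Alerts <alerts@fbi.gov>",
    "To: admin@example.net",
    "Subject: Constructed spoof",
    "Authentication-Results: mx.example.net;"
    " spf=pass smtp.mailfrom=bounce@attacker.example;"
    " dkim=pass header.d=attacker.example header.s=x",
    "",
    "SPF and DKIM pass, but for the attacker's domain, so DMARC fails.",
])


if __name__ == "__main__":
    for name, raw in (("hoax via real server", HOAX_VIA_REAL_SERVER),
                      ("classic spoof", CLASSIC_SPOOF)):
        print(name, dmarc_verdict(raw))
```

The verdict for the first message is a pass on both SPF and DKIM, which is exactly why a receiving gateway had no authentication-based reason to drop it. Content and context checks (an unexpected sender, an alert your agency contact never mentioned) are the only place left to catch this kind of abuse.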

Election Conspiracy Theory Lives On

For those of us in Colorado, there is a full-blown election conspiracy fight still going on. Tina Peters, the election official in Mesa County, the reddest part of the state, is in the middle of a fight for her political life. A Republican, she was booted out of her role as election chief by Jena Griswold, a Democrat and the state’s Secretary of State (its chief election official), who appointed another Republican to oversee Mesa County’s elections. So far, the courts have sided with the state. Peters did things like turning off the cameras in the secure counting area and making covert copies of the disk drives from the counting machines. Somehow, copies of all of her voting system passwords and a copy of the rogue disk drive image were posted on the Internet for anyone to download. She says she doesn’t know how that happened. Her legal expenses are being paid by MyPillow CEO Mike Lindell. Check out the story here.

CISA About to Name Members of New Advisory and Investigation Panels

DHS’s CISA officially created the Cybersecurity Advisory Committee this month. It was authorized in the 2021 NDAA. The committee is limited to 35 people and must include one member each from 12 key industries, including finance, tech, communications and healthcare; the remaining slots will be appointed by CISA’s director. The Cyber Safety Review Board was created by executive order this year and will operate much the way the NTSB examines transportation accidents: it will include both government and private sector people and will convene when needed. Credit: The Record

CISA Issues Cyber Goals & Objectives for Critical Infrastructure Control Systems

While the goals are currently voluntary, CISA has issued guidelines for what it expects from pipelines and other critical infrastructure operators in light of the Colonial Pipeline attack. While it appears the hackers were not able to take over the control systems in that attack, attackers did take over the control systems in the Florida and Kansas water system attacks.

And while the goals are written for critical infrastructure operators, if they make sense for you, you might want to adopt them too.

CISA already has a raft of documents, so they reviewed and harmonized them and came up with a single list. See the link at the end for more information. Here are some of the highlights; each goal comes with a rationale and objectives.

RISK MANAGEMENT AND CYBERSECURITY GOVERNANCE

GOAL: Identify and document cybersecurity risks to control systems using established recommended practices (e.g., NIST Cybersecurity Framework, NIST Risk Management Framework, International Society of Automation/International Electrotechnical Commission (ISA/IEC) 62443, NIST Special Publication (SP) 800-53, NIST SP 800-30, NIST SP 800-82) and provide dedicated resources to address cybersecurity risk and resiliency through planning, policies, funding, and trained personnel.

ARCHITECTURE AND DESIGN

GOAL: Integrate cybersecurity and resilience into system architecture and design in accordance with established recommended practices for segmentation, zoning, and isolating critical systems (e.g., Industrial Control Systems-Computer Emergency Response Team Defense in Depth guide, Purdue Diagram) and review and update annually to include, as appropriate, any lessons learned from operating experience consistent with industry and federal recommendations.

CONFIGURATION AND CHANGE MANAGEMENT

GOAL: Document and control hardware and software inventory, system settings, configurations, and network traffic flows throughout control system hardware and software lifecycles.

PHYSICAL SECURITY

GOAL: Physical access to systems, facilities, equipment, and other infrastructure assets, including new or replacement resources in transit, is limited to authorized users and are secured against risks associated with the physical environment.

SYSTEM AND DATA INTEGRITY, AVAILABILITY AND CONFIDENTIALITY

GOAL: Protect the control system and its data against corruption, compromise, or loss.

CONTINUOUS MONITORING AND VULNERABILITY MANAGEMENT

GOAL: Implement and perform continuous monitoring of control systems cybersecurity threats and vulnerabilities.

TRAINING AND AWARENESS

GOAL: Train personnel to have the fundamental knowledge and skills necessary to recognize control system cybersecurity risks and understand their roles and responsibilities within established cybersecurity policies, procedures, and practices.

INCIDENT RESPONSE AND RECOVERY

GOAL: Implement and test control system response and recovery plans with clearly defined roles and responsibilities.

SUPPLY CHAIN RISK MANAGEMENT

GOAL: Risks associated with control system hardware, software, and managed services are identified and policies and procedures are in place to prevent the exploitation of systems through effective supply chain risk management consistent with best practices (e.g. NIST SP 800-161).

For more details go to this CISA web site here.

Security News for the Week Ending July 16, 2021

Supply Chain Attacks Roll On

The Accellion File Transfer Appliance vulnerabilities have been the source of many breach notifications over the last several months. For whatever reason, they seem to be dribbling out. The newest one is Morgan Stanley. In this case, it was a Morgan Stanley VENDOR that was using Accellion, so instead of the third party attacks we talk about all the time, this is a fourth party attack. Of course, Morgan Stanley will take the heat, fines and lawsuits. Are you sure your vendors have your back? What about their vendors? Credit: Data Breach Today

Senate Finally Confirms Jen Easterly as Head of DHS/CISA

After CISA had been without an official chief for 8 months, and after one Senator pulled a pre-July 4th political stunt that delayed her confirmation, the Senate unanimously confirmed Easterly this week. Easterly, who retired from the Army in 2011, was deputy director for counterterrorism at the NSA, served on the National Security Council staff at the White House, and is a two-time Bronze Star recipient. She is an outstanding person to lead CISA after Chris Krebs was fired last year for not following the party line. Credit: CNN

Did Russia Get the Message?

Remember the REvil ransomware gang, the folks that hacked Kaseya and JBS, among others? Well, their web sites are no more. Did the U.S. take them down? Did Putin decide he didn’t like the heat? Will they come back later under a different name? Not clear. What is clear is that victims who were trying to get their files decrypted by paying the ransom now have a bit of a problem: with the gang’s payment and decryptor sites gone, they are kinda out of luck. My guess is Biden told Putin to fix the problem or we would fix it for him, and he probably would not like the collateral damage. Credit: MSN

Hackers are Hard to Kill Off

Last year around election time, U.S. Cyber Command (and, separately, Microsoft) announced that they had taken down the Russian Trickbot operation, which has millions of victims around the globe. Bitdefender found that the operators are resurrecting their tools, updating them, and so on. While Bitdefender found this particular tool using a honeypot, that doesn’t mean it was their only tool, and it certainly does not mean they will shut down. It does mean that hacker networks are so profitable that they will come back from the dead. Credit: The Daily Beast

Want a $10 Million Prize?

The feds are offering a reward of up to $10 million for information on operations conducted by actors working for a foreign government. On Thursday, the U.S. Department of State announced that its Rewards for Justice (RFJ) program now incentivizes reports of foreign malicious activity against U.S. critical infrastructure. The actions may include extortion as part of a ransomware attack, stealing information from protected systems, “and knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.” The feds set up a Tor site to report information confidentially. Credit: Bleeping Computer

Security News for the Week Ending July 2, 2021

WD NAS Devices Are Being Wiped Worldwide

The downside of using devices beyond their end of support is that you can get hacked and all of your data can get wiped. That is what has happened to many WD My Book Live owners. Western Digital stopped patching the devices in 2015, and attackers figured out how to remotely trigger a factory reset over the Internet, wiping all the data. The second mistake is not having offline backups, which, apparently, a lot of these Western Digital owners also did not have. The result is many sad Western Digital owners. It does not appear that Western Digital’s own servers were hacked. Users who did not make backups are, at this point, just outta luck. Credit: Bleeping Computer

As if this wasn’t bad enough, there is now a second zero-day that can be used to wipe the devices. Credit: Metacurity

Pentagon Official Accused of Disclosing Classified Information

Katie Arrington, a political appointee in the DoD’s office of acquisition and sustainment and who acted as A&S’s CISO was suspended and her security clearance deactivated after being accused of unauthorized disclosure of classified information. Rumors had been that she was walked out of the Pentagon several months ago, but no announcement was made until this week. If true, she could wind up in jail. Credit: Newsweek

Politics ‘R’ Us – CISA Don’t Need No Stinkin’ Director

CISA, the Cybersecurity and Infrastructure Security Agency, part of DHS, has been without a director since ex-president Trump fired Chris Krebs last year for saying that there was no massive election fraud. President Biden nominated Jen Easterly, a graduate of West Point and Oxford, a retired Army Lt. Colonel and a long-time intelligence and NSA official, but the Senate has not voted on her confirmation. The arcane Senate rules allow any Senator to put a hold on anything for any reason. In this case, Senator Rick Scott decided that since Kamala Harris had not visited the southern border, something he thinks is important, the Senate should not vote on Easterly’s nomination to head CISA. This has nothing to do with Easterly or security, just some Senator on a power trip. It appears that maybe next week Scott may decide to stop being a dictator and allow the Senate to vote on Easterly’s appointment. By then CISA will have been without a director for more than 6 months, during which time a major oil pipeline was shut down by a ransomware attack, the Russians compromised a number of federal agencies via SolarWinds, Chinese actors compromised Microsoft Exchange servers in government and the private sector, and numerous other attacks occurred. The political process is very messy. Credit: ZDNet

Microsoft Testifies it Gets 10 Info Demands a Day from the Feds

Microsoft testified this week that it gets 7 to 10 secrecy orders every single day from the feds, demanding that it turn over customer information and not notify the customer that their information has been targeted. Since these orders are secret and often stay that way forever, cloud service customers have no way of knowing whether their personal and/or sensitive information is in the hands of the government, for some unknown purpose, under what is likely poor security. (The FBI just told Congress that it needs millions and millions more dollars to protect its systems, so it is reasonable to assume that at least some FBI systems have been compromised and data stolen. We know, for example, that the Department of Justice was a victim of the SolarWinds attack.) This may mean that companies that use the cloud (which is almost everyone) need to take more security measures than they are taking, at least for sensitive data. The obvious one is encrypting that data with keys the provider does not hold, so an order served on the provider yields only ciphertext. Credit: The Register

Is Russia More Tech-Savvy Than the US?

Russia’s military intelligence agency, the GRU, whose hacking unit is tracked as, among other names, APT28, Fancy Bear and Iron Twilight, is using a Kubernetes cluster to massively scale brute force and password spraying attacks against American and European organizations in government, the military, defense contractors, energy, education, logistics, law firms, media, politics and think tanks. Does that leave anyone out? Once the brute force attacks yield valid credentials, they use them to move around inside the organization and steal information, often undetected. The feds (NSA, CISA, FBI and the UK’s NCSC) publicly warned businesses this week. That means businesses need to up their security game (multi-factor authentication, lockout and rate limiting, and watching for floods of failed logins from a single source) if they want to protect their systems and information. Credit: The Hacker News
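The “watching for failed logins” part is the piece most shops skip, so here is an added example (not code from the original post or from the NSA/CISA/FBI/NCSC advisory) of the detection logic, run over constructed authentication log lines. The log format, the user names, and the source addresses are all assumptions for illustration; map the one-line parser onto your own source (Microsoft 365 sign-in logs, VPN or SSH auth logs) and the rest stays the same. It separates a password spray (one guess each against many accounts) from a classic brute force (many guesses against one account), and flags the case the advisory actually cares about: a successful login from a source that was just spraying, which is the credential that then gets reused for lateral movement.

```python
"""Brute-force and password-spray detection over authentication log lines.

Added example, not from the original post or from the joint advisory.
Constructed log format (one event per line):
    <ISO-8601 time> <success|failure> user=<name> src=<ip>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (success|failure) user=(\S+) src=(\S+)$")


def parse_line(line: str):
    """Return (timestamp, result, user, src), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user.lower(), src


def detect(lines, window=timedelta(minutes=10), spray_users=5, brute_attempts=10):
    """Flag, per source address, within a sliding window of recent failures:
      - password_spray: failures against >= spray_users distinct accounts
      - brute_force:    >= brute_attempts failures against a single account
      - success_after_failures: a successful login while either pattern is
        active from the same source (the credential to hunt for afterwards)
    Each pattern is reported once per source.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev[3]].append(ev)

    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        recent = deque()      # (timestamp, user) for failures inside the window
        reported = set()
        for ts, result, user, _ in events:
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            per_user = defaultdict(int)
            for _, u in recent:
                per_user[u] += 1
            if result == "failure":
                recent.append((ts, user))
                per_user[user] += 1
                if len(per_user) >= spray_users and "spray" not in reported:
                    reported.add("spray")
                    findings.append({"type": "password_spray", "src": src,
                                     "users": len(per_user), "at": ts})
                worst_user, worst = max(per_user.items(), key=lambda kv: kv[1])
                if worst >= brute_attempts and "brute" not in reported:
                    reported.add("brute")
                    findings.append({"type": "brute_force", "src": src,
                                     "user": worst_user, "attempts": worst, "at": ts})
            else:
                suspicious = (len(per_user) >= spray_users or
                              (per_user and max(per_user.values()) >= brute_attempts))
                if suspicious and "success" not in reported:
                    reported.add("success")
                    findings.append({"type": "success_after_failures", "src": src,
                                     "user": user, "prior_failures": len(recent),
                                     "at": ts})
    return findings


# Constructed sample (not real data); addresses are from the RFC 5737
# documentation ranges.
SAMPLE_LOG = [
    # one source, one guess each against many accounts, then a hit on one
    "2021-07-01T09:00:00 failure user=alice src=203.0.113.7",
    "2021-07-01T09:01:00 failure user=bob src=203.0.113.7",
    "2021-07-01T09:02:00 failure user=carol src=203.0.113.7",
    "2021-07-01T09:03:00 failure user=dave src=203.0.113.7",
    "2021-07-01T09:04:00 failure user=erin src=203.0.113.7",
    "2021-07-01T09:05:00 failure user=frank src=203.0.113.7",
    "2021-07-01T09:06:00 success user=frank src=203.0.113.7",
    # a user mistyping twice and then logging in: must not fire
    "2021-07-01T11:00:00 failure user=alice src=192.0.2.5",
    "2021-07-01T11:00:30 failure user=alice src=192.0.2.5",
    "2021-07-01T11:01:00 success user=alice src=192.0.2.5",
] + [
    # one source hammering a single account: 12 failures in 44 seconds
    f"2021-07-01T10:00:{s:02d} failure user=admin src=198.51.100.9"
    for s in range(0, 48, 4)
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The thresholds are deliberately conservative defaults; tune `spray_users` and `brute_attempts` to your own baseline of benign failures. The real-world caveat from the advisory is that the attacker’s Kubernetes cluster came through TOR exit nodes and commercial VPN providers, so keying on a single source address alone will miss a distributed spray; the same logic keyed on the target tenant or on a user-agent string catches that variant.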

NSA/FBI/CISA Issue Alert – Russia SVR

While China is a serious threat and the last administration pushed on that hard, that administration ignored Russia.

Today the National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agencies issued a joint alert titled Russian SVR Targets U.S. and Allied Networks.

The NSA, FBI and CISA said that the Russian Foreign Intelligence Service or SVR is behind the exploitation of 5 publicly known vulnerabilities.

The Feds also announced that Russia and the SVR were the ones behind the SolarWinds attack and all the other attacks surrounding SolarWinds.

In addition to the SolarWinds attack, they are crediting/blaming the SVR for exploiting known vulnerabilities in:

  • Fortinet FortiGate VPN
  • Synacor Zimbra Collaboration Suite
  • Pulse Secure VPN
  • Citrix Application Delivery Controller and Gateway
  • VMware Workspace ONE Access

The advisory is available here.

The FBI and their cousins also provided some very specific actions to take, here.

Here is the problem. These actors are pros. These are not random attacks.

In the SolarWinds attack they went after heavily defended federal agencies as well as a lot of big companies.

The Feds are saying that you should assume a breach will happen. Note that they did not say assume a breach might happen. They said to:

  • implement network segmentation
  • enable robust logging
  • prepare for incident response

It seems like they are saying that we are fighting a war.

The feds will do their part to try and identify them and slow them down, but this is more of an art than a science.

One bit of good news is that the NSA is sufficiently embarrassed for missing SolarWinds that they are on high alert. That should help. HELP, but not prevent.

Historically, the NSA spent 90% of their budget on offense and 10% on defense. While we don’t know what those numbers are today, the pendulum has definitely moved.

And this is good for every business in America.

Be prepared. Credit: NSA

Security News for the Week Ending November 20, 2020

Oracle POS Back Door Discovered

Oracle bought the Micros point-of-sale business a few years ago and now has to deal with the challenges that came with it. The newest is a modular back door targeting the MICROS RES 3700 POS series, which is used by hundreds of thousands of hotels, restaurants, bars and other hospitality locations. The malware, which has been around for a year, can download new modules to increase the damage it can do. Credit: Help Net Security

New Facebook Feature

Okay, many people use Facebook a lot while others find it useless. Ransomware extortion artists have found a new use: hack advertisers’ Facebook accounts and buy ads telling the victim to pay up. The ads get taken down, but not before someone else gets to pay for them and not before the victim gets outed very publicly. Credit: Brian Krebs

White House Fires Chris Krebs, As Expected

As anticipated, the White House fired Chris Krebs, head of DHS’s CISA unit. Krebs was the person who was in charge of protecting the 2020 elections and, by all accounts, did a great job. Part of the White House’s upset with Krebs is the web site he ran called rumor control where he debunked the myths about election fraud that the White House has been peddling. The good news is that he will be able to find a job at any number of consulting companies making double or triple what he was making at DHS. This is a loss for the country. Credit: Bleeping Computer

Ransomware: 56% of Organizations Get Hit

56% of organizations responding to a recent survey say that they have been hit by ransomware in the last year. 27% of those hit chose to pay the ransom with an average payout to the hackers of just over a million bucks.

87% of the respondents said that nation-state sponsored cyberattacks are far more common than people think, posing the single biggest threat (check your cyber insurance for a war or state-sponsored-attack exclusion). Credit: Help Net Security