The Good, the Bad and the Ugly in Cybersecurity – Week 31

The Good

These last few years have been, at the very least, challenging as well as eye-opening. The rate of high-profile, high-impact ransomware and extortion attacks has been and continues to be on a steep rise. The stakes are higher than ever before, with entire countries’ infrastructure at risk. This week, in the wake of attacks against the likes of Kaseya, SolarWinds, the Colonial Pipeline and more, the Biden administration unveiled the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

This updated memorandum aims to bring together multiple federal agencies, including CISA and NIST, to develop updated cybersecurity goals and metrics, as well as new guidelines for the support of critical infrastructure. The memorandum also includes the Industrial Control Systems Cybersecurity Initiative, a voluntary collaborative effort between the private and public sectors to work towards improving critical infrastructure security. Building on the ICS initiative, it also aims to greatly accelerate improvements in visibility and monitoring of these systems. As stated in Section 3:

“We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response…is central to ensuring the safe operations of these critical systems.”

All this comes on the heels of recent remarks from President Joe Biden, essentially stating that an escalation of cyber threats can potentially lead to a ‘real shooting war’.

While that is an extreme we hopefully will never see, proactive measures such as these are a welcome effort. Updating and modernizing the security of these critical systems is crucial to the ongoing security of all countries.

The Bad

Iran has been in the cyber wars again, with two stories breaking this week in which the country has been on both the giving and receiving end of APT campaigns. According to one research paper, the Iranian nation-state APT group TA456 targeted a U.S. defense contractor over a period of years by masquerading as an attractive female aerobics instructor by the name of “Marcella Flores”.

The ruse was designed to infect the device of an employee at the aerospace defense contractor with malware that could exfiltrate sensitive information over SMTPS. The employee was “groomed” from at least 2019 through email and social media chat before being sent a malicious link in June 2021 to a cloud-hosted document purporting to be a diet survey. The document contained macros to infect the user’s device. The fake persona included a Facebook profile first created in 2018 that linked ‘Marcy’ with multiple social media ‘friends’ working at defense contractors. While it appears that the plot was unsuccessful, it demonstrates just how much time and resources APTs are prepared to dedicate when it comes to high-value targets.

Source: Proofpoint

Meanwhile, SentinelLabs reported this week that Iran was itself on the receiving end of a sophisticated attack that disrupted its national train service earlier this year with a previously unknown wiper malware dubbed ‘MeteorExpress’. The threat actor behind the attack also seems to be a new player, displaying TTPs that do not track to any other known group. A full analysis of the malware is given here, but much remains to be discovered about the motives and identity of the attacker.

The Ugly

This week a cybersecurity advisory was released covering the top routinely exploited vulnerabilities. The new report was released as a joint effort between the FBI, NCSC (UK Cyber Security Centre), ACSC (Australian Cyber Security Centre), and CISA (U.S. Cybersecurity and Infrastructure Security Agency). The report encompasses data from 2020 to the present and goes into detail on related indicators of compromise and associated mitigations. The 2021 list should come as little surprise to those of us who made it through the Hafnium (aka ProxyLogon/Exchange) attacks just a few months ago.

Source: CISA

The top targeted applications (so far) for 2020 include:

For 2020, the bulletin provides the top 10 specific CVEs regularly targeted, which are as follows:

Citrix CVE-2019-19781
Pulse CVE-2019-11510
Fortinet CVE-2018-13379
F5 BIG-IP CVE-2020-5902
MobileIron CVE-2020-15505
Microsoft CVE-2017-11882
Atlassian CVE-2019-11580
Drupal CVE-2018-7600
Telerik CVE-2019-18935
Microsoft CVE-2019-0604
Microsoft CVE-2020-0787
Netlogon CVE-2020-1472

Many of these flaws have been actively exploited by numerous threat actors since their public disclosure. CVE-2017-11882, for instance, has been leveraged by the Ramsay Trojan and Agent Tesla, and it is incorporated into numerous exploit kits and Malware-as-a-Service (MaaS) products distributed among threat actors. Pulse is another standout, having been heavily leveraged by REvil across multiple campaigns. Also worthy of special mention is CVE-2019-1150, which allows attackers to read sensitive files or data off a remote host. This includes the ability for remote, unauthenticated attackers to siphon usernames and passwords in cleartext from exposed devices.

Those tasked with enterprise security can learn an important lesson from this list. These CVEs are not all from 2021 or even 2020; some were disclosed as far back as 2017. In other words, despite constant outcries to patch and update exposed and vulnerable systems, attackers know this does not always translate into timely action. Targeting old flaws remains a successful attack vector and is less work than discovering and developing new zero days.

Unfortunately, the list in this new joint alert is only a subset of what is being leveraged by threat actors and it is vital to keep our sense of awareness grounded in the reality of our threat landscape. There is always room for improvement when it comes to patch deployment and threat mitigation.