More stories


    These new hacking groups are striking industrial, operational tech targets

    Three new threat groups targeting the industrial sector have appeared, but over half of the ransomware attacks on manufacturers are the work of only two known cybercriminal outfits, researchers say. 

    Cyberattacks against industrial players, critical infrastructure providers, utilities, and energy companies, whether oil, gas, or renewables, are often less about making a quick buck and more about data theft or real-world disruption. The ransomware incidents at Colonial Pipeline and JBS called attention to the ramifications of digital attacks on supply chains. After Colonial Pipeline temporarily halted delivery services to investigate a cyberattack, fuel panic-buying took place across parts of the United States. JBS, a global meatpacker, paid an $11 million ransom, but this was not enough to prevent delays in meat pricing and a drop in cattle slaughter due to market uncertainty.

    Industrial cyberattacks, especially those conducted by advanced persistent threat (APT) groups, can also be political in nature. Tension is brewing between Russia and Ukraine, and Russia has been accused of responsibility for ongoing cyberattacks, including a distributed denial-of-service (DDoS) assault on Ukrainian government websites; financial services in the country have also been impacted. The Kremlin has denied any involvement. Russia has also been accused of the 2015 cyberattack that took down part of Ukraine's power grid.

    Ukrainian officials have also pointed the finger at Russia for deliberately attempting to sow panic through the disruption, and as past infrastructure attacks on private companies have shown, the behavior of the general public can certainly be affected by such activities.

    In Dragos' fifth Year in Review report on Industrial Control System (ICS) and Operational Technology (OT) threats, the cybersecurity firm said that three new groups have been discovered "with the assessed motivation of targeting ICS/OT." The discovery follows last year's research, which detailed the activity of four other groups, dubbed Stibnite, Talonite, Kamacite, and Vanadinite. Dragos' new activity groups are called Kostovite, Petrovite, and Erythrite.

    Kostovite: In 2021, Kostovite targeted a major renewable energy organization. The threat actors used a zero-day vulnerability in the remote access solution Ivanti Connect Secure to obtain direct access to the firm's infrastructure, move laterally, and steal data. Kostovite has targeted facilities in North America and Australia. Dragos says the group overlaps with UNC2630, a Chinese-speaking intrusion group, and is associated with 12 malware families.

    Petrovite: Appearing in 2019, Petrovite has frequently targeted mining and energy businesses in Kazakhstan. The group makes use of the Zebrocy backdoor and conducts general reconnaissance.

    Erythrite: Active since at least 2020, Erythrite generally targets organizations in the US and Canada. Its target list is broad and includes oil and gas companies, manufacturers, electricity firms, and one member of the Fortune 500. "Erythrite performs highly effective search engine poisoning and deployment of credential-stealing malware," Dragos says. "Their malware is released as part of a rapid development cycle designed to be evasive to endpoint detection. Erythrite has technical overlaps to another group labeled by multiple IT security organizations as Solarmarker."

    Kostovite and Erythrite have demonstrated the skills to conduct sophisticated intrusions, "with a focus on access operations and data theft over disruption," according to Dragos. "[These] adversaries are willing to spend time, effort, and resources targeting, compromising, and harvesting information from ICS/OT environments for future purposes," Dragos says.

    The new players join LockBit 2.0 and Conti, which Dragos estimates were responsible for 51% of all ransomware attacks in the manufacturing sector.

    Dragos also researched the general state of industrial security. According to the firm, OT threat triage is "incredibly difficult at scale," as 86% of its engagements found an existing lack of network visibility. Previously undetected external connections, shared credentials, and improper network segmentation were common OT security issues, and more than double the number of industry-related CVE vulnerabilities were published in 2021 compared with 2020. Dragos says that over a third of ICS/OT CVE advisories contain inaccurate data and errors, making it harder to patch emerging vulnerabilities correctly. In addition, 65% of advisories for public vulnerabilities had a patch available but no alternative means of mitigation.


    Hackers tried to shatter the spine of global supply chains in 2021

    Cybercriminals have invested their efforts into breaking supply chains over the past year, with the manufacturing sector now becoming a top target. 

    According to IBM's annual X-Force Threat Intelligence Index, based on security incidents and threat data gathered over 2021, businesses are being "imprisoned" by the active exploitation of vulnerabilities and the deployment of ransomware. The tech giant's researchers say that phishing remains the most common initial access vector, but there was also a 33% increase in the exploitation of vulnerabilities in unpatched systems. In total, vulnerability exploitation is considered responsible for 44% of the known ransomware attacks included in the report.

    Supply chain attacks can have severe ramifications: central service providers may be compromised to deploy poisoned software updates to their customer bases, ransomware may be executed to cause as much disruption to vendors as possible, ramping up the pressure to pay, or attacks may be triggered to deliberately wreak havoc in the real world, such as taking down utilities or core services in a target country.

    CrowdStrike's latest threat report says that ransomware attacks leading to data leaks increased from 1,474 in 2020 to 2,686 in 2021, and that the most impacted sectors were technology, engineering, manufacturing, and the industrial sector. This appears to back up IBM's findings, which say that ransomware operators tried to "fracture" global supply chains by targeting manufacturing, which bore the brunt of 23% of overall attacks. "Attackers wagered on the ripple effect that disruption on manufacturing organizations would cause their downstream supply chains to pressure them into paying the ransom," IBM says.

    In total, 47% of cyberattacks against manufacturers were caused by the exploitation of vulnerabilities in unpatched software. Vulnerabilities disclosed in Industrial Control Systems (ICS) rose by roughly 50% year over year. Not all bugs are equal, however: the ones that matter generally allow an attacker to cut off network visibility, hijack a device remotely, or cause physical damage. Reconnaissance is also on the rise; as an example, IBM reported a 2,204% increase in adversarial reconnaissance of internet-connected SCADA Modbus Operational Technology (OT) devices during 2021. According to IBM, the pivot to manufacturing has "dethroned financial services and insurance after a long reign." Another notable point in the report is the increasing focus on cloud environments: Docker is becoming a more common target for threat actors, and there was a 146% increase in new Linux-based ransomware code. Charles Henderson, head of IBM X-Force, says that 2021 trends reveal a cultural change from "chasing the money" to "chasing the leverage." "The attack surface is only growing larger, so instead of operating under the assumption that every vulnerability in their environment has been patched, businesses should operate under an assumption of compromise, and enhance their vulnerability management with a zero-trust strategy," Henderson commented.
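    Both reports above reduce to three things a defender can actually look for in flow telemetry: Modbus/TCP sessions reaching OT devices from the internet (IBM's reconnaissance finding), Modbus sessions reaching OT from ordinary IT hosts (the improper segmentation Dragos describes), and OT hosts talking outbound to the internet (the "previously undetected external connections" Dragos found in most engagements). The script below is an added example for this page, not tooling from Dragos, IBM, or any vendor. It assumes a hypothetical flow record format `timestamp,src_ip,dst_ip,dst_port,proto` (the kind of export a NetFlow collector or Zeek conn.log can be reduced to), an assumed OT range of 10.50.0.0/16, and treats everything outside RFC 1918 space as external; the sample flows are constructed for illustration.

```python
"""OT flow triage for the three conditions the Dragos and IBM reports call out.

Added example, not code from Dragos, IBM or any product. Input is a hypothetical
flow record format 'timestamp,src_ip,dst_ip,dst_port,proto', one record per line.
The OT address range (10.50.0.0/16) is an assumption; adjust OT_SUBNETS per site.
"""
import ipaddress
from collections import defaultdict
from typing import Iterable, Optional, Tuple

OT_SUBNETS = [ipaddress.ip_network("10.50.0.0/16")]  # assumed OT range
# Anything outside RFC 1918 (plus loopback) is treated as "external", i.e. the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MODBUS_PORT = 502  # Modbus/TCP: no authentication, so reachability is the whole story


def parse_flow(line: str) -> Optional[Tuple]:
    """Return (ts, src, dst, dport, proto) or None for a malformed record."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower())
    except ValueError:  # bad address or non-numeric port
        return None


def in_ot(ip) -> bool:
    return any(ip in net for net in OT_SUBNETS)


def is_external(ip) -> bool:
    return not any(ip in net for net in INTERNAL_NETS)


def triage(lines: Iterable[str]) -> dict:
    """Bucket flows into the three findings; collections are sorted for stable output."""
    modbus_from_external = defaultdict(int)   # internet source -> number of Modbus sessions
    modbus_from_it = defaultdict(set)         # internal non-OT source -> OT devices reached
    ot_outbound = defaultdict(set)            # OT host -> external "dst:port" it connected to
    skipped = 0
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            skipped += 1
            continue
        _ts, src, dst, dport, proto = rec
        # Modbus into OT from anywhere that is not itself OT.
        if proto == "tcp" and dport == MODBUS_PORT and in_ot(dst) and not in_ot(src):
            if is_external(src):
                modbus_from_external[str(src)] += 1
            else:
                modbus_from_it[str(src)].add(str(dst))
        # OT host initiating a connection to the internet.
        if in_ot(src) and is_external(dst):
            ot_outbound[str(src)].add(f"{dst}:{dport}")
    return {
        "modbus_from_external": dict(modbus_from_external),
        "modbus_from_it": {k: sorted(v) for k, v in modbus_from_it.items()},
        "ot_outbound_external": {k: sorted(v) for k, v in ot_outbound.items()},
        "skipped_records": skipped,
    }


# Constructed sample flows (not real telemetry). 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for internet addresses; 10.20.0.0/16 plays the IT LAN.
SAMPLE_FLOWS = """\
2022-02-22T10:00:01Z,203.0.113.7,10.50.1.20,502,tcp
2022-02-22T10:00:02Z,203.0.113.7,10.50.1.21,502,tcp
2022-02-22T10:00:03Z,203.0.113.7,10.50.1.22,502,tcp
2022-02-22T10:00:04Z,10.50.1.20,198.51.100.9,443,tcp
2022-02-22T10:00:05Z,10.20.3.4,10.50.1.20,502,tcp
2022-02-22T10:00:06Z,10.50.1.30,10.50.1.20,502,tcp
2022-02-22T10:00:07Z,10.50.1.20,10.50.2.5,123,udp
this line is deliberately malformed
""".splitlines()

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_FLOWS).items():
        print(f"{name}: {hits}")
```

    On the sample data the internet host sweeping three PLCs on port 502 is reported once with a session count, the IT workstation reaching a PLC is reported as a segmentation finding, and the PLC's own HTTPS connection to an internet address is reported as an undetected external connection; the HMI-to-PLC Modbus session and the in-OT NTP traffic are expected and produce nothing. A real deployment would replace the hard-coded ranges with an asset inventory and feed the output into an alerting pipeline rather than printing it.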


    Companies warned to boost cyber defence in wake of Ukraine crisis escalation

    On Wednesday afternoon, the Australian government joined the governments of the United States and United Kingdom in placing sanctions on Russian banks and individuals, and at the same time issued a warning to organisations to boost their cyber defence. Australian Prime Minister Scott Morrison said the government had already privately reached out to some entities and that local organisations should read guidance issued by the Australian Cyber Security Centre (ACSC). "We have already been taking action on cyber defences and that has been done privately already with many companies, alerting them to the risk of potential counter responses by Russia and other actors in response to these decisions," Morrison said. "There is no evidence that any such attacks have taken place to date, I'm advised, but we are now publicly saying right across the country to go to [cyber.gov.au] so you can be clearly informed of the steps that you should be taking to ensure that you are protected as best as you can be from any cyber attacks." The prime minister added that cyber was the most obvious vector for Russian retaliation, and that companies could be targeted directly as well as become collateral damage. "The cyber attacks can sometimes come from miscalculation and misadventure, we have seen that in the past, where cyber attacks have sought to let loose various worms … or viruses and they get out of control of those who put them in the system," he said. In its guidance, the ACSC says organisations should be reviewing and enhancing their detection, mitigation, and response capabilities.

    "Organisations should ensure that logging and detection systems in their environment are fully updated and functioning and apply additional monitoring of their networks where required," it states. "Organisations should also assess their preparedness to respond to any cyber security incidents, and should review incident response and business continuity plans." Similar warnings have already been issued by Australia's Five Eyes partners, with the UK National Cyber Security Centre stating that "there has been a historical pattern of cyber attacks on Ukraine with international consequences". Since last month, the Canadian Centre for Cyber Security has been warning administrators to isolate critical infrastructure from the internet if it could be deemed an attractive target. "When using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization's network is unavailable or untrusted," the warning said. The US issued its warning in January. In the past 24 hours, Russian President Vladimir Putin recognised two breakaway republics in eastern Ukraine and ordered forces into the regions on a so-called "peacekeeping" mission, triggering the responses from the Western democracies.


    Cookware giant Meyer says cyberattack caused leak of employee SSNs, immigration status

    An apparent ransomware attack on cookware giant Meyer Corporation has caused thousands of employee Social Security numbers and other sensitive information to be leaked. The company filed paperwork with the attorneys general of California and Maine, notifying both that the information of 2,747 employees was involved in the attack. The pots and pans manufacturer reported more than $128 million in sales in 2021. In notification letters sent to victims, the company said the attack began "on or around October 25, 2021" and involved driver's licenses, passports, Permanent Resident Cards, and information regarding immigration status, among a host of other sensitive information. Employees working for Meyer subsidiaries such as Blue Mountain Enterprises, Hestan Commercial Corporation, Hestan Smart Cooking, and Hestan Vineyards were also affected. "Meyer was the victim of a cybersecurity attack by an unauthorized third party that impacted our systems and operations. Upon detecting the attack, Meyer initiated an investigation with the assistance of our cybersecurity experts, including third-party forensic professionals. On or around December 1, 2021, our investigation identified potential unauthorized access to employee information," the California-based company said. 

    "The types of personal information that may have been accessed during this incident will depend on the types of information you have provided to your employer, but may include: first and last name; address; date of birth; gender; race/ethnicity; Social Security number; health insurance information; medical condition(s) and diagnoses; random drug screening results; COVID vaccination cards and status; driver's license, passport, or government-issued identification number; Permanent Resident Card and information regarding immigration status; and information regarding your dependents (including Social Security numbers), if applicable, that you may have provided to the company in the course of your employment." Victims of the attack and their dependents are being offered two years of free identity protection services.

    The company would not confirm whether it was a ransomware attack, but the Conti ransomware gang added the company to its leak site in November. The entry held about 245 MB of data, which Conti said represented 2% of what it had stolen. The group never updated the entry.


    Data protection becomes a fundamental right in Brazil

    The Brazilian Congress has enacted an amendment to the Constitution that makes personal data protection a fundamental right of citizens. The change makes personal data protection an entrenched clause, meaning any future change on the subject will have to be aimed at expanding and protecting citizens' rights.


    Under the amendment to article 5 of the country's Constitution, which relates to individual and collective rights, a new section has been added, stating that "the right to protection of personal data, including in digital media, is ensured under the terms of the law." The president of the Brazilian Senate, Rodrigo Pacheco, said that the enactment of the amendment is a demonstration of Congress' commitment "to the non-negotiable value of individual liberty." Pacheco also noted the measure reinforces legal certainty and improves the environment for investment in Brazil's technology and communication sector. The proposal underpinning the amendment establishes that the federal government is solely responsible for the organization and supervision of the protection and processing of personal data, and has exclusive competence to legislate on the protection and processing of personal information.

    According to supporters of the proposal, this avoids fragmented treatment of the subject by state and municipal legislation. Brazilian politicians in favor of the amendment say the centralization of legislative competence over data protection is important because it also anchors the General Data Protection Law (LGPD) in the Constitution. In force since September 2020, LGPD regulates the processing of personal data by individuals and by public or private entities in Brazil across any medium, including digital media, with the goal of ensuring the privacy of data subjects. The sanctions provided for in the law became enforceable in August 2021, and fines can reach up to 2% of a company's revenue in cases of non-compliance. The board members of the body responsible for enforcing the law, the National Data Protection Authority (ANPD), were appointed in October 2020, and the body announced its strategy in February 2021.

    However, there are critics of Brazil's current data protection set-up. Consumer protection body Idec noted that the provision for the creation of an independent data protection regulator was removed from the proposal when it was voted on by the lower house of Congress. According to Idec, the fact that ANPD is linked to the president's office is "something that goes against international recommendations for the constitution of authorities on the subject and jeopardizes the necessary supervision of data processing in the country." "Although the final proposal does not address the issue of [ANPD's] independence, the new amendment to the Federal Constitution strengthens the fundamental right to the protection of personal data, previously recognized by the Federal Supreme Court, providing Brazil with yet another powerful legal instrument to protect rights of consumers and citizens", the consumer body noted.



    New York announces statewide cybersecurity coordination center

    New York state governor Kathy Hochul unveiled a new centralized cybersecurity center after White House officials met with her on Friday to discuss their concerns about potential cyberattacks.  Hochul announced the new statewide Joint Security Operations Center alongside mayors from New York City, Albany, Buffalo, Rochester, Syracuse, and Yonkers on Tuesday afternoon. 

    The cybersecurity hub, located in Brooklyn and described as the first of its kind in the nation, will serve as a centralized location for state officials to turn to in times of cyber crisis. Officials said the Joint Security Operations Center will be made up of experts from federal and state law enforcement entities, representatives from local and county governments, and NYC3. NYC3 was created in 2017 as a body coordinating New York City's cyber defenses across more than 100 agencies and offices. The mayors said the command center will strengthen the state's threat detection capability "by centralizing telemetry data — allowing officials to assess and monitor potential threats in real time." The center will also help officials "streamline threat intelligence and responses in the event of a significant cyberattack." Hochul explained that she had been working throughout the weekend after federal officials held meetings warning of the potential for cyberattacks in response to sanctions against senior officials in the Russian government. Cybersecurity and Infrastructure Security Agency director Jen Easterly said there are no specific or credible threats to the US but wrote that "Russia may consider taking retaliatory action in response to sanctions that may impact our critical infrastructure."

    Easterly lauded the New York effort, writing that collaboration between local, state, federal, and private sector players is how they can successfully ensure the resilience of businesses and organizations. "In light of current geopolitical uncertainty, earlier today I convened cabinet members from relevant areas to review our ongoing cybersecurity preparedness efforts and make sure that New Yorkers, our institutions, and our critical infrastructure are protected from cyber-facilitated disruptions. We are in regular touch with the White House and the US Department of Homeland Security to ensure coordination," Hochul said. 

    "The reality is that because New York State is a leader in the finance, healthcare, energy, and transportation sectors, our state is an attractive target for cyber criminals and foreign adversaries. My Administration has taken significant steps to prepare for what have become increasingly sophisticated cyberattacks, including my recent budget proposal to invest $62 million in our cybersecurity protections, which is more than double last year's. Cabinet leaders will continue reviewing their cyber-risk management readiness and communicate with relevant industry and government partners to ensure threat intelligence is being relayed as quickly as possible," Hochul added. 


    At the event, local mayors spoke at length about the trouble they face in defending government offices against waves of sophisticated attacks. "There is no greater threat to the day-to-day operations of city and state government than cybersecurity," Syracuse mayor Ben Walsh said. Albany's mayor spoke about the city's ordeal with a ransomware attack in 2019, while New York City mayor Eric Adams said his predecessor, former mayor Bill de Blasio, told him cybersecurity was one of the biggest crises the city was facing. New York City announced its own slate of measures designed to protect the city from cyberattacks. Adams released an executive order requiring each city agency to designate a cyber command liaison who will work with the Office of Cyber Command to share information, monitor threats, and adopt cybersecurity best practices.

    "Technology runs our water, controls our electricity, and notifies us during an emergency, so cyber attacks have the ability to bring our entire city to a halt if we are not prepared. Our city is a prime target for those who want to cause destruction, and while New York City Cyber Command is already a national model for impeding these threats, it's time our cybersecurity gets moved to the next level," Adams said. "The new Joint Security Operations Center will take an integrated and holistic approach to hardening our cyber defenses across the city and the state, building on the robust cyber infrastructure New York City has developed in recent years." New York City Chief Technology Officer Matthew Fraser said the creation of the Joint Security Operations Center was a transformational moment for cybersecurity in the state because it could make New York "the most cyber-resilient state in the nation." State officials also noted that the Joint Security Operations Center will work with local educational institutions such as CUNY to build out cyber curriculums and expand talent pipelines.


    Palo Alto Networks shares jump as FYQ2 results top expectations, raise outlook

    Security technology titan Palo Alto Networks this afternoon reported fiscal Q2 revenue and profit that both topped Wall Street’s expectations and raised its outlook for the year. The report sent Palo Alto Networks shares up over 5% in late trading. 

    CEO Nikesh Arora remarked that Palo Alto "continued to benefit from strength across our three security platforms, driven by strong cybersecurity demand, organizations architecting for hybrid work and growing their hyperscale cloud footprints." Arora added, "On the back of this strength, notably in our next-generation security offerings, we are raising our guidance for the year across revenue, billings, and earnings per share." CFO Dipak Golechha remarked, "Total shareholder return was at the forefront of our Q2 results as we continued to deliver on accelerated revenue growth and strong cash flow generation as well as returned capital to shareholders." Revenue in the three months ending in December rose 30%, year over year, to $1.3 billion, yielding a net profit of $1.74 a share, excluding some costs. Analysts had been modeling $1.28 billion and $1.65 per share.

    Palo Alto said its "remaining performance obligation," a measure of the total value of contracts with customers, rose by 36% to $6.3 billion. For the current quarter, the company sees revenue of $1.345 billion to $1.61 billion, and EPS in a range of $1.65 to $1.68. That compares to consensus of $1.35 billion and a $1.63 profit per share. For the full year, the company sees revenue in a range of $5.425 billion to $5.475 billion, and EPS of $7.23 to $7.30. That is above the outlook offered in November of $5.35 billion to $5.4 billion and $7.15 to $7.25 per share. The forecast compares to consensus of $5.39 billion and a $7.23 profit per share.

