More stories

  •

    White House, EPA release 100-day cybersecurity plan for water utility operators

    The White House, Environmental Protection Agency (EPA) and Cybersecurity and Infrastructure Security Agency (CISA) are rolling out a 100-day plan to improve the cybersecurity of the country’s water systems, which faced a variety of attacks over the last year. 

    The “Industrial Control Systems Cybersecurity Initiative — Water and Wastewater Sector Action Plan” includes several measures that officials believe can be taken in the next few months to address cybersecurity gaps within the water utility industry. The plan will create a task force of leaders in the water utility industry, kickstart incident monitoring pilot programs, improve information sharing and provide technical support to water systems in need of help. EPA Administrator Michael Regan said cyberattacks represent an “increasing threat to water systems and thereby the safety and security of our communities.”

    “As cyber-threats become more sophisticated, we need a more coordinated and modernized approach to protecting the water systems that support access to clean and safe water in America,” Regan said. “EPA is committed to working with our federal partners and using our authorities to support the water sector in detecting, responding to, and recovering from cyber-incidents.”

    The White House said the plan will offer owners and operators technology that will provide “near real-time situational awareness and warnings.” The Washington Post noted that over 150,000 water utilities are serving the US population.

    “This sector is made up of thousands of systems that range in size from the very small to ones that service major metropolitan cities that have little or no cybersecurity expertise and are unsure what steps they should take to address cyber risks. EPA and CISA will work with appropriate private sector partners to develop protocols for sharing information,” the Biden Administration said.

    “The government will not select, endorse, or recommend any specific technology or provider. The plan will initially focus on the utilities that serve the largest populations and have the highest consequence systems; however, it will lay the foundation for supporting enhanced ICS cybersecurity across water systems of all sizes.”

    In October, CISA warned the US water and wastewater system operators about an array of cyber threats to disrupt their operations. The notice listed several recent attacks since 2019, including one in August 2021 that involved the Ghost ransomware being deployed against a facility in California. Attackers spent a month inside the system before putting up a ransomware message on three supervisory control and data acquisition servers. An attack in July 2021 saw the ZuCaNo ransomware used to damage a wastewater facility in Maine. In March 2021, a Nevada water treatment plant was hit with an unknown ransomware variant. In September 2020, the Makop ransomware hit a New Jersey facility, and another attack in March 2019 involved an attempt to threaten the drinking water of a town in Kansas. There was also a headline-grabbing attack in February 2021 where an unidentified hacker accessed the computer systems of a water treatment facility in the city of Oldsmar, Florida and modified chemical levels to dangerous parameters.

    Recent reports indicate that 1 in 10 water or wastewater plants has a critical security vulnerability.

    “Over the past year, we’ve seen cyber threats affecting the critical infrastructure that underpins our communities and the services we all rely on, including safe and clean water,” CISA Director Jen Easterly said. “To reduce the likelihood and impact of damaging cybersecurity intrusions to the water sector, we’re teaming up with our EPA partners to provide guidance, technology, and direct support to the sector. The action plan announced today will help us better understand and reduce the risks across the water and wastewater sector both in the near and long term, and keep the American people safe.”

    The White House noted in its statement that the recent attacks on Colonial Pipeline and food processor JBS “are an important reminder that the federal government has limited authorities to set cybersecurity baselines for critical infrastructure and managing this risk requires partnership with the private sector and municipal owners and operators of that infrastructure.”

    The EPA developed the water plan with the National Security Council, CISA, the Water Sector Coordinating Council and the Water Government Coordinating Council. National Cyber Director Chris Inglis explained that the plan will provide owners and operators of water utilities with a roadmap for high-impact actions to improve their operations’ cybersecurity. The 100-day plan is part of President Joe Biden’s Industrial Control Systems (ICS) Initiative that aims to help critical infrastructure organizations with tools that provide greater visibility, indicators, detections, and warnings about cyber threats.

    Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said the action plans that were created for electric grids and pipeline operators “have already resulted in over 150 electricity utilities serving over 90 million residential customers and multiple critical natural gas pipelines deploying additional cybersecurity technologies.” “This plan will build on this work and is another example of our focus and determination to use every tool at our disposal to modernize the nation’s cyber defenses, in partnership with private sector owners and operators of critical infrastructure,” Neuberger said.

    Secretary of Homeland Security Alejandro Mayorkas added that “American lives depend on protecting the Nation’s critical infrastructure from evolving cybersecurity threats.”

    Responses to the 100-day plan among ICS cybersecurity experts were mixed. Mark Carrigan, cyber VP of process safety and OT cybersecurity at Hexagon PPM, told ZDNet that the measures outlined “will not be nearly sufficient to reduce the risk to an acceptable level.” The state of detection technology today is not “fool-proof,” according to Carrigan, who noted that many infiltrations and subsequent attacks start with exploiting zero-day vulnerabilities that are not recognized until after the fact. “It’s like closing the barn door after the cows have gotten out. It is time for critical infrastructure to increase investments to improve operational resiliency so that we can respond to an attack, minimize the impact, and restore operations within an acceptable period of time,” Carrigan said. “We must accept the fact that we cannot prevent all cyber-attacks due to the nature of the control systems that deliver critical services. We must improve our ability to respond and recover.”

  •

    There's been a big rise in phishing attacks using Microsoft Excel XLL add-ins

    A wave of cyber attacks is exploiting Microsoft Excel add-in files in order to deliver several forms of malware in campaigns which could leave businesses vulnerable to data theft, ransomware and other cyber crime.

    Detailed by researchers at HP Wolf Security, the campaigns use malicious Microsoft Excel add-in (XLL) files to infect systems, and there was an almost six-fold increase – a 588% rise – in attacks using this technique during the final quarter of 2021 when compared to the previous three months.

    XLL add-in files are popular because they enable users to deploy a wide variety of extra tools and functions in Microsoft Excel. But like macros, they’re a tool which can be exploited by cyber criminals.

    The attacks are distributed via phishing emails based around payment references, invoices, quotes, shipping documents and orders which come with malicious Excel documents with XLL add-in files. Running the malicious file prompts users to install and activate the add-in – which will secretly run the malware on the victim’s machine.

    Malware families identified as being delivered in attacks leveraging XLL files include Dridex, IcedID, BazaLoader, Agent Tesla, Raccoon Stealer, Formbook and Bitrat. Many of these forms of malware can create backdoors onto compromised Windows systems, providing attackers with the ability to remotely access machines, monitor activity and steal data. Researchers also warn that malware backdoors provide attackers with the ability to deliver other malware, including ransomware, meaning the XLL attacks could be exploited as a means of encrypting networks and demanding large ransom payments.

    These XLL attacks are effective at compromising victims – something that’s reflected in the prices of those offering services related to them on underground dark web forums.

    Some XLL Excel Dropper services are advertised as costing over $2,000, which is quite expensive for community malware, but criminal forum users seem willing to pay the price.

    In addition to the XLL-based campaigns, researchers note that QakBot, a prominent form of trojan malware often used as a precursor to ransomware attacks, is also abusing Excel to compromise victims. Attackers are hijacking email threads in order to deliver malicious Excel documents to their chosen victims, who are sent a ZIP archive containing a Microsoft Excel Binary Workbook (XLSB). If this is run, QakBot is downloaded onto the machine.

    “Abusing legitimate features in software to hide from detection tools is a common tactic for attackers, as is using uncommon file types that may be allowed past email gateways. Security teams need to ensure they are not relying on detection alone and that they are keeping up with the latest threats and updating their defenses accordingly,” said Alex Holland, senior malware analyst at HP Wolf Security. “Attackers are continually innovating to find new techniques to evade detection, so it’s vital that enterprises plan and adjust their defenses based on the threat landscape and the business needs of their users. Threat actors have invested in techniques such as email thread hijacking, making it harder than ever for users to tell friend from foe,” he added.

    In order to avoid falling victim to the spate of attacks abusing XLL files, it’s recommended that administrators configure email gateways to block incoming .xll attachments and only permit add-ins to be delivered by trusted partners – or even disable Excel add-ins entirely.
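    One way to apply the gateway recommendation above in Exchange Online, as an added example that is not from the article or the HP Wolf Security report: a mail flow rule that rejects external .xll attachments unless they come from an allow-listed partner domain. It assumes the ExchangeOnlineManagement module and an admin session; the rule name and partner domain are placeholders.

```powershell
# Added example: block inbound .xll attachments at the Exchange Online gateway,
# with an exception for trusted add-in suppliers. Assumes the ExchangeOnlineManagement
# module is installed; the domain and rule name below are placeholders.
Connect-ExchangeOnline   # interactive admin sign-in

$ruleName       = 'Block inbound XLL add-ins'
$trustedDomains = @('partner.example')   # placeholder allow-list of add-in suppliers

# Create the rule only once so re-running the script is safe
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -AttachmentExtensionMatchesWords 'xll' `
        -ExceptIfSenderDomainIs $trustedDomains `
        -RejectMessageReasonText 'Excel add-in (.xll) attachments are not accepted from external senders.' `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -Comments 'Mitigation for XLL-based malware delivery; review the allow-list regularly.'
}

# Confirm the rule is enabled and show exactly what it matches and exempts
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, FromScope, AttachmentExtensionMatchesWords, ExceptIfSenderDomainIs
```

    The rule keys on the attachment extension only, so it complements rather than replaces endpoint controls on which add-ins Excel is allowed to load.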

  •

    FBI warns over Iranian cyber group, tells organizations to up their defenses

    The FBI has issued an alert detailing the tools, techniques and tactics of an Iranian group, giving US organizations tips to defend against its malicious cyber activities.

    Back in October 2021, a grand jury in the US District Court for the Southern District of New York indicted two Iranian nationals employed by Emennet Pasargad for computer intrusion, computer fraud, voter intimidation, interstate threats, and conspiracy offenses for their alleged participation in a campaign aimed at influencing and interfering with the 2020 US Presidential Election.


    The Department of the Treasury Office of Foreign Assets Control designated Emennet along with four members of the company’s management and the two indicted employees for attempting to influence the election. The Department of State’s Rewards for Justice Program also offered up to $10 million for information on the two indicted actors.

    But the FBI information indicates Emennet poses a broader cybersecurity threat outside of information operations. “Since 2018, Emennet has conducted traditional cyber exploitation activity targeting several sectors, including news, shipping, travel (hotels and airlines), oil and petrochemical, financial, and telecommunications, in the United States, Europe, and the Middle East,” it said.

    Emennet is known to use virtual private network (VPN) services TorGuard, CyberGhost, NordVPN, and Private Internet Access. The group also uses web search to identify leading US business brands and then scans their websites for vulnerabilities to exploit. In some but not all cases, the exploit attempts were targeted and the group would also try to identify hosting and shared hosting services.

    Emennet was particularly interested in finding webpages running PHP code and identifying externally accessible MySQL databases, in particular phpMyAdmin. They also were keen on WordPress, the most popular CMS on the web, as well as Drupal and Apache Tomcat.

    “When conducting research, Emennet attempted to identify default passwords for particular applications a target may be using, and tried to identify admin and/or login pages associated with those same targeted websites. It should be assumed Emennet may attempt common plaintext passwords for any login sites they identify,” the FBI warned.

    It said the group has attempted to leverage cyber intrusions conducted by other actors for their own benefit, for example searching for data hacked and leaked by other actors, and attempting to identify webshells that may have been placed or used by other cyber actors. The group also uses a range of open-source penetration testing and research tools, including SQLmap, and it probably uses additional tools: DefenseCode Web Security Scanner, Wappalyzer, Dnsdumpster, Tiny mce scanner, Netsparker, WordPress security scanner (wpscan), and, of course, Shodan.

  •

    EyeMed agrees $600,000 settlement over 2020 data breach

    EyeMed has agreed to $600,000 in penalties to settle the case of a 2020 data breach that exposed the information of roughly 2.1 million consumers. 

    The agreement was announced this week. According to New York Attorney General Letitia James, the data breach exposed sensitive information, including names, mailing addresses, full or partial Social Security numbers, dates of birth, driving licenses, healthcare IDs, diagnoses and condition notes, and treatment information. Out of the 2.1 million individuals involved in the security incident, 98,632 were New York state residents.

    Based in Cincinnati, Ohio, EyeMed Vision Care is a network provider for independent optometrists, opticians, ophthalmologists, as well as eye doctors in retail settings. The organization caters to over 60 million users.

    According to court documents, on or around June 24, 2020, an unknown attacker used stolen credentials to access an enrollment email account used by EyeMed. Over the course of a week, the threat actor was able to view correspondence and access sensitive consumer data. The cybercriminal was able to exfiltrate this data, in theory, but a cyberforensics firm hired to investigate the incident was unable to conclude whether or not they did steal consumer information. In July, the attacker then used the email account to send roughly 2,000 phishing emails to clients.

    “The phishing messages purported to be a request for proposal to deceive recipients into providing credentials to the attacker,” the settlement document reads.

    EyeMed was alerted to the intrusion once the scam messages were sent and booted the attacker from its system. It took a further two months before impacted clients began to be notified of the data breach — and as this has been conducted on a rolling basis, customers were still being told up to January 2021. Clients have been offered credit monitoring services, fraud consultation, and identity theft restoration. Minors, too, were affected — and for this group, EyeMed has also offered Social Security Number trace.

    The Office of the Attorney General launched its own investigation into the data breach and concluded that the original email account was not protected with multi-factor authentication (MFA). “Additionally, EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account given that it was accessible via a web browser and contained a large volume of sensitive personal information,” the office says. “The company also failed to maintain adequate logging of its email accounts, which made it difficult to investigate security incidents.”

    Under the terms of the agreement, EyeMed will pay the state of New York penalties totaling $600,000. In addition, the company must improve its cybersecurity posture and maintain “reasonable” account management protocols, including the implementation of MFA in remote and administrative settings, and sensitive information collected from consumers must be encrypted. If it is no longer necessary to store consumer information, the company is now under orders to permanently delete it. A penetration testing program must also be implemented to identify any vulnerabilities or further security issues in the EyeMed network.

    “New Yorkers should have every assurance that their personal health information will remain private and protected,” commented Attorney General James. “EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals. Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest.”

    ZDNet has reached out to EyeMed with additional queries, and we will update when we hear back.

  •

    This phishing attack uses an unusual trick to spread further

    Microsoft has raised an alarm about a new multi-phase phishing campaign that first enrolls an attacker’s BYOD device on a corporate network and then begins sending thousands of convincing phishing emails to further targets. The purpose of enrolling or registering a device on a target company’s network was to avoid detection during later phishing attacks, according to Microsoft.   

    Microsoft says “most” organizations that had enabled multi-factor authentication (MFA) for Office 365 were not impacted by phishing emails spread by attacker-controlled registered devices, but those that had not enabled MFA were all affected.

    The attack exploited instances where MFA was not enforced during the process of registering a new device with a company’s instance of Microsoft’s identity service, Azure Active Directory (Azure AD), or when enrolling a BYOD device to a mobile device management (MDM) platform like Microsoft’s Intune.

    “While multiple users within various organizations were compromised in the first wave, the attack did not progress past this stage for the majority of targets as they had MFA enabled. The attack’s propagation heavily relied on a lack of MFA protocols,” Microsoft said. “Enabling MFA for Office 365 applications or while registering new devices could have disrupted the second stage of the attack chain,” it added.

    The first wave of the attack targeted organizations in Australia, Singapore, Indonesia, and Thailand, according to Microsoft. “Hundreds” of credentials stolen in this phase were then used in the second phase where a device was registered or enrolled, allowing for broader penetration of the target.

    The first phase relied on a DocuSign-branded phishing email requesting the recipient review and sign the document. It used phishing domains registered under the .xyz top level domain (TLD). Each email’s phishing link was also uniquely generated and contained the target’s name in the URL. The phishing link directed victims to a spoofed Office 365 login page. The attackers used stolen credentials to set up a connection with Exchange Online PowerShell and used this to create inbox rules that deleted messages based on keywords in the subject or body of the email, including ‘junk’, ‘spam’, ‘phishing’, ‘hacked’, ‘password’, and ‘with you’. This was likely to avoid detection.

    In the second phase, the attackers installed Microsoft’s Outlook email client on to their own Windows 10 PC, which was then successfully connected to the victim’s Azure AD. All the attackers had to do was accept Outlook’s onboarding experience that prompts the user to register a device. In this case, the attackers were using credentials acquired in phase one. “An Azure AD MFA policy would have halted the attack chain at this stage,” Microsoft notes. Azure AD does have tools to mitigate these threats by time-stamping and logging new device registrations. But with compromised credentials and a registered Windows 10 device with Outlook, the attackers could then launch the second phase, which involved sending “lateral, internal, and outbound” phishing messages to over 8,500 other email accounts. These messages used a SharePoint invitation to view a “Payment.pdf” file.

    “By using a device now recognized as part of the domain coupled with a mail client configured exactly like any regular user, the attacker gained the ability to send intra-organizational emails that were missing many of the typical suspect identifiers. By removing enough of these suspicious message elements, the attacker thereby significantly expanded the success of the phishing campaign.”


    Accounts where victims clicked the link in the second wave were similarly subjected to automated rules that deleted emails containing the same keywords used in the first wave.

    Microsoft offers directions to security teams that can revoke active sessions and tokens of compromised accounts, delete unwanted mailbox rules, and disable rogue devices registered with Azure AD. Notably, Microsoft says organizations can reduce their attack surface by disabling basic authentication in Exchange Online and by disabling Exchange Online PowerShell for end users. Admins can also enable Microsoft’s new “conditional access control”.

    Microsoft in February announced that, due to the pandemic, it was delaying its plan to turn off basic authentication in Exchange Online for legacy email authentication protocols, such as Exchange Web Services (EWS), Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, MAPI, RPC, SMTP AUTH, and OAB. That move would eliminate instances where single-factor authentication is used. Microsoft’s replacement for basic authentication, dubbed Modern Authentication, enables both conditional access and MFA. Microsoft in September said it would “begin to permanently disable Basic Auth in all tenants, regardless of usage, with the exception of SMTP Auth”, from October 1, 2022.
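    A hunt for the inbox rules described in both waves above, written as an added example rather than Microsoft’s own remediation guidance: it lists every user mailbox, flags rules that delete or hide mail keyed on the campaign’s keywords, and disables the ones found. It assumes the ExchangeOnlineManagement module and an admin session with rights over all mailboxes.

```powershell
# Added example: find and disable inbox rules that delete or hide messages containing
# the keywords used in this campaign. Assumes the ExchangeOnlineManagement module and
# an admin session; run read-only first, then disable after review.
Connect-ExchangeOnline   # interactive admin sign-in

# Keywords reported in the attackers' inbox rules (from the article)
$suspectWords = @('junk', 'spam', 'phishing', 'hacked', 'password', 'with you')

$findings = foreach ($mbx in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        # Gather every word the rule keys on, whichever condition it uses
        $words = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.SubjectOrBodyContainsWords)
        $hits  = @($words | Where-Object { $_ -and ($suspectWords -contains $_.ToString().ToLower()) })

        # Actions that would keep the mailbox owner from seeing warnings or replies
        $hides = $rule.DeleteMessage -or $rule.MoveToFolder -or $rule.MarkAsRead

        if ($hits.Count -gt 0 -and $hides) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Keywords = ($hits -join ', ')
                Deletes  = [bool]$rule.DeleteMessage
                MovesTo  = $rule.MoveToFolder
                Identity = $rule.Identity
            }
        }
    }
}

# Review the candidates before acting; legitimate users rarely auto-delete 'password' mail
$findings | Format-Table Mailbox, RuleName, Enabled, Keywords, Deletes, MovesTo -AutoSize

# Disable (rather than delete) so the rule definition survives as evidence for the investigation
foreach ($f in $findings) {
    Disable-InboxRule -Identity $f.Identity -Mailbox $f.Mailbox -Confirm:$false
}
```

    Disabling the rules does not end the attacker’s access; the compromised accounts’ sessions and any rogue device registrations still need to be revoked separately, as the article notes.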

  •

    DeepDotWeb operator sentenced to eight years behind bars

    Screenshot via ZDNet
    The operator of the DeepDotWeb platform has been sentenced to just over eight years in prison. 


    This week, the US Department of Justice (DoJ) said that Tal Prihar’s sentence, 97 months, was based on charges of conspiracy to commit money laundering, to which Prihar pleaded guilty in March last year.

    Owned by Prihar and co-defendant Michael Phan, DeepDotWeb (DDW) started operating in 2013 and provided a platform for Dark Web news and links to marketplaces, redirecting visitors to their .onion addresses — websites which are not available through standard search engines in the clear web. The website was seized by law enforcement in 2019.

    According to US prosecutors, both defendants earned substantial profits by advertising these links through kickbacks provided by the underground marketplaces. Goods and services on offer included hacking tools, firearms, drugs, and stolen data collections. Prihar and Phan received 8,155 Bitcoin (BTC) — worth roughly $8.4 million at the time they were paid, although worth substantially more nowadays — and these funds were then shifted around cryptocurrency wallets and traditional bank accounts held under the names of fake shell companies.

    In April 2021, Prihar pleaded guilty to his role in DDW and agreed to forfeit $8,414,173.

    His co-conspirator is currently in Israel and extradition proceedings are underway. The investigation into DDW involved the FBI’s Pittsburgh Field Office, French authorities, Europol, the IRS, German law enforcement, the Israeli National Police, and the UK’s National Crime Agency (NCA), among other organizations.

    In other Dark Web news this week, law enforcement seized and shut down Canadian HeadQuarters, a large marketplace that facilitated the purchase and sale of spam services, phishing kits, stolen credential data dumps, and access controls to compromised machines. Four individuals allegedly linked to the marketplace have also been fined.

  •

    Konni remote access Trojan receives 'significant' upgrades

    The Konni Remote Access Trojan (RAT) has recently received “significant” updates, researchers say, who also urge the community to keep a close eye on the malware.  

    On Wednesday, cybersecurity firm Malwarebytes published an advisory on the malware’s latest developments, noting that the Trojan is under active development resulting in “major” changes.

    Konni has been detected in the wild for roughly eight years. A report on the malware published by BlackBerry in 2017 said that the malware made use of “basic” anti-analysis techniques and was employed for surveillance purposes, rather than the typical financial attacks often linked to RATs.

    Past campaigns have hinted strongly at a link with North Korea. Phishing documents used to spread the Trojan tend to have themes connected to the Hermit Kingdom, including content relating to missile capabilities, hydrogen bombs, and articles copied from the Yonhap news agency that talked about the country. The attached documents contained the payload, and once executed on a vulnerable Windows machine, Konni would gather data through file grabs, keystroke logs, and screen capturing. Konni is believed to be the work of the Kimsuky threat group, which has attacked South Korean think tanks, political groups in Russia, and entities in both Japan and the United States.

    According to Malwarebytes, the old Trojan has now evolved into a “stealthier” version of itself. New samples show that the phishing attack vector has primarily stayed the same – with the payload deployed through malicious Office documents – but the Trojan, a .DLL file linked to a .ini file, now contains revised functionality.

    Older versions of the RAT relied on two branches to execute using a Windows service: svchost.exe and rundll32.exe strings. Malwarebytes explained: “New samples will not show these strings. In fact, rundll is no longer a valid way to execute the sample. Instead, when an execution attempt occurs using rundll, an exception is thrown in the early stages.”

    The malware has also transitioned from base64 encoding to AES encryption to protect its strings and for obfuscation purposes. In addition, Konni now utilizes AES when configuration and support files are dropped — such as the .ini file that contains the command-and-control (C2) server address — as well as when files are sent to the C2. Some recent Konni samples also used a previously-unknown packer, but threat data collected by the cybersecurity firm suggests it may have been left out of real-world scenarios.

    “As we have seen, Konni is far from being abandoned,” Malwarebytes commented. “The authors are constantly making code improvements. In our point of view, their efforts are aimed at breaking the typical flow recorded by sandboxes and making detection harder, especially via regular signatures as critical parts of the executable are now encrypted.”

    Earlier this month, Cisco Talos documented a recent campaign in which vendors’ cloud infrastructure, including Microsoft Azure and Amazon Web Services (AWS), was being abused to spread commercial RATs. Strains including Nanocore, Netwire, and AsyncRAT were being deployed by the operators, who also abused DuckDNS to facilitate the download of malicious packages.

  •

    Canadian officials take down dark web marketplace, issue $300,000 in fines

    Officials with the Canadian Radio-television and Telecommunications Commission (CRTC) said they took down dark web marketplace Canadian HeadQuarters on Wednesday and fined four of those involved in the platform. In a statement, CRTC chief compliance and enforcement officer Steven Harroun said Canadian HeadQuarters, also known as Canadian HQ, was “one of the largest Dark Web marketplaces in the world and significantly contributed to harmful cyber activity in Canada.”

    CRTC staff executed warrants in the greater Montreal area through 2020 and 2021 that led to the marketplace being taken offline. They also issued fines to Chris Tyrone Dracos, Marc Anthony Younes, Souial Amarak and Moustapha Sabir. Dracos was given a $150,000 fine and the other three were given $50,000 fines. Dracos, Younes, Amarak and Sabir are accused of sending phishing emails and violating Canada’s anti-spam legislation. Dracos was given a higher fine because he is allegedly the “creator and administrator” of Canadian HQ.

    “Some Canadians are being drawn into malicious cyber activity, lured by the potential for easy money and social recognition among their peers. This case shows that anonymity is not absolute online and there are real-world consequences when engaging in these activities,” Harroun said. “Canadian Headquarters was one of the most complex cases our team has tackled since CASL came into force. I would like to thank the cyber-security firm Flare Systems, the Sûreté du Québec and the RCMP’s National Division for their invaluable assistance. Our team is committed to investigating CASL non-compliance on all fronts.”

    CRTC explained that the marketplace allowed people to sell spamming services, phishing kits, stolen credentials and access to compromised computers. Since the country passed anti-phishing laws, it has issued penalties of more than $1.4 million.

    Canadian officials noted that the investigation led them to uncover several other cybercriminal vendors and that more “enforcement actions” are planned.

    On the same day, the US Department of Justice said Canadian Slava Dmitriev was sentenced to three years in prison for access device fraud after he was involved in the sale of more than 1,700 stolen identities on the dark web. He was arrested in Greece while on vacation and was extradited to the US in January 2021. “Dmitriev stole the identities of hard-working citizens of the United States and thought he was safe from prosecution while overseas,” said Phil Wislar, Acting Special Agent in Charge of FBI Atlanta. He went by the name “GoldenAce” and sold 1,764 items on AlphaBay for approximately $100,000, offering customers stolen names, dates of birth, social security numbers, and other personally identifiable information.