More stories

  • Colorado energy company loses 25 years of data after cyberattack, still rebuilding network

    Colorado’s Delta-Montrose Electric Association (DMEA) is still struggling to recover from a devastating cyberattack last month that took down 90% of its internal systems and caused 25 years of historic data to be lost.

    In an update sent to customers this week, the company said it expects to be able to begin accepting payments through its SmartHub platform and other payment kiosks during the week of December 6. “We also tentatively estimate we will be able to resume member billing the week of December 6 – 10. We recognize this will result in members receiving multiple energy bills close together. As a reminder, we will not disconnect services for non-payment or assess any penalties through January 31, 2022,” the company said on a page that has been updated repeatedly over the last month.

    The company said it began noticing issues on November 7, and the cyberattack eventually brought down most of its internal network services. The attack affected all of the company’s support systems, payment processing tools, billing platforms and other tools provided to customers. DMEA said the hackers were targeting specific parts of the company’s internal network and corrupted saved documents, spreadsheets, and forms, indicating it may have been a ransomware incident. The attack even affected the company’s phone and email systems, but DMEA said the power grid and fiber network were not touched during the attack. The energy company hired cybersecurity experts to investigate the incident, but nearly a month later they are still having issues recovering.

    “We are currently operating with limited functionality and are focused on completing our investigation and restoring services as efficiently, economically, and safely as possible. We are committed to restoring our network and getting back to normal operations, but that will take time and requires a phased approach,” the company explained. They created temporary payment arrangements to deal with the outages and have suspended all penalty fees and disconnections for non-payment through January 31, 2022.

    Despite the damage to their system, DMEA claimed no sensitive data from customers or employees was breached. But they now have to work through a “phased restoration approach” as they rebuild their systems. DMEA CEO Alyssa Clemsen Roberts said the impact on their systems was “extensive” and that a good portion of their saved data, such as forms and documents, was corrupted. “The path to full restoration will take time, and it may result in many of our members receiving back-to-back energy bills. With colder weather approaching and the holiday season already here, we recognize this incident has come at an unfortunate time,” Roberts said. “This isn’t how we hoped to close out the year, and on behalf of all of us at DMEA, I am grateful for your patience, support, and understanding as we navigate this incident.”

    Saryu Nayyar, CEO at cybersecurity firm Gurucul, said utilities tend to have complex networks that often comingle enterprise operations with mission control. “It’s a bit of a surprise that we haven’t seen more attacks on public utilities, but there is no question that more are coming,” Nayyar explained. The headline-grabbing ransomware attack on Colonial Pipeline earlier this year involved similar issues. Attackers brought down the company’s business technology networks, forcing the energy producing side to struggle as well.

    SecurityGate CISO Bill Lawrence added that while the term ‘ransomware’ is not in any of the reporting or DMEA’s explanation of events, they had a large portion of their data corrupted and their internal phone system went down too. “It will be interesting to learn a motive behind this attack if there are no ransom demands,” Lawrence said. “Co-ops are owned by their local communities, so the local folks will be dealing with increased costs due to response and recovery from the attack.”

  • DHS: Cybersecurity coordinators and vulnerability assessments mandatory for rail companies

    The Department of Homeland Security (DHS) announced two new cybersecurity directives handed down by the Transportation Security Administration (TSA) on Thursday designed to better protect freight railroads and passenger rail transit in the US.

    TSA said rail services are “higher risk” and that the new rules “need to be issued immediately to protect transportation security.” The new rules make it mandatory for rail company owners and operators to have a cybersecurity coordinator, report cybersecurity attacks to CISA in 24 hours or less, and create a cybersecurity incident response plan. The rules also require owners to complete cybersecurity vulnerability assessments.

    DHS also detailed voluntary measures to improve cybersecurity across the transportation sector following a series of attacks over the last two years. “These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” said Secretary of Homeland Security Alejandro Mayorkas. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.” These are just the latest cybersecurity directives handed down by DHS this year, as the agency seeks to charge government-adjacent industries to improve their cybersecurity measures. Following multiple attacks on critical infrastructure in the US this year — including oil pipelines, transportation companies, and agricultural organizations — DHS has regularly provided new guidance and mandatory rules.

    Congress is also mulling a variety of bills related to incident reporting and other cybersecurity measures. While previous administrations sought to promote cybersecurity hygiene through voluntary measures, the Biden Administration has handed down more stringent measures as ransomware incidents continue. DHS has faced backlash from some private sector companies and Republican members of Congress over the cybersecurity rules, with many arguing that they are being forced on companies without advance guidance. In its statement on Thursday, DHS made a point of saying TSA worked with “industry stakeholders,” “federal partners,” and CISA to create the directives. Victoria Newhouse, a TSA deputy assistant administrator, confirmed to Congress on Thursday that private industry experts were consulted on the new rules. Newhouse said she and other officials met with rail companies to discuss the range of threats facing their industry.

    One of the criticisms Republican lawmakers have levied against DHS is that the directives are being handed down in the absence of detailed, specific threats. On Thursday, DHS said CISA “provided expert guidance on cybersecurity threats to the transportation network and countermeasures to defend against them.” TSA suggested “all other lower-risk surface transportation owners and operators” also institute the rules, although it would be voluntary. TSA already released guidance for aviation industry operators, pipelines, and other enterprises. A DHS official told The Wall Street Journal that Thursday’s directives will affect 90% of passenger rail systems in the US and 80% of freight rail systems that they consider high risk.

  • Meta expanding Facebook security program for government officials, journalists, activists

    Meta announced on Thursday that it is expanding its Facebook Protect service — which provides specialized security services for certain Facebook accounts being targeted by hackers — to more countries.


    Nathaniel Gleicher, head of security policy at Meta, said the company will be rolling out Facebook Protect services to more than 50 countries by the end of 2021. Over 1.5 million accounts have already enrolled since the latest expansion began in September. The program was started in 2018 and expanded during the 2020 US election cycle to include human rights defenders, journalists, and government officials who are highly targeted by hackers. Both Google and Microsoft have created similar programs for groups that tend to be targeted by both cybercriminals and government hackers.

    Gleicher noted that of the 1.5 million accounts that have already signed up, almost 950,000 have two-factor authentication. He added that no action is required unless you are prompted to enroll. Gleicher encouraged everyone to enable two-factor authentication for their Facebook accounts, but he noted that Meta wants to make it as “frictionless as possible” for certain users. In some cases, they require that users have it. “These people are at the center of critical communities for public debate. They enable democratic elections, hold governments and organizations accountable, and defend human rights around the world,” Gleicher said. “What we’ve seen so far is encouraging: in early testing, simplifying our enrollment flows, improving customer support, and mandating Facebook Protect brought adoption rates to over 90 percent in one month for these groups,” Gleicher added. “Over the next several months, we’re going to carefully expand this requirement globally.”

    Facebook will be launching the program in countries like the US, India, Portugal, and others. The news came as Meta released its Adversarial Threat Report, where it detailed a range of threats disrupted by the company’s security team. Meta said it removed malicious networks in Italy, France, Vietnam, Palestine, Poland, Belarus, and China. Facebook, and now parent company Meta, have faced withering criticism for years over lackluster security measures and a general failure to protect certain accounts from malicious activity. Former employees of the company have bashed Facebook for not doing enough to stop — and in some cases actively helping — dictators and others across the world from using the site to attack and harass critics, human rights activists, and others.

  • Planned Parenthood LA: Ransomware attack leaks health data of 400,000 patients

    Planned Parenthood Los Angeles has sent out breach notification letters to about 400,000 patients after the organization suffered from a ransomware incident between October 9 and October 17.


    In a letter shared with the California Attorney General’s office and sent out on November 30, the organization said it identified suspicious activity in its computer network on October 17. “We immediately took our systems offline, notified law enforcement, and a third-party cybersecurity firm was engaged to assist in our investigation. The investigation determined that an unauthorized person gained access to our network between October 9, 2021, and October 17, 2021, and exfiltrated some files from our systems during that time,” the organization said. “On November 4, 2021, we identified files that contained your name and one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information.”

    The organization is not offering any identity protection services for those affected, only urging victims to review statements received from health insurers or healthcare providers. They said they planned to hire a cybersecurity firm to help with the incident and improve their cybersecurity systems. Law enforcement was called in to help with the attack, according to CNN, but it is unclear which group is behind the attack. The attack was first reported by The Washington Post, which noted that other branches of the organization had been hacked in the past, both by opportunistic cybercriminals and anti-abortion activists. Despite the vital role healthcare organizations have played in addressing the COVID-19 pandemic, cybercriminals have shown little reticence in attacking hospitals and clinics. Over the last two years, multiple healthcare organizations have announced attacks and breaches involving sensitive patient data, including Social Security Numbers and bank account information.

    Garret Grajek, CEO of YouAttest, listed off multiple recent healthcare-related cyberattacks, including ones involving the Tardigrade malware, which was released upon vaccine manufacturers. He added that the DeepBlueMagic hackers recently shut down the computer system in a major Israeli hospital. “The PII/PHI that has been stolen from Planned Parenthood go beyond the usual threat actor’s desire for identity data to resell on the dark web. Given that not only was standard identity information stolen, but the theft was coupled with medical background and procedure data, the ramifications of malicious use of this data are easy to imagine,” Grajek said. “The mechanism has not been revealed, but previous hacks on medical institutions have shown a proclivity to both social and technical hacking methods, given the amount of personnel involved and the difficulty of enacting safe security conduct by all team members.”

    Ekram Ahmed, spokesperson at cybersecurity firm Check Point, said those affected should be watchful for a hacker technique called ‘Triple Extortion’. “In this tactic, hackers are not only encrypting files and then ransomware, but they go to patients directly, threatening to reveal sensitive information unless paid. Here, over 400,000 patients, which is a staggering number for a data breach, can potentially become victims to Triple Extortion, which could be devastating,” Ahmed said. “Healthcare records are known to be one of the most valuable types of information that hackers look for. The reason being is that cybercriminals can use this data to create false identities, commit health insurance fraud and illegally obtain prescription drugs. Furthermore, stolen patient information can be stolen for top dollar on the dark web. This year, the healthcare sector sees 752 ransomware attacks a week on average, marking a 55% increase compared to last year.”

    Gurucul vice president Jane Grafton noted that the ransomware attack on Planned Parenthood Los Angeles occurred right as the Supreme Court actively debates a direct challenge to the 1973 Roe v. Wade ruling. “Women’s personal procedures and diagnosis are just that: personal. Having them stolen for potential exposure puts women in the political crosshairs,” Grafton said. “Securing medical records has never been more important. We can only hope that this information stays out of the public eye.”

  • Facebook's Meta says bad actors are changing tactics as it takes down six more groups

    Meta has detailed takedowns of what it described as six ‘adversarial networks’ from across the world that were using Facebook for behaviour including spreading false information, harassment and trying to have genuine information taken down. It said the groups violated its rules around Coordinated Inauthentic Behavior and two new policies: Brigading and Mass Reporting.


    Facebook defines Brigading as networks of people who work together to mass comment, mass post or engage in other types of repetitive mass behaviors to harass others or silence them. Mass Reporting is when people work together to mass-report an account or content to get it incorrectly taken down by Facebook.

    Meta said it had removed a network in Italy and France for Brigading: “We removed a network of accounts that originated in Italy and France and targeted medical professionals, journalists, and elected officials with mass harassment,” said Nathaniel Gleicher, Meta’s Head of Security Policy, in its Adversarial Threat Report. “Our investigation linked this activity to an anti-vaccination conspiracy movement.”

    In Vietnam, Meta targeted networks attempting to use mass reporting, via duplicated but legitimate accounts, to have accurate news reports criticizing the government taken down. “The network coordinated to falsely report activists and other people who publicly criticized the Vietnamese government for various violations in an attempt to have these users removed from Facebook,” explained Gleicher.

    Meta also removed four networks from Palestine, Poland, Belarus, and China for violating its policy on Coordinated Inauthentic Behavior: each of these networks targeted people in multiple countries at once. The report also notes the shifting environment Facebook faces, what it deems to be a security threat, and how it responds to them. “In this environment, we build our defenses with the expectation that adversarial groups will not stop, but rather adapt and try new tactics to persist,” wrote Gleicher with other Meta security leads. “Our focus has been to study malicious behaviors and add new layers of defense to our arsenal to make sure we prevent and address potential gaps from multiple angles. Our goal over time is to make these behaviors more costly and difficult to hide, and less effective. It is a significant, ongoing effort that spans teams, departments and time zones across Meta.”

    Facebook has in the past been criticized for its slow response to groups using its platform to spread disinformation. This report follows claims by a former employee about the negative impact of Instagram on the wellbeing of some young users. Meta says it will share its findings with industry peers, independent researchers, law enforcement agencies, and policymakers.

  • Hackers are turning to this simple technique to install their malware on PCs

    Nation state-backed hacking groups are exploiting a simple but effective new technique to power phishing campaigns for spreading malware and stealing information that’s of interest to their governments. Cybersecurity researchers at Proofpoint say advanced persistent threat (APT) groups working on behalf of Russian, Chinese and Indian interests are using rich text format (RTF) template injections.


    While the use of RTF text file attachments in phishing emails isn’t new, the technique being used by hackers is easier to deploy and more effective because it’s harder for antivirus software to detect – and many organisations won’t block RTF files by default because they’re part of everyday business operations.

    The technique is RTF template injection. By altering an RTF file’s document-formatting properties, it’s possible for attackers to weaponise an RTF file to retrieve remote content from a URL controlled by the attackers, enabling them to secretly retrieve a malware payload that gets installed on the victim’s machine. Attackers can use RTF template injections to open documents in Microsoft Word, which will use the malicious URL to retrieve the payload while also using Word to display the decoy document. This approach might require luring users into enabling editing or enabling content to begin the process of downloading the payload, but with the right form of social engineering, especially off the back of a convincing lure, a victim can be tricked into allowing this process to take place.

    It isn’t a complex technique, but because it is simple and reliable to use, it has become popular with several nation-state hacking operations, which can deploy RTF attacks instead of other, more complex attacks, but still get the same results. Despite the “Advanced” designation, if APT actors are doing their job well, they will exert the least amount of resources and sophistication necessary to gain access to organisations, said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. “This prevents actors from exposing more sophisticated tools if discovered, resulting in a greater operational disruption for threat actor groups to replace technical capabilities when discovered,” she added.

    According to researchers, the earliest known instance of an APT group using RTF template injections in a campaign was in February 2021. These injections were undertaken by DoNot Team, an APT group that has been linked to Indian state interests. Since then, several other state-linked hacking operations have also been seen deploying RTF injections as part of campaigns. These include a group Proofpoint refers to as TA423, also known as Leviathan, an APT group linked to China, which has used RTF attacks in several campaigns since April. One of these campaigns took place in September and targeted entities in Malaysia related to the energy exploration sector – and came with specifically designed phishing emails to lure targets into inadvertently executing the payload. Then in October, researchers spotted Gamaredon – an offensive hacking group that has been linked to the Russian Federal Security Service (FSB) – using RTF template injection documents in attacks that impersonated the Ukrainian Ministry of Defence.

    While only a handful of APT groups have attempted to deploy RTF-based attacks so far, researchers warn that the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape – and this could mean campaigns leveraging this technique are adopted by financially motivated cyber criminals. “The ease of weaponisation in this technique will also likely attract low-end and low-sophistication actors, expanding the presence of this technique in the wild, including crimeware actors,” said DeGrippo.
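    The article describes the technique only in outline: the RTF file’s template property is pointed at an attacker-controlled URL, and Word fetches it when the document opens. The check below is an added example written for this page, not Proofpoint’s or ZDNet’s code. It is a minimal mail-gateway style scanner that flags any RTF whose `\*\template` destination (the RTF control word Word uses for the attached template; an assumption about the format, not something the article names) refers to a remote location, while letting a locally stored template path through. The four sample documents are constructed inline for testing and the hostnames are reserved `.invalid` names.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Returns 1 if the RTF text carries a template destination that points at a
 * remote location (http/https URL or a UNC share path), 0 otherwise.  A
 * template stored on the local disk is treated as benign. */
int rtf_has_remote_template(const char *rtf)
{
    const char *marker = "\\*\\template";         /* the RTF template control word */
    const char *p = strstr(rtf, marker);
    if (p == NULL)
        return 0;                                 /* no template destination at all */
    p += strlen(marker);
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
        p++;                                      /* skip whitespace before the target */
    if (strncasecmp(p, "http://", 7) == 0 || strncasecmp(p, "https://", 8) == 0)
        return 1;                                 /* remote URL */
    if (strncmp(p, "\\\\\\\\", 4) == 0)            /* RTF escapes each backslash, so a   */
        return 1;                                 /* UNC prefix \\ appears as \\\\       */
    return 0;
}

/* Constructed sample documents (not real samples) covering the cases above. */
static const char SAMPLE_PLAIN[] =
    "{\\rtf1\\ansi Quarterly report}";
static const char SAMPLE_LOCAL_TEMPLATE[] =
    "{\\rtf1\\ansi{\\*\\template C:\\\\Templates\\\\normal.dotm} Quarterly report}";
static const char SAMPLE_REMOTE_URL[] =
    "{\\rtf1\\ansi{\\*\\template http://template-host.invalid/t.dotm} Quarterly report}";
static const char SAMPLE_REMOTE_UNC[] =
    "{\\rtf1\\ansi{\\*\\template \\\\\\\\fileserver.invalid\\\\share\\\\t.dotm} Memo}";

int main(void)
{
    const char *samples[] = { SAMPLE_PLAIN, SAMPLE_LOCAL_TEMPLATE,
                              SAMPLE_REMOTE_URL, SAMPLE_REMOTE_UNC };
    const char *names[]   = { "plain", "local template",
                              "remote URL template", "remote UNC template" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", names[i],
               rtf_has_remote_template(samples[i]) ? "FLAG" : "ok");
    return 0;
}
```

    This is a signature for the plain form of the technique only; a production filter should run a real RTF parser so that control words or targets written with the format’s escape sequences are still seen, and should log the flagged attachment rather than silently dropping it so responders can pivot on the referenced host.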

  • Mozilla properly fuzzed NSS and still ended up with a simple memory corruption hole

    When it comes to fuzzing, Mozilla has plenty of cred, and has been doing so for some time, and yet, its prized Network Security Services (NSS) library was busted by Google Project Zero’s Tavis Ormandy quite easily. In a blog post well worth your time, entitled This shouldn’t have happened, Ormandy found that if NSS was made to create an ASN.1 signature bigger than the maximum 16384 bits it expected, overwriting of memory would occur. “What happens if you just … make a signature that’s bigger than that? Well, it turns out the answer is memory corruption. Yes, really,” Ormandy wrote. “The untrusted signature is simply copied into this fixed-sized buffer, overwriting adjacent members with arbitrary attacker-controlled data. The bug is simple to reproduce and affects multiple algorithms.” Given the designation CVE-2021-43527, Mozilla said in its advisory that Firefox was not impacted, but the likes of Thunderbird, LibreOffice, Evolution, and Evince were “believed to be impacted”. In Mozilla’s defence, Ormandy said it has a world-class security team, and has been leading the way in fuzzing, but thanks to the modular design of NSS, the library did not have end-to-end testing as each part was fuzzed independently. This was compounded by the fuzzers having a limit of 10,000 bytes on input while NSS has no such limit. “This issue demonstrates that even extremely well-maintained C/C++ can have fatal, trivial mistakes,” Ormandy wrote.

    The hole has been patched in versions 3.73.0 and 3.68.1 of NSS.
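    To make the bug class concrete, here is an added example (written for this page; it is not NSS code and does not reproduce NSS’s structures) showing the pattern Ormandy describes: an untrusted signature copied into a fixed 16384-bit buffer with no length check, so the bytes past the end land in the struct members that follow, beside a hardened version that rejects anything over the limit before copying. `struct sig_buf` and the two copy routines are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_SIG_BITS  16384                 /* the limit the article mentions */
#define MAX_SIG_BYTES (MAX_SIG_BITS / 8)    /* 2048 bytes */

/* Hypothetical decoded-signature holder.  Anything written past `data`
 * lands in the members that follow it. */
struct sig_buf {
    unsigned char data[MAX_SIG_BYTES];
    size_t        len;
    uint32_t      flags;
};

/* Vulnerable pattern: trusts the attacker-supplied length and copies blindly. */
void copy_signature_unchecked(struct sig_buf *dst, const unsigned char *sig, size_t sig_len)
{
    memcpy(dst->data, sig, sig_len);        /* overflows when sig_len > MAX_SIG_BYTES */
    dst->len = sig_len;
}

/* Hardened: bounds-check before touching the buffer.
 * Returns 0 on success, -1 if the signature is empty or too large. */
int copy_signature_checked(struct sig_buf *dst, const unsigned char *sig, size_t sig_len)
{
    if (sig_len == 0 || sig_len > sizeof dst->data)
        return -1;                          /* reject, leave dst untouched */
    memcpy(dst->data, sig, sig_len);
    dst->len = sig_len;
    return 0;
}

int main(void)
{
    struct sig_buf buf;
    unsigned char oversized[MAX_SIG_BYTES + 16];   /* constructed attacker input */
    memset(oversized, 'A', sizeof oversized);
    volatile size_t attacker_len = sizeof oversized; /* length comes from the input */

    memset(&buf, 0, sizeof buf);
    buf.flags = 0x1;
    copy_signature_unchecked(&buf, oversized, attacker_len);
    printf("unchecked copy: flags now 0x%08x (was 0x00000001)\n", buf.flags);

    memset(&buf, 0, sizeof buf);
    buf.flags = 0x1;
    int rc = copy_signature_checked(&buf, oversized, attacker_len);
    printf("checked copy:   rc=%d, flags still 0x%08x\n", rc, buf.flags);
    return 0;
}
```

    The unchecked run prints `flags` as `0x41414141`: the attacker’s bytes have replaced a neighbouring member, which is the “adjacent members overwritten with attacker-controlled data” Ormandy describes. The checked version accepts exactly 2048 bytes and refuses 2049, the boundary a fuzzer only finds if it drives the full parse path with inputs larger than the buffer.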

  • Australia to appoint its first National Data Commissioner

    Australia is looking to create a new national data commissioner role that will be responsible for applying the data reforms presented in the Data Availability and Transparency (DAT) Bill 2020. The DAT Bill, which is still awaiting passage, seeks to create a scheme of controlled access to public sector data. Under the legislation, data would only be shared for three purposes: Government services delivery, informing government policy and programs, and research and development. As part of making this new role official, Minister for Employment, Workforce, Skills and Family Business Stuart Robert announced that Gayle Milnes would become Australia’s first national data commissioner designate once the DAT Bill passes. The Governor-General will be asked to consider this appointment as a statutory office holder after the Bill’s passage. Milnes will be responsible for implementing the country’s data sharing and release framework, and oversee the data sharing and release activities of Commonwealth agencies. “Milnes is an experienced public service leader with an excellent record of driving nationally-significant outcomes in senior Australian Government statutory, data and regulatory roles,” Robert said. Milnes’ appointment will see Deborah Anton move on from her role as interim National Data Commissioner.

    Prior to the appointment, Milnes was the first assistant secretary of the Data, Analytics and Policy Division at the Department of Infrastructure, Transport, Regional Development and Communications. She has also held other senior leadership positions across the Australian Public Service, such as CEO of the Climate Change Authority. If appointed to the statutory office, Milnes would be appointed for a period of five years.