More stories

  •

    Critical infrastructure security dubbed 'abysmal' by researchers

    The “abysmal” state of security for industrial control systems (ICSs) is putting critical services at serious risk, new research finds. 

    You only need to look at the chaos caused by a ransomware attack launched against Colonial Pipeline this year — leading to panic buying and fuel shortages across part of the US — to see what real-world disruption cyber incidents can trigger, and their consequences can go far beyond the damage one company has to repair. It was only last month that the Port of Houston fended off a cyberattack and there is no reason to believe cyberattacks on operational technology (OT) won’t continue — or, perhaps, become more common.

    On Friday, CloudSEK published a new report exploring ICSs and their security posture in light of recent cyberattacks against industrial, utility, and manufacturing targets. The research focuses on ICSs available through the internet. “While nation-state actors have an abundance of tools, time, and resources, other threat actors primarily rely on the internet to select targets and identify their vulnerabilities,” the team notes. “While most ICSs have some level of cybersecurity measures in place, human error is one of the leading reasons due to which threat actors are still able to compromise them time and again.”

    Some of the most common issues allowing initial access cited in the report include weak or default credentials, outdated or unpatched software vulnerable to bug exploitation, credential leaks caused by third parties, shadow IT, and the leak of source code. After conducting web scans for vulnerable ICSs, the team says that “hundreds” of vulnerable endpoints were found.

    CloudSEK highlighted four cases that the company says represent the current issues surrounding industrial and critical service cybersecurity today.

    An Indian water supply management company: Software accessible with default manufacturer credentials allowed the team to access the water supply management platform. Attackers could have tampered with water supply calibration, stopped water treatments, and manipulated the chemical composition of water supplies.
    CloudSEK
    The Indian government: Sets of mail server credentials belonging to the Indian government were found on GitHub.

    A gas transport company: This critical service provider’s web server, responsible for managing and monitoring gas transport trucks, was vulnerable to an SQL injection attack and administrator credentials were available in plaintext.

    Central view: The team also found hardcoded credentials belonging to the Indian government on a web server supporting monitors for CCTV footage across different services and states in the country.

    The US Cybersecurity and Infrastructure Security Agency (CISA) was informed of CloudSEK’s findings, as well as associated international agencies.

    “Owing to an increase in remote work and online businesses, most cybersecurity efforts have been focused on IT security,” says Sparsh Kulshrestha, Senior Security Analyst at CloudSEK. “However, the recent OT attacks have been a timely reminder of why traditional industries and critical infrastructure need renewed attention, given that they form the bedrock of our societies and our economies.”

  •

    Ecoflow Delta Max: Battery-powered generator can get you through most power outages

    Image: Ecoflow
    What if you could have an emergency generator that didn’t require gasoline, could be used inside the house without fear of asphyxiation, didn’t make a mess, and was far, far quieter than a traditional gasoline engine? If you live in an area prone to power outages, it could be a game changer.

    The key is switching from gasoline technology to battery technology. Yes, there are a few disadvantages to battery technology (like you can’t just fill it back up), but in the main, battery generator technology opens the door to, literally, opening the door and bringing that generator inside your house.

    As someone who’s lived through multiple week-long power outages in Florida, and a recent set of shorter outages due to wild fires in Oregon, I’m very interested in battery generators as an option. While a whole-house integrated gasoline generator is probably the best choice, it’s also gobsmackingly expensive. To install such a thing, you need to have a team of contractors put in a concrete pad, merge the generator into the house’s electrical system, and install a very permanently-mounted generator. Back in Florida, I test-priced such a thing. When I found that the base cost of entry was well above $50,000, I decided it wasn’t something particularly practical.

    But smaller portable gasoline generators are a pain to use. You have to set them up outside, where they become targets for thieves, especially after a long power outage turns neighbors into hostile competitors for scarce resources. You also have to have a way to safely store the gasoline — and this is an even bigger problem with permanently-mounted generators. Finally, you have to run a very long extension cord from outside to inside (usually through a cracked-open door or window), and then through much of your house. It’s just not fun.

    Battery-based power station

    When ZDNet’s long-time DIY-IT project partner Wellbots approached me to look at the Ecoflow Delta Max, I jumped at the opportunity. While I haven’t had a power outage in about a year, the possibility is always there. I’ve used gasoline generators, but the Ecoflow (and all battery-based generators) require a bit of a mindset shift.

    First, even though it’s a big battery you plug stuff into, it’s not a battery backup or surge suppressor. The difference is that it provides power like a generator, unlike a battery backup unit, which is designed to rapidly switch from wall power to battery power. Also, of course, the amount of battery even the biggest consumer UPSs put out is a tiny fraction of what something like the Ecoflow Delta Max is capable of.

    Let’s talk about that power, and then I’ll circle back to how you should maintain and operate this thing.

    Understanding power

    The Ecoflow Delta Max is a 2016Wh power station. Wh is the abbreviation for watt hour. So, let’s back up a minute. A watt is a unit of power. Power, for those who slept through all those electrical engineering courses, is the rate at which energy is produced or consumed. Power is the flow of energy. If it were water, it would be water running in a river or through your pipes. It wouldn’t be water sitting in a glass or a tub.

    So, a watt is a unit of power. We all know the term from incandescent bulbs. A 10W bulb is a lot less bright than a 100W bulb, and that’s because there’s one tenth of the power driving the light. By contrast, a watt hour is a unit of energy. Power is the flow of energy, but it’s the energy itself that does the work. That’s why your electric bill is often measured in kWh, or kilowatt hours. That’s the thousands of watt hours being put to work powering your home and place of work. Another way of thinking about it is that watts measure the flow, while watt hours measure how much flow you’ve used or can use in a given time. The 2016Wh means that the Ecoflow can handle roughly two kWh. A more useful spec, however, is the wattage the device can produce. It can produce 2400W, which means it can power roughly 15 devices at once. A fridge uses somewhere between 100W and 250W, so even with a fridge on the circuit, quite a few devices can be powered.

    Of course, since this is a battery, the more devices being used, the shorter the time it can power those devices. The Ecoflow can interface with solar power, but I wasn’t sent any solar arrays for testing. Without solar to recharge, the Ecoflow has the charge that it has. Once depleted, you’re out of juice. It’s vaguely similar to being out of gas for your generator. The Ecoflow does recharge rather rapidly. So if you did have a situation where the power was out, but came back on for a bit, before failing again, the Ecoflow could recharge. It takes less than two hours to recharge using wall power.

    How long does it last? That, of course, depends on what you want it to do. If you want it to provide supporting power out in a shed, on a boat, or on a camping trip, it will support most small appliances and tools. You probably could run a table saw on it for an hour or so, but that’s about it. By contrast, if you wanted it to keep your phone topped up, you could charge your phone probably a hundred times. This also offers a particularly interesting work-at-home option. Many of us working at home have deadlines to meet and “show ups” to do, regardless of what our home situation is at the time. I’ve had to meet deadlines while driving through the desert during a hurricane evacuation. This unit could definitely power your phone to act as a Wi-Fi hotspot, and then keep your laptop charged up so you can get the job done. Add the ability to brew coffee to keep your brain running, and you have a work-from-home continuity plan.

    You might have some tradeoff decisions. It can keep a full size fridge cold for about 10 hours, a mini fridge cold for a little less than a day, but you might only get an hour or two from a window-shaker air conditioner. For an extended outage, you might want to plug in the fridge for an hour, then unplug for an hour, which would extend the service for a longer time. You could use it to cook dinner with an air fryer, but choose something that cooks fast. An hour or so of use will deplete the charge. If you use a coffee maker (which uses roughly a thousand watts), make just a few cups and unplug it. A coffee maker churning out coffee constantly will deplete it in about an hour or two (the scenario for this might be where the coffee maker is brought to an event or, say, a scouting weekend where lots of people are filling up).

    According to the U.S. Energy Information Administration, power outages since 2013 averaged about two hours. However, starting in 2018, with increased wildfires and hurricanes, the average outage jumped to about 5.8 hours. It’s in these situations where the Ecoflow shines. If you’re concerned about making it through a typical outage, the Ecoflow could keep your food from spoiling, brew a cup or two of coffee, and recharge your phones. It probably couldn’t keep you cool all night, but it could help make it easier to get through the outage. I, personally, have a bunch of battery-powered fans, and these use so little current that they can make it through most of the night on a set of D-cells. If, on the other hand, you live in hurricane country, where you’re likely to be without power for a week or more, the Ecoflow can’t help you on its own. You’ll need to invest in a set of solar panels. I haven’t done any testing of how fast these recharge and what the drain cycle would be. That’s something for a future article, if I ever get panels in to test. The best case is if you can connect solar power to the unit to recharge. But even without solar power, this unit could help you get through a typical power outage.

    Maintenance best practices

    Maintaining a gas generator is different than maintaining a battery-based generator. You can’t just leave the Ecoflow out in the shed and add gas and plug things in when the power goes out. You have to keep it charged up so it’s available in case of power failure. And that requires a maintenance practice.

    I reached out to the company for guidance and they told me that Ecoflow does NOT recommend keeping the unit plugged in, “as it may hurt the battery.” Instead, it requires a “charging-discharging maintenance every 3 months.” They recommend you discharge the device to 30%, and then recharge it to 85% every three months. I’m not sure why they want it charged to 85% and not 100%, but that’s their recommendation. So, if you truly do want a power station that will get you through most power outages, you’ll need to add the discharge/charge maintenance cycle to your quarterly to-do list. That’s probably not too big a price to pay to have food-loss free power outages.

    Bottom line

    The Ecoflow Delta Max is not cheap. Wellbots sells it for a little over $2,000. For that price, you’re going to want the device to work for you when you need it. That means you’re going to need to do some proactive planning. Decide what devices you want it to power during a power outage. Make sure you know where you’re going to deploy it, make sure you have the proper extension cords (best if stored with the unit). Perhaps even conduct a dry run or two to be sure your plans will work. And, of course, conduct the quarterly maintenance we discussed above.

    Finally, there are a few things worth noting about this power station. The Ecoflow Delta Max isn’t the only power station in the Ecoflow line. Wellbots offers units ranging from about $350 and up, but of course the smaller units provide less power. Also, I dug around on forums and reviews to get a feel for how customers liked the units and found an interesting set of mixed reviews. Overall, it seems that those who knew what they were getting were very happy with the device, while those who expected more of a magical power source were somewhat disappointed. One particular trend is easy to be aware of. Apparently, the unit doesn’t provide its full power output right after a charge. Charging heats up the unit, so to manage heat, the unit throttles output until it’s cool enough to provide full power. Can you say “first law of thermodynamics”? Sure. I knew you could.

    So, my bottom line is that this is what it is, and that’s a pretty cool thing. It’s a battery-based power station. If you understand how batteries and power work, and your expectations aren’t that of a mystical, never-ending power source, this is a solid solution. If you want it to offer more, you might want to invest in additional add-on batteries and solar panels.

    What about you? Do you live somewhere where there are regular power outages? Do you have a plan for keeping going? Have you bought a generator? Do you like the idea of a battery-powered generator compared to a gasoline-powered one? Let us know in the comments below.

  •

    Google: We're sending out lots more phishing and malware attack warnings – here's why

    Google’s policy to send alerts to people with Google Accounts that are targeted by suspected state-sponsored hackers is getting a full workout in 2021. The company says it has already sent over 50,000 such warnings to users, marking a 33% increase from the same period in 2020. “So far in 2021, we’ve sent over 50,000 warnings, a nearly 33% increase from this time in 2020. This spike is largely due to blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear,” Google security engineer and TAG team member Ajax Bash notes in a blogpost.


    Shane Huntley from Google’s Threat Analysis Group (TAG) tweeted on October 7 that the group had sent an “above average batch of government-backed security warnings yesterday”. TAG sends warnings over phishing attempts and malware attacks.

    Google’s suggestion that Kremlin-backed hackers are a major problem chimes with Microsoft’s data that 58% of nation-state cyberattacks came from Russia over the past year. The US National Security Agency warned in July that APT28 had run a massive password-guessing campaign targeting US and European organizations for the past two years. APT28 was one of several nation-state groups using password attacks and exploiting Microsoft Exchange email server vulnerabilities tracked as CVE-2020-0688 and CVE-2020-17144.

    Google says it sends the warnings in batches to all users who may be at risk so as not to alert attackers to its defense strategies. “On any given day, TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. This means that there is typically more than one threat actor behind the warnings,” says Bash.

    Another nation-state hacker group that TAG is tracking closely is APT35, an Iranian group known for phishing attempts against high-value targets in government and defense. The group, also known as Charming Kitten or Phosphorus, has targeted victims in the Persian Gulf, Europe, and the US. APT35 has been actively targeting the US defense industry for years and Google disrupted the group’s efforts to phish campaign staffers of Joe Biden and Donald Trump in the lead-up to the 2020 US presidential election. Microsoft this week warned that 250 Office 365 customers in the US and Israeli defense technology sector were targeted with password-spraying attacks by a separate emerging Iranian threat it tracks as DEV-0343.

    “In early 2021, APT35 compromised a website affiliated with a UK university to host a phishing kit,” notes Google’s Bash. “Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo. Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices.” APT35 has been using the same methods since 2017 to target accounts in government, academia, journalism, NGOs, foreign policy, and national security.

    The group uploaded a bogus VPN app to Google’s Play Store last May that could have been used to collect data from Android phones. However, Google says it removed the app before any users could install it.

    Online video meetings have become essential in the pandemic and APT35 has adapted its phishing techniques to suit this, according to Google. “Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence,” Bash noted. Those links often included link shorteners and click trackers, frequently embedded in PDF documents. The attacks abused Google Drive, Google Sites pages, Dropbox, Microsoft services, and messaging app Telegram.

    Like Microsoft, Google recommends Workspace admins and general users enable two-factor authentication or sign up to its Advanced Protection Program, which requires two-factor authentication. “Workspace administrators are also notified regarding targeted accounts in their domain. Users are encouraged to take these warnings seriously and consider enrolling in the Advanced Protection Program or enabling two-factor authentication if they haven’t already,” notes Bash.

  •

    This 'relentless' malware botnet has made millions with a surprisingly simple trick

    The long-running botnet known as MyKings is still in business and has raked in at least $24.7 million by using its network of compromised computers to mine for cryptocurrencies. MyKings, also known as Smominru and Hexmen, is the world’s largest botnet dedicated to mining cryptocurrencies by free-riding off its victims’ desktop and server CPUs. It’s a lucrative business that gained attention in 2017 after infecting more than half a million Windows computers to mine about $2.3 million of Monero in a month.


    Security firm Avast has now confirmed its operators have acquired at least $24.7 million in various cryptocurrencies that have been transferred to Bitcoin, Ethereum and Dogecoin accounts. It contends, however, that the group made most of this through its ‘clipboard stealer module’. When it detects that someone has copied a cryptocurrency wallet address (for example to make a payment) this module then swaps in a different cryptocurrency address controlled by the gang.

    Avast claims to have blocked the MyKings clipboard stealer from 144,000 computers since the beginning of 2020: the clipboard stealer module has existed since 2018. Security firm Sophos’s research found that the clipboard stealer, a trojan, monitors PCs for the use of various coin wallet formats. It works because people often use the copy/paste function to insert relatively long wallet IDs when accessing an account.

    “This method relies on the practice that most (if not all) people don’t type in the long wallet IDs rather store it somewhere and use the clipboard to copy it when they need it,” Sophos notes in a report. “Thus, when they would initiate a payment to a wallet, and copy the address to the clipboard, the Trojan quickly replaces it with the criminals’ own wallet, and the payment is diverted to their account.”

    However, Sophos also noted that the coin addresses it identified “hadn’t received more than a few dollars”, suggesting coin stealing was a minor part of the MyKings business. The crypto-mining side of the business was doing well in 2019, with Sophos estimating it made about $10,000 a month in October 2019.

    Avast now argues that MyKings is making a lot more money from the clipboard trojan after expanding on the 49 coin addresses identified in Sophos’ research to more than 1,300 coin addresses. Avast suggests the role of the clipboard stealer might be much larger than Sophos discovered.

    “This malware counts on the fact that users do not expect to paste values different from the one that they copied,” Avast researchers explain in a report. “It is easy to notice when someone forgets to copy and paste something completely different (e.g. a text instead of an account number), but it takes special attention to notice the change of a long string of random numbers and letters to a very similar looking string, such as cryptowallet addresses. This process of swapping is done using functions OpenClipboard, EmptyClipboard, SetClipboardData and CloseClipboard. Even though this functionality is quite simple, it is concerning that attackers could have gained over $24,700,000 using such a simple method.”

    Some circumstantial evidence to back the theory that the clipboard stealer is actually effective includes comments from people on Etherscan who claimed to have accidentally transferred sums to accounts included in Avast’s research. “We highly recommend people always double-check transaction details before sending money,” Avast notes.
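The swap Avast describes leaves exactly one fingerprint a defender can test for: the text delivered to the paying application is a wallet address of the same family as the text the user copied, yet not the same string. The following added example (not Avast's, Sophos's or MyKings code) runs that check over a few constructed clipboard events; the wallet patterns are shape-based and every address in it is made up.

```python
"""Detect wallet-address substitution on the clipboard.

Added example, not CloudSEK/Avast/Sophos or MyKings code. The stealer Avast
describes rewrites the clipboard via OpenClipboard/EmptyClipboard/
SetClipboardData/CloseClipboard, so the only observable is a pair of values:
what the user copied and what the paying application actually received.
This detector flags pairs where both values are wallet addresses of the same
family but are not identical. All sample addresses below are constructed.
"""
import re
from dataclasses import dataclass

# Shape-based patterns (prefix, alphabet, length) for the wallet families the
# articles mention. They are not checksum validators: a stealer itself only
# sees shape, and shape is enough to decide whether a swap is plausible.
WALLET_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def wallet_kind(text):
    """Return the wallet family `text` looks like, or None for ordinary text."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def shared_affix(a, b):
    """Length of the common prefix and of the common suffix of two strings.

    A substitute that keeps the first and last few characters is what makes
    the swap "very similar looking"; reporting both lengths quantifies that.
    """
    limit = min(len(a), len(b))
    prefix = 0
    while prefix < limit and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix


@dataclass
class Finding:
    kind: str
    copied: str
    pasted: str
    common_prefix: int
    common_suffix: int


def detect_swaps(events):
    """events: iterable of (copied, pasted) clipboard observations.

    Returns a Finding for each event in which a wallet address was replaced by
    a *different* address of the *same* family, the signature of a clipboard
    stealer. Unchanged pastes and non-wallet text are ignored.
    """
    findings = []
    for copied, pasted in events:
        copied, pasted = copied.strip(), pasted.strip()
        if copied == pasted:
            continue
        kind = wallet_kind(copied)
        if kind is None or wallet_kind(pasted) != kind:
            continue
        prefix, suffix = shared_affix(copied, pasted)
        findings.append(Finding(kind, copied, pasted, prefix, suffix))
    return findings


# Constructed clipboard events: (what was copied, what was pasted).
ETH_COPIED = "0x1111aaaa2222bbbb3333cccc4444dddd5555eeee"
ETH_SWAPPED = "0x1111c0ffee" + "0" * 22 + "5555eeee"   # same first/last chars
BTC_COPIED = "1" + "A" * 33
BTC_SWAPPED = "1AA" + "B" * 29 + "AA"

SAMPLE_EVENTS = [
    ("meeting notes for Tuesday", "meeting notes for Tuesday"),  # benign text
    (ETH_COPIED, ETH_COPIED),                                    # benign paste
    (ETH_COPIED, ETH_SWAPPED),   # swap: same family, shared prefix/suffix
    (BTC_COPIED, BTC_SWAPPED),   # swap: same family, different address
]

if __name__ == "__main__":
    for f in detect_swaps(SAMPLE_EVENTS):
        print(f"{f.kind}: clipboard changed after copy "
              f"(shared prefix {f.common_prefix}, suffix {f.common_suffix})")
        print(f"  copied: {f.copied}\n  pasted: {f.pasted}")
```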

  •

    WhatsApp starts slowly rolling out encrypted backups

    Image: WhatsApp
    WhatsApp has said it is starting to slowly roll out the encrypted backups feature it detailed in September. “Starting today, we are making available an extra, optional layer of security to protect backups stored on Google Drive or iCloud with end-to-end encryption,” the company said in a blog post. “No other global messaging service at this scale provides this level of security for their users’ messages, media, voice messages, video calls and chat backups.”

    Users will have a choice for how the encryption key used is stored. The simplest is for users to keep a record of the random 64-digit key themselves, akin to how Signal handles backups, which they would need to re-enter to restore a backup. The alternative would be for the random key to be stored in WhatsApp’s infrastructure, dubbed a hardware security module-based Backup Key Vault, that would be accessible via a user-created password. For redundancy purposes, WhatsApp said the key would be distributed through multiple data centres that operate on a consensus model.

    WhatsApp said it would only know that a key exists in its vault, but would not know the key itself. The backups would store message text, as well as photos and videos received, WhatsApp said.

  •

    Missouri governor faces backlash and ridicule for threatening reporter who discovered exposed teacher SSNs

    Missouri governor Mike Parson is facing criticism from technologists and journalists after he issued a scathing, technologically inaccurate statement threatening to arrest a reporter for discovering that the social security numbers of school teachers, administrators and counselors across Missouri were vulnerable to public exposure due to flaws on a website maintained by the state’s Department of Elementary and Secondary Education.

    St. Louis Post-Dispatch reporter Josh Renaud wrote a story on Thursday indicating that the newspaper discovered issues with a web application that allowed anyone to search through a database of certifications and credentials belonging to more than 100,000 of the state’s teachers. Payment data and social security numbers were also vulnerable due to the issue. The newspaper contacted the department and the pages were removed. All of this was done before the story was published to give the state time to rectify the vulnerability. The newspaper also held off on publishing the story to allow other state agencies to fix similar vulnerabilities in other web applications. State officials said they were investigating how long the data was exposed.

    But later in the day, Parson held a press conference where he bashed Renaud and the newspaper, threatening legal action for their decision to notify the state about the issue. He then doubled down on the threats in a Twitter thread that drew widespread ridicule and outrage from technology experts who questioned whether the governor and his team truly understood what they were discussing.

    Parson claimed that “an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.” He said his office notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit and ordered them to investigate what happened.

    “Upon receiving this notice, DESE immediately contacted the Missouri Office of Administration ITSD, who programs and maintains the web application, to remove public access to the portal and update the code. This matter is serious,” Parson wrote. “The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires. A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code.”

    Parson went on to say that Renaud committed an offense because it is a crime to “access, take and examine personal information without permission.”

    “This data was not freely available and had to be converted and decoded. The state does not take this matter lightly and we are working to strengthen our security to prevent this incident from happening again,” Parson said. “The state is owning its part, and we are addressing areas in which we need to do better than we have done before. We will not rest until we clearly understand the intentions of this individual and why they were targeting Missouri teachers.”

    Other local news outlets noted that Parson has long expressed a deep hatred for the state’s major news outlets over their coverage of his handling of the COVID-19 crisis and his penchant for doling out no-bid contracts. Even members of Parson’s own party criticized him for his statements, with Republican Rep. Tony Lovasco writing on Twitter that it was “clear the Governor’s office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities.” “Journalists responsibly sounding an alarm on data privacy is not criminal hacking,” Lovasco said.

    The St. Louis Post-Dispatch defended Renaud in a statement and said he did the right thing by reporting his findings to DESE before it could be exploited. “For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded,” said the newspaper’s lawyer, Joseph Martineau, in a statement provided for Renaud’s story.
    Governor Parson
    The governor’s statements were thoroughly bashed by experts who noted that what Renaud did was as simple as pressing the F12 key on certain devices. BreachQuest CTO Jake Williams told ZDNet that organizations should be careful not to shoot the messenger when security vulnerabilities are disclosed.

    “This is certainly not hacking in any sense of the word. It appears that the reporter used a publicly available web application intended to facilitate searching for teacher certifications. When the results were displayed, the reporter simply viewed the source code of the web page and found the social security numbers,” Williams said. “While Governor Parson said the reporter ‘decoded the HTML source code’ in reality they simply used the feature built into every web browser since the dawn of the Internet. Because HTTP is stateless, many web applications store their status in hidden form fields so they can be passed from the browser back to the server with every request. It seems likely that these hidden form fields included the social security number of the teacher. The question of whether this was a crime might be more black and white if the reporter had enumerated all records before reporting the issue.”

    Williams noted that even Parson’s mention of only three records taken seems to contradict any malicious intent. He added that instead of focusing on this so-called hacking, Parson should be concerned about the security of the state’s applications, particularly those that are available for public use. Renaud’s story noted that the state has previously faced criticism for its data collection practices.

    “Finding a flaw like this in 2021 should frankly be embarrassing for the state. It wouldn’t be the first time that a politician has fired on all cylinders claiming that accessing publicly available information was hacking,” Williams said. “Threatening a reporter with legal action is almost always a bad idea and usually creates an unintended Streisand Effect.”

    Vectra technical director Tim Wade said the situation underscored the need to protect security researchers operating in the public good and the backlash they typically face for discovering vulnerabilities. The outrage directed toward those who discover data loss and vulnerabilities needs to be redirected to the root causes of why these security failures continue to occur to the detriment of individual safety, Wade added. He noted that most courts recognize limits to protections from unlawful search when activities occur clearly in a public context and explained that it’s hard to imagine that the low technical sophistication of the behaviors described, with a tool as common as a web browser, constitutes anything but the digital equivalent of observations made in a public context.

    John Bambenek, principal threat hunter at Netenrich, said government leaders should be thanking people who notify their government of problems, not threatening them. “Throughout human history, emperors have responded to those telling them they were wearing no clothes by lashing out in anger at the audacity of those who’d dare say such a thing,” Bambenek said. “Life would be better if they, you know, just put on pants. I’m sure every actual criminal hacker on the planet noticed this tirade and you can bet they’re adjusting their targeting accordingly.”
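Williams' explanation, that a stateless web app round-trips its state through hidden form fields anyone can read with view-source, suggests a simple pre-release check an application owner can run against their own rendered pages. The following added example (not the state's or the Post-Dispatch's code) parses an HTML response, collects every hidden input and reports values shaped like a US SSN, masked; the page and every number in it are constructed placeholders.

```python
"""Find SSN-shaped values in the hidden form fields of an HTML response.

Added example, not the state's or the Post-Dispatch's code. A stateless web
application that carries its state in <input type="hidden"> fields sends that
state to the browser, where view-source (or F12) shows it. Running this check
against your own rendered pages before release catches the case described
above: a sensitive identifier round-tripped through a hidden field. The page
below and every number in it are constructed placeholders.
"""
import re
from html.parser import HTMLParser

# 9 digits, optional dash/space separators. Area 000, 666 and 9xx, group 00
# and serial 0000 are never issued, so they are excluded to reduce noise.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"
)


class HiddenFieldCollector(HTMLParser):
    """Collect (name, value) for every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden":
            self.hidden.append((a.get("name", ""), a.get("value", "")))


def mask_ssn(value):
    """Replace each SSN-shaped match with ***-**-NNNN so the report itself
    does not reproduce the leaked value."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], value)


def find_ssn_leaks(html):
    """Return [(field_name, masked_value)] for hidden fields carrying an SSN."""
    collector = HiddenFieldCollector()
    collector.feed(html)
    return [(name, mask_ssn(value))
            for name, value in collector.hidden if SSN_RE.search(value)]


# Constructed search-results page; values are placeholders, not real SSNs.
SAMPLE_HTML = """<html><body>
<form method="post" action="/search">
  <input type="hidden" name="state" value="page=2;sort=name">
  <input type="hidden" name="educator_id" value="E-000417">
  <input type="hidden" name="educator_ssn" value="123-45-6789">
  <input type="hidden" name="order_ref" value="987654321">
  <input type="text" name="q" value="Smith">
  <input type="hidden" name="payroll_ref" value="SSN 234567890 batch 12">
</form>
<table><tr><td>Smith, Jane</td><td>Certificate: Elementary 1-6</td></tr></table>
</body></html>"""

if __name__ == "__main__":
    for name, masked in find_ssn_leaks(SAMPLE_HTML):
        print(f"hidden field {name!r} carries an SSN-shaped value: {masked}")
```

The `order_ref` value is deliberately a 9-digit number that fails the area-number rule, so it is not reported; a visible `type="text"` field is out of scope because it is not state the user never sees.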

  •

    CISA outlines cyberthreats targeting US water and wastewater systems

    In a new advisory, CISA has warned US water and wastewater system operators about an array of cyberthreats aimed at disrupting their operations. Cybersecurity company Dragos worked with CISA, the FBI, the NSA and the EPA to outline cyberthreats targeting the information and operational technology underpinning the networks, systems and devices of US water and wastewater facilities. The warning also outlines a series of attacks that have happened this year, some of which were never reported previously. CISA noted that the advisory was not an indication of the potential for increased attacks targeting this particular sector but was simply an effort to help water facility operators protect their systems.

    The notice lists spearphishing as one of the most prevalent methods used by cybercriminals and nation-states to gain access to water systems, explaining that it is often deployed to deliver malicious payloads, including ransomware. CISA added that because IT and OT systems are often integrated together, access to one gives attackers access to the other. CISA also mentioned exploitation of internet-connected services like RDP as another tool used to attack water systems. With COVID-19, many water system operators use RDP and other tools to access the systems remotely, and outdated operating systems or software leave that remote access vulnerable.

    “WWS facilities tend to allocate resources to physical infrastructure in need of replacement or repair (e.g., pipes) rather than IT/OT infrastructure. The fact that WWS facilities are inconsistently resourced municipal systems — not all of which have the resources to employ consistently high cybersecurity standards — may contribute to the use of unsupported or outdated operating systems and software,” CISA explained. “WWS systems commonly use outdated control system devices or firmware versions, which expose WWS networks to publicly accessible and remotely executable vulnerabilities. Successful compromise of these devices may lead to loss of system control, denial of service, or loss of sensitive data.”

    The notice lists several recent attacks since 2019, including one in August 2021 that involved the Ghost ransomware being deployed against a facility in California. Attackers spent a month inside the system before putting up a ransomware message on three supervisory control and data acquisition (SCADA) servers. An attack in July saw the ZuCaNo ransomware used to damage a wastewater facility in Maine, and in March a Nevada water treatment plant was hit with an unknown ransomware variant. In September 2020, the Makop ransomware hit a New Jersey facility, and another attack in March 2019 involved an attempt to threaten the drinking water of a town in Kansas.

    CISA lists a number of things operators should look out for, including the inability to access certain SCADA system controls, unfamiliar data windows or system alerts, abnormal operating parameters and more. It urged water facilities to put increased security controls around RDP and implement “robust” network segmentation between IT and OT networks. All facilities should have an emergency response plan and consider the wide range of impacts a cyberattack may have on how systems function. CISA noted that there should also be systems in place that physically stop certain dangerous conditions from occurring even if a system is taken over.

    Neil Jones, cybersecurity evangelist for Egnyte, told ZDNet that the recent attacks on water treatment plants in the Bay Area, Florida, and Pennsylvania should be a wake-up call that the country’s critical food, utility and energy infrastructure is under direct threat from cyberattacks. Jones said recent reports indicate that 1 in 10 water or wastewater plants has a critical security vulnerability.
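    As an added example (not code from CISA, Dragos or the article), the following Python script applies two of the advisory's recommendations to constructed telemetry: an IT/OT segmentation check on RDP sessions, and an independent safe-band check on operating parameters of the kind meant to stop a dangerous condition even when the HMI is under someone else's control. The subnets, tag names, limits and sample events are all assumptions.

```python
# Added example, not code from CISA or the article: two of the advisory's
# checks applied to constructed SCADA telemetry. Subnets, tags and limits
# are assumptions; real limits come from the plant's engineering data.
import ipaddress
from typing import Optional, Tuple

OT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed OT/SCADA subnet

# Assumed engineering safe bands per process tag (constructed values).
SAFE_BANDS = {
    "naoh_dose_ppm": (50.0, 150.0),  # caustic dosing
    "chlorine_ppm": (0.5, 4.0),      # residual chlorine
}

def check_rdp_session(src_ip: str, dst_ip: str) -> Optional[Tuple[str, str]]:
    """Segmentation check: RDP into an OT host from outside the OT subnet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst in OT_NET and src not in OT_NET:
        return ("segmentation", f"RDP into OT host {dst} from {src}")
    return None

def check_parameter(tag: str, value: float) -> Optional[Tuple[str, str]]:
    """Interlock check: value outside its safe band, judged independently of the HMI."""
    if tag not in SAFE_BANDS:
        return ("unknown-tag", f"no safe band defined for {tag}")
    lo, hi = SAFE_BANDS[tag]
    if not lo <= value <= hi:
        return ("abnormal-parameter", f"{tag}={value} outside [{lo}, {hi}]")
    return None

def scan(events):
    """Run both checks over event dicts; return every alert raised, in order."""
    alerts = []
    for ev in events:
        if ev["type"] == "rdp":
            a = check_rdp_session(ev["src"], ev["dst"])
        else:
            a = check_parameter(ev["tag"], ev["value"])
        if a is not None:
            alerts.append(a)
    return alerts

# Constructed sample events (not real plant data).
SAMPLE_EVENTS = [
    {"type": "rdp", "src": "10.20.1.5", "dst": "10.20.1.10"},    # OT-internal
    {"type": "rdp", "src": "10.10.4.7", "dst": "10.20.1.10"},    # IT -> OT
    {"type": "param", "tag": "naoh_dose_ppm", "value": 100.0},   # in band
    {"type": "param", "tag": "naoh_dose_ppm", "value": 11100.0}, # out of band
    {"type": "param", "tag": "chlorine_ppm", "value": 2.0},      # in band
]
```

    Running `scan(SAMPLE_EVENTS)` yields exactly two alerts, one for the IT-to-OT RDP session and one for the out-of-band dosing value; the in-band readings and the OT-internal session pass silently.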
    Bjorn Townsend, a water infrastructure incident responder for cybersecurity company Critical Insight, said alerts like this “indicate that they have specific intelligence that threat actors are attempting to tamper with our water systems on an ongoing basis, and they’re trying to alert water system operators to that fact.”

    “Municipal IT personnel should pass the guidance in the ‘WWS Monitoring’ section on to the plant engineers who work with the utility’s SCADA systems even if they aren’t specifically trained in IT, and give guidance on how to alert IT and/or cybersecurity staff to respond to the potential threat,” Townsend said. “The alert lists mitigations for the very issues I have seen firsthand while performing cyber and physical risk assessments of municipal water systems here in Washington State under the America’s Water Infrastructure Act of 2018. Most of the water systems I have personally inspected do not have the majority of the mitigations listed in place, particularly in terms of remote access controls, system upgrades, access reviews, or monitoring and logging of activity.”

    Water systems, he added, often have to deal with a lack of resources, both in terms of management, monitoring technologies and even a lack of investment in regular software and hardware upgrades for the industrial controls networks in those systems. The other issue is a lack of cooperation between water system operators and municipal IT staff, Townsend explained.

    “In a municipal water system, I often see a situation where IT administrators — who are nominally responsible for the computers within the drinking water system — are at odds with water system operators, because water system operators are trained to make minimal changes to a system over time,” he said. “That ‘minimal change’ approach is completely at odds with the recommended 30-day patching cycle for Microsoft Windows, let alone upgrading the software on the PLCs themselves. As a result, this alert shows that we need to both dramatically improve resourcing for IT and cybersecurity in the water sector and break down the stovepipe between municipal IT staff and the operators of their municipal water system by encouraging water system operators to follow IT software and hardware update policies.”

    More than anything, Townsend said the lack of funding is often the greatest problem operators face because many organizations are bound simply by the number of people they have available to perform these otherwise very routine tasks. The staff they have are usually close to the minimum number required to respond to help desk and support requests, Townsend noted.


    Verizon-owned Visible acknowledges hack, confirms account manipulations

    All-digital wireless carrier Visible has finally addressed issues its users were having with their accounts this week. The company, which is owned by Verizon, has faced overwhelming criticism from users, who took to social media to say their accounts had been hacked and used to buy phones or make other charges. Multiple customers voiced their complaints on Reddit and other social media sites, saying they had been locked out of their accounts, had their addresses changed, and had still not gotten any response from Visible.

    The company came forward and confirmed the attack in a Twitter thread on Wednesday afternoon, writing that it was “aware of an issue in which some member accounts were accessed and/or charged without their authorization.” “As soon as we were made aware of the issue, we initiated a review and deployed tools to mitigate the issue, enabling additional controls to further protect our members. Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts,” the company claimed. The company urged affected customers to contact them if there were any charges made to their account without their knowledge.

    A Reddit user said on Monday that they discovered a $1,175.85 charge to their account coming from Visible. When they investigated further, they discovered that a 128GB iPhone 13 Pro Max had been purchased and sent to an address in New York City, far away from their home in the DC/Virginia area.

    “Visible basically offered nothing. I asked them what the hell is this, and they asked me if I had the order number. I said no, since my entire account was hijacked and the emails don’t come to me,” the user wrote. “I asked if I can be given access to my account again, and they said ‘We’re not sure.’ I should be hearing back within 24-48 hrs.”

    In a later message on Reddit, a Visible spokesperson denied that the company had been breached or compromised, claiming that only “a small number of member accounts was changed without their authorization.” “We don’t believe that any Visible systems have been breached or compromised, nor that this unauthorized access to your Visible account is ongoing,” the company said. “However, for your protection, we recommend you review your account contact information and change your password and security questions to your Visible account. We also recommend that you review any other accounts that share the same email, login, or password, and make any changes you determine necessary to secure those accounts.”

    Visible isn’t the only carrier dealing with cybersecurity issues. In August, hackers breached T-Mobile’s systems, exposing the sensitive information of more than 50 million current, former, and prospective customers.