More stories

  • This 'unique' phishing attack uses Morse code to hide its approach

    Microsoft has revealed the inner workings of a phishing group’s techniques, which use a ‘jigsaw puzzle’ approach plus unusual features like Morse code dashes and dots to hide its attacks.

    The group is using invoices in Excel HTML or web documents to distribute forms that capture credentials for later hacking efforts. The technique is notable because it bypasses traditional email filter systems.

    “The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments,” Microsoft Security Intelligence says.


    “In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show,” it said.

    The main aim of the attack is to acquire usernames and passwords, but it also collects profile data such as IP address and location for use in subsequent breach attempts. “This phishing campaign is unique in the lengths attackers take to encode the HTML file to bypass security controls,” Microsoft said.

    The attacks fall within the category of business email compromise, a highly profitable scam that outsizes the ransomware cybercrime industry.

    “The XLS.HTML phishing campaign uses social engineering to craft emails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice. In some of the emails, attackers use accented characters in the subject line,” Microsoft says.

    Excel and the finance-related subject line are the hook meant to encourage victims to hand over credentials. “Using xls in the attachment file name is meant to prompt users to expect an Excel file. When the attachment is opened, it launches a browser window and displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document. Notably, the dialog box may display information about its targets, such as their email address and, in some instances, their company logo.”

    The Morse code element of the attack is used in conjunction with JavaScript, the most popular programming language for web development. “Morse code is an old and unusual method of encoding that uses dashes and dots to represent characters. This mechanism was observed in the February (“Organization report/invoice”) and May 2021 (“Payroll”) waves,” Microsoft notes. “In the February iteration, links to the JavaScript files were encoded using ASCII then in Morse code. Meanwhile in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.”

    The use of Morse code in phishing attacks was spotted by Bleeping Computer’s Lawrence Abrams in February.
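As an added illustration of the layered encoding Microsoft describes (this is not Microsoft’s code, nor code from the phishing kit), the following Python scans an HTML attachment for runs of Morse code, peels the encoding layers off each run, and flags decoded text that looks like a script reference or a hostname. The sample attachment, its `.invalid` hostnames, and the comma-separated decimal-ASCII inner layer are constructed assumptions for this example: the report says the links were “encoded using ASCII then in Morse code” without giving the exact format, and the “Escape” layer from the May wave is not handled.

```python
"""Decode Morse-obfuscated segments of an HTML attachment (added example).

Illustrates the layered "jigsaw puzzle" encoding described in Microsoft's
report; this is not Microsoft's code nor the phishing kit's. The sample
attachment below is constructed for this example and points at reserved
.invalid hostnames.
"""
import re

# Dot/dash -> character table: letters, digits and the punctuation a URL or
# file name needs. Anything outside this table decodes as '?'.
MORSE_TO_CHAR = {
    '.-': 'a', '-...': 'b', '-.-.': 'c', '-..': 'd', '.': 'e', '..-.': 'f',
    '--.': 'g', '....': 'h', '..': 'i', '.---': 'j', '-.-': 'k', '.-..': 'l',
    '--': 'm', '-.': 'n', '---': 'o', '.--.': 'p', '--.-': 'q', '.-.': 'r',
    '...': 's', '-': 't', '..-': 'u', '...-': 'v', '.--': 'w', '-..-': 'x',
    '-.--': 'y', '--..': 'z', '-----': '0', '.----': '1', '..---': '2',
    '...--': '3', '....-': '4', '.....': '5', '-....': '6', '--...': '7',
    '---..': '8', '----.': '9', '.-.-.-': '.', '--..--': ',', '-..-.': '/',
    '---...': ':', '-....-': '-',
}
CHAR_TO_MORSE = {ch: code for code, ch in MORSE_TO_CHAR.items()}

# A Morse run: at least six whitespace-separated tokens of dots/dashes.
# The minimum length keeps ellipses ("...") and "--" out of the results.
MORSE_RUN = re.compile(r'(?:[.\-]{1,7}\s+){5,}[.\-]{1,7}')
# Inner layer assumed for this example: decimal ASCII codes joined by commas.
# The report says "ASCII then Morse" but gives no separator; this is a guess.
ASCII_CODES = re.compile(r'^\d{2,3}(?:,\d{2,3})*$')
HOSTNAME = re.compile(r'\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b')
KEYWORDS = ('.js', 'http', '<script', 'eval(', 'document.')


def morse_encode(text):
    """Encode text as space-separated Morse (used only to build the sample)."""
    return ' '.join(CHAR_TO_MORSE[c] for c in text.lower())


def morse_decode(run):
    """Decode one whitespace-separated Morse run; unknown tokens become '?'."""
    return ''.join(MORSE_TO_CHAR.get(tok, '?') for tok in run.split())


def decode_layers(run):
    """Peel the encoding layers off one Morse run.

    Returns (layer_names, plaintext). Only the Morse and decimal-ASCII
    layers are handled here.
    """
    layers = ['morse']
    text = morse_decode(run)
    if ASCII_CODES.match(text):
        layers.append('ascii-decimal')
        text = ''.join(chr(int(n)) for n in text.split(','))
    return layers, text


def scan_attachment(html):
    """Find every Morse run in an HTML body and decode it.

    Each finding records the offset, the layers peeled, the decoded text,
    and whether that text looks like script or a network location.
    """
    findings = []
    for match in MORSE_RUN.finditer(html):
        layers, text = decode_layers(match.group(0))
        lowered = text.lower()
        suspicious = (any(k in lowered for k in KEYWORDS)
                      or bool(HOSTNAME.search(lowered)))
        findings.append({'offset': match.start(), 'layers': layers,
                         'decoded': text, 'suspicious': suspicious})
    return findings


def build_sample_attachment():
    """Constructed attachment in the style the report describes: one hidden
    segment carries a script URL as ASCII codes then Morse, another carries
    a plain Morse-encoded hostname. Hostnames are reserved .invalid names."""
    loader_url = 'https://kit.example.invalid/steal.js'
    codes = ','.join(str(ord(c)) for c in loader_url)
    return (
        '<html><body>\n'
        '<div id="blur">Invoice 4471 - Payment advice</div>\n'
        f'<div id="p1" hidden>{morse_encode(codes)}</div>\n'
        f'<div id="p2" hidden>{morse_encode("login.example.invalid")}</div>\n'
        '<script>/* loader would reassemble and decode p1 and p2 here */</script>\n'
        '</body></html>'
    )


if __name__ == '__main__':
    for f in scan_attachment(build_sample_attachment()):
        tag = 'SUSPICIOUS' if f['suspicious'] else 'info'
        print(f"[{tag}] offset={f['offset']} layers={'+'.join(f['layers'])} "
              f"decoded={f['decoded']!r}")
```

The point the example makes is the one in Microsoft’s “jigsaw puzzle” comparison: each hidden segment is harmless-looking dots and dashes until a detector does the same reassembly and decoding the kit’s loader does. A mail gateway would run `scan_attachment` over the `text/html` parts of an attachment and treat a decoded script URL or hostname as grounds for quarantine.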

  • One big ransomware threat just disappeared. Now another one has jumped up to fill the gap

    The sudden disappearance of one of the most prolific ransomware services has forced crooks to switch to other forms of ransomware, and one in particular has seen a big growth in popularity. The REvil ransomware gang, also known as Sodinokibi, went dark in July, shortly after drawing the attention of the White House following the massive ransomware attack which affected 1,500 organisations around the world.


    It’s still uncertain whether REvil has quit for good or will return under different branding, but affiliates of the ransomware scheme aren’t waiting to find out: they’re switching to other brands of ransomware and, according to analysis by cybersecurity researchers at Symantec, LockBit ransomware has become the weapon of choice.

    LockBit first appeared in September 2019 and those behind it added a ransomware-as-a-service scheme in January 2020, allowing cyber criminals to lease LockBit to launch ransomware attacks in exchange for a cut of the profits. LockBit isn’t as high profile as some other forms of ransomware, but those using it have been making money for themselves from ransom payments paid in Bitcoin.

    Now the apparent disappearance of REvil has led to a rise in cyber criminals turning to LockBit to conduct ransomware attacks, aided by the authors of LockBit putting effort into offering an updated version.

    “LockBit has been aggressively advertising for new affiliates in recent weeks. Secondly, they claim to have a new version of their payload with much higher encryption speeds. For an attacker, the faster you can encrypt computers before your attack is uncovered, the more damage you will cause,” Dick O’Brien, senior research editor at Symantec, told ZDNet.

    Researchers note that many of those now using LockBit are using the same tactics, tools, and procedures they were previously using in attempts to deliver REvil to victims; they’ve just switched the payload. These methods include exploiting unpatched firewall and VPN vulnerabilities or brute-force attacks against remote desktop protocol (RDP) services left exposed to the internet, as well as the use of tools including Mimikatz and Netscan to help establish the access to the network required to install ransomware.

    Like other ransomware groups, LockBit attackers also use double extortion, stealing data from the victim and threatening to publish it if a ransom isn’t paid.

    While it has somewhat flown under the radar until now, attackers using LockBit deployed it in an attempted ransomware attack against Accenture, although the company said it had no effect as it was able to restore files from backup. LockBit has also caught the attention of national security services; the Australian Cyber Security Centre (ACSC) released an alert about LockBit 2.0 this week, warning about a rise in attacks.

    Ransomware poses a threat to organisations no matter what brand is being used. Just because one high-profile group has seemingly disappeared, for now, it doesn’t mean that ransomware is any less of a threat. “We consider LockBit a comparable threat. It’s not just the ransomware itself, it’s the skill of the attackers deploying it. In both cases, the attackers behind the threats are quite adept,” said O’Brien.

    “In the short term, we expect to see Lockbit continue to be one of the most frequently used ransomware families in targeted attacks. The longer-term outlook depends on whether some of the recently departed ransomware developers – such as REvil and Darkside – return,” he added.

    To help protect against ransomware attacks, organisations should ensure that software and services are up to date with the latest patches, so cyber criminals can’t exploit known vulnerabilities to gain access to networks. Multi-factor authentication should be applied to all user accounts, to help prevent attackers from easily using leaked or stolen passwords. Organisations should also regularly back up the network, so that in the event of a ransomware attack it can be restored without paying a ransom.

  • Cornell University researchers discover 'code-poisoning' attack

    A team of researchers at Cornell Tech has uncovered a new type of backdoor attack that they showed can “manipulate natural-language modeling systems to produce incorrect outputs and evade any known defense.”

    The Cornell Tech team said they believe the attacks would be able to compromise algorithmic trading, email accounts and more. The research was supported with a Google Faculty Research Award as well as backing from the NSF and the Schmidt Futures program.

    According to a study released on Thursday, the backdoor can manipulate natural-language modeling systems without “any access to the original code or model by uploading malicious code to open-source sites that are frequently used by many companies and programmers.” The researchers named the attacks “code poisoning” during a presentation at the USENIX Security conference on Thursday. The attack would give people or companies enormous power to modify a wide range of things, including movie reviews or even an investment bank’s machine learning model, so that it ignores news that would affect a company’s stock.

    “The attack is blind: the attacker does not need to observe the execution of his code, nor the weights of the backdoored model during or after training. The attack synthesizes poisoning inputs ‘on the fly,’ as the model is training, and uses multi-objective optimization to achieve high accuracy simultaneously on the main and backdoor tasks,” the report said. “We showed how this attack can be used to inject single-pixel and physical backdoors into ImageNet models, backdoors that switch the model to a covert functionality, and backdoors that do not require the attacker to modify the input at inference time. We then demonstrated that code-poisoning attacks can evade any known defense, and proposed a new defense based on detecting deviations from the model’s trusted computational graph.”

    Eugene Bagdasaryan — a computer science PhD candidate at Cornell Tech and lead author of the new paper alongside professor Vitaly Shmatikov — explained that many companies and programmers use models and code from open-source sites on the internet, and this research shows how important it is to review and verify materials before integrating them into any system. “If hackers are able to implement code poisoning, they could manipulate models that automate supply chains and propaganda, as well as resume-screening and toxic comment deletion,” Bagdasaryan said. Shmatikov added that with previous attacks, the hacker must access the model or data during training or deployment, which requires penetrating the victim’s machine learning infrastructure.

    “With this new attack, the attack can be done in advance, before the model even exists or before the data is even collected — and a single attack can actually target multiple victims,” Shmatikov said.

    The paper does an in-depth investigation into the attack methods for “injecting backdoors into machine learning models, based on compromising the loss-value computation in the model-training code.” Using a sentiment analysis model, the team replicated how the attack would work on something like always classifying as positive any review of movies made by Ed Wood. “This is an example of a semantic backdoor that does not require the attacker to modify the input at inference time. The backdoor is triggered by unmodified reviews written by anyone, as long as they mention the attacker-chosen name,” the paper found. “Machine learning pipelines include code from open-source and proprietary repositories, managed via build and integration tools. Code management platforms are known vectors for malicious code injection, enabling attackers to directly modify source and binary code.”

    The study notes that popular ML repositories, which have thousands of forks, “are accompanied only by rudimentary tests (such as testing the shape of the output).”

    To defend against the attack, the researchers suggested a system that could detect deviations from the model’s original code. But Shmatikov said that because of how popular AI and machine learning technologies have become, many non-expert users are building their models using code they barely understand. “We’ve shown that this can have devastating security consequences,” Shmatikov said. He added that more work will need to be done on how the attack could be used to automate propaganda and other damaging efforts. The goal of the effort is now to create a defense system that will be able to “eliminate this entire class of attacks and make AI/ML safe even for non-expert users,” Shmatikov said.

  • Windows 10: Microsoft just revealed another Print Spooler bug

    Microsoft’s Windows 10 Print Spooler security is turning into a headache for the company and its customers.

    Branded bugs like Heartbleed from 2014 are a bit passé, but for the Windows 10 PrintNightmare bugs the name appears apt: Microsoft released fixes in July and August and, just after its August 10 Patch Tuesday change to the Print Spooler service, it has disclosed yet another Print Spooler bug.


    This one concerns a Windows Print Spooler remote code execution vulnerability, tagged as CVE-2021-36958. “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The workaround for this vulnerability is stopping and disabling the Print Spooler service,” Microsoft’s advisory said.

    The previously disclosed bug CVE-2021-34481 in the Windows Print Spooler service allows a local attacker to escalate privileges to the level of ‘system’, letting the attacker install malware and create new accounts on Windows 10 machines.

    To mitigate potential threats, Microsoft this week released an update that changes the default behavior of Point and Print features in Windows, which will prevent an average user from adding or updating printers. After installation, Windows 10 requires admin privileges to install these driver changes. While it will cause extra work for admins, Microsoft says it “strongly” believes that the security risk justifies this change.

    Admins have an option to disable Microsoft’s mitigation, but the company emphasized that doing so “will expose your environment to the publicly known vulnerabilities in the Windows Print Spooler service.”

    The issues affecting the Print Spooler service have escalated over the summer as researchers found different avenues to attack the set of flaws. CVE-2021-36958 and another PrintNightmare bug, tracked as CVE-2021-34483, were reported to Microsoft by an Accenture security researcher, Victor Mata, who says he reported the issues in December. Other related Print Spooler bugs include CVE-2021-1675 and CVE-2021-34527.

    Will Dormann, a vulnerability analyst at the CERT/CC, pointed out the apparently incomplete fixes in the August 2021 Patch Tuesday updates. As he notes, security researcher Benjamin Delpy released a proof of concept for one of the PrintNightmare bugs in July. Dormann informed Microsoft that Delpy’s PoC still worked on August 11, a day after August’s Patch Tuesday. Delpy’s proof of concept is what prompted Microsoft’s latest disclosure about CVE-2021-36958, according to Dormann.

    “Microsoft did fix *something* related to your attack in their update for CVE-2021-36936, which describes nothing about what it fixes. For example, my PoC for VU#131152 now prompts for admin creds. However, @gentilkiwi’s PoC still works fine. Time for MS to issue a new CVE?” wrote Dormann.

  • Private Internet Access review: A cheap, powerful VPN

    Private Internet Access is a powerful, flexible VPN that does a good job of keeping your data and location safe.

    Servers: 29,311
    Countries: 78
    Simultaneous connections: 10
    Kill switch: yes
    Logging: no
    Best deal: $2.19/mo or $79 for three years
    Trial: 7-day free trial and 30-day refund guarantee
    Supported platforms: iOS, Android, MacOS, Windows, Linux

    Definitely read through the details below. There’s a lot to like with this product, and the price is good as well as the performance. Just don’t try using it to connect to India. Read on, and you’ll see those results as well. Ugh.

    Initiating a connection

    Initiating a connection with Private Internet Access (PIA) was quite straightforward. I’m going to demonstrate this on Windows, but the interfaces are somewhat similar for Mac, iOS, and Android. Upon install, an app was placed in the system tray. As you can see, starting with the default connection is a matter of just pressing the amber power button. There’s a lot you can do from this interface, even before initiating a connection. For example, you can choose what server you want to use for your connection. You can get to that list by clicking on the greater-than sign to the right of the pre-selected server location.

    Special features

    PIA offers a good selection of extra features and options. You can get to these by right-clicking on the tray icon or tapping the three-dot menu at the upper right and then selecting Settings. The General preferences are relatively straightforward. You can decide whether to launch on startup and connect on launch, plus there are a few appearance options. I prefer the dark theme.

    Anti-malware and tracker disabling

    The Account tab simply reflects your account and plan data. But the Privacy tab is interesting. Here you can enable the VPN kill switch as well as MACE, PIA’s anti-malware and tracking feature.

    Split-tunnelling

    A very useful feature is the comprehensive split-tunneling PIA offers. As you can see, you can choose whether to use the VPN or not based on both applications and IP addresses. This is powerful, for example, if you must visit a site or service without using the PIA VPN. Some banks won’t allow access if they detect you’re using a VPN. Another benefit is that you could use the PIA VPN for personal surfing, and then if you use the corporate VPN app, you could turn off PIA, so you’re on your company’s provided connection.

    Protocol choice

    PIA’s protocol choice is somewhat limited, giving you the option of OpenVPN or WireGuard. Honestly, both are quite good, so we have no complaints that some of the older, weaker, and fussier protocols aren’t provided. I’m showing OpenVPN selected here, but all the testing we will do later will be with the often-faster WireGuard, a more modern protocol for this type of application.

    Connection automation

    PIA’s connection automation feature is interesting, but I do wish it was more feature-rich. As it stands, you can configure PIA to automatically connect or disconnect based on whether you’re connected to an open Wi-Fi channel, an encrypted Wi-Fi link, or a wired connection. That’s all well and good, but we’d like to see the ability to turn on and off the malware environment based on a connection, modify which apps use the VPN connection, and change settings based on IP address or block of IP addresses. That way, for example, when you bring your laptop to work, one full set of profiles would activate. When you’re at home, another set might activate, and so on. This is a good first step, but it’s an area where PIA can certainly benefit from additional work.

    Dedicated IP

    Finally, you can choose to upgrade your account with one or more dedicated IP addresses. Dedicated IP addresses are available for connections via the US, Australia, Canada, Germany, and the UK. The additional cost is $5/mo per dedicated IP address purchased. That IP remains yours throughout the duration of your dedicated IP subscription.

    Performance and leak testing

    I installed the Private Internet Access application on a fresh, fully-updated Windows 10 install. I always use a fresh install to do this kind of testing, so some other company’s VPN leftovers aren’t clogging up the system and possibly influencing results. I have a 1GB fiber feed, so my baseline network speed is rockin’ fast.


    To provide a fair US performance comparison, rather than comparing to my local fiber broadband provider, I used speedtest.net and picked a Comcast server in Chicago to test download speed. For each test, I connected to each server three times. The number shown below is the average result of the three connections.

    In looking at these numbers, it’s possible to get carried away by the difference in the baseline speed compared to the VPN speed. That’s not the best measurement, mostly because I have broadband over fiber, so my connection speed is extremely high. Also, if you look at the baseline speeds between my reviews, you may notice that they differ considerably going to the same cities. Keep in mind that speed tests are entirely dependent on the performance of all the links between the two locations, including the time of day, how active those servers are, and how slow or fast the Internet is on a given day.

    I used to commute to work from Berkeley to Mountain View in Silicon Valley. At midnight, that was a 35-minute drive. During rush hour, it was a two-hour drive. The same kinds of traffic jams can hit the Internet. All this is to support the recommendation I have in all my reviews: test for yourself. More on that later.

    Beyond the US, I tested connections to Sweden, Taiwan, Australia, and India. For each test, I connected to each server three times. The number shown below is the average result of all three connections. I could not test a connection to Russia because PIA doesn’t appear to have a Russian presence.

    While I was connected, I also ran DNS and WebRTC leak tests (to make sure that DNS and IP are secure) using DNSLeak.com, ipleak.net, and dnsleaktest.com. These tests are basic security tests and not much more. If you’re planning on using NordVPN (or any VPN service) to hide your identity for life and death reasons, be sure to do far more extensive testing.

    Here are the results of my tests (download speed: higher is better; ping: lower is better):

    Speed test server              | Baseline download (no VPN) | Ping (no VPN) | Time to connect | Download with VPN | Ping with VPN | Leaks
    Chicago – Comcast              | 236.97Mbps                 | 59ms          | 3 sec           | 77.43Mbps         | 61ms          | No
    Stockholm, Sweden – SUNET      | 151.37Mbps                 | 178ms         | 4 sec           | 65.95Mbps         | 164ms         | No
    Taipei, Taiwan – TAIFO         | 240.64Mbps                 | 148ms         | 5 sec           | 81.17Mbps         | 232ms         | No
    Perth, Australia – Optus       | 246.79Mbps                 | 230ms         | 5 sec           | 100.80Mbps        | 193ms         | No
    Hyderabad, India – I-ON        | 170.66Mbps                 | 248ms         | 5 sec           | 0.67Mbps          | 276ms         | No
    Mumbai, India – Sky Broadband  | 66.83Mbps                  | 247ms         | 5 sec           | 1.92Mbps          | 1,128ms       | No

    There’s a little too much promo here for me to feel comfortable.

    When you use a VPN service, it’s natural for performance to drop. After all, you’re running all your packets through an entirely artificial infrastructure designed to hide your path. The real numbers you should look at are the download speed and the ping speed. Are they high enough to do the work you need to do? Ping speed is an indication of how quickly a response gets back after a network request is sent from your computer. Some of the limitations here are due to actual physics. If you’re sending a packet across the planet, it will take longer to hear back than if you’re sending a packet across town.

    The leak tests were interesting in that they showed no leaks whatsoever. The only thing that slightly concerned me was that dnsleak.com was plastered with promotions for Private Internet Access. Since the other sites reported the same leak-free results, I’m comfortable passing it along. It just seemed to embed the PIA promotions too tightly into the test results.

    For all connections, with the exception of India, PIA download performance was quite good. Since you don’t really need more than about 6Mbps to 8Mbps to stream HD video from sites like YouTube, the PIA connections were certainly fast enough. For years, most of us would have been thrilled to have the broadband download speeds reported after this VPN was enabled.

    Then there’s India. My non-VPN performance was adequate. Yet, my VPN performance was terrible. I first tried a Hyderabad connection, and the resulting 0.69Mbps was essentially unusable. Connecting to Mumbai resulted in barely better results. I retried these tests six times each, and they were consistently terrible. The only bright side to the India tests is that other VPNs I tested, most notably NordVPN, also had abysmal VPN results, so PIA isn’t alone in this performance phenomenon.

    The bottom line of my basic performance tests is that you can clearly get the job done unless it involves India. If you have a specific country you want to connect to, it’s a good idea to take advantage of the company’s full 30-day refund policy and just try it out.

    The bottom line

    There are three really important things to know when choosing a VPN:

    • Does it log any of your data?
    • Does it hide you while online?
    • Is it fast enough to get done what you need to get done?

    I can’t independently verify the first question, but PIA does say they don’t log any data. That question is probably the hardest to answer definitively because few of the VPN vendors we’ve looked at have independent audits to verify their claims.

    As for the second question, PIA does hide your data, it does hide your originating location, and it appears to hide the fact that you’re using a VPN. That’s a solid result.

    As for the third question, for the locations I was able to test (with the exception of India), the answer is a clear “yes.” You can easily move files, stream YouTube, and do all your basic work while on an active VPN connection. It might be faster to walk there if you’re trying to connect to India, at least from the Pacific Northwest in the United States.

    Overall, though, I was quite impressed with PIA. At $2.19 per month for three years, it’s one of the more inexpensive plans we’ve looked at, and yet it’s very full-featured. We liked the setup and configuration options, although seeing the automations turn into full-on profiles would be nice. We also like that PIA offers its client software in open source on GitHub.

    As always, I recommend you take advantage of PIA’s 30-day money-back guarantee and give it a complete test. The only way you can truly know if it’ll work for you is if you put it to work and find out for yourself.


  • Japanese manufacturer Murata apologizes for data breach

    An official with Japanese electronic components manufacturer Murata has released an apology for the leak of thousands of files in June that contained bank account information for employees and business partners of the company.

    Norio Nakajima, CEO of Murata Manufacturing, released a statement apologizing for an incident on June 28 when a subcontractor downloaded a project management data file containing 72,460 pieces of information. More than 30,000 documents contained business partner information like company name, address, associated names, phone numbers, email addresses and bank account numbers. The companies are based in Japan, China, the Philippines, Malaysia, Singapore, the US and the EU, but the enterprises “subject to customer information are only China and the Philippines.” Over 41,000 documents about employees were in the leak as well, similarly containing names, addresses and bank account numbers. The employees were based in the company’s offices in Japan, China, the Philippines, Singapore, the US and the EU.

    “On July 20, 2021, it was confirmed that an employee downloaded the project management data including our business partner information and personal information to a business computer without permission and uploaded it to the personal account of an external cloud service in China,” Nakajima said in a statement, adding that there is evidence that no one other than the subcontractor accessed the data. “In addition, we have received reports from a survey of external cloud service providers that it was confirmed that the information taken out was never copied or downloaded by a third party. The uploaded data has already been deleted from the business PC and external cloud storage service. No virus infection or cyberattack has been confirmed in this matter.”

    Nakajima goes on to explain that the unnamed subcontractor was involved in the company’s accounting system update project.

    The notice included a timeline that tracked the incident from its inception on June 28 through its verification in August. Two days after the subcontractor downloaded the files, the company got a security alert, and by July 4, its security team had confirmed what happened. The company said it interviewed the subcontractor on July 8, who admitted to downloading the information and then uploading it to a private cloud account. “On the same day, the uploaded data was deleted under the supervision of the subcontractor,” Nakajima said. By August, the company had internally confirmed what happened and had an outside security firm also take a look at the situation.

    Japanese news outlet ITMedia spoke to the subcontractor, who said, “I was uploading my know-how to a personal cloud and organizing it in order to learn system design, etc. It happened to contain sensitive information about customers.” A Japanese blog confirmed that the subcontractor was an engineer for IBM Dalian Global Delivery, a subcontractor of IBM China. Murata’s accounting system update project was outsourced to IBM Japan, which subcontracted it to IBM China. The system is used to pay both employees and partners. Murata told ITMedia that it was considering cancelling the contract and potentially seeking damages.

    Murata dominates the research, production and sale of electronic devices made from fine ceramics. With over 70,000 employees, it plans to bring in more than $2 billion this year.

  • Apple releases massive mystery bug fix update for Macs

    It’s time to update your Mac… again. macOS Big Sur gets what might be its final update before macOS Monterey is released. And it’s a biggie. Clocking in at over 2.5GB, Apple describes Big Sur 11.5.2 as “bug fixes for your Mac.” Do you need to rush out to install this, and are there any gotchas or catches to installing it?

    I’ve been running this since its release, and to be honest, apart from the change of version number, I can’t see any difference. Performance is the same, battery life is the same, and reliability is the same. On the “how much of a hurry should I be to install this?” front, according to Apple, “this update has no published CVE entries,” which means that unless you’re being plagued by some bug or other that you’re awaiting a fix for, you could hold off updating for a while (as long as you’re up to date on Big Sur 11.5.1, which contained some pretty important security updates).

    To update macOS, click on the Apple logo in the top-left corner, go to System Preferences, find Software Update and download and install any available updates.

    UPDATE: Having set this up on a system where I was paying attention to the setup, I noticed that on first boot-up users are given an option to set up accessibility features, and to set up Apple Pay on their Macs.

  • Attacks against industrial networks will become a bigger problem. We need to fix security now

    Industrial infrastructure, including electricity grids, oil and gas facilities, manufacturing plants and more, has become a tempting target for cyber attackers, whether they’re criminal gangs attempting to make money from ransomware attacks, or nation-state-backed hacking operations out for espionage and disruption. Recent incidents, such as the Colonial Pipeline ransomware attack and a cyber attacker attempting to modify chemical levels in the drinking water supply at a water-treatment plant in Florida, have demonstrated how industrial infrastructure is vulnerable to hackers, and that attacks against these systems can have a broader impact on the general public.

    Many industrial networks have operated on the same technology for decades and the need to secure them against attacks is well known. With additional attention on the security around industrial control systems, there’s now an opportunity to make sure networks are protected against cyberattacks. But if this opportunity is ignored, it could be costly in the long run, leaving critical infrastructure vulnerable to malicious hackers.

    “I think that we’re getting to the point now where we had an opportunity to get ahead of this problem, and now this problem caught up with us,” Sergio Caltagirone, VP of Threat Intelligence at Dragos, told ZDNet Security Update. “There’s very few opportunities in cybersecurity where you get the benefit of foresight and this is one of those where we still can see a little bit ahead – we’re not as far ahead as we should be – but we can see that this is going to be a bigger problem, we all know that.”

    Action needs to come from the top down: “You have to start at the top level. Boards of directors and government’s policy groups need to start putting pressure on the operators – whether they’re state operators or quasi-state operations or completely private operations – they need to put pressure on organizations to do something,” said Caltagirone. That’s already started in the United States, as President Biden has ordered CISA and NIST to develop cybersecurity performance goals for critical infrastructure.

    In the meantime, it’s vital that organisations running industrial systems understand their networks, the potential security vulnerabilities they might contain, and who has authorisation to access what. That’s key to preventing attackers from gaining access to the network in the first place, or to detecting unauthorised access as quickly as possible. “As a hacker you’re going to spend months studying the operations of those facilities. And that as a defender is such a critical time where you could have found them and done something, to have prevented them from knowing enough to do what they wanted to do,” said Caltagirone. “We do have a chance to stop it – but you just have to take the opportunity to do so,” he added.