al3x@wannaCYbeR(security)~$ echo "Issue \x0A"
Alex Perotti
Malware Reverse Engineering + Threat Intelligence @ PwC | Threat Researcher | GREM | GCIH | GIAC Advisory Board
Greetings, fellow cyber people, and welcome to the tenth issue of wannaCYbeR, a weekly newsletter dedicated to those who are just starting in cybersecurity. Wow, we’re at issue #10 already: it’s been a lot of fun to put these newsletters together and I can’t wait for more.
New Threats to ICS: Industroyer2 and PIPEDREAM/INCONTROLLER
The Industrial Control Systems sector has been shaken by bad news over the past few days, as researchers warned of new cyber threats. Ukraine's computer emergency response team (CERT-UA), along with ESET and Microsoft, was able to foil an attack on an electric company by the Russian group Sandworm. The malware, called Industroyer2, is a new version of the one the APT group used in 2016 to cause a power outage in Kyiv, and it features new disk-wiping capabilities.
Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) released an alert detailing APT groups' and threat actors' efforts to attack ICS/SCADA devices – a warning triggered by the discovery of a new tool targeting the programmable logic controllers (PLCs) used in ICS to control processes and workflows. The malware, called PIPEDREAM or INCONTROLLER, “does not require vulnerability exploitation after initial access: It seeks out specific devices and takes control of the programmable logic itself that is built into those devices,” as Danielle Jablanski, OT cybersecurity strategist for industrial cybersecurity firm Nozomi Networks, told Blake Sobczak, reporting for README.
“PIPEDREAM demonstrates significant adversary research and development focused on disruption, degradation, and potential destruction of industrial environment and physical processes. It can disrupt, degrade, and potentially destroy industrial environments and processes,” the ICS/OT security firm Dragos reports in a new whitepaper dedicated to this malware.
Mandiant goes into more detail explaining the components of PIPEDREAM/INCONTROLLER and talks about the specific scanning, enumeration, and exploitation capabilities of the modules:
“While the tool's capabilities could enable the actor to communicate with a variety of products from different original equipment manufacturers (OEMs), the actor developed modules for specific controllers from Schneider Electric and Omron.”
RaidForums Down
The U.S. Department of Justice seized the infamous RaidForums website and user database that was used to sell access to billions of stolen records to threat actors. A 21-year-old named Diogo Santos Coelho from Portugal, the alleged founder and chief administrator of the website, was charged with “six criminal counts, including conspiracy, access device fraud, and aggravated identity theft,” according to investigative reporter Brian Krebs.
“The “raid” in RaidForums is a nod to the community’s humble beginnings in 2015, when it was primarily an online venue for organizing and supporting various forms of electronic harassment. According to the DOJ, that early activity included ‘raiding‘ — posting or sending an overwhelming volume of contact to a victim’s online communications medium — and ‘swatting,’ the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.”
RaidForums leaked LinkedIn’s scraped databases containing billions of user records, as well as Facebook’s 500 million scraped users database from 106 countries.
Microsoft Patch Tuesday
This week, Microsoft released security updates for over 140 vulnerabilities affecting a variety of products. According to Cisco Talos, this is “the largest amount of issues in a single Patch Tuesday since September 2020.”
“Ten of these vulnerabilities are considered to be “critical,” while three others are listed as being of “moderate” severity and the remainder are considered “important.” There are also nine vulnerabilities that were first found in the Chromium web browser but affect Microsoft Edge, since it’s a Chromium-based browser. Edge users do not need to take any action to patch for these issues.”
If you haven’t done so yet, update your systems.
Meme of the Week: SUDO
Special of the Week #1: Infosec-Conferences
If you’re a cybersecurity newbie like me, you might be struggling with understanding everything that’s going on in the field, especially when it comes to events.
Infosec-Conferences is a great repository of past and future cybersecurity events worldwide and allows you to filter them by location or topic. It also features a newsletter, so you can receive event updates directly to your inbox.
Special of the Week #2: ICSJWG Education Tracks
The Industrial Control Systems Joint Working Group has a series of free webcasts dedicated to educating different stakeholders on ICS and OT cybersecurity. The training series, available on CISA’s Virtual Learning Portal, starts from the basics of Industrial Control Systems, which makes it suitable for beginners. It includes twelve webinars and the first few sessions cover Industrial Control System (ICS) Basics, Industrial Control System (ICS) Communication Basics, Cybersecurity Differences within IT and ICS Domains, Cyber Risks to Industrial Control Systems, and Critical Infrastructure Sector Dependencies.
That's all for this week. If you enjoyed the newsletter, please feel free to share it with your connections. Do you know of a great piece of content I should include? Don’t be shy, reach out!
P.S. In case you were wondering, I don't receive any compensation or sponsorship for the content I share. I do it just because I love to nerd out with other people on topics of common interest.
Hacking @ TCM Security | PORP Creator | Dark Sky Advocate
2 years ago: Oooh did you see the Dragos, Inc. CTF? I finished it up, it was a really good one. It isn't a set time, you can just jump in when you have a few hours.