Cyber Briefing ~ 02/05/2024
McCrary Institute for Cyber & Critical Infrastructure Security
Working to protect and advance U.S. interests in the areas of cyber and critical infrastructure security.
Critical Infrastructure Isn't Ready Yet to Face China's Cyber Threat
Despite warnings from U.S. cyber officials about persistent Chinese state-sponsored hacking that could disrupt critical services, many operators of American infrastructure still struggle with basic cybersecurity practices and are unprepared for threats facing them from China's skilled cyber actors. (AXIOS.COM)
Treasury Sanctions Actors Responsible for Malicious Cyber Activities on Critical Infrastructure
The US Treasury's Office of Foreign Assets Control (OFAC) has imposed sanctions on six officials from the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) for their involvement in cyberattacks on critical infrastructure in the US and other countries. The targeted individuals were responsible for hacking and posting images on programmable logic controllers manufactured by an Israeli company. While no critical services were disrupted, unauthorized access to such infrastructure can have devastating consequences. (TREASURY.GOV)
China-Linked Hackers Primed to Attack US Critical Infrastructure, FBI Director Says
FBI Director Christopher Wray warned that state-linked hackers backed by China are preparing to launch attacks on critical infrastructure in the US. Testifying before the House Select Committee on the Chinese Communist Party, Wray stated that these hackers are positioning themselves to cause significant harm to American citizens and communities. The US Cybersecurity and Infrastructure Security Agency has observed China-linked hackers infiltrating critical infrastructure sectors for years, aiming to create panic and chaos. The recent disruption of the Volt Typhoon botnet, which planned to target critical infrastructure providers, underscores the ongoing threat. (CYBERSECURITYDIVE.COM)
White House Rejects Efforts to Undo SEC Cyber Disclosure Rule
The Biden administration has stated that President Joe Biden would veto a congressional resolution aimed at reversing the U.S. Securities and Exchange Commission's (SEC) rule on cybersecurity incident disclosure. The SEC rule, which requires public companies to disclose material cyber incidents and describe their cyber risk management in annual reports, took effect in September 2021. The White House argues that the rule's transparency will incentivize corporate investment in cybersecurity and help combat increasing cyberattacks. (CYBERSECURITYDIVE.COM)
LockBit Shows No Remorse for Ransomware Attack on Children's Hospital
Ransomware gang LockBit targeted a Chicago children's hospital, deviating from its policy of not attacking nonprofits. LockBit set an $800,000 ransom demand for Saint Anthony Hospital, a nonprofit. The hospital has not confirmed if it will pay, but it is unlikely given the large sum. The deadline for payment is set for February 2. LockBit previously showed restraint when targeting hospitals and nonprofits, but seems to be loosening its restrictions. The hospital's patient data was copied, but no medical or financial records were accessed. The hospital is working with law enforcement and regulators. (THEREGISTER.COM)
Nakasone: 2024 Will Be Most Secure Election ‘To Date’
Retiring U.S. Cyber Command and NSA chief Gen. Paul Nakasone predicted that the 2024 U.S. election would be the most secure yet, saying he hasn't seen plans for significant cyberattacks and buildups in election defenses over the past cycles will help deter foreign interference. (THERECORD.MEDIA)
Ukraine Says 2,000 Computers of State Firm Were Impacted in Cyber Attack
Ukraine's CERT-UA cybersecurity agency reported that around 2,000 computers were affected in a recent cyber attack on an unnamed state-run Ukrainian company, with malware samples examined showing infection by the PURPLEFOX/DIRTYMOE malware module known for enabling remote access and distributed denial-of-service attacks. (REUTERS.COM)
Fmr. CISA Director: China is 'A Much More Nefarious, Insidious Threat'
In an interview, the former director of the Cybersecurity and Infrastructure Security Agency said big tech leaders at a congressional hearing all viewed China as an increasing cyber threat, with Chris Krebs stating China has progressed beyond just information collection to "a much more nefarious, insidious threat." (MSNBC.COM)
Treasury Sanctions Iranian Hackers It Says Targeted Water Companies
The Treasury Department sanctioned six Iranian military hackers who it says conducted cyberattacks against multiple U.S. water treatment facilities in late 2022, leaving messages promoting anti-Israel causes. The hackers posed as an amateur activist group but were tied to Iran's military. (NBCNEWS.COM)
Spy Business: Why CSIS and Corporate Canada Must Join Forces in the War Against Cyberattacks
CSIS Director David Vigneault advocates for granting the agency new powers to share threat information with businesses, arguing this type of collaboration between security agencies and the private sector is needed to effectively counter increasingly sophisticated cyberattacks targeting Canada's national security and prosperity. (THESTAR.COM)
CISA Orders Ivanti Devices Targeted by Chinese Hackers to be Disconnected
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive ordering federal agencies to disconnect Ivanti Connect Secure or Ivanti Policy Secure devices from their networks due to vulnerabilities being exploited by Chinese hackers. The directive aims to definitively cut off the affected devices so they can no longer serve as a means for attackers to target the U.S. government. CISA has also provided instructions on how to update and bring the devices back online securely. (CYBERSCOOP.COM)
Cloudflare Falls Victim to Okta Breach, Atlassian Systems Cracked
Cloudflare has disclosed that it was impacted by the Okta supply-chain attack, with cyberattackers gaining access to its Atlassian platforms, including Bitbucket, Confluence, and Jira. The attackers, believed to be state-sponsored, aimed to obtain persistent and widespread access to Cloudflare's global network. While the attackers accessed internal systems and documentation, Cloudflare's network segmentation and zero-trust authentication approach prevented them from accessing customer data or systems. Cloudflare took proactive measures, including rotating production credentials and conducting forensic triages on systems. This incident highlights the continued impact and reach of the Okta supply-chain campaign. (DARKREADING.COM)
CISA Orders Ivanti VPN Appliances Disconnected: What to Do
The US CISA has ordered federal agencies to disconnect all Ivanti appliances within 48 hours due to multiple security flaws being actively exploited by threat actors. Private entities are also advised to take similar steps. The order to disconnect rather than patch the products is unprecedented and highlights the seriousness of the situation. Agencies are instructed to rebuild and upgrade the appliances, revoke and replace certificates, reset passwords, and report their progress to CISA. It is safer to assume compromise and take necessary actions to protect networks. (DARKREADING.COM)
Fallout from the Fulton County Cyberattack Continues, Key Systems Still Down
Key systems in Fulton County, Georgia have been offline since a cyber incident hit government systems. Phone lines, court systems, property records, and more have been affected. The county has not confirmed details of the attack, but there is no indication of a data breach. Fulton County election systems were not the target. Recovery efforts are underway, and contact information for impacted departments has been provided. Additionally, a local student hacked into Fulton County Schools systems, but most services have been restored. (ENGADGET.COM)
China Infiltrates US Critical Infrastructure in Ramp-up to Conflict
US officials have stated that the People's Republic of China is rapidly developing its military capabilities, including cyber operations, in preparation for potential conflict with the United States. China-linked cyberattackers have shifted their focus to critical infrastructure systems as part of their strategy, with groups like Volt Typhoon conducting attacks on US government and defense contractors. The US government and private sector have taken action to disrupt these threats. Experts warn that China is becoming the "defining cyber threat of this era," using various means to impact US economic and national security. The compromise of small-office, home-office (SOHO) routers has become a key tactic, making it harder to detect attacks. It is crucial for technology firms and individuals to understand their responsibilities and take steps to secure their infrastructure. (DARKREADING.COM)
FTC Order Will Require Blackbaud to Delete Unnecessary Data, Boost Safeguards to Settle Charges its Lax Security Practices Led to Data Breach
The FTC has reached a settlement with Blackbaud Inc. over charges that the company's poor security practices allowed a hacker to breach its network and access personal data of millions of consumers. As part of the settlement, Blackbaud will be required to delete unnecessary personal data and enhance its safeguards. The breach, which went undetected for months, resulted in the theft of sensitive consumer data, including Social Security and bank account numbers. Blackbaud also faced criticism for its delayed notification to customers about the breach and misleading information provided regarding the extent of the stolen data. The proposed order will also prohibit Blackbaud from misrepresenting its data security and retention policies and require the company to develop a comprehensive information security program. (FTC.GOV)
Cloudflare Hacked Using Auth Tokens Stolen in Okta Attack
Cloudflare disclosed a breach in which a suspected nation-state attacker gained access to its internal Atlassian server, compromising its Confluence wiki, Jira bug database, and Bitbucket source code management system. The attacker used access tokens and service account credentials stolen during the Okta breach. Cloudflare detected the activity, severed the hacker's access, and conducted forensic investigations. While the breach did not impact customer data or systems, Cloudflare took the incident seriously as the attacker sought information about its global network. The company is continuing software hardening and credential and vulnerability management efforts. (BLEEPINGCOMPUTER.COM)
DraftKings Hacker Sentenced to 18 Months Over $600,000 Theft
A 19-year-old Wisconsin man involved in the DraftKings hack has been sentenced to 18 months in jail for stealing $600,000 from 1,600 accounts. The hacker, Joseph Garrison, pleaded guilty to conspiracy to commit computer intrusions. He had been profiting from similar attacks for years and possessed millions of username and password combinations. Garrison's parents were present in court, and he will owe restitution payments to DraftKings and be subject to supervision for three years after his release. Two other individuals involved in the attack have also been arrested and charged. (BLOOMBERG.COM)
The U.S.'s Far-Reaching New Cybersecurity Rules for Federal Contractors
Proposed FAR revisions aim to standardize cybersecurity requirements and expand information sharing for federal contractors by requiring compliance with CISA directives and FedRAMP cloud authorizations. If implemented, the expanded authority would see cybersecurity practices mandated across private partners while presenting issues meriting ongoing coordination. (LAWFAREMEDIA.ORG)
Copyright © 2024 Auburn University's McCrary Institute. All Rights Reserved.