Global Mining and Metals ISAC Threat Summary
MM-ISAC News
Upcoming MM-ISAC Events:
Feb 22 Webinar Event: Road to AI
Speaker: Matthew Ancelin, CISSP, CTPRP, CNSE
Register: Here
Feb 25-28th?Phoenix, USA?? SME Mine Exchange and Expo
https://smeannualconference.org/?Come see us at booth 2600?1618!?
May 12-15th?Vancouver, Canada?Canadian Institute of Mining Expo
May 15-16th?Perth Australia?CyberWest
? MM-ISAC? Articles:
Threat Actors Delay Dumping Data Post Breach
By Cherie Burgett
Director, Cyber Intelligence Operations at Mining and Metals ISAC
Threat intelligence can be extremely valuable in informing business decisions and strategies, beyond detection and response, but in being agile in response to the current landscape and developing resiliency for your operations. To use threat intelligence to inform business decisions, we must move past IOCs and examine the behaviors of threat actors targeting our industry.
At MM-ISAC, we’ve seen a newer trend of threat actors waiting months before releasing the data from an incident. I want to share some insight on why this might be happening and what companies need to know to avoid the headache and pain that may follow.
Previously, threat actors would give companies a time limit to pay a ransom and then threaten to release the information as additional leverage to get payment. The tactic threat actors are now taking is to hold exfiltrated data for weeks or even months before releasing it to the public or publishing it on their site. Read more here: https://www.dhirubhai.net/pulse/threat-actors-delay-dumping-data-post-breach-cherie-burgett-yrice
?A Word from Our Chair:
?? ? ?Welcome to the start of a new year!? I am truly excited to be a part of this next phase of growth for the MM-ISAC.? We have some amazing opportunities to grow as a secure industry together and I look forward to being a part of this growth.? As we kick off 2024, don’t hesitate to bring ideas where the ISAC can help enable collaboration amongst our organizations or events that you feel may be beneficial for us to be a part of.? Let’s kick off this year strong and I look forward to everything we have planned for the group! ? ? ?
Kristi Cook ?
?Security Advisories
?? ? ?ICS-CERT
ICSA-24-037-02 HID Global Reader Configuration Cards Successful exploitation of this vulnerability could allow an attacker to read the credential and device administration keys from a configuration card. Those keys could be used to create malicious configuration cards or credentials.
ICSA-24-037-01 HID Global Encoders Successful exploitation of this vulnerability could allow an attacker to read data from reader configuration cards and credentials. Reader configuration cards contain credential and device administration keys which could be used to create malicious configuration cards or credentials.
ICSA-24-032-03 AVEVA Edge products (formerly known as InduSoft Web Studio) Successful exploitation of this vulnerability could result in an attacker achieving arbitrary code execution and privilege escalation by tricking AVEVA Edge to load an unsafe DLL.
ICSA-24-032-01 Gessler GmbH WEB-MASTER Successful exploitation of these vulnerabilities could allow a user to take control of the web management of the device. An attacker with access to the device could also extract and break the password hashes for all users stored on the device.
ICSA-24-030-07 Rockwell Automation LP30/40/50 and BM40 Operator Interface Successful exploitation of these vulnerabilities could allow an authenticated attacker to use specifically crafted communication requests to perform a denial-of-service condition, memory overwriting, or remote code execution.
ICSA-24-030-06 Rockwell Automation FactoryTalk Service Platform Successful exploitation of this vulnerability could allow an attacker to retrieve user information and modify settings without any authentication.
ICSA-24-030-05 Rockwell Automation ControlLogix and GuardLogix Successful exploitation of this vulnerability could allow an attacker to crash the device by exploiting a Denial-of-Service (DoS) vulnerability.
ICSA-24-030-04 Hitron Systems Security Camera DVR Successful exploitation of these vulnerabilities could allow an attacker to affect the availability of the product through exploitation of an improper input validation vulnerability and default credentials.
ICSA-24-030-03 Mitsubishi Electric MELSEC WS Series Ethernet Interface Module Successful exploitation of this vulnerability could allow an unauthorized attacker to login to the modules and disclose or tamper with the programs and parameters in the modules.
ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products Successful exploitation of these vulnerabilities could allow an attacker to disclose, tamper with, destroy or delete information in the products, or cause a denial-of-service (DoS) condition on the products.
ICSA-24-030-01 Emerson Rosemount GC370XA, GC700XA, GC1500XA Successful exploitation of these vulnerabilities could allow an unauthenticated attacker with network access to run arbitrary commands, access sensitive information, cause a denial-of-service condition, and bypass authentication to acquire admin capabilities.
ICSA-24-025-02 SystemK NVR 504/508/516 Successful exploitation of this vulnerability could allow an attacker to execute commands with root privileges.
ICSA-24-025-01 MachineSense FeverWarn Successful exploitation of these vulnerabilities could allow an attacker to obtain user data from devices, execute remote code on devices, or gain control over devices to perform malicious actions. ????
领英推荐
US-CERT
VMware Releases Security Advisory for Aria Operations for Networks A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.
Juniper Networks Releases Security Bulletin for Juniper Secure Analytics A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.
Moby and Open Container Initiative Release Critical Updates for Multiple Vulnerabilities Affecting Docker-related Components A cyber threat actor could exploit these vulnerabilities to take control of an affected system.
Updated: New Software Updates and Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways A cyber threat actor could exploit CVE-2024-21888 and?CVE-2024-21893 to take control of an affected system.
Juniper Networks Releases Security Bulletin for J-Web in Junos OS SRX Series and EX Series A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.
Mozilla Releases Security Updates for Thunderbird and Firefox A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system. ? ????
ACSC
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state sponsored cyber actors are seeking to preposition themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.
This Guide, authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and the following agencies (hereafter referred to as the authoring agencies), provides information on common living off the land (LOTL) techniques and common gaps in cyber defense capabilities.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) is aware of critical vulnerabilities affecting Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure (IPS) gateways. The vulnerabilities affect all supported versions and configurations of the products. Customers should apply the mitigations made available by Ivanti and implement patches as they become available.
ASD’s ACSC is aware of multiple vulnerabilities impacting Jenkins products including CVE 2024-23897 (Critical) & CVE-2024-23898 (High). Organizations using Jenkins products are strongly advised to follow the mitigation advice provided by Jenkins and patch affected versions.
ASD’s ACSC is aware of a vulnerability in Cisco Unified Communications Products (CVE 2024-20253). Organizations using Cisco Unified Communication products are strongly advised to follow the mitigation advice provided by Cisco if they are vulnerable.
Security Headlines
?Verizon Employee Data Exposed in Insider Threat Incident
"Today’s news is a perfect example of unintended access and the need for both a cultural shift around access (aka less is best; and no, not every exec needs access to everything all the time) as well as a modernized approach to the tools themselves (we need to lean into autonomous tech)," he said in an emailed comment.
?
Hackers Exploit Job Boards, Stealing Millions of Resumes and Personal Data
Employment agencies and retail companies chiefly located in the Asia-Pacific (APAC) region have been targeted by a previously undocumented threat actor known as ResumeLooters since early 2023 with the goal of stealing sensitive data.
?
Hackers hit Toronto-based gold miner Alamos Gold — payroll, financials, SINs, home addresses published online
The breach took place last April, the threat group leaked the data online January 28 of this year.
The attack on Alamos Gold was apparently carried out, according to a mining industry cybersecurity expert, by ransomware group Black Basta, the same group that has been blamed for attacks on Sobeys, the Toronto Public Library and Yellow Pages Canada.
Energy giant Schneider Electric hit by Cactus ransomware attack
Energy management and automation giant Schneider Electric suffered a Cactus ransomware attack leading to the theft of corporate data. The ransomware attack hit the company's Sustainability Business division earlier this month on January 17th. ?