MM-ISAC Threat Summary
Mining and Metals ISAC
Enabling Safe production today and into the future
July 22, 2024
From the desk of the CISO-in-Residence
The CrowdStrike Incident - Resilience Matters
Now that most MM-ISAC member organizations impacted by CrowdStrike's issue on Friday are through the worst of the recovery, I want to share some of my thoughts on lessons we can take from this incident to help make us all more resilient this week than last.
I will avoid semantic discussions on whether this is or is not a security incident, whether EDR solutions need to run in the kernel, or whether other EDR/XDR solutions are or are not more susceptible to this type of failure. Why? As fun as those circular arguments are, they don't solve anything because they don't matter. Your business users and their leaders don't care if the reason they can't use their systems is a blue screen of death from a bad driver, a mistake made by an IT or Security team member, a backhoe taking out the fibre line, or Thunderstruck playing on a loop while data gets encrypted by the next Ransomware-as-a-Service offering. They care that business is stopped, they can't deliver value to their customers, and the organization can't execute its mission. From that perspective, this is an incident. Full stop.
The organizations I observed that handled this incident best were those who pulled out their incident response plan, turned to the section covering ransomware (the closest playbook to the situation they likely had) and executed. Those organizations had attributes in common. They followed ICS (the Incident Command System). That is why the MM-ISAC incident response plan template is based on the principles of ICS4ICS: it provides the necessary structure to execute a large-scale response, keep control of the incident, enable effective communications to shareholders and protect your responders from burnout.
If this incident impacted you, once your environment is stable and your teams have rested and recovered, please execute a thorough lessons-learned activity. It should be led by someone not involved in the incident. For MM-ISAC members, we can help you with that activity; for the rest of you, please reach out to your ISAC, an independent consultant, or an internal facilitator who was not involved. Do the activity soon, while memories are fresh. The goal of the process is not to assign blame; it must be a blame-free activity. However, you must walk through your response, what went well and where there are opportunities to improve resilience, and bake those lessons back into your incident response plan. Please also share those learnings: share with your ISAC and other peers and speak at events. We all need to learn and get better.
For those who watched this from the sidelines, this was a warning. You got lucky. Until we find a way to fix the foundational software quality issue we have across IT/OT/Cloud, you will get your turn for something similar. Tabletop it: your EDR is failing and your core network is going down. Identify your "CrowdStrike" and test your Incident Response Plan. Don't wait; schedule that today and do the same lessons-learned activity.
Rob Labbe
Join us for a special webinar to discuss the CrowdStrike incident and how to protect operations from similar events. Register here:
Microsoft Virtual Events Powered by Teams (events.teams.microsoft.com)
*Edit July 30: We have already hosted this event. If you would like to view it, please see it at the link below.
Security Headlines
Cyber-crime super-crew Scattered Spider falls in love with RansomHub and Qilin
The Scattered Spider cybercrime group is now using the RansomHub and Qilin ransomware variants in its attacks, illustrating a possible power shift among hacking groups. This is according to Microsoft's incident response engagements from the second quarter of the year; Microsoft has described the group as one of the most sophisticated and threatening of its kind currently in operation.
Sibanye-Stillwater hit by cyberattack, says mining business unaffected
The cyberattack reportedly brought down the company's servers, causing disruptions to certain areas of its global operations. On Wednesday, officials from its Montana operations told local media that the smelter operations in Columbus, Montana were impacted after its automated systems all went down.
As of July 22nd, the ransomware group RansomHouse had claimed responsibility for the attack, claiming to hold 1.2TB of the company's data.
MM-ISAC Events
November 12th
Cyber tabletop exercise and AGM (MM-ISAC members)
November 13th & 14th
MM-ISAC Annual Conference: the world's only mining-focused cyber security event, November 12, 13 & 14, 2024 (mmisac.org)
Security Advisories
ICS CERT:
ICSA-24-200-02 Subnet Solutions PowerSYSTEM Center
Successful exploitation of this vulnerability could allow an authenticated attacker to elevate permissions.
ICSA-24-200-01 Mitsubishi Electric MELSOFT MaiLab
Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition in the target product.
ICSA-24-198-01 Rockwell Automation Pavilion 8
Successful exploitation of this vulnerability could allow an attacker to create new users and view sensitive data.
ICSA-24-193-20 HMS Industrial Networks Anybus-CompactCom 30
Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition, exfiltrate data, or obtain a high degree of control over the device and subsequent systems, including remote code execution.
Successful exploitation of these vulnerabilities could allow an attacker to obtain private keys, which would result in impersonating resources on the secured network.
ICSA-24-193-18 Rockwell Automation ThinManager ThinServer
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code or cause a denial-of-service condition.
ICSA-24-193-17 Siemens SIMATIC STEP 7 (TIA Portal)
Successful exploitation of this vulnerability could allow an attacker to cause a type confusion and execute arbitrary code within the affected application.
ICSA-24-193-16 Siemens SIMATIC WinCC
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to retrieve information such as users and passwords.
ICSA-24-193-15 Siemens SINEMA Remote Connect Server
Successful exploitation of these vulnerabilities could allow an authenticated local attacker to execute arbitrary code with system privileges.
ICSA-24-193-14 Siemens SIPROTEC
Successful exploitation of this vulnerability could allow an unauthorized attacker in a man-in-the-middle position to read any data passed over the connection between legitimate clients and the affected device.
ICSA-24-193-13 Siemens TIA Portal, SIMATIC, and SIRIUS
Successful exploitation of this vulnerability could allow an attacker to cause a type confusion and execute arbitrary code within the affected application.
ICSA-24-193-12 Siemens TIA Portal and SIMATIC STEP 7
Successful exploitation of this vulnerability could allow an attacker to cause a type confusion and execute arbitrary code within the affected application.
ICSA-24-193-11 Siemens RUGGEDCOM APE 1808
Successful exploitation of this vulnerability could allow remote attackers to bypass integrity checks.
ICSA-24-193-10 Siemens JT Open and PLM XML SDK
Successful exploitation of these vulnerabilities could cause the application to crash or potentially lead to arbitrary code execution.
ICSA-24-193-09 Siemens SINEMA Remote Connect Server
Successful exploitation of these vulnerabilities could allow an authenticated attacker to execute arbitrary code with root privileges.
ICSA-24-193-08 Siemens Mendix Encryption Module
Successful exploitation of this vulnerability could allow an attacker to decrypt any encrypted project data.
ICSA-24-193-07 Siemens SIMATIC and SIMIT
Successful exploitation of this vulnerability could allow an attacker to cause a high load situation, memory exhaustion, and may block the server.
ICSA-24-193-06 Siemens RUGGEDCOM
Successful exploitation could allow an attacker to obtain user credentials, the MACSEC key, or create a remote shell to the affected system.
ICSA-24-193-05 Siemens SCALANCE, RUGGEDCOM, SIPLUS, and SINEC
Successful exploitation of this vulnerability could allow on-path attackers to gain access to the network with the attacker's desired authorization without needing legitimate credentials.
ICSA-24-193-04 Siemens Simcenter Femap
Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process.
ICSA-24-191-05 Johnson Controls Software House C●CURE 9000
Successful exploitation of this vulnerability may allow an attacker to access credentials used for access to the application.
ICSA-24-191-04 Johnson Controls Software House C●CURE 9000
Successful exploitation of this vulnerability could allow an attacker to gain administrative access.
ICSA-24-191-03 Johnson Controls Illustra Pro Gen 4
Successful exploitation of this vulnerability could impact confidentiality and integrity of the device.
ICSA-24-191-02 Mitsubishi Electric MELIPC Series MI5122-VW
Successful exploitation of this vulnerability could allow an attacker to tamper with, destroy, disclose, or delete information in the product, or cause a denial-of-service (DoS) condition on the product.
ICSA-24-191-01 Delta Electronics CNCSoft-G2
Successful exploitation of these vulnerabilities could cause a buffer overflow condition and allow remote code execution.
US CERT:
Microsoft estimates the outage affected 8.5 million Windows devices. Microsoft notes that this number makes up less than one percent of all Windows machines.
A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
On July 12, AT&T released a public statement on unauthorized access of customer data from a third-party cloud platform. AT&T also provided recommendations and resources for affected customers.
ACSC CERT:
Widespread outages relating to CrowdStrike software update: A CrowdStrike software update has led to outages impacting Windows systems. Audience focus: small & medium businesses, organizations & critical infrastructure, government.
This advisory, authored by the Australian Signals Directorate's Australian Cyber Security Centre and international partners, outlines a People's Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks.