MM-ISAC Threat Summary
June 25, 2024
From the MM-ISAC
Mental Health and Burnout
How does your incident response plan (IRP) help prevent burnout? Burnout prevention must be built into your IRP: even during an incident, the health and safety of the team comes first, and you still need these people when the incident is over!
Burnout also makes a significant difference to the effectiveness of the response. Burnt-out people make many mistakes, and critical ones at that. You might think that working people to the bone gets the job done faster; in reality it doesn't. (By the way, your adversaries are sleeping well. Why give them yet another advantage?)
Some burnout prevention items that must be in your IRP:
1. Have enough people! Small team? Get an incident response retainer, look to your ISAC... do something, but have enough people. I suggest a "volunteer fire department" model, where you train the entire IT team as basic-level incident responders you can leverage for manpower under the guidance of experienced security staff.
2. Set a maximum number of working hours per day for everyone, including and especially the incident manager. I suggest 10 hours as a maximum, with 12 hours as an absolute upper bound for short periods (1-2 days at most).
3. Assign someone not involved in the incident to monitor the team for burnout. Choose someone with people skills, not a technical resource, to watch the response team for signs of burnout and report them to the Incident Manager, who must then relieve the affected person, no questions asked. Some organizations have arrangements with their corporate EAP provider to send somebody in for this role during a major incident. What a fantastic idea!
4. Assign somebody to look after logistics. Food, hotel rooms, taxi vouchers so people don't drive tired. These things are often overlooked but are critical.
5. Have a good, trained scribe and an incident notebook. If you rotate people as described above, you'll have a lot of people going in and out of the incident, and a good scribe and incident notebook will keep everyone on the same page.
6. Use all the external resources at your disposal. Use MM-ISAC to help take the load off during an incident, and use your peers, your retainers and other support.
Finally, make sure you have a look at the MM-ISAC sample incident response plan. (Contact us for a copy) – it includes a good start at ensuring your team is well taken care of during an incident.
Security Headlines
Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany
In a recent example of geopolitical hacktivist groups directly targeting OT/SCADA devices, the threat actor group Hunt3r Kill3rs claims on Telegram to have infiltrated Schneider Electric systems in Germany. The group claims to have accessed the configuration settings of Schneider Electric PowerLogic ION7650 meters in Germany. These meters are used in energy management systems.
Alleged Scattered Spider SIM-swapper arrested in Spain
Good news! With so few threat actors ever being arrested, it is rare that those who attack our organizations are held accountable. According to Bleeping Computer and Krebs on Security, a 22-year-old man from the United Kingdom arrested in Spain last week is allegedly one of the leaders of Scattered Spider, a cybercrime group responsible for hacking over 130 organizations, including multiple mining organizations. Those closer to the investigation purport this person to be "Tyler" on Telegram. Read more here: Alleged Boss of 'Scattered Spider' Hacking Group Arrested
Brazilian Entities Increasingly Targeted by Nation-State Phishing Attacks
Russian cyber espionage groups have regularly targeted users in Brazil for more than a decade; however, since the start of Russia's war in Ukraine, Russian activity targeting Brazil has scaled back considerably, likely an indication that Russia is focusing its resources on Ukrainian and NATO targets. North Korean threat actors are targeting Brazilian entities with a combination of financially motivated and espionage-focused spear-phishing attacks. Mandiant notes that Brazilian organizations, especially startups, should be on the lookout for North Korean individuals attempting to gain fraudulent employment. Also read: Insights on Cyber Threats Targeting Users and Enterprises in Brazil
MM-ISAC Events
November 12th
Cyber tabletop exercise and AGM (MM-ISAC members)
November 13th & 14th
MM-ISAC Annual Conference - Tickets Live!
Security Advisories
ICS CERT:
ICSA-24-172-03 Westermo L210-F2G Successful exploitation of these vulnerabilities could crash the device being accessed or may allow remote code execution.
ICSA-24-172-02 CAREL Boss-Mini Successful exploitation of this vulnerability could allow an attacker to manipulate an argument path, which would lead to information disclosure.
ICSA-24-172-01 Yokogawa CENTUM Successful exploitation of this vulnerability could allow an attacker to execute arbitrary programs.
ICSA-24-170-01 RAD Data Communications SecFlow-2 Successful exploitation of this vulnerability could allow an attacker to obtain files from the operating system by crafting a special request.
ICSA-24-165-19 Motorola Solutions Vigilant License Plate Readers Successful exploitation of these vulnerabilities could allow an attacker to tamper with the device, access sensitive information and credentials, or perform a replay attack.
ICSA-24-165-18 Rockwell Automation FactoryTalk View SE Successful exploitation of this vulnerability could allow a user from a remote system with FTView to view an HMI project.
ICSA-24-165-17 Rockwell Automation FactoryTalk View SE Successful exploitation of this vulnerability could allow low-privilege users to edit scripts, bypassing access control lists, and potentially gain further access within the system.
ICSA-24-165-16 Rockwell Automation FactoryTalk View SE Successful exploitation of this vulnerability could allow an outside attacker to view an HMI project.
ICSA-24-165-14 Fuji Electric Tellus Lite V-Simulator Successful exploitation of these vulnerabilities could allow a local attacker to perform code execution.
ICSA-24-165-13 Siemens SINEC Traffic Analyzer Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition, disclose sensitive information, or modify files.
ICSA-24-165-12 Siemens SCALANCE W700 Successful exploitation of these vulnerabilities could allow an authenticated attacker to execute arbitrary code, extract configuration information, or execute system-level commands.
ICSA-24-165-11 Siemens SCALANCE XM-400, XR-500 Successful exploitation of these vulnerabilities could allow an attacker to cause a memory leak or execute arbitrary code.
ICSA-24-165-10 Siemens SIMATIC and SIPLUS Successful exploitation of these vulnerabilities could allow an attacker to leak memory, create a denial-of-service condition, or execute arbitrary code.
ICSA-24-165-09 Siemens SICAM AK3/BC/TM Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code or create a denial-of-service condition.
ICSA-24-165-08 Siemens Teamcenter Visualization and JT2Go Successful exploitation of these vulnerabilities could allow an attacker to create a denial-of-service condition or execute code within the context of the current process.
ICSA-24-165-07 Siemens PowerSys Successful exploitation of this vulnerability could allow a local attacker to bypass authentication, thereby gaining administrative privileges for the managed remote devices.
ICSA-24-165-06 Siemens TIM 1531 IRC Successful exploitation of these vulnerabilities could result in leaked information, improper input validation, a denial-of-service condition, an out-of-bounds read on heap memory, privilege escalation, memory exhaustion blocking the server, system crash, and arbitrary code execution.
ICSA-24-165-05 Siemens SITOP UPS1600 Successful exploitation of these vulnerabilities could allow an attacker to cause limited impact in the affected systems.
ICSA-24-165-04 Siemens ST7 ScadaConnect Successful exploitation of these vulnerabilities could allow an attacker to disclose information, cause a denial-of-service (DoS) condition, or execute arbitrary code.
ICSA-24-165-03 Siemens TIA Administrator Successful exploitation of this vulnerability could allow an attacker to disrupt the update process.
ICSA-24-165-02 Siemens SIMATIC S7-200 SMART Devices Successful exploitation of this vulnerability could allow an attacker to create a denial-of-service condition.
ICSA-24-165-01 Siemens Mendix Applications Successful exploitation requires guessing the identifier of a target role that holds elevated access rights.
ICSA-24-163-04 Intrado 911 Emergency Gateway Successful exploitation of this vulnerability could allow an attacker to execute malicious code, exfiltrate data, or manipulate the database.
ICSA-24-163-03 AVEVA PI Asset Framework Client Successful exploitation of this vulnerability could allow malicious code execution.
ICSA-24-163-02 AVEVA PI Web API Successful exploitation of this vulnerability could allow an attacker to perform remote code execution.
ICSA-24-163-01 Rockwell Automation ControlLogix, GuardLogix, and CompactLogix Successful exploitation of this vulnerability could compromise the availability of the device.
US CERT:
Juniper Networks Releases Security Bulletin for Juniper Secure Analytics A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.
Microsoft Releases June 2024 Security Updates A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
Fortinet Releases Security Updates for FortiOS A cyber threat actor could exploit this vulnerability to take control of an affected system.
ACSC:
01 JUN 2024 Alert rating: High Increased cyber threat activity targeting Snowflake customers The ASD's ACSC is aware of increased cyber threat activity targeting Snowflake customers.
31 MAY 2024 Alert rating: High CVE-2024-24919 - Check Point Security Gateway Information Disclosure The ASD's ACSC is aware of CVE-2024-24919, which allows an unauthorized actor to access sensitive information.
08 MAY 2024 Advisory: Understanding Ransomware Threat Actors: LockBit The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), alongside international partners, has released a joint advisory on the ransomware variant LockBit. It operates as an affiliate-based Ransomware-as-a-Service (RaaS) model in which affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure.
03 MAY 2024 Alert rating: Critical OS Command Injection Vulnerability in GlobalProtect Gateway The ASD's ACSC is aware of a vulnerability (CVE-2024-3400) that enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.