IT/OT Security News Update

24th November 2023

Steven Lane, OT Security Consultant


This Week's Overall Theme: Dynamic Threat Landscape and Adaptive Responses

This week's IT cybersecurity and OT security developments have highlighted a dynamic and increasingly complex threat landscape. We constantly face an escalating threat, and measuring how much it increases is challenging. But it feels like year after year, the problem is getting worse.

The integration of AI in OT security, the adoption of Zero Trust models, and the proactive approach towards threat detection and response exemplify the evolving nature of cybersecurity strategies.

Simultaneously, the highlighted cyber incidents in various sectors illustrate the broadening scope of cyber threats. Organisations across different sectors, including public services and education, recognise the need for robust cybersecurity measures to protect against these growing threats.

These insights underscore once again the importance of adaptive and forward-thinking cybersecurity strategies. The threat landscape is moving forward at a considerable pace, and companies need to keep up.

As cyber threats continue evolving and expanding, organisations must adopt a holistic approach encompassing advanced technology, rigorous security models, and proactive defence mechanisms. This approach is crucial for safeguarding against the multifaceted and ever-changing cyber threats in today's interconnected world.

So much is happening; how do you keep up with it? I hope I can help, so let's get right into the important stuff.


Scattered Spiders: FBI Warns Against Scattered Spider Hacker Group

Scattered Spiders

This week, I have been reading about the Scattered Spider hacker group known for breaching dozens of American organisations in the past year. Scattered Spider, also known as UNC3944, Scatter Swine, or Muddled Libra, is a relatively new but notable hacking group believed to have been formed in May 2022. Their activities include stealing sensitive data for extortion purposes.

A crucial part of their strategy involves using social engineering techniques to gain unauthorised access to targeted systems. This includes posing as employees or using other deceptive methods to trick personnel into providing access. Their overall approach could be categorised as brazen and confident of not being caught. Their expertise lies in social engineering, employing techniques like phishing, push bombing, and SIM swap attacks to compromise credentials and bypass multi-factor authentication (MFA). They often target large companies and their IT help desks, demonstrating a deep understanding of corporate structures and security weaknesses.

Let's dive into their tactics, techniques, and procedures (TTPs) as mapped onto the MITRE ATT&CK framework.

Modus Operandi

TTPs and MITRE ATT&CK Mapping

Initial Access: Scattered Spider employs phishing and smishing attacks to gain entry into target networks. They have also been observed conducting SIM-swapping attacks to control targeted users’ phone numbers, aiding in bypassing MFA.

Execution: After gaining access, they use publicly available remote access tools for execution and persistence.

Persistence and Privilege Escalation: The group registers their own MFA tokens and adds federated identity providers to victims' SSO tenants, facilitating continuous access and privilege escalation.

Defence Evasion: They evade detection using living-off-the-land techniques and legitimate applications, often modifying their TTPs to stay ahead of defences.

Credential Access: Tools like Raccoon Stealer obtain login credentials, browser histories, cookies, and other data.

Discovery and Lateral Movement: The group conducts thorough discovery on compromised networks, searching for valuable data sources and infrastructure before moving laterally across the network.

Collection and Exfiltration: Data collection and staging are significant aspects of their operations, often leading to data exfiltration for extortion purposes.
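The persistence step above (registering a new MFA factor and adding a federated identity provider to the SSO tenant) is exactly the kind of change a tenant audit log records, and it is worth alerting on. The detector below is an added example written for this newsletter, not code from the FBI/CISA advisory or from any identity provider. It runs over a few constructed JSON audit events using a simplified, hypothetical schema (field names such as `user.mfa.factor.enroll` and `tenant.idp.add` are assumptions; Okta, Entra ID and others use their own event names). It flags an MFA enrolment that follows a help-desk password reset within a short window from outside the corporate range, and any addition of a federated identity provider.

```python
"""Detect two Scattered Spider-style persistence actions in SSO audit logs.

Added example, not from the newsletter or the FBI/CISA advisory. The event
schema and field names are hypothetical; map them to your IdP's real audit
format before use.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit events (not real data), one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2023-11-20T09:02:11Z", "actor": "helpdesk.bob", "event": "user.password.reset", "target": "alice", "src_ip": "10.0.5.12"}
{"ts": "2023-11-20T09:07:40Z", "actor": "alice", "event": "user.mfa.factor.enroll", "target": "alice", "factor": "push", "src_ip": "198.51.100.23"}
{"ts": "2023-11-20T09:15:03Z", "actor": "alice", "event": "tenant.idp.add", "target": "idp-ext-01", "src_ip": "198.51.100.23"}
{"ts": "2023-11-20T11:30:00Z", "actor": "carol", "event": "user.mfa.factor.enroll", "target": "carol", "factor": "totp", "src_ip": "10.0.7.3"}
{"ts": "2023-11-21T08:00:00Z", "actor": "dave", "event": "user.login", "target": "dave", "src_ip": "10.0.7.9"}
"""

# Tuning knobs (assumed values): how soon after a help-desk reset an MFA
# enrolment is suspicious, and which source prefixes count as on-premises.
RESET_TO_ENROLL_WINDOW = timedelta(hours=1)
CORPORATE_PREFIXES = ("10.",)
# Tenant-level changes that should always page someone.
HIGH_RISK_EVENTS = {"tenant.idp.add"}


@dataclass
class Alert:
    ts: str
    rule: str
    user: str
    detail: str


def parse_events(text):
    """Parse newline-delimited JSON events and return them ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return alerts for suspicious MFA enrolments and federated IdP additions."""
    alerts = []
    last_reset = {}  # target user -> time of the most recent password reset
    for e in events:
        kind = e["event"]
        if kind == "user.password.reset":
            last_reset[e["target"]] = e["ts"]
        elif kind == "user.mfa.factor.enroll":
            reset_ts = last_reset.get(e["target"])
            off_net = not e["src_ip"].startswith(CORPORATE_PREFIXES)
            recent = reset_ts is not None and e["ts"] - reset_ts <= RESET_TO_ENROLL_WINDOW
            if recent and off_net:
                alerts.append(Alert(
                    ts=e["ts"].isoformat(),
                    rule="mfa-enroll-after-reset",
                    user=e["target"],
                    detail=f"{e.get('factor')} factor enrolled from {e['src_ip']} "
                           f"{(e['ts'] - reset_ts).seconds // 60} min after help-desk reset",
                ))
        elif kind in HIGH_RISK_EVENTS:
            alerts.append(Alert(
                ts=e["ts"].isoformat(),
                rule="federated-idp-added",
                user=e["actor"],
                detail=f"identity provider {e['target']} added from {e['src_ip']}",
            ))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(f"[{alert.rule}] {alert.ts} user={alert.user}: {alert.detail}")
```

On the constructed sample the detector raises two alerts: alice's push factor enrolled off-network a few minutes after a help-desk reset, and the new federated IdP. Carol's on-network TOTP enrolment with no preceding reset is left alone. The reset-then-enrol correlation is the part worth keeping when you port this to a real SIEM; the IdP-add rule needs no correlation at all, since that change should be rare enough to review every time.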

Impact and Response

Scattered Spider’s activities have significant implications. Their targeted attacks have led to substantial financial loss and operational disruptions for victim organisations. The FBI and CISA have released advisories detailing their TTPs and urging organisations to implement recommended security measures.

Read More

Roundup

Here is a roundup of things that I have read this week or subjects I have investigated.

CyberWire's Control Loop

The November 22, 2023, issue of CyberWire's Control Loop newsletter covers a range of critical cybersecurity topics. Highlights include the recovery of Australian ports from a significant cyberattack, Sandworm's targeted cyber operations against Ukraine's power grid and Danish electrical power providers, and analyses of cyber threats in hybrid warfare. Additionally, it discusses vulnerabilities in Rockwell Stratix routers, the US's Shields Ready campaign for critical infrastructure resilience, cybersecurity challenges in space systems, UK nuclear plant cyber concerns, advancements in AI governance and safety, and a significant rise in malware attacks on IoT devices. Read More.

Thousands of routers and cameras vulnerable to new 0-day attacks by hostile botnet

The article "Thousands of routers and cameras vulnerable to new 0-day attacks by hostile botnet" from Ars Technica, reported on November 22, 2023, highlights the discovery of two new zero-day vulnerabilities actively exploited by attackers. These vulnerabilities, previously unknown to manufacturers and the security research community, allow for remote execution of malicious code on affected devices, particularly when these devices use default administrative credentials.

Akamai researchers identified that one of the vulnerabilities is present in one or more models of network video recorders, while the other affects an outlet-based wireless LAN router designed for hotels and residential applications, produced by a Japan-based manufacturer. These vulnerabilities have been exploited to compromise these devices, infecting them with Mirai. Mirai is potent open-source software that turns routers, cameras, and other Internet of Things (IoT) devices into a botnet capable of conducting Distributed Denial of Service (DDoS) attacks of significant scale.

The true extent of the vulnerability is concerning, with internet scans indicating that around 7,000 devices could be vulnerable, though the actual number might be higher. Read More.

Artificial Intelligence (AI) in Operational Technology (OT) Security

I am currently involved in a project securing operational technology using intelligent threat detection. So, I have been reading about AI and OT security.

Integrating Artificial Intelligence (AI) into Operational Technology (OT) security represents a significant evolution in the defence against cyber threats. AI enhances OT security by strengthening authentication and authorisation processes, enabling the early identification of vulnerabilities before attackers exploit them.

This proactive approach is crucial in operational environments where the security of critical systems is paramount. AI's capability to balance security requirements with user experience is another key advantage, ensuring that robust security measures do not impede the efficiency or effectiveness of operational processes.

The role of AI in OT security is becoming increasingly pivotal in the Internet of Things (IoT) context and with the growing complexity of industrial networks. As more devices become interconnected, the potential attack surface for cybercriminals expands. This scenario is creating what can be described as an 'AI arms race', where cybersecurity professionals continually develop new AI-based solutions to protect OT environments while cybercriminals seek ways to exploit these same systems. The dynamic and evolving nature of this landscape underscores the importance of sophisticated AI tools in identifying and mitigating threats in real time.

In the modern industrial sector, adopting technologies like cloud computing, machine automation, and IoT has dramatically increased the number of connected devices within OT environments. For example, a factory that once relied on a thousand computers might now operate with ten thousand IoT devices. Securing such a vast and complex network is a challenging task that increasingly relies on machine learning and AI solutions. These technologies enable an autonomous and rapid response to potential security breaches, ensuring the resilience and integrity of OT systems. The use of AI in this context is not just a matter of enhancing security measures but is essential for managing modern OT networks' sheer scale and complexity. Read More here and here. Got more articles in this space? Could you send me links?


Security News Update

News on the wire

NERC's GridEx VII tests grid security and resilience against evolving, hard-to-detect threats (November 23, 2023) Read More

Tenable study reveals 43% of cyberattacks in Mexico have been successful in the last two years (November 22, 2023) Read More

Australia publishes Cyber Security Strategy focused on navigating cyber landscape, releases Action Plan (November 22, 2023) Read More

Watchdog Cyber, Waterfall align to assist manufacturers in connecting their IT, OT networks (November 22, 2023) Read More

US, Australian security agencies warn of LockBit 3.0 ransomware exploiting Citrix Bleed vulnerability Read More

New Phobos ransomware variant impersonates VX-Underground malware-sharing group, by Laura French (November 22, 2023) Read More

Kinsing malware exploits critical Apache ActiveMQ flaw to mine crypto (November 21, 2023) Read More

Russian Hackers Used OT Attack to Disrupt Power in Ukraine Amid Mass Missile Strikes (November 9, 2023) Read More


Podcasts to Listen to over the Weekend



Darknet Diaries

I have not yet listened to Darknet Diaries Episode 139, "D3F4ULT," so I will do that over the weekend. The episode tells the story of Default, a hacker who began his journey driven by curiosity and eventually joined Anonymous. It explores the intense, sometimes disturbing culture within Anonymous, the power and dangers of collective hacking actions, and the ethical dilemmas of hacking. It highlights incidents where government systems and high-profile individuals were vulnerable to hacking, emphasising the need for solid cybersecurity and digital privacy. The story also reflects on societal issues, such as the decline in empathy and the consequences of illegal online activities, concluding with the importance of safeguarding one's digital presence and of personal growth in the face of adversity.

Listen here.

Security Now

I also need to catch up on the weekly instalment of Security Now, hosted by Steve Gibson and Leo Laporte; this week's episode covers various cybersecurity topics.

Key discussions include:

  • Signal’s financial challenges: Despite being a widely used private messaging app, Signal faces high operational costs and relies on donations for funding, highlighting the expenses involved in maintaining privacy-focused technology.
  • Ransomware evolution: The episode touches on the increasing sophistication of ransomware attacks, including a case where hackers filed a complaint with the U.S. SEC against a victim company for not disclosing a breach.
  • TETRA radio encryption vulnerabilities: Flaws in the TETRA radio encryption standard used in critical infrastructure are discussed, emphasizing the dangers of secret encryption algorithms and the need for open scrutiny.
  • Apple's adoption of RCS for iPhone: RCS (Rich Communication Services) will enhance messaging features between iPhone and Android users, marking a significant update in cross-platform communication.
  • Ethernet's 50th anniversary: The episode commemorates Ethernet's 50 years, reflecting on its invention and its role in shaping modern networking technology.

Listen here


Upcoming Conferences

  1. Black Hat Europe 2023. Date: December 4-7, 2023. Location: ExCel London, United Kingdom. Details: A major event in the cybersecurity calendar, Black Hat Europe offers a range of sessions and workshops. Registration: Black Hat Europe 2023.
  2. NICE K12 Cybersecurity Education Conference. Date: December 4-5, 2023. Location: Phoenix, Arizona. Details: Focuses on cybersecurity education at the K12 level. Registration: NICE K12 Conference.
  3. Cybersecurity Outlook 2024. Date: December 14, 2023. Format: Full-day virtual event. Details: Co-hosted by Black Hat, Dark Reading, and Omdia, this event explores the cyber threats and technology trends for the coming year. Registration: Cybersecurity Outlook 2024.


Feedback

I am keen to hear what you think of this newsletter. This is basically a brain dump of how I keep up to speed and stay aware of threats, vulnerabilities, news, hacks and things that interest me.

If you have feedback or ideas, could you connect with me and send me a message?

Have a great week ahead!

Ben Dunlop

We protect OT networks & critical assets

1 year

Great and informative read Steve. Thanks for sharing contemporary intel on the threat landscape.

Steve Carr

Founder - Market Traction International Ltd / Talkingiot.io / GenAI Nerds / AI Process Consultant / Seed Investor

1 year

Very Insightful, why not become a contributor on talkingiot.io where you can share with our audience for free... we exceed over 1M social impressions... Happy to support you.
