At a glance.

  • Cyberattack suspected of causing rocket-attack false alarms in Israel.
  • Risk surface assessments.
  • Fitness app’s geolocation feature may be a privacy and security risk.
  • ToddyCat APT is active in European and Asian networks.
  • ICEFALL ICS vulnerabilities described, with advice and reactions.
  • Fancy Bear sighted in Ukrainian in-boxes.
  • CISA issues an updated version of its Cloud Security Technical Reference Architecture.
  • Another warning of spyware in use against targets in Italy and Kazakhstan.
  • Cyberespionage uses ransomware as misdirection.
  • Lithuania’s NKSC warns of increased DDoS threat.
  • Think tanks as targets.
  • CISA’s tabletop exercises.

Cyberattack suspected of causing rocket-attack false alarms in Israel.

Sirens used to warn Israelis of rocket attacks sounded a false alarm in Israel last weekend. Haaretz reports that “Sirens sounded in Eilat and parts of Jerusalem Sunday night due to a cyberattack on local public address systems, Israel’s Home Front Command said on Monday, in what is being investigated as a possible Iranian attack.” Citing “diplomatic sources,” the Jerusalem Post emphasizes that the attribution is preliminary and that the incident remains under investigation. Israel Hayom notes that some of the evidence of a cyberattack remains circumstantial: the systems apparently compromised were civilian municipal warning systems, not the presumably better-protected military ones.

Risk surface assessments.

RiskRecon and Cyentia have published a report on risk surface assessment, finding that organizations that are “cloud-first” are 85% more likely to be a top performer in risk management: “When we take a look at the cloud adoption rates of the top and bottom performers, we start to see some very clear separation…. Every 10% increase in host cloud concentration, results in a 2.5% increase in the probability of being a top performer.” The researchers add that “Choosing to go majority cloud with one of the ‘big three’ cloud providers, namely AWS, Azure, or GCP, has inconsequential effects rather than being simply cloud-first.”

Fitness app’s geolocation feature may be a privacy and security risk.

Computing reports that the fitness app Strava may constitute a risk to users’ privacy and to operational security when those users are military service members. That risk may be an active threat. Computing writes, “Unidentified operatives have been exploiting a security weakness in the popular fitness tracking app Strava to track the movements of Israeli defence personnel, according to Israeli open source investigative group FakeReporter.” This isn’t the first time fitness trackers in general and Strava in particular have been flagged as a potential opsec problem: the US Department of Defense expressed its concerns about Strava in January 2018.
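The opsec problem described above is easy to show concretely. The script below, an added illustration and not anything from Strava or FakeReporter, takes public GPS activity traces and does the two things an adversary would do with them: flag any activity that starts or ends within a few hundred metres of a watched location, and bucket recurring start/end points into ~100 m cells to infer where a user lives or works. The activities, the site coordinates and the 500 m radius are constructed for the example.

```python
"""Flag public GPS activities that start or end near a sensitive site, and infer
recurring home/work points from start and end locations. Added example; the
activity tracks, watched site and radius are constructed (hypothetical data)."""
import math
from collections import Counter

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

# Constructed sample: each public activity is a list of (lat, lon) track points.
SAMPLE_ACTIVITIES = {
    "run-001": [(31.2050, 34.8150), (31.2090, 34.8200), (31.2051, 34.8152)],
    "run-002": [(31.2052, 34.8149), (31.2100, 34.8300), (31.2049, 34.8151)],
    "ride-003": [(32.0850, 34.7800), (32.1000, 34.7900), (32.0852, 34.7802)],
}

# Constructed sample: a location an analyst wants to watch (hypothetical coordinates).
SENSITIVE_SITES = {"site-A": (31.2055, 34.8155)}

def flag_activities(activities, sites, radius_m=500.0):
    """Return {activity_id: [(site, 'start'|'end', distance_m), ...]} for every
    activity whose first or last track point lies within radius_m of a site."""
    hits = {}
    for act_id, points in activities.items():
        if not points:
            continue
        for label, (lat, lon) in (("start", points[0]), ("end", points[-1])):
            for site, (slat, slon) in sites.items():
                d = haversine_m(lat, lon, slat, slon)
                if d <= radius_m:
                    hits.setdefault(act_id, []).append((site, label, round(d)))
    return hits

def infer_home_points(activities, cell_deg=0.001):
    """Snap start/end points to ~100 m grid cells and count recurrences. A cell
    that recurs across many activities is almost certainly home or workplace,
    which is exactly what a public activity feed leaks even without site data."""
    counts = Counter()
    for points in activities.values():
        if not points:
            continue
        for lat, lon in (points[0], points[-1]):
            cell = (round(lat / cell_deg) * cell_deg, round(lon / cell_deg) * cell_deg)
            counts[cell] += 1
    return counts.most_common()

if __name__ == "__main__":
    for act, matches in flag_activities(SAMPLE_ACTIVITIES, SENSITIVE_SITES).items():
        print(act, matches)
    print("most frequent start/end cell:", infer_home_points(SAMPLE_ACTIVITIES)[0])
```

Both functions work on endpoints only because that is where the leak is worst: the middle of a route is public by design, while the start and end points pin down where the runner sleeps or reports for duty. A privacy zone that hides only the first and last few hundred metres defeats the first check but not the second if the zone is centred on the same place every time.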

ToddyCat APT is active in European and Asian networks.

Kaspersky describes ToddyCat, a hitherto unremarked APT active against “high-profile” European and Asian targets. The threat actor works against vulnerable Microsoft Exchange instances, has been active since late 2020, and deploys at least two distinctive tools, the Samurai backdoor and the Ninja Trojan. It’s not clear whom ToddyCat is working for, and its disparate target list offers few obvious suggestions. The threat actor is said to have been active against Taiwan, Vietnam, Afghanistan, India, Iran, Malaysia, Pakistan, Russia, Slovakia, Thailand, the United Kingdom, Kyrgyzstan, Uzbekistan, and Indonesia.

ICEFALL ICS vulnerabilities described, with advice and reactions.

Researchers at Forescout describe “OT:ICEFALL,” which they characterize as “a set of 56 vulnerabilities affecting devices from 10 OT vendors.” Forescout rather sternly calls the affected systems “insecure by design,” and divides the vulnerabilities into five categories:

  • “Remote code execution (RCE): Allows an attacker to execute arbitrary code on the impacted device, but the code may be executed in different specialized processors and different contexts within a processor, so an RCE does not always mean full control of a device. This is usually achieved via insecure firmware/logic update functions that allow the attacker to supply arbitrary code.”
  • “Denial of service (DoS): Allows an attacker to either take a device completely offline or to prevent access to some function.”
  • “File/firmware/configuration manipulation: Allows an attacker to change important aspects of a device such as files stored within it, the firmware running on it or its specific configurations. This is usually achieved via critical functions lacking the proper authentication/authorization or integrity checking that would prevent attackers from tampering with the device.”
  • “Compromise of credentials: Allows an attacker to obtain credentials to device functions, usually either because they are stored or transmitted insecurely.”
  • “Authentication bypass: Allows an attacker to bypass existing authentication functions and invoke desired functionality on the target device.”

Completely mitigating the ICEFALL vulnerabilities will require vendor-delivered patches. In the meantime the recommended mitigations are network isolation (particularly isolation of OT and industrial control systems from business networks and the wider Internet), restricting network connections to specifically selected engineering workstations, and, of course, “focusing on consequence reduction.”
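The isolation and allowlisting advice above is only as good as the evidence that it holds. The script below is an added example, not Forescout's or CISA's code: it audits flow records against a policy of the kind just described. Only designated engineering workstations may reach controller protocol ports, no other host outside the OT segment may reach an OT asset at all, and OT assets must never initiate connections to the Internet. The addresses, the policy, the port list and the log lines are constructed for the example.

```python
"""Audit flow records against an OT isolation policy of the kind recommended for
ICEFALL. Added example; the addresses, policy and log lines are constructed and
do not describe any real network."""
import ipaddress

# Constructed policy (hypothetical addresses).
OT_NETWORK = ipaddress.ip_network("10.50.0.0/24")
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.20.1.10"),
                            ipaddress.ip_address("10.20.1.11")}
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Controller protocol ports: Modbus/TCP, Siemens S7 over ISO-TSAP,
# EtherNet/IP, Phoenix Contact PC Worx.
PLC_PORTS = {502: "modbus", 102: "s7comm", 44818: "enip", 1962: "pcworx"}

# Constructed flow log in a simple 'timestamp key=value ...' format.
SAMPLE_FLOWS = """\
2022-06-23T10:01:05Z src=10.20.1.10 dst=10.50.0.7 dport=502 proto=tcp
2022-06-23T10:01:09Z src=10.10.5.23 dst=10.50.0.7 dport=502 proto=tcp
2022-06-23T10:02:14Z src=10.20.1.11 dst=10.50.0.9 dport=102 proto=tcp
2022-06-23T10:03:30Z src=10.50.0.9 dst=198.51.100.4 dport=443 proto=tcp
2022-06-23T10:04:02Z src=10.10.5.23 dst=10.50.0.7 dport=80 proto=tcp
2022-06-23T10:05:11Z src=203.0.113.8 dst=10.50.0.12 dport=1962 proto=tcp
"""

def parse_flow(line):
    """Parse one record into a dict with typed addresses and an int port."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {"ts": ts,
            "src": ipaddress.ip_address(rec["src"]),
            "dst": ipaddress.ip_address(rec["dst"]),
            "dport": int(rec["dport"]),
            "proto": rec.get("proto", "tcp")}

def is_external(ip):
    """Anything outside the internal ranges is treated as the Internet."""
    return not any(ip in net for net in INTERNAL_NETWORKS)

def check_flow(flow):
    """Return a violation description, or None if the flow complies with policy.
    Traffic between OT assets themselves is left alone by this policy."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    if dst in OT_NETWORK and src not in OT_NETWORK and src not in ENGINEERING_WORKSTATIONS:
        if dport in PLC_PORTS:
            return f"{PLC_PORTS[dport]} to {dst} from non-engineering host {src}"
        return f"non-engineering host {src} reached OT asset {dst}:{dport}"
    if src in OT_NETWORK and is_external(dst):
        return f"OT asset {src} initiated Internet connection to {dst}:{dport}"
    return None

def audit(log_text):
    """Return [(timestamp, violation), ...] for every non-compliant record."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        violation = check_flow(flow)
        if violation:
            findings.append((flow["ts"], violation))
    return findings

if __name__ == "__main__":
    for ts, violation in audit(SAMPLE_FLOWS):
        print(ts, violation)
```

Run against real NetFlow or firewall logs, a non-empty result from this audit means the isolation that the ICEFALL mitigations depend on does not actually exist for that path; the "consequence reduction" step starts with the hosts this surfaces.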

On Wednesday CISA noted Forescout’s ICEFALL report and advised organizations to review it and apply the mitigations it recommends. CISA also pointed out that five of its recent ICS advisories address issues associated with ICEFALL: ICSA-22-172-02 (JTEKT TOYOPUC), ICSA-22-172-03 (Phoenix Contact Classic Line Controllers), ICSA-22-172-04 (Phoenix Contact ProConOS and MULTIPROG), ICSA-22-172-05 (Phoenix Contact Classic Line Industrial Controllers) and ICSA-22-172-06 (Siemens WinCC OA).

SecurityWeek has a round-up of industry comments on ICEFALL. In general, the experts aren’t surprised that vulnerabilities of this kind were found, and they’re in agreement that ICEFALL is to be taken seriously, and the available remediations applied.

Fancy Bear sighted in Ukrainian in-boxes.

CERT-UA warns that APT28, the GRU operators familiarly known as Fancy Bear, has opened a renewed campaign of exploitation against systems still vulnerable to Follina, the Microsoft Support Diagnostic Tool (MSDT) vulnerability tracked as CVE-2022-30190. Fancy Bear is running two distinct campaigns, Ukraine’s SSSCIP warns, both of which use phishing as their mode of access. The phishbait appeals to two very different sets of fears. The first campaign, which Malwarebytes has also described, counts on an email recipient’s fear of nuclear war (topical, given the ongoing Russian nuclear saber-rattling described by the Telegram). The malicious document, “Nuclear Terrorism A Very Real Threat,” carries CredoMap malware as its payload, CERT-UA says. The other campaign uses a more proximate if less existential dread to induce the recipient to click: fear of the taxman. Anyone in wartime might be forgiven an understandable lapse of memory where paying taxes is concerned. The phishbait sample CERT-UA shares is sternly entitled “Imposition of penalties,” the email’s subject is “Notice of non-payment of tax,” and the malicious document carries a Cobalt Strike Beacon as its payload. The goal of both campaigns appears to be espionage, although it’s worth noting that CERT-UA sees the tax-themed campaign as directed against critical infrastructure.
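Both lures depend on Follina, and the delivery pattern for Follina is publicly documented: a Word document whose word/_rels/document.xml.rels carries an oleObject relationship with TargetMode="External" pointing at remote HTML, and that HTML invoking the ms-msdt: URI handler. The script below is an added triage example, not CERT-UA’s or Malwarebytes’ tooling: it opens a .docx as the ZIP package it is, pulls out external oleObject targets, and checks a fetched payload for the ms-msdt: scheme. The sample document it builds and the HTML it checks are constructed here, with a hypothetical host, and are not the CERT-UA samples.

```python
"""Triage a .docx for the Follina (CVE-2022-30190) delivery pattern: an external
oleObject relationship in word/_rels/document.xml.rels and an HTML payload that
references the ms-msdt: URI handler. Added example; the sample document, target
host and HTML below are constructed, not real samples."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
STYLES_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                   "relationships/styles")
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)
RELS_PART = "word/_rels/document.xml.rels"

def external_ole_targets(docx_bytes):
    """Return Target URLs of oleObject relationships marked TargetMode=External.
    Legitimate documents almost never carry these; Follina droppers do."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return targets
        root = ET.fromstring(z.read(RELS_PART))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                targets.append(rel.get("Target", ""))
    return targets

def html_invokes_msdt(html_text):
    """True if the fetched HTML references the ms-msdt: handler."""
    return bool(MSDT_RE.search(html_text))

def triage(docx_bytes, fetched_html=None):
    """Suspicious on the document indicator alone; confirmed when the payload
    retrieved from the Target also carries the ms-msdt: scheme."""
    targets = external_ole_targets(docx_bytes)
    msdt = html_invokes_msdt(fetched_html) if fetched_html is not None else False
    return {"external_ole_targets": targets,
            "suspicious": bool(targets),
            "confirmed": bool(targets) and msdt}

def build_sample_docx(ole_target=None):
    """Constructed minimal .docx; with ole_target it mimics the dropper layout."""
    rels = [f'<Relationship Id="rId1" Type="{STYLES_REL_TYPE}" Target="styles.xml"/>']
    if ole_target:
        rels.append(f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                    f'Target="{ole_target}" TargetMode="External"/>')
    rels_xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/'
                   'wordprocessingml/2006/main"/>')
        z.writestr(RELS_PART, rels_xml)
    return buf.getvalue()

# Constructed stand-ins: hypothetical host, and an HTML page that only references
# the handler (no diagnostic parameters), enough to exercise the check.
SAMPLE_TARGET = "http://example.invalid/page.html!"
SAMPLE_HTML = '<html><script>window.location.href = "ms-msdt:/id PCWDiagnostic";</script></html>'

if __name__ == "__main__":
    print(triage(build_sample_docx(SAMPLE_TARGET), SAMPLE_HTML))
    print(triage(build_sample_docx()))
```

The two-stage verdict matters for a mail gateway: the document indicator is available before any network fetch and is enough to quarantine, while the ms-msdt: check needs the remote page, which may be served only once or only to the intended victim, so a missing payload should not downgrade the document to clean.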

CISA issues an updated version of its Cloud Security Technical Reference Architecture.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued version 2.0 of its Cloud Security Technical Reference Architecture. The document singles out two efforts for particular attention: the familiar Federal Risk and Authorization Management Program (FedRAMP), in place since 2011, and a more recent program, the Cloud Smart Initiative, which succeeded the Federal Cloud Computing Strategy “Cloud First.” “Cloud Smart emphasizes the three pillars of security, procurement, and workforce.” While the document is addressed primarily at the US Federal agencies whose security CISA oversees, others will find its recommendations of interest, especially if they do business with the US Government.

Another warning of spyware in use against targets in Italy and Kazakhstan.

Google’s Threat Analysis Group reported late Thursday that spyware developed by the Italian firm RCS Labs has been found in use against targets in Italy and Kazakhstan. “Today, alongside Google’s Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android. We have identified victims located in Italy and Kazakhstan,” the report said. Targets appear to have been infected by phishing or through the installation of malicious apps, and the malware comes in both iOS and Android versions. One surprising conclusion is that in some cases the spyware operators worked with the victims’ ISPs to “disable the target’s mobile data connectivity,” so that the victim could be lured into installing a malicious app under the pretext of restoring service.

RCS Labs has in the past cooperated with the now-defunct Hacking Team. The tools RCS Labs apparently sold to government customers were described last week by researchers at Lookout under the name “Hermit.” TechCrunch reports that Google is notifying the victims it’s been able to identify.

Cyberespionage uses ransomware as misdirection.

Secureworks reports that a Chinese threat actor it tracks as Bronze Starlight is conducting ransomware campaigns against selected targets, but that the ransomware is probably misdirection to cover cyberespionage and theft of intellectual property. “The victimology, short lifespan of each ransomware family, and access to malware used by government-sponsored threat groups suggest that BRONZE STARLIGHT’s main motivation may be intellectual property theft or cyberespionage rather than financial gain. The ransomware could distract incident responders from identifying the threat actors’ true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group.”

Lithuania’s NKSC warns of increased DDoS threat.

BleepingComputer reports that Lithuania’s National Cyber Security Center (NKSC) has issued a public warning that the threat of distributed denial-of-service attacks is rising. “Most of the attacks are directed against public authorities, the transport and financial sectors, leading to temporary service disruptions,” the alert says. “The NCSC urges all managers of critical information infrastructure and state information resources to take additional security measures and to follow the NCSC recommendations for protection against service disruption attacks.”

There’s no explicit mention of Russian operations in the alert, but it’s clear whence comes the threat. BleepingComputer notes that a nominally hacktivist group that claims to be acting in the Russian interest, “Legion – Cyber Spetsnaz RF” declared (in a Telegram post) cyberwar against Lithuania, and published an ambitious target list: “large banks, logistic companies, internet providers, airports, energy firms, mass media groups, and various state and ministry sites.” BleepingComputer reads the Cyber Spetsnaz as an offshoot of Killnet. “Spetsnaz,” we observe, is the Russian term for its military special forces.

The Cyber Spetsnaz declaration dates from Lithuania’s decision to forbid shipments of sanctioned goods through its rail corridor to the detached Russian enclave of Kaliningrad. Reuters reports that Moscow has blamed Lithuania’s action on Washington. “The so-called ‘collective West’, with the explicit instruction of the White House, imposed a ban on rail transit of a wide range of goods through the Kaliningrad region,” the Russian Foreign Ministry said in a statement.

Think tanks as targets.

Microsoft’s much-discussed report, “Defending Ukraine: Early Lessons from the Cyber War,” includes an account of Russian targeting in the cyber phases of its hybrid war against Ukraine. “Russian targeting has prioritized governments, especially among NATO members,” the report says. “But the list of targets has also included think tanks, humanitarian organizations, IT companies, and energy and other critical infrastructure suppliers.” While Russian cyber operations have, as many have observed, fallen as far short of the widespread devastation of infrastructure as Russian combined arms operations fell short of the conquest of Kyiv (both widely expected), they’ve enjoyed some success. “Since the start of the war, the Russian targeting we’ve identified has been successful 29 percent of the time. A quarter of these successful intrusions has led to confirmed exfiltration of an organization’s data, although as explained in the report, this likely understates the degree of Russian success.”

CISA’s tabletop exercises.

The Cybersecurity and Infrastructure Security Agency (CISA) hosted a workshop Thursday providing an overview of the CISA Tabletop Exercises Packages (CTEP), an unclassified, adaptable exercise resource focused on facilitating discussion around a scripted hazard or threat scenario. Robert Lauer, the workshop facilitator, explained that the CTEP is “designed to assist government and industry partners in developing your own tabletop exercises with pre-built templates.” There are over a hundred scenarios to choose from that encompass both cyber and physical security. Several of them involve both. The CTEP exercise materials include a situation manual, an exercise planner handbook, a facilitator and evaluator handbook, and various templates that can be used throughout the exercise. The ultimate goal of the resource is to “help facilitate understanding, identify strengths and areas for improvement, and/or changes in policies and procedures.”

GovTech reports that workshops on CTEP will be held monthly and hosted by CISA’s Infrastructure Security and Exercise Branch, with participation from private stakeholders and critical infrastructure owners and operators. No registration is required for these workshops, which are open to the public. To use the CTEP exercises themselves, however, you need a Critical Infrastructure community account on the Homeland Security Information Network (HSIN-CI); CISA provides instructions for creating one.

For those interested in how to approach wargaming for cybersecurity, SearchSecurity offers some thoughts on how to plan and conduct an exercise.

Patch news.

The US Cybersecurity and Infrastructure Security Agency (CISA) Tuesday released six industrial control system (ICS) security advisories:

  • Mitsubishi Electric MELSEC Q and L Series (“mitigations for an Improper Resource Locking vulnerability in Mitsubishi Electric MELSEC Q and L Series CPUs”).
  • JTEKT TOYOPUC (“mitigations for a Missing Authentication for Critical Function vulnerability in the JTEKT TOYOPUC programmable logic controller”).
  • Phoenix Contact Classic Line Controllers (“mitigations for an Insufficient Verification of Data Authenticity vulnerability in the Phoenix Contact Classic Line Controllers”).
  • Phoenix Contact ProConOS and MULTIPROG (addressing “an Insufficient Verification of Data Authenticity vulnerability in the Phoenix Contact ProConOS and MULTIPROG software development kit”).
  • Phoenix Contact Classic Line Industrial Controllers (“mitigations for Missing Authentication for Critical Function and Insufficient Verification of Data Authenticity vulnerabilities in the Phoenix Contact Classic Line Industrial Controllers”).
  • Siemens WinCC OA (“mitigations for a Use of Client-side Authentication vulnerability in the Siemens SIMATIC WinCC OA software management platform”).

On Thursday, CISA released six further ICS advisories:

  • OFFIS DCMTK (“mitigations for path traversal, relative path traversal, and NULL pointer dereference vulnerabilities in DCMTK,” an OFFIS collection of libraries and software that process DICOM image files).
  • Yokogawa STARDOM (“mitigations for Cleartext Transmission of Sensitive Information, and Use of Hard-coded Credentials vulnerabilities in the Yokogawa STARDOM network control system”).
  • Yokogawa CAMS for HIS (“mitigations for a Violation of Secure Design Principles vulnerability in the Yokogawa Consolidation Alarm Management Software for Human Interface Station”).
  • Secheron SEPCOS Control and Protection Relay (“mitigations for Improper Enforcement of Behavioral Workflow, Lack of Administrator Control over Security, Improper Privilege Management, and Insufficiently Protected Credentials vulnerabilities in the Secheron SEPCOS Control and Protection Relay”).
  • Pyramid Solutions EtherNet/IP Adapter Development Kit (“mitigations for an Out-of-bounds Write vulnerability in the Pyramid Solutions EtherNet/IP Adapter Development Kit”).
  • Elcomplus SmartICS (“mitigations for Improper Access Control, Relative Path Traversal, and Cross-site Scripting vulnerabilities in the Elcomplus SmartICS web-based HMI”).

Crime and punishment.

The Record by Recorded Future reports that nine people were arrested in the Netherlands in connection with a phishing gang. Twenty-four houses were raided, and firearms, ammunition, jewelry, electronic devices, cash, and cryptocurrency were seized. Europol reports that this was a cross-border operation by the Belgian and Dutch police, supported by Europol, that resulted in the “dismantling of an organised crime group involved in phishing, fraud, scams and money laundering.”

Courts and torts.

SecurityWeek reports that MCG Health, which provides healthcare organizations with clinical guidance through artificial intelligence and technology solutions, is facing a proposed class action lawsuit over a March 2022 data breach that compromised over 1.1 million patients’ information. The Herald-Times reports that the nonprofit healthcare system Indiana University (IU) Health is among those affected. On June 10th the company began notifying affected parties of the breach, saying in a letter, “MCG determined on March 25, 2022 that an unauthorized party previously obtained certain of your personal information that matched data stored on MCG’s systems.” Potentially affected data include names, dates of birth, gender, addresses, Social Security numbers, email addresses, phone numbers, and medical codes, the company reports in its disclosure. “It is surprising how little information there is,” said Fred H. Cate, IU vice president for research and former director of IU’s Center for Applied Cybersecurity Research. One victim is reportedly suing MCG for alleged negligence.

A $2.75 billion award against Cisco Systems has been thrown out after it emerged that the trial judge’s wife owned Cisco stock, Reuters reports. The trial judge, US District Judge Henry Morgan in Norfolk, Virginia, reportedly discovered that his wife held over $4,500 in Cisco shares two months before he ruled Cisco liable for patent infringement in 2020. He said that he put the shares into a blind trust and that the holding “did not and could not have influenced” his handling of the case, but the appeals court ruled otherwise, holding that placing the shares in a blind trust is not the same as selling them. The ruling is a loss for Virginia’s Centripetal Networks Inc., the company that had sued Cisco for infringing five security patents.

Policies, procurements, and agency equities.

The White House Tuesday announced that President Biden signed two cybersecurity-focused bills into law. The State and Local Government Cybersecurity Act of 2021 directs the Department of Homeland Security to improve cybersecurity collaboration with state, local, tribal, and territorial governments. As the Record by Recorded Future explains, the legislation will allow the Cybersecurity and Infrastructure Security Agency (CISA) to offer state and local governments the opportunity to upgrade their digital security tools and procedures in order to increase cyber coordination while strengthening the cyber workforce at the federal level. The second bill, the Federal Rotational Cyber Workforce Program Act, will establish a rotational, inter-agency workforce development program that will allow cybersecurity professionals to sample jobs at various agencies. The idea is to give these employees the opportunity to learn new skill sets and be exposed to the full scope of government work, in an effort to make these positions more competitive with private-sector employment.