Target: Water Utilities

Water utilities play a critical role in our society. They provide fresh, potable water to residents, businesses and industry, and they manage the wastewater from them. As with other utilities and critical infrastructure, they are increasingly a target for hackers, terrorists, and hostile nation states. A successful hack can contaminate the fresh water supply, impair availability or cause an environmental disaster. It’s a direct risk to the health of the local population and to the supply chains that depend on readily available fresh water and wastewater management.

Becoming a Hard Target

Managing the risks isn’t trivial, but it’s not rocket science either: the science of cyber security has greatly matured over the past 20 years. The following 5 steps are key to a water utility becoming a hard target that is resistant to cyberattacks.

- Assess your overall cyber security program.
- Test your organization’s current readiness for cyber attacks on an annual basis by assessing both your external perimeter and your internal networks. Make sure you include both the IT and the OT (SCADA) sides of the house.
- Perform ongoing vulnerability management throughout the year.
- Make sure you have someone watching for suspicious security events.
- Lastly, make sure you have a Cyber Security Incident Response (CSIR) program in place. Because a cyber security incident is a question of when, not if, you must have a plan in place before it happens.

Strength In Numbers

Recognizing the critical importance of the water supply, leading water associations in the U.S., along with the U.S. federal government, have become increasingly organized in the defense of this essential infrastructure. A key part of this organization has been the formation of the Water Information Sharing and Analysis Center (WaterISAC). Authorized by the United States’ 2002 Bioterrorism Act, the WaterISAC is the key security information source for all threats impacting water and wastewater systems.

In support of their mission, they have developed the 15 Cybersecurity Fundamentals for Water & Wastewater Utilities. As part of their ongoing education and outreach, WaterISAC recently invited nGuard to speak about some of these key cybersecurity concepts at an association meeting. You can watch this webinar below.
Russia has launched a full-scale military invasion into the country of Ukraine, and with that comes the increased risk of cyber-attacks across the globe. Over the last couple of weeks, we have seen many of these threats come to fruition as Ukrainian websites were defaced and taken offline. New strains of data-destroying malware were also found to be deployed on critical government systems. Below are some of the most current cyber incidents that are taking place as a result of recent Russian aggression.
More than 70 Ukrainian government websites have been defaced in cyberattacks (npr.org)
In a call conducted by Mary Louise Kelly, NPR’s cyber security correspondent Jenna McLaughlin detailed a series of cyber attacks that left about 70 Ukrainian government websites defaced. Hackers posted concerning messages in multiple languages telling viewers to be afraid and expect the worst. Jenna says these attacks are unsophisticated operations linked to a hacking group located in Russia and Belarus.
Ukrainian crisis: ‘Wiper’ discovered in latest cyber-attacks (bbc.com)
Late last week, BBC reported that while the websites of several Ukrainian banks and government offices became inaccessible, “wiper” malware was also being deployed on compromised systems. This malware aims to locate and destroy data residing on system drives. “ESET telemetry shows that the malware was installed on hundreds of machines in the country.”
Biden has been presented with options for massive cyberattacks against Russia (nbcnews.com)
Last Thursday, NBC News reported that President Biden had been presented with a menu of options for the United States to carry out impactful cyber attacks against Russia in response to its recent military action against Ukraine. Two U.S. intelligence officials say that while no final decision has been made, all options remain on the table. “You could do everything from slow the trains down to have them fall off the tracks,” one person briefed on the matter said.
Russian ransomware gang threatens countries that punish Moscow for Ukraine invasion (politico.com)
Last Friday, Politico reported that a Russian ransomware gang, Conti, was making threats to hack the critical infrastructure of any nation or organization that retaliates against Russia for its recent military operations in Ukraine. The Conti gang issued its full support for the Russian government. This group is well known for launching government-sponsored cyber attacks across the globe that have had devastating impacts.
Anonymous Hacking Group Declares “Cyber War” Against Russia (infosecurity-magazine.com)
The hacking group Anonymous has made it known that it will be launching a retaliatory cyber campaign against the Russian government following the special military operation launched by President Putin in Ukraine. A post on their official Twitter account last Thursday read, “The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine.” Shortly after this tweet was posted, the group claimed to have taken down multiple Russian government websites.
The United States government has issued strong warnings to organizations that reiterate the need to have a strong security posture during these times of uncertainty. nGuard account executives are ready to discuss any and all cyber security needs to help boost the readiness of your organization.
If you are not familiar with NSO Group, nGuard released a Security Advisory in August detailing the history of the NSO Group and their spyware platform, Pegasus. If you haven’t read the advisory, check it out here, or you can watch the summary video below:
In late November, Apple announced that it is suing the Israeli spyware firm NSO Group and its parent company OSY Technologies for targeting its users with their spyware. This is the second lawsuit against NSO Group, the first coming from Facebook, now owned by Meta, for targeting its users on the messaging application WhatsApp.
In addition to the lawsuit, which is seeking unspecified damages, Apple is requesting that NSO Group be banned from using Apple software, services, or devices. NSO Group created over 100 fake Apple IDs used to deploy its spyware Pegasus, which violates the iCloud terms of service. NSO Group still states that it only sells spyware to governments for lawful interceptions and says, “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers.” Although NSO Group states it has ethical purposes, evidence has shown otherwise and has led to the United States implementing sanctions and a blacklist on the company for enabling “transnational repression.”
Apple did release software updates to patch the vulnerabilities exploited by NSO Group and has not seen any indications of Pegasus or any other NSO tools being used against their latest software, iOS 15. Apple has strongly urged iOS users to upgrade to the latest version of software to protect themselves from these types of attacks.
Yesterday afternoon Bleeping Computer reported on a critical Windows zero-day affecting all flavors of Windows client and server operating systems. A flaw in Microsoft’s patch for CVE-2021-41379 led to a post-authentication privilege escalation vulnerability that allows an attacker to pivot from a standard user account to NT AUTHORITY\SYSTEM with ease. Considering that there is currently no patch, it is essential that organizations begin alerting on this before breaking for Thanksgiving. Inform yourself and your team by reviewing the materials below.
On Monday, CNN reported that nine organizations spread across multiple sectors have been breached by what is believed to be foreign hackers. Palo Alto made it known to CNN that organizations within health care, technology, education, defense, and energy had all been the target of recent security breaches. It is also being reported that officials from the NSA and CISA are actively tracking the threat and working to mitigate it.
By exploiting a vulnerability in ManageEngine ADSelfService Plus, which corporations utilize for password management, and stealing passwords from targeted organizations, attackers have been able to maintain persistent access to internal networks. This buys the attackers time to further their attack vectors and compromise more endpoints, as well as to compromise high-privilege accounts and increase their chances of accessing critical information. The official from Palo Alto who provided this information to CNN believes this is just the “tip of the spear” of the likely spying campaign being carried out by foreign adversaries.
While it is currently unknown who is responsible for this attack, Palo Alto is reporting that many of the tactics and toolkits discovered are consistent with a suspected Chinese hacking group. The NSA and CISA, when asked to comment on the likely identity of these hackers, declined to comment. Officials from Palo Alto are stressing that it is extremely important to stay on top of software updates. Attackers are exploiting well-known software vulnerabilities that could have been easily patched by the target organization. They are also encouraging organizations that utilize Zoho software to update their systems and search for signs of a potential breach.
Vulnerable software is one of the top things attackers look for when attempting to target an organization. Many times, these vulnerabilities and their corresponding exploits are widely known and easily preventable if you are aware of them. Conducting periodic penetration testing on both the external perimeter and the internal network can prevent these vulnerabilities from being present in your environment. Additionally, having vulnerability scans run on a regular basis can make you aware of these critical vulnerabilities so your security team can eliminate them from the environment.
The Open Web Application Security Project (OWASP) is a non-profit organization focused on improving the security of web application software. OWASP uses a community input model which welcomes input and contribution from the public. The Top 10 is a guidance document that ranks what the community believes are the ten most critical security risks that web applications face. Each risk is ranked in order of frequency discovered, severity of vulnerabilities, and potential impact.
OWASP recently released an update to its top 10 web application security threats for 2021. The last update to the list was in 2017, so this is something that was long overdue. With the ever-changing landscape in web application security, for 2021 OWASP has introduced 3 new categories, changed the names of categories, and consolidated a few items. OWASP stated this is to “focus on the root cause over the symptom.” Below is a summary of the changes.
The 3 new categories are:
- A04:2021- Insecure Design
- A08:2021- Software & Data Integrity Failures
- A10:2021- Server-Side Request Forgery (SSRF)
To update the Top 10, OWASP utilized data from researchers for 8 of the top 10 categories, and similar to 2017, included 2 from their community survey. Often, the data is a lagging indicator for the threats the community on the front lines sees as the top threats. These are threats that may never be reflected in the data. Certain threats will take time to fine tune a testing methodology and then more time to create a way to test against those threats in an automated fashion.
Each of the Top 10 categories lists a set of data factors; here is what they mean:
- CWEs Mapped: The number of CWEs mapped to a category by the Top 10 team.
- Incidence Rate: Incidence rate is the percentage of applications vulnerable to that CWE from the population tested by that organization for that year.
- Weighted Exploit: The Exploit sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalized, and placed on a 10pt scale.
- Weighted Impact: The Impact sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalized, and placed on a 10pt scale.
- (Testing) Coverage: The percentage of applications tested by all organizations for a given CWE.
- Total Occurrences: Total number of applications found to have the CWEs mapped to a category.
- Total CVEs: Total number of CVEs in the NVD DB that were mapped to the CWEs mapped to a category.
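To make the data factors above concrete, the following Python script computes Incidence Rate, (Testing) Coverage, Total Occurrences, Total CVEs and Weighted Exploit for two categories over a small constructed dataset. This is an added example, not OWASP's own tooling or data: the test records, the CVE ids, the CVE-to-CWE mapping and the CWE-to-category mapping are all made up for illustration, and the normalization (dividing each exploitability sub-score by the maximum of its CVSS version's scale before placing it on 10 points) is an assumed reading of "normalized, and placed on a 10pt scale", not OWASP's exact method.

```python
"""OWASP Top 10 data factors over a small constructed dataset.
Added example, not OWASP's own tooling or official data; every record,
CVE id and mapping below is constructed for illustration."""

# Constructed test records: one application tested by one organization in
# one year. "tested" = CWEs the assessment looked for, "found" = CWEs present.
TEST_RECORDS = [
    {"org": "OrgA", "year": 2021, "app": "a1", "tested": {"CWE-79", "CWE-89", "CWE-918"}, "found": {"CWE-79"}},
    {"org": "OrgA", "year": 2021, "app": "a2", "tested": {"CWE-79", "CWE-89", "CWE-918"}, "found": {"CWE-89", "CWE-918"}},
    {"org": "OrgA", "year": 2021, "app": "a3", "tested": {"CWE-79", "CWE-89"}, "found": set()},
    {"org": "OrgA", "year": 2021, "app": "a4", "tested": {"CWE-79", "CWE-89"}, "found": {"CWE-79"}},
    {"org": "OrgB", "year": 2021, "app": "b1", "tested": {"CWE-79", "CWE-89", "CWE-918"}, "found": {"CWE-918"}},
    {"org": "OrgB", "year": 2021, "app": "b2", "tested": {"CWE-79", "CWE-89", "CWE-918"}, "found": set()},
    {"org": "OrgB", "year": 2021, "app": "b3", "tested": {"CWE-79", "CWE-918"}, "found": {"CWE-79", "CWE-918"}},
    {"org": "OrgB", "year": 2020, "app": "b4", "tested": {"CWE-79", "CWE-89"}, "found": {"CWE-89"}},
]

# Assumed illustrative CWE-to-category mapping (a tiny subset, not the official list).
CATEGORY_CWES = {
    "A03:2021-Injection": {"CWE-79", "CWE-89"},
    "A10:2021-Server-Side Request Forgery (SSRF)": {"CWE-918"},
}

# Constructed stand-in for NVD data. Placeholder ids, not real CVEs.
CVE_CWES = {
    "CVE-0000-0001": {"CWE-79"},
    "CVE-0000-0002": {"CWE-89"},
    "CVE-0000-0003": {"CWE-918"},
    "CVE-0000-0004": {"CWE-79", "CWE-918"},
}
# CVE -> (CVSS version, exploitability sub-score), also constructed.
CVE_EXPLOIT = {
    "CVE-0000-0001": ("v3", 3.9),
    "CVE-0000-0002": ("v2", 10.0),
    "CVE-0000-0003": ("v3", 1.95),
    "CVE-0000-0004": ("v2", 5.0),
}
# Maximum exploitability sub-score of each CVSS version (v2: 10.0, v3: 3.9),
# used to put both on one 10-point scale. Assumed normalization, not OWASP's exact one.
EXPLOIT_SCALE_MAX = {"v2": 10.0, "v3": 3.9}


def cwes_mapped(category):
    """Number of CWEs mapped to the category."""
    return len(CATEGORY_CWES[category])


def incidence_rate(org, year, cwe, records=TEST_RECORDS):
    """Percentage of the applications one organization tested for a CWE in one
    year that were found vulnerable to it (denominator: apps tested for that CWE)."""
    tested = [r for r in records if r["org"] == org and r["year"] == year and cwe in r["tested"]]
    if not tested:
        return 0.0
    vulnerable = sum(1 for r in tested if cwe in r["found"])
    return 100.0 * vulnerable / len(tested)


def coverage(cwe, records=TEST_RECORDS):
    """Percentage of all applications, across all organizations, tested for a CWE."""
    return 100.0 * sum(1 for r in records if cwe in r["tested"]) / len(records)


def total_occurrences(category, records=TEST_RECORDS):
    """Applications found to have at least one CWE mapped to the category."""
    cwes = CATEGORY_CWES[category]
    return sum(1 for r in records if r["found"] & cwes)


def category_cves(category):
    """CVEs whose mapped CWEs intersect the category's CWEs."""
    cwes = CATEGORY_CWES[category]
    return sorted(cve for cve, mapped in CVE_CWES.items() if mapped & cwes)


def total_cves(category):
    return len(category_cves(category))


def weighted_exploit(category):
    """Mean exploitability sub-score of the category's CVEs, each first scaled
    to 10 points by dividing by its CVSS version's maximum (assumed method).
    Weighted Impact would be computed the same way from the impact sub-scores."""
    scores = []
    for cve in category_cves(category):
        version, sub = CVE_EXPLOIT[cve]
        scores.append(10.0 * sub / EXPLOIT_SCALE_MAX[version])
    return sum(scores) / len(scores) if scores else 0.0


def data_factors(category):
    """All factors this example can derive for one category."""
    return {
        "CWEs Mapped": cwes_mapped(category),
        "Max Coverage": max(coverage(c) for c in CATEGORY_CWES[category]),
        "Total Occurrences": total_occurrences(category),
        "Total CVEs": total_cves(category),
        "Weighted Exploit": round(weighted_exploit(category), 2),
    }


if __name__ == "__main__":
    for cat in CATEGORY_CWES:
        print(cat, data_factors(cat))
    print("OrgA 2021 CWE-79 incidence:", incidence_rate("OrgA", 2021, "CWE-79"))
```

Run as a script it prints the factors per category; the two organization-level functions show why Incidence Rate is defined per organization and year while Coverage is pooled across every contributing organization.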
If you need to assess one of your web applications against the new OWASP Top 10, nGuard’s web application penetration testing is driven by the OWASP Top 10 and all findings are issued with a correlation to the application item within the top 10. Identify your weak points using the industry standard for web application assessments today!