| Target: Water Utilities Water Utilities play a critical role in our society. They provide fresh, potable water to residents, businesses and industry as well as manage the wastewater from them. As with other utilities and critical infrastructure, they are increasingly a target for hackers, terrorists, and hostile nation states. A successful hack can contaminate the fresh water supply, impair availability or cause an environmental disaster. It’s a direct risk to the health of the local population and supply chains which depend on readily available fresh water and wastewater management. Becoming a Hard Target Managing the risks isn’t trivial, but it’s not rocket science either –the science of cyber security has greatly matured over the past 20 years. The following 5 steps are key to a water utility becoming a hard target that is resistant to cyberattacks. Assess your overall cyber security program. Test your organization’s current readiness to cyber attacks on an annual basis by assessing both your external perimeter and your internal networks. Make sure you include both the IT and the OT (SCADA) sides of the house. Perform ongoing vulnerability management throughout the year. Make sure you have someone watching for suspicious security events. Lastly, make sure you have a Cyber Security Incident Response (CSIR) program in place. Because a cyber security incident is a question of when, not if, you must have a plan in place before it happens. Strength In Numbers Recognizing the critical importance of the water supply, leading water associations in the U.S., along with the U.S. federal government, have become increasingly organized in the defense of this essential infrastructure. A key part of this organization has been the formation of the Water Information Sharing and Analysis Center (WaterISAC). Authorized by the United States’ 2002 Bioterrorism Act, the WaterISAC is the key security information source for all threats impacting water and wastewater systems. In support of their mission, they have developed the 15 Cybersecurity Fundamentals for Water & Wastewater Utilities. As part of their ongoing education and outreach, WaterISAC recently invited nGuard to speak about some of these key cybersecurity concepts at an association meeting. You can watch this webinar below. |
Compliance
Russia has launched a full-scale military invasion into the country of Ukraine and with that comes the increased risk of cyber-attacks across the globe. Over the last couple weeks, we have seen many of these threats come to fruition as Ukrainian web sites were defaced and taken offline. New strains of data-destroying malware were also found to be deployed on critical government systems. Below are some of the most current cyber incidents that are taking place as a result of recent Russian aggression.
More than 70 Ukrainian government website have been defaced in cyberattacks (npr.org)
In a call conducted by Mary Louise Kelly, NPR’s cyber security correspondent Jenna McLaughlin detailed a series of cyber attacks that left about 70 Ukrainian government websites defaced. Hackers posted concerning messages in multiple languages telling viewers to be afraid and expect the worst. Jenna says these attacks are unsophisticated operations linked to a hacking group located in Russia and Belarus.
Ukrainian crisis: ‘Wiper’ discovered in latest cyber-attacks (bbc.com)
Late last week, BBC reported that while the websites of several Ukrainian banks and government offices became inaccessible, “wiper” malware was also being deployed on compromised systems. This malware aims to locate and destroy data residing on system drives. “ESET telemetry shows that the malware was installed on hundreds of machines in the country.”
Biden has been presented with options for massive cyberattacks against Russia (nbcnews.com)
Last Thursday, NBC News reported that President Biden had been presented with a menu of options for the United States to carry out impactful cyber attacks against Russia in a response to their recent military action against Ukraine. Two U.S. intelligence officials say that while no final decision has been made, all options remain on the table. “You could do everything from slow the trains down to have them fall off the tracks,” one person briefed on the matter said.
Russian ransomware gang threatens countries that punish Moscow for Ukraine invasion (politico.com)
Last Friday, Politico reported that a Russian ransomware gang, Conti, was making threats to hack the critical infrastructure of any nation or organization that retaliates against Russia for its recent military operations in Ukraine. The Conti gang issued its full support for the Russian government. This group is well known for launching government sponsored cyber attacks across the globe that have had devastating impacts.
Anonymous Hacking Group Declares “Cyber War” Against Russia (infosecurity-magazine.com)
The hacking group Anonymous has made it known that they will be launching a retaliatory cyber campaign against the Russian government following the special military operation launched by President Putin in Ukraine. Posted on their official Twitter account last Thursday read “The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine.” Shortly after this tweet was posted, the group claimed to have taken down multiple Russian government websites.
The United States government has issued strong warnings to organizations that reiterate the need to have a strong security posture during these times of uncertainty. nGuard account executives are ready to discuss any and all cyber security needs to help boost the readiness of your organization.
NSO Group continues to stay at the top of the headlines as 2022 carries on. There have been 3 noteworthy updates since the last nGuard Security Advisory, let’s look into each. If you haven’t seen the prior Security Advisories covering the NSO Group they can be found here, here, and a video summary here.
FBI discloses it tested the Pegasus spyware in 2019
Earlier this month, the FBI and the Justice Department confirmed they had tested Pegasus but stated it had not been deployed for use in any of their investigations. The FBI stated, “The FBI works diligently to stay abreast of emerging technologies and tradecraft — not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties,” the statement said. “That means we routinely identify, evaluate, and test technical solutions and problems for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands. There was no operational use in support of any investigation, the FBI procured a limited license for product testing and evaluation only.” The NSO Group has since been blacklisted from the United States, however The New York Times reported the FBI ran up roughly $5 million in charges in its contract with the NSO Group prior to this occurring.
Although the NSO Group has stated they cannot deploy their software Pegasus against U.S. based phones with a +1 number, they have created another product called Phantom which allows the monitoring of those types of numbers. A company called Westbridge, NSO’s North American branch, was handing out this brochure to law enforcement for Phantom. It looks very similar to the one leaked for Pegasus when this story originally broke last year.
NYPD Received Demo of Pegasus
The NYPD intel group was in communication to receive a demo of the Pegasus software, as seen in the email below courtesy of Motherboard. This is a very similar brochure the FBI received from Westbridge.
The email came from James Sheehan who is a program manager for Northern New Jersey-Newark and Jersey City Urban Area Security Initiative, which is administered by the United States Department of Homeland Security (DHS). Others that were invited to attend the demonstration were Bergen County Prosecutor’s Office, Jersey City’s public safety agency, and the Paterson Police Department. The NYPD has not responded to these revelations, so it is still unknown if they took any steps to acquire the Pegasus software.
The Israeli Government Announced its Investigation into Domestic Use of Pegasus
As more and more eyes have focused on the NSO Group, Israel has announced they are investigating reports of the Israeli police illegally using Pegasus against its own citizens without a court order. One individual that has been reported to have been spied on is a witness in the trial of former Israeli Prime Minister Benjamin Netanyahu. Pegasus continues to draw negative attention and is being labeled as a “threat to democracy” with Aylet Shaked, a cabinet minister, saying, “I am shocked,” she added. “I cannot believe this is my country.”
The police in Israel have been using Pegasus since 2015 and deployed it on over 100 phones each year since. In a list recently revealed, it seems as if nobody was immune. The list includes protesters, Ministry CEOs, and journalists. It was also used to determine witness credibility. When the news about Pegasus initially broke last year we discovered Pegasus was used on all types of individuals throughout the world, but nobody knew it was used domestically in Israel against its own people.
Threats Are on The Rise
As tensions rise on the border separating Russia and its south-west neighbor Ukraine, threats of cyber attacks have the Western World on edge. There have been nearly 500 documented cyber-attacks impacting the geopolitical landscape around the globe since 2009, with approximately 30% originating from Russia or China. History shows us that Russia has found success in launching cyber attacks against nations it feels “threaten their long-term national security.” On January 23rd, 2022, the Department of Homeland Security (DHS) released a memo stating “Russia maintains a range of offensive cyber tools that it could employ against US networks—from low-level denials-of-service to destructive attacks targeting critical infrastructure.”
History of Conflict
Since the 2014 annexation of Crimea by the Russian Federation, cyberattacks have been a recurring militaristic theme in this conflict. In December 2015, Russian hackers exploited vulnerabilities in three Ukrainian energy distribution companies, disrupting the electricity supply for over 230,000 Ukrainians. The complex cyberattacks followed a similar exploit path that we see utilized by adversaries to this day. Social engineering campaigns were followed by the seizing of Supervisory Control And Data Acquisition (SCADA) systems, resulting in denial of service attacks on call centers, the destruction and encryption of critical file servers, and the disablement of OT infrastructure components.
Current Conflict
In 2022, it seems that the Kremlin is more than ready to use the same cyber tactics that led to the successful annexation of Crimea in 2014. On January 15th, 2022 Microsoft reported that dozens of Ukrainian government agencies had fallen victim to a website defacement attack. The message on the affected websites read “be afraid and expect the worst.”
Russia is suspected of using similar tactics to launch “false-flag” operations that are intended to stir up domestic tension in Ukraine and/or cast blame on Ukraine for the conflict. U.S. and international information security teams are ramping up preparations for any possible scenario as diplomatic negotiations continue.
Preventative Measures
The continued discovery of critical vulnerabilities that affect internet-facing systems (see Log4j) requires organizations to conduct ongoing vulnerability scanning and penetration testing to ensure attackers can’t gain a foothold on internal networks. By incorporating internal security awareness training and table-top exercises, standard employees and information security teams can be prepared for any scenario. As a leading provider of cyber security services, nGuard is ready to discuss your organization’s needs and help implement protective measures.
Overview
On December 10th, 2021, CVE-2021-44228 (Log4Shell) was released affecting the Log4j Java logging framework. This vulnerability received the highest possible CVSS score of 10 out of 10. There have been three other vulnerabilities released related to Log4j since then, but the original is the most critical by far. Initially discovered by Chen Zhaojun, who works for Alibaba’s security team, back on November 24th, 2021 which was the privately disclosed to Apache. The risk of this vulnerability is so severe, as a precautionary measure, Canada shut down 4,000 government sites. Since the public release there has been reports of millions of attempts to exploit the vulnerability across the world, but as of January 10th, CISA stated they have not seen any significant intrusions related to Log4j.
So, what is Log4j, what makes it so vulnerable, and how do you exploit it?
Log4j is a piece of software, which most surprisingly is developed and maintained by a group of volunteers, that was coded in Java and logs activity of users on computers. An example of activity that is captured and logged would be navigating to a nonworking link on a web page and receiving a 404 error. Log4j is also used for diagnostic messages in software such as amount of memory being used and user commands entered. The logging of this information isn’t the issue, it’s the fact that the code actively interprets the activity that it is logging, meaning that remote code can be executed. Within Log4j there is a feature called Java Naming Directory Interface (JNDI) that allows commands to be run that are wrapped in ${…}. This feature allows live lookups both inside and outside of your network. With this correct sequence of input, this feature can be used to place malware on the server and have full remote code execution on the host. An example input would reach out to an attacking machine IP on port 9999 and download the malware file that is being hosted.
Products affected
At this time, it’s almost safe to assume that all products are affected as Log4j has been discovered to be deeply embedded in so many pieces of software, even to some that were not aware of its existence. Popular products like Minecraft, Apple’s iCloud, AWS, the NSA’s reverse engineering tool Ghidra, and the list goes on. CISA continues to update their GitHub with a list of known products to be affected.
Detection & Patching
To discover what systems to patch, here are a few steps to take:
- Identify any internet facing assets.
- Use authenticated vulnerability scanning to detect devices that have been impacted.
- If you have an endpoint detection and response (EDR) system, you can use that to search for Log4j files.
- Determine the version of Log4j being used. Version 2.0 to 2.14.1 are the versions that are vulnerable.
- Update to the current version 2.17.1.
- Repeat the above steps on internal IT and OT systems.
To prevent Log4j from being exploited, there are a few steps to take.
- Search logs for IPs that have known to be scanning for the vulnerability and add them to your block list. A running list of known IPs can be found here.
- Block a list of IPs that have been used to host a malicious payload to execute the vulnerability.
- Review the list of IOCs being updated by Microsoft.
- Review the additional list of IOCs being updated by the Curated Intelligence Trust Group.
Additional links
There have been many articles and resources that have been published since the release of this vulnerability, so in addition to the links in this Security Advisory, nGuard wanted to provide a few additional for further reading.
- If you want to try and exploit the vulnerability yourself, John Hammond and TryHackMe have created a room for you to do so. https://tryhackme.com/room/solar
- A Growing List of Tenable Nessus Plugins being release for detection of Log4j. https://community.tenable.com/s/article/Plugins-associated-with-CVE-2021-44228-Log4Shell
- The team at Huntress has had great coverage and updates, including an open-source tool to help detect the vulnerability. https://log4shell.huntress.com/
- The National Cyber Security Centrum (NCSC-NL) has been maintaining another GitHub repository with a list of information for hunting, IOCs, detection and mitigation, scanning, and vulnerable software. https://github.com/NCSC-NL/log4shell
- CISA Released an open-source Log4j Scanner. https://github.com/cisagov/log4j-scanner
If you feel you need assistance with the detection of vulnerable Log4j instances, have discovered a Log4j related incident, or need general security services related to this vulnerability or anything else, reach out to nGuard. nGuard offers Log4j scanning, consulting services, log management and event collection, and penetration testing services.
If you are not familiar with NSO Group, nGuard released a Security Advisory in August detailing the history of the NSO Group and their spyware platform, Pegasus. If you haven’t read the advisory, check it out here, or you can watch the summary video below:
In late November, Apple announced that it is suing the Israeli spyware firm NSO Group and its parent company OSY Technologies for targeting its users with their spyware. This is the second lawsuit against NSO Group with the first coming from Facebook, now owned by Meta, for targeting its users on the message application WhatsApp.
In addition to the lawsuit, which is seeking unspecified damages, Apple is requesting the NSO Group be banned from using Apple software, services, or devices. NSO Group created over 100 fake Apple IDs used to deploy their spyware Pegasus, which violates the iCloud terms of service. NSO Group still states they only sell spyware to government for lawful interceptions and says, “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers.” Although the NSO group states it has ethical purposes, evidence has shown otherwise and has led to the United States implementing sanctions and a blacklist on them for enabling “transnational repression.”
Apple did release software updates to patch the vulnerabilities exploited by NSO Group and has not seen any indications of Pegasus or any other NSO tools being used against their latest software, iOS 15. Apple has strongly urged iOS users to upgrade to the latest version of software to protect themselves from these types of attacks.
