#SIEM

As the cyber landscape faces ever-growing cyber threats, critical infrastructure entities continue to be prime targets. This Security Advisory explores significant cyber incidents from breaches in U.S. water facilities to ransomware attacks on power generation and municipal water authorities. As these incidents unfold, the imperative for proactive cybersecurity measures becomes even more pronounced.

CISA Alert: Breach at U.S. Water Facility by Exploiting Unitronics PLCs

CISA’s alert revealed a concerning breach at a U.S. water facility, exposing vulnerabilities in Unitronics programmable logic controllers (PLCs). Despite quick action preventing harm to drinking water, the incident emphasizes the need for heightened security measures. Some of the highlights of the CISA Alert for system administrators are:

• Change all default passwords on PLCs and HMIs and use a strong password.
• Ensure the Unitronics PLC default password “1111” is not in use.
• Require multifactor authentication for all remote access to the Operational Technology (OT) network, including from the IT network and external networks.
  • Implement a Firewall/VPN in front of the PLC to control network access to the remote PLC.
  • Use an allowlist of IPs for access.
• If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC.
• Update PLC/HMI to the latest version provided by Unitronics.

nGuard’s services, such as a comprehensive device configuration audit, play a crucial role in securing critical devices within your infrastructure. By meticulously evaluating your assets against established benchmarks and industry-leading security practices, we ensure the elimination of insecure default settings. This meticulous process ensures that your baseline configuration aligns seamlessly with the highest security standards, enhancing the overall resilience of your system.

Iranian Cyber Av3ngers: Municipal Water Authority Breach

Iranian threat actors, identified as Cyber Av3ngers, breached the Municipal Water Authority of Aliquippa in Pennsylvania on November 25th. They gained control of a booster station, though the Authority emphasized that this did not impact the facility’s operations, water supply, or drinking water. Matthew Mottes, the chairman of the board, attributed the attack to Cyber Av3ngers, noting its immediate detection. The Pro-Palestine group targeted a system by Unitronics, the devices discussed in the CISA Alert mentioned earlier, with the attackers claiming to have accessed several SCADA systems at Israeli water facilities as well. Despite these claims, no serious damage has been reported from the attacks on the targeted facilities.

The ability to detect and alert on attacks like these depends on having well-managed endpoint detection and a SIEM to collect logs and correlate the activity within your network so you can react when the time is right.

Cyberattack on North Texas Municipal Water District: Daixin Team at Play

The North Texas Municipal Water District faced a cyberattack that disrupted its operations, including its phone system. The Daixin Team claimed responsibility for the attack and reportedly stole over 33,000 files containing customer information from the water utility, which serves two million people across 13 cities in North Texas. While the business network has mostly been restored, the phone system remains affected. The core water, wastewater, and solid waste services to member cities and customers have not been impacted.

If your organization finds itself in a situation where incident response services are needed like the North Texas Municipal Water District, nGuard’s Cyber Security Incident Response service can jump in and help you triage.

Ransomware Strikes Slovenian Power Generation: HSE Under Attack

Slovenian power generation company Holding Slovenske Elektrarne (HSE) experienced a ransomware attack on November 22, compromising its systems without affecting power production. Control was regained, and the attack contained by November 24. The National Office for Cyber Incidents and the Ljubljana Police Administration were notified, and HSE collaborated with third-party experts to mitigate the attack’s effects and prevent the spread of malware to other critical infrastructure systems in Slovenia. The Rhysida ransomware gang is suspected, although no ransom demand has been made. The disruption is limited to the Šoštanj Thermal Power Plants and the Velenje Coal Mine websites, with HSE officials asserting control over the situation.

In the face of escalating cyber threats against critical infrastructure, the recent incidents in the U.S. and Slovenia underscore the critical need for robust cybersecurity measures. CISA does offer free vulnerability scanning for water utilities, but if your organization is seeking a deeper evaluation, nGuard’s comprehensive services, including vulnerability management, incident response, and strategic assessments, offer a proactive defense against emerging threats. The uphill battle for strong, defense-in-depth cybersecurity requires constant vigilance, and nGuard stands ready to assist organizations in safeguarding your infrastructure and digital assets.