Security & Resilience Update | 9-8-23

Every organization is vulnerable to insider threats. As more organizations migrate their business operations to digital platforms, the risk of a compromise due to an insider threat will continue to grow. Research for the latest Data Breach Investigations Report from Verizon found that 74% of data breaches involved a human element, highlighting the enduring risk that both malicious and unintentional insiders pose.
According to the cybersecurity firm Tessian, insider threat incidents increased by 47% between 2018 and 2020. Water and wastewater utilities, specifically, have experienced multiple insider threat incidents over the past few years, such as the incident in Kansas where a former employee pleaded guilty to unauthorized computer access with intent to harm. This summer, a former water utility employee was charged with allegedly accessing the utility's network, uninstalling the main operational and monitoring system for the water treatment plant, and then shutting down the servers running those systems, creating a threat to public health and safety. In both cases the common thread is a former employee whose access outlived their employment. With September also being National Insider Threat Awareness Month, now is the time for organizations to assess their risk and implement an effective insider threat program. Proofpoint classifies insider threats as careless insiders, malicious insiders, and compromised insiders (legitimate accounts taken over by an outside actor). Despite the differences, an effective insider threat management program will help mitigate all three.
The best defense against an insider threat is a formal insider threat program. Some important considerations for managing insider threats include fostering a more open work environment, particularly employing positive incentives over negative ones. For instance, researchers at Carnegie Mellon University recommend that organizations leverage positive-incentive-based organizational practices centered on increasing job engagement, perceived organizational support, and connectedness at work. In addition, leaders throughout an organization should be trained to recognize the factors that put employees at risk of becoming an insider threat. More often than not, leaders are best positioned to spot and help struggling employees before they become an intentional or unintentional insider threat. Implementing frequent user awareness training is also an important consideration; treating training as a process rather than a single event helps socialize the expectations for managing insider threats throughout the organization. Additionally, the program should include strict identity and access management policies (including prompt deprovisioning when employees leave or change roles), regular account auditing, and established processes and procedures for collecting and monitoring employee data and activity. Read more at Proofpoint or at Forcepoint.
CISA has released actionable guidance for Federal Civilian Executive Branch (FCEB) agencies to help them evaluate and mitigate the risk of volumetric distributed denial-of-service (DDoS) attacks against their websites and related web services. The Capacity Enhancement Guide: Volumetric DDoS Against Web Services Technical Guidance:
- Helps agencies prioritize DDoS mitigations based on mission and reputational impact.
- Describes DDoS mitigation services so agencies can make risk-informed tradeoff decisions on how to use available resources most effectively.
Although the guide is written for federal agencies, its prioritization approach and mitigation-service comparison apply equally to utilities, and members are encouraged to review it. Read more at CISA.
Group-IB has posted a blog discussing its research into W3LL, a mature, phishing-focused threat actor that has developed and is selling a phishing kit capable of bypassing MFA.
Group-IB's researchers have observed W3LL's underground store, which has over 500 active users who can buy 16 regularly updated custom tools covering every stage of a business email compromise (BEC) attack. W3LL tools are largely used to target victims in the United States, Australia, and the UK, with the most targeted industries being manufacturing, IT, and financial services. The report describes each of the tools on offer, as well as how they might be chained together in an example attack. Read more at Group-IB.
The Cybersecurity and Infrastructure Security Agency (CISA) has released an update to a previously published Cybersecurity Advisory (CSA), Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells. The updated CSA contains victim information gathered in August 2023. CISA strongly urges all critical infrastructure organizations to review the advisory and follow the mitigation recommendations, such as prioritizing patching of known exploited vulnerabilities like Citrix CVE-2023-3519. Read more at CISA.
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:
ICS Vulnerability Advisories:
CISA Releases Four Industrial Control Systems Advisories
These products are used across multiple sectors; check the latest advisories for specific equipment used in your ICS environments and address any affected systems accordingly.
- Dover Fueling Solutions MAGLINK LX Console
- Phoenix Contact TC ROUTER and TC CLOUD CLIENT
- Socomec MOD3GP-SY-120K
- Delta Electronics CNCSoft-B DOPSoft (Update)
Alerts, Updates, and Bulletins:
- CISA, FBI, and CNMF Release Advisory on Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
- Cisco Releases Security Advisories for Multiple Products
- CISA Releases Update to Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
- CISA Releases Capacity Enhancement Guide to Strengthen Agency Resilience to DDoS Attack
- CISA Adds One Known Vulnerability to Catalog
The following posts are useful for general awareness of current threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.
Critical Infrastructure Vulnerabilities & Resilience
- Eight vulnerabilities in Open Automation Software Platform could lead to information disclosure, improper authentication (Talos Intelligence)
- Cybersecurity Builds Trust in Critical Infrastructure (Dark Reading)
- Feds seek industry guidance on protecting, fostering critical technologies (SC Media)
- Get Ready for Dragos Industrial Security Conference (DISC) 2023 (Dragos)
- The Power of Building Management System (BMS) Cybersecurity (Claroty)
- You’re ready for the new SEC cybersecurity rules. Have you included your OT? (Cisco)
- New Armis data discloses riskiest connected assets introducing threats to global businesses (Industrial Cyber)
- MITRE, CISA publish open-source MITRE Caldera for OT plugins, supporting common industrial protocols (Industrial Cyber)
- Ukraine’s CERT discloses cyberattack on critical energy infrastructure by APT28 hacker group (Industrial Cyber)
IT Malware & Threats
- New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs (Hackread)
- Hackers stole Microsoft signing key from Windows crash dump (Bleeping Computer)
- Information disclosure through insecure design (Pen Test Partners)
- Cybercrime Tremors: Experts Forecast Qakbot Resurgence (Data Breach Today)
- It's a Zero-day? It's Malware? No! It's Username and Password (The Hacker News)
- Your non-employee “identity junk drawer” could lead to major security issue (SC Media)
IT Vulnerabilities
- A Vulnerability in Cisco BroadWorks Application Delivery Platform and Xtended Services Platform Could Allow for Arbitrary Code Execution (CIS)
- Dozens of Unpatched Flaws Expose Security Cameras Made by Defunct Company Zavio (Security Week)
Ransomware Resilience
Cyber Resilience & General Awareness
- Securing Your Legacy: Identities, Data, and Processes (Dark Reading)
- FAIR: A Framework for Revolutionizing Your Risk Analysis (CIS)
- Nudging Minds, Enhancing Defenses: 4 Ways to Unleash the Power of Nudge Theory in Security Awareness (Proofpoint)
- Easterly: CISA wrapping up cyber incident reporting rule (The Record)
Insider Threats (September is Insider Threat Awareness Month)
Technical Posts (for security analysts, sysadmins, and other nerds)
- Wrong system time and insecure Secure Time Seeding (Kaspersky)
- Steal-It Campaign (Zscaler)
- Creative Process Enumeration (TrustedSec)
- Security Relevant DNS Records (SANS Internet Storm Center)
- Analysis of a Defective Phishing PDF (SANS Internet Storm Center)