Security & Resilience Update | 9-5-23
A group of cyber criminals, tracked as “Smishing Triad,” is conducting a large-scale smishing (SMS phishing) campaign targeting U.S. citizens and purporting to be from the United States Postal Service (USPS), according to security researchers at Resecurity. Since users typically trust SMS communication channels more than e-mail, this campaign has reportedly compromised over 100,000 victims.
According to security researchers, Smishing Triad’s latest campaign targeting U.S. users is unique because the victims were contacted solely through iMessages delivered from compromised Apple iCloud accounts. The message, purporting to be from USPS, urges victims to click the link and enter their information so they can receive their package. In reality, the threat actors collect the victims’ personal identifiable information (PII) and financial information to use for fraud and other malicious activities. Researchers previously observed similar scams targeting FedEx and UPS customers. Smishing Triad has also sold a range of country-specific postal service “smishing kits” to other cybercriminals. When the Resecurity team analyzed the kits, they discovered an SQL injection vulnerability, which they used to recover the compromised data of more than 108,000 Smishing Triad victims.
Water and wastewater systems continue to experience phishing and smishing attacks. WaterISAC has received reports this year of utilities being targeted in smishing attacks, with one case involving a spoofed text message purporting to be from a financial institution. In this instance, the utility notified its employees of the threat and submitted a report to WaterISAC to ensure others in the sector would be aware of the malicious activity.
Members are encouraged to report suspicious or criminal activity, including smishing attempts to their local FBI field office. WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email email@example.com, call 866-H2O-ISAC, or use the confidential online incident reporting form. Reporting to WaterISAC helps utilities and stakeholders stay aware of the threat environment of the sector. Access the original blog post at Resecurity or read a related article.
Securonix has written a blog post describing an observed brute-force attack against Microsoft SQL servers to deploy Cobalt Strike and FreeWorld ransomware. The organization’s researchers found this attack interesting due to the relative sophistication of its tooling, infrastructure, and payloads.
Though brute-force techniques were used to discover the credentials for the servers, once inside, the attackers used a variety of techniques to perform reconnaissance and establish a robust persistent presence. The blog goes into detail for each step of the attack chain, as well as provides suggested mitigations for MSSQL attacks, including limiting the use of ‘xp_cmdshell’ and increasing monitoring of directories commonly used to stage malware. Read more at Securonix.
SC Media has written an article discussing the risks of not properly administering and updating an organization’s non-employee identity management systems.
Many companies provide identities to non-employees, such as contractors and non-humans, including for a specific application that needs data. However, 54 percent of executives have observed severe security issues, including data loss and security breaches, as a result of providing access to non-employees and non-humans. This statistic demonstrates many organizations are not providing these categories with access to their networks in a safe and secure manner. The article recommends organizations consider reassessing their current processes for providing identities and determining how to keep these databases updated and regularly pruned. Read more at SC Media.
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:
ICS Vulnerability Advisories:
Products are used across multiple sectors, please check these latest advisories for specific equipment used across your ICS environments and address accordingly.
- Fujitsu Limited Real-time Video Transmission Gear "IP series"
- (Other advisory for medical device)
Alerts, Updates, and Bulletins:
The following posts are useful for general awareness of current threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.
Critical Infrastructure Resilience
- Nozomi finds vulnerabilities in SEL software applications used in engineering workstations (Industrial Cyber)
- The Essential Guide to the NIST SP 800-82 document (Industrial Cyber)
- Securing the future: Safeguarding cyber-physical systems (CSO Online)
- A Brief History of ICS-Tailored Attacks (Dark Reading)
IT Vulnerabilities & Threats
- Exploit released for critical VMware SSH auth bypass vulnerability (Bleeping Computer)
- Okta: Hackers target IT help desks to gain Super Admin, disable MFA (Bleeping Computer)
- Chrome extensions can steal plaintext passwords from websites (Bleeping Computer)
- What's in a NoName? Researchers see a lone-wolf DDoS group (The Record)
- How attackers exploit QR codes and how to mitigate the risk (CSO Online)
- Why is .US Being Used to Phish So Many of Us? (Krebs on Security)
- Prompt injection could be the SQL injection of the future, warns NCSC (Malwarebytes)
Cyber Resilience & General Awareness
- House cyber committee chair seeks update from CISA on info-sharing relationships (SC Media)
- How companies can get a grip on ‘business email compromise’ (Check Point)
- Understand the fine print of your cyber insurance policies (Help Net Security)
- Data Protection Best Practices (Mandiant)
- Revisiting Traditional Security Advice for Modern Threats (Mandiant)
- Supply chain related security risks, and how to protect against them (Malwarebytes)
- How to stop your site from being a partner in crime (Kaspersky)
- 2023 Cost of a Data Breach: Key Takeaways (Tripwire)