Security & Resilience Update | 9-5-23

Cybersecurity
Security Awareness – Smishing Campaign Targeting U.S. Citizens in Postal Scam

A group of cyber criminals, tracked as “Smishing Triad,” is conducting a large-scale smishing (SMS phishing) campaign targeting U.S. citizens and purporting to be from the United States Postal Service (USPS), according to security researchers at Resecurity. Since users typically trust SMS communication channels more than e-mail, this campaign has reportedly compromised over 100,000 victims.

According to security researchers, Smishing Triad’s latest campaign targeting U.S. users is unique because the victims were contacted solely through iMessages delivered from compromised Apple iCloud accounts. The message, purporting to be from USPS, urges victims to click the link and enter their information so they can receive their package. In reality, the threat actors collect the victims’ personally identifiable information (PII) and financial information to use for fraud and other malicious activities. Researchers previously observed similar scams targeting FedEx and UPS customers. Smishing Triad has also sold a range of country-specific postal service “smishing kits” to other cybercriminals. When the Resecurity team analyzed the kits, they discovered an SQL injection vulnerability, which they used to recover the compromised data of more than 108,000 Smishing Triad victims.

Water and wastewater systems continue to experience phishing and smishing attacks. WaterISAC has received reports this year of utilities being targeted in smishing attacks, with one case involving a spoofed text message purporting to be from a financial institution. In this instance, the utility notified its employees of the threat and submitted a report to WaterISAC to ensure others in the sector would be aware of the malicious activity.

Members are encouraged to report suspicious or criminal activity, including smishing attempts, to their local FBI field office. WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email analyst@waterisac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form. Reporting to WaterISAC helps utilities and stakeholders stay aware of the sector’s threat environment. Access the original blog post at Resecurity or read a related article.

MSSQL Attack Demonstrates Advanced Attack Chain In Deploying FreeWorld Ransomware

Securonix has written a blog post describing an observed brute-force attack against Microsoft SQL servers to deploy Cobalt Strike and FreeWorld ransomware. The organization’s researchers found this attack interesting due to the relative sophistication of its tooling, infrastructure, and payloads.

Though brute-force techniques were used to discover the credentials for the servers, once inside, the attackers used a variety of techniques to perform reconnaissance and establish a robust persistent presence. The blog goes into detail on each step of the attack chain and provides suggested mitigations for MSSQL attacks, including limiting the use of ‘xp_cmdshell’ and increasing monitoring of directories commonly used to stage malware. Read more at Securonix.
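The two detection points above (repeated failed logins before the compromise, and enabling of ‘xp_cmdshell’ afterwards) both leave traces in the SQL Server ERRORLOG. The following is an added example written for this update, not code from Securonix or the original post: it parses a constructed set of ERRORLOG-style lines, flags any client address whose failed-login rate exceeds a threshold inside a sliding window, and separately flags a configuration change that turns ‘xp_cmdshell’ on. The sample lines, the threshold and the window length are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines shaped like SQL Server ERRORLOG entries (not data from
# the Securonix write-up): six failed logins from one client in under a minute,
# a configuration change enabling xp_cmdshell, and one stray failure from another client.
SAMPLE_ERRORLOG = """\
2023-09-05 10:21:33.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-05 10:21:33.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-05 10:21:34.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-05 10:21:34.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-05 10:21:35.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-05 10:22:01.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-09-05 10:23:10.55 spid56      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-05 10:30:00.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Failed-login line: timestamp, "Logon" source, user name and the client address.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

# sp_configure change line: timestamp, any source (spidNN), option name, old and new value.
CONFIG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+\S+\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, client_ip) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["user"], m["ip"]))
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag client addresses with >= threshold failures inside any sliding window.

    Returns {ip: {"peak_attempts": n, "users": [names tried]}} for flagged clients.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        peak, start = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {
                "peak_attempts": peak,
                "users": sorted({u for _, u in attempts}),
            }
    return alerts


def find_dangerous_config_changes(text, watched=("xp_cmdshell",)):
    """Return (timestamp, option, old, new) for watched options switched to non-zero."""
    hits = []
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if m and m["opt"] in watched and m["new"] != "0":
            hits.append((m["ts"], m["opt"], m["old"], m["new"]))
    return hits


if __name__ == "__main__":
    failures = parse_failed_logins(SAMPLE_ERRORLOG)
    for ip, info in find_brute_force(failures).items():
        print(f"brute-force suspect {ip}: {info['peak_attempts']} failures, users {info['users']}")
    for ts, opt, old, new in find_dangerous_config_changes(SAMPLE_ERRORLOG):
        print(f"{ts}: '{opt}' changed {old} -> {new}")
```

In production the same two functions would read the live ERRORLOG (or the equivalent Windows Application event log entries) rather than the embedded sample, and the threshold and window would be tuned to the server’s normal login volume; the ‘xp_cmdshell’ check is worth keeping even where the option is supposed to stay disabled, since a change from 0 to 1 is exactly the step an intruder needs before running operating-system commands from SQL.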

54 Percent of Executives Say Inappropriate Non-Employee Access Management Caused Security Issues

SC Media has written an article discussing the risks of not properly administering and updating an organization’s non-employee identity management systems.

Many companies issue identities to non-employees, such as contractors, and to non-human entities, such as a specific application that needs access to data. However, 54 percent of executives have observed severe security issues, including data loss and security breaches, as a result of providing access to non-employees and non-humans. This statistic demonstrates that many organizations are not granting these categories access to their networks in a safe and secure manner. The article recommends that organizations reassess their current processes for provisioning identities and determine how to keep these databases updated and regularly pruned. Read more at SC Media.

Cyber Resilience – How to Detect and Defend Against Phishing Emails

Phishing continues to be one of the primary methods of attacks used by cyber criminals. Proofpoint’s latest “State of the Phish” report found that 84% of organizations around the world experienced at least one successful phishing attack in 2022. More than half (54%) of organizations reported facing three or more of these attacks.

Since phishing remains a relatively cost-free method of attack, threat actors continue to evolve their methods by inventing new techniques to bypass security controls. Some evolving phishing tactics include multi-factor authentication (MFA) phishing, telephone-oriented attack delivery (aka callback phishing), and generative AI (chatbot) phishing. Regarding generative AI, threat actors could use AI-powered chatbots to improve the credibility and quality of their phishing emails. Furthermore, since people are the primary target of these evolving phishing attacks, organizations should ensure their employees understand the threat landscape by conducting regular security awareness training. Proofpoint has compiled a quick list of do’s and don’ts for employees to detect and avoid phishing emails.

Do:

  • Report anything suspicious
  • Validate the sender’s email address
  • Beware of urgent language
  • Confirm the request via another channel
  • Open a new window to access the official website

Don’t:

  • Be so quick to reply
  • Trust the display name
  • Give up personal or company information
  • Click on unexpected URLs or attachments
  • Believe everything you see

Read more at Proofpoint.

CISA ICS Vulnerability Advisories and Alerts, Updates, and Bulletins – September 5, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:

ICS Vulnerability Advisories:

CISA Releases Two Industrial Control Systems Advisories

These products are used across multiple sectors; please check the latest advisories for specific equipment used in your ICS environments and address any findings accordingly.

  • Fujitsu Limited Real-time Video Transmission Gear "IP series"
  • (Other advisory for medical device)

Alerts, Updates, and Bulletins:

Supplemental Cyber Highlights – September 5, 2023

The following posts are useful for general awareness of current threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.

Critical Infrastructure Resilience

IT Vulnerabilities & Threats

Ransomware Awareness

Cyber Resilience & General Awareness