Security & Resilience Update | 9-5-23

A group of cyber criminals, tracked as “Smishing Triad,” is conducting a large-scale smishing (SMS phishing) campaign targeting U.S. citizens and purporting to be from the United States Postal Service (USPS), according to security researchers at Resecurity. Since users typically trust SMS communication channels more than e-mail, this campaign has reportedly compromised over 100,000 victims.
According to security researchers, Smishing Triad’s latest campaign targeting U.S. users is unique because the victims were contacted solely through iMessages delivered from compromised Apple iCloud accounts. The message, purporting to be from USPS, urges victims to click the link and enter their information so they can receive their package. In reality, the threat actors collect the victims’ personally identifiable information (PII) and financial information to use for fraud and other malicious activities. Researchers previously observed similar scams targeting FedEx and UPS customers. Smishing Triad has also sold a range of country-specific postal service “smishing kits” to other cybercriminals. When the Resecurity team analyzed the kits, they discovered an SQL injection vulnerability, which they used to recover the compromised data of more than 108,000 Smishing Triad victims.
Water and wastewater systems continue to experience phishing and smishing attacks. WaterISAC has received reports this year of utilities being targeted in smishing attacks, with one case involving a spoofed text message purporting to be from a financial institution. In this instance, the utility notified its employees of the threat and submitted a report to WaterISAC to ensure others in the sector would be aware of the malicious activity.
Members are encouraged to report suspicious or criminal activity, including smishing attempts, to their local FBI field office. WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email analyst@waterisac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form. Reporting to WaterISAC helps utilities and stakeholders stay aware of the sector’s threat environment. Access the original blog post at Resecurity or read a related article.
Securonix has written a blog post describing an observed brute-force attack against Microsoft SQL servers to deploy Cobalt Strike and FreeWorld ransomware. The organization’s researchers found this attack interesting due to the relative sophistication of its tooling, infrastructure, and payloads.
Though brute-force techniques were used to discover the credentials for the servers, once inside, the attackers used a variety of techniques to perform reconnaissance and establish a robust persistent presence. The blog goes into detail for each step of the attack chain and provides suggested mitigations for MSSQL attacks, including limiting the use of ‘xp_cmdshell’ and increasing monitoring of directories commonly used to stage malware. Read more at Securonix.
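The xp_cmdshell mitigation mentioned above, shown as T-SQL a database administrator can run to audit and correct the setting. This is an added example, not code from the Securonix post; it assumes a session with sysadmin (or ALTER SETTINGS) permission on a supported Microsoft SQL Server instance, and uses only standard catalog views and system procedures.

```sql
-- Added example (not from the Securonix post): audit and disable xp_cmdshell,
-- then check the exposure of the built-in 'sa' login that brute-force tooling targets.
-- Assumes the session holds sysadmin rights on the instance.

-- 1. Current state. value_in_use = 1 for xp_cmdshell is the weak setting: any
--    sysadmin-level login, including one obtained by password guessing, can run
--    operating-system commands through the SQL Server service account.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Corrected setting. xp_cmdshell is an "advanced" option, so it can only be
--    changed while 'show advanced options' is on; turn that back off afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Verify: expect value_in_use = 0 for xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 4. Brute-force exposure check. sid 0x01 is always the 'sa' login even if it
--    has been renamed. is_disabled = 0 combined with is_policy_checked = 0 means
--    the well-known account is reachable and exempt from Windows password policy.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- Once another sysadmin login exists, the usual hardening step is:
-- ALTER LOGIN sa DISABLE;
```

Two caveats worth keeping in mind: a sysadmin login can re-enable xp_cmdshell with the same sp_configure calls, so the setting is a speed bump rather than a boundary, and a sudden change of ‘xp_cmdshell’ in sys.configurations (or RECONFIGURE appearing in the error log) is itself a useful detection signal to alert on alongside the staging-directory monitoring the blog recommends.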
SC Media has written an article discussing the risks of not properly administering and updating an organization’s non-employee identity management systems.
Many companies provide identities to non-employees, such as contractors, and to non-human identities, such as an application that needs access to data. However, 54 percent of executives have observed severe security issues, including data loss and security breaches, as a result of providing access to non-employees and non-humans. This statistic suggests that many organizations are not granting these categories network access in a safe and secure manner. The article recommends that organizations reassess their current processes for provisioning identities and determine how to keep these databases updated and regularly pruned. Read more at SC Media.
Phishing continues to be one of the primary methods of attacks used by cyber criminals. Proofpoint’s latest “State of the Phish” report found that 84% of organizations around the world experienced at least one successful phishing attack in 2022. More than half (54%) of organizations reported facing three or more of these attacks.
Since phishing remains a relatively cost-free method of attack, threat actors continue to evolve their methods by inventing new techniques to bypass security controls. Some evolving phishing tactics include multi-factor authentication (MFA) phishing, telephone-oriented attack delivery (aka callback phishing), and generative AI (chatbot) phishing. Regarding generative AI, threat actors could use AI-powered chatbots to improve the credibility and quality of their phishing emails. Furthermore, since people are the primary target of these evolving phishing attacks, organizations should ensure their employees understand the threat landscape by conducting regular security awareness training. Proofpoint has compiled a quick tip list of do’s and don’ts for employees to detect and avoid phishing emails.
Do:
- Report anything suspicious
- Validate the sender’s email address
- Beware of urgent language
- Confirm the request via another channel
- Open a new window to access the official website
Don’t:
- Be so quick to reply
- Trust the display name
- Give up personal or company information
- Click on unexpected URLs or attachments
- Believe everything you see
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:
ICS Vulnerability Advisories:
CISA Releases Two Industrial Control Systems Advisories
These products are used across multiple sectors; please check the latest advisories for specific equipment used in your ICS environments and address accordingly.
- Fujitsu Limited Real-time Video Transmission Gear "IP series"
- (Other advisory for medical device)
Alerts, Updates, and Bulletins:
The following posts are useful for general awareness of current threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.
Critical Infrastructure Resilience
- Nozomi finds vulnerabilities in SEL software applications used in engineering workstations (Industrial Cyber)
- The Essential Guide to the NIST SP 800-82 document (Industrial Cyber)
- Securing the future: Safeguarding cyber-physical systems (CSO Online)
- A Brief History of ICS-Tailored Attacks (Dark Reading)
IT Vulnerabilities & Threats
- Exploit released for critical VMware SSH auth bypass vulnerability (Bleeping Computer)
- Okta: Hackers target IT help desks to gain Super Admin, disable MFA (Bleeping Computer)
- Chrome extensions can steal plaintext passwords from websites (Bleeping Computer)
- What's in a NoName? Researchers see a lone-wolf DDoS group (The Record)
- How attackers exploit QR codes and how to mitigate the risk (CSO Online)
- Why is .US Being Used to Phish So Many of Us? (Krebs on Security)
- Prompt injection could be the SQL injection of the future, warns NCSC (Malwarebytes)
Ransomware Awareness
Cyber Resilience & General Awareness
- House cyber committee chair seeks update from CISA on info-sharing relationships (SC Media)
- How companies can get a grip on ‘business email compromise’ (Check Point)
- Understand the fine print of your cyber insurance policies (Help Net Security)
- Data Protection Best Practices (Mandiant)
- Revisiting Traditional Security Advice for Modern Threats (Mandiant)
- Supply chain related security risks, and how to protect against them (Malwarebytes)
- How to stop your site from being a partner in crime (Kaspersky)
- 2023 Cost of a Data Breach: Key Takeaways (Tripwire)