Security & Resilience Update | 8-31-23

Cybersecurity
CISA and FBI Publish Joint Advisory on QakBot Infrastructure

CISA and the FBI have released a joint Cybersecurity Advisory (CSA), Identification and Disruption of QakBot Infrastructure, to help organizations detect and protect against newly identified QakBot-related activity and malware. Originally used as a banking trojan to steal banking credentials for account compromise, QakBot has since grown to deploy multiple types of malware, trojans, and highly destructive ransomware variants targeting the U.S. and other global infrastructures, including the election infrastructure subsector and the financial services, emergency services, and commercial facilities sectors.

CISA and FBI urge organizations to implement the recommendations contained within the joint CSA to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Read more at CISA.

Security Awareness – Threat Actors Craft Alluring Subject Lines in Phishing Emails

As people become more aware of phishing attacks, threat actors are constantly evolving their social engineering tactics to continue to compromise victims. To help organizations stay ahead of the latest phishing tactics, Cofense has written a report highlighting threat actors’ use of misleading dates in subject lines to influence the emotions of recipients and create a false sense of urgency. 

Researchers at Cofense analyzed phishing emails from July 2023 to create the report. According to the researchers, “the subject lines seen were intentionally deceptive, and the dates used in the subjects covered a range from a few days before the email was sent to several days afterwards. Subject lines such as these are specially designed to create a false sense of urgency requiring the victim’s immediate interaction, and not allowing them time to consider how suspicious the email is.” The report first gives the ratio of subject lines containing dates to those without, then divides the dated emails into late emails (the subject date is before the date the email was accessed), early emails (the subject date is after the access date), and on-time emails (the subject date matches the access date). In over two-thirds of the emails with a date in the subject line, that date was before the date the email was accessed, which is unsurprising given that threat actors use this tactic to create a false sense of urgency. Therefore, a subject-line date that has already passed when the email is opened should prompt additional scrutiny from the recipient.
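As an added illustration (not from the Cofense report or WaterISAC), the late/early/on-time classification above can be applied as a mail-triage heuristic; the subject-line date formats recognized and the sample messages below are assumptions constructed for the example.

```python
import re
from datetime import date, datetime

# Constructed sample messages: (subject line, date the message was accessed)
SAMPLE_EMAILS = [
    ("Invoice due 07/10/2023 - action required", date(2023, 7, 14)),  # late
    ("Payroll update for July 20, 2023", date(2023, 7, 14)),           # early
    ("Meeting notes 2023-07-14", date(2023, 7, 14)),                   # on time
    ("Your account statement is ready", date(2023, 7, 14)),            # no date
]

# Subject-line date formats to recognize (an assumption, not from the report)
_PATTERNS = [
    (r"\b\d{4}-\d{2}-\d{2}\b", "%Y-%m-%d"),
    (r"\b\d{1,2}/\d{1,2}/\d{4}\b", "%m/%d/%Y"),
    (r"\b[A-Z][a-z]+ \d{1,2}, \d{4}\b", "%B %d, %Y"),
]

def extract_subject_date(subject):
    """Return the first valid calendar date found in a subject line, or None."""
    for pattern, fmt in _PATTERNS:
        m = re.search(pattern, subject)
        if m:
            try:
                return datetime.strptime(m.group(0), fmt).date()
            except ValueError:
                continue  # matched the shape but is not a real date (e.g. 13/40/2023)
    return None

def classify(subject, accessed):
    """Bucket an email as 'no_date', 'late', 'early' or 'on_time' (report's terms)."""
    d = extract_subject_date(subject)
    if d is None:
        return "no_date"
    if d < accessed:
        return "late"
    if d > accessed:
        return "early"
    return "on_time"

def needs_extra_scrutiny(subject, accessed):
    """Flag the 'late' pattern the report found in over two-thirds of dated subjects."""
    return classify(subject, accessed) == "late"

def summarize(emails):
    """Count emails per bucket, mirroring the report's ratios."""
    counts = {"no_date": 0, "late": 0, "early": 0, "on_time": 0}
    for subject, accessed in emails:
        counts[classify(subject, accessed)] += 1
    return counts
```

A flag from needs_extra_scrutiny is a prompt for closer inspection, not proof of phishing, since legitimate mail also carries past dates in subjects.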

Phishing attacks continue to increase every year, according to recent research reports. In fact, just this month a water utility reported a credential phishing attack to WaterISAC. To defend against this activity, members are encouraged to conduct regular security awareness training and implement technical controls, such as multifactor authentication (MFA). Read more at Cofense.

CISA Releases IOCs Associated with Malicious Barracuda Activity

CISA has released additional indicators of compromise (IOCs) associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. Malicious threat actors exploited this vulnerability as a zero-day as early as October 2022 to gain access to ESG appliances.

Members are encouraged to download the newly released IOCs associated with this activity. Read more at CISA.

CISA ICS Vulnerability Advisories and Alerts, Updates, and Bulletins – August 31, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:

ICS Vulnerability Advisories:

CISA Releases Four Industrial Control Systems Advisories

These products are used across multiple sectors; check the latest advisories for specific equipment used in your ICS environments and address accordingly.

  • ARDEREG Sistemas SCADA
  • GE Digital CIMPLICITY
  • PTC Kepware KepServerEX
  • Digi RealPort Protocol

Alerts, Updates, and Bulletins:

Supplemental Cyber Highlights – August 31, 2023

The following posts are useful for general awareness of current threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.

ICS/OT/SCADA Threats and other Critical Infrastructure Resilience

Qakbot Takedown News

IT Vulnerabilities & Threats

Ransomware Awareness

Cyber Resilience & General Awareness

Technical Posts (for security analysts, sysadmins, and other nerds)