CHATGPT

What opportunities for the underground world of cybercrime ?

Need a refresh about ChatGPT?

Figure 1 – Screenshot from ChatGPT when prompted “Introduce ChatGPT in a funny way and at the first person”

Unless living under a rock, you have heard about the incredibly notorious AI powered chatbot developed by OpenAI: Chat GPT, a tool that relies on the Generative Pre-trained Transformer architecture. But just in case, you must know that ChatGPT has been trained on a vast amount of data from the Internet and is able to understand human speech and interact with users. Chat GPT has not finished to be talked about: on March 14^th 2023, Open AI has announced the arrival of Chat GPT 4.0[i].

The growing popularity and potential future applications of ChatGPT have also caught the attention of cybercriminals. Nord VPN’s examination of Dark Web posts from January 13th to February 13th revealed a significant increase in Darkweb forum threads discussing ChatGPT, jumping from 37 to 91 in just a month. The main topics of these threads included:

• Breaking ChatGPT
• Using ChatGPT to create Dark Web Marketplace scripts
• A new ChatGPT Trojan Binder
• ChatGPT as a phishing tool with answers indistinguishable from humans
• ChatGPT trojan
• ChatGPT jailbreak 2.0
• Progression of ChatGPT malware

Figure 2 – Screenshot from CheckPoint: Cybercriminal is using ChatGPT to improve Infostealer’s code

These threads give a first interesting overview of all the rogue usage that can involves ChatGPT or be carried out via the chatbot. Another key security concern could also be included in this list when thinking about ChatGPT’s limitations in terms of cybersecurity, which is the risk of personal and/or corporate data leak, that could lead to identity theft, fraud, or other malicious uses.

What are the plausible cybercriminal use cases?

 Figure 3 – Screenshot of a ChatGPT answer when prompted “Talk at the first person about possible cybercriminal usage of ChatGPT”

Use Case #1 – Support malware creation and kill chain attack

ChatGPT is designed to decline inappropriate requests but there are ways to bypass its restrictions and generate malicious code. For example, instead of directly requesting a ransomware script, users can describe step-by-step functions needed for such a script, ultimately receiving functional parts of malicious code.

Figure 4 – Screenshot of a ChatGPT answer to the request “Write me a function named “find_files” in Python that searches all files that end up with “txt, pdf, docx, ppt, xlsm” starting from the root directory and that return all paths of files that match with the criteria”.

It has been proven possible to use ChatGPT to insert harmful code into a commonly used computer program and create programs that constantly change their appearance, making them harder for security software to detect and block and to obtain an entire process of an artificial intelligence-driven cyberattack, starting with targeted phishing emails and ending with gaining unauthorized access to someone’s computer.

Figure 5 – Screenshot from CheckPoint: Example of the ability to create a malware code without anti-abuse restrictions in a Telegram bot utilizing the OpenAI API

However, as highlighted by NCSC and Kaspersky, using ChatGPT for creating malware is not that reliable, due to potential errors and logical loopholes in the generated code, and even if it provides a certain level of support, the tool doesn’t currently reach the level of cyber professional.

Use Case #2 – Discover and exploit vulnerabilities

When it comes to code vulnerabilities, ChatGPT raises several challenges in terms of detection and exploitation.

In terms of detection, ChatGPT is currently able to detect vulnerabilities in any piece of code submitted if properly prompted to do so, but it can also debug code. For example, when a computer security researcher asked ChatGPT to solve a capture-the-flag challenge, it successfully detected a buffer overflow vulnerability and wrote code to exploit it, with only a minor error that was later corrected.

In terms of exploitation, the risks posed by ChatGPT, and more generally Large Language Models (LLMs) can be used to produce malicious code or exploits despite restrictions, as they can be bypassed. Additionally, LLMs may generate vulnerable and misaligned code, and while future models will be trained to produce more secure code, it’s not the case yet. Moreover, some security researchers remain skeptical about AI’s ability to create modern exploits that require new techniques.

Use Case #3 – Create persuasive content for phishing and scam operations

Creating persuasive text is a major strength of GPT-3.5/ChatGPT, and GPT-4 performs even better in this area. Consequently, it’s highly probable that automated spear phishing attacks using chatbots already exist. Crafting targeted phishing messages for individual victims is more resource-intensive, which is why this technique is typically reserved for specific attacks.

Figure 6 – Screenshot from chatGPT, pishing mail generation

ChatGPT has the potential to significantly change this dynamic, as it allows cybercriminals to produce personalized and compelling messages for each target. To include all necessary components, however, the chatbot requires detailed instructions.

A notable advantage of ChatGPT is its capability to interact and create content in multiple languages, complete with reliable translation. In the past, this was a key way to identify scams and phishing attempts. While some methods are being developed to detect content created by ChatGPT, they haven’t yet proven entirely effective.

This poses a significant risk to all companies, as it makes their employees more susceptible to such attacks and may expose their resources if passwords are stolen in this manner. As mentioned earlier, it is essential to raise awareness about this issue while also strengthening authentication methods, such as implementing two-factor authentication as a potential solution.

Interestingly, other uses have been made of ChatGPT notoriety to develop scams without using the tool itself, such as phishing mails/Scams in order to push towards the purchase of a (fake) ChatGPT subscription and to provide personal data details

Use Case #4 Exploit companies’ data

ChatGPT has been trained on a massive amount of internet data, including personal sites and media content, meaning that it may have access to personal data that is currently hard to remove or control, as no “right to be forgotten” measures exist to date. Consequently, ChatGPT’s compliance with regulations like GDPR is under debate. GPT-4 can manage basic tasks related to personal and geographic information, such as identifying locations connected to phone numbers or educational institutions. By combining these capabilities, GPT-4 could be used to identify individuals when paired with external data.

Another significant concern is the sensitive information users might provide through prompts. Users could inadvertently share confidential information when seeking assistance or using the chatbot for tasks, like reviewing and enhancing a draft contract. This information may appear in future responses to other users’ prompts. They might not only find their confidential documents or research leaked on such platforms due to employees’ inattention, but also reveal information about their system or employees which will be used by hacker to facilitate an intrusion. The primary course of action should be to increase awareness on this subject by providing formation and explanation or to restrict access to the website in the sensitive domains until there is a better comprehension of how data is utilized.

Not only the real ChatGPT can be used for this objective, but the creation of other chatbots using the same model as ChatGPT but configured to trick victims into disclosing sensitive information or downloading malware has also been observed.

Use Case #5 Disinformation campaigns

ChatGPT can be used to quickly write very convincing articles and speeches based on fake news. The American startup Newsguard has conducted an experience on ChatGPT to demonstrate its disinformation potential: on 100 fake information submitted to ChatGPT, the tool has produced fake detailed articles, essays and TV scripts for 80 of them, including significant topics such as Covid-19 and Ukraine[ii].

As highlighted (again) by the war between Ukraine and Russia, the crucial role of information and disinformation through cyber channels, can have significant consequences.

Use Case #6 Create darknet marketplace

Cybercriminals have also been observed using ChatGPT to support the creation of DarkWeb marketplaces. ChekPoint has illustrated this phenomenon with some examples[iii]:

• A cybercriminal post on a Darkweb forum showing how to code with ChatGPT a DarkWeb Market script that does not rely on Python or Java Script, using third-party API to get up-to-date cryptocurrency (Monero, Bitcoin and Etherium) prices as part of the Dark Web market payment system.
• Dark web discussions threads linked to fraudulent usage of ChatGPT, such as how to generate an e-book or a short chapter using ChatGPT and then sell its content online.

Figure 2 – Screenshot from CheckPoint: Multiple threads in the underground forums on how to use ChatGPT for fraud activity

What are the key take aways?

Even if ChatGPT tends to lack of the necessary level of features, it can still be a useful tool to facilitate cyberattacks. Even if it is an obvious support tool mostly for script kiddies and unexperimented actors, ChatGPT – as any AI tool – can be a facilitator for any type of hackers, either to completely conceive a malware, to accelerate malicious actions such as phishing or to increase the sophistication level of cyberattacks.

With the release of GPT-4, OpenAI has made efforts to counter inappropriate requests, however ChatGPT  still raise serious security issues and challenges for business security. It is important to keep in mind that the malicious use cases detailed in the previous section are only hypothetical scenarios: malicious use of ChatGPT has already been observed and it is essential to convey strong cybersecurity messages on the topic:

• Don’t include sensitive info in queries to #ChatGPT : Avoid personal/sensitive information sharing while using ChatGPT
• Stay informed and vigilant: AI-related topics are evolving quickly, it is central to stay put regarding tools evolution (e.g. release of Chat GPT 4.0), and new security topics that can emerged over time
• Scams and phishing are likely to become more and more realistic in their crafting: continue raising awareness about this risk and train yourself and your ecosystem
• Basic cybersecurity practices are still true: have a regular vulnerability management, set up doble authentication, train your teams and raise awareness…
• ChatGPT opening the door to the possibility of creating realistic fake content, it is central to stay informed about tooling initiatives aiming at detecting machine-written text such as GPT Zero, a tool developed by Princeton student (Note: OpenAI is also working on a tool to detect machine-written text, but is for now far from being perfect since it detect machine-written text only one in four times)

Reading of the Month

CERT-EU : RUSSIA’S WAR ON UKRAINE: ONE YEAR OF CYBER OPERATIONS

https://cert.europa.eu/static/MEMO/2023/TLP-CLEAR-CERT-EU-1YUA-CyberOps.pdf

[i] https://cdn.openai.com/papers/gpt-4.pd

[ii] https://www.newsguardtech.com/misinformation-monitor/jan-2023/

[iii] https://research.checkpoint.com/2023/opwnai-cybercriminals-starting-to-use-chatgpt/

Cet article CDT Watch – March 2023 est apparu en premier sur RiskInsight.

BLINDSIDE

Facing the EDR behavioral supervision, attackers develop techniques for successful attacks by staying under the radars. One of these techniques is called Blindside. This technique works on many EDRs relying on a hook and was revealed by Cymulate. 

According to Cymulate, the author of Blindside, the technique is not immune to detection. Some mitigations can be implemented such as:

• Monitor the use of the SetThreadContext function: the function context can inform on breakpoint setting (write inside debug address registers)
• Monitor the presence of suspicious debug functions
• Edit EDR settings for checking debug registers

It remains difficult to bypass EDR solutions as their detection methods vary between vendors. Nevertheless, it is important to remember that it is possible and that the security should not rely solely on the solution.

CERT-W: FROM THE FRONT LINE

THE FIRST RESPONDER WORD

READING OF THE MONTH

SOPHOS: MATURING CRIMINAL MARKETPLACES PRESENT NEW CHALLENGES TO DEFENDERS

Maturing criminal marketplaces present new challenges to defenders, Sophos 2023 Threat Report

VULNERABILITY OF THE MONTH

PROXYNOTSHELL: WHEN APPLYING MITIGATIONS KEEPS YOU VULNERABLE

CVE-2022-41040 & CVE-2022-41082

Published by NVD: 02/10/2022

Products: Microsoft Exchange server

Versions: on-site/on premise 2013, 2016 and 2019

Score: 8.8 HIGH

Context   PoC

Microsoft Exchange is a mailbox server exclusively running on the Windows operating système.

In September 2022, a vulnerability to compromise the underlying Exchange server was discovered. It was named ProxyNotShell after its similarities with the ProxyShell vulnerability. To exploit ProxyNotShell, attackers need to have an authentified access to the Microsoft Echange server. The exploitation of the vulnerability allows attacker to deploy a webshell on the targeted server, giving them an initial access.

Around November, a number of mitigations (Hotfix) were released awaiting for a patch. As a result, some 60 000 servers worldwide still are vulnerables since the few mitigations rules can be bypassed by attackers.

According to CrowdStrike, Play ransomware group, which has been active since last June, took advantage of this in using a new exploit to bypass the URL rewrite mitigations for the Autodiscover endpoint. Early December the managed cloud hosting services company Rackspace technology complies to having been attacked after a successful exploit of the vulnerability in Microsoft Exchange Server.

The Microsoft Exchange server should have at least the KB5019758 patch. If not, the main action to perform is to immediately install the updates on the vulnerable servers. If some factors make the installation impossible, it is adviced to disable OWA until it can be applied. In addition, it is strongly recommended to disable remote PowerShell for non-admin users and use EDR tools to detect if web services are spawning PowerShell processes.

SEE YOU NEXT MONTH!!

Cet article CDT Watch – January 2023 est apparu en premier sur RiskInsight.

The marketplaces of stolen data

Which type of data are sold?

The different platforms of marketplaces sell different types of data. While some platforms are really focused on selling one specific “product” (eg. hacking forums where Initial Access to companies is sold, as well as auction sites to sell stolen data eg. REvil and its auction site back in 2020), other platforms thrive with a very wide panel of goods, ranging from various weapons to “fullz” (full data about people: Social Security numbers, Bank account numbers, ID,…) without forgetting per-install malware service and financial information about a company. Overall, personal data is one of the most common types one can find on these marketplaces, as well as organization initial access, and non-financial or financial accounts/credentials.

When it comes to prices, whereas the number and variety of data items sold are increasing, the prices are declining as the market grows.

The price of an Initial Access depends on its quality, but it ranges from a couple of hundred USD for a small company to hundreds of thousands of dollars for the bigger ones. The average price is $7,100 in 2021. Patricia Ruffio listed here the prices found per type of data, from credit card data with account balance up to 5K ($120) to social media account ($65 for a gmail account), going through PayPal account logins ($150 for 50 accounts) and European Passport ($3,800). In comparison, DDOSing an unprotected website for a month now costs $850 on average and installing malware on a thousand devices ranges from $45 to $5500 depending on its quality and success rate.

Last but not least, some ransomware groups such as BlackByte go as far as selling stolen data on dedicated auction sites, not only as a means of pressure on victim companies, but also as a very juicy second revenue stream, with starting bids reaching up to $500,000.

What’s the selling process?

Besides a classical strategy of competitivity between the different marketplaces, based on discounts or fidelity points, the platforms are fighting over a security aspect in order to gain the buyer’s trust.

With the growth of marketplaces comes a strong trend for the sellers to strengthen their client’s trust. Taking advantage of legal uncertainty, these websites or events like the Evolution Marketplace exit scam with over $12 million in Bitcoin have greatly tarnished their reputation and taken its toll on customer and vendor trust.

As a result, along with the numerous DDOS protection, layers marketplaces now hide behind to prevent attacks from rivals, the quality of vendors and their items is now more thoroughly assessed and monitored. Direct scams are supposedly prevented by using the marketplace platform as an intermediate deposit for payment so that a client may be refunded in case of deception by the vendor. All transactions are currently mainly in Bitcoin and Monero for anonymity purposes.  Some auction and IAB platforms even sometimes use mandatory referral systems to shield themselves from outsiders & untrustworthy members.

Consequently, dark web marketplaces seem more reliable and stolen data is more prone to be sold quickly.

Once sold, what are the stolen data used for?

The financial reason is undoubtedly the main aspect for many actors in the market: most of these data can be used directly for blackmail of course, or to launch another cyberattack with a bigger impact…and more gains. It can be “standard” attacks such as personal data simply used as a basis for phishing operations and for compromising, for example, bank accounts, or it can be larger attacks. In fact, the average ransom paid by companies rose up to $541k according to the 2022 Unit 42 Ransomware Threat Report, highlighting the high profitability of simple ransom and blackmail with the stolen data. While not as straightforward, leveraging stolen Social Security Numbers, IDs, Credit cards are other ways to generate profit or to gain access to companies using identity theft.

However, stolen data may be used for more varied purposes. Corporate espionage is one of them: should a competitor be informed of a potential data leak, and what prevents it from looking at your deepest hidden secrets? It can also be a political matter: for example when Lockbit2.0 hits the French ministry of Justice, the main concerns shift to who laid their hands on such potentially sensitive pieces of information and what their intentions are. Another example of societal impact would be the data breach of Pfizer/BioNTech vaccines data in 2020, which led to attackers modifying the stolen data on the vaccine and publishing them with the headline “Vaccines are malicious”.

What are the impacts on my organization?

As mentioned, the collected data such as initial access can be the essential vector to compromise an organization’s SI and lead to even more impacting attacks. Besides, the main victim’s perimeter is not the only one compromised: the whole ecosystem of partners, clients, and providers… can be affected. If the ransomware is the first type of attack coming to mind after a data breach, one should not underestimate the impacts of identity impersonation and fraud, targeted DDoS…

As it has often been proven and discussed these last years, the financial impact of such compromission can be colossal and even led organizations to their end. Besides, the cost of the attack itself is not the only one to be taken into account. Other components must be considered: loss of customer’s trust, loss due to potential system’s unavailability, cost of intervention from experts to investigate, but also cost of new customer acquisition to win back those that have been lost. Just as an example, Equifax announced that the data breach it faced in 2017 cost around $1.5 billion dollars if not more.

The financial and reputational impacts are intrinsically linked. Indeed, upon facing a data breach, a company is very likely to get customer or partner disengagement. According to a report from IBM, the lost business contributes to 38% of data breach costs. Companies also handle PII (Personally Identifiable Information) which, if stolen, can lead to additional legal costs, class-action settlements, or fines from public institutions.

The total cost of a data breach could be deadly for some companies and must be acknowledged. Equifax spent several million in fines and settlements after dealing with its massive data breach in 2017.

Last but not least, the social and political aspects must not be neglected. Last year, the Labour Party suffered a data breach through a ransomware attack on a third-party supplier. This kind of attack can lead to disinformation campaigns or even interferences in the election process.

In order to prevent a data breach, beyond cybersecurity basic actions, companies must enhance their maturity level when it comes to data security. Evaluating the value of the data is one of the key: the more attractive the data is, the greater chance an attacker will try to steal it. Storage and network security, Identity and Access Management, Cyber Resilience are some of the topics to be addressed at first. On top of this, companies should also focus on creating a strong watch on cybersecurity events and implement, even small, Cyber Threat Intelligence programs. Looking at the cybercrime ecosystem as well as spotting potential attack vectors and modus operandi is never a bad idea to anticipate a cyberattack.

CERT-W: FROM THE FRONT LINE

The First Responder Word

Reading Of The Month

We recommend the Citalid overview of the

Russio-Ukrainien conflit’s cyber aspect

(click on the picture)

SEE YOU NEXT MONTH!!

Cet article CDT Watch – May 2022 est apparu en premier sur RiskInsight.

Conti Kill Chain

SOURCES :

CERT-W: FROM THE FRONT LINE

The First Responder Word

READING OF THE MONTH

We recommend the interview of Pompompurin, a cyber activist who’s work ranges from leaking the data of thousands of WeLeakInfo Users to abusing the FBI’s Servers to send thousands of false emails.

The interview by Data Knight

Cet article CDT Watch – March 2022 est apparu en premier sur RiskInsight.

SysJoker: Windows Version

To produce this tech focus, we used data from:

New SysJoker Backdoor Targets Windows, Linux, and macOS – Intezer

CERT-W: FROM THE FRONT LINE

The First Responder Word

Reading Of The Month

To learn more about the main trends anticipated by Sophos for cybersecurity in 2022, it is here:

Interrelated threats target an interdependent world, Sophos

Cet article CDT Watch – January 2022 est apparu en premier sur RiskInsight.

CERT-W: FROM THE FRONT LINE

The First Responder Word

For more information for vulnerability detection and remediation, contact Wavestone CERT-W!

Reading Of The Month

To learn more about the evolution of cybercrime, we recommend reading the Internet Organized Crime Threat Assessment 2021 of Europol. This report focuses on changes and developments of cybercrime threats during the last 12 months.

Internet Organized Crime Threat Assessment 2021, Europol

Cet article CDT Watch – December 2021 est apparu en premier sur RiskInsight.

File Obfuscation

Discover Cobalt Strike capabilities with the technical zoom of the month:

To learn more about the given malwares:

Cobalt Strike Training videos

CERT-W: FROM THE FRONT LINE

The First Responder Word

We recommend the 2021 Benchmark on cybersecurity incidents which reviews the interventions of the CERT-W carried out between September 2020 and October 2021. This Benchmark provides keys to understanding the security issues and a snapshot of current cybersecurity threats in France.

CERT-W’s 2021 Benchmark on cybersecurity incidents

Reading Of The Month

To learn more about Conti, one of the most dangerous Ransomware, we recommend reading the Conti Ransomware Group In-Depth Analysis of Prodaft. According to Prodaft, this report will show you how the gang works with details obtained by their team who accessed Conti’s infrastructure.

Conti Ransomware Group In-Depth Analysis by Prodaft

Cet article CDT Watch – November 2021 est apparu en premier sur RiskInsight.

DECRYPTION

CYBER CRIMINAL NETWORK DISMANTELING

The last 6 months, large-scale coordinated international actions have dismantled several of the biggest cybercriminal networks such as Emotet, Netwalker, Egregor or even Cl0p. Let’s have a closer look at some of them.

What is Emotet?

Emotet was originally a banking trojan, stealing emails and contact list, retrieving passwords on navigators and systems, spreading within the infected network. In 2019, Emotet lost its banking module and became a dropper of malwares. The trojan used a botnet of 1.6 million machines  to realize phishing campaign and install itself on victims’ machines.

Why is Emotet called the “king of malware”?

At the end of 2020, Emotet was identified as one of the most dangerous malwares. Additionally, being a dropper as well as a botnet, Emotet also served as a front door to many other malwares. It was used to drop malicious payloads directly onto the victims’ assets: for example, TrickBot was dropped onto the targeted machine which in turn, would drop Ryuk or Conti ransomware. According to Checkpoint Research, Emotet was at the top of the Global Threat Index in October 2020 and was linked to a wave of ransomware attacks. According to CISA, the U.S. Cybersecurity & Infrastructure Security Agency, Emotet infections cost is estimated at $1 million per incident.

Main TA542’s customer base, “The Malware As a Service EMOTET”, ANSSI 2021

During several months, Europol used the help of Eurojust, France, Germany, United States of America and announced their successful dismantle of the Emotet network in January 2021.

Does this dismantling mean the end of the malware?

The end of one botnet actually led to the rise of several others, such as TrickBot, which even though existed since 2016, replaced Emotet as one of the most well-established MaaS (Malware as a Service) not long after the events on January.

This turn of events might not be so surprising, as threat actors often pivot and change their tools along the way, whether by choice or by necessity as it was the case here. Taking one malware down would only force them to use another one. Yet, what is interesting is that TrickBot also suffered a dismantlement of its own, back in October 2020. In an attempt to disrupt one of the most used distributors of ransomware, Microsoft joined forces with other security teams to take down TrickBot servers. As you may have noticed, this was months before law-enforcement took down Emotet, and now TrickBot or other versions of this malware, still lives on. These actions only disrupted TrickBot activities for a few days, before going back to what it was and even overtaking Emotet dominance.

Moreover, TrickBot seems to be somehow connected to the Bazar malware (BazarLoader and BazarBackdoor), as some part of its infrastructure is shared with TrickBot and both show code similarities. This new toolset is now the most seen malware used to deploy Ryuk ransomware instead of the previous Emotet-TrickBot-Ryuk or TrickBot-Ryuk chain of infection. These changes might have to do with the previously mentioned dismantlements, or due to a new collaboration between threat actors.

What about the people behind these groups?

More recently, on June 4th, Alla Witte was charged on multiple counts for participating in TrickBot criminal activities. Is this arrest, serving as a warning with several hundreds of years of prison if convicted, going to change cybercriminals’ operations? A few months before that, the Ukrainian authorities cooperated with the French law enforcement to conduct an arrest against Egregor members, while a Canadian tied to Netwalker ransomware was charged by the police for distributing the malware. Last year was also marked by several other arrests of cybercriminals around the world. For instance, the arrest of members of the Infinity Black website selling user credentials, lead to the end of the website and the group altogether. On the other hand, the arrests mentioned regarding Netwalker and Egregor seem to concern ransomware affiliates. And as the operators are still free and collaborate with other affiliates, their ransomware continues being deployed around the world. Alla Witte’s case is different since she is suspected to be a malware developer for the TrickBot Group. While her possible conviction might slightly disrupt TrickBot, it seems like their operations still go on, as according to the any.run website and its malware trend tracker, the trojan was last seen on June 16th, 2021. Last but not least, some mid-tier members of the Cl0p gang may have been arrested mid-June in Ukraine even though it seems no core actor behind Cl0p were apprehended.

What could be the long-term consequences of these takedown for the cybercriminal activities?

It’s still early to draw meaningful conclusions on the consequences for cybercriminal activities with the recent arrests. Yesterday, June 16th, at the Geneva summit, U.S. President Joe Biden met with Russian President Vladimir Putin. One of the hot topics of discussions was the ransomware attacks on U.S. entities from Russian soil. Biden warned Putin that United States would not tolerate any other cyber-attacks, especially on 16 critical sectors. The G7 and the NATO also stated that in order not to consider cyber-attacks as armed attacks, Russia should try to identify and disrupt ransomware organizations within its borders.

Even with the arrests of criminal gang members and cybersecurity talks at the presidential levels, some experts say there would be no or little impact on ransomware groups that will still operate with impunity. The near future will give hints about the possible evolution of the cyber-attacks landscape. On one hand, the rising of a broader international collaboration against cyber-criminal gangs which could lead to less opportunistic and lucrative attacks. On the other hand, growing tensions between two blocks: U.S.-Europe and Russia-China with possible sanctions from either side and more cyber espionage, supply-chain or state-sponsored attacks.

CERT-W: FROM THE FRONT LINE

The First Responder Word

FOCUS TECH

Phishing

Think like a cybercriminal and understand how a spear phishing campaign is built to avoid them!

The technical zoom of the month:

To learn more about this:

Reading Of The Month

We recommend the short report “APT trends report Q1 2021”, which reviews the highlight events and findings observed by the Global Research and Analysis Team at Kaspersky during the Q1 2021 around the world.

Cet article Newsletter CERT-W, from the front line – June 2021 est apparu en premier sur RiskInsight.

Cet article CERT-W Newsletter February 2021 est apparu en premier sur RiskInsight.

Cet article CERT-W Newsletter January 2021 est apparu en premier sur RiskInsight.

Cet article CERT-W Newsletter December 2020 est apparu en premier sur RiskInsight.

Cet article CERT-W Newsletter November 2020 est apparu en premier sur RiskInsight.

Cet article CERT-W Newsletter October 2020 est apparu en premier sur RiskInsight.

Indicators of the month

Top attack – French shipping giant CMA CGM hit by ransomware cyber attack

CMA CGM announces that it has been affected by a ransomware attack, which disabled its reservation system and affected some of its Chinese offices. The RagnarLocker gang reportedly asked the company to contact them within two days “via a live chat and pay for a special decryption key”. In a statement, the company said it had shut all external accesses to their network and computer applications as a precautionary measure and that the group’s information system was gradually resuming.

Top exploit – Microsoft warns of attackers now exploiting “Zerologon” flaw

Microsoft’s Security Intelligence team says it’s monitoring new attacks that employ public exploits of the recently patched CVE-2020-1472 Netlogon EoP vulnerability, aka Zerologon. The vulnerability carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System as it lets anyone with a network toehold obtain domain-controller password.

Top leak – Microsoft leaks 6.5TB in Bing search data via unsecured elastic server

Microsoft earlier this month exposed a 6.5TB Elastic server to the world that included search terms, location coordinates, device ID data, and a partial list of which URLs were visited. According to a report from cyber-security outfit WizCase, the server was password-protected until around 10 September, when “the authentication was removed”.

Cybercrime watch

US CISA report shares details on web shells used by iranian hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a malware analysis report (MAR) that includes technical details about web shells employed by Iranian hackers. According to the CISA’s report, Iranian hackers from an unnamed APT group are employing several known web shells, in attacks on IT, government, healthcare, financial, and insurance organizations across the United States. The malware used by the threat actors includes the ChunkyTuna, Tiny, and China Chopper web shells.

Two Russians charged in $17m cryptocurrency phishing spree

U.S. authorities today announced criminal charges and financial sanctions against two Russian men accused of stealing nearly $17 million worth of virtual currencies in a series of phishing attacks throughout 2017 and 2018 that spoofed websites for some of the most popular cryptocurrency exchanges.

Google Chrome bugs open browsers to attack

Google’s release of Chrome 85.0.4183.121 for Windows, Mac and Linux fixed 10 vulnerabilities. The successful exploitation of the most severe of these could allow an attacker to execute arbitrary code in the context of the browser, according to Google. Google Chrome versions prior to 85.0.4183.121 are affected.

Vulnerabilities watch

CVE-2020-1472 – Netlogon Elevation of Privilege Vulnerability

CVSS score: 10.0 CRITICAL

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

CVE-2020-0922 – Microsoft COM* for Windows Remote Code Execution Vulnerability

CVSS score: 8.8 HIGH

A remote code execution vulnerability exists in the way that Microsoft COM for Windows handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system.

*The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft’s OLE (compound documents), ActiveX (Internet-enabled components), as well as others.

CVE-2020-1380 – Scripting Engine Memory Corruption Vulnerability

CVSS score: 7.5 HIGH

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current.

Cet article Review of the current news by CERT-W – September 2020 est apparu en premier sur RiskInsight.

Cybercrime watch

The most consequent Patch Tuesday in the history of Patch Tuesday

On March, Tuesday 10th, Microsoft has released updates no less than security vulnerabilities, targeting either the Windows operating systems or associated software. 26 of these vulnerabilities are considered “critical”, which is the highest level of severity. The exploit of some of them allow remote code execution and takeover of vulnerable assets without user interaction.

Mukashi: the new variant of the famous Mirai botnet is targeting Zyxel NAS

The Mukashi botnet has been found performing bruteforce attacks on random hosts. The botnet is using various combinations of credentials in an attemps to log in and seize control of the asset. It is now targeting the Network Access Storage (NAS) from the Zyxel brand by using the recent CVE-2020-9054, which allows for remote code execution on the 5.21 version of the firmware.

Coronavirus is now the most used decoy of all times

During the sanitary crisis linked to COVID-19, the coronavirus has become the most used decoy of all times in phishing attacks. The FBI Internet Crime Complaint Center (IC3) mentions that it can either be email pretending to offer information on the virus itself, test kits, vaccines. Attackers even go to such length like posing as charities asking for donations.

Vulnerability watch

CVE-2020-0684 – Remote code execution in Microsoft Windows

A new remote code execution vulnerability has been found in the Windows operating system that is triggered when a .LNK file is processed (analyzed or executed). An attacker could gain the same privileges as the local user by exploiting this vulnerability.

CVE-2020-3946 – Denial of Service in Vmware Workstation

Some versions of Vmware Workstation and Fusion are exposed to a “use-after-free” vulnerability in the vmnetdhcp service. The successful exploit of this vulnerability currently leads to denial of service but could be used in theory to execute arbitrary code.

CVE-2020-10887 – Firewall bypass in TP-Link routers

A version of the TP-Link firmware is exposed to firewall bypass. This vulnerability originates from an insufficiant filtering when handling IPv6 SSH connections. It can be exploited without authentication and can even be used to peform privilege escalation and code execution, up to root.

Weekly top

The top leak – A 5-million record leak of Mariott’s clients

Cybercriminals have succeeded in obtaining the credentials of two employees on a third-party piece of software used in Mariott resort to provide clients with various services. They used them to access numerous information on Mariott’s clients, including names, email addresses, phone numbers, etc.
It is the second data leak in 24 months for the brand!

The top exploit – CVE-2020-0796 – Remote code execution vulnerability in the SMB protocol

SMB is a network protocol used for file sharing, printers, and for other network purposes. The Microsoft SMB 3.1.1 (SMBv3) is suject to a vulnerability in the way it handles some requests. Unauthenticated attackers can use this vulnerability to remotely execute code on SMB servers as well as clients.

The top attack – One of the largest Czech hospital hit by a cyberattack

The Brno university hospital in Czech Republic has been hit by a major cyberattack in the midst of the COVID-19 outbreak. It has been forced to shut down all IT equipment and information system. Consequently, surgical procedures have been rescheduled and newly infected patients transferred to other hospitals.

Software version watch

Cet article Review of the current news by CERT-W – March 2020 est apparu en premier sur RiskInsight.

Cybercrime watch

Google Chrome’s update fight against Cybercrime

Google Chrome version 80 now supports AES-256 to user data stored locally. The change has made an impact on AZORult’s ability to steal user’s information. AZORult is a user profile malware that appeared in 2016 thieving big amounts of information including passwords, web browsing history, cookies, etc.

Bouygues Construction another’s ransomware victim

Bouygues Construction was victim of a ransomware attack. First detected on January 30, the company announced the attack in Twitter only few days before the MAZE‘s group expressed to be behind the attack.

Internet Complain Center reporting (FBI IC3 report)

The Federal Bureau of Investigation (FBI) released the Internet Complaint Center (IC3) reporting an increment up to 1300 complaints every single day. The report shows how the Business email compromise (BEC) cost organizations $1.7 billion in 2019. Since companies have implemented “volume spam” campaigns, attackers are becoming more sophisticated targeting high-value individuals such as CEOs and finance employees.

Vulnerability watch

CVE-2020-0688 – Remote code execution vulnerability in Microsoft Exchange software

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka ‘Microsoft Exchange Memory Corruption Vulnerability’.

CVE-2019-15126 – All-zero encryption key to encrypt part of the user’s communication

An issue was discovered on Broadcom Wi-Fi client devices. Specifically, timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic.

CVE-2020-0022 – Critical Bluetooth vulnerability in Android

Android Bluetooth stack that lets attackers silently deliver malware to and steal data from nearby phones simply knowing the Bluetooth MAC address of the target. As result, possibility to Deny of Service (DoS), if the device is running Android 8.0, 8.1 or 9.0 then Remote Code Execution (RCE)

Weekly top

Top leak: Decathlon leaks 123 Million records

A database misconfiguration let a vpnMentor team to reveal 123 million records including customer and employee information. Over 9GB database was found from an unsecured Elasticsearch server, exposing information from Decathlon – Spain.

Top exploit: CVE-2020-6418 – Confusion flaw in V8, Google Chrome

Confusion flaw in V8 (JavaScript engine used by Google Chrome) letting to arbitrary code execution within the browser sandbox.

Top attack: Cyber-attack cripples’ wool sales across Australia

A ransomware attack affected more than 75 per cent of the wool industry across Australia. Secretary of National Auction Selling Committee (NASC) confirmed the compromising of Talman. Talman is the major software supplier to the industry.

Cet article Review of the current news by CERT-W – February 2020 est apparu en premier sur RiskInsight.

Last year, the National Health Service England (NHS) faced its most important cybersecurity crisis due to the Wannacry ransomware attack. In October 2017, the National Audit Office (NAO) published a report showing that at least 34% of trusts in England were disrupted, and around 19,494 patient appointments canceled including canceled patient operations. This was mainly due to the fact that the information system managing the appointments, the patients’ records or test results were infected by the ransomware.

However, the report points out that medical devices such as MRI scanners (that have Windows XP embedded within them) were also locked by the ransomware. Only 1,220 devices were infected representing 1% of the overall amount, because several equipments were disconnected to avoid the ransomware propagation. So why the healthcare sector suffered from such an attack and how come the ransomware spread that easily?

Healthcare cybersecurity: Low maturity level

The NAO report highlighted the challenges that the NHS had to face to tackle the attack. These challenges seem similar to the ones that several industries and manufacturers have been facing showing that an analogy of the healthcare information systems and the industrial control systems (ICS) have the same weaknesses.

Indeed, both ICS and Health Information Systems (HIS)face the same cybersecurity challenges, among them:

• The wide use of legacy devices and operating systems (such as Windows XP);
• The length of the window of exposure of these systems (the window of exposure is the time between the vulnerability disclosure and the patching of the system): the vendors support or the quality guidelines and regulations may represent obstacles for a fast patching (a recent survey conducted on 3000 security professionals working for healthcare and pharmaceutical organizations, show that 57% of the respondents had experienced at least a data breach which was conducted after the exploitation of a vulnerability for which a patch had been previously released);
• Critical and unsecure devices directly connected to the Internet exposing the medical network. For example, McAfee published a report explaining how they exploited an unsecure and connected Picture Archiving and Communication System (PACS – device that stores and shares images coming from imaging devices such as scanners) to use personal medical data;
• Lack of security by design: several organizations and researchers have been alerting on several flows affecting medical devices such as pacemakers (Cyber-flaw affects 745,000 pacemakers – BBC), insulin pumps (J&J warns diabetic patients: Insulin pump vulnerable to hacking – Reuters) or infusion pumps (Black hat conference [PDF])

A growing threat on the healthcare sector

The low cybersecurity maturity level of the healthcare sector combined with the continuous interest of some actors on personal data or life threatening made the threat skyrocket these past few years. Indeed, several cybersecurity companies have been alerting on a growing number of cyber threat actors who are targeting healthcare sector, for example:

• In the last newsletter was reported that a US hospital was hit by Samsam ransomware in January 2018. Samsam is only one of the numerous ransomware that targeted hospitals among them Locky;
• In March 2018, Kaspersky researchers discovered that a Chinese-speaking group used PlugX malware (remote access tool which has been used previously by several groups since 2012) in pharmaceutical organizations for stealing information;
• In April 2018, Symantec identified a new attack group named Orangeworm. This group has been targeting healthcare sector companies (equipments manufactures, pharmaceutical, health organizations) for several years. Orangeworm has been using a backdoor called Kwampirs which collects data in the infected systems. This malware propagates easily in Windows XP devices.

Protecting against

In order to curb the number of security incidents in the healthcare sector, several measures can be, and in some cases have already been, implemented among them:

• Design of a global cybersecurity governance by implementing a cybersecurity policy;
• Conduction of awareness campaigns towards the hospital staff on the cybersecurity threats;
• Implementation of patch management procedure in order to reduce the window of exposure of the system (a combined work with the vendors and the regulation organizations may be required so the patching covers the largest amount of device as possible);
• Network segregation into several levels of protection matching the level of criticality (medical devices should be highly protected).

Several governmental agencies and institutions have been publishing reports and guidelines in order to help healthcare organizations and the medical devices suppliers in securing their network or providing more secure medical devices. You will find here after some of the documents:

• Cyber security and resilience for Smart Hospitals – ENISA
• Security and Resilience in eHealth Infrastructures and Services – ENISA
• Guide Pratique : Règles pour les dispositifs connectés d’un Système d’Information de Santé – Agence des systèmes d’information partagés de santé [PDF]
• Information for Healthcare Organizations about FDA’s “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software” – FDA
• The U.S Food & Drug Administration released its Medical Device Safety Action Plan in April 2018

>>Latest news

	Aerial tramway with security holes Golem.de, April 19th Two white hackers found the control system of a new aerial tramway in the internet without any security measures. According to them, the commands were sent unencrypted, the authentication wasn’t provided and the web application was vulnerable to cross-site scritping and HTTP header injection attacks. Link to the article
	Patch Plugs More Than a Dozen Vulnerabilities Affecting Industrial Secure Router Series Tripwire, April 16th Cisco Talos published a report revealing several vulnerabilities affecting the Moxa EDR-810 industrial secure router with firewall/NAT/VPN and manager layer 2 switch functions. This router sets perimetric security for critical assets such as pumping/treatment systems in water stations, Distributed Control Systems (DCS) in oil and gas stations … Many of the flaws received a CVSS score of 8.8. Moxa released an updated version of the firmware. Link to the article
	Advisory: Hostile state actors compromising UK organisations with focus on engineering and industrial control companies NCSC, April 5th The National Cyber Security Centre (NCSC) published an advisory revealing that several ongoing attacks have been targeting mainly engineering and industrial control companies since March 2017. The attacks are involving the harvesting of credentials using strategic web compromises and spear-phishing. The advisory also refers to the Department of Homeland Security (DHS) and FBI joint Technical Alert (see below for more information). Link to the advisory
	Sentryo Provides Anomaly Detection Technology to Siemens to Address the Cybersecurity Challenges of industrial infrastructures Sentryo, April Siemens and Sentryo signed an agreement in which Siemens AG will provide Sentryo ICS CyberVision solution to its clients among Siemens products and services. Sentryo’s solution is an asset management and anomaly detection tool designed for Industrial Control Systems. Link to the press release [FR][PDF]
	ISA announces newly published ISA/IEC 62443-4-1-2018 security standard Automation.com, March 28th The international Society of Automation released the Part 4-1 of the ISA/IEC 62443 standard. This part tackles the Product Security Development Life-Cycle Requirements. “It defines a secure development life-cycle for developing and maintaining secure products.” This includes several concepts such as security by design, patch management and product end-of-life. Link to the article
	Schneider Electric Launches Cybersecurity Virtual Academy ISS Source, March 27th Schneider Electric launched the Cybersecurity Virtual Academy which is a website that provides several materials to raise the awareness of the cybersecurity risks in the industrial control systems. Link to the article
	Threat landscape for industrial automation systems in H2 2017 Kaspersky lab, March 26th Kaspersky has published a report on the threat landscape over the industrial control systems during the second semester of 2017. In the report, Kaspersky analyses the vulnerabilities discovered by the ICS-CERT and the ones identified by Kaspersky Lab ICS Cert. Here are some figures given in the report: 322 vulnerabilities were identified by ICS-CERT and more than 50% of them are impacting the energy sector; 3,3% of industrial automation system computers were attacked by cryptocurrency mining programs during the period from February 2017 to January 2018; 10,8% of all ICS systems were attacked by botnet agents during 2017. The mains sources of botnet agent attacks on ICS systems in 2017 were internet, removable media and email messages; The Kaspersky figures show also a certain decrease on the number of attacks on ICS systems between 2016 and 2017. This can be explained by the fact that more and more companies are training their employees and began implementing simple cybersecurity measures. Link to the report
	Draft NIST Special Publication 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems NIST, March 21st The National Institute of Standards and Technology (NIST) released a public draft of the NIST SP 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the engineering of Trustworthy Secure Systems. This document aims to provide guidelines to organizations on how to apply cyber resiliency concepts during the engineering of systems. These guidelines may be applied on new systems, modification of systems, Critical infrastructure systems … Link to the release | Link to the document [PDF]
	Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors US-CERT, March 15th The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) published a joint Technical Alert in which give details on how the Russian government targeted several American organizations operating in the energy, nuclear, water, commercial facilities aviation and critical manufacturing sectors (DHS and FBI have already warned about this threat in another alert published in October). The alert analyzed the attacks using the Lockheed Cyber Kill Chain (stage1:reconnaissance, stage 2: weaponization, stage 3: delivery, stage 4: exploitation, stage 5: installation, stage 6: command & control, stage 7: actions and objectives). The threat actors after gaining access to their victims information system, they conducted reconnaissance operations within the network. They mainly focused on identifying and browsing file servers. They viewed information and files regarding Industrial Control Systems (ICS) or Supervisory Control And Data Acquisition (SCADA) systems. Link to the alert
	‘Cyber event’ disrupts power in Mich. – but don’t blame hackers E&E News, March 8th An employee of a public utility that provides electricity in Michigan (Consumers Energy) inadvertently cut the electricity to about 15000 consumers. During an “internal testing” the employee overstepped his authority in a control center leading to the outage. The utility the event as a “cyber event” and reported it to the department of Energy even tought the outage had nothing to do with a malware or cyber attack. Since the event, the company adjusted the access controls. Link to the news
	A Qualitative View of 2017 Across vulnerabilities, threats, and lessons learned in hunting and incident response Dragos, March Dragos published 3 reports in which they reveal their findings and analysis regarding the industrial control systems vulnerabilities during 2017, the industrial threat landscape incident response and hunting lessons. Some of the results of these reports are the following:  “64% of 2017 ICS-related vulnerability patches don’t fully eliminate the risk because the components were insecure by design”; 5 activity groups are working on developing tools and malwares (as Crashoverride that attacked the Ukrainian electric grid in 2016); The main infection vectors are: unprotected interconnectivity with IT systems, removable media, unprotected interfacility connection and phishing. Link to the Vulnerabilities report [PDF] Link to the threat activity groups report [PDF] Link to the hunting and responding report [PDF]
	Siemens report: Mideast’s oil and gas sector needs readiness boost as cyber risk grows Siemens, March A recent report published by Siemens shows that the Middle East facing more and more attacks targeting Operational Technology (OT) (according to the report 30% of the attacks are targeting OT). The report gives the results of a survey on 176 individuals working in the Middle East who are responsible for overseeing the cybersecurity of their organisations. Here are some figures: “75% of organizations have suffered at least one security compromise that resulted in the loss of confidential information or disruption to operations in the OT environment over the past 12 months”; “68% of respondents say the top cyber security threat is the negligent of careless insider”; “31% of respondents say their organization’s industrial control systems” protection and security are adequate”. Link to the press release
	NERC Full Notice of Penalty regarding Unidentified Registered Entity NERC, February 28th The North American Electric Reliability Corporation (NERC) files a Notice of Penalty of two million seven hundred thousand dollars ($ 2,700,000), in accordance with the Federal Energy Regulatory Commission (FERC), regarding noncompliance by an Unidentified Registered Entity (URE). Indeed, a third-party URE contractor failed to comply with the information protection program and copied very sensitive data, including records associated with Critical Computer Assets (CCA), from the URE environment on its own unsecured environment. While the data was on the contractor’s network, a subset of data was available online without the need to enter a username or password for a total of 70 days. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s systems and access to internal CCAs. Link to the article

>>Main ICS vulnerabilities

>>Upcoming ICS events

Jun. 30-1	Nuit du Hack Paris, France
Jun. 18	IEEE Workshop on Smart Industries (IEEE SIW) Taormina, Italy
Jun. 15	European Maritime Cyber Risk Management Summit London, UK
May. 22-23	Annual Nuclear Industrial Control Cybersecurity and Resilience Conference (ICCS) Warrington, UK
May. 3-4	Global Cyber Security in Healthcare & Pharma Summit London, UK

Cet article Industrial Control Systems Cybersecurity News #2 – Radiology of the cybersecurity level of the healthcare sector est apparu en premier sur RiskInsight.

Industrial Control Systems (ICS) are complex systems that aim to control industrial processes. ICS can be found in several sectors: energy, nuclear, transport, chemistry… In brief these systems control many of the critical productive assets of companies or states making their compromise by adversaries a high risk on the environment or people’s lives.

Thus, the cybersecurity of these systems is crucial. Moreover, securing these systems may be challenging due to their complexity (mainly because ICS are a mix of technologies and their lifetime is longer than usual information systems’).

In order to meet our clients’ needs and answer to their future concerns, Wavestone has been conducting an ICS cybersecurity watch where every recent study, attack or incident and report regarding the security of Industrial Control Systems are studied. In 2017, more than 80 news were reported from which we can retrieve a lot of teachings.

So, what did we notice this year?

First of all, ICS had its share of attacks. However, this year’s attacks, more than the other years’, had an unusual worldwide impact. Indeed, while ICS attacks were usually localized on a device (for instance on health devices), factory (for example a cryptomining malware found in a water utility – for more information see below) or a region (Dallas emergency sirens ignition in April 2017), 2017’s attacks started locally and spread quickly impacting several production lines in the world (WannaCry and NotPetya).

During 2017, many attacks have been reported in the news. Moreover, we noticed that several national agencies, governments or political figures alerted on ongoing attacks or attempts on critical infrastructure. The sector that was the most targeted seems to be the Energy sector. Indeed, several news were reported from Turkey (in January), USA (in March, July), Baltic States (in May), UK (in July) and Ireland (in July) showing that this sector was a privileged target by hackers (state sponsored or not).

The energy sector wasn’t the only hot topic of the year, as a matter of fact, autonomous cars cybersecurity hit many times the headlines (even if that topic may or may not be considered as related to industrial control systems). This is mainly due to the fact that cars’ cybersecurity is a new market. Therefore, cybersecurity experts and researchers try to find vulnerabilities and exploits (for example vulnerability found in airbag control units), while car manufacturers launch partnerships and initiatives showing that cybersecurity is now one of their main concerns (for example GM invited ethical hackers to try and hack its cars).

Finally, the ICS cybersecurity market tends to grow as demonstrated by the several fundraisings and partnerships signed during this year. In a broader perspective, we can notice three kinds of actors in the ICS cybersecurity market:

• ICS cybersecurity companies: usually small-sized companies or start-ups. They are pure-players that develop and put in the market ICS-dedicated solutions (Sentryo, CyberX, Nozomi …);
• ICS vendors: we noticed last year, some vendors that conceive ICS launched partnerships with ICS cybersecurity companies to improve their systems’ security (for example Siemens-PAS partnership in September, Schneider-Claroty partnership in August);
• IT security companies: these companies (well known in the IT world) tailor their solutions for industrial context. They show a growing interest for ICS by publishing reports and attack analysis (for example Kaspersky, McAfee).*

So, what is coming next?

It may be easy to say that the ICS cybersecurity will still (unfortunately) hit the headlines. Especially with alerts of attacks targeting life threatening system such as the safety instrumented systems controllers. But, we may see more and more news on specific sectors such as maritime, transport, health… that weren’t somehow as exposed in the media as the energy or nuclear sector. The ICS cybersecurity market may continue to grow especially with partnerships and acquisitions. Industrial Control Systems will continue to face new threats, challenges and changes.

>>Latest news:

	CyberX raises $18 million in series B funding to combat rising threats to IIoT and critical infrastructure, bringing total funding to $30 million (CyberX, February 27th) CyberX announced that the company raised $18 million dollars to develop threat detection in the Industrial Internet of Things (IIoT) and critical infrastructures. The company develops a threat monitoring and risk mitigation platform that includes ICS-specific threat intelligence. Link to the press release
	Fun with Modbus 0x5A (Security Insider, February 9th) During the last edition of Defcon in Las Vegas, Wavestone presented its latest study regarding the ModBus protocol cybersecurity and specifically the function 90. An attacker may thanks to this function start, stop a controller or force it to send a determined output value,  Link to the article
	ICS detection challenge results (Dale Peterson, February 7th) At the S4x18 in January, took place the ICS Detection Challenge. The 4 companies that completed the challenge are: Claroty, Gravwell, Nozomi Networks and Security Matters. The first part of the challenge consists on evaluating the ICS Detection class of 3 products which are: Claroty, Nozomi Networks and Security Matters. It was won by Claroty over Nozomi Networks and Security Matters. The competitors’ products had to detect cyber-attacks and incidents occurring on an oil&gas company. Link to the results The second part which consists in the asset detection phase was also won by Claroty even though Nozomi provided the most details in their asset inventory. Link to the results
	Water utility in Europe hit by cryptocurrency malware mining attack (eWeek, February 7th) The security firm Radiflow discovered a cryptocurrency mining malware in the network of a water service provider in Europe. The malware was downloaded from a malicious advertising site infecting the Human Machine Interface and then spread to the SCADA network that was still running Microsoft Windows XP OS. The malware degraded the system performance. Tough the degradation wasn’t noticed by the operators. Link to the article
	Ukraine power distributor plans cyber defense system for $20 million (Reuters, February 6th) Ukraine’s state-run power distributor Ukrenergo, which was a target for cyber-attacks in the past two years (December 2016 and December 2017), will invest up to $20 million in a new cyber defense system. The acting head of Ukrainian state power distributor Ukrenergo, told that the company and international consultants had identified about 20 threats that would be eliminated with the new system. The main goal of this system is to make “physically impossible for external threats to affect the Ukrainian energy system”. Link to the article
	Increasing number of industrial systems accessible from web (study Security Week, February 2nd) According to a new report published by Positive Technologies, the number of industrial control systems (ICS) accessible from the Internet has increased significantly during the past year. Most of vulnerabilities of these systems could be exploited remotely without needing to obtain any privileges in advance. The most common types of vulnerabilities were remote code execution (24%), information disclosure (17%), and buffer overflows (12%).Most of these systems are accessible via HTTP, followed by the Fox building automation protocol associated with Honeywell’s Niagara framework, Ethernet/IP, BACnet, and the Lantronix discovery protocol. Link to the article | Link to the report [PDF]
	Flaws in gas station software let hackers change prices, steal fuel, erase evidence (Motherboard, January 31st) Security researchers were able to connect to a web interface that manages gas station thanks to Shodan (search engine of connected devices). After using the default admin login and password, and then a hardcoded username and password, the researchers were able to shut down fuel pumps, hijack credit card payments, and steal card numbers. Link to the article
	Government warns critical industry firms to prepare for cyberattacks (Sky news, January 29th) All companies which are involved in critical industry and essential services, such as energy, transport, water, health and digital infrastructure, have been warned by the British government that they face sanctions if they do not include cybersecurity rules in their systems.The fines come as the government implements the Network and Information Systems (NIS) Directive, which would cover events such as the WannaCry attack. Link to the article
	Gemalto licensing tool exposes ICS, corporate systems to attacks (Security week, January 22nd) Kaspersky Lab researchers found 14 vulnerabilities in Gemalto Sentinel LDK (software) and the associated USB Dongle (SafeNet). The USB dongle is used to activate the software. When connected, drivers are installed and the port 1947 is added to the list of exceptions in the Windows firewall. This port can be exploited to identify remotely accessible devices. Link to the article
	SamSam ransomware hits hospitals, city councils, ICS firms (Bleeping Computer, January 19th) Samsam ransomware hit several hospitals, city councils and an ICS firm. Hancock Health admitted paying the ransom ($55.000) even though they had backups. The Samsam ransomware spread by brute forcing RDP connections. Link to the article
	Industrial systems scrambling to catch up with Meltdown, Spectre (The Register, January 18th) Meltdown and Spectre vulnerabilities also had an impact on industrial control systems. Some vendors decided to publicly communicate about their vulnerable products (OSISoft for example), other vendors like Emerson and General electric keep the information only for their customers and finally some vendors are still investigating if their products are vulnerable to Meltdown and Spectre. Link to the article For more information on Meltdown and Spectre vulnerabilities, you can read this post by Wavestone on Security Insider [French]
	Researchers find 147 vulnerabilities in 34 SCADA mobile applications (SC Magazine, January 11th) IoActive and Embedi researchers found 147 vulnerabilities in 34 mobile applications used in tandem with Supervisory Control and Data Acquisition (SCADA) systems. The top vulnerabilities were: code tampering flaws, insecure authorization, insecure data storage… This security weaknesses could allow an attacker to compromise industrial network infrastructure by exploiting the vulnerable applications. Link to the article
	Industrial Cybersecurity Firm Nozomi Networks Raises $15 Million (Security Week, January 10th) Nozomi is an industrial cybersecurity firm that has recently raised $23.8 million. Nozomi’s offering which is “SCADAguardian”, consists on using machine learning and behavioral analysis to detect zero-day attacks in real-time. This technology allows rapid response to alerts by ICS incident alerting and notification systems. The company said the additional funding will be used to support worldwide expansion of marketing, sales, support and product innovation. Link to the article

>>Main ICS vulnerabilities

>>Recent and upcoming ICS events

Apr. 24-26	ICS Cyber security London, UK
Apr. 24-26	Industrial control systems (ICS) Cyber Security Conference Singapore
Apr. 9-10	Cyber Security for critical assets MENA Dubai, UAE
Mar. 27-29	Cyber Security for Energy & Utilities Abu Dhabi, UAE
Mar. 13-14	Maritime Cyber Security London, U.K
Mar. 6-7	Cyber Security for critical assets USA Houston, USA

Cet article Industrial Control System Cybersecurity News #1 – What to remember from 2017? est apparu en premier sur RiskInsight.