A quick Saturday digest of cybersecurity news articles from other sources.
CISA Releases Security Advisory on Siemens Nucleus Real-Time Operating Systems
Original release date: November 9, 2021
CISA has released an Industrial Control Systems (ICS) advisory detailing multiple vulnerabilities found in Siemens Nucleus Real-Time Operating Systems (RTOS) and supporting libraries. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review ICS Advisory: ICSA-21-313-03 Siemens Nucleus RTOS TCP/IP Stack for more information and apply the necessary mitigations.
Kaseya ransomware suspect nabbed in Poland, $6m seized from absent colleague
Suspects nabbed, millions seized, in ransomware busts across the globe.
The name “Kaseya” has become one of the biggest words in ransomware infamy.
Cybercriminals penetrated the IT management business Kaseya earlier this year and used the company’s own remote management tools to wreak simultaneous ransomware havoc across its customer base.
Unfortunately for the many victims of the attack, Kaseya’s software required customers to designate a specific area on their hard disks as exempt from anti-malware scanning.
The reason, we’re guessing, is that someone decided that a staging directory for collecting and distributing software updates, where application files would be temporarily stored as data but not executed as programs, didn’t need to be protected as strongly as the rest of the computer.
After all, why scan the files over and over again while they’re merely being downloaded, shuffled, organised and packaged for delivery, instead of waiting to do a final scan only of those files that ultimately get used?
The problem with anti-malware “exclusion zones” of this sort, however, is that they become a perfect hiding place for well-informed crooks, because rogue code that’s secretly injected into the unprotected area can be launched without generating any of the the usual alarms. More…
Thinking of upgrading your company’s tech gear? Now’s not the time.
Thanks to supply chain problems, getting new PCs, smartphones, routers, hubs, or what-have-you is harder and more expensive than ever. For now, stick with what you’ve got or consider used equipment. More…
New Federal Government Cybersecurity Incident and Vulnerability Response Playbooks
Original release date: November 16, 2021
The White House, via Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, tasked CISA, as the operational lead for federal cybersecurity, to “develop a standard set of operational procedures (i.e., playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity” for federal civilian agency information systems. In response, today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.
FCEB agencies should use the playbooks to shape their overall defensive cyber operations. The playbooks apply to information systems used or operated by an FCEB agency, a contractor of the agency, or another organization on behalf of the agency. CISA encourages agencies to review the playbooks and CISA’s webpage on EO 14028 for more information.
Although CISA created the playbooks for FCEB agencies, we encourage critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review them to benchmark their own vulnerability and incident response practices.
[Bob’s comment – the problem with playbooks is the bad guys can get the playbook, learn the playbook, and use your own tactics against you. Typical government thinking.]
Stop looking over my shoulder!
New ZLoader Ransomware Variant
Search engines like Google are displaying search results that redirect the user to malicious links when they search for TeamViewer remote desktop software. These links download ZLoader malware onto the users’ system, creating a stealthy infection path that allows the attacker to install additional malware without detection.
This latest ZLoader campaign is an indirect method of infection compared to the traditional approach of phishing. Clicking the link executes a downloader that retrieves the core module and injects it into processes that are currently running on the host system. The latest version of ZLoader also includes other components, which is common practice for this malware family. Malwarebytes has published a paper in collaboration with HYAS that performs a detailed analysis of ZLoader, especially its Command-and-Control (C2) panel. It groups ZLoader variants according to values in their config files and also compares them with Zbots like Terdot that have recently become popular.
Ransomware Attacks against Water Treatment Plants
[Bob’s comment: I’ve been warning about attacks on water supply utilities for a while now. This article is from Bruce Schneier’s blog.]
[2021.10.19] According to a report from CISA last week, there were three ransomware attacks against water treatment plants last year.
WWS Sector cyber intrusions from 2019 to early 2021 include:
- In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
- In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.
- In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).
NOV
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com