Since the Colonial Pipeline and JBS meat processing security incidents, attention is finally being paid to the cybersecurity vulnerabilities of critical infrastructure in the U.S., and in particular to the effect on day-to-day life and national security if production at large, significant manufacturers is disrupted. In the wake of these recent incidents in the manufacturing sector, Unit 42 of Palo Alto Networks has published research that may be considered a warning to the manufacturing sector and is worth noting. The warning is about the activities of Prometheus, “a new player in the ransomware world that uses similar malware and tactics to ransomware veteran Thanos.”
According to the Executive Summary, Unit 42 “has spent the past four months following the activities of Prometheus” which “leverages double-extortion tactics and hosts a leak site, where it names new victims and posts stolen data available for purchase.” Prometheus claims to be part of REvil, but Unit 42 says it has “seen no indication that these two ransomware groups are related in any way.” Unit 42 further states that Prometheus claims to have victimized 30 organizations in different industries, in more than a dozen countries, including the U.S.
Prometheus came on the scene in February 2021 as a new variant of the Thanos strain. Unit 42 is unable to say how the Prometheus ransomware is being delivered, but surmises that it arrives through typical means, such as “buying access to certain networks, brute-forcing credentials or spear phishing for initial access.” Once inside, the operators first kill backup and security processes and then start encryption. The malware “drops two ransom notes” that carry the same information: that the network has been hacked and important files encrypted, and instructions for how to recover them. If the ransom demand is not met, the stolen data are published on the group’s leak site, which also posts the “leak status” of each victim. According to Unit 42, “[M]anufacturing was the most impacted industry among the victim organizations we observed, closely followed by the transportation and logistics industry.”
What we have seen in the past is that when ransomware groups are successful in one industry, they use what they learned from the initial attacks to target other companies in that sector, on the assumption that since the first attack worked, subsequent attacks will work as well. Because networks within an industry tend to be built the same way, attackers can compromise one victim, learn from it, and apply that knowledge to similarly situated targets with little additional effort.
With threat attackers’ focus on the manufacturing sector right now, we anticipate seeing more attacks against manufacturers from groups such as Prometheus.
The Associated Press has reported that the Metropolitan Washington, D.C. police department has been the victim of a hacking incident for which the Russian-based ransomware group Babuk is claiming responsibility. According to the department, the FBI is investigating the incident.
It is reported that the department’s police operations were not affected. Babuk claims that it stole sensitive data from the department. Some of the department’s data were being leaked on the internet this week, including lists of arrests and persons of interest to the department. Babuk alleges on its dark web site that it has downloaded 250 gigabytes of data from the department.
PCS Revenue Control Systems, Inc. (PCS) was hit with a proposed class action lawsuit last week alleging that it discovered a data breach from a hacking attack in December 2019 but failed to notify the affected students until March of 2021.
According to the lawsuit, student information was collected by PCS’s predecessor, Advanced Business Technologies (ABT), which provided food, nutrition, and technology services for K-12 schools. The information alleged to have been collected by ABT and in the possession of PCS after the acquisition included the names, dates of birth, Social Security numbers, and student identification numbers of 867,209 students who attended K-12 schools in Alabama, Florida, Georgia, and Texas. It is unclear why a nutrition vendor needs Social Security numbers of students to provide services.
Although the incident was allegedly discovered in December 2019, PCS sent notification letters to affected students and parents only in March 2021, offering one year of free credit monitoring.
In the category of “you can’t make this up but satisfyingly ironic,” it was recently reported that criminals who used the WeLeakInfo database to buy stolen credentials of individuals have had their own information compromised. It’s about time criminals get their just reward. Why would hackers treat other hackers any differently than the rest of us?
According to TechRadar and CyberNews, 24,000 criminals who used WeLeakInfo to purchase and sell compromised credentials of victims are now themselves victims, and their personal information is being sold on online forums. CyberNews reported that “the forum user is now selling highly sensitive information of former WeLeakInfo customers that made their illicit purchases using Stripe. The data available for sale includes their full names, IP addresses, addresses, partial credit card data, transaction dates, Stripe reference numbers and phone numbers…”
If it is being sold online, the information can also get into the hands of law enforcement, which should be a concern to the former WeLeakInfo customers, as the information should be very helpful to law enforcement.
A water treatment facility in the Tampa, Florida area was recently hacked through a popular remote-access software tool. The unidentified intruder used the software to connect to an on-site computer and, from that computer, opened the facility’s control panel. Once there, the intruder set a roughly 100x increase in the amount of sodium hydroxide (lye) to be added to the water supply. Small amounts of lye are used to control the acidity of water, but at such levels it is corrosive; drinking the water could be like drinking liquid drain cleaner.
There are many valuable and legitimate uses of remote-access software. This software allows a user to take full control of another computer as if they were sitting in front of it. The particular brand of remote-access software involved in this incident is popular with consumers and businesses and has more than 200 million users globally. It can be used by individuals to remotely access and troubleshoot their family members’ computer issues. However, there are now questions about whether remote-access software is appropriate to monitor and change controls at critical infrastructure facilities.
There are alternative approaches. Some critical infrastructure facilities permit remote-access software, but only to monitor the facility systems; any change must be made on site, from computers that are not reachable from external systems or software. Some in the critical infrastructure industry recommend requiring a VPN to reach the internal network at all, followed by a separate login with mandatory multi-factor authentication before the remote user can touch anything, and some recommend yet another login, inside the network, for the systems that actually control the plant.
Industry members are quick to point out that critical infrastructure systems often have multiple safeguards to prevent extreme manipulation. For example, many water treatment facilities have physical limits on the quantity of chemicals that can be introduced into the system over any given period, so that even a setpoint programmed to a dangerous value would be throttled in the speed and amount of chemical actually pumped. But if a hacker can remotely reach the system controls to change a quantity, could they also change the safeguards themselves? That depends on where the safeguard lives: a limit set by pump sizing or a separate hardwired interlock cannot be changed from the control panel, while a limit implemented as a configurable parameter on the same control system can be changed by whoever controls that system.
In the case of the Florida water facility, any possible crisis was averted because an attentive employee saw the controls being changed, and notified the company, which notified the police. The increases in sodium hydroxide were quickly reversed.
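The two defenses discussed above, monitor-only remote access and a dosing limit enforced below the control panel, as an added example in Python. This is illustrative code written for this post, not code from the facility or from any vendor; the chemical limits, the session labels and the 100x request replayed against the guard are assumptions chosen to mirror the reported incident.

```python
"""Added example, not code from the original post or from any water utility:
two independent guards on a chemical-dosing setpoint, modelled on the
defenses described above. Guard 1 makes remote sessions monitor-only.
Guard 2 enforces a hard ceiling and a maximum per-command step below the
HMI, so changing the setpoint from the control panel cannot by itself push
the dose to dangerous levels. All limits and names are assumed."""
from dataclasses import dataclass, field
from typing import List

# Assumed numbers; a real plant takes these from its process engineers.
NORMAL_NAOH_PPM = 100.0    # normal sodium hydroxide dose
HARD_CEILING_PPM = 200.0   # ceiling enforced by the dosing controller, not editable from the HMI
MAX_STEP_PPM = 25.0        # largest change accepted in a single command


@dataclass
class DosingGuard:
    """Sits between the HMI and the dosing pump and decides which setpoint changes are applied."""
    setpoint_ppm: float = NORMAL_NAOH_PPM
    audit: List[str] = field(default_factory=list)  # what an attentive operator (or a SIEM) would see

    def request_setpoint(self, requested_ppm: float, session: str) -> bool:
        """Apply a setpoint request. session is "local" for an on-site console and
        anything else (e.g. "remote") for a remote-access session. Returns True if applied."""
        # Guard 1: remote sessions may look but not touch.
        if session != "local":
            self.audit.append(f"DENY {session} session tried to set {requested_ppm:g} ppm (remote is monitor-only)")
            return False
        # Guard 2a: absolute ceiling, independent of anything configurable at the HMI.
        if not 0.0 <= requested_ppm <= HARD_CEILING_PPM:
            self.audit.append(f"DENY {requested_ppm:g} ppm is outside 0..{HARD_CEILING_PPM:g} ppm")
            return False
        # Guard 2b: rate-of-change limit; a 100x jump cannot be done in one command.
        if abs(requested_ppm - self.setpoint_ppm) > MAX_STEP_PPM:
            self.audit.append(f"DENY step {self.setpoint_ppm:g}->{requested_ppm:g} ppm exceeds {MAX_STEP_PPM:g} ppm")
            return False
        self.audit.append(f"APPLY {self.setpoint_ppm:g}->{requested_ppm:g} ppm from {session} session")
        self.setpoint_ppm = requested_ppm
        return True

    def pump_command(self, commanded_ppm: float) -> float:
        """Final clamp at the pump driver. Even a controller that has been tampered
        with cannot command more than the ceiling through this path."""
        return min(max(commanded_ppm, 0.0), HARD_CEILING_PPM)


def replay_incident() -> DosingGuard:
    """Replay the reported attack against the guard: a remote session asks for a
    100x dose, the same request is retried as if from a local console, and then a
    routine adjustment is made to show that normal operation still works."""
    guard = DosingGuard()
    guard.request_setpoint(NORMAL_NAOH_PPM * 100, session="remote")  # the remote-access path
    guard.request_setpoint(NORMAL_NAOH_PPM * 100, session="local")   # even on site, the ceiling holds
    guard.request_setpoint(110.0, session="local")                  # a routine adjustment is applied
    return guard


if __name__ == "__main__":
    g = replay_incident()
    print("\n".join(g.audit))
    print("final setpoint:", g.setpoint_ppm, "ppm")
```

The point of the split is that Guard 2 does not trust Guard 1: if the remote-access tool, the VPN or the MFA login is bypassed, the ceiling and step limit still hold, and the audit list gives an operator or a monitoring system the same signal the attentive employee relied on.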
The incident remains under investigation by the FBI and Secret Service, as well as local law enforcement officials.
New York Governor Andrew Cuomo recently announced his proposal for a comprehensive data security law that will “provide New Yorkers with transparency and control over their personal data and provide new privacy protections.” The proposal also would establish a Consumer Data Privacy Bill of Rights that would guarantee “the right to access, control, and erase the data collected from them; the right to nondiscrimination from providers for exercising these rights; and the right to equal access to services.”
According to the state of New York’s website announcing the initiative, the proposal also “expressly protects sensitive categories of information including health, biometric and location data and creates strong enforcement mechanisms to hold covered entities accountable for the illegal use of consumer data. New York State will work with other states to ensure competition and innovation in the digital marketplace by promoting coordination and consistency among their regulatory policies.”
This proposal is promising and, if passed, would mean that New York joins California in enacting a comprehensive consumer privacy law. We will follow the proposal closely to see how it adds to New York’s Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), signed in 2019, which expanded the state’s breach notification law and requires any business holding New York residents’ private information to maintain reasonable safeguards. (The 2017 cybersecurity regulation for the financial services industry is a separate rule issued by the New York Department of Financial Services.)
Indian news outlet Inc42 has reported that the ShinyHunters hacking group found some shiny objects when it was able to compromise the personal information of hundreds of thousands of individuals using the crypto exchange BuyUCoin.
The hackers were able to compromise and subsequently leak a BuyUCoin database that contained names, telephone numbers, email addresses, tax identification numbers and bank account information of users. Different reports say that the number of users who were affected by the compromise ranges from 161,000 to 325,000 users.
Although BuyUCoin initially denied the reports, it recently indicated that it is investigating and that no user funds had been affected.
Users of the Parler social media platform who participated in the riots last week at the U.S. Capitol are reportedly uneasy following the announcement that several activist hackers archived posts as they were happening in real time during the riots, and that they will release the posts publicly to assist law enforcement with investigations. Another activist hacker is reported to have said that she archived material as it was being posted to show how the platform was used to plan the attack and for communication by participants during the assault.
Parler is reported to have been a popular mode of communication during the months leading up to the election last fall after Facebook and Twitter began reviewing and labeling content that was false or misleading.
One of the activist hackers alleges that she archived 30 terabytes (equal to 30,000 gigabytes) of publicly-available posts of the events leading up to and during the riots so they would be preserved before the platform was taken down, which occurred on Monday.
Some of the archived data include location data that was captured while participants posted during the riot and that was obtained legally, from the publicly available posts themselves. The GPS data show that Parler users were posting videos and pictures while inside the Capitol, including both chambers of Congress and the offices of some politicians.
As the holiday shopping season comes to an end, consumers should still be aware that hackers are sending fake delivery notifications appearing to come from companies like FedEx and UPS, especially as the last few days of package arrivals pass by. The hackers’ messages prompt consumers to enter personal information, such as credit card numbers, to resolve a supposed problem with package delivery, or launch malware or ransomware as soon as a link is clicked. According to a recent CNBC report on this “shipageddon” launched by hackers, one consumer received an email message appearing to be from UPS informing him that his package could not be delivered. Once he clicked the link provided to solve the issue, his screen started flashing and his computer was encrypted with ransomware requesting 150 bitcoins (or about $66,000). Upon the consumer’s refusal, his computer was wiped clean.
According to the CNBC report, fraudulent delivery messages rose by 440 percent from October to November, according to data from cybersecurity firm Check Point Software Technologies, and fraudulent shipping messages overall are up 72 percent since November 2019. Don’t fall victim to these scams. Correct spelling and company logos are easy to copy, so at a minimum, before clicking a provided link or offering up personal information, check that the sender’s address and the link’s actual destination belong to the carrier, and when in doubt, enter the tracking number on the carrier’s own website instead of following the link.
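The sender and link checks just described, as an added example in Python written for this post (not code from CNBC, Check Point or any carrier). The carrier allowlist and the two sample messages are constructed for illustration; the domain logic is a deliberately simple last-two-labels comparison.

```python
"""Added example, not part of the original post: a small checker for delivery-
notice emails that flags the signals the text warns about: a carrier named in
the From line or subject but sent from a non-carrier domain, links whose real
target is not the carrier, and links whose visible text shows a different host
than the one they point to. The carrier allowlist and both samples are constructed."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Assumed allowlist for the example; a real deployment would maintain its own.
CARRIER_DOMAINS = {"ups.com", "fedex.com", "usps.com"}
CARRIER_WORDS = ("ups", "fedex", "usps")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the .com carriers in this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _body_text(msg: Message) -> str:
    """Return the first text/html or text/plain part, decoded."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def check_delivery_email(raw: str) -> List[str]:
    """Return the reasons a message looks like a delivery-scam lure (empty if none)."""
    msg = message_from_string(raw)
    findings: List[str] = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    header_text = (display + " " + msg.get("Subject", "")).lower()
    if any(w in header_text for w in CARRIER_WORDS) and registered_domain(sender_host) not in CARRIER_DOMAINS:
        findings.append(f"sender domain {sender_host!r} is not a carrier domain")

    collector = _LinkCollector()
    collector.feed(_body_text(msg))
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        if registered_domain(href_host) not in CARRIER_DOMAINS:
            findings.append(f"link target {href_host!r} is not a carrier domain")
        # Visible text that looks like a URL on a different host is a classic lure.
        if "://" in text or text.startswith("www."):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registered_domain(shown) != registered_domain(href_host):
                findings.append(f"link shows {shown!r} but points to {href_host!r}")
    return findings


# Constructed samples (not real messages). The scam one uses the carrier's name as a
# subdomain of an attacker-controlled host, a pattern a logo-and-spelling check misses.
SCAM_SAMPLE = """\
From: "UPS Delivery" <notice@ups-delivery-update.example>
Subject: Action required: your package could not be delivered
Content-Type: text/html; charset="utf-8"

<p>We could not deliver your package. Confirm your details to reschedule.</p>
<a href="http://ups.com.track-fix.example/redeliver">https://www.ups.com/track</a>
"""

LEGIT_SAMPLE = """\
From: "UPS" <noreply@ups.com>
Subject: Your package is on its way
Content-Type: text/html; charset="utf-8"

<p>Track your shipment:</p>
<a href="https://www.ups.com/track?loc=en_US">Track package</a>
"""

if __name__ == "__main__":
    for name, sample in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, check_delivery_email(sample))
```

The checker deliberately ignores spelling and branding and looks only at where the mail came from and where its links actually go, which is what a reader should do by hand: hover over the link and read the host, and compare the sender’s domain with the carrier’s.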
To file in the “no one is immune from a sophisticated attack” category, the well-known and respected security firm FireEye publicly announced this week that it was attacked by a state-sponsored (that is, foreign-government-backed) hacking group, which successfully obtained its “red team tools.” This is very concerning: the red team tools are the “special sauce” FireEye uses to test its clients’ security maturity and find their vulnerabilities, and in hostile hands they could serve as a roadmap for breaking into U.S. government or private company systems.
Kudos to FireEye for making this public so the U.S. government, critical infrastructure and private companies can be on the alert for the tools to be used against them. FireEye has stated that it is working on over 300 countermeasures to assist in combatting the use of its proprietary tools by these adverse threat actors.
Unfortunately, this incident is a cold, hard, awful reminder that even the most sophisticated security firm can become the victim of a cyberattack, and since that is the case, all companies are at extreme risk of an attack and exfiltration of data.
FireEye appears poised to assist in combatting the effects of the incident, so keep a close eye on those measures. We will keep you updated as well.