The advisory comes the same week as a warning from the EU's ENISA about potential for ransomware attacks on OT systems in the transportation sector.

The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued advisories for a total of 49 vulnerabilities in eight industrial control systems (ICS) used by organizations in multiple critical infrastructure sectors — some unpatched.

The need for organizations in critical infrastructure sectors to consider cybersecurity is growing. ICS and operational technology (OT) environments are no longer air-gapped, segmented as they once used to be, and are increasingly accessible over the Internet. The result is that both ICS and OT networks have become increasingly popular targets for both nation-state actors and financially motivated threat groups.

That's unfortunate given that many of the vulnerabilities in CISA's advisory are remotely exploitable, involve low attack complexity, and allow attackers to take control of affected systems, manipulate and modify settings, escalate privileges, bypass security controls, steal data, and crash systems. The high-severity vulnerabilities are present in products from Siemens, Rockwell Automation, Hitachi, Delta Electronics, Keysight, and VISAM.

The CISA advisory coincided with a report from the European Union on threats to the transportation sector that also warned about the potential for ransomware attacks on OT systems used by aviation, maritime, railway, and road transport agencies. At least some of the vulnerable systems in CISA's advisory pertain to organizations in the transportation sector as well.

**Low-Complexity, High-Impact Vulnerabilities**

Seven of the 49 vulnerabilities in CISA's advisory are in Siemens' RUGGEDCOM APE1808 technology and currently have no fix. The vulnerabilities allow an attacker to elevate privileges on a compromised system, or to crash it. Organizations in multiple critical infrastructure sectors around the globe currently use the product to host commercial applications.

Seventeen other flaws are present in various third-party components that are integrated into Siemens' Scalance W-700 devices. Organizations in multiple critical infrastructure sectors use the product including those in chemical, energy, food, and agriculture and manufacturing. Siemens has urged organizations using the product to update its software to v2.0 or later and to implement controls for protecting network access to the devices.

Thirteen of the newly disclosed vulnerabilities affect Delta Electronic' InfraSuite Device Master, a technology that organizations in the energy sector use to monitor the health of critical systems. Attackers can exploit the vulnerabilities to trigger denial-of-service conditions or to steal sensitive data that could be of use in a future attack.

Other vendors in CISA's advisory, with multiple vulnerabilities in their products are Visam, whose Vbase Automation technology accounted for seven flaws and Rockwell Automaton with three flaws in its ThinManager product used in the critical manufacturing sector. Keysight had one vulnerability in its Keysight N6845A Geolocation Server for communications and government organizations and Hitachi updated information on a previously known vulnerability in its Energy GMS600, PWC600, and Relion products.

This is the second time in recent weeks where CISA has warned organizations in critical infrastructure sectors about serious vulnerabilities in systems they use in industrial and operational technology environments. In January, the agency issued a similar alert on vulnerabilities in products from 12 ICS vendors, including Siemens, Hitachi, Johnson Controls, Panasonic, and Sewio. As with the current set of flaws, many of the vulnerabilities in the previous advisory also allowed threat actors to take over systems, escalate privileges and create other havoc in ICS and OT settings.

**OT Systems in the Crosshairs**

Meanwhile, a report this week from the European Union Agency for Cybersecurity (ENISA) on cyberthreats to the transportation sector warned of potential ransomware attacks against OT systems, based on an analysis of 98 publicly reported incidents in the EU transportation sector between January 2021 and October 2022. 

The analysis showed that financially motivated cybercriminals were responsible for some 47% of the attacks. A plurality of these attacks (38%) was ransomware related. Other common motivations included operational disruptions, espionage, and ideological attacks by hacktivist groups.

Though OT systems were sometimes collaterally damaged in these attacks, ENISA's researchers found no evidence of directed attacks on them in the 98 incidents it analyzed. "The only cases were OT systems and networks were affected were either when entire networks were affected or when safety-critical IT systems were unavailable," the ENISA report said. However, the agency expects that to change. "Ransomware groups will likely target and disrupt OT operations in the foreseeable future."

The European cybersecurity agency's report pointed to an earlier ENISA analysis that warned of ransomware actors and other new threat groups tracked as Kostovite, Petrovite, and Erythrite targeting ICS and OT systems and networks. The report also highlighted the continued evolution of ICS specific malware such as Industroyer, BlackEnergy, CrashOverride, and InController as signs of growing attacker interest in ICS environments.

"In general, adversaries are willing to dedicate time and resources in compromising their targets to harvest information on the OT networks for future purposes," the ENISA report said. "Currently, most adversaries in this space prioritize pre-positioning and information gathering over disruption as strategic objectives."

CISA Warns on Unpatched ICS Vulnerabilities Lurking in Critical Infrastructure

**SAN JOSE, Calif.****,** **March 22, 2023** **/PRNewswire/ --** Vectra AI, the leader in AI-driven hybrid cloud threat detection and response, today announced the introduction of Vectra Match. Vectra Match brings intrusion detection signature context to Vectra Network Detection and Response (NDR), enabling security teams to accelerate their evolution to AI-driven threat detection and response without sacrificing investments already made in signatures.

"As enterprises transform embracing digital identities, supply chains and ecosystems — GRC and SOC teams are forced to keep pace. Keeping pace with existing, evolving and emerging cyber threats requires visibility, context and control for both known and unknown threats. The challenge for many security organizations is doing so without adding complexity and cost," says Kevin Kennedy, SVP Products at Vectra. "Vectra NDR now enables security teams to unify signatures for known threats and AI-driven behavior-based detection for unknown threats in a single solution."

With the addition of Vectra Match, Vectra NDR addresses core GRC and SOC use cases enabling more efficient and effective:

*   Correlation and validation of threat signals for accuracy.
*   Compliance for network-based CVE detection with compensating controls.
*   Threat hunting, investigation and incident response processes.

According to Gartner®, "recent trends in the NDR Market indicate many NDR offerings have expanded to capture new categories of events and to analyze additional traffic patterns. This includes **new detection techniques:** by adding support for more traditional signatures, performance monitoring, threat intelligence and sometimes malware detection engines. This move toward more multifunction network detection aligns well with the use case of network/security operations convergence, but also with midsize enterprises."1

"The attack surface cyber attackers have at their disposal continues to grow exponentially creating unknown threats on top of the tens of thousands of known vulnerabilities that exist. Attackers simply have exponentially more ways to infiltrate an organization and exfiltrate data — and do so with far more frequency, velocity and impact. Keeping pace with attackers exploiting known vulnerabilities and unknown threats is an immense challenge for every Security, Risk and Compliance officer," says Ronald Heil, Global Risk Advisory Lead for Energy and Natural Resources and Partner at KPMG Netherlands. "Today, cyber-resilience and compliance requires complete visibility and context for both known and unknown attacker methods. Without it, disrupting and containing their impact becomes an exercise in brand reputation and customer trust damage control. Vectra Match capabilities allow us to combine both worlds, having the continued AI-based detection of real-time "movement", while also having the ability to check against specific Suricata indicators — often required during incident response or proof of compliancy (e.g., Log4J). Consolidating AI-based and signature-based detection enables optimization, because in our case, less is more."

"When it comes to shadow IT, we know people with admin rights are 'building boxes off the grid.' Our SOC team cannot protect what we cannot see, thus making these unknown systems prime targets for attackers. No doubt, behavior-based AI-driven detections are great for catching attackers deploying new, evasive methods, but when it comes to attackers leveraging CVEs to compromise unknown, unpatched systems, we need signature-based detection. Combining signature-based detection with behavior-based detection gives our SOC team visibility for both the known-unknown and unknown-unknown threats. It's the best of both worlds," says Brett Fernicola, Sr. Director, Security Operations at Anywhere.re.

**Vectra NDR with Vectra Match**

Vectra NDR — a key component of the Vectra platform — provides end-to-end protection against hybrid and multicloud attacks. Deployed on-premises or in the cloud, the Vectra NDR console is a single source of truth (visibility) and first line of defense (control) for attacks traversing cloud and data center networks. By harnessing AI-driven Attack Signal Intelligence, Vectra NDR empowers GRC and SOC teams with:

*   AI-driven Detections that think like an attacker by going beyond signatures and anomalies to understand attacker behavior and zero in on attacker TTPs across the entire cyber kill chain post compromise, with 90% fewer blind spots and 3x more threats proactively identified.
*   AI-driven Triage that knows what is malicious by utilizing ML to analyze detection patterns unique to the customer's environment to score how meaningful each detection is, thus reducing 85% of alert noise — surfacing only relevant true positive events that require analyst attention.
*   AI-driven Prioritization that focuses on what is urgent by automatically correlating attacker TTPs across attack surfaces, evaluating each entity against globally observed attack profiles to create an attack urgency rating enabling analysts to focus on the most critical threats to the organization.

Vectra NDR empowers security and risk professionals with next-level intrusion detection. Armed with rich context on both known and unknown threats, GRC and SOC teams not only improve the effectiveness of their threat detection, but the efficiency on their threat hunting, investigation and incident response program and processes. Vectra NDR with Vectra Match is available for evaluation and purchase today. For additional information, please visit the following resources.

**Blog:** Vectra AI Announces Vectra Match for Signature-Based Detections

**Solution Brief:** Stop Network Exploits with Vectra NDR and Vectra Match 

**Product page:** Vectra NDR

**About Vectra**

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. Only Vectra optimizes AI to detect attacker methods — the TTPs at the heart of all attacks — rather than simplistically alerting on "different." The resulting high-fidelity threat signal and clear context enables cybersecurity teams to rapidly respond to threats and stop attacks from becoming breaches. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure — both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization. For more information, visit vectra.ai. 

1Gartner Market Guide for Network Detection and Response, Published 14 December 2022 \- ID G00730869 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

SOURCE Vectra

Vectra Unifies AI-Driven Behavior-Based Detection and Signature-Based Detection

**HERZLIYA,** **Israel** **and** **PALO ALTO, Calif.****,** **March 22, 2023** **/PRNewswire/ --** XM Cyber, the leader in hybrid cloud security, announced today the acquisition of Confluera, a pioneer in next-generation cyber attack detection and response for the cloud. XM Cyber now offers a comprehensive CNAPP (Cloud Native Application Protection Platform) solution using its unique attack path modeling to prioritize and assess real risk to the critical assets in your cloud environment.

Together with Confluera, XM Cyber's Continuous Exposure Management platform will provide all aspects of cloud security, from identifying and fixing risk regarding cloud identities (CIEM), identifying vulnerabilities and the detection and response of actual cyber attacks in real time (CWPP), and best practice and compliance management (CSPM).

The rapid rise in sophisticated attacks across hybrid cloud environments requires organizations to equip themselves with a dual strategy that combines advanced preventative capabilities with active detection and response. Classic EDRs that were originally meant for endpoint protection aren't equipped to deal with the runtime protection of cloud infrastructures. Detection in the cloud requires the next-generation capabilities of CxDR (Cloud eXtended Detection and Response), which leverages visibility from different vantage points and accurately combines them to identify multi-stage attacks propagating across distributed cloud environments.

The XM Cyber solution enables organizations to see their on-prem and cloud environments just like an attacker would and identify weaknesses that can potentially be exploited on attack paths to critical assets. With the addition of Confluera, organizations will now have the ability to continuously monitor their cloud environments in real-time to see if they are actually being exploited and effectively block the attacker's progress before any damage is caused.

"We work so well together because we're both looking at the environment through attack path modeling," said Boaz Gorodissky, co-founder and CTO of XM Cyber. "For example, XM Cyber shows our customers how an attacker could take advantage of a cloud secret found in the on-prem environment, move into the cloud, escalate privileges of an EC2, and compromise S3 buckets with sensitive information through a chain of events. Now with Confluera, we will detect if this attack path is actually happening in real time, alert our customers and help them stop the attack before it reaches the S3 buckets."

Confluera co-founder and CTO Abhijit Ghosh, who will be leading the development and integration of the CxDR with XM Cyber as VP CxDR, added: "We are very excited to join forces with XM Cyber to deliver a comprehensive cloud security platform. The technologies complement one another. They cover the prevention and detection aspects of security, with a common attack path modeling-based approach of unifying diverse visibility to identify multi-stage attacks. We are thrilled about leveraging this synergy to address our shared mission of protecting hybrid cloud environments from advanced attacks." Confluera co-founder Niloy Mukherjee further added that "the offensive cybersecurity knowledge of XM Cyber's research team will greatly enrich Confluera's engine to discover and intercept any form of security threat possible across any cloud plane."

The acquisition of Confluera comes less than a year after XM Cyber acquired Cyber Observer to expand its CSPM capabilities.

"Integrating Confluera into our offering just made so much sense. We compared their detection capabilities on workloads with a prominent CWPP solution and were able to detect several attacks that the other CWPP solutions did not. And perhaps just as significantly, it did not create unnecessary noise for the security teams," said Noam Erez, co-founder and CEO of XM Cyber. "Today, security teams are overwhelmed with an overwhelming amount of alerts and multiple security tools that they can't keep track of. They are demanding the consolidation of solutions that can accurately and holistically analyze risk and pinpoint high priority exposures to be remediated efficiently. Confluera aligns perfectly with this core value that we deliver within our suite of services and is a natural fit for us."

The new real-time detection and response capabilities will be available to XM Cyber customers soon. To learn more, please visit: confluera.com. XM Cyber will be attending RSA 2023 and providing demos at their booth #1755 in the South Hall Expo. 

**About XM Cyber** 

XM Cyber is a leading hybrid cloud security company that's changing the way organizations approach cyber risk. XM Cyber transforms exposure management by demonstrating how attackers leverage and combine misconfigurations, vulnerabilities, identity exposures, and more, across AWS, Azure, GCP, and on-prem environments to compromise critical assets. With XM Cyber, you can see all the ways attackers might advance, and all the best ways to stop them, pinpointing where to remediate exposures with a fraction of the effort. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, and Israel.

**About Confluera**

Confluera is the leading provider of next-generation Cloud eXtended Detection and Response (CxDR) solutions. Founded by Abhijit Ghosh and Niloy Mukherjee, Confluera's patented real-time attack storyboarding, built for hybrid cloud environments, gives organizations full visibility into active attack progressions and helps to drastically reduce the industry average time to detect and respond to advanced attacks. To learn more about Confluera's award-winning solution, visit confluera.com.

XM Cyber Announces Acquisition of Confluera, Adding Run-Time Protection on Cloud Workloads

A new Tech Insight report examines how the enterprise attack surface is expanding and how organizations must deal with vulnerabilities in emerging technologies.

Keeping applications and networks secure can seem like a Sisyphean task. No matter how much time and resources security and IT teams devote to vulnerability assessment, patching, and other mitigations to reduce cyber-risk, they are not enough. In fact, vulnerability management can feel like a series of never-ending tasks.

There is no shortage of vulnerabilities under attack by criminals. Last year saw major vulnerabilities, such as Log4Shell, Ruby on Rails (Follina), and Spring4Shell, plus flaws in Google Chrome, F5 BIG-IP, Microsoft Office, and Atlassian Confluence, to name a few.

The Cybersecurity Infrastructure Agency's Known Exploited Vulnerabilities catalog currently lists vulnerabilities in widely used enterprise applications, such as Oracle eBusiness suite, SugarCRM, Zoho, Control Web Panel, and Microsoft Exchange Server.

And common, yet dangerous vulnerabilities persistently make their way into Web applications, such as broken access control, cryptographic failures, security misconfigurations, and vulnerable and outdated components.

However, enterprise security teams can’t consider their jobs done just by mitigating these types of vulnerabilities. As they adopt new technologies, enterprises need to expand their vulnerability and attack surface management programs accordingly.

A new Dark Reading Tech Insight report examines key areas for enterprise security teams to pay attention to: firmware, 5G networks, edge computing, operational technology and IT convergence, cloud vulnerabilities and misconfigurations, vulnerabilities in open source software, and vulnerabilities in continuous software development pipelines. The report details these types of vulnerabilities and how to mitigate them.

10 Vulnerability Types to Focus On This Year

**WOBURN, Mass.****,** **March 22, 2023** **/PRNewswire/ --** Kaspersky has released new survey results showing that one third of crypto owners in the U.S. have experienced theft of their currency or other assets, at an average cost of $97,583. This, and other findings, are part of a new report, "Crypto Threats 2023," based on a survey of 2,000 American adults in October 2022.

Crypto trading has skyrocketed in popularity in recent years. Twenty-four percent of respondents to the survey said they currently own cryptocurrency or other crypto assets. However, scammers are continuously seeking new ways to capitalize on that popularity and defraud users, with tactics such as impersonating legitimate exchanges or launching phishing attacks to steal login credentials. They also use cryptojacking malware to generate currency by stealing computing resources from unknowing victims.

A third of respondents who said they own or have owned cryptocurrency or other crypto assets said they have fallen victim to a fraudulent crypto\-related website, app or investment scam at some point. Among those victims, 19% said they experienced identity theft as a result, while 27% had payment details stolen and money taken from their bank account.

"From fake apps to cryptojacking, there is a long list of threats lurking online to target cryptocurrencies," said Marc Rivero, senior security researcher at Kaspersky's Global Research and Analysis Team. "Without any regulation or established common knowledge, people need to take care to protect themselves. This survey data shows a lot of people are getting their crypto stolen and even experiencing identity theft. Users should keep a close eye out for scams, and should employ any extra security measures that are available to them, such as multi-factor authentication."

The survey revealed that there is often more users could be doing to protect their crypto assets. On average, respondents said the last time they checked on their crypto investments was six weeks ago. Twenty-seven percent of users said they keep their crypto stored in an exchange account with no added protection, while only 34% use multi-factor authentication to protect their account. Only 15% of users said they use a "cold wallet," storing their crypto in external storage not connected to the internet. Thirty-two percent of respondents who own or have owned cryptocurrency or other crypto assets said they have lost access to a crypto\-related account at some point.

The survey also yielded some interested findings with respect to age differences among crypto traders. Thirty-six percent of respondents aged 25-44 said they currently own cryptocurrency or crypto assets, compared to just 10% of respondents aged 55 and up. Older respondents who do own crypto, however, appeared to be doing a much better job at protecting their assets. Just 8% of crypto owners aged 55+ said they have had cryptocurrency or a crypto asset stolen, and only 14% in that age group said they have fallen victim to a fraudulent crypto\-related app, website or investment scam. Meanwhile, nearly half (47%) of crypto owners aged 18-24 said they had been victimized by theft, with 46% saying they've fallen victim to a scam.

The full report is available here.

In order to avoid falling victim to cryptocurrency\-related scams, Kaspersky recommends:

*   Use strong and unique passwords for each of your crypto accounts. This will help prevent password cracking and brute force attacks.
*   Avoid phishing attacks: Be wary of suspicious emails and links, and always double-check the URL before entering your login information.
*   Don't share your private keys: your private keys unlock your cryptocurrency wallet. Keep them private and never share them with anyone.
*   Use security solutions: a reliable security solution will protect your devices from various types of threats. Kaspersky's consumer portfolio prevents cryptocurrency fraud, as well as unauthorized use of your computer's processing power to mine cryptocurrency.

**About Kaspersky**

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments, and consumers around the globe. The company's comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies, and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

SOURCE Kaspersky

Kaspersky Survey Finds One in Three Users Have Experienced CryptoTheft

With more than $36M nearly swindled away, an almost-successful BEC attempt in the commercial real estate space shows how sophisticated and convincing fraud attacks are becoming.

In an attempt to fraudulently obtain more than $36 million, a threat actor emailed an escrow officer and their client, a commercial real estate company, while impersonating the senior vice president and general counsel of a trusted partner company. The business email compromise (BEC) attack was caught due to a flaw in a domain name, behavioral AI, and an advanced modeling system.

Included in the email was an invoice and instructions for payment for a loan worth $36.4 million. While this may be a number that might ring alarm bells for anyone else, commercial real estate involves the use of large-sum loans, according to an analysis from Abnormal Security, so there was no initial concern. A false company letterhead was used to legitimize the scam, and the cyberattackers added another reputable real estate investment company to the email chain to make it even more convincing. 

The escrow officer may have fallen for it, but the BEC attempt was caught due to artificial intelligence (AI) technology spotting signs of fraud, such as discrepancies in the wiring instructions, newly registered email domains, and irregular language patterns in the email. In addition to this, there was a minor change in the sender domain from ".com" to ".cam."

Though this attempt was caught, BEC attacks are becoming more popular — increasing by 84% in the first half of 2022 alone. They are continuing to prove to be successful against organizations, particularly those without multifactor authentication or security awareness training.

AI might be increasingly necessary to catch ever-more-savvy BEC attacks. "As attackers shift from executive impersonation to vendor fraud and increase their payment requests, the need for security leaders to keep their organizations safe increases," according to Abnormal Security. "Because modern supply chain attacks use seemingly genuine messages, traditional tools which look for indicators like malicious attachments are becoming less effective."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

$36M BEC Fraud Attempt Narrowly Thwarted by AI

Attackers claiming to be part of the Chinese navy are making calls to commercial Qantas pilots midair, while GPS, comms systems, and altimeter instruments are all experiencing denial of service.

Australia's Qantas Airways is warning pilots about ongoing signal interference on VHF communications channels from "stations purporting to represent the Chinese military," on commercial flights over the western Pacific Ocean and South China Sea.

The Australian flagship airline also warned that some flights are experiencing jamming of their GPS systems, causing denial of service (DoS), in incidents "suspected to originate from warships operating off the northwest shelf of Australia."

To boot, this is not the only China-related activity in the world of aviation in the region; on March 2, the International Federation of Air Line Pilots' Associations (IFALPA) noted that military warships located in the South China Sea, Philippine Sea, and the Eastern Indian Ocean were placing VHF calls to some passenger flights and military aircraft.

"In some cases, the flights were provided vectors to avoid the airspace over the warship," according to the alert. "We have reason to believe there may be interferences to GNSS and RADALT as well."

GNSS, short for global navigation satellite system, can be used interchangeably with GPS; RADALT stands for "radar altimeter," and refers to the instrumentation that pilots use to gauge how far above the ground an airplane is flying.

**Calculating the Physical Safety Dangers**

Though the news seems alarming, Qantas is telling flight crews to carry on with their designated flight plan should they see the unusual activity but to report the interference to the controlling air traffic control (ATC) authority. Meanwhile, a spokesperson told Aviation International News that Qantas does not consider the activity to be a physical safety threat.

Ken Munro, a co-founder at Pen Test Partners and a specialist in operational technology (OT) cybersecurity for aviation, says that while the incidents on their face "shouldn’t be of immediate concern," that's not to say the activity couldn't become dangerous in the right situation.

"GPS is only one of a number of methods for pilots to determine their position, though it is generally the most relied upon," he explains. "Inertial reference and radio navigation aids can be used to cross-check position. Indeed, these were the primary methods used prior to the advent of GPS."

He adds, "GPS and RADALT jamming are less of a concern when in the cruise at high altitude. However, errors in position or altitude when on approach are another matter, though much harder to intentionally create when near an airport."

Munro notes that jamming can also be concerning if it's part of a chain of attack or coincides with other alert-worthy activity that might be going on.

"Incidents in the airplane often start with cascade of issues, often with a simple problem starting a chain of events that leads to a more significant problem," he says.

**Motivation: A New Cyber-Air Frontier?**

Researchers note that if the perpetrators are the Chinese military, the signal interference could have several motivations.

"It's one thing for a warship to ask a commercial airliner to 'please go around us,' and something else entirely to directly interfere with their signals," says Mike Parkin, senior technical engineer at Vulcan Cyber. "On many levels, this feels like an extension of the tactics we've seen from cybersecurity threats originating with Chinese state and state-sponsored groups. Though this presents more of a potential physical threat, and interfering with commercial air traffic is a much more blatant show of power than a typical cyberattack."

NetRise CEO Tom Pace, a firmware security expert specializing in aviation, cautions that the jamming might be unintentional and that no one should jump to conclusions. "It is impossible to state the intention of the Chinese military or even if these actions are purposeful," he says. "This could simply be commercial airlines flying through a region in which the Chinese military is operating, or it could be a more active engagement where the Chinese military is seeing what they can get away with."

Mike Hamilton, CISO of Critical Insight, suspects that the activity was triggered by geopolitical events.

"This is yet another example of how geopolitical tensions are showing up as cyber events that are directed at infrastructure," he says. "I note that the Biden administration just announced a nuclear submarine deal with Britain and Australia, and this is likely the Chinese government expressing its feelings about that deal."

**Better Aviation Security Must Take Flight**

Hamilton notes that the activity points to the need for better OT security in the aviation space.

"The constellation of GPS satellites has been known to be vulnerable for some time because of our dependence for navigation and time synchronization," he says. "This act should be a wake-up call for the administration to take swift action to deploy compensating security controls around GPS before this act becomes commonplace. Longer term, GPS signal integrity controls must be developed and deployed."

NetRises' Pace explains that commercial airliners don't have sophisticated anti-jamming technologies like military aircraft, and while planes can be flown manually if need be, a better failsafe for DoS events might be putting resources into identifying weaknesses in communications systems and instrumentation.

"The top airline safety concern/challenge regarding the cybersecurity of that OT environment is that there is a significant lack of visibility which translates to an inability to identify risk in these environments," he says.

Chinese Warships Suspected of Signal-Jamming Passenger Jets

Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.

An analysis of data associated with zero-day attacks in 2022 suggests that threat actors are increasingly probing for security weaknesses in edge-infrastructure technologies, including VPNs, firewalls, and IT management products.

Researchers from Mandiant tracked a total of 55 zero-day vulnerabilities that adversaries exploited in various malicious campaigns last year and found that 10 of them involved an Internet-facing edge device.

Among them were CVE-2022-1040 and CVE-2022-3236 in Sophos firewalls, CVE-2022-20821 in Cisco IOS, CVE-2022-42474 and CVE-2022-41226 in Fortinet's FortiOS, CVE-2022-288810 in Zoho ManageEngine, and CVE-2022-35247 in SolarWinds Serv-u.

**Hunting on the Edge**

Casey Charrier, Mandiant senior analyst at Google Cloud, says adversaries are focusing on edge technologies likely because they perceive enterprise organizations as having fewer capabilities around endpoint detection and response (EDR) than they have around network monitoring.

"That's definitely an element that we assess is a focus of Chinese threat groups right now," Charrier says. "As more organizations integrate Internet of Things (IoT) devices into their environment, they'll need to take this into consideration when evaluating security tools and the security of these devices."

The 55 zero-days that Mandiant observed adversaries using in 2022 are fewer than the all-time high of 81 that its researchers observed in 2021. Even so, the number was nearly three times higher than the 20 zero-days Mandiant observed being exploited in 2020.

**Chinese Actors Continue to Be Most Active Exploiters of Zero-Days**

As has been the case for some time now, Chinese state-sponsored threat groups exploited more zero-days in 2022 than any other threat group. Of the 13 zero-days that Mandiant was able to identify as likely exploited by a state-backed group, seven — or more than half — involved a Chinese advanced persistent threat (APT) group.

One example is CVE-2022-30190, a vulnerability in the Microsoft Windows Support Diagnostic Tool that enables remote code execution (RCE) via malicious Office documents, even when a user might have disabled macros. Chinese threat actors used the vulnerability, also referred to as "Follina," in numerous threat campaigns throughout the year, making it one of the most heavily exploited flaws of 2022.

Several of the zero-days that Chinese state actors leveraged in attacks last year targeted network devices. One example is CVE-2022-42475, a buffer-overflow flaw in FortiOS SSL VPN technology that a China-based actor used in a campaign last year to deliver a highly customized tool for exploiting Fortinet's FortiGate firewalls. Another flaw in this category that a Chinese actor abused is CVE-2022-41328, a path traversal vulnerability in FortiOS. Mandiant observed a Chinese group identified as UNC3886 exploiting the vulnerability in a potential cyber-espionage campaign. The same actor was previously associated with an attack campaign targeting VMware ESXi hypervisors using a new technique with malicious vSphere Installation Bundles.

Mandiant said it also observed zero-day exploit activity involving North Korean threat actors ticking up slightly in 2022 compared with previous years. The two zero-days that Mandiant identified North Korean actors exploiting were: CVE-2022-0609, a Google Chrome vulnerability that a North Korean group exploited in a campaign targeting the high tech, media, and financial sectors, and CVE-2022-41128, an RCE in Windows Server that North Korea's APT37 exploited in a phishing campaign.

**Financially Motivated Cyberattackers Want in on the Action Too**

Financially motivated threat actors continued to be another set of adversaries that actively exploited zero-day vulnerabilities last year, though not to the same extent as in 2021. Of the 16 zero-days for which Mandiant was able to attribute a motive, four were used in financially motivated attacks. Many of these attacks involved ransomware deployments. Examples include CVE-2022-29499, an RCE flaw in a Mitel VoIP appliance that a threat actor used to deploy Lorenz ransomware, and CVE-2022-41091, i.e. a Windows Mark of the Web flaw that the operator of the Magniber ransomware used in one campaign.

Since 2019, zero-day exploit activity involving ransomware groups has been increasing, says Charrier. "This is the case for a variety of reasons," Charrier notes. "For one, ransomware, as a proportion of all financially motivated activity, has continued to grow and take over the criminal ecosystem. Second, it can be more obfuscated in terms of tracking the money as well as tracking any sort of victim payments."

Microsoft, Google, and Apple topped the charts — as they always have — in terms of the number of zero-day vulnerabilities in their respective products. The three vendors together accounted for 37 of the 55 zero-days that Mandiant tracked last year. Fifteen of the zero-days in operating systems affected Windows and nine out of 11 browser zero-days were in Google Chrome.

At the same time, the number of zero-days that threat actors found and exploited in other technologies grew as well. As zero-day numbers increase, so do the number of vendors that are victims, Charrier says: "While the top three targeted vendors remain consistent, the variety of additional targeted vendors generally continues to expand and vary each year."

Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products

The government should not issue infrastructure regulations without the involvement of the industries it's regulating.

Last summer, the US Transportation Security Administration (TSA) rolled back some of its rules governing cybersecurity for oil and natural gas pipelines. While the oil and gas industry welcomed the changes, and the new rules marked a promising step toward public-private collaboration, there's still more work to be done. Particularly now, following the newly released National Cybersecurity Strategy, information sharing and collaboration are key to effectively protecting our critical infrastructure.

To start, the TSA's rollback — or some revision at least — was necessary. The TSA issued an initial directive in 2021, in the wake of the Colonial Pipeline hack, which exposed vulnerabilities to cyberattackers in a core component of the nation's energy infrastructure. But these rules were not well received by the industry. Pipeline operators were concerned about the directive's "aggressive" timelines. Some claimed that "the directive could require them to replace thousands of pieces of equipment all over the country," according to Tennessee Sen. Marsha Blackburn. Operators expressed concerns that the overhaul of so much equipment so quickly might itself create even worse security issues by introducing new technologies that hadn't yet been fully vetted into systems that had been running stably for decades.

The new rules, issued through a pair of directives (in June and July), and enhanced toward the end of the year, simultaneously extend and ease the TSA's cybersecurity requirements, bringing them more in line with what the industry was asking for. The new guidelines focus on more performance-based measures, rather than the prescriptive measures issued in 2021.

Progress, right? It depends on who you ask.

**Prescriptive vs. Pragmatic Rules**

The TSA's new pipeline rules are more pragmatic and more suited to the oil and gas industry's needs, but there's a trade-off: They are weaker.

The prescriptive nature of the first memo was out of touch with the reality of operational technology (OT). Many of the requirements were reasonable for the IT networks used by pipeline operators but were either not useful or directly unhelpful for the OT world, which has different technologies and different requirements, and operates in different environments.

The new memo effectively reduces the prescriptiveness to more realistic standards, so pipeline operators won't be penalized for failing to meet impossible requirements.

On the other hand, the new rules may be too loose to make any drastic improvements in our pipeline security. They are extremely simplified best practices, and it's difficult to see how anyone can be held accountable to them. For example, phrases like "timely manner" and "risk-based methodology" are qualitative measurements. Is a pipeline operator truly responding in a timely manner or not? Is their methodology risk-based or not? It's a judgment call.

So while this memo gives more flexibility for operators to enact reasonable changes, it may also leave too much wiggle room to pipeline operators.

**The Challenge of Patching OT Systems**

The reality is that ironclad regulation is nearly impossible. It's difficult for the government to push prescriptive guidelines with binary outcomes ("secure" or "not secure") in complex environments.

For example, many pipeline operators are running OT systems that are 30 or 40 years old. Some of these systems have been running continuously for decades and have never been connected to the Internet. The people who wrote the site-specific code are long since retired, and those who wrote the operating system are probably dead. Who are you going to call if something goes wrong?

The fact is, patching very old OT systems is riskier than leaving them unpatched. Regulation of any kind is not well suited to handling such situations — what's needed is deep local knowledge of the systems, complete awareness of what components are involved (especially any that connect to the Internet in any way) and what data they are transmitting (and to where), and a willingness to maintain security to the best of one's ability.

**Embracing Public-Private Cybersecurity Partnerships**

However, the TSA's new pipeline rules do show a way forward. While imperfect, the new rules are more reflective of public-private partnership than the initial directive, and that collaborative approach is reason to be hopeful.

When preparing their directive, the TSA asked for and received extensive input from industry stakeholders, as well as federal partners, including the Department's Cybersecurity and Infrastructure Security Agency (CISA).

The TSA has stated that it will continue to propose regulations to codify a number of cybersecurity requirements for pipelines over the year, and we hope that will continue to be done in partnership with the industry.

In short, the TSA should be commended for its multistakeholder approach. The type of industry consultation and review that went into the newer directives should be part of any future cybersecurity regulations affecting critical infrastructure. This is especially true given that 80% of critical infrastructure is run by the private sector.

When it comes to infrastructure, the government should not issue regulations without the active involvement of the industries it's regulating. True public sector cybersecurity depends on more public-private partnerships like this.

Pipeline Cybersecurity Rules Show the Need for Public-Private Partnerships

Administrator shutters the forum on fears that it had been breached by federal authorities but assured members it's not the end for the popular underground hacking site.

The BreachForums underground hacker site — which emerged to replace RaidForums nearly a year ago — now also has gone offline less than a week after its leader was arrested in New York.

The forum's administrator, who goes by the online moniker "Baphomet," said in a post on the group's Telegram channel March 19 that he was closing down the forum due to concerns that the FBI had access to the site, researchers from Dark Owl, a provider of Dark Web data and intelligence, said in a blog post.

Baphomet apologized to members of the forum for closing it down but said he would set up another Telegram group for further information and news, teasing that the launch of another site or other support for their activities was in the works, according to the post.

"I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is," he wrote in the message, according to a screenshot shared in the Dark Owl blog post. "You are allowed to hate me, and disagree with my decision, but I promise what is to come will be better for us all."

**BreachForums Leader Apprehended**

The shutdown came just five days after US federal agents arrested man called Conor Brian Fitzpatrick, who they allege is behind the forum's administrator handle "pompompurin," and its chief operator. Fitzpatrick was arrested in Peekskill, NY, on March 15, according to an affidavit made in a New York district court.

Fitzpatrick was charged with one count of conspiracy to commit access device fraud, and bail was set at $300,000, which was paid for by his parents, Dark Owl researchers said. When arrested, he admitted to his role as admin on BreachForums and the use of the alias, which the researchers said was surprising.

BreachForums emerged in April 2022 in the wake of the takedown of RaidForums, allowing users to buy and sell data obtained from cybercriminal activity, with site administrators running an escrow service ensuring that sellers received the funds that they had requested, the researchers said.

Cybercriminals widely used BreachForums to purchase stolen data and host data from controversial leaks, such as data stolen from the Washington, DC, healthcare exchange, they said. Pompompurin also conducted cyberattacks of his own, revealing in an interview for the KrebsOnSecurity site in November 2021 that he was responsible for sending fake emails using the fbi.gov domain, the researchers said.

This behavior is likely what put him in the crosshairs of federal authorities, according to Dark Owl. "He claimed at the time this was done to point out vulnerabilities in the FBI systems, but it undoubtedly put him higher on the FBI's radar, leading to his recent arrest," the researchers wrote.

**What Comes Next?**

Since BreachForums itself came about after the Department of Justice seized what at the time was one of the world's largest hacker forums — RaidForums — and arrested its founder and chief administrator, Portuguese national Diogo Santos Coelho, it's likely that a new forum will emerge from its ashes.

RaidForums was founded in 2015 and, prior to its seizure, was used by its members to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally.

BreachForums' Baphomet practically acknowledged that a new underground hacker site is in the works in his post on Telegram, the researchers noted. He said he is working to create new infrastructure that would replace BreachForums and even may collaborate with competitor marketplaces to keep support for members going.

However, for now, the BreachForums onion site is no longer reachable, and cybercriminals who used the site will have to take a wait-and-see approach until its current administrators regroup and create a new forum on which they can conduct their nefarious activity, the researchers said.

For its part, Dark Owl researchers said they "will continue to monitor the Dark Web and adjacent sources, such as Telegram, to identify any news of emerging groups and sites which may take the place of BreachForums."

Source

DARKReading