The Forescout Cyber Roundup is a weekly blog series highlighting some of the previous week’s cyber headlines and explaining why they matter. Each article includes a closer look at the potential implications of the news or event, predictions about what might happen next and suggestions for all readers, from the C-suite to end users. Articles are ordered by date, not necessarily priority.
- Security Firm Warns of New Global Campaign Targeting Critical Infrastructure (December 12, 2018)
- Some Chinese Companies Ban iPhones, Require Huawei after CFO’s Arrest: Report (December 10, 2018)
- Eastern European Bank Hackers Wield Malicious Hardware (December 10, 2018)
- Russian Critical Infrastructure Targeted by Profit-Driven Cybercriminals (December 11, 2018)
- The December 2018 Security Update Review (December 11, 2018)
Summary: A new campaign known as Operation Sharpshooter is targeting nuclear, defense, energy and financial groups.
Why it matters: Although this campaign uses what’s considered a never-before-seen implant framework, this isn’t the first time we’ve seen weaponized documents used in an attack. APT28, also known as Fancy Bear, weaponized files to infiltrate DNC computer networks as early as 2013, and in 2015, hackers weaponized Word files with malicious macros as part of the attack on the Ukrainian power grid. These weaponized files were delivered via phishing, which doesn’t come as a surprise since 2018 has been recognized as the year targeted phishing went mainstream. We’re in the age of weaponized malware, with record numbers of Office-based malware at play, and it’s getting harder and harder to spot a phish. Initial investigations and analysis suggest that this attack is rooted in reconnaissance efforts. While attribution is yet to be determined, we can expect that, given the severity of a threat to critical infrastructure, there will be intensive collaboration—a threat-sharing collective—across critical industries to mitigate risks and combat the threat. As suggested by NIST SP 800-150, a broader set of data can help reveal information useful in thwarting additional attacks. Other community-driven international technical specifications, such as the Trusted Automated eXchange of Indicator Information (TAXII), the Structured Threat Information eXpression (STIX) and the Cyber Observable eXpression (CybOX), are free for public use and designed to enable automated information sharing for cybersecurity situational awareness, real-time network defense and sophisticated threat analysis. As these attacks continue in 2019, it’s going to become increasingly difficult to gain and retain cyber insurance and ultimately recover from an attack. In an unprecedented case, coverage was denied (the denial is now being disputed) because the attack was considered an act of war. While there’s been less focus on attribution more recently, insurance companies with similar ‘war exclusion’ clauses will have a strong interest in uncovering the actor behind an attack.
Summary: China responds to the arrest of Huawei’s Chief Financial Officer (CFO) in Canada last week.
Why it matters: In last week’s roundup we noted that the CFO’s arrest could result in Chinese retaliation. Since then, China has detained a former Canadian diplomat, and now some Chinese companies are banning iPhones and requiring employees to use Huawei products—actions deemed by many as direct retaliation against the U.S. and Canada. We’re also seeing more Huawei products banned: BT this week confirmed it is removing Huawei equipment from key areas of its 4G network, and the head of MI6 questioned the Chinese firm’s involvement in UK telecoms infrastructure. The CFO, Meng Wanzhou, was granted bail of 10 million Canadian dollars (roughly US$7.5 million) by a Canadian court on Tuesday. What we’re seeing is a rapid escalation between multiple countries that may strain relationships, alter or inhibit trade agreements, and potentially result in a Chinese cyberattack against the U.S. and Canada. In 2017, Canada and the People’s Republic of China (PRC) agreed not to engage in state-sponsored hacking of each other’s trade secrets and business information, and this recent series of events only complicates matters further. While we hope for a swift resolution, the executive’s next court date isn’t until February 6, 2019, and it’s possible we’ll see additional escalation. This is yet another example of the increasing complexity of today’s technological cold war; its ramifications now span the geopolitical, economic, physical and cyber arenas. As the story continues to unfold, it’s important to realize that the U.S. is taking action to halt further Chinese efforts to steal intellectual property (IP) and other data critical to national security. At a December 12 Judiciary hearing on Chinese espionage activities, China’s IP theft was described as the most pressing economic and national security challenge facing the United States.
Summary: Hackers have stolen tens of millions of dollars with inexpensive hardware and strategic campaigns.
Why it matters: This story highlights yet another aspect of the cyber-physical domain: not only can we expect cyberattacks to have an increasingly kinetic impact, but bad actors will leverage easily attainable physical access to execute their plans. This article shows how attackers may pose as couriers or job seekers to gain physical access to a company’s network. Consider the job interview, in which candidates are sometimes left in a conference room unattended; while waiting for the interview panel to arrive, the pseudo candidate could easily plug in malicious hardware before the interview, then gain remote access and run executable files from the nearby lobby afterward. Attackers could take a similar tactic with financial institutions, posing as a loan applicant or potential client. While human curiosity has been a driving force behind the success of USB attacks in the past, many organizations across industries have developed employee training to curb the likelihood of those attacks. To mitigate potential risks, organizations should adhere to NIST guidance on media use and should also include additional training and guidance for employees who deal with visitors, as described in NIST SP 800-53, Revision 5, control PE-3 (Physical Access Control). The best security practices will increasingly need to account for both physical and cyber vulnerabilities. Enterprises should consider the Center for Internet Security (CIS) Controls, specifically the foundational controls for malware defense and for control of network ports, protocols and services. While there’s already some guidance in place for U.S. financial institutions to address certain aspects of this cyber-physical threat, such as the Federal Financial Institutions Examination Council (FFIEC) technical controls to prevent unauthorized devices, the threat spans all industries.
Learn more about how you can meet FFIEC requirements and how Forescout can be used to actually enforce USB device compliance across the campus and enterprise.
Summary: Security researchers have discovered fake websites set up to impersonate the legitimate sites of major Russian critical infrastructure companies.
Why it matters: With a lot of U.S. news coverage on Russian attacks on the U.S. and other countries, it’s interesting to see some coverage highlighting that Russia, too, is subject to attacks on its own critical infrastructure. As noted in the first article, this is yet another example of how Business Email Compromise (BEC) and weaponized documents delivered via phishing emails remain effective methods for malicious actors. The attackers took the additional step of spoofing the victims’ websites, both for additional profit and to protect their operation: the lookalike sites are designed to steer victims away from legitimate incident response sites and redirect them to ‘fake’ data breach notification sites. In the case of the Marriott breach, by contrast, the lookalike site was set up by a security company to warn users not to trust the domain. When breached, purchasing lookalike domains is one step companies can take to prevent further harm to victims and curb further damage to company reputation. For additional guidance on actions to take after a breach, see the NIST 5-Step Cybersecurity Framework.
Summary: The last Patch Tuesday was November 13, 2018 and this week’s Patch Tuesday will leave system administrators with plenty to do before the next one on January 8, 2019.
Why it matters: We saw at least 50 patches for Microsoft vulnerabilities each month this year, so it’s somewhat refreshing to see ‘only’ 39 critical vulnerabilities as 2018 comes to a close. While some of the bugs span everything from Windows 7 to Server 2019, this was also the fourth month in a row that Microsoft patched a Windows zero-day used in the wild. Although it requires the attacker to already be logged on to the system, CVE-2018-8611 allows an attacker to elevate privileges on the host and has already been exploited multiple times. Users would be wise to update their machines as soon as possible, and because updates are sometimes ‘buggy’, it’s important to report any issues to the vendor so they can be resolved. What’s important to realize is that although these releases are intended to alert the general public, malicious actors are eager to exploit these vulnerabilities on unpatched systems, so it’s probable that in the coming weeks we’ll hear about a successful exploit against a victim who was just too slow to patch.