The Forescout Cyber Roundup is a weekly blog series that highlights some of the major cyber headlines, as well as some of the more obscure stories from the week. The purpose of this curation is to raise cyber awareness, provoke thought and encourage discussion among cyber professionals at all levels. Articles are categorized by industry, not necessarily priority.
- U.S. Department of Energy to update Cybersecurity Capability Maturity Model: Created in 2012 and last revised in 2014, the framework helps federal agencies and private companies better assess the maturity of their cyber defenses. The most recent update is based on industry interviews and expertise as well as standards and best practices outlined in the most recent iteration of the National Institute of Standards and Technology’s (NIST) cybersecurity framework.
- One battle won, but the war wages on: According to a recent White House report, for the first time in three years the federal government did not incur any major cybersecurity incidents. That doesn’t mean there weren’t any cyber events, unfortunately. But, it is a sign that our defenses might be improving, or the government is having greater success deterring adversaries. Of course, the attacks won’t stop and we still have a long way to go, but at least we’re learning from each battle.
- Inaction is the greatest risk: Several discussions at TechNet Augusta this week focused on the Army’s current and planned efforts to reorganize, develop new units, and bring together disparate disciplines in an effort to increase the speed, agility, and efficiency of its cyber operations. Moving fast can increase risk; however, most would agree that failure to act is the greatest risk of all.
- Firing in the dark: U.S. Cyber Command has taken a more aggressive stance over the last year by ‘defending forward’ in everyday activities—and many are hoping to see tangible results, like a decline in attacks. However, just as the volatile and obscure nature of cyberspace allows many hackers to obfuscate themselves from attribution and apprehension, it’s also difficult to link any sort of decline in cyber activity to an action taken by CYBERCOM.
- Why cyber isn’t always a priority in retail: This article sets out to examine the true cost of online retail. Brick and mortar stores operate at a cost, but ecommerce retailers face equally heavy costs—from customer acquisition, picking and packing orders, delivery and, of course, the perennial problems of returns and fraud. The volume of ecommerce expenses and potential headaches can push cyber to the bottom of the pile of priorities. And, somewhat ironically, the term ‘cyber’ only appears in this article once.
- Even grocery stores aren’t safe anymore: A U.S. supermarket chain recently advised customers to check their card statements for fraudulent activity. So far, it appears that hackers compromised some of the point of sale (PoS) devices at the company’s fuel pumps, drive-thru coffee shops and restaurants. As is often the case when it comes to consumer protection, the onus is on the individual consumer.
- If only they didn’t last for so long: Despite the fact that connectivity is becoming increasingly important to patient care, the security of the devices transmitting data about those patients is still lagging. While some devices are following new security guidance, the trouble is that many devices in use now are built to last for at least decade.
- Why the healthcare industry is a top target: Healthcare is often cited as one of the most targeted industries when it comes to cyberattacks. New research has found that nearly a third of respondents in North America (32%) said that they had never received cybersecurity training from their workplace, but think they should have. That lack of training, combined with a need for education on cyber- and privacy-related policies and regulation are among the reasons the industry so often finds itself in the crosshairs of malicious actors.
- New notification requirements in New York: From hospitals to licensed home care services agencies, healthcare providers are now required by the New York State Department of Health to not only notify the Department of cyber incidents where unauthorized access was successfully gained, but also when attempts were unsuccessful.
- The European Central Bank (ECB) has confirmed that “unauthorized parties” succeeded in breaching the security of its Banks’ Integrated Reporting Dictionary (BIRD) website. The bank stated that no internal ECB systems or market-sensitive data were compromised. Much like attackers targeted third-party vendors in the recent ransomware attacks in Texas (see below story), this attack also appears to have stemmed from a compromised third-party vendor.
- Be suspicious, very suspicious of that SMS: New Payments Platform (NPP) Australia, a real-time payments platform, was advised on late Friday that “a number of PayID records and associated data in the Addressing Service were exposed by a vulnerability in one of the financial institutions sponsored into the NPP by Cuscal Limited.” Evidence so far suggests that for the information to be used by a hacker, they would still need additional customer information. However, as we’ve seen in other similar events, a little phishing campaign and some social engineering are all that’s needed to collect the information required.
- “We’ve got another ID-10-T error”: New research has found that 52% of incidents affecting operational technology (OT) and industrial control system (ICS) networks in the past year were due to human error or unintentional actions. The findings suggest that operator re-tooling and security training may better inform those responsible for maintaining critical networks of the consequences of human error, and may also equip them with the tools necessary to mitigate risks and repercussions downstream of a mistake.
- IT outsourcers beware: This week, computer systems in 22 municipalities in Texas have been infiltrated by hackers demanding a ransom. It appears that the attackers gained access through an outsourced IT vendor, not the municipalities directly. From there, the attackers were then able to coordinate their attack across multiple targets. This is an ongoing issue and has been escalated to a “Severity Level 2” by the state governor.
- No industry is immune: This article cites financial gain, data theft, lack of resources, cultural issues and an absence of policy as the primary reasons that universities have come under attack more frequently in recent years. Cyber training and education, policy enforcement and password protection on university computers are among the basic ways to defend against attack.
- “Air” on the side of caution—approaching avionics VxWorks security: At Black Hat this month, IOActive researcher Ruben Santamarta claimed that exploitable bugs in the Boeing 787 Dreamliner codebase allow for multi-stage attacks that could ultimately impact the giant passenger jet’s avionics and safety systems. Although Boeing flatly denies that such attacks are possible thanks to mitigating controls, experts point out that “planes, like cars, depend on increasingly complex networked computer systems and they don’t get to escape the vulnerabilities that come with this.” The bugs were discovered in a Honeywell-tailored version of VxWorks.
- Tenable goes digging in healthcare’s OpenEMR open source software: Sure, maybe the findings were mostly just a pile of XSS from web app fuzzing—but the efforts also uncovered a potentially more serious command injection vulnerability. What’s more troubling is that the culprit PHP code, $formid = $_GET[‘id’];, is an AppSec 101 case of trusting and not sanitizing user input. Hopefully it’s the only case of its kind.
- DejaBlue vulnerability lifecycle progresses toward weaponization: In the aftermath of this month’s DejaBlue RDP bug that affected every Microsoft OS from Windows 7 to 10, researcher Marcus Hutchins has detailed a fascinating new heap overflow PoC exploit. While some might call it progress, the news is not good for admins of OT environments sporting hard-to-update embedded Windows operating systems. Hutchins was able to repurpose his recent BlueKeep exploit code to expedite achievement of arbitrary data write—and cybercriminal operations might not be so far behind.
Operational Technology / Industrial Control Systems
State, Local & Education