The Forescout Cyber Roundup is a weekly blog series that highlights some of the major cyber headlines, as well as some of the more obscure stories from the week. The purpose of this curation is to raise cyber awareness, provoke thought and encourage discussion among cyber professionals at all levels. Articles are categorized by industry, not necessarily priority.
Public Sector
- Question before you click: The Cybersecurity and Infrastructure Security Agency (CISA) confirmed this week that bad actors have launched a phishing campaign using a spoofed email address to mimic emails delivered by the National Cyber Awareness System. This latest variety of spamming threats targeting the U.S. government is particularly troubling, as CISA routinely releases critical information about new and emerging cyber threats to the public, including the recent alert on BlueKeep (CVE-2019-0708).
- Effort doesn’t always equate to achievement: This article penned by a former federal employee offers some very interesting insights into the Cyber Talent Initiative developed by the Partnership for Public Service. Although designed to attract recent college graduates into government service, there are a number of program features that prompt some doubt as to the efficacy of the program.
- CYBERCOM targeting Russia’s grid amid offensive cyber warnings: The United States Cyber Command has taken a more aggressive, offensive stance against Russia in recent months, recently deploying code inside Russia’s grid and other targets. Headline news typically focuses on how other nations are probing U.S. networks, including electrical grids, so while some may interpret CYBERCOM’s actions as escalatory, many would agree that these ‘offensive’ actions are simply necessary defensive measures.
- New cyber certification required for DoD contractors: Defense acquisition can be a time-consuming and arduous process, although there have been efforts to expedite it in recent years. Now, the DoD is developing a new standard, the Cybersecurity Maturity Model Certification (CMMC), to address cybersecurity deficiencies in the defense industrial base. Neither cost nor performance can be traded for security, so cyber contracts will require the new CMMC levels once certification is released.
- Slow and steady won’t win the cyber race: New research has found that the retail industry in the United Kingdom is among the slowest to update its IT systems—specifically, updating to Windows 10. Legacy Windows has been a problem across every industry and is a major reason many networks are susceptible to malicious attack. As we recently explained, end of support for Windows 7 is fast approaching, and we may see a slew of attacks similar to those that occurred after end of support for Windows XP.
- Are we becoming cyber-weary? The question many consumers now ask when they receive another notice that their personal information has been compromised is: “My information’s out there anyway, so what good is another notification?” This article suggests that notifications, which are required by law, are typically designed as a means of enforcing business accountability and are not necessarily designed to provide affected consumers with guidance or mitigating actions.
- Hong Kong police take “intentional back door” to open patient files: In this particular case, many are concerned that an ‘intentional back door’ in a hospital system, Accident and Emergency Department Clinical Information System (AEIS), used in public accident and emergency (A&E) wards allowed police to access patient information and ultimately arrest injured protestors. While that’s a concern, it also suggests that anyone, not just police officials, can access sensitive patient data.
- Cyber hindrances in healthcare: This article highlights the proliferation of connected devices on healthcare networks as a major threat vector for healthcare network compromise. As explained in our recent research report, Putting Healthcare Security under the Microscope, connected medical devices aren’t the only thing on healthcare networks. The persistence of legacy operating systems and the convergence of traditional IT, Operational Technology (OT) and the Internet of Medical Things (IoMT) demand that Healthcare Delivery Organizations (HDOs) leverage network segmentation and other security controls to not only protect patient data, but to also defend their networks and the devices they require for patient care.
- When restoring system integrity isn’t an option anymore: British financial institutions have primarily focused on preventing service outages, but Britain’s security services have warned that state-sponsored attacks may seek to falsify transaction records. If such an attack were successful, restoring the system might prove challenging, as it would be difficult to distinguish corrupted records from genuine ones.
- Joint approach to financial cyber defense examination: Historically, regulators have examined banks’ credit risks through the Shared National Credit Review; however, that’s resulted in thousands of questions from regulators and made it difficult for banks to make significant, rapid improvements. The proposed joint approach would likely reduce the number of requests and questions from regulators, while also providing a more comprehensive and timely solution that would really test how quickly banks can identify and isolate cyber risks and attacks.
- Are sustainable, smart buildings secure? This article explores the growing number of smart and sustainable buildings—those that rely on internet connectivity and connected sensors and IoT devices for both efficiencies and convenience. However, the layering of new technology over legacy frameworks presents substantial security risks.
- Siegeware designed to target and ransom smart buildings: You’re probably familiar with malware, but cyber criminals are increasingly leveraging siegeware in building automation system (BAS) attacks to “make a credible extortion demand based on digitally impaired building functionality.” This article offers a number of security considerations for BAS operators.
State, Local & Education
- Florida city pays $600,000 in ransom to hackers: “The Riviera Beach City Council voted unanimously this week to pay the hackers’ demands, believing the Palm Beach suburb had no choice if it wanted to retrieve its records, which the hackers encrypted. The council already voted to spend almost $1 million on new computers and hardware after hackers captured the city’s system three weeks ago.”
- Strengthened cyber coordination: A new Senate bill, the State and Local Government Cybersecurity Act, would “encourage national cybersecurity watchdogs to share information, including threats, vulnerabilities, breaches and resources to prevent and recover from cyberattacks, with states and localities who are increasingly targeted by bad actors.”
- And the stack goes Array.pop(): Across programming languages, ‘popping’ an array typically means removing and then returning the last element of that array. Unfortunately for Firefox users, the latest threat intelligence from Mozilla indicates active ‘in the wild’ exploitation of a new vulnerability of critical impact. The issue also prompted guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), which encourage users to apply the updates.
- IBM X-Force discovers a critical zero-day remote code execution (RCE) bug in TP-Link Wi-Fi extender: No authentication is needed to exploit it, and once code execution is achieved, no further privilege escalation is necessary because the devices already run their processes as root. As another IoT reminder never to trust user input, the device’s console screen quietly prints the user-supplied browser User-Agent field using a system call, and that’s all it takes for an attacker to escape the data context and take over the device.
- Regional IoT device security differences identified in major Avast study: Avast researchers scanned 83 million IoT devices in 16 million homes, identifying regional differences in IoT device security posture. Notable observations include ‘Eastern Europe has significantly more surveillance devices than Western Europe’ and ‘devices in Sub-Saharan Africa are weak; and more than half of the devices in Southeast Asia that support FTP have a guessable password’.
- Microsoft BlueKeep vulnerability keeps on keepin’ on: After more than a month in the limelight, BlueKeep remains a hot topic in cyber news. Heightened awareness is the result of a constant supply of cyber and media attention to the topic—on Monday this week, CISA issued a formal US-CERT Alert regarding the issue, quietly noting that they had also proven an RCE exploit against a target system. Forescout Research expects BlueKeep to remain relevant for years to come, especially in OT environments.
- The energy sector is facing an uptick in cyberattacks: Forescout’s Damiano Bolzoni offers advice on how the industry can protect itself. Further, Accenture notes that 71% of organizations say cyberattacks are still a “bit of a black box,” meaning they don’t know when or how breaches will impact them.
Operational Technology / Industrial Control Systems
- Cyberattack on manufacturer Asco, a major aircraft supplier: OT and IT convergence in smart factories and manufacturing was highlighted by Forescout’s Elisa Costante in Dark Reading: “OT devices ranging from PLCs to sensors that were previously air-gapped are becoming connected to networks by the minute. This convergence of IT with OT networks offers substantial benefits but is also providing cyberattackers a greater opportunity to affect the physical world and impact the bottom line of the business and safety of operations and employees.”
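The TP-Link extender item above comes down to an HTTP User-Agent header being handed to a system call. The following is an added example, not code from the original post, from IBM X-Force or from TP-Link's firmware: it reconstructs the vulnerable pattern as a command-string builder (never executed) beside a hardened form that logs the header without any shell. The function names, the `/dev/console` command and the 256-byte bound are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define UA_MAX 256  /* assumed upper bound for a logged User-Agent */

/* Vulnerable pattern, reconstructed for illustration (not TP-Link's code):
 * the request's User-Agent is interpolated into a shell command line that
 * firmware of this kind would hand to system(). Anything the shell treats
 * specially inside `ua` becomes part of the command. This helper only
 * builds the string so the flaw can be inspected; it never executes it. */
int build_console_cmd(const char *ua, char *cmd, size_t cmdlen) {
    int n = snprintf(cmd, cmdlen, "echo \"User-Agent: %s\" > /dev/console", ua);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

/* Hardened form: bound the length, accept only printable ASCII, and format
 * the value with stdio. No shell is involved, so characters that browsers
 * legitimately send (';', parentheses, slashes) stay inert data.
 * Returns 0 on success, -1 when the header is rejected. */
int format_ua_line(const char *ua, char *out, size_t outlen) {
    size_t len = 0;
    while (ua[len] != '\0') {
        if (++len > UA_MAX) return -1;                        /* too long */
        if (!isprint((unsigned char)ua[len - 1])) return -1;  /* control byte */
    }
    int n = snprintf(out, outlen, "User-Agent: %s\n", ua);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Console writer built on the hardened formatter: fputs, never system(). */
int log_user_agent(const char *ua, FILE *console) {
    char line[UA_MAX + 32];
    if (format_ua_line(ua, line, sizeof line) != 0) return -1;
    return fputs(line, console) == EOF ? -1 : 0;
}

int main(void) {
    /* constructed sample header; the safe path prints it as plain text */
    return log_user_agent("Mozilla/5.0 (X11; Linux x86_64)", stdout) == 0 ? 0 : 1;
}
```

The review check is mechanical: any path where request-controlled bytes reach `system()`, `popen()` or a shell script argument is the bug, regardless of which header carries them.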