Category: Cyber Security CII sector

Cyber Security CII sector

GAO Report: Cybersecurity - Federal Actions Urgently Needed to Better Protect the Nation's Critical Infrastructure

Agency News, Cyber Security CII sector, Industry News

Recent events—including the ransomware attack on a major U.S. fuel pipeline—illustrate the need to strengthen the cybersecurity of the nation's critical infrastructure.

We testified on the need for the federal government to develop and execute a comprehensive national cyber strategy, and to strengthen the role that it plays in protecting the cybersecurity of critical infrastructure. Ensuring the cybersecurity of the nation is on our High Risk List, and we have urged federal agencies to act on it.

If the federal government doesn't act with greater urgency, the security of our nation's critical infrastructure will be in jeopardy.

GAO has previously reported on major cybersecurity challenges facing the nation and the critical federal actions needed to address them (see figure).

Four Major Cybersecurity Challenges and 10 Associated Critical Actions

To address critical infrastructure cybersecurity, key actions the federal government needs to take include (1) developing and executing a comprehensive national cyber strategy and (2) strengthening the federal role in protecting the cybersecurity of critical infrastructure.

Develop and execute a comprehensive national cyber strategy. In September 2020, GAO reported that the White House's 2018 National Cyber Strategy and related implementation plan addressed some, but not all, of the desirable characteristics of national strategies, such as goals and resources. GAO also reported that it was unclear which official within the executive branch ultimately maintained responsibility for coordinating the execution of the National Cyber Strategy. Accordingly, GAO recommended that the National Security Council update the cybersecurity strategy and for Congress to consider legislation to designate a position in the White House to lead such an effort.

In January 2021, a federal statute established the Office of the National Cyber Director within the Executive Office of the President. In June 2021, the Senate confirmed a Director to lead this new office. In October 2021, the National Cyber Director issued a strategic intent statement, outlining a vision for the Director's planned high-level lines of efforts. The establishment of a National Cyber Director is an important step toward positioning the federal government to better direct activities to address the nation's cyber threats. Nevertheless, GAO's recommendation to develop and execute a comprehensive national cyber strategy is not yet fully implemented. As a result, a pressing need remains to provide a clear roadmap for addressing the cyber challenges facing the nation, including its critical infrastructure.

Strengthen the federal role in protecting the cybersecurity of critical infrastructure. Pursuant to legislation enacted in 2018, the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS) was charged with responsibility for, among other things, enhancing the security of the nation's critical infrastructure in the face of both physical and cyber threats. In March 2021, GAO reported that DHS needed to complete key activities related to the transformation of CISA, including finalizing the agency's mission-essential functions and completing workforce planning activities. GAO also reported that DHS needed to address challenges identified by selected critical infrastructure stakeholders, including having consistent stakeholder involvement in the development of related guidance (see figure). Accordingly, GAO made 11 recommendations to DHS. As of November 2021, DHS had not yet implemented them, though it stated its intent to do so.

Cybersecurity and Infrastructure Security Agency (CISA) Coordination Challenges Reported by Stakeholders Representing the 16 Critical Infrastructure Sectors

Regarding specific critical infrastructure sectors, since 2010 GAO has made about 80 recommendations to enhance the cybersecurity of these sectors and subsectors, including within the aviation and pipeline industries. In October 2020, GAO reported that, although the Federal Aviation Administration had established a process for certification and oversight of U.S. commercial airplanes, it had not prioritized risk-based cybersecurity oversight or included periodic testing as part of its monitoring process, among other things. In July 2021, GAO testified that the Transportation Security Administration had not fully addressed pipeline cybersecurity-related weaknesses that GAO had previously identified, such as aged protocols for responding to pipeline security incidents. Until GAO's recommendations to address issues such as these are fully implemented, federal agencies will not be effectively positioned to ensure critical infrastructure sectors are adequately protected from potentially harmful cybersecurity threats.

Leave a comment

2nd edition of National Cybersecurity Strategy Guide Launched

Agency News, Cyber Security CII sector, Industry News

The Guide to Developing a National Cybersecurity Strategy is one of the most comprehensive overviews of what constitute successful cybersecurity strategies. It is the result of a unique, collaborative, and equitable multi-stakeholder effort.

Over the last two decades, people worldwide have benefitted from the growth and adoption of information and communication technologies (ICTs) and associated socio-economic and political opportunities. Digital transformation can be a powerful enabler of inclusive and sustainable development, but only if the underlying infrastructure and services that depend on it are safe, secure, and resilient. To reap the benefits and manage the challenges of digitalization, countries need to frame the proliferation of ICT-enabled infrastructures and services within a comprehensive national cybersecurity strategy.

To help governments in this endeavour, a consortium of partner organisations jointly developed and published the first Guide to Developing a National Cybersecurity Strategy (NCS) in 2018. Since then, the number of national cybersecurity strategies or frameworks worldwide has increased significantly. In 2018, only 76 countries had adopted a strategy while today more than 127 countries have such strategies in place, and many have used the Guide as a reference and blueprint.1

However, the fast-changing nature of cyberspace, the increased dependency on ICT, and the proliferation of digital risks all call for continuous improvements to national cybersecurity strategies. Most countries have both accelerated their digital transformation and become increasingly concerned about the immediate and future threats to their critical services, infrastructures, sectors, institutions, and businesses, as well as to international peace and security, that could result from the misuse of digital technologies and inadequate resilience.

This second edition of the Guide could not come at a more critical time. The updated content reflects the complex and evolving nature of cyberspace, as well as the main trends that can impact cybersecurity and should, therefore, be included into national strategic planning. The objective of the Guide is to instigate strategic thinking and continue supporting national leaders and policy-makers in the ongoing development, establishment, and implementation of such national cybersecurity strategies and policies. We are confident that this new Guide will serve as a useful tool for all stakeholders with cybersecurity responsibilities.

The purpose of the report is to guide national leaders and policy-makers in the development of a National Cybersecurity Strategy, and in thinking strategically about cybersecurity, cyber-preparedness and resilience.

This Guide aims to provide a useful, flexible and user-friendly framework to set the context of a country’s socio-economic vision and current security posture and to assist policy-makers in the development of a Strategy that takes into consideration a country’s specific situation, cultural and societal values, and that encourages the pursuit of secure, resilient, ICT-enhanced and connected societies.

The Guide is a unique resource, as it provides a framework that has been agreed on by organisations with demonstrated and diverse experience in this topic area and builds on their prior work in this space. As such, it offers the most comprehensive overview to date of what constitutes successful national cybersecurity strategies.

Leave a comment , ,

Risk Management: Helping the EU Railways Catch the Cybersecurity Train

Agency News, Cyber Security CII sector, Industry News

European railway undertakings (RUs) and infrastructure managers (IMs) need to address cyber risks in a systematic way as part of their risk management processes. This need has become even more urgent since the Network and Information Security (NIS) Directive came into force in 2016.

Objectives of the Railway Cybersecurity report

The purpose of the report is to provide European RUs and IMs with applicable methods and practical examples on how to assess and mitigate cyber risks.

The good practices presented are based on feedback from railway stakeholders. They include tools, such as assets and services list, cyber threat scenarios and applicable cybersecurity measures, based on the standards and good practices used in the sector. These resources can be used as a basis for cyber risk management for railway companies. They are therefore intended to be a reference point and to promote collaboration between railway stakeholders across the EU while raising awareness on relevant threats.

The main takeaways

  • Existing risk management approaches vary for railway IT and OT systems

For the risk management of railway Information Technology (IT) systems, the most cited approaches were the requirements of NIS Directive at a national level, the ISO 2700x family of standards, and the NIST cybersecurity framework.

For Operational Technology (OT) systems, the frameworks cited were ISA/IEC 62443, CLC/TS 50701, and the recommendations of the Shift2Rail project X2Rail-3, or the ones from the CYRail Project.

Those standards or approaches are often used in a complementary way to adequately address both IT and OT systems. While IT systems are normally evaluated with broader and more generic methods (such as ISO 2700x or NIS Directive), OT systems need specific methods and frameworks that have been designed for industrial train systems.

There is no unified approach available to railway cyber risk management yet. Stakeholders who participated in this study indicated that they use a combination of the abovementioned international and European approaches to tackle risk management, which they then complement with national frameworks and methodologies.

  • Asset taxonomies

For RUs and IMs to manage cyber risks, identifying what needs protection is essential. In this report, a comprehensive list is broken down to 5 areas; the services that stakeholders provide, the devices (technological systems) that support these services, the physical equipment used to provide these services, the people that maintain or use them, and the data used.

  • Threats taxonomies and risk scenarios

RUs and IMs need to identify which cyber threats are applicable to their assets and services. The report reviews available threat taxonomies, and provides a list of threats that can be used as the basis.

Examples of cyber risk scenarios are also analysed, which can assist railway stakeholders when performing a risk analysis. They show how asset and threat taxonomies can be used together and are based on the known incidents of the sector and the feedback received during the workshops.

  • Applying cybersecurity measures

Each scenario is associated with a list of relevant security measures. The report includes cybersecurity measures derived from the NIS Directive, current standards (ISO/IEC 27002, IEC 62443) and good practises (NIST’s cybersecurity framework).

Leave a comment , , , ,

Joint global ransomware operation sees arrests and criminal network dismantled

Agency News, Cyber Security CII sector, Industry News

A four-year operation across five continents has disrupted a ransomware cybercrime gang and seen the arrest of seven suspects believed to be behind global malware crime operations.

Codenamed ‘Quicksand’ (GoldDust) and carried out by 19 law enforcement agencies in 17 countries, the transcontinental operation saw officers collect and examine intelligence to establish a global threat picture about attacks by ransomware families - particularly GandCrab and Revil-Sodinokibi - and the suspects behind them.

The organized crime group that used these malwares is known for breaking into business and private networks using a range of infiltration techniques, and then deploying ransomware against their victims. The ransomware then encrypts files which are then used to blackmail companies and people into paying huge ransoms.

The suspects arrested during Operation Quicksand are suspected of perpetrating tens of thousands of ransomware infections and demanding more than EUR 200 million in ransom
Tangible results: multiple arrests worldwide

Intelligence exchanged during the operation enabled:

- Korean law enforcement to arrest three suspects in February, April and October;
- Kuwaiti authorities to arrest a man thought to have carried out ransomware attacks using the GandGrab ransomware;
- Romanian authorities to arrest two individuals suspected of ransomware cyber-attacks and believed to be responsible for 5,000 infections as well as half a million euros profit in ransom payments;
- The arrest of a man believed to be responsible for the Kaseya ransomware attack, thought to have been carried out last July by the REvil gang with more than 1,500 people and 1,000 businesses affected worldwide.

“Ransomware has become too large of a threat for any entity or sector to address alone; the magnitude of this challenge urgently demands united global action which INTERPOL can uniquely facilitate as a neutral and trusted global partner,” said INTERPOL Secretary General Jürgen Stock.

“Policing needs to harness the insights of the cyber security industry to identify and disrupt cyber criminals as part of a true coalition, working together to reduce the global impact of ransomware cybercrime,” added the Secretary General.

A powerful global coalition

A joint INTERPOL-Europol operation, Quicksand was coordinated from INTERPOL’s Cyber Fusion Centre in Singapore where stakeholders shared live intelligence in an interactive and secure environment via INTERPOL’s global network and capabilities.

Through INTERPOL’s Gateway project, INTERPOL’s private partners Trend Micro, CDI, Kaspersky Lab and Palo Alto Networks also contributed to investigations by sharing information and technical expertise.
Gateway boosts law enforcement and private industry partnerships to generate threat data from multiple sources and enable police authorities to prevent attacks.

Bitdefender supported operations by releasing tailor-made decryption tools to unlock ransomware and enable victims to recover files. These innovative tools enabled more than 1,400 companies to decrypt their networks, saving them almost EUR 475 million in potential losses.

Leave a comment , , , ,

IOCTA 2021 unveils the most recent cyber threat (r)evolutions

Agency News, Cyber Security CII sector, Industry News

The accelerated digitalisation related to the COVID-19 pandemic has significantly influenced the development of a number of cyber threats, according to the new edition of Europol’s Internet Organised Crime Threat Assessment. Criminals have been quick to abuse the current circumstances to increase profits, spreading their tentacles to various areas and exposing vulnerabilities, connected to systems, hospitals or individuals. While ransomware groups have taken advantage of widespread teleworking, scammers have abused COVID-19 fears and the fruitless search for cures online to defraud victims or gain access to their bank accounts. The increase of online shopping in general has attracted more fraudsters. With children spending a lot more time online, especially during lockdowns, grooming and dissemination of self-produced explicit material have increased significantly. Grey infrastructure, including services offering end-to-end encryption, VPNs and cryptocurrencies continue to be abused for the facilitation and proliferation of a large range of criminal activities. This has resulted in significant challenges for the investigation of criminal activities and the protection of victims of crime.

In addition to expanding the efforts to tackle these threats from a law enforcement perspective, it is crucial to add another level of protection in terms of cybersecurity. The implementation of measures such as multi-factor authentication and vulnerability management are of utmost importance to decrease the possible exposure to cyber threats. Awareness raising and prevention are key components in reducing the effectiveness of cyberattacks and other cyber enabled criminal activities.

The key threats:

- Ransomware affiliate programs enable a larger group of criminals to attack big corporations and public institutions by threatening them with multi-layered extortion methods such as DDoS attacks.
- Mobile malware evolves with criminals trying to circumvent additional security measures such as two-factor authentication.
- Online shopping has led to a steep increase in online fraud.
- Explicit self-generated material is an increasing concern and is also distributed for profit.
- Criminals continue to abuse legitimate services such as VPNs, encrypted communication services and cryptocurrencies.

The new edition of Europol’s Internet Organised Crime Threat Assessment, launched today, looks into the (r)evolutionary development of these trends, catalysed by the expanded digitalisation of recent years. The report was presented during the Europol-INTERPOL Cybercrime Conference. The conference gathered about 100 experts together to share their insights into the latest cybercrime trends and threats and to discuss how innovation is essential in countering cybercrime acceleration.

Leave a comment , , ,

CISA Releases Directive on Reducing the Significant Risk of Known Exploited Vulnerabilities

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries. The Directive establishes a CISA-managed catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.

CISA issued BOD 22-01 to drive federal agencies to mitigate actively exploited vulnerabilities on their networks, sending a clear message to all organizations across the country to focus patching on the subset of vulnerabilities that are causing harm now, and enable CISA to drive continuous prioritization of vulnerabilities based on our understanding of adversary activity. The Directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. With this Directive, CISA is imposing the first government-wide requirements to remediate vulnerabilities affecting both internet-facing and non-internet facing assets.

“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” said CISA Director Jen Easterly. “The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks. While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”

With over 18,000 vulnerabilities identified in 2020 alone, organizations in the public and private sector find it challenging to prioritize limited resources toward remediating the vulnerabilities that are most likely to result in a damaging intrusion. This Directive addresses this challenge by driving mitigations of those vulnerabilities that are being actively exploited to compromise federal agencies and American businesses, building upon existing methods widely used to prioritize vulnerabilities by many organizations today.

This Directive applies to federal civilian agencies however, CISA strongly recommends that private businesses and state, local, tribal and territorial (SLTT) governments prioritize mitigation of vulnerabilities listed in CISA’s public catalog and sign up to receive notifications when new vulnerabilities are added.

Leave a comment , , ,

Joint global ransomware operation sees arrests and criminal network dismantled

Agency News, Cyber Security CII sector, Industry News

A four-year operation across five continents has disrupted a ransomware cybercrime gang and seen the arrest of seven suspects believed to be behind global malware crime operations.

Codenamed ‘Quicksand’ (GoldDust) and carried out by 19 law enforcement agencies in 17 countries, the transcontinental operation saw officers collect and examine intelligence to establish a global threat picture about attacks by ransomware families - particularly GandCrab and Revil-Sodinokibi - and the suspects behind them.

The organized crime group that used these malwares is known for breaking into business and private networks using a range of infiltration techniques, and then deploying ransomware against their victims. The ransomware then encrypts files which are then used to blackmail companies and people into paying huge ransoms.

The suspects arrested during Operation Quicksand are suspected of perpetrating tens of thousands of ransomware infections and demanding more than EUR 200 million in ransom

Intelligence exchanged during the operation enabled

- Korean law enforcement to arrest three suspects in February, April and October;
- Kuwaiti authorities to arrest a man thought to have carried out ransomware attacks using the GandGrab ransomware;
- Romanian authorities to arrest two individuals suspected of ransomware cyber-attacks and believed to be responsible for 5,000 infections as well as half a million euros profit in ransom payments;
- The arrest of a man believed to be responsible for the Kaseya ransomware attack, thought to have been carried out last July by the REvil gang with more than 1,500 people and 1,000 businesses affected worldwide.

“Ransomware has become too large of a threat for any entity or sector to address alone; the magnitude of this challenge urgently demands united global action which INTERPOL can uniquely facilitate as a neutral and trusted global partner,” said INTERPOL Secretary General Jürgen Stock.

“Policing needs to harness the insights of the cyber security industry to identify and disrupt cyber criminals as part of a true coalition, working together to reduce the global impact of ransomware cybercrime,” added the Secretary General.

A joint INTERPOL-Europol operation, Quicksand was coordinated from INTERPOL’s Cyber Fusion Centre in Singapore where stakeholders shared live intelligence in an interactive and secure environment via INTERPOL’s global network and capabilities.

Through INTERPOL’s Gateway project, INTERPOL’s private partners Trend Micro, CDI, Kaspersky Lab and Palo Alto Networks also contributed to investigations by sharing information and technical expertise.
Gateway boosts law enforcement and private industry partnerships to generate threat data from multiple sources and enable police authorities to prevent attacks.

Bitdefender supported operations by releasing tailor-made decryption tools to unlock ransomware and enable victims to recover files. These innovative tools enabled more than 1,400 companies to decrypt their networks, saving them almost EUR 475 million in potential losses.

KPN, McAfee, S2W helped investigations by providing cyber and malware technical expertise to INTERPOL and its member countries.

Operation Quicksand continues to supply evidence that is feeding into further cybercrime investigations and enabling the international police community to disrupt numerous channels used by cybercriminals to launder cryptocurrency and commit ransomware crime.

With the combined global financial impact in ransom payments from ransomware families believed to be within the billions of dollars and thousands of victims worldwide, INTERPOL’s private partners and member countries work together to provide support to victims hit by the ransomware.

Research from Chainalysis found that criminals made USD 350 million in 2020 from ransomware payments, representing an increase of 311 per cent in one year. Over the same period, the average ransom payment increased by 171 per cent, according to Palo Alto Networks.

Leave a comment , , ,

12 targeted for involvement in ransomware attacks against critical infrastructure

Agency News, Cyber Security CII sector, Industry News

A total of 12 individuals wreaking havoc across the world with ransomware attacks against critical infrastructure have been targeted as the result of a law enforcement and judicial operation involving eight countries.

These attacks are believed to have affected over 1 800 victims in 71 countries. These cyber actors are known for specifically targeting large corporations, effectively bringing their business to a standstill.

The actions took place in the early hours of 26 October in Ukraine and Switzerland. Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions.

As the result of the action day, over USD 52 000 in cash was seized, alongside 5 luxury vehicles. A number of electronic devices are currently being forensically examined to secure evidence and identify new investigative leads.

The targeted suspects all had different roles in these professional, highly organised criminal organisations. Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments.

Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire, to stay undetected and gain further access.

The criminals would then lay undetected in the compromised systems, sometimes for months, probing for more weaknesses in the IT networks before moving on to monetising the infection by deploying a ransomware. These cyber actors are known to have deployed LockerGoga, MegaCortex and Dharma ransomware, among others.

The effects of the ransomware attacks were devastating as the criminals had had the time to explore the IT networks undetected. A ransom note was then presented to the victim, which demanded the victim pay the attackers in Bitcoin in exchange for decryption keys.

A number of the individuals interrogated are suspected of being in charge of laundering the ransom payments: they would funnel the Bitcoin ransom payments through mixing services, before cashing out the ill-gotten gains.
International cooperation

International cooperation coordinated by Europol and Eurojust was central in identifying these threat actors as the victims were located in different geographical locations around the world.

Initiated by the French authorities, a joint investigation team (JIT) was set up in September 2019 between Norway, France, the United Kingdom and Ukraine with financial support of Eurojust and assistance of both Agencies. The partners in the JIT have since been working closely together, in parallel with the independent investigations of the Dutch and U.S. authorities, to uncover the actual magnitude and complexity of the criminal activities of these cyber actors to establish a joint strategy.

Eurojust established a coordination centre to facilitate cross-border judicial cooperation during the action day. In preparation of this, seven coordination meetings were held.

Europol’s European Cybercrime Centre (EC3) hosted operational meetings, provided digital forensic, cryptocurrency and malware support and facilitated the information exchange in the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol’s headquarters in The Hague.

Leave a comment , , ,

Risky business or a leap of faith? A risk based approach to optimise cybersecurity certification

Agency News, Cyber Security CII sector, Industry News

The European Union Agency for Cybersecurity (ENISA) has launched a cybersecurity assessment methodology for cybersecurity certification of sectoral multistakeholder ICT systems.

The Methodology for a Sectoral Cybersecurity Assessment - (SCSA Methodology) was developed to enable the preparation of EU cybersecurity certification schemes for sectoral ICT infrastructures and ecosystems. SCSA aims at market acceptance of cybersecurity certification deployments and supports the requirements of market stakeholders and the EU Cybersecurity Act (CSA). In particular, SCSA endorses the identification of security and certification requirements based on risks associated with the “intended use” of the specific ICT products, services and processes.

The SCSA Methodology makes available to the ENISA stakeholders a comprehensive ICT security assessment instrument that includes all aspects pertinent to sectoral ICT systems and provides thorough content for the implementation of ICT security and cybersecurity certification.

While SCSA draws from widely accepted standards, in particular ISO/IEC 27000-series and ISO/IEC 15408-series, the proposed enhancements tackle multi-stakeholder systems and the specific security and assurance level requirements concerning ICT products, processes and cybersecurity certification schemes.

This is achieved by introducing the following features and capabilities:

- Business processes, roles of sectoral stakeholders and business objectives are documented at ecosystem level, overarching the ICT subsystems of the individual stakeholders. Stakeholders are invited to actively contribute to the identification and rating of ICT security risks that could affect their business objectives.
- A dedicated method associates the stakeholders’ ratings of risks with the security and assurance level requirements to dedicated ICT subsystems, components or processes of the sectoral ICT system.
- SCSA specifies a consistent approach to implement security and assurance levels across all parts of the sectoral ICT system and provides all information required by the sectoral cybersecurity certification schemes.

Benefits of the SCSA Methodology for stakeholders

The sectoral cybersecurity security assessment provides a comprehensive approach of the multi-faceted aspects presented by complex multi-stakeholder ICT systems and it features the following benefits:

- The security of a sectoral system requires synchronisation across all participating stakeholders. SCSA introduces comparability of security and assurance levels between different stakeholders’ systems and system components. SCSA enables building open multi-stakeholder ecosystems even among competitors to the benefit of suppliers and customers.
- The risk-based approach supports transparency and a sound balance between the cost for security and certification and the benefit of mitigating ICT-security-related business risks for each concerned stakeholder.
- Security measures can focus on the critical components, optimising the security architecture of the sectoral system, hence minimising cost of security.
- SCSA generates accurate and consistent information on security and certification level requirements for all relevant ICT subsystems, components or processes. On this basis, suppliers can match their products to their customers’ requirements.
- SCSA supports the integration of existing risk management tools and information security management systems (ISMS).
- Due to a consistent definition of assurance levels, the re-use of certificates from other cybersecurity certification schemes is supported.

Leave a comment , ,

CISA and FBI observe the increased use of Conti ransomware

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. (See FBI Flash: Conti Ransomware Attacks Impact Healthcare and First Responder Networks.) In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.

To secure systems against Conti ransomware, CISA, FBI, and the National Security Agency (NSA) recommend implementing the mitigation measures described in this Advisory, which include requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.

Technical Details

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds used by affiliate cyber actors and receives a share of the proceeds from a successful attack.

Conti actors often gain initial access to networks through:

- Spearphishing campaigns using tailored emails that contain malicious attachments or malicious links;
- Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware.
- Stolen or weak Remote Desktop Protocol (RDP) credentials
- Phone calls;
- Fake software promoted via search engine optimization;
- Common vulnerabilities in external assets.

In the execution phase, actors run a getuid payload before using a more aggressive payload to reduce the risk of triggering antivirus engines. CISA and FBI have observed Conti actors using Router Scan, a penetration testing tool, to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. Additionally, actors use Kerberos attacks to attempt to get the Admin hash to conduct brute force attacks.

Conti actors are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks. The actors use tools already available on the victim network—and, as needed, add additional tools, such as Windows Sysinternals and Mimikatz—to obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges within a domain and perform other post-exploitation and lateral movement tasks. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks.

According to a recently leaked threat actor “playbook,” Conti actors also exploit vulnerabilities in unpatched assets, such as the following, to escalate privileges and move laterally across a victim’s network.

Leave a comment , , , ,
1 12 13 14 15 16 28