PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.
Actions to take today to mitigate Volt Typhoon activity:
• Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
• Implement phishing-resistant MFA.
• Ensure logging is turned on for application, access, and security logs and store logs in a central system.
CISA, NSA, FBI and partners released this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the U.S. authoring agencies’ incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus).
The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts. CCCS assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration. ASD’s ACSC and NCSC-NZ assess Australian and New Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors.
As the authoring agencies have previously highlighted, the use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure. The group also relies on valid accounts and leverages strong operational security, which, combined, allow for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years. Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.
The authoring agencies urge critical infrastructure organizations to apply the mitigations in this advisory and to hunt for similar malicious activity using the guidance herein provided, along with the recommendations found in joint guide Identifying and Mitigating Living Off the Land Techniques.
These mitigations are primarily intended for IT and OT administrators in critical infrastructure organizations. Following the mitigations for prevention of or in response to an incident will help disrupt Volt Typhoon’s accesses and reduce the threat to critical infrastructure entities.
If activity is identified, the authoring agencies strongly recommend that critical infrastructure organizations apply the incident response recommendations in this advisory and report the incident to the relevant agency.
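The third action above (centralized application, access, and security logs) is what makes hunting for valid-account abuse possible when the actor uses no malware and only built-in tools. The script below is an added example, not code from the advisory or from any of the authoring agencies: it builds a per-account baseline of source addresses, target hosts, and logon hours from a learning window, then flags later successful logons that fall outside that baseline. The log lines, hostnames, key=value format, cutoff date, and the one-hour tolerance are all constructed assumptions for the example, not any vendor's native log format or a threshold the advisory recommends.

```python
"""
Hunt for valid-account anomalies in a central authentication log.

Assumed line format (constructed for this example, not a vendor format):
  <ISO-8601 UTC ts> host=<target> user=<account> src=<source ip> result=<success|failure>
"""
from collections import defaultdict
from datetime import datetime, timezone
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: one week of routine logons, then two that deserve a look.
# A malformed line is included to show that unparseable input is skipped.
SAMPLE_LOGS = """\
2024-01-08T08:02:11Z host=fs01 user=jsmith src=10.0.5.21 result=success
2024-01-08T08:05:40Z host=vpn01 user=ops-admin src=10.0.9.3 result=success
2024-01-09T08:10:02Z host=fs01 user=jsmith src=10.0.5.21 result=success
2024-01-09T17:45:13Z host=vpn01 user=ops-admin src=10.0.9.3 result=success
2024-01-10T07:58:30Z host=fs01 user=jsmith src=10.0.5.21 result=success
2024-01-10T12:00:00Z host=fs01 garbage-line-without-fields
2024-01-11T08:01:55Z host=fs01 user=jsmith src=10.0.5.21 result=success
2024-01-12T09:14:00Z host=vpn01 user=ops-admin src=10.0.9.3 result=success
2024-01-12T09:20:31Z host=fs01 user=jsmith src=10.0.5.21 result=failure
2024-01-16T02:14:05Z host=dc01 user=ops-admin src=10.0.9.3 result=success
2024-01-17T08:03:12Z host=fs01 user=jsmith src=10.0.5.21 result=success
2024-01-18T11:02:47Z host=dc01 user=ops-admin src=192.0.2.44 result=success
"""

# Everything before this instant is treated as the learning window (assumed).
BASELINE_CUTOFF = datetime(2024, 1, 15, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for a well-formed line, or None so the caller can skip it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return d


def build_baseline(events, cutoff):
    """Per account: source IPs, target hosts and logon hours seen in successful logons before cutoff."""
    baseline = defaultdict(lambda: {"sources": set(), "hosts": set(), "hours": set()})
    for e in events:
        if e["result"] != "success" or e["ts"] >= cutoff:
            continue
        b = baseline[e["user"]]
        b["sources"].add(e["src"])
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
    return baseline


def hour_is_usual(hour, baseline_hours, tolerance=1):
    """True if hour is within `tolerance` hours (wrapping at midnight) of any baseline hour."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= tolerance for h in baseline_hours)


def find_anomalies(events, baseline, cutoff):
    """Flag successful logons at or after cutoff that deviate from the account's baseline."""
    alerts = []
    for e in events:
        if e["result"] != "success" or e["ts"] < cutoff:
            continue
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("account never seen in baseline")
        else:
            if e["src"] not in b["sources"]:
                reasons.append(f"new source {e['src']}")
            if e["host"] not in b["hosts"]:
                reasons.append(f"new target host {e['host']}")
            if not hour_is_usual(e["ts"].hour, b["hours"]):
                reasons.append(f"unusual hour {e['ts'].hour:02d}:00Z")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"],
                           "host": e["host"], "src": e["src"], "reasons": reasons})
    return alerts


def hunt(log_text, cutoff=BASELINE_CUTOFF):
    """Parse a log, learn the baseline, and return the list of anomalous logons."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return find_anomalies(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOGS):
        print(a["ts"], a["user"], "->", a["host"], "from", a["src"], "|", "; ".join(a["reasons"]))
```

An alert here is a prompt for review, not a verdict: administrators do log on to new hosts. The caveat that follows directly from the advisory is that an actor present for years may already be inside the learning window, so a baseline should be built from a period believed clean, or corroborated with a second source (VPN concentrator records, privileged-access approvals) before it is trusted.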

Global ransomware threat expected to rise with AI, NCSC warns

Artificial intelligence (AI) is expected to increase the global ransomware threat over the next two years, cyber chiefs have warned in a newly published report.
The near-term impact of AI on the cyber threat assessment, published by the National Cyber Security Centre (NCSC), a part of GCHQ, concludes that AI is already being used in malicious cyber activity and will almost certainly increase the volume and impact of cyber attacks – including ransomware – in the near term.
Among other conclusions, the report suggests that by lowering the barrier of entry to novice cyber criminals, hackers-for-hire and hacktivists, AI enables relatively unskilled threat actors to carry out more effective access and information-gathering operations. This enhanced access, combined with the improved targeting of victims afforded by AI, will contribute to the global ransomware threat in the next two years.
Ransomware continues to be the most acute cyber threat facing UK organisations and businesses, with cyber criminals adapting their business models to gain efficiencies and maximise profits.
To tackle this enhanced threat, the Government has invested £2.6 billion under its Cyber Security Strategy to improve the UK’s resilience, with the NCSC and private industry already adopting AI’s use in enhancing cyber security resilience through improved threat detection and security-by-design.
The Bletchley Declaration, agreed at the UK-hosted AI Safety Summit at Bletchley Park in November, also announced a first-of-its-kind global effort to manage the risks of frontier AI and ensure its safe and responsible development. In the UK, the AI sector already employs 50,000 people and contributes £3.7 billion to the economy, with the government dedicated to ensuring the national economy and jobs market evolve with technology as set out under the Prime Minister’s five priorities.

NCSC and partners issue warning about state-sponsored cyber attackers hiding on critical infrastructure networks

The UK and allies have issued a fresh warning to critical infrastructure operators about the threat from cyber attackers using sophisticated techniques to camouflage their activity on victims’ networks.
The National Cyber Security Centre – a part of GCHQ – and agencies in the US, Australia, Canada and New Zealand have detailed how threat actors have been exploiting native tools and processes built into computer systems to gain persistent access and avoid detection.
This kind of tradecraft, known as ‘living off the land’, allows attackers to operate discreetly, with malicious activity blending in with legitimate system and network behaviour, making it difficult to differentiate, even for organisations with more mature security postures.
The NCSC assesses it is likely this type of activity poses a threat to UK critical national infrastructure and so all providers are urged to follow the recommended actions to help detect compromises and mitigate vulnerabilities.
The new ‘Identifying and Mitigating Living Off The Land’ guidance warns that China state-sponsored and Russia state-sponsored actors are among the attackers that have been observed living off the land on compromised critical infrastructure networks.

Ministry of Defence of the Netherlands Uncovers COATHANGER, a Stealthy Chinese FortiGate RAT

The Ministry of Defence (MOD) of the Kingdom of the Netherlands was impacted in 2023 by an intrusion into one of its networks. The effects of the intrusion were limited because the victim network was segmented from the wider MOD networks.
During an incident response case, the Netherlands’ MIVD found a Remote Access Trojan (RAT) present on the FortiGate device that had been used for initial access.
The victim network had fewer than 50 users. Its purpose was research and development (R&D) of unclassified projects and collaboration with two third-party research institutes. These organizations have been notified of the incident.
MIVD & AIVD assess with high confidence that the intrusion at the MOD, as well as the development of the malware described in this report, was conducted by a state-sponsored actor from the People’s Republic of China.
MIVD & AIVD emphasize that this incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies.
The COATHANGER malware provides access to compromised FortiGate devices after installation. The implant connects back periodically to a Command & Control server over SSL, providing a BusyBox reverse shell.
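The one behavioural detail given about COATHANGER, a periodic call-back to its C2 server over SSL, is something a defender can measure in the device's own connection logs. The script below is an added example, not code from the Dutch report or from Fortinet: it groups outbound connections by (source, destination, port), computes the inter-arrival gaps for each flow, and flags flows whose gaps are nearly constant. The CSV layout, addresses, the 3600-second cadence and the thresholds are constructed assumptions for the example, not FortiGate's log format or indicators from the report.

```python
"""
Find periodic outbound TLS connections (beacon-like flows) in a connection log.

Assumed CSV layout (constructed for this example, not a vendor format):
  ts,src,dst,dport,proto
"""
import csv
import io
import statistics
from datetime import datetime, timezone

# Constructed sample: one flow every hour with a few seconds of jitter
# (beacon-like), one irregular flow (browsing-like), and a lone DNS query.
SAMPLE_CONNLOG = """\
ts,src,dst,dport,proto
2024-01-20T00:00:03Z,10.0.0.1,198.51.100.7,443,tcp
2024-01-20T01:00:01Z,10.0.0.1,198.51.100.7,443,tcp
2024-01-20T02:00:06Z,10.0.0.1,198.51.100.7,443,tcp
2024-01-20T03:00:02Z,10.0.0.1,198.51.100.7,443,tcp
2024-01-20T04:00:04Z,10.0.0.1,198.51.100.7,443,tcp
2024-01-20T05:00:00Z,10.0.0.1,198.51.100.7,443,tcp
2024-01-20T00:12:40Z,10.0.0.1,203.0.113.10,443,tcp
2024-01-20T00:13:02Z,10.0.0.1,203.0.113.10,443,tcp
2024-01-20T02:47:19Z,10.0.0.1,203.0.113.10,443,tcp
2024-01-20T03:01:55Z,10.0.0.1,203.0.113.10,443,tcp
2024-01-20T04:30:08Z,10.0.0.1,203.0.113.10,443,tcp
2024-01-20T00:00:10Z,10.0.0.1,192.0.2.5,53,udp
"""


def parse_connlog(text):
    """Yield (ts, src, dst, dport) tuples; ts is a timezone-aware UTC datetime."""
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, row["src"], row["dst"], int(row["dport"])


def group_flows(records):
    """Collect timestamps per (src, dst, dport) flow."""
    flows = {}
    for ts, src, dst, dport in records:
        flows.setdefault((src, dst, dport), []).append(ts)
    return flows


def periodicity(timestamps):
    """Mean gap and coefficient of variation (stdev / mean) of inter-arrival gaps.

    A CV near 0 means the connections arrive on a fixed cadence; returns None
    when there are too few gaps to say anything.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return {"samples": len(ts), "period_s": mean, "cv": cv}


def find_beacons(text, min_samples=5, max_cv=0.05):
    """Return flows with at least min_samples connections whose gaps vary by at most max_cv."""
    results = []
    for (src, dst, dport), stamps in group_flows(parse_connlog(text)).items():
        if len(stamps) < min_samples:
            continue
        stats = periodicity(stamps)
        if stats and stats["cv"] <= max_cv:
            results.append({"src": src, "dst": dst, "dport": dport, **stats})
    return results


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNLOG):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} every ~{hit['period_s']:.0f}s "
              f"({hit['samples']} connections, cv={hit['cv']:.3f})")
```

Regular cadence alone is not proof: firmware and signature update checks from a security appliance are periodic by design, so known update endpoints need to be excluded before the remaining flows are reviewed. The detail that matters in the report is the direction of the traffic, a perimeter device itself originating sessions to an external host it has no business with.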

Incident Response Guide for the WWS Sector

CISA, the Federal Bureau of Investigation (FBI), and the Environmental Protection Agency (EPA) released a joint Incident Response Guide for the Water and Wastewater Systems (WWS) Sector. The guide includes contributions from over 25 WWS Sector organizations spanning private industry, nonprofit, and government entities. This coordination enabled CISA, FBI, and EPA to develop a guide with meaningful value to WWS Sector organizations.

Specifically, the guide provides information about the federal support available at each stage of the cyber incident response (IR) lifecycle and aims to enhance WWS Sector cybersecurity by:

• Establishing clear guidance for reporting cyber incidents;
• Connecting utilities with available cybersecurity resources, services, and no-cost trainings;
• Empowering utilities to build a strong cybersecurity baseline to improve cyber resilience and cyber hygiene; and
• Encouraging utilities to integrate into their local cyber communities.

CISA, FBI, and EPA urge all WWS Sector and critical infrastructure organizations to review this guidance and incorporate it into their organizational cyber incident response planning. Organizations can visit CISA.gov/water for additional sector tools, information, and resources.

Enabling Threat-Informed Cybersecurity: Evolving CISA’s Approach to Cyber Threat Information Sharing

One of CISA’s most important and enduring roles is providing timely and actionable cybersecurity information to our partners across the country. Nearly a decade ago, CISA stood up our Automated Indicator Sharing, or AIS, program to widely exchange machine-readable cyber threat information. We know that the only constant in cybersecurity is change, and we’re evolving our information sharing approaches to maximize value to our partners and keep pace with a changing threat environment.

How Did We Get Here?

Every day, CISA evaluates the cyber threat environment, considers the impact of known vulnerabilities, and assesses the defensive posture of entities across our Nation to determine how we can most effectively safeguard critical infrastructure and government networks. Our insight is derived from a variety of sources to include classified and open-source reporting; operational collaboration with government and industry partners; findings from CISA assessments and incident response; and from information shared by members of our broad cybersecurity community through mechanisms such as AIS.

CISA then translates these insights into timely and relevant information. We share information broadly on a global scale, through alerts, advisories, and our Known Exploited Vulnerabilities catalog. We enrich our shared services and cyber capabilities with cyber threat information (CTI). And we leverage these insights to design and prioritize new cyber capabilities for programs such as Continuous Diagnostics and Mitigation (CDM). Across the board, CISA incorporates our unique insights of the global cyber threat environment into everything we offer to provide value to our partners.

While these threat-informed products and capabilities are important to many of our stakeholders, we know that organizations also benefit from receiving cyber threat information to shape investment decisions and prioritize mitigation actions. It is not enough to monitor broad cyber threats generally; organizations must apply threat information to their own risk and technology environments. AIS was established to satisfy legislative requirements and to provide stakeholder communities with a cost-effective means by which to exchange cyber threat indicators and defensive measures with CISA and, in doing so, with thousands of cybersecurity practitioners across the country and with partners across the globe. When it was first established, AIS was a novel model that helped many organizations around the world. But now, it’s time for a change.

Where Are We Going?

As the cyber threat environment evolves, so must our capabilities to analyze and share cyber threat information. When AIS was first designed, the U.S. Government was focused on filling an identified gap in cyber threat intelligence for many organizations and ensuring strong privacy controls. In the early days of AIS, the priority was speed. A decade later, the cybersecurity industry has matured substantially; current products and services are addressing information requirements for most organizations and, in an era of information overload, practitioners still require speed but value context, precision, and tailored insights over volume and velocity alone.

In 2024, CISA will begin a strategic effort to modernize our approach to enterprise cyber threat information sharing. This effort will drive three key areas of progress:

- Simplification: We will refocus and consolidate our customer-facing cyber threat intelligence offerings under a new initiative called Threat Intelligence Enterprise Services (TIES). The TIES Exchange Platform will unify our information sharing capabilities under a single banner for federal agencies and certain user communities, enabling streamlined provision of cyber threat information from our partners and commercial sources. This will offer a common view which will facilitate communications and enable threat-specific engagement. As we design and implement this central solution, CISA is working in parallel to modernize our AIS capability which, in the future, will further complement CISA-curated threat feeds made available by this shared service platform.

- Partner-Centered Design: Throughout this process, we will be driven by the requirements of our partners, including federal agencies, critical infrastructure organizations, and state, local, tribal, territorial governments, to ensure that we are adding value rather than duplicating capabilities. We will continuously seek feedback and ensure that the platform itself is built around human-centered design principles to enable ease-of-use even for under-resourced organizations.

- Learning from Experience: We will rigorously learn from known challenges with the legacy AIS system: we know that it must be easy to both share and receive, that shared information must have sufficient context to enable prioritized action; and that every participant must recognize meaningful value that is additive to existing cybersecurity capabilities. At the same time, we will build upon the successes of the AIS program, including a rigorous focus on privacy and confidentiality by design.

What to Expect Next?

CISA's goal is to facilitate collective, automated cyber defense through increased sharing and context, shaped by an acute understanding of the threat environment. While CISA implements this transition over the next two years, the AIS program will remain available, and we encourage users to continue leveraging this capability and actively share indicators back with CISA.

The shared visibility into cyber threats is our best defense. When an organization identifies threat activity and keeps it to itself, our adversaries win. When we rapidly share actionable information across a community of partners, we take back the advantage. And, when we turn actionable information into strategic investments to drive the most important mitigations, we achieve enduring change. In this new year, we encourage every organization to make a commitment, perhaps a New Year’s resolution, to cybersecurity information sharing, including incident information, indicators of compromise, or even feedback and insights that could benefit peers across the Nation. We look forward to sharing more details about TIES and our cyber threat exchange modernization initiatives throughout the year.

CISA Releases Key Risk and Vulnerability Findings for Healthcare and Public Health Sector

Report provides recommended actions and mitigation strategies for HPH sector, critical infrastructure and software manufacturers

The Cybersecurity and Infrastructure Security Agency (CISA) published a Cybersecurity Advisory (CSA), Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment, detailing the agency’s key findings and activities during a Risk and Vulnerability Assessment (RVA) conducted at a healthcare and public health (HPH) organization in early 2023. The advisory also provides network defenders and software manufacturers recommendations for improving their organizations’ and customers’ cyber posture, which reduces the impact of follow-on activity after initial access.

The CISA assessments team identified several findings as potentially exploitable vulnerabilities that could compromise the confidentiality, integrity, and availability of the tested environment. Tailored for HPH organizations of all sizes as well as for all critical infrastructure organizations, the advisory provides several recommended mitigations mapped to 16 specific cybersecurity weaknesses identified during the RVA. Also, the advisory provides three mitigation strategies that all organizations should implement: (1) Asset management and security, (2) Identity management and device security, and (3) Vulnerability, patch, and configuration management. Each strategy has specific focus areas with details and steps on how HPH entities can implement them to strengthen their cybersecurity posture.

“Exposure of common vulnerabilities and insecure configurations can result in detrimental cyber activity for U.S. healthcare organizations, such as ransomware, data breaches, or denial-of-service. The intent of this advisory is to help organizations maintain the availability, confidentiality, and integrity of their critical healthcare and public health systems, functions, and data,” said CISA Deputy Director Nitin Natarajan. “Adversaries and criminals will continue to target organizations seen as target rich, cyber poor. To reduce the burden of cybersecurity on customers, manufacturers of HPH technology products should implement the recommended actions in the advisory that are aligned to our Principles and Approaches for Secure by Design Software white paper. Also, we strongly encourage healthcare entities and all organizations to review this advisory, implement the mitigations and enroll in our vulnerability scanning service which can further help reduce cyber risk.”

This advisory builds on the CISA and Health and Human Services Healthcare Cybersecurity Toolkit and CISA’s Mitigation Guide for HPH Sector that were recently released. The recommended mitigations for network defenders are mapped to the Cross-Sector Cybersecurity Performance Goals (CPGs).

The recommended actions for software manufacturers are aligned to the recently updated Principles and Approaches for Secure by Design Software, a joint guide co-sealed by 18 U.S. and international agencies. It urges software manufacturers to take the urgent steps necessary to design, develop, and deliver products that are secure by design.

Action against digital skimming reveals 443 compromised online merchants

Europol, law enforcement authorities from 17 countries and the European Union Agency for Cybersecurity (ENISA) have joined forces with private sector partners, including Group-IB and Sansec, to fight digital skimming attacks.

With the support of national Computer Security Incident Response Teams (CSIRT), the two-month action has enabled Europol and its partners to notify 443 online merchants that their customers’ credit card or payment card data had been compromised. This action, led by Greece, falls under the EMPACT priority, which targets the criminals behind online fraud schemes.

Digital skimming is the act of stealing credit card information or payment card data from customers of an online store. Criminals use sophisticated information technology to intercept data during the online checkout process, without customers or online merchants noticing anything unusual.

Data theft often goes unnoticed

Digital skimming attacks can go undetected for a long time. Payment or credit card information stolen as a result of these criminal acts is often offered for sale on illicit marketplaces on the darknet. Customers are usually not aware that their payment details have been compromised until the criminals have already used them to carry out an unauthorised transaction. Generally, it is difficult for customers to find the point of compromise.

Europol is participating in the digital skimming action with the aim of informing affected e-commerce platforms and other online merchants that they have been unintentional points of compromise for such stolen payment data. Europol, national law enforcement authorities, national Computer Security Incident Response Teams and trusted private industry partners identify affected online merchants and provide technical support to these platforms to resolve the issues and protect future customers.

NCCoE Announces Technology Collaborators for Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector Project

The NCCoE has invited technology providers and industry experts from Amazon Web Services, Cisco, Dragos, Garland Technology, Inductive Automation, Qcor, Rockwell, Siemens, TDI Technologies, and Tenable to collaborate on the Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector project.

These collaborators will work with the NCCoE project team to demonstrate a practical solution to assist organizations in detecting, responding, and recovering from a cyber incident within an operational technology environment.

The result will be a freely available NIST Cybersecurity Practice Guide that includes a reference design and a detailed description of the practical steps needed to implement the solution based on the NIST Cybersecurity Framework and industry standards and best practices.

Each of these organizations responded to a notice in the Federal Register to submit capabilities that aligned with desired solution characteristics for the project. The accepted collaborators were extended a Cooperative Research and Development Agreement, enabling them to participate in a consortium in which they will contribute expertise and hardware or software to help refine a reference design and build example standards-based solutions.

CISA Issues Request For Information on Secure by Design Software Whitepaper

The Cybersecurity and Infrastructure Security Agency (CISA) has published a Request for Information from all interested parties on secure by design software practices, including the Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software whitepaper, as part of its ongoing, collective secure by design campaign across the globe.

To better inform CISA’s Secure by Design campaign, CISA and its partners seek information on a wide range of topics, including the following:

- Incorporating security early into the software development life cycle (SDLC): What changes are needed to allow software manufacturers to build and maintain software that is secure by design, including smaller software manufacturers? How do companies measure the dollar cost of defects in their SDLC?
- Security is often relegated to an elective in education: What are some examples of higher education incorporating foundational security knowledge into their computer science curricula? When new graduates look for jobs, do companies evaluate security skills, knowledge, and experience during the hiring stage, or are employees reskilled after being hired?
- Recurring vulnerabilities: What are barriers to eliminating recurring classes of vulnerability; how can we lead more companies to identify and invest in eliminating recurring vulnerabilities; how could the common vulnerabilities and exposures (CVE) and common weakness enumeration (CWE) programs help?
- Operational technology (OT): What incentives would likely lead customers to increase their demand for security features? Which OT products or companies have implemented some of the core tenets of secure by design engineering?
- Economics of secure by design: What are the costs to implement secure by design and default principles and tactics, and how do these compare to costs responding to incidents and breaches?

“While we have already received a wide range of feedback on our secure by design campaign, we need to incorporate the broadest possible range of perspectives,” said CISA Director Jen Easterly. “Our goal to drive toward a future where technology is safe and secure by design requires action by every technology manufacturer and clear demand by every customer, which in turn requires us to rigorously seek and incorporate input. The President’s National Cybersecurity Strategy calls for a fundamental shift in responsibility for security from the customer to software manufacturers, and input from this RFI will help us define our path ahead, including updates to our joint seal Secure by Design whitepaper.”

Co-sealed by 18 U.S. and international agencies, our recent Secure by Design guidance strongly encourages every software manufacturer to build products in a way that reduces the burden of cybersecurity on customers. More recently, CISA launched a new series of Secure by Design Alerts outlining the real-world harms that result from technology products that are not secure by design.

With its partners, CISA encourages technology manufacturers and all interested stakeholders to review the Request for Information and provide written comment on or before 20 February 2024. Instructions for submitting comment are available in the Request for Information. The feedback on current analysis or approaches will help inform future iterations of the whitepaper and our collaborative work with the global community.
