Government-run water systems and other critical infrastructure are still at risk from state-sponsored actors, according to a renewed warning from the U.S. Cybersecurity and Infrastructure Security Agency.
CISA released an advisory last week on the matter, a matter of days after a small water treatment facility in Kansas was forced into manual operations after a cyber attack.
I feel like this is just the latest in a string of warnings that we’ve been talking about since the Colonial Pipeline attack in 2021 that forced a gasoline shortage across the Eastern U.S. We’ve been discussing the importance of defending critical infrastructure for years now, so what’s new now?
For starters, the frequency of these attacks seems to be on the rise. And many efforts to regulate cybersecurity policies and procedures in the industry have thus far fallen flat.
The White House is reportedly working on rolling out a second wave of cybersecurity recommendations for water treatment facilities on the back of the attack in Kansas that affected the public water supply of 11,000 people. Although the cyber attack did not actually prevent anyone from getting their water, it does raise the question of how much of an issue this could be if a state-sponsored actor were to target a facility in a town with a larger population, or if there weren’t backup plans in place to operate the facility manually.
The U.S. Environmental Protection Agency (EPA) said last year that it had to pull a memo outlining cybersecurity standards at water treatment plants because of constant legal action from state and federal lawmakers and private water companies. And the American Water Works Association (a non-profit lobbying organization representing more than 50,000 members) has advocated for facilities and groups like the AWWA to write their own cybersecurity policies rather than relying on the U.S. government.
All of that is to say, despite what lessons we thought we learned from Colonial Pipeline, none of those lessons have been put into practice, and we’re still where we were with cybersecurity policies and regulations three years ago.
Despite urging from the industry and some lawmakers, I’ve yet to see these groups write any of their own policies, so even if they have that power, they don’t seem to be taking advantage of it. So when CISA puts out this type of alert again in a few months after whatever future incident lies ahead, I would expect to see more action from all parties involved rather than another round of words warning that attacks can, and will, happen.
The one big thing
Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” This actor has been active since at least late 2022 and targets organizations worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries. We assess with medium confidence that the actor is financially motivated, likely working as an initial access broker (IAB) or an affiliate of a ransomware cartel.
Why do I care?
The actor behind these attacks seems to be particularly active, infecting more than 100 organizations per month, according to Talos telemetry. This reveals the professional and highly aggressive nature of the attacks and is consistent with the activity we would expect from an IAB or ransomware affiliate. As with any ransomware, BabyLockerKZ looks to encrypt targets’ files and lock them down until the target pays the requested ransom.
So now what?
Talos has released several new Snort rules and ClamAV signatures that detect the activity of this group and BabyLockerKZ. This group is also known to use several publicly available tools in their attacks, such as Mimikatz, which are well-known to the security community at this point. For more on living-off-the-land binaries (LoLBins) that attackers like this one are increasingly using, read our blog post here.
Top security headlines of the week
International law enforcement agencies worked together to arrest and unmask four individuals believed to be associated with the LockBit ransomware group. As part of this campaign, investigators have also linked one of the LockBit members to Evil Corp, a Russian-backed cybercrime gang. At a press conference announcing the arrests, representatives from the U.K.’s National Crime Agency said that Evil Corp maintained a “privileged” relationship with the Russian government and was often asked to carry out targeted cyber attacks against NATO countries. LockBit is traditionally associated with financially motivated ransomware attacks targeting private companies, regardless of the country in which they reside. Europol, the U.K. NCA, the U.S. FBI and Japan’s National Police have also worked together to create and release a decryptor that can unlock files affected by the LockBit ransomware. The same agencies have been working since last year to target and seize assets and servers belonging to LockBit. The threat actor has taken credit for several major attacks over the past several years, including those targeting Boeing, Volkswagen, multiple major international ports and government-owned computers in Fulton County, Georgia. (Europol, TechCrunch)
The latest version of the U.S. National Institute of Standards and Technology’s password recommendations drops complexity in favor of length. NIST’s latest version of its Password Guidelines removes the recommendations that passwords use a mixture of character types and that they be changed often. Instead, the draft states that credential service providers (CSPs) recommend users create passwords between 15 and 64 characters that may include ASCII or Unicode characters. The previous version of the NIST standards led many users to adopt easy-to-guess passwords such as “Password1234!” or store the complicated passwords in easy-to-access places, such as written down on a piece of paper near their computer. CSPs are also instructed to drop knowledge-based authentication or security questions when selecting passwords. NIST standards are important because they formalize principles widely adopted by the U.S. government and major technology companies like Microsoft and Google. The latest draft also states that users only need to change their passwords in the event of a publicly reported data breach. (Infosecurity Magazine, Dark Reading)
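As an added illustration (not part of the newsletter or of NIST's own text), here is a password-acceptance check written to the length-based rule the article describes, beside the older mixed-character-class style of rule it replaces; the limits, sample passwords and function names are assumptions for the example:

```python
import unicodedata

# Constructed example: length-only acceptance (15 to 64 characters, Unicode allowed)
# versus a legacy "mixed character classes" rule.  Limits are taken from the article.
NIST_MIN_LEN = 15
NIST_MAX_LEN = 64


def nist_length_check(password: str) -> tuple[bool, str]:
    """Accept on length alone, counting Unicode code points after NFC normalisation."""
    # Normalise first so a character typed as base letter + combining mark and its
    # precomposed form count the same now and verify the same at login later.
    normalised = unicodedata.normalize("NFC", password)
    n = len(normalised)
    if n < NIST_MIN_LEN:
        return False, f"too short: {n} < {NIST_MIN_LEN} characters"
    if n > NIST_MAX_LEN:
        return False, f"too long: {n} > {NIST_MAX_LEN} characters"
    return True, "ok"


def legacy_complexity_check(password: str) -> tuple[bool, str]:
    """Older style of rule (assumed for contrast): short minimum plus three character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if len(password) < 8:
        return False, "too short: fewer than 8 characters"
    if sum(classes) < 3:
        return False, "needs at least three character classes"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: the article's "Password1234!" passes the legacy rule but
    # not the length rule; a long passphrase does the opposite.
    samples = ["Password1234!", "correct horse battery staple", "contraseña-larga-con-ñ-y-tildes", "x" * 65]
    for s in samples:
        print(repr(s), "legacy:", legacy_complexity_check(s), "nist:", nist_length_check(s))
```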
A vulnerability in a web app from car manufacturer Kia could allow an attacker to view a car’s license plate, unlock the doors, and even remotely start the ignition. The since-patched vulnerability in Kia’s web portal could allow attackers to essentially build and deploy their own web app and reassign control of the internet-connected features of most modern Kia vehicles. The vulnerability could have allowed an adversary to immediately ping the location of a targeted vehicle, process its license plate number, and even honk the horn. This is the second such vulnerability the group of researchers has disclosed to a Hyundai-owned company in the past two years. The vulnerability highlights the risk that modern vehicles come with, many of which rely on internet connectivity for some of their features or interface with web apps, websites or mobile phone apps. A proof of concept from the researchers included a dashboard that could allow an attacker to type in a license plate number and then retrieve the owner’s personal information, eventually adding themselves as an “owner” of the car and executing commands on the vehicle. (Wired, Security Week)
Can’t get enough Talos?
- Resurgence of Spam: Cisco Talos Sound Alarm on New Tactics
- Critical RCE vulnerability found in OpenPLC
- Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam
Upcoming events where you can find Talos
MITRE ATT&CKcon 5.0 (Oct. 22 - 23)
McLean, Virginia and Virtual
Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.
it-sa Expo & Congress (Oct. 22 - 24)
Nuremberg, Germany
White Hat Desert Con (Nov. 14)
Doha, Qatar
misecCON (Nov. 22)
Lansing, Michigan
Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.
Most prevalent malware files from Talos telemetry over the past week