Friday Five: 2/21 Edition
Chinese hackers breach online gambling sites, CISA warns of ransomware attacks across the critical infrastructure sector, and more - catch up on the week's news with the Friday Five.
Although the U.S. government has previously steered clear of attributing specific hacking activity to specific governments, it is now taking a new approach: publicly identifying foreign government-backed hackers and the campaigns they carry out. In an advisory posted on Friday, the Pentagon, the FBI, and the Department of Homeland Security exposed a hacking operation run by a North Korean government-sponsored group. The U.S. government refers to the group as Hidden Cobra, while private-sector security researchers also track it under other names, such as Lazarus and Zinc. The advisory was posted on VirusTotal, the Alphabet-owned malware repository, and provides technical details that can help defenders identify compromises and protect themselves. The malware was used for phishing and for obtaining remote access to carry out further illegal activity, steal funds, and evade sanctions. The government uploaded information on six of the seven malware families the group is using, including the name, purpose, and tactics of each.
2. US Gov’t Warns of Ransomware Attacks on Pipeline Operations by Sergiu Gatlan
The Cybersecurity and Infrastructure Security Agency (CISA) issued a national alert to organizations across all U.S. critical infrastructure sectors, warning them about a recent ransomware attack on a natural gas compression facility. The natural gas operator has not been named and it's unclear exactly when the incident occurred, but the attack caused a two-day operational shutdown of the entire pipeline asset. The attackers used spear-phishing to gain initial access to the organization's IT network, then pivoted into the operational technology (OT) network and deployed commodity ransomware that encrypted files on Windows machines in both the IT and OT networks. It affected control and communication assets on the victim's OT network, disrupting human-machine interfaces (HMIs), data historians, and polling servers and leaving them unable to process data from lower-level industrial control systems. Although programmable logic controllers (PLCs) were not affected and the organization never lost control of operations, the victim decided to shut down all operations as a precaution. The alert stated that "geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies" following the shutdown of the one control facility.
3. Chinese Hackers Have Breached Online Betting and Gambling Sites by Catalin Cimpanu
A group of professional Chinese hackers has been exposed for targeting and hacking online gambling and betting sites since the summer of 2019. The group is called DRBControl, and its operational tactics and malware functionality closely align with the tools and techniques used by Winnti and Emissary Panda, two hacking groups that have conducted attacks on behalf of the Chinese government. It is unclear whether this group is operating in Beijing's interests, but researchers believe it most likely is not. Recently, many state-sponsored groups have taken to carrying out attacks on the side for their own gain. The group in question infected hundreds of computers between July and September 2019, and the attacks are ongoing. They appear to be espionage-focused rather than financially motivated, as the intrusions have been used to steal company databases and source code, but not money. The attack begins with a spear-phishing email carrying a malicious document; employees who open the document are infected with backdoor trojans that use the Dropbox file-hosting and file-sharing service as a command-and-control channel and storage medium. The backdoors are used to download further hacking tools and malware that DRBControl uses to move laterally through a company's network. The group's techniques for infecting victims and stealing their data are neither complex nor unique, but they have been relatively successful.
4. Scottish Armed Forces Veterans Get Retrained in Cyber Security by Hannah Carmichael
A project recently launched in Scotland is working to fix two problems: the shortage of cybersecurity professionals and the lack of available, well-paid jobs for veterans. The partnership project formed between Skills Development Scotland, SaluteMyJob, Abertay University, IBM and tech start-up Skillzminer was launched on Sunday as part of Cyber Scotland Week. The goal of the project is to help fill some of the 13,000 digital jobs in Scotland, and former forces personnel will be given the opportunity to take part in an eight-week course to learn ethical hacking and penetration testing skills at Abertay University and through online courses and job shadowing. The global cyber security workforce gap is expected to reach 1.8 million professionals by 2022 according to the Scottish Government’s Cyber Resilience: Learning and Skills Action Plan. Because most cybersecurity jobs are deeply technical, the military training background of these veterans can make them ideal candidates for these positions. SaluteMyJob managing director Andrew Jackson said: “Service men and women have the knowledge, skills and experience to transition relatively easily into well paid jobs in cyber security.”
5. Hackers Were Inside Citrix for Five Months by Brian Krebs
Citrix Systems, the networking software giant whose products are used by hundreds of thousands of clients worldwide, disclosed an incident in which malicious hackers were inside its network for five months between 2018 and 2019. The FBI had alerted Citrix back in March 2019 that cybercriminals may have gained access to the company's internal network through "password spraying," a tactic in which a small number of common passwords are tried against many employee accounts so that no single account trips a lockout threshold. In the letter sent to affected individuals, Citrix acknowledged that the hackers may have gained access to and made off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. This information could have included Social Security Numbers and other tax identification numbers, driver's license numbers, passport numbers, financial account numbers, payment card numbers, and limited health claims information. Citrix's letter was prompted by the breach-notification laws in force in almost all U.S. states, which require companies to notify affected consumers of any incident that jeopardizes their sensitive information, but it is still unclear how many individuals were affected.
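Password spraying is the inverse of a classic brute force: instead of many guesses against one account, the attacker makes one or two guesses against many accounts, staying under the per-account lockout threshold. The example below is an added illustration written for this page, not code from Krebs' article or from Citrix, and it runs over constructed authentication log lines (hypothetical IPs and account names). It shows why a per-account lockout policy misses a spray while a per-source "distinct accounts failed in a window" check catches it, and it lists which accounts the spraying source later authenticated as, which is the starting point for the incident response.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (hypothetical, not Citrix's logs):
# ISO timestamp, source IP, account name, outcome.
# 203.0.113.7 sprays one guess across seven accounts and lands on "grace";
# 198.51.100.9 brute-forces a single account, "alice".
SAMPLE_LOG = """\
2019-03-04T09:00:01Z 203.0.113.7 alice FAIL
2019-03-04T09:00:03Z 203.0.113.7 bob FAIL
2019-03-04T09:00:05Z 203.0.113.7 carol FAIL
2019-03-04T09:00:07Z 203.0.113.7 dave FAIL
2019-03-04T09:00:09Z 203.0.113.7 erin FAIL
2019-03-04T09:00:11Z 203.0.113.7 frank FAIL
2019-03-04T09:00:13Z 203.0.113.7 grace SUCCESS
2019-03-04T09:05:00Z 198.51.100.9 alice FAIL
2019-03-04T09:05:02Z 198.51.100.9 alice FAIL
2019-03-04T09:05:04Z 198.51.100.9 alice FAIL
2019-03-04T09:05:06Z 198.51.100.9 alice FAIL
2019-03-04T09:05:08Z 198.51.100.9 alice FAIL
2019-03-04T09:05:10Z 198.51.100.9 alice SUCCESS
"""


def parse_events(log_text):
    """Parse the space-separated format above into (time, ip, user, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return sorted(events)


def per_account_lockouts(log_text, threshold=5):
    """Accounts a classic per-account lockout policy would lock.

    Failures are counted per account regardless of source; this is exactly
    the control a spray is designed to stay under.
    """
    failures = defaultdict(int)
    for _, _, user, outcome in parse_events(log_text):
        if outcome == "FAIL":
            failures[user] += 1
    return {user for user, n in failures.items() if n >= threshold}


def detect_password_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that fail against many distinct accounts within `window`.

    Returns {ip: {"distinct_accounts": n, "successes": [accounts]}}, where
    "successes" lists accounts that authenticated from the same IP after the
    spray started, i.e. the guesses that landed.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in parse_events(log_text):
        by_ip[ip].append((ts, user, outcome))

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, user, outcome in evs if outcome == "FAIL"]
        best, start = 0, 0
        for end in range(len(fails)):
            # Advance the window start until the span is at most `window` long.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            best = max(best, len({u for _, u in fails[start:end + 1]}))
        if best >= min_accounts:
            first_fail = fails[0][0]
            hits = sorted({u for ts, u, o in evs if o == "SUCCESS" and ts >= first_fail})
            alerts[ip] = {"distinct_accounts": best, "successes": hits}
    return alerts


if __name__ == "__main__":
    print("locked by per-account policy:", per_account_lockouts(SAMPLE_LOG))
    print("spray alerts:", detect_password_spray(SAMPLE_LOG))
```

On the constructed input the lockout policy locks only "alice", the brute-forced account, and says nothing about the spray; the per-source check flags 203.0.113.7 with six distinct failed accounts and a subsequent success as "grace". In a real deployment the source key would usually be a subnet or ASN rather than a single IP, since sprayers rotate addresses, and the threshold would be tuned against the normal fan-out of shared egress points such as VPN concentrators.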