Ransomware is increasingly impacting OT systems, and more.
Welcome to Cyber Security Today. It’s Friday, December 8th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Ransomware attacks are increasingly hitting not only IT environments but also OT, or operational technology, systems. These are the control systems that run factories, power stations and pipelines, many of them now reachable from corporate networks or the internet. The information comes from a new survey by researchers at Claroty. Some 1,100 IT and OT security professionals in a number of countries answered a questionnaire in November. Thirty-seven per cent said ransomware attacks this year affected both their IT and OT environments. That compares to 27 per cent in 2021, a rise of 10 percentage points in two years. Of those who were hit, 22 per cent said the impact was severe or extreme, meaning operations were disrupted for more than a week. An additional 32 per cent said the impact was moderate. Sixty-nine per cent of respondents said their organization paid a ransom to get access back to their data or systems.
Hackers are taking advantage of AWS’s Security Token Service, or STS, to break into cloud applications and data. According to researchers at Red Canary, they’re doing it by generating short-term credentials. These temporary credentials expire after at most 36 hours and exist so users and applications don’t have to carry a permanent AWS identity with long-lived keys. Ironically, the hacker mints short-term tokens by first obtaining a long-term IAM identity and its access key. The advantage of a short-term token is that it lets the hacker hide better: the activity blends in with normal temporary-credential use, and each new session is tied only indirectly to the compromised long-term key. The best defences include logging all CloudTrail event data to a data lake so STS and other AWS service activity can be analyzed, and building alerting to detect role chaining events and multifactor authentication abuse.
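The detection logic the item describes, written out as an added example (it is not code from Red Canary or from this podcast): it walks CloudTrail records, flags STS calls in which a long-term IAM user key (an AKIA… key) mints temporary credentials (ASIA… keys), flags role chaining (a role session assuming another role), and traces any temporary key back to the long-term key that started the chain. The record layout follows CloudTrail’s documented userIdentity, requestParameters and responseElements fields; the events, account ID, key IDs and role names are constructed for the example.

```python
"""Spot STS credential minting and role chaining in CloudTrail records.

Added example, not Red Canary's or the podcast's code. The four sample
events below are constructed; the account ID, key IDs and role names are
made up.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "event_id rule detail")

# STS calls that return a fresh set of temporary credentials.
STS_MINTING_CALLS = {"GetSessionToken", "AssumeRole", "GetFederationToken"}


def key_kind(access_key_id):
    """AKIA... keys are long-term IAM user keys; ASIA... keys are STS temporary keys."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def minted_key(event):
    """Access key ID of the credentials an STS call handed back, if any."""
    creds = (event.get("responseElements") or {}).get("credentials") or {}
    return creds.get("accessKeyId")


def analyze(events):
    """Return a Finding for each STS event that matches one of the two rules."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev["eventName"] not in STS_MINTING_CALLS:
            continue
        ident = ev["userIdentity"]
        caller_key = ident.get("accessKeyId", "")
        mfa = (ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated") == "true")
        # Rule 1: a long-lived key minting short-lived credentials. Normal for an
        # engineer at a CLI, so triage on source IP, MFA and the principal involved.
        if key_kind(caller_key) == "long-term":
            findings.append(Finding(ev["eventID"], "short-term-from-long-term",
                                    f"{ev['eventName']} by {ident.get('userName')} with {caller_key} "
                                    f"minted {minted_key(ev)}"))
        # Rule 2: role chaining, i.e. an existing role session assuming another role.
        if ev["eventName"] == "AssumeRole" and ident.get("type") == "AssumedRole":
            findings.append(Finding(ev["eventID"], "role-chaining",
                                    f"{ident['arn']} assumed {ev['requestParameters']['roleArn']} "
                                    f"(mfa={mfa})"))
    return findings


def build_lineage(events):
    """Map each temporary key to the key that was used to mint it."""
    parent = {}
    for ev in events:
        if ev.get("eventSource") == "sts.amazonaws.com" and minted_key(ev):
            parent[minted_key(ev)] = ev["userIdentity"].get("accessKeyId")
    return parent


def root_credential(key, parent):
    """Follow the lineage back to the credential that started the chain."""
    seen = set()
    while key in parent and key not in seen:
        seen.add(key)
        key = parent[key]
    return key


# Constructed sample records (not real captures).
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE0000001",
                      "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"durationSeconds": 129600},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000001"}}},
    {"eventID": "evt-2", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "ASIAEXAMPLE0000001",
                      "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/CI", "roleSessionName": "deploy-bot"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000002"}}},
    {"eventID": "evt-3", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000002",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CI/deploy-bot",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Admin", "roleSessionName": "x"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000003"}}},
    {"eventID": "evt-4", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000003",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/x"}},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.event_id, f.rule, f.detail)
    lineage = build_lineage(SAMPLE_EVENTS)
    print("evt-4 key traces back to", root_credential("ASIAEXAMPLE0000003", lineage))
```

In the sample, evt-1 trips the first rule and evt-3 the second, and the key used for the S3 call in evt-4 traces back to the long-term key AKIAEXAMPLE0000001, which is the credential to rotate. The lineage step is what makes the short-term tokens less of a hiding place: once the chain is reconstructed, revoking the root key and the role sessions it spawned covers every hop.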
Many cyber attacks are opportunistic, taking advantage of vulnerabilities that hackers trip over. But Bloomberg News has a story about the 2020 attack on the U.S. Department of Health and Human Services at the outset of the COVID-19 pandemic. According to a synopsis of the article by The Cyberwire, it started with a large denial of service attack. It was probably used to hide penetration of the department’s servers. The attackers might have been looking for information the U.S. had on COVID-19. Whatever the motive, a former department official told the news service that the attackers had done their homework and knew where the large stores of data were.
Taylor Swift, Justin Bieber, Jennifer Lopez, Oprah and other celebrities are not denouncing Ukraine for resisting the Russian invasion. But fake ads on Facebook and X make it look that way. The ads have fake quotes beside the pictures of celebrities. According to Wired.com, Russia is suspected of placing the ads. It’s part of the Doppelganger influence campaign I told you about on Wednesday’s podcast. Researchers at a firm called Reset believe the campaign takes advantage of loopholes in Facebook’s ad verification and content moderation systems.
A Russian military-associated group is still going after vulnerable installations of Microsoft Outlook. That warning comes from Palo Alto Networks. The group is known by security researchers as Fighting Ursa, APT28 or Fancy Bear. It’s been exploiting an unpatched Outlook vulnerability for the past 20 months in 14 countries. Most of those countries are members of NATO. Targets are government departments and energy companies. The hole, an elevation-of-privilege flaw in the Outlook for Windows client tracked as CVE-2023-23397, was patched in March. This group is still looking for Outlook installations that haven’t applied that patch.
The Canadian Centre for Cyber Security has issued advisories that patches and mitigations are available for a number of products. These include Atlassian’s Confluence Data Centre and Server and the Atlassian Companion App for macOS; FA (factory automation) engineering software products from Mitsubishi Electric; and certain Facility Explorer and Metasys products from Johnson Controls. IT and OT administrators need to pay attention to these warnings.
That’s it for now. But later today the Week in Review podcast will be available. Guest David Shipley and I will discuss why 20,000 out-of-date Microsoft Exchange servers are still online, why vulnerable medical images are open to the internet and cyber attacks against water utilities.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.