Archive for Security

CISA, The FBI, And MS-ISAC Release DDoS Attack Guidance For The Public Sector

Posted in Commentary with tags on March 26, 2024 by itnerd

In a joint advisory, CISA, the FBI, and MS-ISAC have published new guidance, Understanding and Responding to Distributed Denial-Of-Service Attacks, for federal, state and local government agencies to help prevent disruption to critical services.

The advisory noted that DDoS attacks are difficult to trace and block and are commonly used by politically motivated attackers, with government websites often targeted by one of three types of DDoS attack: volume-based, protocol-based, and application layer-based attacks.

The guidelines emphasized that there are steps that can be taken to mitigate the possibility of being hit. These include:

  • Use risk assessments to identify potential vulnerabilities
  • Implement robust network monitoring tools and detection systems
  • Integrate CAPTCHA challenges
  • Configure your firewalls to filter out suspicious traffic
  • Regularly patch and update all software, operating systems and network devices
  • Train employees about DDoS attacks, and how to recognize and report suspicious activities

The advisory also emphasized the importance of putting in place measures to maintain service availability during a DDoS attack, such as increasing bandwidth capacity and implementing load balancing solutions to distribute traffic and absorb sudden spikes during an attack. It also recommends establishing redundancy and failover mechanisms to redirect traffic, and regularly backing up critical data to allow for fast recovery and minimize data loss.

Stephen Gates, Principal Security SME, Horizon3.ai had this to say:

   “Although volumetric DDoS attacks have been pretty much defeated by those who offer cloud-based DDoS defenses, protocol-based attacks and application layer-based attacks are still a resounding problem. These attacks are often low-and-slow attacks that are extremely difficult to defeat in the cloud since defenses regularly end up blocking legitimate traffic.

   “For those who are concerned about DDoS attacks, the best approach is a hybrid one. Subscribe to cloud-based DDoS defensive services to defeat volumetric attacks and deploy specialty-built DDoS defenses on-premises in front of your border firewalls to defeat the low-and-slow attacks. This way, all types of DDoS attacks can be defeated.”

A DDoS attack can be highly disruptive if an organization isn’t prepared to defend against one. So it is in any organization’s interest to add DDoS to the list of scenarios it needs a playbook for. Fortunately, this joint advisory will help with that.

Why a Supplier Should Care If Its Customer Is Hacked

Posted in Commentary with tags on March 21, 2024 by itnerd

Cyber-attacks are costing suppliers higher auditing fees, even when it was their customer that experienced the attack, not them.

According to a recent study in Science Direct magazine, “The impact of customer firm data breaches on the audit fees of their suppliers”, a supplier’s auditing fees often jump as much as 6% when a big customer experiences a cyberattack, “when the supplier itself didn’t suffer a breach.”

“It’s not enough to know that your company is secure. A cyber breach at a key customer could have a big financial impact for your company,” said Tom Smith, co-author of the study and associate professor at the University of South Florida.

Other possible repercussions for suppliers in the wake of a cyberattack at a key customer: earnings could be significantly lower, inventory could sit longer than expected or there may not be enough cash on hand to make debt payments, says Smith, who is also associate director at the University of South Florida’s Lynn Pippenger School of Accountancy.

“Auditors for public companies are required to account for supply-chain risk. When a company in the supply chain suffers a cyberattack, auditors may need more time or people to get a full grasp of the impact of the cybersecurity breach on a supplier’s financial statement. Accountants might also face increased litigation and reputational risk for auditing a company in the same supply chain as a company that has been hacked.”

Jason Keirstead, VP of Collective Threat Defense, Cyware:

“Today’s organizations need to broaden the scope of their security programs to include aiding in the defense of suppliers as well as the organization itself. Collective defense for supply chains enables critical intelligence sharing, operationalization, and collaboration for interconnected business ecosystems. This collaborative approach fosters a more proactive and resilient stance against cyber threats, getting beyond individual organizational boundaries.”

The fact that supply chain attacks, for example, are incredibly devastating shows the need for everybody you deal with to be on the same page as you. There’s simply no option anymore, as the threat landscape is too great.

New Zealand Central Bank Announces New 72 Hour Cyber Incident Notification Requirement

Posted in Commentary with tags on March 5, 2024 by itnerd

New Zealand’s central bank announced that banks must report major cyber incidents within 72 hours. It plans to implement formal cyber reporting requirements over the next year, after regulators supported proposals by the Reserve Bank of New Zealand (RBNZ) stressing the importance of the central bank having access to information on cyber resilience.

Last year, after New Zealand saw a rise in cyber-attacks, the government was motivated to boost its cyber defenses by setting up a lead agency to make it easier for the public and businesses to seek help during network intrusions. Furthermore, RBNZ collaborated with the Financial Markets Authority (FMA), New Zealand’s financial markets regulator, to develop shared reporting requirements that can be used for both agencies.

The following RBNZ cyber resilience reporting requirements will be implemented in phases through 2024:

  • Material cyber incident reporting requirement: within 72 hours
  • Periodic reporting of all cyber incidents: large entities to be required to report all cyber incidents every six months and other entities annually
  • Self-assessment using the RBNZ’s Guidance on Cyber Resilience: large entities every year and other entities every two years.

Dave Ratner, CEO, HYAS had this comment:

   “Regulations requiring timely reporting are popping up across multiple geographies and verticals, and while they are in general a good thing, the definition of what is and isn’t ‘material’ is often not entirely clear. Nevertheless, for an organization to be in a position to comply with these new regulations will require cyber resiliency solutions that are capable of alerting them to the telltale signs of a breach and see the initial digital exhaust indicating an attack in progress. Most organizations are likely not prepared today and need to prioritize resiliency in 2024 to ensure that they are.”


Mark B. Cooper, President & Founder, PKI Solutions follows with this comment:

   “With regulators adopting stricter notification requirements, now more than ever, banks need to respond with their own stricter, higher levels of security posture management practices if they’re going to avoid having to report incidents.

   “The challenges organizations face are no longer limited to just advanced encryption or identity protection measures, but they highlight the critical need for proactive, vigilant monitoring to quickly identify misconfigurations and alert security resources and staff. Prompt remediation is essential to defend against attacks that lead to triggering a notification.”

Requirements like these are a good thing from two perspectives. First, they make sure that any incident isn’t covered up. Second, they will “encourage” organizations to up their game in terms of their cyber defences to make sure that they don’t get pwned. These sorts of requirements need to be put into effect everywhere, as that is one thing that will make us safer.

US Agencies Warn Of Ransomware Gang Targeting Critical Infrastructure

Posted in Commentary with tags on March 5, 2024 by itnerd

CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an advisory warning of the TTPs that Phobos ransomware actors are using to target government and critical infrastructure entities.

“Structured as a ransomware as a service (RaaS) model, […] Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars,” the advisory said.

Attack chains typically use phishing as the initial access vector, or breach vulnerable networks by hunting for exposed RDP services and brute-forcing their credentials.

Once successful, the threat actors deploy additional remote access tools, use process injection techniques to execute malicious code and evade detection, and modify the Windows Registry to maintain persistence within compromised environments.

“Additionally, Phobos actors have been observed using built-in Windows API functions to steal tokens, bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege process. Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access,” the agencies said.

Phobos has been active since May 2019, with multiple variants identified. Cisco Talos disclosed in November that those behind 8Base ransomware are utilizing a variant of Phobos for their attacks.
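The RDP brute-force path described above, as an added detection example (not from the advisory or any vendor quoted here): it scans constructed Windows Security events for a burst of failed RemoteInteractive logons from one source address and escalates when that same source then logs in. Event IDs 4624/4625 and logon type 10 are real Windows values; the addresses, account names, threshold and window are assumptions chosen for the example.

```python
"""Added example: flag RDP password guessing in Windows Security events.

Not from the advisory. Windows records every failed logon as event 4625
and every success as 4624; LogonType 10 (RemoteInteractive) marks RDP.
A burst of 4625s from one address followed by a 4624 from the same
address is the brute-force-then-login pattern described in the text.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (timestamp, event_id,
# logon_type, source_ip, target_user). 203.0.113.7 guesses five
# accounts in eight seconds and then gets in; 10.0.0.5 is a user
# mistyping a password once; 10.0.0.9 is a network (type 3) logon.
SAMPLE_EVENTS = [
    ("2024-03-05T02:00:00", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-03-05T02:00:02", 4625, 10, "203.0.113.7", "admin"),
    ("2024-03-05T02:00:04", 4625, 10, "203.0.113.7", "backup"),
    ("2024-03-05T02:00:06", 4625, 10, "203.0.113.7", "svc_sql"),
    ("2024-03-05T02:00:08", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-03-05T02:00:11", 4624, 10, "203.0.113.7", "administrator"),
    ("2024-03-05T08:15:00", 4625, 10, "10.0.0.5", "jdoe"),
    ("2024-03-05T08:15:20", 4624, 10, "10.0.0.5", "jdoe"),
    ("2024-03-05T08:16:00", 4625, 3, "10.0.0.9", "share_user"),
]


def parse_events(rows):
    """Turn the tuple rows into dicts with a real datetime."""
    return [
        {"ts": datetime.fromisoformat(ts), "event_id": eid,
         "logon_type": lt, "source_ip": ip, "user": user}
        for ts, eid, lt, ip, user in rows
    ]


def detect_rdp_bruteforce(events, threshold=5, window_seconds=120):
    """Return alerts for sources with >= threshold RDP failures inside
    window_seconds, plus a second alert if such a source then logs in."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # source_ip -> recent failure times
    already_flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:   # only RemoteInteractive (RDP) logons
            continue
        ip = ev["source_ip"]
        recent = failures[ip]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()         # drop failures outside the window
        if ev["event_id"] == 4625:
            recent.append(ev["ts"])
            if len(recent) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append({"kind": "rdp_bruteforce", "source_ip": ip,
                               "failures": len(recent), "user": ev["user"],
                               "ts": ev["ts"]})
        elif ev["event_id"] == 4624 and len(recent) >= threshold:
            # Success right after a guessing burst: treat as a compromise.
            alerts.append({"kind": "rdp_bruteforce_success", "source_ip": ip,
                           "failures": len(recent), "user": ev["user"],
                           "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert["ts"].isoformat(), alert["kind"], alert["source_ip"],
              alert["user"], f"{alert['failures']} failures")
```

The success alert is the one worth paging on: it is the point at which the guessing burst became a working session, and the account it names is the one to reset first.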

BullWall Executive, Carol Volk had this to say:

   “The recent Phobos advisory from CISA, the FBI, and the MS-ISAC sheds light on the continued rise of ransomware attacks targeting government and critical infrastructure sectors. As with many ransomware attacks, the Phobos attacks employed phishing and exploitation of vulnerable RDP services, which highlights the importance of robust cybersecurity measures at every level.

   “Organizations must prioritize implementing multi-layered defense mechanisms, including strong email security protocols and regular security awareness training to thwart phishing attempts. Additionally, securing remote access points and promptly patching vulnerabilities in RDP services can significantly reduce the risk of exploitation.

   “However, we continue to see that even well prepared defenses will be breached by determined actors, so regular air-gapped backups, a ransomware containment system and MFA to protect RDP sessions should be part of the defense stack for the day your defenses are breached.”


John Benkert, CEO, Cigent follows with this:

   “Broken record here. Protecting critical infrastructure from Ransomware-as-a-Service (RaaS) attacks requires a multifaceted approach that spans technological, regulatory, and educational domains. Given the increasing sophistication and accessibility of RaaS platforms, which allow even low-skilled attackers to launch ransomware campaigns, the security of essential services such as healthcare, energy, transportation, and water systems has never been more important.

   “The foundational step in defending against these threats involves the implementation of robust cybersecurity measures that already exist. This includes regular software updates and patch management to close vulnerabilities, advanced threat detection systems to identify and neutralize threats early, and comprehensive data backup strategies to ensure data integrity in the event of a breach.

   “Let me be clear, solutions already exist in the commercial sector to protect against these threats. Instead of cultivating these commercial solutions, the government is more concerned with putting out regulations and standards that take years to approve and become obsolete before they are published.”

This should be a clear warning that defences for critical infrastructure specifically, and for all organizations and sectors in general, need to be a priority. The question is, how many warnings will it take for organizations to get the message?

CORA – Pentagon’s Shift From Compliance To Operational Readiness

Posted in Commentary with tags on March 1, 2024 by itnerd

Starting today, the Pentagon’s main network defense command, Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN), will launch the Cyber Operational Readiness Assessment (CORA) program, a new model for measuring network readiness that shifts the emphasis from compliance to operational preparedness.

CORA is intended to be risk-informed, covering defensive cyber operations and internal defense measures: the specific actions taken on the network in response to intelligence, a threat or an incident. Officials described it as a “living inspection” that can flex to operational and emerging needs given the unpredictability of future vulnerabilities.

“[CORA] enables commanders and directors to make the right decision when applying resources to increase the security posture of their network. It allows us to iterate and change on a dime to figure out what is important now. As everyone understands, technology changes so frequently, so fast, it’s hard for everyone else to keep up. […] With the flexibility of CORA, we’re able to shift and adapt and overcome to start focusing on those unknown or newly discovered vulnerabilities for what is important to JFHQ-DODIN because of intel and threat reporting,” Nicholas DePatto, inspections branch chief said.

Officials began the shift by developing key indicators of risk to assure alignment with JFHQ-DODIN’s cybersecurity priorities and to direct focus onto the most critical areas of remediation. In turn, this will allow organizations to focus their mitigation efforts on risk and exposure to common adversary TTPs, allowing the DOD to concentrate resources and staffing on high-risk areas.

Troy Batterberry, CEO and Founder, EchoMark had this comment:

   “Shifting to a threat-informed approach, the CORA program aligns closely with our ethos of operational readiness and agile responsiveness, focusing on risk-informed defenses and ability to address emerging threats quickly. This aspirational standard underscores the importance of evolving security measures to outpace rapid technological changes and often unpredictable and sophisticated threats. It’s not just about being prepared; it’s about staying ahead.

   “This initiative and directed focus on risk indicators prioritizes adaptability and informed decision-making in security practices which will bring companies closer to where our security is as dynamic and resilient as the threats we face.”


Stephen Gates, Principal Security SME, Horizon3.ai follows with this:

   “To gain the highest level of consistent mission readiness, organizations must view their cyber infrastructures through the eyes of their adversaries. Therefore, it makes complete sense to establish the Cyber Operation Readiness Assessment (CORA) program and shift from mere compliance to actual operational readiness. Trying to remain compliant with a host of different regulations and standards does not always mean you are more secure. Continuous assessment of risk has been proven to vastly improve operational effectiveness.

   “Today, organizations are equipping their security teams with offensive-based autonomous assessment solutions allowing them to perform adversarial exercises against their internal, external, and cloud infrastructures with nothing more than a click. Being able to load, aim, and fire an autonomous assessment solution against yourself tells organizations where their greatest weaknesses are so they can remediate them before adversaries discover them.

   “This cyber terrain assessment approach goes way beyond simple network and vulnerability scans since autonomous assessment solutions are using the exact same TTPs that attackers are using – and can be safely launched against any production environment. The advancements of autonomous assessment technologies are increasing the security postures for those that capitalize on this emerging technology and massively reducing risk in the context of the cyber threat landscape.”

This is a good move by the Pentagon: a model that is simpler for defenders to navigate will make it far easier to defend against cyber threats, and will leave defenders in a better position to do so.

UPDATE: Troy Batterberry, CEO and Founder, EchoMark added an additional comment:

“Given the ever-changing environment, being both risk-informed and agile are paramount to establishing modern security practices. In addition, and akin to good general systemic design, organizations also need to continue to utilize ‘defense in depth’ through multiple layers of protection and access control governance to help avoid a single point of failure causing a broad breach.”

LockBit Appears To Be Back Online

Posted in Commentary with tags on February 29, 2024 by itnerd

It appears that the recent takedown of the LockBit ransomware gang only took them offline briefly. I say that because the gang appears to be up and running again based on this:

It will be interesting to see a bunch of things. Starting with how long they remain online, as I suspect that the same law enforcement groups who recently took them down will be planning to do it again. And it will be interesting to see how effective their operations are, as being taken down in the manner that they were has to have some sort of negative effect.

White House Executive Order Aims to Combat Cyber Threats To US Ports

Posted in Commentary with tags on February 21, 2024 by itnerd

Today, the White House will issue an executive order starting a rulemaking process to add cyber requirements to US ports aimed at increasing defenses through additional authorities to the Coast Guard. The administration also pledged to invest over $20 billion in port infrastructure over five years.
 
The executive order will require the maritime sector to increase digital defenses and report cyber incidents to the Coast Guard. It also gives the Coast Guard the authority to respond to cybersecurity incidents, such as controlling the movement of vessels that present a cyber threat.
 
With concern that Chinese companies own almost 80% of US ship-to-shore cranes, many of which are controlled remotely, the Coast Guard is issuing a nonpublic maritime security directive that requires cranes manufactured in China to meet “a number of security requirements”.

“America’s system of ports and waterways accounts for over $5.4 trillion of our nation’s annual economic activity, and our ports serve as a gateway for over 90% of all overseas trade. Any disruption to the [maritime transportation system], whether manmade or natural, physical or in cyberspace has the potential to cause cascading impacts to our domestic or global supply chains,” Rear Adm. Jay Vann, commander of the U.S. Coast Guard Cyber Command said.

Troy Batterberry, CEO, EchoMark has this comment:

   “It is not only systems that have been infiltrated by foreign states. In my discussions with CISOs across the country, many believe there are employees within their organization that are capable of acting in alignment with foreign states. Unfortunately, 90% of organizations are completely unprepared for the risks imposed by insiders. Dealing with insider risk is the next big area of growth for the cybersecurity industry.”
 
Emily Phelps, Director, Cyware shares this thought:

   “The executive order is a good step towards securing critical national infrastructure. By mandating enhanced cyber defenses and incident reporting in the maritime sector, we’re addressing a significant vulnerability in our national security framework. The focus on the maritime sector, especially given the strategic importance of ports to our economy and supply chain, is timely and essential. This move, coupled with the substantial investment in port infrastructure, demonstrates a proactive approach to cybersecurity, ensuring the resilience of vital assets against emerging threats.”

Neal Dennis, Senior Threat Intelligence Specialist, Cyware had this to say:

   “This completely makes sense. However, this threat is nothing new overall. Government extension of authority to support mitigating the threat is just a sign of validation on the reality of the threat.”

Hopefully this executive order forces those in this sector to improve their preparation for cyber threats both new and old, because critical infrastructure is a prime target for threat actors.

404 Media Investigates Vibrators With Malware On Them…. I’m Not Making This Up

Posted in Commentary with tags on February 20, 2024 by itnerd

Usually when you speak about anything sexual, the only thing to worry about besides pregnancy is catching an STD. Well, I’m here to tell you that you may now need to worry about catching something else. Malware. I’ll let 404 Media give you the details:

Reddit user VegetableLuck posted to r/malware that they bought a small vibrator from the mall, plugged it into their computer’s USB port to charge “without any thought,” and claimed that it downloaded a file flagged by their system’s anti-virus protection software as malware. 

“Opened my web browser and a file is instantly downloaded without opening any webpages, malwarebytes has flagged it as malware and stopped the download,” they wrote. This supposed virus-laden vibrator post went viral on Reddit and Twitter over the weekend.

“No damage was done! Malwarebytes did catch it before I even knew what was happening and then I only investigated where I was able to see the file and get the download source/link from it,” VegetableLuck told 404 Media. “I was very confused as something like this has never happened before, and I hadn’t done anything out of the ordinary on my computer, I had also just turned it on for the day and opened my web browser, the only new variable was I had this vibrator plugged into the usb port!”

They told us they bought it in person on Valentine’s Day at Spencer’s Gifts, a store that largely sells Family Guy t-shirts, Rick and Morty bongs, and lava lamps. Spencer’s stores usually also have a section dedicated to adult toys. The specific item VegetableLuck told us they bought—“Pussy Power 8-Function Rechargeable Bullet Vibrator 4 Inch” by the brand Sexology, according to VegetableLuck—is still listed on the Spencer’s website but is sold out. It has mostly 5-star ratings, and none mention viruses or malware.

404 Media tried to buy the same vibrator but couldn’t get one online. So they went for another model and this is what happened:

The only interesting thing that happened during our test is that, at one point, when plugging the Pussy Power vibrator into the iMac, we captured a split-second popup. Jason happened to be recording the screen with his phone at the time, so he put that video into Adobe Premiere and went frame-by-frame. 

So there’s something that’s clearly on this vibrator. What it is, they don’t know, and more forensics work couldn’t come to a conclusion. But the thing is, anything you stick into your computer could be infected with something. So the safe thing to do is to practise safe computing at all times, just like you practise safe sex.

11 Countries Combine To Take Down LockBit

Posted in Commentary with tags on February 19, 2024 by itnerd

Clearly the LockBit ransomware gang is on the radar screens of many. And they should be as they’ve proven to be one of the more dangerous ransomware gangs out there. But that notoriety may be having a negative effect on LockBit as 11 countries have teamed up to take a shot at them:

Reuters has more details:

Lockbit, a notorious cybercrime gang that holds its victims’ data to ransom, has been disrupted in a rare international law enforcement operation by Britain’s National Crime Agency, the U.S. Federal Bureau of Investigation and Europol, according to a post on the gang’s extortion website on Monday.

“This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” the post said.

An NCA spokesperson confirmed that the agency had disrupted the gang and said the operation was “ongoing and developing”.

The U.S. Department of Justice did not immediately respond to requests for comment.

The post named other international police organizations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany.

Since LockBit is basically “ransomware as a service” where affiliate actors can use LockBit’s services to go after companies as long as LockBit gets a cut, this takedown is hugely disruptive. Sure these affiliates will go elsewhere eventually, but for the time being you may see a decrease in ransomware activity. It will be interesting to get more details of this takedown, and if any more are planned.

The US Is Offering Up Big Money To Capture ALPHV/Blackcat

Posted in Commentary with tags on February 15, 2024 by itnerd

The United States has clearly had enough of the ALPHV/Blackcat ransomware gang. I say that because the U.S. State Department is offering rewards of up to $15 million for information that could lead to the identification or location of ALPHV/Blackcat ransomware gang leaders:

The U.S. Department of State is offering a reward of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold a key leadership position in the Transnational Organized Crime group behind the ALPHV/Blackcat ransomware variant. In addition, a reward offer of up to $5,000,000 is offered for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware activities.

On December 19, 2023, the Department of Justice (DOJ) and the FBI announced cooperation with an international group of law enforcement agencies from the United Kingdom, Australia, Germany, Spain, and Denmark to conduct a disruption campaign against the notorious ransomware gang ALPHV/Blackcat. FBI identified ALPHV/Blackcat actors as having compromised over 1,000 victim entities in the United States and elsewhere, including prominent government entities (e.g., municipal governments, defense contractors, and critical infrastructure organizations). To date, the FBI has worked with dozens of victims in the United States and internationally to disseminate a decryption tool to restore victim systems and prevent ransom demand payments of approximately $99 million.

Shawn Loveland, COO, Resecurity had this to say:

   “According to Resecurity reporting, BlackCat (ALPHV) has increased its ransom demands to up to $2.5M per victim from the large enterprise segment. This is why the group is well-funded and has a significant number of access brokers and affiliates working for them. In fact, many of their attacks have not been publicly disclosed, which suggests that this figure could be much higher in practice. By offering a $15M reward, the law enforcement community aims to disrupt their activity by collecting intelligence from actors familiar with them, potentially causing “competition” between bad actors and their associates. This is especially relevant in light of recent conflicts, such as Lockbit experiencing a ban from certain Dark Web communities. It is possible that the group could be “burned” due to internal conflicts and other actors leaking data about them.”

This is an interesting tactic to try and take this group down. Let’s see how successful this tactic is, or isn’t.