The IT Nerd

Yesterday, the House Homeland Security Committee held a hearing, Securing Operational Technology: A Deep Dive into the Water Sector, before the Subcommittee on Cybersecurity and infrastructure Protection that focused on securing US water systems from cyberattacks.

ICS and OT security specialists from MITRE and Dragos addressed members of the Subcommittee regarding what many water facility operators and defenders may be lacking in terms of technology, staff, and funding, and what operators can do to raise the level of security.

The witnesses emphasized the differences between IT and OT networks and the challenges of defending the latter, especially on the limited budgets.

“Only two to three percent of vulnerabilities even matter to OT operators. If you steal from IT, you steal people’s data. If you target OT, you can kill people,” said Robert M. Lee, CEO of Dragos.

To address the weaknesses in utilities and other CI environments, CISA and other agencies should expand their OT-specific cybersecurity expertise, establish baseline security requirements for OT networks, create uniform incident reporting standards all in an effort to reduce the burden on operators, Lee, Clancy, and the other witnesses suggested.

“There is a considerable opportunity for EPA to step up, CISA and FBI to systematically engage across, and the network of security vendors to make it easier for everyone to coordinate. But these modest reforms should be kept in context with the scale of the threat, and the limited amount of resources available to critical infrastructure operators, particularly in the water sector,” said Charles Clancy, senior vice president and general manager of MITRE Labs.

Mark Cooper, President & Founder, PKI Solutions:

   “The role of critical infrastructure and use of OT segmentation has been a foundational approach to protecting vital infrastructure. However, the evolving cybersecurity threat, shrinking expertise, and staffing issues represent a new threat. The use of automation and intelligence tools to directly address the cyber threat and augment available skills and staffing is the only option to ensure future resilience.”

Critical infrastructure is just that. Critical. There needs to be a concerted and cross agency effort to make sure that this infrastructure is protected before it costs lives.

Yesterday, the UK, France and allied countries signed a declaration calling for international guidelines for the responsible use of spyware in an effort to combat the use of commercial spyware in ways that violate human rights.

Participants at the UK-France Cyber Proliferation conference in London included Belgium, the Czech Republic, France, Greece, Italy, Poland, the US, the UK and the African Union and technology companies such as Apple, Google, Meta and Microsoft.

The spyware initiative, the “Pall Mall Process,” will tackle the proliferation and irresponsible use of commercially available cyber tools, establishing guidelines for developing, selling, facilitating, purchasing, and using these types of tools and services and create a framework for transparent and accountable use.

“The scope [of our efforts] must be broad, not just looking at spyware, but also considering the ‘hackers for hire’ phenomenon, the exploit marketplace, alongside the broader range of ‘off the shelf’ intrusion capabilities, including tools for disruptive and destructive effect,” The UK Deputy Prime Minister Oliver Dowden announced noted.

Ted Miracco, CEO, Approov Mobile Security said this:

   “The market for commercial spyware tools and digital espionage is murky at best. These vendors cater in virtual arms that are sold to any repressive power willing to pay for them, and then cast themselves as shepherds of justice. We will see if the ‘Pall Mall Process’ reins in any bad behavior or it is just a facade for corralling the unbridled market for powerful spyware. The stakes are the very essence of privacy itself.”

Commercial spyware is something that absolutely needs to be curtailed, if not entirely outlawed. Thus I for one am in favour of any effort that achieves that.

Heads up. There was a joint cybersecurity advisory issued by the US today that Volt Typhoon has infiltrated and existed in critical infrastructure networks for at least five years. This link is a TL:DR of that joint advisory. This somewhat echoing an analysis by Microsoft from almost a year ago.

Ken Westin, Field CISO, Panther Labs had this comment:

The methods being utilized by Volt Typhoon, although not new, should be cause for concern given their intent and targets. Unlike ransomware operators whose goal is to get in and cause damage quickly, this nation-state operator is leveraging valid accounts and “living off the land” techniques to evade detection for long periods of time. These methods allow the group to monitor their targets and provide a foothold to cause kinetic damage — damage that can affect equipment and pose a physical threat to critical infrastructure. By targeting energy, water, communications and transportation infrastructure, it is apparent that Volt Typhoon is seeking to disrupt operations of critical infrastructure to cause panic, discord and distract leadership and the public. Many of the OT environments being targeted are notorious for running outdated software, either out of negligence or necessity, if the systems cannot be updated, which increases the risk posed by this threat.

This is another one of those wake up calls that everyone needs to heed as the PRC who are the ones behind Volt Typhoon are serious about their aims to get into networks and steal data. That makes keeping them out a top priority.

UPDATE: Damir J. Brescic, CISO, Inversion6 adds this comment:

This development represents a significant escalation in something warned last year — the underscoring of the sophisticated capabilities of APT (Advanced Persistent Threat) groups.

Volt Typhoon is known for targeting critical infrastructures, government facilities, and the manufacturing sector. Oh, did I mention that they are a Chinese-sponsored hacking group?

The group operations demonstrate a deep understanding of network defense and evasion techniques that allow them to remain undetected for extended periods of time. Their TTP’s (Tactics, Techniques, and Procedures) point to their technical expertise and resources typically found with state-sponsored APT groups.

Their presence is a warning call, highlighting the need for proactive cybersecurity measures, continuous monitoring and sharing of information among various stakeholders. I believe the Volt Typhoon poses a significant risk to critical infrastructure networks – underscoring the need for robust cybersecurity measures across industries and government partners.

I have to admit that this has stunned me as the conventional thinking is that you don’t pay threat actors to get your data back. But apparently there are plenty of people don’t buy into that as this report states that ransomware payments exceed $1 Billion in 2023:

In 2023, ransomware actors intensified their operations, targeting high-profile institutions and critical infrastructure, including hospitals, schools, and government agencies. Major ransomware supply chain attacks were carried out exploiting the ubiquitous file transfer software MOVEit, impacting companies ranging from the BBC to British Airways. As a result of these attacks and others, ransomware gangs reached an unprecedented milestone, surpassing $1 billion in extorted cryptocurrency payments from victims.

And:

2023 marks a major comeback for ransomware, with record-breaking payments and a substantial increase in the scope and complexity of attacks — a significant reversal from the decline observed in 2022, which we forewarned in our Mid-Year Crime Update.

 Ken Westin, Field CISO, Panther Labs had this comment:

The fact the numbers have increased this year shouldn’t be surprising. Ransomware groups operating in Russia were emboldened by the Ukraine conflict and many ransomware groups removed a lot of restrictions they previously had regarding targeting of schools, government agencies and critical infrastructure. The exploitation of software vulnerabilities such as MOVEit has also played a devastating role in the compromise of companies and institutions. Many IT departments were unaware the tool was running in their environments. In addition to the money paid to ransomware gangs, there is also the increasing cost of damage imposed by ransomware on organizations that don’t pay the ransom.

This has to serve as a wake up call that all of us can no longer sleepwalk though this ransomware crisis. Everyone needs to take action. Every part of a defensive playbook from detection, remediation, and a no paying threat actors policy needs to be on the table and acted upon. Because this is the only way to stop this crisis.

On Tuesday, the Government Accountability Office reported findings of a year-and-a-half long performance audit of the federal agencies charged with overseeing the manufacturing, energy, health care and transportation sectors concluding that “none” know whether protections against ransomware have been implemented.

The six agencies include: CISA, the Department of Energy, the Department of Health and Human Services, the U.S. Coast Guard, Transportation Security Administration, and the Department of Transportation.

It was found that “none have fully assessed the effectiveness of their support to sectors” as directed in the Department of Homeland Security’s 2013 National Infrastructure Protection Plan and they also haven’t “determined the extent of adoption of the National Institute of Standards and Technology’s recommended practices for addressing ransomware.”

The GAO made 11 recommendations to four agencies to, among other things, determine selected sectors’ adoption of cybersecurity practices. DHS and HHS agreed with their recommendations while the DOE and DOT partially agreed.

“Given that ransomware remains one of the most serious and concerning cybersecurity challenges to our nation’s critical infrastructure, it is vital that the SRMAs assess risks and measure the effectiveness of their support activities to better protect their respective sectors from this pervasive threat,” the report said.

Emily Phelps, VP, Cyware had this comment:

   “This situation underscores the paramount importance of intelligence sharing and collaborative, proactive cybersecurity to safeguard our nation’s critical infrastructure. By fostering an environment where information and strategies are shared across agencies and sectors, we can build a more resilient and responsive defense system.”

Mark B. Cooper, President & Founder, PKI Solutions adds this comment:

   “The GAO report reveals a crucial gap in the understanding and implementation of protections for core systems like identity and encryption in critical infrastructure. Agencies overseeing sectors like manufacturing, energy, healthcare, and transportation lack comprehensive assessments on the adoption of recommended ransomware protections. This situation also highlights the need for a more coordinated approach across agencies and a requirement for deeper level of assessment to Identity and Encryption systems. This is crucial for strengthening the operational resilience of critical infrastructure against ever changing cyber security threat landscape.”

Given how dangerous and pervasive ransomware attacks are, everyone needs to step up their game to ensure that they aren’t the next victim of a ransomware attack. Thus I hope that these agencies take the advice of the GAO and take immediate action.

No one in the government seems to know whether agencies must use MFA (Multi Factor Authentication) on social media.

Even after the SEC “X” account was hacked and it was found to be the result of a sim-swapping attack, made possible because the SEC had disabled multi factor authentication, “policy makers” still have no clear guidance on MFA.

Scoop News Group asked multiple federal agencies and experts if the government required the use MFA for social media and not one could give a definitive answer:

• Office of Management and Budget
• Cybersecurity and Infrastructure Security Agency
• Former White House cybersecurity officials
• cybersecurity policy lawyers
• congressional staffers and federal identity experts

This should not be a hard question, as it’s been almost three years since the White House issued their “Executive Order on Improving the Nation’s Cybersecurity.” A key directive of that Order required the adoption of Zero Trust and more specifically, allowed just 180 days to implement MFA:

“Within 60 days of the date of this order (5/12/21), the head of each agency shall… develop a plan to implement Zero Trust Architecture”
“Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit”

Apparently, there is widespread use of MFA throughout the government, but with no unified approach, where some agencies require it, some use 3rd party security methods and others do not.

John Benkert , CEO, Cigent had this comment:

   “I think there is a trust issue that the government has an obligation to uphold by protecting the authenticity of the channels our government uses to communicate with the public, hence the need to better monitor, standardize, and secure the social media accounts – including the use of social media.

   “The extension of Multi-Factor Authentication (MFA) policies to media tools used by government agencies is a pertinent although complex issue. The diversity in the missions and operational frameworks of various government entities complicates the implementation of a unified security protocol, such as MFA. For instance, the Department of Defense (DoD) employs Common Access Cards (CAC), which offer a high level of security by tying access to a specific individual with designated permissions. This system is effective in maintaining security within the DoD’s operational scope but for some reason is not universally adopted across all government branches.

   “The disparity in security measures across different government organizations highlights the need for a top-down approach to standardize security protocols. The implementation of MFA across all media tools used by government agencies could serve as a robust barrier against the dissemination of fake news and misinformation. MFA, by requiring multiple forms of verification before granting access, significantly reduces the risk of unauthorized or malicious entities infiltrating government communication channels.

   “However, the challenge lies in harmonizing these security measures across diverse agencies, each with its own set of tools, sensitivities, and operational requirements. A one-size-fits-all approach might not be feasible given the varied nature of government operations. Therefore, the development of a flexible yet rigorous MFA policy, overseen by a central governing body, could offer a solution. This policy would need to accommodate the specific needs of different agencies while upholding a high standard of security to guard against the risks associated with digital media tools. Such a centralized strategy would not only enhance security across the board but also facilitate a more cohesive and coordinated response to the threats posed by misinformation and fake news within government channels.”

The bigger issue for me is this. Where else is MFA not used? By not using that or a password less solution, you are simply asking to get pwned. Just ask the SEC.

Well this is embarrassing, and a national security threat at the same time. The GSA was ratted out to the US Inspector General for the purchase of some Chinese made videoconferencing cameras. Here’s how that went down:

In 2022, our office was contacted by a GSA employee who was concerned about GSA’s purchase and use of Chinese-manufactured videoconference cameras. Since these cameras were manufactured in China, they were not compliant with the Trade Agreements Act of 1979 (TAA). Our audit objective was to determine whether GSA’s purchase and use of these Chinese-manufactured videoconference cameras were in accordance with federal laws, regulations, and internal guidance.

And:

GSA Office of Digital Infrastructure Technologies (IDT) employees misled a contracting officer with egregiously flawed information to acquire 150 Chinese-made, TAA-noncompliant videoconference cameras. Before completing the purchase, the contracting officer requested information from GSA IDT to justify its request for the TAA-noncompliant cameras, including the existence of TAA-compliant alternatives and the reason for needing this specific brand. In response, GSA IDT provided misleading market research in support of the TAA-noncompliant cameras and failed to disclose that comparable TAA-compliant alternatives were available.

The TAA-noncompliant cameras have known security vulnerabilities that need to be addressed with a software update. However, GSA records indicate that some of these TAA-noncompliant cameras have not been updated and remain susceptible to these security vulnerabilities.

Well, that’s really freaking bad. Andrew Borene, Executive Director for Global Security, Flashpoint had this comment:

“The GSA’s procurement of unauthorized Chinese-made cameras with known vulnerabilities is certainly a matter of concern, echoing similar apprehensions we’ve had in the past about other technology products, such as drones, from China. 

These cameras, like any technology that connects to IT systems, can become a potential vector for espionage, malware, or maintaining a persistent presence in federal networks. The PRC’s Communist government has passed a number of increasingly totalitarian laws mandating that all Chinese corporations share information with the government for national security purposes. This creates an inherent risk when using their manufactured technology in sensitive environments. 

Given the PRC’s history of espionage, and the increasingly intertwined relationship between the state and private enterprises, the use of these cameras in federal settings poses a significant risk, not just due to their known vulnerabilities, but also due to the potential for hidden backdoors or other compromised elements in their hardware or software.

The prevalence of unauthorized Chinese-made technologies in government agencies, despite known risks, is a multifaceted issue. One primary factor is China’s dominance in manufacturing and global supply chains, making their products readily available and often more cost-effective. 

However, this convenience comes with heightened risks, especially when considering critical infrastructure and national security. 

The challenge in keeping these products out of federal networks lies in the complexity of supply chains and the difficulty in thoroughly vetting every component for security risks. The PRC’s significant role in technology production, combined with its aggressive espionage tactics, necessitates a more cautious approach. The focus should not only be on direct components but also on an extensive evaluation of the entire supply chain, acknowledging the -nth party risks. 

In light of China’s continued efforts to infiltrate Western networks for intelligence and espionage, it is crucial for government agencies to exercise heightened diligence and opt for more secure alternatives, even if they come at a higher cost or require more rigorous procurement processes.”

Hopefully those people in the GSA who were stupid enough to buy these cameras get what’s coming to them. Because given China’s history of espionage, this was a completely unacceptable purchase.

The UK’s National Cyber Security Centre (NCSC) has announced plans to convene public and private experts in a new Cyber League in an effort to combat cyber threats facing the UK.

Members of Cyber League will be a diverse group of industry experts, working with NCSC analysts and each other. The group will take part in a range of engagements, analytic workshops and discussion groups with the intention to improve visibility and tracking of existing and emerging threats.

“We continue to operate in a world of greater competition, instability, and contention than we have in over 30 years; a time before which cyber was material.

“As such we need to go beyond the excellent work already in place […] and prepare for when the big cyber event hits organizations, the UK, and the globe. Our adversaries, criminal and otherwise, are more aggressive and technically able than ever before, and show no sign of slowing down,” Ollie Whitehouse, new NCSC CTO warned earlier this week.

The initiative will complement the NCSC’s Industry i100 program, where third-party cyber experts are seconded to work at the agency on a part-time basis. 

Jason Keirstead, VP of Collective Threat Defense, Cyware:

   “It is extremely encouraging to see this announcement from the NCSC. As we have seen with the JCDC program in the United States, there are tangible benefits whenever the public and private sectors increase their collective defense efforts. Cybersecurity is a whole-of-nation problem and cannot be solved by industry and government working alone, we must continue to engage as frequently and as widely as practical.”

This almost sounds like UK has pulled a team of superheroes together to fight cybercrime. Jokes aside, this is a good idea. And more countries should do something similar.

Here’s a mind blowing stat for you. US finance firm JPMorgan Chase gets attacked by hackers an astonishing 45 million times a day. Here’s the details:

Mary Callahan Erdoes, Chief Executive of JPMorgan’s Asset & Wealth Management line discussed the increasing numbers of hacking attempts during a panel at the World Economic Forum in Davos.

‘The fraudsters get smarter, savvier, quicker, more devious, more mischievous,’ Erdoes said. 

‘It’s so hard and it’s going to become increasingly harder and that’s why staying one step ahead of it is really the job of each and everyone of us.’

JPMorgan isn’t the only bank dealing with a surge in cyberattacks.

Since Russia invaded Ukraine two years ago – rising global geopolitical tensions have caused cyber crime to skyrocket. 

Over 70 per cent of bank leaders in a 2023 KPMG survey reported being concerned about cyber crime and cyber insecurity. 

JPMorgan spends $15 billion each year just on technology to prevent cyber attacks as part of an effort to bolster its cyber defenses. 

This budget is up substantially from the $14.3 billion that the company spent on technology in 2022. 

Edroes also reported that JPMorgan Chase had employed 62,000 technologists to help secure systems and prevent hacking. 

Ken Westin, Field CISO, Panther Labs had this comment:

This type of messaging is not helpful to the industry without providing more specifics. It feels similar to the  “cyber apocalypse” we experienced a few years back to instill fear in consumers and businesses. In this instance, I am pretty sure they’re referring to vulnerability scans, DDoS attempts, bots etc. – most of which are automated and not really attacks, but I guess that depends on how they define an attack – context that I believe is lacking in this statement. Erdoes’ quote also refers to “fraudsters” which can also include credit card fraud, BEC attempts, etc. and not just “hackers.” We need to get beyond the fear, uncertainty and doubt (FUD) narratives in security, and focus on real threats with appropriate context – not push “monsters under the bed” narratives to keep CISOs up at night.

The fact that JPMorgan Chase hasn’t been taken out, at least not that we know of, is likely a good sign that their cyber defences are working. Whatever they are. It also highlights that other companies need to put in their level of effort to stay secure.