Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks, scams, frauds, malware including Ransomware and DDoS, in order to ensure you stay safe online.
Here are the most prominent threats which you should be aware of:
Small Utilities, Hospitals Struggle With Newer Cyber Threats
Lack of Money, Expertise Creates Big Challenges For Small Infrastructure Providers
Small electric utilities, wastewater facilities and hospitals struggle to defend their organizations against emerging cyber threats given their limited resources, U.S. government officials told a congressional oversight panel Tuesday.
Slightly fewer than 100,000 drinking water systems and 16,000 wastewater systems serve the United States and its territories, with customer bases ranging in size from more than eight million to just 500 people, said David Travers, head of the Environmental Protection Agency’s Water Infrastructure and Cyber Resilience Division.
“The most significant cyber risk in the water sector remains the failure of many utilities to adopt best practices,” Travers said. “This critical vulnerability is apparent both from a recent industry survey – which showed that most utilities had not taken key steps to protect their operation – and from cyber incidents at water systems, which have exploited the failure to implement cybersecurity best practices.”
Travers testified before a House Energy and Commerce subcommittee panel alongside Puesh Kumar of the Energy Department and Brian Mazanec of the Health and Human Services Department.
The EPA has provided one-on-one technical assistance to hundreds of smaller water and wastewater systems, with subject matter experts identifying gaps in cybersecurity best practices and implementing remediation actions tailored to the resources and goals of the utility entities. The agency in March said it will start assessing cybersecurity as a factor in periodic safety assessments (see: US EPA Regulates Public Drinking Water for Cybersecurity).
“These systems, though small, are critical to the viability of the communities they serve,” Travers said. Their smallness often puts them at greater risk since they lack the dedicated cybersecurity personnel of larger systems, he told lawmakers.
The EPA focuses on best practices such as strong and unique passwords rather than recommending resource-intensive interventions. Travers said the EPA also offers ‘train the trainer’ programs to third parties like the National Rural Water Association and the Agriculture Department’s Rural Community Assistance Program, who often serve as a source of technical expertise.
The Energy Department provides tools to smaller utilities that help them both gauge their existing cyber posture and make investment decisions, said Kumar, director of the Office of Cybersecurity, Energy Security, and Emergency Response. The department’s rural and municipal utility grant program delivers cybersecurity technical assistance and funding directly to rural cooperatives and waste utilities nationwide.
Why Incidents At Small Hospitals Are More Severe
The Health and Human Services Department has developed separate sets of industry best practices for small, medium, and large hospital systems with off-the-shelf resources that small hospitals can use as is, said Mazanec, deputy director for the Office of Preparedness.
“Our focus is on safety and health impacts for smaller, rural hospitals located in an area where there aren’t multiple hospitals and less ability to divert when there is a need,” Mazanec said. “In some respects, that can make the incidents even more severe when they do occur, in addition to the fact that they may have less resources to harden their target.”
In response to this bifurcation, Mazanec said HHS has developed tailored resources that will make it easier and more efficient for smaller, less-resourced hospitals to harden their infrastructure. In addition to off-the-shelf tools, the agency offers an “on-demand” series of courses to help small institutions that lack resident cyber experts, and it will collect data on how existing tools are used to drive future revisions.
“We engage closely with the sector, we coordinate with them, and we’re developing tailored tools,” Mazanec said. “This is also why we think we need to elevate our activity. The threat is growing.”
DSIT publishes guide for cyber security in smart cities
The Department for Science, Innovation and Technology (DSIT) has published a guide for local authorities to protect against cyber threats in connected places and smart cities initiatives.
It said the alpha version of the Secure Connected Places Playbook responds to the fact that the interconnected systems of smart places make them attractive targets for hostile actors.
The guide has been created in collaboration with a group of local authorities – Bradford, Westminster, Dorset, Merthyr Tydfil, Perth and Kinross and the South London Partnership – and provides practical support for maintaining cyber security in the use of solutions such as automated traffic and waste management systems and smart environmental monitoring.
It covers several key cyber security challenges that local authorities face in the deployment of the technologies, including cyber security governance, risk management, procurement and supply chain security, as well as guidance on how to conduct threat analysis.
It also includes a flowchart for understanding which of its resources may be of most use to an organisation, and links to the Connected Places Cyber Security Principles, published by the National Cyber Security Centre (NCSC) in 2021.
Extending expertise
Minister for Cyber, AI, and Intellectual Property, Viscount Camrose, said: “Connected places offer enormous benefits for the entire country, not just through improved public services for our communities, but through new innovations which will unlock better paid jobs and grow our economy.
“We are already world leaders in cyber security, as demonstrated through pioneering measures such as the Product Security Regime. It’s vital that this expertise carries over to the development of our connected places.
“This playbook will help do exactly that – offering practical and accessible support to local authorities as we work collaboratively to grow secure and sustainable connected places across the UK.”
The playbook will be subject to testing and iteration.
The publication has come soon after the NCSC released a guide on best practice in cyber security in the development of smart cities.
China’s Mustang Panda Hackers Exploit TP-Link Routers for Persistent Attacks
The Chinese nation-state actor known as Mustang Panda has been linked to a new set of sophisticated and targeted attacks aimed at European foreign affairs entities since January 2023.
An analysis of these intrusions, per Check Point researchers Itay Cohen and Radoslaw Madej, has revealed a custom firmware implant designed explicitly for TP-Link routers.
“The implant features several malicious components, including a custom backdoor named ‘Horse Shell’ that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks,” the company said.
“Due to its firmware-agnostic design, the implant’s components can be integrated into various firmware by different vendors.”
The Israeli cybersecurity firm is tracking the threat group under the mythical creature name Camaro Dragon, which is also known as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.
The exact method used to deploy the tampered firmware images on the infected routers is currently unknown, as is how the implant is used in actual attacks. It’s suspected that initial access may have been acquired by exploiting known security flaws or by brute-forcing devices with default or easily guessable passwords.
What is known is that the C++-based Horse Shell implant provides attackers the ability to execute arbitrary shell commands, upload and download files to and from the router, and relay communication between two different clients. The altered firmware also hides from a user the ability to flash another image via the router’s web interface.
But in an interesting twist, the router backdoor is believed to target arbitrary devices on residential and home networks, suggesting that the compromised routers are being co-opted into a mesh network with the goal of creating a “chain of nodes between main infections and real command-and-control.”
By relaying communications between infected routers over a SOCKS tunnel, the attackers introduce an additional layer of anonymity and conceal the final server, since each node in the chain holds information only about the nodes immediately preceding and succeeding it.
Put differently, the method obscures the origin and destination of the traffic in a manner analogous to Tor, making it considerably harder to determine the scope of the attack and disrupt it.
“If one node in the chain is compromised or taken down, the attacker can still maintain communication with the C2 by routing traffic through a different node in the chain,” the researchers explained.
That said, this is not the first time China-affiliated threat actors have relied on a network of compromised routers to meet their strategic objectives.
In 2021, the National Cybersecurity Agency of France (ANSSI) detailed an intrusion set orchestrated by APT31 (aka Judgement Panda or Violet Typhoon) that leveraged a piece of advanced malware known as Pakdoor (or SoWat) to allow the infected routers to communicate with each other.
“The discovery is yet another example of a long-standing trend of Chinese threat actors to exploit internet-facing network devices and modify their underlying software or firmware,” the researchers said.