Decipher | https://decipher.sc | info@decipher.sc (Amy Vazquez) | Copyright 2022

Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world.

Attackers Exploiting Two Microsoft Exchange Zero Days | dennis@decipher.sc (Dennis Fisher) | https://duo.com/decipher/attackers-exploiting-two-microsoft-exchange-zero-days

Microsoft and researchers across the community are investigating reports of a pair of possible zero day vulnerabilities in Microsoft Exchange that may have been exploited by attackers in at least one intrusion. The vulnerabilities emerged publicly on Thursday and Microsoft is still in the process of investigating them, but some researchers have confirmed that they are both exploitable and have been used in the wild.

The two flaws (CVE-2022-41040 and CVE-2022-41082) are similar to the notorious ProxyShell vulnerability from 2021, and the path to exploitation is similar. The first bug is a server-side request forgery (SSRF) flaw, while the second is a remote code execution flaw that an attacker can use when PowerShell is available. The end result of exploiting these bugs would be control of the target Exchange server. The main difference between the new bugs and ProxyShell is that an attacker needs to be authenticated to the Exchange server to exploit the new flaws.

Microsoft Exchange 2013, 2016, and 2019 are all affected by these vulnerabilities. The attacks targeting these vulnerabilities have been ongoing for several weeks already. Organizations that run Exchange Online may still be affected if they still have a hybrid Exchange server online as part of a migration from on-premises Exchange.

“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities,” Microsoft Security Response Center said in a blog post Thursday night.

Researchers at GTSC Cyber Security, a Vietnamese security firm, discovered the exploitation attempts of the new bugs and published details of the attacks and the post-exploitation behavior. The researchers observed attackers in multiple customer environments exploiting the bugs and installing webshells on compromised servers.

“After successfully exploiting the vulnerability, we recorded attacks to collect information and create a foothold in the victim's system. The attack group also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system,” GTSC said in a post explaining the activity.

“We suspect these exploits come from Chinese attack groups, based on the webshell codepage of 936, a Microsoft character encoding for simplified Chinese.”

GTSC submitted the bugs to the Trend Micro Zero Day Initiative on Sept. 8.

“Exploitation has been happening for at least one month in the wild, with the security vendor report accepted by ZDI 22 days ago. MS will be frustrated with the vendor going public… but it’s better customers know about a threat like this,” security researcher Kevin Beaumont said on Twitter.

“Also, another small detail - the issue is at the AutoDiscover phase, which doesn’t have MFA protection.”

There are a significant number of Exchange servers that are vulnerable to these flaws, and researchers recommend that organizations stop exposing Exchange servers to the Internet until a patch is available. Microsoft has published some mitigations, including blocking the use of PowerShell.

“Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks,” Microsoft said.

Decipher Podcast: Source Code 9/30 | lindsey@decipher.sc (Lindsey O’Donnell-Welch) | https://duo.com/decipher/decipher-podcast-source-code-9-30

Threat Actor Delivered Malware Via Trojanized Live Chat Installer | lindsey@decipher.sc (Lindsey O’Donnell-Welch) | https://duo.com/decipher/threat-actor-delivered-malware-via-trojanized-live-chat-installer

A threat actor recently delivered malware through a trojanized installer for a legitimate desktop-based live chat application from Comm100 that is used by organizations globally.

The signed, trojanized installer was available for download from Comm100’s official website from at least Sept. 27 through the morning of Sept. 29, according to a CrowdStrike report first covered by Reuters. Comm100, which makes customer engagement software that powers live chat, chatbots, ticketing, social media and messaging tools, removed the trojanized installer on Sept. 29 and released an updated one (10.0.9).

“The trojanized file was identified at organizations in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe,” according to CrowdStrike researchers in a Friday analysis.

While further information on the specific number of victim organizations was not disclosed, CrowdStrike researchers said Comm100 has over 15,000 customers across 51 countries, “so the possibility of affected customers and industries is widespread.”

The trojanized installer in question was signed on Sept. 26 with a valid Comm100 Network Corporation certificate. Researchers found that the installer contains a JavaScript backdoor that would then download and execute a second-stage script, consisting of obfuscated JavaScript that provides the threat actor with remote shell functionality. Researchers also observed what they believed was likely follow-on activity, in which the threat actor installed additional malicious files on the impacted host, including a malicious loader DLL. This DLL executed a shellcode payload in memory and injected an embedded payload into a new instance of notepad.exe, which connected to an attacker-controlled C2 domain. The malicious loader DLL was executed using a legitimate Microsoft Metadata Merge Utility (mdmerge.exe) tool through DLL search-order hijacking, the researchers said.

“The payload delivered in this supply chain attack differs from payloads identified in previous incidents related to the same actor, targeting online gambling entities in Asia,” said researchers. They added that “the recent activity differs from activity targeting online gambling in both the target scope and the supply chain attack mechanism delivering a trojanized app via Comm100’s website.”

Researchers also assessed with moderate confidence that the attacker is “likely” a China-nexus threat actor due in part to the Chinese-language comments in the malware, its tactics and the connection to online gambling entities in East and Southeast Asia, which they said is a previously established target area of China-nexus intrusion actors. According to CrowdStrike, assessments are made with moderate confidence when they are based on information that is “credibly sourced and plausible, but not of sufficient quantity or corroborated sufficiently to warrant a higher level of confidence.”

Comm100, which is based in Canada, did not immediately respond to a request for comment. According to CrowdStrike, Comm100 has indicated it is performing a root cause analysis to obtain additional information on the incident.

Novel Malware Installed in VMware ESXi Attacks | lindsey@decipher.sc (Lindsey O’Donnell-Welch) | https://duo.com/decipher/new-persistence-tactic-backdoors-seen-in-vmware-esxi-attacks

Threat actors that had previously gained administrative privileges on the compromised VMware ESXi servers of several organizations were observed leveraging a unique technique to install two novel, persistent backdoors.

After discovering attacker commands being sourced from a legitimate VMware Tools process on a Windows virtual machine (hosted on a VMware ESXi hypervisor), researchers analyzed the hypervisor’s boot profile. In April, they found attackers leveraging a new tactic that used malicious vSphere Installation Bundles (VIBs) in order to install two new backdoors on the ESXi hypervisors. VIBs, collections of files that facilitate virtual system management, can be used in package format by administrators to deploy updates or maintain systems. But researchers observed attackers using malicious VIB packages as a persistence technique to maintain access across ESXi hypervisors.

“It is important to highlight that this is not an external remote code execution vulnerability; the attacker needs admin-level privileges to the ESXi hypervisor before they can deploy malware,” said Mandiant researchers in a Thursday analysis. “Mandiant has no evidence of a 0-day vulnerability being used to gain initial access or deploy the malicious VIBs at the time of writing this post.”

VIBs are made up of XML descriptor files, a payload (a .vgz archive) and a signature file used to verify the host acceptance level of a VIB. The latter involves four levels that are set for hosts, image profiles and individual VIBs, which can be changed manually by ESXi administrative accounts using the --force flag option. The malicious VIBs uncovered by researchers were labeled under the default acceptance level, “PartnerSupported,” which indicates that the VIBs are published by a trusted VMware partner. Upon further investigation, however, researchers found that the signature files of the malicious VIBs were empty. Instead, an attacker had modified the XML descriptor file to change the VIB to the “PartnerSupported” level, even though the files only met the requirements of the basic “CommunitySupported” level, which is for VIBs created by third parties that are not reviewed or signed by VMware or its trusted partners.

“While the acceptance-level field was modified in the Descriptor XML by the attacker, the ESXi system still did not allow for a falsified VIB file to be installed below the minimal set acceptance level. To circumvent this, the attacker abused the --force flag to install malicious CommunitySupported VIBs,” said researchers.

Attackers also leveraged two backdoors in the attack, including a malware family that researchers called VIRTUALPITA that supports arbitrary command execution, file upload and download, capabilities to start and stop vmsyslogd, and the ability to listen on and log the activity of a Virtual Machine Communication Interface. The malware has several tactics used to cover its tracks, including using VMware service names to disguise its activity as a legitimate service. The other malware discovered by researchers is called VIRTUALPIE, a backdoor written in Python that supports arbitrary code execution, as well as file transfer and reverse shell capabilities. Researchers found samples for VIRTUALPIE that were targeted for VMware ESXi and for Linux.

Researchers found that attackers had executed several commands to guest machines via these backdoors that primarily focused on the enumeration and compression of files across the system, as well as the targeting of virtualized systems for credential harvesting (using MiniDump to dump process memory and search for cleartext credentials). Researchers suspect the activity, which they track as UNC3886, is cyber espionage related.

Charles Carmakal, CTO with Mandiant Consulting, said that the malware was deployed on fewer than ten organizations; however, researchers anticipate that more organizations will discover compromised VMware infrastructure. VMware and Mandiant both outlined guidance for VMware customers to secure their vSphere environments and apply additional mitigations.

“While we noted the technique used by UNC3886 requires a deeper level of understanding of the ESXi operating system and VMware’s virtualization platform, we anticipate a variety of other threat actors will use the information outlined in this research to begin building out similar capabilities,” they said.

Lazarus Group Affiliate Uses Trojanized Open Source Apps in New Campaigns | dennis@decipher.sc (Dennis Fisher) | https://duo.com/decipher/lazarus-group-affiliate-uses-trojanized-open-source-apps-in-new-campaigns

The North Korean attack group responsible for the compromise of Sony Pictures Entertainment and many other operations has been running long-term phishing campaigns that rely on social engineering and impersonation, and deliver trojanized versions of legitimate open source applications to compromise targets inside technology, media, and other companies.

The campaigns are the work of a threat actor that Microsoft calls ZINC and that is affiliated with the Lazarus group, a highly active threat actor that performs cyber espionage and other operations. The group has targeted a wide range of companies in the past decade and is known to use a variety of tools and pieces of malware. In the new campaigns, Microsoft researchers saw the actor using an implant called ZetaNile, which ZINC actors have inserted into copies of several legitimate open source tools, including the PuTTY and KiTTY SSH clients.

“Both utilities provide terminal emulator support for different networking protocols, making them attractive programs for individuals commonly targeted by ZINC. The weaponized versions were often delivered as compressed ZIP archives or ISO files. Within that archive, the recipient is provided a ReadMe.txt and an executable file to run,” the researchers with Microsoft Threat Intelligence and LinkedIn Threat Prevention and Defense said in an analysis of the recent campaigns.

“As part of the evolution of ZINC’s malware development, and in an effort to evade traditional defenses, running the included executable does not drop the ZetaNile implant. For ZetaNile to be deployed, the SSH utility requires the IP provided in the ReadMe.txt file.”

One key piece of the campaigns is the use of LinkedIn personas as initial outreach vectors for victims. ZINC actors create fake personas on LinkedIn, posing as recruiters at defense, tech, or entertainment companies, and then lure the victims into moving the conversation onto WhatsApp. At some point, ZINC actors deliver the ZetaNile-compromised application to the victims. The actor has used the compromised PuTTY infection method in the past, but only recently started using KiTTY, too. KiTTY is a fork of PuTTY, and in both cases, ZINC uses DLL search order hijacking in order to load a malicious DLL onto the victim’s machine.

In the last few weeks, ZINC also has been using a trojanized version of the TightVNC Viewer remote administration application, as well as two PDF readers, Sumatra PDF and muPDF/Subliminal Recording installer.

“As part of the threat actor’s latest malware technique to evade traditional defenses, the malicious TightVNC Viewer has a pre-populated list of remote hosts, and it’s configured to install the backdoor only when the user selects ec2-aet-tech.w-ada[.]amazonaws from the drop-down menu in the TightVNC Viewer,” the analysis says.

The ZINC/Lazarus group attackers have shown tenacity and the ability to innovate and shift their tactics as needed over the years. Despite intense focus on the group’s activities from both the research and law enforcement communities, the group has continued to run operations against significant targets. The organizations that the group targeted in the recent campaigns were in the United States, UK, Russia, and India.

New Chaos Malware Targets Windows and Linux Devices | dennis@decipher.sc (Dennis Fisher) | https://duo.com/decipher/new-chaos-malware-targets-windows-and-linux-devices

A threat actor possibly based in China is deploying a new multiplatform piece of malware named Chaos that is infecting SOHO routers, brute-forcing SSH passwords, using known vulnerabilities to propagate, and launching DDoS attacks against a variety of targets.

Chaos is related to the Kaiji malware, which has been circulating for about two years, and is mainly used for DDoS attacks. Both Chaos and Kaiji are written in Go and use SSH brute force attacks as one of their propagation methods. Researchers at Lumen Technologies’ Black Lotus Labs have discovered Chaos infections around the world, all of which are communicating with C2 infrastructure based in China and said the DDoS attacks launched by the malware have targeted financial, gaming, and technology companies, as well as at least one cryptocurrency exchange. The botnet itself is not very large at this point, but has the potential to grow quickly, given that there are Windows and Linux variants of Chaos, and the malware can run on a number of different architectures, including ARM, Intel, and PowerPC.

The initial infection vector for Chaos isn’t clear at this point, but once the malware is on a new device, it contacts the C2 server, which is hard-coded in the malware, and waits for commands.

“The host then receives one or more staging commands depending on the sample and the host environment: these include commands to initialize propagation through exploiting a known CVE, to automatically propagate through SSH via brute-forcing or leveraging stolen SSH keys and to begin IP spoofing,” the Black Lotus Labs analysis says.

“Based on the first set of commands, the host may receive a number of additional execution commands including performing propagation via the designated CVE and specified target lists, further exploitation of the current target, launching a specific type of DDoS attack against a specified domain or IP and port, and performing crypto mining.”

Chaos has the ability to exploit some known vulnerabilities, and Black Lotus Labs researchers observed the malware targeting at least two flaws, one in the Zyxel Firewall and one in the Huawei HG532 personal firewall. Both of those bugs are several years old and the actors using Chaos have the ability to update the exploit portion of the malware with commands for other bugs. Chaos also has the ability to establish a reverse shell on an infected device and in some cases installs a cryptominer. There is a module to launch several types of DDoS attacks against specific IP addresses, as well.

“Based upon our analysis of the functions within the more than 100 samples we analyzed for this report, we assess Chaos is the next iteration of the Kaiji botnet. Kaiji was originally discovered in 2020 targeting Linux-based AMD and i386 servers by leveraging SSH brute forcing to infect new bots and then launch DDoS attacks,” the analysis says.

“Given the suitability of the Chaos malware to operate across a range of consumer and enterprise devices, its multipurpose functionality and the stealth profile of the network infrastructure behind it, we assess with moderate confidence this activity is the work of a cybercriminal actor that is cultivating a network of infected devices to leverage for initial access, DDoS attacks and crypto mining.”

Researchers believe Chaos first emerged in April, and its activity has been increasing steadily in the months since. The malware has infected SOHO routers, embedded Linux devices, and enterprise servers. The shift to remote work in the last couple of years has made home routers and other devices that typically sit outside of a corporate network juicy targets for attackers.

“Not only does it target enterprise and large organizations but also devices and systems that aren’t routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS. And with a significant evolution from its predecessor, Chaos is achieving rapid growth since the first documented evidence of it in the wild,” the Black Lotus Labs analysis says.

Phishing Attack Targets Microsoft Flaw to Deliver Cobalt Strike | lindsey@decipher.sc (Lindsey O’Donnell-Welch) | https://duo.com/decipher/phishing-attack-targets-microsoft-office-rce-flaw-to-deliver-cobalt-strike

Threat actors are targeting a years-old remote code execution vulnerability in Microsoft Office in order to deliver Cobalt Strike beacons that can be used in future follow-on attacks.

The attack was first discovered in August after victims received phishing emails containing malicious document attachments. One email claimed to be collecting personally identifiable information in order to decide if the victim was eligible for employment with a U.S. federal government contractor and to determine the enrollment status in the government’s life insurance program. The attached document was purportedly a U.S. Office of Personnel Management declaration with job details. Attackers used various other lures associated with this campaign, including one related to a job description for PSA plus, a trade union in New Zealand.

Once opened, the malicious Microsoft Word attachment contained an exploit that attempted to target a remote code execution flaw in Microsoft Office (CVE-2017-0199), which was disclosed and patched five years ago. The payload at the end of the attack chain was the Cobalt Strike beacon, a modular attack framework that is configurable based on attackers’ intentions. The beacon used in this campaign gave attackers the ability to set up a command-and-control (C2) server and execute arbitrary code in the target processes through process injection. Researchers also found a "high-reputation domain" that was defined in the beacon configuration’s HostHeader component, which they believe was used as a redirector tactic, a technique previously leveraged in Cobalt Strike campaigns to make the beacon traffic appear legitimate.

“Employing Cobalt Strike beacons in the attacks' infection chain allows the attackers to blend their malicious traffic with legitimate traffic and evade network detections,” said Chetan Raghuprasad and Vanja Svajcer, with Cisco Talos, in a Wednesday analysis. “Also, with its capabilities to configure commands in the beacon configuration, the attacker can perform various malicious operations such as injecting other malicious binary into the running processes of the infected machines and can avoid having a separate injection module implants in their infection chain.”

Researchers said that the threat actor in the campaign used highly modularized attack methodologies with multiple stages in the infection chain, and they described two attack chain variants. Both involved the attached malicious document containing an embedded URL hosted on an attacker-controlled Bitbucket repository. In the first, when a victim opened the document it downloaded a malicious DOTM file, which in turn executed multiple stages of malicious Visual Basic for Applications (VBA) scripts. These led to the execution of PowerShell scripts that were generated in the victim’s system memory, including an obfuscated downloader that deployed the Cobalt Strike DLL beacon. The second attack chain was similar, except that it additionally made use of a 64-bit executable downloader that executed a PowerShell command to download the Cobalt Strike DLL to the “userprofile local application” temporary directory with a spoofed .png extension.

“The attack stands out because the infection chain abuses legitimate source code repositories such as Bitbucket or Github to host additional malicious components,” said Svajcer. “The attackers have created a number of new user names which are then used to deploy the remote Word document template that eventually installs the payload.”

Svajcer said that the attacks are not widespread and researchers have identified only a small number of phishing emails associated with the campaign. He said that researchers assess with low confidence (based on the content of the document lures, in the absence of additional context) that targeted users may have interest in the business of the Department of Defense or a union with a relationship to the New Zealand government.

After tracking down the attacker’s Bitbucket account in VirusTotal, researchers found that the account was also used to host two other executables in addition to the malicious DOTM template and Cobalt Strike: The Redline information stealer and Amadey botnet. Cisco Talos researchers said that organizations should implement layered defense capabilities in order to block attacker attempts in the earlier stage of the attack's infection chain.

“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory,” said Raghuprasad and Svajcer. “Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect them against fileless threats.”

Node.js Update Fixes High Severity Flaws | dennis@decipher.sc (Dennis Fisher) | https://duo.com/decipher/node-js-update-fixes-high-severity-flaws

A new security update for the Node.js JavaScript framework fixes several vulnerabilities, including a pair of HTTP request smuggling flaws and an updated patch for a DNS rebinding bug that was not fixed completely in a previous release.

The DNS rebinding vulnerability only affects macOS devices and was disclosed originally in July. However, the fix for the vulnerability only addressed part of the issue, so the Node.js maintainers released an updated fix for it.

“The fix for CVE-2022-32212, covered the cases for routable IP addresses, however, there exists a specific behavior on macOS devices when handling the URL that allows an attacker-controlled DNS server to bypass the DNS rebinding protection by resolving hosts in the .local domain,” the September advisory says.

“An attacker-controlled DNS server can resolve .local to any arbitrary IP address, and consequently cause the victim's browser to load arbitrary content at […]. This allows the attacker to bypass the DNS rebinding protection.”

The bug affects all versions of 18.x, 16.x, and 14.x of Node.js.

One of the HTTP request smuggling bugs (CVE-2022-32215) is also an update to address an incomplete fix. The other (CVE-2022-35256) is a newly discovered bug that involves the way that Node.js handles headers in some cases.

“This vulnerability relates to the handling of header fields immediately preceding a header such as Transfer-Encoding. When the preceding header is not properly terminated with a CRLF - and when the value is empty - node will accept the Transfer-Encoding header (or most other headers such as Content-Length). This malformed request should be rejected by the HTTP server. If it is not rejected, it may be used for HTTP request smuggling,” an analysis by Octavia Johnston of Prelude, which discovered the bug, says.

This flaw also affects all of the 18.x, 16.x, and 14.x releases.
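The condition in the Prelude write-up (an empty-value header field that is not terminated by CRLF, immediately before Transfer-Encoding) is exactly what a strict front-end parser should refuse. The following is an added example, not Node.js or Prelude code: a minimal HTTP/1.1 request-head validator that rejects bare CR or LF terminators and, going a step beyond the text, the conflicting framing headers that request smuggling generally relies on. The sample requests are constructed to match the described shape.

```python
"""Strict HTTP/1.1 request-head validator (added example, not Node.js code).

Mirrors the condition in the CVE-2022-35256 write-up: a header field with an
empty value that is not terminated by CRLF before a Transfer-Encoding field.
A front-end that refuses such requests cannot be desynchronised by them.
Sample requests below are constructed for this example.
"""
import re
from dataclasses import dataclass

CRLF = b"\r\n"
# RFC 9110 token characters allowed in a header field name.
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class MalformedRequest(ValueError):
    """Raised for any request head a strict parser must refuse."""


@dataclass
class RequestHead:
    method: str
    target: str
    version: str
    headers: list  # (lower-cased name, value) tuples in wire order


def parse_request_head(raw: bytes) -> RequestHead:
    """Parse the request line and headers, refusing anything ambiguous."""
    head, sep, _body = raw.partition(CRLF + CRLF)
    if not sep:
        raise MalformedRequest("header block not terminated by an empty CRLF line")

    lines = head.split(CRLF)
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.1", b"HTTP/1.0"):
        raise MalformedRequest("bad request line: %r" % lines[0])

    headers = []
    for line in lines[1:]:
        # After splitting on CRLF, any CR or LF left inside a line means a
        # field was ended with a bare CR or bare LF: the shape the advisory
        # describes. Refuse it rather than guess where the field ends.
        if b"\r" in line or b"\n" in line:
            raise MalformedRequest("bare CR/LF inside header field: %r" % line)
        if line[:1] in (b" ", b"\t"):
            raise MalformedRequest("obsolete line folding is not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN_RE.match(name):
            raise MalformedRequest("invalid header field: %r" % line)
        # An empty value by itself is legal; only the missing CRLF is not.
        headers.append((name.decode("ascii").lower(),
                        value.strip(b" \t").decode("latin-1")))

    # Classic smuggling preconditions: conflicting or ambiguous framing.
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        raise MalformedRequest("Transfer-Encoding and Content-Length both present")
    if any(not v.isdigit() for v in cl) or len(set(cl)) > 1:
        raise MalformedRequest("invalid or conflicting Content-Length values")

    return RequestHead(parts[0].decode("ascii"), parts[1].decode("ascii"),
                       parts[2].decode("ascii"), headers)


def classify(raw: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a raw request."""
    try:
        parse_request_head(raw)
        return "accepted"
    except MalformedRequest as exc:
        return "rejected: %s" % exc


# Constructed samples. X-Empty has an empty value in the first three; only
# the first terminates it with CRLF as HTTP/1.1 requires.
WELL_FORMED = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"X-Empty:\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
BARE_CR = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           b"X-Empty:\rTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
BARE_LF = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           b"X-Empty:\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
TE_AND_CL = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, sample in [("well-formed", WELL_FORMED), ("bare CR", BARE_CR),
                          ("bare LF", BARE_LF), ("TE+CL", TE_AND_CL)]:
        print("%-12s %s" % (label, classify(sample)))
```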

The Node.js updates also include a fix for an issue in the way that the framework sources entropy for key generation.

“Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail,” the advisory says.

Users should upgrade to versions 14.20.1, 16.17.1, or 18.9.1 to protect against these bugs.

Watchdog Report Highlights Nuclear Agency’s Security Shortcomings | lindsey@decipher.sc (Lindsey O’Donnell-Welch) | https://duo.com/decipher/watchdog-report-highlights-nuclear-agency-s-security-shortcomings

A watchdog report has detailed several cybersecurity weak points afflicting the National Nuclear Security Administration (NNSA), including a lack of consistently enforced risk management practices in the agency’s operational technology (OT) environment and lax oversight of subcontractor cybersecurity policies.

The NNSA, a semi-autonomous agency within the Department of Energy, is in charge of the safety and security of the U.S. nuclear weapons reserve. Cybersecurity has previously been an issue for the NNSA; the agency was targeted in 2005, for instance, by hackers who exfiltrated a file with the names and social security numbers of 1,502 NNSA employees. Since then, IT systems have become further integrated into the agency’s equipment for designing nuclear weapons and automating manufacturing processes, making cybersecurity an even more significant priority for the NNSA.

After a Senate committee report in 2020 charged the Government Accountability Office (GAO) with reviewing the agency’s cybersecurity policies, the GAO found that the NNSA’s “foundational risk management practices” are not complete or consistent, particularly across its OT and contractor environments. These practices include the identification of risk management roles and responsibilities, the establishment of an organization-wide risk management strategy, the continual assessment of security risks, the designation of controls available for information systems and the development of a strategy for continually monitoring risks across the entity.

“The OT environment is vast and highly complex, encompassing hundreds of thousands of systems potentially at risk,” according to the GAO report released on Friday. “However, NNSA’s [Operational Technology Assurance] initiative is still in its inception phase after 3 years and is proceeding at a pace out of sync with the potential scope and severity of the cybersecurity risk present in this environment.”

Operational Technology Security 'Weaknesses'

While the NNSA has fully implemented most of these foundational risk management practices in the traditional IT environment, the GAO raised concerns that the agency has lagged in implementing those same practices for its OT devices. The agency has not identified the resources necessary to achieve full implementation, and it is managing its OT security with a risk management program developed for traditional IT, according to GAO. OT devices differ drastically from IT devices, and that affects how, and to what degree, they are secured. For instance, OT devices need to be managed by control engineers, as opposed to IT teams, and may lack features such as error logging or password protection that are present in IT systems.

“Consequently, OT systems may require different approaches when selecting and implementing cybersecurity safeguards or compensating controls for their unique circumstances, such as network segmentation,” according to GAO. “NNSA officials acknowledged that there are weaknesses in managing OT under a cybersecurity program developed to address traditional IT risks.”

In 2018, the NNSA launched an initiative called Operational Technology Assurance (OTA) in order to better implement these types of policies in the OT environment. As part of that initiative, the agency has taken some steps toward securing OT devices, such as attempting to identify the highest-priority mission-impact OT function at each NNSA site. However, the OTA program's rollout has taken years, the GAO said.

“Notwithstanding these efforts, NNSA officials told us that they did not have an overall plan or roadmap to guide its future actions on OT cybersecurity—including efforts to provide guidance and expectations to contractors operating the sites—and to ensure that those actions will be consistent with the foundational risk management practices,” according to GAO.

Lax Contractor Cybersecurity Oversight

The GAO report also found gaping holes in how cybersecurity measures are enforced and assessed for the contractors that manage and operate the NNSA's nuclear security enterprise sites.

NNSA, which has over 50,000 federal and contract employees at labs, plants, and sites nationwide, requires contractors to document how their subcontractors are complying with security standards through its Baseline Cybersecurity Program, which is incorporated into NNSA contracts. However, contractors’ efforts to provide this type of oversight are mixed, and three of seven contractors do not believe it is a contractual responsibility, according to GAO.

“Representatives from each of the M&O [management and operating] contractors told us that they complied with the requirement by including cybersecurity provisions in their subcontracts,” according to the GAO report. “However, through interviews and written responses from representatives of each of the seven M&O contractors, we found that once a subcontract was awarded, M&O contractors’ monitoring of such measures was inconsistent among the sites.”

Another challenge inherent in the Baseline Cybersecurity Program is that the onus for cybersecurity oversight falls on the contractors, and no further supervision from the NNSA exists. The GAO said that while an NNSA official had proposed adding an evaluation of such oversight to its annual contractor performance evaluation process, there was no evidence that the NNSA had applied this measure.

“In light of the increasing threat to systems with federal information, NNSA needs to have greater assurance that contractors and subcontractors are implementing a standardized cybersecurity framework,” according to the GAO report. “These oversight gaps, at both the contractor and NNSA level, leave NNSA with little assurance that sensitive information held by subcontractors is effectively protected.”

Moving Forward

The GAO made sweeping recommendations for the NNSA to improve its cybersecurity measures, including advocating that site contractors develop and maintain cybersecurity continuous monitoring strategies and a risk management strategy that incorporates NIST guidance and that is reviewed annually. Contractors also need more transparent communication that they are required to monitor subcontractor security measures, and a better process should be in place for evaluating the contractor oversight of these subcontractor security measures as part of the performance evaluation process, according to the GAO.

Additionally, the GAO recommended that the Office of Information Management identify the resources needed to implement foundational practices for the OT environment, including the development of an OT “business case” to be made across the NNSA planning, programming, budgeting and evaluation processes. According to GAO, NNSA agreed with the recommendations and has started to develop planned actions to address them.

“The Department of Energy’s National Nuclear Security Administration recognizes the importance of cybersecurity, including nuclear weapon cybersecurity and for the associated equipment used for production and testing,” according to Jill Hruby, NNSA administrator, in a September statement provided to the GAO. “As noted in the report, DOE/NNSA has taken positive steps to address the ever-growing digital threat to our programs.”

CISA: Critical Zoho ManageEngine Flaw Actively Exploited, by Lindsey O’Donnell-Welch (lindsey@decipher.sc), https://duo.com/decipher/cisa-critical-zoho-manageengine-flaw-actively-exploited

A previously patched, critical vulnerability in Zoho ManageEngine, which offers enterprise IT management software, is now being exploited, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The unauthenticated remote code execution bug (CVE-2022-35405) exists in several Zoho ManageEngine tools for managing privileged accounts and their access. Specifically, ManageEngine Password Manager Pro before 12101 and PAM360 (ManageEngine’s privileged access management program) before 5510 are vulnerable (ManageEngine Access Manager Plus before 4303 is also affected but an attacker would need previous authentication).

“CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation,” according to CISA’s Thursday alert. “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.”

Zoho fixed the flaw in June by removing the vulnerable components from PAM360 and Access Manager Plus, as well as removing the vulnerable parser from Password Manager Pro. However, a proof-of-concept (POC) exploit for the flaw is available, and customers are strongly recommended "to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus immediately,” according to Zoho's advisory.

CISA did not provide further details about how the flaw is being exploited and how widespread exploitation efforts are. Bob Rudis, VP of data science with GreyNoise, said GreyNoise started seeing exploitation attempts for CVE-2022-35405 on Sept. 7, "but has not seen widespread exploitation attempts since those initial ones."

The ManageEngine platform has previously been a popular attack vector for threat groups, with APT groups in December targeting a months-old remote code execution vulnerability in ManageEngine ServiceDesk Plus in order to upload malicious files, drop webshells and other malicious activities. In November, the U.S. government also warned that APT actors were using several different tools in attacks exploiting an authentication bypass flaw in the Zoho ManageEngine ADSelfService Plus password management application.

Per CISA’s previously issued binding operational directive (BOD 22-01), federal agencies have until Oct. 13 to fix the bug now that it is listed in the Known Exploited Vulnerabilities catalog.

However, “although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice,” according to CISA.

Decipher Podcast: Source Code 9/23, by Lindsey O’Donnell-Welch (lindsey@decipher.sc), https://duo.com/decipher/decipher-podcast-source-code-9-23

The NSA is Here to Help, by Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/the-nsa-is-here-to-help

PHOENIX–The National Security Agency does not spend much time showing its work publicly. Indeed, the agency’s work depends on most people not knowing what’s going on inside Fort Meade. But recently, NSA has stepped up its efforts to work with cybersecurity analysts and researchers in the private sector, hoping to gain insights from outside practitioners while also lending context to the discoveries and research private companies produce.

The centerpiece of that effort is the NSA’s Cybersecurity Collaboration Center, a new group created about two years ago with the mission of building lasting, productive relationships with private sector partners that help defenders on both sides of the fence react more quickly and efficiently. The CCC is not meant to be another in the endless list of public-private partnerships or information-sharing silos that the federal government has created over the years. Instead, it is meant as a two-way street, with NSA giving as well as taking.

“We only know one part of the picture. The intelligence community has to be in that conversation. We need to bring our data and understanding of what’s happening to get ahead of it,” Morgan Adamski, director of the CCC, said during a keynote at the LabsCon conference here Thursday.

“Operational collaboration is a conversation between us government defenders and you, sharing unique and timely info with context.”

That last word is the real crux of the effort. NSA and its partners in the signals intelligence community collect massive amounts of information on a daily basis and have insights into networks and environments that private organizations don’t. That gives the agency the ability to add context and color to discoveries that other organizations make, creating a more complete picture of a given threat or attacker’s activities. In the past, NSA and other government agencies typically have shared very limited information on attacks or vulnerabilities, and usually on a case-by-case basis. Adamski wants to change that.

“We were only helping one company at a time. Ninety percent of the time, when we share technical indicators, people already know them. What we were missing is real time sharing with context and actionable unique information. The intelligence community had to come to the table,” she said.

To underscore the spirit of cooperation and openness, the CCC itself is physically located outside the fence line on NSA’s Maryland campus and Adamski said much of the work the group does with outside partners is done on an unclassified level. The goal is to build a level of trust with the private sector that has not always been there in the past.

“We have to make sure we care about the same things. We need trust. If you don’t trust me with your data, things can break down pretty quickly,” she said.

Though the CCC is meant to share information with outside organizations and help defenders protect their networks, the NSA is benefiting as well.

“We’re learning a ton back about things we didn’t know. We’re moving faster. Attribution is coming faster because everyone is feeding data into one place and we’re building a more complete picture,” Adamski said.

One recent example of that is the advisory that CISA published in April 2021 warning that state-sponsored attackers from China were targeting users of the Pulse Connect Secure VPN, including federal government employees. Adamski said NSA became aware of the attacks when a partner in the private sector alerted the agency, which then set off NSA’s own investigation.

“We saw significant targeting of VPN users after the shift to remote work. We were able to take the information from our partner and add context and color and put out the advisory,” she said.

New Metador APT Discovered Targeting ISPs, Telcos, by Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/new-metador-apt-discovered-targeting-isps-telcos

PHOENIX–Researchers have identified a previously unknown, high-end attack group that has compromised telcos, universities, ISPs, and other organizations across the Middle East and Africa using custom malware platforms and tools that have been in play for many years. It’s not clear yet where the group originates from, or whether it is affiliated with a government or is a private actor.

The group has been operating for some time, but researchers at SentinelLabs only recently discovered its activities while investigating a series of intrusions at one organization. That organization had been compromised by several separate APT groups, including Chinese and Iranian teams, and researchers discovered that a new actor, known as Metador, was also in the environment and had deployed several custom pieces of malware, including Linux implants. The new threat group is highly skilled, has shown the ability to evade security tools, and uses unique infrastructure for different victims. Metador is mainly focused on cyber espionage, and SentinelLabs researchers say it’s possible the actor is a high-level contractor rather than an intelligence agency or other state entity.

“Metador is notable precisely in their pragmatic combination of rudimentary techniques (e.g. LOLbins) with carefully executed advanced techniques (like per victim infrastructure segmentation, port knocking, and inscrutable custom anti-analysis techniques). Their operations are massively successful precisely in that they’ve eluded victims, defenders, and threat intel researchers until now despite maintaining these malware platforms for some time,” said Juan Andres Guerrero-Saade, senior director of SentinelLabs at SentinelOne.

“At this time, there’s no clear sense of attribution. Traces point to multiple developers and operators that speak both English and Spanish, alongside varied cultural references. We encountered multiple languages, with diverse idiosyncrasies indicative of multiple developers. There are indications of a separation between developers and operators. And despite a lack of samples, the version history for at least one of the platforms suggests a history of development that extends far beyond the intrusions we’ve uncovered.”

Guerrero-Saade unveiled the new research into Metador at the LabsCon conference here Thursday.

The two main pieces of malware that SentinelLabs discovered on Windows machines are called metaMain and Mafalda, and they both operate only in memory. Metador maintains very tight operational security and uses a single IP address and build for each victim. Guerrero-Saade said the actor is well aware of common Windows security tools and has shown the ability to adapt quickly when new tools are deployed on a compromised system. The researchers were not able to determine the initial infection vector for any of the machines that Metador compromised.

“Once on the target, the Metador operators can choose between multiple execution flows to load one or more of their modular frameworks. For example, the execution flow used on our Magnet of Threats combines a WMI persistence mechanism with an unusual LOLbin in order to kick off the decryption of a multi-mode implant we named ‘metaMain’ directly into memory,” Guerrero-Saade said.

“Even though metaMain is a fairly feature-rich backdoor, in this case the Metador operators used the metaMain implant to decrypt a subsequent modular framework called ‘Mafalda’ into memory. Mafalda is a flexible interactive implant, supporting over 60 commands.”

Mafalda looks to be a key part of Metador’s arsenal, and the actor takes great care to protect it and prevent it from being detected by security tools. The backdoor implant has gone through many versions, and Guerrero-Saade said the actor is still actively developing and maintaining Mafalda. The researchers saw indications of some other Metador implants, as well, but were not able to find the malware variants themselves. One of those implants is called Cryshell, and the other is an unnamed Linux-based tool.

The Metador actors host their command-and-control servers at a Dutch hosting provider. “Being a highly OPSEC aware actor, Metador manages their infrastructure rather carefully. Throughout the analysis of Metador infrastructure, much like its implants, we found no obvious overlaps with previously reported actors,” Guerrero-Saade said.

“In all Metador intrusions we’ve observed so far, the operators use a single external IP address per victim network at a time. That IP is utilized for command-and-control over either HTTP (metaMain, Mafalda) or raw TCP (Mafalda).”

The earliest timestamp in a metaMain sample that the SentinelLabs researchers discovered was Dec. 29, 2020. Guerrero-Saade said that although there are no concrete indications of who Metador is, the actor is clearly well-resourced and skilled.

“The limited number of intrusions and long-term access to targets suggests that the threat actor's primary motive is espionage. Moreover, the technical complexity of the malware utilized and its continuous active development suggests a well-resourced group, not only in a position to acquire multiple frameworks but also maintain and develop them further. Internal comments support that claim, as the developers provide guidance for a separate group of operators,” he said.

Metador so far has only been seen on a small number of victim networks, most of which are ISPs, telecom companies, or universities, all of which are common targets for APTs.

Attackers Deploying Noberus Ransomware Update Tactics, by Lindsey O’Donnell-Welch (lindsey@decipher.sc), https://duo.com/decipher/attackers-deploying-noberus-ransomware-update-tactics

The prolific ransomware known as Noberus, BlackCat or ALPHV has undergone a major update, and researchers warn that attackers using the ransomware have also been spotted evolving their tactics by leveraging a new version of the Exmatter data exfiltration tool as well as an information stealer called Eamfo as part of their attack chain.

Noberus, which is coded in Rust and was first seen in November 2021, was developed by a group identified by Symantec as Coreid (also tracked as FIN7 or Carbon Spider). Since then, the ransomware has emerged in attacks across multiple countries, including the U.S., Australia and India, with the FBI saying the ransomware had compromised at least 60 entities as of March. Of note, Coreid runs a ransomware-as-a-service program, meaning that Noberus is distributed by various affiliates, which can sometimes explain the different TTPs and attack chains associated with the ransomware.

“There’s no doubt that Coreid is one of the most dangerous and active ransomware developers operating at the moment,” said researchers with the Symantec threat hunter team in a Thursday analysis. “Its continuous development of its ransomware and its affiliate programs indicates that this sophisticated and well-resourced attacker has little intention of going anywhere anytime soon.”

In June, Coreid made sweeping updates to Noberus by including an ARM build for the encryption of non-standard architectures and introducing additional encryption functionality to the Windows build (via rebooting into safe mode). Several updates were also made to the locker component of the ransomware, including the addition of new restart logic and a change that simplifies the Linux encryption process. The threat actors also began indexing stolen data on their data leaks website, meaning that leaks can be searched for by keyword, file type and more.

In August, researchers observed attackers starting to use an updated version of the known Exmatter data exfiltration tool alongside Noberus in ransomware attacks. This malware, initially seen in November 2021 being used alongside the Blackmatter ransomware, is designed to steal files from targeted directories. The newest Exmatter version reduced the number of file types it aims to exfiltrate. It also has added several new functionalities, including the capabilities to build a report listing all processed files, to corrupt processed files, and to self-destruct if executed in a non-corporate environment.

“In addition to this, the malware was extensively rewritten, and even existing features were implemented differently,” said Symantec researchers. “This was possibly a bid to avoid detection. Whether Exmatter is the creation of Coreid or a skilled affiliate of the group is not clear, but its use alongside two different iterations of Coreid’s ransomware is notable.”

Researchers said that at least one Noberus affiliate was observed in late August using information-stealing malware called Eamfo that is designed to steal credentials stored by Veeam backup software, which can store credentials for systems ranging from domain controllers to cloud services. Eamfo has been around since at least August 2021, and researchers said there is evidence that it was previously used by attackers alongside Yanluowang and LockBit ransomware attacks.

“Stealing credentials from Veeam is a known attack technique that can facilitate privilege escalation and lateral movement, providing the attackers with access to more data they can potentially exfiltrate and more machines to encrypt,” said Symantec researchers.

Government Makes Headway in Executing Cybersecurity Commission’s Recommendations, by Lindsey O’Donnell-Welch (lindsey@decipher.sc), https://duo.com/decipher/cyberspace-solarium-commission-significant-improvement-in-government-security-strategy

Since the Cyber Solarium Commission (CSC) first released its watershed recommendations for the government to overhaul its cybersecurity strategy in 2020, more than half (60 percent) of these recommendations have now been fully implemented or are nearing implementation, according to a new progress report released this week.

The annual implementation report points to significant developments made by the U.S. government as it overhauls the procedures and resources needed to tackle ongoing cybersecurity challenges. In a Wednesday briefing, Sen. Angus King (I-Maine), co-chair of CSC 2.0 (a project charged with continuing the work of the CSC), said he felt the government had certainly made progress over the past five years, pointing beyond the implementation of recommendations to a “much higher level of understanding of how urgent this problem is in Congress.”

“I do think we’re better off on a number of levels, in part because of the implementation of a number of these recommendations; for example the creation of the National Cyber Director, the development of a national cyber strategy… the development of a Bureau of Cyber in the Department of State, so a lot of progress,” said King during the event, “Assessing America’s Cyber Resiliency,” hosted by CSC 2.0 and the Foundation for Defense of Democracies (FDD).

The U.S. Cyberspace Solarium Commission (CSC) was created by Congress in the 2019 National Defense Authorization Act to make recommendations for how the U.S. should approach its cybersecurity strategy. While Congress had directed the CSC to be sunset at the end of 2021, the commissioners continued the work under the CSC 2.0 project in order to continually monitor and assess the implementation of the different recommendations.

In an original report in March 2020, the commission made 82 recommendations for the government, which revolved around reforming the government’s structure and organization as it relates to its cybersecurity strategy, operationalizing federal collaboration with the private sector and more. Almost 60 percent of these recommendations are now fully implemented or nearing implementation, and more than 25 percent are on track to implementation, according to the Wednesday report.

The annual report referred to several significant changes made at the government level for cybersecurity, including critical legislation - like the Cyber Incident Reporting Act - becoming law. The level of funding for government cybersecurity efforts has also increased, especially for the Cybersecurity and Infrastructure Security Agency (CISA), with funding climbing 25 percent in Fiscal Year 2022.

Another win was the creation of the National Cyber Director (NCD) position to spearhead the charge on coordinating security efforts and strategy across government agencies. King said there will still be tensions around who is in charge of what when it comes to cybersecurity across different agencies, but director Chris Inglis has built key relationships with CISA and other agencies and has taken several measures to tackle challenges in the cyber workforce.

“The best sign of success was the fact that the president gave Chris [Inglis] the pen on writing the new cyber strategy, which will be done in a matter of weeks or months,” said King. “It wasn’t easy to get the White House to accept this new position, but it happened. That’s an indication that this office is having an impact.”

While many recommendations are listed as being "on track," some have faced roadblocks in their implementation. One recommendation that King said remains “unfinished business” is the codification of a proposal for “Systemically Important Critical Infrastructure,” which would help identify U.S. critical systems, give them special federal government security support and increase the responsibility needed for additional security requirements. However, the proposal has been met with private sector pushback, particularly from the software and banking industries, with organizations in these sectors saying they are already awash in regulation.

“We’re trying to strike that balance between the federal government saying ‘hey, private sector we need everyone in the C-Suite to understand why cyber is important, but we also don’t want to get the regulatory framework wrong,’” said Rep. Mike Gallagher (R-Wis.), co-chair of CSC 2.0, on Wednesday.

Other hurdles have existed in progressing the Bureau of Cyber Statistics, a provision introduced as part of the Defense of United States Infrastructure Act that would establish an agency for collecting and analyzing data related to cyber incidents and cybercrime, and sharing that data with federal agencies, the private sector and the public.

While the 2020 report had 82 recommendations, that number has since increased to 116. King said that while progress has been made, incidents like the Colonial Pipeline hack serve as “periodic reminders” that work is far from over in the implementation and evaluation of recommendations for shaping the government’s security strategy.

“The reality is this is a problem that’s not going to go away and that will get worse,” said King. “There’s plenty left to do, and there’s always a danger of relaxing and saying we’ve done all these things.”

Decipher Podcast: Asheer Malhotra and Guilherme Venere, by Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/decipher-podcast-asheer-malhotra-and-guilherme-venere

Siemens Fixes Numerous Flaws in Wide Range of ICS Products, by Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/siemens-fixes-numerous-flaws-in-wide-range-of-ics-products

Siemens has released updates for a wide range of its industrial control products used in manufacturing and other settings that fix numerous security vulnerabilities, some of which can be used to run arbitrary code or gain administrator privileges.

The most serious issue, which allows remote code execution, affects the Siemens Parasolid and Simcenter Femap products. Both products are used for simulations and modeling in industrial settings. Parasolid allows users to model three-dimensional objects, and Simcenter Femap is a simulation app for complex systems. This issue is not a single vulnerability but a set of 20 separate file parsing bugs.

“Simcenter Femap and Parasolid are affected by multiple file parsing vulnerabilities that could be triggered when the application reads files in X_T file formats. If a user is tricked to open a malicious file with the affected applications, an attacker could leverage the vulnerability to perform remote code execution in the context of the current process,” the Siemens advisory says.

The vulnerabilities affect versions 33.1, 34.0, 34.1, and 35.0 of Parasolid, and versions 2022.1 and 2022.2 of Simcenter Femap.

Among the other vulnerabilities fixed by Siemens is an issue with the file permissions in the CoreShield One Way Gateway application, which is used to send information between network zones with different security levels.

“The default installation of the Windows version of the CoreShield One-Way Gateway (OWG) software sets insecure file permissions that could allow a local attacker to escalate privileges to local administrator,” the advisory says.

There are also several vulnerabilities fixed in SINEC Infrastructure Network Services, a web app that comprises a number of individual network components. Siemens released fixes for 14 vulnerabilities that affect the app, all of which are in third-party components used in SINEC INS.

Siemens also patched a denial-of-service bug in its RuggedCom ROS devices that can allow an attacker to consume all of the device’s resources by sending partial HTTP requests. This attack, first described by security researcher Robert Hansen several years ago, is known as Slowloris and can be quite effective.

“RUGGEDCOM ROS-based devices are vulnerable to a denial of service attack (Slowloris). By sending partial HTTP requests nonstop, with none completed, the affected web servers will be waiting for the completion of each request, occupying all available HTTP connections. The web server recovers by itself once the attack ends,” the Siemens advisory says.

The RuggedCom ROS software runs on switches and other network devices that are in difficult environments, including power substations.

Decipher Podcast: Hack-a-Sat 2022, by Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/decipher-podcast-hack-a-sat-2022

Decipher Podcast: Source Code 9/16, by Lindsey O’Donnell-Welch (lindsey@decipher.sc), https://duo.com/decipher/decipher-podcast-source-code-9-16

The Challenge of Securing Critical Operational Technology Systems at the Ground Level, by Lindsey O’Donnell-Welch (lindsey@decipher.sc), https://duo.com/decipher/the-challenge-of-securing-critical-operational-technology-systems-at-the-ground-level

Although a “shift in attitude” is happening around securing the operational technology (OT) that underpins critical infrastructure like manufacturing plants or utilities, the federal government is still working through challenges in targeting efforts toward smaller operators grappling with limited resources, and ensuring that the OT investments being made today have security built into them.

The Biden administration over the past year has spearheaded several initiatives that aim to better secure industrial control systems (ICS), including a National Security Memorandum passed last July, which directed the Cybersecurity and Infrastructure Security Agency (CISA) to work with the National Institute of Standards and Technology (NIST) to develop a number of security performance goals for critical infrastructure sectors. But at a Thursday hearing called “Building on our Baseline: Securing Industrial Control Systems Against Cyberattacks,” government officials discussed further security improvements needed at the ground level to secure critical infrastructure environments and the particularly complex challenge of building security into the design of OT systems.

“This is a topic that we, as lawmakers and Federal officials, don’t spend nearly enough time talking about, working on, or funding,” said Yvette Clarke (D-NY), chairwoman of the Cybersecurity, Infrastructure Protection and Innovation subcommittee. “We rely on industrial control systems and other operational technology, or OT, to make sure we have power in our houses, clean water to drink, and countless other functions and services essential to our health, safety, and livelihoods. Still, questions about how we secure these critical OT systems tend to take a backseat to traditional IT security.”

CISA has led many of the critical infrastructure security efforts at a federal level, in April expanding the Joint Cyber Defense Collaborative (JCDC) - an agency effort to develop cyber defense plans with both public and private sector entities - to focus on ICS security by bringing in new partners. The agency has also been working to finalize the performance goals required by the National Security Memorandum, according to CISA Executive Assistant Director for Cybersecurity Eric Goldstein during the hearing. These goals expand on the existing NIST Cybersecurity Framework, a standard for building and evaluating cybersecurity programs, by identifying significant IT and OT system controls “with known risk-reduction value that are broadly applicable across sectors,” he said.

Despite these efforts, Clarke and others reiterated a need previously emphasized by the Biden administration for further cooperation between federal agencies and critical infrastructure operators in order to better secure sectors like the electric grid, water, gas and more.

“I see these baseline standards as having real promise to reshape the OT security landscape – but they will only be as effective as CISA’s ability to engage and incorporate the feedback they are hearing from stakeholders,” stressed Clarke.

When asked how CISA is communicating with smaller organizations and utilities, Goldstein said CISA has expanded its regional offices to better partner with local critical infrastructure organizations and utilities, but acknowledged that currently “it’s asymmetric across sectors.”

“There are some sectors like the energy sector where there are a lot of electric co-ops or municipal utilities that are smaller,” said Goldstein. “I think CISA’s work in cooperation with the Energy Department has done an important job of understanding the risks and the controls. If we look across other sectors, for example the thousands upon thousands of small water utilities in this country, we have work to do to make sure we are identifying all possible means of communication and collaboration.”

While high-profile critical infrastructure attacks like the Colonial Pipeline hack have only recently occurred, security challenges in the OT space have long been discussed. OT devices are drastically different from IT devices, and that affects how - and to what degree - they are secured. While IT systems are actively managed, making routine patching of critical security flaws straightforward, OT devices perform critical functions whose downtime has a much greater impact, which adds a tangle of complexity to any update or replacement.

Vergle Gipson, senior advisor at the Idaho National Laboratory, said other design issues exist as well that make the security and management of OT devices more complicated. While the refresh cycle for IT infrastructure calls for devices to be upgraded every few years, for instance, OT is designed to last for decades and many devices were built at least 20 years ago, long before the need for strong cybersecurity defenses was being discussed. The education of those who are currently building and designing these systems is one vital opportunity for bolstering security, he said.

“This is a big opportunity for us in the U.S. - a lot of the existing infrastructure simply isn’t securable from a cyber viewpoint, and so as we are upgrading and replacing infrastructure, it’s the perfect time to make that infrastructure cyber secure and defendable, and the design stage is the right place to start,” said Gipson. “We need to find ways to educate those that are engineering and building systems and the components in those systems, that that work is done with cybersecurity in mind so they can be defended.”