by Gary Mintchell | Sep 4, 2024 | Automation, Security
Cybersecurity initiatives resemble the Whack-a-Mole game. As long as everything is connected, especially to outside environments, securing digital assets will be impossible.
Certainly companies formed to combat these threats are trying. Take this news from Tenable. It has added new risk prioritization and compliance features for Tenable Nessus. Nessus supports new and updated vulnerability scoring systems – Exploit Prediction Scoring System (EPSS) and Common Vulnerability Scoring System (CVSS) v4 – to help customers implement more effective prioritization for risk reduction and maintain compliance.
Due to evolving threats and expanding attack surfaces, organizations rely on multiple risk scoring systems, which are not effective risk qualifiers on their own to determine criticality. With Tenable Nessus, customers can take advantage of the latest industry-adopted vulnerability scoring systems – EPSS and CVSS v4 – and Tenable Vulnerability Priority Rating (VPR) to identify and take action on the vulnerabilities that pose the greatest risk specific to their environment. Leveraging an advanced data science algorithm developed by Tenable Research, Tenable VPR combines and analyzes Tenable proprietary vulnerability data, third-party vulnerability data and threat data to effectively and efficiently measure risk.
Key features in this release include:
- EPSS and CVSS v4 Support enables users to see and filter plugins by EPSS and CVSS v4 score, further informing prioritization strategy. This feature enables security teams to remain compliant with organizational policies that require the use of EPSS or CVSS as the primary scoring system.
- Nessus Offline Mode addresses challenges with conducting vulnerability scans offline in air-gapped environments. Building upon existing offline scanning capabilities, Nessus runs critical services only, removing unwanted traffic generated by functions that rely on an active internet connection, thereby ensuring the security of sensitive data within a secure environment.
- Declarative Agent Versioning On-Prem enables users to create and manage agent profiles in Nessus Manager for Tenable Security Center. Users can specify a product version for an agent deployed in an environment, thereby reducing disruptions in day-to-day operations and enabling users to adhere to enterprise change control policies.
by Gary Mintchell | Aug 28, 2024 | Automation, Security
Every day my news feed pushes information about cybersecurity attacks from nation-state actors around the globe. No wonder that fully half of the press releases coming my way are from cybersecurity protection suppliers. Many, if not most, attacks seem to be on industrial companies.
This news from Dragos regards the latest release of the Dragos Platform—focusing on OT network visibility and cybersecurity. The updates provide industrial and critical infrastructure organizations with deeper and enriched visibility into all assets in their OT environments, streamlined workflows for threat detection and vulnerability management that allow for efficient and effective response, and integration of Dragos WorldView intelligence and Neighborhood Keeper community intelligence on current and emerging threats.
Updates include new local collector and file ingestion capabilities that expand data collection options for increased flexibility; also included are new filtering capabilities that create asset inventory views to answer key visibility questions for IT security and operations alike. The evolved integration of the Platform with Dragos’s Neighborhood Keeper and WorldView threat intelligence streamlines vulnerability management, threat detection, and response workflows to meet emerging threats like FrostyGoop and PIPEDREAM malware; Unitronics vulnerabilities; and VOLTZITE, CyberAveng3rs, and CHERNOVITE threat groups targeting OT environments.
Highlights
- Expanded asset enrichment with project file and data import: The new file ingest feature allows for seamless import and enrichment of asset data from existing project files or other devices.
- New lightweight collector for enhanced monitoring: A containerized traffic forwarding solution, this collector operates on edge switches and routers to provide data collection for space-constrained locations deep within OT environments. It captures and processes critical data.
- Expanded environment support: Dragos sensors now support Hyper-V and ESXi environments.
- Advanced asset filtering features: The introduction of customizable filters allows users to efficiently manage and analyze asset data.
- Automated alerts with Neighborhood Keeper trusted insights: Context of newly discovered vulnerabilities or threat activity relevant to users’ environment can be pushed via Neighborhood Keeper to their Platform console from Dragos directly or from our Trusted Insight Partners, often before the vulnerabilities or threat activity are disclosed publicly.
- Added intelligence context with pivots to WorldView OT analysis: In-Platform pivots to WorldView intelligence analysis & reporting on specific vulnerabilities providing deep intelligence analysis to enable risk management (additional license required).
- Over 1,000 new threat detections, vulnerabilities and response playbooks added: The latest updates introduce over 1,000 new threat detections, addressing emerging threats such as CyberAveng3rs, FrostyGoop and other advanced threats.
by Gary Mintchell | Aug 26, 2024 | Automation, Security
New (to me) cybersecurity companies continue to spring up. They all try to inform industry leaders about specific areas of attack and vulnerability. This report comes from a study by Critical Start, which bills itself as “a leader in Managed Detection and Response (MDR) cybersecurity solutions and a pioneer in Managed Cyber Risk Reduction (MCRR).”
Its biannual Cyber Threat Intelligence Report, released Aug. 22, features the top threats observed in the first half of 2024 and emerging cybersecurity trends. The report also includes actionable insights to help organizations strengthen their security posture and proactively mitigate potential cyber risk.
Global cybercrime has shown no sign of decline and is expected to grow by 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015. To identify the most urgent cybersecurity threats of the first half of 2024, the Critical Start Cyber Research Unit (CRU) analyzed 3,438 high and critical alerts generated by 20 supported Endpoint Detection and Response (EDR) solutions, as well as 4,602 reports detailing ransomware and database leak activities across 24 industries in 126 countries.
Key findings include:
- Manufacturing and Industrial Products remains the top targeted industry by cyber threat actors in H1 2024, leading with 377 confirmed reports of ransomware and database leak hits in the first half of the year
- Professional Services saw an increase in reported database leaks and ransomware attacks, jumping by 15% compared to 2023 with 351 cases reported vs. 334. Legal services organizations, including courthouses, and supply chains have become prime targets due to the wealth of intellectual property and sensitive data they possess
- Healthcare & Life Sciences ransomware and database leak incidents surged by 180% in February 2024 compared to the same period in 2023, coinciding with the attack on Change Healthcare and other healthcare providers
- Engineering and Construction remained a consistent target for cyberattacks in the first half of both 2023 and 2024 with the United States bearing the brunt of cyberattacks in the first half of 2024, experiencing a staggering 46.15% increase compared to 2023
- Technology: Critical Start found a 12.75% decrease (from H1 2023) in database leaks and ransomware attacks targeting technology companies
“The first half of 2024 has painted a concerning picture of the ransomware threat landscape. We are continuing to observe a surge in ransomware and database leak activities,” said Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start. “With bad actors becoming more sophisticated, it is vital for organizations to have a strong security culture and strategy in place. Managed Detection and Response (MDR) solutions that integrate asset inventory, endpoint controls security coverage, and MITRE ATT&CK Mitigations help organizations proactively mitigate risk, leading to a reduced attack surface and a more resilient security infrastructure.”
The report also highlights trending concerns for businesses, including:
- Business Email Compromise (BEC) Attacks: Previously focused on large corporations, BEC scammers are now targeting smaller, less cybersecurity-conscious businesses
- Deepfakes and Social Engineering: Findings show a surge in deepfake attacks, with an exponential 3,000% increase in deepfake fraud attempts
- Abuse of Open-Source Repositories: Attackers are increasingly using these repositories to launch two main types of attacks: repo confusion attacks and supply chain attacks
by Gary Mintchell | Aug 21, 2024 | Automation, News, Security
Cybersecurity companies release periodic reports trying to alert people to recent threats and raise awareness. This report, Industrial Ransomware Analysis: Q2 2024, comes from Dragos and was written by Abdulrahman H. Alamri on the Dragos blog.
The report shows a resurgence in ransomware group activity after law enforcement crackdowns earlier this year, with the number of attacks almost doubling in Q2 (312 incidents) compared to Q1 (169 incidents). Major groups like ALPHV (BlackCat) and LockBit 3.0 have quickly adapted by intensifying attacks and disrupting industrial operations.
The industrial sector remains a primary target due to the nature of its operations and the potentially high impact of disruptions. Notable incidents include Frontier Communications, Clevo, Allied Telesis, Inc., and the Gijón Bio-Energy Plant. Dragos also notes the rebranding of Royal ransomware to BlackSuit and Knight ransomware to RansomHub, both of which have adopted advanced encryption and lateral movement techniques.
Key highlights from the report include:
- The manufacturing sector was the most affected, with 210 observed incidents, accounting for approximately 67 percent of all ransomware incidents
- Compared to the same time frame in 2023 (467 incidents in Q1/Q2 2023), there has been a slight increase
- The LockBit group was behind most attacks against industrial organizations, with approximately 21 percent (or 66 incidents) of observed ransomware events
- Out of 86 known ransomware groups targeting industrial organizations, 29 were active in Q2 2024, an increase from 22 active groups in Q1 2024
- Government-affiliated groups are adapting ransomware tactics, and hacktivists are increasingly using and developing their own ransomware tools, illustrating a convergence of ideological and financial motivations
Alamri concludes his report with this:
In the second quarter of 2024, ransomware groups demonstrated a significant capacity for adaptation, with some groups rebranding and others emerging with new tactics and techniques. This suggests that these groups will continue to refine their operations, leveraging sophisticated methods such as zero-day vulnerabilities to enhance their attacks.
As we move forward, Dragos assesses with moderate confidence that the ransomware threat landscape will continue to evolve, characterized by the introduction of new ransomware variants and increasing coordinated campaigns targeting industrial sectors. Despite significant law enforcement actions, the observed resilience and adaptability of ransomware groups indicate a likely continuation of this trend.
While Dragos did not identify any ransomware attacks directly targeting ICS/OT processes, the interconnected nature of IT and OT environments means that disruptions to IT systems can have significant downstream effects on OT operations. This interdependency suggests that ransomware groups may increasingly target OT networks to amplify the impact of their attacks, potentially compromising the safety and operational integrity of industrial organizations.
by Gary Mintchell | Aug 5, 2024 | Operations Management, Security
Without context, more data becomes as useful as counting stars on a clear night in the desert. Too much; can’t comprehend. Such is the state of cybersecurity.
Tenable has released a couple of new capabilities in its portfolio that draw on its understanding of its vast data to provide context to users seeking to find real vulnerabilities in their systems.
First up, two definitions that Tenable provided (and I hate shortened words):
- Vulnerability Intelligence: brings together a vast number of sources pulled from decades of vulnerability data collection to streamline analysis and help security teams quickly understand the important details
- Exposure Response: prioritizes vulns and exposures based on criticality, monitors remediation trends, tracks progress and communicates value to stakeholders in business terms
Tenable, the Exposure Management company, announced August 5 the release of Vulnerability Intelligence and Exposure Response, two powerful context-driven prioritization and response features available in Tenable Vulnerability Management and Tenable One, and accessible through Tenable Cloud Security. The combined power of these features contextualizes vulnerability data from internal and external sources, enabling organizations to close the exposures that pose the greatest risks to their businesses.
Those of us in process control have dealt with the problem of too many alarms demanding response, many of which are not critical. Tools that evaluate context have alleviated pain for a generation of operators. Tenable’s research reveals a similar lack of context driving problems in cybersecurity.
Cybersecurity teams are inundated with troves of fragmented vulnerability and threat intelligence data. The lack of contextualization hampers their ability to effectively prioritize remediation efforts. Tenable Research reveals that only 3% of vulnerabilities most frequently result in impactful exposure. In addition, traditional tools lack comprehensive reporting, making it difficult to track progress, identify areas where teams may need additional support and communicate status to stakeholders.
Hence these new capabilities, which allow customers to pinpoint these key vulnerabilities with rich context curated by Tenable Research, and close risky exposures.
“Without threat context and research insights, every vulnerability is a priority, creating a high-stress, low efficiency whack-a-mole scenario for security teams,” said Tenable’s Gavin Millard, VP of product management for Vulnerability Management. “Tenable is unleashing more than two decades of carefully curated exposure data to enable security teams to focus on the risk that matters most to their organization and communicate succinctly to stakeholders. The enriched intelligence and contextualization takes prioritization and response to a new level, providing security teams with the critical data needed to identify and reduce risk.”
Cybersecurity companies are also watching you—for a good reason.
In the last two decades, Tenable has collected and analyzed 50 trillion data points on more than 240,000 vulnerabilities, capturing detailed vulnerability information and deep context. This enriched database supercharges Tenable Vulnerability Intelligence, enabling efficient proactive defense. Backed by the expertise of Tenable Research, Vulnerability Intelligence integrates comprehensive vulnerability sources, streamlining data analysis and enabling security teams to quickly understand vulnerability details. With comprehensive, action-oriented workflows from Exposure Response, security teams can prioritize asset exposures based on criticality, monitor remediation trends against SLAs and track progress against desired outcomes. This helps them to ensure resources are used efficiently, reduces risk and communicates value to stakeholders in business terms.
Vulnerability Intelligence and Exposure Response are available to Tenable Vulnerability Management and Tenable One customers, empowering proactive security for the modern enterprise. Vulnerability Intelligence is also accessible directly from Tenable Cloud Security.
Key features include:
- Threat Landscape Overview: Seven curated exposure risk categories provide a unique way to proactively surface key exposures that warrant further review by highlighting CVEs under CISA known exploits, active exploitation, ransomware campaigns, emerging threats in the news and more.
- Natural Language and Advanced Search: An easy-to-use search function that enables security teams to search for specific vulnerabilities by CVE number or common name, review distilled knowledge available on a vulnerability and surface impacted assets quickly. A buildable advanced query enables security teams to zero in on high-impact vulnerabilities by identifying groups of vulnerabilities based on VPR key drivers, Common Vulnerability Scoring System (CVSS) metrics and Tenable Research metadata.
- Campaign-Based Initiatives: Targeted campaigns and business segments using an end-to-end workflow that streamlines prioritization and mitigation of critical vulnerabilities, ensuring efficient use of resources and improved security outcomes.
- Progress Tracking and Advanced Reporting: Advanced reporting capabilities provide clear accountability and visibility into remediation efforts and detailed reports on vulnerability trends, empowering data-driven decision-making and proactive security improvements, such as identifying bottlenecks, assisting with resource allocation and facilitating data-driven decisions.
by Gary Mintchell | Jul 24, 2024 | Automation, Security
A cybersecurity-in-action warning. In April 2024, FrostyGoop, an ICS malware, was discovered in a publicly available malware scanning repository. FrostyGoop can target devices communicating over Modbus TCP to manipulate control, modify parameters, and send unauthorized command messages. Modbus TCP is a commonly used protocol across all industrial sectors.
The Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine, shared details with Dragos about a cyber attack that impacted a municipal district energy company in Ukraine in January 2024. At the time of the attack, this facility fed over 600 apartment buildings, supplying customers with central heating. Remediation of the incident took almost two days, during which time the civilian population had to endure sub-zero temperatures. Dragos assessed that FrostyGoop and internet-exposed ICS devices facilitated this attack.
Telling manufacturers that their technology systems are vulnerable to attack happens so often as to be almost trite. Yet new vulnerabilities emerge with the regularity of a heartbeat. This attack, perpetrated through Modbus TCP, was detected in Ukraine.
This brief provides a strategic summary of information on this OT threat and attack as reported in Dragos WorldView threat intelligence, with clear guidance for OT asset owners and operators.
Information provided here is sourced from Dragos OT Cyber Threat Intelligence adversary hunters and analysts who conduct research on adversary operations and their tactics, techniques, and procedures (TTPs). Dragos OT cyber threat intelligence is fully reported in Dragos WorldView threat intelligence reports and is also compiled into the Dragos Platform for threat detection and vulnerability management.
Dragos discovered the FrostyGoop ICS Malware in April 2024. FrostyGoop is the ninth known ICS malware. This malware can interact directly with industrial control systems (ICS) in operational technology (OT) environments using the Modbus protocol, a standard ICS protocol used across all industrial sectors and organizations worldwide.
Additionally, the Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine (Служба безпеки України), shared details with Dragos about a disruptive cyber attack on a district energy company in Ukraine, which resulted in a two-day loss of heating to customers. The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions – taking almost two days to remediate the issues. Dragos assesses that FrostyGoop was likely used in this attack. An associated FrostyGoop configuration file contained the IP address of an ENCO control device, leading Dragos to assess with moderate confidence that FrostyGoop was used to target ENCO controllers through Modbus TCP port 502 open to the internet.
We want to express our gratitude to the Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine (Служба безпеки України), for its continued commitment to collaborative intelligence sharing and for allowing us to report on the disruptive OT incident impacting communities in Lviv, Ukraine.
Dragos leaves us with a summary of recommended guidance:
- Identify impacted assets. Access your Asset Inventory and search for ENCO control servers and devices communicating over Modbus.
- Look for potential malicious behavior. Review the FrostyGoop-specific dashboard to determine if related detections and IOCs have been triggered.
- Perform a retrospective search for potential malicious behavior across your SiteStore forensics for signs of past activity involving this malware.
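The first two guidance items above, inventorying devices that speak Modbus and looking for unauthorized command messages, can be approximated from network flow data without any vendor console. The following is an added example, not Dragos's code or the Dragos Platform: it parses Modbus/TCP frames (MBAP header plus PDU), builds an inventory of responding units, and alerts on write function codes sent from outside assumed plant address ranges or from hosts not on an assumed allowlist of engineering workstations. The plant ranges, the allowlist and the sample flows are all constructed for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (write commands).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers",
}
# Assumed plant address space (constructed); anything else counts as outside the site.
PLANT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class ModbusFrame:
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse the MBAP header (transaction id, protocol id, length, unit id) plus the PDU."""
    if len(payload) < 8:
        raise ValueError("short frame")
    _tid, pid, length, uid, fc = struct.unpack(">HHHBB", payload[:8])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The MBAP length field covers unit id + PDU, so it must equal total size minus 6.
    if length != len(payload) - 6:
        raise ValueError("length field mismatch")
    return ModbusFrame(uid, fc, payload[8:])

def audit_flows(flows, allowed_writers):
    """Return (inventory, alerts): Modbus assets seen, and writes from hosts that should not issue them."""
    inventory, alerts = set(), []
    for src, dst, dport, payload in flows:
        if dport != 502:  # only Modbus/TCP flows are of interest here
            continue
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed Modbus/TCP: {exc}"))
            continue
        inventory.add((dst, frame.unit_id))  # every addressed unit is an ICS asset to track
        if frame.function in WRITE_FUNCTIONS:
            name = WRITE_FUNCTIONS[frame.function]
            if not any(ipaddress.ip_address(src) in net for net in PLANT_NETS):
                alerts.append((src, dst, f"{name} from outside plant ranges"))
            elif src not in allowed_writers:
                alerts.append((src, dst, f"{name} from unapproved host"))
    return inventory, alerts

# Constructed sample flows (src, dst, dst port, TCP payload); not real captures.
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.5.100", 502, bytes.fromhex("00010000000601030000000A")),  # HMI reads 10 registers
    ("10.0.5.21", "10.0.5.100", 502, bytes.fromhex("000200000006010600100001")),  # approved register write
    ("203.0.113.45", "10.0.5.101", 502, bytes.fromhex("0003000000090210001000010200FF")),  # write from outside
    ("10.0.7.9", "10.0.5.100", 502, bytes.fromhex("00040000000601050001FF00")),  # coil write, unapproved host
    ("10.0.5.20", "10.0.5.100", 502, bytes.fromhex("000500010006010300000001")),  # wrong protocol id
    ("10.0.5.20", "10.0.5.100", 80, b"GET / HTTP/1.1\r\n"),  # not Modbus, ignored
]
ALLOWED_WRITERS = {"10.0.5.21"}  # assumed engineering workstation
```

Running `audit_flows(SAMPLE_FLOWS, ALLOWED_WRITERS)` yields two inventoried units and three alerts: the write from outside the plant ranges, the coil write from an unapproved internal host, and the frame with a non-Modbus protocol id.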