Reading view
CISA Conducts First AI Cyber Incident Response Exercise
The US cybersecurity agency CISA has conducted a tabletop exercise with the private sector focused on AI cyber incident response.
The post CISA Conducts First AI Cyber Incident Response Exercise appeared first on SecurityWeek.
CISA Warns of Phone Scammers Impersonating Its Employees
CISA Impersonation Scam
The spammers behind the campaign make phone calls to victims in which they claim to be contacting targets on behalf of CISA; they then ask victims to share personal information or money under the guise of protecting their accounts from unauthorized activity. Fraudsters may also direct victims to download additional software or click on links to "verify" their identity. However, CISA confirmed that it would never make such demands. "CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret," CISA warned. Possible red flags to watch out for:- Unsolicited phone calls that claim to be from CISA.
- Callers requesting personal information, such as passwords, social security numbers, or financial information.
- Callers demanding payment or transfer of money to "protect" your account.
- Callers creating a sense of urgency or pressuring you to take immediate action.
- Do not pay the caller.
- Take record of the numbers used.
- Hang up the phone immediately while ignoring further calls from suspicious numbers.
- Report the scam to CISA by calling (844) SAY-CISA (844-729-2472).
FTC Observes Uptick in Impersonation Scams
The CISA impersonation scam is a recent example of the rise in impersonation fraud targeting both businesses and government agencies. According to the latest data from the Federal Trade Commission (FTC), the number of such scams has increased dramatically in recent years, and cost consumers more than $1.1 billion in 2023 alone. The FTC report showed that in 2023, the agency received more than 330,000 reports of fraud posing as a business and almost 160,000 reports of fraud posing as a government. Collectively, these incidents account for almost half of all fraud cases reported directly to the FTC. "The financial injury is breath-taking – and cash-taking," the FTC quipped in its Spotlight. It further added, "Reported losses to impersonation scams topped $1.1 billion in 2023, more than three times what consumers reported in 2020." While fraudsters employ various types of scams, the FTC noted that the below types accounted for nearly half of the reported/observed scams in 2023:- Copycat account security alerts: Scams that pretend to impersonate legitimate services such as Amazon while purporting to be about unauthorized activity or charges to their account.
- Phony subscription renewals: Usually email notices that alert targets of auto-renew charges to various online services.
- Fake giveaways, discounts, or money to claim: Fake rewards or winnings that claim to originate from legitimate providers such as internet providers or large retailers.
- Bogus problems with the law: Scammers try to deceive targets into believing that their identity had been used to commit heinous crimes such as money laundering or the smuggling of drugs.
- Made-up package delivery problems: Messages that alert you of fake delivery problems with legitimate delivery services such as the U.S. Postal Service, UPS, or FedEx.
NIST Hires External Contractor to Help Tackle National Vulnerability Database Backlog
Clearing the National Vulnerability Database Backlog
NIST is responsible for managing entries in the NVD. After being overwhelmed with the volume of entries amid a growing backlog of CVEs that have accumulated since February, the institute has awarded an external party with a contract to aid in its processing efforts. "We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months," the agency stated. To further alleviate the backlog, the NIST is also working closely with CISA, the Cybersecurity and Infrastructure Security Agency, to improve its overall operations and processes. "We anticipate that this backlog will be cleared by the end of the fiscal year," the NIST stated. In its status update, NIST referenced an earlier statement the agency made that it was exploring various means to address the increasing volume of vulnerabilities through the use of modernized technology and improvements to its processes. [caption id="attachment_73938" align="alignnone" width="2332"] Source: NIST NVD Status Updates[/caption] "Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance," the institute said. NIST reaffirmed its commitment to maintaining and modernizing the NVD, stating, "NIST is fully committed to preserving and updating this vital national resource, which is crucial for building trust in information technology and fostering innovation."CISA's 'Vulnrichment' Initiative
In response to the growing NVD backlog at NIST, CISA had launched its own initiative called "Vulnrichment" to help enrich the public CVE records. CISA's Vulnrichment project is designed to complement the work of the originating CNA (Common Vulnerabilities and Exposures Numbering Authority) and reduce the burden on NIST's analysts. CISA said it would use an SSVC decision tree model to categorize vulnerabilities. The agency will consider factors like exploitation status, technical impact, impact on mission-essential functions, public well-being, and whether the exploitation is automatable. CISA welcomes feedback from the IT cybersecurity community on this effort. By providing enriched CVE data, CISA aims to improve the overall quality and usefulness of the NVD for cybersecurity professionals. "For those CVEs that do not already have these fields populated by the originating CNA, CISA will populate the associated ADP container with those values when there is enough supporting evidence to do so," the agency explained. As NIST and CISA work to address the current challenges, they have pledged to keep the community informed of their progress as well as on future modernization plans. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.CISA Says 4-Year-Old Apache Flink Vulnerability Still Under Active Exploitation
Researchers Observed Active Exploitation of Apache Flink Vulnerability
CISA describes vulnerabilities such as the Apache Flink Vulnerability which have been added to its Known Exploited Vulnerabilities catalog as "frequent attack vectors for malicious cyber actors" and as posing significant risks to the federal enterprise. The catalog serves as a critical resource for identifying and mitigating vulnerabilities actively in use. CVE-2020-17519 is a critical vulnerability in Apache Flink, an open-source framework for stream-processing and batch-processing. The flaw arises from improper access control in versions 1.11.0, 1.11.1, and 1.11.2 of the framework, potentially enabling remote attackers to access files specific to the local JobManager filesystem through the use of specially crafted directory traversal requests, leading to unauthorized access. While precise details of ongoing campaigns exploiting the Apache Flink Vulnerability remain unclear, the bug has existed for at least four years and has been acknowledged by a project maintainer. The project Apache Flink thread states:A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process.The discovery of the vulnerability was credited to "0rich1" from Ant Security FG Lab, with working exploit code of the vulnerability available on the public web. In the same year, researchers from Palo Alto Networks had observed the vulnerability among the most commonly exploited vulnerabilities during the Winter 2020 period using information collected between November 2020 and January 2021.
Mitigation Measures and Binding Directives
The Apache Software Foundation addressed this issue in January 2021 with the release of Flink versions 1.11.3 and 1.12.0 to the master branch of the project. Users running affected versions are strongly urged to upgrade to these versions to secure their systems. CISA has mandated federal agencies to apply necessary patches by June 13, 2024. This directive operates under the Binding Operational Directive (BOD) which requires Federal Civilian Executive Branch (FCEB) agencies to implement fixes for listings in the Known Exploited Vulnerabilities Catalog to protect agency networks against active threats. Although the directive only applies to FCEB agencies, CISA has urged all organizations to reduce their exposure to cyberattacks through applying the mitigations in the catalog as per vendor instructions or to discontinue the use of affected products if mitigations are unavailable. In 2022, a critical vulnerability discovered in Apache Commons Text potentially granted threat actors access to remote servers. While fixes were soon released for both vulnerabilities, these incidents highlight the importance of timely updates and patches for vulnerabilities present in widely deployed open-source projects, frameworks and components. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Rockwell Automation Urged Customers to Keep ICS Away from the Internet
The company advised customers to disconnect devices not specifically meant to face the public internet such as its cloud and edge offerings. Air gapping ICS systems from the public-facing internet can significantly reduce the attack surface of the organizations and protect their critical infrastructure from cyber threats, an advisory from the company suggested.
Rockwell Automation is a major provider of ICS products that has been in business for nearly a decade. Headquartered in Milwaukee, Wisconsin the industrial automation giant provides services for Architecture and Software segments meant for controlling the customer's industrial processes as well as Industrial Control Product Solution segments such as intelligent motor control, industrial control products, application expertise, and project management capabilities. "Due to heightened geopolitical tensions and increased adversarial cyber activity globally, Rockwell Automation is issuing this notice urging all customers to take immediate action to assess whether they have devices facing the public internet and, if so, to urgently remove that connectivity for devices not specifically designed for public internet connectivity," Rockwell Automation stated.Rockwell Automation Discourages Remote Connections to ICS
In its latest security advisory, Rockwell Automation stressed that network defenders should never configure ICS devices to allow remote connections from systems outside the local network. It advised organizations that disconnecting these systems from the public-facing internet could significantly reduce their attack surface. This action prevents threat actors from gaining direct access to vulnerable systems that may not yet have been patched against security vulnerabilities, thus protecting internal networks from potential breaches. Rockwell Automation has also cautioned customers to implement necessary mitigation measures against several security vulnerabilities in its ICS devices. These vulnerabilities, identified by their CVE IDs, span across several Rockwell products like Logix Controllers, Studio 5000 Logix Designer, and FactoryTalk platforms. The list of these vulnerabilities is as follows:- CVE-2021-22681: Rockwell Automation Logix Controllers (Update A)
- CVE-2022-1159: Rockwell Automation Studio 5000 Logix Designer
- CVE-2023-3595: Rockwell Automation Select Communication Modules
- CVE-2023-46290: Rockwell Automation FactoryTalk Services Platform
- CVE-2024-21914: Rockwell Automation FactoryTalk View ME
- CVE-2024-21915: Rockwell Automation FactoryTalk Service Platform
- CVE-2024-21917: Rockwell Automation FactoryTalk Service Platform
Broader Efforts and Mitigation Actions for ICS Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert advising Rockwell customers to implement the recommended security measures as these products are in use at several critical infrastructure organizations across the country. Earlier in September 2022, the agency along with the NSA had issued recommendations and a "how-to guide" for reducing exposure across ICS and related operational technologies. The urgency of enhancing ICS security is further highlighted by the collaborative efforts of multiple U.S. federal agencies, including the NSA, FBI, and CISA, along with cybersecurity agencies from Canada and the U.K. These agencies have previously issued several public statements about the threats posed by hacktivists targeting critical infrastructure operations through unsecured OT systems. CISA has already recommended defensive measures on industrial control systems such as minimizing network exposure, isolating control system networks, and securing remote access through the implementation of Virtual Private Networks (VPNs). The present administration also issued the 2021 national security memorandum instructing CISA and NIST to develop cybersecurity performance goals for critical infrastructure operators as part of the broader initiatives in recent years to secure critical infrastructure within the United States. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Google Cites ‘Monoculture’ Risks in Response to CSRB Report on Microsoft
Google is invoking the 'monoculture' word in response to a scathing U.S. government report on Microsoft's inadequate cybersecurity practices.
The post Google Cites ‘Monoculture’ Risks in Response to CSRB Report on Microsoft appeared first on SecurityWeek.
Eric Goldstein Leaving CISA for Private Sector Role
CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.
The post Eric Goldstein Leaving CISA for Private Sector Role appeared first on SecurityWeek.
Arrests in $400M SIM-Swap Tied to Heist at FTX?
Three Americans were charged this week with stealing more than $400 million in a November 2022 SIM-swapping attack. The U.S. government did not name the victim organization, but there is every indication that the money was stolen from the now-defunct cryptocurrency exchange FTX, which had just filed for bankruptcy on that same day.
A graphic illustrating the flow of more than $400 million in cryptocurrencies stolen from FTX on Nov. 11-12, 2022. Image: Elliptic.co.
An indictment unsealed this week and first reported on by Ars Technica alleges that Chicago man Robert Powell, a.k.a. “R,” “R$” and “ElSwapo1,” was the ringleader of a SIM-swapping group called the “Powell SIM Swapping Crew.” Colorado resident Emily “Em” Hernandez allegedly helped the group gain access to victim devices in service of SIM-swapping attacks between March 2021 and April 2023. Indiana resident Carter Rohn, a.k.a. “Carti,” and “Punslayer,” allegedly assisted in compromising devices.
In a SIM-swapping attack, the crooks transfer the target’s phone number to a device they control, allowing them to intercept any text messages or phone calls sent to the victim, including one-time passcodes for authentication or password reset links sent via SMS.
The indictment states that the perpetrators in this heist stole the $400 million in cryptocurrencies on Nov. 11, 2022 after they SIM-swapped an AT&T customer by impersonating them at a retail store using a fake ID. However, the document refers to the victim in this case only by the name “Victim 1.”
Wired’s Andy Greenberg recently wrote about FTX’s all-night race to stop a $1 billion crypto heist that occurred on the evening of November 11:
“FTX’s staff had already endured one of the worst days in the company’s short life. What had recently been one of the world’s top cryptocurrency exchanges, valued at $32 billion only 10 months earlier, had just declared bankruptcy. Executives had, after an extended struggle, persuaded the company’s CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, a new chief executive now tasked with shepherding the company through a nightmarish thicket of debts, many of which it seemed to have no means to pay.”
“FTX had, it seemed, hit rock bottom. Until someone—a thief or thieves who have yet to be identified—chose that particular moment to make things far worse. That Friday evening, exhausted FTX staffers began to see mysterious outflows of the company’s cryptocurrency, publicly captured on the Etherscan website that tracks the Ethereum blockchain, representing hundreds of millions of dollars worth of crypto being stolen in real time.”
The indictment says the $400 million was stolen over several hours between November 11 and 12, 2022. Tom Robinson, co-founder of the blockchain intelligence firm Elliptic, said the attackers in the FTX heist began to drain FTX wallets on the evening of Nov. 11, 2022 local time, and continuing until the 12th of November.
Robinson said Elliptic is not aware of any other crypto heists of that magnitude occurring on that date.
“We put the value of the cryptoassets stolen at $477 million,” Robinson said. “The FTX administrators have reported overall losses due to “unauthorized third-party transfers” of $413 million – the discrepancy is likely due to subsequent seizure and return of some of the stolen assets. Either way, it’s certainly over $400 million, and we are not aware of any other thefts from crypto exchanges on this scale, on this date.”
The SIM-swappers allegedly responsible for the $400 million crypto theft are all U.S. residents. But there are some indications they had help from organized cybercriminals based in Russia. In October 2023, Elliptic released a report that found the money stolen from FTX had been laundered through exchanges with ties to criminal groups based in Russia.
“A Russia-linked actor seems a stronger possibility,” Elliptic wrote. “Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges. This points to the involvement of a broker or other intermediary with a nexus in Russia.”
Nick Bax, director of analytics at the cryptocurrency wallet recovery firm Unciphered, said the flow of stolen FTX funds looks more like what his team has seen from groups based in Eastern Europe and Russian than anything they’ve witnessed from US-based SIM-swappers.
“I was a bit surprised by this development but it seems to be consistent with reports from CISA [the Cybersecurity and Infrastructure Security Agency] and others that “Scattered Spider” has worked with [ransomware] groups like ALPHV/BlackCat,” Bax said.
CISA’s alert on Scattered Spider says they are a cybercriminal group that targets large companies and their contracted information technology (IT) help desks.
“Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs,” CISA said, referring to the group’s signature “Tactics, Techniques an Procedures.”
Nick Bax, posting on Twitter/X in Nov 2022 about his research on the $400 million FTX heist.
Earlier this week, KrebsOnSecurity published a story noting that a Florida man recently charged with being part of a SIM-swapping conspiracy is thought to be a key member of Scattered Spider, a hacking group also known as 0ktapus. That group has been blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.
Financial claims involving FTX’s bankruptcy proceedings are being handled by the financial and risk consulting giant Kroll. In August 2023, Kroll suffered its own breach after a Kroll employee was SIM-swapped. According to Kroll, the thieves stole user information for multiple cryptocurrency platforms that rely on Kroll services to handle bankruptcy proceedings.
KrebsOnSecurity sought comment for this story from Kroll, the FBI, the prosecuting attorneys, and Sullivan & Cromwell, the law firm handling the FTX bankruptcy. This story will be updated in the event any of them respond.
Attorneys for Mr. Powell said they do not know who Victim 1 is in the indictment, as the government hasn’t shared that information yet. Powell’s next court date is a detention hearing on Feb. 2, 2024.
Update, Feb. 3, 12:19 p.m. ET: The FBI declined a request to comment.