
Ethical Hacking

Wade Mackey


MIS 5211.001 ■ Fall 2019 ■ Wade Mackey

Andrew P. Sardaro

New ‘unpatchable’ iPhone exploit may allow permanent jailbreaking on hundreds of millions of iOS devices

September 27, 2019 by Andrew P. Sardaro

Why is this exploit significant? It cannot be fixed with a software update; only a hardware revision can address it. Named “checkm8,” it exploits a vulnerability in the bootrom, the read-only code an iOS device runs first when it boots, and so gives an attacker code execution at a level Apple cannot patch on devices already shipped. The researcher who released it claims the exploit is permanent and can be used to build a jailbreak for every device from the iPhone 4s (A5 chip) through the iPhone 8 and iPhone X (A11 chip). The two newest chipsets, A12 and A13, are not affected.

Reading further, the jailbreak itself does not exist yet; much of the coverage is speculation about what one could do. The article notes that jailbreakers consider this a tethered exploit: it must be triggered over USB from a computer with the device in DFU mode, and because the bootrom exploit does not persist, that has to be repeated after every reboot. It would be a game-changer if the tool led to an untethered jailbreak that could be applied to hundreds of millions of iOS devices.

https://thehackernews.com/2019/09/bootrom-jailbreak-ios-exploit.html

Filed Under: Week 05: Metasploit

Microsoft to block 38 additional file extensions in Outlook for Web

September 27, 2019 by Andrew P. Sardaro

I have always been a proponent of using web-based Outlook instead of the local thick client for performance, data consistency, and troubleshooting reasons. Security is another reason to make the switch. Microsoft Outlook for Web will now block an additional 38 file extensions in email attachments. Blocking these extensions protects users from malicious scripts or executables attached to or embedded in emails.

Some common extensions already on the list of 104 blocked types include .exe, .url, .com, .cmd, .asp, .lnk, .js, .jar, .tmp, .app, .isp, .hlp, .pif, .msi, and .msh.

The 38 newly blocked extensions are associated with the following programs:

  • Python scripting language: “.py”, “.pyc”, “.pyo”, “.pyw”, “.pyz”, “.pyzw”
  • PowerShell scripting language: “.ps1”, “.ps1xml”, “.ps2”, “.ps2xml”, “.psc1”, “.psc2”, “.psd1”, “.psdm1”, “.psd1”, “.psdm1”
  • Digital certificates: “.cer”, “.crt”, “.der”
  • Java programming language: “.jar”, “.jnlp”
  • Various applications: “.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab”, “.grp”

These are not extensions I see a normal end user sending as part of their daily operations, so this blacklisting change should be transparent to users. If there is a business reason for one of them, an Exchange admin can whitelist a blocked extension in the OWA mailbox policy.
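The blocking described above is an extension blocklist with an admin allowlist layered on top. The script below is an added example of how such a check has to be written to hold up against the usual tricks (double extensions, mixed case, trailing dots and spaces); it is not Microsoft's code, and the extension sets are a constructed subset of the lists in this post.

```python
"""Attachment-extension policy check modelled on the Outlook on the web blocklist.

Added example, not Microsoft's code. BLOCKED_EXTENSIONS is a constructed
subset of the extensions listed in the post; the real policy lives in the
OWA mailbox policy, not in this script.
"""
from __future__ import annotations

# Constructed subset of the extensions discussed in the post.
BLOCKED_EXTENSIONS = frozenset({
    "exe", "cmd", "js", "jar", "lnk", "msi",              # already blocked
    "py", "pyc", "pyw", "pyz", "ps1", "ps1xml", "psc1",   # newly blocked
    "cer", "crt", "der", "jnlp", "xll", "diagcab",
})


def normalize_name(filename: str) -> str:
    """Fold case and strip trailing dots/spaces, which Windows drops when it
    creates the file, so 'notes.PY.' ends up as 'notes.py' on disk."""
    return filename.strip().rstrip(". ").lower()


def extension_of(filename: str) -> str:
    """Return the final extension (without the dot), or '' if there is none.
    Only the last extension matters: 'invoice.pdf.ps1' runs as PowerShell."""
    name = normalize_name(filename)
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1]


def attachment_decision(filename: str, *, allowed: frozenset[str] = frozenset()) -> str:
    """'block' if the final extension is on the blocklist and not explicitly
    allowed by the admin, otherwise 'allow'. `allowed` plays the role of the
    admin allow-list that overrides the block-list."""
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS and ext not in allowed:
        return "block"
    return "allow"


def triage(filenames: list[str], *, allowed: frozenset[str] = frozenset()) -> dict[str, str]:
    """Decide every attachment name in a message at once."""
    return {name: attachment_decision(name, allowed=allowed) for name in filenames}


# Constructed sample attachment names.
SAMPLE_ATTACHMENTS = [
    "budget.xlsx",
    "invoice.pdf.ps1",      # double extension; the final one wins
    "setup.EXE",            # case must not matter
    "notes.py.",            # trailing dot is dropped by Windows
    "cert.crt ",            # trailing space likewise
    "archive.tar.gz",
    "README",
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:5}  {name!r}")
```

The normalization step is the part people forget: a naive `filename.endswith(".ps1")` check passes `script.PS1` and `script.ps1.`, both of which Windows will happily run.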

https://thehackernews.com/2019/09/email-attachment-malware.html

Filed Under: Week 05: Metasploit

Cyberattack against US Power Grid

September 21, 2019 by Andrew P. Sardaro

The North American Electric Reliability Corp. (NERC) reports a first-of-its-kind cyberattack against power grid operations in the western United States. Much about the attack is unknown, including whether it was targeted or exploratory reconnaissance for a larger attack later. By exploiting a known vulnerability in the web interface of perimeter firewalls, the attackers forced the firewalls to reboot unexpectedly, a denial-of-service condition that left grid operators with communication blind spots, on and off, for about 10 hours on March 5. The affected firewalls linked parts of the grid in California, Utah, and Wyoming. No power outage resulted; the impact was loss of visibility, and NERC's lessons learned stress timely firmware patching and reducing the exposure of management interfaces on perimeter devices.

NERC posted a lessons learned document: https://www.eenews.net/assets/2019/09/06/document_ew_02.pdf

https://www.eenews.net/stories/1061111289

Filed Under: Uncategorized

At next year’s Defcon conference, the US Air Force will allow hackers to attempt to compromise an orbiting satellite

September 21, 2019 by Andrew P. Sardaro

At this year’s Defcon conference, the US Air Force brought along an F-15 fighter jet data system to be evaluated for vulnerabilities, and serious vulnerabilities were found. The Air Force is changing the way it looks at cybersecurity and is embracing external security researchers to help secure military technology. Rather than work in a bubble, it has agreed to let a hand-picked group of researchers attempt to hijack an orbiting satellite.

The F-15 data system has many components built by smaller third-party companies that do not always design with security in mind. Working with external researchers lets the Air Force understand these vulnerabilities and start writing stronger security requirements into its contracts with suppliers.

How will this work? The Air Force will put out a call for submissions from interested researchers, handpick its contestants, and let them test in a non-production environment against satellite components.

The winners will then attempt to compromise either the ground station controlling the satellite or the satellite itself, with the goal of turning the camera that points at the Earth so that it captures the Moon instead.

https://www.wired.com/story/air-force-defcon-satellite-hacking/

Filed Under: Uncategorized

The Human Factor.

September 13, 2019 by Andrew P. Sardaro

The weakest link in security is the human. Iranian hackers are launching credential-stealing phishing attacks against universities, resulting in the theft of intellectual property and research data.

Universities in the US, UK, and Australia are being targeted by the Cobalt Dickens group, which is linked to the Iranian government. It is speculated that these attacks are a response to recent government sanctions and to Iranian academic talent leaving for other countries for collaborative research.

The phishing emails look legitimate and appear to come from the university’s online library service. The message claims the user’s account has been deactivated and that, to reactivate it, they must follow a link; the link leads to a spoofed login page that captures the credentials. Rather than deploying malware, the group uses publicly available tools and code taken from GitHub, which keeps it under the radar of security software that looks for malicious binaries.
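The lure described above relies on a link whose visible text looks like the library domain while the href points at a spoofed site. The following is an added example, not from the ZDNet article or the group's tooling, of the checks a mail filter or an analyst script can run over such a message: whether the link host is really one of the institution's domains, whether the displayed domain matches the actual href, and whether the host merely embeds the legitimate name. The institution domains and the email body are constructed for the demo.

```python
"""Flag credential-phishing links of the kind described above: an email that
claims a library account was deactivated and points at a spoofed login page.

Added example, not from the ZDNet article or the Cobalt Dickens tooling.
LEGIT_DOMAINS and SAMPLE_EMAIL are constructed for the demo.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: domains the institution really uses for library logins.
LEGIT_DOMAINS = ("library.example-univ.edu", "login.example-univ.edu")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host of a URL; bare 'host/path' text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_legit_host(host: str) -> bool:
    """True only for the exact legit host or a subdomain of it, never for a
    host that just starts with the legit name."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def assess_link(href: str, text: str) -> list[str]:
    """Reasons a link looks like a phish; an empty list means nothing flagged."""
    reasons = []
    href_host = host_of(href)
    if not is_legit_host(href_host):
        reasons.append(f"href host {href_host!r} is not an institution domain")
    # Display text that itself looks like a URL but points somewhere else.
    shown = text.strip().rstrip(".,;:")
    if "." in shown and " " not in shown:
        text_host = host_of(shown)
        if text_host and text_host != href_host:
            reasons.append(f"display text {text_host!r} differs from href host {href_host!r}")
    # Lookalike: the legit name appears inside a foreign host.
    for legit in LEGIT_DOMAINS:
        if legit.split(".")[0] in href_host and not is_legit_host(href_host):
            reasons.append(f"host {href_host!r} imitates {legit!r}")
            break
    return reasons


def scan_email(html_body: str) -> dict[str, list[str]]:
    """Map every href in the message to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return {href: assess_link(href, text) for href, text in parser.links if href}


# Constructed sample body in the style of the lure described in the article.
SAMPLE_EMAIL = """
<p>Your library account has been deactivated due to inactivity.</p>
<p>To reactivate, sign in at
<a href="https://library.example-univ.edu.account-verify.example/login">library.example-univ.edu</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://library.example-univ.edu/help">our help desk</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print("PHISH" if reasons else "ok   ", href)
        for r in reasons:
            print("       -", r)
```

Note that `is_legit_host` anchors on a dot boundary: `library.example-univ.edu.account-verify.example` starts with the real hostname but is a completely different registrable domain, which is exactly the trick these lures use.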

I have found that user education in the form of anti-phishing campaigns and enabling multi-factor authentication are crucial in combating phishing attacks.

https://www.zdnet.com/article/iranian-hackers-credential-stealing-phishing-attacks-against-universities-around-the-world/

Filed Under: Uncategorized

Russia’s Grid Hackers Aimed for Physical Destruction

September 13, 2019 by Andrew P. Sardaro

I remember reading about this power grid attack against Ukraine in 2016, and experts were puzzled as to why the attack accomplished only a temporary outage. Some speculated that it was just probing the power grid for a more complex attack at a later date. This article offers a different theory. The malware Russia used against the electric transmission station just north of Kiev was “Crash Override,” also known as Industroyer (https://www.us-cert.gov/ncas/alerts/TA17-163A). The malware attacks electrical industrial equipment by sending commands over four different grid protocols (IEC 101, IEC 104, IEC 61850, and OPC DA) to open circuit breakers, causing mass power outages.

Researchers recently determined that the malware also carried a component targeting a known denial-of-service vulnerability in Siemens SIPROTEC protective relays, the equipment that acts as the grid’s fail-safe. Disabling the protective relays would have gone unnoticed by the first responders working to restore power. Researchers now believe the intent was for grid engineers to respond quickly to the outage and re-energize the failed equipment manually. The danger is that restoring power with the protective-relay fail-safes disabled could have driven a critical overload of current into transformers and power lines, causing catastrophic damage to grid equipment, physical harm to workers, and far longer downtime than the short outage that actually occurred.

https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/

Filed Under: Uncategorized

Town Avoids Paying Massive $5 Million Ransom In Cyberattack

September 7, 2019 by Andrew P. Sardaro

Here is a rare ransomware case with a happy ending. The city of New Bedford, Mass. was hit with a ransomware attack on the night of July 4th. The attackers demanded $5.3 million in bitcoin to release the encrypted city data. The ransomware was Ryuk. Beyond encrypting local files, Ryuk encrypts network drives and deletes the Volume Shadow Copies on the endpoint, which disables Windows System Restore and any recovery from local snapshots.
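The shadow-copy deletion mentioned above is done with ordinary Windows administration commands, which is what makes it detectable in process-creation telemetry before the encryption finishes. The script below is an added example of that detection logic, not from the NPR story or any vendor's content: it matches the vssadmin, wmic and bcdedit invocations associated with this behaviour against constructed log lines in a simplified Sysmon Event ID 1 style.

```python
"""Detect recovery-sabotage commands (shadow-copy deletion and disabling of
Windows recovery) in process-creation logs.

Added example, not from the NPR story or any vendor's detection content.
SAMPLE_LOG is constructed in a simplified Sysmon Event ID 1 style.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Each rule: name, regex applied to the normalized command line.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b")),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b")),
]


def normalize(cmdline: str) -> str:
    """Lower-case, collapse whitespace and drop quotes so that
    'cmd /c \"VSSADMIN  Delete Shadows\"' still matches."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def parse_line(line: str) -> dict[str, str]:
    """Parse 'key=value' pairs; CommandLine is always last so it may contain spaces."""
    head, _, cmd = line.partition(" CommandLine=")
    fields = dict(kv.split("=", 1) for kv in head.split() if "=" in kv)
    fields["CommandLine"] = cmd
    return fields


def match_rules(cmdline: str) -> list[str]:
    """Names of every rule the command line triggers."""
    norm = normalize(cmdline)
    return [name for name, rx in RULES if rx.search(norm)]


def detect(lines: list[str]) -> dict[str, list[tuple[str, list[str]]]]:
    """Map host -> list of (command line, matched rules) for process-creation
    events that hit a rule. Several hits on one host in a short window is the
    pattern to alert on; a lone 'vssadmin list shadows' is normal admin work."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") != "1":
            continue
        rules = match_rules(ev["CommandLine"])
        if rules:
            hits[ev.get("Host", "?")].append((ev["CommandLine"], rules))
    return dict(hits)


# Constructed sample log lines.
SAMPLE_LOG = [
    "EventID=1 Host=FIN-WS01 User=CORP\\backup Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin list shadows",
    'EventID=1 Host=FIN-WS07 User=CORP\\jdoe Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"',
    "EventID=1 Host=FIN-WS07 User=CORP\\jdoe Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "EventID=1 Host=FIN-WS07 User=CORP\\jdoe Image=C:\\Windows\\System32\\bcdedit.exe CommandLine=bcdedit /set {default} recoveryenabled No",
    "EventID=1 Host=FIN-WS07 User=CORP\\jdoe Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=WMIC.exe shadowcopy delete",
    "EventID=3 Host=FIN-WS07 Image=C:\\Windows\\System32\\svchost.exe CommandLine=",
]

if __name__ == "__main__":
    for host, events in detect(SAMPLE_LOG).items():
        print(host)
        for cmd, rules in events:
            print(f"  {', '.join(rules):32} {cmd}")
```

The benign `vssadmin list shadows` on FIN-WS01 produces no hit, while FIN-WS07 accumulates four different rule matches from the same user, which is the combination worth paging on.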

City officials were fortunate that the attack occurred during a holiday, and only 4% of systems were deemed compromised. They decided to contact the attackers through the email address provided and negotiate for the decryption key, offering the city’s $400,000 insurance allocation instead. The negotiation bought time: while the demand stalled, city officials restored a good portion of the data from external backups.

The city exercised its business continuity and disaster recovery plan and was able to restore the compromised data and operations quickly.

https://www.npr.org/2019/09/06/758399814/town-avoids-paying-massive-5-million-ransom-in-cyberattack

Filed Under: Uncategorized

Ransomware Attack on Dental Data Backup Service Offering Ransomware Protection

September 6, 2019 by Andrew P. Sardaro

File this one under ironic. PerCSoft, the cloud management provider for Digital Dental Record (DDR), whose DDS Safe backup service is used by dental offices, was hit by ransomware. DDS Safe is a HIPAA-compliant online dental backup service used by hundreds of dental practices across the US. The ransomware involved was Sodinokibi, also known as Sodin or REvil.

The article states that the ransomware was deployed through the remote management software the application uses to back up client data. According to the article, the attackers were able to exploit a recently patched Oracle WebLogic Server vulnerability. Oracle WebLogic Server is a Java EE application server behind many web applications and portals.

Oracle Security Alert Advisory – CVE-2019-2725 https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

The vulnerability lets a remote attacker execute commands without authentication (no credentials needed) by sending a specially crafted HTTP request to the server. It carries a CVSS score of 9.8/10, and Oracle addressed it on April 26, 2019 with an out-of-band update rather than waiting for the next quarterly Critical Patch Update.

The ransom was paid, a decryption tool was provided, and the files were decrypted. A well-designed patch-management process is crucial to reducing exposure to vulnerabilities like this one; the question is whether you can stay one step ahead of the attackers.
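Because the flaw is reachable with a single unauthenticated POST, the first question after a patch like this is whether anyone knocked on the vulnerable endpoints before it went in. The following is an added example, not from the Security Affairs article or from Oracle, of triaging web-server access logs for that: it counts POST requests to the paths served by the affected components, split by source network. The endpoint paths are the ones reported in public analyses of CVE-2019-2725 and are treated as an assumption here; the log lines are constructed in Combined Log Format.

```python
"""Triage access logs for requests to the WebLogic components affected by
CVE-2019-2725 (wls9_async_response and wls-wsat).

Added example, not from the Security Affairs article or Oracle. The endpoint
prefixes are an assumption taken from public analyses of the flaw; SAMPLE_LOG
is constructed in Combined Log Format.
"""
from __future__ import annotations

import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: URLs under these prefixes are served by the affected components.
SUSPECT_PREFIXES = ("/_async/", "/wls-wsat/")

# RFC 1918 space; anything else is treated as external for this triage.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def parse(line: str) -> dict[str, str] | None:
    """Fields of one Combined Log Format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_suspect(ev: dict[str, str]) -> bool:
    """Only POSTs matter: the flaw is triggered by a crafted request body, and
    a GET for the WSDL is routine traffic."""
    return ev["method"] == "POST" and ev["path"].startswith(SUSPECT_PREFIXES)


def triage(lines: list[str]) -> dict[str, Counter]:
    """Count suspect requests per source IP, split external vs internal.
    The status code is not proof either way: the request is processed before
    the handler decides what to return, so a 500 can still mean code ran."""
    report = {"external": Counter(), "internal": Counter()}
    for line in lines:
        ev = parse(line)
        if ev and is_suspect(ev):
            bucket = "internal" if is_internal(ev["ip"]) else "external"
            report[bucket][ev["ip"]] += 1
    return report


# Constructed sample log lines.
SAMPLE_LOG = [
    '10.20.0.15 - - [24/Apr/2019:08:12:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5123',
    '203.0.113.42 - - [24/Apr/2019:08:15:33 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 200 0',
    '203.0.113.42 - - [24/Apr/2019:08:15:34 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 500 1843',
    '198.51.100.7 - - [24/Apr/2019:09:02:10 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1843',
    '10.20.0.15 - - [24/Apr/2019:09:30:00 +0000] "GET /_async/AsyncResponseService?WSDL HTTP/1.1" 200 2301',
]

if __name__ == "__main__":
    for bucket, counts in triage(SAMPLE_LOG).items():
        print(bucket)
        for ip, n in counts.most_common():
            print(f"  {ip:16} {n} suspect request(s)")
```

Any external hit in this report is a host to pull full request bodies and process-creation logs for; a zero count is only reassuring if the proxy in front of WebLogic actually logs the request path, which is worth confirming before trusting the result.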

https://securityaffairs.co/wordpress/90570/malware/dds-safe-ransomware-attack.html

Filed Under: Uncategorized


