Hello and welcome back to our weekly wrap-up of all things cybersecurity.
For the second time in only a matter of months, the Department of Homeland Security (DHS) on Tuesday required owners and operators of critical pipelines transporting hazardous liquids and natural gas to put in place what it called "urgently needed protections against cyber intrusions." The directive came from DHS's Transportation Security Administration (TSA) and is its second since May. Not surprisingly, the department said the action was in response to "the ongoing cybersecurity threat to pipeline systems," most notably May's Colonial Pipeline attack, which disrupted fuel supplies in the southeastern United States for days.
Attacks on pipeline companies are nothing new. It turns out that Chinese state-sponsored attackers breached 13 US oil and natural gas pipeline companies nearly a decade ago, according to a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The agencies said this week that the spearphishing and intrusion campaign ran from December 2011 to 2013 and targeted 23 operators in all, of which 13 were confirmed compromised. They assess that its goal was strategic access to industrial control system (ICS) networks for future disruptive operations rather than intellectual property theft.
That is not all China stands accused of by the US and, in some cases, its EU and NATO allies. This latest disclosure joins a list which includes:
- Exploiting flaws in Microsoft Exchange Server, which enabled the recent global ransomware attacks on tens of thousands of victims.
- Directing four hackers, now charged by the Justice Department, to breach U.S. companies and institutions over a span of seven years.
- Maintaining, according to a US government technical report first reported by CyberScoop on Monday, an ongoing appetite for targeting the defense, medical, semiconductor and other industries to steal intellectual property.
Moving on to news not related to China, several of the largest Russian ransomware gangs are now truly partners in crime. The most active collaborators are four groups known as Wizard Spider, Twisted Spider, Viking Spider and LockBit. They are sharing hacking techniques, stolen data-breach information, malware code and technology infrastructure, and some license their tools to affiliates. However, they do not appear to share profits from their criminal activity. Shocking!!
In the Middle East, Saudi Aramco, the world's largest oil producer, confirmed on Wednesday that some of its company files had been leaked via a third-party contractor rather than from its own systems. The company did not name the supplier or say how the data was compromised, and it stressed that the release was limited and had no impact on operations. The extortionist behind the leak, who claimed last month to have seized troves of Aramco data, demanded a $50 million ransom. The lesson for everyone else is that data held by contractors is only as safe as the contractor's security posture, however strong your own perimeter is.
Apple appeared to be taken by surprise upon learning that Pegasus, the spyware tool from the Israeli company NSO Group, can breach even the latest iPhones through "zero-click" attacks delivered via iMessage, which require no interaction from the victim to install malware on the device. The spyware was allegedly used to target the phones of journalists, activists and politicians. NSO has said that its customers are to blame for any "misuse" of its products.
Finally, ethical hackers at WizCase uncovered a major data exposure affecting more than 100 U.S. cities. The exposed data includes sensitive information such as citizens' physical addresses, phone numbers, ID documents, tax records and more. WizCase says the cities appeared to be using the same product, mapsonline.net, provided by Massachusetts-based PeopleGIS.
According to WizCase, the researchers found that no password or login credentials were needed to access the information, and the data was not encrypted. It was stored in several misconfigured Amazon S3 buckets that shared a naming convention with MapsOnline, which is why WizCase believes these cities were all using the same software. After WizCase contacted PeopleGIS, the buckets were secured. Anyone running S3 should treat this as a reminder to turn on Block Public Access, audit bucket policies and ACLs for wildcard principals and AllUsers grants, and enforce default server-side encryption.
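The exposure pattern WizCase describes, a bucket readable without credentials and without encryption at rest, is cheap to check for before an outside researcher does. Below is an added example, written for this page and not WizCase's, PeopleGIS's or AWS's own code, that audits the four S3 configuration documents that matter: the bucket ACL, the bucket policy, the Block Public Access settings and the default encryption rule. The functions take plain dictionaries with the shape that boto3's get_bucket_acl, get_bucket_policy, get_public_access_block and get_bucket_encryption return, so the script runs offline against the constructed sample documents embedded in it; the bucket names, account ID and role name in those samples are made up, and the "exposed" sample is assumed to resemble the misconfiguration in the report rather than copied from it.

```python
"""Audit S3 bucket configuration for public exposure and missing encryption.

Added example for this wrap-up, not code from WizCase, PeopleGIS or AWS.
Each check takes the dictionary the corresponding boto3 call returns, so it
can be run offline against the constructed samples at the bottom, or fed
from a real client (the boto3 calls are only named in comments).
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_findings(acl):
    """Grants to the AllUsers or AuthenticatedUsers groups make a bucket
    world-readable/writable. `acl` has the shape of s3.get_bucket_acl()."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            who = "AllUsers" if grantee["URI"] == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings


def _principal_is_public(principal):
    # A Principal of "*", {"AWS": "*"} or {"AWS": ["*", ...]} means anyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_findings(policy_doc):
    """Allow statements open to any principal. `policy_doc` is the parsed
    JSON string found in s3.get_bucket_policy()["Policy"]."""
    findings = []
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is legal
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond = " (conditional)" if st.get("Condition") else ""
        findings.append(f"policy allows {', '.join(actions)} to anyone{cond}")
    return findings


def public_access_block_findings(pab):
    """Any of the four Block Public Access switches that is off.
    `pab` has the shape of s3.get_public_access_block()."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [f"{key} is off" for key in PAB_KEYS if not cfg.get(key, False)]


def encryption_findings(enc):
    """No default server-side encryption rule. `enc` has the shape of
    s3.get_bucket_encryption(); pass {} when that call raised
    ServerSideEncryptionConfigurationNotFoundError."""
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if any("ApplyServerSideEncryptionByDefault" in rule for rule in rules):
        return []
    return ["no default server-side encryption"]


def audit_bucket(name, acl, policy_json, pab, enc):
    """Run all checks; an empty list means the bucket passed."""
    policy_doc = json.loads(policy_json) if policy_json else {}
    return (acl_findings(acl) + policy_findings(policy_doc)
            + public_access_block_findings(pab) + encryption_findings(enc))


# Constructed sample documents (made-up bucket names, account ID and role).
EXPOSED = dict(
    name="example-mapsonline-town-records",
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    policy_json=json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-mapsonline-town-records/*"}]}),
    pab={"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}},
    enc={},
)
HARDENED = dict(
    name="example-mapsonline-town-records-v2",
    acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
    policy_json=json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/MapsOnlineApp"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-mapsonline-town-records-v2/*"}]}),
    pab={"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
    enc={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
)

if __name__ == "__main__":
    for bucket in (EXPOSED, HARDENED):
        print(bucket["name"], "->", audit_bucket(**bucket) or "clean")
```

The exposed sample trips all four checks (seven findings: the AllUsers grant, the wildcard policy, four Block Public Access switches off, and no default encryption), while the hardened one comes back clean. The Block Public Access check is the one worth enforcing at the account level, since it neutralises a stray public ACL or policy even when someone gets the other two wrong.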
That is all for this week. Please stick around to read some of the more intriguing cybersecurity stories around. Have a great weekend!
Top Global Security News
CBS News (July 22, 2021) The world's top ransomware gangs have created a cybercrime "cartel"
"Several of the largest Russian ransomware cybercriminal gangs have partnered up and are sharing hacking techniques, purloined data-breach information, malware code and technology infrastructure.
The most active collaborators are four groups known as Wizard Spider, Twisted Spider, Viking Spider and LockBit. The gangs in this cluster jointly control access to illicit data leak sites and custom ransomware code. They also associate with the larger criminal ransomware ecosystem, exert influence over smaller gangs and license their tools to affiliates, said Jon DiMaggio, chief security strategist at Analyst1. The groups do not appear to share profits from criminal activity.
'They're not a cartel in the traditional sense, like oil companies that have a lock on the supply of crude,' DiMaggio explained. 'But they do have technology infrastructure, and some are big enough to have their own [ransomware] code. These are limited resources.'"
Ars Technica (July 22, 2021) Saudi Aramco confirms data leak after $50 million cyber ransom demand
"Saudi Aramco, the world’s largest oil producer, confirmed on Wednesday that some of its company files had been leaked via a contractor, after a cyber extortionist claimed to have seized troves of its data last month and demanded a $50 million ransom from the company.
Aramco said in a statement that it had “recently become aware of the indirect release of a limited amount of company data which was held by third-party contractors.” The oil company did not name the supplier or explain how the data were compromised.
'We confirm that the release of data was not due to a breach of our systems, has no impact on our operations, and the company continues to maintain a robust cyber security posture,' Aramco added."
Bleeping Computer (July 21, 2021) Chinese state hackers breached over a dozen US pipeline operators
"Chinese state-sponsored attackers have breached 13 US oil and natural gas (ONG) pipeline companies between December 2011 and 2013 following a spear-phishing campaign targeting their employees. The end goal of the attacks was to help China develop cyberattack capabilities that would allow future intrusions to physically damage targeted pipelines or disrupt US pipeline operations.
This was revealed Tuesday in a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
'Overall, the US Government identified and tracked 23 US natural gas pipeline operators targeted from 2011 to 2013 in this spearphishing and intrusion campaign. Of the known targeted entities, 13 were confirmed compromises, 3 were near misses, and 7 had an unknown depth of intrusion,' the advisory reads. 'CISA and FBI assess that these intrusions were likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft. This assessment was based on the content of the data that was being exfiltrated and the TTPs used to gain that access.'"
Reuters (July 20, 2021) U.S. announces new cybersecurity requirements for critical pipeline owners
"The Department of Homeland Security on Tuesday required owners and operators of critical pipelines that transport hazardous liquids and natural gas to implement 'urgently needed protections against cyber intrusions.'
It was the second security directive issued by the department's Transportation Security Administration since May, after a hack of the Colonial Pipeline disrupted fuel supplies in the southeastern United States for days.
The department said the action was in response to 'the ongoing cybersecurity threat to pipeline systems.'"
TechRadar (July 20, 2021) Over 1TB of confidential US company data accidentally exposed
"Data breach watchdogs WizCase ran across over eighty such misconfigured cloud storage data silos that exposed data totaling over a terabyte.
According to redacted versions of the files seen by TechRadar Pro, the documents include real estate tax information about businesses, along with photographs of the properties, as well as the building and city plans from various municipalities, mostly in the state of Massachusetts.
'The breach could lead to massive fraud and theft from citizens of those municipalities. The highly-sensitive nature of the data contained within a local government’s database, from phone numbers to business licenses to tax records, are highly susceptible to exploitation by bad actors,' suggests WizCase in a blog post sharing details about the misconfigured buckets."
Cyberscoop (July 19, 2021) US blames China for Microsoft hacking, ransomware attacks as part of global condemnation
"The U.S. and its allies on Monday blamed China for exploiting flaws in Microsoft Exchange Server that enabled worldwide ransomware attacks on tens of thousands of victims.
It was part of a multi-front response Monday from the European Union, NATO and U.S. intelligence partners that included the announcement of charges against four Chinese hackers that the Justice Department said worked on behalf of Beijing to breach U.S. companies and institutions over a span of seven years. For the first time, the U.S. government also accused the Chinese government of employing criminal hackers who have conducted criminal attacks.
U.S. government agencies also released a technical report Monday, first reported by CyberScoop, that warned of China’s ongoing appetite for targeting the defense, medical, semiconductor and other industries to steal intellectual property."
SC Mag (July 19, 2021) Security researchers say Apple has to ‘step it up’ in wake of NSO-Pegasus spyware case
"Apple was dealt a huge blow to its reputation as a security champion on Monday when it was widely reported that the spyware tool Pegasus from the Israeli company NSO Group can breach the latest iPhones through “zero-click” attacks via iMessage that don’t require human interaction to inject malware on a device.
The company’s stock was down 2.69% to $142.45 a share today on news of the security issue.
Security experts like Setu Kulkarni, vice president, strategy at NTT Application Security, said the industry needs to get behind Apple, Google, and others as they find ways to protect users against spyware that was originally intended for legitimate defense and intelligence purposes."