In this issue:
- Impacts of Friday’s Earthquake near Anchorage, Alaska
GENERAL SECURITY & RESILIENCE
- Water Research Foundation Research Report: Wildfire Impacts on Drinking Water
- DHS Action Guide: Fire as a Weapon
- (U//FOUO) The Islamic State’s Use of UAS Outside of Conflict Zones
- (U//FOUO) Involvement of Minors in Terrorist Plots and Attacks
- NCCIC Malware Analysis Reports – SamSam Ransomware
- Perch Indicators - 4 Dec 2018
- Anti-Botnet Guide
- Protecting against Identity Theft
- Omron CX-One (ICSA-18-338-01)
- SpiderControl SCADA WebServer (ICSA-18-338-02)
- January 23: Water Sector Cyber Threat Web Briefing
- December 6: EPA Webinar on Sampling Guidance for Unknown Contaminants
- December 11: EPA Webinar on Preparing for Sampling and Analysis in Response to Distribution System Contamination Incidents
- December 13: EPA Webinar on Water Contaminant Information Tool (WCIT)
- December 18: EPA Webinar on Free Analytical Preparedness Full-Scale Exercise (AP-FSE) Toolkit
- January 8: EPA Webinar on Exercising Procedures for Responding to Contamination Incidents
- DHS IP Partnership Bulletin Events
Impacts of Friday’s Earthquake near Anchorage, Alaska
A magnitude 7.0 earthquake struck north of Anchorage, Alaska on Friday, November 30 at about 8:30 am local time. The U.S. Geological Survey (USGS) reports the earthquake rated a maximum of VIII (Severe) on the Modified Mercalli Intensity Scale. As of yesterday, the USGS reported the area had experienced over 170 aftershocks of magnitude 3 or above, with a magnitude 5.7 aftershock occurring just seven minutes after the initial earthquake. Buildings and infrastructure in the area did experience some damage and operational impacts. In the water and wastewater sector, the Anchorage Water and Wastewater Utility informed WaterISAC it had experienced multiple water main breaks and had instituted a system-wide boil water notice as a precautionary measure. By Sunday, it had lifted the boil water notice, indicating in a press release that “tests have confirmed that the water system is operating normally and was not contaminated as a result of the earthquake.” Private systems in the "Mat-Su" area near Anchorage continue to have boil water notices in place. The energy sector also experienced some impacts that resulted in power outages. The most impacted of the critical lifelines sectors seems to be the transportation sector, as numerous roads were damaged. Fortunately, no fatalities have been reported, although there have been some injuries. WaterISAC has posted to its portal a situation report from the U.S. Department of Homeland Security and a ShakeMap from the USGS. Read more at WaterISAC.
GENERAL SECURITY AND RESILIENCE
Water Research Foundation Research Report: Wildfire Impacts on Drinking Water
The Water Research Foundation has published a report on the impacts of wildfires on drinking water quality, treatment, plant performance, and operations. A team conducted research for this report by collecting soil and litter samples from watersheds serving four water utilities in different parts of the U.S. These samples were heated and leached into water, which was evaluated for quality and treatability by coagulation. The research team found the samples released different quantities and qualities of dissolved constituents following heating, with litter tending to release more dissolved organic matter compared to soil. Based on its findings, the team presents a series of recommendations for utilities whose watersheds are under threat of wildfires. These include increasing coagulant doses, expanding water storage capacity and diversifying water sources, and implementing a robust water quality monitoring plan, among others. Read more at WaterISAC.
DHS Action Guide: Fire as a Weapon
The U.S. Department of Homeland Security has published an Action Guide informing its partners of the potential for violent extremists using fire or arson-style tactics against critical infrastructure, noting such approaches have consistently been advocated for in terrorist propaganda. This product includes information on real-world attacks and plots that have involved these tactics, potential indicators of this activity, and lists of measures for preparedness, mitigation, and response. Read more at WaterISAC.
(U//FOUO) The Islamic State’s Use of UAS Outside of Conflict Zones
The Transportation Security Administration has released a Quick Look report describing the recent arrest of Islamic State-aligned individuals in Tunisia who were preparing to conduct an attack there that involved conventional explosives and toxic gases and an unmanned aerial system (UAS). This event marks the first public confirmation of Islamic State-aligned individuals attempting to use a UAS outside of Iraq and Syria. U.S. officials have increasingly warned about the potential for terrorist groups and radicalized individuals to conduct attacks within the nation’s borders using UAS. "The FBI assesses that, given their retail availability, lack of verified identification requirement to procure, general ease of use, and prior use overseas, UAS will be used to facilitate an attack in the United States against a vulnerable target," FBI Director Christopher Wray said in written testimony to the Senate Homeland Security and Governmental Affairs Committee in October. Read more at WaterISAC. FOR U.S. MEMBERS.
(U//FOUO) Involvement of Minors in Terrorist Plots and Attacks
The National Counterterrorism Center, the U.S. Department of Homeland Security, and the FBI have co-authored a report as part of their “First Responder’s Toolbox” series that is intended to provide awareness of the potential involvement of minors in terrorist attacks and to encourage discussion and collaboration among public and private stakeholders to aid in prevention efforts. The report provides a background of the threat, discussing how terrorist groups like al Qa’ida and the Islamic State attempt to influence minors through online technologies, includes characteristics for some of the more notable attacks or plots involving minors that have occurred, and lists indicators of mobilization to violence and resources for partners to access to help prevent and reverse cases of youth radicalization. Read more at WaterISAC. FOR U.S. MEMBERS.
NCCIC Malware Analysis Reports – SamSam Ransomware
The NCCIC has published four Malware Analysis Reports (MARs) on the SamSam ransomware, providing technical information based on samples of the malware and the techniques that were employed. The MARs include:
The indicators of compromise identified in the MARs are entered automatically into DHS’s Cyber Information Sharing and Collaboration Program (CISCP) information feed. WaterISAC members can have seamless access to the CISCP information feed via Perch.
As noted in the lead item in Cybersecurity section for last Thursday's SRU, the U.S. Department of Justice reported two Iranian men were indicted for have developed the SamSam ransomware and perpetrating a 34-month -long international hacking and extortion campaign whose victims included municipalities, public institutions, and hospitals.
Perch Indicators - 4 Dec 2018
In the last few days, WaterISAC entered 91 indicators of compromise from open source and trusted third party reporting into the Perch Security network monitoring platform. Perch users subscribed to the WaterISAC Community will be able to detect the following within their environments:
- Zekapab (Zebrocy) trojan activity delivered through BREXIT-themed lures, attributed to cyber espionage group SNAKEMACKEREL (a. k. a., Sofacy, Pawn Storm, Sednit, Fancy Bear, APT28, Group 74, Tsar Team, and Strontium)
- Global phishing campaign dubbed Pied Piper that delivers various Remote Access Trojan (RAT) payloads, including FlawedAmmyy RAT, and Remote Manipulator (RMS) RAT
- Butter, a low and slow Linux targeting campaign that executes brute force SSH attacks and on every breached Linux machine leaves a backdoor user named butter, together with a Trojan registered as a service; Butter also has a customized RAT with a cryptocurrency miner and DDoS capability
- Adware and PUPs (potentially unwanted programs) delivered through WakeNet AB
Want to know more about Perch, an add-on service to a WaterISAC membership for detecting malicious activity on networks? Please contact WaterISAC’s Michael Arceneaux at firstname.lastname@example.org or 202-331-0479.
International Anti-Botnet Guide
Botnets indiscriminately affect every type of business. They are damaging and costly, and are available for rent to any malicious actor with little to no skill. Botnet’s highly distributed and automated nature makes them proficient at disabling websites and services, conducting distributed denial-of-service attacks (DDoS), and proliferating other types of malware, such as ransomware. To help organizations block botnets and other automated, distributed cyberattacks, the Council to Secure the Digital Economy (CSDE) and Consumer Technology Association (CTA) have released the International Anti-Botnet Guide. The guide offers best practices and actionable mitigation steps to apply across various stakeholder communities to help combat the botnet-siege, including security updates, real-time information sharing, and improved identity and access management processes. Read more at WaterISAC.
Protecting against Identity Theft
As the holidays draw near, many consumers turn to the internet to shop for goods and services. Although online shopping can offer convenience and save time, shoppers should be cautious online and protect personal information against identity theft. Identity thieves steal personal information, such as a credit card, and run up bills in the victim’s name. The Cybersecurity and Infrastructure Security Agency (CISA) encourages consumers to review the following tips to help reduce the risk of falling prey to identity theft:
Omron CX-One (ICSA-18-338-01)
The NCCIC has released an advisory on stack-based buffer overflow and use after free vulnerabilities in Omron CX-One. Versions 4.42 and prior are affected. Successful exploitation of these vulnerabilities could allow an attacker to execute code under the privileges of the application. Omron has released an updated version of CX-One to address the reported vulnerabilities. The NCCIC also recommends a series of defensive measures to minimize the risk of exploitation of these vulnerabilities. NCCIC/ICS-CERT.
SpiderControl SCADA WebServer (ICSA-18-338-02)
Water Sector Cyber Threat Web Briefing
Wednesday, January 23, 2019, 2:00 – 3:00 PM ET; webinar
On January 23, WaterISAC will convene its monthly Water Sector Cyber Threat Web Briefing. Presenters will cover the latest cyber threats facing the water and wastewater sector. Register at WaterISAC.
EPA Webinar – Sampling Guidance for Unknown Contaminants
Thursday, December 6, 2018; 11:00 a.m. – 12:00 p.m. ET; webinar
The Water Laboratory Alliance's “Sampling Guidance for Unknown Contaminants in Drinking Water” provides comprehensive guidance on sample collection, preservation and transport when dealing with unknown contaminants in drinking water. This training, intended for utilities, emergency responders and laboratory personnel, covers:
- The challenge of dealing with unknown contaminants
- How the Sampling Guidance can help your organization
- An overview of the Sampling Guidance
- Available EPA support
EPA Webinar – Preparing for Sampling and Analysis in Response to Distribution System Contamination Incidents
Tuesday, December 11, 2018; 1:00 – 2:00 p.m. ET; webinar
This webinar will provide an overview of capabilities necessary for field and laboratory response to a possible drinking water contamination incident. It will include a discussion of priority contaminants, analytical methods, emergency response sampling kits, and field testing equipment. Lessons learned from utility implementation of emergency response sampling and analysis capabilities will also be presented. WaterISAC has posted a flyer to its portal with additional information about this learning opportunity. Register at GoToWebinar.
EPA Webinar – Water Contaminant Information Tool (WCIT)
Thursday, December 13, 2018; 1:00 – 2:00 p.m. ET; webinar
The Water Contaminant Information Tool (WCIT) is a secure on-line database with comprehensive information about chemical, biological and radiochemical contaminants of concern for the Water Sector. WaterISAC members have direct, single-sign-on access to WCIT via the Contaminant Databases section of WaterISAC's portal. This training, intended for members of the water utility, laboratory and emergency response communities, covers:
- An overview of WCIT
- A description of the information contained within WCIT
- How the tool can be used
- The benefits of use for different stakeholders
EPA Webinar – Free Analytical Preparedness Full-Scale Exercise (AP-FSE) Toolkit
Tuesday, December 18, 2018; 1:00 – 2:00 p.m. ET; webinar
EPA’s newly released Analytical Preparedness Full-Scale Exercise (AP-FSE) Toolkit is a comprehensive guide to planning and executing a multi-organization exercise to simulate a water emergency, with a focus on tools and best practices for laboratory analytical support. This webinar, intended for members of the water utility, laboratory and emergency response communities, covers:
- How an AP-FSE can increase preparedness
- An overview of the contents and functionality of the Toolkit
- How you can get started planning an exercise of your own
- Available EPA support
EPA Webinar – Exercising Procedures for Responding to Contamination Incidents
Tuesday, January 8, 2018; 1:00 – 2:00 p.m. ET; webinar
This webinar will focus on the development of training and exercises to plan and prepare for responding to a distribution system contamination incident. The webinar will include utility experiences in designing and conducting exercises. WaterISAC has posted a flyer to its portal with additional information about this learning opportunity. Register at Eventbrite.
DHS IP Partnership Bulletin Events (November 6, 2018 Edition)
The U.S. Department of Homeland Security Office of Infrastructure Protection (IP) has published the latest version of its Partnership Bulletin, which provides a snapshot of upcoming training and exercise opportunities, critical infrastructure events, and key announcements. Some of the events include:
- The annual conference of the International City County Management Association (ICMA), which will be held in Nashville, Tennessee from October 20 to 23, 2019 (the last conference, conducted in Baltimore in September 2018, included a session on disaster recovery assessment);
- Russian Activity Against Critical Infrastructure Briefing, which was conducted in July 2018 and for which the recording is now available online;
- Risk Management Process and Facility Security Committee Training, with a convening in Portland, Oregon on December 6;
- Corporate Security Symposia, which is intended to inform public and private sector audiences on the most challenging security issues the nation faces today, with convenings in Los Angeles, California on December 6; Biloxi, Mississippi on March 20, 2019; Norfolk, Virginia on April 3, 2019; and Bentonville, Arkansas on August 14, 2019; and
- DHS Office of Bombing Prevention Training Courses, with both computer-based and in-person training opportunities on a variety of topics from now until late-December.