EPA Withdraws Interpretive Memorandum on PWS Cybersecurity
Note: WaterISAC does not maintain a position on this action; we are providing this development for your awareness.
A recent report from Cofense highlights how voice messages are being used as a phishing lure. The report describes an ongoing campaign in which threat actors include an "access key" in the email body to lure recipients into opening what appears to be a genuine voice message.
Colonial Pipeline reported that there has been no disruption to its pipeline operations or systems following threats from a ransomware group known as Ransomed.vc, stating that the claims made by Ransomed.vc are "unsubstantiated." To validate the security of its systems, Colonial Pipeline worked with its security and technology teams and CISA, confirming that there had been no disruption to pipeline operations and that its systems remained secure. The files initially posted online are believed to have come from a third-party data breach unrelated to Colonial Pipeline.
The following posts are useful for general awareness of current threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.
ICS/OT/SCADA Vulnerabilities & Threats
Cofense detected a surge in the abuse of LinkedIn Smart Links in phishing attacks, allowing actors to bypass protection measures and evade detection. "Smart Links are part of LinkedIn's Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it. Also, because Smart Link uses LinkedIn's domain followed by an eight-character code parameter, they appear to originate from a trustworthy source and bypass email protections" (Bleeping Computer, 2023).
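Because Smart Links are a legitimate LinkedIn feature, blocking the domain outright is not an option; a practical mail-triage step is to surface links that match the Smart Link shape so an analyst can review them. The following is an added example (not code from WaterISAC, Cofense, or Bleeping Computer). It assumes Smart Links take the form `https://www.linkedin.com/slink?code=<eight characters>` (an assumption about the URL layout, consistent with the description above) and runs over a constructed sample email body:

```python
"""Flag LinkedIn Smart Links found in an email body for analyst review.

Added example. Assumes the Smart Link URL shape
https://www.linkedin.com/slink?code=<8-character code>; this shape is an
assumption, not something stated in the digest above.
"""
import re
from urllib.parse import urlparse, parse_qs

# Crude URL extractor: good enough for plain-text or lightly formatted bodies.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Exact host match: lookalikes such as linkedin.com.example.net must not pass.
SMART_LINK_HOSTS = {"linkedin.com", "www.linkedin.com"}

# Eight-character code parameter, per the description of Smart Links.
CODE_RE = re.compile(r"^[A-Za-z0-9_-]{8}$")


def is_smart_link(url: str) -> bool:
    """Return True if the URL matches the assumed Smart Link layout."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    # urlparse lowercases the hostname for us.
    if (parts.hostname or "") not in SMART_LINK_HOSTS:
        return False
    if parts.path.rstrip("/") != "/slink":
        return False
    codes = parse_qs(parts.query).get("code", [])
    return len(codes) == 1 and CODE_RE.match(codes[0]) is not None


def extract_smart_links(body: str) -> list[str]:
    """Return the unique Smart Links in an email body, in order of appearance."""
    found: list[str] = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;)")  # drop trailing punctuation
        if is_smart_link(url) and url not in found:
            found.append(url)
    return found


# Constructed sample email body (not a real message).
SAMPLE_EMAIL = """\
Hi team, please review the attached statement here:
https://www.linkedin.com/slink?code=Ab12Cd34
My profile is at https://www.linkedin.com/in/example-user if you need it.
Do not click https://linkedin.com.example.net/slink?code=Zz99Yy88 (lookalike).
"""


def triage(body: str = SAMPLE_EMAIL) -> list[str]:
    """Entry point for a mail-gateway hook: returns links needing review."""
    return extract_smart_links(body)


if __name__ == "__main__":
    for link in triage():
        print("REVIEW:", link)
```

Flagged links are candidates for analyst review or safe detonation, not automatic blocks, since the same mechanism is used for legitimate marketing mail.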
Google says it mitigated a series of DDoS attacks reaching a peak of 398 million requests per second (rps), nearly 9 times larger than the largest DDoS attack recorded last year, which peaked at 46 million rps. The latest set of attacks started in August and is still ongoing. According to Google, the attacks rely on a novel technique dubbed "Rapid Reset" that abuses stream multiplexing, a feature of the widely adopted HTTP/2 protocol.
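The mitigation vendors shipped for this technique is conceptually simple: count how often a client opens and then immediately cancels streams on one connection, and close connections that do so at an abusive rate. The following is an added example (not Google's code or anything from the digest) that models that server-side check over a constructed frame log; the threshold and window values are illustrative assumptions, and a real server would apply this inside its HTTP/2 framing layer:

```python
"""Per-connection RST_STREAM rate monitor, modelled on Rapid Reset mitigations.

Added example. The frame log, the threshold (max_resets) and the window size
are constructed for illustration; a production server would tune them.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ConnState:
    """Per-connection bookkeeping for recent stream resets."""
    resets: deque = field(default_factory=deque)  # timestamps of RST_STREAM
    opened: int = 0                                # HEADERS frames (new streams)
    abusive: bool = False                          # sticky once tripped


class RapidResetMonitor:
    def __init__(self, max_resets: int = 100, window_s: float = 1.0):
        self.max_resets = max_resets
        self.window_s = window_s
        self.conns: dict[str, ConnState] = {}

    def on_frame(self, conn_id: str, frame_type: str, ts: float) -> str:
        """Return 'ok' to keep serving, or 'goaway' to close the connection."""
        st = self.conns.setdefault(conn_id, ConnState())
        if st.abusive:
            return "goaway"
        if frame_type == "HEADERS":
            st.opened += 1
            return "ok"
        if frame_type == "RST_STREAM":
            st.resets.append(ts)
            cutoff = ts - self.window_s
            while st.resets and st.resets[0] < cutoff:  # slide the window
                st.resets.popleft()
            if len(st.resets) > self.max_resets:
                st.abusive = True
                return "goaway"
        return "ok"


def build_sample_frames() -> list[tuple[str, str, float]]:
    """Constructed frame log: one normal client and one rapid-reset client."""
    frames: list[tuple[str, str, float]] = []
    # Connection A: 20 requests spread over a second, two legitimate cancels.
    for i in range(20):
        frames.append(("A", "HEADERS", i * 0.05))
    frames.append(("A", "RST_STREAM", 0.30))
    frames.append(("A", "RST_STREAM", 0.80))
    # Connection B: 150 open-then-cancel pairs inside half a second.
    for i in range(150):
        t = i * (0.5 / 150)
        frames.append(("B", "HEADERS", t))
        frames.append(("B", "RST_STREAM", t + 0.001))
    frames.sort(key=lambda f: f[2])
    return frames


def replay(frames, max_resets: int = 100, window_s: float = 1.0) -> dict[str, str]:
    """Feed frames to the monitor; return the final verdict per connection."""
    mon = RapidResetMonitor(max_resets=max_resets, window_s=window_s)
    verdicts: dict[str, str] = {}
    for conn_id, frame_type, ts in frames:
        verdicts[conn_id] = mon.on_frame(conn_id, frame_type, ts)
    return verdicts


if __name__ == "__main__":
    for conn, verdict in replay(build_sample_frames()).items():
        print(conn, verdict)
```

The sticky `abusive` flag matters: once a connection trips the limit the server stops doing any per-request work for it and sends GOAWAY, which is the point of the mitigation, since the attack's cost asymmetry comes from the server processing each stream the client immediately discards.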
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:
ICS Vulnerability Advisories:
CISA Releases Nineteen Industrial Control Systems Advisories
Members are encouraged to review this update for newly observed IOCs and TTPs not included in the previous advisory, as well as a YARA rule the FBI developed after analyzing a tool associated with an AvosLocker compromise.
Critical Infrastructure Resilience
HelloKitty is a human-operated ransomware group that has been active since November 2020. The group's notoriety comes from infiltrating corporate networks, stealing data, and encrypting systems to demand ransoms, including double extortion. One of their most significant attacks was on CD Projekt Red in February 2021, where they claimed to have stolen source code for games such as Cyberpunk 2077 and The Witcher 3. In the summer of 2021, they expanded their targeting to the VMware ESXi virtual machine platform using a Linux variant.