#NSBCS.030 - Escalating Cyber Threats to Critical Infrastructure Systems

Source: NSB Cyber


Escalating Cyber Threats to Critical Infrastructure Systems

Operational technology (OT) systems, integral to critical infrastructure, are increasingly vulnerable to cyberattacks as threat actors and hacktivists target these networks. According to the newly released 2023 Dragos OT Cybersecurity Year in Review report, ransomware incidents in industrial organisations have surged by nearly 50%, with sophisticated groups like VOLTZITE focusing on sectors such as electric power and defence. These groups utilise advanced techniques for prolonged surveillance and data exfiltration, exacerbating the risk to essential services.

Ransomware remains the leading attack vector in the industrial sector, with incidents increasing by 50% from 2022. LockBit was responsible for 25% of global industrial ransomware attacks, followed by ALPHV and BlackBasta at 9% each. The manufacturing sector is the most targeted, accounting for 71% of all ransomware attacks. While ransomware groups do not specifically target ICS and OT systems, these environments are still at risk because of precautionary shutdowns and flattened networks that let an IT intrusion reach OT assets.

The report reveals that 80% of vulnerabilities in industrial control systems (ICS) are deeply embedded, making them difficult to detect and address. The Australian Cyber and Infrastructure Security Centre (CISC) and the Five Eyes Intelligence Alliance emphasise the critical need for robust cybersecurity measures to protect against foreign espionage and interference. Programs like the Critical Infrastructure Risk Management Program aim to bolster national resilience by enforcing stringent asset monitoring and intelligence-based threat detection protocols.

Enhanced cybersecurity measures are paramount in safeguarding critical infrastructure from sophisticated cyber threats. Implementing advanced threat intelligence, comprehensive security strategies, and strict monitoring protocols is crucial to maintaining the integrity and functionality of essential services. Strengthening these defences through coordinated efforts between public and private sectors is imperative, and will help address the evolving landscape of cyber risks, preventing #NoStepsBackward!

For information on NSB Cyber’s Cyber Threat Intelligence or Defence capabilities, or to book a meeting with our team, click here.


What we read this week

  • VMware fixes critical vCenter RCE vulnerability, patch now - VMware has released patches for critical vulnerabilities in vCenter Server that could lead to remote code execution (RCE) and local privilege escalation. These flaws, identified as CVE-2024-37079, CVE-2024-37080, and CVE-2024-37081, allow attackers to send crafted packets or exploit misconfigurations to gain control over affected systems. No active exploitation has been detected yet, but admins are urged to apply the updates immediately. The patches ensure that ongoing workloads remain unaffected, though temporary management interface downtime is expected during updates.

  • Panasonic Australia Confirms Cyber Incident - Panasonic Australia has confirmed a cyber incident following claims by the Akira ransomware group, which listed the company on its darknet leak site. Despite these claims, Panasonic asserts that no business or customer data has been compromised. The company has taken immediate actions to secure its systems and initiated a thorough investigation. Continuous 24-hour monitoring has shown no further threats, and Panasonic's day-to-day operations remain unaffected.

  • New Malware Targets Exposed Docker APIs for Cryptocurrency Mining - A new malware campaign has been identified targeting exposed Docker API endpoints to deploy cryptocurrency miners and other malicious payloads. The malware uses a series of shell scripts and Golang binaries to conduct reconnaissance, escalate privileges, and propagate itself via SSH. Notably, it disables firewalls, installs scanning tools, and fetches additional payloads like XMRig miners. This attack, an update to the "Spinning YARN" campaign, reflects the ongoing threat to misconfigured Docker hosts, emphasizing the need for robust security practices.

  • AMD investigates breach after data for sale on hacking forum - AMD is investigating a potential data breach after a hacker claimed to possess and sell stolen data on a hacking forum. The data reportedly includes AMD employee information, financial documents, and confidential details. AMD is working with law enforcement and third-party partners to assess the legitimacy and impact of the breach. The hacker, known as IntelBroker, has a history of high-profile breaches and shared screenshots of the alleged data but has not disclosed the asking price or the method of acquisition.

  • Alleged Accenture IT data posted on BreachForums - A well-known threat actor named "888" has posted data allegedly stolen from Accenture on BreachForums, claiming it includes information on over 32,000 current and former employees. The leaked data purportedly contains full names, email addresses, and broadcast dates. Accenture has not yet commented on the incident, and this follows previous claims by 888 of other high-profile data breaches. The situation is evolving, and further updates are expected as more details emerge.

