SANS NewsBites

FBI: TRITON Malware Used in Attacks Against Energy Companies; CISA Adds 66 Vulnerabilities to Catalog; HHS Office of Civil Rights Enforcement Actions

March 29, 2022  |  Volume XXIV - Issue #25

Top of the News


2022-03-28

FBI: Triton Malware is Being Used Against Energy Companies

The FBI has issued a TLP:WHITE Private Industry Notification warning that Triton malware, also known as Trisis, is still a threat to critical infrastructure industrial control systems (ICS) around the world. The bulletin describes the threat, including the 2017 Triton attacks targeting a petrochemical company in the Middle East.

Editor's Note

TRITON malware has been around since 2017. If you are responsible for securing Industrial Control Systems, this should not be news to you. However, the recommended best practices are not trivial to implement in these environments but hopefully you are making progress.

Jorge Orchilles

The IC3 recommendations include using a one-way-link for receiving data from targeted systems such as the Schneider Electric Triconex safety instrumented system in addition to making sure they are properly isolated, security features enabled, and firmware/OS/applications kept updated. Leverage change management and logging to make sure things remain properly configured and any malicious activities are detected.

Lee Neely

2022-03-28

CISA Adds 66 Flaws to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 66 security issues to its Known Exploited Vulnerabilities catalog. Federal agencies have until April 18 to patch the vulnerabilities. The flaws’ disclosure dates range from 2005 to 2022.
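The catalog is published as a JSON feed, and the practical use the editors describe is cross-referencing it against your own asset inventory and working the entries in due-date order. The following script is an added example (not CISA's code and not from the newsletter) that does exactly that offline. The embedded JSON is a constructed sample that follows the field names of the public KEV feed (cveID, vendorProject, product, dateAdded, requiredAction, dueDate); the CVE-2022-1096 entry and its April 18 due date come from this issue, while the CVE-0000-0000x identifiers, the host names and the inventory mapping are placeholders invented for the demo.

```python
"""Turn a CISA KEV-style catalog export plus a scan inventory into a patch plan.

Added example for this page; not CISA's code. SAMPLE_KEV_JSON mimics the
public feed's field names but is constructed, and CVE-0000-0000x are
placeholder identifiers, not real CVEs.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = """
{
  "title": "Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2022-1096", "vendorProject": "Google", "product": "Chromium V8",
     "dateAdded": "2022-03-28", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-04-18"},
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleFirewall",
     "dateAdded": "2022-03-25", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-04-01"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "ExampleMailServer",
     "dateAdded": "2022-03-28", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-04-18"}
  ]
}
"""

# Constructed inventory: host -> CVE IDs a vulnerability scanner reported present.
# CVE-0000-9999x are placeholders for findings that are NOT in the catalog.
SAMPLE_INVENTORY = {
    "web-01": ["CVE-2022-1096", "CVE-0000-00002"],
    "fw-edge": ["CVE-0000-00001", "CVE-0000-99999"],
    "db-02": ["CVE-0000-99998"],
}


def load_kev(text: str) -> dict:
    """Parse a KEV feed export into {cveID: entry}, converting dueDate to a date."""
    catalog = {}
    for entry in json.loads(text)["vulnerabilities"]:
        entry = dict(entry)
        entry["dueDate"] = date.fromisoformat(entry["dueDate"])
        catalog[entry["cveID"]] = entry
    return catalog


def prioritize(catalog: dict, inventory: dict, today: date) -> list:
    """Return the inventory findings that are in the catalog, earliest due date first.

    Findings not in the catalog are dropped here: they still need patching,
    but the catalog's point is that these ones are known to be exploited.
    """
    hosts_by_cve = {}
    for host, cves in inventory.items():
        for cve in cves:
            if cve in catalog:
                hosts_by_cve.setdefault(cve, []).append(host)

    plan = []
    for cve, hosts in hosts_by_cve.items():
        entry = catalog[cve]
        days_left = (entry["dueDate"] - today).days
        plan.append({
            "cveID": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"].isoformat(),
            "days_left": days_left,
            "overdue": days_left < 0,
            "hosts": sorted(hosts),
            "requiredAction": entry["requiredAction"],
        })
    # Earliest deadline first; tie-break on the CVE ID for a stable report.
    plan.sort(key=lambda item: (item["dueDate"], item["cveID"]))
    return plan


if __name__ == "__main__":
    for item in prioritize(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date(2022, 4, 5)):
        flag = "OVERDUE" if item["overdue"] else f'{item["days_left"]}d left'
        print(f'{item["dueDate"]}  {item["cveID"]:<15} {flag:<9} {item["product"]}  hosts={item["hosts"]}')
```

In practice you would replace `SAMPLE_KEV_JSON` with the downloaded feed and `SAMPLE_INVENTORY` with scanner output; the sort on `dueDate` is what turns the catalog into the prioritization the editors recommend, and the `overdue` flag is the item to show management.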

Editor's Note

You're watching this catalog, right? Just because a vulnerability is old doesn't mean the exploit doesn't still exist or isn't in use. Make sure that you're not ignoring or accepting the risks of these in your environment. Remind management that these are being exploited, not just hypothetical weaknesses.

Lee Neely

This list is now up to 602 entries. These are vulnerabilities that you should have patched by now, but we understand vulnerability management is hard. This is another useful resource that helps your organization prioritize.

Jorge Orchilles

CISA deserves a lot of kudos for this initiative. I recommend everyone responsible for cybersecurity in their organization become familiar with the Known Exploited Vulnerabilities catalog and implement it within their own vulnerability management program.

Brian Honan

2022-03-28

Dept. Of Health and Human Services Office of Civil Rights Enforcement Actions

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced enforcement actions against four healthcare providers over possible violations of the Health Insurance Portability and Accountability Act (HIPAA). HHS OCR has reached settlements with organizations in Pennsylvania, North Carolina, California and Alabama. Two settlements involve potential violations of HIPAA’s right of access standard.

Editor's Note

HHS OCR averaged over 740 corrective actions over 2017 – 2021, with on average 411 breach-related penalties and corrective actions. The three incidents noted here are kind of different – two were refusal by small practices to send patients their medical records and the other was a dentist responding to a bad online review by posting details of a patient’s treatment. If you work in a small medical practice, these are good items to use to show why access policies need to be in place and employees trained.

John Pescatore

Information protection is a balance between providing allowed access to information and protecting it, made more difficult by ever evolving regulations and increased system interconnection. If you're not sure, contact your legal or other informed expert, the fine will exceed the cost of counsel. Use caution responding to negative feedback, particularly when delivering “the facts.” Compose what you really want to say, delete it, count to 100, re-compose, count again, and have a peer check it, then maybe post it. It's easy to get drawn into an argument you cannot win, so skipping the response may be prudent.

Lee Neely

The Rest of the Week's News


2022-03-28

Sophos Patches Firewall Vulnerability

Sophos has released an update to address a critical authentication bypass vulnerability in its Firewall products. The flaw exists in the User Portal and Webadmin of the Sophos Firewall, and could be exploited to allow remote code execution.

Editor's Note

This is the type of flaw that has often been compromised in the past to gain access to networks. An attacker controlling the firewall is not only able to disable it, but also able to intercept and redirect traffic passing through the firewall. Patch this flaw as soon as possible even if there is currently no publicly known exploit.

Johannes Ullrich

It is interesting to note that the default configuration for the affected Sophos firewalls is to apply the patch automatically, but note that many updates require the system to be rebooted before it takes effect.

Brian Honan

Make sure that your Sophos firewall user portal and Webadmin interfaces are not Internet or WAN accessible. Next, apply the hotfixes and make sure that you're on supported versions of the Sophos firewall. Verify boundary protection devices are at the top of your priority list for lifecycle replacement.

Lee Neely

2022-03-28

Windows Driver Blocker Added to Defender

Microsoft is adding a Vulnerable Driver Blocklist to Windows Defender on Windows 10, Windows 11, and Windows Server 2016 or newer. The blocklist will comprise information from Microsoft and from OEM partners.

Editor's Note

Implementing this block list requires testing in audit mode first and then enabling the block to ensure devices don’t blue screen or get bricked.

Jorge Orchilles

If you're not allowing only approved drivers, this provides an opportunity to at least block known bad ones. Microsoft also recommends running devices with Hypervisor-protected code integrity (HVCI) enabled or in S mode. Test in audit mode before fully implementing this change to prevent malfunction/BSOD.

Lee Neely

2022-03-28

Chrome and Edge Updates Fix Flaw that is Being Actively Exploited

Google and Microsoft have updated Chrome and Edge, respectively, to address a high-severity zero-day vulnerability. The type-confusion flaw in the V8 JavaScript engine could be exploited to cause crashes and possibly lead to code execution. Users should update to Chrome version 99.0.4844.84 or newer; Microsoft has pushed out the Edge update.

Editor's Note

Make it a habit to check your browser for updates at least once a week, and restart the browser at least once a day. Restarting the browser will often trigger an update.

Johannes Ullrich

CVE-2022-1096 is being actively exploited in the wild. Your IT staff may have pinged you over the weekend about this update being pushed. Let them know now is a good time to do it. Don't forget to update your Chromium-based browsers as well.

Lee Neely

2022-03-28

Ukrtelecom ISP Experienced Cyber Attack

Ukrainian ISP Ukrtelecom’s IT infrastructure was the victim of a “massive cyberattack.” The incident affected the entire country; connectivity levels were estimated to be 13 percent of pre-war levels. On Monday, March 28, the country’s State Service of Special Communication and Information Protection said that the attack had been neutralized.

Editor's Note

The recovery plan included restoring service to priority customers, e.g. Ukraine's Armed Forces and related military organizations, before private users or business clients. Make sure that you've considered service restoration to priority customers vs everyone at once. As a customer, understand what key provider service restoration plans entail so you can plan accordingly.

Lee Neely

2022-03-25

Replay Vulnerability Can be Exploited to Unlock and Start Honda Automobiles

Researchers have found a vulnerability that can be exploited through a replay attack to unlock and remotely start certain Honda and Acura vehicles made between 2016 and 2020. The attack captures radio frequency signals sent to the car from a key fob and replays them at a later time. The researchers recommend that the car manufacturers use “rolling” or “hopping” codes.
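The difference between a static code and a rolling code is easiest to see in a toy model. The simulation below is an added illustration, not code from the newsletter or from the researchers, and it does not model any real vehicle protocol: the frame layout (a 4-byte counter plus a truncated HMAC-SHA256 tag), the shared key, and the acceptance window of 16 presses are all assumptions chosen for the demo. It shows why an identical frame is accepted twice by a static-code receiver, and why a counter-based receiver rejects it while still tolerating a few button presses that happened out of range.

```python
"""Static-code vs rolling-code receivers under the same replayed frame.

Added example for this page; not from the cited research. The protocol is a
toy constructed for illustration: real fob protocols use different framing,
ciphers and window sizes.
"""
import hashlib
import hmac
from dataclasses import dataclass

WINDOW = 16  # presses the receiver will skip ahead to (tolerates presses out of range)
TAG_LEN = 8  # bytes of the HMAC kept in the frame (assumption for the toy protocol)


@dataclass
class StaticFob:
    """Transmits the same fixed code every press: the replayable design."""
    code: bytes

    def press(self) -> bytes:
        return self.code


@dataclass
class StaticReceiver:
    code: bytes

    def accept(self, frame: bytes) -> bool:
        # Nothing distinguishes a live press from a recording of one.
        return hmac.compare_digest(frame, self.code)


@dataclass
class RollingFob:
    """Each press emits counter || MAC_key(counter) and then increments the counter."""
    key: bytes
    counter: int = 0

    def press(self) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, ctr, hashlib.sha256).digest()[:TAG_LEN]
        return ctr + tag


@dataclass
class RollingReceiver:
    key: bytes
    last_counter: int = 0  # highest counter value already consumed

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 4 + TAG_LEN:
            return False
        ctr_bytes, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, ctr_bytes, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter = int.from_bytes(ctr_bytes, "big")
        # A replayed frame carries a counter the receiver has already passed;
        # a frame too far ahead is also refused so the window stays bounded.
        if counter <= self.last_counter or counter > self.last_counter + WINDOW:
            return False
        self.last_counter = counter
        return True


def replay_succeeds(fob, receiver) -> bool:
    """One legitimate press is observed, then the identical frame is presented again."""
    captured = fob.press()
    if not receiver.accept(captured):
        raise RuntimeError("the legitimate press itself should be accepted")
    return receiver.accept(captured)


def demo() -> dict:
    """Constructed key and static code; returns whether replay worked per scheme."""
    key = b"constructed-demo-key"
    static_code = b"\x12\x34\x56\x78"
    return {
        "static": replay_succeeds(StaticFob(static_code), StaticReceiver(static_code)),
        "rolling": replay_succeeds(RollingFob(key), RollingReceiver(key)),
    }


if __name__ == "__main__":
    for scheme, worked in demo().items():
        print(f"{scheme:8} replay {'ACCEPTED' if worked else 'rejected'}")
```

The window is the design trade-off: it lets a fob pressed a few times out of range resynchronize, but every counter value at or below the last accepted one is dead, which is exactly what a recorded frame contains. It is also why the editors' advice to confirm non-static codes when buying applies to garage openers as much as to cars.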

Editor's Note

Much like a compromised reusable password, it will continue to work until changed. This is a bit different than password capture as the signal has to be captured over the air, so proximity matters. If you have a garage door opener with a static code, you have the same replay scenario, albeit the capture opportunity is different. Most late model vehicles do support non-static codes; verify this when purchasing. Double check your vehicles and other devices with wireless operation to determine your potential risks, and consider replacement where static codes are used.

Lee Neely

These replay and relay attacks are not new to cars or the industry. A HackRF One costs a little more than $300. Similar replay attacks for RFID are possible with a Proxmark. I am glad these vulnerabilities are getting more visibility.

Jorge Orchilles

2022-03-28

Prison Sentence for Ransomware

A judge in Virginia has sentenced an Estonian man to five-and-a-half years in prison for his role in a series of ransomware attacks. Maksim Berezan was also involved in other cyber-related criminal activity.

Editor's Note

The sentence of 66 months included an order to repay $36 million in restitution to his victims. His specialty was cash-outs and drops. Cash-outs use stolen credit cards to withdraw money or make fraudulent purchases while drops are a mechanism where money or goods are transferred to circumvent fraud detection by making the transactions hard to trace. This continues the trend where investigators are getting expert at discovery of crypto operations associated with malfeasance, reducing the viability of cryptocurrency payments.

Lee Neely

Internet Storm Center Tech Corner

XLSB Files Because Binary is Stealthier Than XML

https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/


BGP Hijacking of Twitter Prefix by RTComm.ru

https://isc.sans.edu/forums/diary/BGP+Hijacking+of+Twitter+Prefix+by+RTCommru/28488/


Dirty Pipe Container Escape PoC

https://www.datadoghq.com/blog/engineering/dirty-pipe-container-escape-poc/


PHP filter_var Shenanigans

https://pwning.systems/posts/php_filter_var_shenanigans/


OpenBSD slaacd vuln

https://blog.quarkslab.com/heap-overflow-in-openbsds-slaacd-via-router-advertisement.html


Google Chrome Update

https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html


DDoS Against Sites in Ukraine

https://www.bleepingcomputer.com/news/security/hacked-wordpress-sites-force-visitors-to-ddos-ukrainian-targets/


Sophos Patches

https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce


Sonicwall Patches

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0003


opnsense CARP protocol routing error

https://medium.com/sensorfu/firewall-bypass-with-carp-in-packet-filter-c4ed70fb7dd7