Risky Biz News: EPA releases cybersecurity guidance for US public water sector

In other news: BitBNS hid $7.5 million hack; vulnerabilities expose location of DJI drone operators; new FiXS malware found on ATMs in Mexico.

This newsletter is brought to you by Airlock Digital, Proofpoint, runZero, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The US Environmental Protection Agency (EPA) is directing states to include cybersecurity in their sanitary surveys, which are periodic audits of public water systems.

To help states get underway, the EPA has published a technical document with guidance [PDF] intended to assist states with integrating cybersecurity into sanitary surveys.

EPA officials say they issued the memorandum after efforts to improve cybersecurity through voluntary measures "yielded minimal progress." The EPA says the document "is designed to be used right away" and can play a major role in "improving the cybersecurity of operational technology used for safe drinking water."

The EPA's memorandum marks the first major new critical infrastructure initiative announced following the White House unveiling National Cybersecurity Strategy last week.

It also comes after a series of high-profile hacks of US water utilities across the US, including attempts to modify water treatment chemical levels in the San Francisco Bay Area, Oldsmar, Florida, and Belle Vernon, Pennsylvania.

The Record reports that in a press call following the launch of its new cybersecurity memorandum, EPA officials say they've tracked down cyberattacks on water facilities to cybercriminals, state-backed groups, but also disgruntled employees.

"Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health," says EPA Assistant Administrator for Water Radhika Fox.

Breaches and hacks

GunAction leak: Hackers have breached GunAction.com, an online auction portal for US gun owners. The data of more than 550,000 gun owners who sold or bought guns through the site has been stolen, according to TechCrunch. The incident came to light after a security researcher found the hackers' server where the stolen GunAuction user data was being stored. The researcher says the storage server had been left unprotected online. GunAuction confirmed the hack and says it plans to notify all affected users.

Flutterwave hack: Hackers have stolen ₦2.9 billion ($6.3 million) from the accounts of Flutterwave, a Nigerian company that creates software for banks and financial services providers. The incident took place in early February, and according to Techpoint Africa, the hack is still under investigation by Nigerian authorities. Flutterwave says the stolen funds were sent to accounts at 28 local banks, from where they were laundered to new locations.

BitBNS hack: Gaurav Dahake, the CEO of India-based cryptocurrency exchange BitBNS, confirmed in a YouTube AMA session that his company was hacked at the start of last month, in February 2023. Dahake says the company kept the incident private at the request of local law enforcement. The CEO's admission came after a blockchain security expert named ZachXBT linked a "system maintenance" event on February 1 to the exfiltration of $7.5 million worth of assets from customer accounts.

TheSandbox incident: Blockchain metaverse company TheSandbox has disclosed a security incident. The company says that on February 26, one of its employees was hacked, and their account was used to send emails to its users with a link to a malware-laced file. TheSandbox says the incident was traced back to malware installed on the employee's laptop, which has since been formatted to remove the infection.

Chick-fil-A cred-stuffing: Fast-food restaurant chain Chick-fil-A says it's been under a near-constant credential-stuffing attack from December 18, 2022, to February 12, this year. The company says that more than 71,000 customers had their accounts compromised in the attacks. Chick-fil-A says that where funds were loaded, it is now restoring balances to compromised accounts, but also prompting users to reset passwords and remove any stored credit/debit card payment methods.

Mastodon DDoS attacks: Fosstodon, the largest Mastodon instance dedicated to open-source software experts, says it suffered a major DDoS attack that took down both its mobile and desktop clients. The attack marks the latest in a long string of DDoS attacks that have hit Mastodon instances over the past few months. Most of the attacks took place after Twitter users started migrating to the platform after Elon Musk's acquisition, his unban of right-wing and QAnon nutjob accounts, and the birdsite's issues with porn spam and political propaganda.

River cameras hack: Japanese officials say that in mid-January of this year, hackers gained access to 261 river monitoring cameras across the Kansai region. That's around a third of all the river monitoring cameras installed across the region. The cameras, installed in February 2020, capture images of local river levels every 10-to-15 minutes. Officials haven't yet attributed the hack.

General tech and privacy

TikTok's data collection: A Gizmodo investigation found more than 28,000 mobile applications are collecting data from their users and then re-selling that information to ByteDance, TikTok's parent company, even if those users have never installed the TikTok app.

Chrome 111: Early versions of the Chrome 111 release rolled out to some users last week. Only 10% of users received this update. The rest of the userbase will receive this version later this week. New stuff in this release is support for Azure AD single sign-on (SSO), first support for the new Privacy Sandbox project, and a new Chrome Sync screen.

Risky Business Demo

In this Risky Business demo, Tines CEO and co-founder Eoin Hinchy demonstrates the Tines no-code automation platform to host Patrick Gray.

Government, politics, and policy

Australia's critical infrastructure plan: Australia's Cyber and Infrastructure Security Centre (CISC) has published its Critical Infrastructure Resilience Strategy and Plan, a guide to help secure Australia's critical infrastructure interests from 2023 to 2028.

Australia and UK sign spam cooperation memorandum: Australia and the UK's privacy watchdogs have signed a joint memorandum of understanding to coordinate their efforts against nuisance calls and spam messaging.

New Pegasus case in Poland: Poland's intelligence services have allegedly hacked the phone of Jacek Karnowski, the mayor of a small Polish resort town named Sopot. According to a report from Gazeta Wyborcza, the hack took place between 2018 and 2019, when Karnowski was working on his party's campaign for the upcoming Parliamentary election.

Apple warns Armenians about state-sponsored attacks: Apple sent out private notifications to Armenian political figures last week warning of state-backed hacking activity that targeted their devices. Among those who received the alerts was Alen Simonyan, President of Armenia's National Assembly. Local security experts believe the government of Azerbaijan is behind the attacks in an attempt to spy on Armenian officials in relation to a Nagorno-Karabakh conflict that broke out last fall between the two countries. This marks the fourth wave of state-backed notifications that Apple has sent to Armenian users, with the first wave being sent out in 2020, during the second Nagorno-Karabakh war.

USSS, ICE warrantless surveillance: A report from the Office of the Inspector General for the Department of Homeland Security has found that the US Secret Service and the US Immigration and Customs Enforcement have not obtained court orders for multiple operations in 2020 and 2021 where they deployed cell-site simulators (also known as stingrays) to intercept mobile communications. The report found that one Secret Service field office had deployed stingrays on multiple occasions on behalf of a local law enforcement agency without obtaining court warrants. The report also found that the ICE "did not believe court authorization was required" for some of its operations. Furthermore, the report also found that neither the USSS nor the ICE were documenting operations related to supervisory approval and data deletion procedures.

Cybercrime and threat intel

UniCC admins plead guilty: Four Russian nationals have pleaded guilty to running UniCC, a carding forum for selling and buying stolen payment card data. Russian authorities say the four were part of Infraud, a large cybercrime cartel first exposed by international law enforcement in 2018. The four suspects were detained in Moscow in January 2022 following a local investigation by the FSB. Cryptocurrency worth more than 1 billion rubles ($13 million) was seized from the group, funds believed to have been made via the UniCC website.

Subdomain takeover campaign: UK security researcher Kieran M. has discovered a threat actor engaging in a sprawling subdomain takeover campaign.

"Taking ownership of 700 Elastic IPs/EC2 instances just to display a mysterious message is an expensive stunt. This is roughly a $2000/month operation so they are clearly well-funded. Perhaps this is a research company looking to claim some publicity? If so, why not put their logo straight on the front page? Why not inform the owners of the domain in good faith?

Perhaps this is just an eccentric side-hobby of a well-funded and patient independent actor. The Riddler of subdomain takeovers. If so, they have definitely given me some interesting food for thought!"

BEC phishing campaign: Palo Alto's Unit42 says it's tracking a BEC phishing campaign that's spreading a version of the LokiBot infostealer.

2020 BEC campaign still active: ElasticIQ says that a BEC threat actor they first saw in 2020 is still active and engaging in new attacks. ElasticIQ says the attacker is trying to infect victims with versions of the Agent Tesla or Formbook remote access trojans. After all these years, the attacker's targeting has remained the same—still targeting the maritime transport industry.

Malware technical reports

Debunk: Łukasz Siewierski, an Android malware reverse engineer at Google, has debunked a paper from a US security researcher named Jonathan Scott in which Scott claimed that Citizen's Lab research on the use of NSO Group spyware by Moroccan authorities was wrong.

FiXS ATM malware: Security researchers at Metabase Q have discovered a new malware strain named FiXS that has been used in ATM jackpotting attacks in Mexico throughout February 2023. FiXS is vendor-agnostic and can work on any ATM that supports CEN XFS, a suite of protocols and APIs supported by the banking industry. The malware comes with its own interface menu through which threat actors can order the ATM to dispense cash from its internal cassettes. Researchers say it's unclear how threat actors install FiXS on ATM devices, but the malware appears to be very advanced.

Redirection Roulette attacks: Since September 2022, a threat actor has compromised tens of thousands of websites aimed at East Asian audiences to redirect visitors to gambling and adult portals. The attacks, discovered by cloud security firm Wiz, have hit websites hosted on a wide array of infrastructure, and the method they are being compromised is still unknown. Once the attackers get access to a website, they insert a JavaScript file on the site that will selectively redirect incoming users to a desired destination. Wiz notes that clues in this script suggests the threat actor might soon be preparing to redirect Android users to websites hosting malicious apps.

Magbo injections: Similarly, Sucuri has documented a threat actor compromising WordPress sites to inject a script that shows popup ads.

RunZero is one of this newsletter's four main supporters and this week's featured sponsor. The company's main product is its network discovery and asset inventory platform, which can be used to find any managed and unmanaged assets inside a customer's network. To learn more, please check out this runZero product demo below:

APTs and cyber-espionage

ScarCruft: AhnLab has a report out on a recent ScarCruft (APT37, RedEyes) targeting South Korean audiences.

Vulnerabilities and bug bounty

DJI drone research: A team of academics has identified 16 vulnerabilities in the firmware and radio signals of DJI drones. Researchers say the vulnerabilities can be used to pinpoint the location of a drone operator, change a drone's serial number and disguise its identity, and even hijack drones and make them land. The research team says it was able to spot these vulnerabilities in a DJI tracking protocol named DroneID, which DJI left unencrypted, and the researchers were able to reverse-engineer and analyze for the first time.

Microsoft out-of-band security update: Microsoft has released emergency out-of-band security updates to fix "potential security vulnerabilities" in Memory Mapped I/O (MMIO) on some Intel processors. The update is only available via the Microsoft Update Catalog and not the classic Windows Update mechanism.

Sonicwall updates: Sonicwall has pushed a security update for its SonicOS web management panel that "allows an unauthenticated remote attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash."

DataHub audit: GitHub's security team has published the results of a security audit of DataHub, a platform many of its customers use to find and manage GitHub metadata. All discovered issues have since been fixed.

"Through our audit, we discovered several vulnerabilities in the platform's authentication and authorization modules, which could have enabled an attacker to bypass authentication and gain access to sensitive data stored on the platform. We also identified several other vulnerabilities, such as Unsafe Deserialization, JSON Injection, Server-Side Request Forgery, and Cross-Site Scripting (XSS). All of these vulnerabilities could have been leveraged to compromise user accounts, gain access to sensitive data, and perform other malicious activities."

CVE-2023-21839 (Oracle WebLogic): Chinese security researcher 4ra1n has released a PoC for CVE-2023-21839, an RCE in the Oracle WebLogic server, patched by Oracle in January.

Infosec industry

The Daily Swig shuts down: PortSwigger's news reporting arm, The Daily Swig, shut down operations last week.

"We have written stories about numerous bad actors, some of whom are well-funded, and we have been obliged to pay settlements for malicious legal actions. We have sometimes been targeted by activists seeking to damage our software business because they dislike our story. This reality made it harder to justify continuing with the Swig."

Audit Logs Wall of Shame: A team of security researchers has put together a database with reviews on the type of audit logs provided by various companies and their usefulness in SOC investigations—the Audit Logs Wall of Shame.

Candiru victims database: GranittHQ is assembling a database of all known victims who have been infected with Candiru's Predator spyware.

Acquisition news: Hewlett Packard Enterprise has acquired Axis Security, a provider of cloud security solutions. HPE plans to integrate Axis products into its existing Aruba secure networking offerings.