The latest episode of the CyberHub Podcast, hosted on August 29, 2024, focused heavily on critical infrastructure threats, reflecting the host's experiences at a recent power plant user group conference. The episode covered a range of topics, including a new Iranian cyber campaign, vulnerabilities in industrial control systems, and the latest in ransomware tactics.
The podcast also touched on disruptions in the Netherlands caused by an IT malfunction at the Dutch Defense Ministry and the arrest of a former industrial company engineer involved in an extortion attempt.
Iranian Cyber Threats
Iranian-backed group, Peach Sandstorm. U.S., UAE, Israel, Azerbaijan, among others. Custom backdoor malware "Tickler" for intelligence gathering, password spraying, targeting sectors like defense, education, and government. Espionage, intelligence theft, and supporting military operations through stolen IP.
Action Items:
Review and align threat hunting efforts with the TTPs and IOCs from recent advisories.
Increase monitoring of internet-facing assets, especially VPNs and other critical infrastructure elements.
Collaborate with federal agencies (FBI, DHS, CISA) for updated intelligence and threat assessments.
Critical Infrastructure Vulnerabilities
Beckhoff Automation TwinCAT & PSD OS: Vulnerabilities disclosed by Nozomi, impacting industrial PCs. Remote monitoring, PLC logic tampering, potential for widespread power disruptions. Urgent patch advisory for MicroSCADA X600 product used in critical infrastructure.
Action Items:
Apply patches immediately to Beckhoff and Hitachi Energy systems to mitigate severe vulnerabilities.
Review incident response plans for potential exploitation scenarios in SCADA environments.
Schedule downtime for patching, ensuring minimal disruption while securing critical infrastructure.
CCTV Botnet Campaign
Exploitation of zero-day vulnerability in AFTEC CCTV cameras for crypto mining botnet. Critical infrastructure at risk due to widespread use of vulnerable cameras.
Action Items:
Replace vulnerable CCTV cameras as no patches are available.
Increase network segmentation to limit exposure of IoT devices to critical networks.
VMware ESXi Ransomware Threat
CVE-2024-37085 allows attackers to use Active Directory privileges to access VMware ESXi hosts. Groups like BlackByte, Manty Tempest, Scattered Spider leveraging this for ransomware attacks.
Action Items
Review Active Directory configurations to ensure proper access controls are in place.
Enhance visibility into VMware ESXi environments to detect and prevent unauthorized access.
Dutch Defense Ministry IT Disruption
IT malfunction causing significant disruption in the Netherlands, affecting air traffic, emergency services, and civil servants. Investigation ongoing; potential cyber attack not ruled out.
Action Items:
Monitor updates from Dutch authorities for developments on the cause and impact of the disruption.
Review contingency plans for similar scenarios, particularly in air traffic control and emergency services.
Insider Threat and Extortion Case
Daniel Rhyan, former core infrastructure engineer. Attempted to extort his former employer by launching a ransomware attack and demanding 20 bitcoins. Arrested and facing charges of extortion, intentional computer damage, and wire fraud.
Action Items:
Conduct thorough background checks and monitoring of employees with elevated access.
Review and update insider threat programs to detect and prevent unauthorized access by disgruntled employees.
CrowdStrike Earnings Impact
$60 million sales pipeline impact due to blue screen of death incident from recent sensor update. CrowdStrike confident in recovery, maintaining strong ARR despite the setback.
Conclusion:
The episode highlighted the escalating threats to critical infrastructure, the need for vigilance in cybersecurity practices, and the importance of swift action in patching and threat mitigation. Practitioners are urged to stay informed and proactive in addressing these evolving challenges.
👀 SHOW Supporters:
Today’s Episode is supported by our friends at Nudge Security free 14-day trial to all CyberHub Podcast community members at https://www.nudgesecurity.com/cyberhub
✅ Story Links:Â
https://www.securityweek.com/iranian-hackers-use-new-tickler-malware-to-collect-intel-from-us-uae/
https://therecord.media/iran-government-working-with-ransomware-hackers-fbi-advisory
https://www.darkreading.com/ics-ot-security/cctv-zero-day-targeted-by-mirai-botnet-campaign
https://therecord.media/netherlands-defense-ministry-data-center-malfunction-outages
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1 Â
✅ Important Links to Follow:Â
👉Substack:
👉Listen here: https://linktr.ee/cyberhubpodcast  Â
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/Â
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/Â
👉Twitter (X): https://twitter.com/cyberhubpodcastÂ
👉Instagram: https://www.instagram.com/cyberhubpodcastÂ
✅ For Business Inquiries: info@cyberhubpodcast.com
=============================
✅ About The CyberHub Podcast.
The Hub of the Infosec Community.Â
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.Â
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
🚨 Iran Targets Critical Infrastructure & Colludes with Ransomware Gang, Our Grid is Vulnerable, Crowdstrike News