This week, we discuss new research into attacks on industrial control systems, Reddit’s recent breach, and an apparent crackdown on SIM swap fraud
Hello and welcome to the IT Governance podcast for Friday, 10 August. Here are this week’s stories.
A new report from Cybereason has highlighted the alarming scale and variety of attacks faced by ICS or industrial control systems, and it seems that it’s not only nation-state attackers but also opportunistic traditional cybercriminals that are now targeting utility providers.
Cybereason’s researchers recently set up a honeypot environment with a network architecture that replicated that of a “typical power substation” and waited. Only two days after the honeypot was launched, it was attacked by a black-market seller, who installed backdoors that would allow anyone to access it, even if admin passwords were changed. This asset was then, it seems, listed for sale on the xDedic black market.
“For the next few days,” Cybereason says, “the honeypot was hit with cryptomining bots, phishing bots, DDoS bots, activity that Internet-connected assets typically experience”. But then, ten days after the honeypot went live, another actor – who’s believed to have bought access from the seller – “connected to it using one of the backdoors created by the seller” and conducted reconnaissance “aimed at finding an entry point from the IT environment to the [operational technology] environment.”
According to Cybereason, the biggest lesson to be learned from their research is “that multiple tiers of attackers find ICS environments interesting. That’s increasing risk for people who operate those types of systems. The security basics are really what’s going to prevent a bad day from becoming a catastrophic day”.
UK operators of essential services, including those in the energy sector, must comply with the NIS Regulations, which implement the EU’s Directive on security of network and information systems and which, among many other obligations, require them to implement appropriate technical and organisational measures to secure their network and information systems.
Reddit’s recent data breach came to light too late to be included in last week’s podcast, and I imagine you’ve all heard about it by now, but it’s still worth mentioning, I think, not least because of the surprising way Reddit responded – and because of the issues it raises about using SMS or text messages rather than tokens as part of two-factor authentication.
A quick summary in case you missed it: in June, an attacker compromised some Reddit staff accounts by intercepting SMS two-factor authentication codes, presumably via SIM swapping, and gained read-only access to logs containing “email digests” from 3 June to 17 June this year. These included recipients’ usernames and email addresses.
They also accessed a 2007 backup database containing Redditors’ usernames, email addresses, salted and hashed passwords and all content, including private messages, dating from 2005, when the site launched, to May 2007.
An unspecified amount of corporate data, including “source code, internal logs, configuration files and other employee workspace files”, was compromised too.
Reddit didn’t disclose how many users might have been affected, nor did it say it would notify those whose current email addresses and usernames were accessed via the compromised email digests. According to the BBC, that decision has “baffled prominent, independent security researchers”. The worry is that the information could be used to link Redditors’ accounts to their real identities: Reddit accounts are pseudonymous, and some subreddits contain sensitive information and opinions that people might not want made public, so the breach is likely to be causing many users concern.
Instead, Reddit encouraged users to check themselves if their details were affected and then reset their passwords. It also advised them to “think about whether there’s anything on [their] Reddit account that [they] wouldn’t want associated” with their email address, and provided instructions on removing information from Reddit.
Reddit has also tightened its security and switched from SMS-based two-factor authentication to token-based two-factor authentication, which is less susceptible to interception – a timely reminder that all companies need to keep up with evolving threats by continuing to invest in appropriate security measures. Although SMS authentication is better than nothing, you’re better off switching to a different secondary authentication factor, such as an app-generated token.
So, how do criminals intercept SMS or text messages? Mobile or, for our US listeners, cell phones’ SIM cards can of course be changed legitimately – for example if they’re damaged, or if you upgrade to a new phone that takes a different-sized one.
However, criminals often pose as customers and take advantage of mobile phone companies’ lax security, or work directly with corrupt phone shop staff, in order to illegitimately obtain new SIM cards, which give them access to victims’ phone numbers. They can then receive authentication texts from banks and other online services, enabling them, among other things, to access and empty victims’ accounts.
There appears to have been something of a crackdown on SIM swap fraud of late: Brian Krebs reported this week that a 25-year-old man, Ricky Joseph Handschumacher, had been arrested in Florida for his involvement in “a multi-state cyber fraud ring that hijacked mobile phone numbers in online attacks that siphoned hundreds of thousands of dollars worth of bitcoin and other cryptocurrencies from victims”.
And last month, as reported by Motherboard, twenty-year-old Joel Ortiz was arrested in California, accused of being a member of a criminal group that stole more than $5 million in cryptocurrency. Ortiz faces 28 charges of identity theft, hacking and grand theft. According to Motherboard, other members of the OGUSERS community – a marketplace “that SIM swapping hackers use to sell stolen accounts” – are bracing themselves for further arrests.
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.