The Good
“Ring! Ring!”
“Who’s There?”
“Multi-Factor Authentication!!!”
On February 18, Ring (parent company Amazon) announced that it would be implementing new, mandatory layers of security for Ring customer accounts. Specifically, MFA will be required for all customers upon logging in to their Ring accounts. Customers can choose to receive a token via email or SMS as the second method of authentication. These changes come after multiple stories came to light surrounding the hijacking of Ring accounts…and, as a result, devices. While not everyone is accustomed to ‘mandatory’ MFA, this should be viewed as a positive and necessary step forward.
Recent history has already shown that strong controls are required in order to secure these and all other IoT devices. MFA, while not perfect, is a step in the right direction in the ongoing quest to secure IoT devices and services. We all like to resist change, and it can be hard to work against that ‘friction’. However, the same could be said for giving up floppy disk drives, or headphone jacks, etc. When driving toward the greater good, a small process change (mandatory MFA) that stands between the good guys and the villains should be seen as an admirable example of moving forward.
The Bad
Critical Plant Shuts Down for Two Days After Ransomware ‘Hits the Gas’
A ransomware attack recently forced the shutdown of a U.S.-based natural gas plant. The infection had a direct effect on safety and operational systems. According to reports, the Department of Homeland Security said that “personnel were prevented from receiving crucial real-time operational data from control and communications equipment”.
It is reported that the attack started with a malicious email. This serves as a great reminder that email is still the top delivery vector for malware. The US Cybersecurity and Infrastructure Security Agency (CISA) released Alert (AA20-049A), providing additional information surrounding the event. The alert confirms the spear-phishing delivery mechanism. The attackers established a foothold on the “IT network” and subsequently pivoted to the OT network, which provided access to HMIs (human-machine interfaces), polling servers and historical data storage. CISA states that no PLCs were affected, nor was control lost on any specific system. The shutdown was done in direct response to events as they unfolded, with the decision being made to shut down the plant’s operations in a deliberate and controlled manner.
The Ugly
APT28 and 2019 Attack Campaigns Against Georgia
By now we should all be familiar with APT28 (aka Fancy Bear, G74, Sofacy, Sednit, etc). The state-backed group has been focusing its efforts on high-value targets in the chemical engineering, defense, government, industrial systems, and intelligence sectors for well over a decade. Notable campaigns include “Pawn Storm”, “Russian Doll”, the breach of the International Olympic Committee, and more. This week the UK’s NCSC (National Cyber Security Centre) announced that this same group was behind a series of cyberattacks against Georgia in October 2019. The NCSC emphasized this claim with “the highest level of probability”.
The attacks in question were focused on a number of Georgian web hosting companies, along with media entities. Multiple Georgian TV stations were forced offline, in addition to the defacements and availability attacks. The U.K. has come out strongly on this series of attacks (and the subsequent attribution). Britain and Georgia are allies, and therefore there are both cyber and political ramifications to the ongoing behavior being observed out of the Russian GRU.
It’s worth noting that these attribution stories can sometimes be difficult to interpret. In some cases, their release may be timed in strategic ways so as to coincide with other world events. However, we can be sure that the more that is exposed about these state-backed groups, the better. And when we have allied nations pointing the finger, that makes the message far more serious.