Newsletter 07/12/2023

 
Versus     

 

Valiantly Trying to Save Western Civilization,
One Attack At a Time, Part 3.  

After so many years of neglect and denial, in 2023 Uncle Sam got serious about protecting this nation's critical infrastructure.  Even this Congress has recognized the serious threat to our National Well-Being that cyberattacks on infrastructure represent.  In her opening statement at a hearing on May 16, 2023, titled “Protecting Critical Infrastructure from Cyberattacks: Examining Expertise of Sector Specific Agencies,” House Energy and Commerce Committee Chair Cathy McMorris Rodgers acknowledged the dangerous nature of the threats from cyberattacks.

Some highlights from her opening remarks should alarm every right-thinking American citizen:

Attacks that could deprive us of access to emergency services; food and water; and the ability to communicate with one another.

We depend on critical infrastructure to power our homes, ensure we can get to work, call for help in an emergency, supply us with clean water, and produce our food.

With technological advances, this network has become increasingly more complex and interconnected.

Bad actors, whether criminal organizations or foreign adversaries, have demonstrated a growing interest in launching cyberattacks on critical infrastructure. And unfortunately, many have demonstrated that they have the capability to do so.

Among its important functions, CISA is out in front of making vendors, and the impacted agencies and entities, aware of vulnerabilities in the software controls that manage much of the world's critical infrastructure.  Just recently, on July 6, 2023, CISA released an advisory, "Mitsubishi Electric MELSEC Series CPU module (Update A)."  The controller has a vulnerability in its CPU firmware.  These industrial controllers are, in fact, computers, and as such suffer from the same type of vulnerabilities that all computer products, their vendors, and their customers now face.  Industrial controls are nothing more or less than computers built to perform specific tasks in specific types of industries.  Notice that the Mitsubishi Electric MELSEC Series looks much like a rack of computer servers.

The mitigation of the vulnerability means, like what IT people smarter than me implore all concerned to do, "Apply the patch now."  As CISA stated in its advisory, "Mitsubishi Electric created the following firmware versions to address this issue and encourages users to update."  Unlike simply running a vendor-specific application to determine what update is needed for the specific configuration, system admins of networks that employ the Mitsubishi controllers are encouraged to consult:

“5 FIRMWARE UPDATE FUNCTION” in the MELSEC iQ-F FX5 User’s Manual (Application).
and
MELSEC iQ-R Module Configuration Manual “Appendix 2: Firmware Update Function.”

Some engaging late night reading, I am sure.

Common IT infrastructure equipment from some of the most recognized names in the industry has found itself in CISA's crosshairs and become the subject of an advisory.  CISA, the FBI, and the NSA have been tracking and working to disrupt Russian cyber crooks exploiting vulnerabilities in various products by industry stalwart Cisco.  On April 18, 2023, these three agencies released "APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers."

The report begins by stating with no equivocation that:

We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.

Since 2021, US and UK cyber agencies have observed that "APT28 used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide. This included a small number based in Europe."  The Russian threat actor exploited a vulnerability that Cisco first announced on June 29, 2017, and subsequently patched.  [Advisory, pg 3]  So in April 2023, CISA and its sister agencies were still advising admins of affected networks that this now-patched vulnerability "may still be used against vulnerable Cisco devices. Organisations [sic] are advised to follow the mitigation advice in this advisory to defend against this activity."  And to repeat, these vulnerabilities were corrected in 2017.
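The advisory's point is that SNMP reaching a router from infrastructure the defender does not control is the thing to notice. The following is an added example, not code from the newsletter or from the CISA advisory: it reviews a small set of constructed SNMP request records (the log format, the 10.20.0.0/24 management network, and the addresses are all assumptions) and flags requests that come from outside the management network or that use community-string SNMP (v1/v2c) instead of SNMPv3, which is the usual hardening posture for router management access.

```python
import ipaddress
from typing import Dict, List

# Constructed, hypothetical records of SNMP requests seen at a router's
# management plane.  Format (an assumption, not a real Cisco log format):
#   <timestamp> snmp src=<ip> version=<v1|v2c|v3> oid=<oid>
SAMPLE_RECORDS = """\
2023-07-10T08:01:12Z snmp src=10.20.0.5 version=v3 oid=1.3.6.1.2.1.1.1.0
2023-07-10T08:02:40Z snmp src=10.20.0.5 version=v3 oid=1.3.6.1.2.1.2.2.1.2
2023-07-10T08:05:03Z snmp src=198.51.100.77 version=v2c oid=1.3.6.1.2.1.1.5.0
2023-07-10T08:05:04Z snmp src=198.51.100.77 version=v2c oid=1.3.6.1.2.1.1.1.0
2023-07-10T08:07:19Z snmp src=10.20.0.9 version=v2c oid=1.3.6.1.2.1.1.1.0
"""

# Assumed: only hosts on this network are supposed to poll the routers.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def parse_record(line: str) -> Dict[str, str]:
    """Split one record into its timestamp and key=value fields."""
    ts, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def review_snmp(log_text: str, allowed=MANAGEMENT_NETS) -> List[Dict[str, str]]:
    """Return one finding per record that violates the management policy."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        src = ipaddress.ip_address(rec["src"])
        reasons = []
        if not any(src in net for net in allowed):
            reasons.append("source outside management network")
        if rec["version"] != "v3":
            reasons.append(f"community-string SNMP ({rec['version']})")
        if reasons:
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in review_snmp(SAMPLE_RECORDS):
        print(f"{f['ts']} {f['src']}: {f['reason']}")
```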

CISA was not done issuing advisories concerning vulnerabilities in Cisco products.  On June 13, 2023, CISA released another advisory, "Cisco Releases Security Advisories for Multiple Products."  This advisory concerns eight different Cisco products.  Unless patched, these vulnerabilities could allow a "remote cyber threat actor" to "exploit these vulnerabilities to take control of an affected system."  Each product listed was a software interface that controls devices.  Each separate application has its own software update that should be applied immediately.

Furthermore, it is not only Cisco and Mitsubishi whose industrial controls have come under attack.  On July 13, 2023, CISA posted "CISA Releases Nine Industrial Control Systems Advisories."  Siemens, Rockwell, and Honeywell each had products listed.  Each product needs an update.  Also among this group of vendors is the "Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series," which needs a newer update.  Just as with Log4j and the MOVEit vulnerability, patching must be persistent.  Often the first patch or patches do not hold, or newer vulnerabilities are discovered.

Whether one is a simple home PC user or the administrator of a municipal water plant, the single most important action that can be taken is to be proactively aware of any and all updates, and certainly to make every effort to apply any and all patches as soon as they are released.  The crooks can't exploit a vulnerability that is now hardened and no longer vulnerable.

 

¯\_(ツ)_/¯
Gerald Reiff
