BLOG
April 19, 2022
‘Denonia’ – the first cryptominer built for AWS Lambda
On 6 April, CADO Security reported its discovery of the first known cryptominer malware designed specifically to run in the AWS Lambda environment. The malware is written in Go, and CADO believes it contains a customised variant of the XMRig mining software along with other functions whose purpose is not yet known. The CADO team named it ‘Denonia’ after the domain it communicates with (gw.denonia.xyz). It resolves that domain using newer address resolution techniques for its command and control (C2) traffic, which are designed to evade typical detection measures and virtual access controls, making the malware difficult to detect.
Read more
New malicious tools targeting ICS / SCADA systems and mitigations
14.04.2022
ICS / SCADA systems under a new threat
Yesterday, on 13 April, CISA, DOE and the FBI released a joint Cybersecurity Advisory – Alert (AA22-103A) – warning that certain APT actors have proven able to gain full access to multiple Industrial Control System (ICS) / Supervisory Control and Data Acquisition (SCADA) devices using custom-built offensive tools that enable scanning, compromising and controlling some of them, including:
Schneider Electric MODICON and MODICON Nano programmable logic controllers (PLCs), including (but not necessarily limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
OMRON Sysmac NJ and NX PLCs, including (but not necessarily limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT;
Open Platform Communications Unified Architecture (OPC UA) servers.
More
Industrial Control Systems Best Practices
07.04.2022
In late March this year the US Department of Justice named four Russian spies, accusing them of hacking activities spanning nearly a decade and impacting critical infrastructure across the globe, and CISA issued a joint Cybersecurity Advisory relating to this finding. As part of the advisory, CISA published the following list of Industrial Control Systems (ICS) best practices aimed at improving cyber posture.
Update all software. Use a risk-based assessment strategy to determine which ICS networks, assets, and zones should participate in the patch management program.
More
Industrial Network Security Architecture - Network Segmentation
28.03.2022
The idea of network segmentation is an old concept in IT environments. It began as a way to improve network performance and bandwidth. More recently, network segmentation has been used proactively as part of network security architecture. Segmenting the network into separate zones allows each zone to be individually and independently controlled, monitored, and protected. In the realm of Operational Technology this is especially important, due to the specific nature of the operational environment, and it is reflected in ISA/IEC 62443-3-3 SR5.
More
FSB's Global Energy Sector Intrusion Campaign 2011-2018
28.03.2022
Last week, on Thursday 24 March 2022, the US Justice Department officially charged four Russian officials, accusing them of carrying out hundreds of cyberattacks targeting critical infrastructure facilities worldwide. The list of affected countries includes Saudi Arabia and the United States where, among other enterprises, the men hacked the Wolf Creek Nuclear Operating Corporation, which runs a nuclear plant in Kansas. The accused are three Russian Federal Security Service (FSB) agents and an employee of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM).
More
Industrial Network Security Architecture - Asset and Network Management
23.03.2022
Rapidly advancing digitalisation and the spread of the Industrial Internet of Things (IIoT) are increasing the number of connected devices in industrial networks, which in turn enlarges the surface for a potential cyberattack. This situation requires the network owner to maintain a current, real-time inventory of all network devices so that root cause analysis is possible in case of a cyber incident. IEC 62443, an international series of standards that addresses cybersecurity for operational technology in automation and control systems, sets the requirements for auditing and monitoring of assets in sections SR2.
More
The Cloud and the Dark Web
22.03.2022
The dark web has been the go-to place for shady deals for some years now. It comes as no surprise, then, that just as one can purchase credit card numbers or other types of data commodity, one can also acquire access credentials for cloud accounts. And the market is thriving! In the period from July 2020 through July 2021, IBM conducted dark web research into the black market for cloud account access. In this time period IBM X-Force identified some 30,000 cloud accounts potentially for sale on the dark web.
More
Industrial Network Security Architecture - Network Segmentation
17.03.2022
The idea of network segmentation is an old concept in IT environments. It began as a way to improve network performance and bandwidth. More recently, network segmentation has been used proactively as part of network security architecture. Segmenting the network into separate zones allows each zone to be individually and independently controlled, monitored, and protected. In the realm of Operational Technology this is especially important, due to the specific nature of the operational environment, and it is reflected in ISA/IEC 62443-3-3 SR5.
More
Software Defined Perimeter
14.03.2022
A Software Defined Perimeter (SDP) is a network security architecture that uses user authentication and network segmentation to grant access to resources on the principle of authenticate first, access later. SDP is a way of implementing Zero Trust Network Access, the main technology associated with Zero Trust Architecture. In contrast to a human-defined perimeter with static, open ports leading to various access solutions, the Software Defined Perimeter’s default state is that all ports are closed to all incoming traffic from anyone.
More
Best Practices for Securing your Cloud
08.03.2022
There are a good number of boxes to tick to make the security of your cloud environment as robust against potential breaches as you can.
1. Compliance
Follow at least one of the available security frameworks that describe what a secure cloud environment looks like. While compliance is no replacement for security, using such a framework for assessment will help you realise which controls are needed to secure data and endpoints.
More