Author: Chase Snyder, Sr. PMM, Xage Security
Every month in the Risk Roundup we recap a set of the top stories that had actionable cybersecurity lessons for security pros, or otherwise strong signals about the future of cybersecurity across enterprise and critical infrastructure contexts. Let’s dive in!
ArcaneDoor Zero Days
Three zero day vulnerabilities in Cisco security products were announced on April 24 and dubbed ArcaneDoor. They have been actively exploited to put backdoors into a number of government agencies globally. This is suspected to be the work of nation-state threat actors originating from China.
It’s part of two trends: increasing attacks on government organizations and more frequent co-opting of edge devices that connect to the wider internet and can provide a means of entry into a target network.
Attacks on US water systems
After a series of attacks on water systems, the White House has warned organizations to tighten their defenses. Most recently, a group suspected to be associated with Russia breached a Texas water facility, making a water tank overflow. Attackers used a system for remote access to industrial infrastructure as an entry point, reinforcing the importance of remote access tools designed for security.
Volt Typhoon
China’s state-sponsored hacking group Volt Typhoon continues to access and persist within US infrastructure, including energy infrastructure, transportation systems, and more. US authorities issued an alert that the IT infrastructure of numerous critical infrastructures had been compromised.
They specifically called out living off the land (LOTL) techniques as being a signature of the threat group. A guide to suggested mitigations is included in the alert.
New Rules on Incident Reporting for Critical Infrastructure
In perhaps related news, CISA is working on new rules for incident reporting for critical infrastructure which are currently open for public comment. Secretary of Homeland Security Alejandro Mayorkas told The Record that “CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents, and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors,” while some cybersecurity experts have voiced concerns that the rules may be complex and burdensome.
MITRE Hack
Adding to the list of hacks against cybersecurity-focused organizations themselves (following CISA’s breach in March, MITRE has disclosed that it was breached via Ivanti VPNs, reinforcing the idea that VPNs are no longer a secure option for remote access.
