13/08/21

Critical Infrastructure Daily Brief

**UNCLASSIFIED**

(U) STIC is providing this information to our partner agencies for situational awareness. This document contains information obtained from open source information. While STIC has gone to great lengths to verify the information found in open source documents on the internet, this information may not be accurate.

Situational Awareness

• Over 21,000 Unemployment Claims Filed in Illinois Last Week Amid COVID-19 Pandemic

The Illinois Department of Employment Security (IDES) reported 21,499 new unemployment claims were filed during the week of August 2 in Illinois, a 7% increase from the previous week, when 20,019 people filed. Illinois’ estimated claims are among 375,000 total claims filed across the country last week.

• Storms Cause Officials to Cancel Illinois State Fair Kickoff Festivities, Concerts

The Twilight Parade and the official ribbon cutting to the Illinois State Fair at the fairgrounds' main gate were canceled Thursday due to inclement weather. The chance for more storms Thursday evening also prompted cancellation of the Grandstand show featuring Sammy Hagar & the Circle/Tonic. Refund information is here. The ribbon cutting, featuring Gov. JB Pritzker, was scheduled for 3 p.m. The Twilight Parade was set to kick off from Lincoln Park at 5:30 p.m. Eleven health care workers and spiritual leaders from across the state, including the Rev. T. Ray McJunkins, senior pastor of Union Baptist Church, were set to serve as grand marshals. Storms packed winds up to 70 mph around Springfield Thursday afternoon, causing trees to be damaged here and in Sherman, Riverton and Rochester, said National Weather Service meteorologist Nicole Batcek.

• Weather Cancels Opening Day Activities of Illinois State Fair

Cybersecurity

• Ransomware Payments Explode Amid ‘Quadruple Extortion’

The average ransomware payment spiked 82 percent year over year: It’s now over half a million dollars, according to the first-half 2021 update report put out by Palo Alto Networks’ Unit 42. As far as the sheer multitude of attacks goes, Barracuda researchers on Thursday reported that they’ve identified and analyzed 121 ransomware incidents so far in 2021, a 64 percent increase in attacks, year-over-year. What’s helped to intensify extortion payments is the fact that cybercriminals have been pouring money into “highly profitable ransomware operations,” Unit 42 researchers wrote, including a new, disturbing trend: The rise of “quadruple extortion.”

• Hackers Stole Client Info, Work Materials in Accenture Ransomware Attack

Ransomware hackers began leaking Accenture data after the consulting giant suffered a security incident where the perpetrators made off with client-related documents and work materials. The gang, known as LockBit 2.0, has threatened to leak further after providing purported proof of the breach. Accenture acknowledged the attack on Wednesday, but has downplayed its severity. “Through our security controls and protocols, we identified irregular activity in one of our environments,” an Accenture spokesperson said. “We immediately contained the matter and isolated the affected servers. We fully restored our affected servers from back up. There was no impact on Accenture’s operations, or on our clients’ systems.” Even as Accenture said the extent of the harm was minimal, the ransomware attack on the company attracted considerable social media attention and speculation. The Fortune 500 company had $44 billion in revenue in 2020, employs more than half a million people around the globe and does work in the cybersecurity field. The cyber intelligence firm Cyble tweeted that LockBit 2.0 sought a $50 million ransom for six terabytes of data. Cybercrime intelligence company Hudson Rock tweeted that 2,500 computers of employees and partners were compromised. The ransomware group’s leak site faulted Accenture’s security. “These people are beyond privacy and security,” a note read. “I really hope that their services are better than what I saw as an insider. If you’re interested in buying some databases, reach us.” A recent Australian Cyber Security Centre alert warned of an uptick in LockBit activity. It’s a group that typically seeks ransoms in the “high five figures,” according to a profile last month by Emsisoft, a security firm.

• Attackers are Exploiting Windows PrintNightmare Vulnerabilities

Cyber criminals are exploiting Windows PrintNightmare vulnerabilities in their attempts to infect victims with ransomware – and the number of ransomware groups attempting to take advantage of unpatched networks is likely to grow. The remote code execution vulnerabilities (CVE-2021-34527 and CVE-2021-1675) in Windows Print Spooler – a service enabled by default in all Windows clients and used to copy data between devices to manage printing jobs – allow attackers to run arbitrary code, enabling them to install programs, modify, change and delete data, create new accounts with full user rights and move laterally around networks. Now ransomware gangs are taking advantage of PrintNightmare to compromise networks, encrypt files and servers, and demand payment from victims for a decryption key. One of them is Vice Society, a relatively new player in the ransomware space that first appeared in June and conducts hands-on, human-operated campaigns against targets. Vice Society is known to be quick to exploit new security vulnerabilities to help ransomware attacks and, according to cybersecurity researchers at Cisco Talos, they've added PrintNightmare to their arsenal of tools for compromising networks. Like many cyber-criminal ransomware groups, Vice Society uses double extortion attacks, stealing data from victims and threatening to publish it if the ransom isn't paid. According to Cisco Talos, the group has mostly focused on small and midsize victims, notably schools and other educational institutions.

• Microsoft: Evasive Office 365 Phishing Campaign Active Since July 2020

Microsoft says that a year-long and highly evasive spear-phishing campaign has targeted Office 365 customers in multiple waves of attacks starting in July 2020. The ongoing phishing campaign lures targets into handing over their Office 365 credentials using invoice-themed XLS.HTML attachments and various information about the potential victims, such as email addresses and company logos. This suggests that the threat actors collect data on their targets in a reconnaissance stage of the attack, increasing the campaign's effectiveness through social engineering. "This campaign’s primary goal is to harvest usernames, passwords, and—in its more recent iteration—other information like IP address and location, which attackers use as the initial entry point for later infiltration attempts," the Microsoft 365 Defender Threat Intelligence Team explained.
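The lure described above rests on an HTML attachment dressed up with an Office extension (XLS.HTML) and an invoice theme. The following triage script is an added example for this brief, not code from Microsoft or the cited report: it runs over a handful of constructed mail-gateway records (the record layout and every sender, subject and filename are assumptions made for the example), flags attachments whose real extension is .html/.htm hidden behind an Office-style inner extension, and raises the severity when the subject carries invoice language.

```python
import re

# Constructed sample mail-gateway records for the example (not real traffic).
SAMPLE_RECORDS = [
    {"id": "m1", "from": "billing@example-vendor.test",
     "subject": "Invoice 4471 for ACME Corp", "attachments": ["INV-4471.xls.html"]},
    {"id": "m2", "from": "hr@example-corp.test",
     "subject": "Q3 schedule", "attachments": ["schedule.xlsx"]},
    {"id": "m3", "from": "noreply@example-bank.test",
     "subject": "Payment receipt", "attachments": ["receipt.pdf.htm"]},
    {"id": "m4", "from": "alice@example-corp.test",
     "subject": "Notes", "attachments": ["notes.html"]},
    {"id": "m5", "from": "accounts@example-supplier.test",
     "subject": "Overdue invoice", "attachments": []},
]

# Document extensions commonly used as the "inner" part of a double extension.
OFFICE_EXT = {"xls", "xlsx", "doc", "docx", "pdf", "ppt", "pptx"}
# Matches names like "file.xls.html" or "file.pdf.htm" (case-insensitive).
DOUBLE_EXT = re.compile(r"\.(?P<inner>[a-z0-9]{2,5})\.(?P<outer>html?)$", re.IGNORECASE)
# Invoice-themed wording in the subject line, as in the campaign described above.
INVOICE_WORDS = re.compile(r"\b(invoice|receipt|payment|statement|overdue)\b", re.IGNORECASE)


def classify_attachment(name):
    """Return a risk label for a single attachment filename."""
    m = DOUBLE_EXT.search(name)
    if m and m.group("inner").lower() in OFFICE_EXT:
        return "office-masquerade-html"   # e.g. INV-4471.xls.html
    if name.lower().endswith((".html", ".htm")):
        return "html"                     # plain HTML attachment, lower confidence
    return "ok"


def score_message(rec):
    """Combine attachment findings with subject wording into a severity."""
    findings = [(att, classify_attachment(att)) for att in rec.get("attachments", [])]
    findings = [(att, lbl) for att, lbl in findings if lbl != "ok"]
    if findings and INVOICE_WORDS.search(rec.get("subject", "")):
        severity = "high"     # HTML attachment plus invoice lure: the pattern above
    elif any(lbl == "office-masquerade-html" for _, lbl in findings):
        severity = "high"     # double extension alone is enough to escalate
    elif findings:
        severity = "medium"   # HTML attachment without an invoice theme
    else:
        severity = "none"
    return severity, findings


def flag_records(records):
    """Return {message id: {severity, findings}} for every record worth a look."""
    flagged = {}
    for rec in records:
        severity, findings = score_message(rec)
        if severity != "none":
            flagged[rec["id"]] = {"severity": severity, "findings": findings}
    return flagged


if __name__ == "__main__":
    for msg_id, info in flag_records(SAMPLE_RECORDS).items():
        print(msg_id, info["severity"], info["findings"])
```

On the constructed records the script flags m1 and m3 as high (Office-style inner extension in front of .html/.htm, with invoice wording in the subject) and m4 as medium (a bare HTML attachment); m2 and m5 produce no finding. The regex keys on the filename only, so a gateway that also records the declared MIME type can add a second check that the content is actually text/html.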

• Banks Are Moving Their Core Operations into the Cloud at a Rapid Rate – New Tech Brings New Challenges

Banks are increasingly turning to the cloud in an effort to modernize their outdated IT models and better compete for customers' favors, finds a new report commissioned by Google – even though relying on cloud providers for critical services like finance comes with its fair share of risk. The research, which surveyed more than 1,300 leaders from the financial services industry across the globe, found that an overwhelming 83% of respondents said that their companies were deploying cloud technology as part of their primary computing infrastructures. In contrast, only 17% of organizations still rely primarily on on-premises services – and among those, respondents said that they planned to switch on average 40% of their workloads to the public cloud during the next year. Cloud computing is seen as a key technology to future-proof the banking industry. Large-scale cloud providers such as Microsoft Azure and AWS have the capabilities to implement infrastructure that is specifically built to better protect workloads from failure, meaning better operational resiliency. The cloud is also seen as a way to support the creation of new products and services, improve data security, and better connect legacy software infrastructure.
