22/03/22

Critical Infrastructure Daily Brief

Statewide Terrorism & Intelligence Center

**UNCLASSIFIED**

(U) STIC is providing this information to our partner agencies for situational awareness. This document contains information obtained from open source information. While STIC has gone to great lengths to verify the information found in open source documents on the internet, this information may not be accurate.

 

Situational Awareness

President Joe Biden urged U.S. businesses Monday to take added precautions amid "evolving" intelligence that Russia could target American companies with cyberattacks. "The magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming. The federal government is doing its part to get ready," Biden said while speaking to the Business Roundtable CEO quarterly meeting in Washington. He called on companies to invest "as much as you can" in beefing up technological capacity to guard against potential attacks. As the war in Ukraine following Russia's invasion last month rages on, the White House released a fact sheet Monday telling U.S. companies to "Act Now to Protect Against Potential Cyberattacks." "This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience," Biden said in a statement. "I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners." "Today, my administration is reiterating those warnings based on evolving intelligence that the Russian government is exploring options for potential cyberattacks," he continued. In its release, the White House pushed companies to mandate the use of multifactor authentication, back up and encrypt data, and educate their workforces about tactics hackers may deploy, among other steps.

 

  • Situational Awareness: Persistent Risk of Violence at Large Gatherings

Over the past weekend, multiple mass shootings occurred across the United States. While the incidents are not believed to be related, they all occurred at public gatherings. Partners are reminded to maintain situational awareness in their security planning and procedures while in public locations and stay updated on applicable security trainings within their own organizations. Any suspicious behavior should be reported to the appropriate authorities.

 

Worshippers at a mosque in Toronto subdued an allegedly axe-wielding man who police say attacked people with bear spray during a dawn prayer service. Police said the 24-year-old man walked into the Dar Al-Tawheed Islamic centre in the suburb of Mississauga and allegedly “discharged bear spray towards people in the mosque while brandishing a hatchet” just before 7am on Saturday. The Canadian prime minister, Justin Trudeau, condemned the attack, calling it “incredibly disturbing” in a tweet. “I strongly condemn this violence – which has no place in Canada – and I’m keeping the community in my thoughts today.” Speaking on behalf of the mosque, Nadia Hasan of the National Council of Canadian Muslims said a group of about 20 men were praying when the man sprayed them. “Some of the men turned around and they very bravely decided that they were not going to let him attack them,” she said. “They tackled him to the ground and apprehended him until the police showed up.” The man, a local resident, was arrested. Police say they’re considering “all possible motivations” for the incident and charges are pending. Police said the congregants received minor injuries as a result of the bear spray. “People are obviously quite shaken up and are recovering,” Hasan said. “For the most part, folks are still processing what’s happened and are trying to kind of see how they can ensure that their communities remain secure.”

 

Ukraine said it retook a strategically important suburb of Kyiv on Tuesday, as Russian forces squeezed other areas near the capital and pressed their attack on the embattled southern port of Mariupol. Explosions and bursts of gunfire shook Kyiv, and black smoke rose from a spot in the north. Intensified artillery fire could be heard from the northwest, where Russia has sought to encircle and capture several suburban areas of the capital, a crucial target. Residents sheltered at home or underground under a 35-hour curfew imposed by city authorities that runs to Wednesday morning. Russian forces also continued their siege of Mariupol after the southern port city’s defenders refused demands to surrender, with fleeing civilians describing relentless bombardments and corpses lying in the streets. But the Kremlin’s ground offensive in other parts of the country advanced slowly or not at all, knocked back by lethal hit-and-run attacks by the Ukrainians.

 

Cybersecurity

HP has published security advisories for three critical-severity vulnerabilities affecting hundreds of its LaserJet Pro, Pagewide Pro, OfficeJet, Enterprise, Large Format, and DeskJet printer models. The first security bulletin warns about a buffer overflow flaw that could lead to remote code execution on the affected machine. Tracked as CVE-2022-3942, the security issue was reported by Trend Micro’s Zero Day Initiative team. Although it comes with a severity score of 8.4 (high), as calculated with the Common Vulnerability Scoring System (CVSS), HP lists the bug's severity as critical.

 

We’ve had it beaten into our brains: Before you go willy-nilly clicking on a page, check the URL. First things first, the tried-and-usually-but-not-always-true advice goes, check that the site’s URL shows “https,” indicating that the site is secured with TLS/SSL encryption. If only it were that easy to avoid phishing sites. In reality, URL reliability hasn’t been absolute for a long time, given things like homograph attacks that swap in similar-looking characters in order to create new, identical-looking but malicious URLs, as well as DNS hijacking, in which Domain Name System (DNS) queries are subverted. Now, there’s one more way to trick targets into coughing up sensitive info, with a coding ruse that’s invisible to the naked eye. The novel phishing technique, described last week by a penetration tester and security researcher who goes by the handle mr.d0x, is called a browser-in-the-browser (BitB) attack. The novel method takes advantage of third-party single sign-on (SSO) options embedded on websites that issue popup windows for authentication, such as “Sign in with Google,” Facebook, Apple or Microsoft.

 

Identity authentication company Okta, which provides services to thousands of companies as well as U.S. government agencies, acknowledged Tuesday morning that it had investigated an incident in January that was related to screenshots posted online Monday night by a hacking group. “In late January 2022, Okta detected an attempt to compromise the account of a third party customer support engineer working for one of our subprocessors,” Okta CEO Todd McKinnon tweeted. “The matter was investigated and contained by the subprocessor.” The tweet was in response to the latest posts by the cybercrime group Lapsus$ on its Telegram channel, according to multiple reports overnight. “We believe the screenshots shared online are connected to this January event,” McKinnon said. “Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.” Any spillover from such an incident could have implications for the cybersecurity of Okta customers, who use the company’s single sign-on (SSO) services — including password managers — to control access to their networks and applications.

