Crtical Infrastructure Daily Brief

Statewide Terrorism & Intelligence Center

Critical Infrastructure Daily Brief

September 15, 2021



(U) STIC is providing this information to our partner agencies for situational awareness. This document contains information obtained from open source information. While STIC has gone to great lengths to verify the information found in open source documents on the internet, this information may not be accurate.


Situational Awareness

  • Ex-U.S. Intel Operatives Admit Hacking American Networks for UAE

Three former U.S. intelligence operatives who worked as cyber spies for the United Arab Emirates admitted to violating U.S. hacking laws and prohibitions on selling sensitive military technology, under a deal to avoid prosecution announced on Tuesday. The operatives - Marc Baier, Ryan Adams and Daniel Gericke - were part of a clandestine unit named Project Raven, first reported by Reuters, that helped the UAE spy on its enemies. At the behest of the UAE’s monarchy, the Project Raven team hacked into the accounts of human rights activists, journalists and rival governments, Reuters reported. The three men admitted to hacking into computer networks in the United States and exporting sophisticated cyber intrusions tools without gaining required permission from the U.S. government, according to court papers released in U.S. federal court in Washington, D.C., on Tuesday.


An Ohio man was sentenced today to 20 years in prison for attempting to provide material support to the Islamic State of Iraq and al-Sham (ISIS), and attempting to commit a hate crime, for planning an attack on a synagogue in the Toledo, Ohio area. Damon M. Joseph, aka Abdullah Ali Yusuf, 23, of Holland, Ohio, pleaded guilty in May 2021. According to court documents, in 2018, Joseph drew the attention of law enforcement by posting photographs of weapons and various messages in support of ISIS on his social media accounts, as well as a photograph originally distributed by the media wing of ISIS. “Inspired by ISIS, Damon Joseph planned to conduct a deadly terrorist attack at a synagogue in Ohio.  He hoped to cause mass casualties by selecting a time when numerous innocent victims would be present.  For this conduct, he will now spend 20 years in prison,” said Acting Assistant Attorney General Mark J. Lesko of the Justice Department’s National Security Division. "We are committed to identifying, disrupting, and holding accountable individuals who seek to engage in such attacks.  I commend the agents, analysts, and prosecutors who identified the threat posed by this defendant and took action to protect the public from his plans.”



Threat actors impersonated the U.S. Department of Transportation (USDOT) in a two-day phishing campaign that used a combination of tactics – including creating new domains that mimic federal sites so as to appear to be legitimate – to evade security detections. Between Aug. 16-18, researchers at e-mail security provider INKY detected 41 phishing emails dangling the lure of bidding for projects benefitting from a $1 trillion infrastructure package recently passed by Congress, according to a report written by INKY’s Roger Kay, vice president of security strategy, that was published on Wednesday. The campaign – which targeted companies in industries such as engineering, energy and architecture that likely would work with the USDOT – sends potential victims an initial email in which they’re told that the USDOT is inviting them to submit a bid for a department project by clicking a big blue button with the words “Click Here to Bid.” The emails themselves are launched from a domain, transportationgov[.]net, that was registered by Amazon on Aug. 16, Kay said. The date of its creation – revealed by WHOIS – seems to signal that the site was set up specifically for the phishing campaign. To anyone familiar with government sites, the domain would appear suspicious given that government sites typically have a .gov suffix. However, “to someone reading through quickly, the domain name might seem at least somewhere in the ballpark of reality,” Kay observed.


Microsoft has released a security update to fix the last remaining PrintNightmare zero-day vulnerabilities that allowed attackers to gain administrative privileges on Windows devices quickly. In June, a zero-day Windows print spooler vulnerability dubbed PrintNightmare (CVE-2021-34527) was accidentally disclosed. This vulnerability exploits the Windows Point and Print feature to perform remote code execution and gain local SYSTEM privileges. While Microsoft released two security updates to fix various PrintNightmare vulnerabilities, another vulnerability publicly disclosed by security researcher Benjamin Delpy still allowed threat actors to quickly gain SYSTEM privileges simply by connecting to a remote print server. As demonstrated below, Delpy's vulnerability abused the CopyFiles directive to copy and execute malicious DLL using SYSTEM privileges when a user installed a remote printer. Once the exploit launched the DLL, it would open a console Window where all commands are executed with SYSTEM privileges. To make matters worse, ransomware gangs, such as Vice Society, Magniber, and Conti, began utilizing the bug to gain elevated privileges on compromised devices. This remaining PrintNightmare vulnerability is tracked as CVE-2021-36958 and is attributed to Victor Mata of FusionX, Accenture Security, who privately disclosed the bug to Microsoft in December 2020.


In September’s Patch Tuesday crop of security fixes, Microsoft released patches for 66 CVEs, three of which are rated critical, and one of which – the Windows MSHTML zero-day – has been under active attack for nearly two weeks. One other bug is listed as publicly known but isn’t (yet) being exploited. Immersive Labs’ Kevin Breen, director of cyber threat research, observed that with only one CVE under active attack in the wild, it’s “quite a light Patch Tuesday” – at least on the surface, that is. The flaws were found in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS and the Windows Subsystem for Linux. Of the 66 new CVEs patched today, three are rated critical, 62 are rated important, and one is rated moderate in severity.


An ongoing Zloader campaign uses a new infection chain to disable Microsoft Defender Antivirus (formerly Windows Defender) on victims' computers to evade detection. According to Microsoft's stats, Microsoft Defender Antivirus is the anti-malware solution pre-installed on more than 1 billion systems running Windows 10. The attackers have also changed the malware delivery vector from spam or phishing emails to TeamViewer Google ads published through Google Adwords, redirecting the targets to fake download sites. From there, they are tricked into downloading signed and malicious MSI installers designed to install Zloader malware payloads on their computers. "The attack chain analyzed in this research shows how the complexity of the attack has grown in order to reach a higher level of stealthiness," said SentinelLabs security researchers Antonio Pirozzi and Antonio Cocomazzi in a report published today. "The first stage dropper has been changed from the classic malicious document to a stealthy, signed MSI payload. It uses backdoored binaries and a series of LOLBAS to impair defenses and proxy the execution of their payloads.

Related Links

Back to index