20/09/21

Critical Infrastructure Daily Brief.

Statewide Terrorism & Intelligence Center


**UNCLASSIFIED**

(U) STIC is providing this information to our partner agencies for situational awareness. This document contains information obtained from open source information. While STIC has gone to great lengths to verify the information found in open source documents on the internet, this information may not be accurate.


Situational Awareness

Gen. Paul Nakasone, the head of U.S. Cyber Command and director of the National Security Agency (NSA), is working to “surge” efforts to respond to the mounting ransomware attacks on critical U.S. organizations. “Even six months ago, we probably would have said, ‘Ransomware, that’s criminal activity,’ ” Nakasone said as part of an interview with The Associated Press published Tuesday. “But if it has an impact on a nation, like we’ve seen, then it becomes a national security issue. If it’s a national security issue, then certainly we’re going to surge toward it.” Nakasone told The Associated Press that there was “an intense focus” on the part of government specialists to tackle cybersecurity threats and to “impose costs when necessary,” including through publicly calling out countries behind major cyberattacks. His comments came on the heels of months of attacks on both U.S. government groups and private industry. These have included those linked to foreign governments, such as the SolarWinds hack, which allowed Russian-government linked hackers to compromise nine federal agencies and 100 private sector groups for much of 2020. President Biden imposed sanctions on Russia in connection with the attack in April. The incidents have also included major ransomware attacks on companies including Colonial Pipeline, which provides 45 percent of the East Coast’s fuel supply, and on meat producer JBS USA, both of which were linked to Russian-based cyber criminal groups. The Biden administration has made responding to cybersecurity threats a key priority, and Biden signed an executive order in May intended to strengthen federal cybersecurity. The attacks in cyberspace were also a key issue Biden discussed with Russian President Vladimir Putin during their in-person summit in Geneva earlier this year. 
Nakasone’s comments were made public the same day he appeared as part of a panel at the Intelligence and National Security Summit, during which Nakasone noted that his agencies were “very, very focused on cybersecurity.” “What has our nation faced over the past nine months? SolarWinds, Hafnium, JBS, Colonial Pipeline, ransomware, supply chain attacks,” Nakasone said. “Cybersecurity is national security, and we strongly believe that.”


A man was arrested for allegedly threatening to kill everyone inside a Woodland mosque. The suspect, identified as 23-year-old Abdul Khalid, appeared in court Wednesday and faces criminal threat charges. We’ve learned this is not the first time Khalid has made threats at the mosque. He’s been accused of causing fights in the past. “Mr. Khalid has thrown bottles and engaged in a fight with other mosque members, so there’s a history here,” a judge said in court. According to probation, four years ago Khalid was allegedly armed with a knife and threatened to kill mosque members. He’s now facing three felony criminal threats charges, accused of sending messages Monday on social media about committing a mass shooting and threatening to kill everyone inside the Woodland Muslim Mosque and Islamic Center. Investigators say Khalid claimed to be in possession of a gun and ammunition. “Kind of something extreme to be going on where we live,” said Robert Guerrero. Guerrero’s family’s home is near the mosque. “Innocent people getting hurt is never a good thing. Sounds like a hate crime,” he said. But as of now, Khalid hasn’t been charged with a hate crime. Below is a statement from Jonathan Raven, Yolo County Chief Deputy District Attorney: “Currently, Mr. Khalid is not charged with a hate crime or hate crime enhancement. To file a hate crime, we must believe that we can prove beyond a reasonable doubt that a substantial motivating factor in the crime was a bias against a particular religion. It’s always possible that further investigation could change things.” Raven added that a representative from the mosque told his office they don’t believe the crime was bias-motivated.


Indian police on Tuesday evening said they have arrested six men alleged to be plotting terror attacks across major cities of the country. The attacks were allegedly being planned from Pakistan and were "meant to target congregations during the upcoming festive season," said Neeraj Thakur of the Delhi Police Special Cell, the arm responsible for investigating terrorism and organized crime-related cases. The Hindu festival of Durga Puja takes place in roughly a month's time, with the year's biggest festival, Diwali, celebrated on November 4. Two of the suspects arrested were believed to have gone to Pakistan via Oman, where they received training in using explosives and firearms, he told reporters at a press conference.


Cybersecurity

The FBI warned today that a massive spike of online romance scams this year caused Americans to lose more than $113 million since the start of 2021. The scammers behind this type of online fraud trend (also known as confidence fraud) — which can lead to significant financial losses and devastating emotional scars — use fake online identities to gain potential victims' trust on dating or social media platforms. After the victims are lured in, the crooks take advantage of the illusion of a romantic relationship they project to manipulate the targets into sending money or financial info that later can be used for other types of fraud schemes, including investment scams.


The FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) warned today that state-backed advanced persistent threat (APT) actors are likely among those who’ve been actively exploiting a newly identified bug in a Zoho single sign-on and password management tool since early last month. At issue is a critical authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus platform that can lead to remote code execution (RCE) and thus open the corporate doors to attackers who can run amok, with free rein across users’ Active Directory (AD) and cloud accounts. The Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application which can act as a convenient point-of-entry to areas deep inside an enterprise’s footprint, for both users and attackers alike.


Researchers have unmasked a lengthy campaign against the aviation sector, beginning with the analysis of a Trojan by Microsoft. On May 11, Microsoft Security Intelligence published a Twitter thread outlining a campaign targeting the "aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT." The operator of this campaign used email spoofing to pretend to be legitimate organizations in these industries, and an attached .PDF file included an embedded link, containing a malicious VBScript which would then drop Trojan payloads on a target machine.


Some printers will request administrator credentials every time users try to print in Windows Point and Print environments due to a known issue caused by KB5005033 or later security updates addressing the PrintNightmare vulnerability. This happens because, after installing these PrintNightmare patches, only administrators are allowed to install or update drivers via Point and Print. The request for admin credentials is triggered automatically in environments where the print server has a newer driver than the client attempting to print.
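One way for an administrator to find which mapped printers will hit this prompt, as an added example rather than anything from the brief or from Microsoft: the script below lists each Point and Print connection on a client and compares the driver version the print server offers with the copy the client already has, flagging the connections where the server driver is newer. It assumes the PrintManagement module cmdlets (Get-Printer, Get-PrinterDriver) and remote query rights on the print server.

```powershell
# Added example, not part of the STIC brief. Flags Point and Print connections where
# the print server's driver is newer than the client's copy, which is the condition
# the brief describes as triggering the administrator-credential prompt after the
# KB5005033 (PrintNightmare) updates. Assumes PrintManagement cmdlets and that the
# caller can query the print server remotely.

function Get-PointAndPrintDriverMismatch {
    [CmdletBinding()]
    param()

    # Only shared-printer connections (\\server\share) are installed via Point and Print.
    $connections = Get-Printer | Where-Object { $_.Type -eq 'Connection' }

    foreach ($printer in $connections) {
        # A connection's name has the form \\server\share; pull the server name out.
        if ($printer.Name -notmatch '^\\\\([^\\]+)\\') { continue }
        $server = $Matches[1]

        # Client-side copy of the driver (null if it has never been installed locally).
        $clientDriver = Get-PrinterDriver -Name $printer.DriverName -ErrorAction SilentlyContinue |
            Select-Object -First 1

        # Driver the server will offer to the client on the next print job.
        $serverDriver = Get-PrinterDriver -Name $printer.DriverName -ComputerName $server -ErrorAction SilentlyContinue |
            Select-Object -First 1

        # Missing local copy, or a newer version on the server, means a driver install
        # is needed, which now requires administrator credentials.
        $willPrompt = ($null -ne $serverDriver) -and
                      (($null -eq $clientDriver) -or ($serverDriver.DriverVersion -gt $clientDriver.DriverVersion))

        [PSCustomObject]@{
            Printer       = $printer.Name
            Driver        = $printer.DriverName
            ClientVersion = $clientDriver.DriverVersion
            ServerVersion = $serverDriver.DriverVersion
            WillPrompt    = $willPrompt
        }
    }
}

Get-PointAndPrintDriverMismatch | Format-Table -AutoSize
```

Rows with WillPrompt set to True are the connections whose driver the server should update (or pre-stage on the client) before users notice the credential prompt.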


Security researchers have discovered malicious Linux binaries created for the Windows Subsystem for Linux (WSL), indicating that hackers are trying out new methods to compromise Windows machines. The finding underlines that threat actors are exploring new methods of attack and are focusing their attention on WSL to evade detection.
