22/11/21

Critical Infrastructure Daily Brief

Statewide Terrorism & Intelligence Center


 

**UNCLASSIFIED**

(U) STIC is providing this information to our partner agencies for situational awareness. This document contains information obtained from open source information. While STIC has gone to great lengths to verify the information found in open source documents on the internet, this information may not be accurate.

 

Situational Awareness

A joyous Christmas parade in Waukesha, Wisconsin turned into a scene of deadly horror when a red SUV plowed into a crowd on the city's Main Street late Sunday. At least five people were killed and more than 40 others were injured, according to officials in the suburban Milwaukee city. Those numbers may change as new information comes to light, they said… The exact circumstances surrounding the incident and what may have motivated it were not yet clear. Waukesha Police Chief Daniel Thompson confirmed at a news conference Sunday evening that a person of interest had been taken into custody. Four senior law enforcement officials had told NBC News that a person of interest who may have a significant criminal history was being questioned overnight, with investigators probing the possibility that the driver had been fleeing an earlier incident involving a knife fight.

 

At least 28 people were shot so far over the weekend in Chicago, and six of those victims have died. Of those shot, at least seven were under 18 years old.

 

Four people were injured when multiple shooters opened fire from a vehicle as it passed by a bar in the northern Illinois town of Kankakee, authorities said. More than 50 rounds were fired into the crowd outside the International Lounge, located in the 600-block of North Schuyler Avenue, shortly after 12 a.m. Saturday. The Daily Journal reported the bar had closed early for the evening, and that the shots were fired from several different weapons. Two people had to be airlifted to advanced trauma care hospitals, police said. Kankakee Police Chief Robin Passwater and Mayor Chris Curtis both expressed frustration that many people witnessed the shooting but the majority would not cooperate with law enforcement.

 

A jury has found Kyle Rittenhouse not guilty of all charges in Kenosha. The jury said Rittenhouse, now 18, acted in self-defense and was justified when he shot three men, killing two of them. He faced five felonies. Each count carries a descriptor that Rittenhouse committed the crimes with a dangerous weapon. A misdemeanor gun possession charge was dismissed before jurors began deliberating the case. All charges were dismissed with prejudice, meaning Rittenhouse cannot be charged again.

 

Police arrested a 15-year-old girl Friday in connection with the fatal Wednesday stabbing of Pierre V. Scott Jr., 18, outside Lanphier High School. The Springfield Police Department announced Friday afternoon that police made the arrest at about 11 a.m. and the teen was in custody at the Sangamon County Juvenile Detention Center. She was charged with three counts of first-degree murder, three counts of aggravated battery, a Class 3 felony, and two counts of aggravated unlawful use of a weapon, a Class 4 felony.

 

Cybersecurity

The Securities and Exchange Commission (SEC) has warned US investors of scammers impersonating SEC officials in government impersonator schemes via phone calls, voicemails, emails, and letters. The alert comes from SEC's Office of Investor Education and Advocacy (OIEA), which regularly issues warnings to inform investors about the latest developments in investment frauds and scams. "We are aware that several individuals recently received phone calls or voicemail messages that appeared to be from an SEC phone number," OIEA said. "The calls and messages raised purported concerns about unauthorized transactions or other suspicious activity in the recipients' checking or cryptocurrency accounts." Investors are advised not to provide personal info until they verify they're actually speaking with an SEC official, since these phone calls and voicemails are "in no way connected to the SEC."

 

The United States' adversaries are trying to steal the nation's top secrets, top Cyber Command and National Security Agency officials say, and protecting the American people from these threats takes both the private and public sectors. "Cybercom's mission is to play the away game and to execute operations outside of the United States that keep us secure," Maj. Gen. Joe Hartman, deputy commanding general of U.S. Cyber Command, told ABC News' Chief Justice Correspondent Pierre Thomas. "On a daily basis, whether it's nation-state, malicious cyber actors trying to steal secrets, whether it's ransomware actors -- every day our adversary gets up and attempts to execute operations against the United States. They're not going to stop and neither are we." Hartman oversees Cyber Command’s Cyber National Mission Force, comprised of more than 2,000 military and civilian personnel -- focused on securing and protecting U.S. national interests from foreign-threat actors. The NSA has an entire center dedicated to collaborating with partners. "So NSA has been in cybersecurity for a really long time," said Morgan Adamski, the chief of the NSA's Cybersecurity Collaboration Center. "And we've shared our deep insights into foreign cyber-actor activity as well as our technical expertise, but the way that the actors are working now, they're working so quickly. We had to kind of adapt to the way that we were sharing that information." She said the NSA engages with partners at a "rapid" speed to share information. Acting in the cyber world "is part of our daily life," Hartman said. "What we see with adversaries is they will execute broad-scale operations," he added, referencing Russia's role in last year's SolarWinds hack.
The intrusion, believed to be carried out by Russia, involved software from SolarWinds, which makes IT management tools, that had been adulterated or "trojanized" with a vulnerability that could be exploited by hackers to steal information, manipulate systems or plant trap doors and other exploits for future use. It gained access to nine government agencies. "They executed operations against thousands of targets, ultimately to provide them access and to use that access for future operations," he said in reference to the attack. "Cyberspace is the one domain that changes on a daily basis," he said. "And our adversaries pay attention to that. We need to pay attention to it. And as I think you're aware, when a vulnerability is identified, the quicker we are able to mitigate that vulnerability, the safer you are at home on your personal computer and the safer we are as a nation. But again, it is dynamic and it changes daily."

 

The U.S. Department of Justice has unsealed charges against two Iranian nationals for cyberattacks against the U.S. 2020 presidential campaign, and there’s a $10 million reward offered for information on their activities. The two men, Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, allegedly stole voter information and engaged in intimidation and disinformation aimed at undermining confidence in the election, according to a newly unsealed indictment. The Department of Justice identified the two as contractors for Iran-based cybersecurity company Emennet Pasargad, formerly Eleyanet Gostar, reportedly a known vendor for the Iranian government. Kazemi and Kashian allegedly breached at least one state election website and attempted to access 11 others, sent threatening emails to voters, distributed a disinformation video about election infrastructure vulnerabilities, and gained access to a U.S. media company’s network, according to law enforcement. “As alleged, Kazemi and Kashian were part of a coordinated conspiracy in which Iranian hackers sought to undermine faith and confidence in the U.S. presidential election,” U.S. Attorney Damian Williams for the Southern District of New York said in a statement. “Working with others, Kazemi and Kashian accessed voter information from at least one state’s voter database, threatened U.S. voters via email, and even disseminated a fictitious video that purported to depict actors fabricating overseas ballots.”

 

Threat actors are hacking Microsoft Exchange servers using ProxyShell and ProxyLogon exploits to distribute malware and bypass detection using stolen internal reply-chain emails. When threat actors conduct malicious email campaigns, the hardest part is tricking users into trusting the sender enough to open linked or attached malware-distributing files. Trend Micro researchers have discovered an interesting tactic of distributing malicious email to a company's internal users using the victim's compromised Microsoft Exchange servers. The actors behind this attack are believed to be 'TR', a known threat actor who distributes emails with malicious attachments that drop malware, including Qbot, IcedID, Cobalt Strike, and SquirrelWaffle payloads. As a way to trick corporate targets into opening malicious attachments, the threat actor exploits Microsoft Exchange servers using the ProxyShell and ProxyLogon vulnerabilities. The threat actors then use these compromised Exchange servers to reply to the company's internal emails in reply-chain attacks containing links to malicious documents that install various malware.

 

Sky, a U.K. broadband provider, left about 6 million customers’ underbellies exposed to attackers who could remotely sink their fangs into their home networks: a nice, soft attack surface left that way for nearly 18 months as the company tried to fix a DNS rebinding vulnerability in customers’ routers. Pen Test Partners reported the problem to Sky Broadband – a broadband service offered by Sky UK in the United Kingdom – on May 11, 2020 … and then chased Sky for a repeatedly postponed update, the security firm said in a post. The flaw could have affected customers who hadn’t changed the default admin password on their routers. As well, non-default credentials could have been brute-forced, according to Pen Test Partners. The vulnerability has now been fixed.

