01/12/21

Critical Infrastructure Daily Brief

Statewide Terrorism & Intelligence Center

**UNCLASSIFIED**

(U) STIC is providing this information to our partner agencies for situational awareness. This document contains information obtained from open source information. While STIC has gone to great lengths to verify the information found in open source documents on the internet, this information may not be accurate.


Situational Awareness

First responders rescued a man from a trench that collapsed around him Monday at a worksite in Dupo, Illinois. The man was a contractor working on a sewer system within Union Pacific’s rail yard near Carondelet Avenue. He became trapped up to his neck after the walls of the trench collapsed just before noon. Crews worked until about 3 p.m. to free the man, who was airlifted to Saint Louis University Hospital. Herb Simmons, the director for the St. Clair County Emergency Management Agency, credited first responders for working diligently and carefully throughout the rescue. “You can’t just go in there and start grabbing,” said Simmons. “You’ve got the possibility of more ground collapsing around him or the rescuers. It takes time, and that’s why these men and women spend hours and hours of training. It takes time, and that’s why this turned out as good as it did.” The man was alert and talking to first responders as they transported him to the hospital.


Testimony is set to begin Tuesday in the trial of former “Empire” actor Jussie Smollett, who prosecutors say staged a homophobic and racist attack in Chicago but whose defense attorney says is a “real victim” of a “real crime.” Smollett’s attorney says there has been a “tremendous rush to judgment” by the police in the case, and because of it, his client’s career and reputation are damaged. Smollett is charged with felony disorderly conduct after allegedly arranging a hate crime against himself in January 2019. Smollett claims he was attacked by strangers who used homophobic and racial slurs then put a noose around his neck.


Cybersecurity

Cybersecurity researchers on Tuesday disclosed multiple security flaws affecting 150 different multifunction printers (MFPs) from HP Inc that could be potentially abused by an adversary to take control of vulnerable devices, pilfer sensitive information, and infiltrate enterprise networks to mount other attacks. The two weaknesses — collectively called Printing Shellz — were discovered and reported to HP by F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev on April 29, 2021, prompting the PC maker to issue patches earlier this month. "The flaws are in the unit's communications board and font parser," Hirvonen and Bolshev said. "An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely. A successful attack will allow an adversary to achieve various objectives, including stealing information or using the compromised machine as a beachhead for future attacks against an organization." CVE-2021-39238's critical severity rating also stems from the fact that the vulnerability is wormable, meaning it could be exploited to self-propagate to other MFPs on the compromised network.


An unpatched Windows security vulnerability could allow information disclosure and local privilege escalation (LPE), researchers have warned. The issue (CVE-2021-24084) has yet to get an official fix, making it a zero-day bug – but a micropatch has been rolled out as a stop-gap measure. Security researcher Abdelhamid Naceri originally reported the vulnerability as an information-disclosure issue in October 2020, via Trend Micro’s Zero-Day Initiative (ZDI). Though Microsoft had told him it was planning a fix for last April, the patch has not yet been forthcoming. Then, this month, Naceri discovered that CVE-2021-24084 could also be exploited for LPE, so that non-admin Windows users can read arbitrary files even if they do not have permissions to do so. In a proof-of-concept exploit, he demonstrated that it’s possible to copy files from a chosen location into a Cabinet (.CAB) archive that the user can then open and read.


An under-the-radar ransomware group that’s been attacking schools, hospitals and other critical infrastructure has tried to cover its tracks by rebranding, according to findings from researchers at Mandiant. Sabbath, a rebrand of the ransomware group Arcane, “is unfortunately not slowing down” in its attacks, Tyler McLellan, principal analyst at Mandiant, said in a statement. “They picked up their pace right into November 2021, when its public shaming portal mysteriously went offline.” Researchers first caught onto Sabbath in October, when it held the data of a Texas school district for ransom. Interestingly, the group turned to the social media platform Reddit to make its ransom demand. Ransomware gangs often host their own websites where they shame victims and threaten to leak data. Sabbath eventually launched its own victim site, which researchers found nearly identical to that of a formerly active group that went by the name Arcane. The two groups also shared infrastructure, according to a Mandiant blog post Monday. In mid-November alone, the group added six victims to its public extortion website in the span of two days. It has been able to largely fly under the radar thanks to its constant rebranding and less-prominent victims, Mandiant researchers say.
