03/02/22

Critical Infrastructure Daily Brief

Statewide Terrorism & Intelligence Center

February 3, 2022

 

**UNCLASSIFIED**

(U) STIC is providing this information to our partner agencies for situational awareness. This document contains information obtained from open sources. While STIC has gone to great lengths to verify the information found in open source documents on the internet, this information may not be accurate.

 

Situational Awareness

Top security officials in Chicago convened a late-day meeting Wednesday with downtown business officials to discuss concerns about the imminent release of the former Chicago Police Officer who killed Laquan McDonald. Jason Van Dyke has been hustled away from jail previously, when he bonded out after murder charges were first filed. A similar look is expected Thursday. City officials held a security check on the phone with concerned business owners and downtown stakeholders to discuss planned protests. There have been protests and demonstrations at various times since the CPD video of Van Dyke was released, showing him firing 16 times on Laquan McDonald, killing the Black teenager who was carrying a knife while walking away from police.

 

Six "tech savvy" juveniles have been identified as persons of interest by the FBI in threats to historically Black colleges and universities that appear to be racially motivated. More than a dozen historically Black colleges and universities received bomb threats on Tuesday, the first day of Black History Month. A law enforcement official says the FBI has identified six persons of interest around the country, all juveniles, who are suspected of making the threats. The official says they appear to be “tech savvy,” using sophisticated methods to try to disguise the source of the threats, which appear to have a racist motivation.

 

A suspect has been apprehended after a shooting aboard a Greyhound bus in Northern California on Wednesday night left one person dead and several others wounded, authorities said. Five people were shot aboard the bus, including the person who died, Oroville mayor Chuck Reynolds told CNN. The Oroville Police Department and Butte County Sheriff's Office responded to 911 calls at around 7:35 p.m. about a shooting taking place inside a bus located outside a convenience store, according to a Butte County Sheriff's Office statement. Officers arrived to find several people with gunshot wounds, according to police. One person was pronounced dead at the scene and others were transported to local hospitals, the office said. The suspect fled the scene before law enforcement arrived, but the Oroville Police Department received additional 911 calls reporting the suspect was inside a nearby Walmart, police said. At the store, officers located the suspect as well as evidence connecting them to the shooting, the sheriff's office said. The suspect was taken into custody and brought to the Butte County Jail, according to the statement.

 

Cybersecurity

Microsoft has detailed the evolution of a relatively new piece of Mac malware called UpdateAgent that started out stealing system information in late 2020 but has morphed into a tool for delivering adware and potentially other threats. One of UpdateAgent's newest and most potent features is the ability to bypass Apple's built-in Gatekeeper system that is meant to allow only trusted, signed apps to run on Macs. Microsoft flagged the malware now as it appears to be under continuous development. Today, it installs an "unusually persistent" adware threat called Adload, but Microsoft cautions it could be used to distribute other more dangerous payloads in future. For example, Microsoft found its makers host additional payloads on Amazon Web Services' S3 and CloudFront services. 

 

The rising adoption of multi-factor authentication (MFA) for online accounts pushes phishing actors to use more sophisticated solutions to continue their malicious operations, most notably reverse-proxy tools. The COVID-19 pandemic has changed the way people work forever, proving that it's possible and sometimes even preferable to work from home. This has increased security risks for companies, many of which can be mitigated by using MFA to protect their employees' accounts. Even Google, a key internet services provider, has recently decided to enforce two-factor authentication (2FA) on all Google accounts through a staged auto-enrollment process. With MFA, a user must provide a second authentication factor apart from their account's password to access it. This factor can be a one-time code sent via SMS or email, a token, or a unique cryptographic key. This additional step creates a practical problem for phishing actors, as stealing the account credentials is no longer enough for them to assume control of the accounts.

 

The Homeland Security Department is establishing a Cyber Safety Review Board that will convene after major cyber events to review and act on them, according to a Federal Register notice scheduled for publication Thursday. The Federal Register notice brings to fruition an idea long circulated among cybersecurity policymakers and thinkers, one set in motion by an executive order President Joe Biden signed in May 2021. The idea is to mimic the National Transportation Safety Board that reviews civil aviation accidents. The board (CSRB) will have no more than 20 members, with one each required from DHS, its Cybersecurity and Infrastructure Security Agency, the Department of Justice, the National Security Agency and the FBI. The DHS undersecretary for strategy, policy and plans — a post held by Rob Silvers — will serve as the inaugural two-year chair. It will kick into effect when an incident prompts formation of a Cyber Unified Coordination Group, a National Security Council-established organization for unifying government response to cyber incidents such as those that hit critical infrastructure owners and operators. The 2020 SolarWinds breach, which caused the compromise of both federal agencies and major tech companies, led to a public announcement of a coordination group forming. Alternately, the secretary of DHS or leader of CISA can initiate a meeting of the CSRB.

 

More than 1,300 malicious packages have been identified in the most oft-downloaded JavaScript package repository used by developers, npm, in the last six months — a rapid increase that showcases how npm has become a launchpad for a range of nefarious activities. New research from open-source security and management firm WhiteSource has discovered the disturbing increase in the delivery of malicious npm packages, which are used as building blocks for web applications. Any app using a malicious code block could be serving up data theft, cryptojacking, botnet delivery and more to its users. Out of the malicious packages found, 14 percent were designed to steal sensitive information like credentials, while nearly 82 percent of those packages were performing “reconnaissance,” which involved adversaries actively or passively gathering information that can be used to support targeting, the firm said. Because npm packages in general are being downloaded upwards of 20 billion times a week, and thus installed across countless web-facing components of software and applications across the world, exploiting them means a sizeable playing field for attackers, researchers said in their Wednesday report. An average of 32,000 new npm package versions are published every month (17,000 daily), and a full 68 percent of developers depend upon it to create rich online functionality, according to WhiteSource. That level of activity enables threat actors to launch a number of software supply-chain attacks, researchers said. Accordingly, WhiteSource investigated malicious activity in npm, identifying more than 1,300 malicious packages in 2021 — which were subsequently removed, but may have been brought into any number of applications before they were taken down. “Attackers are focusing more efforts on using npm for their own nefarious purposes and targeting the software supply chain using npm,” they wrote in the report. “In these supply-chain attacks, adversaries are shifting their attacks upstream by infecting existing components that are distributed downstream and installed potentially millions of times.” To boot, with so many npm packages being released monthly, it’s also easy for some vulnerabilities to slip through the cracks, researchers noted.

 

Energy

A triple whammy of sleet, snow and ice has bombarded more than 2,000 miles in the eastern US -- and many Americans are now stuck in the storm with no electricity. More than 100 million people in 25 states stretching from the Mexican to Canadian borders were under winter weather alerts Thursday, CNN meteorologist Monica Garrett said. By 7 a.m. ET, about 100,000 people had lost power, according to Poweroutage.us.

 

Exelon has completed the spin-off of its nuclear power plant division into a separate company. Constellation is publicly traded on the NASDAQ, and Exelon owners received one share of Constellation stock for every three shares of Exelon they own. Constellation is headquartered in Baltimore, Md. and bills itself as the nation's largest carbon-free energy producer ahead of NextEra Energy in Florida and Duke Energy in North Carolina.

 

Healthcare

This week, Health and Human Services Secretary Xavier Becerra announced the formation of the HHS Task Force to Prevent Human Trafficking, known simply as the Task Force. The Task Force will facilitate implementation of the actions HHS has committed to in President Biden's National Action Plan to Combat Human Trafficking, and the hope is that it will strengthen HHS' human trafficking prevention and intervention efforts with a focus on partnerships, equity and open data. Becerra first announced the Task Force at a January 25 meeting of Biden's Interagency Task Force to Monitor and Combat Trafficking in Persons – a cabinet-level entity of 20 federal agencies responsible for coordinating U.S. government-wide efforts to combat human trafficking. The Administration for Children and Families and the Office of the Assistant Secretary for Health will lead the Task Force at HHS, which will be comprised of experts from across the department, HHS said. According to the American Public Health Association, the health system plays an important role in identifying and treating victims of human trafficking. Estimates show that approximately 80% of human trafficking victims are women, and healthcare providers are often the first professionals to have contact with trafficked women and girls. One study found that close to 50% of trafficked individuals saw a healthcare professional during their exploitation. Human trafficking is a public health concern that affects individuals, families and entire communities across generations, according to the Administration for Children and Families, part of HHS. Human trafficking disproportionally affects many of the communities HHS serves, the agency said. These communities include – but are not limited to – youth and adults experiencing homelessness and domestic violence, people in eldercare systems, unaccompanied children and refugees, Indigenous communities, those with a prior history of substance abuse, and other populations that, in HHS' view, have been systematically marginalized. Part of the work of the Task Force will be to figure out how to better reach affected communities where they are. Along with federal, state, local and public-private partners, the Task Force will work to scale models to prevent human trafficking – particularly in the high-need areas of housing, mental health and substance use, and economic mobility. The Task Force will also integrate an "equity lens" into new public awareness strategies to better reach populations at disproportionate risk for human trafficking, HHS said. Finally, the Task Force will partner with the research and business communities to analyze data on human trafficking and prevent it in healthcare supply chains.

 
