NJCCIC 2023 Key Cybersecurity Takeaways

Throughout 2023, cyberattacks affected organizations, governments, businesses, and private residents in New Jersey, resulting in monetary loss, degradation and interruption of services and resources, reputational damage, exposure of sensitive information, emotional distress, and more. In an era dominated by digital connectivity, the importance of cybersecurity cannot be overstated. Reflecting on the evolving threat landscape is crucial as we approach the end of the year.
Geopolitical Tensions
2023 has been marked by heightened geopolitical unrest. Nation-state threat actors carry out cyberattacks to advance their political and economic interests and influence, threatening critical information, services, and information systems, as well as public health and safety. This year, the Russia-Ukraine war entered its second year, and hacktivist groups supporting Russia’s invasion of Ukraine launched distributed denial-of-service (DDoS) attacks against targets across the United States. In the fall, armed conflict broke out between Israel and the Hamas militant group. These events triggered an uptick in cyberattacks against critical infrastructure sectors globally, including in the United States, as nation-states sought to destabilize their adversaries.
In November, water and wastewater utilities nationwide were targeted in a series of cyberattacks attributed to CyberAv3ngers, an Iranian-backed advanced persistent threat (APT) group. In these incidents, the threat actors compromised Unitronics programmable logic controllers (PLCs) used mainly in the Water and Wastewater sector but also deployed in other industries, including energy, food and beverage manufacturing, and healthcare. CISA’s advisory on the incidents noted that the affected PLCs were reachable from the internet and were still configured with the vendor’s default password, so no exploit beyond a login was needed. CyberAv3ngers claimed responsibility for over a dozen cyberattacks launched since October 30, stating that they targeted Unitronics because it is Israeli-made and that “Every equipment ‘made in Israel’ is CyberAv3ngers legal target.”
The Energy and Defense sectors were also recently impacted when IntelBroker, an initial access broker known for targeting US government agencies, launched a cyberattack against General Electric (GE), which has divisions in the power, renewable energy, and aerospace industries. The threat actor claimed to have exfiltrated sensitive Defense Advanced Research Projects Agency (DARPA) data, which it said included classified material on weapons programs and artificial intelligence (AI) research.
As geopolitical tensions intensify, cyber threat tactics shift noticeably, and cyberattacks attributed to state-aligned APT groups have surged. APT28, a Russian threat group with ties to the General Staff Main Intelligence Directorate (GRU), leveraged a Microsoft Outlook zero-day identified as CVE-2023-23397 to target critical infrastructure in NATO countries; the flaw is triggered by a crafted calendar item and leaks the victim’s Net-NTLMv2 hash without any user interaction, which is why restricting outbound SMB (TCP 445) is part of the recommended mitigation. Additionally, nearly two dozen critical infrastructure organizations across the United States were compromised by threat actors affiliated with the Chinese People’s Liberation Army (PLA) within the past 12 months. Notably, military and communications networks on Guam were targeted in a string of attacks attributed to Volt Typhoon, a Chinese state-sponsored APT group.
Ransomware Evolution
Ransomware attacks underwent a notable evolution in 2023, demonstrating a higher level of sophistication and a more calculated approach by cybercriminals. The current ransomware landscape is characterized by highly organized criminal groups that employ sophisticated techniques and tactics. Rather than indiscriminate attacks, threat actors focused on strategic targets, including critical infrastructure networks and high-profile organizations.
The Healthcare and Public Health (HPH) sector has been heavily targeted with ransomware throughout the year. Most recently, Hackensack Meridian Health and Mountainside Hospital in Montclair, both in New Jersey, were impacted after Ardent, a healthcare services provider based in Tennessee, suffered a ransomware attack. Ardent operates roughly 30 hospitals and over 200 facilities across six US states.
Ransomware groups are increasingly leveraging vulnerabilities to gain initial access to targeted networks. Nearly a third of ransomware attacks in the first half of 2023 were launched by exploiting vulnerabilities, and zero-day exploitation has increased globally. The NJCCIC observed patterns in which APT groups rapidly developed and deployed exploits for vulnerabilities, such as Citrix Bleed, to target public and private NJ organizations effectively. Tracked as CVE-2023-4966, the Citrix Bleed vulnerability allows threat actors to obtain valid session tokens from the memory of internet-facing NetScaler devices. A stolen token can be used to hijack the active session and bypass authentication, including multi-factor authentication (MFA), to gain unauthorized access, steal data, and launch ransomware attacks. Because a stolen token remains valid until the session expires or is revoked, patching alone does not evict an attacker who already holds one; Citrix advised terminating all active and persistent sessions after applying the update. Researchers determined that the vulnerability has been exploited since at least August 2023 and by at least six cyber threat groups.
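The practical consequence of token theft described above is that the same session token shows up from a client that did not establish it. The following is an added example, not code from the NJCCIC page or from Citrix: it runs a simple session-reuse check over a constructed access log. The log format, field names, IP addresses, and user-agent strings are all assumptions made for the example; a real NetScaler log would need its own parser.

```python
"""Flag gateway sessions whose token is replayed from a different client.

Added example, not NJCCIC or Citrix code. It models the post-exploitation
phase of session-token theft: a token minted for one client reappears from
another source IP / user agent. Log format and sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed log format: <timestamp> sid=<token> ip=<client> ua="<agent>" path=<url>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)

# Constructed sample: session a1b2c3 is established by one client and then
# replayed by a scripted client from a different address.
SAMPLE_LOG = """\
2023-10-12T09:00:01Z sid=a1b2c3 ip=203.0.113.10 ua="Citrix Workspace/23.9" path=/cgi/login
2023-10-12T09:03:14Z sid=a1b2c3 ip=203.0.113.10 ua="Citrix Workspace/23.9" path=/cgi/selfauth
2023-10-12T09:07:45Z sid=a1b2c3 ip=198.51.100.77 ua="python-requests/2.31" path=/cgi/selfauth
2023-10-12T09:08:02Z sid=d4e5f6 ip=192.0.2.25 ua="Citrix Workspace/23.9" path=/cgi/login
2023-10-12T09:09:30Z sid=d4e5f6 ip=192.0.2.25 ua="Citrix Workspace/23.9" path=/cgi/selfauth
"""


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_hijacked_sessions(log_text):
    """Return {session_id: [(ip, ua) of the establishing client, then each
    distinct other client seen using the same token]} for every session
    whose token appears from a client other than the one that created it.
    Sessions used by a single client are not reported."""
    first_seen = {}                 # sid -> (ip, ua) that created the session
    others = defaultdict(list)      # sid -> distinct foreign clients, in order
    for rec in parse(log_text):
        sid, client = rec["sid"], (rec["ip"], rec["ua"])
        if sid not in first_seen:
            first_seen[sid] = client
        elif client != first_seen[sid] and client not in others[sid]:
            others[sid].append(client)
    return {sid: [first_seen[sid]] + seen for sid, seen in others.items()}


if __name__ == "__main__":
    for sid, clients in find_hijacked_sessions(SAMPLE_LOG).items():
        print(sid, "established by", clients[0], "also used by", clients[1:])
```

A client IP change alone will produce false positives for mobile users, so in practice weight the user-agent change and the time gap as well; the point of the check is that after patching, any token still being used from a second client should be revoked rather than trusted.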
Earlier this year, the Cl0p ransomware group exploited a SQL injection vulnerability, CVE-2023-34362, found in Progress Software’s MOVEit Transfer file transfer solution, which allowed them to access the underlying database. Organizations impacted by the attacks include governments, financial institutions, educational organizations, medical facilities, and more. The number of victims affected by the MOVEit vulnerability has surged to an estimated 2,120 organizations, which equates to an impact of roughly 62 million individuals as of September.
AI and Machine Learning
While neither is a new concept, artificial intelligence (AI) and machine learning (ML) became household conversation starters in 2023. The introduction of ChatGPT in November 2022 ignited the public’s interest in generative AI tools and in AI and ML as a whole. As with many technological advancements, there is the potential for significant benefits to society alongside the risk of misuse by adversaries.
Regarding cybersecurity, AI and ML offer both offensive and defensive capabilities. Attackers have increasingly harnessed AI and ML techniques to automate tasks, adapt to evolving defenses, and launch more sophisticated and targeted attacks. AI-powered tools can also identify vulnerabilities to exploit, automate phishing, and optimize social engineering lures. On the defensive side, AI and ML help identify and mitigate threats by detecting anomalous behavior, responding to attacks automatically in real time, reducing false positives and false negatives, and offering greater scalability and cost savings. Generative AI can assist network defenders in drafting detection rules for security tools to identify and block malicious network traffic, although such rules still need to be tested against known-good traffic before deployment. More broadly, generative AI can absorb mundane tasks, freeing staff to focus on more complex responsibilities.
Nation-states are likely to adopt AI technology widely to advance their economic standing and influence. Malicious use of AI, such as deepfake technology, will be increasingly embraced by nation-states and non-governmental groups alike. Notable improvements in deepfake technology have increased its believability, making it more difficult for the general public to distinguish real images and videos from synthetic ones. Adversaries will use this technology in disinformation campaigns to sow unrest and undermine governments and organizations.

Resources
 
Cybersecurity for Critical Infrastructure
Cybersecurity for Small & Medium-Sized Businesses
Cybersecurity Best Practices
Ransomware: Risk Mitigation Strategies
Increase in State-Sponsored and State-Aligned Cyberattacks
Seeing AI to AI: Artificial Intelligence and its Impact on Cybersecurity
ChatGPT and Its Impact on Cybersecurity
Is Seeing Believing? A Look into Deepfakes
 
 
Verizon Wireless Impersonation Scams
 
Over the past month, threat actors increased efforts to target Verizon Wireless cellphone subscribers with social engineering, impersonating Verizon Wireless technical support and fraud agents and using spoofed Verizon Wireless phone numbers and SMS text messages. In one example, threat actors contact the target and claim that the account has been compromised and used to attempt phone purchases. Because the account is supposedly on hold due to the compromise and a failed autopayment, they try to convince the target to make a payment through Zelle; if the target pays, both personal information and the funds are stolen.
 
In another campaign, the threat actors informed the target that someone had tried to purchase thousands of dollars’ worth of Verizon merchandise. They advised the target to change their password, a step that gave the threat actors access to the account, including the bank account information stored for autopay. They also claimed they had to migrate the account to another platform and issue a charge. Once the target became suspicious, the threat actors threatened to lock their phones, and they did so; the real Verizon Wireless was later able to reactivate the phones. In a similar campaign, threat actors claimed the target’s account was locked for security purposes and sent the target a temporary password. They further claimed they had to migrate the phone service to a new platform and that the account was suspended. The target was asked to resubmit two Zelle payments from their bank account to reinstate it, which the threat actors promised to transfer back into the target’s account immediately.
 
Threat actors may also claim there is suspicious activity on the account and that someone is trying to add two phone lines to the account. The threat actors advise the target that they need to transfer the phone lines to another platform and assign a new account number, and the target needs to make a payment in the exact amount of the last Verizon Wireless payment, which would be transferred back to the account. Additionally, they claim Verizon Wireless has a new policy of not utilizing or sharing bank or credit card information, instead advising the target to submit payment through Zelle.
 
In a separate campaign, threat actors notified the target that the account had been flagged for suspicious activity because several iPhones had been purchased and shipped to multiple addresses, including the home address on file. The threat actors read back the addresses and asked whether the target had made the purchases; the target said no. They claimed they could not stop the shipment because it had already left the warehouse and that the target would be charged for the phones unless they were returned. The target again said no and asked to reroute the one package to the home address. The target then received an SMS text message with an authorization code and shared it with the threat actors. That code is the one-time verification the carrier issues to approve account changes, so sharing it handed the actors exactly the step they could not complete on their own; a legitimate agent will never ask a customer to read one back.

Bank Impersonation Scams Blog From NJCCIC

Threat actors continue to research their targets, impersonate trusted entities, and initiate communications through email, phone calls, and SMS text messaging to convince them to take action, such as divulging information or transferring funds. In bank impersonation scams, threat actors seek personal information, account numbers, passwords, and PINs. If threat actors gain access to bank accounts, they can update personal and financial information. They can also set up fictitious travel notices or memos so that spending outside the victim’s normal location evades detection. Furthermore, threat actors test accounts to see whether they are being monitored: if a fraudulent transaction goes unnoticed, they perform additional transactions. Despite banks using Early Warning Services to help fight bank fraud, bank impersonation scams are increasing. The Federal Trade Commission (FTC) reported that bank impersonation was the top reported text message scam in 2022, and that reports of this scam increased nearly twentyfold since 2019. The major banks most often impersonated included Bank of America, Wells Fargo, Chase, and Citibank.
The NJCCIC observed multiple emails sent to New Jersey State employees attempting to lure potential victims with urgent bank account notifications in order to capture login credentials. In one such example, the email conveys a sense of legitimacy by using stolen Bank of America branding. Upon closer inspection, however, the display name is spoofed as “Bank of America Alert,” while the sender’s address, iolevron5886[@]live[.]com, belongs to a Microsoft Live.com account and not to a Bank of America domain. The purported account verification notice warns of temporarily limited account access due to unauthorized login attempts or billing failures.
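The tell in the example above is a display name that names a bank while the address domain does not belong to that bank. The following is an added example, not NJCCIC tooling: it parses a From header and flags exactly that mismatch. The sender address is the one quoted in the text; the brand-to-domain table and the other sample headers are constructed for the illustration and are not a complete list of any bank’s legitimate sending domains.

```python
"""Flag From headers whose display name claims a bank but whose address
domain is not one of that bank's.

Added example, not NJCCIC tooling. The brand-to-domain table below is a
constructed, incomplete allow-list used only to illustrate the check.
"""
import re
from email.utils import parseaddr

# Constructed allow-list: brand name -> domains it legitimately sends from.
BRAND_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
    "wells fargo": {"wellsfargo.com"},
    "chase": {"chase.com"},
    "citibank": {"citi.com", "citibank.com"},
}


def sender_domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def domain_matches(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from_header(from_header):
    """Return (brand, domain) when the display name mentions a known brand as
    a whole word but the address domain is not one of that brand's domains.
    Return None when no brand is claimed or the domain checks out."""
    name, addr = parseaddr(from_header)
    lname, domain = name.lower(), sender_domain(addr)
    for brand, allowed in BRAND_DOMAINS.items():
        # Word boundaries stop "chase" from matching inside "purchase".
        if re.search(r"\b" + re.escape(brand) + r"\b", lname) and not domain_matches(domain, allowed):
            return brand, domain
    return None


# Constructed samples; the first reuses the address quoted in the text.
SAMPLES = [
    '"Bank of America Alert" <iolevron5886@live.com>',
    '"Bank of America" <alerts@ealerts.bankofamerica.com>',
    '"Your Purchase Receipt" <orders@example.org>',
]


if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from_header(header) or "ok")
```

A real deployment would combine this with the SPF, DKIM, and DMARC results from the Authentication-Results header, since an attacker who controls a lookalike domain can pass a name-versus-domain check while still failing alignment with the impersonated brand.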

Microsoft Discovery Day: Get Ready for the New Way of Work

AI has the potential to enhance productivity, increase innovation, and grow skills in incredible new ways. Join us at Microsoft Discovery Day: Get Ready for the New Way of Work, a free half-day event, and learn how to use AI to fulfill your vision of secure productivity and limitless innovation while reducing costs, reigniting creativity, and generating efficiencies. View real-life use cases and demonstrations showcasing how Microsoft 365 and Copilot help bring powerful productivity to workers, implement zero-trust security models, and improve experiences through flexible endpoint management. You’ll have the opportunity to:
  • See how Copilot allows employees to work securely and efficiently from anywhere on any device.
  • Learn how to build a zero-trust security model that secures identities, devices, and apps while protecting and defending against threats to your business.
  • Discover how Copilot helps enhance creativity and provide greater opportunities for innovation.
Space is limited. Register for free today. Thursday, January 18, 2024, 1:00 – 3:00 PM (GMT-05:00)
 
 

Microsoft.Source newsletter

What’s New
Blog Microsoft Ignite 2023 round up > Check out this collection of Ignite announcements and blogs from across the Microsoft Technology Community. (English only)  
Blog GitHub Universe 2023: Key developer takeaways > Catch up on Universe 2023 announcements including general availability of GitHub Copilot Chat and new AI-powered security features. (English only)  
Blog What’s new in ASP.NET Core 8.0 > Learn about the most significant changes in ASP.NET Core 8.0.  
Events See local events >
On demand GitHub Copilot and AI for Developers / On demand > Join Scott Hanselman as he dissects AI’s potential and pitfalls in development in this on demand session from Microsoft Ignite  
On demand Deploying Microsoft Dev Box inside Microsoft / On demand > Learn how to best deploy, manage, and use Microsoft Dev Box.  
Virtual Ask an Azure AI SME series / Starts Jan 17 / Online > Ask experts questions on topics ranging from data science, generative AI, MLOps, responsible AI and more. (English Only)  
On demand Quantum Innovator webinar series / On demand > Get a firsthand account of the Microsoft strategy for scaled quantum computing.  
In person Microsoft Community Days > Find, participate and run community events in any area. These events are supported by Microsoft and Partners.  
Learning
Cloud Skills Challenge Microsoft Ignite Cloud Skills Challenge > Complete the challenge and enter to win a VIP event pass for the next Microsoft Ignite or Microsoft Build! The challenge is on through January 15, 2024.  
Video Learn .NET for free > Free tutorials, videos, courses, and more for beginners and advanced .NET developers.  
Challenge Project Build a minigame with GitHub Copilot and Python > Learn to analyze, create, and use different methods to develop a console minigame in Python with GitHub Codespaces and Copilot.  

Upcoming Webinar: What’s in Store for NIST’s Small Business Cybersecurity Program in 2024?

Event Date: January 10, 2024

Event Time: 2:00 p.m. to 2:45 p.m. ET

Event Location: Virtual

Event Description:

We’re ringing in the New Year by giving you a sneak peek into what the NIST Small Business Cybersecurity Program has planned for 2024. During this webinar, we’ll:

  • Introduce you to the new NIST Lead for Small Business Engagement.
  • Provide an overview of upcoming small business cybersecurity events.
  • Launch our two new NIST Small Business Cybersecurity Community of Interest (COI) sub-groups:
    • COI for Small Business Owners/Operators.
    • COI for Small Business Vendors and Resource Partners.
    • Learn more about each and sign up here.
  • Provide a teaser of what’s coming the rest of the year.
  • Answer your questions/receive your input.

Speaker: Daniel Eliot, Lead for Small Business Engagement, Applied Cybersecurity Division, NIST


FBI, CISA, and ASD’s ACSC Release Advisory on Play Ransomware

Today, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Play Ransomware, to disseminate Play ransomware group’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified through FBI investigations as recently as October 2023.

Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia.

FBI, CISA, and the ASD’s ACSC encourage organizations to review and implement the recommendations provided in the joint CSA to reduce the likelihood and impact of Play and other ransomware incidents. For more information, see CISA’s #StopRansomware webpage, which includes the updated #StopRansomware Guide.

#StopRansomware: Play Ransomware

This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint CSA to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as October 2023. 
Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.
In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.
The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. The Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions; however, victims are instructed to contact the threat actors via email.
The FBI, CISA, and ASD’s ACSC encourage organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of ransomware incidents. Recommendations include requiring multi-factor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and firmware up to date.

CISA and FBI Release Advisory on ALPHV Blackcat Affiliates

Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), #StopRansomware: ALPHV Blackcat, to disseminate known ALPHV Blackcat affiliates’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified through FBI investigations as recently as Dec. 6, 2023. The advisory also provides updates to the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise released April 19, 2022.

ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations. FBI investigations, as of September 2023, place the number of compromised entities at over 1000—over half of which are in the United States and approximately 250 outside the United States.

CISA and FBI encourage critical infrastructure organizations to review and implement the mitigations provided in the joint CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents. For more information, see CISA’s #StopRansomware webpage, which includes the updated #StopRansomware Guide.

Collaborators Announced for NCCoE Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector Project

The NCCoE has invited technology providers and industry experts from Amazon Web Services, Cisco, Dragos, Garland Technologies, Inductive Automation, QCOR, Rockwell Automation, Siemens, TDI Technologies, and Tenable to collaborate on the Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector project.

These collaborators will work with the NCCoE project team to demonstrate a practical solution to assist organizations in detecting, responding, and recovering from a cyber incident within an operational technology environment.

The result will be a freely available NIST Cybersecurity Practice Guide that includes a reference design and a detailed description of the practical steps needed to implement the solution based on the NIST Cybersecurity Framework and industry standards and best practices.

Each of these organizations responded to a notice in the Federal Register to submit capabilities that aligned with desired solution characteristics for the project. The accepted collaborators were extended a Cooperative Research and Development Agreement, enabling them to participate in a consortium in which they will contribute expertise and hardware or software to help refine a reference design and build example standards-based solutions.

To learn more about this project, visit our project page.


NIST Calls for Information to Support Safe, Secure and Trustworthy Development and Use of Artificial Intelligence

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has issued a Request for Information (RFI) to assist in implementing its responsibilities under the recent Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI). The order directs NIST to develop guidelines for evaluation, red-teaming and more; facilitate development of consensus-based standards; and provide testing environments for the evaluation of AI systems. These guidelines and infrastructure will be a resource to help the AI community in the safe and trustworthy development and responsible use of AI. “President Biden has been clear — AI is the defining technology of our generation, and we have an obligation to harness the power of AI for good while protecting people from its risks. As part of the president’s Executive Order, the Department of Commerce is soliciting feedback across industry, academia, civil society and more so we can develop industry standards around AI safety, security, and trust that will enable America to continue leading the world in the responsible development and use of this rapidly evolving technology,” said U.S. Secretary of Commerce Gina Raimondo.