Cybersecurity Snapshot: EPA Urges Water Plants To Boost Cybersecurity, as OpenSSF Launches Threat Intel Platform for Open Source Software

Check out the EPA’s call for water plants to beef up their cyber defenses. Plus, open source developers have a new platform to share threat intelligence. Moreover, business email compromise attacks prompt alert from U.K.’s cyber agency. And CISA tackles DNS encryption best practices. And much more!

Dive into six things that are top of mind for the week ending May 24.

1 - EPA to dial up enforcement of cyber requirements for water systems

The U.S. government is urging water plants to boost their cybersecurity in accordance with federal law, as hackers increasingly target these critical infrastructure organizations.

More than 70% of U.S. water systems don’t fully comply with the cybersecurity requirements of the Safe Drinking Water Act, according to recent inspections by the U.S. Environmental Protection Agency (EPA). This prompted the EPA to issue an “enforcement alert” this week.

“Protecting our nation’s drinking water is a cornerstone of EPA’s mission, and we are committed to using every tool, including our enforcement authorities, to ensure that our nation’s drinking water is protected from cyberattacks,” EPA Deputy Administrator Janet McCabe said in a statement.

Among the actions the EPA is urging water plants to take immediately are:

• Reduce exposure to vulnerabilities
• Make regular cybersecurity assessments
• Change default passwords
• Inventory all operational technology (OT) and IT assets and back them up
• Provide cybersecurity training to the staff

To get more details, read:

• The announcement “EPA Outlines Enforcement Measures to Help Prevent Cybersecurity Attacks and Protect the Nation’s Drinking Water”
• The enforcement alert “Drinking Water Systems to Address Cybersecurity Vulnerabilities”
• The fact sheet “Top Cyber Actions for Securing Water Systems”

To learn more about the threat to water systems and how to address it, check out these Tenable resources:

• “Shoring Up Water Security: Industry Leaders Testify Before Congress” (blog)
• “Protecting Public Water Systems from Cyberattacks” (solution brief)
• “Keep the Water Flowing for the DoD: Securing Operational Technology from Cyberattacks” (blog)
• “Tech Perspectives: What is the State of Cyber Risk in the Water Sector? A Q&A with Tenable’s Marty Edwards” (news article on WaterFM)
• “Enhancing Critical Infrastructure Cybersecurity for Water Utilities” (Infographic)

VIDEOS

Tenable Homeland Security Testimony 2024: Marty Edwards Opening statement

The Constant Drip: EPA Water Regulations, Funding Sources, And How Tenable Can Help (on demand webinar)

2 - New threat intel platform launched for OSS

Developers and maintainers of open source software (OSS) have a new centralized platform to share threat intelligence information and help each other boost the security of their projects.

Called Siren, the platform is hosted by the Open Source Security Foundation (OpenSSF) and aims to provide visibility into the tactics, techniques and procedures, as well as into the indicators of compromise associated with attacks targeting OSS.

“Siren is intended to be a post-disclosure means of keeping the community informed of threats and activities after the initial sharing and coordination,” OpenSSF said in a blog this week.

OpenSSF is inviting all developers and maintainers of open source projects, as well as cybersecurity enthusiasts, to join Siren.

To get more information, check out:

• The blog “Enhancing Open Source Security: Introducing Siren by OpenSSF”
• The OpenSSF Siren list

For more information about OSS security:

• “Open Source Software Security Roadmap” (CISA)
• “White House releases report on securing open-source software” (CyberScoop)
• “Securing open source software: Whose job is it, anyway?” (The Register)

VIDEO

CISA Live! Presents Open Source Software Security

3 - U.K. cyber agency issues tips on preventing BEC attacks

As business email compromise grows, the U.K. National Cyber Security Centre (NCSC) has new guidelines to prevent these attacks, in which scammers impersonate business leaders to dupe employees into transferring them money.

Here are some of the NCSC’s recommendations, aimed specifically at small and medium size businesses:

• Don’t overshare details about your company’s senior management on social media and public websites.
• Train staff to detect BEC email characteristics. Tell-tale signs include emails in which a senior leader, out of the blue, asks for an urgent payment or money transfer.
• Set up multi-factor authentication (MFA), thus reducing the chances that attackers will hijack email accounts.
• Adopt the principle of least privilege, to ensure, for example, that the ability to conduct large-scale financial transactions is limited only to the appropriate staffers.
• Establish a process in which high-value payments and transactions requested via email are also confirmed using other methods, such as a phone call or an in-person meeting.

To get more details, read:

• The NCSC blog “Business email compromise: new guidance to protect your organisation”
• The NCSC guidance “Business email compromise: defending your organisation”

For more information about BEC attacks:

• “5 ways to mitigate the risks of business email compromise attacks” (Deloitte)
• “Business Email Compromise” (FBI)
• “Business Email Compromise: What It Is and How to Prevent It” (National Cybersecurity Alliance)

4 - CISA offers guidance on encrypted DNS traffic

Looking for best practices on how to adopt DNS encryption? You might want to check out new guidelines just published for U.S. federal agencies.

The new guide “Encrypted Domain Name System (DNS) Implementation Guidance” offers DNS encryption recommendations for networks, DNS infrastructure, on-premises endpoints, cloud deployments and mobile endpoints.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) developed the document to help federal agencies understand and implement “key actions and protocols” to start encrypting DNS traffic, CISA official Eric Goldstein said in a statement.

“This guide will help agencies progress further in their zero trust security journey,” Goldstein added.

The guide includes a phased-implementation checklist, detailed implementation recommendations and vendor-specific implementation advice, including for specific web browsers, operating systems and DNS servers.

5 - SocGholish rides wave of fake update attacks

SocGholish continues reigning supreme among malware variants, with a 60% share of malware incidents in the first quarter of 2024, as attackers deploy it in fake software update campaigns.

It’s the third straight quarter in which SocGholish ranks first in the Center for Internet Security’s (CIS) quarterly list of top 10 malware, a sign of the prevalence of fake update attacks.

SocGholish, written in JavaScript, is distributed via malicious or compromised websites that peddle fraudulent software updates.

^{(Source: Center for Internet Security)}

Here’s the full list, in descending order:

• SocGholish, a downloader distributed through malicious websites that tricks users into downloading it by offering fake software updates 
• Arechclient2, a .NET RAT whose capabilities include multiple stealth functions
• CoinMiner, a cryptocurrency miner that spreads using Windows Management Instrumentation (WMI)
• NanoCore, a remote access trojan (RAT) that spreads via malspam as a malicious Excel spreadsheet
• Agent Tesla, a RAT that captures credentials, keystrokes and screenshots
• Lumma Stealer, an infostealer that focuses on swiping personally identifiable information and features multiple evasion capabilities
• Ratenjay, a RAT that's dropped by other malware, executes remote commands and has keylogging capabilities
• Jupyter, an adaptive .NET infostealer that’s highly evasive
• RogueRaticate, a downloader distributed through malicious or compromised websites using fake browser updates. 
• Gh0st, a RAT designed to control infected endpoint devices

To get more information, check out CIS’ “Top 10 Malware Q1 2024” blog report, which provides details, context and indicators of compromise for each malware strain.

For more information about fake update attacks:

• “The Fake Browser Update Scam Gets a Makeover” (Krebs on Security)
• “Atomic Stealer malware strikes macOS via fake browser updates” (Bleeping Computer)
• “Hackers Use Fake Browser Updates for AMOS Malware Attacks Targeting Mac Users” (MSSP Alert)
• “Malware crooks find an in with fake browser updates, in case real ones weren't bad enough” (The Register)
• “Hackers have been spreading malware via fake Chrome updates” (TechRadar)

VIDEO

Fake Chrome Update Malware (The PC Security Channel)

6 - 2023 was a banner year for phishers with nearly 5M attacks

Cyber scammers unleashed almost five million phishing attacks in 2023, the most ever recorded in a year, as phishers ramped up their abuse of social media platforms and voice phone calls to carry out their crimes.

That’s according to the Anti Phishing Working Group’s (APWG) “Phishing Activity Trends Report” for the fourth quarter of 2023.

Phishing actually dipped at one point in 2023, after the shutdown of the Freenom free domain-name program, which was heavily used by phishers for many years. But even with that dip, 2023 ended up being the worst on record for phishing victims.

Industries Most Targeted By Phishers, Q4 2023

^{(Source: Anti Phishing Working Group’s “Phishing Activity Trends Report” for Q4 2023)}

In the fourth quarter, phishers turned up the heat on social media platforms, which got hit with almost 43% of phishing attacks. Meanwhile, voice phishing, or “vishing,” is becoming popular with scammers, as they use deep-fake tools to imitate voices of people the victims know.

To get more details, read:

• The statement “APWG Q4 Report Finds 2023 Was Record Year For Phishing”
• The “Phishing Activity Trends Report” for Q4