Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Johannesburg Ransomware Attack Leaves Residents in the Dark
Oldest First  |  Newest First  |  Threaded View
tdsan
tdsan,
User Rank: Ninja
7/27/2019 | 3:48:13 PM
Separation of duties
A number of organizations have not implemented "segmentation" at the network layer. I am not sure how the hack took place but why did the Utility company connect their SCADA infrastructure to the Internet? There should have been conversations on creating a separate network utilizing VDI as a way to connect and perform management procedures using an area in the network with limited capability (a small network segment that is monitored and tracked to the highest extent where access is authorized by management staff and NAC (Network Access Control) devices).

Cybersecurity Utility

And the other aspect of the network should have been on IPv6. If the internal SCADA network is on IPv6 and the external network is on IPv4 (admin or mgmt network), we can limit the ability of the hacker to access the VDI environment. Since the VDI is limited with IPv6 (dual-homed) with specific IPv6 addresses on the Mgmt Network, access to the SCADA environment can provide limited accessibility when it comes to external actors. This heightened level of security makes this area an internal "jump area" or quasi-DMZ. This helps to improve security levels by reducing MITM (Man in the Middle Attacks) enabling encryption (in-flight & at rest). IPv6 IPSec AES256 ESP/AH VPN can reduce the level of attacks 10 fold as long as it is configured properly with hours of testing. Remember, if you look at most of the hack attempts that took place in the world, they use IPv4 (not to say that they don't use IPv6), this would give the organization a leg up on addressing this issue and it adds a certain level of complexity or obfuscation to the mix.

Another consideration would be to stand up a test environment with hardened OSes, this practice could affect the application especially when PLC devices are involved; having a test environment that mimics production is vital to the organization's security posture.

Hopefully, they will be working with security vendors to address some of their issues.

Todd

 
Dr.T
Dr.T,
User Rank: Ninja
7/29/2019 | 8:52:09 PM
More cities
No more cities. Obviously ransomware attackers found a better target: all cities anymore.
Dr.T
Dr.T,
User Rank: Ninja
7/29/2019 | 8:55:37 PM
Re: Separation of duties
A number of organizations have not implemented "segmentation" at the network layer. This a good point, separation helps in the network tremendously.
Dr.T
Dr.T,
User Rank: Ninja
7/29/2019 | 8:58:07 PM
Re: Separation of duties
There should have been conversations on creating a separate network utilizing VDI as a way to connect Well put and good point. It should be well architectured as it is always possible to jump from network to network.
Dr.T
Dr.T,
User Rank: Ninja
7/29/2019 | 9:00:35 PM
Re: Separation of duties
This heightened level of security makes this area an internal "jump area" or quasi-DMZ. Good point. DMZ would help to segregate web from data layer where they would harder time to pass-through
Dr.T
Dr.T,
User Rank: Ninja
7/29/2019 | 9:02:31 PM
Re: Separation of duties
IPv6 IPSec AES256 ESP/AH VPN can reduce the level of attacks 10 fold as long as it is configured properly with hours of testing. Ok. That makes sense. As IPv6 would have more security features than IPv4.
tdsan
tdsan,
User Rank: Ninja
7/29/2019 | 11:20:46 PM
Re: Separation of duties
Thank you for reviewing my responses. Yes I agree that IPv6 could address a number of issues, not all but at least it would help with identifying where the attack came from, encrypt traffic, employ segmentation and a number of other issues as indicated in my prior post. Todd


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file