USCG released the first annual Cyber Trends and Insights in the Marine Environment (ME) report. This report aims to provide relevant information about best practices to secure their critical systems based on USCG findings.
The report intends to aid Sector Commanders, their staffs, and maritime facility leadership teams, including Facility Security Officers (FSOs), IT Directors, Chief Information Officers (CIOs), Chief Information Security Officers (CISOs) and other executives.
It also contains a summary of findings along with mitigations applicable to a variety of owners and operators. Below is an excerpt, showing some of the key findings from Cyber Protection Team assessments:
Cyber Threats to the Marine Environment
#1 Ransomware exploitation
During calendar year 2021 (CY21), cyber criminals continued to target Marine Transportation System (MTS) entities by exploiting traditional ransomware and Ransomware as a Service (RaaS).
Cyber-criminals are now using more advanced tactics, techniques, and procedures (TTPs) including focused ransomware attacks in multiextortion style campaigns with hopes of ensuring a higher, more guaranteed payout.
Rather than hitting a broad range of targets, cyber criminals have evolved to focus ransomware attacks on higher value targets. The three most popular RaaS variants used to target the MTS in this period were:
According to publicly available information, these three RaaS families are consistently among the top five variants used across all industries in 2020 and 2021.
#2 Nation States Improving Tactics
Nation state malicious cyber actors (MCAs) typically abuse zero-day vulnerabilities and known exploitations. Zero-day vulnerabilities are vulnerabilities disclosed or discovered without an available patch or update to remediate the vulnerability.
MCAs often use zero-day vulnerabilities in their initial attack vector to avoid detection. Nation state MCAs abuse Virtual Private Servers (VPS) and web 2021 Cyber Trends & Insights in the Marine Environment shells to avoid detection and circumvent host system security in order to gain access to the victim networks.
MCAs use these techniques within the MTS to increase the probability of successfully exploiting an intended victim.
#3 Phishing Attacks
In 2021, phishing remained the most prevalent means by which MCAs delivered malicious code. Cyber-criminals and nation state MCAs will very likely continue to use phishing emails to gain initial access to victim networks.
There was an overall increase in phishing reporting in 2021, mirroring trends in phishing activities observed globally by the Anti-Phishing Working Group (APWG). In 2021, industries within the ME, like logistics and shipping, have seen slight increases in activity.
MTS partners fully remediated two-thirds (⅔) of all exploitable findings on publicly facing systems and 45% of all internally exploitable findings within six months of a CPT Assess mission. They also partially remediated an additional one-sixth (⅙) of publicly facing and 43% of internally accessible findings within this 6-month window.
#1 Easily Guessable Credentials
One or more services are accessible using an easily guessed username and password. An attacker with minimal technical knowledge can use these credentials to access the related services.
The below tables show some of the most common default usernames and passwords, along with the number of unique technology vendors that utilize them. The information comes from a public analysis of 2,866 vendor products.
#2 Easily Crackable Passwords
User account passwords on the system are common and widely used. An attacker can successfully predict the victim’s password, using a wordlist to gain access to the account.
The below table shows the twenty most common passwords used according to several data breach repositories from NordPass. Using a common password can greatly increase the probability of an attacker accessing an account without authorization.
#3 Weak Password Policy
A weak password policy can result in an attacker gaining unauthorized access to a system or application. According to the National Institute of Standards and Technology (NIST), a strong password includes password length, complexity, minimum password age, and history.
It also contains suggestions for enforcement and consequences when not followed (lost system access). A good password policy can protect an organization from brute force password cracking, guessing, and reuse.
#4 Open Mail Relay
An open mail relay is an email server that allows anonymous users to send emails. There is no authentication when using an open mail relay. Open mail relays will send emails with spoofed source addresses that appear to be coming from legitimate addresses within your organization. MCAs often use open mail relays to send phishing emails and spam.
#5 Patch Management
Vendors release patches and updates to address existing and emerging security threats and address multiple levels of criticality. Failure to apply the latest patches can leave the system open to attack with publicly available exploits. The risk presented by missing patches and updates can vary.
#6 Unsupported OS or Application
Vendors do not patch unsupported software or hardware, creating a significant security risk. There is no way to address security vulnerabilities on these devices to ensure that they are secure. The overall security posture of the entire network is at risk because an attacker can target these devices to establish an initial foothold into the network.
#7 Elevated Service Account Privileges
Applications often require user accounts to operate, known as Service Accounts. Service Accounts use elevated privileges to perform a business function. MCAs leverage techniques, such as AS-REP roasting and Kerberoasting, to abuse legitimate functionality to attain a copy of the Service Account’s password hash.
If the service account has a weak password, the MCA can crack this password and access systems in the context of the Service Account. For simplicity, administrators often use existing administrator accounts as Service Accounts or create a new account and add the new Service Account to an existing administrator group, such as, Domain Administrators.
MCAs often leverage these unnecessary permissions to gain full control over an enterprise.
#8 Non-Essential Use of Elevated Access
IT personnel use domain administrator accounts for system and network management because these typically have broad access permissions. Many organizations do not require separate accounts for normal business functions, such as email and web browsing, and their computer administrator tasks.
An MCA who compromises an administrator account has significantly more access then if they were to compromise a standard user. An MCA with access to an administrator account on a compromised host can steal the account’s authentication token generated by Active Directory and use it to operate using the elevated permissions.
Using an elevated account throughout the domain for normal day-to-day tasks increases this risk.
- Disable or Remove Feature or Program: Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
- Password Policies: Set and enforce secure password policies for accounts. Despite widespread frustration with the use of passwords from both a usability and security standpoint, they remain a very widely used form of authentication.
- Multi-Factor Authentication: Use two or more means to authenticate to a system, such as a username and a password in addition to a token from a physical smart card or token generator.
- Network Intrusion Prevention: Use signatures and anomaly detection to block malicious traffic.
- Network Segmentation: Design sections of the network to isolate critical systems, functions, or resources; Use physical and logical segmentation to prevent access to potentially sensitive systems and information; A Demilitarized Zone (DMZ) contains Internet-facing services preventing exposure of the internal network to the Internet; Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
- Vulnerability Scanning: Regularly scan externally facing systems and internal networks for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure; Implement continuous monitoring of vulnerability sources and the use of automatic and manual code review tools.
- Update Software: Perform regular software updates to mitigate exploitation risk.
Leave a Reply