Trade in exploit code: IBM’s X-Force found four of the 10 most mentioned common vulnerabilities and exposures (CVEs) on the dark web were linked to sophisticated threat actor groups, including nation-state intelligence agencies.

“Exploit codes for these CVEs were openly traded on numerous forums, fueling a growing market for attacks against power grids, health networks, and industrial systems,” IBM’s X-Force reports.

IBM’s threat intel arm adds: “This sharing of information between financially motivated and nation-state adversaries highlights the increasing need for dark web monitoring to help inform patch management strategies and detect potential threats before they are exploited.”

Of the 10 CVEs highlighted in IBM’s X-Force 2025 Threat Report, five impacted edge devices, and each of those was also featured in the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

Scott Caveza, senior staff research engineer at Tenable, commented: “Because these devices are often mission-critical and downtime may require significant planning, it may be one of the reasons these devices are patched less frequently, even in the wake of critical vulnerabilities impacting them.”

Attackers targeting critical infrastructure also exploit unpatched vulnerabilities across legacy operating systems, as well as industrial control systems.

“These systems often remain unpatched for longer periods of time given the downtime risks, making them attractive targets,” IBM X-Force’s Alvarez said. “As a result, attackers can leverage vulnerabilities to gain control over critical systems and disrupt essential services.”
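The recommendation above, that known-exploited status and edge exposure should drive patch ordering, can be turned into a simple prioritisation check. The following is an added example, not code from the article, IBM or CISA: it cross-references a constructed asset inventory against constructed KEV-style records (using the real KEV JSON field names, but placeholder CVE IDs, since the article does not list the CVEs) and ranks findings; the scoring weights are an assumption for illustration.

```python
"""Patch-prioritisation helper: rank an inventory's open CVEs by whether
CISA's KEV catalog lists them, whether the KEV due date has passed,
whether ransomware use is recorded, and whether the host is an edge device."""
from datetime import date

# Constructed KEV-style records using the real KEV JSON field names
# (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse).
# The CVE IDs are placeholders, not the CVEs discussed in the report.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleNet", "product": "Edge VPN",
         "dueDate": "2025-01-15", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExamplePLC", "product": "Controller",
         "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed inventory: asset name, internet-facing edge flag, open CVEs.
SAMPLE_INVENTORY = [
    {"asset": "vpn-gw-01", "edge": True, "cves": ["CVE-0000-0001", "CVE-0000-0003"]},
    {"asset": "plc-pump-07", "edge": False, "cves": ["CVE-0000-0002"]},
    {"asset": "hr-web-02", "edge": True, "cves": ["CVE-0000-0003"]},
]

def kev_index(feed):
    """Map cveID -> KEV record so each lookup is O(1)."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}

def prioritise(inventory, feed, today_iso):
    """Return (score, asset, cve) tuples, highest priority first.
    Scoring is an assumption for this example, not a CISA rule:
    +100 in KEV, +50 KEV due date passed, +25 known ransomware use, +20 edge host."""
    today = date.fromisoformat(today_iso)
    idx = kev_index(feed)
    findings = []
    for host in inventory:
        for cve in host["cves"]:
            rec = idx.get(cve)
            if rec is None:
                continue  # not known-exploited: left to the normal patch cadence
            score = 100
            if date.fromisoformat(rec["dueDate"]) < today:
                score += 50
            if rec.get("knownRansomwareCampaignUse") == "Known":
                score += 25
            if host["edge"]:
                score += 20
            findings.append((score, host["asset"], cve))
    return sorted(findings, reverse=True)

if __name__ == "__main__":
    for score, asset, cve in prioritise(SAMPLE_INVENTORY, SAMPLE_KEV, "2025-02-01"):
        print(f"{score:4d}  {asset:12s} {cve}")
```

Against the real feed, replace `SAMPLE_KEV` with the parsed KEV JSON; the field names are unchanged.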
Appetite for disruption: The list of attacks against critical infrastructure organizations that relied, wholly or in part, on vulnerability exploitation is large and growing.

US government security agencies warned in February 2024 that Chinese state-sponsored hackers had penetrated multiple critical infrastructure networks, spanning communications, energy, transportation, and water sectors, and were maintaining persistent access. The Volt Typhoon group typically gained initial access by exploiting vulnerabilities in public-facing network appliances from vendors such as Fortinet, Citrix, and Cisco. Intel agencies warned that the group was setting up the ability to disrupt or destroy services in the event of a major crisis or conflict between the US and China.

The MOVEit Transfer hack hit multiple healthcare and government organizations in June 2023 after a zero-day vulnerability in enterprise file transfer software was exploited by ransomware groups, a textbook example of a supply chain attack.

Another example is the CyberAv3ngers attacks on US water and wastewater systems (2023-2024). This group, linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), targeted Unitronics programmable logic controllers (PLCs) used in many facilities.

“By exploiting publicly exposed interfaces and weak security configurations, they defaced human-machine interfaces (HMIs) and, in at least one Texas incident, manipulated water pumps and alarms,” Bharat Mistry, director of product management at cybersecurity software company Trend Micro, said. “These attacks highlight the ongoing risks posed by vulnerable industrial control systems.”

Andy Thompson, offensive cybersecurity research analyst at global identity security firm CyberArk, said that the biggest threat to critical infrastructure is the disruption of availability, as exemplified by the May 2021 Colonial Pipeline ransomware attack.

The Colonial Pipeline breach started with a compromised VPN login, but it was the lack of multi-factor authentication and poor patching that allowed it to escalate so severely, according to Huntress’s Agha. The attack disrupted fuel supplies and triggered panic buying and widespread gasoline shortages across the US East Coast.
Countermeasures: The escalating threat to critical infrastructure systems, which shows little sign of abating, ought to prompt a rethink in how to defend critical systems.

“Traditional methods for defense are not resilient enough for today’s evolving risk landscape,” said Andy Norton, European cyber risk officer at cybersecurity vendor Armis. “Legacy point products and siloed security solutions cannot adequately defend systems against modern threats, which increasingly incorporate AI. And yet, too few organizations are successfully adapting.”

Norton added: “It’s vital that organizations stop reacting to cyber incidents once they’ve occurred and instead shift to a proactive cybersecurity posture that allows them to eliminate vulnerabilities before they can be exploited.”

Mark Hughes, global managing partner of cybersecurity services at IBM, said: “Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernizing authentication management, plugging multi-factor authentication holes, and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3992747/critical-infrastructure-under-attack-flaws-becoming-weapon-of-choice.html