Securin's Critical Infrastructure Overview 2024 report is out and sheds light on the ongoing threats to critical infrastructure. The research looked at more than 1,700 attacks on critical infrastructure, including manufacturing, energy, water, and healthcare, at a time when cyberattacks on these sectors are escalating at an alarming rate.
The Cybersecurity and Infrastructure Security Agency (CISA) defines critical infrastructure as "systems and assets so vital to the United States that their incapacitation would have a debilitating effect on security, national economic security, public health, or safety." As the report highlights, these sectors are increasingly targeted by sophisticated threat actors, making their protection a collective priority for private and public enterprises.
The report found that vulnerability and misconfiguration exploits remain the leading attack vector (30%), followed by compromised credentials (22.8%) and spearphishing via links or attachments (19%). Threat actors are exploiting legacy systems and poor security hygiene to gain entry into critical systems.
Nation-state actors are among the leading attackers targeting critical infrastructure, the report found. Ransomware groups like Sandworm and BlackCat have exploited outdated software and unpatched vulnerabilities, often leveraging geopolitical tensions to focus their efforts on critical sectors.
Now, here's today's MSSP update.
Today's MSSP Update
1. OPSWAT acquires Fend for OT security: Critical infrastructure security firm OPSWAT has acquired Fend Incorporated. Fend is a data pipeline and cybersecurity company dedicated to securing operational technology (OT) against cyber threats, ransomware, and other evolving risks. Based in Arlington, Virginia, Fend has expertise in protecting U.S. government agencies, utilities, oil and gas, manufacturing, and other critical industries that use air-gapped environments.
2. Black Duck names new CIO, CISO: AppSec firm Black Duck® Software, Inc. has appointed Ishpreet Singh as chief information officer (CIO) and Bruce Jenkins as chief information security officer (CISO). Last month, Black Duck announced that Sean Forkan was named chief revenue officer (CRO). As the global CIO at Black Duck, Ishpreet Singh leads the organization’s technology strategy. He is responsible for aligning technology initiatives with business objectives, driving the company’s digital transformation, and implementing innovative solutions, including a robust AI strategy to enhance growth and scalability. As the newly appointed CISO at Black Duck, Bruce Jenkins will lead all aspects of Black Duck’s cybersecurity program and strategy, including on-premises products, cloud solutions, IT infrastructure, and supply chain. Jenkins brings nearly 25 years of physical, IT, and software security expertise to this role. Previously, he oversaw internal product security, incident response, and risk and compliance strategy with the Synopsys Software Integrity Group, and through its transition to the newly established Black Duck. Congratulations!
3. CISA's new FedCloud requirements: CISA has published Binding Operational Directive 25-01, Implementing Secure Practices for Cloud Services, which requires federal agencies to implement a set of Secure Cloud Business Applications (SCuBA) Secure Configuration Baselines for SaaS products. The directive starts with Microsoft 365, with three hard deadlines in February, April, and June 2025.
4. Google Calendar phishing attacks: Bleeping Computer reports that healthcare organizations, banks, educational institutions, and construction firms have been subjected to an ongoing phishing scam involving the exploitation of Google Calendar to facilitate clandestine credential compromise. Attacks start with the distribution of malicious Google Calendar invites. Those contain links redirecting to a Google Forms or Google Drawings page with a reCAPTCHA or support button, which in turn redirects to phishing pages, according to a report from Check Point. By using Google Calendar, the malicious messages are able to evade spam filters.
5. European firms targeted in HubSpot phishing: European organizations in the automotive, chemical, and industrial compound manufacturing sectors had at least 20,000 Microsoft Azure account credentials exfiltrated as part of the HubPhish phishing campaign that leveraged HubSpot tools, according to The Hacker News. Malicious emails with DocuSign lures contained a file that would redirect to HubSpot Free Form builder links. Those links led to a fraudulent Outlook Web App page that seeks targets' credentials, a report from Palo Alto Networks Unit 42 showed. The campaign did not impact HubSpot or its infrastructure.