The station buzzes with anticipation, the distant hum of engines blending with the chatter of passengers. You stand on the platform, eyes scanning the horizon as the shimmering lights of the Cybersecurity Express come into view. The train, sleek and futuristic, promises more than just a ride—it’s your ticket to a world of discovery. With each stop, you’ll dive into the latest cybersecurity revelations, uncovering vulnerabilities, ingenious hacks, and cutting-edge defenses. Your pulse quickens as you imagine the wealth of information awaiting, from the intricate dance of code to the real-world impacts these digital battles hold.
The air feels electric as the doors slide open, inviting you aboard. You step inside, your curiosity piqued, as the conductor tips his hat with a knowing smile. “Buckle up,” he says, “this ride’s full of surprises.” The seats are plush, the windows wide, and as the train begins to move, you’re reminded that the landscape of cybersecurity is ever-shifting. The destinations? Key insights into today’s most pressing digital threats and solutions. You settle in, ready for the journey. The Cybersecurity Express is about to make its first stop—right into the heart of the latest cyber challenge.
Not to be confused with “shutting down operations”: going offline here means that American Water, the largest publicly traded water and wastewater utility in the U.S., announced that it had to shut down several of its online services following a cyberattack that took place on October 3rd. The company, which provides water and wastewater services to more than 14 million people across 14 states, revealed the incident in a regulatory filing with the U.S. Securities and Exchange Commission (SEC) on October 7, 2024.
According to the filing, American Water detected “unauthorized activity” on its computer network and immediately took action to contain the breach. This involved disconnecting certain systems to protect customer data and prevent any further damage. In response to the incident, the company has hired third-party cybersecurity experts and reported the attack to law enforcement, with whom they are cooperating in an ongoing investigation.
In a statement posted on its website, American Water confirmed that as part of its response, it temporarily disabled its customer service portal, MyWater, and paused billing services. While these systems remain offline, the company reassured customers that there will be no late fees for payments during the downtime.
“We are working diligently to investigate the scope and nature of this incident,” said Ruben Rodriguez, a spokesperson for American Water. “Currently, there is no evidence that the company’s water or wastewater services or facilities have been impacted.”
This incident adds to a growing number of cyberattacks on critical infrastructure in the U.S., particularly in the public services sector. Earlier this year, Arkansas City’s water treatment facility was forced to switch to manual operations following a cyberattack. Furthermore, the Water Information Sharing and Analysis Center (WaterISAC) recently issued a TLP advisory warning of increased cyber threats targeting water utilities, specifically from state-sponsored groups linked to Russia, China, and Iran.
The U.S. Environmental Protection Agency (EPA) has also issued updated guidance encouraging water and wastewater systems (WWSs) to strengthen their cybersecurity protocols, ensuring that operators evaluate potential vulnerabilities and implement measures to protect against threats.
The growing frequency of cyberattacks on the water sector highlights the need for enhanced cybersecurity measures to safeguard the country’s critical infrastructure. While American Water’s swift response helped mitigate the immediate risks, the incident underscores the continuing vulnerability of essential services to increasingly sophisticated cyber threats.
As American Water continues to investigate the breach and restore its systems, the company remains committed to ensuring the security of its customers’ data and preventing further disruptions. Law enforcement and cybersecurity experts are working closely with the utility to assess the incident and enhance its defenses against future attacks.
A sophisticated advanced persistent threat (APT) group known as GoldenJackal has successfully infiltrated air-gapped government systems in Europe, using a variety of custom malware tools to exfiltrate sensitive data such as emails, encryption keys, images, and documents. According to a detailed report from ESET, this cyber espionage campaign has targeted government and diplomatic entities since at least 2019, with confirmed breaches occurring as recently as 2024.
GoldenJackal’s use of air-gapped breach tactics was uncovered in two primary incidents. The first, in September 2019, targeted the embassy of a South Asian country in Belarus. The second attack, which spanned from May 2022 to March 2024, targeted a European government organization. These attacks demonstrate the evolving methods used by GoldenJackal to penetrate highly secure, isolated systems.
Air-gapped systems, which are disconnected from external networks, are typically deployed to protect critical infrastructure and confidential data. However, GoldenJackal has developed a sophisticated method to bypass this physical isolation by leveraging USB drives to propagate malware and collect stolen data.
GoldenJackal’s attack begins by infecting internet-connected systems through traditional means such as trojanized software or malicious documents. The initial malware, dubbed GoldenDealer, waits for the insertion of a USB drive. Once detected, it copies itself, along with other malicious components, onto the USB drive.
The infected USB drive then becomes the vehicle for malware delivery to air-gapped systems. When plugged into the isolated system, GoldenDealer installs two additional malware variants: GoldenHowl (a backdoor) and GoldenRobo (a file stealer). GoldenRobo scans the air-gapped system for valuable data, including documents, encryption keys, archives, and VPN configurations, storing this information in a hidden directory on the USB drive.
Once the USB drive is reconnected to an internet-facing machine, GoldenDealer sends the stolen data back to a command-and-control (C2) server, allowing GoldenJackal to collect sensitive information without triggering alarms.
ESET’s report also highlights GoldenJackal’s newer tools. Since 2022, the group has shifted to a Go-based modular toolset, which assigns specific roles to compromised machines. For instance, some machines may focus on exfiltrating files, while others serve as distribution points for configuration data. This modular architecture allows GoldenJackal to manage large-scale operations more effectively.
Key tools in this expanded toolkit include GoldenAce, which infects USB drives, and GoldenUsbCopy or its successor, GoldenUsbGo, which handles file exfiltration. The latter variant filters and exfiltrates recently modified files smaller than 20 MB, specifically targeting documents with sensitive content such as passwords or login information.
Additional malware components include GoldenBlacklist, which archives selected email messages before exfiltration, GoldenMailer, which forwards stolen data via email, and GoldenDrive, which uploads exfiltrated files to Google Drive.
GoldenJackal’s ability to adapt and refine its custom malware toolsets underscores the group’s sophisticated approach to espionage. The fact that these attacks have successfully breached air-gapped systems, often considered highly secure, highlights the persistent risk posed by APTs to critical infrastructure.
Cybersecurity experts advise organizations to remain vigilant, particularly those operating in high-security environments. Enhanced monitoring of USB device activity, regular system patching, and comprehensive endpoint protection are recommended to defend against such advanced attacks.
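One concrete form the recommended USB monitoring can take is a periodic audit of removable volumes for hidden directories that hold the kind of files the report says GoldenRobo and GoldenUsbGo stage (recently modified, under 20 MB, documents, keys, archives and VPN configs). The script below is an added example, not ESET's or any vendor's code; the 30-day "recent" window, the extension list and the sample volume it builds are assumptions.

```python
"""Audit a removable volume for exfil-staging directories matching the
GoldenRobo/GoldenUsbGo selection profile. Added example; thresholds assumed."""
import os
import stat
import tempfile
import time
from pathlib import Path

MAX_SIZE = 20 * 1024 * 1024          # report: files smaller than 20 MB
RECENT_SECONDS = 30 * 24 * 3600      # assumed "recently modified" window
# Assumed extensions covering the data classes named in the report
TARGET_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".pem",
              ".key", ".ppk", ".zip", ".rar", ".7z", ".ovpn"}

def is_hidden(path: Path) -> bool:
    """Dot-prefixed on POSIX, or FILE_ATTRIBUTE_HIDDEN where the OS exposes it."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))

def audit_volume(root, now=None):
    """Return {hidden_dir: [files]} for files under any hidden directory that
    are recent, below MAX_SIZE and of a targeted type (likely staging)."""
    now = time.time() if now is None else now
    root, findings = Path(root), {}
    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        parts = d.relative_to(root).parts
        # Skip the volume root and any path with no hidden ancestor component
        if not any(is_hidden(Path(root, *parts[:i + 1])) for i in range(len(parts))):
            continue
        staged = [n for n in filenames
                  if (d / n).suffix.lower() in TARGET_EXT
                  and (d / n).stat().st_size < MAX_SIZE
                  and now - (d / n).stat().st_mtime < RECENT_SECONDS]
        if staged:
            findings[str(d.relative_to(root))] = sorted(staged)
    return findings

def build_sample_volume():
    """Constructed sample: a hidden staging dir plus benign user content."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    stage = root / ".sys_cache"
    stage.mkdir()
    (stage / "budget.xlsx").write_bytes(b"x" * 1024)
    (stage / "vpn.ovpn").write_bytes(b"client\n")
    with open(stage / "dump.zip", "wb") as fh:
        fh.truncate(MAX_SIZE + 1)         # too large: must be ignored
    (root / "photos").mkdir()
    (root / "photos" / "holiday.jpg").write_bytes(b"jpg")
    return root

def demo():
    return audit_volume(build_sample_volume())
```

Running it on a real mounted removable drive means calling `audit_volume("/media/usb")` (or the drive letter on Windows); a non-empty result is a lead to investigate, not proof of compromise.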
For a detailed list of Indicators of Compromise (IoCs) related to GoldenJackal’s toolsets, consult ESET’s comprehensive report or visit the associated GitHub page.
Microsoft has sounded the alarm on a growing trend in cyberattack campaigns that exploit legitimate file hosting services like SharePoint, OneDrive, and Dropbox to launch business email compromise (BEC) attacks. These attacks, which leverage trusted platforms as a means of defense evasion, have been increasingly observed since mid-April 2024. They aim to compromise identities, deploy malware, and execute financial fraud by bypassing traditional security measures through the use of legitimate services.
The tactic, known as living-off-trusted-sites (LOTS), relies on the reputation and trustworthiness of widely used cloud platforms to blend in with normal network traffic, making detection more difficult. By leveraging these platforms, threat actors are able to circumvent email security defenses, leading to data exfiltration, lateral movement within a network, and significant financial losses.
Cybercriminals are increasingly exploiting legitimate internet services (LIS) to host and distribute phishing campaigns, thereby complicating efforts to trace and attribute these malicious activities. In these BEC campaigns, attackers typically use compromised accounts from trusted vendors to upload malicious files onto services like OneDrive or SharePoint. They then share these files with their intended targets under the guise of business correspondence.
A key aspect of these phishing attacks is the use of view-only permissions. This prevents recipients from downloading the file, making it more difficult to inspect embedded URLs or other malicious content. Upon receiving a phishing email, recipients are prompted to access the file by signing in to the file-sharing service, which may also require them to re-authenticate by entering their email address and a one-time password (OTP). This not only enhances the legitimacy of the attack but also adds an additional layer of social engineering.
“These phishing campaigns utilize sophisticated techniques to evade detection and socially engineer recipients into sharing their credentials,” the Microsoft Threat Intelligence team said. “The files are configured to be accessible only to the designated recipient, often requiring sign-in or re-authentication to view.”
These types of attacks are broad in scope, enabling threat actors to steal login credentials, hijack user accounts, and move laterally within corporate networks. Microsoft notes that while the campaigns are generic and opportunistic, they are also highly effective due to the blending of legitimate services with malicious intent.
Further complicating matters, the rise of phishing-as-a-service (PhaaS) offerings such as the Mamba 2FA kit is enabling threat actors to launch even more sophisticated campaigns. This kit, which sells for $250 per month, allows attackers to impersonate Microsoft 365 login pages and circumvent non-phishing-resistant multi-factor authentication (MFA) methods, such as one-time codes and app notifications.
The Mamba 2FA phishing kit has been actively used since November 2023, targeting Microsoft Entra ID, AD FS, third-party SSO providers, and consumer accounts. “Stolen credentials and cookies are instantly sent to the attacker via a Telegram bot,” the French cybersecurity firm Sekoia noted in a recent report.
To mitigate the risks associated with these attacks, organizations are urged to adopt phishing-resistant MFA methods, strengthen access controls, and ensure that their employees are trained to recognize social engineering tactics. Additionally, implementing security solutions that monitor for suspicious activity on trusted platforms is essential to combating these sophisticated phishing campaigns.
As threat actors continue to evolve their techniques, the misuse of legitimate platforms like SharePoint and OneDrive is expected to increase, making it critical for businesses to remain vigilant in protecting their digital assets.
This wraps up today’s issue. Wherever you are out there in the digital world, just stay safe, install the latest patches and keep a watchful eye out for anything that might want to deceive you. Thank you so much for being a wanderer on The Cybersecurity Express, and we look forward to welcoming you on board next time.