Full Report
Check out the new cloud security requirements for federal agencies. Plus, beware of North Korean government operatives posing as remote IT pros. Also, learn how water plants can protect their HMIs against cyberattacks. And get the latest on the U.S. cyber incident response framework; the CIS Benchmarks; and local and state governments' cyber challenges.

Dive into six things that are top of mind for the week ending Dec. 20.

1 - CISA issues cloud security mandate for federal agencies

To boost its cloud security, the U.S. government this week released a set of cybersecurity actions that federal civilian agencies will be required to take during the first half of 2025, mostly focused on applying secure configuration baselines to their cloud apps.

The mandate to secure cloud environments comes via Binding Operational Directive (BOD) 25-01, titled "Implementing Secure Practices for Cloud Services," from the Cybersecurity and Infrastructure Security Agency (CISA).

"Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access. The actions required by agencies in this Directive are an important step in reducing risk to the federal civilian enterprise," CISA Director Jen Easterly said in a statement.

The guidance, while binding only on U.S. federal civilian agencies, can be helpful to all organizations in the public and private sectors, Easterly added. Its foundation is CISA's Secure Cloud Business Applications (SCuBA) project, which publishes secure configuration baselines for cloud services along with assessment tools for checking a tenant against them.
These are the directive's cloud security requirements at a high level:

- Identify all cloud tenants by February 21, 2025, and update this inventory annually.
- Deploy all assessment tools from CISA's SCuBA project by April 25, 2025, and report assessment results to CISA.
- Implement all mandatory SCuBA policies by June 20, 2025.
- Implement all future updates to mandatory SCuBA policies.
- Implement all mandatory SCuBA secure configuration baselines.
- Agencies may deviate from mandatory SCuBA policies if needed, but they'll have to identify these deviations and explain them to CISA.

To learn more about cloud security, check out these Tenable resources:

- "Establishing a Cloud Security Program: Best Practices and Lessons Learned" (blog)
- "Empower Your Cloud: Mastering CNAPP Security" (white paper)
- "Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?" (on-demand webinar)
- "Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources" (blog)
- "10 Considerations for Securing Stateful Persistent Volumes Attached to Kubernetes Pods and Applications" (white paper)

2 - Feds: North Korea plants IT workers to commit fraud in the U.S.

In a years-long fraud scheme, North Korean IT workers have gotten jobs in the U.S. using fake identities, and then have gone on to steal information, such as proprietary source code, and extort their employers.

That's according to the U.S. Department of Justice, which recently indicted 14 North Korean nationals, charging them with sanctions violations, wire fraud, money laundering and identity theft.

The suspects worked as remote IT professionals for front companies controlled by the North Korean government. The six-year conspiracy netted North Korea's government at least $88 million, as it banked the IT workers' hefty salaries and extortion payments. North Korea reportedly uses the money to fund its weapons-development efforts.

The North Korean IT workers got jobs with U.S. firms using fake identities crafted from phony email addresses, fictitious social media profiles, fraudulent payment platform accounts, bogus job site profiles and sham websites, and they hid their tracks behind proxy computers and virtual private networks. They also duped U.S. residents into unwittingly helping them by recruiting them to receive and set up company laptops in their homes, which the fraudsters would then access remotely. That way, the victimized employers saw their new hires' laptops coming online from U.S. residential addresses and assumed the workers were based in the U.S.

The indictment "... should serve as a warning to companies around the globe — be on alert for this malicious activity by the DPRK regime," Deputy Attorney General Lisa Monaco said in a statement.

The U.S. State Department is offering a reward of up to $5 million for more information about this fraud scheme and about those involved with the North Korean front companies Yanbian Silverstar and Volasys Silverstar, based in China and Russia, respectively.

The U.S. government issued its first alert about North Korea's attempts to plant IT workers in the U.S. in 2022 and updated it in 2023 with more due diligence recommendations for employers to avoid falling for the scam.
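One such due-diligence check, as an added example rather than anything from the indictment, the DOJ advisories or Tenable: the laptop-farm pattern described above means that laptops issued to several supposedly remote hires all check in from a single residential IP address, even though those hires told HR they live in different cities. The script below runs that check over endpoint check-in records. The record layout, the employee names, the IP addresses and the "min_employees" threshold are all assumed and constructed for illustration; they do not come from any real product export.

```python
"""Laptop-farm check: flag a public IP that hosts corporate laptops issued to
several different remote hires (constructed example, not a vendor's API)."""
from collections import defaultdict

# Constructed endpoint check-in records, in the shape a device-management
# console might export. Assumed fields: device id, employee login, the home
# city the employee gave HR, and the public IP the device last checked in from.
CHECKINS = [
    ("LT-1001", "j.alvarez", "Austin, TX",   "203.0.113.45"),
    ("LT-1002", "m.chen",    "Portland, OR", "203.0.113.45"),
    ("LT-1003", "s.patel",   "Tampa, FL",    "203.0.113.45"),
    ("LT-1004", "r.okafor",  "Denver, CO",   "198.51.100.9"),
    ("LT-1005", "k.nguyen",  "Denver, CO",   "198.51.100.9"),   # two hires in one household
    ("LT-1006", "t.brooks",  "Boise, ID",    "192.0.2.77"),
    ("LT-1006", "t.brooks",  "Boise, ID",    "192.0.2.78"),     # same laptop, ISP rotated its IP
]


def find_shared_egress(checkins, min_employees=2):
    """Return IPs from which laptops of at least `min_employees` distinct
    employees check in, highest severity first."""
    devices_by_ip = defaultdict(lambda: defaultdict(set))  # ip -> employee -> {device ids}
    cities_by_ip = defaultdict(set)                         # ip -> HR home cities seen there

    for device, employee, city, ip in checkins:
        devices_by_ip[ip][employee].add(device)
        cities_by_ip[ip].add(city)

    findings = []
    for ip, employees in devices_by_ip.items():
        if len(employees) < min_employees:
            continue
        # Several "remote" hires who told HR they live in different cities
        # cannot all be sitting behind one home router; that is the laptop-farm
        # pattern. One shared city (a household) is worth a glance but is
        # usually benign, so it only gets low severity.
        severity = "high" if len(cities_by_ip[ip]) > 1 else "low"
        findings.append({
            "ip": ip,
            "employees": sorted(employees),
            "devices": sorted(d for devs in employees.values() for d in devs),
            "cities": sorted(cities_by_ip[ip]),
            "severity": severity,
        })
    # high before low, then by IP so the output is stable
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["ip"]))


if __name__ == "__main__":
    for f in find_shared_egress(CHECKINS):
        print(f"[{f['severity'].upper()}] {f['ip']}: {', '.join(f['employees'])} "
              f"(HR cities: {', '.join(f['cities'])})")
```

A hit is a lead for a follow-up (a live video call, a check of the laptop's shipping address against the HR record), not proof of fraud on its own; raise `min_employees` or add a hire-date filter if the organization has many co-located staff.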
Employers in other countries have also fallen victim to this North Korean IT worker scam.

For more information:

- "'How not to hire a North Korean plant posing as a techie' guide" (The Register)
- "Staying a Step Ahead: Mitigating the DPRK IT Worker Threat" (Google Cloud)
- "Advisory on the Democratic People's Republic Of Korea IT Workers" (South Korea Ministry of Foreign Affairs)
- "Advisory on North Korean IT Workers" (UK Office of Financial Sanctions)
- "Advisory on Democratic People's Republic of Korea IT workers" (Australia Department of Foreign Affairs and Trade)

VIDEO: North Korean nationals indicted in scheme using IT workers to funnel money for weapons programs (KSDK News)

3 - Water treatment plants get tips for securing HMIs

Identifying human-machine interfaces (HMIs) as a weak cyber link in many water treatment plants, the U.S. government has published recommendations for protecting these operational technology (OT) components.

The fact sheet "Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems" is aimed at helping water and wastewater systems facilities harden remote access to HMIs.

HMIs are the screens through which OT operators view and interact with supervisory control and data acquisition (SCADA) systems, which in turn are connected to the programmable logic controllers (PLCs) that run the plant's physical processes. An attacker who can reach an HMI over the internet can tamper with it and disrupt water and wastewater treatment, endangering public health. Here are some of the recommendations in the fact sheet, which was jointly published by CISA and the Environmental Protection Agency:

- Inventory all internet-exposed devices.
- Identify HMIs that don't need to be accessible from the internet and take them offline.
- Secure HMIs that must remain connected to the internet with a strong password.
- Track remote logins to HMIs, including failed and atypical attempts.
- Protect the HMI and the OT network with multifactor authentication and strong passwords.
- Segment the network by adding a DMZ or bastion host at the OT network boundary, and geo-fence remote access so that only expected locations can connect.

For more information about securing operational technology (OT) systems in water plants, check out these Tenable resources:

- "Protecting Public Water Systems from Cyberattacks" (solution overview)
- "EPA to dial up enforcement of cyber requirements for water systems" (blog)
- "Safeguarding Your Water Utility" (on-demand webinar)
- "Enhancing Critical Infrastructure Cybersecurity for Water Utilities" (infographic)
- "The Constant Drip: EPA Water Regulations, Funding Sources, And How Tenable Can Help" (on-demand webinar)

4 - U.S. publishes national cyber incident response plan update

Curious about how the U.S. government would respond to a major cybersecurity crisis? Now you can find out, and give your opinion about it.

CISA has just released an update to the U.S. National Cyber Incident Response Plan (NCIRP), whose current version dates back to 2016, and is asking the public to comment on it. The NCIRP update has been in the works since October 2023.

"CISA is seeking more perspectives to help strengthen the NCIRP and invites stakeholders from across the public and private sectors to share their knowledge and experiences, further informing our findings and contributing to this revision," CISA said in a statement.

The NCIRP aims to provide a flexible, agile, coherent and repeatable framework for how the U.S. federal, state and local governments, along with the private sector and international partners, will collaborate to respond to a major cybersecurity incident.

"This draft NCIRP Update leverages the lessons learned over the past several years to achieve a deeper unity of effort between the government and the private sector," CISA Director Jen Easterly said in a statement.
The NCIRP addresses coordination mechanisms, decision points and priority activities, and it focuses on four aspects of the cyber response:

- Asset response, to assist affected parties in protecting their assets
- Threat response, which would be led by federal law enforcement agencies such as the Department of Justice and the FBI
- Intelligence support, which would be overseen by the Office of the Director of National Intelligence (ODNI)
- Affected entity response, led by the affected federal agencies in coordination with CISA (civilian agencies), U.S. Cyber Command (Defense Department agencies) or the IC Security Coordination Center (intelligence agencies)

You can provide feedback on the new NCIRP in the Federal Register. The public comment period ends on January 15, 2025.

For more information about cyber incident response planning:

- "13 incident response best practices for your organization" (TechTarget)
- "10 Best Practices for Incident Response Plans" (Daily.dev)
- "How to build an incident response plan, with examples, template" (TechTarget)
- "How to effectively detect, respond to and resolve cyber incidents" (UK National Cyber Security Centre)
- "Best Practices for Cyber Crisis Management" (ENISA)

5 - CIS updates Benchmarks for Cisco, Google, Microsoft products

Cisco IOS XE, Google Kubernetes Engine and Microsoft 365 are among the products whose CIS Benchmarks got updated in November by the Center for Internet Security.

Specifically, these secure-configuration recommendations were updated:

- CIS Cisco IOS XE 17.x Benchmark v2.1.1
- CIS Google Kubernetes Engine (GKE) AutoPilot Benchmark v1.1.0
- CIS Google Kubernetes Engine (GKE) Benchmark v1.7.0
- CIS Microsoft 365 Foundations Benchmark v4.0.0
- CIS Red Hat Enterprise Linux 8 STIG Benchmark v2.0.0

In addition, CIS released a brand new Benchmark: CIS Microsoft Azure Storage Services Benchmark v1.0.0.

The CIS Benchmarks' secure-configuration guidelines are designed to help organizations harden products against attacks.
Currently, CIS offers more than 100 Benchmarks for 25-plus vendor product families in categories including:

- cloud platforms
- databases
- desktop and server software
- mobile devices
- operating systems

To get more details, read the CIS blog "CIS Benchmarks December 2024 Update."

For more information about the CIS Benchmarks list, check out its home page, as well as:

- "Getting to Know the CIS Benchmarks" (CIS)
- "Security Via Consensus: Developing the CIS Benchmarks" (Dark Reading)
- "How to Unlock the Security Benefits of the CIS Benchmarks" (Tenable)
- "CIS Benchmarks Communities: Where configurations meet consensus" (Help Net Security)
- "CIS Benchmarks: DevOps Guide to Hardening the Cloud" (DevOps)

6 - Local gov't cybersecurity hurt by lack of funds, complex threats

Insufficient funding and more sophisticated threats top the list of cybersecurity concerns among U.S. state and local governments.

That's according to the "2023 Nationwide Cybersecurity Review (NCSR)," a free cybersecurity assessment program from the Center for Internet Security (CIS).

The 4,210 state, local, tribal and territorial government organizations that participated also reported being concerned about:

- emerging technologies
- lack of cyber incident-documentation processes
- difficulty finding qualified cybersecurity professionals

On the positive side, the number of program participants increased 14%, with K-12 school districts recording their highest participation ever. Returning participants saw their cyber maturity level increase by an average of 4%. Those that have participated at least two years scored 23% higher in cyber maturity, while those with nine years in the program scored 41% higher.

Overall, NCSR participants are doing a good job monitoring and protecting their IT environments. They also have incident response plans in place, as well as access-control policies.

Areas for improvement include:

- Risk management
- Disaster recovery plans
- Cyber team understaffing
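The monitoring items in the HMI fact sheet summarized in item 3 above (track remote logins, including failed and atypical attempts, and geo-fence remote access) reduce to a handful of rules that can run over an HMI's remote-access log. The script below is an added example and is not code from CISA, the EPA, Tenable or any HMI vendor. The log line format, the allowed source ranges, the staffed-hours window (one reading of "atypical") and the failed-login threshold are all assumed, and the log lines are constructed.

```python
"""Review an HMI remote-access log for failed-login bursts, logins from outside
the geo-fence, and other atypical access (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed log lines; assumed format: UTC timestamp, user, source IP, result.
SAMPLE_LOG = """\
2024-12-18T02:14:03Z operator1 203.0.113.7 FAIL
2024-12-18T02:14:09Z operator1 203.0.113.7 FAIL
2024-12-18T02:14:15Z operator1 203.0.113.7 FAIL
2024-12-18T02:14:20Z operator1 203.0.113.7 FAIL
2024-12-18T02:14:26Z operator1 203.0.113.7 FAIL
2024-12-18T02:14:40Z operator1 203.0.113.7 OK
2024-12-18T07:05:11Z operator2 198.51.100.22 OK
2024-12-18T21:30:00Z admin 192.0.2.55 OK
2024-12-18T14:02:44Z operator2 198.51.100.23 OK
"""

# Geo-fence: the only source ranges allowed to reach the HMI, e.g. the
# utility's VPN concentrator and the integrator's jump host (assumed values).
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Staffed hours during which interactive HMI logins are expected (assumed).
WORK_START, WORK_END = 6, 18
# Failed-login burst: this many failures from one user/IP inside the window.
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)


def parse_log(text):
    """Parse the assumed four-field log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "ok": result == "OK",
        })
    return sorted(events, key=lambda e: e["ts"])  # exports are not always in order


def in_fence(ip):
    return any(ip in net for net in ALLOWED_NETS)


def analyze(events):
    """Return (alert_type, user, source_ip, timestamp) tuples in log order."""
    alerts = []
    recent_fails = defaultdict(list)  # (user, ip) -> failure timestamps in window
    for e in events:
        key = (e["user"], e["ip"])
        # drop failures that have aged out of the sliding window
        recent_fails[key] = [t for t in recent_fails[key] if e["ts"] - t <= FAIL_WINDOW]
        if not e["ok"]:
            recent_fails[key].append(e["ts"])
            if len(recent_fails[key]) == FAIL_THRESHOLD:  # fire once per burst
                alerts.append(("failed_login_burst", e["user"], str(e["ip"]), e["ts"]))
            continue
        # successful login: did it come from where, and when, we expect?
        if not in_fence(e["ip"]):
            alerts.append(("outside_geofence", e["user"], str(e["ip"]), e["ts"]))
        if recent_fails[key]:
            # a success right after a run of failures looks like a guessed password
            alerts.append(("success_after_failures", e["user"], str(e["ip"]), e["ts"]))
        if not WORK_START <= e["ts"].hour < WORK_END:
            alerts.append(("off_hours", e["user"], str(e["ip"]), e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, ip, ts in analyze(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:<24} user={user} src={ip}")
```

On the sample, operator1's five failures inside 23 seconds trigger the burst rule, and the success that follows from the same non-allowlisted address at 02:14 trips all three of the success-time checks; the 21:30 admin login from outside the fence is the other finding. If the HMI sits behind a bastion host as the fact sheet recommends, the source IP in its own log will always be the bastion, so run the geo-fence rule on the bastion's or VPN concentrator's log instead.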
Analysis Summary
# Threat Intelligence Summary: Week Ending December 20 (Selected Highlights)
## Main Topic
This summary focuses on key cybersecurity developments affecting government agencies and critical infrastructure, including a new CISA cloud security mandate, a significant North Korean state-sponsored fraud operation, and updated guidance for securing operational technology (OT) in U.S. water systems.
## Key Points
- **CISA Cloud Security Mandate:** CISA issued Binding Operational Directive (BOD) 25-01 requiring U.S. federal civilian agencies to implement secure configuration baselines for cloud apps by mid-2025, based on the Secure Cloud Business Applications (SCuBA) project.
- **National Incident Response Update:** CISA released an updated draft of the U.S. National Cyber Incident Response Plan (NCIRP) for public comment, aiming for a more flexible and coherent framework for public/private sector collaboration during major incidents.
- **OT Security Guidance:** CISA and the EPA published a joint fact sheet aimed at water and wastewater facilities on protecting internet-exposed Human-Machine Interfaces (HMIs) from cyber threats that could disrupt treatment processes.
- **CIS Benchmark Updates:** The Center for Internet Security (CIS) released several updated secure-configuration benchmarks, including those for Cisco IOS XE 17.x, Google Kubernetes Engine (GKE), and Microsoft 365, and introduced a new benchmark for Azure Storage Services.
- **Local Government Challenges:** U.S. state and local governments report insufficient funding and increasingly sophisticated threats as top cybersecurity concerns, though overall cyber maturity is increasing among participating organizations.
## Threat Actors
- **North Korean Government Operatives (DPRK):** 14 North Korean nationals indicted for a years-long fraud scheme built on remote IT workers hired under false identities by front companies controlled by the North Korean government.
  - **Motivation:** To generate revenue (at least $88 million over six years) for the regime's weapons-development efforts.
- **General Threat Actors:** Increasingly targeting cloud environments with evolving tactics to gain initial access, as CISA noted in explaining the need for BOD 25-01.
## TTPs
- **North Korean Fraud Scheme:**
  - **Identity Deception:** Used fake identities built from phony email addresses, fictitious social media profiles, fraudulent payment platform accounts, bogus job site profiles and sham websites to secure employment.
  - **Evasion:** Masked their location using proxy computers and VPNs.
  - **Logistics Manipulation:** Duped U.S. residents into unwittingly assisting by receiving and setting up company laptops in their homes, which the operatives then accessed remotely so that employers saw U.S.-based devices.
  - **Financial Activity:** Collected salaries under the false identities, extorted employers after stealing proprietary data such as source code, and moved the proceeds through wire fraud and money laundering.
- **Cloud Exploitation:** Threat actors are evolving tactics to gain initial access to cloud environments.
- **OT/HMI Exploitation:** Attackers who reach an internet-exposed HMI could disrupt water and wastewater treatment by tampering with the SCADA systems and PLCs behind it.
## Affected Systems
- **Federal Civilian Agency Cloud Services:** Targeted by the CISA BOD 25-01 mandate.
- **U.S. Water and Wastewater Systems:** Specifically, their Human-Machine Interfaces (HMIs) exposed to the internet.
- **Enterprise IT/Software:** Cisco IOS XE 17.x, Google Kubernetes Engine (GKE), Microsoft 365, Red Hat Enterprise Linux 8 and Microsoft Azure Storage Services environments (via benchmark updates and the new Azure Storage benchmark).
- **U.S. Employers:** Companies who hired the North Korean remote IT operatives.
## Mitigations
- **Cloud Security (BOD 25-01):**
  - Identify all cloud tenants by February 21, 2025, and refresh the inventory annually.
  - Deploy CISA's SCuBA assessment tools by April 25, 2025, and report results to CISA.
  - Implement all mandatory SCuBA policies by June 20, 2025, and all future updates to them; document and justify any deviations to CISA.
- **Water/OT Security (HMI Protection):**
  - Inventory all internet-exposed devices.
  - Take offline HMIs that do not need to be reachable from the internet.
  - Protect HMIs that must stay internet-connected, and the OT network behind them, with strong passwords and multifactor authentication (MFA).
  - Track remote logins to HMIs, including failed and atypical attempts.
  - Segment the network with a DMZ or bastion host at the OT boundary, and geo-fence remote access.
- **Hiring Fraud Mitigation:**
  - Employers should apply extra due diligence when hiring remote IT staff, following the U.S. government's 2022 and 2023 advisories on DPRK IT workers.
- **Cyber Incident Response:**
  - Stakeholders are encouraged to review the draft NCIRP update and comment via the Federal Register before January 15, 2025.
- **Configuration Hardening:**
  - Apply the latest CIS Benchmarks for the relevant technologies (e.g., Cisco IOS XE 17.x, GKE, Microsoft 365, RHEL 8 STIG, Azure Storage Services).
## Conclusion
The U.S. federal government is significantly increasing its focus on cloud security posture via Binding Operational Directive 25-01, which makes SCuBA's secure configuration baselines mandatory for civilian agencies on fixed 2025 deadlines. Concurrently, warnings are active regarding sophisticated, state-sponsored financial fraud that leverages seemingly legitimate remote IT employment. Critical infrastructure operators, such as water utilities, face direct guidance to harden operational technology interfaces like HMIs against potential disruption. Organizations should leverage the updated CIS Benchmarks for immediate configuration hardening across key platforms.