This month’s Threat Intelligence Report, released by Ericsson’s threat research and analysis (TR&A) team, emphasizes the growing risks to critical infrastructure. U.S. government agencies have raised alarms about escalating threats to water and wastewater utilities, with recent threat landscape activity validating these concerns.
Each month the TR&A team publishes a threat intelligence report to inform organizations about relevant changes in the threat landscape. This report covers events during September 2024.
At a glance
- Transport industry targeted by tailored attack techniques
- Arkansas City water utility attack part of a larger pattern
- Despite botnet takedowns by authorities, botnets recover with new campaigns
- Known exploited vulnerabilities that Ericsson Cradlepoint solutions would mitigate
Our Views on Recent Attacks:
In this month’s report we highlight attacks on critical infrastructure and the resilience of threat actors. U.S. agencies CISA and the FBI issued advisories about threats to critical infrastructure systems, highlighting botnets using compromised IoT devices to attack target organizations. Despite international efforts to dismantle major botnet networks earlier this year, threat actors like Volt Typhoon have quickly rebuilt them and maintained the threat to critical infrastructure.
Attacks tailored to transport industry
Security researchers at Proofpoint reported on a cluster of activity that used sophisticated social engineering techniques to target transport industry companies, such as logistics and freight. The attack lifecycle sequence observed was:
- Reconnaissance of transport industry language and software
- Compromise of a user email account (Business Email Compromise - BEC)
- Hijacking a conversation thread
- Attaching malicious documents or obfuscated links to download malware
BEC and email thread hijacking typically aimed to divert large financial transactions into accounts controlled by threat actors. The shift in techniques to establish a longer attack lifecycle suggested espionage as the motivation, rather than quick financial gain. For more details, see Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware.
TR&A Comments: This campaign uses techniques often associated with advanced threat actors targeting large organizations, but Proofpoint reports suggested the attackers may not be as mature. AI may be helping actors generate industry-specific content during dynamic email exchanges. Regardless, the increasing sophistication of social engineering heightens the risk of user compromise.
Ericsson Cradlepoint solutions for active defense: Zero Trust Internet Access blocks or scrubs malicious content from phishing email links and downloads, preventing users from accessing harmful software. NetCloud Secure Connect, part of NetCloud SASE, further mitigates initial access using micro-segmentation to deliver built-in zero trust connectivity.
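The lifecycle above turns on one observable: a reply inside an established thread that suddenly introduces a link to a domain the thread has never used, or an attachment type commonly used to deliver malware. The following Python is an added example written for this report, not code from Ericsson, Cradlepoint or Proofpoint; the message records, domains and the risky-extension list are constructed for illustration, and a real mail gateway would feed it parsed headers and body text instead.

```python
# Added example (not from the original report): flag replies in an existing email
# thread that break the thread's established pattern. All data here is constructed.
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Attachment extensions frequently abused for malware delivery (illustrative list).
RISKY_EXT = {".zip", ".rar", ".iso", ".lnk", ".js", ".vbs", ".docm", ".xlsm", ".url"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Message:
    thread_id: str
    sender: str
    body: str
    attachments: list = field(default_factory=list)


def message_domains(body: str) -> set:
    """Lower-cased hostnames of every http(s) URL found in the body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def flag_thread_hijacks(messages: list) -> list:
    """Return (thread_id, message_index, reason) tuples for messages that either
    link to a domain not previously seen in that thread (judged only once the
    thread has prior history) or carry an attachment with a risky extension."""
    seen_domains = {}   # thread_id -> domains seen so far in that thread
    history = {}        # thread_id -> number of earlier messages
    findings = []
    for i, m in enumerate(messages):
        known = seen_domains.setdefault(m.thread_id, set())
        prior = history.get(m.thread_id, 0)
        domains = message_domains(m.body)
        if prior > 0:
            for d in sorted(domains - known):
                findings.append((m.thread_id, i, f"new link domain {d}"))
        for name in m.attachments:
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in RISKY_EXT:
                findings.append((m.thread_id, i, f"risky attachment {name}"))
        known |= domains
        history[m.thread_id] = prior + 1
    return findings


# Constructed thread: a legitimate freight exchange whose third message comes from the
# same (now compromised) account but introduces a new file-hosting domain and an archive.
SAMPLE_THREAD = [
    Message("T1", "ops@freight-example.test",
            "Pickup confirmed, see https://portal.freight-example.test/load/123"),
    Message("T1", "dispatch@carrier-example.test",
            "Thanks, updated rate con attached", ["ratecon_123.pdf"]),
    Message("T1", "ops@freight-example.test",
            "Revised BOL here: https://files.delivery-docs-example.test/bol", ["BOL_123.zip"]),
]

if __name__ == "__main__":
    for finding in flag_thread_hijacks(SAMPLE_THREAD):
        print(finding)
```

The heuristic deliberately stays quiet on a thread's first message, since every thread has to start somewhere; it is the change of behaviour mid-conversation that distinguishes a hijacked reply from a new but legitimate contact. Tune RISKY_EXT to the file types your organisation actually exchanges.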
Threats to water utilities continue
U.S. government agencies including CISA, FBI, and the nonprofit Water Information Sharing and Analysis Center (Water ISAC) issued advisories this month warning of continued threats to water and wastewater services (WWS) utilities. The Arkansas City, Kansas, water utility was the victim of a Sept. 29 cyber attack that impacted water services. Details about the attack are not yet available; however, four days before the attack, CISA reported that attacks have used “unsophisticated exploits” to successfully compromise victim utilities. Water ISAC issued an amber alert warning of increased attacks from state-sponsored threat actors, although the details of that warning were not made public. For more details, see Threat Actors Continue to Exploit OT/ICS through Unsophisticated Means.
TR&A Comments: To remotely administer control systems, administrators have connected these devices directly to the internet. These systems are easily discovered through internet scanning tools like Shodan and Censys, and lack robust security features, making them vulnerable to simple attacks. Defenders are advised to implement secure remote access to these systems to avoid direct internet exposure.
Ericsson’s enterprise solutions for active defense: Zero Trust Private Access secures administration for remote systems. This solution does not require a VPN headend, removing the threat of vulnerable VPN devices and software. Reduce the attack surface and mitigate risks to industrial control systems by combining secure remote access with a zero trust network architecture.
Botnets thrive by exploiting new vulnerabilities
Authorities disrupted several large botnet networks in January and May of this year. However, the NSA and international agencies issued warnings about “Raptor Train,” a new campaign to rebuild botnets. This campaign involved state-sponsored threat actors using upgraded Mirai malware to exploit newly discovered IoT and network device vulnerabilities. Threat actors use botnets to evade security controls, for example routing traffic through “residential IP addresses” to obscure the country of origin of initial attacks and of later data exfiltration activity. For more details, see CSA-PRC-LINKED-ACTORS-BOTNET.PDF (defense.gov) and Derailing the Raptor Train - Lumen.
TR&A Comments: Five of the vulnerabilities exploited by Mirai are from 2024, with two allowing remote command execution. Three are for internet-facing devices, and this month the D-Link DIR-820 router has a reported RCE vulnerability that could be added to the Mirai exploits. Defenders are advised to protect internet-facing devices by prioritizing patches, restricting available services, and monitoring for the IoCs listed in the “CSA PRC Linked Actors Botnet” advisory.
Ericsson’s enterprise solutions for active defense: Zero Trust SD-WAN and NetCloud Secure Connect are designed with zero trust networks by default. Devices that require internet access are protected, and their exposure to internet-based attacks is reduced.
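Monitoring for the advisory's IoCs means matching firewall and DNS records against a list that mixes single addresses, CIDR ranges and domain names, where a domain indicator must also catch its subdomains without matching unrelated names that merely share a parent zone. The Python below is an added example written for this report, not Ericsson, NSA or Lumen code, and it does not contain any indicator from the advisory: the indicator values are placeholders in RFC 5737 documentation ranges and the reserved .invalid zone, and the log lines are constructed in a simple key=value format.

```python
# Added example (not from the original report): match key=value firewall/DNS log lines
# against an IoC list of IPs, CIDR ranges and domains. All indicators and log lines are
# constructed placeholders; substitute the indicators from the advisory you are acting on.
import ipaddress
import re

KV_RE = re.compile(r"(\w+)=(\S+)")


def load_indicators(raw: list) -> tuple:
    """Split a mixed indicator list into IP networks (single IPs become /32 or /128)
    and a set of lower-cased domain names."""
    nets, domains = [], set()
    for item in raw:
        item = item.strip().lower()
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            domains.add(item.rstrip("."))
    return nets, domains


def match_ip(value: str, nets: list):
    """Return the matching network as a string, or None."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    for net in nets:
        if addr in net:
            return str(net)
    return None


def match_domain(name: str, domains: set):
    """Suffix match on whole labels: 'a.b.example.invalid' matches indicator
    'b.example.invalid' but 'mail.example.invalid' does not match it."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_logs(lines: list, raw_iocs: list) -> list:
    """Return (line_number, field, observed_value, matched_indicator) for every hit."""
    nets, domains = load_indicators(raw_iocs)
    hits = []
    for lineno, line in enumerate(lines, start=1):
        fields = dict(KV_RE.findall(line))
        for key in ("src", "dst"):
            if key in fields:
                matched = match_ip(fields[key], nets)
                if matched:
                    hits.append((lineno, key, fields[key], matched))
        if "query" in fields:
            matched = match_domain(fields["query"], domains)
            if matched:
                hits.append((lineno, "query", fields["query"], matched))
    return hits


# Constructed placeholder indicators (NOT from the advisory).
SAMPLE_IOCS = ["198.51.100.23", "203.0.113.0/24", "c2-placeholder.example.invalid"]

# Constructed log lines: two firewall allows, one DNS query to a subdomain of an
# indicator, and two benign records that must not match.
SAMPLE_LOGS = [
    "2024-09-18T10:01:02Z src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "2024-09-18T10:01:05Z src=10.0.0.7 dst=192.0.2.50 dport=80 action=allow",
    "2024-09-18T10:02:11Z src=10.0.0.9 dst=203.0.113.77 dport=8443 action=allow",
    "2024-09-18T10:03:00Z src=10.0.0.5 query=beacon.c2-placeholder.example.invalid type=A",
    "2024-09-18T10:03:30Z src=10.0.0.5 query=mail.example.invalid type=A",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, SAMPLE_IOCS):
        print(hit)
```

The whole-label suffix match matters in practice: a naive `endswith` check against an indicator would fire on any host in a shared parent zone, producing false positives that bury the real hits, while matching only exact names would miss the per-victim subdomains that botnet infrastructure commonly rotates through.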
Known exploited vulnerabilities that Ericsson's enterprise solutions would mitigate
The vulnerabilities listed below are actively exploited, including vulnerabilities published or added to CISA’s Known Exploited Vulnerabilities Catalog in September 2024. The table’s “Criticality” column shows the CISA-APD score, when available, to guide remediation prioritization.
Product | Criticality (CVSS 3.0) | Impact | Industry | Exploited? | CVE
--- | --- | --- | --- | --- | ---
D-Link DIR-820 Router | 9.8 Critical | Unauthenticated remote code execution using a crafted payload in the ping_addr parameter. | Multiple | Yes | CVE-2023-25280
Microsoft Windows Mark of the Web (MoTW) | 5.4 Medium | Security protection features that rely on MoTW tagging to identify higher-risk files will fail. | Multiple | Yes | CVE-2024-38217
For more monthly threat intelligence reports, please visit our threat intelligence blog or watch our weekly Hot Shots video series for tactical threat intelligence in under 15 minutes. If you would like to speak with an Ericsson solutions expert, you can contact us using the chat feature on our website.