Spear Phishing Campaign Targets Alberta’s Insurance Industry
Our latest Active Threat Report describes an active spear phishing attack on Alberta insurers. Read the report now to stay informed and protect your organization.
May 12, 2025 issue
On May 31, Alberta’s Security Management for Critical Infrastructure Regulation is set to come into effect, introducing new security obligations for designated energy facilities. The regulation, issued under the Responsible Energy Development Act, applies to sites including wells, pipelines, mines, in situ operations, and processing plants. The Alberta Energy Regulator (AER) is responsible for identifying these critical facilities and notifying operators. It also has the authority to audit and, if necessary, suspend operations for non-compliance.
The regulation mandates that operators of designated critical infrastructure implement a Security Management Program in accordance with CSA Z246.1, a national standard for petroleum and natural gas systems. This standard outlines a risk-based framework for managing physical, personnel, and cybersecurity threats. It emphasizes protections tailored to the nature of information technology (IT) and industrial control systems (ICS), including maintaining asset inventories, segmenting networks, securing remote access, and monitoring for intrusions.
Organizations should begin by assessing their exposure, identifying critical assets, and developing tailored security programs. Training and continuous improvement are also key: the regulation requires ongoing evaluation of security controls and the documentation that supports them. The consequences of non-compliance are significant; failure to implement a compliant program could lead to licence suspension or a full operational shutdown.
The adoption of CSA Z246.1 marks a shift toward harmonized standards across Canadian jurisdictions. For Alberta’s critical infrastructure, it signals a heightened regulatory focus on cybersecurity and risk preparedness. CyberAlberta provides several resources that may help organizations identify gaps in their security strategy and ensure compliance, which is essential for protecting critical systems and maintaining public and environmental safety.
On April 22, 2025, cybersecurity firm ReliaQuest disclosed the active exploitation of a critical zero-day vulnerability (CVE-2025-31324) in SAP NetWeaver, a core component of many enterprise SAP environments. The vulnerability carries the highest possible Common Vulnerability Scoring System (CVSS) score of 10: it allows an unauthenticated attacker to upload arbitrary files to the server, which attackers have used to achieve remote code execution and full system compromise.
Research from Onapsis indicates that threat actors began probing and testing this vulnerability as early as January 2025, with confirmed exploitation starting in mid-March. Most organizations, however, only began detecting related activity in April, leaving a multi-week gap during which adversaries could have operated undetected.
Exploitation patterns show that attackers commonly uploaded multiple web shells to affected systems, establishing persistent access points. Critically, these web shells were often left in place and reachable by anyone, so once the issue became public knowledge other actors opportunistically reused them, widening the pool of compromised systems.
This threat impacts both internal and external attack surfaces and poses a high risk to organizations running SAP systems. Immediate action is recommended:
Given the strategic importance of SAP systems to business operations, organizations must treat this as a priority threat. A delayed response may result in significant operational disruption and data loss.
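Because the web shells described above were left on disk and were invoked over ordinary HTTP, a hunt can start from two artifacts that most SAP landscapes already have: the JSP directory of the NetWeaver Java portal and the HTTP access log. The script below is an added example, not code from CyberAlberta, ReliaQuest, Onapsis or SAP. It assumes a Common Log Format access log, uses generic indicators of JSP command-execution shells rather than signatures for any specific sample, and takes the portal JSP root path and the Visual Composer Metadata Uploader endpoint (`/developmentserver/metadatauploader`, the endpoint abused by CVE-2025-31324) from public advisories; adjust `WEBSHELL_ROOT` for your SID and instance. The sample files and log lines are constructed for the demonstration.

```python
"""Hunt for JSP web shells and metadata-uploader activity after CVE-2025-31324.

Added example (not from the CyberAlberta report or from SAP/ReliaQuest/Onapsis).
Assumptions: the NetWeaver Java portal serves JSPs from WEBSHELL_ROOT, and the
HTTP access log follows a Common Log Format-like layout.
"""
import re
import tempfile
from pathlib import Path

# Default portal JSP root on a NetWeaver Java instance (assumption: adjust <SID>/J<nn>).
WEBSHELL_ROOT = "/usr/sap/<SID>/J<nn>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root"
# Visual Composer Metadata Uploader endpoint abused by CVE-2025-31324.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Generic indicators of command-execution JSP shells; any one is worth a look.
SHELL_INDICATORS = {
    "runtime-exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec", re.I),
    "process-builder": re.compile(r"new\s+ProcessBuilder", re.I),
    "cmd-parameter": re.compile(r"getParameter\s*\(\s*[\"'](cmd|command|exec)[\"']", re.I),
    "class-loading": re.compile(r"defineClass|URLClassLoader", re.I),
}


def scan_jsp_tree(root):
    """Return [(relative_path, [indicator names])] for every JSP that matches an indicator."""
    root = Path(root)
    findings = []
    for jsp in sorted(root.rglob("*.jsp")):
        text = jsp.read_text(errors="ignore")
        hits = [name for name, rx in SHELL_INDICATORS.items() if rx.search(text)]
        if hits:
            findings.append((str(jsp.relative_to(root)), hits))
    return findings


# Common Log Format: ip ident user [timestamp] "METHOD target HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def suspicious_requests(log_lines):
    """Return [(ip, method, target, status, reason)] for requests that merit investigation."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path, _, query = m["target"].partition("?")
        reason = None
        if path.lower().startswith(UPLOADER_PATH):
            # Legitimate only during Visual Composer development; from the Internet it is an alert.
            reason = "metadatauploader request"
        elif path.lower().endswith(".jsp") and re.search(r"(^|&)(cmd|command|exec)=", query, re.I):
            reason = "JSP invoked with a command parameter"
        if reason:
            alerts.append((m["ip"], m["method"], m["target"], m["status"], reason))
    return alerts


# Constructed sample log: one uploader POST, one shell invocation, one normal portal hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Apr/2025:10:15:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Apr/2025:10:15:09 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 64',
    '198.51.100.4 - - [23/Apr/2025:10:16:30 +0000] "GET /irj/portal HTTP/1.1" 200 8192',
]


def demo():
    """Run both hunts against constructed data; returns (file_findings, log_alerts)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)  # stands in for WEBSHELL_ROOT
        (root / "index.jsp").write_text("<%@ page language=\"java\" %><html>Welcome</html>")
        (root / "helper.jsp").write_text(
            '<% String c = request.getParameter("cmd"); Runtime.getRuntime().exec(c); %>'
        )
        file_findings = scan_jsp_tree(root)
    return file_findings, suspicious_requests(SAMPLE_LOG)


if __name__ == "__main__":
    files, alerts = demo()
    for rel, hits in files:
        print(f"[file] {rel}: {', '.join(hits)}")
    for ip, method, target, status, reason in alerts:
        print(f"[log] {ip} {method} {target} -> {status}: {reason}")
```

Run `scan_jsp_tree(WEBSHELL_ROOT)` on a real instance and compare the output against the JSPs shipped by the portal; any JSP you cannot account for, or one with a modification time after the January 2025 probing window, belongs in the incident record alongside the matching access-log entries.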
A recent report by SecureWorks reveals that ransomware groups are experimenting with new business models in cybercriminal forums. By outsourcing tools, infrastructure, and target lists, these cybercriminals can potentially attack more victims at a higher rate while making attribution and the tracking of malicious activity even more challenging.
One example of this evolution in ransomware affiliate programs is the “cartel” model recently adopted by the DragonForce Ransomware-as-a-Service (RaaS) operation. As noted by SecureWorks, DragonForce provides affiliates with access to its infrastructure and tools as a base from which to launch attacks. Unlike other RaaS models, it does not mandate the use of its own encryptor, offering greater operational flexibility to appeal to a wider range of affiliates.
The Anubis ransomware operation has diversified its offerings to cater to different affiliate preferences. It now supports three models: traditional Ransomware-as-a-Service (RaaS), in which files are encrypted for extortion; single-extortion campaigns, in which data is exfiltrated without encryption; and an initial access broker service, in which entry points into compromised environments are sold for use by other threat actors. Each model offers a different profit share depending on the scope and role of the affiliate. Anubis has also revealed a new negotiation tactic: threatening to report the victim’s breach to the relevant authorities in order to pressure the victim into paying.
Clearly, cybercriminal enterprises continue to seek efficiencies that maximize their return on investment. For organizations, this means the threat of cybercriminal attacks continues to expand. To make it harder for threat actors to gain initial access to their networks, organizations should maintain thorough patch management, enforce strong password policies, and implement multi-factor authentication (MFA) wherever possible. CyberAlberta also provides resources to help organizations align with cybersecurity best practices and develop incident response playbooks.