Archive: 2021 Cybersecurity Alerts

2021 Cyber Alerts Catalogue

Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
December 22, 2021

CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory in response to multiple vulnerabilities in Apache’s Log4j software library. Malicious cyber actors are actively scanning networks to potentially exploit CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.

This advisory expands on CISA’s previously published guidance, drafted in collaboration with industry members of CISA’s Joint Cyber Defense Collaborative (JCDC), by detailing recommended steps that vendors and organizations with information technology, operational technology/industrial control systems, and cloud assets should take to respond to these vulnerabilities.

CISA, FBI, NSA, the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) assess that exploitation of these vulnerabilities, especially Log4Shell, is likely to increase and continue over an extended period. CISA and its partners strongly urge all organizations to review AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities for detailed mitigations.


CISA Adds Two Known Exploited Vulnerabilities to Catalog
December 15, 2021

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose a significant risk to the federal enterprise.

CVE Number | CVE Title | Remediation Due Date
CVE-2021-43890 | Microsoft Windows AppX Installer Spoofing Vulnerability | 12/29/2021
CVE-2021-4102 | Google Chromium V8 Engine Use-After-Free Vulnerability | 12/29/2021

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.


Immediate Steps to Strengthen Critical Infrastructure against Potential Cyberattacks
December 15, 2021

In light of persistent and ongoing cyber threats, CISA urges critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential cyberattacks. CISA has released CISA Insights: Preparing For and Mitigating Potential Cyber Threats to provide critical infrastructure leaders with steps to proactively strengthen their organization’s operational resiliency against sophisticated threat actors, including nation-states and their proxies.

CISA encourages leadership at all organizations—and critical infrastructure owners and operators in particular—to review the CISA Insights and adopt a heightened state of awareness.


Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation
December 10, 2021

The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.

CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.


Reminder for Critical Infrastructure to Stay Vigilant Against Threats During Holidays and Weekends
November 22, 2021

As Americans prepare to hit the highways and airports this Thanksgiving holiday, CISA and the Federal Bureau of Investigation (FBI) are reminding critical infrastructure partners that malicious cyber actors aren’t making the same holiday plans as you. Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways—big and small—to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure.

There are actions that executives, leaders, and workers in any organization can take proactively to protect themselves against cyberattacks, including possible ransomware attacks, during the upcoming holiday season—a time during which offices are often closed, and employees are home with their friends and families. Although neither CISA nor the FBI currently have identified any specific threats, recent 2021 trends show malicious cyber actors launching serious and impactful ransomware attacks during holidays and weekends, including Independence Day and Mother’s Day weekends.

CISA and the FBI strongly urge all entities–especially critical infrastructure partners–to examine their current cybersecurity posture and implement best practices and mitigations to manage the risk posed by cyber threats. Specifically, CISA and the FBI urge users and organizations to take the following actions to protect themselves from becoming the next victim:

  • Identify IT security employees for weekends and holidays who would be available to surge during these times in the event of an incident or ransomware attack.

  • Implement multi-factor authentication for remote access and administrative accounts.
  • Mandate strong passwords and ensure they are not reused across multiple accounts.
  • If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored.
  • Remind employees not to click on suspicious links, and conduct exercises to raise awareness.



CISA LAUNCHES THE INFRASTRUCTURE DEPENDENCY PRIMER TO STRENGTHEN COMMUNITY RESILIENCE
November 19, 2021

WASHINGTON – Infrastructure is the backbone of communities, providing critical services and enabling essential functions such as health, safety, and economic growth. Understanding critical infrastructure dependencies and incorporating them into planning is key to the resilience of communities across the nation.  The Cybersecurity and Infrastructure Security Agency (CISA) announces today the Infrastructure Dependency Primer (IDP), developed to help state, local, tribal, and territorial planners and decisionmakers better understand how infrastructure dependencies can impact community risk and resilience and how to incorporate that knowledge into ongoing community planning.  The IDP is a supplement to CISA’s recently published Infrastructure Resilience Planning Framework (IRPF).

The IDP provides animations, interactive graphics, and guidance to address fundamental questions users may have regarding infrastructure, dependencies, and resilience planning, such as:

  • What are infrastructure dependencies and why should I care?
  • What is resilience, how does it relate to dependencies, and how do I plan for it?
  • What resources are there to help me reduce dependency risks and enhance the resilience of my community?

The IDP is organized into three main sections, which provide basic instruction on important topics:

  • LEARN: Essential community functions, enabling infrastructure systems, and infrastructure dependencies
  • PLAN: Resilience, the role of infrastructure stakeholders in planning processes, and methods for incorporating dependencies into planning
  • IMPLEMENT: Actions for improving resilience, case study examples, and available resources

This IDP is publicly accessible and meant to be independently explored by users based on their interests and needs.  No prerequisite training or knowledge is needed to benefit from IDP content.  Increase your infrastructure dependency understanding today at cisa.gov/idp.

For more information on infrastructure resilience planning and assessment, visit CISA.gov/idr-program.


CISA RELEASES DIRECTIVE ON REDUCING THE SIGNIFICANT RISK OF KNOWN EXPLOITED VULNERABILITIES
November 03, 2021

Establishes Priorities for Vulnerability Management and Provides an Impetus for Federal Agencies to Improve Vulnerability Management Practices

WASHINGTON – Today the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries. The Directive establishes a CISA-managed catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.

CISA issued BOD 22-01 to drive federal agencies to mitigate actively exploited vulnerabilities on their networks, sending a clear message to all organizations across the country to focus patching on the subset of vulnerabilities that are causing harm now, and enable CISA to drive continuous prioritization of vulnerabilities based on our understanding of adversary activity. The Directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. With this Directive, CISA is imposing the first government-wide requirements to remediate vulnerabilities affecting both internet-facing and non-internet facing assets.

“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” said CISA Director Jen Easterly. “The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks. While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”



FBI Releases Indicators of Compromise Associated with Ranzy Locker Ransomware
October 27, 2021

The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks using Ranzy Locker, a ransomware variant first identified targeting victims in the United States in late 2020.


NOBELIUM Attacks on Cloud Services and other Technologies
October 25, 2021

Microsoft has released a blog on NOBELIUM attacks on cloud services and other technologies. CISA urges users and administrators to review NOBELIUM targeting delegated administrative privileges to facilitate broader attacks and apply the necessary mitigations.

CISA, FBI, and NSA Release Joint Cybersecurity Advisory on BlackMatter Ransomware
October 18, 2021

CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA): BlackMatter Ransomware.

Since July 2021, malicious cyber actors have used BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization. Using an analyzed sample of BlackMatter ransomware and information from trusted third parties, this CSA provides cyber actor tactics, techniques, and procedures and outlines mitigations to improve ransomware protection, detection, and response.

To reduce the risk of BlackMatter ransomware, CISA, FBI, and NSA encourage organizations to implement the recommended mitigations in the joint CSA and visit this website.


CISA, FBI, and NSA Release Joint Cybersecurity Advisory on Conti Ransomware
September 22, 2021

CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) alerting organizations of increased Conti ransomware attacks. Malicious cyber actors use Conti ransomware to steal sensitive files from domestic and international organizations, encrypt the targeted organizations’ servers and workstations, and demand a ransom payment from the victims.

CISA, FBI, and NSA encourage network defenders to examine their current cybersecurity posture and apply the recommended mitigations in the joint CSA, which include:

  • Updating your operating system and software,
  • Requiring multi-factor authentication, and
  • Implementing network segmentation.

Additionally, review the U.S. government resource StopRansomware.gov for more guidance on ransomware protection, detection, and response.


Google Releases Security Updates for Chrome
September 14, 2021

Google has released Chrome version 93.0.4577.82 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.


SAP Releases September 2021 Security Updates
September 14, 2021

SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the SAP Security Notes for September 2021 and apply the necessary updates.


Microsoft Releases September 2021 Security Updates
September 14, 2021

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s September 2021 Security Update Summary and Deployment Information and apply the necessary updates.

Apple has released security updates to address vulnerabilities—CVE-2021-30860, CVE-2021-30858—in iOS and iPadOS. An attacker could exploit these vulnerabilities to take control of an affected device. CISA is aware of public reporting that these vulnerabilities may have been exploited in the wild.

CISA encourages users and administrators to review the iOS 14.8 and iPadOS 14.8 security update page and apply the necessary updates.

Microsoft has released mitigations and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in Microsoft Windows. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. This vulnerability has been detected in exploits in the wild.

CISA encourages users and administrators to review Microsoft’s advisory and to implement the mitigations and workarounds.

CISA has released a new CISA Insights, Risk Considerations for Managed Service Provider Customers (MSPs), which provides Managed Service Provider (MSP) customers a framework for reducing risk.

This framework is designed for government and private sector organizations of all sizes, and it suggests considerations for IT management planning, best practices, and tools for reducing overall risk. This resource divides guidance across these areas: (1) senior executives and boards of directors (strategic decision-making); (2) procurement professionals (operational decision-making); and (3) network administrators, systems administrators, and front-line cybersecurity staff (tactical decision-making).

To read CISA’s latest blog, visit: CISA.gov/blog/2021/09/02/going-beyond-assessing-security-practices-it-service-providers.


Ransomware Awareness for Holidays and Weekends
September 2, 2021

SUMMARY
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021. The FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday. However, the FBI and CISA are sharing the below information to raise awareness and encourage especially diligent network defense practices in the run-up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.



FBI Releases Indicators of Compromise Associated with Hive Ransomware
Original release date: August 27, 2021

The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ransomware attacks by Hive, a likely Ransomware-as-a-Service organization consisting of a number of actors using multiple mechanisms to compromise business networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption software.

CISA encourages users and administrators to review the technical details, IOCs, and TTPs in FBI Flash MC-000150-MW and apply the recommended mitigations.


F5 Releases August 2021 Security Advisory
Original release date: August 25, 2021

F5 has released a security advisory on vulnerabilities affecting multiple versions of BIG-IP and BIG-IQ for August 2021.

CISA encourages users and administrators to review the F5 security advisory and install updated software or apply the necessary mitigations as soon as possible.


Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities
Original release date: August 21, 2021

Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.


CISA Provides Recommendations for Protecting Information from Ransomware-Caused Data Breaches
Original release date: August 18, 2021

CISA has released the fact sheet Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches to address the increase in malicious cyber actors using ransomware to exfiltrate data and then threatening to sell or leak the exfiltrated data if the victim does not pay the ransom. These data breaches, often involving sensitive or personal information, can cause financial loss to the victim organization and erode customer trust.

The fact sheet provides information for organizations to use in preventing and responding to ransomware-caused data breaches. CISA encourages organizations to adopt a heightened state of awareness and implement the recommendations listed in this fact sheet to reduce their risk to ransomware and protect sensitive and personal information. Review StopRansomware.gov for additional ransomware resources.


CISA ANNOUNCES NEW VULNERABILITY DISCLOSURE POLICY (VDP) PLATFORM

Improves Cybersecurity Across the Federal Civilian Enterprise and Reduces Government Spending
By Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA

August 2021 — Last fall, we issued the final version of Binding Operational Directive (BOD 20-01), which was issued in support of the Office of Management and Budget M-20-32, “Improving Vulnerability Identification, Management, and Remediation”. This Directive reflects CISA’s commitment to strengthening cybersecurity and resilience for federal civilian agencies by requiring agencies to establish policies enabling the public to contribute and report vulnerability disclosures. Recognizing that policies alone are not sufficient, we also announced plans to launch a vulnerability disclosure platform service in the near future. Today, the future arrived.

The Cybersecurity and Infrastructure Security Agency (CISA) is proud to announce the VDP Platform for the federal civilian enterprise, the latest shared service offered by CISA’s Cyber Quality Services Management Office (QSMO) and provided by BugCrowd and EnDyna. The VDP Platform provides a single, centrally managed online website for agencies to list systems in scope for their vulnerability disclosure policies, enabling security researchers and members of the general public to find vulnerabilities in agency websites and submit reports for analysis. The Department of Homeland Security (DHS), the Department of Labor (DoL), and the Department of Interior (DoI) are among the agencies planning to leverage this platform at the onset.

This new platform allows agencies to gain greater insights into potential vulnerabilities, thereby improving their cybersecurity posture. This approach also enables significant government-wide cost savings, as agencies no longer need to develop their own, separate systems to enable reporting and triage of identified vulnerabilities. CISA estimates over $10 million in government-wide cost savings will be achieved by leveraging the QSMO shared services approach.



U.S., U.K., and Australia Issue Joint Cybersecurity Advisory
Original release date: July 28, 2021

Cyber Agencies Share Top Routinely Exploited Vulnerabilities

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), United Kingdom’s National Cyber Security Centre (NCSC) and Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory today, highlighting the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by cyber actors in 2020 and those vulnerabilities being widely exploited thus far in 2021. Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide.  It’s recommended that organizations apply the available patches for the 30 vulnerabilities listed in the joint cybersecurity advisory and implement a centralized patch management system.

One of the key findings is that four of the most targeted vulnerabilities in 2020 involved remote work, VPNs, or cloud-based technologies. Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options due to the COVID-19 pandemic challenging the ability of organizations to conduct rigorous patch management. In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. This advisory lists the vendors, products, and CVEs associated with these vulnerabilities, which organizations should urgently patch.



Top Routinely Exploited Vulnerabilities
Original release date: July 28, 2021

CISA, the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) have released the Joint Cybersecurity Advisory Top Routinely Exploited Vulnerabilities, which details the top vulnerabilities routinely exploited by malicious actors in 2020 and those being widely exploited thus far in 2021.

CISA encourages users and administrators to review the Joint Cybersecurity Advisory for information on assessing and remediating vulnerabilities as quickly as possible to reduce the risk of exploitation.


Dept. Homeland Security Emergency Directive 21-04: Mitigate Windows Print Spooler Service Vulnerability
July 13, 2021

Background

CISA has become aware of active exploitation, by multiple threat actors, of a vulnerability (CVE-2021-34527) in the Microsoft Windows Print Spooler service. Exploitation of the vulnerability allows an attacker to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization.

The Microsoft Print Spooler service improperly performs privileged file operations and fails to restrict access to functionality that allows users to add printers and related drivers, which in turn allows a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. CISA has validated various proofs of concept and is concerned that exploitation of this vulnerability may lead to full system compromise of agency networks if left unmitigated.

CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.

Required Actions

All Federal Civilian Executive Branch agencies must complete the following actions:

  1. By 11:59 pm EDT, Wednesday, July 14, 2021, Stop and Disable the Print Spooler service on all Microsoft Active Directory (AD) Domain Controllers (DC).
  2. By 11:59 pm EDT, Tuesday, July 20, 2021, apply the July 2021 cumulative updates to all Windows Servers and Workstations.
  3. By 11:59 pm EDT, Tuesday, July 20, 2021, for all hosts running Microsoft Windows operating systems (other than domain controllers under action #1) complete either Option 1, 2, or 3 below:



SolarWinds Releases Advisory for Serv-U Vulnerability
Original release date: July 13, 2021

SolarWinds has released an advisory addressing a vulnerability—CVE-2021-35211—affecting Serv-U Managed File Transfer and Serv-U Secure FTP. The exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Note: this vulnerability does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products.

CISA encourages users and administrators to review the SolarWinds advisory and install the necessary updates.


CISA Addresses the Rise in Ransomware Targeting Operational Technology Assets
Original release date: June 9, 2021

CISA has published the Rising Ransomware Threat to OT Assets fact sheet in response to the recent increase in ransomware attacks targeting operational technology (OT) assets and control systems. The guidance:

  • Provides steps to prepare for, mitigate against, and respond to attacks;
  • Details how the dependencies between an entity’s IT and OT systems can provide a path for attackers; and
  • Explains how to reduce the risk of severe business degradation if affected by ransomware.

CISA encourages critical infrastructure (CI) owners and operators to review the Rising Ransomware Threat to OT Assets fact sheet as well as CISA’s Ransomware webpage to help them in reducing their CI entity’s vulnerability to ransomware.


SAP Releases June 2021 Security Updates
Original release date: June 8, 2021

SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the SAP Security Notes for June 2021 and apply the necessary updates.


Unpatched VMware vCenter Software
Original release date: June 4, 2021

CISA is aware of the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system.

CISA encourages users and administrators to review VMware’s VMSA-2021-010, blog post, and FAQ for more information about the vulnerability and apply the necessary updates as soon as possible, even if out-of-cycle work is required. If an organization cannot immediately apply the updates, then apply the workarounds in the interim.


Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware
Original release date: May 19, 2021

CISA and the Federal Bureau of Investigation (FBI) have updated Joint Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for Preventing Disruption from Ransomware Attacks, originally released May 11, 2021. This update provides a downloadable STIX file of indicators of compromise (IOCs) to help network defenders find and mitigate activity associated with DarkSide ransomware. These IOCs were shared with critical infrastructure partners and network defenders on May 10, 2021.

CISA encourages users and administrators to review AA21-131A for more information.


CISA Publishes Eviction Guidance for Networks Affected by SolarWinds and AD/M365 Compromise
Original release date: May 14, 2021

CISA has released an analysis report, AR21-134A Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise. The report provides detailed steps for affected organizations to evict the adversary from compromised on-premises and cloud environments.

Additionally, CISA has publicly issued Emergency Directive (ED) 21-01 Supplemental Direction Version 4: Mitigate SolarWinds Orion Code Compromise to all federal agencies that have—or had—networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity.

Although the guidance in AR21-134A and ED 21-01 Supplemental Direction V.4 is tailored to federal agencies, CISA encourages critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review and apply it, as appropriate.

Review the following resources for additional information:

Note: the U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House and in the three Joint Cybersecurity Advisories summarized in the CISA Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise.


Joint CISA-FBI Cybersecurity Advisory on DarkSide Ransomware
Original release date: May 11, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on a ransomware-as-a-service (RaaS) variant—referred to as DarkSide—recently used in a ransomware attack against a critical infrastructure (CI) company.

Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data. These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy.

Prevention is the most effective defense against ransomware. It is critical to follow best practices to protect against ransomware attacks, which can be devastating to an individual or organization and recovery may be a difficult process. In addition to the Joint CSA, CISA and FBI urge CI asset owners and operators to review the following resources for best practices on strengthening cybersecurity posture:

Victims of ransomware should report it immediately to CISA, a local FBI Field Office, or a Secret Service Field Office.


Joint NCSC-CISA-FBI-NSA Cybersecurity Advisory on Russian SVR Activity
Original release date: May 07, 2021

CISA has joined with the United Kingdom’s National Cyber Security Centre (NCSC), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) in releasing a Joint Cybersecurity Advisory on Russian Foreign Intelligence Service (SVR) tactics, techniques, and procedures (TTPs). Further TTPs associated with SVR cyber actors provides additional details on SVR activity, including exploitation activity following their initial compromise of the SolarWinds Orion software supply chain.

CISA has also released Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise that provides summaries of three key joint publications that focus on SVR activities related to the SolarWinds Orion supply chain compromise.

CISA strongly encourages users and administrators to review the joint advisory as well as the other two advisories summarized on the fact sheet for mitigation strategies to aid organizations in securing their networks against Russian SVR activity.


CISA Releases Analysis Reports on New FiveHands Ransomware
Original release date: May 06, 2021

CISA is aware of a recent, successful cyberattack against an organization that used a new ransomware variant known as FiveHands.

CISA has released AR21-126A: FiveHands Ransomware and MAR-10324784-1.v1: FiveHands Ransomware to provide analysis of the threat actor’s tactics, techniques, and procedures as well as indicators of compromise (IOCs). These reports also provide CISA’s recommended mitigations for strengthening networks to protect against, detect, and respond to potential FiveHands ransomware attacks.

CISA encourages organizations to review AR21-126A and MAR-10324784-1.v1 for more information.


CISA Updates Alert on Pulse Connect Secure
Original release date: April 30, 2021

CISA has updated Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities, originally released April 20. This update adds a new Detection section providing information on Impossible Travel and Transport Layer Security (TLS) Fingerprinting that may be useful in identifying malicious activity.
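The two detection techniques the updated alert describes, impossible travel and TLS fingerprinting, are both easy to express as batch checks over VPN authentication logs. The following is an added example, not code from the CISA alert or from Ivanti: it takes a list of login events (user, timestamp, source IP, JA3 client fingerprint), flags any pair of consecutive logins by the same user whose implied travel speed exceeds an assumed ceiling, and separately flags logins whose TLS fingerprint has never been seen for that user. The IP-to-coordinate table, the login events, the JA3 strings and the 900 km/h threshold are all constructed for the example; none of them are indicators from the advisory.

```python
"""Impossible-travel and TLS-fingerprint checks over VPN authentication events.

Added example (not from the CISA alert or Ivanti). The geolocation table,
login events, JA3 values and speed threshold below are constructed
assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set, Tuple

# Constructed IP -> (latitude, longitude) table; a real pipeline would
# consult a GeoIP database instead.
GEO: Dict[str, Tuple[float, float]] = {
    "203.0.113.10": (38.8977, -77.0365),  # Washington, DC
    "203.0.113.11": (38.9072, -77.0369),  # a few blocks away, same city
    "198.51.100.7": (55.7558, 37.6173),   # Moscow
    "192.0.2.44": (51.5074, -0.1278),     # London
}

# Assumed ceiling on legitimate travel speed (roughly an airliner).
MAX_SPEED_KMH = 900.0


@dataclass(frozen=True)
class AuthEvent:
    user: str
    ts: datetime
    src_ip: str
    ja3: str  # TLS ClientHello fingerprint as recorded by the VPN or a sensor


@dataclass(frozen=True)
class Alert:
    user: str
    reason: str
    detail: str


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_impossible_travel(events: List[AuthEvent],
                             max_speed_kmh: float = MAX_SPEED_KMH) -> List[Alert]:
    """Flag consecutive logins by one user whose implied speed exceeds the ceiling."""
    by_user: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    alerts: List[Alert] = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            if prev.src_ip == cur.src_ip:
                continue
            if prev.src_ip not in GEO or cur.src_ip not in GEO:
                continue  # no geolocation: cannot judge, so do not alert
            km = haversine_km(GEO[prev.src_ip], GEO[cur.src_ip])
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Two distant places at the same instant is also impossible.
            kmh = float("inf") if hours <= 0 else km / hours
            if kmh > max_speed_kmh:
                alerts.append(Alert(user, "impossible_travel",
                                    f"{prev.src_ip} -> {cur.src_ip}: {km:.0f} km "
                                    f"in {hours:.2f} h ({kmh:.0f} km/h)"))
    return alerts


def detect_unfamiliar_tls(events: List[AuthEvent],
                          baseline: Dict[str, Set[str]]) -> List[Alert]:
    """Flag logins whose JA3 fingerprint is not in that user's known set."""
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ja3 not in baseline.get(ev.user, set()):
            alerts.append(Alert(ev.user, "unfamiliar_tls_fingerprint",
                                f"{ev.src_ip}: ja3={ev.ja3}"))
    return alerts


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2021-04-20T{hhmm}:00+00:00")


# Constructed sample log; the JA3 strings are placeholders, not real hashes.
SAMPLE_EVENTS: List[AuthEvent] = [
    AuthEvent("alice", _t("09:00"), "203.0.113.10", "ja3-alice-laptop"),
    AuthEvent("alice", _t("10:30"), "198.51.100.7", "ja3-unknown-tool"),  # ~7,800 km in 90 min
    AuthEvent("bob", _t("09:00"), "203.0.113.10", "ja3-bob-laptop"),
    AuthEvent("bob", _t("09:10"), "203.0.113.11", "ja3-bob-laptop"),      # short hop, same city
    AuthEvent("carol", _t("08:00"), "192.0.2.44", "ja3-carol-laptop"),
    AuthEvent("carol", _t("20:00"), "203.0.113.10", "ja3-carol-laptop"),  # ~490 km/h, a plausible flight
]

# Constructed per-user baseline of previously observed fingerprints.
BASELINE: Dict[str, Set[str]] = {
    "alice": {"ja3-alice-laptop"},
    "bob": {"ja3-bob-laptop"},
    "carol": {"ja3-carol-laptop"},
}

if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_EVENTS) + detect_unfamiliar_tls(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

On the sample data only alice is flagged, by both checks: her second login implies several thousand km/h, and it arrives with a fingerprint her account has never used. Events from IPs with no geolocation are deliberately skipped rather than alerted, so the check fails quiet rather than noisy; a production version would want a separate "unknown source" signal for those.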

CISA encourages users and administrators to review the following resources for more information:


CISA Releases ICS Advisory on Real-Time Operating System Vulnerabilities
Original release date: April 29, 2021

CISA has released Industrial Control Systems Advisory ICSA-21-119-04 Multiple RTOS to provide notice of multiple vulnerabilities found in real-time operating systems (RTOS) and supporting libraries. Successful exploitation of these vulnerabilities could result in unexpected behavior such as a crash or a remote code injection/execution.

CISA encourages users and administrators to review the ICS Advisory for mitigation recommendations and available updates.


Cisco Releases Security Updates for Multiple Products
Original release date: April 29, 2021

Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit one of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates:

  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Buffer Overflow Denial of Service Vulnerability
  • Cisco Firepower Threat Defense Software SSL Decryption Policy Denial of Service Vulnerability cisco-sa-ftd-ssl-decrypt-dos-DdyLuK6c
  • Cisco Firepower Threat Defense Software Command Injection Vulnerability cisco-sa-ftd-cmdinj-vWY5wqZT
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services VPN Denial of Service Vulnerabilities cisco-sa-asa-ftd-vpn-dos-fpBcpEcD
  • Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software SIP Denial of Service Vulnerability cisco-sa-asa-ftd-sipdos-GGwmMerC

Apple Releases Security Updates
Original release date: April 27, 2021

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:


Google Releases Security Updates for Chrome
Original release date: April 27, 2021

Google has released Chrome version 90.0.4430.93 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.


CISA and NIST Release New Interagency Resource: Defending Against Software Supply Chain Attacks
Original release date: April 26, 2021

A software supply chain attack—such as the recent SolarWinds Orion attack—occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software can then further compromise customer data or systems.

To help software vendors and customers defend against these attacks, CISA and the National Institute of Standards and Technology (NIST) have released Defending Against Software Supply Chain Attacks. This new interagency resource provides an overview of software supply chain risks and recommendations. The publication also provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.


CISA Incident Response to SUPERNOVA Malware
Original release date: April 22, 2021

CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization’s enterprise network by an advanced persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident response engagement.


Google Releases Security Updates for Chrome
Original release date: April 21, 2021

Google has released Chrome version 90.0.4430.85 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.


Oracle Releases April 2021 Critical Patch Update
Original release date: April 20, 2021

Oracle has released its Critical Patch Update for April 2021 to address 384 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Oracle April 2021 Critical Patch Update and apply the necessary updates.


Mozilla Releases Security Update for Firefox, Firefox ESR, and Thunderbird
Original release date: April 20, 2021

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Mozilla Security Advisories for Firefox 88, Firefox ESR 78.10, and Thunderbird 78.10, and apply the necessary updates.


CISA Releases Alert on Exploitation of Pulse Connect Secure Vulnerabilities
Original release date: April 20, 2021

CISA is aware of the ongoing exploitation of Ivanti Pulse Connect Secure vulnerabilities compromising U.S. government agencies, critical infrastructure entities, and private sector organizations.

In response, CISA has released Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities to offer technical details regarding this activity. Ivanti has provided mitigations and is developing a patch.

CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to follow the guidance in Alert AA21-110A, which includes:

  • Running the Ivanti Integrity Checker Tool
  • Updating their Pulse Connect Secure appliance to the latest software version
  • Implementing the mitigation provided by Ivanti Pulse Secure (if evidence of compromise is found)

For additional information regarding this ongoing exploitation, see the FireEye blog post: Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day.