Cybersecurity Alerts

CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) alerting organizations of increased Conti ransomware attacks. Malicious cyber actors use Conti ransomware to steal sensitive files from domestic and international organizations, encrypt the targeted organizations’ servers and workstations, and demand a ransom payment from the victims.

CISA, FBI, and NSA encourage network defenders to examine their current cybersecurity posture and apply the recommended mitigations in the joint CSA, which include:

  • Updating your operating system and software,
  • Requiring multi-factor authentication, and
  • Implementing network segmentation.

Additionally, review the U.S. government resource StopRansomware.gov for more guidance on ransomware protection, detection, and response.


September 14, 2021

Google has released Chrome version 93.0.4577.82 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.


SAP Releases September 2021 Security Updates 
September 14, 2021

SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the SAP Security Notes for September 2021 and apply the necessary updates.


Microsoft Releases September 2021 Security Updates
September 14, 2021

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s September 2021 Security Update Summary and Deployment Information and apply the necessary updates.

Apple has released security updates to address vulnerabilities—CVE-2021-30860, CVE-2021-30858—in iOS and iPadOS. An attacker could exploit these vulnerabilities to take control of an affected device. CISA is aware of public reporting that these vulnerabilities may have been exploited in the wild.

CISA encourages users and administrators to review the iOS 14.8 and iPadOS 14.8 security update page and apply the necessary updates.

Microsoft has released mitigations and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in Microsoft Windows. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. This vulnerability has been detected in exploits in the wild.

CISA encourages users and administrators to review Microsoft’s advisory and to implement the mitigations and workarounds.

CISA has released a new CISA Insights, Risk Considerations for Managed Service Provider Customers (MSPs), which provides Managed Service Provider (MSP) customers a framework for reducing risk.

This framework is designed for government and private sector organizations of all sizes, and it suggests considerations for IT management planning, best practices, and tools for reducing overall risk. This resource divides guidance across these areas: (1) senior executives and boards of directors (strategic decision-making); (2) procurement professionals (operational decision-making); and (3) network administrators, systems administrators, and front-line cybersecurity staff (tactical decision-making).

Read CISA’s latest blog, visit: CISA.gov/blog/2021/09/02/going-beyond-assessing-security-practices-it- service-providers.


Ransomware Awareness for Holidays and Weekends
September 2, 2021

SUMMARY
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021. The FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday. However, the FBI and CISA are sharing the below information to provide awareness to be especially diligent in your network defense practices in the run up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.

READ MORE HERE


FBI Releases Indicators of Compromise Associated with Hive Ransomware
Original release date: August 27, 2021

The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ransomware attacks by Hive, a likely Ransomware-as-a-Service organization consisting of a number of actors using multiple mechanisms to compromise business networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption software.

CISA encourages users and administrators to review the technical details, IOCs, and TTPs in FBI Flash MC-000150-MW and apply the recommend mitigations.


F5 Releases August 2021 Security Advisory
Original release date: August 25, 2021

F5 has released a security advisory on vulnerabilities affecting multiple versions of BIG-IP and BIG-IQ for August 2021.

CISA encourages users and administrators to review the F5 security advisory and install updated software or apply the necessary mitigations as soon as possible.


Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities
Original release date: August 21, 2021

Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.


CISA Provides Recommendations for Protecting Information from Ransomware-Caused Data Breaches
Original release date: August 18, 2021

CISA has released the fact sheet Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches to address the increase in malicious cyber actors using ransomware to exfiltrate data and then threatening to sell or leak the exfiltrated data if the victim does not pay the ransom. These data breaches, often involving sensitive or personal information, can cause financial loss to the victim organization and erode customer trust.

The fact sheet provides information for organizations to use in preventing and responding to ransomware-caused data breaches. CISA encourages organizations to adopt a heightened state of awareness and implement the recommendations listed in this fact sheet to reduce their risk to ransomware and protect sensitive and personal information. Review StopRansomware.gov for additional ransomware resources.


CISA ANNOUNCES NEW VULNERABILITY DISCLOSURE POLICY (VDP) PLATFORM

Improves Cybersecurity Across the Federal Civilian Enterprise and Reduces Government Spending
By Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA

August 2021 — Last fall, we issued the final version of Binding Operational Directive (BOD 20-01), which was issued in support of the Office of Management and Budget M-20-32, “Improving Vulnerability Identification, Management, and Remediation”. This Directive reflects CISA’s commitment to strengthening cybersecurity and resilience for federal civilian agencies by requiring agencies to establish policies enabling the public to contribute and report vulnerability disclosures. Recognizing that policies alone are not sufficient, we also announced plans to launch a vulnerability disclosure platform service in the near future. Today, the future arrived.

The Cybersecurity and Infrastructure Security Agency (CISA) is proud to announce the VDP Platform for the federal civilian enterprise, the latest shared service offered by CISA’s Cyber Quality Services Management Office (QSMO) and provided by BugCrowd and EnDyna. The VDP Platform provides a single, centrally managed online website for agencies to list systems in scope for their vulnerability disclosure policies, enabling security researchers and members of the general public to find vulnerabilities in agency websites and submit reports for analysis. The Department of Homeland Security (DHS), the Department of Labor (DoL), and the Department of Interior (DoI) are among the agencies planning to leverage this platform at the onset.

This new platform allows agencies to gain greater insights into potential vulnerabilities, thereby improving their cybersecurity posture. This approach also enables significant government-wide cost savings, as agencies no longer need to develop their own, separate systems to enable reporting and triage of identified vulnerabilities. CISA estimates over $10 million in government-wide cost savings will be achieved by leveraging the QSMO shared services approach.

READ MORE


U.S., U.K., and Australia Issue Joint Cybersecurity Advisory
Original release date: July 28, 2021

Cyber Agencies Share Top Routinely Exploited Vulnerabilities

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), United Kingdom’s National Cyber Security Centre (NCSC) and Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory today, highlighting the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by cyber actors in 2020 and those vulnerabilities being widely exploited thus far in 2021. Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide.  It’s recommended that organizations apply the available patches for the 30 vulnerabilities listed in the joint cybersecurity advisory and implement a centralized patch management system.

One of the key findings is that four of the most targeted vulnerabilities in 2020 involved remote work, VPNs, or cloud-based technologies. Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options due to the COVID-19 pandemic challenging the ability of organizations to conduct rigorous patch management. In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. This advisory lists the vendors, products, and CVEs associated with these vulnerabilities, which organizations should urgently patch.

READ MORE


Top Routinely Exploited Vulnerabilities
Original release date: July 28, 2021

CISA, the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) have released the Joint Cybersecurity Advisory Top Routinely Exploited Vulnerabilities, which details the top vulnerabilities routinely exploited by malicious actors in 2020 and those being widely exploited thus far in 2021.

CISA encourages users and administrators to review the Joint Cybersecurity Advisory for information on assessing and remediating vulnerabilities as quickly as possible to reduce the risk of exploitation.


Dept. Homeland Security Emergency Directive 21-04: Mitigate Windows Print Spooler Service Vulnerability
July 13, 2021

Background

CISA has become aware of active exploitation, by multiple threat actors, of a vulnerability (CVE-2021-34527) in the Microsoft Windows Print Spooler service. Exploitation of the vulnerability allows an attacker to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization.

The Microsoft Print Spooler service improperly performs privileged file operations and fails to restrict access to functionality that allows users to add printers and related drivers, which in turn allows a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. CISA has validated various proofs of concept and is concerned that exploitation of this vulnerability may lead to full system compromise of agency networks if left unmitigated.

CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.

Required Actions

All Federal Civilian Executive Branch agencies must complete the following actions:

  1. By 11:59 pm EDT, Wednesday, July 14, 2021, Stop and Disable the Print Spooler service on all Microsoft Active Directory (AD) Domain Controllers (DC).
  2. By 11:59 pm EDT, Tuesday, July 20, 2021, apply the July 2021 cumulative updates to all Windows Servers and Workstations.
  3. By 11:59 pm EDT, Tuesday, July 20, 2021, for all hosts running Microsoft Windows operating systems (other than domain controllers under action #1) complete either Option 1, 2, or 3 below:

READ MORE HERE


SolarWinds Releases Advisory for Serv-U Vulnerability
Original release date: July 13, 2021

SolarWinds has released an advisory addressing a vulnerability—CVE-2021-35211—affecting Serv-U Managed File Transfer and Serv-U Secure FTP. The exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Note: this vulnerability does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products.

CISA encourages users and administrators to review the SolarWinds advisory and install the necessary updates.


CISA Addresses the Rise in Ransomware Targeting Operational Technology Assets
Original release date: June 9, 2021

CISA has published the Rising Ransomware Threat to OT Assets fact sheet in response to the recent increase in ransomware attacks targeting operational technology (OT) assets and control systems. The guidance:

  • Provides steps to prepare for, mitigate against, and respond to attacks;
  • Details how the dependencies between an entity’s IT and OT systems can provide a path for attackers; and
  • Explains how to reduce the risk of severe business degradation if affected by ransomware.

CISA encourages critical infrastructure (CI) owners and operators to review the Rising Ransomware Threat to OT Assets fact sheet as well as CISA’s Ransomware webpage to help them in reducing their CI entity’s vulnerability to ransomware.


SAP Releases June 2021 Security Updates
Original release date: June 8, 2021

SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the SAP Security Notes for June 2021 and apply the necessary updates.


Unpatched VMware vCenter Software
Original release date: June 4, 2021

CISA is aware of the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system.

CISA encourages users and administrators to review VMware’s VMSA-2021-010blogpost, and FAQ for more information about the vulnerability and apply the necessary updates as soon as possible, even if out-of-cycle work is required. If an organization cannot immediately apply the updates, then apply the workarounds in the interim.


Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware
Original release date: May 19, 2021

CISA and the Federal Bureau of Investigation (FBI) have updated Joint Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for Preventing Disruption from Ransomware Attacks, originally released May 11, 2021. This update provides a downloadable STIX file of indicators of compromise (IOCs) to help network defenders find and mitigate activity associated with DarkSide ransomware. These IOCs were shared with critical infrastructure partners and network defenders on May 10, 2021.

CISA encourages users and administrators to review AA21-131A for more information.


CISA Publishes Eviction Guidance for Networks Affected by SolarWinds and AD/M365 Compromise
Original release date: May 14, 2021

CISA has released an analysis report, AR21-134A Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise. The report provides detailed steps for affected organizations to evict the adversary from compromised on-premises and cloud environments.

Additionally, CISA has publicly issued Emergency Directive (ED) 21-01 Supplemental Direction Version 4: Mitigate SolarWinds Orion Code Compromise to all federal agencies that have—or had—networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity.

Although the guidance in AR21-134A and ED 21-01 Supplemental Direction V.4 is tailored to federal agencies, CISA encourages critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review and apply it, as appropriate.

Review the following resources for additional information:

Note: the U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House and in the three Joint Cybersecurity Advisories summarized in the CISA Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise.


Joint CISA-FBI Cybersecurity Advisory on DarkSide Ransomware
Original release date: May 11, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on a ransomware-as-a-service (RaaS) variant—referred to as DarkSide—recently used in a ransomware attack against a critical infrastructure (CI) company.

Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data. These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy.

Prevention is the most effective defense against ransomware. It is critical to follow best practices to protect against ransomware attacks, which can be devastating to an individual or organization and recovery may be a difficult process. In addition to the Joint CSA, CISA and FBI urge CI asset owners and operators to review the following resources for best practices on strengthening cybersecurity posture:

Victims of ransomware should report it immediately to CISA, a local FBI Field Office, or a Secret Service Field Office.


Joint NCSC-CISA-FBI-NSA Cybersecurity Advisory on Russian SVR Activity
Original release date: May 07, 2021

CISA has joined with the United Kingdom’s National Cyber Security Centre (NCSC), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), in releasing a Joint Cybersecurity Advisory on Russian Foreign Intelligence Service (SVR) tactics, techniques, and procedures. Further TTPs associated with SVR cyber actors provides additional details on SVR activity including exploitation activity following their initial compromise of SolarWinds Orion software supply chain.

CISA has also released Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise that provides summaries of three key joint publications that focus on SVR activities related to the SolarWinds Orion supply chain compromise.

CISA strongly encourages users and administrators to review the joint advisory as well as the other two advisories summarized on the fact sheet for mitigation strategies to aid organizations in securing their networks against Russian SVR activity.


CISA Releases Analysis Reports on New FiveHands Ransomware
Original release date: May 06, 2021

CISA is aware of a recent, successful cyberattack against an organization using a new ransomware variant, known as FiveHands, that has been used to successfully conduct a cyberattack against an organization.

CISA has released AR21-126A: FiveHands Ransomware and MAR-10324784-1.v1: FiveHands Ransomware to provide analysis of the threat actor’s tactics, techniques, and procedures as well as indicators of compromise (IOCs).  These reports also provide CISA’s recommended mitigations for strengthening networks to protect against, detect, and respond to potential FiveHands ransomware attacks.

CISA encourages organizations to review AR21-126A and MAR-10324784.r1.v1 for more information.


CISA Updates Alert on Pulse Connect Secure
Original release date: April 30, 2021

CISA has updated Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities, originally released April 20. This update adds a new Detection section providing information on Impossible Travel and Transport Layer Security (TLS) Fingerprinting that may be useful in identifying malicious activity.

CISA encourages users and administrators to review the following resources for more information:


CISA Releases ICS Advisory on Real-Time Operating System Vulnerabilities
Original release date: April 29, 2021

CISA has released Industrial Control Systems Advisory ICSA-21-119-04 Multiple RTOS to provide notice of multiple vulnerabilities found in real-time operating systems (RTOS) and supporting libraries. Successful exploitation of these vulnerabilities could result in unexpected behavior such as a crash or a remote code injection/execution.

CISA encourages users and administrators to review the ICS Advisory for mitigation recommendations and available updates.


Cisco Releases Security Updates for Multiple Products
Original release date: April 29, 2021

Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit one of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates:

  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Buffer Overflow Denial of Service Vulnerability
  • Cisco Firepower Threat Defense Software SSL Decryption Policy Denial of Service Vulnerability isco-sa-ftd-ssl-decrypt-dos-DdyLuK6c
  • Cisco Firepower Threat Defense Software Command Injection Vulnerability cisco-sa-ftd-cmdinj-vWY5wqZT
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services VPN Denial of Service Vulnerabilities cisco-sa-asa-ftd-vpn-dos-fpBcpEcD
  • Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software SIP Denial of Service Vulnerability cisco-sa-asa-ftd-sipdos-GGwmMerC

Apple Releases Security Updates
Original release date: April 27, 2021

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:


Google Releases Security Updates for Chrome
Original release date: April 27, 2021

Google has released Chrome version 90.0.4430.93 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.


CISA and NIST Release New Interagency Resource: Defending Against Software Supply Chain Attacks
Original release date: April 26, 2021

A software supply chain attack—such as the recent SolarWinds Orion attack—occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software can then further compromise customer data or systems.

To help software vendors and customers defend against these attacks, CISA and the National Institute for Standards and Technology (NIST) have released Defending Against Software Supply Chain Attacks. This new interagency resource provides an overview of software supply chain risks and recommendations. The publication also provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.


CISA Incident Response to SUPERNOVA Malware
Original release date: April 22, 2021

CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization’s enterprise network by an advanced persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident response engagement.


Google Releases Security Updates for Chrome
Original release date: April 21, 2021

Google has released Chrome version 90.0.4430.85 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.


Oracle Releases April 2021 Critical Patch Update
Original release date: April 20, 2021

Oracle has released its Critical Patch Update for April 2021 to address 384 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Oracle April 2021 Critical Patch Update and apply the necessary updates.


Mozilla Releases Security Update for Firefox, Firefox ESR, and Thunderbird
Original release date: April 20, 2021

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Mozilla Security Advisories for Firefox 88Firefox ESR 78.10, and Thunderbird 78.10, and apply the necessary updates.


CISA is aware of the ongoing exploitation of Ivanti Pulse Connect Secure vulnerabilities compromising U.S. government agencies, critical infrastructure entities, and private sector organizations.

In response, CISA has released Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities to offer technical details regarding this activity. Ivanti has provided mitigation and is developing a patch.

CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to follow the guidance in Alert AA21-110A, which includes:

  • Running the Ivanti Integrity Checker Tool
  • Updating their Pulse Connect Secure appliance to the [https://us-cert.cisa.gov%20https:/blog.pulsesecure.net]latest software version
  • Implementing the [https://us-cert.cisa.gov%20https:/kb.pulsesecure.net/pkb_mobile#article/l:en_US/SA44784/s]mitigation provided by Ivanti Pulse Secure (if evidence of comprise is found)

For additional information regarding this ongoing exploitation, see the FireEye blog post: Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day.