November 16, 2022: CISA and FBI Release Advisory on Iranian Government-Sponsored APT Actors Compromising Federal Network
Today, CISA and the Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (CSA), Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester. The CSA provides information on an incident at a Federal Civilian Executive Branch (FCEB) organization in which Iranian government-sponsored APT actors exploited a Log4Shell vulnerability in unpatched VMware Horizon server.
The CSA includes a malware analysis report (MAR), MAR-10387061-1-v1 XMRig Cryptocurrency Mining Software, on the mining software that the APT actors used against the compromised FCEB network. The CSA also provides tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) obtained from the incident response as well as recommended mitigations.
CISA and FBI strongly recommend organizations apply the recommended mitigations and defensive measures, which include:
- Updating affected VMware Horizon and unified access gateway (UAG) systems to the latest version.
- Minimizing your organization’s internet-facing attack surface.
- Exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the CSA.
- Testing your organization’s existing security controls against the ATT&CK techniques described in the CSA.
November 10, 2022: CISA Releases SSVC Methodology to Prioritize Vulnerabilities
Today CISA published its guide on Stakeholder-Specific Vulnerability Categorization (SSVC), a vulnerability management methodology that assesses vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts to safety, and prevalence of the affected product in a singular system.
As stated in Executive Assistant Director (EAD) Eric Goldstein’s blog post Transforming the Vulnerability Management Landscape, implementing a methodology, such as SSVC, is a critical step to advancing the vulnerability management ecosystem. Additionally, the blog details advances—including
CISA’s Known Exploited Vulnerabilities (KEV) catalog, Common Security Advisory Framework (CSAF) machine-readable security advisories, and the Vulnerability Exploitability eXchange (VEX)—that, used in conjunction with SSVC, will reduce the window cyber threat actors have to exploit networks.
- CISA’s SSVC decision tree
- SSVC Guide on using SSVC and the SSVC decision tree
- SSVC Calculator for prioritizing vulnerability responses in an organization’s respective environment
Nov. 7, 2022: CSD Cyber Defense Education and Training (CDET) Offerings
Highlights: What You Want to Know
- CISA will host the 200th Industrial Control Systems Cybersecurity (301L) course on November 7th! This is a four-day, instructor-led, hands-on lab that is taught at a training facility in Idaho Falls, Idaho, USA. This course has a full day capstone activity dedicated to a Red Team versus Blue Team exercise. To register, please visit https://www.cisa.gov/uscert/ics/Calendar
- A new category has been added to FedVTE under the Cybersecurity Courses called Non-Technical Cybersecurity. Some new courses that fall into this category include Cloud Monitoring, Critical Infrastructure Protection, and Cybersecurity Investigations. To see the full list of available courses in this category, visit https://fedvte.usalearning.gov/courses_nontech_cybersecurity.php
- CISA now offers a new Analysis of a Cyber Incident course on FedVTE. This three-module course teaches the beginner analyst how to develop the analytical skills and capabilities needed to handle a potential cyber incident — from analysis to reporting findings. This course is available to federal employees. For a full list of available courses on FedVTE for federal employees, please see the course catalog. For courses available to the public, please visit https://fedvte.usalearning.gov/public_fedvte.php
- In November and December, U.S. Executive Branch employees and contractors can participate in numerous CDM Dashboard courses, including the new CDM and Federal Mandates- Featuring how to use the CDM Dashboard to enable automated BOD-22-01 Reporting course. This course presents information regarding current Federal cybersecurity directives, mandates, and policies, and how they can be supported by the CDM Agency Dashboard. Featured prominently will be details on how to use the CDM Dashboard to enable automated BOD-22-01 Reporting.
October 25, 2022
On Nov. 1, 2022, CISA will upgrade from Traffic Light Protocol (TLP) 1.0 to TLP 2.0 in accordance with the recommendation by the Forum of Incident Response Security Teams (FIRST) that organizations move to 2.0 by the end of 2022. TLP Version 2.0 brings the following key updates:
- TLP:CLEAR replaces TLP:WHITE for publicly releasable information.
- TLP:AMBER+STRICT supplements TLP:AMBER, clarifying when information may be shared with the recipient’s organization only.
CISA encourages all network defenders and partners to upgrade to TLP Version 2.0 to facilitate greater information sharing and collaboration. For more information see:
- On Nov. 1, CISA Upgrades to Traffic Light Protocol 2.0 — Join Us! by Tom Millar, Cybersecurity Senior Advisor, CISA, and Co-chair of the FIRST TLP Special Interest Group (SIG)
- CISA.gov/TLP, which contains links to CISA’s TLP 2.0 User Guide and Fact Sheet
Cybersecurity Awareness Month 2022: CISA Mid-Campaign Announcement
Hello Campaign Partners and Friends,
Cybersecurity Awareness Month is in full swing! Our next focus is on cyber careers, and you can get involved by participating in: The National Initiative for Cybersecurity and Education’s (NICE) Cybersecurity Career Awareness Week from October 17-22.
CISA focuses on building a cyber aware public and introducing them to cyber careers from an early age. We do this through a variety of training programs for educators, the federal cyber workforce and critical infrastructure operators, as well as non-traditional training opportunities to help bring skilled professionals into the workforce quicker than traditional pathways. With these resources, CISA strives to reach those who may not have access to training in underserved communities. Some of the key resources for Cybersecurity Career Awareness Week include:
We will continue to share our campaign theme, See Yourself in Cyber, and the four action steps below:
- Enable Multi-Factor Authentication
- Use Strong Passwords – see this week’s focus below!
- Recognize and Report Phishing
- Update Your Software
Get involved by:
- Amplifying messages through emails, blogs, and social media.
- Using the CISA and NCA Cybersecurity Awareness Month websites’ resources and information to create your own outreach campaign.
- Connecting with peers, families, friends and your communities as cybersecurity awareness ambassadors, sharing how we can all See Ourselves in Cyber.