Home HU DIS IntraHuman HGN News America HGN International HGN Financial HGN SouthWest NEW ORLEANS HU SHOPPING HGN White House HGN U.S. CONGRESS HGN Alerts HGN Editorial HGN Recalls/Safety HU Shalom 2 HU Shalom Medical HGN WEATHER HGN Nat'l Hazard HGN Hurricane HGN Marine Flood Data HGN Nat'l Radar HGN Voyage HGN Time Zone HGN Auto HU Gulf HU Canon NEWS ARCHIVES RELATED LINKS Rights/Privacy/Refunds CONTACT Foundation Page

"My people are destroyed for lack of knowledge...." Hosea 4:6-7

The natural, inalienable rights and legal rights of the citizenry to be accurately informed must not, by corruption, be perverted, lest that citizenry, acting on such perversion in their daily judgments, certainly suffer to their physical and spiritual detriment.™ ©2014 Edgar Rogers-Chairman 

hgn.news

HGNAlert™

^{NATIONAL/GLOBAL/GALACTIC ALERTS AND EMERGENCY SITUATIONS}

^{HGN News Journal™ "No Knowledge Hid That Won't Be Revealed"™}

^{HGN News®    1974-2024©All Rights Reserved}

^"For nothing is secret, that shall not be made manifest; neither any thing hid, that shall not be known and come abroad."  Luke 8:17 

"Every government degenerates when trusted to the rulers of the people alone. And even under the best forms, those entrusted with power have, in time and by slow operations, perverted it into tyranny."                             Thomas Jefferson

"...without active protest and petition, there is no protection against corrupt government and a corrupt society."     Homer Rogers/Edgar Rogers

All information is as is provided by the entity so providing and the presentation here does not constitute any endorsement by HGN News or by that entity of HGN News.

HGN News “No Truth Hid That Won’t Be Revealed”™

Juniper Releases Security Advisory for Juniper Secure Analytics 01/02/2024 2:19 PM EST Juniper released a security advisory to address multiple vulnerabilities affecting Juniper Secure Analytics. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Juniper advisory JSA75636 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

CISA Adds Two Known Exploited Vulnerabilities to Catalog 01/03/2024 12:00 PM EST CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-7024 Google Chromium WebRTC Heap Buffer Overflow Vulnerability CVE-2023-7101 Spreadsheet::ParseExcel Remote Code Execution Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.  Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. This product is provided subject to this Notification and this Privacy & Use policy.

CISA and FBI Release #StopRansomware: CL0P Ransomware Gang Exploits MOVEit Vulnerability 06/07/2023 02:30 PM EDT CISA and FBI released a joint Cybersecurity Advisory (CSA) CL0P Ransomware Gang Exploits MOVEit Vulnerability in response to a recent vulnerability exploitation attributed to CL0P Ransomware Gang. This [joint guide] provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI investigations as recently as May this year. Additionally, it provides immediate actions to help reduce the impact of CL0P ransomware.  The CL0P Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer. Internet- facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. CISA and FBI encourage information technology (IT) network defenders to review the MOVEit Transfer Advisory and implement the recommended mitigations to reduce the risk of compromise. This joint CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed TTPs and IOCs to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Updates for Multiple Products 06/07/2023 02:30 PM EDT Mozilla has released security updates to address vulnerabilities for Firefox 114 and Firefox ESR 102.12. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Mozilla’s security advisories for Firefox 114 and Firefox ESR 102.12 for more information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Vulnerability Summary for the Week of May 15, 2023 05/22/2023 09:37 AM EDT The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High: vulnerabilities with a CVSS base score of 7.0–10.0 Medium: vulnerabilities with a CVSS base score of 4.0–6.9 Low: vulnerabilities with a CVSS base score of 0.0–3.9 Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.

CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force (JRTF) 05/23/2023 08:00 AM EDT Today, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020. The update incorporates lessons learned from the past two years and includes additional recommended actions, resources, and tools to maximize its relevancy and effectiveness and to further help reduce the prevalence and impacts of ransomware. The #StopRansomware Guide serves as a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. The authoring organizations recommend that entities review this joint guide to prepare and protect their facilities, personnel, and customers from the impacts of ransomware and data exfiltration. For more information and to access the latest resources about how to stop ransomware, please visit stopransomware.gov. This joint guide was developed through the Joint Ransomware Task Force (JRTF), an interagency collaborative effort to reduce the prevalence and impact of ransomware attacks. JRTF was established by Congress in 2022 and is co-chaired by CISA and FBI. For additional information about the JRTF, please visit CISA's newly launched Joint Ransomware Task Force (JRTF) webpage. This product is provided subject to this Notification and this Privacy & Use policy.

Offices of the United States Attorneys Russian National Charged with Ransomware Attacks Against Critical Infrastructure 05/16/2023 12:00 AM EDT The Justice Department today unsealed two indictments charging a Russian national and resident with using three different ransomware variants to attack numerous victims throughout the United States, including law enforcement agencies in Washington, D.C. and New Jersey, as well as victims in healthcare and other sectors nationwide. Ransomware Charges Unsealed Against Russian National 05/16/2023 12:00 AM EDT

CISA Adds Three Known Exploited Vulnerabilities to Catalog 02/21/2023 01:34 PM EST Original release date: February 21, 2023 CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2022-47986 IBM Aspera Faspex Code Execution Vulnerability CVE-2022-41223 Mitel MiVoice Connect Code Injection Vulnerability CVE-2022-40765 Mitel MiVoice Connect Command Injection Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases February 2023 Security Updates 02/14/2023 02:30 PM EST Original release date: February 14, 2023 Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s February 2023 Security Update Guide and Deployment Information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Updates for Firefox 110 and Firefox ESR 02/14/2023 04:00 PM EST Original release date: February 14, 2023 Mozilla has released security updates to address vulnerabilities in Firefox 110 and Firefox ESR. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Mozilla’s security advisories for Firefox 110 and Firefox ESR 102.8 for more information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Update for Thunderbird 09/02/2022 10:00 AM EDT Original release date: September 2, 2022 Mozilla has released security update to address a vulnerability in Thunderbird. An attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the Mozilla security advisory for Thunderbird 102.2.1 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases June 2022 Security Updates 06/14/2022 02:53 PM EDT Original release date: June 14, 2022 Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s June 2022 Security Update Summary and Deployment Information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

#StopRansomware: MedusaLocker 06/30/2022 01:00 PM EDT Original release date: June 30, 2022 CISA, the Federal Bureau of Investigation (FBI), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) have released a joint Cybersecurity Advisory (CSA), #StopRansomware: MedusaLocker, to provide information on MedusaLocker ransomware. MedusaLocker actors target vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. Note: this joint #StopRansomware CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. CISA, FBI, Treasury and FinCEN encourage network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include: Prioritize remediating known exploited vulnerabilities. Train users to recognize and report phishing attempts. Enable and enforce multifactor authentication. See #StopRansomware: MedusaLocker to learn about MedusaLocker actors' tactics, techniques, and procedures and the recommended mitigations. Additionally, review the U.S. government resource StopRansomware.gov for more guidance on ransomware protection, detection, and response.  This product is provided subject to this Notification and this Privacy & Use policy.

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information has recently been updated, and is now available. Apache Releases Security Advisory for Tomcat 05/16/2022 11:00 AM EDT Original release date: May 16, 2022 The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat. An attacker could exploit this vulnerability to obtain sensitive information.     CISA encourages users and administrators to review Apache’s security advisory and apply the necessary updates.

You are Threat Actors Exploiting F5 BIG IP CVE-2022-1388 05/18/2022 09:00 AM EDT Original release date: May 18, 2022 CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released the joint Cybersecurity Advisory Threat Actors Exploiting F5 BIG-IP CVE-2022-1388 in response to active exploitation of CVE-2022-1388, which affects F5 Networks BIG-IP devices. The vulnerability allows an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses. CISA encourages users and administrators to review the joint advisory for detection methods and mitigations, which include updating F5 BIG-IP software, or, if unable to immediately update, applying temporary workarounds.

North Korean State-Sponsored APT Targets Blockchain Companies 04/18/2022 03:06 PM EDT Original release date: April 18, 2022 CISA,  the Federal Bureau of Investigation (FBI), and the U.S. Treasury Department have released a joint Cybersecurity Advisory (CSA) that details cyber threats associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) actor known as the Lazarus Group.   CISA encourages organizations to review joint CSA: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies and apply the recommendations.

CISA Temporarily Removes CVE-2022-26925 from Known Exploited Vulnerability Catalog 05/13/2022 08:20 PM EDT Original release date: May 13, 2022 CISA is temporarily removing CVE-2022-26925 from its Known Exploited Vulnerability Catalog due to a risk of authentication failures when the May 10, 2022 Microsoft rollup update is applied to domain controllers. After installing May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller. For more information see the Microsoft Knowledge Base article, KB5014754—Certificate-based authentication changes on Windows domain controllers: Key Distribution Center registry key. Note: installation of updates released May 10, 2022, on client Windows devices and non-domain controller Windows Servers will not cause this issue and is still strongly encouraged. This issue only affects May 10, 2022 updates installed on servers used as domain controllers. Organizations should continue to apply updates to client Windows devices and non-domain controller Windows Servers.

Dirty Pipe Privilege Escalation Vulnerability in Linux 03/10/2022 12:37 PM EST Original release date: March 10, 2022 CISA is aware of a privilege escalation vulnerability in Linux kernel versions 5.8 and later known as “Dirty Pipe” (CVE-2022-0847). A local attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review (CVE-2022-0847) and update to Linux kernel versions 5.16.11, 5.15.25, and 5.10.102 or later. This product is provided subject to this Notification and this Privacy & Use polic

Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols 03/15/2022 10:00 AM EDT Original release date: March 15, 2022 CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges. The advisory provides observed tactics, techniques, and procedures, as well as indicators of compromise and mitigations to protect against this threat.  CISA encourages users and administrators to review AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. For general information on Russian state-sponsored malicious cyber activity, see cisa.gov/Russia. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure, as well as additional mitigation recommendations, see AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and cisa.gov/shields-up.

NSA Releases Network Infrastructure Security Guidance 03/03/2022 12:22 PM EST Original release date: March 3, 2022 The National Security Agency (NSA) has released a new Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance. The report captures best practices based on the depth and breadth of experience in supporting customers and responding to threats. Recommendations include perimeter and internal network defenses to improve monitoring and access controls throughout the network. CISA encourages network architects, defenders, and administrators to review NSA’s Network Infrastructure Security Guidance as well as CISA’s recently published Layering Network Security Through Segmentation infographic for assistance in hardening networks against cyber threats.

2021 Trends Show Increased Globalized Threat of Ransomware 02/09/2022 09:00 AM EST Original release date: February 9, 2022 CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have released a joint Cybersecurity Advisory (CSA) highlighting a global increase in sophisticated, high-impact, ransomware incidents against critical infrastructure organizations in 2021. This CSA provides observed behaviors and trends as well as mitigation recommendations to help network defenders reduce their risk of compromise by ransomware. CISA encourages users and administrators to review joint CSA: 2021 Trends Show Increased Globalized Threat of Ransomware and visit StopRansomware.gov for more information on protecting against and responding to ransomware attacks.

FBI Releases Indicators of Compromise Associated with LockBit 2.0 Ransomware 02/07/2022 10:16 AM EST Original release date: February 7, 2022 The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks, using LockBit 2.0, a Ransomware-as-a-Service that employs a wide variety of tactics, techniques, and procedures, creating significant challenges for defense and mitigation. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000162-MW and apply the recommend mitigations.

Ivanti Updates Log4j Advisory with Security Updates for Multiple Products   01/14/2022 10:18 AM EST Original release date: January 14, 2022 Ivanti has updated its Log4j Advisory with security updates for multiple products to address CVE-2021-44228. An unauthenticated attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the Ivanti security advisories pages for Avalanche; File Director; and MobileIron Core, MobileIron Sentry (Core/Cloud), and MobileIron Core Connector and apply the necessary updates and workarounds. This product is provided subject to this Notification and this Privacy & Use policy.

You are subscribed to National Cyber Awareness System Current Activity for Cybersecurity and Infrastructure Security Agency. This information has recently been updated, and is now available. CISA, FBI, and NSA Release Cybersecurity Advisory on Russian Cyber Threats to U.S. Critical Infrastructure 01/11/2022 10:00 AM EST Original release date: January 11, 2022 CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) that provides an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques, and procedures. The CSA also provides detection actions, incident response guidance, and mitigations. CISA, the FBI, and NSA are releasing the joint CSA to help the cybersecurity community reduce the risk presented by Russian state-sponsored cyber threats.   CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness, conduct proactive threat hunting, and implement the mitigations identified in the joint CSA. CISA recommends network defenders review CISA's Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. CISA recommends critical infrastructure leaders review CISA Insights: Preparing For and Mitigating Potential Cyber Threats for steps to proactively strengthen their organization’s operational resiliency against sophisticated threat actors, including nation-states and their proxies.

CISA Adds 15 Known Exploited Vulnerabilities to Catalog 01/10/2022 10:00 AM EST Original release date: January 10, 2022 CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. CVE Number CVE Title Remediation Due Date CVE-2021-22017 VMware vCenter Server Improper Access Control Vulnerability 1/24/2022 CVE-2021-36260   Hikvision Improper Input Validation Vulnerability 1/24/2022 CVE-2021-27860 FatPipe WARP, IPVPN, and MPVPN Privilege Escalation vulnerability 1/24/2022 CVE-2020-6572 Google Chrome prior to 81.0.4044.92 Use-After-Free Vulnerability 7/10/2022 CVE-2019-1458 Microsoft Win32K Elevation of Privilege Vulnerability 7/10/2022 CVE-2013-3900 Microsoft WinVerify Trust Function Remote Code Execution Vulnerability 7/10/2022 CVE-2019-2725 Oracle WebLogic Server, Injection Vulnerability 7/10/2022 CVE-2019-9670 Synacor Zimbra Collaboration Suite Improper Restriction of XML External Entity Reference Vulnerability 7/10/2022 CVE-2018-13382 Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability 7/10/2022 CVE-2018-13383 Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability 7/10/2022 CVE-2019-1579 Palo Alto Networks PAN-OS Remote Code Execution Vulnerability     7/10/2022 CVE-2019-10149 Exim Mail Transfer Agent (MTA) Improper Input Validation Vulnerability 7/10/2022 CVE-2015-7450     IBM WebSphere Application Server and Server Hy Server Hypervisor Edition Remote Code Execution Vulnerability 7/10/2022 CVE-2017-1000486 Primetek Primefaces Application Remote Code Execution Vulnerability 7/10/2022 CVE-2019-7609 Elastic Kibana Remote Code Execution Vulnerability 7/10/2022 Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the specified criteria.

WordPress Releases Security Update 01/07/2022 02:30 PM EST Original release date: January 7, 2022 WordPress versions between 3.7 and 5.8 are affected by multiple vulnerabilities. Exploitation of some of these vulnerabilities could cause a denial of service condition.   CISA encourages users and administrators to review the WordPress Security Release and upgrade to WordPress 5.8.3. This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases December 2021 Security Updates 12/14/2021 01:17 PM EST Original release date: December 14, 2021 Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s December 2021 Security Update Summary and Deployment Information and apply the necessary updates.

CISA and FBI Release Alert on Active Exploitation of CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus 12/02/2021 05:43 PM EST Original release date: December 2, 2021 CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory identifying active exploitation of a vulnerability—CVE-2021-44077—in Zoho ManageEngine ServiceDesk Plus. CVE-2021-44077 is an unauthenticated remote code execution vulnerability that affects all ServiceDesk Plus versions up to, and including, version 11305.  This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. If left unpatched, successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Zoho has set up a security response plan center that provides additional details, a downloadable tool that can be run on potentially affected systems, and a remediation guide. CISA encourages organizations to review the joint Cybersecurity Advisory and apply the recommended mitigations immediately.

CISA Releases Security Advisory on WebHMI Vulnerabilities 12/06/2021 01:58 PM EST Original release date: December 6, 2021 CISA has released an Industrial Controls Systems (ICS) advisory detailing vulnerabilities in Distributed Data Systems WebHMI products. A remote attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review ICS advisory ICSA-21-336-03 Distributed Data Systems WebHMI for more information and apply the necessary mitigations.

Zoho Releases Security Advisory for ManageEngine Desktop Central and Desktop Central MSP 12/06/2021 04:20 PM EST Original release date: December 6, 2021 Zoho has released a security advisory to address an authentication bypass vulnerability in ManageEngine Desktop Central and Desktop Central MSP. An attacker could exploit this vulnerability to take control of an affected system. According to Zoho, this vulnerability is being actively exploited in the wild. CISA encourages users and administrators to review the Zoho Vulnerability Notification and the Zoho ManageEngine Desktop Central and  ManageEngine Desktop Central MSP security advisories and apply the recommended mitigations immediately.

Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities 11/17/2021 09:00 AM EST Original release date: November 17, 2021 CISA, the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC)  have released a joint Cybersecurity Advisory highlighting ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran.  FBI and CISA have observed this Iranian government-sponsored APT exploit Fortinet and Microsoft Exchange ProxyShell vulnerabilities to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. Joint Cybersecurity Advisory AA21-321A provides observed tactics and techniques, as well as indicators of compromise that FBI, CISA, ACSC, and NCSC assess are likely associated with this Iranian government-sponsored APT activity. FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.  CISA also recommends reviewing its Iran Cyber Threat Overview and other Iran-related Advisories.

VMware Releases Security Update for Tanzu Application Service for VMs 11/12/2021 10:13 AM EST Original release date: November 12, 2021 VMware has released a security update to address a vulnerability in Tanzu Application Service for VMs. A remote attacker could exploit this vulnerability to cause a denial-of-service condition. CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0026 and apply the necessary update.

CISA, FBI, and NSA Release Joint Cybersecurity Advisory on Blackmatter Ransomware 10/18/2021 10:00 PM EDT Original release date: October 18, 2021 CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released joint Cybersecurity Advisory (CSA): BlackMatter Ransomware. Since July 2021, malicious cyber actors have used BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization. Using an analyzed sample of BlackMatter ransomware and information from trusted third parties, this CSA provides cyber actor tactics, techniques, and procedures and outlines mitigations to improve ransomware protection, detection, and response. To reduce the risk of BlackMatter ransomware, CISA, FBI, and NSA encourage organizations to implement the recommended mitigations in the joint CSA and visit StopRansomware.gov for more information on protecting against and responding to ransomware attacks.

10/20/2021 10:55 AM EDT Original release date: October 20, 2021 Google has released Chrome version 95.0.4638.54  for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary update as soon as possible.

10/21/2021 11:46 AM EDT Original release date: October 21, 2021 Cisco has released security updates to address a vulnerability in IOS XE SD-WAN Software. An authenticated local attacker could exploit this vulnerability to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review Cisco Advisory cisco-sa-sd-wan-rhpbE34A and apply the necessary updates.

GPS Daemon (GPSD) Rollover Bug 10/21/2021 03:36 PM EDT Original release date: October 21, 2021 Critical Infrastructure (CI) owners and operators, and other users who obtain Coordinated Universal Time (UTC) from Global Positioning System (GPS) devices, should be aware of a GPS Daemon (GPSD) bug in GPSD versions 3.20 (released December 31, 2019) through 3.22 (released January 8, 2021).    On October 24, 2021, Network Time Protocol (NTP) servers using bugged GPSD versions 3.20-3.22 may rollback the date 1,024 weeks—to March 2002—which may cause systems and services to become unavailable or unresponsive.     CISA urges affected CI owners and operators to ensure systems—that use GPSD to obtain timing information from GPS devices—are using GPSD version 3.23 (released August 8, 2021) or newer.   For more information, see Keeping Track of Time: Network Time Protocol and a GPSD Bug.

Ongoing Cyber Threats to U.S. Water and Wastewater Systems Sector Facilities 10/14/2021 02:57 PM EDT Original release date: October 14, 2021 CISA, the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) that details ongoing cyber threats to U.S. Water and Wastewater Systems (WWS) Sector. This activity—which includes cyber intrusions leading to ransomware attacks—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities. The joint CSA provides extensive mitigations and resources to assist WWS Sector facilities in strengthening operational resilience and cybersecurity practices. CISA has also released a Cyber Risks & Resources for the Water and Wastewater Systems Sector infographic that details both information technology and operational technology risks the WWS Sector faces and provides select resources.

Apache Releases Security Advisory for Tomcat   10/15/2021 11:11 AM EDT Original release date: October 15, 2021 The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat. An attacker could exploit this vulnerability to cause a denial of service condition. CISA encourages users and administrators to review Apache’s security advisory for CVE-2021-42340 and apply the necessary updates.

Apple Releases Security Update to Address CVE-2021-30883 10/12/2021 12:56 PM EDT Original release date: October 12, 2021 Apple has released a security update to address a vulnerability—CVE-2021-30883—in multiple products. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability has been detected in exploits in the wild. CISA encourages users to review the Apple security page for iOS 15.0.2 and iPadOS 15.0.2 and apply the necessary updates as soon as possible.

Apple Releases Security Updates for Multiple Products 09/21/2021 11:56 AM EDT Original release date: September 21, 2021 Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates: Safari 15 Xcode 13 tvOS 15 watchOS 8 iOS 15 and iPadOS 15

Google Releases Security Updates for Chrome 08/18/2021 07:57 AM EDT Original release date: August 18, 2021 Google has released Chrome version 92.0.4515.159 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

Apple Releases Security Update 08/17/2021 07:36 AM EDT Original release date: August 17, 2021 Apple has released a security update to address vulnerabilities in iCloud for Windows 12.5. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Apple security update and apply the necessary updates.

Mozilla Releases Security Updates 08/18/2021 08:00 AM EDT Original release date: August 18, 2021 Mozilla has released security updates to address vulnerabilities in Firefox 91.0.1 and Thunderbird 91.0.1. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Mozilla Security Advisory 2021-37 and apply the necessary updates.

CISA Releases Security Advisory for ThroughTek Kalay P2P SDK 08/17/2021 01:16 PM EDT Original release date: August 17, 2021 CISA has released an Industrial Control Systems (ICS) advisory detailing a vulnerability affecting several versions of ThroughTek Kalay P2P Software Development Kit (SDK). A remote attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the ICS Advisory: ICSA-21-229-01 ThroughTek Kalay P2P SDK and the FireEye Mandiant blog: Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices for more information and to apply the necessary update and mitigations.

BadAlloc Vulnerability Affecting Devices Incorporating Older BlackBerry QNX Products 08/17/2021 10:39 AM EDT Original release date: August 17, 2021 CISA released an Alert today on devices incorporating older versions of multiple BlackBerry QNX products affected by a BadAlloc vulnerability. A malicious actor could exploit this vulnerability to take control of an affected system or cause a denial-of-service condition.  Because devices incorporating older versions of BlackBerry QNX products support critical infrastructure and national critical functions, CISA is strongly urging all organizations whose devices use affected QNX-based systems to immediately apply the mitigations provided in CISA Alert AA21-229A and Blackberry Advisory QNX-2021-001.

Adobe Releases Multiple Security Updates 08/18/2021 07:57 AM EDT Original release date: August 18, 2021 Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates: APSB21-60 Captivate APSB21-65 XMP Toolkit SDK APSB21-68 Photoshop APSB21-69 Bridge APSB21-70 Media Encoder

CISA Provides Recommendations for Protecting Information from Ransomware-Caused Data Breaches 08/18/2021 12:30 AM EDT Original release date: August 18, 2021 CISA has released the fact sheet Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches to address the increase in malicious cyber actors using ransomware to exfiltrate data and then threatening to sell or leak the exfiltrated data if the victim does not pay the ransom. These data breaches, often involving sensitive or personal information, can cause financial loss to the victim organization and erode customer trust. The fact sheet provides information for organizations to use in preventing and responding to ransomware-caused data breaches. CISA encourages organizations to adopt a heightened state of awareness and implement the recommendations listed in this fact sheet to reduce their risk to ransomware and protect sensitive and personal information. Review StopRansomware.gov for additional ransomware resources.

ISC Releases Security Advisory for BIND 08/19/2021 08:09 AM EDT Original release date: August 19, 2021 The Internet Systems Consortium (ISC) has released a security advisory that addresses a vulnerability affecting multiple versions of the ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit this vulnerability to cause a denial-of-service condition. CISA encourages users and administrators to review ISC advisory CVE-2021-25218 and apply the necessary updates or workarounds.

Mozilla Releases Security Updates for Thunderbird 08/12/2021 06:57 AM EDT Original release date: August 12, 2021 Mozilla has released security updates to address vulnerabilities in Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 91 and apply the necessary updates.

Drupal Releases Security Updates 08/12/2021 09:16 PM EDT Original release date: August 12, 2021 | Last revised: August 13, 2021 Drupal has released security updates to address vulnerabilities that could affect versions 8.9, 9.1, and 9.2. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Drupal Security Advisory SA-CORE-2021-005 and apply the necessary updates.

Pulse Secure Releases Security Update for Pulse Secure Connect 08/06/2021 07:06 AM EDT Original release date: August 6, 2021 Pulse Secure has released Pulse Secure Connect system software version 9.1R12 to address multiple vulnerabilities an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review Pulse Secure’s Security Advisory SA44858 and apply the necessary update.

Mozilla Releases Security Updates for Firefox 08/10/2021 09:06 AM EDT Original release date: August 10, 2021 Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Mozilla Security Advisory for Firefox 91 and Firefox ESR 78.13 and apply the necessary updates.

Adobe Releases Security Updates for Multiple Products  08/10/2021 11:31 AM EDT Original release date: August 10, 2021 Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates: APSB21-66 Connect ASPB21-64 Magento

Intel Releases Multiple Security Updates 08/10/2021 07:37 AM EDT Original release date: August 10, 2021 Intel has released security updates to address vulnerabilities multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Intel advisories and apply the necessary updates:  NUC 9 Extreme Laptop Kits Advisory INTEL-SA-00553 NUC Pro Chassis Element Driver Advisory INTEL-SA-00543 Ethernet Linux Driver Advisory INTEL-SA-00515 Optane PMem Advisory INTEL-SA-00512 Graphics Drivers Advisory INTEL-SA-OO508 Ethernet Adapters 800 Series Advisory INTEL-SA-00479

Microsoft Releases August 2021 Security Updates 08/10/2021 02:01 PM EDT Original release date: August 10, 2021 Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s August 2021 Security Update Summary and Deployment Information and apply the necessary updates.

SAP Releases August 2021 Security Updates 08/10/2021 07:38 AM EDT Original release date: August 10, 2021 SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review SAP Security Notes for August 2021 and apply the necessary updates.

Citrix Releases Security Update for ShareFile Storage Zones Controller 08/10/2021 04:56 PM EDT Original release date: August 10, 2021 Citrix has released a security update to address a vulnerability affecting Citrix ShareFile storage zones controller. An attacker can exploit this vulnerability to obtain access to sensitive information. CISA recommends users and administrators review Citrix Security Bulletin CTX322787 and apply the necessary update.

CISA Releases Security Advisory for Swisslog Healthcare 08/03/2021 02:26 PM EDT Original release date: August 3, 2021 CISA has released an Industrial Control Systems (ICS) advisory detailing multiple vulnerabilities in Swisslog Healthcare Translogic Pneumatic Tube Systems (PTS). An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the ICS Medical Advisory ICSMA-21-215-01 Swisslog Translogic PTS and apply the necessary updates and mitigations.

CISA and NSA Release Kubernetes Hardening Guidance 08/02/2021 04:14 PM EDT Original release date: August 2, 2021 | Last revised: August 3, 2021 The National Security Agency (NSA) and CISA have released Kubernetes Hardening Guidance, a cybersecurity technical report detailing the complexities of securely managing Kubernetes—an open-source, container-orchestration system used to automate deploying, scaling, and managing containerized applications.  This report describes the security challenges associated with setting up and securing a Kubernetes cluster, and presents hardening strategies to guide system administrators avoid common misconfigurations.  CISA encourages users and administrators to ensure the security of applications by following the hardening guidance outlined in this report.

NSA Releases Guidance on Securing Wireless Devices While in Public 07/30/2021 07:02 AM EDT Original release date: July 30, 2021 The National Security Agency (NSA) has released an information sheet with guidance on securing wireless devices while in public for National Security System, Department of Defense, and Defense Industrial Base teleworkers, as well as the general public. This information sheet provides information on malicious techniques used by cyber actors to target wireless devices and ways to protect against it. CISA encourages organization leaders, administrators, and users to review NSA’s guidance on Securing Wireless Devices in Public Settings and CISA’s Security Tip on Privacy and Mobile Device Apps for information on protecting devices and data.

CISA Announces Vulnerability Disclosure Policy (VDP) Platform 07/30/2021 07:04 AM EDT Original release date: July 30, 2021 CISA has announced the establishment of its Vulnerability Disclosure Policy (VDP) Platform for the federal civilian enterprise, which will allow the Federal Civilian Executive Branch to coordinate with the civilian security research community in a streamlined fashion. The VDP Platform provides a single, centrally managed website that agencies can leverage as the primary point of entry for intaking, triaging, and routing vulnerabilities disclosed by researchers. It enables researchers and members of the general public to find vulnerabilities in agency websites and submit reports for analysis. This new platform allows agencies to gain greater insights into potential vulnerabilities, which will improve their cybersecurity posture. This approach also means  agencies no longer need to develop separate systems to enable vulnerability reporting  and triage of identified vulnerabilities, providing government-wide cost savings that CISA estimates at over $10 million. For more details, see the blog post by CISA’s Executive Assistant Director for Cybersecurity, Eric Goldstein.

Apple Releases Security Updates 07/21/2021 06:37 AM EDT Original release date: July 21, 2021 Apple has released security updates to address vulnerabilities in Safari 14.1.2 and iOS 14.7. CISA encourages users and administrators to review the Apple security updates page and apply the necessary updates when available.

Adobe Releases Security Updates for Multiple Products  07/21/2021 06:39 AM EDT Original release date: July 21, 2021 Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates: APSB21-63 Photoshop APSB21-62 Audition APSB21-59 Character Animator APSB21-58 Prelude APSB21-56 Premiere Pro APSB21-54 After Effects APSB21-43 Media Encoder

Google Releases Security Updates for Chrome 07/21/2021 06:35 AM EDT Original release date: July 21, 2021 Google has released Chrome version 92.0.4515.107 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

2021 CWE Top 25 Most Dangerous Software Weaknesses 07/21/2021 01:07 PM EDT Original release date: July 21, 2021 The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The Top 25 uses data from the National Vulnerability Database (NVD) to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. CISA encourages users and administrators to review the Top 25 list and evaluate recommended mitigations to determine those most suitable to adopt.

Cisco Releases Security Updates 07/22/2021 10:01 AM EDT Original release date: July 22, 2021 Cisco has released security updates to address multiple vulnerabilities in Intersight Virtual Appliance. An attacker could exploit these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review Cisco Advisory cisco-sa-ucsi2-iptaclbp-L8Dzs8m8 and apply the necessary updates.

Drupal Releases Security Updates 07/22/2021 10:00 AM EDT Original release date: July 22, 2021 Drupal has released security updates to address a critical third-party-library vulnerability that could affect Drupal 7,  8.9, 9.1, and 9.2. An attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the Drupal security advisory and apply the necessary updates.

Significant Historical Cyber-Intrusion Campaigns Targeting ICS 07/20/2021 07:12 AM EDT Original release date: July 20, 2021 Protecting our Nation’s critical infrastructure is the responsibility of federal and state, local, tribal, and territorial (SLTT) governments and owners and operators of that infrastructure. The cybersecurity threats posed to the industrial control systems (ICS) that control and operate critical infrastructure are among the most significant and growing issues confronting our Nation. To raise awareness of the risks to—and improve the cyber protection of—critical infrastructure, CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory as well as updates to five alerts and advisories. These alerts and advisories contain information on historical cyber-intrusion campaigns that have targeted ICS: Joint CISA-FBI Cybersecurity Advisory (CSA): AA21-201A: Gas Pipeline Intrusion Campaign, 2011-2013 Note: CISA released the initial version of this publication to affected stakeholders in 2012. ICS Joint Security Awareness Report: JSAR-12-241-01B: Shamoon/DistTrack Malware (Update B) ICS Advisory: ICSA-14-178-01: ICS Focused Malware – Havex ICS Alert: ICS-ALERT-14-281-01E: Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) ICS Alert: IR-ALERT-H-16-056-01: Cyber-Attack Against Ukrainian Critical Infrastructure Technical Alert: TA17-163A: CrashOverride Malware CISA urges critical infrastructure owners and operators to review the publications listed above and apply the mitigations in Joint CISA-FBI CSA AA21-201A: Gas Pipeline Intrusion Campaign, 2011-2013. CISA also encourages owners and operators to review AR-17-20045: Enhanced Analysis of Malicious Cyber Activity. These products contain threat actor tactics, techniques, and procedures (TTPs); technical indicators; and forensic analysis that critical infrastructure owners and operators can use to reduce their organizations’ exposure to cyber threats. Note: although these publications detail historical activity, the TTPs remain relevant to help network defenders protect against intrusions. CISA encourages critical infrastructure owners and operators to report cyber incidents to CISA. Note: for information on the U.S. Department of State’s reward program for identifying persons who participate in the malicious cyber activities against U.S. critical infrastructure, see the U.S. Department of State press release.

Oracle Releases July 2021 Critical Patch Update 07/20/2021 06:50 AM EDT Original release date: July 20, 2021 Oracle has released its Critical Patch Update for July 2021 to address 327 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Oracle July 2021 Critical Patch Update and apply the necessary updates.

Citrix Releases Security Updates  07/20/2021 06:49 AM EDT Original release date: July 20, 2021 Citrix has released security updates to address multiple vulnerabilities in Application Delivery Controller, Gateway, and SD-WAN WANOP Edition. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Citrix Security Update CTX319135 and apply the necessary updates.

Fortinet Releases Security Updates for FortiManager and FortiAnalyzer 07/14/2021 09:33 AM EDT Original release date: July 14, 2021 | Last revised: July 19, 2021 Fortinet has released security advisory FG-IR-21-067 to address a use-after-free vulnerability in the FortiManager fgfmsd daemon. A use-after-free condition occurs when a program marks a section of memory as free but then subsequently tries to use that memory, which could result in a program crash. The use of previously freed memory in FortiManager fgfmsd daemon may allow a remote, unauthenticated attacker to execute arbitrary code as root. This occurs via sending a specifically crafted request to the fgfm port of the targeted device. Note that FortiAnalyzer is only vulnerable where it supports FortiManager features that have been enabled, on specific hardware, with a very specific upgrade path. CISA encourages users and administrators to review Fortinet security advisory FG-IR-21-067 and apply the necessary updates.

U.S. Government Releases Indictment and Several Advisories Detailing Chinese Cyber Threat Activity 07/19/2021 07:23 AM EDT Original release date: July 19, 2021 CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed increasingly sophisticated Chinese state-sponsored activity targeting U.S. political, economic, military, educational, and critical infrastructure personnel and organizations. In response: The White House has released a statement attributing recent Microsoft Exchange server exploitation activity to the People’s Republic of China (PRC). The Department of Justice has indicted four Chinese cyber actors from the advanced persistent threat (APT) group APT40 for malicious cyber activities, carried out on orders from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD). These activities resulted in the theft of trade secrets, intellectual property, and other high-value information from companies and organizations in the United States and abroad, as well as from multiple foreign governments. CISA and FBI have released Joint Cybersecurity Advisory: TTPs of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department to help network defenders identify and remediate APT40 intrusions and established footholds. CISA, NSA and FBI have released Joint Cybersecurity Advisory: Chinese Observed TTPs, which describes Chinese cyber threat behavior and trends and provides mitigations to help protect the Federal Government; state, local, tribal, and territorial governments; critical infrastructure, defense industrial base, and private industry organizations. CISA, NSA and FBI have released CISA Insights: Chinese Cyber Threat Overview for Leaders to help leaders understand this threat and how to reduce their organization's risk of falling victim to cyber espionage and data theft. CISA also encourages users and administrators to review the blog post, Safeguarding Critical Infrastructure against Threats from the People’s Republic of China, by CISA Executive Assistant Director Eric Goldstein and the China Cyber Threat Overview and Advisories webpage.

Kaseya Ransomware Attack: Guidance and Resources 07/13/2021 11:39 AM EDT Original release date: July 13, 2021 CISA has created a webpage to provide information and guidance for the recent ransomware attack against Kaseya customers that include managed service providers (MSPs) and customers of those MSPs. CISA encourages affected organizations to review Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers for more information.

New StopRansomware.gov website – The U.S. Government’s One-Stop Location to Stop Ransomware 07/15/2021 07:20 AM EDT Original release date: July 15, 2021 The U.S. Government launched a new website to help public and private organizations defend against the rise in ransomware cases. StopRansomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. We encourage organizations to use this new website to understand the threat of ransomware, mitigate risk, and in the event of an attack, know what steps to take next. The StopRansomware.gov webpage is an interagency resource that provides our partners and stakeholders with ransomware protection, detection, and response guidance that they can use on a single website. This includes ransomware alerts, reports, and resources from CISA, the FBI, and other federal partners. We look forward to growing the information and resources on StopRansomware.gov and plan to partner with additional Federal Agencies who are working to curb the rise in ransomware.

07/15/2021 02:52 PM EDT Original release date: July 15, 2021 CISA is aware of threat actors actively targeting a known, previously patched, vulnerability in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware. Threat actors can exploit this vulnerability to initiate a targeted ransomware attack. CISA encourages users and administrators to review the SonicWall security advisory and upgrade to the newest firmware or disconnect EOL appliances as soon as possible. Review the CISA Bad Practices webpage to learn more about bad cybersecurity practices, such as using EOL software, that are especially dangerous for organizations supporting designated Critical Infrastructure or National Critical Functions.

Google Releases Security Updates for Chrome 07/16/2021 06:29 AM EDT Original release date: July 16, 2021 Google has released Chrome version 91.0.4472.164 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities—CVE-2021-30563—has been detected in exploits in the wild. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

You are subscribed to National Cyber Awareness System Current Activity for Cybersecurity and Infrastructure Security Agency. This information has recently been updated, and is now available.

Cisco Releases Security Updates for Multiple Products 07/08/2021 07:40 AM EDT Original release date: July 8, 2021 Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates: Cisco Web Security Appliance Privilege Escalation Vulnerability cisco-sa-scr-web-priv-esc-k3HCGJZ Cisco Business Process Automation Privilege Escalation Vulnerabilities cisco-sa-bpa-priv-esc-dgubwbH4

CISA Releases Analysis of FY20 Risk and Vulnerability Assessments 07/08/2021 12:48 PM EDT Original release date: July 8, 2021 CISA has released an analysis and infographic detailing the findings from the Risk and Vulnerability Assessments (RVAs) conducted in Fiscal Year (FY) 2020 across multiple sectors. The analysis details a sample attack path a cyber threat actor could take to compromise an organization with weaknesses that are representative of those CISA observed in FY20 RVAs. The infographic provides a high-level snapshot of five potential attack paths and breaks out the most successful techniques for each tactic that the RVAs documented. Both the analysis and the infographic map threat actor behavior to the MITRE ATT&CK® framework. CISA encourages network defenders to review the analysis and infographic and apply the recommended mitigations to protect against the observed tactics and techniques. For information on CISA RVAs and additional services, visit the CISA Cyber Resource Hub.

CISA Publishes Malware Analysis Report and Updates Alert on DarkSide Ransomware 07/07/2021 06:35 AM EDT Original release date: July 7, 2021 | Last revised: July 8, 2021 CISA has published a new Malware Analysis Report (MAR) on DarkSide Ransomware and updated Alert AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks, originally released May 11, 2021. This update adds indicators of compromise associated with a DarkSide ransomware variant that executes a dynamic-link library used to delete Volume Shadow copies available on the system. CISA encourages users and administrators to review the following resources for more information: AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks Malware Analysis Report MAR-10337801-1.v1

Microsoft Releases Out-of-Band Security Updates for PrintNightmare 07/06/2021 07:53 PM EDT Original release date: July 6, 2021 Microsoft has released out-of-band security updates to address a remote code execution (RCE) vulnerability—known as PrintNightmare (CVE-2021-34527)—in the Windows Print spooler service. According to the CERT Coordination Center (CERT/CC), “The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.” The updates are cumulative and contain all previous fixes as well as protections for CVE-2021-1675. The updates do not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016—Microsoft states updates for these versions are forthcoming. Note: According to CERT/CC, “the Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant.” See CERT/CC Vulnerability Note VU #383432 for workarounds for the LPE variant. CISA encourages users and administrators to review the Microsoft Security Updates as well as CERT/CC Vulnerability Note VU #383432 and apply the necessary updates or workarounds. For additional background, see CISA’s initial Current Activity on PrintNightmare.

CISA Releases Security Advisory for Philips Vue PAC Products 07/06/2021 07:14 AM EDT Original release date: July 6, 2021 CISA has released an Industrial Controls Systems (ICS) Medical Advisory detailing multiple vulnerabilities in multiple Philips Clinical Collaboration Platform Portal (officially registered as Vue PACS) products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the ICS medical advisory ICSMA-21-187-01 Philips Vue PACS and to apply the necessary updates or workarounds .

Kaseya VSA Supply-Chain Ransomware Attack 07/02/2021 04:44 PM EDT Original release date: July 2, 2021 CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software. CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shutdown VSA servers.

NSA-CISA-NCSC-FBI Joint Cybersecurity Advisory on Russian GRU Brute Force Campaign 07/01/2021 07:16 AM EDT Original release date: July 1, 2021 The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC) have released Joint Cybersecurity Advisory (CSA): Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. The CSA provides details on the campaign, which is being conducted by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). The campaign uses a Kubernetes® cluster in brute force access attempts against the enterprise and cloud environments of government and private sector targets worldwide. After obtaining credentials via brute force, the GTsSS uses a variety of known vulnerabilities for further network access via remote code execution and lateral movement. CISA strongly encourages users and administrators to review the Joint CSA for GTSS tactics, techniques, and procedures, as well as mitigation strategies.

CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack 07/04/2021 12:29 PM EDT Original release date: July 4, 2021 CISA and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. CISA and FBI strongly urge affected MSPs and their customers to follow the guidance below. CISA and FBI recommend affected MSPs: Contact Kaseya at support@kaseya.com with the subject “Compromise Detection Tool Request” to obtain and run Kaseya's Compromise Detection Tool available to Kaseya VSA customers. The tool is designed to help MSPs assess the status of their systems and their customers' systems. Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services. Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network. CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: these actions are especially important for MSP customer who do not currently have their RMM service running due to the Kaseya attack. CISA and FBI recommend affected MSP customers: Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network; Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available; Implement: Multi-factor authentication; and Principle of least privilege on key network resources admin accounts. Resources: CISA and FBI provide these resources for the reader’s awareness.  CISA and FBI do not endorse any non-governmental entities nor guarantee the accuracy of the linked resources. For the latest guidance from Kaseya, see Kaseya's Important Notice July 3rd, 2021. For indicators of compromise, see Peter Lowe's GitHub page REvil Kaseya CnC Domains. Note: due to the urgency to share this information, CISA and FBI have not yet validated this content. For guidance specific to this incident from the cybersecurity community, see Cado Security's GitHub page, Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack. Note: due to the urgency to share this information, CISA and FBI have not yet validated this content. For advice from the cybersecurity community on securing against MSP ransomware attacks, see Gavin Stone's article, How secure is your RMM, and what can you do to better secure it?. For general incident response guidance, CISA encourages users and administrators to see Joint Cybersecurity Advisory AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity.

CISA Begins Cataloging Bad Practices that Increase Cyber Risk 06/29/2021 06:27 AM EDT Original release date: June 29, 2021 In a blog post by Executive Assistant Director (EAD) Eric Goldstein, CISA announced  the creation of a catalog to document bad cybersecurity practices that are exceptionally risky for any organization and especially dangerous for those supporting designated Critical Infrastructure or National Critical Functions. While extensive guidance on cybersecurity “best practices” exists, additional perspective is needed. Ending the most egregious risks requires organizations to make a concerted effort to stop bad practices. CISA encourages cybersecurity leaders and professionals to review EAD Goldstein’s blog post and the new Bad Practices webpage and to monitor the webpage for updates. CISA also encourages all organizations to engage in the necessary actions and critical conversations to address bad practices.

PrintNightmare, Critical Windows Print Spooler Vulnerability 06/30/2021 05:32 PM EDT Original release date: June 30, 2021 The CERT Coordination Center (CERT/CC) has released a VulNote for a critical remote code execution vulnerability in the Windows Print spooler service, noting: “while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675.” An attacker can exploit this vulnerability—nicknamed PrintNightmare—to take control of an affected system. CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print. Additionally, administrators should employ the following best practice from Microsoft’s how-to guides, published January 11, 2021: “Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object.”

CISA's New Chemical Security Associate Director The Cybersecurity and Infrastructure Security Agency (CISA) has selected Kelly Murray to serve as the new Associate Director for Chemical Security. In this role, Kelly will oversee the Chemical Facility Anti-Terrorism Standards (CFATS) program, proposed Ammonium Nitrate Security Program, and voluntary chemical security initiatives. Kelly has been with CISA’s Chemical Security team since 2008, where she rose through the ranks, having served previously as a Section Chief and Branch Chief, and most recently as the Acting Deputy Associate Director for Chemical Security. Kelly brings a wealth of knowledge and experience in chemical security to the position. Over the last 13 years, she has been integral not only to developing and implementing the CFATS program, but also to growing the extensive stakeholder relationships across CISA’s critical infrastructure partners. Prior to joining the Department of Homeland Security, Kelly was a government consultant who worked with the Federal Emergency Management Agency on disaster recovery and reconstitution efforts after Hurricane Katrina. She also worked with the Department of Defense on exercises, mobility and logistics, and war plans. Kelly earned a bachelor’s degree from Indiana University in mathematics with minors in Information Technology, Economics, and Spanish, and recently graduated from the Federal Executive Institute. As Kelly assumes the Associate Director role, Todd Klessman will resume his role as the Deputy Associate Director for Chemical Security. If you have any questions, feel free to reach out to CFATS@hq.dhs.gov.   CISA's New Chemical Security Director 2021 Chemical Security Seminars Transportation Worker Identification Credential Recommendations CFATS Information Collection Requests Cyber Alert: Darkside Ransomware New CISA Infrastructure Security Twitter Account CFATS Program Statistics Practicing Good Cyber Hygiene Reminder: Complete Your Annual Audit New and Updated Resources

CISA’s CSET Tool Sets Sights on Ransomware Threat 06/30/2021 12:45 PM EDT Original release date: June 30, 2021 CISA has released a new module in its Cyber Security Evaluation Tool (CSET): the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate their cybersecurity practices on their networks. CSET—applicable to both information technology (IT) and industrial control system (ICS) networks—enables users to perform a comprehensive evaluation of their cybersecurity posture using many recognized government and industry standards and recommendations. The RRA is a self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident. CISA has tailored the RRA to varying levels of ransomware threat readiness to make it useful to all organizations regardless of their current cybersecurity maturity. The RRA: Helps organizations evaluate their cybersecurity posture, with respect to ransomware, against recognized standards and best practice recommendations in a systematic, disciplined, and repeatable manner. Guides asset owners and operators through a systematic process to evaluate their operational technology (OT) and information technology (IT) network security practices against the ransomware threat. Provides an analysis dashboard with graphs and tables that present the assessment results in both summary and detailed form. CISA strongly encourages all organizations to take the CSET Ransomware Readiness Assessment, available at https://github.com/cisagov/cset/. Privacy & Use policy.

Google Releases Security Updates for Chrome 06/18/2021 07:05 AM EDT Original release date: June 18, 2021 Google has released Chrome version 91.0.4472.114 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities—CVE-2021-30554—has been detected in exploits in the wild. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates for iOS 12.5.4 06/15/2021 06:43 AM EDT Original release date: June 15, 2021 Apple has released security updates to address vulnerabilities in iOS 12.5.4. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Apple security update and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

CISA Publishes Eviction Guidance for Networks Affected by SolarWinds and AD/M365 Compromise 05/14/2021 10:00 AM EDT Original release date: May 14, 2021 CISA has released an analysis report, AR21-134A Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise. The report provides detailed steps for affected organizations to evict the adversary from compromised on-premises and cloud environments. Additionally, CISA has publicly issued Emergency Directive (ED) 21-01 Supplemental Direction Version 4: Mitigate SolarWinds Orion Code Compromise to all federal agencies that have—or had—networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity. Although the guidance in AR21-134A and ED 21-01 Supplemental Direction V.4 is tailored to federal agencies, CISA encourages critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review and apply it, as appropriate. Review the following resources for additional information: CISA Webpage: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise (updated May 14, 2021) CISA Webpage: SolarWinds Orion Supply Chain Compromise CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations Note: the U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House and in the three Joint Cybersecurity Advisories summarized in the CISA Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise. This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates for Multiple Products   05/19/2021 12:41 PM EDT Original release date: May 20, 2021 Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates: Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Command Injection Vulnerability cisco-sa-pi-epnm-cmd-inj-YU5e6tB3 Cisco Modeling Labs Web UI Command Injection Vulnerability cisco-sa-cml-cmd-inject-N4VYeQXB This product is provided subject to this Notification and this Privacy & Use policy

Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware 05/19/2021 05:48 PM EDT Original release date: May 19, 2021 CISA and the Federal Bureau of Investigation (FBI) have updated Joint Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for Preventing Disruption from Ransomware Attacks, originally released May 11, 2021. This update provides a downloadable STIX file of indicators of compromise (IOCs) to help network defenders find and mitigate activity associated with DarkSide ransomware. These IOCs were shared with critical infrastructure partners and network defenders on May 10, 2021. CISA encourages users and administrators to review AA21-131A for more information.   This product is provided subject to this Notification and this Privacy & Use policy.

WordPress Releases Security Update 05/13/2021 05:27 PM EDT Original release date: May 13, 2021 WordPress versions between 3.7 and 5.7.1 are affected by a security vulnerability. An attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the WordPress Security Release and upgrade to WordPress 5.7.2. This product is provided subject to this Notification and this Privacy & Use policy.

Adobe Releases Security Updates for Multiple Products  05/11/2021 07:53 PM EDT Original release date: May 11, 2021 Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Adobe’s Security Bulletins and apply the necessary updates.  This product is provided subject to this Notification and this Privacy & Use policy.

Citrix Releases Security Updates for Workspace App for Windows 05/11/2021 07:43 PM EDT Original release date: May 11, 2021 Citrix has released security updates to address a vulnerability in Citrix Workspace App for Windows. An attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review Citrix Security Update CTX307794 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases May 2021 Security Updates 05/11/2021 07:49 PM EDT Original release date: May 11, 2021 Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s May 2021 Security Update Summary and Deployment Information and apply the necessary updates.   This product is provided subject to this Notification and this Privacy & Use policy.

Juniper Networks Releases Security Updates 05/11/2021 07:34 PM EDT Original release date: May 11, 2021 Juniper Networks has released security updates to address multiple vulnerabilities in various Juniper products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Juniper's 2021-05 Out-of-Cycle Security Bulletin and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Joint CISA-FBI Cybersecurity Advisory on DarkSide Ransomware 05/11/2021 01:42 PM EDT Original release date: May 11, 2021 CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on a ransomware-as-a-service (RaaS) variant—referred to as DarkSide—recently used in a ransomware attack against a critical infrastructure (CI) company.  Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data. These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy.  Prevention is the most effective defense against ransomware. It is critical to follow best practices to protect against ransomware attacks, which can be devastating to an individual or organization and recovery may be a difficult process. In addition to the Joint CSA, CISA and FBI urge CI asset owners and operators to review the following resources for best practices on strengthening cybersecurity posture: CISA and Multi-State Information Sharing and Analysis Center: Joint Ransomware Guide CISA webpage: Ransomware Guidance and Resources CISA Insights: Ransomware Outbreak CISA Pipeline Cybersecurity Initiative CISA Pipeline Cybersecurity Resources Library Victims of ransomware should report it immediately to CISA, a local FBI Field Office, or a Secret Service Field Office.

Google Releases Security Updates for Chrome 05/11/2021 10:27 AM EDT Original release date: May 11, 2021 Google has released Chrome version 90.0.4430.212 for Windows, Mac, and Linux.   This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.   This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates 05/04/2021 11:02 AM EDT Original release date: May 4, 2021 Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device. CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates. macOS Big Sur 11.3.1 iOS 14.5.1 and iPadOS 14.5.1 iOS 12.5.3 watchOS 7.4.1 This product is provided subject to this Notification and this Privacy & Use policy.

CISA Releases Analysis Reports on New FiveHands Ransomware 05/06/2021 09:04 AM EDT Original release date: May 6, 2021 CISA is aware of a recent, successful cyberattack against an organization using a new ransomware variant, known as FiveHands, that has been used to successfully conduct a cyberattack against an organization.   CISA has released AR21-126A: FiveHands Ransomware and MAR-10324784-1.v1: FiveHands Ransomware to provide analysis of the threat actor’s tactics, techniques, and procedures as well as indicators of compromise (IOCs).  These reports also provide CISA’s recommended mitigations for strengthening networks to protect against, detect, and respond to potential FiveHands ransomware attacks. CISA encourages organizations to review AR21-126A and MAR-10324784.r1.v1 for more information. This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Updates for Firefox 05/06/2021 09:55 AM EDT Original release date: May 6, 2021 Mozilla has released security updates to address vulnerabilities in Firefox. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Mozilla Security Advisory for Firefox 88.0.1 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

VMware Releases Security Update 05/06/2021 09:53 AM EDT Original release date: May 6, 2021 VMware has released a security update to address a vulnerability in VMware vRealize Business for Cloud. A remote attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0007 and apply the necessary update.

Cisco Releases Security Updates for Multiple Products  05/06/2021 04:04 PM EDT Original release date: May 6, 2021 Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates: •    Cisco SD-WAN vManage Software Vulnerabilities cisco-sa-sd-wan-vmanage-4TbynnhZ •    Cisco HyperFlex HX Command Injection Vulnerabilities cisco-sa-hyperflex-rce-TjjNrkpR •    Cisco SD-WAN Software vDaemon Denial of Service Vulnerability cisco-sa-sdwan-dos-Ckn5cVqW •    Cisco SD-WAN vEdge Software Buffer Overflow Vulnerabilities cisco-sa-sdwan-buffover-MWGucjtO •    Cisco SD-WAN vManage Software Authentication Bypass Vulnerability cisco-sa-sdw-auth-bypass-65aYqcS2 •    Cisco Small Business 100, 300, and 500 Series Wireless Access Points Vulnerabilities cisco-sa-sb-wap-multi-ZAfKGXhF •    Cisco Enterprise NFV Infrastructure Software Command Injection Vulnerability cisco-sa-nfvis-cmdinj-DkFjqg2j •    Cisco Unified Communications Manager IM & Presence Service SQL Injection Vulnerabilities cisco-sa-imp-inj-ereCOKjR •    Cisco AnyConnect Secure Mobility Client for Windows DLL and Executable Hijacking Vulnerabilities cisco-sa-anyconnect-code-exec-jR3tWTA6 This product is provided subject to this Notification and this Privacy & Use policy.

Exim Releases Security Update 05/07/2021 11:46 AM EDT Original release date: May 7, 2021 Exim has released a security update to address multiple vulnerabilities in Exim versions prior to 4.94.2. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Exim 4.94.2 update page and apply the necessary update. CISA also encourages users and administrators to review Center for Internet Security Advisory 2021-064 for more information.   This product is provided subject to this Notification and this Privacy & Use policy.

Ivanti Releases Pulse Secure Security Update 05/03/2021 12:19 PM EDT Original release date: May 3, 2021 Ivanti has released a security update to address vulnerabilities affecting Pulse Connect Secure (PCS) software outlined in CVE-2021-22893. An attacker could exploit these vulnerabilities to gain system access and take control of an affected system. In response, CISA released AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities on April 20 and added detection information on April 30.   CISA strongly encourages customers using Ivanti Pulse Connect Secure appliances to review the blog post and apply the necessary updates. For additional information, CISA recommends reviewing the following resources and tools below.   CISA Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities Pulse Security Integrity Checker Tool This product is provided subject to this Notification and this Privacy & Use policy. Having trouble viewing this message? View it as a webpage.  Y

CISA Updates Alert on Pulse Connect Secure 04/30/2021 10:07 AM EDT Original release date: April 30, 2021 CISA has updated Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities, originally released April 20. This update adds a new Detection section providing information on Impossible Travel and Transport Layer Security (TLS) Fingerprinting that may be useful in identifying malicious activity. CISA encourages users and administrators to review the following resources for more information: AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities Emergency Directive 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities This product is provided subject to this Notification and this Privacy & Use policy.

Oracle Releases April 2021 Critical Patch Update 04/20/2021 01:22 PM EDT Original release date: April 20, 2021 Oracle has released its Critical Patch Update for April 2021 to address 384 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Oracle April 2021 Critical Patch Update and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Update for Firefox, Firefox ESR, and Thunderbird 04/20/2021 09:59 AM EDT Original release date: April 20, 2021 Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Mozilla Security Advisories for Firefox 88, Firefox ESR 78.10, and Thunderbird 78.10, and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

You are VMware Releases Security Update 04/20/2021 10:00 AM EDT Original release date: April 20, 2021 VMware has released a security update to address a vulnerability affecting NSX-T. An attacker can exploit this vulnerability to take control of an affected system CISA encourages users and administrators to review VMSA-2021-0006 and apply the necessary update and workaround. This product is provided subject to this Notification and this Privacy & Use policy.

FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities 04/02/2021 09:35 AM EDT Original release date: April 2, 2021 The Federal Bureau of Investigation (FBI) and CISA have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services. Gaining initial access pre-positions the APT actors to conduct future attacks. CISA encourages users and administrators to review Joint CSA AA21-092A: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks and implement the recommended mitigations. This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates  03/26/2021 04:40 PM EDT Original release date: March 26, 2021 Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device.  CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates.  •    watchOS 7.3.3 •    iOS 12.5.2  •    iOS 14.4.2 and iPadOS 14.4.2  This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome 03/15/2021 11:31 AM EDT Original release date: March 15, 2021 Google has released Chrome version 89.0.4389.90 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Updates on Microsoft Exchange Server Vulnerabilities 03/13/2021 11:07 AM EST Original release date: March 13, 2021 CISA has added seven Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products. After successful exploiting a Microsoft Exchange Server vulnerability for initial accesses, a malicious cyber actors can upload a webshell to enable remote administration of the affected system. In addition to the MARs, CISA added information on ransomware activity associated with exploitation of the Exchange Server products, including DearCry ransomware. CISA encourages users and administrators to review the following resources for more information. Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities MAR-10328877-1.v1: China Chopper Webshell MAR-10328923-1.v1: China Chopper Webshell MAR-10329107-1.v1: China Chopper Webshell MAR-10329297-1.v1: China Chopper Webshell MAR-10329298-1.v1: China Chopper Webshell MAR-10329301-1.v1: China Chopper Webshell MAR-10329494-1.v1: China Chopper Webshell CISA’s Remediating Microsoft Exchange Vulnerabilities web page CISA’s Ransomware Guidance and Resources web page This product is provided subject to this Notification and this Privacy & Use policy.

CISA Strongly Urges All Organizations to Immediately Address Microsoft Exchange Vulnerabilities 03/08/2021 07:31 PM EST Original release date: March 8, 2021 CISA has published a Remediating Microsoft Exchange Vulnerabilities web page that strongly urges all organizations to immediately address the recent Microsoft Exchange Server product vulnerabilities. As exploitation of these vulnerabilities is widespread and indiscriminate, CISA strongly advises organizations follow the guidance laid out in the web page. The guidance provides specific steps for both leaders and IT security staff and is applicable for all sizes of organizations across all sectors. This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates 03/09/2021 09:54 AM EST Original release date: March 9, 2021 Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates. Safari 14.0.3 (v.14610.4.3.1.7 and 15610.4.3.1.7) macOS Big Sur 11.2.3 watchOS 7.3.2 iOS 14.4.1 and iPadOS 14.4.1 This product is provided subject to this Notification and this Privacy & Use policy.

Adobe Releases Security Updates 03/09/2021 02:15 PM EST Original release date: March 9, 2021 Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates. Framemaker APSB21-14 Creative Cloud Desktop Application APSB21-18 Connect APSB21-19 This product is provided subject to this Notification and this Privacy & Use policy.

SAP Releases March 2021 Security Updates 03/09/2021 05:38 PM EST Original release date: March 9, 2021 SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.  CISA encourages users and administrators to review the SAP Security Notes for March 2021 and apply the necessary updates.  This product is provided subject to this Notification and this Privacy & Use policy.

Guidance on Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise 03/09/2021 09:48 AM EST Original release date: March 9, 2021 Since December 2020, CISA has been responding to a significant cybersecurity incident involving an advanced persistent threat (APT) actor targeting networks of multiple U.S. government agencies, critical infrastructure entities, and private sector organizations. The APT actor added malicious code to multiple versions of the SolarWinds Orion platform and leveraged it—as well as other techniques, including—for initial access to enterprise networks. After gaining persistent, invasive access to select organizations’ enterprise networks, the APT actor targeted their federated identity solutions and their Active Directory/M365 environments. CISA has published two new resources on the follow-on activity from this compromise: The Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page to provide actionable guidance to organizations affected by this APT activity. Although the guidance on the web page is directed to federal departments and agencies, CISA encourages affected critical infrastructure and private sector organizations to review and apply it, as appropriate. The CISA Insights: SolarWinds and Active Directory/M365 Compromise: Risk Decisions for Leaders supports executive leaders of affected organizations in understanding the threat, risk, and associated actions they should take in response to the APT activity. The CISA Insights specifically applies to organizations with affected versions of SolarWinds Orion who have evidence of follow-on threat actor activity. CISA encourages affected organizations to review and apply the necessary guidance in the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page and CISA Insights. For general information on CISA’s response to SolarWinds Orion compromise activity, refer to www.cisa.gov/supply-chain-compromise.   This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases March 2021 Security Updates 03/10/2021 09:31 AM EST Original release date: March 10, 2021 Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s March 2021 Security Update Summary and Deployment Information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

F5 Security Advisory for RCE Vulnerabilities in BIG-IP, BIG-IQ 03/10/2021 01:51 PM EST Original release date: March 10, 2021 F5 has released a security advisory to address remote code execution (RCE) vulnerabilities—CVE-2021-22986, CVE-2021-22987—impacting BIG-IP and BIG-IQ devices. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators review the F5 advisory and install updated software as soon as possible. This product is provided subject to this Notification and this Privacy & Use policy.

FBI-CISA Joint Advisory on Compromise of Microsoft Exchange Server 03/10/2021 02:51 PM EST Original release date: March 10, 2021 CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) to address recently disclosed vulnerabilities in Microsoft Exchange Server. CISA and FBI assess that adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack. The CSA places the malicious cyber actor activity observed in the current Microsoft Exchange Server compromise into the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. CISA recommends organizations to review Joint CSA: AA-21-069 Compromise of Microsoft Exchange Server as well as the CISA Remediating Microsoft Exchange Vulnerabilities web page for guidance on detecting, protecting against, and remediating this malicious activity.   This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates for AnyConnect Secure Mobility Client 02/18/2021 10:29 AM EST Original release date: February 18, 2021 Cisco has released security updates to address a vulnerability in Cisco AnyConnect Secure Mobility Client. An attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review Cisco Security Advisory cisco-sa-anyconnect-dll-hijac-JrcTOQMC and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome 02/03/2021 08:10 AM EST Original release date: February 3, 2021 Google has released Chrome version 88.0.4324.146 for Windows, Mac, and Linux. This version addresses multiple vulnerabilities that that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Zero-Day Vulnerability in SonicWall SMA 100 Series Version 10.x Products 02/02/2021 11:00 AM EST Original release date: February 2, 2021 | Last revised: February 3, 2021 CISA is aware of a vulnerability in SonicWall Secure Mobile Access (SMA) 100 series products. SMA 100 series products provide an organization’s employees with remote access to internal resources. SonicWall security and engineering teams have confirmed a zero-day vulnerability that was reported by a third-party threat research team on Sunday, January 31, 2021. This vulnerability impacts only SMA 100 series devices with firmware version 10.x, and SonicWall has released a patch that should be applied immediately to avoid potential exploitation.   CISA encourages users and administrators to review the SonicWall security advisory and apply the necessary update as soon as possible. CISA also encourages users and administrators to monitor the SonicWall advisory for updates as new information becomes available. As a risk-reduction measure, CISA recommends organizations implement multi-factor authentication on all virtual private network connections.   This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates 02/04/2021 07:29 AM EST Original release date: February 4, 2021 Cisco has released security updates to address vulnerabilities in Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Cisco Advisories and apply the necessary updates. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers Remote Code Execution Vulnerabilities cisco-sa-rv160-260-rce-XZeFkNHf Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021 cisco-sa-sudo-privesc-jan2021-qnYQfcM Cisco IOS XR Software IPv6 Flood Denial of Service Vulnerability cisco-sa-xripv6-spJem78K Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers Arbitrary File Write Vulnerabilities cisco-sa-rv160-260-filewrite-7x9mnKjn Cisco Small Business RV Series Routers Management Interface Remote Command Execution and Denial of Service Vulnerabilities cisco-sa-rv-overflow-ghZP68y Cisco Small Business RV Series Routers Management Interface Command Injection Vulnerabilities cisco-sa-rv-command-inject-BY4c5zd Cisco IOS XR Software for Cisco 8000 Series Routers and Network Convergence System 540 Series Routers Image Verification Vulnerabilities cisco-sa-ioxr-l-zNhcGCBt Cisco IOS XR Software for Cisco 8000 Series Routers and Network Convergence System 540 Series Routers Privilege Escalation Vulnerability cisco-sa-iosxr-pe-QpzCAePe Cisco IOS XR Software Enf Broker Denial of Service Vulnerability cisco-sa-iosxr-dos-WwDdghs2 This product is provided subject to this Notification and this Privacy & Use policy.

NCIJTF Releases Ransomware Factsheet 02/05/2021 09:01 AM EST Original release date: February 5, 2021 The National Cyber Investigative Joint Task Force (NCIJTF) has released a joint-sealed ransomware factsheet to address current ransomware threats and provide information on prevention and mitigation techniques. The Ransomware Factsheet was developed by an interagency group of subject matter experts from more than 15 government agencies to increase awareness of the ransomware threats to police and fire departments; state, local, tribal, and territorial governments; and critical infrastructure entities. To reduce the risk of public and private sector organizations falling victim to common infection vectors like those outlined in the NCIJTF factsheet, CISA launched the Reduce the Risk of Ransomware Campaign in January to provide informational resources to support organizations’ cybersecurity and data protection posture against ransomware. CISA encourages users and administrators to review the NCIJTF Ransomware Factsheet and CISA’s Ransomware webpage for additional resources to combat ransomware attacks. This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome 02/05/2021 09:36 AM EST Original release date: February 5, 2021 Google has released Chrome Version 88.0.4324.150 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Zero-Day Vulnerability in SonicWall SMA 100 Series Version 10.x Products 02/02/2021 11:00 AM EST Original release date: February 2, 2021 CISA is aware of a vulnerability in SonicWall Secure Mobile Access (SMA) 100 series products. SMA 100 series products provide an organization’s employees with remote access to internal resources. SonicWall security and engineering teams have confirmed a zero-day vulnerability that was reported by a third-party threat research team on Sunday, January 31, 2021. This vulnerability impacts only SMA 100 series devices with firmware version 10.x, and SonicWall is working on a patch that is expected to be released by end of day Tuesday, February 2, 2021.   Earlier reports about other zero-day vulnerabilities remain unconfirmed and are still under investigation. CISA encourages users and administrators to review the SonicWall security advisory and apply the necessary mitigations and patches when they become available. CISA also encourages users and administrators to monitor the SonicWall advisory for updates as new information becomes available. As a risk-reduction measure, CISA recommends organizations implement multi-factor authentication on all virtual private network connections.   This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates 02/02/2021 07:31 AM EST Original release date: February 2, 2021 Apple has released security updates to address vulnerabilities in macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Apple security update and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Sudo Heap-Based Buffer Overflow Vulnerability — CVE-2021-3156 02/02/2021 07:30 AM EST Original release date: February 2, 2021 Sudo has released an advisory addressing a heap-based buffer overflow vulnerability—CVE-2021-3156—affecting sudo legacy versions 1.8.2 through 1.8.31p2 and stable versions 1.9.0 through 1.9.5p1. Sudo is a utility included in many Unix- and Linux-based operating systems that allows a user to run programs with the security privileges of another user. An attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to update to sudo version 1.9.5p2, refer to vendors for available patches, and review the following resources for additional information. Sudo Advisory Qualys Blog This product is provided subject to this Notification and this Privacy & Use policy.

SAP Releases January 2021 Security Updates 01/12/2021 10:04 AM EST Original release date: January 12, 2021 SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the SAP Security Notes for January 2021 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

1/12/2021 10:22 AM EST Original release date: January 12, 2021 The National Security Agency (NSA) Cybersecurity Directorate has released its 2020 Year in Review, outlining key milestones and mission outcomes achieved during NSA Cybersecurity’s first full year of existence. Highlights include NSA Cybersecurity’s contributions to the 2020 elections, Operation Warp Speed, and the Department of Defense’s pandemic-influenced transition to telework. For further details on those and other accomplishments, CISA encourages users and administrators to read the NSA Cybersecurity 2020 Year in Review. This product is provided subject to this Notification and this Privacy & Use policy.

Adobe Releases Security Updates for Multiple Products 01/12/2021 10:07 AM EST Original release date: January 12, 2021 Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates. Photoshop APSB21-01 Illustrator ASPB21-02 Animate ASPB21-03 Campaign Classic APSB21-04 InCopy APSB21-05 Captivate APSB21-06 Bridge APSB21-07 This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Update for Thunderbird 01/12/2021 10:15 AM EST Original release date: January 12, 2021 Mozilla has released a security update to address a vulnerability in Thunderbird. An attacker could exploit this vulnerability to take control of an affected system.   CISA encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 78.6.1 and apply the necessary update. This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases January 2021 Security Updates 01/12/2021 03:35 PM EST Original release date: January 12, 2021 Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s January 2021 Security Update Summary and Deployment Information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments Original release date: January 13, 2021 CISA is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors used a variety of tactics and techniques, including phishing and brute force logins, to attempt to exploit weaknesses in cloud security practices. In response, CISA has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services which provides technical details and indicators of compromise to help detect and respond to potential attacks. CISA encourages users and administrators to review AR21-013A and apply the recommendations to strengthen cloud environment configurations. This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates for Multiple Products 01/14/2021 08:25 AM EST Original release date: January 14, 2021 Cisco has released security updates to address vulnerabilities in Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities see the Cisco Security Advisories page. CISA encourages users and administrators to review the following Cisco Advisories and apply the necessary updates: AnyConnect Secure Mobility Client for Windows DLL Injection Vulnerability cisco-sa-anyconnect-dll-injec-pQnryXLf Connected Mobile Experiences Privilege Escalation Vulnerability cisco-sa-cmxpe-75Asy9k Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Command Injection Vulnerabilities cisco-sa-rv-command-inject-LBdQ2KRN Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Remote Command Execution and Denial of Service Vulnerabilities cisco-sa-rv-overflow-WUnUgv4U This product is provided subject to this Notification and this Privacy & Use policy.

Juniper Networks Releases Security Updates for Multiple Products 01/14/2021 08:23 AM EST Original release date: January 14, 2021 Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to cause take control of an affected system. CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

RCE Vulnerability Affecting Microsoft Defender 01/14/2021 08:30 AM EST Original release date: January 14, 2021 Microsoft has released a security advisory to address a remote code execution vulnerability, CVE-2021-1647, in Microsoft Defender. A remote attacker can exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild. CISA encourages users and administrators to review Microsoft Advisory for CVE-2021-1647 and apply the necessary updates.  This product is provided subject to this Notification and this Privacy & Use policy.

You are Apache Releases Security Advisory for Tomcat 01/15/2021 10:43 AM EST Original release date: January 15, 2021 The Apache Software Foundation has released a security advisory to address a vulnerability affecting multiple versions of Apache Tomcat. An attacker could exploit this vulnerability to obtain sensitive information.    CISA encourages users and administrators to review the Apache security advisory for CVE-2021-24122 and upgrade to the appropriate version.   This product is provided subject to this Notification and this Privacy & Use policy.

NSA Releases Guidance on Encrypted DNS in Enterprise Environments   01/15/2021 04:00 PM EST Original release date: January 15, 2021 The National Security Agency (NSA) has released an information sheet with guidance on adopting encrypted Domain Name System (DNS) over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), referred to as DNS over HTTPS (DoH). When configured appropriately, strong enterprise DNS controls can help prevent many initial access, command and control, and exfiltration techniques used by threat actors. CISA encourages enterprise owners and administrators to review the NSA Info Sheet: Adopting Encrypted DNS in Enterprise Environments and consider implementing the recommendations to enhance DNS security. This product is provided subject to this Notification and this Privacy & Use policy.

CERT/CC and CISA Report Multiple Vulnerabilities in Dnsmasq 01/21/2021 07:13 AM EST Original release date: January 21, 2021 CISA and the CERT Coordination Center (CERT/CC) are aware of multiple vulnerabilities affecting Dnsmasq version 2.82 and prior. Dnsmasq is a widely-used, open-source software that provides Domain Name Service forwarding and caching and is common in Internet-of-Things (IoT) and other embedded devices. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and vendors of IoT and embedded devices that use Dnsmasq to review CERT/CC VU#434904 and CISA ICSA-21-019-01 21 for more information and to apply the necessary update. Refer to vendors for appropriate patches, when available. This product is provided subject to this Notification and this Privacy & Use policy.

You are s Drupal Releases Security Updates 01/21/2021 07:15 AM EST Original release date: January 21, 2021 Drupal has released security updates to address a vulnerability affecting Drupal. An attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review Drupal Advisory SA-CORE-2021-001 and apply the necessary updates or mitigations. This product is provided subject to this Notification and this Privacy & Use policy.

Oracle Releases January 2021 Security Bulletin 01/21/2021 07:10 AM EST Original release date: January 21, 2021 Oracle has released its Critical Patch Update for January 2021 to address 329 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Oracle January 2021 Critical Patch Update and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Advisories for Multiple Products 01/21/2021 07:16 AM EST Original release date: January 21, 2021 Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review the following Cisco Advisories and apply the necessary updates: Cisco SD-WAN Command Injection Vulnerabilities [cisco-sa-sdwan-cmdinjm-9QMSmgcn] Cisco SD-WAN Buffer Overflow Vulnerabilities cisco-sa-sdwan-bufovulns-B5NrSHbj Cisco DNA Center Command Runner Command Injection Vulnerability cisco-sa-dnac-cmdinj-erumsWh9 Cisco Smart Software Manager Satellite Web UI Command Injection Vulnerabilities cisco-sa-cssm-multici-pgG5WM5A This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome 01/21/2021 07:12 AM EST Original release date: January 21, 2021 Google has released Chrome version 88.0.4324.96 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release and apply the necessary updates.   This product is provided subject to this Notification and this Privacy & Use policy.

FTC Reports Scammers Impersonating FTC 01/26/2021 05:17 PM EST Original release date: January 26, 2021 The Federal Trade Commission (FTC) has released information on scammers attempting to impersonate the FTC. The scammers operate an FTC-spoofed website that claims to provide instant cash payments and tries to trick consumers into disclosing their financial information. The real FTC does not require such information and scammers can use this information to steal consumers’ money and identities. CISA encourages consumers to review the FTC blog post and CISA’s Security Tips on Avoiding Social Engineering and Phishing Attacks and Preventing and Responding to Identity Theft. This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates 01/27/2021 08:53 AM EST Original release date: January 27, 2021 Apple has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users to review the Apple security pages for the following products and apply the necessary updates. Xcode 12.4 iCloud for windows 12.0 iOS 14.4 and iPadOS 14.4 tvOS 14.4 watchOS 7.3 This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird 01/27/2021 09:06 AM EST Original release date: January 27, 2021 Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Mozilla Security Advisories for Firefox 85, Firefox ESR 78.7, and Thunderbird 78.7 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

CISA Malware Analysis on Supernova 01/27/2021 07:43 AM EST Original release date: January 27, 2021 CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts. Supernova is not part of the SolarWinds supply chain attack described in Alert AA20-352A. CISA encourages users and administrators to review Malware Analysis Report MAR-10319053-1.v1 and the SolarWinds advisory for more information on Supernova. This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases Security Updates for Edge 01/11/2021 01:16 PM EST Original release date: January 11, 2021 Microsoft has released a security update to address multiple vulnerabilities in Edge (Chromium-based). An attacker could exploit some of these vulnerabilities to take control of an affected system.   CISA encourages users and administrators to review the latest entry for Microsoft Security Advisory ADV200002 and apply the necessary updates.  This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome 01/07/2021 11:13 AM EST Original release date: January 7, 2021 Google has released Chrome version 87.0.4280.141 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Updates for Firefox, Firefox for Android, and Firefox ESR 01/07/2021 11:17 AM EST Original release date: January 7, 2021 Mozilla has released security updates to address a vulnerability in Firefox, Firefox for Android, and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system.   CISA encourages users and administrators to review the Mozilla Security Advisory and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

MS-ISAC Releases Cybersecurity Advisory on Zyxel Firewalls and AP Controllers 01/08/2021 10:09 AM EST Original release date: January 8, 2021 The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released an advisory on a vulnerability in Zyxel firewalls and AP controllers. A remote attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the MS-ISAC Advisory 2021-001 and Zyxel Security Advisory for CVE-2020-29583 and apply the necessary updates and mitigation recommendations. This product is provided subject to this Notification and this Privacy & Use policy.

CISA Releases New Alert on Post-Compromise Threat Activity in Microsoft Cloud Environments and Tools to Help Detect This Activity 01/08/2021 01:13 PM EST Original release date: January 8, 2021 CISA has evidence of post-compromise advanced persistent threat (APT) activity in the cloud environment. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment and using additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. This activity is in addition to what has been previously detailed in AA20-352A. In response, CISA has released AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments to describe this malicious APT activity and offer guidance on three open-source tools—including a CISA-developed tool, Sparrow, released on December 24. Network defenders can use these tools to help detect and remediate malicious APT actor activity as part of the ongoing supply chain compromise. CISA strongly encourages users and administrators to review the Activity Alert for additional information and detection countermeasures. This product is provided subject to this Notification and this Privacy & Use policy.

NSA Releases Guidance on Eliminating Obsolete TLS Protocol Configurations 01/05/2021 05:18 PM EST Original release date: January 5, 2021 The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet on eliminating obsolete Transport Layer Security (TLS) configurations. The information sheet identifies strategies to detect obsolete cipher suites and key exchange mechanisms, discusses recommended TLS configurations, and provides remediation recommendations for organizations using obsolete TLS configurations. CISA encourages administrators and users to review NSA's CSI sheet on Eliminating Obsolete TLS Protocol Configurations for more information. This product is provided subject to this Notification and this Privacy & Use policy.

CISA Updates Emergency Directive 21-01 Supplemental Guidance and Activity Alert on SolarWinds Orion Compromise 01/06/2021 01:20 PM EST Original release date: January 6, 2021 CISA has released Emergency Directive (ED) 21-01 Supplemental Guidance version 3: Mitigate SolarWinds Orion Code Compromise, providing guidance that supersedes Required Action 4 of ED 21-01 and Supplemental Guidance versions 1 and 2. Federal agencies without evidence of adversary follow-on activity on their networks that accept the risk of running SolarWinds Orion in their enterprises should rebuild or upgrade, in compliance with hardening steps outlined in the Supplemental Guidance, to at least SolarWinds Orion Platform version 2020.2.1 HF2. The National Security Agency (NSA) examined this version and verified it eliminates the previously identified malicious code. This version also includes updates to fix un-related vulnerabilities, including vulnerabilities that SolarWinds has publicly disclosed. Federal agencies with evidence of follow-on threat actor activity on their networks should keep their affected versions disconnected, conduct forensic analysis, and consult with CISA before rebuilding or reimaging affected platforms and host operating systems. The updated supplemental guidance also includes forensic analysis and reporting requirements. CISA has also updated AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, originally released December 17, 2020. This update includes new information on initial access vectors, updated mitigation recommendations, and new indicators of compromise (IOCs). Although the Emergency Directive only applies to Federal Civilian Executive Branch agencies, CISA encourages state and local governments, critical infrastructure entities, and other private sector organizations to review CISA Emergency Directive 21-01 - Supplemental Guidance v.3 for recommendations on operating the SolarWinds Orion Platform. Review the following resources for additional information on the SolarWinds Orion compromise. CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise CISA Activity Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations CISA webpage on the SolarWinds Orion Supply Chain Compromise This product is provided subject to this Notification and this Privacy & Use policy.

CISA Releases Free Detection Tool for Azure/M365 Environment 12/24/2020 07:19 PM EST Original release date: December 24, 2020 CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors. CISA strongly encourages users and administrators to visit the following GitHub page for additional information and detection countermeasures. This product is provided subject to this Notification and this Privacy & Use policy.

CISA Releases CISA Insights and Creates Webpage on Ongoing APT Cyber Activity 12/23/2020 12:55 PM EST Original release date: December 23, 2020 CISA is tracking a known compromise involving SolarWinds Orion products that are currently being exploited by a malicious actor. An advanced persistent threat (APT) actor is responsible for compromising the SolarWinds Orion software supply chain, as well as widespread abuse of commonly used authentication mechanisms. If left unchecked, this threat actor has the resources, patience, and expertise to resist eviction from compromised networks and continue to hold affected organizations at risk. In response to this threat, CISA has issued CISA Insights: What Every Leader Needs to Know About the Ongoing APT Cyber Activity. This CISA Insights provides information to leaders on the known risk to organizations and actions that they can take to prioritize measures to identify and address these threats. CISA has also created a new Supply Chain Compromise webpage to consolidate the many resources—including Emergency Directive (ED) 21-01 and Activity Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations—that we have released on this compromise. CISA will update the webpage to include partner resources that are of value to the cyber community. To read the latest CISA Insights, visit CISA.gov/insights. For more information on the SolarWinds Orion software compromise, visit CISA.gov/supply-chain-compromise. This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird 12/16/2020 01:42 PM EST Original release date: December 16, 2020 Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.   CISA encourages users and administrators to review the Mozilla Security Advisories for Firefox 84, Firefox ESR 78.6, and Thunderbird 78.6 and apply the necessary updates.   This product is provided subject to this Notification and this Privacy & Use policy.

NSA Releases Cybersecurity Advisory on Detecting Abuse of Authentication Mechanisms 12/17/2020 09:54 PM EST Original release date: December 17, 2020 The National Security Agency (NSA) has released a cybersecurity advisory on detecting abuse of authentication mechanisms. This advisory describes tactics, techniques, and procedures used by malicious cyber actors to access protected data in the cloud and provides guidance on defending against and detecting such activity. CISA encourages users and administrators to review the NSA cybersecurity advisory and CISA Activity Alert AA20-352A and take the appropriate mitigation actions. This product is provided subject to this Notification and this Privacy & Use policy.

CISA Updates Alert and Releases Supplemental Guidance on Emergency Directive for SolarWinds Orion Compromise 12/19/2020 02:29 PM EST Original release date: December 19, 2020 CISA has updated AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, originally released December 17. This update states that CISA has evidence of, and is currently investigating, initial access vectors in addition to those attributed to the SolarWinds Orion supply chain compromise. This update also provides new mitigation guidance and revises the indicators of compromise table; it also includes a downloadable STIX file of the IOCs. In addition, CISA has released supplemental guidance to Emergency Directive (ED) 21-01, providing new information on affected versions, new guidance for agencies using third-party service providers, and additional clarity on required actions. CISA encourages users and administrators to review the following resources for additional information on the SolarWinds Orion compromise. CISA Emergency Directive 21-01 - Supplemental Guidance v.1 CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise CISA Activity Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations   This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates for Multiple Products 12/15/2020 11:54 AM EST Original release date: December 15, 2020 Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates: iOS 14.3 and iPadOS 14.3 macOS Server 5.11 iOS 12.5 tvOS 14.3 watchOS 6.3 Safari 14.0.2 watchOS 7.2 macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave This product is provided subject to this Notification and this Privacy & Use policy.

Active Exploitation of SolarWinds Software 12/13/2020 10:23 PM EST Original release date: December 13, 2020 The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, released between March 2020 and June 2020. CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures: SolarWinds Security Advisory FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor FireEye GitHub page: Sunburst Countermeasures    This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates for Jabber Desktop and Mobile Client Software 12/11/2020 11:04 AM EST Original release date: December 11, 2020 Cisco has released security updates to address vulnerabilities in Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Cisco Security Advisory cisco-sa-jabber-ZktzjpgO and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Alert (AA20-345A) Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data Original release date: December 10, 2020 Summary This Joint Cybersecurity Advisory was coauthored by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The FBI, CISA, and MS-ISAC assess malicious cyber actors are targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services. Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments. Click here for a PDF version of this report. Technical Details As of December 2020, the FBI, CISA, and MS-ISAC continue to receive reports from K-12 educational institutions about the disruption of distance learning efforts by cyber actors. Ransomware The FBI, CISA, and MS-ISAC have received numerous reports of ransomware attacks against K-12 educational institutions. In these attacks, malicious cyber actors target school computer systems, slowing access, and—in some instances—rendering the systems inaccessible for basic functions, including distance learning. Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen—and threatened to leak—confidential student data to the public unless institutions pay a ransom. According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July. The five most common ransomware variants identified in incidents targeting K-12 schools between January and September 2020—based on open source information as well as victim and third-party incident reports made to MS-ISAC—are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil. Malware Figure 1 identifies the top 10 malware strains that have affected state, local, tribal, and territorial (SLTT) educational institutions over the past year (up to and including September 2020). Note: These malware variants are purely opportunistic as they not only affect educational institutions but other organizations as well. ZeuS and Shlayer are among the most prevalent malware affecting K-12 schools. ZeuS is a Trojan with several variants that targets Microsoft Windows operating systems. Cyber actors use ZeuS to infect target machines and send stolen information to command-and-control servers. Shlayer is a Trojan downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malicious advertising posing as a fake Adobe Flash updater. Note: Shlayer is the only malware of the top 10 that targets MacOS; the other 9 affect Microsoft Windows operating systems Figure 1: Top 10 malware affecting SLTT educational institutions   Distributed Denial-of-Service Attacks Cyber actors are causing disruptions to K-12 educational institutions—including third-party services supporting distance learning—with distributed denial-of-service (DDoS) attacks,  which temporarily limit or prevent users from conducting daily operations. The availability of DDoS-for-hire services provides opportunities for any motivated malicious cyber actor to conduct disruptive attacks regardless of experience level. Note: DDoS attacks overwhelm servers with a high level of internet traffic originating from many different sources, making it impossible to mitigate at a single source. Video Conference Disruptions Numerous reports received by the FBI, CISA, and MS-ISAC since March 2020 indicate uninvited users have disrupted live video-conferenced classroom sessions. These disruptions have included verbally harassing students and teachers, displaying pornography and/or violent images, and doxing meeting attendees (Note: doxing is the act of compiling or publishing personal information about an individual on the internet, typically with malicious intent). To enter classroom sessions, uninvited users have been observed: Using student names to trick hosts into accepting them into class sessions, and Accessing meetings from either publicly available links or links shared with outside users (e.g., students sharing links and/or passwords with friends). Video conference sessions without proper control measures risk disruption or compromise of classroom conversations and exposure of sensitive information. Additional Risks and Vulnerabilities In addition to the recent reporting of distance learning disruptions received by the FBI, CISA, and MS-ISAC, malicious cyber actors are expected to continue seeking opportunities to exploit the evolving remote learning environment. Social Engineering Cyber actors could apply social engineering methods against students, parents, faculty, IT personnel, or other individuals involved in distance learning. Tactics, such as phishing, trick victims into revealing personal information (e.g., password or bank account information) or performing a task (e.g., clicking on a link). In such scenarios, a victim could receive what appears to be legitimate email that: Requests personally identifiable information (PII) (e.g., full name, birthdate, student ID), Directs the user to confirm a password or personal identification number (PIN), Instructs the recipient to visit a website that is compromised by the cyber actor, or Contains an attachment with malware. Cyber actors also register web domains that are similar to legitimate websites in an attempt to capture individuals who mistype URLs or click on similar looking URLs. These types of attacks are referred to as domain spoofing or homograph attacks. For example, a user wanting to access www.cottoncandyschool.edu could mistakenly click on www.cottencandyschool.edu (changed “o” to an “e”) or www.cottoncandyschoo1.edu (changed letter “l” to a number “1”) (Note: this is a fictitious example to demonstrate how a user can mistakenly click and access a website without noticing subtle changes in website URLs). Victims believe they are on a legitimate website when, in reality, they are visiting a site controlled by a cyber actor. Technology Vulnerabilities and Student Data Whether as collateral for ransomware attacks or to sell on the dark web, cyber actors may seek to exploit the data-rich environment of student information in schools and education technology (edtech) services. The need for schools to rapidly transition to distance learning likely contributed to cybersecurity gaps, leaving schools vulnerable to attack. In addition, educational institutions that have outsourced their distance learning tools may have lost visibility into data security measures. Cyber actors could view the increased reliance on—and sharp usership growth in—these distance learning services and student data as lucrative targets. Open/Exposed Ports The FBI, CISA, and MS-ISAC frequently see malicious cyber actors exploiting exposed Remote Desktop Protocol (RDP) services to gain initial access to a network and, often, to manually deploy ransomware. For example, cyber actors will attack ports 445 (Server Message Block [SMB]) and 3389 (RDP) to gain network access. They are then positioned to move laterally throughout a network (often using SMB), escalate privileges, access and exfiltrate sensitive information, harvest credentials, or deploy a wide variety of malware. This popular attack vector allows cyber actors to maintain a low profile, as they are using a legitimate network service that provides them with the same functionality as any other remote user. End-of-Life Software End-of-Life (EOL) software is regularly exploited by cyber actors—often to gain initial access, deface websites, or further their reach in a network. Once a product reaches EOL, customers no longer receive security updates, technical support, or bug fixes. Unpatched and vulnerable servers are likely to be exploited by cyber actors, hindering an organization’s operational capacity. Mitigations Plans and Policies The FBI and CISA encourage educational providers to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, institutions may be unable to continue teaching and administrative operations. Evaluating continuity and capability will help identify potential operational gaps. Through identifying and addressing these gaps, institutions can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. The FBI and CISA suggest K-12 educational institutions review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by cyber actors. Network Best Practices Patch operating systems, software, and firmware as soon as manufacturers release updates. Check configurations for every operating system version for educational institution-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled. Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts. Use multi-factor authentication where possible. Disable unused remote access/RDP ports and monitor remote access/RDP logs. Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy. Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Audit logs to ensure new accounts are legitimate. Scan for open or listening ports and mediate those that are not needed. Identify critical assets such as student database servers and distance learning infrastructure; create backups of these systems and house the backups offline from the network. Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment. Set antivirus and anti-malware solutions to automatically update; conduct regular scans. User Awareness Best Practices Focus on awareness and training. Because end users are targeted, make employees and students aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities. Ensure employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently. Monitor privacy settings and information available on social networking sites. Ransomware Best Practices The FBI and CISA do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, regardless of whether your organization decided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing so provides the FBI with the critical information they need to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law. In addition to implementing the above network best practices, the FBI and CISA also recommend the following: Regularly back up data, air gap, and password protect backup copies offline. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location. Denial-of-Service Best Practices Consider enrolling in a denial-of-service mitigation service that detects abnormal traffic flows and redirects traffic away from your network. Create a partnership with your local internet service provider (ISP) prior to an event and work with your ISP to control network traffic attacking your network during an event. Configure network firewalls to block unauthorized IP addresses and disable port forwarding. Video-Conferencing Best Practices Ensure participants use the most updated version of remote access/meeting applications. Require passwords for session access. Encourage students to avoid sharing passwords or meeting codes. Establish a vetting process to identify participants as they arrive, such as a waiting room. Establish policies to require participants to sign in using true names rather than aliases. Ensure only the host controls screensharing privileges. Implement a policy to prevent participants from entering rooms prior to host arrival and to prevent the host from exiting prior to the departure of all participants. Edtech Implementation Considerations When partnering with third-party and edtech services to support distance learning, educational institutions should consider the following: The service provider’s cybersecurity policies and response plan in the event of a breach and their remediation practices: How did the service provider resolve past cyber incidents? How did their cybersecurity practices change after these incidents? The provider’s data security practices for their products and services (e.g., data encryption in transit and at rest, security audits, security training of staff, audit logs); The provider’s data maintenance and storage practices (e.g., use of company servers, cloud storage, or third-party services); Types of student data the provider collects and tracks (e.g., PII, academic, disciplinary, medical, biometric, IP addresses); Entities to whom the provider will grant access to the student data (e.g., vendors); How the provider will use student data (e.g., will they sell it to—or share it with—third parties for service enhancement, new product development, studies, marketing/advertising?); The provider’s de-identification practices for student data; and The provider’s policies on data retention and deletion. Malware Defense Table 1 identifies CISA-created Snort signatures, which have been successfully used to detect and defend against related attacks, for the malware variants listed below. Note: the listing is not fully comprehensive and should not be used at the exclusion of other detection methods. Table 1: Malware signatures Malware Signature NanoCore   Cerber   Kovter   Dridex   Contact Information To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov. Resources MS-ISAC membership is open to employees or representatives from all public K-12 education entities in the United States. The MS-ISAC provides multiple cybersecurity services and benefits to help K-12 education entities increase their cybersecurity posture. To join, visit https://learn.cisecurity.org/ms-isac-registration. CISA Telework Guidance and Resources CISA Cybersecurity Recommendations and Tips for Schools Using Video Conferencing CISA Ransomware Publications CISA Emergency Services Sector Continuity Planning Suite CISA-MS-ISAC Joint Ransomware Guide CISA Tip: Avoiding Social Engineering and Phishing Attacks CISA Tip: Understanding Patches CISA and CYBER.ORG “Cyber Safety Video Series” for K-12 students and educators FBI PSA: “High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations Note: contact your local FBI field office (www.fbi.gov/contact-us/field) for additional FBI products on ransomware, edtech, and cybersecurity for educational institutions. Revisions Initial Version: December 10, 2020

Adobe Releases Security Updates for Acrobat and Reader 12/10/2020 12:23 PM EST Original release date: December 10, 2020 Adobe has released security updates to address a vulnerability in Acrobat and Reader. An attacker could exploit this vulnerability to obtain sensitive information. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletin APSB20-75 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

New ACSC Cybersecurity Campaign Begins by Focusing on Ransomware Threats 12/09/2020 09:07 AM EST Original release date: December 9, 2020 The Australian Cyber Security Centre (ACSC) has launched a new cyber security campaign encouraging all Australians to protect themselves against online threats. The initial focus of the campaign is ransomware threats, and the ACSC provides easy-to-follow security advice at cyber.gov.au to help Australians act now and stay secure.   The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the official ACSC campaign announcement for more information and to consult CISA’s ransomware page for additional guidance and resources.   This product is provided subject to this Notification and this Privacy & Use policy.

National Cyber Security Centre Cyber Awareness Campaign 12/09/2020 09:12 AM EST Original release date: December 9, 2020 The United Kingdom (UK) National Cyber Security Centre (NCSC) has launched a new cyber security campaign encouraging the public to adopt six behaviors to stay safe online. The six Cyber Aware behaviors recommended by the NSCS are: Use a separate password for your email Create strong passwords using three random words Save your passwords in your browser Turn on multi-factor authentication Update your devices Back up your data The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the official NCSC website as well as CISA’s Tips page for more information and additional resources.   This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Advisory for Vulnerability in AnyConnect Software 12/07/2020 07:41 AM EST Original release date: December 7, 2020 Cisco has released a security advisory on an Arbitrary Code Execution vulnerability—CVE-2020-3556—affecting Cisco AnyConnect Secure Mobility Client devices. A remote attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco Security Advisory and apply the necessary updates or workarounds. This product is provided subject to this Notification and this Privacy & Use policy.

SAP Releases December 2020 Security Updates 12/08/2020 09:38 AM EST Original release date: December 8, 2020 SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. These include a missing authentication check vulnerability affecting SAP NetWeaver AS JAVA (P2P Cluster Communication). The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the SAP Security Notes for December 2020 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Apache Releases Security Update for Apache Struts 2 12/08/2020 10:22 AM EST Original release date: December 8, 2020 The Apache Software Foundation has released a security update to address a vulnerability in Apache Struts versions 2.0.0 to 2.5.25. A remote attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Apache Security Bulletin S2-061 and apply the necessary update or workaround. This product is provided subject to this Notification and this Privacy & Use policy.

CERT/CC Releases Information on Vulnerabilities Affecting Open-Source TCP/IP Stacks 12/08/2020 10:48 AM EST Original release date: December 8, 2020 The CERT Coordination Center (CERT/CC) has released information on 33 vulnerabilities, known as AMNESIA:33, affecting multiple embedded open-source Transmission Control Protocol/Internet Protocol (TCP/IP) stacks. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CERT/CC Vulnerability Note VU #815128 and CISA Advisory ICSA-20-343-01 for more information and to apply the recommended mitigations. Refer to vendors for appropriate patches, when available. This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases December 2020 Security Updates 12/08/2020 01:26 PM EST Original release date: December 8, 2020 Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s December 2020 Security Update Summary and Deployment Information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Adobe Releases Security Updates for Multiple Products 12/08/2020 01:50 PM EST Original release date: December 8, 2020 Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates. Acrobat and Reader APSB20-75 Lightroom APSB20-74 Experience Manager APSB20-72 Prelude APSB20-70 This product is provided subject to this Notification and this Privacy & Use policy.

Theft of FireEye Red Team Tools 12/08/2020 03:39 PM EST Original release date: December 8, 2020 FireEye has released a blog addressing unauthorized access to their Red Team’s tools by a highly sophisticated threat actor. Red Team tools are often used by cybersecurity organizations to evaluate the security posture of enterprise systems. Although the Cybersecurity and Infrastructure Security Agency (CISA) has not received reporting of these tools being maliciously used to date, unauthorized third-party users could abuse these tools to take control of targeted systems. The exposed tools do not contain zero-day exploits. CISA recommends cybersecurity practitioners review FireEye’s two blog posts for more information and FireEye’s GitHub repository for detection countermeasures: FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community Unauthorized Access of FireEye Red Team Tools FireEye’s GitHub repository: Red Team Tool Countermeasures  This product is provided subject to this Notification and this Privacy & Use policy.

NSA Releases Advisory on Russian State-Sponsored Malicious Cyber Actors Exploiting CVE-2020-4006 12/07/2020 11:25 AM EST Original release date: December 7, 2020 The National Security Agency (NSA) has released a Cybersecurity Advisory on Russian state-sponsored actors exploiting CVE-2020-4006, a command-injection vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. The actors were found exploiting this vulnerability to access protected data on affected systems. The NSA advisory provides mitigation and detection guidance. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources and apply the necessary updates and detection guidance. NSA Cybersecurity Advisory Russian State-Sponsored Actors Exploiting Vulnerability in VMware Workspace ONEAccess Using Compromised Credentials VMware Security Advisory VMSA-2020-0027.2 CERT Coordination Center (CERT/CC) Vulnerability Note VU#724367 This product is provided subject to this Notification and this Privacy & Use policy.

OpenSSL Releases Security Update 12/08/2020 07:39 PM EST Original release date: December 8, 2020 OpenSSL has released a security update to address a vulnerability affecting all versions of 1.0.2 and 1.1.1 released before version 1.1.1i. An attacker could exploit this vulnerability to cause a denial-of-service condition. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the OpenSSL Security Advisory and apply the necessary update. This product is provided subject to this Notification and this Privacy & Use policy.

Apache Releases Security Advisory for Apache Tomcat 12/04/2020 12:58 PM EST Original release date: December 4, 2020 The Apache Software Foundation has released a security advisory to address a vulnerability in Apache Tomcat. An attacker could exploit this vulnerability to cause a denial-of-service condition. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apache security advisory for CVE-2020-17527 and upgrade to the appropriate version. This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome 12/04/2020 10:42 AM EST Original release date: December 4, 2020 Google has released Chrome version 87.0.4280.88 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.   This product is provided subject to this Notification and this Privacy & Use policy.

Heightened Awareness for Iranian Cyber Activity 12/03/2020 03:02 PM EST Original release date: December 3, 2020 Iranian cyber threat actors have been continuously improving their offensive cyber capabilities. They continue to engage in more conventional offensive cyber activities ranging from website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information (PII), to more advanced activities—including social media-driven influence operations, destructive malware, and, potentially, cyber-enabled kinetic attacks. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Joint Cybersecurity Advisory AA20-259A: Iran-Based Threat Actor Exploits VPN Vulnerabilities and Activity Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities for information on known Iranian advanced persistent threat (APT) actor tactics, techniques, and procedures (TTPs). For more information on Iranian cyber threats, review the following products. Joint Cybersecurity Advisory AA20-304A: Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data Joint Cybersecurity Advisory AA20-296B: Iranian Advanced Persistent Threat Actors Threaten Election-Related Systems Malware Analysis Report AR20-259A: MAR-10297887-1.v2 – Iranian Web Shells Activity Alert AA20-006A: Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad CISA Insights: Increased Geopolitical Tensions and Threats This product is provided subject to this Notification and this Privacy & Use policy.

VMware Releases Security Updates to Address CVE-2020-4006 12/03/2020 05:11 PM EST Original release date: December 3, 2020 VMware has released security updates to address a vulnerability—CVE-2020-4006—in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. An attacker could exploit this vulnerability to take control of an affected system.  The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0027.2 and apply the necessary updates.  This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates for iCloud for Windows 12/03/2020 07:58 AM EST Original release date: December 3, 2020 Apple has released security updates to address vulnerabilities in iCloud for Windows. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security page for iCloud for Windows 11.5 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

IBM Releases Report on Cyber Actors Targeting the COVID-19 Vaccine Supply Chain 12/03/2020 06:00 AM EST Original release date: December 3, 2020 IBM X-Force has released a report on malicious cyber actors targeting the COVID-19 cold chain—an integral part of delivering and storing a vaccine at safe temperatures. Impersonating a biomedical company, cyber actors are sending phishing and spearphishing emails to executives and global organizations involved in vaccine storage and transport to harvest account credentials. The emails have been posed as requests for quotations for participation in a vaccine program. The Cybersecurity and Infrastructure Security Agency (CISA) encourages Operation Warp Speed (OWS) organizations and organizations involved in vaccine storage and transport to review the IBM X-Force report Attackers Are Targeting the COVID-19 Vaccine Cold Chain for more information, including indicators of compromise. For tips on avoiding social engineering and phishing attacks, see CISA Insights: Enhance Email & Web Security. This product is provided subject to this Notification and this Privacy & Use policy.

Xerox Releases Security Updates for DocuShare 12/02/2020 10:47 AM EST Original release date: December 2, 2020 Xerox has released security updates for DocuShare 6.6.1, 7.0, and 7.5 to address a vulnerability that could allow an unauthenticated attacker to obtain sensitive information. The Cybersecurity and Infrastructure Security Agency (CISA) urges users and administrators review Xerox Mini Bulletin XRX20W and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Update for Thunderbird 12/02/2020 10:49 AM EST Original release date: December 2, 2020 Mozilla has released a security update to address a vulnerability in Thunderbird. An attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 78.5.1 and apply the necessary update.   This product is provided subject to this Notification and this Privacy & Use policy.

NCSC Releases 2020 Annual Review 12/03/2020 08:10 AM EST Original release date: December 3, 2020 The United Kingdom (UK) National Cyber Security Centre (NCSC) has released its Annual Review 2020, which focuses on its response to evolving and challenging cyber threats. Recognizing cybersecurity as a “team sport,” the publication includes highlights of NCSC’s collaboration with many partners, including the Cybersecurity and Infrastructure Security Agency (CISA). A few examples: Joint Advisory AA20-126A: APT Groups Target Healthcare and Essential Services, which warned of observed “large-scale ‘password spraying’ campaigns against healthcare bodies and medical research organizations” and provided mitigation advice for this threat. Joint Advisory AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity, which NCSC calls “an incident response playbook … applicable to the widest set of countries and situations possible.” The NCSC’s Secure Design Principles blog and CISA’s Cybersecurity Best Practices for Industrial Control Systems (ICS) guide. As stated by NCSC, these publications represent a CISA-NCSC “joint venture [to] set out risks faced by ICS owners and operators … to help them design and secure ICS, mitigate risks, and protect against the ever-evolving threats.” This product is provided subject to this Notification and this Privacy & Use policy.

Fortinet FortiOS System File Leak 11/27/2020 11:00 AM EST Original release date: November 27, 2020 The Cybersecurity and Infrastructure Security Agency (CISA) is aware of the possible exposure of passwords on Fortinet devices that are vulnerable to CVE 2018-13379. Exploitation of this vulnerability may allow an unauthenticated attacker to access FortiOS system files. Potentially affected devices may be located in the United States. Fortinet has released a security advisory to highlight mitigation of this vulnerability. CISA encourages users and administrators to review the advisory and apply the necessary updates immediately. Additionally, CISA recommends Fortinet users conduct a thorough review of logs on any connected networks to detect any additional threat actor activity. This product is provided subject to this Notification and this Privacy & Use policy.

Drupal Releases Security Updates 11/27/2020 10:53 AM EST Original release date: November 27, 2020 Drupal has released security updates to address vulnerabilities in Drupal 7, 8.8 and earlier, 8.9, and 9.0. An attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Drupal Advisory SA-CORE-2020-013 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

VMware Releases Workarounds for CVE-2020-4006 11/23/2020 02:14 PM EST Original release date: November 23, 2020 VMware has released workarounds to address a vulnerability—CVE-2020-4006—in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. An attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency encourages users and administrators to review VMware Security Advisory VMSA-2020-0027 and apply the necessary workarounds. This product is provided subject to this Notification and this Privacy & Use policy.

Online Holiday Shopping Scams 11/24/2020 07:08 AM EST Original release date: November 24, 2020 With more commerce occurring online this year, and with the holiday season upon us, the Cybersecurity and Infrastructure Security Agency (CISA) reminds shoppers to remain vigilant. Be especially cautious of fraudulent sites spoofing reputable businesses, unsolicited emails purporting to be from charities, and unencrypted financial transactions. CISA encourages online holiday shoppers to review the following resources. CISA’s Online Shopping Tip CISA’s Holiday Online Shopping page CISA’s Social Engineering and Phishing Attacks Tip The Federal Bureau of Investigation’s (FBI’s) ‘Tis the Season for Holiday Online Shopping Scams - Don't Be a Victim Announcement If you believe you are a victim of a scam, consider the following actions. Report the incident to your local police, and file online reports at the Federal Trade Commission’s Report Fraud page and the FBI's Internet Crime Complaint Center (IC3) page. Watch for unexpected or unexplained charges to your account. If any appear, contact your financial institution immediately and close any accounts that may have been compromised. See CISA’s Preventing and Responding to Identity Theft Tip for more information. Change any passwords you might have revealed immediately. Avoid reusing passwords. See CISA’s Choosing and Protecting Passwords Tip for more information. This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates for Multiple Products 11/19/2020 10:04 AM EST Original release date: November 19, 2020 Cisco has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates. Integrated Management Controller Multiple Remote Code Execution Vulnerabilities cisco-sa-ucs-api-rce-UXwpeDHd DNA Spaces Connector Command Injection Vulnerability cisco-sa-dna-cmd-injection-rrAYzOwc IoT Field Network Director Unauthenticated REST API Vulnerability cisco-sa-FND-BCK-GHkPNZ5F Secure Web Appliance Privilege Escalation Vulnerability cisco-sa-wsa-prv-esc-nPzWZrQj IoT Field Network Director SOAP API Authorization Bypass Vulnerability cisco-sa-FND-AUTH-vEypBmmR IoT Field Network Director Missing API Authentication Vulnerability cisco-sa-FND-APIA-xZntFS2V For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.   This product is provided subject to this Notification and this Privacy & Use policy.

Drupal Releases Security Updates 11/19/2020 10:09 AM EST Original release date: November 19, 2020 Drupal has released security updates to address a critical vulnerability in Drupal 7, 8.8 and earlier, 8.9, and 9.0. An attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Drupal Advisory SA-CORE-2020-012, apply the necessary updates, and follow the additional recommendation. This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird 11/19/2020 10:12 AM EST Original release date: November 19, 2020 Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 83, Firefox ESR 78.5, and Thunderbird 78.5 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome 11/19/2020 10:10 AM EST Original release date: November 19, 2020 Google has released Chrome version 87.0.4280.66 for Windows, Mac, and Linux to address multiple vulnerabilities. Some of these vulnerabilities could allow an attacker to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

VMware Releases Security Updates for VMware SD-WAN Orchestrator 11/19/2020 10:18 AM EST Original release date: November 19, 2020 VMware has released security updates to address multiple vulnerabilities in VMware SD-WAN Orchestrator. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0025 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates for Multiple Products 11/13/2020 11:46 AM EST Original release date: November 13, 2020 Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. Some of these vulnerabilities have been detected in exploits in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for macOS Big Sur 11.0, 11.0.1 and for macOS High Sierra 10.13.6, macOS Mojave 10.14.6 and apply the necessary updates.   This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates for Security Manager 11/17/2020 11:42 AM EST Original release date: November 17, 2020 Cisco has released security updates to address vulnerabilities in Cisco Security Manager. A remote attacker could exploit these vulnerabilities to obtain sensitive information. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates. Cisco Security Manager Path Traversal Vulnerability cisco-sa-csm-path-trav-NgeRnqgR Cisco Security Manager Static Credential Vulnerability cisco-sa-csm-rce-8gjUz9fW This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome 11/12/2020 11:39 AM EST Original release date: November 12, 2020 Google has released Chrome version 86.0.4240.198 for Windows, Mac, and Linux. This version addresses CVE-2020-16013 and CVE-2020-16017. An attacker could exploit one of these vulnerabilities to take control of an affected system. These vulnerabilities have been detected in exploits in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources and apply the necessary updates. Google Chrome Release Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory 2020-154 This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird 11/10/2020 11:00 AM EST Original release date: November 10, 2020 Mozilla has released security updates to address a vulnerability in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 82.0.3, Firefox ESR 78.4.1, and Thunderbird 78.4.2 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

SAP Releases November 2020 Security Updates 11/10/2020 11:37 AM EST Original release date: November 10, 2020 SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. These include missing authentication check vulnerabilities affecting SAP Solution Manager (JAVA stack). The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the SAP Security Notes for November 2020 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases November 2020 Security Updates 11/10/2020 01:18 PM EST Original release date: November 10, 2020 Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s November 2020 Security Update Summary and Deployment Information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Update for IOS XR Software 11/10/2020 04:31 PM EST Original release date: November 10, 2020 Cisco has released a security update to address a vulnerability in IOS XR Software for ASR 9000 Series Aggregation Services Routers. An unauthenticated, remote attacker could exploit this vulnerability to cause a denial-of-service condition. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco security advisory and apply the necessary update. This product is provided subject to this Notification and this Privacy & Use policy.

Adobe Releases Security Updates for Multiple Products 11/10/2020 04:55 PM EST Original release date: November 10, 2020 Adobe has released security updates to address vulnerabilities in multiple products.  An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Adobe security advisories for Adobe Connect and Adobe Reader for Android and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Updates for Multiple Products 11/06/2020 12:06 PM EST Original release date: November 6, 2020 Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates. macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update watchOS 5.3.9 watchOS 6.2.9 iOS 12.4.9 tvOS 14.2 iOS 14.2 and iPadOS 14.2 watchOS 7.1 This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates for Multiple Products 11/05/2020 12:01 PM EST Original release date: November 5, 2020 Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco Security Advisories page and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Adobe Releases Security Updates for Acrobat and Reader 11/04/2020 10:41 AM EST Original release date: November 4, 2020 Adobe has released security updates to address vulnerabilities in Adobe Acrobat and Reader. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletin APSB20-67 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome, CVE-2020-16009 11/03/2020 10:35 AM EST Original release date: November 3, 2020 Google has released Chrome version 86.0.4240.183 for Windows, Mac, and Linux addressing multiple vulnerabilities, including vulnerability CVE-2020-16009. Exploit code for this vulnerability exists in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release Note and apply the necessary updates immediately. This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Warns of Continued Exploitation of CVE-2020-1472 10/29/2020 01:11 PM EDT Original release date: October 29, 2020 Microsoft has released a blog post on cyber threat actors exploiting CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. The Cybersecurity and Infrastructure Security Agency (CISA) has observed nation state activity exploiting this vulnerability. This malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes. CISA has released a patch validation script to detect unpatched Microsoft domain controllers. If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services. In the coming weeks and months, administrators should take follow-on actions that are described in guidance released by Microsoft to prepare for the second half of Microsoft’s Netlogon migration process, which is scheduled to conclude in February 2021. CISA encourages users and administrators to review the following resources and apply the necessary updates and mitigations. Microsoft blog post: Attacks exploiting Netlogon vulnerability (CVE-2020-1472) Microsoft: August Security Advisory for CVE-2020-1472 Microsoft: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 CISA Patch Validation Script CISA Joint Cybersecurity Advisory: AA20-283A APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations This product is provided subject to this Notification and this Privacy & Use policy.

CISA and FBI Release Joint Advisory on Iranian APT Actor Targeting Voter Registration Data 10/30/2020 03:59 PM EDT Original release date: October 30, 2020 The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint cybersecurity advisory on an Iranian advanced persistent threat (APT) actor targeting U.S. state websites, including elections websites, to obtain voter registration data. Joint Cybersecurity Advisory AA20-304A: Iranian APT Actor Identified Obtaining Voter Registration Data provides indicators of compromise and recommended mitigations for affected entities. Analysis by CISA and the FBI indicates this actor scanned state websites, to include state election websites, between September 20 and September 28, 2020, with the Acunetix vulnerability scanner. Additionally, CISA and the FBI observed this actor attempting to exploit websites to obtain copies of voter registration data between September 29 and October 17, 2020. This includes attempted exploitation of known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads, and leveraging unique flaws in websites. CISA and the FBI can confirm that the actor successfully obtained voter registration data for at least one state. CISA and the FBI advise organizations that do not regularly use Acunetix to monitor their logs for any related activity that originates from IP addresses provided in this advisory and consider it malicious reconnaissance behavior.     This product is provided subject to this Notification and this Privacy & Use policy.

Oracle Releases Out-of-Band Security Alert 11/02/2020 01:09 PM EST Original release date: November 2, 2020 Oracle has released an out-of-band security alert to address a remote code execution vulnerability—CVE-2020-14750—in Oracle WebLogic Server. A remote attacker can exploit this vulnerability to take control of an affected system.   The Cybersecurity and Infrastructure Security Agency (CISA) urges users and administrators review the Oracle Security Alert and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Ransomware Activity Targeting the Healthcare and Public Health Sector 10/28/2020 07:38 PM EDT Original release date: October 28, 2020 The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.     CISA, FBI, and HHS have released AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector that details both the threat and practices that healthcare organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.    CISA, FBI, and HHS are sharing this information in order to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats. CISA encourages users and administrators to review CISA’s Ransomware webpage for additional information.  This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases Security Update for Edge 10/26/2020 02:10 PM EDT Original release date: October 26, 2020 Microsoft has released a security update to address vulnerabilities in Edge (Chromium-based). An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the latest entry for Microsoft Security Advisory ADV200002 apply the necessary update. This product is provided subject to this Notification and this Privacy & Use policy.

CISA and FBI Release Joint Advisories Regarding Russian and Iranian APT Actors 10/22/2020 01:40 PM EDT Original release date: October 22, 2020 The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released two joint cybersecurity advisories on widespread advanced persistent threat (APT) activity. Joint Cybersecurity Advisory: AA20-296A Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets Joint Cybersecurity Advisory: AA20-296B Iranian State-Sponsored Advanced Persistent Threat Actors Threaten Election-Related Systems AA20-296A updates a previous joint CISA-FBI cybersecurity advisory and provides information on Russian state-sponsored actors targeting U.S. state, local, tribal, and territorial (SLTT) government networks, as well as aviation networks. In limited instances, this activity has resulted in unauthorized access to IT systems used by U.S. election officials. AA20-296B details Iranian APT actors working to influence and interfere with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process. These actors have taken part in spear-phishing campaigns, website defacements, and disinformation campaigns to spread obtained U.S. voter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud. Both joint cybersecurity advisories contain information on exploited vulnerabilities and recommended mitigation actions for affected organizations to pursue. This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates for Multiple Products 10/22/2020 12:32 PM EDT Original release date: October 22, 2020 Cisco has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco security page and apply the necessary updates.   This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird 10/21/2020 12:34 PM EDT Original release date: October 21, 2020 Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 82, Firefox ESR 78.4, and Thunderbird 78.4 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Adobe Releases Security Updates for Multiple Products 10/21/2020 12:10 PM EDT Original release date: October 21, 2020 Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates. Illustrator APSB20-53 Dreamweaver APSB20-55 Marketo APSB20-60 Animate APSB20-61 After Effects APSB20-62 Photoshop APSB20-63 Premiere Pro APSB20-64 Media Encoder APSB20-65 InDesign APSB20-66 Creative Cloud Desktop Application APSB20-68 This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome 10/21/2020 12:30 PM EDT Original release date: October 21, 2020 Google has released Chrome version 86.0.4240.111 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary changes. This product is provided subject to this Notification and this Privacy & Use policy.

Oracle Releases October 2020 Security Bulletin 10/20/2020 07:20 PM EDT Original release date: October 20, 2020 Oracle has released its Critical Patch Update for October 2020 to address 402 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Oracle October 2020 Critical Patch Update and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

NSA Releases Advisory on Chinese State-Sponsored Actors Exploiting Publicly Known Vulnerabilities 10/20/2020 03:23 PM EDT Original release date: October 20, 2020 The National Security Agency (NSA) has released a cybersecurity advisory on Chinese state-sponsored malicious cyber activity. This advisory provides 25 Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks. The Cybersecurity and Infrastructure Security Agency (CISA) encourages critical system administrators to prioritize the immediate patching of the CVEs in NSA’s advisory and to review CISA’s Alert Potential for China Cyber Response to Heightened U.S.–China Tensions, which details potential cyber response to heightened tensions between the United States and China and provides specific tactics, techniques, and procedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our Nation’s critical infrastructure. Review the CISA's Chinese Malicious Cyber Activity page for more information on Chinese malicious cyber activity. This product is provided subject to this Notification and this Privacy & Use policy.

VMware Releases Security Updates for Multiple Products 10/20/2020 12:44 PM EDT Original release date: October 20, 2020 VMware has released security updates to address vulnerabilities affecting multiple products. A remote attacker could exploit one of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0023 and apply the necessary updates or workarounds. This product is provided subject to this Notification and this Privacy & Use policy.

Juniper Networks Releases Security Updates for Multiple Products 10/15/2020 11:12 AM EDT Original release date: October 15, 2020 Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Adobe Releases Security Updates for Magento 10/16/2020 12:10 PM EDT Original release date: October 16, 2020 Adobe has released security updates to address vulnerabilities affecting Magento Commerce and Magento Open Source. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletin APSB20-59 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

NCSC Releases Alert on Microsoft SharePoint Vulnerability 10/16/2020 01:03 PM EDT Original release date: October 16, 2020 The United Kingdom (UK) National Cyber Security Centre (NCSC) has released an Alert to address a vulnerability—CVE-2020-16952—affecting Microsoft SharePoint server. An attacker could exploit this vulnerability to take control of an affected system. Applying patches from Microsoft’s October 2020 Security Advisory for CVE-2020-16952 can prevent exploitation of this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review the NCSC Alert and the Microsoft Security Advisory for CVE-2020-16952 for more information. This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases October 2020 Security Updates 10/13/2020 02:42 PM EDT Original release date: October 13, 2020 Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s October 2020 Security Update Summary and Deployment Information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Addresses Windows TCP/IP RCE/DoS Vulnerability 10/14/2020 11:59 AM EDT Original release date: October 14, 2020 Microsoft has released a security update to address a protocol vulnerability—CVE-2020-16898—in Windows Transmission Control Protocol (TCP)/IP stack handling of Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. A remote attacker could exploit this vulnerability to take control of an affected system or cause a denial-of-service condition.   The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s Security Advisory for more information, and apply the necessary updates or workaround.   This product is provided subject to this Notification and this Privacy & Use policy.

Apache Releases Security Updates for Apache Tomcat 10/14/2020 09:06 AM EDT Original release date: October 14, 2020 The Apache Software Foundation has released a security advisory to address a vulnerability in Apache Tomcat. An attacker could exploit this vulnerability to obtain sensitive information.  The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Apache Security Advisory for CVE-2020-13943 and upgrade to the appropriate version. This product is provided subject to this Notification and this Privacy & Use policy.

Adobe Releases Security Updates for Flash Player 10/14/2020 09:11 AM EDT Original release date: October 14, 2020 Adobe has released security updates to address a vulnerability affecting Flash Player. An attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletin APSB20-58 and apply the necessary update. This product is provided subject to this Notification and this Privacy & Use policy.

SAP Releases October 2020 Security Updates 10/13/2020 12:41 PM EDT Original release date: October 13, 2020 SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. This includes an OS command injection vulnerability (CVE-2020-6364) affecting SAP Solution Manager and SAP Focused Run.   The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the SAP Security Notes for October 2020 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

CISA and FBI Release Joint Advisory Regarding APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations 10/09/2020 06:20 PM EDT Original release date: October 9, 2020 The Cybersecurity and Information Security Agency (CISA) and the Federal Bureau of Information (FBI) have released a joint cybersecurity advisory regarding advanced persistent threat (APT) actors chaining vulnerabilities—a commonly used tactic exploiting multiple vulnerabilities in the course of a single intrusion—in an attempt to compromise federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure, and elections organizations. CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. The joint cybersecurity advisory contains information on exploited vulnerabilities and recommended mitigation actions for affected organizations to pursue. This product is provided subject to this Notification and this Privacy & Use policy.

AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations 10/09/2020 04:21 PM EDT Original release date: October 9, 2020 Summary This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques. Note: the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. The Cybersecurity and Information Security Agency (CISA) will update this advisory as new information is available. This joint cybersecurity advisory was written by CISA with contributions from the Federal Bureau of Investigation (FBI).  CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability—CVE-2020-1472—in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application.  This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks. CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity. Some common tactics, techniques, and procedures used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical CVE-2020-1472 Netlogon vulnerability. CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability CVE-2018-13379 has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability CVE-2020-15505. While these exploits have been observed recently, this activity is ongoing and still unfolding. CISA recommends network staff and administrators review internet-facing infrastructure for vulnerabilities, including Juniper CVE-2020-1631, Pulse Secure CVE-2019-11510,  Citrix NetScaler CVE-2020-19781, and Palo Alto Networks CVE-2020-2012 (this list is not considered exhaustive). After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors, and is not limited to SLTT entities. Click here for a PDF version of this report. Technical Details Initial Access APT threat actors are actively leveraging legacy vulnerabilities in internet-facing infrastructure (Exploit Public-Facing Application [T1190], External Remote Services [T1133]) to gain initial access into systems. The APT actors appear to have predominately gained initial access via the Fortinet FortiOS VPN vulnerability CVE-2018-13379; however, other vulnerabilities, listed below, have been observed (as analysis is evolving, these listed vulnerabilities should not be considered comprehensive). Citrix NetScaler CVE-2020-19781 MobileIron CVE-2020-15505 Pulse Secure CVE-2019-11510 Palo Alto Networks CVE-2020-2012 F5 BIG-IP CVE-2020-5902 FortiGuard ForitOS SSL VPN CVE-2018-13379 CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal. An unauthenticated attacker could exploit this vulnerability to download FortiOS system files through specially crafted HTTP resource requests. MobileIron Core & Connector Vulnerability CVE-2020-15505 CVE-202-15505 is a remote code execution vulnerability in MobileIron Core & Connector versions 10.3 and earlier. This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors. Privilege Escalation Post initial access, the APT actors use multiple techniques to expand access to the environment. The actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers. Actors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain Valid Account [T1078] credentials from AD servers. Microsoft Netlogon Remote Protocol Vulnerability: CVE-2020-1472 CVE-2020-1472 is a vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory. This vulnerability could allow an unauthenticated attacker with network access to a domain controller to completely compromise all AD identity services (Valid Accounts: Domain Accounts [T1078.002]). Malicious actors can leverage this vulnerability to compromise other devices on the network (Lateral Movement [TA0008]). Persistence Once system access has been achieved, the APT actors use abuse of legitimate credentials (Valid Account [T1078]) to log in via VPN or Remote Access Services [T1133] to maintain persistence. Mitigations Organizations with externally facing infrastructure devices that have the vulnerabilities listed in this joint cybersecurity advisory, or other vulnerabilities, should move forward with an “assume breach” mentality. As initial exploitation and escalation may be the only observable exploitation activity, most mitigations will need to focus on more traditional network hygiene and user management activities. Keep Systems Up to Date Patch systems and equipment promptly and diligently. Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. See table 1 for patch information on CVEs mentioned in this report. Table 1: Patch information for exploited CVEs Vulnerability Vulnerable Products Patch Information CVE-2018-13379 FortiOS 6.0 FortiOS 5.6   FortiOS 5.4 Fortiguard Security Advisory: FG-IR-18-384 CVE-2019-19781 Citrix Application Delivery Controller Citrix Gateway Citrix SDWAN WANOP Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0   Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3 Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0 Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5 CVE-2020-5902 Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902 CVE-2020-11510 Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15 Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15 Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX CVE-2020-15505 MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0   Sentry versions 9.7.2 and earlier, and 9.8.0;   Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier Mobile Iron Blog: MobileIron Security Updates Available CVE-2020-1631 Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1 Juniper Security Advisory JSA11021 CVE-2020-2021 PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL) Palo Alto Networks Security Advisory for CVE-2020-2021 CVE-2020-1472 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2012 Windows Server 2012 (Server Core installation) Windows Server 2012 R2 Windows Server 2016 Windows Server 2019 Windows Server 2019 (Server Core installation) Windows Server, version 1903  (Server Core installation) Windows Server, version 1909  (Server Core installation) Windows Server, version 2004   (Server Core installation) Microsoft Security Advisory for CVE-2020-1472 Comprehensive Account Resets If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised AD administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through “creative destruction,” wherein as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed on on-premise as well as Azure hosted AD instances. Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously. It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide. Create a temporary administrator account, and use this account only for all administrative actions Reset the Kerberos Ticket Granting Ticket (krbtgt) password; this must be completed before any additional actions and a second reset will take place in step 5 Wait for the krbtgt reset to propagate to all domain controllers (time may vary) Reset all account passwords (passwords should be 15 characters or more and randomly assigned): User accounts (forced reset with no legacy password reuse) Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS]) Service accounts Directory Services Restore Mode (DSRM) account Domain Controller machine account Application passwords Reset the krbtgt password again Wait for the krbtgt reset to propagate to all domain controllers (time may vary) Reboot domain controllers Reboot all endpoints The following accounts should be reset: AD Kerberos Authentication Master (2x) All Active Directory Accounts All Active Directory Admin Accounts All Active Directory Service Accounts All Active Directory User Accounts DSRM Account on Domain Controllers Non-AD Privileged Application Accounts Non-AD Unprivileged Application Accounts Non-Windows Privileged Accounts Non-Windows User Accounts Windows Computer Accounts Windows Local Admin VPN Vulnerabilities Implement the following recommendations to secure your organization’s VPNs: Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. See CISA Tips Understanding Patches and Securing Network Infrastructure Devices. Wherever possible, enable automatic updates. See table 1 for patch information on VPN-related CVEs mentioned in this report. Implement multi-factor authentication (MFA) on all VPN connections to increase security. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information. Discontinue unused VPN servers. Reduce your organization’s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. How to protect your organization against VPN vulnerabilities: Audit configuration and patch management programs. Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP). Implement MFA, especially for privileged accounts. Use separate administrative accounts on separate administration workstations. Keep software up to date. Enable automatic updates, if available.   To secure your organization’s Netlogon channel connections: Update all Domain Controllers and Read Only Domain Controllers. On August 11, 2020, Microsoft released software updates to mitigate CVE-2020-1472. Applying this update to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network). Monitor for new events, and address non-compliant devices that are using vulnerable Netlogon secure channel connections. Block public access to potentially vulnerable ports, such as 445 (SMB) and 135 (RPC). To protect your organization against this CVE, follow advice from Microsoft, including: Update your domain controllers with an update released August 11, 2020 or later. Find which devices are making vulnerable connections by monitoring event logs. Address non-compliant devices making vulnerable connections. Enable enforcement mode to address CVE-2020-1472 in your environment. How to uncover and mitigate malicious activity Collect and remove for further analysis: Relevant artifacts, logs, and data Implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered. Consider soliciting incident response support from a third-party IT security organization to: Provide subject matter expertise and technical support to the incident response, Ensure that the actor is eradicated from the network, and Avoid residual issues that could result in follow-up compromises once the incident is closed Resources CISA VPN-Related Guidance CISA Infographic: Risk Vulnerability And Assessment (RVA) Mapped to the MITRE ATT&CK FRAMEWORK National Security Agency InfoSheet: Configuring IPsec Virtual Private Networks CISA Joint Advisory: AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity CISA Activity Alert: AA20-073A: Enterprise VPN Security CISA Activity Alert: AA20-031A: Detecting Citrix CVE-2019-19781 CISA Activity Alert: AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability Cybersecurity Alerts and Advisories: Subscriptions to CISA Alerts and MS-ISAC Advisories Contact Information Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact: CISA (888-282-0870 or Central@cisa.dhs.gov), or The FBI through the FBI Cyber Division (855-292-3937 or CyWatch@fbi.gov) or a local field office   DISCLAIMER   This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information. The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.       Revisions October 9, 2020: Initial Version This product is provided subject to this Notification and this Privacy & Use policy.