HGN Alerts


"My people are destroyed for lack of knowledge...." Hosea 4:6-7

The natural, inalienable rights and legal rights of the citizenry to be accurately informed must not, by corruption, be perverted, lest that citizenry, acting on such perversion in their daily judgments, certainly suffer to their physical and spiritual detriment.

©2014 Edgar Rogers-Chairman 

hgn.news

HGNAlertSM

NATIONAL/GLOBAL/GALACTIC ALERTS AND EMERGENCY SITUATIONS

HGN News Journal™ "No Knowledge Hid That Won't Be Revealed"™

HGN News®    2021©All Rights Reserved

"For nothing is secret, that shall not be made manifest; neither any thing hid, that shall not be known and come abroad."  Luke 8:17 

"Every government degenerates when trusted to the rulers of the people alone. And even under the best forms, those entrusted with power have, in time and by slow operations, perverted it into tyranny."                             Thomas Jefferson

"...without active protest and petition, there is no protection against corrupt government and a corrupt society."     Homer Rogers/Edgar Rogers

All information is as is provided by the entity so providing and the presentation here does not constitute any endorsement by HGN News or by that entity of HGN News.

HGN News “No Truth Hid That Won’t Be Revealed”™


Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow


02/18/2021 10:29 AM EST

Original release date: February 18, 2021

Cisco has released security updates to address a vulnerability in Cisco AnyConnect Secure Mobility Client. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review Cisco Security Advisory cisco-sa-anyconnect-dll-hijac-JrcTOQMC and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

02/03/2021 08:10 AM EST

Original release date: February 3, 2021

Google has released Chrome version 88.0.4324.146 for Windows, Mac, and Linux. This version addresses multiple vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release and apply the necessary updates.

02/02/2021 11:00 AM EST

Original release date: February 2, 2021 | Last revised: February 3, 2021

CISA is aware of a vulnerability in SonicWall Secure Mobile Access (SMA) 100 series products. SMA 100 series products provide an organization’s employees with remote access to internal resources. SonicWall security and engineering teams have confirmed a zero-day vulnerability that was reported by a third-party threat research team on Sunday, January 31, 2021. This vulnerability impacts only SMA 100 series devices with firmware version 10.x, and SonicWall has released a patch that should be applied immediately to avoid potential exploitation.  

CISA encourages users and administrators to review the SonicWall security advisory and apply the necessary update as soon as possible. CISA also encourages users and administrators to monitor the SonicWall advisory for updates as new information becomes available.

As a risk-reduction measure, CISA recommends organizations implement multi-factor authentication on all virtual private network connections.  

02/04/2021 07:29 AM EST

Original release date: February 4, 2021

Cisco has released security updates to address vulnerabilities in Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following Cisco Advisories and apply the necessary updates. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

02/05/2021 09:01 AM EST

Original release date: February 5, 2021

The National Cyber Investigative Joint Task Force (NCIJTF) has released a joint-sealed ransomware factsheet to address current ransomware threats and provide information on prevention and mitigation techniques. The Ransomware Factsheet was developed by an interagency group of subject matter experts from more than 15 government agencies to increase awareness of the ransomware threats to police and fire departments; state, local, tribal, and territorial governments; and critical infrastructure entities.

To reduce the risk of public and private sector organizations falling victim to common infection vectors like those outlined in the NCIJTF factsheet, CISA launched the Reduce the Risk of Ransomware Campaign in January to provide informational resources to support organizations’ cybersecurity and data protection posture against ransomware.

CISA encourages users and administrators to review the NCIJTF Ransomware Factsheet and CISA’s Ransomware webpage for additional resources to combat ransomware attacks.

02/05/2021 09:36 AM EST

Original release date: February 5, 2021

Google has released Chrome Version 88.0.4324.150 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release and apply the necessary updates.

02/02/2021 11:00 AM EST

Original release date: February 2, 2021

CISA is aware of a vulnerability in SonicWall Secure Mobile Access (SMA) 100 series products. SMA 100 series products provide an organization’s employees with remote access to internal resources. SonicWall security and engineering teams have confirmed a zero-day vulnerability that was reported by a third-party threat research team on Sunday, January 31, 2021. This vulnerability impacts only SMA 100 series devices with firmware version 10.x, and SonicWall is working on a patch that is expected to be released by end of day Tuesday, February 2, 2021.  

Earlier reports about other zero-day vulnerabilities remain unconfirmed and are still under investigation.

CISA encourages users and administrators to review the SonicWall security advisory and apply the necessary mitigations and patches when they become available. CISA also encourages users and administrators to monitor the SonicWall advisory for updates as new information becomes available.

As a risk-reduction measure, CISA recommends organizations implement multi-factor authentication on all virtual private network connections.  

02/02/2021 07:31 AM EST

Original release date: February 2, 2021

Apple has released security updates to address vulnerabilities in macOS Big Sur 11.0.1, macOS Catalina 10.15.7, and macOS Mojave 10.14.6. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Apple security update and apply the necessary updates.

02/02/2021 07:30 AM EST

Original release date: February 2, 2021

Sudo has released an advisory addressing a heap-based buffer overflow vulnerability—CVE-2021-3156—affecting sudo legacy versions 1.8.2 through 1.8.31p2 and stable versions 1.9.0 through 1.9.5p1. Sudo is a utility included in many Unix- and Linux-based operating systems that allows a user to run programs with the security privileges of another user. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to update to sudo version 1.9.5p2, refer to vendors for available patches, and review the following resources for additional information.

01/12/2021 10:04 AM EST

Original release date: January 12, 2021

SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the SAP Security Notes for January 2021 and apply the necessary updates.

01/12/2021 10:22 AM EST

Original release date: January 12, 2021

The National Security Agency (NSA) Cybersecurity Directorate has released its 2020 Year in Review, outlining key milestones and mission outcomes achieved during NSA Cybersecurity’s first full year of existence. Highlights include NSA Cybersecurity’s contributions to the 2020 elections, Operation Warp Speed, and the Department of Defense’s pandemic-influenced transition to telework.

For further details on those and other accomplishments, CISA encourages users and administrators to read the NSA Cybersecurity 2020 Year in Review.

01/12/2021 10:07 AM EST

Original release date: January 12, 2021

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.

01/12/2021 10:15 AM EST

Original release date: January 12, 2021

Mozilla has released a security update to address a vulnerability in Thunderbird. An attacker could exploit this vulnerability to take control of an affected system.  

CISA encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 78.6.1 and apply the necessary update.

01/12/2021 03:35 PM EST

Original release date: January 12, 2021

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s January 2021 Security Update Summary and Deployment Information and apply the necessary updates.

Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments

Original release date: January 13, 2021

CISA is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors used a variety of tactics and techniques, including phishing and brute force logins, to attempt to exploit weaknesses in cloud security practices.

In response, CISA has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services which provides technical details and indicators of compromise to help detect and respond to potential attacks.

CISA encourages users and administrators to review AR21-013A and apply the recommendations to strengthen cloud environment configurations.

01/14/2021 08:25 AM EST

Original release date: January 14, 2021

Cisco has released security updates to address vulnerabilities in Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities see the Cisco Security Advisories page.

CISA encourages users and administrators to review the following Cisco Advisories and apply the necessary updates:

01/14/2021 08:23 AM EST

Original release date: January 14, 2021

Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.

01/14/2021 08:30 AM EST

Original release date: January 14, 2021

Microsoft has released a security advisory to address a remote code execution vulnerability, CVE-2021-1647, in Microsoft Defender. A remote attacker can exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.

CISA encourages users and administrators to review Microsoft Advisory for CVE-2021-1647 and apply the necessary updates. 

01/15/2021 10:43 AM EST

Original release date: January 15, 2021

The Apache Software Foundation has released a security advisory to address a vulnerability affecting multiple versions of Apache Tomcat. An attacker could exploit this vulnerability to obtain sensitive information.   

CISA encourages users and administrators to review the Apache security advisory for CVE-2021-24122 and upgrade to the appropriate version.  

01/15/2021 04:00 PM EST

Original release date: January 15, 2021

The National Security Agency (NSA) has released an information sheet with guidance on adopting encrypted Domain Name System (DNS) over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), referred to as DNS over HTTPS (DoH). When configured appropriately, strong enterprise DNS controls can help prevent many initial access, command and control, and exfiltration techniques used by threat actors.

CISA encourages enterprise owners and administrators to review the NSA Info Sheet: Adopting Encrypted DNS in Enterprise Environments and consider implementing the recommendations to enhance DNS security.

01/21/2021 07:13 AM EST

Original release date: January 21, 2021

CISA and the CERT Coordination Center (CERT/CC) are aware of multiple vulnerabilities affecting Dnsmasq version 2.82 and prior. Dnsmasq is a widely-used, open-source software that provides Domain Name Service forwarding and caching and is common in Internet-of-Things (IoT) and other embedded devices. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and vendors of IoT and embedded devices that use Dnsmasq to review CERT/CC VU#434904 and CISA ICSA-21-019-01 for more information and to apply the necessary update. Refer to vendors for appropriate patches, when available.

01/21/2021 07:15 AM EST

Original release date: January 21, 2021

Drupal has released security updates to address a vulnerability affecting Drupal. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review Drupal Advisory SA-CORE-2021-001 and apply the necessary updates or mitigations.

01/21/2021 07:10 AM EST

Original release date: January 21, 2021

Oracle has released its Critical Patch Update for January 2021 to address 329 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Oracle January 2021 Critical Patch Update and apply the necessary updates.

01/21/2021 07:16 AM EST

Original release date: January 21, 2021

Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

CISA encourages users and administrators to review the following Cisco Advisories and apply the necessary updates:

01/21/2021 07:12 AM EST

Original release date: January 21, 2021

Google has released Chrome version 88.0.4324.96 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release and apply the necessary updates.

01/26/2021 05:17 PM EST

Original release date: January 26, 2021

The Federal Trade Commission (FTC) has released information on scammers attempting to impersonate the FTC. The scammers operate an FTC-spoofed website that claims to provide instant cash payments and tries to trick consumers into disclosing their financial information. The real FTC does not require such information and scammers can use this information to steal consumers’ money and identities.

CISA encourages consumers to review the FTC blog post and CISA’s Security Tips on Avoiding Social Engineering and Phishing Attacks and Preventing and Responding to Identity Theft.

01/27/2021 08:53 AM EST

Original release date: January 27, 2021

Apple has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users to review the Apple security pages for the following products and apply the necessary updates.

01/27/2021 09:06 AM EST

Original release date: January 27, 2021

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Mozilla Security Advisories for Firefox 85, Firefox ESR 78.7, and Thunderbird 78.7 and apply the necessary updates.

01/27/2021 07:43 AM EST

Original release date: January 27, 2021

CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts. Supernova is not part of the SolarWinds supply chain attack described in Alert AA20-352A.

CISA encourages users and administrators to review Malware Analysis Report MAR-10319053-1.v1 and the SolarWinds advisory for more information on Supernova.

01/11/2021 01:16 PM EST

Original release date: January 11, 2021

Microsoft has released a security update to address multiple vulnerabilities in Edge (Chromium-based). An attacker could exploit some of these vulnerabilities to take control of an affected system.  

CISA encourages users and administrators to review the latest entry for Microsoft Security Advisory ADV200002 and apply the necessary updates. 

01/07/2021 11:13 AM EST

Original release date: January 7, 2021

Google has released Chrome version 87.0.4280.141 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release and apply the necessary updates.

01/07/2021 11:17 AM EST

Original release date: January 7, 2021

Mozilla has released security updates to address a vulnerability in Firefox, Firefox for Android, and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system.  

CISA encourages users and administrators to review the Mozilla Security Advisory and apply the necessary updates.

01/08/2021 10:09 AM EST

Original release date: January 8, 2021

The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released an advisory on a vulnerability in Zyxel firewalls and AP controllers. A remote attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review the MS-ISAC Advisory 2021-001 and Zyxel Security Advisory for CVE-2020-29583 and apply the necessary updates and mitigation recommendations.

01/08/2021 01:13 PM EST

Original release date: January 8, 2021

CISA has evidence of post-compromise advanced persistent threat (APT) activity in the cloud environment. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment and using additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. This activity is in addition to what has been previously detailed in AA20-352A.

In response, CISA has released AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments to describe this malicious APT activity and offer guidance on three open-source tools—including a CISA-developed tool, Sparrow, released on December 24. Network defenders can use these tools to help detect and remediate malicious APT actor activity as part of the ongoing supply chain compromise.

CISA strongly encourages users and administrators to review the Activity Alert for additional information and detection countermeasures.

01/05/2021 05:18 PM EST

Original release date: January 5, 2021

The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet on eliminating obsolete Transport Layer Security (TLS) configurations. The information sheet identifies strategies to detect obsolete cipher suites and key exchange mechanisms, discusses recommended TLS configurations, and provides remediation recommendations for organizations using obsolete TLS configurations.

CISA encourages administrators and users to review NSA's CSI sheet on Eliminating Obsolete TLS Protocol Configurations for more information.

01/06/2021 01:20 PM EST

Original release date: January 6, 2021

CISA has released Emergency Directive (ED) 21-01 Supplemental Guidance version 3: Mitigate SolarWinds Orion Code Compromise, providing guidance that supersedes Required Action 4 of ED 21-01 and Supplemental Guidance versions 1 and 2.

  • Federal agencies without evidence of adversary follow-on activity on their networks that accept the risk of running SolarWinds Orion in their enterprises should rebuild or upgrade, in compliance with hardening steps outlined in the Supplemental Guidance, to at least SolarWinds Orion Platform version 2020.2.1 HF2. The National Security Agency (NSA) examined this version and verified it eliminates the previously identified malicious code. This version also includes updates to fix unrelated vulnerabilities, including vulnerabilities that SolarWinds has publicly disclosed.
  • Federal agencies with evidence of follow-on threat actor activity on their networks should keep their affected versions disconnected, conduct forensic analysis, and consult with CISA before rebuilding or reimaging affected platforms and host operating systems.

The updated supplemental guidance also includes forensic analysis and reporting requirements.

CISA has also updated AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, originally released December 17, 2020. This update includes new information on initial access vectors, updated mitigation recommendations, and new indicators of compromise (IOCs).

Although the Emergency Directive only applies to Federal Civilian Executive Branch agencies, CISA encourages state and local governments, critical infrastructure entities, and other private sector organizations to review CISA Emergency Directive 21-01 - Supplemental Guidance v.3 for recommendations on operating the SolarWinds Orion Platform. Review the following resources for additional information on the SolarWinds Orion compromise.

12/24/2020 07:19 PM EST

Original release date: December 24, 2020

CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.

CISA strongly encourages users and administrators to visit the following GitHub page for additional information and detection countermeasures.

12/23/2020 12:55 PM EST

Original release date: December 23, 2020

CISA is tracking a known compromise involving SolarWinds Orion products that are currently being exploited by a malicious actor. An advanced persistent threat (APT) actor is responsible for compromising the SolarWinds Orion software supply chain, as well as widespread abuse of commonly used authentication mechanisms. If left unchecked, this threat actor has the resources, patience, and expertise to resist eviction from compromised networks and continue to hold affected organizations at risk.

In response to this threat, CISA has issued CISA Insights: What Every Leader Needs to Know About the Ongoing APT Cyber Activity. This CISA Insights provides information to leaders on the known risk to organizations and actions that they can take to prioritize measures to identify and address these threats.

CISA has also created a new Supply Chain Compromise webpage to consolidate the many resources—including Emergency Directive (ED) 21-01 and Activity Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations—that we have released on this compromise. CISA will update the webpage to include partner resources that are of value to the cyber community.

To read the latest CISA Insights, visit CISA.gov/insights. For more information on the SolarWinds Orion software compromise, visit CISA.gov/supply-chain-compromise.

12/16/2020 01:42 PM EST

Original release date: December 16, 2020

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.  

CISA encourages users and administrators to review the Mozilla Security Advisories for Firefox 84, Firefox ESR 78.6, and Thunderbird 78.6 and apply the necessary updates.  

12/17/2020 09:54 PM EST
Original release date: December 17, 2020

The National Security Agency (NSA) has released a cybersecurity advisory on detecting abuse of authentication mechanisms. This advisory describes tactics, techniques, and procedures used by malicious cyber actors to access protected data in the cloud and provides guidance on defending against and detecting such activity.

CISA encourages users and administrators to review the NSA cybersecurity advisory and CISA Activity Alert AA20-352A and take the appropriate mitigation actions.


12/19/2020 02:29 PM EST
Original release date: December 19, 2020

CISA has updated AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, originally released December 17. This update states that CISA has evidence of, and is currently investigating, initial access vectors in addition to those attributed to the SolarWinds Orion supply chain compromise. This update also provides new mitigation guidance and revises the indicators of compromise table; it also includes a downloadable STIX file of the IOCs.

In addition, CISA has released supplemental guidance to Emergency Directive (ED) 21-01, providing new information on affected versions, new guidance for agencies using third-party service providers, and additional clarity on required actions.

CISA encourages users and administrators to review the following resources for additional information on the SolarWinds Orion compromise.


12/15/2020 11:54 AM EST

Original release date: December 15, 2020

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:


Active Exploitation of SolarWinds Software

12/13/2020 10:23 PM EST

Original release date: December 13, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, released between March 2020 and June 2020.

CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures:


12/11/2020 11:04 AM EST

Original release date: December 11, 2020

Cisco has released security updates to address vulnerabilities in Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Cisco Security Advisory cisco-sa-jabber-ZktzjpgO and apply the necessary updates.


Alert (AA20-345A)

Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data

Original release date: December 10, 2020

Summary

This Joint Cybersecurity Advisory was coauthored by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The FBI, CISA, and MS-ISAC assess malicious cyber actors are targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services. Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments.

Click here for a PDF version of this report.

Technical Details

As of December 2020, the FBI, CISA, and MS-ISAC continue to receive reports from K-12 educational institutions about the disruption of distance learning efforts by cyber actors.

Ransomware

The FBI, CISA, and MS-ISAC have received numerous reports of ransomware attacks against K-12 educational institutions. In these attacks, malicious cyber actors target school computer systems, slowing access, and—in some instances—rendering the systems inaccessible for basic functions, including distance learning. Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen—and threatened to leak—confidential student data to the public unless institutions pay a ransom.

According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July.

The five most common ransomware variants identified in incidents targeting K-12 schools between January and September 2020—based on open source information as well as victim and third-party incident reports made to MS-ISAC—are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil.

Malware

Figure 1 identifies the top 10 malware strains that have affected state, local, tribal, and territorial (SLTT) educational institutions over the past year (up to and including September 2020). Note: These malware variants are purely opportunistic as they not only affect educational institutions but other organizations as well.

ZeuS and Shlayer are among the most prevalent malware affecting K-12 schools.

  • ZeuS is a Trojan with several variants that targets Microsoft Windows operating systems. Cyber actors use ZeuS to infect target machines and send stolen information to command-and-control servers.
  • Shlayer is a Trojan downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malicious advertising posing as a fake Adobe Flash updater. Note: Shlayer is the only malware of the top 10 that targets MacOS; the other 9 affect Microsoft Windows operating systems.

Figure 1: Top 10 malware affecting SLTT educational institutions

Distributed Denial-of-Service Attacks

Cyber actors are causing disruptions to K-12 educational institutions—including third-party services supporting distance learning—with distributed denial-of-service (DDoS) attacks, which temporarily limit or prevent users from conducting daily operations. The availability of DDoS-for-hire services provides opportunities for any motivated malicious cyber actor to conduct disruptive attacks regardless of experience level. Note: DDoS attacks overwhelm servers with a high level of internet traffic originating from many different sources, making it impossible to mitigate at a single source.

Video Conference Disruptions

Numerous reports received by the FBI, CISA, and MS-ISAC since March 2020 indicate uninvited users have disrupted live video-conferenced classroom sessions. These disruptions have included verbally harassing students and teachers, displaying pornography and/or violent images, and doxing meeting attendees (Note: doxing is the act of compiling or publishing personal information about an individual on the internet, typically with malicious intent). To enter classroom sessions, uninvited users have been observed:

  • Using student names to trick hosts into accepting them into class sessions, and
  • Accessing meetings from either publicly available links or links shared with outside users (e.g., students sharing links and/or passwords with friends).

Video conference sessions without proper control measures risk disruption or compromise of classroom conversations and exposure of sensitive information.

Additional Risks and Vulnerabilities

In addition to the recent reporting of distance learning disruptions received by the FBI, CISA, and MS-ISAC, malicious cyber actors are expected to continue seeking opportunities to exploit the evolving remote learning environment.

Social Engineering

Cyber actors could apply social engineering methods against students, parents, faculty, IT personnel, or other individuals involved in distance learning. Tactics, such as phishing, trick victims into revealing personal information (e.g., password or bank account information) or performing a task (e.g., clicking on a link). In such scenarios, a victim could receive what appears to be legitimate email that:

  • Requests personally identifiable information (PII) (e.g., full name, birthdate, student ID),
  • Directs the user to confirm a password or personal identification number (PIN),
  • Instructs the recipient to visit a website that is compromised by the cyber actor, or
  • Contains an attachment with malware.

Cyber actors also register web domains that are similar to legitimate websites in an attempt to capture individuals who mistype URLs or click on similar looking URLs. These types of attacks are referred to as domain spoofing or homograph attacks. For example, a user wanting to access www.cottoncandyschool.edu could mistakenly click on www.cottencandyschool.edu (changed “o” to an “e”) or www.cottoncandyschoo1.edu (changed letter “l” to a number “1”) (Note: this is a fictitious example to demonstrate how a user can mistakenly click and access a website without noticing subtle changes in website URLs). Victims believe they are on a legitimate website when, in reality, they are visiting a site controlled by a cyber actor.
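
The look-alike domains described above can be caught mechanically. The following is an added example, not code from the advisory: it classifies observed hostnames against a school's legitimate domain as typosquats (one edit away), homoglyph swaps (look-alike characters such as "1" for "l" and "0" for "o"), or TLD swaps. cottoncandyschool.edu is the advisory's own fictitious domain; the observed hostnames, the glyph table, and the one-edit threshold are assumptions made for this demonstration.

```python
"""Flag look-alike hostnames (typosquats, homoglyph swaps, TLD swaps) against a
school's legitimate domain.

Added example; not code from the advisory. cottoncandyschool.edu is the
advisory's own fictitious domain; the observed hostnames, the glyph table and
the distance threshold are assumptions made for this demonstration.
"""

# Look-alike glyph pairs in typical sans-serif fonts (assumption: a small illustrative set).
# Multi-character pairs are applied first so "rn" collapses to "m" before single swaps.
GLYPH_MAP = {"rn": "m", "vv": "w", "1": "l", "0": "o"}


def normalize_glyphs(label: str) -> str:
    """Collapse look-alike glyphs so 'cottoncandyschoo1' compares equal to 'cottoncandyschool'."""
    out = label
    for look_alike, canonical in GLYPH_MAP.items():
        out = out.replace(look_alike, canonical)
    return out


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(host: str):
    """Return (second-level label, tld) of a hostname; assumes a single-label TLD like .edu."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified name: {host}")
    return labels[-2], labels[-1]


def classify(observed: str, legitimate: str, max_edits: int = 1) -> str:
    """Classify an observed hostname relative to the legitimate domain."""
    label, tld = split_domain(observed)
    ref_label, ref_tld = split_domain(legitimate)
    if label == ref_label:
        return "legitimate" if tld == ref_tld else "tld-swap"
    if normalize_glyphs(label) == normalize_glyphs(ref_label):
        return "homoglyph"
    if osa_distance(label, ref_label) <= max_edits:
        return "typosquat"
    return "unrelated"


def scan(observed_hosts, legitimate: str) -> dict:
    """Map each suspicious hostname to its verdict; legitimate names are dropped."""
    findings = {}
    for host in observed_hosts:
        verdict = classify(host, legitimate)
        if verdict != "legitimate":
            findings[host] = verdict
    return findings


LEGITIMATE = "www.cottoncandyschool.edu"

# Constructed sample: hostnames as they might appear in DNS or proxy logs.
OBSERVED = [
    "www.cottoncandyschool.edu",
    "mail.cottoncandyschool.edu",
    "www.cottencandyschool.edu",   # o -> e typo (advisory example)
    "www.cottoncandyschoo1.edu",   # l -> 1 homoglyph (advisory example)
    "c0ttoncandyschool.edu",       # o -> 0 homoglyph
    "www.cottoncandyschool.com",   # same label, different TLD
    "cottoncandyschoool.edu",      # one extra character
    "www.example.edu",
]

if __name__ == "__main__":
    for host, verdict in scan(OBSERVED, LEGITIMATE).items():
        print(f"{verdict:10s} {host}")
```

Run against DNS query logs or newly registered domain feeds, the "unrelated" bucket is noise and the other three are candidates for blocking at the resolver or proxy; a one-edit threshold is deliberately tight because longer labels accumulate accidental near-matches.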

Technology Vulnerabilities and Student Data

Whether as collateral for ransomware attacks or to sell on the dark web, cyber actors may seek to exploit the data-rich environment of student information in schools and education technology (edtech) services. The need for schools to rapidly transition to distance learning likely contributed to cybersecurity gaps, leaving schools vulnerable to attack. In addition, educational institutions that have outsourced their distance learning tools may have lost visibility into data security measures. Cyber actors could view the increased reliance on—and sharp usership growth in—these distance learning services and student data as lucrative targets.

Open/Exposed Ports

The FBI, CISA, and MS-ISAC frequently see malicious cyber actors exploiting exposed Remote Desktop Protocol (RDP) services to gain initial access to a network and, often, to manually deploy ransomware. For example, cyber actors will attack ports 445 (Server Message Block [SMB]) and 3389 (RDP) to gain network access. They are then positioned to move laterally throughout a network (often using SMB), escalate privileges, access and exfiltrate sensitive information, harvest credentials, or deploy a wide variety of malware. This popular attack vector allows cyber actors to maintain a low profile, as they are using a legitimate network service that provides them with the same functionality as any other remote user.

End-of-Life Software

End-of-Life (EOL) software is regularly exploited by cyber actors—often to gain initial access, deface websites, or further their reach in a network. Once a product reaches EOL, customers no longer receive security updates, technical support, or bug fixes. Unpatched and vulnerable servers are likely to be exploited by cyber actors, hindering an organization’s operational capacity.

Mitigations

Plans and Policies

The FBI and CISA encourage educational providers to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, institutions may be unable to continue teaching and administrative operations. Evaluating continuity and capability will help identify potential operational gaps. Through identifying and addressing these gaps, institutions can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. The FBI and CISA suggest K-12 educational institutions review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by cyber actors.

Network Best Practices

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check the configuration of every operating system version on institution-owned assets so that problems do not arise that local users cannot fix themselves because local administration is disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and close those that are not needed.
  • Identify critical assets such as student database servers and distance learning infrastructure; create backups of these systems and house the backups offline from the network.
  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
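
The Open/Exposed Ports section above describes actors brute-forcing exposed RDP, logging in, and then creating accounts, and the list asks administrators to monitor RDP logs and audit new accounts. The following is an added example, not code from the advisory, showing that detection over constructed Windows Security events: a burst of failed RemoteInteractive logons (EventID 4625, LogonType 10) from one source, a successful logon (4624) from that same source, and a subsequent account creation (4720). The record format, the burst threshold and window, and the allowlisted management network are assumptions made for this demonstration.

```python
"""Detect RDP brute-force activity and follow-on account creation in Windows
Security log events.

Added example; not code from the advisory. The records below are constructed.
Field names mirror Windows Security event fields: EventID 4625 = failed logon,
4624 = successful logon, 4720 = user account created, LogonType 10 =
RemoteInteractive (RDP). The burst threshold, window and the management
network range are assumptions for this demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5                                   # assumption: failures per window that count as a burst
WINDOW = timedelta(minutes=5)                        # assumption: sliding window length
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: where admins are expected to RDP from

# Constructed sample log, one 'key=value|key=value' record per line.
SAMPLE_LOG = """
TimeCreated=2020-12-01T02:00:00|EventID=4625|LogonType=10|IpAddress=203.0.113.7|TargetUserName=administrator
TimeCreated=2020-12-01T02:00:05|EventID=4625|LogonType=10|IpAddress=203.0.113.7|TargetUserName=admin
TimeCreated=2020-12-01T02:00:11|EventID=4625|LogonType=10|IpAddress=203.0.113.7|TargetUserName=teacher1
TimeCreated=2020-12-01T02:00:17|EventID=4625|LogonType=10|IpAddress=203.0.113.7|TargetUserName=helpdesk
TimeCreated=2020-12-01T02:00:23|EventID=4625|LogonType=10|IpAddress=203.0.113.7|TargetUserName=backup
TimeCreated=2020-12-01T02:01:40|EventID=4624|LogonType=10|IpAddress=203.0.113.7|TargetUserName=backup
TimeCreated=2020-12-01T02:05:00|EventID=4720|SubjectUserName=backup|TargetUserName=svc_update
TimeCreated=2020-12-01T08:30:00|EventID=4624|LogonType=10|IpAddress=10.20.4.15|TargetUserName=itadmin
TimeCreated=2020-12-01T09:00:00|EventID=4625|LogonType=2|IpAddress=10.20.4.15|TargetUserName=itadmin
"""


def parse_events(lines):
    """Parse the constructed record format into dicts, sorted by time."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.strip().split("|"))
        rec["EventID"] = int(rec["EventID"])
        rec["LogonType"] = int(rec.get("LogonType", -1))   # 4720 records carry no logon type
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return sorted(events, key=lambda e: e["TimeCreated"])


def is_management_source(ip: str) -> bool:
    """True if the source address is inside an allowlisted administrative range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def detect(events):
    """Return (finding, subject, detail) tuples in the order they are raised."""
    findings = []
    recent_failures = defaultdict(deque)   # source IP -> timestamps of RDP failures in window
    bursting = set()                       # sources that already tripped the burst threshold
    for e in events:
        t, eid = e["TimeCreated"], e["EventID"]
        if eid == 4625 and e["LogonType"] == RDP_LOGON_TYPE:
            ip = e["IpAddress"]
            window = recent_failures[ip]
            window.append(t)
            while window and t - window[0] > WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ip not in bursting:
                bursting.add(ip)
                findings.append(("rdp_bruteforce", ip, t))
        elif eid == 4624 and e["LogonType"] == RDP_LOGON_TYPE:
            ip, user = e["IpAddress"], e["TargetUserName"]
            if ip in bursting:
                # a success after a burst from the same source is the case that matters most
                findings.append(("bruteforce_success", ip, user))
            elif not is_management_source(ip):
                findings.append(("rdp_from_unexpected_source", ip, user))
        elif eid == 4720:
            # every new account gets reviewed; here it follows a suspicious RDP logon
            findings.append(("account_created", e["SubjectUserName"], e["TargetUserName"]))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG.splitlines())):
        print(*finding)
```

The interactive (LogonType 2) failure from the management range is ignored on purpose: the rule is scoped to the exposed-service path the advisory describes, and a source that has already tripped the burst threshold is not re-alerted until the analyst clears it.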

User Awareness Best Practices

  • Focus on awareness and training. Because end users are targeted, make employees and students aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.
  • Monitor privacy settings and information available on social networking sites.

Ransomware Best Practices

The FBI and CISA do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, regardless of whether your organization decided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing so provides the FBI with the critical information they need to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law.

In addition to implementing the above network best practices, the FBI and CISA also recommend the following:

  • Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

Denial-of-Service Best Practices

  • Consider enrolling in a denial-of-service mitigation service that detects abnormal traffic flows and redirects traffic away from your network.
  • Create a partnership with your local internet service provider (ISP) prior to an event and work with your ISP to control network traffic attacking your network during an event.
  • Configure network firewalls to block unauthorized IP addresses and disable port forwarding.

Video-Conferencing Best Practices

  • Ensure participants use the most updated version of remote access/meeting applications.
  • Require passwords for session access.
  • Encourage students to avoid sharing passwords or meeting codes.
  • Establish a vetting process to identify participants as they arrive, such as a waiting room.
  • Establish policies to require participants to sign in using true names rather than aliases.
  • Ensure only the host controls screensharing privileges.
  • Implement a policy to prevent participants from entering rooms prior to host arrival and to prevent the host from exiting prior to the departure of all participants.

Edtech Implementation Considerations

When partnering with third-party and edtech services to support distance learning, educational institutions should consider the following:

  • The service provider’s cybersecurity policies and response plan in the event of a breach and their remediation practices:
    • How did the service provider resolve past cyber incidents? How did their cybersecurity practices change after these incidents?
  • The provider’s data security practices for their products and services (e.g., data encryption in transit and at rest, security audits, security training of staff, audit logs);
  • The provider’s data maintenance and storage practices (e.g., use of company servers, cloud storage, or third-party services);
  • Types of student data the provider collects and tracks (e.g., PII, academic, disciplinary, medical, biometric, IP addresses);
  • Entities to whom the provider will grant access to the student data (e.g., vendors);
  • How the provider will use student data (e.g., will they sell it to—or share it with—third parties for service enhancement, new product development, studies, marketing/advertising?);
  • The provider’s de-identification practices for student data; and
  • The provider’s policies on data retention and deletion.

Malware Defense

Table 1 identifies CISA-created Snort signatures, which have been successfully used to detect and defend against related attacks, for the malware variants listed below. Note: the listing is not fully comprehensive and should not be used to the exclusion of other detection methods.

Table 1: Malware signatures

Malware    Signature
NanoCore
Cerber
Kovter
Dridex

(The signature files themselves are not reproduced on this page.)

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting organization; and a designated point of contact.

To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.

Resources

MS-ISAC membership is open to employees or representatives from all public K-12 education entities in the United States. The MS-ISAC provides multiple cybersecurity services and benefits to help K-12 education entities increase their cybersecurity posture. To join, visit https://learn.cisecurity.org/ms-isac-registration.

Note: contact your local FBI field office (www.fbi.gov/contact-us/field) for additional FBI products on ransomware, edtech, and cybersecurity for educational institutions.

Revisions

Initial Version: December 10, 2020


12/10/2020 12:23 PM EST

Original release date: December 10, 2020

Adobe has released security updates to address a vulnerability in Acrobat and Reader. An attacker could exploit this vulnerability to obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletin APSB20-75 and apply the necessary updates.


12/09/2020 09:07 AM EST

Original release date: December 9, 2020

The Australian Cyber Security Centre (ACSC) has launched a new cyber security campaign encouraging all Australians to protect themselves against online threats. The initial focus of the campaign is ransomware threats, and the ACSC provides easy-to-follow security advice at cyber.gov.au to help Australians act now and stay secure.  

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the official ACSC campaign announcement for more information and to consult CISA’s ransomware page for additional guidance and resources.  


12/09/2020 09:12 AM EST

Original release date: December 9, 2020

The United Kingdom (UK) National Cyber Security Centre (NCSC) has launched a new cyber security campaign encouraging the public to adopt six behaviors to stay safe online.

The six Cyber Aware behaviors recommended by the NCSC are:

  1. Use a separate password for your email
  2. Create strong passwords using three random words
  3. Save your passwords in your browser
  4. Turn on multi-factor authentication
  5. Update your devices
  6. Back up your data

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the official NCSC website as well as CISA’s Tips page for more information and additional resources.

12/07/2020 07:41 AM EST

Original release date: December 7, 2020

Cisco has released a security advisory on an arbitrary code execution vulnerability—CVE-2020-3556—in the interprocess communication (IPC) channel of the Cisco AnyConnect Secure Mobility Client software. An authenticated, local attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco Security Advisory and apply the necessary updates or workarounds.


12/08/2020 09:38 AM EST

Original release date: December 8, 2020

SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. These include a missing authentication check vulnerability affecting SAP NetWeaver AS JAVA (P2P Cluster Communication).

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the SAP Security Notes for December 2020 and apply the necessary updates.


12/08/2020 10:22 AM EST

Original release date: December 8, 2020

The Apache Software Foundation has released a security update to address a vulnerability in Apache Struts versions 2.0.0 to 2.5.25. A remote attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Apache Security Bulletin S2-061 and apply the necessary update or workaround.


12/08/2020 10:48 AM EST

Original release date: December 8, 2020

The CERT Coordination Center (CERT/CC) has released information on 33 vulnerabilities, known as AMNESIA:33, affecting multiple embedded open-source Transmission Control Protocol/Internet Protocol (TCP/IP) stacks. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CERT/CC Vulnerability Note VU#815128 and CISA Advisory ICSA-20-343-01 for more information and to apply the recommended mitigations. Refer to vendors for appropriate patches, when available.


12/08/2020 01:26 PM EST

Original release date: December 8, 2020

Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s December 2020 Security Update Summary and Deployment Information and apply the necessary updates.


12/08/2020 01:50 PM EST

Original release date: December 8, 2020

Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.


12/08/2020 03:39 PM EST

Original release date: December 8, 2020

FireEye has released a blog addressing unauthorized access to their Red Team’s tools by a highly sophisticated threat actor. Red Team tools are often used by cybersecurity organizations to evaluate the security posture of enterprise systems. Although the Cybersecurity and Infrastructure Security Agency (CISA) has not received reporting of these tools being maliciously used to date, unauthorized third-party users could abuse these tools to take control of targeted systems. The exposed tools do not contain zero-day exploits.

CISA recommends cybersecurity practitioners review FireEye’s two blog posts for more information and FireEye’s GitHub repository for detection countermeasures:


12/07/2020 11:25 AM EST

Original release date: December 7, 2020

The National Security Agency (NSA) has released a Cybersecurity Advisory on Russian state-sponsored actors exploiting CVE-2020-4006, a command-injection vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. The actors were found exploiting this vulnerability to access protected data on affected systems. The NSA advisory provides mitigation and detection guidance.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources and apply the necessary updates and detection guidance.


12/08/2020 07:39 PM EST

Original release date: December 8, 2020

OpenSSL has released a security update to address a vulnerability affecting OpenSSL 1.1.1 versions before 1.1.1i and all versions of OpenSSL 1.0.2. An attacker could exploit this vulnerability to cause a denial-of-service condition.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the OpenSSL Security Advisory and apply the necessary update.


12/04/2020 12:58 PM EST

Original release date: December 4, 2020

The Apache Software Foundation has released a security advisory to address a vulnerability in Apache Tomcat. An attacker could exploit this vulnerability to cause a denial-of-service condition.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apache security advisory for CVE-2020-17527 and upgrade to the appropriate version.


12/04/2020 10:42 AM EST

Original release date: December 4, 2020

Google has released Chrome version 87.0.4280.88 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

12/03/2020 03:02 PM EST

Original release date: December 3, 2020

Iranian cyber threat actors have been continuously improving their offensive cyber capabilities. They continue to engage in more conventional offensive cyber activities ranging from website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information (PII), to more advanced activities—including social media-driven influence operations, destructive malware, and, potentially, cyber-enabled kinetic attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Joint Cybersecurity Advisory AA20-259A: Iran-Based Threat Actor Exploits VPN Vulnerabilities and Activity Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities for information on known Iranian advanced persistent threat (APT) actor tactics, techniques, and procedures (TTPs).

For more information on Iranian cyber threats, review the following products.


12/03/2020 05:11 PM EST

Original release date: December 3, 2020

VMware has released security updates to address a vulnerability—CVE-2020-4006—in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. An attacker could exploit this vulnerability to take control of an affected system. 

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0027.2 and apply the necessary updates. 


12/03/2020 07:58 AM EST

Original release date: December 3, 2020

Apple has released security updates to address vulnerabilities in iCloud for Windows. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security page for iCloud for Windows 11.5 and apply the necessary updates.


12/03/2020 06:00 AM EST
Original release date: December 3, 2020

IBM X-Force has released a report on malicious cyber actors targeting the COVID-19 cold chain—an integral part of delivering and storing a vaccine at safe temperatures. Impersonating a biomedical company, cyber actors are sending phishing and spearphishing emails to executives and global organizations involved in vaccine storage and transport to harvest account credentials. The emails have been posed as requests for quotations for participation in a vaccine program.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages Operation Warp Speed (OWS) organizations and organizations involved in vaccine storage and transport to review the IBM X-Force report Attackers Are Targeting the COVID-19 Vaccine Cold Chain for more information, including indicators of compromise. For tips on avoiding social engineering and phishing attacks, see CISA Insights: Enhance Email & Web Security.


12/02/2020 10:47 AM EST

Original release date: December 2, 2020

Xerox has released security updates for DocuShare 6.6.1, 7.0, and 7.5 to address a vulnerability that could allow an unauthenticated attacker to obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) urges users and administrators to review Xerox Mini Bulletin XRX20W and apply the necessary updates.


12/02/2020 10:49 AM EST

Original release date: December 2, 2020

Mozilla has released a security update to address a vulnerability in Thunderbird. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 78.5.1 and apply the necessary update.


12/03/2020 08:10 AM EST

Original release date: December 3, 2020

The United Kingdom (UK) National Cyber Security Centre (NCSC) has released its Annual Review 2020, which focuses on its response to evolving and challenging cyber threats. Recognizing cybersecurity as a “team sport,” the publication includes highlights of NCSC’s collaboration with many partners, including the Cybersecurity and Infrastructure Security Agency (CISA). A few examples:


11/27/2020 11:00 AM EST
Original release date: November 27, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of the possible exposure of passwords on Fortinet devices that are vulnerable to CVE-2018-13379. Exploitation of this vulnerability may allow an unauthenticated attacker to access FortiOS system files. Potentially affected devices may be located in the United States.

Fortinet has released a security advisory to highlight mitigation of this vulnerability. CISA encourages users and administrators to review the advisory and apply the necessary updates immediately. Additionally, CISA recommends Fortinet users conduct a thorough review of logs on any connected networks to detect any additional threat actor activity.


11/27/2020 10:53 AM EST
Original release date: November 27, 2020

Drupal has released security updates to address vulnerabilities in Drupal 7, 8.8 and earlier, 8.9, and 9.0. An attacker could exploit these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Drupal Advisory SA-CORE-2020-013 and apply the necessary updates.


11/23/2020 02:14 PM EST

Original release date: November 23, 2020

VMware has released workarounds to address a vulnerability—CVE-2020-4006—in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency encourages users and administrators to review VMware Security Advisory VMSA-2020-0027 and apply the necessary workarounds.


11/24/2020 07:08 AM EST

Original release date: November 24, 2020

With more commerce occurring online this year, and with the holiday season upon us, the Cybersecurity and Infrastructure Security Agency (CISA) reminds shoppers to remain vigilant. Be especially cautious of fraudulent sites spoofing reputable businesses, unsolicited emails purporting to be from charities, and unencrypted financial transactions.

CISA encourages online holiday shoppers to review the following resources.

If you believe you are a victim of a scam, consider the following actions.


11/19/2020 10:04 AM EST

Original release date: November 19, 2020

Cisco has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates.

For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

11/19/2020 10:09 AM EST

Original release date: November 19, 2020

Drupal has released security updates to address a critical vulnerability in Drupal 7, 8.8 and earlier, 8.9, and 9.0. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Drupal Advisory SA-CORE-2020-012, apply the necessary updates, and follow the additional recommendation.


11/19/2020 10:12 AM EST

Original release date: November 19, 2020

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 83, Firefox ESR 78.5, and Thunderbird 78.5 and apply the necessary updates.


11/19/2020 10:10 AM EST

Original release date: November 19, 2020

Google has released Chrome version 87.0.4280.66 for Windows, Mac, and Linux to address multiple vulnerabilities. Some of these vulnerabilities could allow an attacker to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.


11/19/2020 10:18 AM EST

Original release date: November 19, 2020

VMware has released security updates to address multiple vulnerabilities in VMware SD-WAN Orchestrator. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0025 and apply the necessary updates.


11/13/2020 11:46 AM EST

Original release date: November 13, 2020

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. Some of these vulnerabilities have been detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for macOS Big Sur 11.0, 11.0.1 and for macOS High Sierra 10.13.6, macOS Mojave 10.14.6 and apply the necessary updates.


11/17/2020 11:42 AM EST

Original release date: November 17, 2020

Cisco has released security updates to address vulnerabilities in Cisco Security Manager. A remote attacker could exploit these vulnerabilities to obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates.


11/12/2020 11:39 AM EST

Original release date: November 12, 2020

Google has released Chrome version 86.0.4240.198 for Windows, Mac, and Linux. This version addresses CVE-2020-16013 and CVE-2020-16017. An attacker could exploit one of these vulnerabilities to take control of an affected system. These vulnerabilities have been detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources and apply the necessary updates.


11/10/2020 11:00 AM EST

Original release date: November 10, 2020

Mozilla has released security updates to address a vulnerability in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 82.0.3, Firefox ESR 78.4.1, and Thunderbird 78.4.2 and apply the necessary updates.


11/10/2020 11:37 AM EST

Original release date: November 10, 2020

SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. These include missing authentication check vulnerabilities affecting SAP Solution Manager (JAVA stack).

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the SAP Security Notes for November 2020 and apply the necessary updates.


11/10/2020 01:18 PM EST

Original release date: November 10, 2020

Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s November 2020 Security Update Summary and Deployment Information and apply the necessary updates.


11/10/2020 04:31 PM EST

Original release date: November 10, 2020

Cisco has released a security update to address a vulnerability in IOS XR Software for ASR 9000 Series Aggregation Services Routers. An unauthenticated, remote attacker could exploit this vulnerability to cause a denial-of-service condition.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco security advisory and apply the necessary update.


11/10/2020 04:55 PM EST

Original release date: November 10, 2020

Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Adobe security advisories for Adobe Connect and Adobe Reader for Android and apply the necessary updates.


11/06/2020 12:06 PM EST

Original release date: November 6, 2020

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates.


11/05/2020 12:01 PM EST

Original release date: November 5, 2020

Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco Security Advisories page and apply the necessary updates.


11/04/2020 10:41 AM EST

Original release date: November 4, 2020

Adobe has released security updates to address vulnerabilities in Adobe Acrobat and Reader. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletin APSB20-67 and apply the necessary updates.


11/03/2020 10:35 AM EST

Original release date: November 3, 2020

Google has released Chrome version 86.0.4240.183 for Windows, Mac, and Linux addressing multiple vulnerabilities, including vulnerability CVE-2020-16009. Exploit code for this vulnerability exists in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release Note and apply the necessary updates immediately.


10/29/2020 01:11 PM EDT
Original release date: October 29, 2020

Microsoft has released a blog post on cyber threat actors exploiting CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. The Cybersecurity and Infrastructure Security Agency (CISA) has observed nation state activity exploiting this vulnerability. This malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks.

CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes. CISA has released a patch validation script to detect unpatched Microsoft domain controllers. If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services.

In the coming weeks and months, administrators should take follow-on actions that are described in guidance released by Microsoft to prepare for the second half of Microsoft’s Netlogon migration process, which is scheduled to conclude in February 2021.

CISA encourages users and administrators to review the following resources and apply the necessary updates and mitigations.


10/30/2020 03:59 PM EDT
Original release date: October 30, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint cybersecurity advisory on an Iranian advanced persistent threat (APT) actor targeting U.S. state websites, including elections websites, to obtain voter registration data. Joint Cybersecurity Advisory AA20-304A: Iranian APT Actor Identified Obtaining Voter Registration Data provides indicators of compromise and recommended mitigations for affected entities.

Analysis by CISA and the FBI indicates this actor scanned state websites, to include state election websites, between September 20 and September 28, 2020, with the Acunetix vulnerability scanner. Additionally, CISA and the FBI observed this actor attempting to exploit websites to obtain copies of voter registration data between September 29 and October 17, 2020. This includes attempted exploitation of known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads, and leveraging unique flaws in websites. CISA and the FBI can confirm that the actor successfully obtained voter registration data for at least one state.

CISA and the FBI advise organizations that do not regularly use Acunetix to monitor their logs for any related activity that originates from IP addresses provided in this advisory and consider it malicious reconnaissance behavior.
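The log review that CISA and the FBI recommend above can be scripted. The following is an added example, not CISA's, the FBI's, or the advisory's own tooling: it parses web server access logs in the common "combined" format and flags requests from a watchlist of source addresses. The real addresses are published in AA20-304A and are not reproduced here, so the watchlist below uses RFC 5737 documentation addresses as placeholders. As a second, heuristic signal (an assumption, not something the alert states), it also flags requests whose User-Agent names the Acunetix scanner, unless the organization is told it runs Acunetix itself. The log lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Placeholder watchlist. The actual IP addresses are listed in Joint
# Cybersecurity Advisory AA20-304A; substitute them here. These are
# RFC 5737 documentation addresses, constructed for this example.
ADVISORY_WATCHLIST = {
    ipaddress.ip_address("203.0.113.10"),
    ipaddress.ip_address("198.51.100.25"),
}

# Apache/nginx "combined" log format:
# ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    try:
        entry["ip"] = ipaddress.ip_address(entry["ip"])
    except ValueError:
        return None
    return entry


def classify(entry, watchlist=ADVISORY_WATCHLIST, scanner_expected=False):
    """Return the reasons an entry merits review (empty list if none)."""
    reasons = []
    if entry["ip"] in watchlist:
        reasons.append("source IP on advisory watchlist")
    # Assumption: scanner traffic identifies itself in the User-Agent.
    # Treat it as reconnaissance unless this organization runs Acunetix.
    if not scanner_expected and "acunetix" in entry["ua"].lower():
        reasons.append("vulnerability scanner User-Agent")
    return reasons


def review_log(lines, watchlist=ADVISORY_WATCHLIST, scanner_expected=False):
    """Scan an iterable of log lines and collect the entries worth a look."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:          # skip unparseable lines rather than crash
            continue
        reasons = classify(entry, watchlist, scanner_expected)
        if reasons:
            findings.append({
                "ip": str(entry["ip"]),
                "ts": entry["ts"],
                "request": entry["req"],
                "reasons": reasons,
            })
    return findings


def summarize(findings):
    """Hits per source address, so responders can prioritize."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log: two watchlisted sources, one self-identifying
# scanner from an unlisted address, one benign request, one garbage line.
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Sep/2020:03:14:07 +0000] "GET /voter/lookup?id=1 HTTP/1.1" 200 1824 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.44 - - [22/Sep/2020:11:02:51 +0000] "GET /robots.txt HTTP/1.1" 200 61 "-" "Mozilla/5.0 (compatible; Acunetix)"',
    '192.0.2.7 - - [22/Sep/2020:11:03:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    'this line is not a log entry',
    '198.51.100.25 - - [29/Sep/2020:18:45:33 +0000] "POST /admin/upload HTTP/1.1" 403 221 "-" "Mozilla/5.0 (compatible; Acunetix)"',
]

if __name__ == "__main__":
    hits = review_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["request"], "->", "; ".join(h["reasons"]))
    print("hits per source:", dict(summarize(hits)))
```

Run it against real logs by passing an open file object to `review_log` in place of `SAMPLE_LOG`; a watchlisted address should be escalated regardless of what the request looked like, since the advisory's point is that traffic from those sources is reconnaissance even when it returns 200.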


11/02/2020 01:09 PM EST

Original release date: November 2, 2020

Oracle has released an out-of-band security alert to address a remote code execution vulnerability—CVE-2020-14750—in Oracle WebLogic Server. A remote attacker can exploit this vulnerability to take control of an affected system.
 
The Cybersecurity and Infrastructure Security Agency (CISA) urges users and administrators to review the Oracle Security Alert and apply the necessary updates.


10/28/2020 07:38 PM EDT
Original release date: October 28, 2020

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.  
 
CISA, FBI, and HHS have released AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector that details both the threat and practices that healthcare organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans. 
 
CISA, FBI, and HHS are sharing this information in order to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats. CISA encourages users and administrators to review CISA’s Ransomware webpage for additional information. 


10/26/2020 02:10 PM EDT

Original release date: October 26, 2020

Microsoft has released a security update to address vulnerabilities in Edge (Chromium-based). An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the latest entry for Microsoft Security Advisory ADV200002 and apply the necessary update.


10/22/2020 01:40 PM EDT

Original release date: October 22, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released two joint cybersecurity advisories on widespread advanced persistent threat (APT) activity.

AA20-296A updates a previous joint CISA-FBI cybersecurity advisory and provides information on Russian state-sponsored actors targeting U.S. state, local, tribal, and territorial (SLTT) government networks, as well as aviation networks. In limited instances, this activity has resulted in unauthorized access to IT systems used by U.S. election officials.

AA20-296B details Iranian APT actors working to influence and interfere with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process. These actors have taken part in spear-phishing campaigns, website defacements, and disinformation campaigns to spread obtained U.S. voter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud.

Both joint cybersecurity advisories contain information on exploited vulnerabilities and recommended mitigation actions for affected organizations to pursue.


10/22/2020 12:32 PM EDT

Original release date: October 22, 2020

Cisco has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco security page and apply the necessary updates.


10/21/2020 12:34 PM EDT

Original release date: October 21, 2020

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 82, Firefox ESR 78.4, and Thunderbird 78.4 and apply the necessary updates.


10/21/2020 12:10 PM EDT

Original release date: October 21, 2020

Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.


10/21/2020 12:30 PM EDT

Original release date: October 21, 2020

Google has released Chrome version 86.0.4240.111 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary changes.


10/20/2020 07:20 PM EDT

Original release date: October 20, 2020

Oracle has released its Critical Patch Update for October 2020 to address 402 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Oracle October 2020 Critical Patch Update and apply the necessary updates.


10/20/2020 03:23 PM EDT

Original release date: October 20, 2020

The National Security Agency (NSA) has released a cybersecurity advisory on Chinese state-sponsored malicious cyber activity. This advisory provides 25 Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages critical system administrators to prioritize the immediate patching of the CVEs in NSA’s advisory and to review CISA’s Alert Potential for China Cyber Response to Heightened U.S.–China Tensions, which details potential cyber response to heightened tensions between the United States and China and provides specific tactics, techniques, and procedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our Nation’s critical infrastructure.

Review CISA's Chinese Malicious Cyber Activity page for more information on Chinese malicious cyber activity.


10/20/2020 12:44 PM EDT

Original release date: October 20, 2020

VMware has released security updates to address vulnerabilities affecting multiple products. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0023 and apply the necessary updates or workarounds.


10/15/2020 11:12 AM EDT

Original release date: October 15, 2020

Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.


10/16/2020 12:10 PM EDT

Original release date: October 16, 2020

Adobe has released security updates to address vulnerabilities affecting Magento Commerce and Magento Open Source. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletin APSB20-59 and apply the necessary updates.


10/16/2020 01:03 PM EDT

Original release date: October 16, 2020

The United Kingdom (UK) National Cyber Security Centre (NCSC) has released an Alert to address a vulnerability—CVE-2020-16952—affecting Microsoft SharePoint server. An attacker could exploit this vulnerability to take control of an affected system. Applying patches from Microsoft’s October 2020 Security Advisory for CVE-2020-16952 can prevent exploitation of this vulnerability.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review the NCSC Alert and the Microsoft Security Advisory for CVE-2020-16952 for more information.


10/13/2020 02:42 PM EDT

Original release date: October 13, 2020

Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s October 2020 Security Update Summary and Deployment Information and apply the necessary updates.


10/14/2020 11:59 AM EDT

Original release date: October 14, 2020

Microsoft has released a security update to address a protocol vulnerability—CVE-2020-16898—in Windows Transmission Control Protocol (TCP)/IP stack handling of Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. A remote attacker could exploit this vulnerability to take control of an affected system or cause a denial-of-service condition.
 
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s Security Advisory for more information, and apply the necessary updates or workaround.
 


10/14/2020 09:06 AM EDT

Original release date: October 14, 2020

The Apache Software Foundation has released a security advisory to address a vulnerability in Apache Tomcat. An attacker could exploit this vulnerability to obtain sensitive information. 

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Apache Security Advisory for CVE-2020-13943 and upgrade to the appropriate version.


10/14/2020 09:11 AM EDT

Original release date: October 14, 2020

Adobe has released security updates to address a vulnerability affecting Flash Player. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletin APSB20-58 and apply the necessary update.


10/13/2020 12:41 PM EDT

Original release date: October 13, 2020

SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. This includes an OS command injection vulnerability (CVE-2020-6364) affecting SAP Solution Manager and SAP Focused Run.
 
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the SAP Security Notes for October 2020 and apply the necessary updates.


10/09/2020 06:20 PM EDT

Original release date: October 9, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint cybersecurity advisory on advanced persistent threat (APT) actors chaining vulnerabilities (a commonly used tactic in which multiple vulnerabilities are exploited in the course of a single intrusion) in attempts to compromise federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure, and elections organizations. CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that the integrity of elections data has been compromised.

The joint cybersecurity advisory contains information on exploited vulnerabilities and recommended mitigation actions for affected organizations to pursue.


10/09/2020 04:21 PM EDT

Original release date: October 9, 2020

Summary

This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

Note: the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. The Cybersecurity and Infrastructure Security Agency (CISA) will update this advisory as new information becomes available.

This joint cybersecurity advisory was written by CISA with contributions from the Federal Bureau of Investigation (FBI). 

CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability—CVE-2020-1472—in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application. 

This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.

CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.

Some common tactics, techniques, and procedures used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical CVE-2020-1472 Netlogon vulnerability. CISA is aware of multiple cases where the Fortinet FortiOS Secure Sockets Layer (SSL) VPN vulnerability CVE-2018-13379 has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability CVE-2020-15505. While these exploits have been observed recently, this activity is ongoing and still unfolding. CISA recommends network staff and administrators review internet-facing infrastructure for vulnerabilities, including Juniper CVE-2020-1631, Pulse Secure CVE-2019-11510, Citrix NetScaler CVE-2019-19781, and Palo Alto Networks CVE-2020-2021 (this list is not considered exhaustive).

After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors, and is not limited to SLTT entities.

Click here for a PDF version of this report.

Technical Details

Initial Access

APT threat actors are actively leveraging legacy vulnerabilities in internet-facing infrastructure (Exploit Public-Facing Application [T1190], External Remote Services [T1133]) to gain initial access into systems. The APT actors appear to have predominantly gained initial access via the Fortinet FortiOS VPN vulnerability CVE-2018-13379; however, the other vulnerabilities listed below have also been observed (as analysis is evolving, this list should not be considered comprehensive).

  • Citrix NetScaler CVE-2019-19781
  • MobileIron CVE-2020-15505
  • Pulse Secure CVE-2019-11510
  • Palo Alto Networks CVE-2020-2021
  • F5 BIG-IP CVE-2020-5902

Fortinet FortiOS SSL VPN CVE-2018-13379

CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal. An unauthenticated attacker could exploit this vulnerability to download FortiOS system files through specially crafted HTTP resource requests.

MobileIron Core & Connector Vulnerability CVE-2020-15505

CVE-2020-15505 is a remote code execution vulnerability in MobileIron Core & Connector (affected versions are listed in table 1). It allows an external attacker with no privileges to execute code of their choice on the vulnerable system. Because mobile device management (MDM) systems are central to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.

Privilege Escalation

After initial access, the APT actors use multiple techniques to expand access to the environment. The actors leverage CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers. Actors also leverage open-source tools such as Mimikatz and CrackMapExec to obtain Valid Accounts [T1078] credentials from AD servers.

Microsoft Netlogon Remote Protocol Vulnerability: CVE-2020-1472

CVE-2020-1472 is a vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory. This vulnerability could allow an unauthenticated attacker with network access to a domain controller to completely compromise all AD identity services (Valid Accounts: Domain Accounts [T1078.002]). Malicious actors can leverage this vulnerability to compromise other devices on the network (Lateral Movement [TA0008]).

Persistence

Once system access has been achieved, the APT actors abuse legitimate credentials (Valid Accounts [T1078]) to log in via VPN or External Remote Services [T1133] to maintain persistence.

Mitigations

Organizations with externally facing infrastructure devices that have the vulnerabilities listed in this joint cybersecurity advisory, or other vulnerabilities, should move forward with an “assume breach” mentality. As initial exploitation and escalation may be the only observable exploitation activity, most mitigations will need to focus on more traditional network hygiene and user management activities.

Keep Systems Up to Date

Patch systems and equipment promptly and diligently. Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. See table 1 for patch information on CVEs mentioned in this report.

Table 1: Patch information for exploited CVEs

Vulnerability Vulnerable Products Patch Information
CVE-2018-13379
  • FortiOS 6.0
  • FortiOS 5.6  
  • FortiOS 5.4
CVE-2019-19781
  • Citrix Application Delivery Controller
  • Citrix Gateway
  • Citrix SDWAN WANOP
CVE-2020-5902
  • BIG-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)
CVE-2019-11510
  • Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15
  • Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15
CVE-2020-15505
  • MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0  
  • Sentry versions 9.7.2 and earlier, and 9.8.0;  
  • Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier
CVE-2020-1631
  • Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1
CVE-2020-2021
  • PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL)
CVE-2020-1472
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903  (Server Core installation)
  • Windows Server, version 1909  (Server Core installation)
  • Windows Server, version 2004   (Server Core installation)

Comprehensive Account Resets

If CVE-2020-1472 Netlogon exploitation activity or other indications of valid credential abuse are detected, it should be assumed that the APT actors have compromised AD administrative accounts, that the AD forest can no longer be fully trusted, and, therefore, that a new forest should be deployed. Existing hosts from the old, compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through "creative destruction," wherein as endpoints in the legacy forest are decommissioned, new ones are built in the new forest. This needs to be completed for on-premises as well as Azure-hosted AD instances.

Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.

It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.

  1. Create a temporary administrator account, and use this account only for all administrative actions.
  2. Reset the Kerberos Ticket Granting Ticket (krbtgt) password; this must be completed before any additional actions, and a second reset takes place in step 5.
  3. Wait for the krbtgt reset to propagate to all domain controllers (time may vary).
  4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned):
    a. User accounts (forced reset with no legacy password reuse)
    b. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])
    c. Service accounts
    d. Directory Services Restore Mode (DSRM) account
    e. Domain controller machine accounts
    f. Application passwords
  5. Reset the krbtgt password again.
  6. Wait for the krbtgt reset to propagate to all domain controllers (time may vary).
  7. Reboot domain controllers.
  8. Reboot all endpoints.

The following accounts should be reset:

  • AD Kerberos authentication account, krbtgt (reset twice)
  • All Active Directory Accounts
  • All Active Directory Admin Accounts
  • All Active Directory Service Accounts
  • All Active Directory User Accounts
  • DSRM Account on Domain Controllers
  • Non-AD Privileged Application Accounts
  • Non-AD Unprivileged Application Accounts
  • Non-Windows Privileged Accounts
  • Non-Windows User Accounts
  • Windows Computer Accounts
  • Windows Local Admin

VPN Vulnerabilities

Implement the following recommendations to secure your organization’s VPNs:

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. See CISA Tips Understanding Patches and Securing Network Infrastructure Devices. Wherever possible, enable automatic updates. See table 1 for patch information on VPN-related CVEs mentioned in this report.
  • Implement multi-factor authentication (MFA) on all VPN connections to increase security. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information.

  • Discontinue unused VPN servers. Reduce your organization’s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers.

How to protect your organization against VPN vulnerabilities:

  • Audit configuration and patch management programs.
  • Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
  • Implement MFA, especially for privileged accounts.
  • Use separate administrative accounts on separate administration workstations.
  • Keep software up to date. Enable automatic updates, if available.  

To secure your organization’s Netlogon channel connections:

  • Update all Domain Controllers and Read Only Domain Controllers. On August 11, 2020, Microsoft released software updates to mitigate CVE-2020-1472. Applying this update to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).
  • Monitor for new events, and address non-compliant devices that are using vulnerable Netlogon secure channel connections.
  • Block public access to potentially vulnerable ports, such as 445 (SMB) and 135 (RPC).

To protect your organization against this CVE, follow advice from Microsoft, including:

  • Update your domain controllers with an update released August 11, 2020 or later.
  • Find which devices are making vulnerable connections by monitoring event logs.
  • Address non-compliant devices making vulnerable connections.
  • Enable enforcement mode to address CVE-2020-1472 in your environment.
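An added example, not CISA's or Microsoft's script, that implements the "monitor event logs", "address non-compliant devices" and "enforcement mode" steps above for the whole domain. It relies on the events the August 2020 update adds to each domain controller's System log (IDs 5827 to 5831 from source NETLOGON) and on the FullSecureChannelProtection registry value under the Netlogon Parameters key, which is what switches a DC into enforcement mode. It assumes the RSAT ActiveDirectory module on a management host and WinRM access to every writable DC; the regular expression that pulls the client account name out of the event text is the example's own assumption about the message format, not something the page or Microsoft specify.

```powershell
# Added example (not from CISA or Microsoft): list devices still making vulnerable Netlogon
# secure channel connections and report each DC's enforcement setting. Assumes the
# August 11, 2020 update is installed on the DCs (it adds the events), WinRM access to each
# DC, and the RSAT ActiveDirectory module on this host.
Import-Module ActiveDirectory

# System log, source NETLOGON, after the August 2020 update:
#   5827 / 5828  vulnerable connection DENIED (machine account / trust account)
#   5829         vulnerable connection ALLOWED because the DC is not yet in enforcement mode
#   5830 / 5831  vulnerable connection ALLOWED by the "Allow vulnerable Netlogon secure
#                channel connections" group policy (machine account / trust account)
$NetlogonEventIds = 5827, 5828, 5829, 5830, 5831
$DeniedEventIds   = 5827, 5828

function Get-WritableDomainController {
    (Get-ADDomainController -Filter { IsReadOnly -eq $false }).HostName
}

function Get-VulnerableNetlogonClient {
    # One object per event: which DC saw it, whether it was allowed, and the client account
    # named in the event text (the regex is an assumption about the message wording).
    param([string[]]$DomainController = (Get-WritableDomainController), [int]$Days = 7)
    foreach ($dc in $DomainController) {
        $filter = @{
            LogName      = 'System'
            ProviderName = 'NETLOGON'
            Id           = $NetlogonEventIds
            StartTime    = (Get-Date).AddDays(-$Days)
        }
        # Get-WinEvent reports "no events found" as an error; here that is the good outcome.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $client = if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
                [pscustomobject]@{
                    DomainController = $dc
                    TimeCreated      = $_.TimeCreated
                    EventId          = $_.Id
                    Outcome          = if ($_.Id -in $DeniedEventIds) { 'denied' } else { 'allowed' }
                    Client           = $client
                }
            }
    }
}

function Get-NetlogonEnforcementState {
    # FullSecureChannelProtection = 1 under the Netlogon Parameters key is enforcement mode;
    # 0 or absent leaves the DC in the deployment phase that still allows vulnerable connections.
    param([string[]]$DomainController = (Get-WritableDomainController))
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    foreach ($dc in $DomainController) {
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty -Path $using:key -ErrorAction SilentlyContinue).FullSecureChannelProtection
        }
        $mode = switch ($value) {
            1       { 'enforcement' }
            0       { 'deployment (vulnerable connections allowed)' }
            default { 'not set (deployment)' }
        }
        [pscustomobject]@{ DomainController = $dc; FullSecureChannelProtection = $value; Mode = $mode }
    }
}

# Anything still "allowed" is a device that will break once enforcement is on; fix it first.
# Get-VulnerableNetlogonClient | Where-Object Outcome -eq 'allowed' |
#     Group-Object Client | Sort-Object Count -Descending | Format-Table Name, Count
# Get-NetlogonEnforcementState | Format-Table
```

Run the first function on a schedule for at least a full patch cycle: a client that only talks to one DC will appear in that DC's log alone, which is why every writable DC is queried rather than just the PDC. Microsoft's own enforcement phase began with the February 9, 2021 updates, after which patched DCs enforce regardless of the registry value, so on DCs patched past that date the second function shows the configured setting rather than whether enforcement is actually active.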

How to uncover and mitigate malicious activity

  • Collect and preserve relevant artifacts, logs, and data for further analysis.
  • Implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.
  • Consider soliciting incident response support from a third-party IT security organization to:
    • Provide subject matter expertise and technical support to the incident response,
    • Ensure that the actor is eradicated from the network, and
    • Avoid residual issues that could result in follow-up compromises once the incident is closed

Resources

Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

 
DISCLAIMER
 
This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.

The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

 

 

 

Revisions

  • October 9, 2020: Initial Version


10/07/2020 09:13 AM EDT

Original release date: October 7, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) has released an infographic mapping analysis of 44 of its Risk and Vulnerability Assessments (RVAs) conducted in Fiscal Year 2019 to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework. The infographic identifies routinely successful attack paths CISA observed during RVAs conducted across multiple sectors. Cyber attackers can use these attack paths to compromise organizations.

CISA encourages network administrators and IT professionals to review the infographic and apply the recommended defensive strategies to protect against the observed tactics and techniques. Review CISA’s Cyber Essentials for more information on where to start implementing organizational cybersecurity practices. For information on CISA RVAs and requesting additional services, visit CISA’s National Cybersecurity Assessment and Technical Services page.  


10/07/2020 11:42 AM EDT

Original release date: October 7, 2020

Google has released Chrome version 86.0.4240.75 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary changes.
 


10/08/2020 11:19 AM EDT

Original release date: October 8, 2020

Cisco has released security updates to address vulnerabilities in Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities see the Cisco Security Advisories page.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco Advisories and apply the necessary updates:


QNAP Releases Security Updates for QNAP Helpdesk

10/08/2020 04:10 PM EDT
Original release date: October 8, 2020

QNAP Systems has released security updates to address vulnerabilities in QNAP Helpdesk. An attacker could exploit these vulnerabilities to take control of an affected QNAP network-attached storage (NAS) device.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review QNAP Security Advisory QSA-20-08 and apply the necessary updates.


10/02/2020 11:09 AM EDT

Original release date: October 2, 2020

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has released an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. Financial institutions, cyber insurance firms, and companies that facilitate payments on behalf of victims may be violating OFAC regulations.

CISA encourages organizations to review the OFAC Advisory for more information. See CISA’s Ransomware page for how to report and protect against ransomware attacks.


09/30/2020 02:33 PM EDT

Original release date: September 30, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have released a joint Ransomware Guide that details practices that organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The in-depth guide provides actionable best practices for ransomware prevention as well as a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.

CISA encourages users and administrators to review the Ransomware Guide and CISA’s Ransomware webpage for additional information.


10/01/2020 07:53 AM EDT

Original release date: October 1, 2020

October is National Cybersecurity Awareness Month (NCSAM), which is a collaborative effort between the Cybersecurity and Infrastructure Security Agency (CISA) and its public and private partners—including the National Cyber Security Alliance—to ensure every American has the resources they need to stay safe and secure online. This year’s theme, “Do your Part. #BeCyberSmart.,” encourages individuals and organizations to take proactive steps to enhance cybersecurity and protect their part of cyberspace.

CISA encourages individuals and organizations to review the NCSAM 2020 page for ways to participate in and promote NCSAM.


10/01/2020 03:27 PM EDT

Original release date: October 1, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DOD) Cyber National Mission Force (CNMF) have identified a malware variant—referred to as SLOTHFULMEDIA—used by a sophisticated cyber actor. In addition, U.S. Cyber Command has released the malware sample to the malware aggregation tool and repository, VirusTotal.

CISA encourages users and administrators to review Malware Analysis Report MAR-10303705-1.v1 and U.S. Cyber Command’s VirusTotal page for more information.


09/30/2020 09:38 AM EDT

Original release date: September 30, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) has released the Telework Essentials Toolkit, a comprehensive resource of telework best practices. The Toolkit provides three personalized modules for executive leaders, IT professionals, and teleworkers. Each module outlines distinctive security considerations appropriate for their role:

  • Actions for executive leaders that drive cybersecurity strategy, investment and culture
  • Actions for IT professionals that develop security awareness and vigilance
  • Actions for teleworkers to develop their home network security awareness and vigilance

CISA encourages users and administrators to review the Telework Essentials Toolkit and the CISA Telework page for more information.


09/25/2020 09:19 AM EDT

Original release date: September 25, 2020

Cisco has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco security page and apply the necessary updates.


09/25/2020 09:17 AM EDT

Original release date: September 25, 2020

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:


09/24/2020 10:25 AM EDT

Original release date: September 24, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. Applying patches from Microsoft’s August 2020 Security Advisory for CVE-2020-1472 can prevent exploitation of this vulnerability.

CISA has released a patch validation script to detect unpatched Microsoft domain controllers. CISA urges administrators to patch all domain controllers immediately—until every domain controller is updated, the entire infrastructure remains vulnerable. Review the following resources for more information:


09/21/2020 03:12 PM EDT

Original release date: September 21, 2020

The Samba Team has released a security update to address a critical vulnerability—CVE-2020-1472—in multiple versions of Samba. This vulnerability could allow a remote attacker to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Samba Security Announcement for CVE-2020-1472 and apply the necessary updates or workaround.


09/22/2020 11:00 AM EDT
Original release date: September 22, 2020

Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions by the Multi-State Information Sharing & Analysis Center (MS-ISAC).

CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal civilian executive branch networks, has detected persistent malicious LokiBot activity. LokiBot is credential- and information-stealing malware, often sent as a malicious attachment, that is known for being simple yet effective, which makes it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.

Technical Details

LokiBot—also known as Lokibot, Loki PWS, and Loki-bot—employs Trojan malware to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials.

  • The malware steals credentials through a keylogger that monitors browser and desktop activity (Credentials from Password Stores: Credentials from Web Browsers; Input Capture: Keylogging).
  • LokiBot can also create a backdoor into infected systems to allow an attacker to install additional payloads (Event Triggered Execution: Accessibility Features).
  • Malicious cyber actors typically use LokiBot to target Windows and Android operating systems and distribute the malware via email, malicious websites, text, and other private messages (User Execution: Malicious File). See figure 1 for enterprise techniques used by LokiBot.

Figure 1: MITRE ATT&CK enterprise techniques used by LokiBot

Since LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications, including the following.

  • February 2020: Trend Micro identified cyber actors using LokiBot to impersonate a launcher for Fortnite—a popular video game.[1]
  • August 2019: FortiGuard SE researchers discovered a malspam campaign distributing LokiBot information-stealing payloads in a spearphishing attack on a U.S. manufacturing company.[2]
  • August 2019: Trend Micro researchers reported LokiBot malware source code being hidden in image files spread as attachments in phishing emails.[3]
  • June 2019: Netskope uncovered LokiBot being distributed in a malspam campaign using ISO image file attachments.[4]
  • April 2019: Netskope uncovered a phishing campaign using malicious email attachments with LokiBot malware to create backdoors onto infected Windows systems and steal sensitive information.[5]
  • February 2018: Trend Micro discovered CVE-2017-11882 being exploited in an attack using Windows Installer service to deliver LokiBot malware.[6]
  • October 2017: SfyLabs identified cyber actors using LokiBot as an Android banking trojan that turns into ransomware.[7]
  • May 2017: Fortinet reported malicious actors using a PDF file to spread a new LokiBot variant capable of stealing credentials from more than 100 different software tools.[8]
  • March 2017: Check Point discovered LokiBot malware found pre-installed on Android devices.[9]
  • December 2016: Dr.Web researchers identified a new LokiBot variant targeting Android core libraries.[10]
  • February 2016: Researchers discovered the LokiBot Android Trojan infecting the core Android operating system processes.[11]

MITRE ATT&CK Techniques

According to MITRE, LokiBot uses the ATT&CK techniques listed in table 1.

Table 1: LokiBot ATT&CK techniques

Technique | Use
System Network Configuration Discovery | LokiBot has the ability to discover the domain name of the infected host.
Obfuscated Files or Information | LokiBot has obfuscated strings with base64 encoding.
Obfuscated Files or Information: Software Packing | LokiBot has used several packing methods for obfuscation.
System Owner/User Discovery | LokiBot has the ability to discover the username on the infected host.
Exfiltration Over C2 Channel | LokiBot has the ability to initiate contact with command and control to exfiltrate stolen data.
Process Injection: Process Hollowing | LokiBot has used process hollowing to inject into the legitimate Windows process vbc.exe.
Input Capture: Keylogging | LokiBot has the ability to capture input on the compromised host via keylogging.
Application Layer Protocol: Web Protocols | LokiBot has used Hypertext Transfer Protocol for command and control.
System Information Discovery | LokiBot has the ability to discover the computer name and Windows product name/version.
User Execution: Malicious File | LokiBot has been executed through malicious documents contained in spearphishing emails.
Credentials from Password Stores | LokiBot has stolen credentials from multiple applications and data sources including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients.
Credentials from Password Stores: Credentials from Web Browsers | LokiBot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and Chromium and Mozilla Firefox-based web browsers.
Hide Artifacts: Hidden Files and Directories | LokiBot has the ability to copy itself to a hidden file and directory.

Mitigations

CISA and MS-ISAC recommend that federal, state, local, tribal, territorial government, private sector users, and network administrators consider applying the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.
  • Keep operating system patches up to date. See Understanding Patches and Software Updates.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Enforce multi-factor authentication. See Supplementing Passwords for more information.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
  • Enforce a strong password policy. See Choosing and Protecting Passwords.
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate access control lists.
  • Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.
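One way to implement the "true file type" check recommended above (extension versus file header), as an added example that is not part of the CISA alert: the signature table, the extension allow-list and the sample attachments are constructed for illustration, and the function names (sniff_type, check_attachment, scan_attachments) are this example's own. The ISO and image cases mirror the delivery formats listed in the campaign history above.

```python
import os
from typing import Dict, List, Optional, Set, Tuple

# (offset, magic bytes, label): well-known file headers; ISO 9660's marker sits at byte 0x8001.
SIGNATURES: List[Tuple[int, bytes, str]] = [
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),                        # also OOXML .docx/.xlsx
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"MZ", "pe"),                                 # Windows EXE/DLL
    (0x8001, b"CD001", "iso"),
]
# True file types each claimed extension may legitimately carry (constructed allow-list).
ALLOWED: Dict[str, Set[str]] = {
    ".pdf": {"pdf"}, ".zip": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"},
    ".doc": {"ole2"}, ".xls": {"ole2"}, ".png": {"png"}, ".jpg": {"jpeg"},
    ".jpeg": {"jpeg"}, ".exe": {"pe"}, ".dll": {"pe"}, ".iso": {"iso"},
}

def sniff_type(data: bytes) -> Optional[str]:
    """Return the type implied by the header bytes, or None if unrecognised."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None

def check_attachment(filename: str, data: bytes) -> str:
    """'ok' when header and extension agree, 'mismatch:<type>' when they do
    not, 'unknown' when no signature matches (treat as a quarantine candidate)."""
    actual = sniff_type(data)
    if actual is None:
        return "unknown"
    ext = os.path.splitext(filename)[1].lower()
    return "ok" if actual in ALLOWED.get(ext, set()) else f"mismatch:{actual}"

def scan_attachments(attachments: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (name, verdict) for every attachment whose verdict is not 'ok'."""
    verdicts = [(name, check_attachment(name, data)) for name, data in attachments]
    return [(name, v) for name, v in verdicts if v != "ok"]

# Constructed sample attachments (no real malware): two are PE executables
# renamed to look like a document and an image.
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("statement.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("photo.jpg", b"MZ\x90\x00"),
    ("order.iso", b"\x00" * 0x8001 + b"CD001\x01"),
]
FLAGGED = scan_attachments(SAMPLES)  # [('statement.pdf', 'mismatch:pe'), ('photo.jpg', 'mismatch:pe')]
```

An attachment that comes back "unknown" is not cleared by this check; it only means the header is not in the table, so such files should still go through the antivirus scan the list above calls for.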

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Resources

Center for Internet Security Security Event Primer – Malware: https://www.cisecurity.org/white-papers/security-event-primer-malware/
MITRE ATT&CK – LokiBot: https://attack.mitre.org/software/S0447/
MITRE ATT&CK for Enterprise: https://attack.mitre.org/matrices/enterprise/

References