CISA | Cybersecurity Advisorie... Note

CISA | Cybersecurity Advisories

CISA (Cybersecurity and Infrastructure Security Agency) regularly publishes cybersecurity advisories to inform organizations and individuals about potential threats and vulnerabilities. These advisories include detailed reports on specific cybersecurity issues, threat actor tactics, techniques, and procedures, as well as indicators of compromise and recommended mitigations. CISA also provides alerts, which are concise summaries covering current security issues, vulnerabilities, and exploits. Additionally, CISA offers industrial control system (ICS) advisories that focus on vulnerabilities in ICS products and their mitigations.

Thread Of Notes

China-nexus cyber actors are increasingly using large-scale networks of compromised devices, known as covert networks, to mask their malicious activities. This shift in tactics, techniques, and procedures (TTPs) moves away from individually procured infrastructure. These covert networks are primarily composed of compromised Small Office Home Office (SOHO) routers, Internet of Things (IoT) devices, and smart devices. Such networks allow actors to conduct cyber operations with low cost, low risk, and deniability, making attribution difficult. They are utilized across all phases of the cyber kill chain, from reconnaissance to malware delivery and data exfiltration. Evidence suggests that Chinese information security companies create and maintain these covert networks. For example, the Raptor Train network, infecting over 200,000 devices, was managed by Integrity Technology Group. The KV Botnet, used by Volt Typhoon, consisted mainly of vulnerable end-of-life routers. Old defense paradigms relying on static IP blocklists are becoming less effective due to the dynamic and distributed nature of these botnets. Defenders must adapt by mapping network edge devices, baselining normal connections, and leveraging threat intelligence. Implementing multi-factor authentication and employing IP address or geographic allow lists are crucial protective measures. Larger or more at-risk organizations can further enhance security through zero trust policies and reducing their internet-facing IT estate. Active hunting and tracking of these covert networks as distinct threats are recommended for the most targeted entities. Comprehensive cybersecurity best practices remain fundamental in defending against these evolving threats.
CdXz5zHNQW_ATHApB8wCS.png
The Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and other partners have released a joint advisory on the targeting of critical infrastructure by pro-Russia hacktivists. These groups are conducting less sophisticated attacks against critical infrastructure entities, using minimally secured internet-facing virtual network computing connections to infiltrate operational technology control devices. The targeted sectors include Water and Wastewater Systems, Food and Agriculture, and Energy, with the goal of causing physical damage and disrupting operations. The authoring organizations encourage critical infrastructure organizations to implement recommendations to reduce the likelihood and impact of pro-Russia hacktivist-related incidents. Pro-Russia hacktivist groups, such as Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16, are capitalizing on the widespread prevalence of accessible VNC devices to execute attacks. These groups have limited capabilities and frequently misunderstand the processes they aim to disrupt, but they can still cause harm to vulnerable critical infrastructure. The authoring organizations assess that some of these groups have associations with the Russian state through direct or indirect support. The groups use opportunistic targeting methodology, leveraging superficial criteria such as victim availability and existing vulnerabilities, rather than focusing on strategically significant entities. The advisory provides recommendations for critical infrastructure organizations to mitigate the risk of pro-Russia hacktivist attacks, including implementing secure remote access protocols and monitoring for suspicious activity. Overall, the joint advisory highlights the threat posed by pro-Russia hacktivists to critical infrastructure and the need for organizations to take proactive steps to protect themselves. The authoring organizations will continue to monitor the activities of these groups and provide updates as necessary to help critical infrastructure organizations stay ahead of the threat.
CISA responded to a cyber incident at a U.S. federal agency after its endpoint detection and response tool flagged suspicious activity. The agency was compromised by exploiting CVE-2024-36401 in two GeoServers. This vulnerability, disclosed shortly before the exploitation, allowed attackers to gain remote code execution.The attackers remained undetected for three weeks, during which they moved laterally to other servers. Key lessons learned from this engagement highlight critical security failures. Prompt remediation of vulnerabilities, particularly in public-facing systems, is essential.Organizations must regularly test and update their incident response plans, ensuring they facilitate third-party assistance. Continuous review of endpoint detection and response alerts is crucial for timely threat detection. Implementing comprehensive and centralized logging is also vital for effective incident analysis.The attackers utilized publicly available tools for reconnaissance, resource development, and various stages of their attack. They employed web shells, cron jobs, and valid accounts for persistence. Privilege escalation attempts were made using known Linux exploits.Defense evasion tactics included indirect command execution and the use of tools like RingQ. Credential access was achieved through brute-force techniques and exploitation of service accounts. Discovery efforts involved network scanning and vulnerability assessment tools. CISA provides indicators of compromise and technical details to help organizations prevent similar attacks.
CdXz5zHNQW_HWczZ8ypOU.jpeg
CdXz5zHNQW_Da7Y5uJ2dv.png
A joint cybersecurity advisory highlights a Russian state-sponsored cyber campaign targeting logistics entities and technology companies involved in foreign assistance to Ukraine. The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165, has been conducting a cyber espionage-oriented campaign using a mix of previously disclosed tactics, techniques, and procedures (TTPs). The campaign targets technology companies and logistics entities, including those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The actors' TTPs include reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions. The campaign is likely connected to the actors' wide-scale targeting of IP cameras in Ukraine and bordering NATO nations. The authors of the advisory expect similar targeting and TTP use to continue. Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting and increase monitoring and threat hunting for known TTPs and indicators of compromise. The campaign has targeted dozens of entities across virtually all transportation modes, including air, sea, and rail, and has targeted entities associated with defense industry, transportation, maritime, air traffic management, and other sectors. The countries with targeted entities include Bulgaria, Czech Republic, France, Germany, Greece, Italy, Moldova, Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. The actors have used various techniques to gain initial access to targeted entities, including credential guessing, spearphishing, and exploitation of vulnerabilities.
CdXz5zHNQW_nyCYDfno3R.png
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint advisory to provide information on the Ghost (Cring) ransomware variant. Ghost actors, located in China, have been conducting widespread attacks for financial gain since early 2021, targeting organizations with outdated software and firmware. The group has compromised organizations in over 70 countries, including critical infrastructure, schools, healthcare, government networks, and small- and medium-sized businesses.Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet-facing servers. They rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, making attribution challenging. The group uses various tools, including Cobalt Strike, to exploit vulnerabilities, gain access, and move laterally within victim networks.The advisory provides technical details on the tactics, techniques, and procedures (TTPs) used by Ghost actors, including initial access, execution, persistence, privilege escalation, credential access, defense evasion, discovery, lateral movement, exfiltration, and command and control. The group relies heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control operations.The impact of Ghost ransomware activity varies widely on a victim-to-victim basis, with the group typically demanding tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software. The advisory encourages organizations to implement recommendations to reduce the likelihood and impact of Ghost ransomware incidents.
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory regarding the exploitation of vulnerabilities in Ivanti Cloud Service Appliances (CSA). The vulnerabilities, including CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380, were exploited in September 2024, allowing threat actors to gain initial access, conduct remote code execution, obtain credentials, and implant webshells on victim networks. The actors chained the vulnerabilities to gain access, with two primary exploit paths: one leveraging CVE-2024-8963 with CVE-2024-8190 and CVE-2024-9380, and the other exploiting CVE-2024-8963 with CVE-2024-9379. The vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities also affect CSA versions 5.0.1 and below. Ivanti CSA 4.6 is End-of-Life and no longer receives patches or third-party libraries, and CISA and FBI strongly encourage network administrators to upgrade to the latest supported version. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within the advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised, and organizations should collect and analyze logs and artifacts for malicious activity. The advisory provides technical details on the vulnerabilities, including the MITRE ATT&CK tactics and techniques used by the threat actors. The actors' activity was detected by three victim organizations, which were able to remediate the incidents by replacing virtual machines with clean and upgraded versions.
The FBI, CISA, and NSA have identified Russian GRU Unit 29155 as responsible for cyber operations targeting global entities since 2020, aiming for espionage, sabotage, and reputational harm. This unit, distinct from other GRU cyber groups, deployed the destructive WhisperGate malware against Ukrainian organizations in January 2022. To mitigate this threat, organizations should prioritize system updates, network segmentation, and multifactor authentication. This advisory outlines the tactics, techniques, and procedures employed by Unit 29155, including their use of publicly available tools and vulnerabilities. The FBI assesses Unit 29155 cyber actors as junior GRU officers gaining experience through cyber operations and relying on non-GRU individuals for support. The cybersecurity industry tracks this group under various names, including Cadet Blizzard, Ember Bear, and Frozenvista. In addition to Ukraine, Unit 29155 has targeted NATO members and other countries in Europe, Latin America, and Central Asia. Their activities include website defacements, infrastructure scanning, data exfiltration, and public data leaks. Since early 2022, their focus has shifted to disrupting aid to Ukraine. The FBI has observed over 14,000 instances of domain scanning across 26 NATO members and several EU countries. Unit 29155 targets critical infrastructure sectors, including government services, finance, transportation, energy, and healthcare. Their reconnaissance techniques include using tools like Acunetix, Amass, MASSCAN, and Shodan to scan for vulnerabilities and collect information. They have been observed obtaining exploit scripts for various CVEs and using them for initial access. The group frequently utilizes common red teaming techniques and publicly available tools, relying on dark web forums to obtain malware and loaders. They have exploited vulnerabilities in Dahua IP cameras to bypass authentication and exfiltrated data. Unit 29155 has employed various methods for lateral movement, including using Shodan to identify IoT devices and exploiting vulnerabilities in IP cameras to gain access and dump configuration settings. The advisory provides a list of Indicators of Compromise (IOCs) to assist in identifying and mitigating potential threats associated with this group.
Event Logging Best Practices for Cyber Threat MitigationThis guidance defines best practices for event logging to enhance cyber security and network visibility, addressing challenges such as living off the land techniques used by malicious actors.Four Key Factors for Effective Logging- Enterprise-approved Event Logging Policy: Establishes a consistent approach to logging across environments. - Centralized Event Log Access and Correlation: Allows for efficient monitoring and analysis of event logs. - Secure Storage and Event Log Integrity: Preserves the integrity and accessibility of event logs. - Detection Strategy for Relevant Threats: Focuses logging on identifying malicious activities and indicators of compromise.Event Log Quality- High-quality logs provide detailed information on security events, aiding in incident identification and threat detection. - Relevant considerations for LOTL detection include capturing logs on specific commands and tools used by malicious actors.Captured Event Log Details- Logs should contain sufficient information for network defenders to investigate and respond to incidents, including timestamps, event types, and system identifiers. - Using key-value-pairs for data formatting simplifies log analysis.Operational Technology Considerations- OT devices often have limited logging capabilities, requiring supplemental solutions or out-of-band log communications.Consistency and Synchronization- Consistent log formats and timestamps across systems facilitate log search and correlation. - Accurate time sources assist in identifying connections between events.Additional Resources- ASD's Information Security Manual: Provides guidelines for event log recording. - CISA's M-21-31 Guidance: Outlines priorities for log collection. - NIST's OT Security Guide: Addresses OT-specific event logging considerations.
This Cybersecurity Advisory (CSA) aims to provide information on Black Basta, a ransomware-as-a-service variant, to help organizations protect themselves. First identified in April 2022, Black Basta has impacted numerous organizations across critical infrastructure sectors globally. Black Basta affiliates exploit common vulnerabilities, such as phishing emails and software flaws, to gain access to victims' systems. They employ a double-extortion tactic by encrypting data and stealing it for future leverage. Victims are given a set timeframe to meet ransom demands, typically communicated through a .onion URL, or risk their data being published on the "Basta News" Tor site. Black Basta actors target healthcare organizations because of their critical nature and potential access to sensitive personal data. Organizations are strongly encouraged to review and implement the provided mitigation recommendations to bolster their defenses against Black Basta and similar ransomware threats. The advisory details Black Basta's tactics and techniques, mapping them to the MITRE ATT&CK framework for comprehensive understanding. It outlines their methods of initial access, privilege escalation, defense evasion, execution, and the tools used in each step. Furthermore, the CSA provides a list of indicators of compromise (IOCs), including file hashes associated with Black Basta, aiding organizations in detecting potential infections. Victims of Black Basta ransomware attacks are advised to report the incident to the FBI or CISA for assistance and support.
Cybercriminals are actively exploiting vulnerabilities in Ivanti Connect Secure and Policy Secure gateways, which can allow them to execute arbitrary commands with elevated privileges. These vulnerabilities impact all supported versions and are being used in a chain of exploits to bypass authentication and craft malicious requests.Despite Ivanti's Integrity Checker Tool (ICT), CISA has determined that it is insufficient to detect compromise, as cybercriminals have been able to deceive it and maintain root-level persistence even after factory resets.Network defenders should assume compromised user and service account credentials, hunt for malicious activity, run the latest ICT, and apply patches as they become available.In the event of compromise, organizations should quarantine affected hosts, reimage them, reset credentials, identify and remove malicious administrator accounts, and collect and analyze artifacts.CISA recommends that organizations consider the significant risk of adversary access and persistence on Ivanti gateways and evaluate whether to continue operating them.The Federal Emergency Directive (ED) 24-01 requires Federal Civilian Executive Branch (FCEB) agencies to take specific actions on affected products.The Canadian Centre for Cyber Security has issued an alert with periodic updates for affected IT professionals.Indicators of Compromise (IOCs) and YARA rules are provided to aid in detecting malicious activity.Network defenders should map malicious cyber activity to the MITRE ATT&CK framework for improved detection and response.
US agencies, including CISA, NSA, and FBI, have identified that Chinese state-sponsored cyber actors known as Volt Typhoon are targeting critical infrastructure organizations in the US.Volt Typhoon has compromised IT networks in sectors such as communications, energy, transportation, and water systems, primarily through known vulnerabilities or zero-day exploits.The group's behavior suggests they are positioning themselves for disruptive or destructive attacks on OT assets during geopolitical tensions or military conflicts.Volt Typhoon conducts extensive pre-exploitation reconnaissance to tailor their tactics to the target environment and maintain persistent access through LOTL techniques and strong operational security.They often escalate privileges to obtain administrator credentials, allowing lateral movement to domain controllers and other devices, including OT systems.Volt Typhoon uses LOTL binaries and PowerShell to extract sensitive data from event logs and the NTDS.dit file, bypassing file locking mechanisms.They employ offline password cracking to obtain plaintext passwords and elevated access for further infiltration and discovery.Volt Typhoon has demonstrated the ability to access and manipulate OT assets, such as HVAC systems and energy controls, posing a potential threat to critical infrastructure.International partners assess that the threat to infrastructure in their respective countries is lower but could be impacted by disruptions to US infrastructure.Critical infrastructure organizations are urged to implement mitigations and hunt for malicious activity to prevent or respond to incidents.
New vulnerabilities are continually emerging, and the best defense against attackers exploiting patched vulnerabilities is to keep software up to date. On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway, and Windows Remote Desktop Client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections. The CryptoAPI spoofing vulnerability, known as CVE-2020-0601, affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019. The Windows RD Gateway and Windows Remote Desktop Client vulnerabilities, known as CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611, affect Windows Server 2012 and newer, as well as Windows 7 and newer. The Cybersecurity and Infrastructure Security Agency strongly recommends organizations install these critical patches as soon as possible, prioritizing mission critical systems, internet-facing systems, and networked servers. A successful network intrusion can have severe impacts, including temporary or permanent loss of sensitive information, disruption to regular operations, and financial losses. The agency also recommends reviewing the Microsoft January 2020 Release Notes page and applying critical patches, as well as reviewing general guidance on patch management and cybersecurity practices.
This collaborative report by cybersecurity authorities from Australia, Canada, New Zealand, the United Kingdom, and the United States addresses the malicious use of five widespread, publicly available cybersecurity tools. The report highlights JBiFrost, a Remote Access Trojan; China Chopper, a webshell; Mimikatz, a credential stealer; PowerShell Empire, a lateral movement framework; and HUC Packet Transmitter for C2 obfuscation. These tools, despite being publicly available, have been leveraged by various threat actors, ranging from amateur cyber criminals to state-sponsored groups, to compromise critical sectors like health, finance, government, and defense. The widespread availability of these established tools complicates network defense and threat-actor attribution, as even sophisticated threat actors frequently rely on them after initial system compromises. Initial breaches often occur by exploiting common security weaknesses like unpatched software or misconfigured systems, after which these five tools are deployed to achieve further objectives. The report aims to assist network defenders and system administrators by providing technical details on each tool, including their capabilities, typical uses, and examples of deployment in recent cyber incidents. Crucially, the document offers specific advice and general best practices for detecting the presence of these tools on a network and limiting their effectiveness. For instance, strong patching policies, application allow listing, and monitoring suspicious network patterns are emphasized as essential defenses. This guidance underscores the importance of robust network defense practices against both existing and evolving cyber threats.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a primer to protect critical infrastructure due to heightened tensions with Iran. Organizations should adopt a state of heightened awareness and increase vigilance by monitoring security capabilities and identifying anomalous behavior. It is crucial to confirm reporting processes so personnel know how and when to report incidents. Exercising incident response plans ensures personnel are prepared and have the necessary access and knowledge. Iranian cyber threat actors, often linked to the Islamic Revolutionary Guard Corps (IRGC), have demonstrated increasingly sophisticated capabilities. Historically, Iran has engaged in activities ranging from DDoS attacks to data theft and destructive wiper malware. Examples include attacks on U.S. financial institutions, a New York dam's SCADA system, and the Sands Las Vegas Corporation. CISA recommends reducing vulnerability through disabling unnecessary ports and protocols, and enhancing network and email traffic monitoring. Patching externally facing equipment and logging PowerShell usage are also advised. Ensuring backups are up-to-date and air-gapped is a critical mitigation step. Mitigations for specific Iranian Advanced Persistent Threat techniques include managing access controls, disabling NTLM, and using unique passwords. Detection methods involve monitoring processes interacting with Isass.exe and using tools like AuditD for Linux. Strategies to combat obfuscated files, compressed data, PowerShell misuse, user execution, and scripting are provided, emphasizing monitoring, policy enforcement, and user training.
The Department of Homeland Security's NCCIC and the FBI have issued an alert about the SamSam ransomware, detailing its exploitation methods and providing mitigation strategies. Cyber actors have targeted various industries, including critical infrastructure, with victims primarily in the United States and internationally. SamSam actors gain persistent access to Windows servers, often exploiting vulnerable JBoss applications or utilizing Remote Desktop Protocol (RDP). They achieve administrator privileges and deploy malware without victim interaction, a method that bypasses typical ransomware infection vectors. Stolen RDP credentials, purchased from darknet marketplaces, are frequently used to infiltrate networks rapidly. SamSam ransomware encrypts computers and leaves ransom notes directing victims to contact actors via Tor to arrange payment in Bitcoin for decryption keys. The alert includes technical analysis reports of four SamSam malware variants. Recommended mitigations include auditing and disabling unnecessary RDP, securing open RDP ports with firewalls and VPNs, enforcing strong passwords and account lockout policies, and enabling two-factor authentication. Organizations should also regularly update systems, maintain backups, enable and review RDP login logs, and limit network exposure for critical devices. Additionally, restricting user permissions for software installation, scanning email attachments, and disabling file sharing services are advised. Further guidance on malware incident prevention is available from NIST. Contact information for reporting intrusions and requesting assistance is provided.