CISA | Cybersecurity Advisories

CISA (Cybersecurity and Infrastructure Security Agency) regularly publishes cybersecurity advisories to inform organizations and individuals about potential threats and vulnerabilities. These advisories include detailed reports on specific cybersecurity issues, threat actor tactics, techniques, and procedures, as well as indicators of compromise and recommended mitigations. CISA also provides alerts, which are concise summaries covering current security issues, vulnerabilities, and exploits. Additionally, CISA offers industrial control system (ICS) advisories that focus on vulnerabilities in ICS products and their mitigations.

Thread Of Notes

Defending Against China-Nexus Covert Networks of Compromised Devices

China-nexus cyber actors are increasingly using large-scale networks of compromised devices, known as covert networks, to mask their malicious activities. This shift in tactics, techniques, and procedures (TTPs) moves away from individually procured infrastructure. These covert networks are primarily composed of compromised Small Office/Home Office (SOHO) routers, Internet of Things (IoT) devices, and smart devices. Such networks allow actors to conduct cyber operations with low cost, low risk, and deniability, making attribution difficult. They are utilized across all phases of the cyber kill chain, from reconnaissance to malware delivery and data exfiltration. Evidence suggests that Chinese information security companies create and maintain these covert networks. For example, the Raptor Train network, infecting over 200,000 devices, was managed by Integrity Technology Group. The KV Botnet, used by Volt Typhoon, consisted mainly of vulnerable end-of-life routers. Old defense paradigms relying on static IP blocklists are becoming less effective due to the dynamic and distributed nature of these botnets. Defenders must adapt by mapping network edge devices, baselining normal connections, and leveraging threat intelligence. Implementing multi-factor authentication and employing IP address or geographic allow lists are crucial protective measures. Larger or more at-risk organizations can further enhance security through zero trust policies and by reducing their internet-facing IT estate. Active hunting and tracking of these covert networks as distinct threats is recommended for the most targeted entities. Comprehensive cybersecurity best practices remain fundamental in defending against these evolving threats.

Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure

This advisory warns of Iranian-affiliated cyber actors targeting US critical infrastructure, specifically focusing on Rockwell Automation/Allen-Bradley PLCs. These actors exploit internet-facing OT devices, causing disruptions by manipulating project files and data on HMI/SCADA displays, resulting in operational and financial losses. The affected sectors include government, water, wastewater, and energy. Organizations should review the provided indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). Key actions include removing PLCs from internet exposure, checking logs for suspicious traffic, and contacting relevant agencies. The attacks utilized overseas-based IP addresses and targeted specific ports used by OT devices. The FBI assesses these attacks are part of an ongoing campaign to cause disruptions. The advisory includes a list of IP addresses and MITRE ATT&CK techniques employed by the actors. Recommended mitigations align with CISA and NIST's Cross-Sector Cybersecurity Performance Goals 2.0. Organizations should also consult Rockwell Automation's security guidance. Similar attacks have previously been attributed to the CyberAv3ngers group.

Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and other partners have released a joint advisory on the targeting of critical infrastructure by pro-Russia hacktivists. These groups are conducting less sophisticated attacks against critical infrastructure entities, using minimally secured internet-facing virtual network computing (VNC) connections to infiltrate operational technology control devices. The targeted sectors include Water and Wastewater Systems, Food and Agriculture, and Energy, with the goal of causing physical damage and disrupting operations. The authoring organizations encourage critical infrastructure organizations to implement recommendations to reduce the likelihood and impact of pro-Russia hacktivist-related incidents. Pro-Russia hacktivist groups, such as Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16, are capitalizing on the widespread prevalence of accessible VNC devices to execute attacks. These groups have limited capabilities and frequently misunderstand the processes they aim to disrupt, but they can still cause harm to vulnerable critical infrastructure. The authoring organizations assess that some of these groups have associations with the Russian state through direct or indirect support. The groups use an opportunistic targeting methodology, leveraging superficial criteria such as victim availability and existing vulnerabilities, rather than focusing on strategically significant entities. The advisory provides recommendations for critical infrastructure organizations to mitigate the risk of pro-Russia hacktivist attacks, including implementing secure remote access protocols and monitoring for suspicious activity. Overall, the joint advisory highlights the threat posed by pro-Russia hacktivists to critical infrastructure and the need for organizations to take proactive steps to protect themselves. The authoring organizations will continue to monitor the activities of these groups and provide updates as necessary to help critical infrastructure organizations stay ahead of the threat.

CISA Shares Lessons Learned from an Incident Response Engagement

CISA responded to a cyber incident at a U.S. federal agency after its endpoint detection and response tool flagged suspicious activity. The agency was compromised by exploiting CVE-2024-36401 in two GeoServers. This vulnerability, disclosed shortly before the exploitation, allowed attackers to gain remote code execution. The attackers remained undetected for three weeks, during which they moved laterally to other servers. Key lessons learned from this engagement highlight critical security failures. Prompt remediation of vulnerabilities, particularly in public-facing systems, is essential. Organizations must regularly test and update their incident response plans, ensuring they facilitate third-party assistance. Continuous review of endpoint detection and response alerts is crucial for timely threat detection. Implementing comprehensive and centralized logging is also vital for effective incident analysis. The attackers utilized publicly available tools for reconnaissance, resource development, and various stages of their attack. They employed web shells, cron jobs, and valid accounts for persistence. Privilege escalation attempts were made using known Linux exploits. Defense evasion tactics included indirect command execution and the use of tools like RingQ. Credential access was achieved through brute-force techniques and exploitation of service accounts. Discovery efforts involved network scanning and vulnerability assessment tools. CISA provides indicators of compromise and technical details to help organizations prevent similar attacks.

Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System

This advisory, issued by multiple international cybersecurity agencies, details Chinese state-sponsored cyberattacks targeting global networks. These attacks, often linked to specific Chinese entities, focus on telecommunications, government, and infrastructure networks. Attackers compromise devices, including routers, to gain initial access, then pivot into other networks using trusted connections. They leverage known vulnerabilities, especially on edge devices, and are actively exploiting newly discovered ones. Techniques include modifying access controls, opening ports, and using tunnels to maintain persistent access, often obscuring their true origin. The goal is to steal data for espionage, including tracking communications and movements. The advisory provides details on tactics, techniques, and procedures (TTPs) and encourages network defenders to implement mitigations. Several known threat groups are linked to this activity, although the advisory uses a generic term "APT actors." The attackers are exploiting several CVEs, including those targeting Cisco, Palo Alto, and Ivanti products. Organizations are urged to report compromise details to improve collective defense.

CISA and USCG Identify Areas for Cyber Hygiene Improvement After Conducting Proactive Threat Hunt at US Critical Infrastructure Organization

The Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Coast Guard (USCG) conducted a cybersecurity hunt at a critical infrastructure organization. This advisory shares their findings to help other organizations improve their security posture. Although no malicious activity was discovered, several cybersecurity risks were identified. These included insufficient logging, insecurely stored credentials, and shared local administrator credentials. The organization also had unrestricted remote access for local admin accounts. Furthermore, there was insufficient network segmentation between IT and operational technology (OT) assets, along with several device misconfigurations. Recommendations for mitigation were provided, aligning with CISA and NIST Cybersecurity Performance Goals. Key mitigations involve securely managing credentials, avoiding plaintext storage, and enforcing the principle of least privilege. Organizations are urged to implement these measures to prevent potential compromises. Unique administrator passwords and multifactor authentication for all administrative access are crucial. Strict policies should be enforced for accessing OT networks, using hardened bastion hosts. Comprehensive and detailed logging across all systems is also recommended.

#StopRansomware: Interlock

The Interlock ransomware, first seen in late September 2024, targets businesses and critical infrastructure in North America and Europe. This financially motivated ransomware uses a double extortion model, encrypting data after exfiltration. Initial access is achieved through unusual methods like drive-by downloads from compromised websites and social engineering, specifically the ClickFix technique. Post-infection, Interlock uses various tools for reconnaissance, credential theft, and lateral movement within the network. The ransomware primarily targets virtual machines, encrypting files with .interlock or .1nt3rlock extensions. Ransom demands are not initially displayed but are communicated via a unique code and a .onion URL after contact from victims. The FBI, CISA, HHS, and MS-ISAC are releasing this advisory to share indicators of compromise and tactics, techniques, and procedures to aid in mitigation efforts. The advisory emphasizes implementing robust endpoint detection and response (EDR) tools to protect against Interlock. Similarities between Interlock and Rhysida ransomware are noted. Organizations are encouraged to follow the provided mitigation recommendations to reduce risk. The advisory concludes with a table listing tools used by the actors.

Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing an advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. Ransomware actors have been targeting organizations through unpatched versions of SimpleHelp RMM since January 2025. SimpleHelp versions 5.5.7 and earlier contain several vulnerabilities, including CVE-2024-57727, which is a path traversal vulnerability. CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities (KEV) Catalog on February 13, 2025. CISA urges software vendors, downstream customers, and end users to immediately implement the recommended mitigations based on confirmed compromise or risk of compromise. The mitigations include isolating the SimpleHelp server instance from the internet or stopping the server process, upgrading to the latest SimpleHelp version, and conducting threat hunting actions for evidence of compromise. CISA also recommends implementing proactive mitigations to reduce risk, such as maintaining a robust asset inventory, conducting daily system backups, and establishing open communication channels with third-party vendors. If a system has been encrypted by ransomware, CISA recommends disconnecting the affected system from the internet, reinstalling the operating system, and wiping the system and restoring data from a clean backup.

Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations

The FBI and CISA have released a joint advisory on the LummaC2 malware, which can infiltrate computer networks and exfiltrate sensitive information of individuals and organizations across multiple US critical infrastructure sectors. The malware has been observed as recently as May 2025, with indicators of compromise dating back to November 2023. LummaC2 is typically deployed through spearphishing hyperlinks and attachments, and can bypass standard cybersecurity measures. Once a host is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, and multifactor authentication details. The malware uses a command and control server to receive instructions, and can steal data, take screenshots, and delete itself. The advisory includes indicators of compromise, and recommends that organizations investigate and vet these indicators prior to taking action. The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of the advisory to reduce the likelihood and impact of LummaC2 malware. The advisory uses the MITRE ATT&CK Matrix for Enterprise framework to map threat actor activity to tactics and techniques. The LummaC2 malware has been observed for sale on Russian-language cybercriminal forums since 2022, and has been used to steal sensitive information from over 21,000 victims.

Russian GRU Targeting Western Logistics Entities and Technology Companies

A joint cybersecurity advisory highlights a Russian state-sponsored cyber campaign targeting logistics entities and technology companies involved in foreign assistance to Ukraine. The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165, has been conducting a cyber espionage-oriented campaign using a mix of previously disclosed tactics, techniques, and procedures (TTPs). The campaign targets technology companies and logistics entities, including those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The actors' TTPs include reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions. The campaign is likely connected to the actors' wide-scale targeting of IP cameras in Ukraine and bordering NATO nations. The authors of the advisory expect similar targeting and TTP use to continue. Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting and increase monitoring and threat hunting for known TTPs and indicators of compromise. The campaign has targeted dozens of entities across virtually all transportation modes, including air, sea, and rail, and has targeted entities associated with defense industry, transportation, maritime, air traffic management, and other sectors. The countries with targeted entities include Bulgaria, Czech Republic, France, Germany, Greece, Italy, Moldova, Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. The actors have used various techniques to gain initial access to targeted entities, including credential guessing, spearphishing, and exploitation of vulnerabilities.

Fast Flux: A National Security Threat

Fast flux is a malicious technique where attackers rapidly change DNS records to hide the location of their servers and evade detection. This poses a significant national security threat, allowing cybercriminals and nation-state actors to maintain resilient C2 infrastructure. The advisory, jointly released by multiple agencies, warns organizations and service providers about fast-flux-enabled malicious activities. It urges providers, especially PDNS providers, to develop fast flux detection and blocking capabilities. The document provides guidance on detecting and mitigating fast flux using DNS analysis, network monitoring, and threat intelligence. Fast flux utilizes techniques like single and double flux, using compromised hosts and botnets for proxying. This facilitates resilience, anonymity, and effective circumvention of IP blocking, enabling phishing and malicious marketplaces. The advisory recommends a layered approach to detection, including threat intelligence feeds, anomaly detection, and TTL analysis. Mitigation strategies involve blocking malicious domains and IPs, reputational filtering, and enhanced monitoring. Collaboration and information sharing are crucial for defending against fast flux.
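The TTL analysis and anomaly detection the advisory recommends can be applied to a domain's resolution history. The following is an added example, not code from the advisory: it assumes passive-DNS style observations (a constructed format) with an ASN already attached to each IP, and it distinguishes single flux (rotating A records) from double flux (rotating name servers too), while leaving a CDN-fronted domain unflagged because its short-TTL addresses stay inside one ASN. Thresholds are illustrative assumptions.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class DnsObservation:
    """One answer seen by a resolver or passive-DNS sensor (constructed format)."""
    ts: int       # unix time the answer was observed
    domain: str   # queried name
    rtype: str    # "A" for the host record, "NS" for a name server (recorded by its IP)
    ip: str       # address carried in the answer
    ttl: int      # TTL the authoritative server set on the record
    asn: int      # AS number of ip; a real pipeline would look this up in an ASN database

# Illustrative thresholds (assumptions, not values from the advisory): flux infrastructure
# combines short TTLs with many addresses spread across unrelated networks, whereas a
# CDN also uses short TTLs but keeps its addresses inside a few ASNs.
MAX_TTL = 300
MIN_A_IPS = 5
MIN_A_ASNS = 3
MIN_NS_IPS = 3
MIN_NS_ASNS = 2

def _churn(records):
    """Distinct IPs, distinct ASNs and median TTL for a set of records."""
    if not records:
        return 0, 0, None
    return (len({r.ip for r in records}), len({r.asn for r in records}),
            median(r.ttl for r in records))

def classify_domain(observations, domain, window=None):
    """Return a flux profile for one domain over an optional (start, end) time window."""
    recs = [o for o in observations if o.domain == domain]
    if window:
        recs = [o for o in recs if window[0] <= o.ts <= window[1]]
    a_ips, a_asns, a_ttl = _churn([r for r in recs if r.rtype == "A"])
    ns_ips, ns_asns, ns_ttl = _churn([r for r in recs if r.rtype == "NS"])
    reasons = []
    # Single flux: the A record set rotates quickly through addresses in many networks.
    single = (a_ttl is not None and a_ttl <= MAX_TTL
              and a_ips >= MIN_A_IPS and a_asns >= MIN_A_ASNS)
    if single:
        reasons.append(f"A records: {a_ips} IPs in {a_asns} ASNs, median TTL {a_ttl:.0f}s")
    # Double flux: the name servers themselves rotate the same way.
    double = (single and ns_ttl is not None and ns_ttl <= MAX_TTL
              and ns_ips >= MIN_NS_IPS and ns_asns >= MIN_NS_ASNS)
    if double:
        reasons.append(f"NS records: {ns_ips} IPs in {ns_asns} ASNs, median TTL {ns_ttl:.0f}s")
    kind = "double-flux" if double else "single-flux" if single else "none"
    return {"domain": domain, "kind": kind, "a_ips": a_ips, "a_asns": a_asns,
            "ns_ips": ns_ips, "ns_asns": ns_asns, "reasons": reasons}

def flagged_domains(observations):
    """Every domain in the data set whose profile is single or double flux."""
    return sorted(d for d in {o.domain for o in observations}
                  if classify_domain(observations, d)["kind"] != "none")

def _obs(domain, rtype, ttl, ip_asn_pairs, t0=1_700_000_000, step=60):
    """Build constructed observations spaced `step` seconds apart."""
    return [DnsObservation(t0 + i * step, domain, rtype, ip, ttl, asn)
            for i, (ip, asn) in enumerate(ip_asn_pairs)]

# Constructed sample: a double-flux domain, a CDN-fronted domain and a static host.
SAMPLE = (
    _obs("flux.example", "A", 60, [
        ("203.0.113.10", 64500), ("198.51.100.7", 64501), ("192.0.2.44", 64502),
        ("203.0.113.99", 64500), ("198.51.100.120", 64503), ("192.0.2.8", 64504),
        ("203.0.113.10", 64500)])
    + _obs("flux.example", "NS", 120, [
        ("198.51.100.3", 64501), ("192.0.2.77", 64502), ("203.0.113.200", 64500),
        ("198.51.100.3", 64501)])
    + _obs("cdn.example", "A", 60, [
        ("192.0.2.1", 64510), ("192.0.2.2", 64510), ("192.0.2.3", 64510),
        ("192.0.2.4", 64510), ("192.0.2.5", 64510), ("192.0.2.6", 64510)])
    + _obs("static.example", "A", 86400, [("203.0.113.5", 64520)] * 3)
)

if __name__ == "__main__":
    for name in sorted({o.domain for o in SAMPLE}):
        profile = classify_domain(SAMPLE, name)
        print(f"{name:16} {profile['kind']:12} {'; '.join(profile['reasons'])}")
```

In a real deployment the ASN diversity check is what keeps legitimate CDN and round-robin hosts out of the block list; tune the thresholds against your own resolver logs before acting on a hit.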

#StopRansomware: Medusa Ransomware

The FBI, CISA, and MS-ISAC have released a joint advisory to disseminate known Medusa ransomware tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021, and as of February 2025, it has impacted over 300 victims from various critical infrastructure sectors. Medusa actors employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid. The actors typically recruit initial access brokers (IABs) to obtain initial access to potential victims, often through phishing campaigns and exploitation of unpatched software vulnerabilities. Once a foothold is established, Medusa actors use living off the land (LOTL) and legitimate tools for initial user, system, and network enumeration. They also use PowerShell and the Windows Command Prompt for network and filesystem enumeration, and to utilize Ingress Tool Transfer capabilities. Medusa actors attempt to avoid detection by using various evasion techniques, including certutil and PowerShell detection evasion techniques. The actors have also been observed using legitimate remote access software to move laterally through the network and identify files for exfiltration and encryption. Finally, Medusa actors use Rclone to facilitate exfiltration of data to their C2 servers and employ a double extortion model to demand payment from victims.

#StopRansomware: Ghost (Cring) Ransomware

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint advisory to provide information on the Ghost (Cring) ransomware variant. Ghost actors, located in China, have been conducting widespread attacks for financial gain since early 2021, targeting organizations with outdated software and firmware. The group has compromised organizations in over 70 countries, including critical infrastructure, schools, healthcare, government networks, and small- and medium-sized businesses. Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet-facing servers. They rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, making attribution challenging. The group uses various tools, including Cobalt Strike, to exploit vulnerabilities, gain access, and move laterally within victim networks. The advisory provides technical details on the tactics, techniques, and procedures (TTPs) used by Ghost actors, including initial access, execution, persistence, privilege escalation, credential access, defense evasion, discovery, lateral movement, exfiltration, and command and control. The group relies heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control operations. The impact of Ghost ransomware activity varies widely on a victim-to-victim basis, with the group typically demanding tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software. The advisory encourages organizations to implement recommendations to reduce the likelihood and impact of Ghost ransomware incidents.

Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory regarding the exploitation of vulnerabilities in Ivanti Cloud Service Appliances (CSA). The vulnerabilities, including CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380, were exploited in September 2024, allowing threat actors to gain initial access, conduct remote code execution, obtain credentials, and implant webshells on victim networks. The actors chained the vulnerabilities to gain access, with two primary exploit paths: one leveraging CVE-2024-8963 with CVE-2024-8190 and CVE-2024-9380, and the other exploiting CVE-2024-8963 with CVE-2024-9379. The vulnerabilities affect Ivanti CSA 4.6x versions before 519, and two of them also affect CSA versions 5.0.1 and below. Ivanti CSA 4.6 is End-of-Life and no longer receives patches or third-party libraries, and CISA and FBI strongly encourage network administrators to upgrade to the latest supported version. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within the advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised, and organizations should collect and analyze logs and artifacts for malicious activity. The advisory provides technical details on the vulnerabilities, including the MITRE ATT&CK tactics and techniques used by the threat actors. The actors' activity was detected by three victim organizations, which were able to remediate the incidents by replacing virtual machines with clean and upgraded versions.

2023 Top Routinely Exploited Vulnerabilities

In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks, allowing them to conduct operations against higher-priority targets. The majority of the most frequently exploited vulnerabilities were initially exploited as zero-day vulnerabilities, which is an increase from 2022. The authoring agencies, including CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, and CERT NZ, developed this joint Cybersecurity Advisory to provide details on the top 15 vulnerabilities exploited by malicious cyber actors in 2023. These vulnerabilities include code injection, buffer overflow, privilege escalation, command injection, SQL injection, broken access control, remote code execution, improper input validation, and information disclosure. The advisory also provides recommendations for vendors, designers, developers, and end-user organizations to reduce the risk of compromise by malicious cyber actors.

Microsoft Releases October 2024 Security Updates

Microsoft released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following and apply necessary updates: Microsoft Security Update Guide for October

Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Communications Security Establishment Canada (CSE), Australian Federal Police (AFP), and Australian Cyber Security Centre (ASD's ACSC) have released a joint Cybersecurity Advisory to warn of Iranian cyber actors' use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors. The actors likely aim to obtain credentials and network information that can then be sold to cybercriminals. The actors use brute force, such as password spraying, and multifactor authentication (MFA) 'push bombing' to compromise user accounts and obtain access to organizations. They leverage virtual private network (VPN) services for command and control. To detect brute force activity, review authentication logs for system and application login failures of valid accounts and look for multiple, failed authentication attempts across all accounts. Implementing phishing-resistant MFA and disabling user accounts and access to organizational resources for departing staff can help minimize system exposure.
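The detection guidance above (failures of valid accounts spread across many accounts, plus MFA push bombing) can be turned into a log check. This is an added example, not code from the advisory: it assumes a constructed key=value authentication log format, and flags a source that fails against many distinct accounts with only a few tries each, reports any account that then succeeded from that source, and separately flags an account hit by a burst of MFA push prompts. Window sizes and thresholds are illustrative assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format (not from the advisory): one key=value record per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>\S+)$")

def parse_auth_log(lines):
    """Parse log lines into event dicts with a unix-time `ts`; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).timestamp()
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect_password_spray(events, window_s=3600, min_accounts=10, max_per_account=3):
    """Flag sources that fail against many distinct accounts with few tries each.

    Spraying stays under per-account lockout thresholds, so the signal is the breadth of
    accounts touched from one source in a window, not the depth of failures per account.
    """
    fails_by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "fail":
            fails_by_src[e["src"]].append((e["ts"], e["user"]))
    findings = []
    for src, fails in fails_by_src.items():
        best, j = None, 0
        for i in range(len(fails)):          # sliding window over time-sorted failures
            while fails[i][0] - fails[j][0] > window_s:
                j += 1
            per_account = Counter(user for _, user in fails[j:i + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                if best is None or len(per_account) > best["distinct_accounts"]:
                    best = {"src": src, "distinct_accounts": len(per_account),
                            "window_start": fails[j][0], "window_end": fails[i][0]}
        if best:
            # A success from the spraying source marks the account needing immediate action.
            best["post_spray_success"] = sorted({
                e["user"] for e in events
                if e["src"] == src and e["event"] == "login" and e["result"] == "success"
                and e["ts"] >= best["window_start"]})
            findings.append(best)
    return findings

def detect_push_bombing(events, window_s=600, min_prompts=5):
    """Flag accounts that receive a burst of MFA push prompts within a short window."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes[e["user"]].append(e["ts"])
    findings = []
    for user, stamps in pushes.items():
        best, j = 0, 0
        for i in range(len(stamps)):
            while stamps[i] - stamps[j] > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_prompts:
            findings.append({"user": user, "prompts": best})
    return findings

def _line(ts, src, user, event, result):
    return f"{ts} src={src} user={user} event={event} result={result}"

def build_sample_log():
    """Constructed sample: a spray, a noisy legitimate user and a push-bombing burst."""
    users = ["asmith", "bjones", "cwang", "dlopez", "ekhan", "fmiller",
             "gpatel", "hkim", "iroth", "jnguyen", "kchen", "lortiz"]
    # spray: twelve accounts, one attempt each, 90 s apart, all from one source
    lines = [_line(f"2025-03-01T02:{i * 90 // 60:02d}:{i * 90 % 60:02d}Z",
                   "203.0.113.5", u, "login", "fail") for i, u in enumerate(users)]
    lines.append(_line("2025-03-01T02:20:00Z", "203.0.113.5", "kchen", "login", "success"))
    # legitimate user mistyping a password three times before succeeding
    lines += [_line(f"2025-03-01T09:15:{s:02d}Z", "198.51.100.9", "bjones", "login", "fail")
              for s in (0, 20, 40)]
    lines.append(_line("2025-03-01T09:16:05Z", "198.51.100.9", "bjones", "login", "success"))
    # push bombing: six prompts to one account in under three minutes
    lines += [_line(f"2025-03-01T03:0{s // 60}:{s % 60:02d}Z", "203.0.113.5", "carol",
                    "mfa_push", "sent") for s in range(0, 180, 30)]
    lines.append(_line("2025-03-01T08:00:00Z", "198.51.100.9", "dlopez", "mfa_push", "sent"))
    return lines

if __name__ == "__main__":
    events = parse_auth_log(build_sample_log())
    print("password spray:", detect_password_spray(events))
    print("push bombing:", detect_push_bombing(events))
```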

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has updated its Known Exploited Vulnerabilities Catalog with a new vulnerability, CVE-2024-8963, which is an Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability. This type of vulnerability is frequently exploited by malicious actors and poses a significant risk to the federal enterprise. The Known Exploited Vulnerabilities Catalog was established by the Binding Operational Directive (BOD) 22-01 to identify and address vulnerabilities that carry significant risks to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date to protect their networks against active threats. CISA strongly urges all organizations to prioritize timely remediation of catalog vulnerabilities as part of their vulnerability management practice. The Known Exploited Vulnerabilities Catalog is a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risks to the federal enterprise. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. The BOD 22-01 Fact Sheet provides more information on the directive.

Russian Military Cyber Actors Target US and Global Critical Infrastructure

The FBI, CISA, and NSA have identified Russian GRU Unit 29155 as responsible for cyber operations targeting global entities since 2020, aiming for espionage, sabotage, and reputational harm. This unit, distinct from other GRU cyber groups, deployed the destructive WhisperGate malware against Ukrainian organizations in January 2022. To mitigate this threat, organizations should prioritize system updates, network segmentation, and multifactor authentication. This advisory outlines the tactics, techniques, and procedures employed by Unit 29155, including their use of publicly available tools and vulnerabilities. The FBI assesses Unit 29155 cyber actors as junior GRU officers gaining experience through cyber operations and relying on non-GRU individuals for support. The cybersecurity industry tracks this group under various names, including Cadet Blizzard, Ember Bear, and Frozenvista. In addition to Ukraine, Unit 29155 has targeted NATO members and other countries in Europe, Latin America, and Central Asia. Their activities include website defacements, infrastructure scanning, data exfiltration, and public data leaks. Since early 2022, their focus has shifted to disrupting aid to Ukraine. The FBI has observed over 14,000 instances of domain scanning across 26 NATO members and several EU countries. Unit 29155 targets critical infrastructure sectors, including government services, finance, transportation, energy, and healthcare. Their reconnaissance techniques include using tools like Acunetix, Amass, MASSCAN, and Shodan to scan for vulnerabilities and collect information. They have been observed obtaining exploit scripts for various CVEs and using them for initial access. The group frequently utilizes common red teaming techniques and publicly available tools, relying on dark web forums to obtain malware and loaders. They have exploited vulnerabilities in Dahua IP cameras to bypass authentication and exfiltrate data. Unit 29155 has employed various methods for lateral movement, including using Shodan to identify IoT devices and exploiting vulnerabilities in IP cameras to gain access and dump configuration settings. The advisory provides a list of Indicators of Compromise (IOCs) to assist in identifying and mitigating potential threats associated with this group.

#StopRansomware: RansomHub Ransomware

The joint Cybersecurity Advisory by the FBI, CISA, MS-ISAC, and HHS aims to provide information on the RansomHub ransomware variant, which has been identified as a ransomware-as-a-service model that has attracted high-profile affiliates from other prominent variants. RansomHub has encrypted and exfiltrated data from at least 210 victims across various sectors. Affiliates use phishing emails, exploit known vulnerabilities, and password spraying to gain initial access. They then conduct network scanning, disable antivirus products, and move laterally inside the network using tools like Mimikatz, Cobalt Strike, and others. Data exfiltration methods vary but include tools such as PuTTY, AWS S3 buckets, and HTTP POST requests. The ransomware uses an Elliptic Curve Encryption algorithm to encrypt files, appending a unique key and checksum at the end of each file. The ransomware executable does not encrypt executable files and deletes volume shadow copies to hinder system recovery.

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

The FBI, CISA, and DC3 warn of Iranian cyber actors exploiting US and foreign organizations for ransomware attacks. These actors leverage remote device vulnerabilities, such as CVE-2024-3400, CVE-2024-24919, and CVE-2023-3519, to gain initial network access. Once inside, they create accounts, disable security software, and escalate privileges. They collaborate with ransomware affiliates, including NoEscape, Ransomhouse, and ALPHV (aka BlackCat), to facilitate encryption operations. The FBI assesses these actors are state-sponsored and engage in espionage activities, including data theft, in support of the Government of Iran. Victims include organizations in the education, finance, healthcare, defense, and government sectors. Mitigations include patching vulnerable devices, implementing zero-trust policies, and monitoring network activity for suspicious behavior. If compromised, organizations should contact the FBI or report the incident to CISA.

Best Practices for Event Logging and Threat Detection

Event Logging Best Practices for Cyber Threat Mitigation

This guidance defines best practices for event logging to enhance cyber security and network visibility, addressing challenges such as living off the land techniques used by malicious actors.

Four Key Factors for Effective Logging
- Enterprise-approved Event Logging Policy: Establishes a consistent approach to logging across environments.
- Centralized Event Log Access and Correlation: Allows for efficient monitoring and analysis of event logs.
- Secure Storage and Event Log Integrity: Preserves the integrity and accessibility of event logs.
- Detection Strategy for Relevant Threats: Focuses logging on identifying malicious activities and indicators of compromise.

Event Log Quality
- High-quality logs provide detailed information on security events, aiding in incident identification and threat detection.
- Relevant considerations for LOTL detection include capturing logs on specific commands and tools used by malicious actors.

Captured Event Log Details
- Logs should contain sufficient information for network defenders to investigate and respond to incidents, including timestamps, event types, and system identifiers.
- Using key-value pairs for data formatting simplifies log analysis.

Operational Technology Considerations
- OT devices often have limited logging capabilities, requiring supplemental solutions or out-of-band log communications.

Consistency and Synchronization
- Consistent log formats and timestamps across systems facilitate log search and correlation.
- Accurate time sources assist in identifying connections between events.

Additional Resources
- ASD's Information Security Manual: Provides guidelines for event log recording.
- CISA's M-21-31 Guidance: Outlines priorities for log collection.
- NIST's OT Security Guide: Addresses OT-specific event logging considerations.

CISA Adds Six Known Exploited Vulnerabilities to Catalog

CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including vulnerabilities in Microsoft Project, Windows Scripting Engine, and Windows Kernel. These vulnerabilities are actively exploited and pose significant risks to federal agencies and organizations. BOD 22-01 requires FCEB agencies to remediate these vulnerabilities by specified due dates. While BOD 22-01 applies only to FCEB agencies, CISA recommends that all organizations prioritize remediation of Catalog vulnerabilities to mitigate cyberattack risks. CISA will continue to update the catalog with vulnerabilities that meet specific criteria for active exploitation.

Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization

The Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment for a critical infrastructure organization in the United States. The assessment involved simulating real-world malicious cyber operations to evaluate the organization's cybersecurity detection and response capabilities. The red team used a web shell left from a previous security assessment to gain initial access to the network. They escalated privileges on the host, discovered credential material on a misconfigured Network File System (NFS) share, and moved from the DMZ to the internal network. The team exploited a certificate for client authentication to compromise a system configured for Unconstrained Delegation, allowing them to acquire a ticket granting ticket (TGT) for a domain controller. This led to the compromise of the domain and several sensitive business systems (SBSs). The organization detected much of the red team's activity in their Linux infrastructure after being alerted by CISA. Network defenders mitigated the vulnerability and initiated threat hunting activities, detecting some of the red team's activity. However, they failed to act promptly on the malicious network traffic through their DMZ or challenge much of the red team's presence in the organization's Windows environment. The red team was able to compromise the domain and SBSs due to insufficient controls to detect and respond to their activities.

North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs

The FBI and its partners alert organizations to ongoing cyber espionage activity by North Korea's Reconnaissance General Bureau (RGB) 3rd Bureau, known as Andariel. This group targets defense, aerospace, nuclear, and engineering entities to acquire sensitive technical information for Pyongyang's military and nuclear programs. The group conducts phishing campaigns and exploits software vulnerabilities, such as Log4j, to gain initial access to networks. They utilize custom malware implants and open-source tooling for lateral movement, data exfiltration, and remote access. The group funds their operations through ransomware attacks against US healthcare entities. Critical infrastructure organizations are advised to patch vulnerabilities, protect web servers from web shells, and enhance authentication and remote access protections. The victimology includes heavy tanks, fighter aircraft, submarines, nuclear power plants, and shipbuilding technology. The group's techniques align with the MITRE ATT&CK framework, including reconnaissance, exploitation, and execution. By sharing this advisory, the authoring agencies aim to assist organizations in defending against Andariel's malicious cyber espionage activities.

CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth

CISA conducted a SILENTSHIELD assessment on a Federal Civilian Executive Branch organization, simulating nation-state cyber operations. The red team gained initial access through an unpatched web server vulnerability and then compromised the Windows network via phishing. The team fully compromised the domain and pivoted to an external organization, highlighting the importance of defense-in-depth. The organization had insufficient controls to prevent and detect malicious activity, inefficient log collection and analysis, and bureaucratic barriers hindering network defenders. The team's findings emphasized the value of behavior-based indicators of compromise, an "allowlist" approach, and defense-in-depth. CISA recommends applying these principles, including robust network segmentation, baselining network traffic, and focusing on behavior-based detection. Software manufacturers are urged to implement secure by design principles and eliminate default passwords to enhance network security. By addressing these vulnerabilities, organizations can reduce the risk of domain compromise and malicious cyber activity.

People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action

This advisory details the activities and threats posed by a PRC state-sponsored cyber group known as APT40, targeting Australian and international networks.

Activity Overview:
- APT40 utilizes sophisticated techniques to exploit vulnerabilities in popular software (e.g., Log4j, Atlassian Confluence, Microsoft Exchange) and penetrate networks.
- The group often compromises vulnerable public-facing infrastructure and uses compromised devices as operational infrastructure.
- APT40 places emphasis on establishing persistence and obtaining valid credentials to maintain access.

Notable Tradecraft:
- APT40 has shifted towards using compromised small-office/home-office (SOHO) devices as C2 infrastructure.
- The group's use of procured or leased infrastructure as C2 infrastructure has declined.

Tooling:
- ASD's ACSC has provided malicious file samples for analysis and detection.

Case Studies:
- Two anonymized investigative reports highlight APT40's techniques and tradecraft.
- In one case study, the organization was deliberately targeted and sensitive data was exfiltrated.
- The investigation revealed the group's ability to move laterally through the network and obtain privileged credentials.

Conclusion: APT40 remains a significant threat to organizations worldwide. Understanding their tactics, techniques, and procedures is crucial for implementing effective mitigation measures.

#StopRansomware: Black Basta

This Cybersecurity Advisory (CSA) aims to provide information on Black Basta, a ransomware-as-a-service variant, to help organizations protect themselves. First identified in April 2022, Black Basta has impacted numerous organizations across critical infrastructure sectors globally. Black Basta affiliates exploit common vulnerabilities, such as phishing emails and software flaws, to gain access to victims' systems. They employ a double-extortion tactic by encrypting data and stealing it for future leverage. Victims are given a set timeframe to meet ransom demands, typically communicated through a .onion URL, or risk their data being published on the "Basta News" Tor site. Black Basta actors target healthcare organizations because of their critical nature and potential access to sensitive personal data. Organizations are strongly encouraged to review and implement the provided mitigation recommendations to bolster their defenses against Black Basta and similar ransomware threats. The advisory details Black Basta's tactics and techniques, mapping them to the MITRE ATT&CK framework for comprehensive understanding. It outlines their methods of initial access, privilege escalation, defense evasion, execution, and the tools used in each step. Furthermore, the CSA provides a list of indicators of compromise (IOCs), including file hashes associated with Black Basta, aiding organizations in detecting potential infections. Victims of Black Basta ransomware attacks are advised to report the incident to the FBI or CISA for assistance and support.

#StopRansomware: Akira Ransomware

This Cybersecurity Advisory addresses the Akira ransomware, outlining its tactics, techniques, and procedures, along with indicators of compromise, to aid organizations in bolstering their defenses. Since its emergence in 2023, Akira has targeted diverse sectors globally, impacting over 250 organizations and amassing an estimated $42 million in ransom payments. The ransomware exploits vulnerabilities in VPN services, RDP, spear phishing, and compromised credentials to gain initial access. Following infiltration, Akira actors establish persistence, escalate privileges, and conduct reconnaissance within the compromised network. They employ defense evasion techniques, including disabling security software, and utilize a double-extortion model, exfiltrating data before encrypting systems. Data exfiltration is carried out through tools like FileZilla, WinRAR, and RClone, with command-and-control channels established via AnyDesk, MobaXterm, and similar tools. Encryption is achieved using a robust hybrid method combining ChaCha20 and RSA algorithms, hindering system recovery. Victims receive ransom notes with instructions for contacting the threat actors, with payments demanded in Bitcoin. The advisory further details leveraged tools, indicators of compromise, and two distinct Akira variants, including the newer Akira_v2, highlighting its enhanced functionalities and evolution.

#StopRansomware: Phobos Ransomware

The Phobos ransomware, a ransomware-as-a-service (RaaS) model, has been observed targeting state, local, tribal, and territorial governments, as well as critical infrastructure entities, since May 2019. Phobos actors use phishing campaigns, IP scanning tools, and brute force attacks on exposed RDP ports to gain initial access to vulnerable networks. They also use various open source tools such as Smokeloader, Cobalt Strike, and Bloodhound to maintain persistence and escalate privileges within compromised environments. Phobos ransomware variants, including Elking, Eight, Devos, Backmydata, and Faust, have been linked to Phobos due to similar tactics, techniques, and procedures (TTPs) observed in Phobos intrusions. The ransomware uses commands to delete volume shadow copies, disable Windows Firewall, and set the system's boot status policy to ignore all failures. It also deletes the system's backup catalog and displays a ransom note to the end user. Phobos actors use various email providers for communication and exfiltration, and they have been known to list victims and host stolen data on onion sites.

SVR Cyber Actors Adapt Tactics for Initial Cloud Access

The SVR, a sophisticated cyber espionage group, has adapted its tactics to target cloud infrastructure, using brute force, password spraying, and exploiting system and dormant accounts. They also use stolen access tokens to bypass passwords and multi-factor authentication through "MFA bombing." To defend against these activities, organizations should implement multi-factor authentication, disable inactive accounts, and enforce least privilege access for system and service accounts. They should also configure device enrollment policies, monitor application and host-based logs, and use zero-touch enrollment where possible. The NCSC and international partners have observed these tactics in the last 12 months, and the guidance in this advisory aims to help network defenders mitigate against the SVR's initial access vectors.

Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways

Cybercriminals are actively exploiting vulnerabilities in Ivanti Connect Secure and Policy Secure gateways, which can allow them to execute arbitrary commands with elevated privileges. These vulnerabilities impact all supported versions and are being used in a chain of exploits to bypass authentication and craft malicious requests. Despite Ivanti's Integrity Checker Tool (ICT), CISA has determined that it is insufficient to detect compromise, as cybercriminals have been able to deceive it and maintain root-level persistence even after factory resets. Network defenders should assume compromised user and service account credentials, hunt for malicious activity, run the latest ICT, and apply patches as they become available. In the event of compromise, organizations should quarantine affected hosts, reimage them, reset credentials, identify and remove malicious administrator accounts, and collect and analyze artifacts. CISA recommends that organizations consider the significant risk of adversary access and persistence on Ivanti gateways and evaluate whether to continue operating them. The Federal Emergency Directive (ED) 24-01 requires Federal Civilian Executive Branch (FCEB) agencies to take specific actions on affected products. The Canadian Centre for Cyber Security has issued an alert with periodic updates for affected IT professionals. Indicators of Compromise (IOCs) and YARA rules are provided to aid in detecting malicious activity. Network defenders should map malicious cyber activity to the MITRE ATT&CK framework for improved detection and response.

Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization

An unidentified threat actor compromised network administrator credentials of a former employee to access a state government organization's on-premises environment through a virtual private network (VPN). The actor used compromised accounts and executed LDAP queries to collect user and host information, which was later posted on a dark web brokerage site.

Key Points:
* Threat actors commonly exploit accounts of former employees to gain access to organizations.
* The threat actor compromised a global domain administrator account, granting them administrative privileges on both on-premises and Azure environments.
* The actor executed LDAP queries to collect detailed information about users, hosts, and trust relationships.
* The actor authenticated to various services, including CIFS, for network discovery and file exploration.
* The victim organization had not disabled the compromised employee's account promptly after their departure.
* The victim organization took swift action to disable compromised accounts and remove administrator privileges after discovering the dark web posting.

Mitigations:
* Disable accounts of former employees immediately upon termination.
* Implement multifactor authentication (MFA) for all administrative accounts.
* Regularly audit and monitor Active Directory accounts for suspicious activity.
* Implement network monitoring and detection tools to detect unauthorized access.
* Conduct regular security assessments to identify and address vulnerabilities.

PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

US agencies, including CISA, NSA, and FBI, have identified that Chinese state-sponsored cyber actors known as Volt Typhoon are targeting critical infrastructure organizations in the US. Volt Typhoon has compromised IT networks in sectors such as communications, energy, transportation, and water systems, primarily through known vulnerabilities or zero-day exploits. The group's behavior suggests they are positioning themselves for disruptive or destructive attacks on OT assets during geopolitical tensions or military conflicts. Volt Typhoon conducts extensive pre-exploitation reconnaissance to tailor their tactics to the target environment and maintain persistent access through LOTL techniques and strong operational security. They often escalate privileges to obtain administrator credentials, allowing lateral movement to domain controllers and other devices, including OT systems. Volt Typhoon uses LOTL binaries and PowerShell to extract sensitive data from event logs and the NTDS.dit file, bypassing file locking mechanisms. They employ offline password cracking to obtain plaintext passwords and elevated access for further infiltration and discovery. Volt Typhoon has demonstrated the ability to access and manipulate OT assets, such as HVAC systems and energy controls, posing a potential threat to critical infrastructure. International partners assess that the threat to infrastructure in their respective countries is lower but could be impacted by disruptions to US infrastructure. Critical infrastructure organizations are urged to implement mitigations and hunt for malicious activity to prevent or respond to incidents.

Known Indicators of Compromise Associated with Androxgh0st Malware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory to address known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. This malware is used to establish a botnet that can identify and compromise vulnerable networks. The advisory provides a list of IOCs and TTPs, including scanning for websites using the Laravel web application framework, targeting the PHPUnit module, and exploiting CVE-2017-9841 for remote code execution. It also highlights the malware's ability to access databases and steal credentials for services such as AWS, SendGrid, and Twilio. The advisory encourages organizations to implement mitigation strategies to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.

Publicly Available Tools Seen in Cyber Incidents Worldwide

This collaborative report by cybersecurity authorities from Australia, Canada, New Zealand, the United Kingdom, and the United States addresses the malicious use of five widespread, publicly available cybersecurity tools. The report highlights JBiFrost, a Remote Access Trojan; China Chopper, a webshell; Mimikatz, a credential stealer; PowerShell Empire, a lateral movement framework; and HUC Packet Transmitter for C2 obfuscation. These tools, despite being publicly available, have been leveraged by various threat actors, ranging from amateur cyber criminals to state-sponsored groups, to compromise critical sectors like health, finance, government, and defense. The widespread availability of these established tools complicates network defense and threat-actor attribution, as even sophisticated threat actors frequently rely on them after initial system compromises. Initial breaches often occur by exploiting common security weaknesses like unpatched software or misconfigured systems, after which these five tools are deployed to achieve further objectives. The report aims to assist network defenders and system administrators by providing technical details on each tool, including their capabilities, typical uses, and examples of deployment in recent cyber incidents. Crucially, the document offers specific advice and general best practices for detecting the presence of these tools on a network and limiting their effectiveness. For instance, strong patching policies, application allow listing, and monitoring suspicious network patterns are emphasized as essential defenses. This guidance underscores the importance of robust network defense practices against both existing and evolving cyber threats.

DNS Infrastructure Hijacking Campaign

The National Cybersecurity and Communications Integration Center (NCCIC) has identified a global Domain Name System (DNS) infrastructure hijacking campaign. Attackers exploit compromised credentials to alter an organization’s DNS records, rerouting user traffic. This redirection allows them to intercept and inspect network traffic destined for legitimate services. A critical aspect of this attack is the attacker's ability to obtain valid encryption certificates for the targeted domain names. These valid certificates enable man-in-the-middle attacks by allowing decryption of traffic without raising user warnings. The campaign leverages compromised credentials to modify DNS records like A, MX, and NS. Organizations are advised to update passwords for accounts managing DNS records. Implementing multifactor authentication for domain registrar accounts is also a crucial mitigation. Regular auditing of public DNS records to confirm correct resolution is recommended. Finally, it is important to search for and revoke any fraudulently issued encryption certificates.
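One way to automate the public DNS record audit the alert recommends, written here as an added example in Python and not taken from the NCCIC alert: the "observed" answers are a constructed dict standing in for live resolver output, and the one-line-per-record baseline format is an assumption.

```python
"""Audit public DNS records against an approved baseline.

Added example, not CISA/NCCIC tooling. OBSERVED is a constructed stand-in for
live resolver answers (what dig or nslookup would return), so the script runs
offline; replace it with real lookups to run the check on a schedule.
"""
from dataclasses import dataclass

# Impact of a silent change per record type: a rogue NS redirects the whole
# zone, MX captures inbound mail, A/AAAA redirects individual services.
SEVERITY = {"NS": "critical", "MX": "high", "A": "high", "AAAA": "high", "TXT": "medium"}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    missing: frozenset     # approved values that are no longer served
    unexpected: frozenset  # served values that were never approved

    @property
    def severity(self) -> str:
        return SEVERITY.get(self.rtype, "low")


def normalize(value: str) -> str:
    """Canonical form so 'NS1.Example.com.' and 'ns1.example.com' compare equal."""
    return value.strip().lower().rstrip(".")


def parse_baseline(text: str) -> dict:
    """Parse 'name TYPE value' lines (assumed format; '#' starts a comment)."""
    baseline: dict = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, rtype, value = line.split(maxsplit=2)
        baseline.setdefault((normalize(name), rtype.upper()), set()).add(normalize(value))
    return baseline


def audit_records(baseline: dict, observed: dict) -> list:
    """One Finding per (name, type) whose served values deviate from the baseline.

    Records present in the baseline but absent from the answers are reported as
    missing; records served with no baseline entry at all are reported as
    unexpected, since an attacker may add names rather than alter existing ones.
    """
    observed = {(normalize(n), t.upper()): {normalize(v) for v in vals}
                for (n, t), vals in observed.items()}
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected = baseline.get(key, set())
        seen = observed.get(key, set())
        if expected != seen:
            findings.append(Finding(key[0], key[1],
                                    frozenset(expected - seen),
                                    frozenset(seen - expected)))
    return findings


# Constructed approved records for a documentation zone.
BASELINE_TEXT = """
# approved public records (constructed)
example.com     NS  ns1.example.com.
example.com     NS  ns2.example.com.
example.com     MX  10 mail.example.com.
example.com     A   203.0.113.10
www.example.com A   203.0.113.10
"""

# Constructed resolver answers: the NS set gained a server nobody approved and
# www now resolves elsewhere, the shape of the hijack the alert describes.
OBSERVED = {
    ("example.com", "NS"): ["ns1.example.com.", "ns2.example.com.", "ns1.unapproved.example.net."],
    ("example.com", "MX"): ["10 mail.example.com."],
    ("example.com", "A"): ["203.0.113.10"],
    ("www.example.com", "A"): ["198.51.100.77"],
}

if __name__ == "__main__":
    for f in audit_records(parse_baseline(BASELINE_TEXT), OBSERVED):
        print(f"[{f.severity}] {f.name} {f.rtype}: missing={sorted(f.missing)} "
              f"unexpected={sorted(f.unexpected)}")
```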

Critical Vulnerabilities in Microsoft Windows Operating Systems

New vulnerabilities are continually emerging, and the best defense against attackers exploiting patched vulnerabilities is to keep software up to date. On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway, and Windows Remote Desktop Client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections. The CryptoAPI spoofing vulnerability, known as CVE-2020-0601, affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019. The Windows RD Gateway and Windows Remote Desktop Client vulnerabilities, known as CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611, affect Windows Server 2012 and newer, as well as Windows 7 and newer. The Cybersecurity and Infrastructure Security Agency strongly recommends organizations install these critical patches as soon as possible, prioritizing mission critical systems, internet-facing systems, and networked servers. A successful network intrusion can have severe impacts, including temporary or permanent loss of sensitive information, disruption to regular operations, and financial losses. The agency also recommends reviewing the Microsoft January 2020 Release Notes page and applying critical patches, as well as reviewing general guidance on patch management and cybersecurity practices.

Microsoft Operating Systems BlueKeep Vulnerability

CISA warns of the "BlueKeep" vulnerability affecting several Microsoft Windows operating systems. This vulnerability allows attackers to gain control of vulnerable systems remotely. BlueKeep resides within the Remote Desktop Protocol (RDP) and enables remote code execution. Attackers can send specially crafted packets to vulnerable systems with RDP enabled. Successful exploitation allows for actions like installing programs and altering data. BlueKeep is considered "wormable," meaning it could spread rapidly like the WannaCry malware. CISA has confirmed Windows 2000's vulnerability to BlueKeep. Users should apply the available security patches released by Microsoft. Alternative mitigations include upgrading aging operating systems and disabling unnecessary services. Enabling Network Level Authentication also protects against BlueKeep in specific Windows versions. Blocking TCP port 3389 at the firewall can prevent external exploitation. CISA encourages users and administrators to review the provided Microsoft resources for detailed guidance.

Continued Exploitation of Pulse Secure VPN Vulnerability

Unpatched Pulse Secure VPN servers are persistently targeted by malicious actors due to a known vulnerability. This vulnerability, identified as CVE-2019-11510, allows for arbitrary file reading. The vulnerability was disclosed and patched by Pulse Secure in April 2019. Despite the patch availability, exploitation of the vulnerability continues to be widely observed. CISA warns of ongoing attacks exploiting unpatched environments. The attacks can lead to complete server compromise and access to user credentials. An attacker can potentially execute arbitrary commands on connecting VPN clients. Affected versions of Pulse Connect Secure and Pulse Policy Secure are specified. The only effective mitigation is to apply the vendor-provided patches and perform system updates. Organizations are strongly advised by CISA to upgrade to the necessary fixes immediately. Numerous reports, advisories, and demonstrations have highlighted and detailed the severity of this issue.

Dridex Malware

The report, a collaboration between the Treasury and FinCEN, focuses on the Dridex malware and its variants, targeting the financial sector. It provides an overview, relevant activity details, and previously unreported indicators of compromise (IOCs) derived from financial institutions. Dridex uses phishing emails with urgent-sounding language and attachments to infect systems. These attachments often contain malicious macros that download Dridex, which can steal login information. The malware has capabilities to steal sensitive information and facilitate fraudulent transactions. Dridex is related to other malware families, like Cridex, Bugat, BitPaymer, and Locky, sharing some code and distribution methods. The report highlights the use of massive spam campaigns in Dridex’s distribution. Lastly, organizations are urged to report suspicious activity and incorporate the provided IOCs into their security systems. The report also lists several email addresses and IP addresses associated with Dridex activity. Proper mitigation strategies are encouraged for improved security.

New Exploits for Unsecure SAP Systems

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding exploits targeting insecure SAP configurations. These vulnerabilities, detailed at a cybersecurity conference, allow attackers to compromise internet-exposed SAP systems. A primary concern is the SAP Gateway's Access Control List (ACL) if misconfigured, enabling anonymous OS command execution. Approximately 900 U.S. internet-facing systems were identified as potentially vulnerable in this manner. Another vulnerability lies with the SAP Router's `secinfo` configuration, which can allow anonymous internal host command execution. Over a thousand SAP routers were found exposed online, though their specific vulnerability status is unconfirmed. SAP Message Servers, acting as brokers, also pose a risk without proper authentication, potentially enabling man-in-the-middle attacks. Over 600 U.S. internet-exposed Message Servers were detected, which could lead to credential theft and code execution. CISA, in collaboration with Onapsis Inc., developed a Snort signature to detect these exploits. Administrators are strongly advised to secure SAP configurations by restricting access to Message Servers and Gateways. Properly configuring ACL files and reviewing SAP Notes are crucial mitigation steps. Furthermore, ensuring SAP components are not exposed to the internet or are adequately secured is paramount.

Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad

The Cybersecurity and Infrastructure Security Agency (CISA) issued a primer to protect critical infrastructure due to heightened tensions with Iran. Organizations should adopt a state of heightened awareness and increase vigilance by monitoring security capabilities and identifying anomalous behavior. It is crucial to confirm reporting processes so personnel know how and when to report incidents. Exercising incident response plans ensures personnel are prepared and have the necessary access and knowledge. Iranian cyber threat actors, often linked to the Islamic Revolutionary Guard Corps (IRGC), have demonstrated increasingly sophisticated capabilities. Historically, Iran has engaged in activities ranging from DDoS attacks to data theft and destructive wiper malware. Examples include attacks on U.S. financial institutions, a New York dam's SCADA system, and the Sands Las Vegas Corporation. CISA recommends reducing vulnerability through disabling unnecessary ports and protocols, and enhancing network and email traffic monitoring. Patching externally facing equipment and logging PowerShell usage are also advised. Ensuring backups are up-to-date and air-gapped is a critical mitigation step. Mitigations for specific Iranian Advanced Persistent Threat techniques include managing access controls, disabling NTLM, and using unique passwords. Detection methods involve monitoring processes interacting with lsass.exe and using tools like AuditD for Linux. Strategies to combat obfuscated files, compressed data, PowerShell misuse, user execution, and scripting are provided, emphasizing monitoring, policy enforcement, and user training.

Microsoft Ending Support for Windows 7 and Windows Server 2008 R2

Microsoft will end extended support for Windows 7 and Windows Server 2008 R2 on January 14, 2020. After this date, these operating systems will no longer receive free security updates or technical support. This discontinuation poses risks for organizations with regulatory obligations, as they may struggle to maintain compliance. While systems will continue to function, using unsupported software increases vulnerability to malware and security threats. Unpatched vulnerabilities could lead to the loss of data confidentiality, integrity, and availability. Mission and business operations reliant on these systems could suffer significant negative consequences. The Cybersecurity and Infrastructure Security Agency (CISA) advises upgrading to a newer operating system. Organizations should identify affected devices and develop a plan for migration. Exploring fee-for-service maintenance options with the vendor is also recommended if immediate upgrades are not feasible. Federally certified voting systems running Windows 7 will receive free updates through the 2020 election.

SamSam Ransomware

The Department of Homeland Security's NCCIC and the FBI have issued an alert about the SamSam ransomware, detailing its exploitation methods and providing mitigation strategies. Cyber actors have targeted various industries, including critical infrastructure, with victims primarily in the United States and internationally. SamSam actors gain persistent access to Windows servers, often exploiting vulnerable JBoss applications or utilizing Remote Desktop Protocol (RDP). They achieve administrator privileges and deploy malware without victim interaction, a method that bypasses typical ransomware infection vectors. Stolen RDP credentials, purchased from darknet marketplaces, are frequently used to infiltrate networks rapidly. SamSam ransomware encrypts computers and leaves ransom notes directing victims to contact actors via Tor to arrange payment in Bitcoin for decryption keys. The alert includes technical analysis reports of four SamSam malware variants. Recommended mitigations include auditing and disabling unnecessary RDP, securing open RDP ports with firewalls and VPNs, enforcing strong passwords and account lockout policies, and enabling two-factor authentication. Organizations should also regularly update systems, maintain backups, enable and review RDP login logs, and limit network exposure for critical devices. Additionally, restricting user permissions for software installation, scanning email attachments, and disabling file sharing services are advised. Further guidance on malware incident prevention is available from NIST. Contact information for reporting intrusions and requesting assistance is provided.