CyberSecurity Resources & Updates
CISA and FBI Release Joint Guidance on Product Security Bad Practices for Public Comment
10/16/2024
Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released joint guidance on Product Security Bad Practices, a part of CISA’s Secure by Design initiative. This joint guidance supplies an overview of exceptionally risky product security bad practices for software manufacturers who produce software in support of critical infrastructure or national critical functions.
The bad practices presented in this guidance are organized into three categories: product properties, security features, and organizational processes and policies. This guidance contains brief information about specific bad practices, recommended actions, and additional resources. While this guidance is intended for software manufacturers who develop software products and services in support of critical infrastructure, all software manufacturers are strongly encouraged to avoid these product security bad practices.
CISA and FBI urge software manufacturers to reduce customer risk by prioritizing security throughout the product development process. For more information and resources, visit CISA.gov/SecureByDesign.
The public comment period begins today and concludes on December 2, 2024. During the comment period, members of the public can provide comments and feedback via the Federal Register.
ASD’s ACSC, CISA, FBI, NSA, and International Partners Release Guidance on Principles of OT Cybersecurity for Critical Infrastructure Organizations
10/01/2024
Today, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)—in partnership with CISA, U.S. government and international partners—released the guide Principles of Operational Technology Cybersecurity. This guidance provides critical information on how to create and maintain a safe, secure operational technology (OT) environment.
The six principles outlined in this guide are intended to aid organizations in identifying how business decisions may adversely impact the cybersecurity of OT and the specific risks associated with those decisions. Filtering decisions that impact the security of OT will enhance the comprehensive decision-making that promotes security and business continuity.
CISA encourages critical infrastructure organizations review the best practices and implement recommended actions which can help ensure the proper cybersecurity controls are in place to reduce residual risk in OT decisions.
For more information on OT cybersecurity, review our Industrial Control Systems page and the Joint Cybersecurity Advisory Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems to help critical infrastructure organizations manage and enhance their OT cybersecurity.
ASD’s ACSC, CISA, and US and International Partners Release Guidance on Detecting and Mitigating Active Directory Compromises
09/26/2024
Today, the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and other U.S. and international partners released the joint guide Detecting and Mitigating Active Directory Compromises. This guide informs organizations of recommended strategies to mitigate common techniques used by malicious actors to compromise Active Directory.
Active Directory is the most widely used authentication and authorization solution in enterprise information technology (IT) networks globally. Malicious actors routinely target Active Directory as part of efforts to compromise enterprise IT networks by escalating privileges and targeting the highest confidential user objects.
Responding to and recovering from malicious activity involving Active Directory can be consuming, costly, and disruptive. CISA encourages organizations review the guidance and implement the recommended mitigations to improve Active Directory security.
To learn more about taking a top-down approach to developing secure products, visit CISA’s Secure by Design webpage.
CISA Warns of Hurricane-Related Scams
09/25/2024
As Hurricane Helene approaches, CISA urges users to remain on alert for potential malicious cyber activity. Fraudulent emails and social media messages—often containing malicious links or attachments—are common after major natural disasters. Exercise caution in handling emails with hurricane-related subject lines, attachments, or hyperlinks. In addition, be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events.
CISA encourages users to review the following resources to avoid falling victim to malicious cyber activity:
- Federal Trade Commission’s Staying Alert to Disaster-related Scams and Before Giving to a Charity,
- Consumer Financial Protection Bureau’s Frauds and scams, and
- CISA’s Phishing Guidance, Stopping the Attack Cycle at Phase One to help organizations reduce likelihood and impact of successful phishing attacks.
CISA and Partners Release Advisory on RansomHub Ransomware
08/29/2024
Today, CISA—in partnership with the Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Department of Health and Human Services (HHS)—released a joint Cybersecurity Advisory, #StopRansomware: RansomHub Ransomware. This advisory provides network defenders with indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with RansomHub activity identified through FBI investigations and third-party reporting as recently as August 2024.
RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—which has recently attracted high-profile affiliates from other prominent variants such as LockBit and ALPHV.
CISA encourages network defenders to review this advisory and apply the recommended mitigations. See #StopRansomware and the #StopRansomware Guide for additional guidance on ransomware protection, detection, and response. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including added recommended baseline protections.
CISA encourages software manufacturers to take ownership of improving the security outcomes of their customers by applying secure by design methods. For more information on Secure by Design, see CISA’s Secure by Design webpage and joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.
Cyber Education & Training Updates
September – October 2024
Highlights: What You Want to Know
|
CISA has collaborated with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) to release an advisory, People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action outlining a PRC state-sponsored cyber group’s activity. The following organizations also collaborated with ASD’s ACSC on the guidance:
- The National Security Agency (NSA);
- The Federal Bureau of Investigation (FBI);
- The United Kingdom’s National Cyber Security Centre (NCSC-UK);
- The Canadian Centre for Cyber Security (CCCS);
- The New Zealand National Cyber Security Centre (NCSC-NZ);
- The German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV);
- The Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC); and
- Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Policy Agency (NPA).
The advisory is based on current ACSC-led incident response investigations and shared understanding of a PRC state-sponsored cyber group, APT40—also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting.
APT 40 has previously targeted organizations in various countries, including Australia and the United States. Notably, APT 40 possesses the ability to quickly transform and adapt vulnerability proofs of concept (POCs) for targeting, reconnaissance, and exploitation operations. APT 40 identifies new exploits within widely used public software such as Log4J, Atlassian Confluence and Microsoft Exchange to target the infrastructure of the associated vulnerability.
CISA urges all organizations and software manufacturers to review the advisory to help identify, prevent, and remediate APT 40 intrusions. Software vendors are also urged to incorporate Secure by Design principles into their practices to limit the impact of threat actor techniques and to strengthen the security posture of their products for their customers.
For more information on PRC state-sponsored threat actor activity, see CISA’s People’s Republic of China Cyber Threat. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage.
Today, CISA, in partnership with the Federal Bureau of Investigation, Australian Signals Directorate’s Australian Cyber Security Centre, and Canadian Cyber Security Center, released Exploring Memory Safety in Critical Open Source Projects. This guidance was crafted to provide organizations with findings on the scale of memory safety risk in selected open source software (OSS).
This joint guidance builds on the guide The Case for Memory Safe Roadmaps by providing a starting point for software manufacturers to create memory safe roadmaps, including plans to address memory safety in external dependencies which commonly include OSS. Exploring Memory Safety in Critical Open Source Projects also aligns with the 2023 National Cybersecurity Strategy and corresponding implementation plan, which discusses investing in memory safety and collaborating with the open source community—including the establishment of the interagency Open Source Software Security Initiative (OS3I) and investment in memory-safe programming languages.
CISA encourages all organizations and software manufacturers to review the methodology and results found in the guidance to:
- Reduce memory safety vulnerabilities;
- Make secure and informed choices;
- Understand the memory-unsafety risk in OSS;
- Evaluate approaches to reducing this risk; and
- Continue efforts to drive risk-reducing action by software manufacturers.
To learn more about taking a top-down approach to developing secure products, visit CISA’s Secure by Design webpage.
Today, CISA released Barriers to Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses: Identifying Challenges and Opportunities, a detailed report exploring challenges to SSO adoption by small and medium-sized businesses (SMBs). The report also identifies potential ways to overcome these challenges and improve an SMB’s level of security.
CISA also released a related blog post, Why SMBs Don’t Deploy Single Sign-On (SSO), urging software manufacturers to consider how their business practices may inadvertently reduce the security posture of their customers.
For more information, visit CISA’s Secure by Design webpage. To learn more about identity and access management, visit Identity, Credential, and Access Management (ICAM).
|
|
CISA Marks Important Milestone in Addressing Cyber Incidents; Seeks Input on CIRCIA Notice of Proposed Rulemaking
March 27, 2024
Implementation of CIRCIA will improve CISA’s ability to use cybersecurity incident and ransomware payment information reported to the agency to identify patterns in real-time, fill critical information gaps, rapidly deploy resources to help entities that are suffering from cyber attacks, and inform others who would be potentially affected. When information about cyber incidents is shared quickly, CISA can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland. The NPRM will soon formally publish in the Federal Register, following which the public will have 60 days to submit written comments to inform the direction and substance of the Final Rule.
“Cyber incident reports submitted to us through CIRCIA will enable us to better protect our nation’s critical infrastructure,” said Secretary of Homeland Security Alejandro N. Mayorkas. “CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents, and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors. The proposed rule is the result of collaboration with public and private stakeholders, and DHS welcomes feedback during the public comment period on the direction and substance of the final rule.”
CISA has published Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Guidance (HISG) to help users better understand identity management capabilities and securely integrate their traditional on-premises enterprise networks with cloud-based solutions. This initial publication reflects feedback gathered during its 2023 draft public comment period.
CISA encourages users to review and implement this solutions guidance as appropriate for their individual organizations. HISG is the latest resource released by CISA’s SCuBA project.
In accordance with Executive Order 14028, CISA’s SCuBA project aims to develop consistent, effective, modern, and manageable security that will help secure organizations’ information assets stored within cloud environments. Visit CISA’s SCuBA project page for more information.
|
|
Priorities of the Joint Cyber Defense Collaborative for 2024
02/12/2024
Today, CISA—on behalf of the collective group of industry and government partners that comprise the Joint Cyber Defense Collaborative (JCDC)—released JCDC’s 2024 Priorities. Similar to the 2023 JCDC Planning Agenda, JCDC’s 2024 Priorities will help focus the collective group on developing high-impact and collaborative solutions to the most pressing cybersecurity challenges.
Resulting from the trusted partnerships the collaborative has fostered, the focused goals of the 2024 priorities are to:
- Defend against Advanced Persistent Threat (APT) operations.
- Raise critical infrastructure’s cybersecurity baseline.
- Anticipate emerging technology and risks.
CISA encourages organizations to review JCDC’s 2024 Priorities and the related blog post by CISA Associate Director Clayton Romans. Visit CISA.gov/JCDC for more information on the work the collaborative is doing to secure cyberspace.
Note: CISA will update this Alert with more information as it becomes available.
Updated Jan. 31, 2024:
CISA urges organizations to follow the updated guidance—including software updates—that Ivanti has published to their KB article, which includes:
- Two additional vulnerabilities in all supported versions (9.x and 22.x) of Ivanti Connect Secure and Policy Secure Gateways:
- A privilege escalation vulnerability (CVE-2024-21888)
- A server-side request forgery vulnerability (CVE-2024-21893)
- A cyber threat actor could exploit CVE-2024-21888 and CVE-2024-21893 to take control of an affected system. Ivanti’s KB article includes software updates that cover these vulnerabilities in specific versions of the software as well as mitigations for affected software versions that do not yet have updates.
- Software updates are also available for the previously reported Ivanti Connect Secure and Policy Secure Gateways vulnerabilities in Ivanti devices (CVE-2023-46805 and CVE-2024-21887). Note: See the KB article for the specific versions that these updates apply to as well as specific guidance on implementing the updates. Ivanti will publish additional information and software updates to the KB article as these become available.
Additionally, CISA has issued a Supplemental Direction to its Emergency Directive on Ivanti Vulnerabilities. Although the Supplemental Direction and Emergency Directive are only for FCEB agencies, CISA strongly encourages all organizations to review the guidance and implement it as applicable.
End of Jan. 31 update
CISA is releasing this alert to provide cyber defenders with new mitigations to defend against threat actors exploiting Ivanti Connect Secure and Policy Secure Gateways vulnerabilities in Ivanti devices (CVE-2023-46805 and CVE-2024-21887).
Threat actors are continuing to leverage vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways to capture credentials and/or drop webshells that enable further compromise of enterprise networks. Some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection. CISA is aware of instances in which sophisticated threat actors have subverted the external integrity checker tool (ICT), further minimizing traces of their intrusion.
If an organization has been running Ivanti Connect Secure (9.x and 22.x) and Policy Secure gateways over the last several weeks and/or continues to run these products, CISA recommends continuous threat hunting on any systems connected to—or recently connected to—the Ivanti device. Additionally, organizations should monitor authentication, account usage, and identity management services that could be exposed and isolate the system(s) from any enterprise resources as much as possible.
After applying patches, when these become available, CISA recommends that organizations continue to hunt their network in order to detect any compromise that may have occurred before patches were implemented.
This guidance supplements CISA’s previous guidance for mitigation and detection, which remains applicable. For previous guidance, see CISA Issues Emergency Directive on Ivanti Vulnerabilities and Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways.
Today, CISA published Guidance on Assembling a Group of Products created by the Software Bill of Materials (SBOM) Tooling & Implementation Working Group, one of the five SBOM community-driven workstreams facilitated by CISA. CISA’s community-driven working groups publish documents and reports to advance and refine SBOM and ultimately promote adoption. Specifically, software producers often need to assemble and test products together before releasing them to customers. These products may contain components that experience version changes over time, therefore creating a need to be tracked. This document serves as a guide for creating the build for SBOM assembled products.
For more information on all things SBOM, please visit CISA’s Software Bill of Materials website.
01/23/2024
CISA has collaborated with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) on Engaging with Artificial Intelligence—joint guidance, led by ACSC, on how to use AI systems securely. The following organizations also collaborated with ACSC on the guidance:
- Federal Bureau of Investigation (FBI)
- National Security Agency (NSA)
- United Kingdom (UK) National Cyber Security Centre (NCSC-UK)
- Canadian Centre for Cyber Security (CCCS)
- New Zealand National Cyber Security Centre (NCSC-NZ) and CERT NZ
- Germany Federal Office for Information Security (BSI)
- Israel National Cyber Directorate (INCD)
- Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and the Secretariat of Science, Technology and Innovation Policy, Cabinet Office
- Norway National Cyber Security Centre (NCSC-NO)
- Singapore Cyber Security Agency (CSA)
- Sweden National Cybersecurity Center
The guidance provides AI systems users with an overview of AI-related threats as well as steps that can help them manage AI-related risks while engaging with AI systems. The guidance covers the following AI-related threats:
- Data poisoning
- Input manipulation
- Generative AI hallucinations
- Privacy and intellectual property threats
- Model stealing and training data exfiltration
- Re-identification of anonymized data
Note: This guidance is primarily for users of AI systems. CISA encourages developers of AI systems to review the recently published Guidelines for Secure AI System Development.To learn more about how CISA and our partners are addressing both the cybersecurity opportunities and risks associated with AI technologies, visit CISA.gov/AI.
|
|
CISA Releases SCuBA Google Workspace Secure Configuration Baselines for Public Comment
12/12/2023
Today, CISA released the draft Secure Cloud Business Applications (SCuBA) Google Workspace (GWS) Secure Configuration Baselines and the associated assessment tool ScubaGoggles for public comment. The draft baselines offer minimum viable security configurations for nine GWS services: Groups for Business, Google Calendar, Google Common Controls, Google Classroom, Google Meet, Gmail, Google Chat, Google Drive and Docs, and Google Sites. The ScubaGoggles tool assesses GWS tenants’ compliance against the baselines.
Federal agencies and other organizations are invited to adopt the draft baselines in their GWS environments, tailor them to reflect their own unique needs and risk tolerances, and then sharetheir experiences with CISA during the public comment period, which closes Jan. 12, 2024. Comments will ensure that the final published baselines are clear, feasible, and effective.
The draft SCuBA GWS Secure Configuration Baselines is the latest offering from CISA’s SCuBA project, dedicated to securing data stored in the cloud through additional configurations, settings, and security products. These baselines are created in accordance with Executive Order 14028 to provide enhanced visibility into cloud security.
Comment on SCuBA GWS Secure Configuration Baselines by Jan. 12, 2024. For more information, read CISA Seeks Public Comment on Newly Developed Secure Configuration Baselines for Google Workspace and visit CISA’s SCuBA project page.
CISA Releases Joint Guide for Software Manufacturers: The Case for Memory Safe Roadmaps
12/06/2023
Today, as part of the Secure by Design campaign, CISA published The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously in collaboration with the following partners:
- United States National Security Agency
- United States Federal Bureau of Investigation
- Australian Signals Directorate’s Australian Cyber Security Centre
- Canadian Centre for Cyber Security
- United Kingdom National Cyber Security Centre
- New Zealand National Cyber Security Centre
- Computer Emergency Response Team New Zealand
Malicious cyber actors routinely exploit memory safety vulnerabilities, which are common coding errors and the most prevalent type of disclosed software vulnerability. Preventing and responding to these vulnerabilities cost both software manufacturers and their customer organizations significant time and resources.
The Case for Memory Safe Roadmaps details how software manufacturers can transition to memory safe programming languages (MSLs) to eliminate memory safety vulnerabilities. The guidance provides manufacturers steps for creating and publishing memory safe roadmaps that will show their customers how they are owning security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products—key Secure by Design tenets.
CISA and our partners urge C-suite and technical experts at software manufacturers to read this guidance and implement memory safe roadmaps to eliminate memory safety vulnerabilities from their product.
For more information and resources, visit CISA.gov/SecureByDesign.
Cyber Training Bulletin – December 2023 and January 2024
CSD Cyber Defense Education and Training (CDET) Offerings
12/01/23
Highlights: What You Want to Know
- The CYBER.ORG Range celebrates its one-year anniversary! Made possible with initial funding from the state of Louisiana and expanded by CISA, the Range has been leveraged by over 2,000 teachers in high school classrooms and over 30,000 student accounts from all 50 states in just one year. CYBER.ORG Range differs from other industry ranges, as it makes learning cybersecurity easier for teachers and students alike who want to increase their confidence in cyber education and explore the field. The Range is also available for students who have had no prior knowledge in cybersecurity. Learn more at https://cyber.org/news/happy-birthday-cyberorg-range-celebrating-one-year-and-reaching-all-50-states
- Two courses were added to the Federal Virtual Training Environment (FedVTE), for the Cyber Defense Analyst and the Cyber Defense Infrastructure Support Specialist. Each new course is mapped to the NICE Framework, and each features guided labs from subject matter experts demonstrating the skills necessary to succeed in these two roles.
This free training series includes 100-level webinars for a general audience which are cybersecurity topic overviews that provide core guidance and best practices to make your network more resilient to attacks. It also includes 200-level Cyber Range Training courses for government employees and contractors across federal, state, local, tribal, and territorial government, educational partners, and critical infrastructure partners. These Cyber Range Trainings provide guided step-action labs to learn and practice investigation, remediation, and incident response skills.
IR Training Events through January 2024 |
||||
Date |
Course Code | Registration Begins | Course |
Hours |
12/07/2023 |
IR209 | 11/07/2023 | Defend Against Ransomware Attacks Cyber Range Training | 4 |
01/11/2024 | IR110 | 11/16/2023 |
Introduction to Log Management Webinar |
1 |
To learn more or register visit: https://www.cisa.gov/resources-tools/programs/Incident-Response-Training
This SbD Alert urges software manufacturers to proactively prevent the exploitation of vulnerabilities in web management interfaces by designing and developing their products using SbD principles:
- Take Ownership of Customer Security Outcomes.
- Embrace Radical Transparency and Accountability.
For more information on SbD principles, see Secure by Design and Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.
Today, in a landmark collaboration, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) are proud to announce the release of the Guidelines for Secure AI System Development. Co-sealed by 23 domestic and international cybersecurity organizations, this publication marks a significant step in addressing the intersection of artificial intelligence (AI), cybersecurity, and critical infrastructure.
The Guidelines, complementing the U.S. Voluntary Commitments on Ensuring Safe, Secure, and Trustworthy AI, provide essential recommendations for AI system development and emphasize the importance of adhering to Secure by Design principles. The approach prioritizes ownership of security outcomes for customers, embraces radical transparency and accountability, and establishes organizational structures where secure design is a top priority.
The Guidelines apply to all types of AI systems, not just frontier models. We provide suggestions and mitigations that will help data scientists, developers, managers, decision-makers, and risk owners make informed decisions about the secure design, model development, system development, deployment, and operation of their machine learning AI systems.
This document is aimed primarily at providers of AI systems, whether based on models hosted by an organization or making use of external application programming interfaces. However, we urge all stakeholders—including data scientists, developers, managers, decision-makers, and risk owners make—to read this guidance to help them make informed decisions about the design, deployment, and operation of their machine learning AI systems.
CISA invites stakeholders, partners, and the public to explore the Guidelines for Secure AI System Development as well as our recently published Roadmap for AI to learn more about our strategic vision for AI technology and cybersecurity. To access learn more, visit CISA.gov/AI.
Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Rhysida Ransomware, to disseminate known Rhysida ransomware indicators of compromise (IOCs), detection methods, and tactics, techniques, and procedures (TTPs) identified through investigations as recently as September 2023.
Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates. Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.
CISA, FBI, and MS-ISAC encourage organizations review the joint CSA for recommended mitigations to reduce the likelihood and impact of Rhysida and other ransomware incidents. For more information, see CISA’s #StopRansomware webpage, which includes the updated #StopRansomware Guide.
CISA Releases Roadmap for Artificial Intelligence Adoption
11/14/2023
Today, CISA released its Roadmap for Artificial Intelligence—in alignment with White House Executive Order 14110: Safe, Secure, And Trustworthy Development and Use of Artificial Intelligence—to outline a comprehensive set of actions CISA will take along five lines of effort:
- Responsibly use AI to support our mission.
- Assure AI systems.
- Protect critical infrastructure from malicious use of AI.
- Collaborate and communicate on key AI efforts with the interagency, international partners, and the public.
- Expand AI expertise in our workforce.
Learn more about CISA’s Roadmap for Artificial Intelligence at cisa.gov/AI.
CISA Releases Update to Royal Ransomware Advisory
Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released an update to joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware. The updated advisory provides network defenders with additional information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as June 2023.
Royal ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public healthcare (HPH), and education.
CISA encourages network defenders to review the updated CSA and to apply the included mitigations. See #StopRansomware for additional guidance on ransomware protection, detection, and response.
Today, CISA, the National Security Agency (NSA), and partners released Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption. Developed through the Enduring Security Framework (ESF), this guidance provides software developers and suppliers with industry best practices and principles, including managing open source software and software bills of materials (SBOM), to maintain and provide awareness about the security of software.
Organizations can use this guide to assess and measure their security practices relative to the software lifecycle; the suggested practices may be applied across the acquisition, deployment, and operational phases of a software supply chain.
CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.
Today, CISA, in response to active, targeted exploitation, released guidance for addressing Citrix NetScaler ADC and Gateway vulnerability CVE-2023-4966. The vulnerability, also known as Citrix Bleed, could allow a cyber actor to take control of an affected system.
CISA recommends organizations patch unmitigated appliances, hunt for any malicious activity, and report any positive findings to CISA. Review CISA’s guidance for more information.
Today, the Federal Emergency Management Agency (FEMA) and the Cybersecurity and Infrastructure Security Agency (CISA) released the joint guide Planning Considerations for Cyber Incidents: Guidance for Emergency Managers to provide state, local, tribal, and territorial (SLTT) emergency managers with foundational knowledge of cyber incidents to increase cyber preparedness efforts in their jurisdictions.
Emergency managers should be able to understand and prepare for the potential impacts of cyber incidents on their communities and emergency operations. FEMA and CISA encourage emergency managers to review this guide for recommendations on how to plan for and respond to cyber incidents.
For continued updates on efforts related to the guide, including webinars, please visit FEMA’s webpage.
Today, CISA published When to Issue Vulnerability Exploitability eXchange (VEX) Information, developed by a community of industry and government experts with the goal to offer some guidance and structure for the software security world, including the large and growing global SBOM community.
This guide explains the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information. Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers. This document identifies factors that influence the decision.
For more information, read the new reference material When to Issue Vulnerability Exploitability eXchange (VEX) Information.
10/24/2023
Today, CISA updated its guidance addressing two vulnerabilities, CVE-2023-20198 and CVE-2023-20273, affecting Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI).
The guidance now notes that Cisco has fixed these vulnerabilities for the 17.9 Cisco IOS XE software release train with the 17.9.4a update. According to Cisco’s Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature, fixes are still to be determined for the following Cisco IOS XE software release trains: 17.6, 17.3, 16.12 (Catalyst 3650 and 3850 only). CISA urges organizations with the 17.9 Cisco IOS XE software release train to immediately update to the 17.9.4a release.
CISA urges organizations to review:
- CISA’s updated guidance
- Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
- Cisco Talos blog: Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities
CISA has added CVE-2023-20198 and CVE-2023-20273 to its Known Exploited Vulnerabilities Catalog, which, per Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date to protect FCEB networks against active threats.
Note: The Cisco Security Advisory initially pointed to another vulnerability as part of this activity. However, as stated in the Cisco Talos blog, Cisco has since determined that the vulnerability “CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity.”
10/20/2023
Today, the Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet on the effort to revise the National Cyber Incident Response Plan (NCIRP). Through the Joint Cyber Defense Collaborative (JCDC), CISA will work to ensure that the updated NCIRP addresses significant changes in policy and cyber operations since the initial NCIRP was released.
First published in 2016, the NCIRP was developed in accordance with Presidential Policy Directive 41 (PPD-41) on U.S. Cyber Incident Coordination and describes how federal government, private sector, and state, local, tribal, territorial (SLTT) government entities will organize to manage, respond to, and mitigate the consequences of significant cyber incidents.
NCIRP 2024 will address changes to the cyber threat landscape and in the nation’s cyber defense ecosystem by incorporating principles grounded in four main areas:
- Unification
- Shared Responsibility
- Learning from the Past
- Keeping Pace with Evolutions in Cybersecurity
CISA encourages all organizations to read the fact sheet and visit CISA’s NCIRP webpage to learn about this long-term effort and stay updated on the development of the NCIRP 2024.
10/20/2023
Today, CISA, in response to active, widespread exploitation, released guidance addressing two vulnerabilities, CVE-2023-20198 and CVE-2023-20273, affecting Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI). An unauthenticated remote actor could exploit these vulnerabilities to take control of an affected system. Specifically, these vulnerabilities allow the actor to create a privileged account that provides complete control over the device.
CISA urges organizations running Cisco IOS XE Web UI to review CISA’s guidance and immediately implement the mitigations outlined in:
- Cisco Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
- Cisco Talos blog: Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities
These mitigations include disabling the HTTP Server feature on internet-facing systems, and hunt for malicious activity on their network.
CISA Releases New Resources Identifying Known Exploited Vulnerabilities and Misconfigurations Linked to Ransomware
Oct. 12, 2023
Today, as part of the Ransomware Vulnerability Warning Pilot (RVWP), CISA launched two new resources for combating ransomware campaigns:
- A “Known to be Used in Ransomware Campaigns” column in the KEV Catalog that identifies KEVs associated with ransomware campaigns.
- A “Misconfigurations and Weaknesses Known to be Used in Ransomware Campaigns” table on StopRansomware.gov that identifies misconfigurations and weaknesses associated with ransomware campaigns. The table features a column that identifies the Cyber Performance Goal (CPG) action for each misconfiguration or weakness.
These two new resources will help organizations become more cybersecure by providing mitigations that protect against specific KEVs, misconfigurations, and weaknesses associated with ransomware.
CISA encourages all organizations to review the blog about this RVWP effort, as well as the new KEV catalog column and updated StopRansomware.gov site and implement applicable mitigations today.
Today, CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems.
This publication, which follows ESF’s Identity and Access Management Recommended Best Practices Guide for Administrators, assesses and addresses challenges developers and technology manufacturers face in identity and access management (IAM). The guidance specifically addresses technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.
Although the publication primarily addresses challenges facing large organizations, it also provides recommendations applicable to smaller organizations. CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.
Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint Cybersecurity Advisory (CSA) #StopRansomware: Snatch Ransomware, which provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the Snatch ransomware variant. FBI investigations identified these IOCs and TTPs as recently as June 1, 2023.
Snatch threat actors operate a ransomware-as-a-service (RaaS) model and change their tactics according to current cybercriminal trends and successes of other ransomware operations.
FBI and CISA encourage organizations review the joint CSA for recommended steps and best practices to reduce the likelihood and impact of Snatch ransomware incidents. For general ransomware guidance, visit StopRansomware.gov, which provides resources, including the updated Joint #StopRansomware Guide.
CISA Releases Continuous Diagnostics and Mitigation Program: Identity, Credential, and Access Management (ICAM) Reference Architecture
Sept. 15, 2023
Today, CISA released the Continuous Diagnostics and Mitigation Program: Identity, Credential, and Access Management (ICAM) Reference Architecture to help federal civilian departments and agencies integrate their identity and access management (IDAM) capabilities into their ICAM architectures. Prior to this release, there was no singular, authoritative, and recognized reference for architecting an ICAM capability across an enterprise. This publication provides:
- a description of the federal ICAM practice area, including how ICAM services and components implement ICAM use cases,
- a description of related CDM capabilities,
- an introduction to federation services, and
- a high-level notional physical implementation.
In addition, it explores zero trust architecture and illustrates how ICAM and CDM help enable it.
CISA Releases its Open Source Software Security Roadmap
Sept. 12, 2023
Today, CISA released an Open Source Software Security Roadmap to lay out—in alignment with the National Cybersecurity Strategy and the CISA Cybersecurity Strategic Plan—how we will partner with federal agencies, open source software (OSS) consumers, and the OSS community, to secure OSS infrastructure. To that end, the roadmap details four key goals:
- Establish CISA’s role in supporting the security of OSS,
- Understand the prevalence of key open source dependencies,
- Reduce risks to the federal government, and
- Harden the broader OSS ecosystem.
See CISA’s Open Source Software Security Roadmap to learn more.
NSA, FBI, and CISA Release Cybersecurity Information Sheet on Deepfake Threats
Sept. 12, 2023
Today, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (CSI), Contextualizing Deepfake Threats to Organizations, which provides an overview of synthetic media threats, techniques, and trends. Threats from synthetic media, such as deepfakes, have exponentially increased—presenting a growing challenge for users of modern technology and communications, including the National Security Systems (NSS), the Department of Defense (DoD), the Defense Industrial Base (DIB), and national critical infrastructure owners and operators. Between 2021 and 2022, U.S. Government agencies collaborated to establish a set of employable best practices to take in preparation and response to the growing threat. Public concern around synthetic media includes disinformation operations, designed to influence the public and spread false information about political, social, military, or economic issues to cause confusion, unrest, and uncertainty.
The authoring agencies urge organizations review the CSI for recommended steps and best practices to prepare, identify, defend against, and respond to deepfake threats.
To report suspicious activity or possible incidents involving deepfakes, contact one of the following agencies:
- Cybersecurity Report Feedback: [email protected]
- Internet Crime Complaint Center (IC3) at IC3.gov or contact a local FBI field office
- CISA’s Incident Reporting System or through the agency’s 24/7 Operations Center at [email protected] or (888) 282-0870
Sept. 7, 2023
Today, CISA, Federal Bureau of Investigation (FBI), and U.S. Cyber Command’s Cyber National Mission Force (CNMF) published a joint Cybersecurity Advisory (CSA), Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475. This CSA provides information on an incident at an Aeronautical Sector organization, with malicious activity occurring as early as January 2023.
CISA, FBI, and CNMF confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.
The authoring agencies urge organizations to review this CSA and implement the recommended mitigations, which align with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs)—developed by CISA and the National Institute of Standards and Technology (NIST)—as well as NSA-recommended best practices for securing infrastructure.
All organizations should report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory by contacting your local FBI field office and CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870.
CISA has released actionable guidance for Federal Civilian Executive Branch (FCEB) agencies to help them evaluate and mitigate the risk of volumetric distributed denial-of-service (DDoS) attacks against their websites and related web services. The Capacity Enhancement Guide: Volumetric DDoS Against Web Services Technical Guidance:
- Helps agencies prioritize DDoS mitigations based on mission and reputational impact.
- Describes DDoS mitigation services so agencies can make risk-informed tradeoff decisions on how to use available resources most effectively.
CISA encourages FCEB agencies to review the guidance and apply the recommendations. Visit Capacity Enhancement Guides for Federal Agencies for more ways to reduce cybersecurity risk.
August 31, 2023
Today, the United Kingdom’s National Cyber Security Centre (NCSC-UK), the United States’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), New Zealand’s National Cyber Security Centre (NCSC-NZ), Canadian Centre for Cyber Security (CCCS), and the Australian Signals Directorate (ASD) published a joint Malware Analysis Report (MAR), on Infamous Chisel a new mobile malware targeting Android devices with capabilities to enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information. Infamous Chisel mobile malware has been used in a malware campaign targeting Android devices in use by the Ukrainian military.
Infamous Chisel is a collection of components targeting Android devices and is attributed to Sandworm, the Russian Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies, GTsST. The malware’s capability includes network monitoring, traffic collection, network backdoor access via The Onion Router (Tor) and Secure Shell (SSH), network scanning and Secure Copy Protocol (SCP) file transfer.
The authoring organizations urge users, network defenders, and stakeholders to review the malware analysis report for indicators of compromise (IOCs) and detection rules and signatures to determine system compromise. For more information about malware, see CISA’s Malware, Phishing, and Ransomware page. The joint MAR can also be read in full on the NCSC-UK website. Associated files relating to this report can also be accessed via the NCSC’s Malware Analysis Reports page. For more information on Russian state-sponsored cyber activity, please see CISA’s Russia Cyber Threat Overview and Advisories webpage.
August 30, 2023
Today, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), Identification and Disruption of QakBot Infrastructure, to help organizations detect and protect against newly identified QakBot-related activity and malware. QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally.
Originally used as a banking trojan to steal banking credentials for account compromise, QakBot—in most cases—was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network. QakBot has since grown to deploy multiple types of malware, trojans, and highly-destructive ransomware variants targeting the United States and other global infrastructures, including the Election Infrastructure Subsector, Financial Services, Emergency Services, and Commercial Facilities Sectors.
CISA and FBI urge organizations to implement the recommendations contained within the joint CSA to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. To report incidents and anomalous activity, please contact one of the following organizations:
- CISA, either through the agency’s online tool (cisa.gov/report) or the 24/7 Operations Center at report@cisa.gov or (888) 282-0870.
- FBI via a local field office.
Organizations are also encouraged to visit CISA‘s Malware, Phishing, and Ransomware and StopRansomware.gov pages—StopRansomware provides a range of free U.S. government resources and services that can help bolster cyber hygiene, cybersecurity posture and reduce risk to ransomware, and contains an updated Joint #StopRansomware Guide.
August 25, 2023
Today, the Cybersecurity and Infrastructure Security Agency (CISA) released its inaugural Vulnerability Disclosure Policy (VDP) Platform 2022 Annual Report, highlighting the service’s progress supporting vulnerability awareness and remediation across the Federal Civilian Executive Branch (FCEB). This report showcases how agencies have used the VDP Platform—launched in July 2021—to safeguard the FCEB and support risk reduction. The VDP platform gives federal agencies a single, user-friendly interface to intake vulnerability information and to collaborate with the public researcher community for vulnerability awareness and remediation.
CISA urges FCEB agencies to review the VDP Platform 2022 Annual Report and encourages use of the platform to promote good-faith security research if they are not already doing so. By promoting an agency’s VDP to the public security researcher community, the platform benefits users by harnessing researchers’ expertise to search for and detect vulnerabilities that traditional scanning technology might not find.
CISA is actively seeking to enhance future collaborations with the public security researcher community and welcomes participation and partnership.
CISA, NSA, and NIST Publish Factsheet on Quantum Readiness
August 22, 2023
Today, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and National Institute of Standards and Technology (NIST) released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap.
CISA, NSA, and NIST urge organizations to review the joint factsheet and to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. For more information and resources related to CISA’s PQC work, visit Post-Quantum Cryptography Initiative.
CISA Releases JCDC Remote Monitoring and Management (RMM) Cyber Defense Plan
August 16, 2023
Today, CISA released the Remote Monitoring and Management (RMM) Cyber Defense Plan, the first proactive Plan developed by industry and government partners through the Joint Cyber Defense Collaborative (JCDC). This plan addresses systemic risks facing the exploitation of RMM software. Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or manage security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers.
This release builds off the JCDC 2023 Planning Agenda and marks a major milestone in the continued evolution and maturation of the Collaborative’s development to satisfy JCDC’s core functions:
- Developing and coordinating cyber defense plans
- Operational collaboration and cybersecurity information fusion
- Producing and disseminating cyber defense guidance
Through this effort, CISA and partners across government and the private sector will take steps to measurably reduce some of the most significant cyber risks facing the global cyber community.
CISA encourages organizations to review JCDC’s RMM Strategic Cyber Defense Plan and 2023 Planning Agenda webpages. Visit CISA.gov/JCDC to learn about other ways JCDC is uniting the global cyber community in the collective defense of cyberspace.