CISA Cybersecurity Alerts

By CyberWire Inc.


Category: Tech News


Description

Flash cybersecurity advisories from the US Government. These alerts provide timely technical and operational information, indicators of compromise, and mitigations for current major security threats, vulnerabilities, and exploits. These alerts have been edited and adapted for audio by The CyberWire as a public service.

Episodes
CISA Alert AA22-138B – Threat actors chaining unpatched VMware vulnerabilities for full system control.
194
CISA is releasing this cybersecurity advisory to warn organizations that malicious cyber actors are exploiting CVE-2022-22954 and CVE-2022-22960. These vulnerabilities affect versions of VMware products. Successful exploitation permits malicious actors to trigger a server-side template injection that may result in remote code execution or escalation of privileges to root-level access. Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit the newly released VMware vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products.

Resources:
- AA22-138B Alert, Technical Details, and Mitigations
- AA22-138B.stix
- Emergency Directive 22-03: Mitigate VMware Vulnerabilities
- VMware Security Advisory VMSA-2022-0011
- VMware Security Advisory VMSA-2022-0014

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 20, 2022
CISA Alert AA22-138A – Threat Actors Exploiting F5 BIG-IP CVE-2022-1388.
200
CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory in response to active exploitation of CVE-2022-1388. This vulnerability is a critical iControl REST authentication bypass vulnerability affecting multiple versions of F5 Networks BIG-IP.

Resources:
- AA22-138A Alert, Technical Details, and Mitigations
- F5 Security Advisory K23605346 and indicators of compromise
- F5 guidance K11438344 for remediating a compromise
- Emerging Threats Suricata signatures
- Palo Alto Networks Unit 42 Threat Brief: CVE-2022-1388. This brief includes indicators of compromise.
- Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Threat Advisory: Critical F5 BIG-IP Vulnerability. This blog includes indicators of compromise. Note: due to the urgency to share this information, CISA and MS-ISAC have not yet validated this content.
- Randori’s bash script. This script can be used to identify vulnerable instances of BIG-IP. Note: MS-ISAC has verified that this bash script identifies vulnerable instances of BIG-IP.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 19, 2022
CISA Alert AA22-137A – Weak security controls and practices routinely exploited for initial access.
169
This joint Cybersecurity Advisory was coauthored by the cybersecurity authorities of the US, Canada, New Zealand, the Netherlands, and the UK. Cyber actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices, and includes best practices to mitigate these risks.

Resources:
- AA22-137A Alert, Technical Details, and Mitigations
- White House Executive Order on Improving the Nation’s Cybersecurity
- NCSC-NL Factsheet: Prepare for Zero Trust
- NCSC-NL Guide to Cyber Security Measures
- N-able Blog: Intrusion Detection System (IDS): Signature vs. Anomaly-Based
- National Institute of Standards and Technology SP 800-123 – Keeping Servers Secured
- NCSC-UK Guidance – Phishing Attacks: Defending Your Organisation
- Open Web Application Security Project (OWASP) Proactive Controls: Enforce Access Controls

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 17, 2022
CISA Alert AA22-131A – Protecting against cyber threats to managed service providers and their customers.
207
The cybersecurity authorities of the UK, Australia, Canada, New Zealand, and the US have observed a recent increase in malicious cyber activity against managed service providers (MSPs). Allied cybersecurity authorities expect state-sponsored cyber actors to increase their targeting of MSPs in an attempt to exploit provider-customer trust relationships. This advisory includes security guidance tailored for both MSPs and their customers.

Resources:
- AA22-131A Alert, Technical Details, and Mitigations
- Technical Approaches to Uncovering and Remediating Malicious Activity
- Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses
- APTs Targeting IT Service Provider Customers
- ACSC's Managed Service Providers: How to Manage Risk to Customer Networks
- Global Targeting of Enterprise Managed Service Providers
- Cyber Security Considerations for Consumers of Managed Services
- How to Manage Your Security When Engaging a Managed Service Provider
- Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers
- Baseline Cyber Security Controls for Small and Medium Organizations
- Actions to Take When the Cyber Threat Is Heightened
- Top 10 IT Security Action Items to Protect Internet Connected Networks and Information
- CCCS's Alert: Malicious Cyber Activity Targeting Managed Service Providers
- CISA Cybersecurity Alert: APT Activity Exploiting MSPs (2018)
- CISA Cyber Essentials and CISA Cyber Resource Hub
- Improving Cybersecurity of Managed Service Providers
- Shields Up Technical Guidance

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 12, 2022
Update 1 to CISA Alert AA22-076A – Strengthening cybersecurity of SATCOM network providers and customers.
211
The US government attributes cyberattacks on satellite communication (SATCOM) networks to Russian state-sponsored malicious cyber actors. The FBI and CISA are aware of possible threats to US and international SATCOM networks. Intrusions into SATCOM networks could create risk in customer environments.

Resources:
- AA22-076A Alert, Technical Details, and Mitigations
- Attribution of Russia’s Malicious Cyber Activity Against Ukraine
- CISA Shields Up Technical Guidance
- NSA Cybersecurity Advisory: Protecting VSAT Communications
- NSA Cybersecurity Tech-Rep: Network Infrastructure Security Guidance
- Annual Threat Assessment of the U.S. Intelligence Community, February 2022
- CISA Tip: Choosing and Protecting Passwords
- CISA Capacity Enhancement Guide: Implementing Strong Authentication

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 10, 2022
CISA Alert AA22-117A – 2021 top routinely exploited vulnerabilities.
205
This joint Cybersecurity Advisory was coauthored by cybersecurity authorities of the US, Australia, Canada, New Zealand, and the UK. This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

Resources:
- AA22-117A Alert, Technical Details, and Mitigations
- Top 15 CVEs Routinely Exploited in 2020
- Risk Considerations for Managed Service Provider Customers
- Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses
- How to Manage Your Security When Engaging a Managed Service Provider
- CISA Capacity Enhancement Guide – Implementing Strong Authentication
- Implementing Multi-Factor Authentication
- CISA’s Apache Log4j Vulnerability Guidance

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Apr 27, 2022
CISA Alert AA22-110A – Russian state-sponsored and criminal cyber threats to critical infrastructure.
200
The allied cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom are releasing this joint Cybersecurity Advisory (CSA). The intent of this joint CSA is to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and US allies and partners.

Resources:
- AA22-110A Alert, Technical Details, and Mitigations
- March 21, 2022, Statement by U.S. President Biden
- CISA Shields Up Technical Guidance
- Mitigating Russian State-Sponsored Cyber Threats to US Critical Infrastructure
- Joint Cyber Defense Collaborative
- Australian Cyber Security Centre’s (ACSC) Advisory
- Canadian Centre for Cyber Security (CCCS) Cyber Threat Bulletin
- National Cyber Security Centre New Zealand (NZ NCSC) General Security Advisory
- United Kingdom’s National Cyber Security Centre (NCSC-UK) guidance on how to bolster cyber defences in light of the Russian cyber threat

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Apr 20, 2022
CISA Alert AA22-108A – TraderTraitor: North Korean state-sponsored APT targets blockchain companies.
214
This joint Cybersecurity Advisory highlights the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored APT group since at least 2020. This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. As of April 2022, North Korea’s Lazarus Group has targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal crypto. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.

Resources:
- AA22-108A Alert, Technical Details, and Mitigations
- CISA North Korea Threat Information
- AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
- HIDDEN COBRA – FASTCash Campaign
- FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Apr 18, 2022
CISA Alert AA22-103A – APT Cyber Tools Targeting ICS/SCADA Devices.
202
The DOE, CISA, NSA, and the FBI are releasing this joint Cybersecurity Advisory to warn that certain APT actors have demonstrated the ability to gain full system access to multiple ICS/SCADA devices, including Schneider Electric programmable logic controllers, OMRON Sysmac NEX programmable logic controllers, and Open Platform Communications Unified Architecture (OPC UA) servers. DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this CSA to detect potential malicious APT activity and harden their ICS/SCADA devices. The DOE, CISA, NSA, and the FBI would like to thank Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric for their contributions to this joint CSA.

Resources:
- AA22-103A Alert, Technical Details, and Mitigations
- Layering Network Security Through Segmentation
- Stop Malicious Cyber Activity Against Connected Operational Technology
- NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems
- Dragos Report: CHERNOVITE’s PIPEDREAM Malware Targeting Industrial Control Systems

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Apr 13, 2022
CISA Alert AA22-083A – TTPs of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector.
212
This joint Cybersecurity Advisory provides information on multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted US and international Energy Sector organizations. CISA, the FBI, and DOE assess that state-sponsored Russian cyber operations continue to pose a threat to Energy Sector networks and are sharing this information in order to highlight TTPs used by adversaries to target Energy Sector organizations. They urge the Energy Sector and other critical infrastructure organizations to apply the recommendations listed in the Mitigations Section and Appendix Alpha of the alert documentation to reduce the risk of compromise.

Resources:
- AA22-083A Alert, Technical Details, and Mitigations
- Russian Government Employees Charged for Hacking Critical Infrastructure
- CISA Shields Up Technical Guidance
- Mitigating Russian State-Sponsored Cyber Threats to US Critical Infrastructure
- Rewards for Justice Program

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

If you have information on state-sponsored Russian cyber operations targeting US critical infrastructure, contact the Department of State’s Rewards for Justice program. You may be eligible for a reward of up to $10 million for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against US critical infrastructure. Contact +1-202-702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details, refer to the Rewards for Justice website.
Mar 31, 2022
CISA Alert AA22-076A – Strengthening Cybersecurity of SATCOM Network Providers and Customers.
169
The FBI and CISA are aware of possible threats to U.S. and international satellite communication (SATCOM) networks. Successful intrusions into SATCOM networks could create risk in SATCOM network providers’ customer environments.

Resources:
- AA22-076A Alert, Technical Details, and Mitigations
- CISA Shields Up Technical Guidance
- NSA Cybersecurity Advisory: Protecting VSAT Communications
- NSA Cybersecurity Tech-Rep: Network Infrastructure Security Guidance
- Annual Threat Assessment of the U.S. Intelligence Community, February 2022
- CISA Tip: Choosing and Protecting Passwords
- CISA Capacity Enhancement Guide: Implementing Strong Authentication

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Mar 31, 2022
CISA Alert AA22-074A – Russian state-sponsored cyber actors gain network access by exploiting default MFA protocols and “PrintNightmare” vulnerability.
220
The FBI and CISA are releasing this joint Cybersecurity Advisory to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability. As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.

Resources:
- Alert, Technical Details, and Mitigations
- Structured Threat Information Expression (STIX)
- Russian Cyber Threat Information
- Shields Up Technical Guidance

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Mar 31, 2022
CISA Alert AA22-057A – Destructive malware targeting organizations in Ukraine.
223
This joint Cybersecurity Advisory between CISA and the FBI provides technical information on the WhisperGate and HermeticWiper malware as well as open-source indicators of compromise for organizations to detect and prevent the malware. Additionally, this alert provides recommended guidance and considerations for organizations to address as part of network architecture, security baseline, continuous monitoring, and incident response practices.

Resources:
- Alert and technical details
- Structured Threat Information Expression (STIX)

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Mar 31, 2022
CISA Alert AA22-055A – Iranian government-sponsored actors conduct cyber operations against global government and commercial networks.
182
The FBI, CISA, US Cyber Command Cyber National Mission Force, and the United Kingdom’s National Cyber Security Centre have observed a group of Iranian government-sponsored APT actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors (including telecommunications, defense, local government, and oil and natural gas) in Asia, Africa, Europe, and North America.

Resources:
- AA22-055A Alert, Technical Details, and Mitigations
- Malware Analysis Report
- AA22-052A STIX and Malware Analysis STIX
- Iran Cyber Threat Overview and Advisories
- NCSC-UK MAR – Small Sieve
- CNMF's press release – Iranian intel cyber suite of malware uses open source tools

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Feb 24, 2022
CISA Alert AA22-054A – New Sandworm malware “Cyclops Blink” replaces VPNFilter.
178
CISA, the UK’s National Cyber Security Centre (NCSC), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have identified that the actor known as Sandworm or Voodoo Bear is using a new malware, Cyclops Blink. CISA, the NCSC, and the FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies.

Resources:
- AA22-054A Alert, Technical Details, and Mitigations
- Cyclops Blink Malware Analysis Report

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Feb 23, 2022
CISA Alert AA22-047A – Russian state-sponsored cyber actors target cleared defense contractor networks to obtain sensitive US defense information and technology.
218
CISA, the FBI, and NSA have observed Russian state-sponsored cyber actors regularly target US cleared defense contractors from at least January 2020 through February 2022. The actors have targeted both large and small defense contractors and subcontractors with varying levels of cybersecurity protocols and resources. These defense contractors support contracts for the US Department of Defense (DoD) and Intelligence Community in command, control, communications, and combat systems; intelligence, surveillance, reconnaissance, and targeting; weapons and missile development; vehicle and aircraft design; and software development, data analytics, computers, and logistics.

Resources:
- AA22-047A Alert, Technical Details, and Mitigations
- Russia Cyber Threat Overview and Advisories

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Feb 16, 2022
CISA Alert AA22-040A – 2021 trends show increased globalized threat of ransomware.
182
In 2021, cybersecurity authorities in the United States, Australia, and the United Kingdom observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally. The FBI, CISA, and NSA observed incidents involving ransomware against 14 of the 16 US critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors.

Resources:
- AA22-040A Alert, Technical Details, and Mitigations
- CISA’s Ransomware Readiness Assessment
- CISA’s Cyber Hygiene Services
- ACSC’s Strategies to Mitigate Cyber Security Incidents

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Feb 09, 2022
CISA Cybersecurity Alerts - Trailer
63
Feb 01, 2022