US CERT Current Activity

Cisco Releases Security Advisories for Cisco NX-OS Software

Mar 1, 2024

Cisco released security advisories to address vulnerabilities affecting Cisco NX-OS Software. A cyber threat actor could exploit one of these vulnerabilities to cause a denial-of-service condition. CISA encourages users and administrators to review the following advisories and apply the necessary updates:

- Cisco NX-OS Software MPLS Encapsulated IPv6 Denial of Service Vulnerability
- Cisco NX-OS Software External Border Gateway Protocol Denial of Service Vulnerability


CISA and Partners Release Advisory on Threat Actors Exploiting Ivanti Connect Secure and Policy Secure Gateways Vulnerabilities

Feb 29, 2024

Today, CISA and the following partners released joint Cybersecurity Advisory Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways:

- Federal Bureau of Investigation (FBI)
- Multi-State Information Sharing & Analysis Center (MS-ISAC)
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- United Kingdom National Cyber Security Centre (NCSC-UK)
- Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment
- New Zealand National Cyber Security Centre (NCSC-NZ)
- CERT-New Zealand (CERT NZ)

The advisory describes cyber threat actor exploitation of multiple previously identified Connect Secure and Policy Secure vulnerabilities—namely CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893—which threat actors can exploit in a chain to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. Additionally, the advisory describes two key CISA findings:

- The Ivanti Integrity Checker Tool is not sufficient to detect compromise due to the ability of threat actors to deceive it, and
- A cyber threat actor may be able to gain root-level persistence despite the victim having issued factory resets on the Ivanti device.

The advisory provides cyber defenders with detection methods and indicators of compromise (IOCs) as well as mitigation guidance to defend against this activity. Note: As exploitation is ongoing as of publication of this advisory, CISA will provide updates to the Additional Resources list below as they are made available.

CISA and its partners urge cyber defenders to review this advisory and consider the significant risk of cyber threat actor access to, and persistence on, Connect Secure and Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.

Additional Resources

Organizations using these devices should assume a threat actor is maintaining persistence and lying dormant for a period before conducting malicious actions. For more on this specific technique, see Identifying and Mitigating Living Off the Land Techniques.

CISA has issued Emergency Directive (ED) 24-01 Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities as well as corresponding Supplemental Direction to ED 24-01 to federal agencies.

- IBM: Widespread exploitation of recently disclosed Ivanti vulnerabilities
- Akamai: Scanning Activity for CVE-2024-22024 (XXE) Vulnerability in Ivanti
- Rapid7 AttackerKB: CVE-2024-21893, CVE-2024-21887, CVE-2024-22024, CVE-2023-46805
- Orange Cyberdefense: Ivanti Connect Secure: Journey to the core of the DSLog backdoor
- Volexity: Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
- WatchTowr: Ivanti Connect Secure CVE-2024-22024 - Are We Now Part Of Ivanti?
- Mandiant: Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation; Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation; Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
- Grey Noise: Ivanti Connect Secure Exploited to Install Cryptominers
- Ivanti: KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
- Palo Alto Networks Unit 42: Threat Brief: Multiple Ivanti Vulnerabilities
- GitHub: CSIRTs Network - Exploitation of Ivanti Connect Secure and Ivanti Policy Secure Gateway Zero-Days


CISA Adds One Known Exploited Vulnerability to Catalog

Feb 29, 2024

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

- CVE-2023-29360 Microsoft Streaming Service Untrusted Pointer Dereference Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.


CISA, FBI, and MS-ISAC Release Advisory on Phobos Ransomware

Feb 29, 2024

Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Phobos Ransomware, to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) drawn from incident response investigations tied to Phobos ransomware activity from as recently as February 2024. Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars. CISA, the FBI, and MS-ISAC encourage critical infrastructure organizations to review and implement the mitigations provided in the joint CSA to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents. For more information, see CISA’s #StopRansomware webpage and the updated #StopRansomware Guide.


CISA Releases Two Industrial Control Systems Advisories

Feb 29, 2024

CISA released two Industrial Control Systems (ICS) advisories on February 29, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

- ICSA-24-060-01 Delta Electronics CNCSoft-B
- ICSMA-24-060-01 MicroDicom DICOM Viewer

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.


CISA Releases Resource Guide for University Cybersecurity Clinics

Feb 28, 2024

Today, CISA released a Resource Guide for Cybersecurity Clinics to outline ways CISA can partner with and support cybersecurity clinics and their clients. University cybersecurity clinics train students from diverse backgrounds and academic expertise to strengthen the digital defenses of non-profits, hospitals, municipalities, small businesses, and other under-resourced organizations. They can help address the national cyber workforce gap by developing a talent pipeline for cyber civil defense and helping students see themselves in a cybersecurity career. CISA encourages clinics to engage with CISA and leverage the CISA resources outlined in the guide. CISA also encourages more universities to consider starting their own cybersecurity clinics as they play an important role in strengthening the cybersecurity posture of small organizations at the local level.


CISA, FBI, and HHS Release an Update to #StopRansomware Advisory on ALPHV Blackcat

Feb 27, 2024

Today, CISA, the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released an update to the joint advisory #StopRansomware: ALPHV Blackcat to provide new indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the ALPHV Blackcat ransomware as a service (RaaS). ALPHV Blackcat affiliates have been observed primarily targeting the healthcare sector. CISA, the FBI, and HHS urge network defenders to review the updated joint advisory to protect and detect against malicious activity.  All organizations are encouraged to share information on incidents and anomalous activity to CISA’s 24/7 Operations Center at report@cisa.gov or via our Report page, and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.  For more on ransomware, visit stopransomware.gov. 


CISA Releases Two Industrial Control Systems Advisories

Feb 27, 2024

CISA released two Industrial Control Systems (ICS) advisories on February 27, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

- ICSA-24-058-01 Mitsubishi Electric Multiple Factory Automation Products
- ICSMA-24-058-01 Santesoft Sante DICOM Viewer Pro

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.


CISA, NCSC-UK, and Partners Release Advisory on Russian SVR Actors Targeting Cloud Infrastructure

Feb 26, 2024

CISA, in partnership with the UK National Cyber Security Centre (NCSC) and other U.S. and international partners, released the joint advisory SVR Cyber Actors Adapt Tactics for Initial Cloud Access. This advisory provides recent tactics, techniques, and procedures (TTPs) used by Russian Foreign Intelligence Service (SVR) cyber actors—also known as APT29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—to gain initial access into a cloud environment. The authoring agencies encourage network defenders and organizations to review the joint advisory for recommended mitigations. For more information on APT29, see the joint CSA Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally or visit CISA’s Russia Cyber Threat Overview and Advisories page. For more guidance on cloud security best practices, see CISA’s Secure Cloud Business Applications (SCuBA) Project.


Updated: Top Cyber Actions for Securing Water Systems

Feb 23, 2024

Today, CISA, the Environmental Protection Agency (EPA), and the Federal Bureau of Investigation (FBI) updated the joint fact sheet Top Cyber Actions for Securing Water Systems. This update includes additional resources—from the American Water Works Association, the WaterISAC, and MS-ISAC—to support water systems in defending against malicious cyber activity.

The fact sheet outlines the following practical actions Water and Wastewater Systems (WWS) Sector entities can take to better protect water systems from malicious cyber activity and provides actionable guidance to implement concurrently:

- Reduce Exposure to the Public-Facing Internet
- Conduct Regular Cybersecurity Assessments
- Change Default Passwords Immediately
- Conduct an Inventory of Operational Technology/Information Technology Assets
- Develop and Exercise Cybersecurity Incident Response and Recovery Plans
- Backup OT/IT Systems
- Reduce Exposure to Vulnerabilities
- Conduct Cybersecurity Awareness Training

CISA, EPA, and FBI urge all WWS Sector and critical infrastructure organizations to review the fact sheet and implement the actions to improve resilience to cyber threat activity. Organizations can visit cisa.gov/water for additional sector tools, information, and resources.


CISA Releases One Industrial Control Systems Advisory

Feb 22, 2024

CISA released one Industrial Control Systems (ICS) advisory on February 22, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

- ICSA-24-053-01 Delta Electronics CNCSoft-B DOPSoft

CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations.


CISA Adds One Known Exploited Vulnerability to Catalog

Feb 22, 2024

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

- CVE-2024-1709 ConnectWise ScreenConnect Authentication Bypass Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.


Mozilla Releases Security Updates for Firefox and Thunderbird

Feb 21, 2024

Mozilla released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Mozilla Security Advisories and apply the necessary updates:

- MFSA 2024-05 for Firefox
- MFSA 2024-06 for Firefox ESR
- MFSA 2024-07 for Thunderbird


CISA, EPA, and FBI Release Top Cyber Actions for Securing Water Systems

Feb 21, 2024

Today, CISA, the Environmental Protection Agency (EPA), and the Federal Bureau of Investigation (FBI) released the joint fact sheet Top Cyber Actions for Securing Water Systems. This fact sheet outlines the following practical actions Water and Wastewater Systems (WWS) Sector entities can take to better protect water systems from malicious cyber activity and provides actionable guidance to implement concurrently:

- Reduce Exposure to the Public-Facing Internet
- Conduct Regular Cybersecurity Assessments
- Change Default Passwords Immediately
- Conduct an Inventory of Operational Technology/Information Technology Assets
- Develop and Exercise Cybersecurity Incident Response and Recovery Plans
- Backup OT/IT Systems
- Reduce Exposure to Vulnerabilities
- Conduct Cybersecurity Awareness Training

CISA, EPA, and FBI urge all WWS Sector and critical infrastructure organizations to review the fact sheet and implement the actions to improve resilience to cyber threat activity. Organizations can visit cisa.gov/water for additional sector tools, information, and resources.


CISA Releases Three Industrial Control Systems Advisories

Feb 20, 2024

CISA released three Industrial Control Systems (ICS) advisories on February 20, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

- ICSA-24-051-01 Commend WS203VICM
- ICSA-24-051-02 Ethercat Zeek Plugin
- ICSA-24-051-03 Mitsubishi Electric Electrical Discharge Machines

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.


CISA Releases Seventeen Industrial Control Systems Advisories

Feb 15, 2024

CISA released seventeen Industrial Control Systems (ICS) advisories on February 15, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

- ICSA-24-046-01 Siemens SCALANCE W1750D
- ICSA-24-046-02 Siemens SIDIS Prime
- ICSA-24-046-03 Siemens SIMATIC RTLS Gateways
- ICSA-24-046-04 Siemens CP343-1 Devices
- ICSA-24-046-05 Siemens Location Intelligence
- ICSA-24-046-06 Siemens Unicam FX
- ICSA-24-046-07 Siemens Tecnomatix Plant Simulation
- ICSA-24-046-08 Siemens RUGGEDCOM APE1808
- ICSA-24-046-09 Siemens SCALANCE SC-600 Family
- ICSA-24-046-10 Siemens Simcenter Femap
- ICSA-24-046-11 Siemens SCALANCE XCM-/XRM-300
- ICSA-24-046-12 Siemens SIMATIC WinCC, OpenPCS
- ICSA-24-046-13 Siemens Parasolid
- ICSA-23-046-14 Siemens Polarion ALM
- ICSA-24-046-15 Siemens SINEC NMS
- ICSA-24-046-16 Rockwell Automation FactoryTalk Service Platform
- ICSA-23-306-02 Mitsubishi Electric MELSEC iQ-F/iQ-R Series CPU Module (Update A)

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.


CISA Adds Two Known Exploited Vulnerabilities to Catalog

Feb 15, 2024

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

- CVE-2020-3259 Cisco ASA and FTD Information Disclosure Vulnerability
- CVE-2024-21410 Microsoft Exchange Server Privilege Escalation Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.


CISA and MS-ISAC Release Advisory on Compromised Account Used to Access State Government Organization

Feb 15, 2024

Today, CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA), Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization, to provide network defenders with the tactics, techniques, and procedures (TTPs) utilized by a threat actor and methods to protect against similar exploitation. Following an incident response assessment of a state government organization’s network environment, analysis confirmed compromise through the network administrator credentials of a former employee. This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point. CISA and MS-ISAC encourage network defenders and organizations to review the TTPs and implement the mitigations provided in the joint CSA. For more information, visit CISA’s Cross-Sector Cybersecurity Performance Goals.


Adobe Releases Security Updates for Multiple Products

Feb 13, 2024

Adobe has released security updates to address vulnerabilities in Adobe software. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:

- Adobe Commerce and Magento
- Adobe Substance 3D Painter
- Adobe Acrobat and Reader
- Adobe FrameMaker Publishing Server
- Adobe Audition
- Adobe Substance 3D Designer


CISA Adds Two Known Exploited Vulnerabilities to Catalog

Feb 13, 2024

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

- CVE-2024-21412 Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability
- CVE-2024-21351 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
