US CERT Current Activity
CISA Adds Two Known Exploited Vulnerabilities to Catalog
Nov 14, 2024
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability CVE-2024-9465 Palo Alto Networks Expedition SQL Injection Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Releases Nineteen Industrial Control Systems Advisories
Nov 14, 2024
CISA released nineteen Industrial Control Systems (ICS) advisories on November 14, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-24-319-01 Siemens RUGGEDCOM CROSSBOW ICSA-24-319-02 Siemens SIPORT ICSA-24-319-03 Siemens OZW672 and OZW772 Web Server ICSA-24-319-04 Siemens SINEC NMS ICSA-24-319-05 Siemens Solid Edge ICSA-24-319-06 Siemens SCALANCE M-800 Family ICSA-24-319-07 Siemens Engineering Platforms ICSA-24-319-08 Siemens SINEC INS ICSA-24-319-09 Siemens Spectrum Power 7 ICSA-24-319-10 Siemens TeleControl Server ICSA-24-319-11 Siemens SIMATIC CP ICSA-24-319-12 Siemens Mendix Runtime ICSA-24-319-13 Rockwell Automation Verve Asset Manager ICSA-24-319-14 Rockwell Automation FactoryTalk Updater ICSA-24-319-15 Rockwell Automation Arena Input Analyzer ICSA-24-319-16 Hitachi Energy MSM ICSA-24-319-17 2N Access Commander ICSA-24-291-01 Elvaco M-Bus Metering Gateway CMe3100 (Update A) ICSMA-24-319-01 Baxter Life2000 Ventilation System CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
Palo Alto Networks Emphasizes Hardening Guidance
Nov 13, 2024
Palo Alto Networks (PAN) has released an important informational bulletin on securing management interfaces after becoming aware of claims of an unverified remote code execution vulnerability via the PAN-OS management interface. CISA urges users and administrators to review the following for more information, follow PAN’s guidance for hardening network devices, review PAN’s instruction for accessing organization’s scan results for internet-facing management interfaces, and take immediate action if required: PAN-SA-2024-0015 Important Informational Bulletin: Ensure Access to Management Interface is Secured Tips & Tricks: How to Secure the Management Access of Your Palo Alto Networks Device
Fortinet Releases Security Updates for Multiple Products
Nov 12, 2024
Fortinet has released security updates to address vulnerabilities in multiple products, including FortiOS. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following advisories and apply necessary updates: FG-IR-23-396 ReadOnly Users Could Run Some Sensitive Operations FG-IR-23-475 FortiOS - SSLVPN Session Hijacking Using SAML Authentication FG-IR-24-144 Privilege Escalation via Lua Auto Patch Function FG-IR-24-199 Named Pipes Improper Access Control
Microsoft Releases November 2024 Security Updates
Nov 12, 2024
Microsoft released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following and apply necessary updates: Microsoft Security Update Guide for November
Adobe Releases Security Updates for Multiple Products
Nov 12, 2024
Adobe released security updates to address multiple vulnerabilities in Adobe software. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates: Security update available for Adobe Bridge | APSB24-77 Security update available for Adobe Audition | APSB24-83 Security update available for Adobe After Effects | APSB24-85 Security update available for Adobe Substance 3D Painter | APSB24-86 Security update available for Adobe Illustrator| APSB24-87 Security update available for Adobe InDesign | APSB24-88 Security update available for Adobe Photoshop | APSB24-89 Security update available for Adobe Commerce | APSB24-90
CISA Adds Five Known Exploited Vulnerabilities to Catalog
Nov 12, 2024
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2021-26086 Atlassian Jira Server and Data Center Path Traversal Vulnerability CVE-2014-2120 Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability CVE-2021-41277 Metabase GeoJSON API Local File Inclusion Vulnerability CVE-2024-43451 Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability CVE-2024-49039 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Ivanti Releases Security Updates for Multiple Products
Nov 12, 2024
Ivanti released security updates to address vulnerabilities in Ivanti Endpoint Manager (EPM), Ivanti Avalanche, Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Security Access Client. CISA encourages users and administrators to review the following Ivanti security advisories and apply the necessary guidance and updates: Ivanti Security Advisory EPM Ivanti Security Advisory Avalanche Ivanti Security Advisory Connect Secure, Ivanti Policy Secure, and Ivanti Security Access Client
JCDC’s Collaborative Efforts Enhance Cybersecurity for the 2024 Olympic and Paralympic Games
Nov 12, 2024
The Cybersecurity and Infrastructure Security Agency (CISA), through the Joint Cyber Defense Collaborative (JCDC), enabled proactive coordination and information sharing to bolster cybersecurity ahead of the 2024 Olympic and Paralympic Games in Paris. Recognizing the potential for cyber threats targeting the Games, CISA worked to strengthen U.S. private sector ties and facilitate connections with key French counterparts to promote collective defense measures. Utilizing its role as a key facilitator between public and private sector partners, JCDC established monitoring channels and launched cyber threat information-sharing forums to prepare for significant incidents. Throughout the Games, JCDC industry partners remained vigilant, promptly alerting CISA to any potential impacts on Olympic and Paralympic activities. This allowed CISA to provide prompt updates and share critical information with the French Agence Nationale de la Sécurité des Systèmes d'Information to aid swift response efforts. This collaboration underscores JCDC’s essential role in uniting global partners to defend against cyber challenges that threaten national security and international events. The partnership highlights the value of voluntary information sharing to build trust and strengthen the protection of critical infrastructure in an evolving threat landscape. For more information about JCDC’s initiatives, visit the JCDC Success Stories webpage and CISA.gov/JCDC.
Citrix Releases Security Updates for NetScaler and Citrix Session Recording
Nov 12, 2024
Citrix released security updates to address multiple vulnerabilities in NetScaler ADC, NetScaler Gateway, and Citrix Session Recording. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following and apply necessary updates: NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2024-8534 and CVE-2024-8535 Citrix Session Recording Security Bulletin for CVE-2024-8068 and CVE-2024-8069
CISA Releases Five Industrial Control Systems Advisories
Nov 12, 2024
CISA released five Industrial Control Systems (ICS) advisories on November 12, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-24-317-01 Subnet Solutions PowerSYSTEM Center ICSA-24-317-02 Hitachi Energy TRO600 ICSA-24-317-03 Rockwell Automation FactoryTalk View ME ICSA-23-306-03 Mitsubishi Electric MELSEC Series (Update A) ICSA-23-136-01 Snap One OvrC Cloud (Update A) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA, FBI, NSA, and International Partners Release Joint Advisory on 2023 Top Routinely Exploited Vulnerabilities
Nov 12, 2024
Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and international partners released joint Cybersecurity Advisory, 2023 Top Routinely Exploited Vulnerabilities. This advisory supplies details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors and their associated Common Weakness Enumeration(s) (CWE) to help organizations better understand the impact of exploitation. International partners contributing to this advisory include: Australian Signals Directorate’s Australian Cyber Security Centre Canadian Centre for Cyber Security New Zealand National Cyber Security Centre and New Zealand Computer Emergency Response Team United Kingdom’s National Cyber Security Centre The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory provides vendors, designers, and developers a guide for implementing secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations mitigations. Following this guidance will help reduce the risk of compromise by malicious cyber actors. Vendors and developers are encouraged to take appropriate steps to provide products that protect their customers’ sensitive data. To learn more about secure by design principles and practices, visit CISA’s Secure by Design.
CISA Releases Three Industrial Control Systems Advisories
Nov 7, 2024
CISA released three Industrial Control Systems (ICS) advisories on November 7, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-24-312-01 Beckhoff Automation TwinCAT Package Manager ICSA-24-312-02 Delta Electronics DIAScreen ICSA-24-312-03 Bosch Rexroth IndraDrive CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. This product is provided subject to this Notification and this Privacy & Use policy.
CISA Adds Four Known Exploited Vulnerabilities to Catalog
Nov 7, 2024
CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-43093 Android Framework Privilege Escalation Vulnerability CVE-2024-51567 CyberPanel Incorrect Default Permissions Vulnerability CVE-2019-16278 Nostromo nhttpd Directory Traversal Vulnerability CVE-2024-5910 Palo Alto Expedition Missing Authentication Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Adds Two Known Exploited Vulnerabilities to Catalog
Nov 4, 2024
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-8957 PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability CVE-2024-8956 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Foreign Threat Actor Conducting Large-Scale Spear-Phishing Campaign with RDP Attachments
Oct 31, 2024
CISA has received multiple reports of a large-scale spear-phishing campaign targeting organizations in several sectors, including government and information technology (IT). The foreign threat actor, often posing as a trusted entity, is sending spear-phishing emails containing malicious remote desktop protocol (RDP) files to targeted organizations to connect to and access files stored on the target’s network. Once access has been gained, the threat actor may pursue additional activity, such as deploying malicious code to achieve persistent access to the target’s network. CISA, government, and industry partners are coordinating, responding, and assessing the impact of this campaign. CISA urges organizations to take proactive measures: Restrict Outbound RDP Connections: It is strongly advised that organizations forbid or significantly restrict outbound RDP connections to external or public networks. This measure is crucial for minimizing exposure to potential cyber threats. Implement a Firewall along with secure policies and access control lists. Block RDP Files in Communication Platforms: Organizations should prohibit RDP files from being transmitted through email clients and webmail services. This step helps prevent the accidental execution of malicious RDP configurations. Prevent Execution of RDP Files: Implement controls to block the execution of RDP files by users. This precaution is vital in reducing the risk of exploitation. Enable Multi-Factor Authentication (MFA): Multi-factor authentication must be enabled wherever feasible to provide an essential layer of security for remote access. Avoid SMS MFA whenever possible. Adopt Phishing-Resistant Authentication Methods: Organizations are encouraged to deploy phishing-resistant authentication solutions, such as FIDO tokens. It is important to avoid SMS-based MFA, as it can be vulnerable to SIM-jacking attacks. Implement Conditional Access Policies: Establish Conditional Access Authentication Strength to mandate the use of phishing-resistant authentication methods. This ensures that only authorized users can access sensitive systems. Deploy Endpoint Detection and Response (EDR): Organizations should implement Endpoint Detection and Response (EDR) solutions to continuously monitor for and respond to suspicious activities within the network. Consider Additional Security Solutions: In conjunction with EDR, organizations should evaluate the deployment of antiphishing and antivirus solutions to bolster their defenses against emerging threats. Conduct User Education: Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails. Recognize and Report Phishing: Avoid phishing with these simple tips. Hunt For Activity Using Referenced Indicators and TTPs: Utilize all indicators that are released in relevant articles and reporting to search for possible malicious activity within your organization’s network. Search for unexpected and/or unauthorized outbound RDP connections within the last year. CISA urges users and administrators to remain vigilant against spear-phishing attempts, hunt for any malicious activity, report positive findings to CISA, and review the following articles for more information: Microsoft: Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files AWS Security: Amazon identified internet domains abused by APT29 The Centre for Cybersecurity Belgium: Warning: Government-themed Phishing with RDP Attachments Computer Emergency Response Team of Ukraine: RDP configuration files as a means of obtaining remote access to a computer or "Rogue RDP"
CISA Releases Four Industrial Control Systems Advisories
Oct 31, 2024
CISA released four Industrial Control Systems (ICS) advisories on October 31, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-24-305-01 Rockwell Automation FactoryTalk ThinManager ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products (Update A) ICSA-24-135-04 Mitsubishi Electric Multiple FA Engineering Software Products (Update A) ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update B) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
Fortinet Updates Guidance and Indicators of Compromise following FortiManager Vulnerability Exploitation
Oct 30, 2024
Fortinet has updated their security advisory addressing a critical FortiManager vulnerability (CVE-2024-47575) to include additional workarounds and indicators of compromise (IOCs). A remote, unauthenticated cyber threat actor could exploit this vulnerability to gain access to sensitive files or take control of an affected system. At this time, all patches have been released. CISA previously added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, as confirmed by Fortinet. CISA strongly encourages users and administrators to apply the necessary updates, hunt for any malicious activity, assess potential risk from service providers, report positive findings to CISA, and review the following articles for additional information: Fortinet Advisory FG-IR-24-423, CISA alert on the Fortinet FortiManager Missing Authentication Vulnerability, Google Threat Intelligence article Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575).
JCDC’s Industry-Government Collaboration Speeds Mitigation of CrowdStrike IT Outage
Oct 29, 2024
CISA, through the Joint Cyber Defense Collaborative (JCDC), enabled swift, coordinated response and information sharing in the wake of a significant IT outage caused by a CrowdStrike software update. This outage, which impacted government, critical infrastructure, and industry across the globe, led to disruptions in essential services, including air travel, healthcare, and financial operations. Leveraging its unique ability to bring together public and private sector partners, JCDC facilitated virtual engagements with over 1,000 federal agency representatives. In close collaboration with CrowdStrike, a JCDC partner, CISA provided critical updates, mitigation guidance, and analysis on the potential for malicious exploitation of the outage. This rapid coordination enabled key information to be quickly disseminated across federal networks, helping to expedite mitigation and protect U.S. government systems. This successful response underscores JCDC’s essential role in uniting industry and government partners to address cyber challenges that could impact national security and resilience. For more information about JCDC’s efforts, visit the JCDC Success Stories webpage and CISA.gov/JCDC.
CISA Releases Three Industrial Control Systems Advisories
Oct 29, 2024
CISA released three Industrial Control Systems (ICS) advisories on October 29, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-24-303-01 Siemens InterMesh Subscriber Devices ICSA-24-303-02 Solar-Log Base 15 ICSA-24-303-03 Delta Electronics InfraSuite Device Master CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
