US CERT Current Activity
Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments
Mar 23, 2023
Today, CISA released the Untitled Goose Tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. The Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services. The tool enables users to: Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity. Query, export, and investigate AAD, M365, and Azure configurations. Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics. Perform time bounding of the UAL. Extract data within those time bounds. Collect and review data using similar time bounding capabilities for MDE data. Untitled Goose Tool was developed by CISA with support from Sandia National Laboratories. Network defenders can see the Untitled Goose Tool fact sheet and visit the Untitled Goose Tool GitHub repository to get started. Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.
Cisco Releases Security Advisories for Multiple Products
Mar 23, 2023
Cisco has released security advisories for vulnerabilities affecting multiple Cisco products. A remote cyber threat actor could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following advisories and apply the necessary updates: Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability cisco-sa-ipv4-vfr-dos-CXxtFacb Cisco IOS XE Software IOx Application Hosting Environment Privilege Escalation Vulnerability cisco-sa-iox-priv-escalate-Xg8zkyPk Cisco IOS XE SD-WAN Software Command Injection Vulnerability cisco-sa-ios-xe-sdwan-VQAhEjYw Cisco IOS XE Software Fragmented Tunnel Protocol Packet Denial of Service Vulnerability cisco-sa-ios-gre-crash-p6nE5Sq5 Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability cisco-sa-ios-dhcpv6-dos-44cMvdDK Cisco IOS XE Software for Wireless LAN Controllers HTTP Client Profiling Denial of Service Vulnerability cisco-sa-ewlc-dos-wFujBHKw Cisco DNA Center Privilege Escalation Vulnerability cisco-sa-dnac-privesc-QFXe74RS Cisco IOS XE Software for Cisco Catalyst 9300 Series Switches Secure Boot Bypass Vulnerability cisco-sa-c9300-spi-ace-yejYgnNQ Cisco Access Point Software Association Request Denial of Service Vulnerability cisco-sa-ap-assoc-dos-D2SunWK2 For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. Please share your thoughts. We recently updated our anonymous Product Feedback Survey; we'd welcome your feedback.
JCDC Cultivates Pre-Ransomware Notification Capability
Mar 23, 2023
In today’s blog post, Associate Director of the Joint Cyber Defense Collaborative (JCDC) Clayton Romans highlighted recent successes of pre-ransomware notification and its impact in reducing harm from ransomware intrusions. With pre-ransomware notifications, organizations can receive early warning and potentially evict threat actors before they can encrypt and hold critical data and systems for ransom. Using this proactive cyber defense capability, CISA has notified more than 60 entities of early-stage ransomware intrusions since January 2023, including critical infrastructure organizations in the Energy, Healthcare and Public Health, Water and Wastewater Systems sectors, as well as the education community. The pre-ransomware notification was cultivated with the help of the cybersecurity research community and through CISA’s relationships with infrastructure providers and cyber threat intelligence companies. For more information, visit #StopRansomware. To report early-stage ransomware activity, visit Report Ransomware. CISA also encourages stakeholders and network defenders to review associate director Romans’ post, Getting Ahead of the Ransomware Epidemic: CISA’s Pre-Ransomware Notifications Help Organizations Stop Attacks Before Damage Occurs, to learn more about CISA’s Pre-Ransomware Notification Initiative. Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.
CISA Releases Six Industrial Control Systems Advisories
Mar 23, 2023
CISA released six Industrial Control Systems (ICS) advisories on March 23, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-082-01 RoboDK ICSA-23-082-02 CP-Plus KVMS Pro ICSA-23-082-03 SAUTER EY-modulo 5 Building Automation Stations ICSA-23-082-04 Schneider Electric IGSS ICSA-23-082-05 ABB Pulsar Plus Controller ICSA-23-082-06 ProPump and Controls Osprey Pump Controller CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.
CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management
Mar 21, 2023
As part of the Enduring Security Framework (ESF), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) has released Identity and Access Management Recommended Best Practices Guide for Administrators. These recommended best practices provide system administrators with actionable recommendations to better secure their systems from threats to Identity and Access Management (IAM). IAM—a framework of business processes, policies, and technologies that facilitate the management of digital identities—ensures that users only gain access to data when they have the appropriate credentials. This paper provides recommended best practices and mitigations to counter threats to IAM related to: identity governance environmental hardening identity federation/single sign-on multifactor authentication IAM auditing and monitoring This guidance was developed and published by a CISA- and NSA-led working panel with ESF, a public-private cross-sector partnership that aims to address risks that threaten critical infrastructure and national security systems.
CISA Releases Eight Industrial Control Systems Advisories
Mar 21, 2023
CISA released eight Industrial Control Systems (ICS) advisories on March 21, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-080-01 Keysight N6854A Geolocation Server and N6841A RF Sensor ICSA-23-080-02 Delta Electronics InfraSuite Device Master ICSA-23-080-03 Siemens RUGGEDCOM APE1808 Product Family ICSA-23-080-04 Siemens RADIUS Client of SIPROTEC 5 Devices ICSA-23-080-05 VISAM VBASE Automation Base ICSA-23-080-06 Rockwell Automation ThinManager ICSA-23-080-07 Siemens SCALANCE Third-Party ICSA-21-343-01 Hitachi Energy GMS600, PWC600, and Relion (Update A) CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.
CISA Releases Updated Cybersecurity Performance Goals
Mar 21, 2023
Content: Today, we published stakeholder-based updates to the Cybersecurity Performance Goals (CPGs). Originally released last October, the CPGs are voluntary practices that businesses and critical infrastructure owners can take to protect themselves against cyber threats. The CPGs have been reorganized, reordered and renumbered to align closely with NIST CSF functions (Identify, Protect, Detect, Respond, and Recover) to help organizations more easily use the CPGs to prioritize investments as part of a broader cybersecurity program built around the CSF. CISA urges stakeholders to review and learn more by visiting Cross-Sector Cybersecurity Performance Goals.
Drupal Releases Security Advisory to Address Vulnerability in Drupal Core
Mar 17, 2023
Drupal has released a security advisory to address an access bypass vulnerability affecting multiple Drupal versions. An attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review Drupal security advisory SA-CONTRIB- 2023-004 for more information and apply the necessary updates.
FBI, CISA, and MS-ISAC Release #StopRansomware: LockBit 3.0
Mar 16, 2023
The Federal Bureau of Investigation (FBI), CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) has released a joint cybersecurity advisory (CSA), #StopRansomware: LockBit 3.0. This joint advisory details known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that FBI investigations correlated with LockBit 3.0 ransomware as recently as March 2023. LockBit 3.0 functions as an affiliate-based ransomware variant and is a continuation of LockBit 2.0 and LockBit. CISA encourages network defenders to review and apply the recommendations in the Mitigations section of this CSA. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response.
CISA Releases Eight Industrial Control Systems Advisories
Mar 16, 2023
CISA released eight Industrial Control Systems (ICS) advisories on March 16, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-23-075-01 Siemens SCALANCE, RUGGEDCOM Third-Party ICSA-23-075-02 Siemens RUGGEDCOM CROSSBOW V5.3 ICSA-23-075-03 Siemens RUGGEDCOM CROSSBOW V5.2 ICSA-23-075-04 Siemens SCALANCE W1750D Devices ICSA-23-075-05 Siemens Mendix SMAL Module ICSA-23-075-06 Honeywell OneWireless Wireless Device Manager ICSA-23-075-07 Rockwell Automation Modbus TCP AOI Server ICSA-22-342-02 AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere (Update A) Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.
<p>The Water Information Sharing and
Mar 15, 2023
The Water Information Sharing and Analysis Center (WaterISAC) has released an advisory, Potential for Mandatory Microsoft DCOM Patch to Disrupt SCADA. ICS/OT/SCADA engineers and operators should assess the use of the Distributed Component Object Model (DCOM) protocol in their industrial environments. According to WaterISAC, “failure to address could result in loss of critical communications between impacted ICS/OT/SCADA devices.” CISA urges operators to review the WaterISAC advisory and apply recommended compensating controls. See Microsoft KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) for more information.
<p>CISA has released a draft Secure
Mar 15, 2023
CISA has released a draft Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Architecture guidance document for public comment. The request for comment period is open until April 17, 2023. Comments may be submitted to CyberSharedServices@cisa.dhs.gov. In accordance with Executive Order 14028, CISA’s SCuBA project aims to develop consistent, effective, modern, and manageable security that will help secure agency information assets stored within cloud operations. This guidance will help federal civilian departments and agencies securely and efficiently integrate their traditional on-premises enterprise networks with cloud-based solutions. CISA encourages federal program and project managers involved in identity management interoperability and vulnerability mitigation to review and provide comment. Visit CISA’s SCuBA project page for more information and to review the guidance document.
<p>In light of recent <a href="https:/
Mar 15, 2023
In light of recent bank failures, CISA warns consumers to beware of potential scams requesting your money or sensitive personal information. Exercise caution in handling emails with bank-related subject lines, attachments, or links. In addition, be wary of social media pleas, texts, or door-to-door solicitations relating to any failed bank. The Federal Deposit Insurance Corporation (FDIC), the "Receiver" of failed banks, would never contact you asking for personal details, such as bank account information, credit and debit card numbers, social security numbers, or passwords. To avoid becoming victims of scams, consumers should review the following resources and take preventative measures: CISA: Avoiding Social Engineering and Phishing Attacks FDIC Consumer News: Beware, It’s a Scam! FDIC Consumer News: Scammers Pretending to be the FDIC FDIC: Failed Bank Information for Silicon Valley Bank, Santa Clara, CA FDIC: Failed Bank Information for Signature Bank, New York, NY CISA: Phishing Infographic Consider reporting scams and fraud to the police and file a report with the Federal Trade Commission. Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.
<p>CISA has added one new vulnerability
Mar 15, 2023
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-26360 Adobe ColdFusion Improper Access Control Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.
<p>Today, the CISA, Federal Bureau of
Mar 15, 2023
Today, the CISA, Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA), Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server. This joint CSA provides IT infrastructure defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar, successful CVE-2019-18935 exploitation. As detailed in the advisory, CISA analysts determined that multiple cyber threat actors, including an Advanced Persistent Threat (APT) actor, exploited a .NET deserialization vulnerability in Progress Telerik user interface for ASP.NET AJAX. Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server. Actors were then able to upload malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) to the C:\Windows\Temp\ directory. CISA, FBI, and MS-ISAC encourage network defenders to review the Detection and Mitigations sections of this advisory, as well as refer to the accompanying Malware Analysis Report, MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server, to reference CISA's analysis for the identified malicious files. Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.
<p>Adobe has released security updates
Mar 14, 2023
Adobe has released security updates to address multiple vulnerabilities in Adobe software. An attacker can exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates. Commerce APSB23-17 Experience Manager APSB23-18 Illustrator APSB23-19 Dimension APSB23-20 Creative Cloud Desktop Application APSB23-21 Substance 3D Stager APSB23-22 Photoshop APSB23-23 ColdFusion APSB23-25 Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.
<p>Microsoft has released updates to
Mar 14, 2023
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s March 2023 Security Update Guide and Deployment Information and apply the necessary updates. Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.
<p>Mozilla has released security
Mar 14, 2023
Mozilla has released security updates to address vulnerabilities in Firefox 111 and Firefox ESR 102.9. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Mozilla’s security advisories for Firefox 111 and Firefox ESR 102.9 for more information and apply the necessary updates. Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.
<p>CISA has added three new
Mar 14, 2023
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-23397 Microsoft Outlook Elevation of Privilege Vulnerability CVE-2023-24880 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability CVE-2022-41328 Fortinet FortiOS Path Traversal Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we'd welcome your feedback.
<p>CISA released four Industrial
Mar 14, 2023
CISA released four Industrial Control Systems (ICS) advisories on March 14, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-23-073-01 Omron CJ1m PLC ICSA-23-073-02 Autodesk FBX SDK ICSA-23-073-03 GE iFIX ICSA-23-073-04 AVEVA Plant SCADA and AVEVA Telemetry Server
