US CERT Current Activity
CISA Releases Two SBOM Documents
Apr 21, 2023
Today, CISA released two community-drafted documents around Software Bill of Materials (SBOM): Types of SBOM documents and Minimum Requirements for Vulnerability Exploitability eXchange (VEX). The Types of SBOM document summarizes common types of SBOMs that tools may create in the industry today, along with the data typically presented for each type of SBOM. As software goes from planning to source to build to deployed and used, tools may be able to detect subtle differences in the underlying components. These types will allow for better differentiation of tools and in the broader marketplace. The Minimum Requirements for VEX document specifies the minimum elements to create a VEX document. This will allow interoperability between different implementations and data formats of VEX. It will also help promote integration of VEX into novel and existing security tools. This document also specifies some optional VEX elements. Led by CISA, both publications were debated and drafted by a community of industry and government experts with the goal to offer some common guidance and structure for the large and growing global SBOM community.
Oracle Releases Security Updates
Apr 21, 2023
Oracle has released its Critical Patch Update Advisory, Solaris Third Party Bulletin, and Linux Bulletin for April 2023 to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Oracle’s Critical Patch Update Advisory, Solaris Third Party Bulletin, and Linux Bulletin and apply the necessary updates.
CISA Releases Malware Analysis Report on ICONICSTEALER
Apr 20, 2023
CISA has released a new Malware Analysis Report (MAR) on an infostealer known as ICONICSTEALER. This trojan has been identified as a variant of malware used in the supply chain attack against 3CX’s Desktop App. CISA recommends users and administrators to review the following resources for more information, and hunt for the listed indicators of compromise (IOCs) for potential malicious activity: MAR-10435108.r1.v1 – ICONICSTEALER Supply Chain Attack Against 3CXDesktopApp
CISA to Continue and Enhance U.K.’s Logging Made Easy Tool
Apr 20, 2023
CISA has announced plans to continue and enhance the Logging Made Easy (LME) tool, a service originally developed and maintained by the United Kingdom’s National Cyber Security Centre (NCSC-UK). NCSC-UK stopped supporting the open-source log management solution for Windows-based devices tool on March 31, 2023. LME reduces log management burden and provides greater transparency into operating system and network security across deployed devices. CISA’s enhanced LME tool will be available to public and private sector stakeholders this summer. Until CISA re-launches LME, neither CISA nor NCSC-UK will maintain the legacy LME tool and organizations using the unsupported version are urged to exercise due caution. For more information about CISA’s shared services, visit CISA’s Cyber Marketplace.
CISA Releases One Industrial Control Systems Advisory
Apr 20, 2023
CISA released one Industrial Control Systems (ICS) advisory on April 20, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA- 23-110-01 INEA ME RTU
CISA and Partners Release Cybersecurity Best Practices for Smart Cities
Apr 19, 2023
Today, CISA, NSA, FBI, NCSC-UK, ACSC, CCCS and NCSC-NZ released a joint guide: Cybersecurity Best Practices for Smart Cities. Smart cities may create safer, more efficient, resilient communities through technological innovation and data-driven decision making. However, this opportunity also introduces potential vulnerabilities and weaknesses that—if exploited—could impact national security, economic security, public health and safety, and critical infrastructure operations. CISA encourages organizations implement these best practices in alignment with their specific cybersecurity requirements to ensure the safe and secure operation of infrastructure systems, protection of citizen’s private data, and security of sensitive government and business data.
CISA Adds One Known Vulnerability to Catalog
Apr 19, 2023
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2017-6742 Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. This product is provided subject to this Notification and this Privacy & Use policy.
APT28 Exploits Known Vulnerability To Carry Out Reconnaissance and Deploy Malware on Cisco Routers
Apr 18, 2023
NCSC, NSA, CISA, and FBI have released a joint advisory to provide details of tactics, techniques, and procedures (TTPs) associated with APT28's exploitation of Cisco routers in 2021. By exploiting the vulnerability CVE-2017-6742, APT28 used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide, including routers in Europe, U.S. government institutions, and approximately 250 Ukrainian victims. CISA encourages personnel to review NCSC’s Jaguar Tooth malware analysis report for detailed TTPs and indicators of compromise which may help detect APT28 activity. For more information on APT28 activity, see the advisories Russian State-sponsored and Criminal Cyber Threats to Critical Infrastructure and Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments, as well as [Titles of the EAD blogs. This product is provided subject to this Notification and this Privacy & Use policy.
CISA Releases Four Industrial Control Systems Advisories
Apr 18, 2023
CISA released four Industrial Control Systems (ICS) advisories on April 18, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-23-108-01 Omron CSCJ Series ICSA-23-108-02 Schneider Electric Easy UPS Online Monitoring Software ICSA-23-017-02 Mitsubishi Electric MELSEC iQ-F, iQ-R Series (Update B) ICSA-19-346-02 Omron PLC CJ and CS Series (Update B)
IRS Warns of New Tax Scams
Apr 17, 2023
The Internal Revenue Service (IRS) has issued a reminder urging taxpayers to be vigilant and wary of new of tax-related scams. These include phishing and other fraudulent behaviors. The IRS recommends strengthening passwords, remaining vigilant against phishing attempts, and forwarding suspicious emails to phishing@irs.gov. CISA encourages taxpayers to review the IRS Alerts and CISA’s Tips on Avoiding Social Engineering and Phishing Attacks for more information on avoiding tax scams throughout the year, not just during tax season. If you believe you have been a victim of a tax-related scam, visit the IRS webpage on Tax Scams - How to Report Them. This product is provided subject to this Notification and this Privacy & Use policy.
CISA Releases Software Bill of Materials (SBOM) Sharing Lifecycle Report
Apr 17, 2023
CISA has released the SBOM Sharing Lifecycle Report to the cybersecurity and supply chain community. The purpose of this report is to enumerate and describe the different parties and phases of the SBOM Sharing Lifecycle and to assist readers in choosing suitable SBOM sharing solutions based on the amount of time, resources, subject-matter expertise, effort, and access to tooling that is available to the reader to implement a phase of the SBOM sharing lifecycle. This report also highlights SBOM sharing survey results obtained from interviews with stakeholders to understand the current SBOM sharing landscape. This product is provided subject to this Notification and this Privacy & Use policy.
CISA Adds Two Known Exploited Vulnerabilities to Catalog
Apr 17, 2023
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2019-8526 Apple macOS Use-After-Free Vulnerability CVE-2023-2033 Google Chromium V8 Engine Type Confusion Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. This product is provided subject to this Notification and this Privacy & Use policy.
CISA Releases Sixteen Industrial Control Systems Advisories
Apr 13, 2023
CISA released sixteen Industrial Control Systems (ICS) advisories on April 13, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSMA-23-103-01 B. Braun Battery Pack SP with Wi-Fi ICSA-23-103-01 Siemens Adaptec maxView Application ICSA-23-103-02 Siemens JT Open and JT Utilities ICSA-23-103-03 Siemens in OPC Foundation Local Discovery Server ICSA-23-103-04 Siemens TIA Portal ICSA-23-103-05 Siemens SCALANCE X-200IRT Devices ICSA-23-103-06 Siemens SIPROTEC 5 Devices ICSA-23-103-07 Siemens CPCI85 Firmware of SICAM A8000 Devices ICSA-23-103-08 Siemens Mendix Forgot Password Module ICSA-23-103-09 Siemens SCALANCE XCM332 ICSA-23-103-10 Siemens Industrial Products ICSA-23-103-11 Siemens Teamcenter Visualization and JT2Go ICSA-23-103-12 Siemens Polarion ALM ICSA-23-103-13 Siemens SCALANCE Switch Families ICSA-23-103-14 Datakit CrossCAD-WARE ICSA-23-103-15 Mitsubishi Electric GOC35 Series CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
Shifting the Balance of Cybersecurity Risk: Security-by-Design and Default Principles
Apr 13, 2023
Shifting the Balance of Cybersecurity Risk: Security-by-Design and Default Principles serves as a cybersecurity roadmap for manufacturers of technology and associated products. With recommendations in this guide, manufacturers are urged to put cybersecurity first, during the design phase of a product’s development lifecycle, to decrease user risk and provide out-of-the-box user protections by default at no extra charge. This guide represents an international effort to reduce exploitable vulnerabilities in technology used by the government and private sector organizations. The authoring agencies are CISA, Federal Bureau of Investigation, National Security Agency, Australian Cyber Security Centre, Canadian Centre for Cyber Security, New Zealand’s Computer Emergency Response Team, United Kingdom’s National Cyber Security Centre, Germany’s Federal Office for Information Security (BSI), and the Netherlands’ National Cyber Security Centre. The authoring agencies recognize the contributions by many private sector partners in advancing Security-by-Design and -Default. For more information on the importance of product security, see CISA's blog article The Cost of Unsafe Technology and What We Can Do About It.
Juniper Networks Releases Security Updates
Apr 13, 2023
Juniper Networks has released security updates to address vulnerabilities affecting Junos OS, Paragon Active Assurance (PAA), and Juniper Secure Analytics (JSA) Series. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Juniper Networks’ security advisories page and apply the necessary updates.
CISA Adds Two Known Exploited Vulnerabilities to Catalog
Apr 13, 2023
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-20963 Android Framework Privilege Escalation Vulnerability CVE-2023-29492 Novi Survey Insecure Deserialization Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Fortinet Releases April 2023 Vulnerability Advisories
Apr 11, 2023
Fortinet has released its April 2023 Vulnerability Advisories to address vulnerabilities affecting multiple products. An attacker could exploit one of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Fortinet April 2023 Vulnerability Advisories page for more information and apply the necessary updates.
Microsoft Releases Guidance for the BlackLotus Campaign
Apr 11, 2023
Microsoft has released Guidance for investigating attacks using CVE-2022-21894: The BlackLotus Campaign. According to Microsoft, “[t]his guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.” An attacker could exploit this vulnerability to take control of an affected system. CISA urges users and organizations to review the Microsoft Blog Post for more information, and apply necessary detection, recovery, and prevention strategies.
Microsoft Releases April 2023 Security Updates
Apr 11, 2023
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s April 2023 Security Update Guide and Deployment Information and apply the necessary updates.
Mozilla Releases Security Advisories for Multiple Products
Apr 11, 2023
Mozilla has released security advisories for vulnerabilities affecting multiple Mozilla products. A cyber threat actor could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following advisories and apply the necessary updates: Security Vulnerabilities fixed in Firefox 112, Firefox for Android 112, Focus for Android 112 Mozilla Foundation Security Advisory 2023-13 Security Vulnerabilities fixed in Firefox ESR 102.10 Mozilla Foundation Security Advisory 2023-14 Security Vulnerabilities fixed in Thunderbird 102.10 Mozilla Foundation Security Advisory 2023-15
