US CERT Current Activity
CISA Releases Two Industrial Control Systems Advisories
Aug 15, 2023
CISA released two Industrial Control Systems (ICS) advisories on August 15, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-227-01 Schneider Electric EcoStruxure Control Expert, Process Expert, Modicon ICSA-23-227-02 Rockwell Automation Armor PowerFlex CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
CISA Releases Twelve Industrial Control Systems Advisories
Aug 10, 2023
CISA released twelve Industrial Control Systems (ICS) advisories on August 10, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-222-01 Siemens Solid Edge, JT2Go and Teamcenter Visualization ICSA-23-222-02 Siemens Parasolid Installer ICSA-23-222-03 Siemens JT Open, JT Utilities, and Parasolid ICSA-23-222-04 Siemens Software Center ICSA-23-222-05 Siemens RUGGEDCOM CROSSBOW ICSA-23-222-06 Siemens Parasolid and Teamcenter Visualization ICSA-22-222-07 Siemens Address Processing in SIMATIC ICSA-23-222-08 Resource Allocation in Siemens RUGGEDCOM ICSA-23-222-09 Siemens OpenSSL RSA Decryption in SIMATIC ICSA-23-222-10 Siemens SICAM TOOLBOX II ICSA-23-222-11 Siemens Solid Edge SE2023 ICSA-23-222-12 Network Mirroring in Siemens RUGGEDCOM CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
CISA Adds One Known Exploited Vulnerability to Catalog
Aug 9, 2023
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-38180 Microsoft .NET Core and Visual Studio Denial of Service Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Adobe Releases Security Updates for Multiple Products
Aug 8, 2023
Adobe has released security updates to address multiple vulnerabilities in Adobe software. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates. Adobe Acrobat and Reader: APSB23-30 Adobe Commerce: APSB23-42 Adobe Dimension: APSB23-44 Adobe XMP Toolkit SDK: APSB23-45
CISA Releases Two Industrial Control Systems Advisories
Aug 8, 2023
CISA released two Industrial Control Systems (ICS) advisories on August 8, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-220-01 Schneider Electric IGSS ICSA-23-220-02 Hitachi Energy RTU500 series CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
Fortinet Releases Security Update for FortiOS
Aug 8, 2023
Fortinet has released a security update to address a vulnerability (CVE-2023-29182) affecting FortiOS. A remote attacker can exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the Fortinet security release [FG-IR-23-149] and apply the necessary updates.
Microsoft Releases August 2023 Security Updates
Aug 8, 2023
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s August 2023 Security Update Guide and apply the necessary updates.
CISA Adds One Known Exploited Vulnerability to Catalog
Aug 7, 2023
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2017-18368 Zyxel P660HN-T1A Routers Command Injection Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Releases its Cybersecurity Strategic Plan
Aug 4, 2023
Today, CISA released a strategic plan to lay out how we will fulfill our cybersecurity mission over the next three years. The CISA Cybersecurity Strategic Plan aligns the following nine objectives to specific enabling measures and measures of effectiveness to drive accountability: Increase visibility into, and ability to disrupt, cybersecurity threats and campaigns Coordinate disclosure of, hunt for, and drive mitigation of critical and exploitable vulnerabilities Plan for, exercise, and execute joint cyber defense operations and coordinate the response to significant cybersecurity incidents Understand how attacks really occur—and how to stop them Drive implementation of measurably effective cybersecurity investments Provide cybersecurity capabilities and services that fill gaps and help measure progress Drive development of trustworthy technology products Understand and reduce cybersecurity risks posed by emergent technologies Contribute to efforts to build a national cyber workforce Learn more about CISA’s Cybersecurity Strategic Plan at https://www.cisa.gov/cybersecurity-strategic-plan.
CISA Releases Five Industrial Control Systems Advisories
Aug 3, 2023
CISA released five Industrial Control Systems (ICS) advisories on August 3, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-215-01 Mitsubishi Electric GOT2000 and GOT SIMPLE ICSA-23-215-02 Mitsubishi Electric GT and GOT Series Products ICSA-23-215-03 TEL-STER TelWin SCADA WebInterface ICSA-23-215-04 Sensormatic Electronics VideoEdge ICSA-23-208-03 Mitsubishi Electric CNC Series CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
CISA, NSA, FBI, and International Partners Release Joint CSA on Top Routinely Exploited Vulnerabilities of 2022
Aug 3, 2023
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners are releasing a joint Cybersecurity Advisory (CSA), 2022 Top Routinely Exploited Vulnerabilities. This advisory provides details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2022, and the associated Common Weakness Enumeration(s) (CWE), to help organizations better understand the impact exploitation could have on their systems. International partners include: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), New Zealand Computer Emergency Response Team (CERT-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the United Kingdom’s National Cyber Security Centre (NCSC-UK). The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory provides vendors, designers, and developers recommendations on implementing secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations’ recommendations to reduce the risk of compromise by malicious cyber actors. Organizations should share information about incidents and unusual cyber activity with their respective cybersecurity authorities because when cyber incidents are reported quickly, it can contribute to stopping further attacks. In the U.S., organizations should inform CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870, or an FBI field office.
Mozilla Releases Security Updates for Firefox and Firefox ESR
Aug 2, 2023
Mozilla has released security updates to address vulnerabilities for Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Mozilla’s security advisories for Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14 for more information and apply the necessary updates.
CISA and International Partner NCSC-NO Release Joint Cybersecurity Advisory on Threat Actors Exploiting Ivanti EPMM Vulnerabilities
Aug 1, 2023
The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA), Threat Actors Exploiting Ivanti EPMM Vulnerabilities, in response to the active exploitation of CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells. In July 2023, NCSC-NO became aware of advanced persistent threat (APT) actors exploiting a zero-day vulnerability in Ivanti EPMM, formerly known as MobileIron Core, to target a Norwegian government network. CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because threat actors, including APT actors, have previously exploited a MobileIron vulnerability. Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023. CISA and NCSC-NO recommend administrators use the CISA developed nuclei templates to determine if their system has these vulnerabilities and use the NCSC-NO developed checklist to identify signs of compromise. All organizations are urged to review Threat Actors Exploiting Ivanti EPMM Vulnerabilities and implement its recommended actions and mitigations.
CISA Releases One Industrial Control Systems Advisory
Aug 1, 2023
CISA released one Industrial Control Systems (ICS) advisory on August 1, 2023. This advisory provides timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-213-01 APSystems Altenergy Power Control CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations.
CISA Adds One Known Exploited Vulnerability to Catalog
Jul 31, 2023
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-35081 Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Releases Malware Analysis Reports on Barracuda Backdoors
Jul 28, 2023
CISA has published three malware analysis reports on malware variants associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. It was exploited as a zero day as early as October 2022 to gain access to ESG appliances. According to industry reporting, the actors exploited the vulnerability to gain initial access to victim systems and then implanted backdoors to establish and maintain persistence. CISA analyzed backdoor malware variants obtained from an organization that had been compromised by threat actors exploiting the vulnerability. Barracuda Exploit Payload and Backdoor – The payload exploits CVE-2023-2868, leading to dropping and execution of a reverse shell backdoor on ESG appliance. The reverse shell establishes communication with the threat actor’s command and control (C2) server, from where it downloads the SEASPY backdoor to the ESG appliance. The actors delivered the payload to the victim via a phishing email with a malicious attachment. SEASPY – SEASPY is a persistent and passive backdoor that masquerades as a legitimate Barracuda service. SEASPY monitors traffic from the actor’s C2 server. When the right packet sequence is captured, it establishes a Transmission Control Protocol (TCP) reverse shell to the C2 server. The shell allows the threat actors to execute arbitrary commands on the ESG appliance. SUBMARINE – SUBMARINE is a novel persistent backdoor executed with root privileges that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts—including a SQL trigger, shell scripts, and a loaded library for a Linux daemon—that together enable execution with root privileges, persistence, command and control, and cleanup. CISA also analyzed artifacts related to SUBMARINE that contained the contents of the compromised SQL database. This malware poses a severe threat for lateral movement. For more information, including indicators of compromise and YARA rules for detection, on the exploit payload, SEASPY, and SUBMARINE backdoor, see the following Malware Analysis Reports: Exploit Payload Backdoor MAR-10454006-r3.v1.CLEAR SEASPY Backdoor MAR-10454006-r2.v1.CLEAR SUBMARINE Backdoor MAR-10454006-r1.v2.CLEAR For more information on CVE-2023-2868 see, Barracuda’s page Barracuda Email Security Gateway Appliance (ESG) Vulnerability and Mandiant’s blogpost Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor. To report suspicious or criminal activity related to information found in these malware analysis reports, contact CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.
Ivanti Releases Security Updates for EPMM to address CVE-2023-35081
Jul 28, 2023
Ivanti has identified and released patches for a directory traversal vulnerability (CVE-2023-35081, CWE-22) in Ivanti Endpoint Manager Mobile (EPMM). This vulnerability allows an attacker with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. The attacker could then execute the uploaded file, for example, a web shell. To gain EPMM administrator privileges, the attacker could exploit CVE-2023-35078 on an unpatched system. Ivanti reports active exploitation of both CVE-2023-35081 and CVE-2023-35078. This vulnerability affects supported EPMM versions 11.10, 11.9, and 11.8. Older, unsupported versions are also affected. CISA urges users and organizations to patch both CVE-2023-35081 and CVE-2023-35078. Patches for CVE-2023-35081 also include patches for CVE-2023-35078 (refer to our prior alert.)
CISA and Partners Release Joint Cybersecurity Advisory on Preventing Web Application Access Control Abuse
Jul 27, 2023
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) are releasing a joint Cybersecurity Advisory (CSA), Preventing Web Application Access Control Abuse, to warn vendors, designers, developers, and end-user organizations of web applications about insecure direct object reference (IDOR) vulnerabilities. These vulnerabilities are frequently exploited by malicious actors in data breach incidents and have resulted in the compromise of personal, financial, and health information of millions of users and consumers. ACSC, CISA, and NSA strongly encourage vendors, designers, developers, and end-user organizations to review the CSA, Preventing Web Application Access Control Abuse, for best practices, recommendations, and mitigations to reduce the prevalence of IDOR vulnerabilities and ensure web applications are secure-by-design and -default. To report or share information on incidents and unusual activity, contact CISA at report to CISA or our 24/7 Operations Center at report@cisa.gov or (888) 282-0870.
CISA Releases Five Industrial Control Systems Advisories
Jul 27, 2023
CISA released five Industrial Control Systems (ICS) advisories on July 27, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-208-01 ETIC Telecom RAS Authentication ICSA-23-208-02 PTC KEPServerEX ICSA-23-208-03 Mitsubishi Electric CNC Series ICSA-22-307-01 ETIC RAS (Update A) ICSA-22-172-01 Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update B) CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
CISA Adds One Known Exploited Vulnerability to Catalog
Jul 26, 2023
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-38606 Apple Multiple Products Kernel Unspecified Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
