US CERT Current Activity
CISA Releases Security Advisory for Philips Vue PAC Products
Jul 6, 2021
Original release date: July 6, 2021CISA has released an Industrial Controls Systems (ICS) Medical Advisory detailing multiple vulnerabilities in multiple Philips Clinical Collaboration Platform Portal (officially registered as Vue PACS) products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the ICS medical advisory ICSMA-21-187-01 Philips Vue PACS and to apply the necessary updates or workarounds. This product is provided subject to this Notification and this Privacy & Use policy.
CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack
Jul 4, 2021
Original release date: July 4, 2021CISA and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. CISA and FBI strongly urge affected MSPs and their customers to follow the guidance below. CISA and FBI recommend affected MSPs: Contact Kaseya at support@kaseya.com with the subject “Compromise Detection Tool Request” to obtain and run Kaseya's Compromise Detection Tool available to Kaseya VSA customers. The tool is designed to help MSPs assess the status of their systems and their customers' systems. Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services. Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network. CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: these actions are especially important for MSP customer who do not currently have their RMM service running due to the Kaseya attack. CISA and FBI recommend affected MSP customers: Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network; Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available; Implement: Multi-factor authentication; and Principle of least privilege on key network resources admin accounts. Resources: CISA and FBI provide these resources for the reader’s awareness. CISA and FBI do not endorse any non-governmental entities nor guarantee the accuracy of the linked resources. For the latest guidance from Kaseya, see Kaseya's Important Notice July 3rd, 2021. For indicators of compromise, see Peter Lowe's GitHub page REvil Kaseya CnC Domains. Note: due to the urgency to share this information, CISA and FBI have not yet validated this content. For guidance specific to this incident from the cybersecurity community, see Cado Security's GitHub page, Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack. Note: due to the urgency to share this information, CISA and FBI have not yet validated this content. For advice from the cybersecurity community on securing against MSP ransomware attacks, see Gavin Stone's article, How secure is your RMM, and what can you do to better secure it?. For general incident response guidance, CISA encourages users and administrators to see Joint Cybersecurity Advisory AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity. This product is provided subject to this Notification and this Privacy & Use policy.
Kaseya VSA Supply-Chain Ransomware Attack
Jul 2, 2021
Original release date: July 2, 2021CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software. CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shutdown VSA servers. This product is provided subject to this Notification and this Privacy & Use policy.
NSA-CISA-NCSC-FBI Joint Cybersecurity Advisory on Russian GRU Brute Force Campaign
Jul 1, 2021
Original release date: July 1, 2021The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC) have released Joint Cybersecurity Advisory (CSA): Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. The CSA provides details on the campaign, which is being conducted by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). The campaign uses a Kubernetes® cluster in brute force access attempts against the enterprise and cloud environments of government and private sector targets worldwide. After obtaining credentials via brute force, the GTsSS uses a variety of known vulnerabilities for further network access via remote code execution and lateral movement. CISA strongly encourages users and administrators to review the Joint CSA for GTSS tactics, techniques, and procedures, as well as mitigation strategies. This product is provided subject to this Notification and this Privacy & Use policy.
PrintNightmare, Critical Windows Print Spooler Vulnerability
Jun 30, 2021
Original release date: June 30, 2021The CERT Coordination Center (CERT/CC) has released a VulNote for a critical remote code execution vulnerability in the Windows Print spooler service, noting: “while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675.” An attacker can exploit this vulnerability—nicknamed PrintNightmare—to take control of an affected system. CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print. Additionally, administrators should employ the following best practice from Microsoft’s how-to guides, published January 11, 2021: “Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object.” This product is provided subject to this Notification and this Privacy & Use policy.
CISA’s CSET Tool Sets Sights on Ransomware Threat
Jun 30, 2021
Original release date: June 30, 2021CISA has released a new module in its Cyber Security Evaluation Tool (CSET): the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate their cybersecurity practices on their networks. CSET—applicable to both information technology (IT) and industrial control system (ICS) networks—enables users to perform a comprehensive evaluation of their cybersecurity posture using many recognized government and industry standards and recommendations. The RRA is a self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident. CISA has tailored the RRA to varying levels of ransomware threat readiness to make it useful to all organizations regardless of their current cybersecurity maturity. The RRA: Helps organizations evaluate their cybersecurity posture, with respect to ransomware, against recognized standards and best practice recommendations in a systematic, disciplined, and repeatable manner. Guides asset owners and operators through a systematic process to evaluate their operational technology (OT) and information technology (IT) network security practices against the ransomware threat. Provides an analysis dashboard with graphs and tables that present the assessment results in both summary and detailed form. CISA strongly encourages all organizations to take the CSET Ransomware Readiness Assessment, available at https://github.com/cisagov/cset/. This product is provided subject to this Notification and this Privacy & Use policy.
CISA Begins Cataloging Bad Practices that Increase Cyber Risk
Jun 29, 2021
Original release date: June 29, 2021In a blog post by Executive Assistant Director (EAD) Eric Goldstein, CISA announced the creation of a catalog to document bad cybersecurity practices that are exceptionally risky for any organization and especially dangerous for those supporting designated Critical Infrastructure or National Critical Functions. While extensive guidance on cybersecurity “best practices” exists, additional perspective is needed. Ending the most egregious risks requires organizations to make a concerted effort to stop bad practices. CISA encourages cybersecurity leaders and professionals to review EAD Goldstein’s blog post and the new Bad Practices webpage and to monitor the webpage for updates. CISA also encourages all organizations to engage in the necessary actions and critical conversations to address bad practices. This product is provided subject to this Notification and this Privacy & Use policy.
Citrix Releases Security Updates for Hypervisor
Jun 25, 2021
Original release date: June 25, 2021Citrix has released security updates to address vulnerabilities in Hypervisor. An attacker could exploit these vulnerabilities to cause a denial-of-service condition. CISA encourages users and administrators to review Citrix Security Update CTX316325 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
VMware Releases Security Updates
Jun 23, 2021
Original release date: June 23, 2021VMware has released security updates to address vulnerabilities in the VMware Carbon Black App Control management server as well as VMware Tools for Windows, VMware Remote Console for Windows, and VMware App Volumes. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review VMware Security Advisory Advisories VMSA-2021-0012 and VMSA-2021-0013 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
Google Releases Security Updates for Chrome
Jun 18, 2021
Original release date: June 18, 2021Google has released Chrome version 91.0.4472.114 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities—CVE-2021-30554—has been detected in exploits in the wild. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
Cisco Releases Security Updates for Multiple Products
Jun 17, 2021
Original release date: June 17, 2021Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates: Cisco Email Security Appliance and Cisco Web Security Appliance Certificate Validation Vulnerability cisco-sa-esa-wsa-cert-vali-n8L97RW Cisco DNA Center Certificate Validation Vulnerability cisco-sa-dnac-certvalid-USEj2CZk Cisco Small Business 220 Series Smart Switches Vulnerabilities cisco-sa-ciscosb-multivulns-Wwyb7s5E Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability cisco-sa-anyconnect-pos-dll-ff8j6dFv Cisco Meeting Server API Denial of Service Vulnerability cisco-sa-meetingserver-dos-NzVWMMQT Cisco Jabber Desktop and Mobile Client Software Vulnerabilities cisco-sa-jabber-GuC5mLwG Cisco Unified Intelligence Center Reflected Cross-Site Scripting Vulnerability cisco-sa-cuic-xss-csHUdtrL Cisco AnyConnect Secure Mobility Client for Windows Denial of Service Vulnerability cisco-sa-anyconnect-dos-hMhyDfb8 Cisco Jabber and Webex Client Software Shared File Manipulation Vulnerability cisco-sa-webex-teams-7ZMcXG99 This product is provided subject to this Notification and this Privacy & Use policy.
Apple Releases Security Updates for iOS 12.5.4
Jun 15, 2021
Original release date: June 15, 2021Apple has released security updates to address vulnerabilities in iOS 12.5.4. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Apple security update and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
CISA Releases Advisory on ZOLL Defibrillator Dashboard
Jun 14, 2021
Original release date: June 14, 2021CISA has released an Industrial Controls Systems (ICS) Medical Advisory on multiple vulnerabilities in the ZOLL Defibrillator Dashboard. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the ICS Medical Advisory ICSMA-21-161-01 and apply the recommended mitigations. This product is provided subject to this Notification and this Privacy & Use policy.
Google Releases Security Updates for Chrome
Jun 10, 2021
Original release date: June 10, 2021Google has released Chrome version 91.0.4472.101 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities—CVE-2021-30551—has been detected in exploits in the wild. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
CISA Addresses the Rise in Ransomware Targeting Operational Technology Assets
Jun 9, 2021
Original release date: June 9, 2021CISA has published the Rising Ransomware Threat to OT Assets fact sheet in response to the recent increase in ransomware attacks targeting operational technology (OT) assets and control systems. The guidance: provides steps to prepare for, mitigate against, and respond to attacks; details how the dependencies between an entity’s IT and OT systems can provide a path for attackers; and explains how to reduce the risk of severe business degradation if affected by ransomware. CISA encourages critical infrastructure (CI) owners and operators to review the Rising Ransomware Threat to OT Assets fact sheet as well as CISA’s Ransomware webpage to help them in reducing their CI entity’s vulnerability to ransomware. This product is provided subject to this Notification and this Privacy & Use policy.
SAP Releases June 2021 Security Updates
Jun 8, 2021
Original release date: June 8, 2021SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the SAP Security Notes for June 2021 and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
Adobe Releases Security Updates for Multiple Products
Jun 8, 2021
Original release date: June 8, 2021Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Adobe’s Security Bulletins and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
Microsoft Releases June 2021 Security Updates
Jun 8, 2021
Original release date: June 8, 2021Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s June 2021 Security Update Summary and Deployment Information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
Unpatched VMware vCenter Software
Jun 4, 2021
Original release date: June 4, 2021CISA is aware of the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system. CISA encourages users and administrators to review VMware’s VMSA-2021-010, blogpost, and FAQ for more information about the vulnerability and apply the necessary updates as soon as possible, even if out-of-cycle work is required. If an organization cannot immediately apply the updates, then apply the workarounds in the interim. This product is provided subject to this Notification and this Privacy & Use policy.
Cisco Releases Security Updates for Multiple Products
Jun 3, 2021
Original release date: June 3, 2021Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates: Cisco Webex Network Recording Player and Webex Player Memory Corruption Vulnerability cisco-sa-webex-player-rCFDeVj2 Cisco Webex Player Memory Corruption Vulnerability cisco-sa-webex-player-kOf8zVT Cisco Webex Network Recording Player and Webex Player Memory Corruption Vulnerability cisco-sa-webex-player-dOJ2jOJ Cisco SD-WAN Software Privilege Escalation Vulnerability cisco-sa-sd-wan-fuErCWwF Cisco ASR 5000 Series Software Authorization Bypass Vulnerabilities cisco-sa-asr5k-autho-bypass-mJDF5S7n This product is provided subject to this Notification and this Privacy & Use policy.
