Category: Agency News

CISA and FBI Publish Joint Advisory on QakBot Infrastructure

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), Identification and Disruption of QakBot Infrastructure, to help organizations detect and protect against newly identified QakBot-related activity and malware. QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally.

Originally used as a banking trojan to steal banking credentials for account compromise, QakBot—in most cases—was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network. QakBot has since grown to deploy multiple types of malware, trojans, and highly-destructive ransomware variants targeting the United States and other global infrastructures, including the Election Infrastructure Subsector, Financial Services, Emergency Services, and Commercial Facilities Sectors.

CISA and FBI urge organizations to implement the recommendations contained within the joint CSA to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections.

Leave a comment , ,

CISA Publishes JCDC Remote Monitoring and Management Systems Cyber Defense Plan

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA) published the Cyber Defense Plan for Remote Monitoring and Management (RMM), the first proactive Plan developed by industry and government partners through the Joint Cyber Defense Collaborative (JCDC) as part of our 2023 Planning Agenda. This Plan provides a clear roadmap to advance security and resilience of the RMM ecosystem and further specific lines of effort in the National Cyber Strategy to scale public-private collaboration and in the CISA Cybersecurity Strategic Plan to drive adoption of the most impactful security measures.

Organizations across sectors leverage RMM products to gain efficiencies and benefit from scalable services. These same benefits, however, are increasingly targeted by adversaries – from ransomware actors to nation-states – to compromise large numbers of downstream customer organizations. By targeting RMM products, threat actors attempt to evade detection and maintain persistent access, a technique known as living off the land.

Part of our 2023 Planning Agenda, the RMM Cyber Defense Plan provides a clear roadmap to advance security and resilience of this critical ecosystem, including RMM vendors, managed service providers (MSPs), managed security service providers (MSSPs), small and medium sized businesses (SMBs), and critical infrastructure operators. This Plan was developed through a multi-month process that leveraged deep expertise by vendors, operators, agencies, and other stakeholders, and has already resulted in a significant deliverable with publication of our joint advisory on Protecting Against Malicious Use of Remote Monitoring and Management Software.

The RMM Cyber Defense Plan is built on two foundational pillars, operational collaboration and cyber defense guidance, and contains four subordinate lines of effort:

(1) Cyber Threat and Vulnerability Information Sharing: Expand the sharing of cyber threat and vulnerability information between U.S. government and RMM ecosystem stakeholders.

(2) Enduring RMM Operational Community: Implement mechanisms for an enduring RMM operational community that will continue to mature scaled security efforts.

(3) End-User Education: Develop and enhance end-user education and cybersecurity guidance to advance adoption of strong best practices, a collaborative effort by CISA, interagency partners and other RMM ecosystem stakeholders.

(4) Amplification: Leverage available lines of communication to amplify relevant advisories and alerts within the RMM ecosystem.

“As envisioned by Congress and the Cyberspace Solarium Commission, JCDC Cyber Defense Plans are intended to bring together diverse stakeholders across the cybersecurity ecosystem to understand systemic risks and develop shared, actionable solutions. The RMM Cyber Defense Plan demonstrates the criticality of this work and the importance of both deep partnership and proactive planning in addressing systemic risks facing our country,” said Eric Goldstein,CISA Executive Assistant Director for Cybersecurity. “These planning efforts are dependent on trusted collaboration with our partners, and this Plan was a true partnership with the RMM community, industry and interagency partners that contributed time and effort towards this important work. The collaboration established to develop this plan has already achieved several accomplishments for RMM stakeholders and ecosystem. As the JCDC leads the execution of this plan, we are confident that this public-private collaboration in the RMM ecosystem will further reduce risk to our nation’s critical infrastructure.”

Leave a comment

CISA, NSA, and NIST Publish Factsheet on Quantum Readiness

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and National Institute of Standards and Technology (NIST) released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap.

CISA, NSA, and NIST urge organizations to review the joint factsheet and to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. For more information and resources related to CISA’s PQC work, visit Post-Quantum Cryptography Initiative.

Leave a comment , ,

CISA Releases Infrastructure Resilience Planning Framework Launchpoint

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA) releases the Infrastructure Resilience Planning Framework (IRPF) Launchpoint, a supplemental resource developed to help prospective users of the IRPF quickly navigate IRPF guidance and concepts based on their specific needs.

This self-appraisal tool helps users contemplate their community’s resilience goals and start developing an approach to incorporating critical infrastructure resilience into their planning activities by pointing them to specific IRPF guidance, resources, and templates that might be most relevant and valuable to them.

“The IRPF Launchpoint is a great resource created by our Resilience Services Branch that provides SLTT and regional planners with insights on how best to apply the Infrastructure Resilience Planning Framework to meet their specific needs,” said Dr. David Mussington, Executive Assistant Director for Infrastructure Security. “As one of many resilience resources within CISA, the new IRPF Launchpoint tool will guide users to specific resources they can employ in planning for infrastructure to reduce the risk of disruptions to their communities.”

Infrastructure is the backbone of communities, providing not only critical services, but also the means for health, safety, and economic growth. CISA’s IRPF provides flexible guidance for state, local, tribal, territorial, and regional planners on enhancing community resilience by addressing critical infrastructure dependencies in their existing planning efforts.

Leave a comment

CyberSentry Program Launches Webpage

Agency News, Cyber Security CII sector

It should come as no surprise that our nation’s critical infrastructure is under concerted threat from malicious cyber actors.

To illustrate, just recently, the Office of the Director of National Intelligence’s 2023 Threat Assessment stated that “China almost certainly is capable of launching cyber-attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems” and that “Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems, in the United States as well as in allied and partner countries, because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.”

Facing such a challenging threat environment, we must focus our efforts on a two-pronged strategy of defense – on driving adoption of strong cybersecurity measures, and on ensuring effective visibility into cyber threats targeting our nation’s critical infrastructure.

The second line of effort, in particular, is what I want to talk about today.

Right now, we are able to achieve a portion of this visibility by partnering with critical infrastructure organizations and cybersecurity companies, forging and maintaining crucial relationships with our partners for the betterment of our nation.

But for some of the nation’s most critical entities, we need to do more. And that leads us to CyberSentry.

We can distill down CyberSentry’s mission to this – through unique partnerships with industry, CISA is able to supply commercial detection capabilities that provide three key benefits:

- Enables the operational use of sensitive information prior to broader dissemination to the cybersecurity community

- Allows CISA’s analysts to correlate threat activity targeting multiple critical infrastructure entities and understand evolving campaigns

- Provides participating entities with access to their own CyberSentry dashboard, enabling integration into the partner’s cyber operations.

CyberSentry is governed by an agreement between CISA and voluntarily participating critical infrastructure partners. CyberSentry technology supports sensing and monitoring for information technology (IT) and operational technology (OT) networks. CyberSentry has added significant value to both CISA’s national mission and to our partners’ enterprise cybersecurity efforts.

Recent successes include:

- Infected OT Equipment: CyberSentry discovered an infection on a partner’s Human Machine Interface (HMI) equipment that had not been properly patched and secured. CISA analysts quickly notified the partner about the issue and offered guidance on preventive techniques for the future.

- Unintentional Exposure: CyberSentry tools spotted cleartext authentication occurring on a partner’s network, and further investigation revealed that a misconfiguration had caused the issue. A detailed report was provided to the partner, including specific guidance on remediating the situation.

- Private Sector Coordination: During the Colonial Pipeline disruption, CISA analysts coordinated closely with its pipeline partners to share information and monitor for adversary activity.

- SolarWinds Response: CyberSentry data helped to quickly identify partners affected by the SolarWinds supply chain compromise. All impacted partners were notified, and the program worked closely and expediently with these partners to confirm remediation of the threat.

- Identification of Malicious Activity: On multiple occasions, CISA analysts identified possible malicious activity at partner sites and worked with affected partners to identify the root causes of activity.

- Malware Discovery: CyberSentry tools quickly discovered and identified malware in a partner’s IT network. Working with the partner, CISA analysts were able to locate the infected device so the partner could remove it from the network and verify that the threat was contained.

- Attacker Exfiltration Detected: CyberSentry discovered that an attacker was actively exfiltrating information. CyberSentry worked with the partner to identify information that had been exfiltrated. After conferring with CyberSentry analysts, the partner was able to isolate infected systems that same evening, eliminating the threat.

CISA is looking to partner with a select number of additional Critical Infrastructure organizations who operate systems supporting National Critical Functions – functions so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on our Nation.

As malicious cyber activity continues to evolve, and nation state actors continue to aggressively target National Critical Functions, CyberSentry’s capabilities and critical partnerships directly enhance CISA’s goal of a stronger collective defense for our Nation.

For more information visit our CyberSentry webpage.

Author: Jermaine Roebuck, Associate Director for Threat Hunting

Leave a comment

Ransomware Accounts for 54% of Cybersecurity Threats

Agency News, Cyber Security CII sector, Health & Social Care, Industry News

The European Union Agency for Cybersecurity (ENISA) released its first cyber threat landscape for the health sector. The report found that ransomware accounts for 54% of cybersecurity threats in the health sector.

The comprehensive analysis maps and studies cyberattacks, identifying prime threats, actors, impacts, and trends for a period of over 2 years, providing valuable insights for the healthcare community and policy makers. The analysis is based on a total of 215 publicly reported incidents in the EU and neighbouring countries.

Executive Director of the European Union Agency for Cybersecurity (ENISA), Juhan Lepassaar, said: “A high common level of cybersecurity for the healthcare sector in the EU is essential to ensure health organisations can operate in the safest way. The rise of the covid-19 pandemic showed us how we critically depend on health systems. What I consider as a wake-up call confirmed we need to get a clear view of the risks, the attack surface and the vulnerabilities specific to the sector. Access to incident reporting data must therefore be facilitated to better visualise and comprehend our cyber threat environment and identify the appropriate mitigation measures we need to implement.”

The findings

The report reveals a concerning reality of the challenges faced by the EU health sector during the reporting period.

- Widespread incidents. The European health sector experienced a significant number of incidents, with healthcare providers accounting for 53% of the total incidents. Hospitals, in particular, bore the brunt, with 42% of incidents reported. Additionally, health authorities, bodies and agencies (14%), and the pharmaceutical industry (9%) were targeted.
- Ransomware and data breaches. Ransomware emerged as one of the primary threats in the health sector (54% of incidents). This trend is seen as likely to continue. Only 27% of surveyed organisations in the health sector have a dedicated ransomware defence programme. Driven by financial gain, cybercriminals extort both health organisations and patients, threatening to disclose data, personal or sensitive in nature. Patient data, including electronic health records, were the most targeted assets (30%). Alarmingly, nearly half of all incidents (46%) aimed to steal or leak health organisations' data.
- Impact and lessons learned by the COVID-19 Pandemic. It is essential to note that the reporting period coincided with a significant portion of the COVID-19 pandemic era, during which the healthcare sector became a prime target for attackers. Financially motivated threat actors, driven by the value of patient data, were responsible for the majority of attacks (53%). The pandemic saw multiple instances of data leakage from COVID-19-related systems and testing laboratories in various EU countries. Insiders and poor security practices, including misconfigurations, were identified as primary causes of these leaks. The incidents serve as a stark reminder of the importance of robust cybersecurity practices, particularly in times of urgent operational needs.
- Vulnerabilities in Healthcare Systems. Attacks on healthcare supply chains and service providers resulted in disruptions or losses to health organisations (7%). Such types of attacks are expected to remain significant in the future, given the risks posed by vulnerabilities in healthcare systems and medical devices. A recent study by ENISA revealed that healthcare organisations reported the highest number of security incidents related to vulnerabilities in software or hardware, with 80% of respondents citing vulnerabilities as the cause of more than 61% of their security incidents.
- Geopolitical Developments and DDoS Attacks. Geopolitical developments and hacktivist activity led to a surge in Distributed Denial of Service (DDoS) attacks by pro-Russian hacktivist groups against hospitals and health authorities in early 2023, accounting for 9% of total incidents. While this trend is expected to continue, the actual impact of these attacks remains relatively low.
- The incidents examined in the report had significant consequences for health organisations, primarily resulting in breaches or theft of data (43%) disrupted healthcare services (22%) and disrupted services not related to healthcare (26%). The report also highlights the financial losses incurred, with the median cost of a major security incident in the health sector estimated at €300,000 according to the ENISA NIS Investment 2022 study.
- Patient safety emerges as a paramount concern for the health community, given potential delays in triage and treatment caused by cyber incidents.

New report from the NIS Cooperation Group

The NIS Cooperation Group releases today its report on “Threats and risk management in the health sector – Under the NIS Directive”. As a first assessment on the measures currently in place, the study sheds light on the different cybersecurity challenges in risk mitigation faced by the EU health sector. Together with relevant threat taxonomies and cyber incident data, the report discloses business continuity and mitigation recommendations to limit the likelihood and impacts of a cyber related incident.

Leave a comment , , ,

UK cyber chief: "AI should be developed with security at its core"

Agency News, Cyber Security CII sector, Industry News

SECURITY must be the primary consideration for developers of artificial intelligence (AI) in order to prevent designing systems that are vulnerable to attack, the head of the UK’s cyber security agency (NCSC) has today warned.

In a major speech, Lindy Cameron highlighted the importance of security being baked into AI systems as they are developed and not as an afterthought. She also emphasised the actions that need to be taken by developers to protect individuals, businesses, and the wider economy from inadequately secure products.

Her comments were delivered to an audience at the influential Chatham House Cyber 2023 conference, which sees leading experts gather to discuss the role of cyber security in the global economy and the collaboration required to deliver an open and secure internet.

She said:

“We cannot rely on our ability to retro-fit security into the technology in the years to come nor expect individual users to solely carry the burden of risk. We have to build in security as a core requirement as we develop the technology.

“Like our US counterparts and all of the Five Eyes security alliance, we advocate a ‘secure by design’ approach where vendors take more responsibility for embedding cyber security into their technologies, and their supply chains, from the outset. This will help society and organisations realise the benefits of AI advances but also help to build trust that AI is safe and secure to use.

“We know, from experience, that security can often be a secondary consideration when the pace of development is high.

“AI developers must predict possible attacks and identify ways to mitigate them. Failure to do so will risk designing vulnerabilities into future AI systems.”

The UK is a global leader in AI and has an AI sector that contributes £3.7 billion to the economy and employs 50,000 people. It will host the first ever summit on global AI Safety later this year to drive targeted, rapid, international action to develop the international guardrails needed for safe and responsible development of AI.

Reflecting on the National Cyber Security Centre’s role in helping to secure advancements in AI, she highlighted three key themes that her organisation is focused on. The first of these is to support organisations to understand the associated threats and how to mitigate against them. She said:

“It’s vital that people and organisations using these technologies understand the cyber security risks – many of which are novel.

“For example, machine learning creates an entirely new category of attack: adversarial attacks. As machine learning is so heavily reliant on the data used for the training, if that data is manipulated, it creates potential for certain inputs to result in unintended behaviour, which adversaries can then exploit.

“And LLMs pose entirely different challenges. For example - an organisation's intellectual property or sensitive data may be at risk if their staff start submitting confidential information into LLM prompts.”

The second key theme Ms Cameron discussed was the need to maximise the benefits of AI to the cyber defence community. On the third, she emphasised the importance of understanding how our adversaries – whether they are hostile states or cyber criminals – are using AI and how they can be disrupted. She said:

“We can be in no doubt that our adversaries will be seeking to exploit this new technology to enhance and advance their existing tradecraft.

“LLMs also present a significant opportunity for states and cyber criminals too. They lower barriers to entry for some attacks. For example, they make writing convincing spear-phishing emails much easier for foreign nationals without strong linguistic skills.”

Leave a comment , ,

ESF Members NSA and CISA Publish Second Industry Paper on 5G Network Slicing

Agency News, Cyber Security CII sector, Industry News, Telecomms sector

Enduring Security Framework (ESF) partners the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) published an assessment of 5G network slicing. ESF, a public-private cross-sector working group led by NSA and CISA, identifies three keys for keeping this emerging technology secure: Security Consideration for Design, Deployment, and Maintenance.

“This document marks an initial stride in capturing the current, but evolving, landscape of network slicing, and serves as a catalyst for initiating meaningful conversations surrounding the potential use cases for network slicing,” said Lauren Wyble, Technical Director for Network Infrastructure Security at NSA.

5G is a fifth-generation technology standard for broadband cellular networks; it can provide increased data download and upload speeds, lower latency, and allow more devices to connect to the internet at the same time. 5G network slicing is a network architecture which allows mobile service providers to divide their network up into several independent ones in order to create specific virtual networks that cater to different clients and use cases. Today’s release builds upon threat and security considerations previously published by the ESF.

The assessment intends to provide an informed methodology and a mutual understanding with industry for “federal departments and agencies (inclusive of the DoD)” to design, deploy, operate, and maintain “secure network slicing” across private, hybrid, and public networks.

This paper introduces 5G stakeholders to the benefits associated with network slicing, assesses 5G network slicing threat vectors, presents guidance in line with industry best practices, and identifies perceived risks and management strategies that may address those risks.

Although all 5G network stakeholders can benefit from this guidance, the threat and security considerations discussed in this assessment are intended for mobile service providers, hardware manufacturers, software developers, and system integrators that design, deploy, operate, or maintain 5G networks. This document aims to foster communication among these parties, and between them and network slice customers. See the other documents in the ESF 5G series below:

- Potential Threats to 5G Network Slicing
- Potential Threat Vectors to 5G Infrastructure
- Security Guidance for 5G Cloud Infrastructures: Prevent and Detect Lateral Movement (Part I)
- Security Guidance for 5G Cloud Infrastructures: Securely Isolate Network Resources (Part II)
- Security Guidance for 5G Cloud Infrastructures: Data Protection (Part III)
- Security Guidance for 5G Cloud Infrastructures: Ensure Integrity of Cloud Infrastructure (Part IV)
- Open Radio Access Network Security Considerations

Leave a comment , ,

Launching and Implementing the National Cybersecurity Strategy

Agency News, Cyber Security CII sector, Industry News

Federal agency information systems and national critical infrastructure are vulnerable to cyberattacks.

The fiscal year 2021 national defense authorization act established the Office of the National Cyber Director (ONCD) and the Senate confirmed a National Cyber Director in June 2021 to serve as the principal advisor to the President on cybersecurity policy and strategy. In March 2023, the White House issued the National Cybersecurity Strategy, describing five pillars supporting the nation's cybersecurity:

- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships

In April 2023, GAO reported that the goals and strategic objectives included in the document provide a good foundation for establishing a more comprehensive strategy. Specifically, the strategy fully addressed three of six desirable characteristics of a national strategy. However, it only partially addressed the remaining three. These include

- goals, subordinate objectives, activities, and performance measures;
- resources, investments, and risk management; and
- organizational roles, responsibilities, and coordination.

ONCD stated it plans to work with federal agencies to develop a plan to implement the strategy, including milestones or performance measures, and to identify budget priorities. It is critical that these details be issued expeditiously so agencies can begin planning and allocating resources to properly execute the strategy. Until the federal government issues the implementation plan and ensures its strategy documents fully address the desirable characteristics of a national strategy, the nation will lack a clear roadmap for overcoming its cyber challenges.

Additionally, the newly established National Cyber Director position has been vacant since the Director resigned in February 2023. As of July 2023, an acting official continues to carry out the duties. This vacancy leaves unfilled a key leadership role needed to coordinate federal efforts to address cybersecurity threats and challenges. Further, sustained leadership in this position is essential to ensuring strategy execution and accountability.
Why GAO Did This Study

Federal agencies and our nation's critical infrastructure—such as energy, transportation, communications, and financial services—rely on information systems to carry out fundamental operations. Because of the increasing threats to federal information systems, critical infrastructure, and the privacy of personally identifiable information, GAO has designated ensuring the nation's cybersecurity as a government-wide high risk issue. This designation emphasizes the urgency with which the federal government needs to undertake efforts to address the nation's cybersecurity challenges. Accordingly, Congress established the Office of the National Cyber Director in the White House with the authority to implement and encourage action in support of the nation's cybersecurity. One of this office's responsibilities is developing and implementing a comprehensive national strategy to address cybersecurity threats and challenges. This product summarizes recent GAO reports that assessed the federal government's efforts to establish a national cybersecurity strategy and plans for implementing it.

This Snapshot covers the status of the National Cybersecurity Strategy. The strategy's goals and strategic objectives provide a good foundation, but the Administration needs to establish specific objectives and performance measures, resource requirements, and roles and responsibilities.

It will be difficult to implement the strategy when the specific details have yet to be issued. The continued vacancy in the role of National Cyber Director is also a challenge.

Leave a comment ,

CISA and Partners Release Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), Increased Truebot Activity Infects U.S. and Canada Based Networks, to help organizations detect and protect against newly identified Truebot malware variants. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the four organizations assess cyber threat actors leveraged the malware through phishing campaigns containing malicious redirect hyperlinks.

Additionally, newer versions of Truebot malware allow malicious actors to gain initial access by exploiting a known vulnerability with Netwrix Auditor application (CVE-2022-31199). As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organizations in the U.S. and Canada.

CISA, FBI, MS-ISAC, and the CCCS encourage all organizations to review this joint advisory and implement the recommended mitigations contained therein—including applying patches to CVE-2022-31199, to reduce the likelihood and impact of Truebot activity, as well as other ransomware related incidents.

Leave a comment , , , , , ,
1 9 10 11 12 13 44