CISA releases new 5G paper with NSAcyber and ODNIgov: Potential Threat Vectors to 5G Infrastructure

Securing Critical Infrastructure operations means ensuring cybersecurity practices are incorporated within 5G.
The deployment of 5G has begun, and with it, a wealth of benefits that has the potential to impact every aspect of our lives and work. With faster connectivity, ultra-low latency, greater network capacity, 5G will redefine the operations of critical infrastructure activities from the plant floor to the cloud. It will enable large-scale connections, capabilities, and services that can pave the way for smart cities, remote surgery, autonomous vehicles, and other emergent technologies. However, these capabilities also make 5G networks an attractive target for criminals and foreign adversaries to exploit for valuable information and intelligence and even global disruption.
To secure the full scope of 5G use cases, it is critical that strong cybersecurity practices are incorporated within the design and development of 5G technology. In March 2020, the White House developed the National Strategy to Secure 5G, which outlines how the Nation will safeguard 5G infrastructure domestically and abroad. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and the Office of the Director of National Intelligence, as part of the Enduring Security Framework (ESF)—a cross-sector, public-private working group—initiated an assessment of the cybersecurity and vulnerabilities to 5G infrastructure. The ESF established the 5G Threat Model Working Panel which developed this paper, Potential Threat Vectors to 5G Infrastructure, to enhance understanding of the threats posed to 5G adoption.
The Working Panel reviewed existing bodies of public and private research and analysis to identify and generate an aggregated list of known and potential threats to the 5G environment. From that list, they identified three primary threat vector areas—Policy and Standards, Supply Chain, and 5G Systems Architecture—and within these threat vectors, 11 sub-threats were identified as additional points of vulnerability for threat actors to exploit (e.g., open standards, counterfeit parts, and multi-access edge computing). This paper represents the beginning of the Working Panel’s thinking on the types of risks introduced by 5G adoption in the United States, and not the culmination of it.
With the promise of connectivity between billions of Internet of Things (IoT) devices, it is critical that government and industry collaborate to ensure that cybersecurity is prioritized within the design and development of 5G technology.
https://www.cisa.gov/publication/5g-potential-threat-vectors

US and UK agencies release cybersecurity advisory on recently modified tactics by Russian intelligence agency

The FBI, National Security Agency and Cybersecurity and Infrastructure Security Agency collaborated with the United Kingdom's National Cyber Security Centre to release a Joint Cybersecurity Advisory examining tactics, techniques, and procedures associated with Russian Foreign Intelligence Service (SVR). The advisory provides additional insights on SVR activity including exploitation activity following the SolarWinds Orion supply chain compromise.
CISA released a related document, Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise, that summarizes three joint publications focused on SVR activities related to the SolarWinds Orion compromise.
SVR cyber operators appear to have reacted to prior reporting by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders.

CISA-FBI Cybersecurity Advisory on DarkSide Ransomware following Colonial Pipeline cyberattack

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on a ransomware-as-a-service (RaaS) variant—referred to as DarkSide—recently used in a ransomware attack against a critical infrastructure (CI) company.
The cyberattack against Colonial Pipeline that was discovered on May 7 underscores the growing impact of cyberthreats on industrial sectors. While the investigation is ongoing and important lessons from this attack will be extracted in the next few weeks, the fact that Colonial Pipeline had to proactively take their OT systems offline after starting to learn about which IT systems were impacted by the ransomware is significant.
Latest Update:
May 11: The FBI confirms that the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks
May 10: Colonial Pipeline restarted some systems with the goal of substantially restoring operational service by the end of the week
May 9: Colonial Pipeline is developing a system restart plan
May 7: A ransomware attack against the corporate systems (IT) of Colonial Pipeline led the organization on Friday May 7 to proactively take certain operational systems (OT) offline to contain the threat, which has temporarily halted all pipeline operations. Details on the attack mechanism and the attack scope are under active investigation by the FBI and the private security firm Mandiant (a division of FireEye).
Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data. These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy.
Prevention is the most effective defense against ransomware. It is critical to follow best practices to protect against ransomware attacks, which can be devastating to an individual or organization and recovery may be a difficult process. In addition to the Joint CSA, CISA and FBI urge CI asset owners and operators to review the following resources for best practices on strengthening cybersecurity posture:
CISA and Multi-State Information Sharing and Analysis Center: Joint Ransomware Guide <https://www.cisa.gov/publication/ransomware-guide>

CISA Publishes Ransomware Guidance and Resources

Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid. In recent years, ransomware incidents have become increasingly prevalent among the Nation’s state, local, tribal, and territorial (SLTT) government entities and critical infrastructure organizations.
Malicious actors continue to adjust and evolve their ransomware tactics over time, and CISA analysts remain vigilant in maintaining awareness of ransomware attacks and associated tactics, techniques, and procedures across the country and around the world: See CISA's Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak.
Looking to learn more about this growing cyber threat? The NEW Ransomware Guide is a great place to start. The Guide, released in September 2020, represents a joint effort between CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The joint Ransomware Guide includes industry best practices and a response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.
In January 2021, CISA unveiled the Reduce the Risk of Ransomware Campaign to raise awareness and instigate actions to combat this ongoing and evolving threat. The campaign is a focused, coordinated and sustained effort to encourage public and private sector organizations to implement best practices, tools and resources that can help them mitigate ransomware risk.

CISA Announces Transfer of .gov Top-Level Domain from US General Services Administration

The Cybersecurity and Infrastructure Security Agency (CISA) announced it will begin overseeing the .gov top-level domain (TLD) in April 2021. CISA is working closely with the U.S. General Services Administration, who currently oversees the TLD, to ensure a seamless transition of daily operations for .gov customers.
“Using .gov and increasing trust that government communications are authentic will improve our collective cybersecurity,” said Eric Goldstein, Executive Assistant Director for CISA’s Cybersecurity Division. “People see a .gov website or email address and know they are interacting with an official, U.S.-based government organization. Using .gov also provides security benefits, like two-factor authentication on the .gov registrar and notifications of DNS changes to administrators, over other TLDs. We’ll endeavor to make the TLD more secure for the American public and harder for malicious actors to impersonate.”
.gov is one of the six original TLDs in the internet’s domain name system (DNS). The TLD is actively used by each branch of the federal government, every state in the nation, hundreds of counties and cities, and many tribes and territories as they serve the public on the internet. The DOTGOV Act of 2020 shifted responsibility for managing .gov to CISA as the nation’s civilian cybersecurity agency.
Because the TLD is central to the availability and integrity of thousands of online services relied upon by millions of users, .gov is critical infrastructure for governments throughout the country and all aspects of its administration have cybersecurity significance. Under the actions required by the Act, CISA will work to increase security and decrease complexity for our government partners.

Joint NSA and CISA Guidance on Strengthening Cyber Defense Through Protective DNS

The National Security Agency (NSA) and CISA have released a Joint Cybersecurity Information (CSI) sheet with guidance on selecting a protective Domain Name System (PDNS) service as a key defense against malicious cyber activity. Protective DNS can greatly reduce the effectiveness of ransomware, phishing, botnet, and malware campaigns by blocking known-malicious domains. Additionally, organizations can use DNS query logs for incident response and threat hunting activities.
CISA encourages users and administrators to consider the benefits of using a protective DNS service and review NSA and CISA’s CSI sheet on Selecting a Protective DNS Service for more information.
Protecting users’ DNS queries is a key defense because cyber threat actors use domain names across the network exploitation lifecycle: users frequently mistype domain names while attempting to navigate to a known-good website and unintentionally go to a malicious one instead (T1583.001); threat actors lace phishing emails with malicious links (T1566.002); a compromised device may seek commands from a remote command and control server (TA0011); a threat actor may exfiltrate data from a compromised device to a remote host (TA0010).1 The domain names associated with malicious content are often known or knowable, and preventing their resolution protects individual users and the enterprise.
Due to the centrality of DNS for cybersecurity, the Department of Defense (DoD) included DNS filtering as a requirement in its Cybersecurity Maturity Model Certification (CMMC) standard (SC.3.192). The Cybersecurity and Infrastructure Security Agency issued a memo and directive requiring U.S. government organizations to take steps to mitigate related DNS issues. Additionally, the National Security Agency has published guidance documents on defending DNS [1, 2, 3].
This guidance outlines the benefits and risks of using a protective DNS service and assesses several commercial PDNS providers based on reported capabilities. The assessment is meant to serve as information for organizations, not as recommendations for provider selection. Users of these services must evaluate their architectures and specific needs when choosing a service for PDNS and then validate that a provider meets those needs.
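The two uses of DNS described above, refusing to resolve known-malicious names and hunting through query logs, can be sketched as follows. This is an added example, not code from the NSA/CISA sheet or from any PDNS provider; the log format, the blocklist and every domain and address in it are constructed placeholders.

```python
from collections import defaultdict

# Constructed blocklist of zones; the .example names are placeholders,
# not real indicators.
BLOCKED_ZONES = {"malware-c2.example", "phish-login.example"}

# Constructed resolver query log in an assumed format:
# "timestamp client_ip qname qtype"
SAMPLE_LOG = """\
2021-03-04T09:00:01Z 10.0.5.21 www.cisa.gov. A
2021-03-04T09:00:07Z 10.0.5.21 cdn.phish-login.example. A
2021-03-04T09:01:00Z 10.0.7.40 beacon.malware-c2.example. TXT
2021-03-04T09:02:00Z 10.0.7.40 beacon.malware-c2.example. TXT
2021-03-04T09:02:30Z 10.0.7.40 notmalware-c2.example. A
malformed line
"""


def normalize(qname):
    """Lower-case the name and drop the trailing root dot."""
    return qname.strip().lower().rstrip(".")


def blocked_zone(qname, zones=BLOCKED_ZONES):
    """Return the blocked zone covering qname, or None.

    Matching walks up the label hierarchy, so any subdomain of a blocked
    zone is caught, while a different name that merely ends with the same
    characters (notmalware-c2.example) is not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def parse_line(line):
    """Split one log line into fields; return None if it is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def hunt(log_text, zones=BLOCKED_ZONES):
    """Count blocked-zone lookups per client.

    Returns ({client_ip: {zone: count}}, number_of_unparseable_lines).
    Repeated lookups of the same zone by one client are worth a closer
    look during incident response, as they may be command-and-control
    traffic from a compromised device.
    """
    hits = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        zone = blocked_zone(rec["qname"], zones)
        if zone:
            hits[rec["client"]][zone] += 1
    return {client: dict(z) for client, z in hits.items()}, skipped


if __name__ == "__main__":
    per_client, bad_lines = hunt(SAMPLE_LOG)
    for client, zones in sorted(per_client.items()):
        print(client, zones)
    print("unparseable lines:", bad_lines)
```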

CISA Issues Emergency Directive for Federal Agencies to Patch Critical Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 21-02 requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch released yesterday.  It also requires agencies who are currently able to do so to collect forensic images. All agencies are also required to search for known indicators of compromise after patching, and if indicators are found, contact CISA to begin incident response activities.  The directive is in response to observed active exploitation of these products using previously unknown vulnerabilities.  CISA also issued an activity alert to provide additional information and to encourage other public and private sector organizations to take steps to protect their networks.
“This Emergency Directive will help us secure federal networks against the immediate threat while CISA works with its interagency partners to better understand the malicious actor’s techniques and motivations to share with our stakeholders,” said Acting CISA Director Brandon Wales.  “The swiftness with which CISA issued this Emergency Directive reflects the seriousness of this vulnerability and the importance of all organizations – in government and the private sector – to take steps to remediate it.”
ED 21-02 reflects CISA’s determination that exploitations that pose an unacceptable risk to the federal civilian executive branch agencies require emergency action.  CISA made this assessment on the basis of 1) current exploitation of these vulnerabilities, 2) the likelihood of widespread exploitation of the vulnerabilities after public disclosure and the risk that federal government services to the American public could be degraded.
CISA and the National Security Agency worked with Microsoft and security researchers to identify detection and mitigation approaches to these vulnerabilities, for which Microsoft released the patch this afternoon.  Cloud services such as Microsoft 365 and Azure systems are not known to be affected by this vulnerability.

Compromise of U.S. Water Treatment Facility

On February 5, 2021, unidentified cyber actors obtained unauthorized access to the supervisory control and data acquisition (SCADA) system at a U.S. drinking water treatment facility. The unidentified actors used the SCADA system’s software to increase the amount of sodium hydroxide, also known as lye, a caustic chemical, as part of the water treatment process. Water treatment plant personnel immediately noticed the change in dosing amounts and corrected the issue before the SCADA system’s software detected the manipulation and alarmed due to the unauthorized change. As a result, the water treatment process remained unaffected and continued to operate as normal. The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system. Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system, although this cannot be confirmed at present date. Onsite response to the incident included Pinellas County Sheriff Office (PCSO), U.S. Secret Service (USSS), and the Federal Bureau of Investigation (FBI).
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have observed cyber criminals targeting and exploiting desktop sharing software and computer networks running operating systems with end of life status to gain unauthorized access to systems. Desktop sharing software, which has multiple legitimate uses—such as enabling telework, remote technical support, and file transfers—can also be exploited through malicious actors’ use of social engineering tactics and other illicit measures. Windows 7 will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system. Continuing to use any operating system within an enterprise beyond the end of life status may provide cyber criminals access into computer systems.
Technical Details
Desktop Sharing Software
The FBI, CISA, EPA, and MS-ISAC have observed corrupt insiders and outside cyber actors using desktop sharing software to victimize targets in a range of organizations, including those in the critical infrastructure sectors. In addition to adjusting system operations, cyber actors also use the following techniques:
- Use access granted by desktop sharing software to perform fraudulent wire transfers.
- Inject malicious code that allows the cyber actors to
 - Hide desktop sharing software windows,
 - Protect malicious files from being detected, and
 - Control desktop sharing software startup parameters to obfuscate their activity.
- Move laterally across a network to increase the scope of activity.
TeamViewer, a desktop sharing software, is a legitimate popular tool that has been exploited by cyber actors engaged in targeted social engineering attacks, as well as large scale, indiscriminate phishing campaigns. Desktop sharing software can also be used by employees with vindictive and/or larcenous motivations against employers.
Beyond its legitimate uses, when proper security measures aren’t followed, remote access tools may be used to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs). TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to RATs.
Windows 7 End of Life
On January 14, 2020, Microsoft ended support for the Windows 7 operating system, which includes security updates and technical support unless certain customers purchased an Extended Security Update (ESU) plan. The ESU plan is paid per-device and available for Windows 7 Professional and Enterprise versions, with an increasing price the longer a customer continues use. Microsoft will only offer the ESU plan until January 2023. Continued use of Windows 7 increases the risk of cyber actor exploitation of a computer system.
Cyber actors continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits. Microsoft released an emergency patch for its older operating systems, including Windows 7, after an information security researcher discovered an RDP vulnerability in May 2019. Since the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the vulnerability. Cyber actors often use misconfigured or improperly secured RDP access controls to conduct cyberattacks. The xDedic Marketplace, taken down by law enforcement in 2019, flourished by compromising RDP vulnerabilities around the world.
Mitigations
General Recommendations
The following cyber hygiene measures may help protect against the aforementioned scheme:
- Update to the latest version of the operating system (e.g., Windows 10).
- Use multiple-factor authentication.
- Use strong passwords to protect Remote Desktop Protocol (RDP) credentials.
- Ensure anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.
- Audit network configurations and isolate computer systems that cannot be updated.
- Audit your network for systems using RDP, closing unused RDP ports, applying multiple-factor authentication wherever possible, and logging RDP login attempts.
- Audit logs for all remote connection protocols.
- Train users to identify and report attempts at social engineering.
- Identify and suspend access of users exhibiting unusual activity.
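As an added illustration of the log-auditing recommendations above (logging RDP login attempts and identifying unusual activity), the following script reviews exported logon records. It is not part of the advisory; it assumes the records were exported from the Windows Security log as JSON lines using the field names of events 4624 (successful logon) and 4625 (failed logon), with LogonType 10 marking RDP sessions. The events, addresses and approved subnet are constructed.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10                      # RemoteInteractive logon
EVENT_SUCCESS, EVENT_FAILURE = 4624, 4625
# Hypothetical subnet from which RDP is expected (for example, jump hosts).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]
FAIL_THRESHOLD = 3                       # failures per source that raise a finding
WINDOW = timedelta(minutes=10)

# Constructed sample export, one JSON record per line.
SAMPLE_EVENTS = """\
{"TimeCreated": "2021-03-01T08:00:00", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "operator"}
{"TimeCreated": "2021-03-01T08:01:00", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "operator"}
{"TimeCreated": "2021-03-01T08:02:00", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "operator"}
{"TimeCreated": "2021-03-01T08:03:00", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "operator"}
{"TimeCreated": "2021-03-01T08:30:00", "EventID": 4624, "LogonType": 10, "IpAddress": "10.20.0.15", "TargetUserName": "admin"}
{"TimeCreated": "2021-03-01T08:31:00", "EventID": 4624, "LogonType": 3, "IpAddress": "10.20.0.99", "TargetUserName": "svc"}
{"TimeCreated": "2021-03-01T09:00:00", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.9", "TargetUserName": "guest"}
"""


def load_events(text):
    """Parse JSON lines, keep only RDP logons, and sort them by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("LogonType") != RDP_LOGON_TYPE:
            continue
        rec["when"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return sorted(events, key=lambda r: r["when"])


def is_allowed(ip):
    """True if the source address is inside an approved management subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def audit(events):
    """Return findings as (kind, source_ip, user) tuples in time order."""
    findings = []
    recent_failures = defaultdict(list)   # source ip -> failure timestamps
    for ev in events:
        ip, user, when = ev["IpAddress"], ev["TargetUserName"], ev["when"]
        # Keep only failures from this source that fall inside the window.
        fails = [t for t in recent_failures[ip] if when - t <= WINDOW]
        if ev["EventID"] == EVENT_FAILURE:
            fails.append(when)
            if len(fails) == FAIL_THRESHOLD:
                findings.append(("failure-burst", ip, user))
        elif ev["EventID"] == EVENT_SUCCESS:
            if len(fails) >= FAIL_THRESHOLD:
                # A logon right after repeated failures suggests a guessed password.
                findings.append(("success-after-failures", ip, user))
            if not is_allowed(ip):
                findings.append(("unapproved-source", ip, user))
        recent_failures[ip] = fails
    return findings


if __name__ == "__main__":
    for finding in audit(load_events(SAMPLE_EVENTS)):
        print(finding)
```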
Water and Wastewater Systems Security Recommendations
The following physical security measures serve as additional protective measures:
- Install independent cyber-physical safety systems. These are systems that physically prevent dangerous conditions from occurring if the control system is compromised by a threat actor.
- Examples of cyber-physical safety system controls include:
 - Size of the chemical pump
 - Size of the chemical reservoir
 - Gearing on valves
 - Pressure switches, etc.
The benefit of these types of controls in the water sector is that smaller systems, with limited cybersecurity capability, can assess their system from a worst-case scenario. The operators can take physical steps to limit the damage. If, for example, cyber actors gain control of a sodium hydroxide pump, they will be unable to raise the pH to dangerous levels.
Remote Control Software Recommendations
For a more secured implementation of TeamViewer software:
- Do not use unattended access features, such as “Start TeamViewer with Windows” and “Grant easy access.”
- Configure TeamViewer service to “manual start,” so that the application and associated background services are stopped when not in use.
- Set random passwords to generate 10-character alphanumeric passwords.
- If using personal passwords, utilize complex rotating passwords of varying lengths. Note: TeamViewer allows users to change connection passwords for each new session. If an end user chooses this option, never save connection passwords as an option as they can be leveraged for persistence.
- When configuring access control for a host, utilize custom settings to tier the access a remote party may attempt to acquire.
- Require remote party to receive confirmation from the host to gain any access other than “view only.” Doing so will ensure that, if an unauthorized party is able to connect via TeamViewer, they will only see a locked screen and will not have keyboard control.
- Utilize the ‘Block and Allow’ list which enables a user to control which other organizational users of TeamViewer may request access to the system. This list can also be used to block users suspected of unauthorized access.

CISA Launches Campaign to Reduce Risk of Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA) announced the Reduce the Risk of Ransomware Campaign today, a focused, coordinated and sustained effort to encourage public and private sector organizations to implement best practices, tools and resources that can help them mitigate this cybersecurity risk and threat.
Ransomware is increasingly threatening both public and private networks, causing data loss, privacy concerns, and costing billions of dollars a year. These incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. Malicious actors have adjusted their ransomware tactics over time to include pressuring victims for payment by threatening to release stolen data if they refuse to pay and publicly naming and shaming victims as secondary forms of extortion.
“CISA is committed to working with organizations at all levels to protect their networks from the threat of ransomware,” said Brandon Wales, Director (Acting) of CISA. “This includes working collaboratively with our public and private sector partners to understand, develop and share timely information about the varied and disruptive ransomware threats. Anyone can be the victim of ransomware, and so everyone should take steps to protect their systems.”
In this campaign, which will have a particular focus on supporting COVID-19 response organizations and K-12 educational institutions, CISA is working to raise awareness about the importance of combating ransomware as part of an organization’s cybersecurity and data protection best practices. Over the next several months, CISA will use its social media platforms to iterate key behaviors or actions with resource links that can help technical and non-technical partners combat ransomware attacks.
CISA established a new one-stop resource at cisa.gov/ransomware. On this page, interested partners will find four categories of ransomware resources:
- Alerts and Statements: Official CISA updates to help stakeholders guard against the ever-evolving ransomware threat environment. These alerts are geared toward system administrators and other technical staff to bolster their organization’s security posture.
- Guides and Services: Tips and best practices for home users, organizations, and technical staff to guard against the growing ransomware threat.
- Fact Sheets and Infographics: Easy-to-use, straightforward information to help organizations and individuals better understand the threats from and the consequences of a ransomware attack.
- Trainings and Webinars: This information provides technical and non-technical audiences, including managers, business leaders, and technical specialists with an organizational perspective and strategic overview.
Many of the resources on this webpage were developed in collaboration with industry and interagency partners, such as:
- CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide;
- CISA, Federal Bureau of Investigation (FBI), and Department of Health and Human Services (HHS) Joint Cybersecurity Advisory on Ransomware Activity Targeting the Healthcare and Public Health Sector;
- CISA, FBI, DHS Homeland Security Investigations, and U.S. Secret Service recorded video discussion on Trends and Predictions in Ransomware from the 2020 CISA National Cybersecurity Summit.
- CISA Fact Sheet on Cyber Threats to K-12 Remote Learning Education for non-technical educational professionals with contributions from the FBI.

CISA Updates Emergency Directive 21-01 Supplemental Guidance and Activity Alert on SolarWinds Orion Compromise

CISA has released Emergency Directive (ED) 21-01 Supplemental Guidance version 3: Mitigate SolarWinds Orion Code Compromise, providing guidance that supersedes Required Action 4 of ED 21-01 and Supplemental Guidance versions 1 and 2.
- Federal agencies without evidence of adversary follow-on activity on their networks that accept the risk of running SolarWinds Orion in their enterprises should rebuild or upgrade, in compliance with hardening steps outlined in the Supplemental Guidance, to at least SolarWinds Orion Platform version 2020.2.1 HF2. The National Security Agency (NSA) examined this version and verified it eliminates the previously identified malicious code. This version also includes updates to fix unrelated vulnerabilities, including vulnerabilities that SolarWinds has publicly disclosed.
- Federal agencies with evidence of follow-on threat actor activity on their networks should keep their affected versions disconnected, conduct forensic analysis, and consult with CISA before rebuilding or reimaging affected platforms and host operating systems.
The updated supplemental guidance also includes forensic analysis and reporting requirements.
CISA has also updated AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, originally released December 17, 2020. This update includes new information on initial access vectors, updated mitigation recommendations, and new indicators of compromise (IOCs).
Although the Emergency Directive only applies to Federal Civilian Executive Branch agencies, CISA encourages state and local governments, critical infrastructure entities, and other private sector organizations to review CISA Emergency Directive 21-01 - Supplemental Guidance v.3 for recommendations on operating the SolarWinds Orion Platform. Review the following resources for additional information on the SolarWinds Orion compromise.