CISA, NSA, and NIST Publish Factsheet on Quantum Readiness

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and National Institute of Standards and Technology (NIST) released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap.

CISA, NSA, and NIST urge organizations to review the joint factsheet and to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. For more information and resources related to CISA’s PQC work, visit Post-Quantum Cryptography Initiative.

CISA and Partners Release Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), Increased Truebot Activity Infects U.S. and Canada Based Networks, to help organizations detect and protect against newly identified Truebot malware variants. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the four organizations assess cyber threat actors leveraged the malware through phishing campaigns containing malicious redirect hyperlinks.

Additionally, newer versions of Truebot malware allow malicious actors to gain initial access by exploiting a known vulnerability with Netwrix Auditor application (CVE-2022-31199). As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organizations in the U.S. and Canada.

CISA, FBI, MS-ISAC, and the CCCS encourage all organizations to review this joint advisory and implement the recommended mitigations contained therein—including applying patches to CVE-2022-31199, to reduce the likelihood and impact of Truebot activity, as well as other ransomware related incidents.

CISA CyberSentry Program Launches Webpage

Cybersecurity & Infrastructure Security Agency (CISA) has published a blog and webpage on the CyberSentry program, a CISA-managed threat detection and monitoring capability with critical infrastructure partners that operate significant networks supporting National Critical Functions (NCFs): cisa.gov/CyberSentry

The CyberSentry program enables our agency to proactively hunt for malicious cyber activity, advise on mitigation strategies, and provide critical infrastructure partners with recommendations for improving overall network and control system security. The new CyberSentry webpage includes an informational video about the program, a fact sheet and details on how to contact CISA CyberSentry program.

Critical infrastructure organizations are experiencing network intrusions at an increasing frequency. To enhance detection of threats, CISA operates CyberSentry, which is a voluntary, proactive program that leverages its capabilities and partners with a select number of critical infrastructure organizations.

CyberSentry technology supports sensing and monitoring for information technology (IT) and operational technology (OT) networks. CyberSentry has added significant value to both CISA’s national mission and to our partners’ enterprise cybersecurity efforts.

Recent successes include:

- Infected OT Equipment: CyberSentry discovered an infection on a partner’s Human Machine Interface (HMI) equipment that had not been properly patched and secured. CISA analysts quickly notified the partner about the issue and offered guidance on preventive techniques for the future.

- Unintentional Exposure: CyberSentry tools spotted cleartext authentication occurring on a partner’s network, and further investigation revealed that a misconfiguration had caused the issue. A detailed report was provided to the partner, including specific guidance on remediating the situation.

- Private Sector Coordination: During the Colonial Pipeline disruption, CISA analysts coordinated closely with its pipeline partners to share information and monitor for adversary activity.

- SolarWinds Response: CyberSentry data helped to quickly identify partners affected by the SolarWinds supply chain compromise. All impacted partners were notified, and the program worked closely and expediently with these partners to confirm remediation of the threat.

- Identification of Malicious Activity: On multiple occasions, CISA analysts identified possible malicious activity at partner sites and worked with affected partners to identify the root causes of activity.

- Malware Discovery: CyberSentry tools quickly discovered and identified malware in a partner’s IT network. Working with the partner, CISA analysts were able to locate the infected device so the partner could remove it from the network and verify that the threat was contained.

- Attacker Exfiltration Detected: CyberSentry discovered that an attacker was actively exfiltrating information. CyberSentry worked with the partner to identify information that had been exfiltrated. After conferring with CyberSentry analysts, the partner was able to isolate infected systems that same evening, eliminating the threat.

CISA and FBI Release #StopRansomware: CL0P Ransomware Gang Exploits MOVEit Vulnerability

The Cybersecurity & Infrastructure Security Agency (CISA) and FBI released a joint Cybersecurity Advisory (CSA) CL0P Ransomware Gang Exploits MOVEit Vulnerability in response to a recent vulnerability exploitation attributed to CL0P Ransomware Gang. This [joint guide] provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI investigations as recently as May this year. Additionally, it provides immediate actions to help reduce the impact of CL0P ransomware.

The CL0P Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer. Internet- facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases.

CISA and FBI encourage information technology (IT) network defenders to review the MOVEit Transfer Advisory and implement the recommended mitigations to reduce the risk of compromise. This joint CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed TTPs and IOCs to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

IACIPP Speak at CyberCon Conference in Bucharest

John Donlon QPM FSyI, Chairman of the International Association of Critical Infrastructure Protection Professionals (IACIPP), was a guest speaker on behalf of the National Institute for Research & Development in Informatics (ICI Bucharest) at the CyberCon Conference which took place in Romania between the 22nd and 27th May.

John was on a panel session addressing the subject of Cyber Diplomacy. The session was moderated by Carmen-Elena CÎRNU, the Scientific Director of ICI Bucharest and opened by the Director General of ICI Bucharest, Victor Vevera. In his opening address Victor referenced the Romanian position on Cyber Diplomacy from his organisations perspective and also highlighted the continuing partnership with IACIPP and the successful joint conference held in the Romanian Royal Place in 2022.

John delivered a presentation where he outlined his views on how the type and nature of the crisis being faced within our increasingly interconnected, globalised and rapidly changing world were ever evolving referencing the pandemic, the war in Ukraine and the devastating earthquakes that hit Turkey and Syria at the start of this year.

He summarised the development of IACIPP and what it seeks to achieve as a platform for likeminded individuals. The aim being to create a space to share information, connect and communicate on all matters relating to the protection and resilience of national infrastructure and information. The focus being on the part that such an association can play in facilitating communication across both the public and private sectors.

That need for connectivity was a common thread throughout the session. It was acknowledged that the worlds infrastructure and cyber position is a greater target and more vulnerable than ever and in order to address issues of concern there is a requirement to continue to develop a comprehensive approach that aligns both physical and cyber security, protection and resilience through enhanced levels of cooperation and coordination.

There was consensus across the panel and from the audience, of the continued need for greater levels of coordination, cooperation and communication across both nation states and between public and private sector entities.

It was recognised that the development of Cyber Diplomacy along with the growth in Cyber Ambassadors across the globe could go some significant way to addressing cyber problems internationally and improving the connectivity that has to be in place.

CISA Warns of Hurricane/Typhoon-Related Scams

The Cybersecurity & Infrastructure Security Agency (CISA) urges users to remain on alert for malicious cyber activity following a natural disaster such as a hurricane or typhoon, as attackers target potential disaster victims by leveraging social engineering tactics, techniques, and procedures (TTPs). Social engineering TTPs include phishing attacks that use email or malicious websites to solicit personal information by posing as a trustworthy organization, notably as charities providing relief. Exercise caution in handling emails with hurricane/typhoon-related subject lines, attachments, or hyperlinks to avoid compromise. In addition, be wary of social media pleas, texts, or door-to-door solicitations related to severe weather events.

CISA encourages users to review the Federal Trade Commission’s Staying Alert to Disaster-related Scams and Before Giving to a Charity, and CISA’s Using Caution with Email Attachments and Tips on Avoiding Social Engineering and Phishing Attacks to avoid falling victim to malicious attacks.

Nuclear Security: DOE Should Take Actions to Fully Implement Insider Threat Program

The theft of nuclear material and the compromise of information could have devastating consequences. Threats can come from external adversaries or from "insiders," including employees or visitors with trusted access. In 2014, DOE established its Insider Threat Program to integrate its policies, procedures, and resources. The program also coordinates analysis, response, and mitigation actions among DOE organizations.

The House report accompanying a bill for the National Defense Authorization Act for fiscal year 2022 includes a provision for GAO to review DOE's efforts to address insider threats with respect to the nuclear security enterprise. This report examines (1) the extent to which DOE has implemented required standards to protect the nuclear security enterprise from insider threats and (2) the factors that have affected DOE's ability to fully implement its Insider Threat Program.

GAO reviewed the minimum standards and best practices for federal insider threat programs, DOE documentation, and four assessments by independent reviewers. GAO also interviewed DOE and National Nuclear Security Administration officials and contractors.

The Department of Energy has several programs to ensure proper access to and handling of the nation's nuclear weapons and related information. DOE started a program in 2014 to further protect against insider threats from employees, contractors, and trusted visitors.

But as of 2023, DOE hasn't fully implemented the program. For example, DOE doesn't ensure that employees are trained to identify and report potential insider threats. Also, the agency hasn't clearly defined contractors' responsibilities for this program.

DOE changed the program's leadership in February 2023, but there's more to do. We recommended ways to improve the program.

The Department of Energy (DOE) has not implemented all required measures for its Insider Threat Program more than 8 years after DOE established it in 2014, according to multiple independent assessments. Specifically, DOE has not implemented seven required measures for its Insider Threat Program, even after independent reviewers made nearly 50 findings and recommendations to help DOE fully implement its program (see fig. for examples). DOE does not formally track or report on its actions to implement them. Without tracking and reporting on its actions to address independent reviewers' findings and recommendations, DOE cannot ensure that it has fully addressed identified program deficiencies.

Examples of Selected Recommendations from Independent Assessments of DOE's Insider Threat Program

DOE has not fully implemented its Insider Threat Program due to multiple factors.

- DOE has not integrated program responsibilities. DOE has not effectively integrated Insider Threat Program responsibilities. Instead, DOE divided significant responsibilities for its program between two offices. Specifically, the program's senior official resides within the security office, while operational control for insider threat incident analysis and response resides within the Office of Counterintelligence—a part of the organization with its own line of reporting to the Secretary of Energy. Without better integrating insider threat responsibilities between these offices, DOE's insider threat program will continue to face significant challenges that preclude it from having an effective or fully operational program.

- DOE has not identified and assessed resource needs. DOE has not identified and assessed the human, financial, and technical resources needed to fully implement its Insider Threat Program. Program funding identified in DOE's budget does not account for all program responsibilities. For example, DOE's budget does not include dedicated funding for its contractor-run nuclear weapons production and research sites to carry out their responsibilities for implementing the program. Unless DOE identifies and assesses the resources needed to support the Insider Threat Program, it will be unable to fully ensure that components are equipped to respond to insider threat concerns, potentially creating vulnerabilities in the program.

CISA and Partners Release Cybersecurity Advisory Guidance detailing PRC state-sponsored actors evading detection by “Living off the Land”

The Cybersecurity & Infrastructure Security Agency (CISA) joined the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners in releasing a joint cybersecurity advisory highlighting recently discovered activities conducted by a People’s Republic of China (PRC) state-sponsored cyber threat actor.

This advisory highlights how PRC cyber actors use techniques called “living off the land” to evade detection by using built-in networking administration tools to compromise networks and conduct malicious activity. This enables the cyber actor to blend in with routine Windows system and network activities, limit activity and data captured in default logging configurations, and avoid endpoint detection and response (EDR) products that could alert to the introduction of third-party applications on the host or network. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.

The authoring agencies have identified potential indicators associated with these techniques. To hunt for this activity, CISA and partners encourage network defenders to use the actor’s commands and detection signatures provided in this advisory. CISA and partners further encourage network defenders to view the indicators of compromise (IOCs) and mitigations summaries to detect this activity.

Standardisation of Cybersecurity for Artificial Intelligence

The European Union Agency for Cybersecurity (ENISA) publishes an assessment of standards for the cybersecurity of AI and issues recommendations to support the implementation of upcoming EU policies on Artificial Intelligence (AI).

This report focuses on the cybersecurity aspects of AI, which are integral to the European legal framework regulating AI, proposed by the European Commission last year dubbed as the “AI Act“.

What is Artificial Intelligence?

The draft AI Act provides a definition of an AI system as “software developed with one or more (…) techniques (…) for a given set of human-defined objectives, that generates outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with.” In a nutshell, these techniques mainly include: machine learning resorting to methods such as deep learning, logic, knowledge-based and statistical approaches.

It is indeed essential for the allocation of legal responsibilities under a future AI framework to agree on what falls into the definition of an 'AI system'.

However, the exact scope of an AI system is constantly evolving both in the legislative debate on the draft AI Act, as well in the scientific and standardisation communities.

Although broad in contents, this report focuses on machine learning (ML) due to its extensive use across AI deployments. ML has come under scrutiny with respect to vulnerabilities particularly impacting the cybersecurity of an AI implementation.

AI cybersecurity standards: what’s the state of play?

As standards help mitigate risks, this study unveils existing general-purpose standards that are readily available for information security and quality management in the context of AI. In order to mitigate some of the cybersecurity risks affecting AI systems, further guidance could be developed to help the user community benefit from the existing standards on AI.

This suggestion has been based on the observation concerning the software layer of AI. It follows that what is applicable to software could be applicable to AI. However, it does not mean the work ends here. Other aspects still need to be considered, such as:

  • a system-specific analysis to cater for security requirements deriving from the domain of application;
  • standards to cover aspects specific to AI, such as the traceability of data and testing procedures.

Further observations concern the extent to which the assessment of compliance with security requirements can be based on AI-specific horizontal standards; furthermore, the extent to which this assessment can be based on vertical/sector specific standards calls for attention.

Key recommendations include:

  • Resorting to a standardised AI terminology for cybersecurity;
  • Developing technical guidance on how existing standards related to the cybersecurity of software should be applied to AI;
  • Reflecting on the inherent features of ML in AI. Risk mitigation in particular should be considered by associating hardware/software components to AI; reliable metrics; and testing procedures;
  • Promoting the cooperation and coordination across standards organisations’ technical committees on cybersecurity and AI so that potential cybersecurity concerns (e.g., on trustworthiness characteristics and data quality) can be addressed in a coherent manner.

Regulating AI: what is needed?

As for many other pieces of EU legislation, compliance with the draft AI Act will be supported by standards. When it comes to compliance with the cybersecurity requirements set by the draft AI Act, additional aspects have been identified. For example, standards for conformity assessment, in particular related to tools and competences, may need to be further developed. Also, the interplay across different legislative initiatives needs to be further reflected in standardisation activities – an example of this is the proposal for a regulation on horizontal cybersecurity requirements for products with digital elements, referred to as the “Cyber Resilience Act”.

Building on the report and other desk research as well as input received from experts, ENISA is currently examining the need for and the feasibility of an EU cybersecurity certification scheme on AI. ENISA is therefore engaging with a broad range of stakeholders including industry, ESOs and Member States, for the purpose of collecting data on AI cybersecurity requirements, data security in relation to AI, AI risk management and conformity assessment.

ENISA advocated the importance of standardisation in cybersecurity today, at the RSA Conference in San Francisco in the ‘Standards on the Horizon: What Matters Most?’ in a panel comprising the National Institute of Standards and Technology (NIST).

CISA and Partners Disclose Snake Malware Threat From Russian Cyber Actors

CISA and partners released a joint advisory for a sophisticated cyber espionage tool used by Russian cyber actors. Hunting Russian Intelligence “Snake” Malware provides technical descriptions of the malware’s host architecture and network communications, and mitigations to help detect and defend against this threat.

 

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets. Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.

CISA has identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, to include the United States and Russia itself. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical in nature. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a North Atlantic Treaty Organization (NATO) country. Within the United States, the FSB has victimized industries including education, small businesses, and media organizations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing, and communications.

This Cybersecurity Advisory (CSA) provides background on Snake’s attribution to the FSB and detailed technical descriptions of the implant’s host architecture and network communications. This CSA also addresses a recent Snake variant that has not yet been widely disclosed. The technical information and mitigation recommendations in this CSA are provided to assist network defenders in detecting Snake and associated activity. For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage.

CISA urges organizations to review the advisory for more information and apply the recommended mitigations and detection guidance.

1 2 3 4