CISA and Partners Release Joint Guide to Securing Remote Access Software

The Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Israel National Cyber Directorate (INCD) released the Guide to Securing Remote Access Software. This new joint guide is the result of a collaborative effort to provide an overview of legitimate uses of remote access software, as well as common exploitations and associated tactics, techniques, and procedures (TTPs), and how to detect and defend against malicious actors abusing this software.

Remote access software provides organizations with a broad array of capabilities to maintain and improve information technology (IT), operational technology (OT), and industrial control system (ICS) services; however, malicious actors often exploit this software for easy and broad access to victim systems.

CISA encourages organizations to review this joint guide for recommendations and best practices to implement in alignment with their specific cybersecurity requirements to better detect and defend against exploitation. When using remote access software and implementing mitigations, also refer to the additional information below: the guidance for MSPs and small- and mid-sized businesses, and the material on malicious use of remote monitoring and management software.

CISA and FBI Release #StopRansomware: CL0P Ransomware Gang Exploits MOVEit Vulnerability

The Cybersecurity & Infrastructure Security Agency (CISA) and FBI released a joint Cybersecurity Advisory (CSA), CL0P Ransomware Gang Exploits MOVEit Vulnerability, in response to a recent vulnerability exploitation attributed to the CL0P Ransomware Gang. This joint CSA provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI investigations as recently as May this year. Additionally, it provides immediate actions to help reduce the impact of CL0P ransomware.

The CL0P Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases.

CISA and FBI encourage information technology (IT) network defenders to review the MOVEit Transfer Advisory and implement the recommended mitigations to reduce the risk of compromise. This joint CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed TTPs and IOCs to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

IACIPP Speaks at CyberCon Conference in Bucharest

John Donlon QPM FSyI, Chairman of the International Association of Critical Infrastructure Protection Professionals (IACIPP), was a guest speaker on behalf of the National Institute for Research & Development in Informatics (ICI Bucharest) at the CyberCon Conference which took place in Romania between the 22nd and 27th May.

John was on a panel session addressing the subject of Cyber Diplomacy. The session was moderated by Carmen-Elena CÎRNU, the Scientific Director of ICI Bucharest, and opened by the Director General of ICI Bucharest, Victor Vevera. In his opening address, Victor referenced the Romanian position on Cyber Diplomacy from his organisation's perspective and also highlighted the continuing partnership with IACIPP and the successful joint conference held in the Romanian Royal Place in 2022.

John delivered a presentation in which he outlined his views on how the type and nature of the crises being faced within our increasingly interconnected, globalised and rapidly changing world were ever evolving, referencing the pandemic, the war in Ukraine and the devastating earthquakes that hit Turkey and Syria at the start of this year.

He summarised the development of IACIPP and what it seeks to achieve as a platform for like-minded individuals. The aim is to create a space to share information, connect and communicate on all matters relating to the protection and resilience of national infrastructure and information. The focus is on the part that such an association can play in facilitating communication across both the public and private sectors.

That need for connectivity was a common thread throughout the session. It was acknowledged that the world's infrastructure and cyber position is a greater target and more vulnerable than ever, and that in order to address issues of concern there is a requirement to continue to develop a comprehensive approach that aligns both physical and cyber security, protection and resilience through enhanced levels of cooperation and coordination.

There was consensus across the panel and from the audience on the continued need for greater levels of coordination, cooperation and communication across both nation states and between public and private sector entities.

It was recognised that the development of Cyber Diplomacy along with the growth in Cyber Ambassadors across the globe could go some significant way to addressing cyber problems internationally and improving the connectivity that has to be in place.

CISA Warns of Hurricane/Typhoon-Related Scams

The Cybersecurity & Infrastructure Security Agency (CISA) urges users to remain on alert for malicious cyber activity following a natural disaster such as a hurricane or typhoon, as attackers target potential disaster victims by leveraging social engineering tactics, techniques, and procedures (TTPs). Social engineering TTPs include phishing attacks that use email or malicious websites to solicit personal information by posing as a trustworthy organization, notably as charities providing relief. Exercise caution in handling emails with hurricane/typhoon-related subject lines, attachments, or hyperlinks to avoid compromise. In addition, be wary of social media pleas, texts, or door-to-door solicitations related to severe weather events.

CISA encourages users to review the Federal Trade Commission’s Staying Alert to Disaster-related Scams and Before Giving to a Charity, and CISA’s Using Caution with Email Attachments and Tips on Avoiding Social Engineering and Phishing Attacks to avoid falling victim to malicious attacks.

Nuclear Security: DOE Should Take Actions to Fully Implement Insider Threat Program

The theft of nuclear material and the compromise of information could have devastating consequences. Threats can come from external adversaries or from "insiders," including employees or visitors with trusted access. In 2014, DOE established its Insider Threat Program to integrate its policies, procedures, and resources. The program also coordinates analysis, response, and mitigation actions among DOE organizations.

The House report accompanying a bill for the National Defense Authorization Act for fiscal year 2022 includes a provision for GAO to review DOE's efforts to address insider threats with respect to the nuclear security enterprise. This report examines (1) the extent to which DOE has implemented required standards to protect the nuclear security enterprise from insider threats and (2) the factors that have affected DOE's ability to fully implement its Insider Threat Program.

GAO reviewed the minimum standards and best practices for federal insider threat programs, DOE documentation, and four assessments by independent reviewers. GAO also interviewed DOE and National Nuclear Security Administration officials and contractors.

The Department of Energy has several programs to ensure proper access to and handling of the nation's nuclear weapons and related information. DOE started a program in 2014 to further protect against insider threats from employees, contractors, and trusted visitors.

But as of 2023, DOE hasn't fully implemented the program. For example, DOE doesn't ensure that employees are trained to identify and report potential insider threats. Also, the agency hasn't clearly defined contractors' responsibilities for this program.

DOE changed the program's leadership in February 2023, but there's more to do. We recommended ways to improve the program.

The Department of Energy (DOE) has not implemented all required measures for its Insider Threat Program more than 8 years after DOE established it in 2014, according to multiple independent assessments. Specifically, DOE has not implemented seven required measures for its Insider Threat Program, even after independent reviewers made nearly 50 findings and recommendations to help DOE fully implement its program (see fig. for examples). DOE does not formally track or report on its actions to implement them. Without tracking and reporting on its actions to address independent reviewers' findings and recommendations, DOE cannot ensure that it has fully addressed identified program deficiencies.

Figure: Examples of Selected Recommendations from Independent Assessments of DOE's Insider Threat Program

DOE has not fully implemented its Insider Threat Program due to multiple factors.

- DOE has not integrated program responsibilities. DOE has not effectively integrated Insider Threat Program responsibilities. Instead, DOE divided significant responsibilities for its program between two offices. Specifically, the program's senior official resides within the security office, while operational control for insider threat incident analysis and response resides within the Office of Counterintelligence—a part of the organization with its own line of reporting to the Secretary of Energy. Without better integrating insider threat responsibilities between these offices, DOE's insider threat program will continue to face significant challenges that preclude it from having an effective or fully operational program.

- DOE has not identified and assessed resource needs. DOE has not identified and assessed the human, financial, and technical resources needed to fully implement its Insider Threat Program. Program funding identified in DOE's budget does not account for all program responsibilities. For example, DOE's budget does not include dedicated funding for its contractor-run nuclear weapons production and research sites to carry out their responsibilities for implementing the program. Unless DOE identifies and assesses the resources needed to support the Insider Threat Program, it will be unable to fully ensure that components are equipped to respond to insider threat concerns, potentially creating vulnerabilities in the program.

CISA and Partners Release Cybersecurity Advisory Guidance detailing PRC state-sponsored actors evading detection by “Living off the Land”

The Cybersecurity & Infrastructure Security Agency (CISA) joined the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners in releasing a joint cybersecurity advisory highlighting recently discovered activities conducted by a People’s Republic of China (PRC) state-sponsored cyber threat actor.

This advisory highlights how PRC cyber actors use techniques called “living off the land” to evade detection by using built-in networking administration tools to compromise networks and conduct malicious activity. This enables the cyber actor to blend in with routine Windows system and network activities, limit activity and data captured in default logging configurations, and avoid endpoint detection and response (EDR) products that could alert to the introduction of third-party applications on the host or network. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.

The authoring agencies have identified potential indicators associated with these techniques. To hunt for this activity, CISA and partners encourage network defenders to use the actor’s commands and detection signatures provided in this advisory. CISA and partners further encourage network defenders to view the indicators of compromise (IOCs) and mitigations summaries to detect this activity.

EPA Updates Power Resilience Guide for Water and Wastewater Utilities

EPA has published an updated version of the Power Resilience Guide, which provides water and wastewater utilities with information and strategies to help strengthen relationships with their electric providers and increase their resilience to power outages.

The guide has been updated to include new information in its “Energy Efficiency,” “Renewable Energy and Distributed Energy Resources,” and “Funding” sections. The document is divided into eight areas in which water sector utilities can increase power resilience, which include communication, power assessments, emergency generators, fuel, energy efficiency, renewable energy and microgrids, black sky planning, and funding. Additionally, the updated guide includes new case studies that demonstrate creative power resilience strategies (e.g., implementation of microgrids at utilities) and planning considerations for both short (e.g., 2-3 days) and long (e.g., several weeks) duration power outages.

Access the updated guide below or read more about power resilience at EPA.

Cyber Agencies and Allies Partner to Identify Russian Snake Malware Infrastructure Worldwide

The National Security Agency (NSA) and several partner agencies have identified infrastructure for Snake malware—a sophisticated Russian cyberespionage tool—in over 50 countries worldwide.

To assist network defenders in detecting Snake and any associated activity, the agencies are publicly releasing the joint Cybersecurity Advisory (CSA) “Hunting Russian Intelligence ‘Snake’ Malware” today.

The agencies, which include the NSA, Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Cyber National Mission Force (CNMF), Canadian Cyber Security Centre (CCCS), United Kingdom National Cyber Security Centre (NCSC-UK), Australian Cyber Security Centre (ACSC), and New Zealand National Cyber Security Centre (NCSC-NZ) attribute Snake operations to a known unit within Center 16 of Russia’s Federal Security Service (FSB). The international coalition has identified Snake malware infrastructure across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia.

“Russian government actors have used this tool for years for intelligence collection,” said Rob Joyce, NSA Director of Cybersecurity. “Snake infrastructure has spread around the world. The technical details will help many organizations find and shut down the malware globally.”

Malicious cyber actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, through a victim in a North Atlantic Treaty Organization (NATO) country.

In the U.S., the FSB has victimized industries including education institutions, small businesses, and media organizations. Critical infrastructure sectors, such as local government, finance, manufacturing, and telecommunications, have also been impacted.

Typically, Snake malware is deployed to external-facing infrastructure nodes on a network. From there, it uses other tools and tactics, techniques, and procedures (TTPs) on the internal network to conduct additional exploitation operations.

Reimagining Gunshot Detection for Enhanced Community Safety

New portable system employs two methods of detection for increased accuracy and reduced false positives.

New and improved gunshot detection technology will soon make American communities of all sizes safer. The Science and Technology Directorate (S&T) and its industry partner Shooter Detection Systems (SDS) developed SDS Outdoor, a gunshot detection system that builds on existing SDS technology to deliver new capabilities that significantly improve the response and management of outdoor shootings.

Among these new capabilities are portability and ease of system set up at any location, two-source detection—sound and flash—to confirm a gunshot, real-time alerts that provide near-instant situational awareness to law enforcement and emergency medical responders, and enhanced data recording that aids apprehension and conviction of alleged shooters.

Portability allows the system to be set up practically anywhere, including near outdoor events, and a single person can install it. Additionally, the enhanced system tells law enforcement when and where a gunshot originates, cutting response times dramatically and providing police officers actionable information—for example, data that helps them to determine if there is a single shooter or multiple shooters. Agencies can then use that information to coordinate resource response and counter an active threat.

“It takes about two to three minutes for an individual to call 911 after a gunshot. Gunshot detection technology cuts that time in half and sends a notification to local law enforcement. Police could then dispatch a unit quicker to either stop the incident that's occurring or to assist in preventing any lives being taken,” said Wilhelm Thomas, officer with the New York Police Department’s (NYPD) Counterterrorism Division. “If we're there first, we can lock down the scene. This will provide security for the emergency medical services (EMS) and thus help prevent the loss of more lives.”

Although gunshot detection technology is currently in use, it can only be installed at fixed locations. For outdoor public events, portable gunshot detection technology can add another layer of security to already installed security systems like cameras.

“This system does not prevent gunshots. It detects an ongoing shooting to help first responders get there faster,” said Anthony Caracciolo, S&T program manager for First Responder Technology. “The more details officers have about an incident, the quicker they can identify and eliminate the threat, and EMS can tend injured victims safely.”

More than two years ago, S&T’s First Responder Resource Group set out to extend gunshot detection capabilities to locations that do not support fixed deployments, such as open areas where large crowds may gather temporarily. Since then, the project has progressed into prototype design, gathering opinions from first responders, and, most recently, a November 2022 Operational Field Assessment (OFA) led by S&T’s National Urban Security Technology Laboratory (NUSTL).

“We started this project because most existing gunshot detection technologies come with limitations, and they may also trigger false alarms,” said Caracciolo. “An outdoor mobile detector that can be easily deployed in the field for a concert or other outdoor event is needed.”

Detecting gunshots almost instantly

SDS Outdoor has several interesting added features. For starters, one to two people can transport and install the system. Also, the tech delivers critical intelligence about an outdoor shooting incident almost instantaneously to first responders. Moreover, it dramatically reduces false-positive alerts.

“Unlike other detection systems, which mostly rely just on acoustics, our indoor gunshot detection system pairs two types of sensors—for the firearm’s infrared flash and acoustic bang—to get the false-alert rate way down,” said Richard Onofrio, SDS’ managing director. “We've applied that same concept to this development where we've increased the coverage area considerably.”

Prior to an outdoor event, officers can map out placement locations, install the system in minutes, and select the response agencies whom SDS Outdoor will alert if a shooting occurs.

As a plus, the gunshot detection tech’s alerting software integrates with the existing platforms used by first responders, including security cameras and dispatch systems. If internet is unavailable at an event site—no problem! The tech can communicate with the software application directly in more of a ‘local only’ mode.

CISA and Partners Release BianLian Ransomware Cybersecurity Advisory

CISA, the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) with known BianLian ransomware and data extortion group technical details. Microsoft and Sophos contributed to the advisory.

To reduce the likelihood and impact of BianLian and other ransomware incidents, CISA encourages organizations to implement mitigations recommended in this advisory. Mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).
