CISA and Partners Release Advisory on Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

CISA—in partnership with the Federal Bureau of Investigation (FBI) and the Department of Defense Cyber Crime Center (DC3)—released Iran-based Cyber Actors Enabling Ransomware Attacks on U.S. Organizations. This joint advisory warns of cyber actors, known in the private sector as Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm, targeting and exploiting U.S. and foreign organizations across multiple sectors in the U.S.
FBI investigations conducted as recently as August 2024 assess that cyber actors like Pioneer Kitten are connected with the Government of Iran (GOI) and linked to an Iranian information technology (IT) company. Their malicious cyber operations are aimed at deploying ransomware attacks to obtain and develop network access. These operations aid malicious cyber actors in further collaborating with affiliate actors to continue deploying ransomware.
This advisory highlights similarities to a previous advisory, Iran-Based Threat Actor Exploits VPN Vulnerabilities published on Sept. 15, 2020, and provides known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).
CISA and partners encourage critical infrastructure organizations to review and implement the mitigations provided in this joint advisory to reduce the likelihood and impact of ransomware incidents. For more information on Iranian state-sponsored threat actor activity, see CISA’s Iran Cyber Threat Overview and Advisories page.

International Partners Release Malware Analysis Report on Infamous Chisel Mobile Malware

The United Kingdom’s National Cyber Security Centre (NCSC-UK), the United States’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), New Zealand’s National Cyber Security Centre (NCSC-NZ), Canadian Centre for Cyber Security (CCCS), and the Australian Signals Directorate (ASD) published a joint Malware Analysis Report (MAR), on Infamous Chisel a new mobile malware targeting Android devices with capabilities to enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information.

Infamous Chisel mobile malware has been used in a malware campaign targeting Android devices in use by the Ukrainian military.

Infamous Chisel is a collection of components targeting Android devices and is attributed to Sandworm, the Russian Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies, GTsST. The malware’s capability includes network monitoring, traffic collection, network backdoor access via The Onion Router (Tor) and Secure Shell (SSH), network scanning and Secure Copy Protocol (SCP) file transfer.

The authoring organizations urge users, network defenders, and stakeholders to review the malware analysis report for indicators of compromise (IOCs) and detection rules and signatures to determine system compromise. For more information about malware, see CISA’s Malware, Phishing, and Ransomware page. The joint MAR can also be read in full on the NCSC-UK website. Associated files relating to this report can also be accessed via the NCSC's Malware Analysis Reports page.

CISA and Partners Disclose Snake Malware Threat From Russian Cyber Actors

CISA and partners released a joint advisory for a sophisticated cyber espionage tool used by Russian cyber actors. Hunting Russian Intelligence “Snake” Malware provides technical descriptions of the malware’s host architecture and network communications, and mitigations to help detect and defend against this threat.

 

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets. Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.

CISA has identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, to include the United States and Russia itself. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical in nature. Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, from a victim in a North Atlantic Treaty Organization (NATO) country. Within the United States, the FSB has victimized industries including education, small businesses, and media organizations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing, and communications.

This Cybersecurity Advisory (CSA) provides background on Snake’s attribution to the FSB and detailed technical descriptions of the implant’s host architecture and network communications. This CSA also addresses a recent Snake variant that has not yet been widely disclosed. The technical information and mitigation recommendations in this CSA are provided to assist network defenders in detecting Snake and associated activity. For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage.

CISA urges organizations to review the advisory for more information and apply the recommended mitigations and detection guidance.

NSA, CISA, and MS-ISAC Release Guidance for Securing Remote Monitoring and Management Software

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released the “Protecting Against Malicious Use of Remote Monitoring and Management Software” Cybersecurity Advisory (CSA) today to help network defenders protect against the malicious use of legitimate remote monitoring and management (RMM) software.

RMM software is commonly used by managed service providers (MSPs) and help desks to provide security and/or technical support. The software is intended to enable network management, endpoint monitoring, and remote interaction with hosts for IT-support functions. Malicious use of RMM software allows cybercriminals and advanced persistent threat (APT) actors to bypass anti-virus/anti-malware defenses.

In October, CISA identified a widespread cyber campaign in which cybercriminal actors leveraged RMM software to gain command and control of devices and accounts. Malicious cyber actors could leverage these same techniques to target National Security Systems (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) networks and use legitimate RMM software on both work and home devices and accounts. Other RMM software solutions could be abused to similar effect.

CISA, NSA, and MS-ISAC encourage network defenders to apply mitigations such as the following:

- Audit installed remote access tools to identify RMM software.
- Implement application controls to prevent execution of unauthorized RMM software.
- Use only authorized RMM software on your network over approved remote access solutions, such as VPN or VDI.
- Block both inbound and outbound connections on common RMM ports and protocols.

Read full report at www.media.defense.gov/2023/Jan/25/2003149873/-1/-1/0/JOINT_CSA_RMM.PDF

CISA Developed Cross-Sector Recommendations to Help Organizations Prioritize Cybersecurity Investments

The Department of Homeland Security released the Cybersecurity Performance Goals (CPGs), voluntary practices that outline the highest-priority baseline measures businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber threats. The CPGs were developed by DHS, through the Cybersecurity and Infrastructure Security Agency (CISA), at the direction of the White House. Over the past year, CISA worked with hundreds of public and private sector partners and analyzed years of data to identify the key challenges that leave our nation at unacceptable risk. By clearly outlining measurable goals based on easily understandable criteria such as cost, complexity, and impact, the CPGs were designed to be applicable to organizations of all sizes. This effort is part of the Biden-Harris Administration’s ongoing work to ensure the security of the critical infrastructure and reduce our escalating national cyber risk.

“Organizations across the country increasingly understand that cybersecurity risk is not only a fundamental business challenge but also presents a threat to our national security and economic prosperity,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The new Cybersecurity Performance Goals will help organizations decide how to leverage their cybersecurity investments with confidence that the measures they take will make a material impact on protecting their business and safeguarding our country.”

CISA developed the CPGs in close partnership with the National Institute for Standards and Technology (NIST). The resulting CPGs are intended to be implemented in concert with the NIST Cybersecurity Framework. Every organization should use the NIST Cybersecurity Framework to develop a rigorous, comprehensive cybersecurity program. The CPGs prescribe an abridged subset of actions – a kind of “QuickStart guide” – for the NIST CSF to help organizations prioritize their security investments.

“To reduce risk to the infrastructure and supply chains that Americans rely on every day, we must have a set of baseline cybersecurity goals that are consistent across all critical infrastructure sectors,” said CISA Director Jen Easterly. “CISA has created such a set of cybersecurity performance goals to address medium-to-high impact cybersecurity risks to our critical infrastructure. For months, we’ve been gathering input from our partners across the public and private sectors to put together a set of concrete actions that critical infrastructure owners can take to drive down risk to their systems, networks and data. We look forward to seeing these goals implemented over the coming years and to receiving additional feedback on how we can improve future versions to most effectively reduce cybersecurity risk to our country.”

“The Biden-Harris Administration has relentlessly focused on securing our Nation’s critical infrastructure since day one,” said Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger. “CISA has demonstrated tremendous leadership in strengthening our critical infrastructure’s cyber resilience over the last year. The Cyber Performance Goals build on these efforts, by setting a higher cybersecurity standard for sectors to meet.”

“Given the myriad serious cybersecurity risks our nation faces, NIST looks forward to continuing to work with industry and government organizations to help them achieve these performance goals,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “Our priority remains bringing together the right stakeholders to further develop standards, guidelines and practices to help manage and reduce cybersecurity risk.”

In the months ahead, CISA will actively seek feedback on the CPGs from partners across the critical infrastructure community and has established a Discussions webpage to receive this input. CISA will also begin working directly with individual critical infrastructure sectors as it builds out sector-specific CPGs in the coming months.

To access these new CPGs visit CISA.gov/cpgs.

UK and allies expose Iranian state agency for exploiting cyber vulnerabilities for ransomware operations

The UK and international allies have issued a joint cyber security advisory highlighting that cyber actors affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) are exploiting vulnerabilities to launch ransomware operations against multiple sectors.

Iranian-state APT actors have been observed actively targeting known vulnerabilities on unprotected networks, including in critical national infrastructure (CNI) organisations.

The advisory, published by the National Cyber Security Centre (NCSC) − a part of GCHQ − alongside agencies from the US, Australia and Canada, sets out tactics and techniques used by the actors, as well as steps for organisations to take to mitigate the risk of compromise.

It updates an advisory issued in November 2021 which provided information about Iranian APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities.

They are now assessed to be affiliated to the IRGC and are continuing to exploit these vulnerabilities, as well as the Log4j vulnerabilities, to provide them with initial access, leading to further malicious activity including data extortion and disk encryption.

Paul Chichester, NCSC Director of Operations, said:

"This malicious activity by actors affiliated with Iran’s IRGC poses an ongoing threat and we are united with our international partners in calling it out.

“We urge UK organisations to take this threat seriously and follow the advisory’s recommendations to mitigate the risk of compromise.”

The NCSC urges organisations to follow the mitigation set out in the advisory, including:

- Keeping systems and software updated and prioritising remediating known exploited vulnerabilities
- Enforcing multi-factor authentication
- Making offline backups of your data

This advisory has been issued by the NCSC, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), US Cyber Command (USCC), Department of the Treasury (DoT), the Australian Cyber Security Centre (ACSC) and the Canadian Centre for Cybersecurity (CCCS).

NSA, CISA: How Cyber Actors Compromise OT/ICS and How to Defend Against It

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published a Cybersecurity Advisory that highlights the steps malicious actors have commonly followed to compromise operational technology (OT)/industrial control system (ICS) assets and provides recommendations on how to defend against them.

“Control System Defense: Know the Opponent” notes the increasing threats to OT and ICS assets that operate, control, and monitor day-to-day critical infrastructure and industrial processes. OT/ICS designs are publicly available, as are a wealth of tools to exploit IT and OT systems.

Cyber actors, including advanced persistent threat (APT) groups, have targeted OT/ICS systems in recent years to achieve political gains, economic advantages, and possibly to execute destructive effects. Recently, they’ve developed tools for scanning, compromising, and controlling targeted OT devices.

“Owners and operators of these systems need to fully understand the threats coming from state-sponsored actors and cybercriminals to best defend against them,” said Michael Dransfield, NSA Control Systems Defense Expert. “We’re exposing the malicious actors’ playbook so that we can harden our systems and prevent their next attempt.”

This joint Cybersecurity Advisory builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure. Noting that traditional approaches to securing OT/ICS do not adequately address threats to these systems, NSA and CISA examine the tactics, techniques, and procedures cyber actors employ so that owners and operators can prioritize hardening actions for OT/ICS.

Defenders should employ the mitigations listed in this advisory to limit unauthorized access, lock down tools and data flows, and deny malicious actors from achieving their desired effects.

UNOCT launches five new thematic guides on Protecting Vulnerable Targets Against Terrorist Attacks

The United Nations Office of Counter-Terrorism (UNOCT) hosted a high-level virtual event to launch five new specialized guides (modules) dedicated to the protection of particularly vulnerable targets against terrorist attacks, on 6 September 2022. “Vulnerable targets” refers to public places (e.g. tourist venues, urban centers, religious sites) or critical infrastructure (e.g. public transportation systems, energy sector) which are easily accessible and relatively unprotected, and therefore vulnerable to terrorist attacks.

The online launch event was opened by the Under-Secretary-General of the United Nations Office of Counter-Terrorism (UNOCT), Mr. Vladimir Voronkov, along with the Permanent Representative of Qatar to the United Nations, H.E. Ambassador Alya Ahmed Saif Al-Thani; Acting Executive Director of the United Nations Counter-Terrorism Committee Executive Directorate (CTED), Mr. Weixiong Chen; Director of the United Nations Interregional Crime and Justice Institute (UNICRI) Ms. Antonia Marie De Meo; and Chief of Cabinet of the Under-Secretary-General of the United Nations Alliance of Civilizations (UNAOC), Ms. Nihal Saad.

The participants included decision-makers, practitioners and experts on vulnerable targets protection from Member States, international and regional organizations, the private sector, civil society and academia, including members of the United Nations Global Expert Network to Protect Vulnerable Targets against Terrorist Attacks.

The high-level opening was streamed live via UN WebTV. It will be followed by an expert session, during which Member States will share experiences, good practices and tools related to the themes of the five modules:

1. The protection of “soft" targets;
2. The protection of touristic sites;
3. The protection of religious sites and places of worship;
4. The protection of urban centres; and
5. Threats posed by unmanned aircraft systems (UAS) to vulnerable targets.

The 5 modules are published in Arabic, English, French and Russian and are presented by the United Nations Global Programme on Countering Terrorist Threats Against Vulnerable Targets, which is led by UNOCT and jointly implemented with CTED, UNICRI and UNAOC.

The new guides present the knowledge and resources and lessons learned identified during the three Expert Group Meetings held by UNOCT with partners CTED, UNAOC and UNICRI in 2021. They also complement the 2018 United Nations Compendium of Good Practices on the Protection of Critical Infrastructure (CIP) against Terrorist AttacksPDF by focusing on public places/"soft" targets as distinct types of sites worthy of a dedicated security approach. The guides feature specific case studies, good practices and recommended tools from around the world to support both the public and private sectors to further strengthen the safety and security of their public places, keeping them open and accessible and promoting shared responsibility.

How to map the Cybersecurity Threat Landscape? Follow the ENISA 6-step Methodology

The cybersecurity threat landscape methodology developed by the European Union Agency for Cybersecurity (ENISA) aims at promoting consistent and transparent threat intelligence sharing across the European Union.

With a cyber threat landscape in constant evolution, the need for updated and accurate information on the current situation is growing and this a key element for assessing relevant risks.

This is why ENISA releases today an open and transparent framework to support the development of threat landscapes.

The ENISA methodology aims to provide a baseline for the transparent and systematic delivery of horizontal, thematic and sectorial cybersecurity threat landscapes (CTL) thanks to a systematic and transparent process for data collection and analysis.

Who can benefit from this new methodology?

This new methodology is made available to ENISA’s stakeholders and to other interested parties who wish to generate their own cyber threat landscapes. Adopting and/or adapting the proposed new CTL framework will enhance their ability to build situational awareness, to monitor and to tackle existing and potential threats.

ENISA will also be using this new methodology to deliver an enhanced annual ENISA Threat Landscape (ETL). It will also be used to generate technical or sectorial threat landscapes.

How does the methodology work?

The framework is based on the different elements considered in the performance of the cybersecurity threat landscape analysis. It therefore includes the identification and definition of the process, methods and tools used as well as the stakeholders involved.

Building on the existing modus operandi, this methodology provides directions on the following:

- defining components and contents of each of the different types of CTL;
- assessing the target audience for each type of CTL to be performed;
- how data sources are collected;
- how data is analysed;
- how data is to be disseminated;
- how feedback is to be collected and analysed.

The ENISA methodology consists of six main steps with feedback foreseen and associated to each of these steps:

1. Direction;
2. Collection;
3. Processing;
4. Analysis and production;
5. Dissemination;
6. Feedback

This CTL methodology has been validated by the ENISA ad-hoc working group on the Cybersecurity Threat Landscape (CTL WG). The group consists of European and international experts from both public and private sector entities.

Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks

U.S. critical infrastructure (such as utilities, financial services, and pipelines) faces increasing cybersecurity risks. Understanding these risks and associated vulnerabilities, threats, and impacts is essential to protecting critical infrastructure.

Cybersecurity Vulnerabilities, Threats, and Impacts

Vulnerabilities. Critical infrastructure has become more vulnerable to cyberattacks for reasons that include greater use of interconnected electronic systems.

Threats. Threat actors—such as nation-states, criminal groups, and terrorists—have become increasingly capable of carrying out cyberattacks on critical infrastructure.

Impacts. Federal and industry data indicate that cyberattacks—including those affecting critical infrastructure—generally have increased in frequency and cost.

Source: Prior GAO reports and GAO analysis of agency and industry documentation.

The effects of cyber incidents can spill over from the initial target to economically linked firms—magnifying damage to the economy. For example, in May 2021 the Colonial Pipeline Company learned that it was the victim of a cyberattack that led to short-lived gasoline shortages.

Cyber insurance and the Terrorism Risk Insurance Program (TRIP)—the government backstop for losses from terrorism—are both limited in their ability to cover potentially catastrophic losses from systemic cyberattacks. Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware. However, private insurers have been taking steps to limit their potential losses from systemic cyber events. For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages. TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements. However, cyberattacks may not meet the program's criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified.

The Department of the Treasury's Federal Insurance Office (FIO) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) both have taken steps to understand the financial implications of growing cybersecurity risks. However, they have not assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response. CISA is the primary risk advisor on critical infrastructure and FIO the federal monitor of the insurance sector. Accordingly, they are well-positioned to jointly perform such an assessment. Doing so and reporting the results to Congress can inform deliberations on whether a federal insurance response is warranted.

If such a response were deemed necessary, GAO's framework for providing federal assistance to private market participants (GAO-10-719) could help inform its design. The framework notes the need to define the problem, mitigate moral hazard (that the existence of a federal backstop could result in entities taking greater risks), and protect taxpayer interests. Consistent with these elements, any federal insurance response should include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants.

Cyber threats to critical infrastructure represent a significant economic challenge. Although cyber incident costs are paid in part by the private cyber insurance market, growing cyber threats have created uncertainty in this evolving market.

The Further Consolidated Appropriations Act, 2020, includes a provision for GAO to study cyber risks to U.S. critical infrastructure and available insurance for these risks. This report examines the extent to which (1) cyber risks for critical infrastructure exist; (2) private insurance covers catastrophic cyber losses and TRIP provides a backstop for such losses; and (3) cognizant federal agencies have assessed a potential federal response for cyberattacks.

GAO reviewed cyber insurance coverage literature and reports on cyber risk and the insurance market. GAO interviewed CISA and FIO officials and industry stakeholders (e.g., critical infrastructure owners, insurers, and brokers) that were selected based on factors such as expertise and market share.

Cyber insurance can help offset costs of some common cyber risks, like data breaches or ransomware. But cyber risks are growing, and cyberattacks targeting critical infrastructure—like utilities or financial services—could affect entire systems and result in catastrophic financial loss.

Insurers and the government's terrorism risk insurance may not be able to cover such losses. For example, the government's insurance may only cover cyberattacks if they can be considered "terrorism" under its defined criteria.

CISA and FIO should jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response, and inform Congress of the results of their assessment. Both agencies agreed with the recommendations.

1 2 3