CISA and Partners Release Joint Guide to Securing Remote Access Software

The Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Israel National Cyber Directorate (INCD) released the Guide to Securing Remote Access Software. This new joint guide is the result of a collaborative effort to provide an overview of legitimate uses of remote access software, as well as common exploitations and associated tactics, techniques, and procedures (TTPs), and how to detect and defend against malicious actors abusing this software.

Remote access software provides organizations with a broad array of capabilities to maintain and improve information technology (IT), operational technology (OT), and industrial control system (ICS) services; however, malicious actors often exploit this software for easy and broad access to victim systems.

CISA encourages organizations to review this joint guide for recommendations and best practices to implement in alignment with their specific cybersecurity requirements to better detect and defend against exploitation. Additionally, please refer to the additional information below on guidance for MSPs and small- and mid-sized businesses and on malicious use of remote monitoring and management software in using remote software and implementing mitigations.

CISA and Partners Release Cybersecurity Advisory Guidance detailing PRC state-sponsored actors evading detection by “Living off the Land”

The Cybersecurity & Infrastructure Security Agency (CISA) joined the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners in releasing a joint cybersecurity advisory highlighting recently discovered activities conducted by a People’s Republic of China (PRC) state-sponsored cyber threat actor.

This advisory highlights how PRC cyber actors use techniques called “living off the land” to evade detection by using built-in networking administration tools to compromise networks and conduct malicious activity. This enables the cyber actor to blend in with routine Windows system and network activities, limit activity and data captured in default logging configurations, and avoid endpoint detection and response (EDR) products that could alert to the introduction of third-party applications on the host or network. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.

The authoring agencies have identified potential indicators associated with these techniques. To hunt for this activity, CISA and partners encourage network defenders to use the actor’s commands and detection signatures provided in this advisory. CISA and partners further encourage network defenders to view the indicators of compromise (IOCs) and mitigations summaries to detect this activity.

Cyber Agencies and Allies Partner to Identify Russian Snake Malware Infrastructure Worldwide

The National Security Agency (NSA) and several partner agencies have identified infrastructure for Snake malware—a sophisticated Russian cyberespionage tool—in over 50 countries worldwide.

To assist network defenders in detecting Snake and any associated activity, the agencies are publicly releasing the joint Cybersecurity Advisory (CSA), “Hunting Russian Intelligence “Snake” Malware” today.

The agencies, which include the NSA, Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Cyber National Mission Force (CNMF), Canadian Cyber Security Centre (CCCS), United Kingdom National Cyber Security Centre (NCSC-UK), Australian Cyber Security Centre (ACSC), and New Zealand National Cyber Security Centre (NCSC-NZ) attribute Snake operations to a known unit within Center 16 of Russia’s Federal Security Service (FSB). The international coalition has identified Snake malware infrastructure across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia.

“Russian government actors have used this tool for years for intelligence collection,” said Rob Joyce, NSA Director of Cybersecurity. “Snake infrastructure has spread around the world. The technical details will help many organizations find and shut down the malware globally.”

Malicious cyber actors used Snake to access and exfiltrate sensitive international relations documents, as well as other diplomatic communications, through a victim in a North Atlantic Treaty Organization (NATO) country.

In the U.S., the FSB has victimized industries including education institutions, small businesses, and media organizations. Critical infrastructure sectors, such as local government, finance, manufacturing, and telecommunications, have also been impacted.

Typically, Snake malware is deployed to external-facing infrastructure nodes on a network. From there, it uses other tools, and techniques, tactics, and procedures (TTPs) on the internal network to conduct additional exploitation operations.

Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Republic of Korea’s Defense Security Agency and National Intelligence Service have released a joint Cybersecurity Advisory (CSA), Ransomware Attacks on Critical Infrastructure Fund Democratic People’s Republic of Korea (DPRK) Espionage Activities, to warn network defenders of malicious activity targeting U.S. and South Korean Healthcare and Public Health (HPH) Sector organizations as well as other critical infrastructure sectors.

In addition to other tactics, these malicious cyber actors have been exploiting vulnerabilities, such as Log4Shell CVE-2021-44228, SMA100 Apache CVE-2021-20038, and/or TerraMaster OS CVE-2022-24990, to gain access and escalate privileges on victim’s networks. After initial access, DPRK actors use staged payloads with customized malware to perform malicious movements, use various ransomware tools and demand ransom in cryptocurrency.

This advisory is a supplement to a July 2022 joint advisory on North Korean state-sponsored cyber actors using Maui ransomware to target HPH sector.

All organizations are encouraged to review the CSA for complete details on this threat and recommended mitigations, which also includes specific mitigations that HPH organizations should implement. This advisory is available on stopransomware.gov, the USG one-stop resource for advisories on the ransomware threat and available no-cost resources.

NSA, CISA, and MS-ISAC Release Guidance for Securing Remote Monitoring and Management Software

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released the “Protecting Against Malicious Use of Remote Monitoring and Management Software” Cybersecurity Advisory (CSA) today to help network defenders protect against the malicious use of legitimate remote monitoring and management (RMM) software.

RMM software is commonly used by managed service providers (MSPs) and help desks to provide security and/or technical support. The software is intended to enable network management, endpoint monitoring, and remote interaction with hosts for IT-support functions. Malicious use of RMM software allows cybercriminals and advanced persistent threat (APT) actors to bypass anti-virus/anti-malware defenses.

In October, CISA identified a widespread cyber campaign in which cybercriminal actors leveraged RMM software to gain command and control of devices and accounts. Malicious cyber actors could leverage these same techniques to target National Security Systems (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) networks and use legitimate RMM software on both work and home devices and accounts. Other RMM software solutions could be abused to similar effect.

CISA, NSA, and MS-ISAC encourage network defenders to apply mitigations such as the following:

- Audit installed remote access tools to identify RMM software.
- Implement application controls to prevent execution of unauthorized RMM software.
- Use only authorized RMM software on your network over approved remote access solutions, such as VPN or VDI.
- Block both inbound and outbound connections on common RMM ports and protocols.

Read full report at www.media.defense.gov/2023/Jan/25/2003149873/-1/-1/0/JOINT_CSA_RMM.PDF

ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Suppliers

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and Office of the Director of National Intelligence (ODNI) released Securing the Software Supply Chain: Recommended Practices Guide for Suppliers. The product is through the Enduring Security Framework (ESF) — a public-private cross-sector working group led by NSA and CISA that provides cybersecurity guidance to address high priority threats to the nation’s critical infrastructure.

In an effort to provide guidance to suppliers, ESF examined the events that led up to the SolarWinds attack, which made clear that investment was needed to create a set of industry and government evaluated best practices focusing on the needs of the software supplier.

Cyberattacks target an enterprise’s use of cyberspace to disrupt, disable, destroy, or maliciously control a computing environment or infrastructure, destroy the integrity of data, or steal controlled information. A malicious actor can take advantage of a single vulnerability in the software supply chain and have a severe negative impact on computing environments or infrastructure.

Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code, verify third party components, and harden the build environment. But the supplier also holds a critical responsibility in ensuring the security and integrity of our software. After all, the software vendor is responsible for liaising between the customer and software developer. It is through this relationship that additional security features can be applied via contractual agreements, software releases and updates, notifications and mitigations of vulnerabilities.

Software suppliers will find guidance from NSA and our partners on preparing organizations by defining software security checks, protecting software, producing well-secured software, and responding to vulnerabilities on a continuous basis. Until all stakeholders seek to mitigate concerns specific to their area of responsibility, the software supply chain cycle will be vulnerable and at risk for potential compromise.

NSA Releases Guidance on How to Protect Against Software Memory Safety Issues

The National Security Agency (NSA) has published guidance to help software developers and operators prevent and mitigate software memory safety issues, which account for a large portion of exploitable vulnerabilities.

The “Software Memory Safety” Cybersecurity Information Sheet highlights how malicious cyber actors can exploit poor memory management issues to access sensitive information, promulgate unauthorized code execution, and cause other negative impacts.

“Memory management issues have been exploited for decades and are still entirely too common today,” said Neal Ziring, Cybersecurity Technical Director. “We have to consistently use memory safe languages and other protections when developing software to eliminate these weaknesses from malicious cyber actors.”

Microsoft and Google have each stated that software memory safety issues are behind around 70 percent of their vulnerabilities. Poor memory management can lead to technical issues as well, such as incorrect program results, degradation of the program’s performance over time, and program crashes.

NSA recommends that organizations use memory safe languages when possible and bolster protection through code-hardening defenses such as compiler options, tool options, and operating system configurations.

NSA, CISA release Kubernetes Hardening Guidance

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, “Kubernetes Hardening Guidance,”. This report details threats to Kubernetes environments and provides configuration guidance to minimize risk.
Kubernetes is an open source system that automates the deployment, scaling, and management of applications run in containers. Kubernetes clusters are often hosted in a cloud environment, and provide increased flexibility from traditional software platforms.
Kubernetes is commonly targeted for three reasons: data theft, computational power theft, or denial of service. Data theft is traditionally the primary motivation; however, cyber actors may attempt to use Kubernetes to harness a network’s underlying infrastructure for computational power for purposes such as cryptocurrency mining.
The report details recommendations to harden Kubernetes systems. Primary actions include the scanning of containers and Pods for vulnerabilities or misconfigurations, running containers and Pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing.
To ensure the security of applications, system administrators should follow the guidance in the Cybersecurity Technical Report and keep up to date with patches, updates, and upgrades to minimize risk. NSA and CISA also recommend periodic reviews of Kubernetes settings and vulnerability scans to ensure appropriate risks are accounted for and security patches are applied.
NSA and CISA’s guidance focuses on security challenges and recommends system administrators harden their environments where possible. NSA is releasing this guidance as part of our mission to support the Department of Defense, the Defense Industrial Base, and National Security Systems.

NSA, CISA, and FBI detail Chinese State-Sponsored Actions, Mitigations

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a Cybersecurity Advisory, Chinese State-Sponsored Cyber Operations: Observed TTPs. This advisory describes over 50 tactics, techniques, and procedures (TTPs) Chinese state-sponsored cyber actors used when targeting U.S. and allied networks, and details mitigations.
Chinese state-sponsored cyber activity poses a major threat to U.S. and allied systems. These actors aggressively target political, economic, military, educational, and critical infrastructure personnel and organizations to access valuable, sensitive data. These cyber operations support China’s long-term economic and military objectives.
One significant tactic detailed in the advisory includes the exploitation of public vulnerabilities within days of their public disclosure, often in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. This advisory provides specific mitigations for detailed tactics and techniques aligned to the recently released, NSA-funded MITRE D3FEND framework.
General mitigations outlined include: prompt patching; enhanced monitoring of network traffic, email, and endpoint systems; and the use of protection capabilities, such as an antivirus and strong authentication, to stop malicious activity.

NSA Releases Guidance on Securing Unified Communications and Voice and Video over IP Systems

NSA released a Cybersecurity Technical Report that provides best practices and mitigations for securing Unified Communications (UC) and Voice and Video over IP (VVoIP) call-processing systems. The comprehensive report, “Deploying Secure Unified Communications/Voice and Video over IP Systems,” also describes potential risks to UC/VVoIP systems that aren’t properly secured.
To complement the larger report, NSA published an abridged Cybersecurity Information Sheet to capture key takeways and introduce the steps organizations should take when securing their UC/VVoIP systems.
UC and VVoIP are workplace call-processing systems that provide a variety of collaboration tools as well as the flexibility to communicate using voice, video conferencing and instant messaging. The access to advanced call-processing features and centralization of management have made UC and VVoIP popular in enterprise environments, including National Security System, Department of Defense and Defense Industrial Base networks.
The IP infrastructure that enables UC/VVoIP systems also presents risks that were less prevalent in the prior generation of call centers. If UC/VVoIP systems are not properly secured, they are susceptible to the same malicious activity targeting existing IP systems through spyware, viruses, software vulnerabilities or other malicious means. Malicious actors could penetrate the IP networks to eavesdrop on conversations, impersonate users, commit toll fraud and perpetrate denial of service attacks. High-definition room audio and video could also be covertly collected.
To securely deploy UC/VVOIP systems, NSA provides best practices to use when preparing networks, establishing network perimeters, using enterprise session controllers and adding endpoints to deploy a UC/VVOIP system.
Methods to minimize the risk to UC/VVOIP systems include segmenting the networks to limit access to a common set of devices, ensuring timely patching, authentication and encryption of all signaling and media traffic, and verifying the security of devices before adding them to a network.
1 2