State Government Cyber Updates

ACTIVE THREATS

New ZERO-DAY threat (updated 06/02/2022)

CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

On Monday, May 30, 2022, Microsoft issued CVE-2022-30190 for a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs; view, change, or delete data; or create new accounts in the context allowed by the user's rights.

Workarounds

To disable the MSDT URL Protocol: Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in System Settings as other or additional troubleshooters. Follow these steps to disable it:

1. Run Command Prompt as Administrator.

2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename" (replace filename with the path of the backup file).

3. Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".

How to undo the workaround

1. Run Command Prompt as Administrator.

2. To restore the registry key, execute the command "reg import filename" (the backup file created above).
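The two procedures above, the backup-and-delete workaround and its undo, wrapped in PowerShell so they can be applied, verified and reversed consistently across many hosts. This is an added example, not code from Microsoft's advisory; the backup location under ProgramData is an arbitrary assumption, and the script must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from Microsoft's CVE-2022-30190 advisory): PowerShell
# wrapper around the documented reg.exe workaround. Run elevated.
# Assumption: backup file path below is an arbitrary choice for this example.

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed location

function Test-MsdtProtocolRegistered {
    # True while the ms-msdt: URL protocol handler is still registered.
    return Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolRegistered)) {
        Write-Host 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Step 2 of the workaround: export the key first so it can be restored.
    & reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $KeyPath failed; not deleting the key."
    }
    # Step 3: remove the handler so ms-msdt: links no longer launch msdt.exe.
    & reg.exe delete $KeyPath /f | Out-Null
    if (Test-MsdtProtocolRegistered) { throw "Delete of $KeyPath failed." }
    Write-Host "ms-msdt handler removed; backup at $BackupFile"
}

function Restore-MsdtProtocol {
    # Undo: re-import the exported key once the patch is installed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if (-not (Test-MsdtProtocolRegistered)) { throw "Import of $BackupFile failed." }
    Write-Host "ms-msdt handler restored from $BackupFile"
}

# Usage (elevated prompt):
#   Disable-MsdtProtocol     # apply the workaround
#   Restore-MsdtProtocol     # undo it after patching
```

The delete step is refused unless the export succeeded and the backup file exists on disk, so a host is never left without a way to restore the handler.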

Microsoft Defender Detections & Protections

Customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

Customers of Microsoft Defender for Endpoint can enable the attack surface reduction rule "BlockOfficeCreateProcessRule", which blocks Office apps from creating child processes and therefore breaks the Office-to-msdt.exe launch chain this vulnerability relies on. Creating malicious child processes is a common malware strategy. For more information, see Microsoft's Attack surface reduction rules overview.
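Enabling and verifying that rule from PowerShell, as an added example rather than something from the advisory. The GUID is the identifier Microsoft publishes for "Block all Office applications from creating child processes"; the function names are this example's own.

```powershell
# Added example (not from Microsoft's advisory): enable the ASR rule that
# blocks Office applications from creating child processes, then verify it.
# The GUID is the rule identifier Microsoft documents for this rule.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-OfficeChildProcessRule {
    param([ValidateSet('Enabled', 'AuditMode', 'Disabled')] [string] $Mode = 'Enabled')
    # Add-MpPreference appends to the configured rule list; Set-MpPreference
    # would replace the whole list and silently drop rules set elsewhere.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Get-OfficeChildProcessRuleState {
    # Returns the configured action: 1 = Block, 2 = Audit, 0 = Disabled,
    # $null = rule not present in the local configuration.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $OfficeChildProcRule) {
            return $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    return $null
}

# Usage (elevated; Microsoft Defender Antivirus must be the active engine):
#   Set-OfficeChildProcessRule -Mode AuditMode   # stage first, review audit hits
#   Set-OfficeChildProcessRule -Mode Enabled     # then enforce
#   Get-OfficeChildProcessRuleState              # expect 1 once enforced
```

Staging in audit mode first is worth the extra step: ASR audit events (ID 1122) and block events (ID 1121) in the Microsoft-Windows-Windows Defender/Operational log show which Office add-ins or workflows would be interrupted before the rule is enforced.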

Microsoft Defender Antivirus provides detections and protections for possible exploitation of this vulnerability under the following signatures, using detection build 1.367.851.0 or higher:

·        Trojan:Win32/Mesdetty.A  (blocks msdt command line)

·        Trojan:Win32/Mesdetty.B  (blocks msdt command line)

·        Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)

·        Trojan:Win32/MesdettyScript.A (detects dropped HTML files that contain a suspicious msdt command)

·        Trojan:Win32/MesdettyScript.B (detects dropped HTML files that contain a suspicious msdt command)

Microsoft Defender for Endpoint provides customers with detections and alerts. The following alert titles in the Microsoft 365 Defender portal can indicate threat activity on your network:

·        Suspicious behavior by an Office application

·        Suspicious behavior by Msdt.exe
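A small hunt for the behaviour behind those two alert titles, an Office process launching msdt.exe or any process invoking the ms-msdt: protocol, for environments that collect process-creation telemetry but do not have Defender for Endpoint. This is an added example, not Microsoft's detection logic; the event records are constructed samples using Sysmon Event ID 1 field names, and the Office process list is this example's assumption.

```powershell
# Added example (not Microsoft's signature logic): flag msdt.exe launched by an
# Office process, or any command line that invokes the ms-msdt: handler.
# Sample records below are constructed, not real telemetry.
$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe')  # assumed list

function Test-SuspiciousMsdtLaunch {
    param([Parameter(Mandatory)] [psobject] $Event)
    $image  = [IO.Path]::GetFileName([string]$Event.Image).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName([string]$Event.ParentImage).ToLowerInvariant()
    $cmd    = [string]$Event.CommandLine
    $reasons = @()
    if ($image -eq 'msdt.exe' -and $OfficeParents -contains $parent) {
        $reasons += "msdt.exe spawned by Office process $parent"
    }
    if ($cmd -match '(?i)ms-msdt:') {
        $reasons += 'command line invokes the ms-msdt: protocol handler'
    }
    return ,$reasons   # empty array means benign
}

# Constructed sample events shaped like Sysmon Event ID 1 data.
$sampleEvents = @(
    [pscustomobject]@{ UtcTime = '2022-05-31 14:02:11'; Image = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "..."' }
    [pscustomobject]@{ UtcTime = '2022-05-31 14:05:40'; Image = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb' }   # user opened a troubleshooter
    [pscustomobject]@{ UtcTime = '2022-05-31 14:07:03'; Image = 'C:\Windows\splwow64.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'C:\Windows\splwow64.exe 12288' }                                # normal print helper
)

foreach ($e in $sampleEvents) {
    $why = Test-SuspiciousMsdtLaunch -Event $e
    if ($why.Count -gt 0) {
        Write-Host ('[ALERT] {0} {1} <- {2}: {3}' -f $e.UtcTime, $e.Image, $e.ParentImage, ($why -join '; '))
    }
}

# On a host with Sysmon, feed real Event ID 1 records through the same check:
# Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]' -MaxEvents 5000 |
#   ForEach-Object { $x = [xml]$_.ToXml(); $h = @{}
#                    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
#                    [pscustomobject]$h } |
#   Where-Object { (Test-SuspiciousMsdtLaunch -Event $_).Count -gt 0 }
```

Only the first sample is flagged. msdt.exe started from Explorer or Settings is routine, so the parent-process check keys on Office applications specifically; the ms-msdt: string check is parent-independent because the handler can be reached from other calling applications too.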

The MSRC team will continue to update CVE-2022-30190; please visit their CVE-2022-30190 page for further information.

 

----------------------------------------------------------------------------

 

Apache Log4j Vulnerability and the Log4shell exploit(s), Winter 2022:

updated 01/25/2022 - STS Log4j Vulnerability & Exploit Guide (PDF download)

Log4j is a ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services. Recently, a serious vulnerability in the popular Java logging package Log4j (CVE-2021-44228) was disclosed, posing a severe risk to millions of systems, from consumer products to enterprise software and web applications. The vulnerability (CVE-2021-44228) in the Apache Log4j logging library allows remote code execution (RCE), which attackers have used to deploy ransomware and crypto miners and to exfiltrate data. The Log4shell attack string can arrive over any channel whose input gets logged, including IMAP, DNS, SMTP, HTTP, and LDAP, and the resulting JNDI lookup then reaches out to an attacker-controlled server. This vulnerability is being widely exploited by a growing set of attackers, and we urge you to take action. Active Vulnerabilities:

For more information, please view the Strategic Technology Solutions Apache Log4j Vulnerability Exploit Quick Guide above, or CISA's Log4j Vulnerability Guidance site.  For further questions, you can reach out to the CISO’s office through the CyberSafeTN contact form.
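Taking action starts with knowing where Log4j is installed. The following is an added example, not part of the STS guide or CISA's guidance: a PowerShell inventory that finds log4j-core jars on a Windows host, reads the version from the file name, and checks whether the archive still contains the JndiLookup class that CVE-2021-44228 abuses. It builds a constructed sample jar in a temp directory so the logic can be exercised offline; the version threshold is 2.15.0, the first release that fixed CVE-2021-44228.

```powershell
# Added example (not from the STS guide): inventory log4j-core jars and report
# whether each still ships JndiLookup.class. The sample jar at the end is
# constructed for this example; point -Root at a real drive or app folder.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$JndiEntry    = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
$FixedVersion = [version]'2.15.0'   # first release fixing CVE-2021-44228

function Get-Log4jJarReport {
    param([Parameter(Mandatory)] [string] $Root)
    Get-ChildItem -Path $Root -Recurse -File -Filter 'log4j-core-*.jar' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $ver = $null
        if ($_.BaseName -match 'log4j-core-(\d+\.\d+\.\d+)') { $ver = [version]$Matches[1] }
        $hasJndi = $null   # stays $null if the archive cannot be read
        try {
            $zip = [IO.Compression.ZipFile]::OpenRead($_.FullName)
            try   { $hasJndi = [bool]($zip.Entries | Where-Object FullName -eq $JndiEntry) }
            finally { $zip.Dispose() }
        } catch { }
        [pscustomobject]@{
            Path          = $_.FullName
            Version       = $ver
            HasJndiLookup = $hasJndi
            Vulnerable    = ($null -ne $ver -and $ver -lt $FixedVersion -and $hasJndi -eq $true)
        }
      }
}

# Constructed sample: an old log4j-core jar that still contains JndiLookup.class.
$sampleRoot = Join-Path ([IO.Path]::GetTempPath()) 'log4j-scan-demo'
New-Item -ItemType Directory -Force -Path $sampleRoot | Out-Null
$jarPath = Join-Path $sampleRoot 'log4j-core-2.14.1.jar'
if (Test-Path $jarPath) { Remove-Item $jarPath }
$zip = [IO.Compression.ZipFile]::Open($jarPath, 'Create')
try { $zip.CreateEntry($JndiEntry) | Out-Null } finally { $zip.Dispose() }

Get-Log4jJarReport -Root $sampleRoot | Format-Table -AutoSize
```

The file-name filter only catches stand-alone log4j-core jars; applications that repackage Log4j inside a fat jar, WAR or EAR will not appear, so treat a clean report as a starting point, not a clearance. A jar that reports a pre-2.15.0 version but HasJndiLookup False has had the class removed, which is the mitigation Apache documented for installations that could not upgrade immediately.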

UPDATES

 A Message from CISA Regarding Karakurt Data Extortion Group (6/1/2022)

In partnership with the FBI, Treasury, and FinCEN, CISA published a joint Cybersecurity Advisory (CSA) with recommended actions and mitigations for organizations to take to protect against the reported tactics, techniques, and procedures (TTPs) of the Karakurt data extortion group, which has been creating significant challenges for defense and mitigation.

Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors claimed to steal data and threatened to auction it off or release it to the public unless they received payment of the demanded ransom. As of May 2022, several terabytes of data purported to belong to victims across North America and Europe, along with several "press releases" naming victims who had not paid or cooperated and instructions for participating in victim data "auctions," were reported to be hosted on a Karakurt-operated website on the deep web and on the dark web.

During reconnaissance, Karakurt actors appear to obtain access to victim devices primarily by purchasing stolen login credentials. They can also obtain access to already compromised victims from cooperating partners in the cybercrime community, or buy access to already compromised victims via third-party intrusion broker networks.

Actions that organizational leaders and network administrators can take today to mitigate cyber threats from ransomware include prioritizing patching known exploited vulnerabilities, training users to recognize and report phishing attempts, and enforcing multi-factor authentication (MFA). More recommended mitigations include: 

·        Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location. 

·        Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization. 

·        Regularly back up data and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides. 

·        Install and regularly update antivirus software on all hosts and enable real time detection. 

·        Review domain controllers, servers, workstations, and active directories for new or unrecognized accounts.    

Organizations are encouraged to review the advisory for all the details on the Karakurt actors, associated indicators of compromise, malicious behavior mapped to MITRE ATT&CK, and agency resources available to all organizations.  

All organizations should share information about incidents and unusual cyber activity with CISA and/or FBI. When cyber incidents are reported quickly, it can contribute to stopping further attacks. Organizations should inform CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870, or an FBI field office.

Your support to amplify this advisory through your communications and social media channels is appreciated. And as always, thank you for your continued collaboration. 

 

Alert (AA22-011A) Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure:

updated 01/25/2022 - Alert AA22-011A (CISA website)

This joint Cybersecurity Advisory (CSA)—authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)—is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. This overview is intended to help the cybersecurity community reduce the risk presented by these threats. CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation. For more information, please visit https://www.cisa.gov/uscert/ncas/alerts/aa22-011a.

 

Cyber Storm VIII Exercise, Spring 2022:

updated 08/06/2021 - CS VIII States Brief

  • As part of CISA’s efforts to strengthen cybersecurity preparedness and partnerships, we would like to provide some information regarding the upcoming Cyber Storm VIII exercise in Spring 2022.
  • Cyber Storm is CISA’s biennial cyber capstone exercise that provides a venue for participants to simulate the discovery of and response to a widespread coordinated cyberattack without the consequences of a real-world event. Cyber Storm brings together hundreds of agencies and organizations from across the public and private sectors to simulate response and coordination efforts to a significant cyber incident impacting the nation’s critical infrastructure with the aim of strengthening cybersecurity preparedness and response capabilities by exercising policies, processes, and procedures.
  • Cyber Storm is a distributed exercise, meaning organizations participate from their actual work locations. Interested states can participate either as a Victim organization or elect to participate in tandem with MS-ISAC as a Monitor and Respond organization. Victim organizations are directly affected by the incident, whereas Monitor and Respond organizations utilize normal communication channels, such as the MS-ISAC and government bulletins, to monitor events during the exercise and respond appropriately. 
  • States interested in participating as Victim organizations will actively work with the Cyber Storm Planning Team over the course of the fall and winter to plan the extent of their organization’s participation in the exercise and develop customized scenario injects to meet their organization’s unique goals and level of play.
  • The next planning meeting is the Midterm Planning Meeting, scheduled to be held in-person and virtually in McLean, VA, on September 16, 2021.
  • The Cyber Storm Planning Team looks forward to working with members of your organization as we work together to increase cybersecurity preparedness and strengthen partnerships. For your convenience, we attached a quick overview of Cyber Storm VIII. Please contact Marshall Garnuette (Garnuette_Marshall@bah.com), Cyber Storm States Working Group Lead to learn more about participating in Cyber Storm VIII.