State Government Cyber Updates

ACTIVE INDUSTRY THREATS

Ivanti Vulnerabilities (01/19/24) - CISA has issued Emergency Directive (ED) 24-01, Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities, in response to actively exploited vulnerabilities in two Ivanti products: Ivanti Connect Secure and Ivanti Policy Secure. ED 24-01 directs all Federal Civilian Executive Branch (FCEB) agencies running Ivanti Connect Secure and Ivanti Policy Secure to:

  • Implement the mitigations as detailed in the ED;
  • Report indications of compromise to CISA;
  • Remove compromised products from agency networks and follow the ED’s comprehensive instructions for restoring and bringing the products back into service;
  • Apply the updates to the products within 48 hours of Ivanti releasing them;
  • Provide CISA with a report that includes a complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks, and details on actions taken and results.

Although this directive applies only to FCEB agencies, CISA strongly encourages all organizations to address the vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure. For additional details, see CISA’s Alert, Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways, which CISA will update with further mitigations and patches as they become available.

Apache ActiveMQ / HelloKitty Ransomware (11/02/23) - On 10/27/2023 CVE-2023-46604 was published to the NIST National Vulnerability Database with a CVSS score of 10 (Critical). This is a remote code execution vulnerability that affects multiple versions of Apache ActiveMQ, and it has been actively exploited in the wild by the HelloKitty ransomware group since 10/27/2023. Successful exploitation allows an attacker to execute arbitrary code with the same privileges as the ActiveMQ server. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fix this issue. Technical analysis of the attack from Rapid7 explains that the vulnerability is reached through the Apache ActiveMQ OpenWire transport connector, which listens for TCP connections (TCP port 61616 by default) and is enabled by default; the attacker can supply a malicious XML configuration file over HTTP from a remote URL. Affected versions:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Indicators of Compromise (IOC): https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/
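As an added defender-side example (not from the bulletin, Apache, or Rapid7), the following Python script triages a constructed broker inventory against the CVE-2023-46604 affected ranges and the default OpenWire port listed above; the inventory format, product labels and host names are assumptions made for illustration.

```python
"""Triage an Apache ActiveMQ inventory against the CVE-2023-46604 ranges.

Added example.  The version ranges and the default OpenWire port (61616)
come from the bulletin; the inventory layout and host names are constructed.
"""
import re

# (first affected, first fixed) per release line, as listed in the bulletin.
# A range is [lo, hi): lo is affected, hi is the fixed release to move to.
ACTIVEMQ_RANGES = [
    ("5.18.0", "5.18.3"),
    ("5.17.0", "5.17.6"),
    ("5.16.0", "5.16.7"),
    ("0.0.0", "5.15.16"),   # "Apache ActiveMQ before 5.15.16"
]
LEGACY_OPENWIRE_RANGES = [
    ("5.18.0", "5.18.3"),
    ("5.17.0", "5.17.6"),
    ("5.16.0", "5.16.7"),
    ("5.8.0", "5.15.16"),   # legacy module: 5.8.0 up to, not including, 5.15.16
]
PRODUCT_RANGES = {          # product labels are an assumption of this example
    "activemq": ACTIVEMQ_RANGES,
    "legacy-openwire": LEGACY_OPENWIRE_RANGES,
}
OPENWIRE_DEFAULT_PORT = 61616


def parse_version(text):
    """'5.15.15', '5.18' or '5.18.2-SNAPSHOT' -> a comparable 3-tuple of ints."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def fixed_release_for(product, version):
    """Return the fixed release the host should upgrade to, or None when the
    version lies outside every affected range (already fixed or not listed)."""
    v = parse_version(version)
    for lo, hi in PRODUCT_RANGES[product]:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def is_affected(product, version):
    return fixed_release_for(product, version) is not None


def triage(inventory):
    """inventory: dicts with host, product, version and listening TCP ports.
    Returns affected hosts, highest priority first: an affected broker with
    the OpenWire port listening outranks one where it is closed."""
    findings = []
    for item in inventory:
        target = fixed_release_for(item["product"], item["version"])
        if target is None:
            continue
        exposed = OPENWIRE_DEFAULT_PORT in item.get("listening_ports", set())
        findings.append({"host": item["host"], "version": item["version"],
                         "upgrade_to": target, "openwire_listening": exposed})
    findings.sort(key=lambda f: (not f["openwire_listening"], f["host"]))
    return findings


# Constructed sample inventory (not real hosts or observations).
SAMPLE_INVENTORY = [
    {"host": "mq-a", "product": "activemq", "version": "5.18.2", "listening_ports": {8161, 61616}},
    {"host": "mq-b", "product": "activemq", "version": "5.18.3", "listening_ports": {61616}},
    {"host": "mq-c", "product": "activemq", "version": "5.15.15", "listening_ports": {8161}},
    {"host": "mq-d", "product": "legacy-openwire", "version": "5.7.0", "listening_ports": {61616}},
    {"host": "mq-e", "product": "activemq", "version": "5.7.0", "listening_ports": set()},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```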

WinRAR versions older than 6.23 (8/2/23) - A high-severity vulnerability has been found in WinRAR versions older than 6.23 that can execute commands on a computer simply by opening an archive. The vulnerability was reported on June 8, 2023, and a patch that fixes the issue was released on August 2, 2023. The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened. The vulnerability is known to be exploited in the wild, and CISA added it to its Known Exploited Vulnerabilities Catalog on August 24, 2023. The flaw can be fixed by updating to the newest version, 6.23.

MOVEit Transfer by Progress (6/5/23) - A critical vulnerability has been discovered in the software MOVEit Transfer by Progress. This vulnerability is being actively exploited in the wild right now and must be addressed via a patch. If you use MOVEit Transfer, it is critical that you ensure that you are running a version that is no longer vulnerable to this attack. More information on the attack and the fixed versions may be found at the software’s official site https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 as well as below:

SQL Injection (CVE-2023-34362)

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements. NOTE: this was exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS.

All MOVEit Transfer versions are affected by this vulnerability.

PaperCut MF/NG Exploit CVE-2023-27350 (5/11/23) - The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (CSA) with recommended actions and mitigations to protect against cyber actors exploiting a vulnerability (CVE-2023-27350) in certain versions of PaperCut, a print management software. When exploited, an unauthenticated actor is able to execute malicious code remotely without credentials. The advisory provides technical details on the Bl00dy Ransomware Gang, which the FBI observed in early May 2023 attempting to exploit vulnerable PaperCut servers in the Education Facilities Subsector. Some of these operations by the Bl00dy Ransomware Gang led to data exfiltration, encryption, and ransom notes left on victim systems. PaperCut released a patch for CVE-2023-27350 in March 2023. Users and administrators are strongly urged to immediately apply patches, or workarounds if unable to patch. All organizations, especially K-12 schools and school districts, are urged to implement the recommended mitigations. The CSA also includes indicators of compromise to help cybersecurity professionals detect whether this exploitation activity is present on their networks. Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a

Microsoft Outlook Elevation of Privilege Vulnerability (updated 03/16/2023) - On Tuesday, March 14, Microsoft disclosed a new critical (CVSS 3.1 score 9.8) Microsoft Outlook privilege escalation vulnerability as part of its March Patch Tuesday release, officially assigned CVE-2023-23397. The attack complexity is rated as "Low" with no user interaction required, meaning that an attacker can attempt to exploit this vulnerability merely by sending the victim a specially crafted email or message. Read more: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

IBM Aspera Faspex (updated 02/28/2023) - IBM Aspera Faspex, IBM's high-speed file transfer application for extremely large files, contains a flaw. On 21 Feb 2023, CVE-2022-47986 was added to the CVE database and identifies a flaw in the application. CISA stated the flaw poses “significant risks to the Federal enterprise” and set a deadline of 14 March 2023 for all affected Federal agencies to patch their systems with the vendor-supplied patch (dated 18 January 2023).

More information can be found at the following links:

Git, GitHub, and GitLab Vulnerabilities (updated 01/23/2023)

New vulnerabilities in Git and GitLab have been found involving git log and gitattributes that could lead to remote code execution and system compromise. Git, GitHub, and GitLab have released patches that address these vulnerabilities. This primarily affects "local" installations, as GitHub.com has already taken steps to prevent the potential exploit and has reviewed all code repositories on the site to confirm they have not been affected.

The following actions should be taken immediately.

  • Any local installations of Git, GitHub, or GitLab should be patched immediately.
  • Developers should run as a normal user and elevate privileges only when needed, rather than running as an administrator, to reduce the likelihood of PC compromise.
  • Developers using Git should be extra vigilant when downloading code from public repositories.
  • Locally hosted repositories should be verified as not being accessible to the public.

More information can be found at the following links:

Zeppelin Ransomware - Alert AA22-223A (updated 08/11/2022)

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Zeppelin ransomware IOCs and TTPs associated with ransomware variants identified through FBI investigations as recently as 21 June 2022. The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report: pdf, 999 kb
Download the YARA signature for Zeppelin: YARA Signature, .yar 125 kb
Download the IOCs: .stix 113 kb

----------------------------------------------------------------------------

CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability (updated 06/02/2022)  

On Monday, May 30, 2022, Microsoft issued CVE-2022-30190 for a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs; view, change, or delete data; or create new accounts in the context allowed by the user’s rights.

The MSRC Team will continue to update CVE-2022-30190; please visit their CVE-2022-30190 page for further information.

----------------------------------------------------------------------------

Apache Log4j Vulnerability and the Log4shell exploit(s), Winter 2022 (updated 01/25/2022)

Log4j is a ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services. Recently, a serious vulnerability in the popular Java logging package Log4j (CVE-2021-44228) was disclosed, posing a severe risk to millions of systems, from consumer products to enterprise software and web applications. The vulnerability (CVE-2021-44228) in the Apache Log4j logging library allows remote code execution (RCE), which attackers have used to deploy ransomware and crypto miners and to exfiltrate data. Log4shell attacks can be delivered through a variety of protocols, including IMAP, DNS, SMTP, HTTP, and LDAP. This vulnerability is being widely exploited by a growing set of attackers, and we urge you to take action.

For more information, please view the Strategic Technology Solutions Apache Log4j Vulnerability Exploit Quick Guide (PDF download), or CISA's Log4j Vulnerability Guidance site. For further questions, you can reach out to the CISO’s office through the CyberSafeTN contact form.

CYBER NEWS & UPDATES

LockBit 3.0 Ransomware (03/16/23) - The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published a joint Cybersecurity Advisory (CSA) with recommended actions and mitigations to protect against LockBit 3.0 ransomware. Actions that organizations can take today to mitigate the ransomware threat include prioritizing remediation of known exploited vulnerabilities (KEVs), training users to recognize and report phishing attempts, and enabling and enforcing multifactor authentication with strong passwords. Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a

CISA published a Cybersecurity Advisory (CSA) detailing tactics, techniques, and procedures (TTPs) and key findings from a 2022 Red Team assessment to give network defenders of critical infrastructure organizations proactive steps they can take to reduce the threat of similar activity from malicious cyber actors (2/28/23) - The advisory, titled CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks, highlights the importance for all organizations, regardless of cybersecurity maturity level, of collecting and monitoring logs for unusual activity and of continuous testing and exercises to ensure their environment is not vulnerable to compromise. During the assessment, CISA’s red team emulated cyber threat actors to assess the detection and response capabilities of a large critical infrastructure organization with multiple geographically separated sites. The CSA includes the key findings that contributed to persistent, undetected access across the organization’s sites.

CISA released its 2022 Year in Review (1/12/23), which highlights the tremendous work of CISA’s teammates and partners over the past year. Organized around the four goals outlined in their Strategic Plan (Cyber Defense, Risk Reduction and Resilience, Operational Collaboration, and Agency Unification), the report highlights key achievements toward the agency’s vision of ensuring a secure and resilient critical infrastructure for the American people.

CISA released a new product, Securing Small and Medium-Sized Business (SMB) Supply Chains: A Resource Handbook to Reduce Information and Communication Technology Risks (1/10/23) - Developed by the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, the handbook provides an overview of the highest supply chain risk categories commonly faced by ICT SMBs, including cyber risks. It also contains several use cases and applicable resources to help ICT SMBs identify the supply chain security practices they can adopt to enhance their security. The handbook was designed to provide supply chain guidance to SMBs that may have limited finances, share resources on how to enhance SMB reporting and vetting processes when purchasing ICT, and offer methods and guidance to tackle the most common and highest-priority risks faced by SMBs. To download the product, please visit CISA.gov/sites/default/files/publications/Securing-SMB-Supply-Chains_Resource-Handbook_508.pdf. For more information or questions, email ICT_SCRM_Taskforce@cisa.dhs.gov.

CISA releases Resilient Power Best Practices for Critical Facilities and Sites (12/15/22) - This document supports emergency and continuity managers with guidelines, analysis, background material, and references to increase the resilience of backup and emergency power systems during power outages of any duration. Improving power resilience can help the nation withstand and recover rapidly from deliberate attacks, accidents, natural disasters, and unconventional stresses, shocks, and threats to our economy and democratic system.

CISA updates Infrastructure Resilience Planning Framework (11/29/22) - The framework gives advice and resources for improving the security and resilience of critical infrastructure. Updates include guidance on bringing diverse perspectives into planning efforts and on drought-related risks.

CISA releases new Red Team Tool – RedEye (10/14/2022) - CISA released RedEye, an interactive open-source analytic tool for use by Red Teams to visualize and report command and control activities. This tool was developed in partnership with the Department of Energy’s Pacific Northwest National Laboratory. It allows a Red Team operator to quickly assess complex data associated with an engagement or penetration test (pen test), evaluate mitigation strategies, and enable effective decision making to strengthen an organization’s cybersecurity posture.

RedEye ingests Cobalt Strike logs from a pen test or Red Team engagement that uses Cobalt Strike. With this information, the tool arranges the logs so they can be easily queried and displays them in a graphical timeline format. RedEye also parses the logs and presents the data to each operator. Operators can then tag and comment on the activities in the tool, and a presentation mode can then be used to present findings and workflow to stakeholders.

Using this tool, Red Teams can quickly organize information and communicate findings, key events, and penetration paths, which would otherwise be a manual process of scrolling through thousands of lines of text. For more information, CISA encourages users to review RedEye on GitHub and watch CISA’s RedEye tool overview video.

CISA, NSA and FBI Release Advisory on PRC State-Sponsored Malicious Cyber Activity (10/06/2022) - The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) with details about the top vulnerabilities used and exploited since 2020 by People’s Republic of China (PRC) state-sponsored cyber actors to actively target U.S. and allied networks, as well as software and hardware companies, to steal intellectual property and develop access into sensitive networks.

The PRC state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. The majority of the listed common vulnerabilities and exposures (CVEs) allow remote code execution, meaning an adversary could exploit those specific vulnerabilities to gain unauthorized access and take control of an affected system. Many of the known vulnerabilities in this CSA allow the actors to operate in a stealthy manner to gain unauthorized access into sensitive networks. Once they gain unauthorized access inside a network, these actors seek to establish persistence and move laterally to other internally connected networks.

The CSA provides an appendix with a clear, concise description of each CVE and the vulnerable technologies and versions; it also provides recommended mitigations and detection methods, where any exist. Some of the actions in this CSA that can help protect networks include:

  • Update and patch systems, including those in this CSA and CISA’s known exploited vulnerabilities catalog.  
  • Use phishing-resistant multi-factor authentication whenever possible.  
  • Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised. 
  • Block obsolete or unused protocols at the network edge. 
  • Upgrade or replace end-of-life devices. 
  • Move toward the Zero Trust security model.
  • Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity.

Joint Cybersecurity Advisory from CISA and FBI regarding Zeppelin Ransomware (8/11/2022) - The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently released a joint Cybersecurity Advisory (CSA) with technical details on Zeppelin ransomware along with recommended actions, mitigations, and resources that organizations can use to protect against and respond to this cyber threat.

Observed as recently as April 2022, malicious actors using Zeppelin exploit vulnerabilities in Remote Desktop Protocol (RDP) and SonicWall firewalls, and use phishing campaigns, to gain initial access to victims’ networks. The advisory contains several indicators of compromise (file hashes) that network defenders can use to detect whether this threat is present on their networks.

A Message from CISA Regarding Karakurt Data Extortion Group (6/1/2022)

In partnership with the FBI, Treasury, and FinCEN, CISA published a joint Cybersecurity Advisory (CSA) with recommended actions and mitigations for organizations to take to protect against the reported tactics, techniques, and procedures (TTPs) of the Karakurt data extortion group, which has been creating significant challenges for defense and mitigation.

Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors claimed to steal data and threatened to auction it off or release it to the public unless they received payment of the demanded ransom. As of May 2022, several terabytes of data purported to belong to victims across North America and Europe, along with several “press releases” naming victims who had not paid or cooperated and instructions for participating in victim data “auctions”, were reported to be hosted on Karakurt-operated websites located on the deep web and the dark web.

During reconnaissance, Karakurt actors appear to obtain access to victim devices primarily by purchasing stolen login credentials. They can also obtain access to already compromised victims from cooperating partners in the cybercrime community, or buy access to already compromised victims via third-party intrusion broker networks.

Actions that organizational leaders and network administrators can take today to mitigate cyber threats from ransomware include prioritizing patching known exploited vulnerabilities, training users to recognize and report phishing attempts, and enforcing multi-factor authentication (MFA). More recommended mitigations include: 

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
  • Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization.
  • Regularly back up data and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Install and regularly update antivirus software on all hosts and enable real-time detection.
  • Review domain controllers, servers, workstations, and Active Directory for new or unrecognized accounts.

Organizations are encouraged to review the advisory for all the details on the Karakurt actors, associated indicators of compromise, malicious behavior mapped to MITRE ATT&CK, and agency resources available to all organizations.  

All organizations should share information about incidents and unusual cyber activity with CISA and/or FBI. When cyber incidents are reported quickly, it can contribute to stopping further attacks. Organizations should inform CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870, or an FBI field office.

Your support to amplify this advisory through your communications and social media channels is appreciated. And as always, thank you for your continued collaboration. 

Alert (AA22-011A) Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure:

updated 01/25/2022 - Alert AA22-011A (CISA website)

This joint Cybersecurity Advisory (CSA)—authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)—is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. This overview is intended to help the cybersecurity community reduce the risk presented by these threats. CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation. For more information, please visit https://www.cisa.gov/uscert/ncas/alerts/aa22-011a.


Cyber Storm VIII Exercise, Spring 2022:

updated 08/06/2021 - CS VIII States Brief

  • As part of CISA’s efforts to strengthen cybersecurity preparedness and partnerships, we would like to provide some information regarding the upcoming Cyber Storm VIII exercise in Spring 2022.
  • Cyber Storm is CISA’s biennial cyber capstone exercise that provides a venue for participants to simulate the discovery of and response to a widespread coordinated cyberattack without the consequences of a real-world event. Cyber Storm brings together hundreds of agencies and organizations from across the public and private sectors to simulate response and coordination efforts to a significant cyber incident impacting the nation’s critical infrastructure with the aim of strengthening cybersecurity preparedness and response capabilities by exercising policies, processes, and procedures.
  • Cyber Storm is a distributed exercise, meaning organizations participate from their actual work locations. Interested states can participate either as a Victim organization or elect to participate in tandem with MS-ISAC as a Monitor and Respond organization. Victim organizations are directly affected by the incident, whereas Monitor and Respond organizations utilize normal communication channels, such as the MS-ISAC and government bulletins, to monitor events during the exercise and respond appropriately. 
  • States interested in participating as Victim organizations will actively work with the Cyber Storm Planning Team over the course of the fall and winter to plan the extent of their organization’s participation in the exercise and develop customized scenario injects to meet their organization’s unique goals and level of play.
  • The next planning meeting is the Midterm Planning Meeting, scheduled to be held in-person and virtually in McLean, VA, on September 16, 2021.
  • The Cyber Storm Planning Team looks forward to working with members of your organization as we work together to increase cybersecurity preparedness and strengthen partnerships. For your convenience, we attached a quick overview of Cyber Storm VIII. Please contact Marshall Garnuette (Garnuette_Marshall@bah.com), Cyber Storm States Working Group Lead to learn more about participating in Cyber Storm VIII.