US-CERT Feed

Cisco Releases Security Updates for Multiple Products

US-Cert Current Activity - Thu, 07/02/2020 - 11:06am
Original release date: July 2, 2020

Cisco has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories and apply the necessary updates:

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Mozilla Releases Security Updates for Firefox and Firefox ESR

US-Cert Current Activity - Thu, 07/02/2020 - 10:53am
Original release date: July 2, 2020

Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 78 and Firefox ESR 68.10 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor

US-Cert Alerts - Wed, 07/01/2020 - 9:00pm
Original release date: July 1, 2020
Summary

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) and Pre-ATT&CK framework. See the ATT&CK for Enterprise and Pre-ATT&CK frameworks for referenced threat actor techniques.

This advisory—written by the Cybersecurity Security and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI)—highlights risks associated with Tor, along with technical details and recommendations for mitigation. Cyber threat actors can use Tor software and network infrastructure for anonymity and obfuscation purposes to clandestinely conduct malicious cyber operations.[1],[2],[3]

Tor (aka The Onion Router) is software that allows users to browse the web anonymously by encrypting and routing requests through multiple relay layers or nodes. This software is maintained by the Tor Project, a nonprofit organization that provides internet anonymity and anti-censorship tools. While Tor can be used to promote democracy and free, anonymous use of the internet, it also provides an avenue for malicious actors to conceal their activity because identity and point of origin cannot be determined for a Tor software user. Using the Onion Routing Protocol, Tor software obfuscates a user’s identity from anyone seeking to monitor online activity (e.g., nation states, surveillance organizations, information security tools). This is possible because the online activity of someone using Tor software appears to originate from the Internet Protocol (IP) address of a Tor exit node, as opposed to the IP address of the user’s computer.

CISA and the FBI recommend that organizations assess their individual risk of compromise via Tor and take appropriate mitigations to block or closely monitor inbound and outbound traffic from known Tor nodes.

Click here for a PDF version of this report.

Risk Evaluation

Malicious cyber actors use Tor to mask their identity when engaging in malicious cyber activity impacting the confidentiality, integrity, and availability of an organization’s information systems and data. Examples of this activity include performing reconnaissance, penetrating systems, exfiltrating and manipulating data, and taking services offline through denial-of-service attacks and delivery of ransomware payloads. Threat actors have relayed their command and control (C2) server communications—used to control systems infected with malware—through Tor, obscuring the identity (location and ownership) of those servers.

The use of Tor in this context allows threat actors to remain anonymous, making it difficult for network defenders and authorities to perform system recovery and respond to cyberattacks. Organizations that do not take steps to block or monitor Tor traffic are at heightened risk of being targeted and exploited by threat actors hiding their identity and intentions using Tor.

The risk of being the target of malicious activity routed through Tor is unique to each organization. An organization should determine its individual risk by assessing the likelihood that a threat actor will target its systems or data and the probability of the threat actor’s success given current mitigations and controls. This assessment should consider legitimate reasons that non-malicious users may prefer to, or need to, use Tor for accessing the network. Organizations should evaluate their mitigation decisions against threats to their organization from advanced persistent threats (APTs), moderately sophisticated attackers, and low-skilled individual hackers, all of whom have leveraged Tor to carry out reconnaissance and attacks in the past.

Technical Details

Tor obfuscates the source and destination of a web request. This allows users to conceal information about their activities on the web—such as their location and network usage—from the recipients of that traffic, as well as third parties who may conduct network surveillance or traffic analysis. Tor encrypts a user’s traffic and routes the traffic through at least three Tor nodes, or relays, so that the user’s starting IP address and request is masked from network and traffic observers during transit. Once the request reaches its intended destination, it exits Tor through a public Tor exit node. Anyone conducting monitoring or analysis will only see the traffic coming from the Tor exit node and will not be able to determine the original IP address of the request.

 

Figure 1: Malicious tactics and techniques aided by Tor, mapped to the MITRE ATT&CK framework

Malicious Tactics and Techniques Aided by Tor

Threat actors use Tor to create a layer of anonymity to conceal malicious activity at different stages of network compromise. Their tactics and techniques—illustrated in figure 1 above—include:

Pre-ATT&CK
  • Target Selection [TA0014]
  • Technical Information Gathering [TA0015]
    • Conduct Active Scanning [T1254]
    • Conduct Passive Scanning [T1253]
    • Determine domain and IP address space [T1250]
    • Identify security defensive capabilities [T1263]
  • Technical Weakness Identification [TA0018]
ATT&CK Key Indicators of Malicious Activity via Tor

While Tor obfuscates a user from being identified through standard security tools, network defenders can leverage various network, endpoint, and security appliance logs to detect the use of Tor, including potentially malicious activity involving Tor, through indicator- or behavior-based analysis.

Using an indicator-based approach, network defenders can leverage security information and event management (SIEM) tools and other log analysis platforms to flag suspicious activities involving the IP addresses of Tor exit nodes. The list of Tor exit node IP addresses is actively maintained by the Tor Project’s Exit List Service, which offers both real-time query and bulk download interfaces (see https://blog.torproject.org/changes-tor-exit-list-service). Organizations preferring bulk download may consider automated data ingest solutions, given the highly dynamic nature of the Tor exit list, which is updated hourly. Network defenders should closely inspect evidence of substantial transactions with Tor exit nodes—revealed in netflow, packet capture (PCAP), and web server logs—to infer the context of the activity and to discern any malicious behavior that could represent reconnaissance, exploitation, C2, or data exfiltration.

Using a behavior-based approach, network defenders can uncover suspicious Tor activity by searching for the operational patterns of Tor client software and protocols. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports commonly affiliated with Tor include 9001, 9030, 9040, 9050, 9051, and 9150. Highly structured Domain Name Service (DNS) queries for domain names ending with the suffix torproject.org is another behavior exhibited by hosts running Tor software. In addition, DNS queries for domains ending in .onion is a behavior exhibited by misconfigured Tor clients, which may be attempting to beacon to malicious Tor hidden services.

Organizations should research and enable the pre-existing Tor detection and mitigation capabilities within their existing endpoint and network security solutions, as these often employ effective detection logic. Solutions such as web application firewalls, router firewalls, and host/network intrusion detection systems may already provide some level of Tor detection capability.

Mitigations

Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor to carry out malicious activities. However, mitigation actions can also impact the access of legitimate users who leverage Tor to protect their privacy when visiting an organization’s internet-facing assets. Organizations should evaluate their probable risk, available resources, and impact to legitimate, non-malicious, Tor users before applying mitigation actions. 

  • Most restrictive approach: Block all web traffic to and from public Tor entry and exit nodes. Organizations that wish to take a conservative or less resource-intensive approach to reduce the risk posed by threat actors’ use of Tor should implement tools that restrict all traffic—malicious and legitimate—to and from Tor entry and exit nodes. Of note, blocking known Tor nodes does not completely eliminate the threat of malicious actors using Tor for anonymity, as additional Tor network access points, or bridges, are not all listed publicly. See table 1 for the most restrictive mitigation practices.

Table 1: Most restrictive mitigation practices

Type Level of Effort Technical Implementation

Impact 

Baseline Activity Low/Medium

Require organization to maintain up-to-date lists of known Tor exit and entry node IP addresses.

Public lists are available on the internet, but frequency of updates and accuracy varies depending on the source. The Tor Project maintains an authoritative list

Up-to-date awareness of known Tor nodes to enable blocking External Policies Medium

Set external policies to block incoming traffic from known Tor exit nodes to prevent malicious reconnaissance and exploit attempts.

Network security tools (e.g., next-generation firewalls, proxies) may have configuration settings to apply these policies.

Block inbound network traffic, both malicious and legitimate, from reaching the organization’s domain from known Tor exit nodes Internal Policies Medium

Set internal policies to block outgoing traffic to Tor entry nodes to prevent data exfiltration and C2 traffic.

Network security tools (e.g., next-generation firewalls, proxies) may have configuration settings to apply these policies.

Block outbound network traffic, both malicious and legitimate, from leaving the organization’s domain into known Tor entry nodes

 

  • Less restrictive approach: Tailor monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes. There are instances in which legitimate users may leverage Tor for internet browsing and other non-malicious purposes. For example, deployed military or other overseas voters may use Tor as part of the voting process to escape monitoring by foreign governments. Such users may use Tor when visiting elections-related websites, to check voter registration status, or to mark and then cast absentee ballots via email or web portal. Similarly, some users may use Tor to avoid tracking by advertisers when browsing the internet. Organizations that do not wish to block legitimate traffic to/from Tor entry/exit nodes should consider adopting practices that allow for network monitoring and traffic analysis for traffic from those nodes, and then consider appropriate blocking. This approach can be resource intensive but will allow greater flexibility and adaptation of defensive.

Table 2: Less restrictive mitigation practices

Type Level of Effort Technical Implementation Impact Known Tor Nodes Low/Medium

Require the organization to maintain up-to-date lists of known Tor exit and entry node IP addresses.

The Tor Project maintains an authoritative list

Up-to-date awareness of known Tor nodes to enable baselining/allow blocking SIEM Correlation Low/Medium Integrate network security and SIEM tools that correlate logs. Enhanced understanding of legitimate/expected Tor use for inbound/outbound traffic Baseline Medium

Analyze traffic to determine normal patterns of behavior; legitimate vs. anomalous uses of Tor.

Baseline existing Tor traffic to/from known entry/exit nodes over a period of months.

Inspect traffic to understand legitimate traffic; level-set the organization’s risk tolerance for blocking or allowing Tor traffic to/from specific services.

Baseline understanding of legitimate vs. potentially anomalous Tor uses. Internal / External Policies Medium/High

Institute behavioral signatures/rules to block unexpected/potentially malicious activity and allow legitimate activity.

Examine activity between any ephemeral port and Tor IP—this could be malicious data exfiltration or C2 traffic (except where use of outbound Tor entry nodes is expected).

Monitor for use of TCP/UDP ports 9001, 9030, 9040, 9050, 9051, 9150, and TCP ports 443* and 8443.

Monitor and/or block inbound connections from Tor exit nodes to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports).

Associated ports are applicable for client -> guard/relay traffic monitoring and analysis but not monitoring for exit node -> a network destination.

Monitor and examine any large dataflows between networks and Tor IP addresses, regardless of port, as this could be unauthorized data exfiltration.

*Since port 443 is the most common port for secure web traffic, generically monitoring 443 may produce a high volume of false positives; network traffic tools can be used to assist in this analysis.

Legitimate traffic via Tor entry/exit nodes is permitted and unexpected/potentially malicious activity via Tor entry/exit nodes is blocked

 

  • Blended approach: Block all Tor traffic to some resources, allow and monitor for others. Given the various licit and illicit uses of Tor, a blended approach may be an appropriate risk mitigation strategy for some organizations (i.e., intentionally allowing traffic to/from Tor only for specific websites and services where legitimate use may be expected and blocking all Tor traffic to/from non-excepted processes/services). This may require continuous re-evaluation as an entity considers its own risk tolerance associated with different applications. The level of effort to implement this approach is high.
Considerations for Blocking Use of Tor

Sophisticated threat actors may leverage additional anonymization technologies—such as virtual private networks (VPNs)—and configurable features within Tor—such as Tor bridges and pluggable transports—to circumvent detection and blocking. Blocking the use of known Tor nodes may not effectively mitigate all hazards but may protect against less sophisticated actors. For example, blocking outbound traffic to known Tor entry nodes could have an appreciable impact in blocking less sophisticated malware from successfully beaconing out to hidden C2 machines obfuscated by Tor. Ultimately, each entity must consider its own internal thresholds and risk tolerance when determining a risk mitigation approach associated with Tor.

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov.

Disclaimer

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.

References Revisions
  • July 1, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Microsoft Releases Security Updates for Windows 10, Windows Server

US-Cert Current Activity - Wed, 07/01/2020 - 10:45am
Original release date: July 1, 2020

Microsoft has released security updates to address vulnerabilities in Windows 10 and Windows Server. These vulnerabilities could allow a remote attacker to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Microsoft security advisories for CVE-2020-1425 and CVE-2020-1457 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

AA20-182A: EINSTEIN Data Trends – 30-day Lookback

US-Cert Alerts - Tue, 06/30/2020 - 10:34am
Original release date: June 30, 2020
Summary

Cybersecurity and Infrastructure Security Agency (CISA) analysts have compiled the top detection signatures that have been the most active over the month of May in our national Intrusion Detection System (IDS), known as EINSTEIN. This information is meant to give the reader a closer look into what analysts are seeing at the national level and provide technical details on some of the most active threats.

IDS is a network tool that uses sensors to monitor inbound and outbound traffic to search for any type of suspicious activity or known threats, alerting analysts when a specific traffic pattern matches with an associated threat. IDS allows users to deploy signatures on these boundary sensors to look for the specific pattern, or network indicator, associated with a known threat.

The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian government. By collecting information from participating federal government agencies, CISA builds and enhances our Nation’s cyber-related situational awareness.

The signatures CISA created have been included below for analysts across various organizations to use in enhancing their own network defenses. Note: CISA has created and tested these signatures in an environment that might not be the same for all organizations, so administrators may need to make changes or updates before using in the following signatures in their local environments.

Technical Details

Note: the below Snort signatures accounted for over 90 percent of what CISA analysts identified as potential threats using the IDS system for detection.

1. NetSupport Manager RAT Description

The NetSupport Manager Remote Access Tool (RAT) is a legitimate program that, once installed on a victim’s machine, allows remote administrative control. In a malicious context, it can—among many other functions—be used to steal information. Malicious RATs can be difficult to detect because they do not normally appear in lists of running programs, and they can mimic the behavior of legitimate applications.

Examples

In January 2020, Palo Alto researchers observed the abuse of NetSupport in targeted phishing email campaigns.[1] In November 2019, Zscaler researchers observed “software update-themed” campaigns tricking users into installing a malicious NetSupport Manager RAT.[2] The earliest malicious use of NetSupport was seen in a phishing email campaign—reported by FireEye researchers in April 2018.[3]

Snort Signature alert tcp any any -> any $HTTP_PORTS (msg:"NetSupportManager:HTTP Client Header contains 'User-Agent|3a 20|NetSupport Manager/'"; flow:established,to_server; flowbits:isnotset,.tagged; content:"User-Agent|3a 20|NetSupport Manager/"; http_header; fast_pattern:only; content:"CMD="; nocase; http_client_body; depth:4; content:"POST"; nocase; http_method; flowbits:set,.; classtype:http-header; reference:url,unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/; reference:url,www.pentestpartners.com/security-blog/how-to-reverse-engineer-a-protocol/; reference:url,github.com/silence-is-best/c2db; 2. Kovter Description

Kovter is a fileless Trojan with several variants. This malware started as ransomware that malicious actors used to trick victims into thinking that they need to pay their local police a fine. Cyber actors have also used Kovter to perform click-fraud operations to infect targets and send stolen information from the target machines to command and control servers. Kovter’s evolving features have allowed this malware to rank among the Center for Internet Security’s most prolific malware year after year.[4] See CISA’s Webinar on Combatting Ransomware for additional information on Kovter.

Snort Signature alert tcp any any -> any $HTTP_PORTS (msg:"Kovter:HTTP URI POST to CnC Server";; flow:established,to_server; flowbits:isnotset,.tagged; content:"POST / HTTP/1.1"; depth:15; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; depth:47; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"LOADCURRENCY"; nocase; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; nocase; http_header; pcre:"/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/P"; pcre:"/User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a\x20[1-5][0-9]{2,3}\r\n(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$/H";; classtype:nonstd-tcp;; reference:url,www.malware-traffic-analysis.net/2017/06/29/index2.html; 3. XMRig Description

XMRig is a type of cryptocurrency miner that uses the resources of an unsuspecting infected machine to mine Monero—a type of cryptocurrency. XMRig can cause a victim computer to overheat and perform poorly by using additional system resources that would otherwise not be active.

Snort Signature alert tcp any any -> any !25 (msg:"XMRIG:Non-Std TCP Client Traffic contains JSONRPC 2.0 Config Data";; flow:established,to_server; flowbits:isnotset; content:"|22|jsonrpc|22 3a 22|2.0|22|"; distance:0; content:"|22|method|22 3a 22|login|22|"; distance:0; content:"|22|agent|22 3a 22|XMRig"; nocase; distance:0; fast_pattern; content:"libuv/"; nocase; distance:0; content:!"|22|login|22 3a 22|x|22|"; flowbits:set,; classtype:nonstd-tcp;; reference:url,malware-traffic-analysis.net/2017/11/12/index.html; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=1101; Mitigations

CISA recommends using the following best practices to strengthen the security posture of an organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.
  • Ensure systems have the latest security updates. See Understanding Patches and Software Updates.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' permissions to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
  • Enforce a strong password policy. See Choosing and Protecting Passwords.
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
  • Enable a personal firewall on agency workstations that is configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs). Sign up to receive CISA’s alerts on security topics and threats.
  • Sign up for CISA’s free vulnerability scanning and testing services to help organizations secure internet-facing systems from weak configuration and known vulnerabilities. Email vulnerability_info@cisa.dhs.gov to sign up. See https://www.cisa.gov/cyber-resource-hub for more information about vulnerability scanning and other CISA cybersecurity assessment services.
Resources

https://unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/
https://threatpost.com/netsupport-manager-rat-nortonlifelock-docs/153387/
https://www.zdnet.com/article/new-lokibot-trojan-malware-campaign-comes-disguised-as-a-popular-game-launcher/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless
https://www.varonis.com/blog/what-is-mimikatz/

References Revisions
  • June 30, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Netgear Router Vulnerabilities

US-Cert Current Activity - Mon, 06/29/2020 - 3:44pm
Original release date: June 29, 2020

Multiple Netgear router models contain vulnerabilities that a remote attacker can exploit to take control of an affected device. 

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to update to the most recent firmware version and to replace end-of-life devices that are no longer supported with security patches. Given the increase in telework, CISA recommends that CISOs consider the risk that these vulnerabilities present to business networks.

See the following products for additional information. 

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Palo Alto Releases Security Updates for PAN-OS

US-Cert Current Activity - Mon, 06/29/2020 - 2:10pm
Original release date: June 29, 2020

Palo Alto Networks has released security updates to address a vulnerability affecting PAN-OS. An unauthenticated attacker with network access could exploit this vulnerability to obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Palo Alto Security Advisory for CVE-2020-2021 and apply the necessary updates or workarounds.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Apache Releases Security Advisory for Apache Tomcat

US-Cert Current Activity - Fri, 06/26/2020 - 8:40am
Original release date: June 26, 2020

The Apache Software Foundation has released a security advisory to address a vulnerability in Apache Tomcat. An attacker could exploit this vulnerability to cause a denial-of-service condition.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apache security advisory for CVE-2019-10072 and upgrade to the appropriate version.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Cisco Releases Security Advisory for Telnet Vulnerability in IOS XE Software

US-Cert Current Activity - Thu, 06/25/2020 - 12:35pm
Original release date: June 25, 2020

Cisco has released a security advisory on a Telnet vulnerability—CVE-2020-10188—affecting Cisco IOS XE devices. A remote attacker could exploit this vulnerability to take control of an affected system. The advisory contains workarounds as well as indicators of compromise.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco Security Advisory and apply the necessary workarounds.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

VMware Releases Security Updates for Multiple Products

US-Cert Current Activity - Wed, 06/24/2020 - 11:05am
Original release date: June 24, 2020

VMware has released security updates to address multiple vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0015 and apply the necessary updates or workarounds.

 

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Adobe Releases Security Updates for Magento

US-Cert Current Activity - Tue, 06/23/2020 - 9:35am
Original release date: June 23, 2020

Adobe has released security updates to address vulnerabilities in Magento Commerce 1 and Magento Open Source 1. An attacker could exploit one of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletin APSB20-41 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Google Releases Security Updates for Chrome

US-Cert Current Activity - Tue, 06/23/2020 - 9:33am
Original release date: June 23, 2020

Google has released Chrome version 83.0.4103.116 for Windows, Mac, and Linux. This version addresses a vulnerability that a remote attacker could exploit to cause a denial-of-service condition.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

ACSC Releases Advisory on Cyber Campaign using Copy-Paste Compromises

US-Cert Current Activity - Mon, 06/22/2020 - 9:00am
Original release date: June 22, 2020

The Australian Cyber Security Centre (ACSC) has released an advisory regarding an ongoing cyber campaign involving “copy-paste compromises” targeting Australian government and commercial networks. According to the advisory, a sophisticated malicious cyber actor is carrying out the campaign using open-source code that exploits known remote code execution vulnerabilities and spearphishing attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the tactics, techniques, and procedures and mitigations identified in ASCS Advisory 2020-008 as well as:

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Microsoft Releases Security Updates for Windows

US-Cert Current Activity - Fri, 06/19/2020 - 9:27am
Original release date: June 19, 2020

Microsoft has released security updates to address a vulnerability in Windows 10 version 1903. An attacker could exploit this vulnerability to overwrite or modify a protected file and gain elevated privileges.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s Security Advisory for CVE-2020-1441 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Cisco Releases Multiple Security Updates

US-Cert Current Activity - Thu, 06/18/2020 - 10:20am
Original release date: June 18, 2020

Cisco has released security updates to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco advisories and apply the necessary updates:

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

ISC Releases Security Advisories for BIND

US-Cert Current Activity - Thu, 06/18/2020 - 10:18am
Original release date: June 18, 2020

The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ISC advisories for CVE-2020-8618 and CVE-2020-8619 for more information and to apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Drupal Releases Security Updates

US-Cert Current Activity - Thu, 06/18/2020 - 10:15am
Original release date: June 18, 2020

Drupal has released security updates to address vulnerabilities affecting Drupal 7, 8.8, 8.9, and 9.0. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.  

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Drupal Advisories SA-CORE-2020-004 and SA-CORE-2020-005 for more information and to apply the necessary updates. 

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

CERT NZ Releases Advisory on Ransomware Campaign

US-Cert Current Activity - Thu, 06/18/2020 - 10:10am
Original release date: June 18, 2020

The New Zealand Computer Emergency Response Team (CERT NZ) has released an advisory on a ransomware campaign leveraging remote access technologies. Malicious cyber actors are targeting organizations’ networks through remote access tools, such as Remote Desktop Protocol and virtual private networks, to exploit unpatched vulnerabilities and weak authentication.

After gaining access, cyber actors use various tools—including mimikatz, PsExec, Cobalt Strike, and Nefilim ransomware—for privilege escalation, lateral movement, persistence, and data exfiltration and encryption. Due to the level of access gained before deploying ransomware, the issue cannot be resolved by simply restoring data from backup.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the CERT NZ Advisory, Active Ransomware Campaign Leveraging Remote Access Technologies, for more information and mitigations as well as indicators of compromise associated with Nefilim ransomware. CISA also encourages organizations to review the following resources for more information on protecting against and responding to ransomware.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Adobe Releases Security Updates for Multiple Products

US-Cert Current Activity - Wed, 06/17/2020 - 10:32am
Original release date: June 17, 2020

Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Ripple20 Vulnerabilities Affecting Treck IP Stacks

US-Cert Current Activity - Tue, 06/16/2020 - 8:09pm
Original release date: June 16, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of multiple vulnerabilities, known as Ripple20, affecting Treck IP stack implementations for embedded systems. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following products for additional information and mitigations, and update to the latest stable version of Treck IP stack software (6.0.1.67 or later).

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Pages