US-Cert Current Activity

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-3272 D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
• CVE-2024-3273 D-Link Multiple NAS Devices Command Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Today, CISA publicly issued Emergency Directive (ED) 24-02 to address the recent campaign by Russian state-sponsored cyber actor Midnight Blizzard to exfiltrate email correspondence of Federal Civilian Executive Branch (FCEB) agencies through a successful compromise of Microsoft corporate email accounts. This Directive rhttps://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-systemequires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to secure privileged Microsoft Azure accounts.

While ED 24-02 requirements only apply to FCEB agencies, other organizations may also have been impacted by the exfiltration of Microsoft corporate email and are encouraged to contact their respective Microsoft account team for any additional questions or follow up. FCEB agencies and state and local government should utilize the distro MBFedResponse@Microsoft.com for any escalations and assistance with Microsoft. Regardless of direct impact, all organizations are strongly encouraged to apply stringent security measures, including strong passwords, multifactor authentication (MFA) and prohibited sharing of unprotected sensitive information via unsecure channels.

CISA released nine Industrial Control Systems (ICS) advisories on April 11, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-102-01 Siemens SIMATIC S7-1500
• ICSA-24-102-02 Siemens SIMATIC WinCC
• ICSA-24-102-03 Siemens RUGGEDCOM APE1808 before V11.0.1
• ICSA-24-102-04 Siemens RUGGEDCOM APE1808
• ICSA-24-102-05 Siemens Scalance W1750D
• ICSA-24-102-06 Siemens Parasolid
• ICSA-24-102-07 Siemens SINEC NMS
• ICSA-24-102-08 Siemens Telecontrol Server Basic 
• ICSA-24-102-09 Rockwell Automation 5015-AENFTXT

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

CISA is collaborating with private industry partners to respond to a recent compromise discovered by independent security researchers impacting Sisense, a company that provides data analytics services.

CISA urges Sisense customers to:

• Reset credentials and secrets potentially exposed to, or used to access, Sisense services. 
• Investigate—and report to CISA—any suspicious activity involving credentials potentially exposed to, or used to access, Sisense services.

CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations. We will provide updates as more information becomes available.
 

Fortinet released security updates to address vulnerabilities in multiple products, including OS and FortiProxy. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the following advisories and apply necessary updates: 

• FR-IR-23-345 FortiClientMac - Lack of configuration file validation
• FG-IR-23-493 FortiOS & FortiProxy - Administrator cookie leakage
• FG-IR-23-087 FortiClient Linux - Remote Code Execution due to dangerous   nodejs configuration

Microsoft released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.  

Users and administrators are encouraged to review the following and apply the necessary updates:  

• Microsoft Security Update Guide for April

Adobe has released security updates to address multiple vulnerabilities in Adobe software. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

Users and administrators are encouraged to review the following Adobe Security Bulletins and apply the necessary updates:  

• Adobe After Effects
• Adobe Photoshop
• Adobe Commerce and Magento
• Adobe InDesign
• Adobe Experience Manager
• Adobe Media Encoder
• Adobe Bridge
• Adobe Illustrator
• Adobe Animate

CISA released one Industrial Control Systems (ICS) advisory on April 9, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-100-01 SUBNET PowerSYSTEM Server and Substation Server

CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations.

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-29745 Android Pixel Information Disclosure Vulnerability
• CVE-2024-29748 Android Pixel Privilege Escalation Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released two Industrial Control Systems (ICS) advisories on April 4, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-095-01 Hitachi Energy Asset Suite 9
• ICSA-24-095-02 Schweitzer Engineering Laboratories SEL

CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations.

Ivanti has released security updates to address vulnerabilities in all supported versions (9.x and 22.x) of Ivanti Connect Secure and Policy Secure gateways. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system. 

Users and administrators are encouraged to review the following Ivanti advisory and apply the necessary updates: 

• SA:CVE-2024-21894 (Heap Overflow), CVE-2024-22052 (Null Pointer Dereference), CVE-2024-22053 (Heap Overflow) and CVE-2024-22023 (XML entity expansion or XXE) for Ivanti Connect Secure and Ivanti Policy Secure Gateways