Current Activity

Today, CISA partnered with the Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group to publish the Principles for Package Repository Security framework. Recognizing the critical role package repositories play in securing open source software ecosystems, this framework lays out voluntary security maturity levels for package repositories. This publication supports Objective 1.2 of CISA's Open Source Software Security Roadmap, which states the goal of "working collaboratively [with relevant working groups] to develop security principles for package managers."

CISA highly encourages package managers and open source community members to review the Principles for Package Repository Security as well as the related OpenSSF blog post, offer feedback, and develop roadmaps for security improvements in their ecosystems. For more information on CISA's efforts to help secure open source software, see CISA.gov/opensource.

CISA released two Industrial Control Systems (ICS) advisories on February 8, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-039-01 Qolsys IQ Panel 4, IQ4 HUB
• ICSA-23-082-06 ProPump and Controls Osprey Pump Controller (Update A)

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Cisco released a security advisory to address vulnerabilities affecting Cisco Expressway Series. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Cisco Expressway Series advisory and apply the necessary updates.

Today, CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure alongside supplemental Joint Guidance: Identifying and Mitigating Living off the Land Techniques.

The following federal agencies and international organizations are additional co-authors on the joint advisory and guidance:

• U.S. Department of Energy (DOE)
• U.S. Environmental Protection Agency (EPA)
• U.S. Transportation Security Administration (TSA)
• Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS) a part of the Communications Security Establishment (CSE)
• United Kingdom National Cyber Security Centre (NCSC-UK)
• New Zealand National Cyber Security Centre (NCSC-NZ)

 Volt Typhoon actors are seeking to pre-position themselves—using living off the land (LOTL) techniques—on IT networks for disruptive or destructive cyber activity against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. The advisory provides actionable information from U.S. incident response activity that can help all organizations:

1. Recognize Volt Typhoon techniques,
2. Assess whether Volt Typhoon techniques have compromised your organization,
3. Secure your networks from these adversarial techniques by implementing recommended mitigations.

To supplement the advisory, the Joint Guidance provides threat detection information and mitigations applicable to LOTL activity, regardless of threat actor. Additionally, CISA has published Secure by Design Alert: Security Design Improvements for SOHO Device Manufacturers, which provides technology manufactures guidance on protecting their products from Volt Typhoon compromises.

CISA and its partners strongly urge critical infrastructure organizations and technology manufacturers to read the joint advisory and guidance to defend against this threat. For more information on People’s Republic of China (PRC) state-sponsored actors, visit People's Republic of China Cyber Threat. To learn more about secure by design principles and practices, visit Secure by Design.

VMware released a security advisory to address multiple vulnerabilities in Aria Operations for Networks. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review VMware security advisory VMSA-2024-0002 and apply the necessary updates.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2023-4762 Google Chromium V8 Type Confusion Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released two Industrial Control Systems (ICS) advisories on February 6, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-037-01 HID Global Encoders
• ICSA-24-037-02 HID Global Reader Configuration Cards

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Juniper Networks released a security bulletin to address multiple vulnerabilities affecting Juniper Secure Analytics optional applications. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Juniper Security Bulletin JSA76718 and apply the necessary updates.

CISA released two Industrial Control Systems (ICS) advisories on February 1, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-032-01 Gessler GmbH WEB-MASTER 
• ICSA-24-032-03 AVEVA Edge products (formerly known as InduSoft Web Studio)

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Moby and the Open Container Initiative (OCI) have released updates for multiple vulnerabilities (CVE-2024-23651, CVE-2024-23652, CVE-2024-23653, CVE-2024-21626) affecting Docker-related components, including Moby BuildKit and OCI runc. A cyber threat actor could exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the advisories from Moby BuildKit (CVE-2024-23651, CVE-2024-23652, CVE-2024-23653) and OCI runc (CVE-2024-21626), as well as the Snyk blog post about these vulnerabilities and apply the necessary updates.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-21893 Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2022-48618 Apple Multiple Products Improper Authentication Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Today, CISA and the Federal Bureau of Investigation (FBI) published guidance on Security Design Improvements for SOHO Device Manufacturers as a part of the new Secure by Design (SbD) Alert series that focuses on how manufacturers should shift the burden of security away from customers by integrating security into product design and development.

This third publication in CISA’s SbD Alert series examines how manufacturers can eliminate the path threat actors—particularly the People’s Republic of China (PRC)-sponsored Volt Typhoon group—are taking to compromise small office/home office (SOHO) routers. Specifically, CISA and FBI urge manufacturers to:

• Eliminate exploitable defects—during the product design and development phases—in SOHO router web management interfaces (WMIs).
• Adjust default device configurations in a way that:
  • Automates update capabilities.
  • Locates the WMI on LAN side ports.
  • Requires a manual override to remove security settings.

CISA and FBI also urge manufacturers to protect against Volt Typhoon activity and other cyber threats by disclosing vulnerabilities via the Common Vulnerabilities and Exposures (CVE) program as well as by supplying accurate Common Weakness Enumeration (CWE) classification for these vulnerabilities. The Alert also urges manufacturers to implement incentive structures that prioritize security during product design and development.

CISA and FBI urge SOHO device manufacturers to read and implement Security Design Improvements for SOHO Device Manufacturers, which aligns to principles one through three of the joint guidance, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software:

1. Take ownership of customer security outcomes.
2. Embrace Radical Transparency and Accountability.
3. Build organizational structure and leadership to achieve these goals.

By implementing these principles in their design, development, and delivery processes, manufactures can prevent exploitation of SOHO routers. To learn more, visit Secure by Design.

Note: CISA will update this Alert with more information as it becomes available.

Updated Jan. 31, 2024:

CISA urges organizations to follow the updated guidance—including software updates—that Ivanti has published to their KB article, which includes:

• Two additional vulnerabilities in all supported versions (9.x and 22.x) of Ivanti Connect Secure and Policy Secure Gateways:
  • A privilege escalation vulnerability (CVE-2024-21888)
  • A server-side request forgery vulnerability (CVE-2024-21893)
• A cyber threat actor could exploit CVE-2024-21888 and CVE-2024-21893 to take control of an affected system. Ivanti’s KB article includes software updates that cover these vulnerabilities in specific versions of the software as well as mitigations for affected software versions that do not yet have updates.
• Software updates are also available for the previously reported Ivanti Connect Secure and Policy Secure Gateways vulnerabilities in Ivanti devices (CVE-2023-46805 and CVE-2024-21887). Note: See the KB article for the specific versions that these updates apply to as well as specific guidance on implementing the updates. Ivanti will publish additional information and software updates to the KB article as these become available.

Additionally, CISA has issued a Supplemental Direction to its Emergency Directive on Ivanti Vulnerabilities. Although the Supplemental Direction and Emergency Directive are only for FCEB agencies, CISA strongly encourages all organizations to review the guidance and implement it as applicable.

End of Jan. 31 update

CISA is releasing this alert to provide cyber defenders with new mitigations to defend against threat actors exploiting Ivanti Connect Secure and Policy Secure Gateways vulnerabilities in Ivanti devices (CVE-2023-46805 and CVE-2024-21887).  

Threat actors are continuing to leverage vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways to capture credentials and/or drop webshells that enable further compromise of enterprise networks. Some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection. CISA is aware of instances in which sophisticated threat actors have subverted the external integrity checker tool (ICT), further minimizing traces of their intrusion.  

If an organization has been running Ivanti Connect Secure (9.x and 22.x) and Policy Secure gateways over the last several weeks and/or continues to run these products, CISA recommends continuous threat hunting on any systems connected to—or recently connected to—the Ivanti device. Additionally, organizations should monitor authentication, account usage, and identity management services that could be exposed and isolate the system(s) from any enterprise resources as much as possible.  

After applying patches, when these become available, CISA recommends that organizations continue to hunt their network in order to detect any compromise that may have occurred before patches were implemented.  

This guidance supplements CISA’s previous guidance for mitigation and detection, which remains applicable. For previous guidance, see CISA Issues Emergency Directive on Ivanti Vulnerabilities and Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways. 

CISA released eight Industrial Control Systems (ICS) advisories on January 30, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-030-01 Emerson Rosemount GC370XA, GC700XA, GC1500XA
• ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products
• ICSA-24-030-03 Mitsubishi Electric MELSEC WS Series Ethernet Interface Module
• ICSA-24-030-04 Hitron Systems Security Camera DVR
• ICSA-24-030-05 Rockwell Automation ControlLogix and GuardLogix 
• ICSA-24-030-06 Rockwell Automation FactoryTalk Service Platform
• ICSA-24-030-07 Rockwell Automation LP30/40/50 and BM40 Operator Interface
• ICSA-23-208-03 Mitsubishi Electric CNC Series (Update E)

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Juniper Networks released a security bulletin to address multiple vulnerabilities for J-Web in Junos OS SRX Series and EX Series. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Juniper Bulletin JSA76390 and apply the necessary updates.

Today, CISA published Guidance on Assembling a Group of Products created by the Software Bill of Materials (SBOM) Tooling & Implementation Working Group, one of the five SBOM community-driven workstreams facilitated by CISA. CISA’s community-driven working groups publish documents and reports to advance and refine SBOM and ultimately promote adoption. Specifically, software producers often need to assemble and test products together before releasing them to customers. These products may contain components that experience version changes over time, therefore creating a need to be tracked. This document serves as a guide for creating the build for SBOM assembled products.  

For more information on all things SBOM, please visit CISA’s Software Bill of Materials website. 

Cisco released a security advisory to address a vulnerability (CVE-2024-20253) affecting multiple Unified Communications Products. A cyber threat actor could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review the Cisco Unified Communications Products Remote Code Execution Vulnerability advisory and apply the necessary updates.

CISA released two Industrial Control Systems (ICS) advisories on January 25, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-025-01 MachineSense FeverWarn
• ICSA-24-025-02 SystemK NVR 504/508/516

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Mozilla has released security updates to address vulnerabilities in Thunderbird and Firefox. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following advisories and apply the necessary updates:

• Thunderbird 115.7
• Firefox ESR 115.7
• Firefox 122