Current Activity

Today, CISA—in partnership with the Federal Bureau of Investigation (FBI)—released a joint Cybersecurity Advisory, North Korea State-Sponsored Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs. The advisory was coauthored with the following organizations:

• U.S. Cyber National Mission Force (CNMF);
• U.S. Department of Defense Cyber Crime Center (DC3);
• U.S. National Security Agency (NSA);
• Republic of Korea’s National Intelligence Service (NIS);
• Republic of Korea’s National Police Agency (NPA); and
• United Kingdom’s National Cyber Security Centre (NCSC).

This advisory was crafted to highlight cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju. The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.

The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India.

All critical infrastructure organizations are encouraged to review the advisory and implement the recommended mitigations. For more information on North Korean state-sponsored threat actor activity, see CISA’s North Korea Cyber Threat Overview and Advisories page.

Andariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities. For more information on this ransomware activity, see joint advisories #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities and North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.

CISA released two Industrial Control Systems (ICS) advisories on July 25, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-207-01 Siemens SICAM Products
• ICSA-24-207-02 Positron Broadcast Signal Processor

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

The Internet Systems Consortium (ISC) released security advisories to address vulnerabilities affecting multiple versions of ISC’s Berkeley Internet Name Domain (BIND) 9. A cyber threat actor could exploit one of these vulnerabilities to cause a denial-of-service condition. 

CISA encourages users and administrators to review the following advisories and apply the necessary updates: 

• CVE-2024-4076: Assertion failure when serving both stale cache data and authoritative zone content
• CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
• CVE-2024-1737: BIND’s database will be slow if a very large number of RRs exist at the same name
• CVE-2024-0760: A flood of DNS messages over TCP may make the server unstable

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2012-4792 Microsoft Internet Explorer Use-After-Free Vulnerability
• CVE-2024-39891 Twilio Authy Information Disclosure Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released four Industrial Control Systems (ICS) advisories on July 23, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-205-01 National Instruments IO Trace
• ICSA-24-205-02 Hitachi Energy AFS/AFR Series Products
• ICSA-24-205-03 National Instruments LabVIEW
   
• ICSA-22-333-02 Hitachi Energy IED Connectivity Packages and PCM600 Products (Update A)

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Note: CISA will update this Alert with more information as it becomes available.

Update 12:30 p.m., EDT, July 26, 2024: 

• CrowdStrike’s Counter Adversary Operations blog lists various reports of malicious cyber activity leveraging last week’s outage. 
• CISA encourages users and administrators to remain vigilant and maintain robust cybersecurity measures, including:
  • Only follow guidance from legitimate sources.
  • Block malicious domains.
  • Follow CrowdStrike’s recommendations to protect against the outage-related phishing activity listed in their Counter Adversary Operations reports.
• CrowdStrike also continues to provide updated information through its remediation and guidance hub.

Update 12:00 p.m., EDT, July 24, 2024: 

• CrowdStrike continues to provide updates to its guidance, including:
  • An instructional video to guide users through a self-remediation process.
  • An update to their initial remediation that accelerates remediation of impacted systems; CrowdStrike encourages customers to “follow the Tech Alerts for latest updates as they happen.”
  • A “Preliminary Incident Review,” which provides answers to why and how the outage occurred and how they will prevent such outages going forward.
• CrowdStrike also published a list of domains impersonating the CrowdStrike brand, which threat actors could use to deliver malicious content. 

Update 9:45 a.m., EDT, July 21, 2024: 

• Microsoft released a recovery tool that uses a USB drive to boot and repair affected systems. 
• Microsoft also published a blog post that provides links to various remediation solutions and outlines their actions in response to the outage, which include working with CrowdStrike to expedite restoring services to disrupted systems.
• In the blog post, Microsoft estimates the outage affected 8.5 million Windows devices. Microsoft notes that this number makes up less than one percent of all Windows machines.

Update 12:30 p.m., EDT, July 20, 2024: 

• CrowdStrike continues to provide updated guidance on yesterday’s widespread IT outage, including remediation steps for specific environments.
• CrowdStrike released technical details that provide:
  • A technical summary of the outage and the impact.
  • Information on how the update to the CrowdStrike Falcon sensor configuration file, Channel File 291, caused the logic error that led to the outage.
  • A discussion of the root cause analysis CrowdStrike is undertaking to determine how the logic error occurred.
• Cyber threat actors continue to leverage the outage to conduct malicious activity, including phishing attempts. CISA continues to work closely with CrowdStrike and other private sector and government partners to actively monitor any emerging malicious activity.
  • According to a new CrowdStrike blog, threat actors have been distributing a malicious ZIP archive file. This activity appears to be targeting Latin America-based CrowdStrike customers. The blog provides indicators of compromise and recommendations.

Update 7:30 p.m., EDT, July 19, 2024: 

• The CrowdStrike guidance is updated with additional guidance regarding impacts to specific environments, e.g., Azure, AWS. 
• For additional information:
  
  • Update from the United Kingdom's National Cyber Security Centre (NCSC-UK)
  • Update from the Australian Cyber Security Centre (ACSC)
  • Update from the Canadian Centre for Cyber Security (CCCS)
• Threat actors continue to use the widespread IT outage for phishing and other malicious activity. CISA urges organizations to ensure they have robust cybersecurity measures to protect their users, assets, and data against this activity.

CISA continues to monitor the situation and will update this Alert to provide continued support.

Initial Alert (11:30 a.m., EDT, July 19, 2024):

CISA is aware of the widespread outage affecting Microsoft Windows hosts due to an issue with a recent CrowdStrike update and is working closely with CrowdStrike and federal, state, local, tribal and territorial (SLTT) partners, as well as critical infrastructure and international partners to assess impacts and support remediation efforts. CrowdStrike has confirmed the outage:

• Impacts Windows 10 and later systems.
• Does not impact Mac and Linux hosts.
• Is due to the CrowdStrike Falcon content update and not to malicious cyber activity.

According to CrowdStrike, the issue has been identified, isolated and a fix has been deployed. CrowdStrike customer organizations should reference CrowdStrike guidance and their customer portal to resolve the issue.

Of note, CISA has observed threat actors taking advantage of this incident for phishing and other malicious activity. CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links.

Cisco released security updates to address vulnerabilities in Cisco software. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following advisories and apply necessary updates:

• Cisco Secure Email Gateway Arbitrary File Write Vulnerability
• Cisco Smart Software Manager On-Prem Password Change Vulnerability
• Cisco Secure Web Appliance Privilege Escalation Vulnerability
• Cisco Identity Services Engine Arbitrary File Upload Vulnerability
• Cisco Intelligent Node Software Static Key Vulnerability
• Cisco Webex App Vulnerabilities
• Cisco RV340 and RV345 Dual WAN Gigabit VPN Routers Authenticated Remote Code Execution Vulnerability
• Cisco Expressway Series Open Redirect Vulnerability
• Cisco Secure Email Gateway Server-Side Template Injection Vulnerability

Oracle released its quarterly Critical Patch Update Advisory for July 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the following Oracle Critical Patch Update Advisory and apply the necessary updates: 

• July 2024 Critical Patch Update Advisory

CISA released three Industrial Control Systems (ICS) advisories on July 18, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-200-01 Mitsubishi Electric MELSOFT MaiLab
• ICSA-24-200-02 Subnet Solutions PowerSYSTEM Center
• ICSMA-24-200-01 Philips Vue PACS

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Ivanti released security updates to address vulnerabilities in Ivanti Endpoint Manager (EPM) and Ivanti Endpoint Manager for Mobile (EPMM). A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the following Ivanti advisories and apply the necessary updates:

• Security Advisory EPM
• Security Advisory Ivanti Endpoint Manager for Mobile (EPMM)

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-34102 Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
• CVE-2024-28995 SolarWinds Serv-U Path Traversal Vulnerability
• CVE-2022-22948 VMware vCenter Server Incorrect Default File Permissions Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released one Industrial Control Systems (ICS) advisory on July 16, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-198-01 Rockwell Automation Pavilion 8

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-36401 OSGeo GeoServer GeoTools Eval Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

On July 12, AT&T released a public statement on unauthorized access of customer data from a third-party cloud platform. AT&T also provided recommendations and resources for affected customers.    

CISA encourages customers to review the following AT&T article for additional information and follow necessary guidance to help protect personal information.  

•  AT&T: Unlawful access of customer data

CISA released twenty-one Industrial Control Systems (ICS) advisories on July 11, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-193-01 Siemens Remote Connect Server
• ICSA-24-193-02 Siemens RUGGEDCOM APE 1808
• ICSA-24-193-03 Siemens Teamcenter Visualization and JT2Go
• ICSA-24-193-04 Siemens Simcenter Femap
• ICSA-24-193-05 Siemens SCALANCE, RUGGEDCOM, SIPLUS, and SINEC
• ICSA-24-193-06 Siemens RUGGEDCOM
• ICSA-24-193-07 Siemens SIMATIC and SIMIT
• ICSA-24-193-08 Siemens Mendix Encryption Module
• ICSA-24-193-09 Siemens SINEMA Remote Connect Server
• ICSA-24-193-10 Siemens JT Open and PLM XML SDK
• ICSA-24-193-11 Siemens RUGGEDCOM APE 1808
• ICSA-24-193-12 Siemens TIA Portal and SIMATIC STEP 7
• ICSA-24-193-13 Siemens TIA Portal, SIMATIC, and SIRIUS
• ICSA-24-193-14 Siemens SIPROTEC
• ICSA-24-193-15 Siemens SINEMA Remote Connect Server
• ICSA-24-193-16 Siemens SIMATIC WinCC
• ICSA-24-193-17 Siemens SIMATIC STEP 7 (TIA Portal)
• ICSA-24-193-18 Rockwell Automation ThinManager ThinServer
• ICSA-24-193-19 Rockwell Automation FactoryTalk System Services and Policy Manager
• ICSA-24-193-20 HMS Industrial Networks Anybus-CompactCom 30
• ICSA-22-356-03 Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series (Update D)

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Today, CISA released CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth in coordination with the assessed organization. This Cybersecurity Advisory (CSA) details key findings and lessons learned from a 2023 assessment, along with the red team’s tactics, techniques, and procedures (TTPs) and associated network defense activity.

The CSA also provides recommendations to assist executives, leaders, and network defenders in all organizations with refining their cybersecurity, detection, response, and hunt capabilities.

CISA encourages all organizations review the advisory and apply the recommendations and mitigations within, including applying defense-in-depth principles, using robust network segmentation, and establishing baselines of network traffic, application execution, and account authentication.

For more information on the most common and impactful threats, tactics, techniques, and procedures, see CISA’s Cross-Sector Cybersecurity Performance Goals. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage. 

Today, CISA and FBI are releasing their newest Secure by Design Alert in the series, Eliminating OS Command Injection Vulnerabilities, in response to recent well-publicized threat actor campaigns that exploited OS command injection defects in network edge devices (CVE-2024-20399, CVE-2024-3400, CVE-2024-21887) to target and compromise users. These vulnerabilities allowed unauthenticated malicious actors to remotely execute code on network edge devices.

OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command. Despite this finding, OS command injection vulnerabilities—many of which result from CWE-78—are still a prevalent class of vulnerability.

CISA and FBI urge CEOs and other business leaders at technology manufacturers to request their technical leaders analyze past occurrences of this class of defect and develop a plan to eliminate them in the future. For more on how to champion Secure by Design principles, visit our webpage. To join with the 150+ other companies who have signed our Secure by Design pledge, visit here.

Citrix released security updates to address vulnerabilities in multiple Citrix products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.  

CISA encourages users and administrators to review the following and apply necessary updates:  

• NetScaler ADC and NetScaler Gateway Security Update for CVE-2024-5491 and CVE-2024-5492
• NetScaler Console, Agent and SVM Security Update for CVE-2024-6235 and CVE-2024-6236
• Citrix Workspace app for HTML5 Security Bulletin CVE-2024-6148 and CVE-2024-6149
• Citrix Provisioning Security Bulletin CVE-2024-6150
• Windows Virtual Delivery Agent for CVAD and Citrix DaaS Security Bulletin CVE-2024-6151
• Citrix Workspace app for Windows Security Bulletin CVE-2024-6286

Microsoft released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.  

CISA encourages users and administrators to review the following and apply necessary updates:    

• Microsoft Security Update Guide for July

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-23692 Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
• CVE-2024-38080 Microsoft Windows Hyper-V Privilege Escalation Vulnerability
• CVE-2024-38112 Microsoft Windows MSHTML Platform Spoofing Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.