Current high-impact types of security incidents

  • Zoho Releases Security Advisory for ManageEngine Desktop Central and Desktop Central MSP
    by CISA on December 6, 2021 at 9:20 pm

    Original release date: December 6, 2021
    Zoho has released a security advisory to address an authentication bypass vulnerability in ManageEngine Desktop Central and Desktop Central MSP. An attacker could exploit this vulnerability to take control of an affected system. According to Zoho, this vulnerability is being actively exploited in the wild. CISA encourages users and administrators to review the Zoho Vulnerability Notification and the Zoho ManageEngine Desktop Central and ManageEngine Desktop Central MSP security advisories and apply the recommended mitigations immediately. This product is provided subject to this Notification and this Privacy & Use policy.

  • CISA Releases Security Advisory on WebHMI Vulnerabilities
    by CISA on December 6, 2021 at 6:58 pm

    Original release date: December 6, 2021
    CISA has released an Industrial Control Systems (ICS) advisory detailing vulnerabilities in Distributed Data Systems WebHMI products. A remote attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review ICS advisory ICSA-21-336-03 Distributed Data Systems WebHMI for more information and apply the necessary mitigations.

  • CISA and FBI Release Alert on Active Exploitation of CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus
    by CISA on December 2, 2021 at 11:43 pm

    Original release date: December 2, 2021
    CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory identifying active exploitation of a vulnerability—CVE-2021-44077—in Zoho ManageEngine ServiceDesk Plus. CVE-2021-44077 is an unauthenticated remote code execution vulnerability that affects all ServiceDesk Plus versions up to, and including, version 11305. This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. If left unpatched, successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Zoho has set up a security response plan center that provides additional details, a downloadable tool that can be run on potentially affected systems, and a remediation guide. CISA encourages organizations to review the joint Cybersecurity Advisory and apply the recommended mitigations immediately.

  • Mozilla Releases Security Updates for Network Security Services
    by CISA on December 2, 2021 at 10:41 pm

    Original release date: December 2, 2021
    Mozilla has released security updates to address a vulnerability in Network Security Services (NSS). An attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the Mozilla Security Advisory for NSS and apply the necessary update.

  • NSA and CISA Release Part III of Guidance on Securing 5G Cloud Infrastructures
    by CISA on December 2, 2021 at 5:53 pm

    Original release date: December 2, 2021
    CISA has announced the joint National Security Agency (NSA) and CISA publication of the third of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part III: Data Protection examines security during all phases of the data lifecycle—in transit, in use, and at rest. The guidance focuses on protecting the confidentiality, integrity, and availability of data within a 5G cloud infrastructure to protect sensitive information from unauthorized access. This series is being published under the Enduring Security Framework (ESF), a public-private cross-sector working group led by NSA and CISA. CISA has also released a set of four 5G educational videos to raise awareness of the importance of the safe and secure development and deployment of 5G infrastructure. CISA encourages 5G providers, integrators, and network operators to review the guidance and consider the recommendations. See CISA’s 5G Security and Resilience webpage for more information.

  • CISA Adds Five Known Exploited Vulnerabilities to Catalog
    by CISA on December 1, 2021 at 3:47 pm

    Original release date: December 1, 2021
    CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.

    CVE Number      CVE Title                                                            Remediation Due Date
    CVE-2020-11261  Qualcomm Multiple Chipsets Improper Input Validation Vulnerability   06/01/2022
    CVE-2018-14847  MikroTik Router OS Directory Traversal Vulnerability                 06/01/2022
    CVE-2021-37415  Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability    12/15/2021
    CVE-2021-40438  Apache HTTP Server-Side Request Forgery (SSRF)                       12/15/2021
    CVE-2021-44077  Zoho ManageEngine ServiceDesk Plus Remote Code Execution             12/15/2021

    Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.

  • CISA Releases Capacity Enhancement Guides to Enhance Mobile Device Cybersecurity for Consumers and Organizations
    by CISA on November 24, 2021 at 5:00 pm

    Original release date: November 24, 2021
    CISA has released actionable Capacity Enhancement Guides (CEGs) to help users and organizations improve mobile device cybersecurity. The CEG: Mobile Device Cybersecurity Checklist for Consumers provides steps for consumers, including using strong authentication and enabling automatic operating system updates. The CEG: Mobile Device Cybersecurity Checklist for Organizations provides steps to help organizations secure mobile access to enterprise resources. CISA encourages users and administrators to review the guidance and apply the recommendations.

  • VMware Releases Security Updates
    by CISA on November 24, 2021 at 4:58 pm

    Original release date: November 24, 2021
    VMware has released security updates to address multiple vulnerabilities in vCenter Server and Cloud Foundation. A remote attacker can exploit these vulnerabilities to obtain access to sensitive information. CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0027 and apply the necessary updates.

  • Reminder for Critical Infrastructure to Stay Vigilant Against Threats During Holidays and Weekends
    by CISA on November 22, 2021 at 3:00 pm

    Original release date: November 22, 2021
    As Americans prepare to hit the highways and airports this Thanksgiving holiday, CISA and the Federal Bureau of Investigation (FBI) are reminding critical infrastructure partners that malicious cyber actors aren’t making the same holiday plans as you. Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways—big and small—to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure.

    There are actions that executives, leaders, and workers in any organization can take proactively to protect themselves against cyberattacks, including possible ransomware attacks, during the upcoming holiday season—a time during which offices are often closed, and employees are home with their friends and families. Although neither CISA nor the FBI currently have identified any specific threats, recent 2021 trends show malicious cyber actors launching serious and impactful ransomware attacks during holidays and weekends, including Independence Day and Mother’s Day weekends. CISA and the FBI strongly urge all entities–especially critical infrastructure partners–to examine their current cybersecurity posture and implement best practices and mitigations to manage the risk posed by cyber threats. Specifically, CISA and the FBI urge users and organizations to take the following actions to protect themselves from becoming the next victim:

      • Identify IT security employees for weekends and holidays who would be available to surge during these times in the event of an incident or ransomware attack.
      • Implement multi-factor authentication for remote access and administrative accounts.
      • Mandate strong passwords and ensure they are not reused across multiple accounts.
      • If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored.
      • Remind employees not to click on suspicious links, and conduct exercises to raise awareness.

    Additionally, CISA and the FBI recommend maintaining vigilance against the multiple techniques cybercriminals use to gain access to networks, including:

      • Phishing scams, such as unsolicited emails posing as charitable organizations.
      • Fraudulent sites spoofing reputable businesses—it is possible malicious actors will target sites often visited by users doing their holiday shopping online.
      • Unencrypted financial transactions.

    Finally—to reduce the risk of severe business/functional degradation should your organization fall victim to a ransomware attack—review and, if needed, update your incident response and communication plans. These plans should list actions to take—and contacts to reach out to—should your organization be impacted by a ransomware incident. Note: for assistance, review available incident response guidance, such as the Ransomware Response Checklist in the CISA-MS-ISAC Joint Ransomware Guide, the Public Power Cyber Incident Response Playbook, and the new Federal Government Cybersecurity Incident and Vulnerability Response Playbooks.

    CISA and the FBI urge users and organizations to take these actions immediately to protect themselves against this threat. For a comprehensive overview, see the joint Cybersecurity Advisory Ransomware Awareness for Holidays and Weekends. For more information and resources on protecting against and responding to ransomware, visit StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.

  • Updated: APT Exploitation of ManageEngine ADSelfService Plus Vulnerability
    by CISA on November 19, 2021 at 9:04 pm

    Original release date: November 19, 2021 | Last revised: November 24, 2021
    The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have updated the Joint Cybersecurity Advisory (CSA) published on September 16, 2021, which details the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus—a self-service password management and single sign-on solution. The update provides details on a suite of tools APT actors are using to enable this campaign:

      • Dropper: a dropper trojan that drops the Godzilla webshell on a system
      • Godzilla: a Chinese language web shell
      • NGLite: a backdoor trojan written in Go
      • KdcSponge: a tool that targets undocumented APIs in Microsoft’s implementation of Kerberos for credential exfiltration

    Note: FBI, CISA, and CGCYBER cannot confirm that CVE-2021-40539 is the only vulnerability APT actors are leveraging as part of this activity, so it is key that network defenders focus on detecting the tools listed above in addition to the initial access vector. CISA encourages organizations to review the November 19 update and apply the recommended mitigations. CISA also recommends reviewing the relevant blog posts from Palo Alto Networks, Microsoft, and IBM Security Intelligence.