US-Cert Current Activity

CISA released five Industrial Control Systems (ICS) advisories on November 12, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-317-01 Subnet Solutions PowerSYSTEM Center
• ICSA-24-317-02 Hitachi Energy TRO600
• ICSA-24-317-03 Rockwell Automation FactoryTalk View ME
• ICSA-23-306-03 Mitsubishi Electric MELSEC Series (Update A)
• ICSA-23-136-01 Snap One OvrC Cloud (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and international partners released joint Cybersecurity Advisory, 2023 Top Routinely Exploited Vulnerabilities.

This advisory supplies details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors and their associated Common Weakness Enumeration(s) (CWE) to help organizations better understand the impact of exploitation. International partners contributing to this advisory include:

• Australian Signals Directorate’s Australian Cyber Security Centre
• Canadian Centre for Cyber Security
• New Zealand National Cyber Security Centre and New Zealand Computer Emergency Response Team
• United Kingdom’s National Cyber Security Centre

The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory provides vendors, designers, and developers a guide for implementing secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations mitigations. Following this guidance will help reduce the risk of compromise by malicious cyber actors.

Vendors and developers are encouraged to take appropriate steps to provide products that protect their customers’ sensitive data. To learn more about secure by design principles and practices, visit CISA’s Secure by Design.

CISA released three Industrial Control Systems (ICS) advisories on November 7, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-312-01 Beckhoff Automation TwinCAT Package Manager
• ICSA-24-312-02 Delta Electronics DIAScreen
• ICSA-24-312-03 Bosch Rexroth IndraDrive

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-43093 Android Framework Privilege Escalation Vulnerability
• CVE-2024-51567 CyberPanel Incorrect Default Permissions Vulnerability
• CVE-2019-16278 Nostromo nhttpd Directory Traversal Vulnerability
• CVE-2024-5910 Palo Alto Expedition Missing Authentication Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-8957 PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
• CVE-2024-8956 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has received multiple reports of a large-scale spear-phishing campaign targeting organizations in several sectors, including government and information technology (IT). The foreign threat actor, often posing as a trusted entity, is sending spear-phishing emails containing malicious remote desktop protocol (RDP) files to targeted organizations to connect to and access files stored on the target’s network. Once access has been gained, the threat actor may pursue additional activity, such as deploying malicious code to achieve persistent access to the target’s network. 

CISA, government, and industry partners are coordinating, responding, and assessing the impact of this campaign. CISA urges organizations to take proactive measures:

•  Restrict Outbound RDP Connections:
  • It is strongly advised that organizations forbid or significantly restrict outbound RDP connections to external or public networks. This measure is crucial for minimizing exposure to potential cyber threats.
  • Implement a Firewall along with secure policies and access control lists.
• Block RDP Files in Communication Platforms:
  • Organizations should prohibit RDP files from being transmitted through email clients and webmail services. This step helps prevent the accidental execution of malicious RDP configurations.
• Prevent Execution of RDP Files: 
  • Implement controls to block the execution of RDP files by users. This precaution is vital in reducing the risk of exploitation.
• Enable Multi-Factor Authentication (MFA):
  • Multi-factor authentication must be enabled wherever feasible to provide an essential layer of security for remote access.
  • Avoid SMS MFA whenever possible.
• Adopt Phishing-Resistant Authentication Methods:
  • Organizations are encouraged to deploy phishing-resistant authentication solutions, such as FIDO tokens. It is important to avoid SMS-based MFA, as it can be vulnerable to SIM-jacking attacks.
• Implement Conditional Access Policies:
  • Establish Conditional Access Authentication Strength to mandate the use of phishing-resistant authentication methods. This ensures that only authorized users can access sensitive systems.
• Deploy Endpoint Detection and Response (EDR):
  • Organizations should implement Endpoint Detection and Response (EDR) solutions to continuously monitor for and respond to suspicious activities within the network.
• Consider Additional Security Solutions:
  • In conjunction with EDR, organizations should evaluate the deployment of antiphishing and antivirus solutions to bolster their defenses against emerging threats.
• Conduct User Education:
  • Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails.
  • Recognize and Report Phishing: Avoid phishing with these simple tips.
• Hunt For Activity Using Referenced Indicators and TTPs:
  • Utilize all indicators that are released in relevant articles and reporting to search for possible malicious activity within your organization’s network.
  • Search for unexpected and/or unauthorized outbound RDP connections within the last year.

CISA urges users and administrators to remain vigilant against spear-phishing attempts, hunt for any malicious activity, report positive findings to CISA, and review the following articles for more information:

• Microsoft: Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
• AWS Security: Amazon identified internet domains abused by APT29
• The Centre for Cybersecurity Belgium: Warning: Government-themed Phishing with RDP Attachments
• Computer Emergency Response Team of Ukraine: RDP configuration files as a means of obtaining remote access to a computer or "Rogue RDP"

CISA released four Industrial Control Systems (ICS) advisories on October 31, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-305-01 Rockwell Automation FactoryTalk ThinManager
• ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products (Update A)
• ICSA-24-135-04 Mitsubishi Electric Multiple FA Engineering Software Products (Update A)
• ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update B)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Fortinet has updated their security advisory addressing a critical FortiManager vulnerability (CVE-2024-47575) to include additional workarounds and indicators of compromise (IOCs). A remote, unauthenticated cyber threat actor could exploit this vulnerability to gain access to sensitive files or take control of an affected system. At this time, all patches have been released.

CISA previously added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, as confirmed by Fortinet.

CISA strongly encourages users and administrators to apply the necessary updates, hunt for any malicious activity, assess potential risk from service providers, report positive findings to CISA, and review the following articles for additional information: 

• Fortinet Advisory FG-IR-24-423, 
• CISA alert on the Fortinet FortiManager Missing Authentication Vulnerability, 
• Google Threat Intelligence article Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575).

CISA, through the Joint Cyber Defense Collaborative (JCDC), enabled swift, coordinated response and information sharing in the wake of a significant IT outage caused by a CrowdStrike software update. This outage, which impacted government, critical infrastructure, and industry across the globe, led to disruptions in essential services, including air travel, healthcare, and financial operations.

Leveraging its unique ability to bring together public and private sector partners, JCDC facilitated virtual engagements with over 1,000 federal agency representatives. In close collaboration with CrowdStrike, a JCDC partner, CISA provided critical updates, mitigation guidance, and analysis on the potential for malicious exploitation of the outage. This rapid coordination enabled key information to be quickly disseminated across federal networks, helping to expedite mitigation and protect U.S. government systems.

This successful response underscores JCDC’s essential role in uniting industry and government partners to address cyber challenges that could impact national security and resilience. For more information about JCDC’s collaborative efforts, visit the JCDC Success Stories webpage and CISA.gov/JCDC.

Apple released security updates to address vulnerabilities in multiple Apple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.  

CISA encourages users and administrators to review the following advisories and apply necessary updates: 

• iOS 18.1 and iPadOS 18.1

• iOS 17.7.1 and iPadOS 17.7.1

• macOS Sequoia 15.1

• macOS Sonoma 14.7.1

• macOS Ventura 13.7.1

• watchOS 11.1

• tvOS 18.1

• visionOS 2.1

CISA released three Industrial Control Systems (ICS) advisories on October 29, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-303-01 Siemens InterMesh Subscriber Devices
• ICSA-24-303-02 Solar-Log Base 15
• ICSA-24-303-03 Delta Electronics InfraSuite Device Master

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.