Broadcom Software Discloses APT Actors Deploying Daxin Malware in Global Espionage Campaign

02/28/2022 10:01 AM EST

Original release date: February 28, 2022

Broadcom Software—an industry member of CISA’s Joint Cyber Defense Collaborative (JCDC)—uncovers an advanced persistent threat (APT) campaign against select governments and other critical infrastructure targets in a publication titled Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks. The Symantec Threat Hunter team, part of Broadcom Software, worked with CISA to engage with multiple governments targeted with Daxin malware and assisted in detection and remediation.

Daxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command and control (C2) functionality that enabled remote actors to communicate with secured devices not connected directly to the internet. Daxin appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions.  

CISA urges organizations to review Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks for more information and for a list of indicators of compromise that may aid in the detection of this activity.

Report incidents related to this activity to CISA and/or the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Releases Advisory on Destructive Malware Targeting Organizations in Ukraine

02/26/2022 10:00 AM EST

Original release date: February 26, 2022

CISA and the Federal Bureau of Investigation have released an advisory on destructive malware targeting organizations in Ukraine. The advisory also provides recommendations and strategies to prepare for and respond to destructive malware. 

Additionally, CISA has created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage includes technical resources from partners to assist organizations against these threats. 

CISA recommends organizations review Destructive Malware Targeting Organizations in Ukraine and Shields Up Technical Guidance webpage for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Adds Four Known Exploited Vulnerabilities to Catalog

02/25/2022 02:05 PM EST

Original release date: February 25, 2022

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.

CVE ID Vulnerability Name Due Date
CVE-2022-24682 Zimbra Webmail Cross-Site Scripting Vulnerability 3/11/2022
CVE-2017-8570 Microsoft Office Remote Code Execution 8/25/2022
CVE-2017-0222 Microsoft Internet Explorer Remote Code Execution 8/25/2022
CVE-2014-6352 Microsoft Windows Code Injection Vulnerability 8/25/2022

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the specified criteria.

This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Update for Mozilla VPN

02/25/2022 06:59 AM EST

Original release date: February 25, 2022

Mozilla has released a security update to address a vulnerability in Mozilla VPN. An attacker could exploit this vulnerability to take control of an affected system.  

CISA encourages users and administrators to review Mozilla Foundation Security Advisory 2022-08 and make the necessary update.

This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates for Multiple Products

02/24/2022 07:05 AM EST

Original release date: February 24, 2022

Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit one of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates:

This product is provided subject to this Notification and this Privacy & Use policy.

Iranian Government-Sponsored MuddyWater Actors Conducting Malicious Cyber Operations

02/24/2022 11:00 AM EST

Original release date: February 24, 2022

CISA, the Federal Bureau of Investigation (FBI), U.S. Cyber Command Cyber National Mission Force (CNMF), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) have issued a joint Cybersecurity Advisory (CSA) detailing malicious cyber operations by Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater. 

MuddyWater is conducting cyber espionage and other malicious cyber operations as part of Iran’s Ministry of Intelligence and Security (MOIS), targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. 

CISA encourages users and administrators to review the joint CSA: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. For additional information on Iranian cyber threats, see CISA’s Iran Cyber Threat Overview and Advisories webpage.

This product is provided subject to this Notification and this Privacy & Use policy.

New Sandworm Malware Cyclops Blink Replaces VPNFilter

02/23/2022 10:00 AM EST

Original release date: February 23, 2022

The United Kingdom’s National Cyber Security Centre, CISA, the National Security Agency, and the Federal Bureau of Investigation have released a joint Cybersecurity Advisory (CSA) reporting that the malicious cyber actor known as Sandworm or Voodoo Bear is using new malware, referred to as Cyclops Blink. Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office routers and network-attached storage devices.

CISA encourages users and administrators to review joint CSA: New Sandworm Malware Cyclops Blink Replaces VPNFilter for additional technical details and mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Adds Two Known Exploited Vulnerabilities to Catalog

02/22/2022 04:50 PM EST

Original release date: February 22, 2022

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.

CVE ID Vulnerability Name Due Date
CVE-2022-23131 Zabbix Frontend Authentication Bypass Vulnerability 3/8/2022
CVE-2022-23134 Zabbix Frontend Improper Access Control Vulnerability 3/8/2022

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the specified criteria.

This product is provided subject to this Notification and this Privacy & Use policy.