Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

04/20/2022 10:00 PM EDT

Original release date: April 20, 2022

The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory (CSA) to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.

Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure, drafted with contributions from industry members of the Joint Cyber Defense Collaborative, provides an overview of Russian state-sponsored advanced persistent threat groups, Russian-aligned cyber threat groups, and Russian-aligned cybercrime groups to help the cybersecurity community protect against possible cyber threats.

U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats by hardening their cyber defenses as recommended in the [joint CSA].

For more information on current and historical Russian-state-sponsored cyber activity and recommended mitigations, see the following CISA webpages: 

This product is provided subject to this Notification and this Privacy & Use policy.

Oracle Releases April 2022 Critical Patch Update

04/19/2022 06:20 PM EDT

Original release date: April 19, 2022

Oracle has released its Critical Patch Update for April 2022 to address 520 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the Oracle April 2022 Critical Patch Update and apply the necessary updates. 

This product is provided subject to this Notification and this Privacy & Use policy.

Guidance on Sharing Cyber Incident Information

04/07/2022 04:53 PM EDT

Original release date: April 7, 2022

CISA’s Sharing Cyber Event Information Fact Sheet provides our stakeholders with clear guidance and information about what to share, who should share, and how to share information about unusual cyber incidents or activity.  

CISA uses this information from partners to build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure sectors. This information fills critical information gaps and allows CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.  Click the fact sheet link to learn more and visit our Shields Up site for useful information.

This product is provided subject to this Notification and this Privacy & Use policy.

Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols

03/15/2022 10:00 AM EDT

Original release date: March 15, 2022

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges. The advisory provides observed tactics, techniques, and procedures, as well as indicators of compromise and mitigations to protect against this threat. 

CISA encourages users and administrators to review AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. For general information on Russian state-sponsored malicious cyber activity, see cisa.gov/Russia. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure, as well as additional mitigation recommendations, see AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and cisa.gov/shields-up.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Insights: Foreign Influence Operations Targeting Critical Infrastructure

02/18/2022 05:23 PM EST

Original release date: February 18, 2022

CISA has released CISA Insights: Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure, which provides proactive steps organizations can take to assess and mitigate risks from information manipulation. Malicious actors may use tactics—such as misinformation, disinformation, and malinformation—to shape public opinion, undermine trust, and amplify division, which can lead to impacts to critical functions and services across multiple sectors.
 
Current social factors—including heightened polarization and the ongoing global pandemic—increase the risk and potency of influence operations to U.S. critical infrastructure. CISA encourages leaders at all organizations to review the CISA Insights and follow the guidance to assess risk and increase resilience.

This product is provided subject to this Notification and this Privacy & Use policy.

Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)

02/08/2022 09:00 AM EST

Original release date: February 8, 2022

On February 8, 2022, SAP released security updates to address vulnerabilities affecting multiple products, including critical vulnerabilities affecting SAP applications using SAP Internet Communication Manager (ICM). SAP applications help organizations manage critical business processes—such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management. Impacted organizations could experience:

  • theft of sensitive data,
  • financial fraud,
  • disruption of mission-critical business processes,
  • ransomware, and
  • halt of all operations.

Additionally, security researchers from Onapsis, in coordination with SAP, released a Threat Report describing SAP ICM critical vulnerabilities, CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. Onapsis also provides an open source tool to identify if a system is vulnerable and needs to be patched.

CISA recommends operators of SAP systems review SAP’s February 2022 Security Updates page, the Onapsis Research Labs Threat Report: SAP ICMAD Vulnerabilities, and the Onapsis GitHub page for more information and apply necessary updates and mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

Oracle Releases January 2022 Critical Patch Update

01/18/2022 08:54 AM EST

Original release date: January 18, 2022

Oracle has released its Critical Patch Update for January 2022 to address 497 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Oracle January 2022 Critical Patch Update and apply the necessary updates. 

This product is provided subject to this Notification and this Privacy & Use policy.

CISA, FBI, and NSA Release Cybersecurity Advisory on Russian Cyber Threats to U.S. Critical Infrastructure

01/11/2022 10:00 AM EST

Original release date: January 11, 2022

CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA) that provides an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques, and procedures. The CSA also provides detection actions, incident response guidance, and mitigations. CISA, the FBI, and NSA are releasing the joint CSA to help the cybersecurity community reduce the risk presented by Russian state-sponsored cyber threats.  

CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness, conduct proactive threat hunting, and implement the mitigations identified in the joint CSA. CISA recommends network defenders review CISA’s Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. CISA recommends critical infrastructure leaders review CISA Insights: Preparing For and Mitigating Potential Cyber Threats for steps to proactively strengthen their organization’s operational resiliency against sophisticated threat actors, including nation-states and their proxies. 

This product is provided subject to this Notification and this Privacy & Use policy.

Immediate Steps to Strengthen Critical Infrastructure against Potential Cyberattacks

12/15/2021 08:10 AM EST

Original release date: December 15, 2021

In light of persistent and ongoing cyber threats, CISA urges critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential cyberattacks. CISA has released CISA Insights: Preparing For and Mitigating Potential Cyber Threats to provide critical infrastructure leaders with steps to proactively strengthen their organization’s operational resiliency against sophisticated threat actors, including nation-states and their proxies.

CISA encourages leadership at all organizations—and critical infrastructure owners and operators in particular—to review the CISA Insights and adopt a heighted state of awareness.

This product is provided subject to this Notification and this Privacy & Use policy.

Reminder for Critical Infrastructure to Stay Vigilant Against Threats During Holidays and Weekends

11/22/2021 10:00 AM EST

Original release date: November 22, 2021

As Americans prepare to hit the highways and airports this Thanksgiving holiday, CISA and the Federal Bureau of Investigation (FBI) are reminding critical infrastructure partners that malicious cyber actors aren’t making the same holiday plans as you. Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways—big and small—to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure. 

There are actions that executives, leaders, and workers in any organization can take proactively to protect themselves against cyberattacks, including possible ransomware attacks, during the upcoming holiday season—a time during which offices are often closed, and employees are home with their friends and families. Although neither CISA nor the FBI currently have identified any specific threats, recent 2021 trends show malicious cyber actors launching serious and impactful ransomware attacks during holidays and weekends, including Independence Day and Mother’s Day weekends.

CISA and the FBI strongly urge all entities–especially critical infrastructure partners–to examine their current cybersecurity posture and implement best practices and mitigations to manage the risk posed by cyber threats. Specifically, CISA and the FBI urge users and organizations to take the following actions to protect themselves from becoming the next victim:

  • Identify IT security employees for weekends and holidays who would be available to surge during these times in the event of an incident or ransomware attack. 
  • Implement multi-factor authentication for remote access and administrative accounts.
  • Mandate strong passwords and ensure they are not reused across multiple accounts. 
  • If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored. 
  • Remind employees not to click on suspicious links, and conduct exercises to raise awareness. 

Additionally, CISA and the FBI recommend maintaining vigilance against the multiple techniques cybercriminals use to gain access to networks, including:

Finally—to reduce the risk of severe business/functional degradation should your organization fall victim to a ransomware attack—review and, if needed, update your incident response and communication plans. These plans should list actions to take—and contacts to reach out to—should your organization be impacted by a ransomware incident. Note: for assistance, review available incident response guidance, such as the Ransomware Response Checklist in the CISA-MS-ISAC Joint Ransomware Guide, the Public Power Cyber Incident Response Playbook, and the new Federal Government Cybersecurity Incident and Vulnerability Response Playbooks.

CISA and the FBI urge users and organizations to take these actions immediately to protect themselves against this threat. For a comprehensive overview, see the joint Cybersecurity Advisory Ransomware Awareness for Holidays and Weekends. For more information and resources on protecting against and responding to ransomware, visit StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.

This product is provided subject to this Notification and this Privacy & Use policy.