Iranian Islamic Revolutionary Guard Corps Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations

09/14/2022 10:33 AM EDT

Original release date: September 14, 2022

CISA, Federal Bureau of Investigation (FBI), National Security Agency (NSA), U.S. Cyber Command (USCC) – Cyber National Mission Force (CNMF), Department of the Treasury, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC) have released a joint Cybersecurity Advisory (CSA), Iranian Islamic Revolutionary Guard Corps Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations. This advisory updates previous joint reporting from November 2021, to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies now assess are associated with the Iranian Islamic Revolutionary Guard Corps (IRGC).

The authoring agencies urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:

  • Patch all systems and prioritize remediating known exploited vulnerabilities.
  • Enforce multifactor authentication (MFA).
  • Secure Remote Desktop Protocol (RDP) and other risky services.
  • Make offline backups of your data.

See Iranian Islamic Revolutionary Guard Corps Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations and joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities for information on these Iranian government-sponsored APT actors’ tactics and techniques, indicators of compromise, and recommended mitigations. Additionally, review StopRansomware.gov for more guidance on ransomware protection, detection, and response.

For more information on state-sponsored Iranian malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Updates Advisory on Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite

08/22/2022 10:59 AM EDT

Original release date: August 22, 2022

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have updated joint Cybersecurity Advisory AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite, originally released August 16, 2022. The advisory has been updated to include additional detection signatures.

CISA encourages organizations to review the latest update to AA22-228A and apply the recommended mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

Threat Actors Exploiting Multiple Vulnerabilities Against Zimbra Collaboration Suite

08/16/2022 11:10 AM EDT

Original release date: August 16, 2022

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have released a joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple vulnerabilities against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. 

CISA and MS-ISAC encourage users and administrators review Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite for more information and apply the recommended mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

Threat Actors Exploiting F5 BIG IP CVE1388

05/18/2022 09:00 AM EDT

Original release date: May 18, 2022

CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released the joint Cybersecurity Advisory Threat Actors Exploiting F5 BIG-IP CVE-2022-1388 in response to active exploitation of CVE-2022-1388, which affects F5 Networks BIG-IP devices. The vulnerability allows an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses.

CISA encourages users and administrators to review the joint advisory for detection methods and mitigations, which include updating F5 BIG-IP software, or, if unable to immediately update, applying temporary workarounds.  

This product is provided subject to this Notification and this Privacy & Use policy.

FBI-CISA-CGCYBER Advisory on APT Exploitation of ManageEngine ADSelfService Plus Vulnerability

09/16/2021 12:14 PM EDT

Original release date: September 16, 2021

The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have released a Joint Cybersecurity Advisory (CSA) detailing the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus—a self-service password management and single sign-on solution. The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. The exploitation of this vulnerability poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.

CISA strongly encourages users and administrators to review Joint FBI-CISA-CGCYBER CSA: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus and immediately implement the recommended mitigations, which include updating to ManageEngine ADSelfService Plus build 6114.

This product is provided subject to this Notification and this Privacy & Use policy.