Mitigating Log4Shell and Other Log4j-Related Vulnerabilities

Original release date: December 22, 2021

CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory in response to multiple vulnerabilities in Apache’s Log4j software library. Malicious cyber actors are actively scanning networks to potentially exploit CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.

This advisory expands on CISA’s previously published guidance, drafted in collaboration with industry members of CISA’s Joint Cyber Defense Collaborative (JCDC), by detailing recommended steps that vendors and organizations with information technology, operational technology/industrial control systems, and cloud assets should take to respond to these vulnerabilities.

CISA, FBI, NSA, the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) assess that exploitation of these vulnerabilities, especially Log4Shell, is likely to increase and continue over an extended period. CISA and its partners strongly urge all organizations to review AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities for detailed mitigations.

Reminder for Critical Infrastructure to Stay Vigilant Against Threats During Holidays and Weekends

11/22/2021 10:00 AM EST

Original release date: November 22, 2021

As Americans prepare to hit the highways and airports this Thanksgiving holiday, CISA and the Federal Bureau of Investigation (FBI) are reminding critical infrastructure partners that malicious cyber actors aren’t making the same holiday plans as you. Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways—big and small—to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure. 

There are actions that executives, leaders, and workers in any organization can take proactively to protect themselves against cyberattacks, including possible ransomware attacks, during the upcoming holiday season—a time during which offices are often closed, and employees are home with their friends and families. Although neither CISA nor the FBI currently have identified any specific threats, recent 2021 trends show malicious cyber actors launching serious and impactful ransomware attacks during holidays and weekends, including Independence Day and Mother’s Day weekends.

CISA and the FBI strongly urge all entities–especially critical infrastructure partners–to examine their current cybersecurity posture and implement best practices and mitigations to manage the risk posed by cyber threats. Specifically, CISA and the FBI urge users and organizations to take the following actions to protect themselves from becoming the next victim:

  • Identify IT security employees for weekends and holidays who would be available to surge during these times in the event of an incident or ransomware attack. 
  • Implement multi-factor authentication for remote access and administrative accounts.
  • Mandate strong passwords and ensure they are not reused across multiple accounts. 
  • If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored. 
  • Remind employees not to click on suspicious links, and conduct exercises to raise awareness. 

Additionally, CISA and the FBI recommend maintaining vigilance against the multiple techniques cybercriminals use to gain access to networks, including:

Finally—to reduce the risk of severe business/functional degradation should your organization fall victim to a ransomware attack—review and, if needed, update your incident response and communication plans. These plans should list actions to take—and contacts to reach out to—should your organization be impacted by a ransomware incident. Note: for assistance, review available incident response guidance, such as the Ransomware Response Checklist in the CISA-MS-ISAC Joint Ransomware Guide, the Public Power Cyber Incident Response Playbook, and the new Federal Government Cybersecurity Incident and Vulnerability Response Playbooks.

CISA and the FBI urge users and organizations to take these actions immediately to protect themselves against this threat. For a comprehensive overview, see the joint Cybersecurity Advisory Ransomware Awareness for Holidays and Weekends. For more information and resources on protecting against and responding to ransomware, visit StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.

This product is provided subject to this Notification and this Privacy & Use policy.

New Federal Government Cybersecurity Incident and Vulnerability Response Playbooks

11/16/2021 07:42 AM EST

Original release date: November 16, 2021

The White House, via Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, tasked CISA, as the operational lead for federal cybersecurity, to “develop a standard set of operational procedures (i.e., playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity” for federal civilian agency information systems. In response, today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.  
 
FCEB agencies should use the playbooks to shape their overall defensive cyber operations. The playbooks apply to information systems used or operated by an FCEB agency, a contractor of the agency, or another organization on behalf of the agency. CISA encourages agencies to review the playbooks and CISA’s webpage on EO 14028 for more information.  
 
Although CISA created the playbooks for FCEB agencies, we encourage critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review them to benchmark their own vulnerability and incident response practices.

This product is provided subject to this Notification and this Privacy & Use policy.