Category: alerts

CISA is aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against multiple organizations in multiple sectors. These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible.

If you think you or your business is experiencing a DoS or DDoS attack, it is important to contact the appropriate technical professionals for assistance.

• Contact your network administrator to confirm whether the service outage is due to maintenance or an in-house network issue. Network administrators can also monitor network traffic to confirm the presence of an attack, identify the source, and mitigate the situation by applying firewall rules and possibly rerouting traffic through a DoS protection service.
• Contact your internet service provider to ask if there is an outage on their end or if their network is the target of an attack and you are an indirect victim. They may be able to advise you on an appropriate course of action.

Organizations can take proactive steps to reduce the effects of an attack—See the following guidance for more information:

• Understanding and Responding to Distributed Denial-of-Service Attacks
• Additional DDoS Guidance for Federal Agencies

The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2023 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. The CWE Top 25 is calculated by analyzing public vulnerability data in the National Vulnerability Data (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years. These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working. 

The 2023 CWE Top 25 also incorporates updated weakness data for recent CVE records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog (KEV). 

CISA encourages developers and product security response teams to review the CWE Top 25 and evaluate recommended mitigations to determine those most suitable to adopt. Over the coming weeks, the CWE program will be publishing a series of further articles on the CWE Top 25 methodology, vulnerability mapping trends, and other useful information that help illustrate how vulnerability management plays an important role in Shifting the Balance of Cybersecurity Risk.
 

Today, CISA, together with the National Security Agency (NSA), released a Cybersecurity Information Sheet (CSI) to provide recommendations and best practices for organizations to strengthen the security of their CI/CD pipelines against the threat of malicious cyber actors (MCAs).

Recognizing the various types of security threats that could affect CI/CD operations and taking steps to defend against each one is critical in securing a CI/CD environment. Organizations will find in this guide a list of common risks found in CI/CD pipelines and attack surfaces that could be exploited and threaten network security.     

CISA and NSA encourage all organizations to review this CSI and apply the recommended actions.

VMware has released a security update to address multiple memory corruption vulnerabilities in vCenter Server and Cloud Foundation. A cyber threat actor could exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review VMware Security Advisory VMSA-2023-0014 and apply the necessary updates.

CISA has released several documents as part of the Secure Cloud Business Applications (SCuBA) project:

• The Technical Reference Architecture (TRA) document, previously released for public comment on April 19, 2022, is the final version of a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture, and zero trust frameworks. 

• The extensible Visibility Reference Framework (eVRF) guidebook provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps. The guidebook is accompanied by two workbooks: eVRF Google Workspace and eVRF Microsoft 365 and two spreadsheets: eVRF Google Workspace and eVRF Microsoft 365 that detail Google Workspace and Microsoft 365 security controls. 

Visit CISA’s SCuBA project page for more information and to review the guidance documents. Please contact CISA’s Cybersecurity Shared Services Office at CyberSharedServices@cisa.dhs.gov.

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

• High: vulnerabilities with a CVSS base score of 7.0–10.0
• Medium: vulnerabilities with a CVSS base score of 4.0–6.9
• Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

• High: vulnerabilities with a CVSS base score of 7.0–10.0
• Medium: vulnerabilities with a CVSS base score of 4.0–6.9
• Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.