Category: alerts

CISA has issued requests for comment on the Secure Software Self-Attestation Form. CISA, in coordination with the Office of Budget and Management (OMB), released proposed guidance on secure software. This guidance seeks to secure software leveraged by the federal government. CISA expects agencies to use this proposed form to reduce the risk to the federal environment, thereby implementing a standardized process for agencies and software producers that will create transparency on the security of software development efforts.
 
Visit CISA.gov/secure-software-attestation-form for more information and to review the document. The comment period is open until June 26, 2023. CISA is specifically requesting insight on the feasibility, clarity, and usefulness of the document. To submit a comment, click the comment box at the top of Regulations.gov. 

CISA released one Industrial Control Systems Medical (ICS) medical advisory on April 27, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review the newly released ICS medical advisory for technical details and mitigations:

• ICSMA-23-117-01 Illumina Universal Copy Service

 CISA has released a new Malware Analysis Report (MAR) on an infostealer known as ICONICSTEALER. This trojan has been identified as a variant of malware used in the supply chain attack against 3CX’s Desktop App.

CISA recommends users and administrators to review the following resources for more information, and hunt for the listed indicators of compromise (IOCs) for potential malicious activity:

• MAR-10435108.r1.v1 – ICONICSTEALER
• Supply Chain Attack Against 3CXDesktopApp

Today, CISA, NSA, FBI, NCSC-UK, ACSC, CCCS and NCSC-NZ released a joint guide: Cybersecurity Best Practices for Smart Cities. 

Smart cities may create safer, more efficient, resilient communities through technological innovation and data-driven decision making. However, this opportunity also introduces potential vulnerabilities and weaknesses that—if exploited—could impact national security, economic security, public health and safety, and critical infrastructure operations.

CISA encourages organizations implement these best practices in alignment with their specific cybersecurity requirements to ensure the safe and secure operation of infrastructure systems, protection of citizen’s private data, and security of sensitive government and business data.
 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2017-6742 Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability 

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

This product is provided subject to this Notification and this Privacy & Use policy.

APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.

Overview and Context

The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to provide details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021.

We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.

Download the UK PDF version of this report:

Download the US PDF version of this report:

Previous Activity

The NCSC has previously attributed the following activity to APT28:

• Cyber attacks against the German parliament in 2015, including data theft and disrupting email accounts of German Members of Parliament (MPs) and the Vice Chancellor
• Attempted attack against the Organization for the Prohibition of Chemical Weapons (OPCW) in April 2018, to disrupt independent analysis of chemicals weaponized by the GRU in the UK

For more information on APT28 activity, see the advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.

As of 2021, APT28 has been observed using commercially available code repositories, and post-exploit frameworks such as Empire. This included the use of PowerShell Empire, in addition to Python versions of Empire.

Reconnaissance

Use of SNMP Protocol to Access Routers

In 2021, APT28 used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide. This included a small number based in Europe, US government institutions and approximately 250 Ukrainian victims.

SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.

A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks.

Weak SNMP community strings, including the default “public,” allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces. [T1078.001]

The compromized routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption and so all data, including community strings, is sent unencrypted.

Exploitation of CVE-2017-6742

APT28 exploited the vulnerability CVE-2017-6742 (Cisco Bug ID: CSCve54313) [T1190]. This vulnerability was first announced by Cisco on 29 June 2017, and patched software was made available. 

Cisco’s published advisory provided workarounds, such as limiting access to SNMP from trusted hosts only, or by disabling a number of SNMP Management Information bases (MIBs).

Malware Deployment

For some of the targeted devices, APT28 actors used an SNMP exploit to deploy malware, as detailed in the NCSC’s Jaguar Tooth Malware Analysis Report. This malware obtained further device information, which is exfiltrated over trivial file transfer protocol (TFTP), and enabled unauthenticated access via a backdoor.

The actor obtained this device information by executing a number of Command Line Interface (CLI) commands via the malware. It includes discovery of other devices on the network by querying the Address Resolution Protocol (ARP) table to obtain MAC addresses. [T1590]

Indicators of Compromise (IoCs)

Please refer to the accompanying Malware Analysis Report for indicators of compromise which may help to detect this activity.

MITRE ATT&CK®

This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

For detailed TTPs, see the Malware Analysis Report.

Tactic	ID	Technique	Procedure
Initial Access	T1190	Exploit Public-facing Application.	APT28 exploited default/well-known community strings in SNMP as outlined in CVE-2017-6742 (Cisco Bug ID: CSCve54313).
Initial Access	T1078.001	Valid Accounts: Default Accounts.	Actors accessed victim routers by using default community strings such as “public.”
Reconnaissance	T1590	Gather Victim Network Information	Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved in available in the MITRE ATT&CK section of the Jaguar Tooth MAR.

Conclusion

APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742 (Cisco Bug ID: CSCve54313) as published by Cisco.

TTPs in this advisory may still be used against vulnerable Cisco devices. Organizations are advised to follow the mitigation advice in this advisory to defend against this activity.

Reporting

UK organizations should report any suspected compromises to the NCSC.
US organisations should contact CISA’s 24/7 Operations Centre at report@cisa.gov or (888) 282-0870.

Mitigation

Mitigation

• Patch devices as advised by Cisco. The NCSC also has general guidance on managing updates and keeping software up to date.
• Do not use SNMP if you are not required to configure or manage devices remotely to prevent unauthorized users from accessing your router.
  • If you are required to manage routers remotely, establish allow and deny lists for SNMP messages to prevent unauthorized users from accessing your router.
• Do not allow unencrypted (i.e., plaintext) management protocols, such as SNMP v2 and Telnet. Where encrypted protocols aren’t possible, you should carry out any management activities from outside the organization through an encrypted virtual private network (VPN), where both ends are mutually authenticated.
• Enforce a strong password policy. Don’t reuse the same password for multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication and implement two-factor authentication based on public-private key.
• Disable legacy unencrypted protocols such as Telnet and SNMP v1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMP v3. Harden the encryption protocols based on current best security practice. The NCSC strongly advises owners and operators to retire and replace legacy devices that can’t be configured to use SNMP v3.
• Use logging tools to record commands executed on your network devices, such as TACACS+ and Syslog. Use these logs to immediately highlight suspicious events and keep a record of events to support an investigation if the device’s integrity is ever in question. See NCSC guidance on monitoring and logging.
• If you suspect your router has been compromised:
  • Follow Cisco’s advice for verifying the Cisco IOS image.
  • Revoke all keys associated with that router. When replacing the router configuration be sure to create new keys rather than pasting from the old configuration.
  • Replace both the ROMMON and Cisco IOS image with an image that has been sourced directly from the Cisco website, in case third party and internal repositories have been compromised.
• NSA’s Network Infrastructure guide provides some best practices for SNMP.
• See also the Cisco IOS hardening guide and Cisco’s Jaguar Tooth blog.

This product is provided subject to this Notification and this Privacy & Use policy.

NCSC, NSA, CISA, and FBI have released a joint advisory to provide details of tactics, techniques, and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021.  By exploiting the vulnerability CVE-2017-6742, APT28 used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide, including routers in Europe, U.S. government institutions, and approximately 250 Ukrainian victims.

CISA encourages personnel to review NCSC’s Jaguar Tooth malware analysis report for detailed TTPs and indicators of compromise which may help detect APT28 activity. For more information on APT28 activity, see the advisories Russian State-sponsored and Criminal Cyber Threats to Critical Infrastructure and Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments, as well as [Titles of the EAD blogs.

This product is provided subject to this Notification and this Privacy & Use policy.

The Internal Revenue Service (IRS) has issued a reminder urging taxpayers to be vigilant and wary of new of tax-related scams. These include phishing and other fraudulent behaviors. The IRS recommends strengthening passwords, remaining vigilant against phishing attempts, and forwarding suspicious emails to phishing@irs.gov.

 

CISA encourages taxpayers to review the IRS Alerts and CISA’s Tips on Avoiding Social Engineering and Phishing Attacks for more information on avoiding tax scams throughout the year, not just during tax season. If you believe you have been a victim of a tax-related scam, visit the IRS webpage on Tax Scams – How to Report Them.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA has released the SBOM Sharing Lifecycle Report to the cybersecurity and supply chain community. The purpose of this report is to enumerate and describe the different parties and phases of the SBOM Sharing Lifecycle and to assist readers in choosing suitable SBOM sharing solutions based on the amount of time, resources, subject-matter expertise, effort, and access to tooling that is available to the reader to implement a phase of the SBOM sharing lifecycle. 

This report also highlights SBOM sharing survey results obtained from interviews with stakeholders to understand the current SBOM sharing landscape.

This product is provided subject to this Notification and this Privacy & Use policy.

Shifting the Balance of Cybersecurity Risk: Security-by-Design and Default Principles serves as a cybersecurity roadmap for manufacturers of technology and associated products. With recommendations in this guide, manufacturers are urged to put cybersecurity first, during the design phase of a product’s development lifecycle, to decrease user risk and provide out-of-the-box user protections by default at no extra charge. 

This guide represents an international effort to reduce exploitable vulnerabilities in technology used by the government and private sector organizations. The authoring agencies are CISA, Federal Bureau of Investigation, National Security Agency, Australian Cyber Security Centre, Canadian Centre for Cyber Security, New Zealand’s Computer Emergency Response Team, United Kingdom’s National Cyber Security Centre, Germany’s Federal Office for Information Security (BSI), and the Netherlands’ National Cyber Security Centre. The authoring agencies recognize the contributions by many private sector partners in advancing Security-by-Design and -Default.

For more information on the importance of product security, see CISA’s blog article The Cost of Unsafe Technology and What We Can Do About It.