Alerts 2021
December 22, 2021 - CISA
Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to provide mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library: CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105. Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.
December 17, 2021 - FBI
APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central
Abstract
Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers. The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.
December 17, 2021 - CISA
VMware Releases Security Advisory
Abstract
VMware has released a security advisory to address a vulnerability in Workspace ONE UEM console. An attacker could exploit this vulnerability to obtain sensitive information.
December 15, 2021 - CISA
PREPARING FOR AND MITIGATING POTENTIAL CYBER THREATS
Abstract
In the lead up to the holidays and in light of persistent and ongoing cyber threats, CISA urges critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential malicious cyber attacks. Sophisticated threat actors, including nation-states and their proxies, have demonstrated capabilities to compromise networks and develop long-term persistence mechanisms. These actors have also demonstrated capability to leverage this access for targeted operations against critical infrastructure with potential to disrupt National Critical Functions.
December 14, 2021 - CISA
Apache Log4j Vulnerability Guidance
Abstract
CISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell" and "Logjam." Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.
December 10, 2021 - CISA
CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog
Abstract
CISA has added thirteen new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
December 2, 2021 - FBI
Indicators of Compromise Associated with Cuba Ransomware
Abstract
The FBI has identified, as of early November 2021, that Cuba ransomware actors have compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors.
December 2, 2021 - CISA
Hitachi Energy RTU500 series BCI
Abstract
CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: RTU500 series Bidirectional Communication Interface (BCI)
Vulnerability: Improper Input Validation
December 1, 2021 - CISA
KNOWN EXPLOITED VULNERABILITIES CATALOG
Abstract
KNOWN EXPLOITED VULNERABILITIES CATALOG
November 24, 2021 - FBI
HOLIDAY SCAMMERS TAKE ADVANTAGE OF ONLINE SHOPPERS
Abstract
The FBI warns of cyber criminals targeting shoppers hoping to take advantage of online bargains and hard-to-find gift items for the holidays.
November 23, 2021 - FBI
Cyber Criminals Likely Developing and Selling Scamming Tools to Harvest Credentials of Brand-Name Consumers
Abstract
The Federal Bureau of Investigation (FBI) is releasing this PSA to inform the public of recent spear phishing email campaigns targeting consumers of brand-name companies, also known as brand-phishing, through their online User IDs and associated email accounts.
November 22, 2021 - CISA, FBI
Reminder for Critical Infrastructure to Stay Vigilant Against Threats During Holidays and Weekends
Abstract
As Americans prepare to hit the highways and airports this Thanksgiving holiday, CISA and the Federal Bureau of Investigation (FBI) are reminding critical infrastructure partners that malicious cyber actors aren’t making the same holiday plans as you.
November 19, 2021 - SEC
Beware of Communications Falsely Appearing to Come from the SEC – Investor Alert
Abstract
We are aware that several individuals recently received phone calls or voicemail messages that appeared to be from an SEC phone number. The calls and messages raised purported concerns about unauthorized transactions or other suspicious activity in the recipients’ checking or cryptocurrency accounts.
November 17, 2021 - FBI, CISA, ACSC, and NCSC
Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
Abstract
This joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran.
November 16, 2021 - FBI
An APT Group Exploiting a 0-day in FatPipe WARP, MPVPN, and IPVPN Software
Abstract
As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN® device software going back to at least May 2021.
November 11, 2021 - FBI
FBI: Iranian threat actor trying to acquire leaked data on US organizations
Abstract
The US Federal Bureau of Investigation says that a threat actor known to be associated with Iran is currently seeking to acquire data from organizations across the globe, including US targets.
November 4, 2021 - FBI
The FBI Warns of Fraudulent Schemes Leveraging Cryptocurrency ATMs and QR Codes to Facilitate Payment
Abstract
The FBI warns the public of fraudulent schemes leveraging cryptocurrency ATMs and Quick Response (QR) codes to facilitate payment. The FBI has seen an increase in scammers directing victims to use physical cryptocurrency ATMs and digital QR codes to complete payment transactions.
November 4, 2021 - CISA
KNOWN EXPLOITED VULNERABILITIES CATALOG
Abstract
KNOWN EXPLOITED VULNERABILITIES CATALOG
November 4, 2021 - CISA
BrakTooth Proof of Concept Tool Demonstrates Bluetooth Vulnerabilities
Abstract
On November 1, 2021, researchers publicly released a BrakTooth proof-of-concept (PoC) tool to test Bluetooth-enabled devices against potential Bluetooth exploits using the researchers’ software tools.
November 2, 2021 - FBI
ELECTION SECURITY RUMOR VS. REALITY
Abstract
Mis- and disinformation can undermine public confidence in the electoral process, as well as in our democracy. Elections are administered by state and local officials who implement numerous safeguards to protect the security of your vote pursuant to various state and federal laws and processes.
November 1, 2021 - FBI
Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims
Abstract
The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.
October 30, 2021 - MITRE, CISA
MITRE and CISA publish the 2021 list of most common hardware weaknesses
Abstract
The 2021 CWE™ Most Important Hardware Weaknesses is the first of its kind and the result of collaboration within the Hardware CWE Special Interest Group (SIG), a community forum for individuals representing organizations within hardware design, manufacturing, research, and security domains, as well as academia and government.
October 28, 2021 - FBI
Tactics, Techniques, and Indicators of Compromise Associated
Abstract
The FBI first observed Hello Kitty/FiveHands ransomware in January 2021. Hello Kitty/FiveHands actors aggressively apply pressure to victims, typically using the double extortion technique.
October 25, 2021 - CISA, NSA
POTENTIAL THREAT VECTORS TO 5G INFRASTRUCTURE
Abstract
CISA, in coordination with the National Security Agency, and the Office of the Director of National Intelligence, as part of the Enduring Security Framework (ESF)—a cross-sector, public-private working group—released a Potential Threat Vectors to 5G Infrastructure paper. This paper identifies and assesses risks and vulnerabilities introduced by 5G.
October 25, 2021 - FBI
Indicators of Compromise Associated with Ranzy Locker Ransomware
Abstract
The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector.
October 24, 2021 - CISA
Critical RCE Vulnerability in Discourse
Abstract
Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.
October 18, 2021 - CISA, FBI, NSA
BlackMatter Ransomware
Abstract
Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.
October 15, 2021 - FBI
Cyber Criminals Using Spoofed Unemployment Benefit Websites to Defraud US Public
Abstract
Cyber criminals have created these spoofed websites to collect personal and financial data from US victims. These spoofed websites imitate the appearance of and can be easily mistaken for legitimate websites offering unemployment benefits.
October 14, 2021 - FBI, CISA, EPA, NSA
Ongoing Cyber Threats to U.S. Water and Wastewater Systems
Abstract
This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities.
October 7, 2021 - NSA
Avoid Dangers of Wildcard TLS Certificates, the ALPACA Technique
Abstract
FORT MEADE, Md. — NSA released the Cybersecurity Information Sheet, “Avoid Dangers of Wildcard TLS Certificates and the ALPACA Technique” today, warning network administrators about the risks of using poorly scoped wildcard Transport Layer Security (TLS) certificates. NSA recommends several actions web administrators should take to keep their servers secure. This guidance also outlines the risks of falling victim to a web application exploitation method called Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA), which malicious cyber actors can use to access sensitive information.
September 28, 2021 - CISA
CISA RELEASES NEW TOOL TO HELP ORGANIZATIONS GUARD AGAINST INSIDER THREATS
Abstract
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) released an Insider Risk Mitigation Self-Assessment Tool today, which assists public and private sector organizations in assessing their vulnerability to an insider threat. By answering a series of questions, users receive feedback they can use to gauge their risk posture. The tool will also help users further understand the nature of insider threats and take steps to create their own prevention and mitigation programs.
September 23, 2021 - CISA
ELECTION SECURITY RUMOR VS. REALITY
Abstract
Mis- and disinformation can undermine public confidence in the electoral process, as well as in our democracy. Elections are administered by state and local officials who implement numerous safeguards to protect the security of your vote pursuant to various state and federal laws and processes. This resource is designed to debunk common misinformation and disinformation narratives and themes that relate broadly to the security of election infrastructure and related processes.
September 22, 2021 - NSA, CISA
NSA, CISA Release Guidance on Selecting and Hardening Remote Access VPNs
Abstract
FORT MEADE, Md. – The National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Information Sheet today detailing factors to consider when choosing a virtual private network (VPN) and top configurations for deploying it securely. “Selecting and Hardening Remote Access VPN Solutions” also will help leaders in the Department of Defense, National Security Systems and the Defense Industrial Base better understand the risks associated with VPNs.
September 22, 2021 - FBI, CISA, NSA
Conti Ransomware
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. (See FBI Flash: Conti Ransomware Attacks Impact Healthcare and First Responder Networks.) In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.
September 16, 2021 - FBI
Scammers Defraud Victims of Millions of Dollars in New Trend in Romance Scams
Abstract
The FBI warns of a rising trend in which scammers are defrauding victims via online romance scams, persuading individuals to send money to allegedly invest or trade cryptocurrency. From January 1, 2021 to July 31, 2021, the FBI Internet Crime Complaint Center (IC3) received over 1,800 complaints related to online romance scams, resulting in losses of approximately $133,400,000.
September 16, 2021 - CISA, FBI
APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus
Abstract
This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus—a self-service password management and single sign-on solution.
September 15, 2021 - FTC
On Breaches by Health Apps and Other Connected Devices
Abstract
In recognition of the proliferation of apps and connected devices that capture sensitive health data, the Federal Trade Commission is providing this Policy Statement to offer guidance on the scope of the FTC’s Health Breach Notification Rule, 16 C.F.R. Part 318 (“the Rule”).
September 13, 2021 - FTC
How to spot extortion scams on LGBTQ+ dating apps
Abstract
We’re hearing about scams targeting people on LGBTQ+ dating apps, like Grindr and Feeld. And they aren’t your typical I-love-you, please-send-money romance scams. They’re extortion scams.
September 7, 2021 - SEC
Zoho Releases Security Update for ADSelfService Plus
Abstract
Zoho has released a security update on a vulnerability (CVE-2021-40539) affecting ManageEngine ADSelfService Plus builds 6113 and below. CVE-2021-40539 has been detected in exploits in the wild.
September 3, 2021 - SEC
Be on the Lookout for Investment Scams Related to Hurricane Ida
Abstract
The SEC’s Office of Investor Education and Advocacy is issuing this Investor Alert to help educate investors, including individuals who may receive lump sum payouts from insurance companies and others as a result of damage from Hurricane Ida, about investment scams.
September 3, 2021 - CISA
Atlassian Releases Security Updates for Confluence Server and Data Center
Abstract
On August 25, 2021, Atlassian released security updates to address a remote code execution vulnerability (CVE-2021-26084) affecting Confluence Server and Data Center. Recently, CVE-2021-26084 has been detected in exploits in the wild.
September 2, 2021 - FBI
FBI Warns about an Increase in Sextortion Complaints
Abstract
The FBI Internet Crime Complaint Center (IC3) warns about a large increase in the number of sextortion complaints. Sextortion occurs when someone threatens to distribute your private and sensitive material if their demands are not met.
September 2, 2021 - CISA
Cisco Releases Security Updates for Cisco Enterprise NFVIS
Abstract
Cisco has released security updates to address a critical vulnerability affecting Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS) Release 4.5.1. A remote attacker could exploit this vulnerability to take control of an affected system.
September 1, 2021 - FBI
Cyber Criminal Actors Targeting the Food and Agriculture Sector with Ransomware Attacks
Abstract
Ransomware attacks targeting the Food and Agriculture sector disrupt operations, cause financial loss, and negatively impact the food supply chain.
August 31, 2021 - CISA
Ransomware Awareness for Holidays and Weekends
Abstract
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021.
August 30, 2021 - CISA
CISA Adds Single-Factor Authentication to list of Bad Practices
Abstract
Today, CISA added the use of single-factor authentication for remote or administrative access systems to our Bad Practices list of exceptionally risky cybersecurity practices. Single-factor authentication is a common low-security method of authentication. It only requires matching one factor—such as a password—to a username to gain access to a system.
August 27, 2021 - CISA
Microsoft Azure Cosmos DB Guidance
Abstract
CISA is aware of a misconfiguration vulnerability in Microsoft’s Azure Cosmos DB that may have exposed customer data. The misconfiguration has been fixed within the Azure cloud, and Microsoft has notified the customers who potentially would have been impacted.
August 25, 2021 - FBI
Indicators of Compromise Associated with Hive Ransomware
Abstract
Hive ransomware, which was first observed in June 2021 and likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.
August 24, 2021 - CISA
Exploitation of Pulse Connect Secure Vulnerabilities
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises affecting a number of U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related to vulnerabilities in certain Ivanti Pulse Connect Secure products.
August 23, 2021 - FBI
Indicators of Compromise Associated with OnePercent Group Ransomware
Abstract
The FBI has learned of a cyber-criminal group that self-identifies as the “OnePercent Group” and has used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020.
August 21, 2021 - CSA
Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities
Abstract
Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine.
August 18, 2021 - CSA
Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches
Abstract
Over the past several years, the Cybersecurity and Infrastructure Security Agency (CISA) and our partners have responded to a significant number of ransomware incidents, including recent attacks against a U.S. pipeline company and a U.S. software company, which affected managed service providers (MSPs) and their downstream customers.
August 17, 2021 - FBI
BadAlloc Vulnerability Affecting BlackBerry QNX RTOS
Abstract
On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability—CVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries.
August 17, 2021 - FBI
Cyber Actors Conduct Credential Stuffing Attacks Against US Financial Sector
Abstract
Since 2017, the FBI has received numerous reports on credential stuffing attacks against US financial institutions, collectively detailing nearly 50,000 account compromises. The victims included banks, financial services providers, insurance companies, and investment. During this timeframe, the FBI noted many reports on attacks targeting application programming interfaces (APIs), which are less likely to require multi-factor authentication (MFA). The attackers masqueraded as legitimate account holders and bank employees to submit fraudulent transactions, including money transfers, bill payments, and credit card reward points purchases. Credential stuffing also caused losses from business costs associated with customer notification, system downtime, and remediation.
August 3, 2021 - NSA, CISA
NSA, CISA release Kubernetes Hardening Guidance
Abstract
FORT MEADE, Md. – The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, “Kubernetes Hardening Guidance,” today. This report details threats to Kubernetes environments and provides configuration guidance to minimize risk.
July 29, 2021 - NIST
Artificial Intelligence Risk Management Framework
Abstract
The National Institute of Standards and Technology (NIST) is developing a framework that can be used to improve the management of risks to individuals, organizations, and society associated with artificial intelligence (AI).
July 29, 2021 - DHS
CISA ANNOUNCES NEW VULNERABILITY DISCLOSURE POLICY (VDP) PLATFORM
Abstract
Last fall, we issued the final version of Binding Operational Directive (BOD 20-01), which was issued in support of the Office of Management and Budget M-20-32, “Improving Vulnerability Identification, Management, and Remediation”.
July 28, 2021 - DHS
Top Routinely Exploited Vulnerabilities
Abstract
This advisory provides details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.
July 27, 2021 - DHS
Fraudsters Posing as Brokers or Investment Advisers – Investor Alert
Abstract
Fraudsters may falsely claim to be registered with the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA) or a state securities regulator in order to lure investors into scams, or even impersonate real investment professionals who actually are registered with these organizations.
July 21, 2021 - DHS
Exploitation of Pulse Connect Secure Vulnerabilities
Abstract
On March 31, 2021, Ivanti released the Pulse Secure Connect Integrity Tool to detect the integrity of Pulse Connect Secure appliances. Their technical bulletin states ...
July 21, 2021 - DHS
Malware Targeting Pulse Secure Devices
Abstract
As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed 13 malware samples related to exploited Pulse Secure devices.
July 19, 2021 - FBI
Potential for Malicious Cyber Activities to Disrupt the 2020 Tokyo Summer Olympics
Abstract
The FBI is warning entities associated with the Tokyo 2020 Summer Olympics that cyber actors who wish to disrupt the event could use distributed denial of service (DDoS) attacks ...
July 13, 2021 - DHS
Mitigate Windows Print Spooler Service Vulnerability
Abstract
CISA has become aware of active exploitation, by multiple threat actors, of a vulnerability (CVE-2021-34527) in the Microsoft Windows Print Spooler service. Exploitation of the vulnerability allows an attacker to remotely execute code with system level privileges, enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization.
July 3, 2021 - CISA
FBI Statement on Kaseya Ransomware Attack
Abstract
The FBI is investigating this situation and working with Kaseya, in coordination with CISA, to conduct outreach to possibly impacted victims.
July 2, 2021 - CISA
PrintNightmare, Critical Windows Print Spooler Vulnerability
Abstract
CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print.
July 2021 - NSA
Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments
Abstract
CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print.
June 30, 2021 - CISA
CISA’s CSET Tool Sets Sights on Ransomware Threat
Abstract
CISA has released a new module in its Cyber Security Evaluation Tool (CSET): the Ransomware Readiness Assessment (RRA).
June 15, 2021 - CISA
ICS Advisory (ICSA-21-166-01) ThroughTek P2P SDK
Abstract
ThroughTek supplies multiple original equipment manufacturers of IP cameras with P2P connections as part of its cloud platform. Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds.
June 9, 2021 - CISA
CISA Fact Sheet: Rising Ransomware Threat to OT Assets
Abstract
In recent months, ransomware attacks targeting critical infrastructure have demonstrated the rising threat of ransomware to operational technology (OT) assets and control systems.
May 27, 2021 - CISA
APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity
Abstract
The FBI is continuing to warn about Advanced Persistent Threat (APT) actors exploiting Fortinet vulnerabilities. As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government. The APT actors likely created an account with the username “elie” to further enable malicious activity on the network.
May 20, 2021 - CISA
Conti Ransomware Attacks Impact Healthcare and First Responder Networks
Abstract
The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year.
May 11, 2021 - CISA
DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity—a pipeline company—in the United States. Malicious cyber actors deployed DarkSide ransomware against the pipeline company’s information technology (IT) network.[1] At this time, there is no indication that the entity’s operational technology (OT) networks have been directly affected by the ransomware.
May 6, 2021 - CISA
FiveHands Ransomware
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a recent successful cyberattack against an organization using a new ransomware variant, which CISA refers to as FiveHands. Threat actors used publicly available penetration testing and exploitation tools, FiveHands ransomware, and SombRAT remote access trojan (RAT), to steal information, obfuscate files, and demand a ransom from the victim organization. Additionally, the threat actors used publicly available tools for network discovery and credential access.
April 29, 2021 - NSA
Stop Malicious Cyber Activity Against Connected Operational Technology
Abstract
A significant shift in how operational technologies (OT) are viewed, evaluated, and secured within the U.S. is needed to prevent malicious cyber actors (MCA) from executing successful, and potentially damaging, cyber effects. As OT components continue being connected to information technology (IT), IT exploitation increasingly can serve as a pivot to OT destructive effects. Recent adversarial exploitation of IT management software and its supply chain has resulted in publicly documented impacts across the U.S. Government (USG) and the Defense Industrial Base (DIB). Malicious cyber activities directed at OT also continue to threaten these networks.
April 29, 2021 - CISA
ISC Releases Security Advisory for BIND
Abstract
The Internet Systems Consortium (ISC) has released a security advisory that addresses a vulnerability affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit this vulnerability to take control of an affected system.
April 26, 2021 - FBI, DHS, CISA
FBI-DHS-CISA Joint Advisory on Russian Foreign Intelligence Service Cyber Operations
Abstract
The Federal Bureau of Investigation (FBI), Department of Homeland Security, and CISA have released a Joint Cybersecurity Advisory (CSA) addressing Russian Foreign Intelligence Service (SVR) cyber actors’—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium—continued targeting of U.S. and foreign entities. The SVR activity—which includes the recent SolarWinds Orion supply chain compromise—primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.
April 22, 2021 - CISA
Mitsubishi Electric GOT
Abstract
A password authentication bypass vulnerability exists in the VNC function of the GOT2000 series and the GOT SIMPLE series due to improper authentication.
April 22, 2021 - CISA
Horner Automation Cscape
Abstract
The affected application lacks proper validation of user-supplied data when parsing project files. This could lead to memory corruption. An attacker could leverage this vulnerability to execute code in the context of the current process.
April 20, 2021 - CISA
CISA ISSUES EMERGENCY DIRECTIVE REQUIRING FEDERAL AGENCIES TO CHECK PULSE CONNECT SECURE PRODUCTS
Abstract
WASHINGTON — The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 21-03 today requiring federal civilian departments and agencies running Pulse Connect Secure products to assess and mitigate any anomalous activity or active exploitation detected on their networks. All affected agencies are required to use the Pulse Connect Secure Integrity Tool to check the integrity of their file systems, and if mismatches or new files are found, they must take mitigation actions and contact CISA for potential incident response activities.April 15, 2021 - NSA, CISA, FBI
Russian SVR Targets U.S. and Allied Networks
Abstract
Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access. This targeting and exploitation encompasses U.S. and allied networks, including national security and government-related systems.
April 14, 2021 - CISA
Threat Actors Targeting Cybersecurity Researchers
Abstract
Google and Microsoft recently published reports on advanced persistent threat (APT) actors targeting cybersecurity researchers. The APT actors are using fake social media profiles and legitimate-looking websites to lure security researchers into visiting malicious websites to steal information, including exploits and zero-day vulnerabilities. APT groups often use elaborate social engineering and spear phishing schemes to trick victims into running malicious code through malicious links and websites.
April 13, 2021 - Department of Justice
Justice Department Announces Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities
Abstract
WASHINGTON – The Justice Department today announced a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level e-mail service.
April 8, 2021 - CISA
Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
Abstract
This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. AA20-352A primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products.
April 6, 2021 - CISA
Malicious Cyber Activity Targeting Critical SAP Applications
Abstract
SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks. SAP applications help organizations manage critical business processes—such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management.
April 2, 2021 - FBI, CISA
APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks
Abstract
In March 2021, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) observed Advanced Persistent Threat (APT) actors scanning devices on ports 4443, 8443, and 10443 for CVE-2018-13379, and enumerating devices for CVE-2020-12812 and CVE-2019-5591. It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks. APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns.
March 31, 2021 - DOJ
Justice Department Warns About Fake Post-Vaccine Survey Scams
Abstract
The Department of Justice has received reports that fraudsters are creating fraudulent COVID-19 vaccine surveys for consumers to fill out with the promise of a prize or cash at the conclusion of the survey. In reality, the surveys are used to steal money from consumers and unlawfully capture consumers’ personal information.
March 31, 2021 - CISA
Citrix Releases Security Updates for Hypervisor
Abstract
Citrix has released security updates to address vulnerabilities in Hypervisor (formerly XenServer). An attacker could exploit some of these vulnerabilities to cause a denial-of-service condition.
March 31, 2021 - CISA
Mitigate Microsoft Exchange Server Vulnerabilities
Abstract
Cybersecurity and Infrastructure Security Agency (CISA) partners have observed active exploitation of vulnerabilities in Microsoft Exchange Server products. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. Microsoft released out-of-band patches to address vulnerabilities in Microsoft Exchange Server. The vulnerabilities impact on-premises Microsoft Exchange Servers and are not known to impact Exchange Online or Microsoft 365 (formerly O365) cloud email services.
March 23, 2021 - FBI
Mamba Ransomware Weaponizing DiskCryptor
Abstract
Mamba ransomware has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses. Mamba ransomware weaponizes DiskCryptor—an open source full disk encryption software—to restrict victim access by encrypting an entire drive, including the operating system. DiskCryptor is not inherently malicious but has been weaponized. Once encrypted, the system displays a ransom note including the actor’s email address, ransomware file name, the host system name, and a place to enter the decryption key. Victims are instructed to contact the actor’s email address to pay the ransom in exchange for the decryption key.
March 18, 2021 - CISA
Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
Abstract
This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:
March 17, 2021 - FBI
Business Email Compromise Actors Targeting State, Local, Tribal, and Territorial
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.
March 17, 2021 - CISA
TrickBot Malware
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.
March 16, 2021 - CISA
GE UR family
Abstract
GE reports the vulnerabilities affect the following UR family (B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, T60) of advanced protection and control relays:
March 16, 2021 - FBI
Increase in PYSA Ransomware Targeting Education Institutions
Abstract
FBI reporting has indicated a recent increase in PYSA ransomware targeting education institutions in 12 US states and the United Kingdom. PYSA, also known as Mespinoza, is a malware capable of exfiltrating data and encrypting users’ critical files and data stored on their systems. The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries. These actors use PYSA to exfiltrate data from victims prior to encrypting victims’ systems to use as leverage in eliciting ransom payments.
March 10, 2021 - FBI
FBI-CISA Joint Advisory on Compromise of Microsoft Exchange Server
Abstract
CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) to address recently disclosed vulnerabilities in Microsoft Exchange Server. CISA and FBI assess that adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack.
March 10, 2021 - CISA
F5 Security Advisory for RCE Vulnerabilities in BIG-IP, BIG-IQ
Abstract
F5 has released a security advisory to address remote code execution (RCE) vulnerabilities—CVE-2021-22986, CVE-2021-22987—impacting BIG-IP and BIG-IQ devices. An attacker could exploit these vulnerabilities to take control of an affected system.
March 10, 2021 - CISA
Microsoft Releases March 2021 Security Updates
Abstract
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.
March 09, 2021 - CISA
SAP Releases March 2021 Security Updates
Abstract
SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
March 09, 2021 - CISA
Adobe Releases Security Updates
Abstract
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
March 09, 2021 - CISA
Apple Releases Security Updates
Abstract
Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
March 09, 2021 - CISA
Guidance on Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
Abstract
Since December 2020, CISA has been responding to a significant cybersecurity incident involving an advanced persistent threat (APT) actor targeting networks of multiple U.S. government agencies, critical infrastructure entities, and private sector organizations. The APT actor added malicious code to multiple versions of the SolarWinds Orion platform and leveraged it—as well as other techniques, including—for initial access to enterprise networks. After gaining persistent, invasive access to select organizations’ enterprise networks, the APT actor targeted their federated identity solutions and their Active Directory/M365 environments. CISA has published two new resources on the follow-on activity from this compromise:
March 08, 2021 - CISA
CISA Strongly Urges All Organizations to Immediately Address Microsoft Exchange Vulnerabilities
Abstract
CISA has published a Remediating Microsoft Exchange Vulnerabilities web page that strongly urges all organizations to immediately address the recent Microsoft Exchange Server product vulnerabilities. As exploitation of these vulnerabilities is widespread and indiscriminate, CISA strongly advises organizations to follow the guidance laid out in the web page. The guidance provides specific steps for both leaders and IT security staff and is applicable for all sizes of organizations across all sectors.
March 06, 2021 - CISA
Microsoft IOC Detection Tool for Exchange Server Vulnerabilities
Abstract
Microsoft has released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021.
March 05, 2021 - CISA
Microsoft Releases Alternative Mitigations for Exchange Server Vulnerabilities
Abstract
Microsoft has released alternative mitigation techniques for Exchange Server customers who are not able to immediately apply updates that address vulnerabilities disclosed on March 2, 2021.
March 04, 2021 - CISA
Update to Alert on Mitigating Microsoft Exchange Server Vulnerabilities
Abstract
CISA is aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers and advises entities to investigate for signs of a compromise from at least September 1, 2020. CISA has updated the Alert on the Microsoft Exchange server vulnerabilities with additional detailed mitigations.
March 04, 2021 - NSA
Joint NSA and CISA Guidance on Strengthening Cyber Defense Through Protective DNS
Abstract
The National Security Agency (NSA) and CISA have released a Joint Cybersecurity Information (CSI) sheet with guidance on selecting a protective Domain Name System (PDNS) service as a key defense against malicious cyber activity. Protective DNS can greatly reduce the effectiveness of ransomware, phishing, botnet, and malware campaigns by blocking known-malicious domains. Additionally, organizations can use DNS query logs for incident response and threat hunting activities.
March 04, 2021 - CISA
Cisco Releases Security Updates
Abstract
Cisco has released security updates to address a vulnerability in multiple Cisco products. An attacker could exploit this vulnerability to cause a denial-of-service condition. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.
March 04, 2021 - CISA
VMware Releases Security Update
Abstract
VMware has released a security update to address a vulnerability in View Planner. An attacker could exploit this vulnerability to take control of an affected system.
March 03, 2021 - CISA
CISA Issues Emergency Directive and Alert on Microsoft Exchange Vulnerabilities
Abstract
CISA has issued Emergency Directive (ED) 21-02 and Alert AA21-062A addressing critical vulnerabilities in Microsoft Exchange products. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange servers, enabling them to gain persistent system access and control of an enterprise network.
March 3, 2021 - CISA
Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
Abstract
CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.
February 24, 2021 - CISA
Exploitation of Accellion File Transfer Appliance
Abstract
This joint advisory is the result of a collaborative effort by the cybersecurity authorities of Australia,[1] New Zealand,[2] Singapore,[3] the United Kingdom,[4] and the United States.[5][6] These authorities are aware of cyber actors exploiting vulnerabilities in Accellion File Transfer Appliance (FTA).[7] This activity has impacted organizations globally, including those in Australia, New Zealand, Singapore, the United Kingdom, and the United States.
February 18, 2021 - CISA
AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
Abstract
This joint advisory is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and provide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus Group—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.
February 17, 2021 - FBI
Telephony Denial of Service Attacks Can Disrupt Emergency Call Center Operations
Abstract
The Federal Bureau of Investigation is issuing this announcement to provide public steps to help mitigate the impact of Telephony Denial of Service (TDoS) attacks. TDoS attacks affect the availability and readiness of call centers.
February 11, 2021 - FBI
Compromise of U.S. Water Treatment Facility
Abstract
On February 5, 2021, unidentified cyber actors obtained unauthorized access to the supervisory control and data acquisition (SCADA) system at a U.S. drinking water treatment plant. The unidentified actors used the SCADA system’s software to increase the amount of sodium hydroxide, also known as lye, a caustic chemical, as part of the water treatment process. Water treatment plant personnel immediately noticed the change in dosing amounts and corrected the issue before the SCADA system’s software detected the manipulation and alarmed due to the unauthorized change. As a result, the water treatment process remained unaffected and continued to operate as normal. The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security and an outdated operating system. Early information indicates it is possible that desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system. Onsite response to the incident included the Pinellas County Sheriff’s Office (PCSO), U.S. Secret Service (USSS), and the Federal Bureau of Investigation (FBI).
February 04, 2021 - FBI
RANSOMWARE, What It Is & What To Do About It
Abstract
Ransomware is a type of malicious software, or malware, that encrypts data on a computer, making it unusable. A malicious cyber criminal holds the data hostage until the ransom is paid. If the ransom is not paid, the victim’s data remains unavailable. Cyber criminals may also pressure victims to pay the ransom by threatening to destroy the victim’s data or to release it to the public.
February 04, 2021 - FBI
The National Cyber Investigative Joint Task Force Releases Ransomware Fact Sheet
Abstract
The National Cyber Investigative Joint Task Force (NCIJTF) has released a new joint-seal ransomware fact sheet. This educational product is intended to provide the public important information on the current ransomware threat and the government’s response, as well as common infection vectors, tools for attack prevention, and important contacts in the event of a ransomware attack.
January 15, 2021 - NSA
Adopting Encrypted DNS in Enterprise Environments
Abstract
Use of the Internet relies on translating domain names (like “nsa.gov”) to Internet Protocol addresses. This is the job of the Domain Name System (DNS). In the past, DNS lookups were generally unencrypted, since they have to be handled by the network to direct traffic to the right locations. DNS over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), often referred to as DNS over HTTPS (DoH), encrypts DNS requests by using HTTPS to provide privacy, integrity, and “last mile” source authentication with a client’s DNS resolver. It is useful to prevent eavesdropping and manipulation of DNS traffic. While DoH can help protect the privacy of DNS requests and the integrity of responses, enterprises that use DoH will lose some of the control needed to govern DNS usage within their networks unless they allow only their chosen DoH resolver to be used. Enterprise DNS controls can prevent numerous threat techniques used by cyber threat actors for initial access, command and control, and exfiltration.
January 13, 2021 - CISA
Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors are using phishing and other vectors to exploit poor cyber hygiene practices within a victim’s cloud services configuration. The information in this report is derived exclusively from several CISA incident response engagements and provides the tactics, techniques, and procedures; indicators of compromise (IOCs) that CISA observed as part of these engagements; and recommended mitigations for organizations to strengthen their cloud environment configuration to protect against, detect, and respond to potential attacks.
January 14, 2021 - FBI
Cyber Criminals Exploit Network Access and Privilege Escalation
Abstract
Cyber criminals are focusing their operations to target employees of companies worldwide who maintain network access and an ability to escalate network privilege. During COVID-19 shelter-in-place and social distancing orders, many companies had to quickly adapt to changing environments and technology. With these restrictions, network access and privilege escalation may not be fully monitored. As more tools to automate services are implemented on companies’ networks, the ability to keep track of who has access to different points on the network, and what type of access they have, will become more difficult to regulate.
January 14, 2021 - CISA
Securing Web Browsers and Defending Against Malvertising for Federal Agencies
Abstract
Web browsers are the primary mechanism for user interaction with the internet. As such, their security is a constant concern due to the ease of exploitation and the ability of adversaries to interact directly with users. Common vulnerabilities associated with browsers include unsecure configurations, exposure to malicious websites and applications, and unsecure browsing habits due to poorly trained or unaware users.
January 08, 2021 - CISA
Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
Abstract
This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. AA20-352A primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products.
January 06, 2021 - FBI
Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data
Abstract
The FBI first observed Egregor ransomware in September 2020. To date, the threat actors behind this ransomware variant claim to have compromised over 150 victims worldwide. Once a victim company’s network is compromised, Egregor actors exfiltrate data and encrypt files on the network. The ransomware leaves a ransom note on machines instructing the victim to communicate with the threat actors via an online chat. Egregor actors often utilize the print function on victim machines to print ransom notes. The threat actors then demand a ransom payment for the return of exfiltrated files and decryption of the network. If the victim refuses to pay, Egregor publishes victim data to a public site.
January 05, 2021 - NSA
Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations