
CISA Cybersecurity Alerts

N2K Networks (thecyberwire.com)
Flash cybersecurity advisories from the US Government. These alerts provide timely technical and operational information, indicators of compromise, and mitigations for current major security threats, vulnerabilities, and exploits. These alerts have been edited and adapted for audio by N2K Networks as a public service.

Episodes

CISA Alert AA23-165A – Understanding Ransomware Threat Actors: LockBit.

CISA, FBI, the MS-ISAC, and international partners are releasing this Cybersecurity Advisory to detail LockBit ransomware incidents and provide recommended mitigations to enable network defenders to proactively improve their organization’s defenses against this ransomware operation. AA23-165A Alert, Technical Details, and Mitigations Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. See the Center for Internet Security (CIS)...

Jun 15, 2023 · 3 min · Season 2 · Ep. 52

CISA Alert AA23-158A – #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability.

FBI and CISA are releasing this joint CSA to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023. AA23-158A Alert, Technical Details, and Mitigations Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide . Zero-Day Vulnerability in MOVEit Tr...

Jun 09, 2023 · 3 min · Season 2 · Ep. 51

CISA Alert AA23-144A – People's Republic of China state-sponsored cyber actor living off the land to evade detection.

Cybersecurity authorities are issuing this joint Cybersecurity Advisory to highlight a recent cluster of activity associated with a People’s Republic of China state-sponsored cyber actor, also known as Volt Typhoon. AA23-144A Alert, Technical Details, and Mitigations Active Directory and domain controller hardening: Best Practices for Securing Active Directory | Microsoft Learn CISA regional cyber threats: China Cyber Threat Overview and Advisories Microsoft Threat Intelligence blog: Volt Typhoo...

May 25, 2023 · 3 min · Season 2 · Ep. 50

CISA Alert AA23-136A – #StopRansomware: BianLian Ransomware Group.

FBI, CISA, and the Australian Cyber Security Centre are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023. AA23-136A Alert, Technical Details, and Mitigations AA23-136A.STIX_.xml Stopransomware.gov , a whole-of-government approach with one central location for U.S. ransomware resources and alerts. cyber.gov.au for the Australian Government’s central location t...

May 18, 2023 · 3 min · Season 2 · Ep. 49

CISA Alert AA23-131A – Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG.

FBI and CISA are releasing this joint Cybersecurity Advisory in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF, software applications that help organizations manage printing services, and enables an unauthenticated actor to execute malicious code remotely without credentials. AA23-131A Alert, Technical Details, and Mitigations PaperCut: URGENT | PaperCut MF/NG vulnerability bulletin (March 2023) Huntress: Critic...

May 12, 2023 · 3 min · Season 2 · Ep. 48

CISA Alert AA23-129A – Hunting Russian intelligence “Snake” malware.

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service, or FSB, for long-term intelligence collection on sensitive targets. AA23-129A Alert, Technical Details, and Mitigations For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories ...

May 11, 2023 · 3 min · Season 2 · Ep. 47

CISA Alert AA23-108A – APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers.

The UK National Cyber Security Centre (NCSC), NSA, CISA, and FBI are releasing this joint advisory to provide TTPs associated with APT28’s exploitation of Cisco routers in 2021. AA23-108A Alert, Technical Details, and Mitigations Malware Analysis Report Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide . No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment . See CISA Insights M...

Apr 20, 2023 · 3 min · Season 2 · Ep. 46

CISA Alert AA23-075A – #StopRansomware: LockBit 3.0.

CISA, FBI, and the Multi-State Information Sharing and Analysis Center are releasing this joint advisory to share known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023. AA23-075A Alert, Technical Details, and Mitigations Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-I...

Mar 18, 2023 · 3 min · Season 2 · Ep. 45

CISA Alert AA23-074A – Threat actors exploit Progress Telerik vulnerability in U.S. government IIS server.

CISA, FBI, and the Multi-State Information Sharing and Analysis Center are releasing this joint Cybersecurity Advisory to provide IT infrastructure defenders with TTPs, IOCs, and methods to detect and protect against recent exploitation against Microsoft Internet Information Services web servers. AA23-074A Alert, Technical Details, and Mitigations AA23-074A STIX XML MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server Telerik: Exploiting .NET JavaScriptSerializer Deserialization...

Mar 16, 2023 · 3 min · Season 2 · Ep. 44

CISA Alert AA23-061A – #StopRansomware: Royal ransomware.

CISA and FBI are releasing this joint advisory to disseminate known Royal ransomware IOCs and TTPs identified through recent FBI threat response activities. AA23-061A Alert, Technical Details, and Mitigations AA23-061A STIX XML Royal Rumble: Analysis of Royal Ransomware (cybereason.com) DEV-0569 finds new ways to deliver Royal ransomware, various payloads - Microsoft Security Blog 2023-01: ACSC Ransomware Profile - Royal | Cyber.gov.au See Stopransomware.gov , a whole-of-government approach, for...

Mar 03, 2023 · 3 min · Season 2 · Ep. 43

CISA Alert AA23-059A – CISA red team shares key findings to improve monitoring and hardening of networks.

The Cybersecurity and Infrastructure Security Agency is releasing this Cybersecurity Advisory detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organization's cyber posture. AA23-059A Alert, Technical Details, and Mitigations No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment . See CISA Insights Mitigations and Hardening ...

Mar 03, 2023 · 3 min · Season 2 · Ep. 42

CISA Alert AA23-040A – #StopRansomware: ransomware attacks on critical infrastructure fund DPRK malicious cyber activities.

CISA, NSA, FBI, the US Department of Health and Human Services, the Republic of Korea National Intelligence Service, and the Republic of Korea Defense Security Agency are issuing this alert to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities. AA23-040A Alert, Technical Details, and Mitigations CISA’s North Korea Cyber Threat Overview and Advisories webpage. Stairwell provided a YARA rule to identify ...

Feb 10, 2023 · 3 min · Season 2 · Ep. 41

CISA Alert AA23-039A – ESXiArgs ransomware virtual machine recovery guidance.

CISA and the FBI are releasing this alert in response to the ongoing ransomware campaign, known as “ESXiArgs.” Malicious actors are exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. AA23-039A Alert, Technical Details, and Mitigations CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover VMware Security Response Center (vSR...

Feb 09, 2023 · 3 min · Season 2 · Ep. 40

CISA Alert AA23-025A – Protecting against malicious use of remote monitoring and management software

CISA, NSA, and the MS-ISAC are releasing this alert to warn network defenders about malicious use of legitimate remote monitoring and management software. AA23-025A Alert, Technical Details, and Mitigations For a downloadable copy of IOCs, see AA23-025.stix Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment . See CISA Insights Mitigatio...

Jan 26, 2023 · 3 min · Season 2 · Ep. 39

CISA Alert AA22-335A – #StopRansomware: Cuba Ransomware

The FBI and CISA are releasing this alert to disseminate known Cuba Ransomware Group indicators of compromise and TTPs identified through FBI investigations. FBI and CISA would like to thank BlackBerry, ESET, The National Cyber-Forensics and Training Alliance (NCFTA), and Palo Alto Networks for their contributions to this CSA. AA22-335A Alert, Technical Details, and Mitigations For a downloadable copy of IOCs, see AA22-335A.stix Stopransomware.gov is a whole-of-government approach that gives one...

Dec 07, 2022 · 3 min · Season 2 · Ep. 38

CISA Alert AA22-321A – #StopRansomware: Hive Ransomware.

The FBI, CISA, and the Department of Health and Human Services are releasing this alert to disseminate known Hive Ransomware Group indicators of compromise and TTPs identified through FBI investigations. AA22-321A Alert, Technical Details, and Mitigations Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomw...

Nov 18, 2022 · 3 min · Season 1 · Ep. 37

CISA Alert AA22-320A – Iranian government-sponsored APT actors compromise federal network, deploy crypto miner, credential harvester.

From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch organization where CISA observed suspected advanced persistent threat activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials, and then implanted Ngrok ...

Nov 16, 2022 · 3 min · Season 1 · Ep. 36

CISA Alert AA22-294A – #StopRansomware: Daixin Team.

FBI, CISA, and Department of Health and Human Services are releasing this joint advisory to provide information on the Daixin Team, a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health Sector. AA22-294A Alert, Technical Details, and Mitigations Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. Resource to mitigate a ransomware attack: CISA-Multi-State Information Sh...

Oct 24, 2022 · 3 min · Season 1 · Ep. 35

CISA Alert AA22-279A – Top CVEs actively exploited by People’s Republic of China state-sponsored cyber actors.

This joint Cybersecurity Advisory provides the top CVEs used by the People’s Republic of China state-sponsored cyber actors. PRC cyber actors continue to exploit these known vulnerabilities and use publicly available tools to target networks of interest. PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks. AA22-279A Alert, Technical Details, and Mitiga...

Oct 07, 2022 · 3 min · Season 1 · Ep. 34

CISA Alert AA22-277A – Impacket and exfiltration tool used to steal sensitive information from defense industrial base organization.

From November 2021 through January 2022, CISA responded to APT activity against a Defense Industrial Base organization’s enterprise network. During incident response activities, CISA discovered that multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltratio...

Oct 04, 2022 · 3 min · Season 1 · Ep. 33

CISA Alert AA22-265A – Control system defense: know the opponent.

This alert builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure. The alert documentation linked in the show notes describes TTPs that malicious actors use to compromise OT/ICS assets. It also recommends mitigations that owners and operators can use to defend their systems from each of the listed TTPs. NSA and CISA encourage OT and ICS owners and operators to apply the recommendations in this documentation. AA22-265A Alert, Technical Details, and Mitigati...

Sep 22, 2022 · 3 min · Season 1 · Ep. 32

CISA Alert AA22-264A – Iranian state actors conduct cyber operations against the government of Albania.

In July 2022, Iranian state cyber actors—identifying as “HomeLand Justice”—launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware. AA22-264A Alert, Technical Details, and Mitigations CI...

Sep 22, 2022 · 3 min · Season 1 · Ep. 31

CISA Alert AA22-257A – Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations.

This joint Cybersecurity Advisory highlights continued malicious cyber activity by advanced persistent threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. AA22-257A Alert, Technical Details, and Mitigations AA22-257A.stix CISA’s Iran Cyber Threat...

Sep 15, 2022 · 3 min · Season 1 · Ep. 30

CISA Alert AA22-249A – #StopRansomware: Vice Society.

CISA, the FBI, and the Multi-State Information Sharing and Analysis Center, or MS-ISAC, are releasing this advisory to disseminate indicators of compromise and TTPs associated with Vice Society actors and their ransomware campaigns. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks. AA22-249A Alert, Technical Details, and Mitigations Stopransomware.gov is a whole-of-government approach that gives on...

Sep 06, 2022 · 3 min · Season 1 · Ep. 29

CISA Alert AA22-228A – Threat actors exploiting multiple CVEs against Zimbra Collaboration suite.

CISA and the Multi-State Information Sharing & Analysis Center, or MS-ISAC are publishing this joint Cybersecurity Advisory in response to active exploitation of multiple Common Vulnerabilities and Exposures against Zimbra Collaboration Suite, an enterprise cloud-hosted collaboration software and email platform. AA22-228A Alert, Technical Details, and Mitigations Volexity’s Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 Hackers are actively exploiting password-stealing fla...

Aug 17, 2022 · 3 min · Season 1 · Ep. 28

CISA Alert AA22-223A – #StopRansomware: Zeppelin Ransomware.

Zeppelin ransomware functions as a ransomware-as-a-service (RaaS), and since 2019, actors have used this malware to target a wide range of businesses and critical infrastructure organizations. Actors use remote desktop protocol (RDP), SonicWall firewall vulnerabilities, and phishing campaigns to gain initial access to victim networks and then deploy Zeppelin ransomware to encrypt victims’ files. AA22-223A Alert, Technical Details, and Mitigations Zeppelin malware YARA signature What is Zeppelin ...

Aug 11, 2022 · 3 min · Season 1 · Ep. 27

CISA Alert AA22-216A – 2021 top malware strains.

This joint Cybersecurity Advisory was coauthored by CISA and the Australian Cyber Security Centre, or ACSC. This advisory provides details on the top malware strains observed in 2021. AA22-216A Alert, Technical Details, and Mitigations For alerts on malicious and criminal cyber activity, see the FBI Internet Crime Complaint Center webpage. For more information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov , a centralized, U.S. Government webpage pr...

Aug 04, 2022 · 3 min · Season 1 · Ep. 26

Update 1 to CISA Alert AA22-174A – Malicious cyber actors continue to exploit Log4Shell in VMware Horizon systems.

CISA and the US Coast Guard Cyber Command are releasing this joint Cybersecurity Advisory to warn network defenders that cyber threat actors, including state-sponsored APT actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations that did not apply available patches or workarounds. AA22-174A Alert, Technical Details, and Mitigations (Update July 18, 2022) Malware Analysis Report 10382580-2 stix Malw...

Jul 18, 2022 · 4 min · Season 1 · Ep. 25

CISA Alert AA22-187A – North Korean state-sponsored cyber actors use Maui ransomware to target the healthcare and public health sector.

The FBI, CISA, and the Department of the Treasury are releasing this joint Cybersecurity Advisory to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health Sector organizations. AA22-187A Alert, Technical Details, and Mitigations Stairwell Threat Report: Maui Ransomware North Korea Cyber Threat Overview and Advisories Updated Advisory on Potential Sanctions Risks for Facilitating Rans...

Jul 06, 2022 · 3 min · Season 1 · Ep. 24

CISA Alert AA22-181A – #StopRansomware: MedusaLocker.

CISA, the FBI, the Department of the Treasury, and the Financial Crimes Enforcement Network are releasing this alert to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol to access victims’ networks. AA22-181A Alert, Technical Details, and Mitigations Stop Ransomware CISA Ransomware Guide CISA No-cost Ransomware Services All organizations should report incidents and anomalous activ...

Jun 30, 2022 · 3 min · Season 1 · Ep. 23