Security Feeds Archives - Page 71 of 133

Foreign Threat Actor Conducting Large-Scale Spear-Phishing Campaign with RDP Attachments

Posted on 31 October 2024 by

CISA has received multiple reports of a large-scale spear-phishing campaign targeting organizations in several sectors, including government and information technology (IT). The foreign threat actor, often posing as a trusted entity, is sending spear-phishing emails containing malicious remote desktop protocol (RDP) files to targeted organizations to connect to and access files stored on the target’s network. Once access has been gained, the threat actor may pursue additional activity, such as deploying malicious code to achieve persistent access to the target’s network.
CISA, government, and industry partners are coordinating, responding, and assessing the impact of this campaign. CISA urges organizations to take proactive measures:

Restrict Outbound RDP Connections:

It is strongly advised that organizations forbid or significantly restrict outbound RDP connections to external or public networks. This measure is crucial for minimizing exposure to potential cyber threats.
Implement a Firewall along with secure policies and access control lists.

Block RDP Files in Communication Platforms:

Organizations should prohibit RDP files from being transmitted through email clients and webmail services. This step helps prevent the accidental execution of malicious RDP configurations.

Prevent Execution of RDP Files:

Implement controls to block the execution of RDP files by users. This precaution is vital in reducing the risk of exploitation.

Enable Multi-Factor Authentication (MFA):

Multi-factor authentication must be enabled wherever feasible to provide an essential layer of security for remote access.
Avoid SMS MFA whenever possible.

Adopt Phishing-Resistant Authentication Methods:

Organizations are encouraged to deploy phishing-resistant authentication solutions, such as FIDO tokens. It is important to avoid SMS-based MFA, as it can be vulnerable to SIM-jacking attacks.

Implement Conditional Access Policies:

Establish Conditional Access Authentication Strength to mandate the use of phishing-resistant authentication methods. This ensures that only authorized users can access sensitive systems.

Deploy Endpoint Detection and Response (EDR):

Organizations should implement Endpoint Detection and Response (EDR) solutions to continuously monitor for and respond to suspicious activities within the network.

Consider Additional Security Solutions:

In conjunction with EDR, organizations should evaluate the deployment of antiphishing and antivirus solutions to bolster their defenses against emerging threats.

Conduct User Education:

Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails.
Recognize and Report Phishing: Avoid phishing with these simple tips.

Hunt For Activity Using Referenced Indicators and TTPs:

Utilize all indicators that are released in relevant articles and reporting to search for possible malicious activity within your organization’s network.
Search for unexpected and/or unauthorized outbound RDP connections within the last year.

CISA urges users and administrators to remain vigilant against spear-phishing attempts, hunt for any malicious activity, report positive findings to CISA, and review the following articles for more information:

Microsoft: Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
AWS Security: Amazon identified internet domains abused by APT29
The Centre for Cybersecurity Belgium: Warning: Government-themed Phishing with RDP Attachments
Computer Emergency Response Team of Ukraine: RDP configuration files as a means of obtaining remote access to a computer or “Rogue RDP”

CISA has received multiple reports of a large-scale spear-phishing campaign targeting organizations in several sectors, including government and information technology (IT). The foreign threat actor, often posing as a trusted entity, is sending spear-phishing emails containing malicious remote desktop protocol (RDP) files to targeted organizations to connect to and access files stored on the target’s network. Once access has been gained, the threat actor may pursue additional activity, such as deploying malicious code to achieve persistent access to the target’s network.

CISA, government, and industry partners are coordinating, responding, and assessing the impact of this campaign. CISA urges organizations to take proactive measures:

Restrict Outbound RDP Connections:
- It is strongly advised that organizations forbid or significantly restrict outbound RDP connections to external or public networks. This measure is crucial for minimizing exposure to potential cyber threats.
- Implement a Firewall along with secure policies and access control lists.
Block RDP Files in Communication Platforms:
- Organizations should prohibit RDP files from being transmitted through email clients and webmail services. This step helps prevent the accidental execution of malicious RDP configurations.
Prevent Execution of RDP Files:
- Implement controls to block the execution of RDP files by users. This precaution is vital in reducing the risk of exploitation.
Enable Multi-Factor Authentication (MFA):
- Multi-factor authentication must be enabled wherever feasible to provide an essential layer of security for remote access.
- Avoid SMS MFA whenever possible.
Adopt Phishing-Resistant Authentication Methods:
- Organizations are encouraged to deploy phishing-resistant authentication solutions, such as FIDO tokens. It is important to avoid SMS-based MFA, as it can be vulnerable to SIM-jacking attacks.
Implement Conditional Access Policies:
- Establish Conditional Access Authentication Strength to mandate the use of phishing-resistant authentication methods. This ensures that only authorized users can access sensitive systems.
Deploy Endpoint Detection and Response (EDR):
- Organizations should implement Endpoint Detection and Response (EDR) solutions to continuously monitor for and respond to suspicious activities within the network.
Consider Additional Security Solutions:
- In conjunction with EDR, organizations should evaluate the deployment of antiphishing and antivirus solutions to bolster their defenses against emerging threats.
Conduct User Education:
- Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails.
- Recognize and Report Phishing: Avoid phishing with these simple tips.
Hunt For Activity Using Referenced Indicators and TTPs:
- Utilize all indicators that are released in relevant articles and reporting to search for possible malicious activity within your organization’s network.
- Search for unexpected and/or unauthorized outbound RDP connections within the last year.

CISA urges users and administrators to remain vigilant against spear-phishing attempts, hunt for any malicious activity, report positive findings to CISA, and review the following articles for more information:

Microsoft: Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
AWS Security: Amazon identified internet domains abused by APT29
The Centre for Cybersecurity Belgium: Warning: Government-themed Phishing with RDP Attachments
Computer Emergency Response Team of Ukraine: RDP configuration files as a means of obtaining remote access to a computer or “Rogue RDP”

Rockwell Automation FactoryTalk ThinManager

Posted on 31 October 2024 by

View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk ThinManager
Vulnerabilities: Missing Authentication For Critical Function, Out-of-Bounds Read

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to send crafted messages to the device resulting in database manipulation or a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Rockwell Automation FactoryTalk product versions are affected:

ThinManager: Versions 11.2.0 to 11.2.9
ThinManager: Versions 12.0.0 to 12.0.7
ThinManager: Versions 12.1.0 to 12.1.8
ThinManager: Versions 13.0.0 to 13.0.5
ThinManager: Versions 13.1.0 to 13.1.3
ThinManager: Versions 13.2.0 to 13.2.2
ThinManager: Version 14.0.0

3.2 Vulnerability Overview
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
An authentication vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in database manipulation.
CVE-2024-10386 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-10386. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 OUT-OF-BOUNDS READ CWE-125
A denial-of-service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, resulting in a denial-of-service condition.
CVE-2024-10387 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-10387. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Tenable Network Security reported these vulnerabilities to Rockwell Automation.
4. MITIGATIONS
Rockwell Automation has provided a fix for the affected versions on the FactoryTalk ThinManager download site.
Rockwell Automation encourages users of the affected software to apply these risk mitigations if possible.

Implement network hardening for ThinManager Device(s) by limiting communications to TCP 2031 to only the devices that need connection to the ThinManager.
For information on how to mitigate security risks on industrial automation control systems, users are encouraged to implement Rockwell Automation’s suggested security best practices to minimize the risk of the vulnerability.

For more information, see Rockwell Automation’s security bulletin.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

October 31, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk ThinManager
Vulnerabilities: Missing Authentication For Critical Function, Out-of-Bounds Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to send crafted messages to the device resulting in database manipulation or a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation FactoryTalk product versions are affected:

ThinManager: Versions 11.2.0 to 11.2.9
ThinManager: Versions 12.0.0 to 12.0.7
ThinManager: Versions 12.1.0 to 12.1.8
ThinManager: Versions 13.0.0 to 13.0.5
ThinManager: Versions 13.1.0 to 13.1.3
ThinManager: Versions 13.2.0 to 13.2.2
ThinManager: Version 14.0.0

3.2 Vulnerability Overview

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

An authentication vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in database manipulation.

CVE-2024-10386 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-10386. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS READ CWE-125

A denial-of-service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, resulting in a denial-of-service condition.

CVE-2024-10387 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-10387. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Tenable Network Security reported these vulnerabilities to Rockwell Automation.

4. MITIGATIONS

Rockwell Automation has provided a fix for the affected versions on the FactoryTalk ThinManager download site.

Rockwell Automation encourages users of the affected software to apply these risk mitigations if possible.

Implement network hardening for ThinManager Device(s) by limiting communications to TCP 2031 to only the devices that need connection to the ThinManager.
For information on how to mitigate security risks on industrial automation control systems, users are encouraged to implement Rockwell Automation’s suggested security best practices to minimize the risk of the vulnerability.

For more information, see Rockwell Automation’s security bulletin.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 31, 2024: Initial Publication

CISA Releases Four Industrial Control Systems Advisories

Posted on 31 October 2024 by

CISA released four Industrial Control Systems (ICS) advisories on October 31, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-305-01 Rockwell Automation FactoryTalk ThinManager
ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products (Update A)
ICSA-24-135-04 Mitsubishi Electric Multiple FA Engineering Software Products (Update A)
ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update B)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA released four Industrial Control Systems (ICS) advisories on October 31, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-305-01 Rockwell Automation FactoryTalk ThinManager
ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products (Update A)
ICSA-24-135-04 Mitsubishi Electric Multiple FA Engineering Software Products (Update A)
ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update B)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Fortinet Updates Guidance and Indicators of Compromise following FortiManager Vulnerability Exploitation

Posted on 30 October 2024 by

Fortinet has updated their security advisory addressing a critical FortiManager vulnerability (CVE-2024-47575) to include additional workarounds and indicators of compromise (IOCs). A remote, unauthenticated cyber threat actor could exploit this vulnerability to gain access to sensitive files or take control of an affected system. At this time, all patches have been released.
CISA previously added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, as confirmed by Fortinet.
CISA strongly encourages users and administrators to apply the necessary updates, hunt for any malicious activity, assess potential risk from service providers, report positive findings to CISA, and review the following articles for additional information:

Fortinet Advisory FG-IR-24-423,
CISA alert on the Fortinet FortiManager Missing Authentication Vulnerability,
Google Threat Intelligence article Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575).

Fortinet has updated their security advisory addressing a critical FortiManager vulnerability (CVE-2024-47575) to include additional workarounds and indicators of compromise (IOCs). A remote, unauthenticated cyber threat actor could exploit this vulnerability to gain access to sensitive files or take control of an affected system. At this time, all patches have been released.

CISA previously added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, as confirmed by Fortinet.

CISA strongly encourages users and administrators to apply the necessary updates, hunt for any malicious activity, assess potential risk from service providers, report positive findings to CISA, and review the following articles for additional information:

Fortinet Advisory FG-IR-24-423,
CISA alert on the Fortinet FortiManager Missing Authentication Vulnerability,
Google Threat Intelligence article Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575).

Change Healthcare Breach Hits 100M Americans

Posted on 30 October 2024 by

Change Healthcare says it has notified approximately 100 million Americans that their personal, financial and healthcare records may have been stolen in a February 2024 ransomware attack that caused the largest ever known data breach of protected health information.

Change Healthcare says it has notified approximately 100 million Americans that their personal, financial and healthcare records may have been stolen in a February 2024 ransomware attack that caused the largest ever known data breach of protected health information.

Image: Tamer Tuncay, Shutterstock.com.

A ransomware attack at Change Healthcare in the third week of February quickly spawned disruptions across the U.S. healthcare system that reverberated for months, thanks to the company’s central role in processing payments and prescriptions on behalf of thousands of organizations.

In April, Change estimated the breach would affect a “substantial proportion of people in America.” On Oct 22, the healthcare giant notified the U.S. Department of Health and Human Resources (HHS) that “approximately 100 million notices have been sent regarding this breach.”

A notification letter from Change Healthcare said the breach involved the theft of:

-Health Data: Medical record #s, doctors, diagnoses, medicines, test results, images, care and treatment;
-Billing Records: Records including payment cards, financial and banking records;
-Personal Data: Social Security number; driver’s license or state ID number;
-Insurance Data: Health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.

The HIPAA Journal reports that in the nine months ending on September 30, 2024, Change’s parent firm United Health Group had incurred $1.521 billion in direct breach response costs, and $2.457 billion in total cyberattack impacts.

Those costs include $22 million the company admitted to paying their extortionists — a ransomware group known as BlackCat and ALPHV — in exchange for a promise to destroy the stolen healthcare data.

That ransom payment went sideways when the affiliate who gave BlackCat access to Change’s network said the crime gang had cheated them out of their share of the ransom. The entire BlackCat ransomware operation shut down after that, absconding with all of the money still owed to affiliates who were hired to install their ransomware.

A breach notification from Change Healthcare.

A few days after BlackCat imploded, the same stolen healthcare data was offered for sale by a competing ransomware affiliate group called RansomHub.

“Affected insurance providers can contact us to prevent leaking of their own data and [remove it] from the sale,” RansomHub’s victim shaming blog announced on April 16. “Change Health and United Health processing of sensitive data for all of these companies is just something unbelievable. For most US individuals out there doubting us, we probably have your personal data.”

It remains unclear if RansomHub ever sold the stolen healthcare data. The chief information security officer for a large academic healthcare system affected by the breach told KrebsOnSecurity they participated in a call with the FBI and were told a third party partner managed to recover at least four terabytes of data that was exfiltrated from Change by the cybercriminal group. The FBI did not respond to a request for comment.

Change Healthcare’s breach notification letter offers recipients two years of credit monitoring and identity theft protection services from a company called IDX. In the section of the missive titled “Why did this happen?,” Change shared only that “a cybercriminal accessed our computer system without our permission.”

But in June 2024 testimony to the Senate Finance Committee, it emerged that the intruders had stolen or purchased credentials for a Citrix portal used for remote access, and that no multi-factor authentication was required for that account.

Last month, Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) introduced a bill that would require HHS to develop and enforce a set of tough minimum cybersecurity standards for healthcare providers, health plans, clearinghouses and businesses associates. The measure also would remove the existing cap on fines under the Health Insurance Portability and Accountability Act, which severely limits the financial penalties HHS can issue against providers.

According to the HIPAA Journal, the biggest penalty imposed to date for a HIPPA violation was the paltry $16 million fine against the insurer Anthem Inc., which suffered a data breach in 2015 affecting 78.8 million individuals. Anthem reported revenues of around $80 billion in 2015.

A post about the Change breach from RansomHub on April 8, 2024. Image: Darkbeast, ke-la.com.

There is little that victims of this breach can do about the compromise of their healthcare records. However, because the data exposed includes more than enough information for identity thieves to do their thing, it would be prudent to place a security freeze on your credit file and on that of your family members if you haven’t already.

The best mechanism for preventing identity thieves from creating new accounts in your name is to freeze your credit file with Equifax, Experian, and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file. Parents and guardians can now also freeze the credit files for their children or dependents.

Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stymie all sorts of ID theft shenanigans. Having a freeze in place does nothing to prevent you from using existing lines of credit you may already have, such as credit cards, mortgage and bank accounts. When and if you ever do need to allow access to your credit file — such as when applying for a loan or new credit card — you will need to lift or temporarily thaw the freeze in advance with one or more of the bureaus.

All three bureaus allow users to place a freeze electronically after creating an account, but all of them try to steer consumers away from enacting a freeze. Instead, the bureaus are hoping consumers will opt for their confusingly named “credit lock” services, which accomplish the same result but allow the bureaus to continue selling access to your file to select partners.

If you haven’t done so in a while, now would be an excellent time to review your credit file for any mischief or errors. By law, everyone is entitled to one free credit report every 12 months from each of the three credit reporting agencies. But the Federal Trade Commission notes that the big three bureaus have permanently extended a program enacted in 2020 that lets you check your credit report at each of the agencies once a week for free.

JCDC’s Industry-Government Collaboration Speeds Mitigation of CrowdStrike IT Outage

Posted on 29 October 2024 by

CISA, through the Joint Cyber Defense Collaborative (JCDC), enabled swift, coordinated response and information sharing in the wake of a significant IT outage caused by a CrowdStrike software update. This outage, which impacted government, critical infrastructure, and industry across the globe, led to disruptions in essential services, including air travel, healthcare, and financial operations.
Leveraging its unique ability to bring together public and private sector partners, JCDC facilitated virtual engagements with over 1,000 federal agency representatives. In close collaboration with CrowdStrike, a JCDC partner, CISA provided critical updates, mitigation guidance, and analysis on the potential for malicious exploitation of the outage. This rapid coordination enabled key information to be quickly disseminated across federal networks, helping to expedite mitigation and protect U.S. government systems.
This successful response underscores JCDC’s essential role in uniting industry and government partners to address cyber challenges that could impact national security and resilience. For more information about JCDC’s collaborative efforts, visit the JCDC Success Stories webpage and CISA.gov/JCDC.

CISA, through the Joint Cyber Defense Collaborative (JCDC), enabled swift, coordinated response and information sharing in the wake of a significant IT outage caused by a CrowdStrike software update. This outage, which impacted government, critical infrastructure, and industry across the globe, led to disruptions in essential services, including air travel, healthcare, and financial operations.

Leveraging its unique ability to bring together public and private sector partners, JCDC facilitated virtual engagements with over 1,000 federal agency representatives. In close collaboration with CrowdStrike, a JCDC partner, CISA provided critical updates, mitigation guidance, and analysis on the potential for malicious exploitation of the outage. This rapid coordination enabled key information to be quickly disseminated across federal networks, helping to expedite mitigation and protect U.S. government systems.

This successful response underscores JCDC’s essential role in uniting industry and government partners to address cyber challenges that could impact national security and resilience. For more information about JCDC’s collaborative efforts, visit the JCDC Success Stories webpage and CISA.gov/JCDC.

Apple Releases Security Updates for Multiple Products

Posted on 29 October 2024 by

Apple released security updates to address vulnerabilities in multiple Apple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the following advisories and apply necessary updates:

iOS 18.1 and iPadOS 18.1

iOS 17.7.1 and iPadOS 17.7.1

macOS Sequoia 15.1

macOS Sonoma 14.7.1

macOS Ventura 13.7.1

watchOS 11.1

tvOS 18.1

visionOS 2.1

Apple released security updates to address vulnerabilities in multiple Apple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the following advisories and apply necessary updates:

iOS 18.1 and iPadOS 18.1

iOS 17.7.1 and iPadOS 17.7.1

Solar-Log Base 15

Posted on 29 October 2024 by

View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 5.1
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Solar-Log
Equipment: Base 15
Vulnerability: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

2. RISK EVALUATION
Successful exploitation of this vulnerability could result in an attacker obtaining unauthorized access.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Solar-Log Base 15 are affected:

Base 15: Firmware 6.0.1 Build 161

3.2 Vulnerability Overview
The affected product is vulnerable to a cross-site scripting attack, which may allow an attacker to bypass access controls and gain unauthorized access.
CVE-2023-46344 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2023-46344. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Multiple
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
CISA discovered a public proof of concept (PoC) as authored by Vincent McRae and Mesut Cetin of Redteamer IT Security and reported it to Solar-Log.
4. MITIGATIONS
Solar-Log has released the following versions for users to download:

Base 15: Firmware 6.2.0-170

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

October 29, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 5.1
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Solar-Log
Equipment: Base 15
Vulnerability: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker obtaining unauthorized access.