CISA Releases Directive on Reducing the Significant Risk of Known Exploited Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries. The Directive establishes a CISA-managed catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.

CISA issued BOD 22-01 to drive federal agencies to mitigate actively exploited vulnerabilities on their networks, sending a clear message to all organizations across the country to focus patching on the subset of vulnerabilities that are causing harm now, and enable CISA to drive continuous prioritization of vulnerabilities based on our understanding of adversary activity. The Directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. With this Directive, CISA is imposing the first government-wide requirements to remediate vulnerabilities affecting both internet-facing and non-internet facing assets.

“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” said CISA Director Jen Easterly. “The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks. While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”

With over 18,000 vulnerabilities identified in 2020 alone, organizations in the public and private sector find it challenging to prioritize limited resources toward remediating the vulnerabilities that are most likely to result in a damaging intrusion. This Directive addresses this challenge by driving mitigations of those vulnerabilities that are being actively exploited to compromise federal agencies and American businesses, building upon existing methods widely used to prioritize vulnerabilities by many organizations today.

This Directive applies to federal civilian agencies however, CISA strongly recommends that private businesses and state, local, tribal and territorial (SLTT) governments prioritize mitigation of vulnerabilities listed in CISA’s public catalog and sign up to receive notifications when new vulnerabilities are added.

NSA, CISA, and FBI detail Chinese State-Sponsored Actions, Mitigations

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a Cybersecurity Advisory, Chinese State-Sponsored Cyber Operations: Observed TTPs. This advisory describes over 50 tactics, techniques, and procedures (TTPs) Chinese state-sponsored cyber actors used when targeting U.S. and allied networks, and details mitigations.
Chinese state-sponsored cyber activity poses a major threat to U.S. and allied systems. These actors aggressively target political, economic, military, educational, and critical infrastructure personnel and organizations to access valuable, sensitive data. These cyber operations support China’s long-term economic and military objectives.
One significant tactic detailed in the advisory includes the exploitation of public vulnerabilities within days of their public disclosure, often in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. This advisory provides specific mitigations for detailed tactics and techniques aligned to the recently released, NSA-funded MITRE D3FEND framework.
General mitigations outlined include: prompt patching; enhanced monitoring of network traffic, email, and endpoint systems; and the use of protection capabilities, such as an antivirus and strong authentication, to stop malicious activity.

Microsoft update on brute force and password spraying activity

The NCSC has issued advice to organisations following an update from Microsoft on malicious cyber campaigns.
Microsoft has revealed that it had identified new activity from an Advanced Persistent Threat (APT) known as NOBELIUM targeting organisations globally.
The Microsoft Threat Intelligence Center says that this activity was mostly unsuccessful.
The NCSC has observed an increase in activity as part of malicious email and password spraying campaigns against a limited number of UK organisations. We are supporting those affected and would urge all organisations to familiarise themselves with our guidance on mitigating phishing attacks, including how to block phishing emails and how to implement two-factor/multi-factor authentication:
- Phishing attacks: defending your organisation
- Multi-factor authentication for online services
- Identity and access management (part of the 10 steps to cyber security collection)
- Home working: preparing your organisation and staff
The following blog posts from Microsoft provide further details, including IoCs, detection and mitigation advice:
- New Nobelium activity – Microsoft Security Response Center
- Investigating and Mitigating Malicious Drivers – Microsoft Security Response Center
- Nobelium Resource Center – updated March 4, 2021 – Microsoft Security Response Center

CISA Publish Rising Ransomware Threat to Operational Technology Assets Fact Sheet

CISA has published Rising Ransomware Threat to Operational Technology Assets, a fact sheet for critical infrastructure owners and operators detailing the rising threat of ransomware to operational technology (OT) assets and control systems. The document includes several recommended actions and resources that critical infrastructure entities should implement to reduce the risk of this threat.
The guidance:
- Provides steps to prepare for, mitigate against, and respond to attacks;
- Details how the dependencies between an entity’s IT and OT systems can provide a path for attackers; and
- explains how to reduce the risk of severe business degradation if affected by ransomware
Given the importance of critical infrastructure to national security and America’s way of life, CISA published this fact sheet to help organizations build effective resilience.

Italy announced the creation of the national cybersecurity agency

The Italian government has announced the creation of a new agency focused on cybersecurity. Prime Minister Mario Draghi provided its strong commitment to the creation of the agency that is tasked to protect the country and its critical national infrastructure from cyber threats.
The creation of the agency follows warnings by Prime Minister Mario Draghi that Europe needed to protect itself from Russian "interference". The announcements comes after a slew of ransomware attacks in recent months, with recent high profile examples including Colonial Pipeline and JBS.
It will need to "protect national interests and the resilience of services and essential functions of the State from cyber threats," a government statement said. Speaking in Brussels, following a European Union summit, Draghi said urgent action was needed.
"We need to strengthen ourselves a lot, especially in terms of cybersecurity, all of us, at national level and at EU level... because the level of [Russian] interference both with spies and with manipulation of the web has become truly alarming," he said.
The new Italian cybersecurity agency will develop and implement cyber strategies to prevent, monitor, detect and mitigate cyber attacks, and increase the level of cyber security of the country’ infrastructures.

FS-ISAC Report Finds Cybercriminals and Nation-State Actors Converging, Increasing Cross-Border and Supply Chain Attacks

FS-ISAC, the only global cyber intelligence sharing community solely focused on financial services, announced today the findings of its latest report, which found that wittingly or otherwise, nation-states and cyber criminals are leveraging each other’s tools and tactics, leading to an increase in cross-border attacks targeting financial services suppliers.
The pandemic has accelerated digitization, connectivity, and the sector’s interdependence, as demonstrated by recent supply chain incidents. Increasingly, the financial sector needs a trusted conduit of real-time cyber information between institutions and third-parties.
"FS-ISAC was the logical host for us to brief the financial services sector to reach a critical mass of institutions around the world all at once," said Jonathan Yaron, CEO of Accellion. "This way, we could ensure that the industry received critical and correct information via a trusted source, enabling it to act quickly to mitigate the impact of the incident."
“Organizations properly practicing defense-in-depth with multi-layered controls are still vulnerable to large-scale and even systemic issues through third party suppliers,” said J.R. Manes, Global Head of Cyber Intelligence at HSBC. “The FS-ISAC community provides its members the visibility into emerging threats that could impact customers and business, even when they are not directly exposed. Ensuring and encouraging the sharing of cyber threat intelligence is a vital part of the defense of not only the financial sector, but the whole business ecosystem that runs on top of the Internet.”
FS-ISAC’s report outlines today’s top threats:
- Convergence of nation-states and cyber criminals: Nation-state actors are leveraging the skills and tools of cyber criminals, either knowingly or not, to enhance their own capabilities.
- Third-party risk on an upward trend: Suppliers to financial firms will continue to be lucrative targets for threat actors, as shown by three highly visible incidents in the last two quarters.
- Cross-border attacks will increase: Cyber criminals test their attack in one country before hitting multiple continents and sub-verticals, as shown by a DDoS extortion campaign targeting ~100 financial institutions in months.
“Trying to outpace evolving cyber threats diverts resources from a financial firm’s core business,” said Steve Silberstein, FS-ISAC CEO. “As the global fincyber utility, FS-ISAC enables industry-wide cross-border sharing to pool resources, expertise, and capabilities to manage cyber risks and incident response.”
Report Methodology
The Navigating Cyber 2021 report is derived from FS-ISAC’s rigorous threat intelligence monitoring maintained by its intelligence operations team. The intelligence is sourced from FS-ISAC's thousands of member financial firms in more than 70 countries and further augmented by analysis by the Global Intelligence Office. Multiple streams of intelligence were leveraged for the curation of the round-up, which examined data across a one year period from January 2020 to January 2021.

CISA releases new 5G paper with NSAcyber and ODNIgov: Potential Threat Vectors to 5G Infrastructure

Securing Critical Infrastructure operations means ensuring cybersecurity practices are incorporated within 5G.
The deployment of 5G has begun, and with it, a wealth of benefits that has the potential to impact every aspect of our lives and work. With faster connectivity, ultra-low latency, greater network capacity, 5G will redefine the operations of critical infrastructure activities from the plant floor to the cloud. It will enable large-scale connections, capabilities, and services that can pave the way for smart cities, remote surgery, autonomous vehicles, and other emergent technologies. However, these capabilities also make 5G networks an attractive target for criminals and foreign adversaries to exploit for valuable information and intelligence and even global disruption.
To secure the full scope of 5G use cases, it is critical that strong cybersecurity practices are incorporated within the design and development of 5G technology. In March 2020, the White House developed the National Strategy to Secure 5G, which outlines how the Nation will safeguard 5G infrastructure domestically and abroad. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and the Office of the Director of National Intelligence, as part of the Enduring Security Framework (ESF)—a cross-sector, public-private working group—initiated an assessment of the cybersecurity and vulnerabilities to 5G infrastructure. The ESF established the 5G Threat Model Working Panel which developed this paper, Potential Threat Vectors to 5G Infrastructure, to enhance understanding of the threats posed to 5G adoption.
The Working Panel reviewed existing bodies of public and private research and analysis to identify and generate an aggregated list of known and potential threats to the 5G environment. From that list, they identified three primary threat vectors areas—Policy and Standards, Supply Chain, and 5G Systems Architecture—and within these threat vectors, 11 sub-threats were identified as additional points of vulnerability for threat actors to exploit (i.e., open standards, counterfeit parts, and multi-access edge computing). This paper represents the beginning of the Working Panel’s thinking on the types of risks introduced by 5G adoption in the Unites States, and not the culmination of it.
With the promise of connectivity between billions of Internet of Things (IoT) devices, it is critical that government and industry collaborate to ensure that cybersecurity is prioritized within the design and development of 5G technology.
https://www.cisa.gov/publication/5g-potential-threat-vectors

NCCoE Releases Draft Guide on Securing the Industrial Internet of Things

Example Solution Addresses Cybersecurity Challenges for Distributed Energy Resources
The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has published for comment a preliminary draft of NIST SP 1800-32, Securing the Industrial Internet of Things: Cybersecurity for Distributed Energy Resources.
In this practice guide, the NCCoE applies standards, best practices, and commercially available technology to protect the digital communication, data, and control of cyber-physical grid-edge devices. The guide demonstrates an example solution for monitoring and detecting anomalous behavior of connected industrial internet of things (IIoT) devices and building a comprehensive audit trail of trusted IIoT data flows.
By releasing Volumes A and B as a preliminary draft, we are sharing our progress made to date, using the feedback received to shape future drafts of the practice guide, and featuring technologies and practices that organizations can use to monitor, trust, and protect information exchanges between commercial- and utility-scale distributed energy resources (DERs).
Addressing Emerging Cybersecurity Concerns of DERs
The use of small-scale DERs, such as wind and solar photovoltaics, are growing rapidly and transforming the power grid. In fact, a distribution utility may need to remotely communicate with thousands of DERs and other grid-edge devices—many of which are not owned by them. Any attack that can deny, disrupt, or tamper with DER communications could prevent a utility from performing necessary control actions and could diminish grid resiliency—a concern that was highlighted in a recent United States General Accounting Office report, Electricity Grid Cybersecurity.
This NCCoE practice guide aims to help companies provide secure access to DERs and monitor and trust the ever-growing amount of data coming from them.

FS-ISAC Leads Financial Sector in World’s Largest International Live-Fire Cyber Exercise

FS-ISAC, the only global cyber intelligence sharing community solely focused on financial services, announced its leadership role in devising the financial sector’s scenario during this year’s NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) Exercise Locked Shields.
Locked Shields simulated a series of realistic and sophisticated cyber attack scenarios using cutting-edge technologies, complex networks, and diverse attack methods to test the countries’ ability to protect vital services and critical infrastructure.
This year the exercise strategic track scenario included a large-scale disruption across multiple aspects of the financial services sector. To do this, FS-ISAC convened a Scenario Expert Planning Group comprised of its members including the Bank for International Settlements (BIS) Cyber Resilience Coordination Centre (CRCC), Mastercard, NatWest Group, and SWITCH-CERT among others.
“Given the cross-border nature of today’s cyber threats, exercises like Locked Shields are critical tools in preparing the global financial services industry to better defend against increasingly sophisticated threat actors,” said Teresa Walsh, Global Head of Intelligence of FS-ISAC. “To strengthen the financial sector’s resiliency, FS-ISAC has facilitated cyber exercises for more than ten years. This is a natural extension of our role in helping protect the global financial system.”
A key focus of the exercise strategic track is the cyber dependencies of the financial services industry and how they relate to government and critical infrastructure. The exercise will also examine and account for the new realities brought about by the pandemic, such as the greater security vulnerabilities caused by accelerated digitization and remote work.
“Large-scale exercises like Locked Shields provide both the public and private sectors an opportunity to pressure test response capabilities across borders,” said Ron Green, Chief Security Officer, Mastercard. “Moving with speed and purpose are crucial during an actual incident and everyone involved will gain from the enhanced collaboration and information sharing.”
“Locked Shields continually strives to address the most pressing needs of our nations by emulating current challenges faced by leaders in the cyber domain. Partnerships, such as with FS ISAC, allows us to present current real-world challenges to national leadership. The exercise tests the ability of nations to address a massive cyber attack from internal government cooperation to what mechanisms can be used for coordination and information sharing with the private sector and international partners,” said Colonel Jaak Tarien, Director of the CCDCOE, a NATO-affiliated cyber defence hub that has organized this Exercise every year since 2010.

Security updates released for Microsoft Exchange Servers

The National Cyber Security Centre (NCSC) is encouraging organisations to install critical updates following a number of vulnerabilities being addressed in Microsoft Exchange.
As part of Microsoft's scheduled April update cycle, a number of critical severity vulnerabilities were addressed in Microsoft Exchange. We have no information to suggest that these vulnerabilities are being used in active exploitation. However, given the recent focus on Exchange, we recommend the installation of updates as soon as practicable, as attackers may seek to build exploit capability which could be used against systems before the updates are applied.
The vulnerabilities affect Microsoft Exchange Server. The affected versions are:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
Organisations running an out-of-support version of Microsoft Exchange should update to a supported version without delay.
Exchange Online customers are already protected.
Recommendation
The NCSC recommends following vendor best practice advice in the mitigation of vulnerabilities. In this case, the most important aspect is to install the latest security updates immediately. The April 2021 security update fixes a number of security vulnerabilities and more information can be found on Microsoft's website.
1 2