FBI TLP Alert / en Sat, 26 Apr 2025 13:34:39 -0500 Fri, 03 May 24 14:36:59 -0500 TLP Green The EU Critical Medicines Alliance and Its Impacts on EU Pharma <div class="container row"><div class="row"><div class="col-md-8"><p>While not new, recent pandemics such as COVID-19 and geopolitical fluctuations have highlighted the risk shortages pose to the EU healthcare sector.</p><p>View the entire report below.</p></div><div class="col-md-4"><div><p><strong>For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:</strong></p><h3><a href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf">John Riggi</a></h3><h4>National Advisor for Cybersecurity and Risk, AHA</h4><h4><a href="mailto:jriggi@aha.org?subject=Cybersecurity and Risk Advisory Services Query">jriggi@aha.org</a></h4><h4>(O) <a href="tel:1-202-626-2272">+1 202 626 2272</a></h4><div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf" target="_blank">More on John Riggi</a></div><div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/guidesreports/2018-06-15-cybersecurity-and-risk-advisory-services" target="_blank">Learn more about AHA's Cybersecurity and Risk Advisory Services</a></div></div></div></div></div> Fri, 03 May 2024 14:36:59 -0500 FBI TLP Alert FBI Flash TLP Clear: Identification and Disruption of the Warzone Remote Access Trojan RAT /fbi-tlp-alert/2024-02-16-fbi-flash-tlp-clear-identification-and-disruption-warzone-remote-access-trojan-rat <div class="container row"><div class="row"><div class="col-md-8"><p>The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the Warzone Remote Access Trojan (RAT), also identified as "Ave Maria" through open-source reporting and FBI 
investigation. On 7 February 2024, the FBI and international partners executed a coordinated operation to disrupt Warzone RAT infrastructure worldwide. The FBI is releasing this product to maximize awareness on the service and to seek additional reporting from victims.</p><p>View the entire report below.</p></div></div></div> Fri, 16 Feb 2024 13:48:44 -0600 FBI TLP Alert Quantum-Readiness: Migration to Post-quantum Cryptography /fbi-tlp-alert/2023-08-23-quantum-readiness-migration-post-quantum-cryptography <div class="container"> <div class="row"> <div class="col-md-8"> <h2>Background</h2> <p>The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) created this factsheet to inform organizations — especially those that support Critical Infrastructure — about the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap. NIST is working to publish the first set of post-quantum cryptographic (PQC) standards, to be released in 2024, to protect against future, potentially adversarial, cryptanalytically-relevant quantum computer (CRQC) capabilities. A CRQC would have the potential to break public-key systems (sometimes referred to as asymmetric cryptography) that are used to protect information systems today.</p> <h2>Why Prepare Now?</h2> <p>A successful post-quantum cryptography migration will take time to plan and conduct. CISA, NSA, and NIST urge organizations to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. 
Early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation. Many of the cryptographic products, protocols, and services used today that rely on public key algorithms (e.g., Rivest-Shamir-Adleman [RSA], Elliptic Curve Diffie-Hellman [ECDH], and Elliptic Curve Digital Signature Algorithm [ECDSA]) will need to be updated, replaced, or significantly altered to employ quantum-resistant PQC algorithms, to protect against this future threat. Organizations are encouraged to proactively prepare for future migration to products implementing the post-quantum cryptographic standards. This includes engaging with vendors around their quantum-readiness roadmap and actively implementing thoughtful, deliberate measures within their organizations to reduce the risks posed by a CRQC.</p> <h2>Establish a Quantum-Readiness Roadmap</h2> <p>While the PQC standards are currently in development, the authoring agencies encourage organizations to create a quantum-readiness roadmap by first establishing a project management team to plan and scope the organization’s migration to PQC. Quantum-readiness project teams should initiate proactive cryptographic discovery activities that identify the organization’s current reliance on quantum-vulnerable cryptography. Systems and assets with quantum-vulnerable cryptography include those involved in creating and validating digital signatures, which also incorporates software and firmware updates. Having an inventory of quantum-vulnerable systems and assets enables an organization to begin the quantum risk assessment processes, demonstrating the prioritization of migration. 
Led by an organization’s Information Technology (IT) and Operational Technology (OT) procurement experts, the inventory should include engagements with supply chain vendors to identify technologies that need to migrate from quantum-vulnerable cryptography to PQC.</p> <p>Organizations are often unaware of the breadth of application and functional dependencies on public-key cryptography that exist within the products, applications, and services widely deployed within their operational environments, leading to a lack of visibility. The project team should lead the creation of such an inventory. The team should also include the organization’s cybersecurity and privacy risk managers who can prioritize the assets that would be most impacted by a CRQC, and that would expose the organization to greater risk.</p> <h2>Prepare a Cryptographic Inventory</h2> <ul> <li>Having an inventory of quantum-vulnerable technology and associated criticality of the data enables an organization to begin planning for risk assessment processes to prioritize its migration to PQC. This cryptographic inventory will: <ul> <li>Help an organization become quantum-ready — a state where a CRQC is not a threat,</li> <li>Help an organization prepare a transition to zero trust architecture,</li> <li>Help identify or correlate outside access to datasets, as those are more exposed and at higher risk, and</li> <li>Inform future analysis by identifying what data may be targeted now and decrypted when a CRQC is available.</li> </ul> </li> <li>Organizations should create a cryptographic inventory that offers visibility into how the organization leverages cryptography in its IT and OT systems. 
Cryptographic discovery tools should be used to identify quantum-vulnerable algorithms in: <ul> <li>Network protocols, used to identify quantum-vulnerable algorithms in network protocols that allow traceability</li> <li>Assets on end user systems and servers, including applications and associated libraries, both within application functionality and for firmware and software updates, and</li> <li> <p>Cryptographic code or dependencies in the continuous integration/continuous delivery development pipeline.</p> <p><strong>Note:</strong> Discovery tools may not be able to identify embedded cryptography used internally within products, hindering discoverability or documentation. Organizations should ask vendors for lists of embedded cryptography within their products.</p> </li> </ul> </li> <li>Organizations should include in their inventory when and where quantum-vulnerable cryptography is being leveraged to protect the most sensitive and critical datasets and include estimates on length of protection for these datasets. 
Organizations should: <ul> <li>Correlate cryptographic inventory with inventories available from existing programs, such as Asset Inventory, Identity, Credential, and Access Management (ICAM), Identity & Access Management (IdAM), Endpoint Detection and Response (EDR), and Continuous Diagnostics and Mitigation (CDM),</li> <li>Understand which systems and protocols are being used to move or access their most sensitive and critical datasets, and</li> <li>Identify quantum-vulnerable cryptography that protects critical processes, especially for Critical Infrastructure.</li> </ul> </li> <li>Organizations should feed the quantum-vulnerable inventory into their risk assessment process, allowing risk officials to prioritize where to ensure use of PQC as soon as it is available.</li> </ul> <h2>Discuss Post-quantum Roadmaps with Technology Vendors</h2> <p>CISA and the authoring agencies encourage organizations to start engaging with their technology vendors to learn about vendors’ quantum-readiness roadmaps, including migration. Solidly built roadmaps should describe how vendors plan to migrate to PQC, charting timelines for testing PQC algorithms and integration into products. This applies to both on-premises commercial-off-the-shelf (COTS) and cloud-based products. Ideally, vendors will publish their own PQC roadmap, framing their commitment to implementing post-quantum cryptography. The authoring agencies also urge organizations to proactively plan for necessary changes to existing and future contracts. Considerations should be in place ensuring that new products will be delivered with PQC built-in, and older products will be upgraded with PQC to meet transition timelines.</p> <h2>Supply Chain Quantum-Readiness</h2> <p>Organizations should develop an understanding of their reliance/dependencies on quantum-vulnerable cryptography in systems and assets, as well as how the vendors in their supply chain will be migrating to PQC. 
As noted above, understanding your organization’s dependencies on quantum-vulnerable cryptography involves discovering where quantum-vulnerable algorithms are used in current IT and OT systems and devices (custom-built or COTS) and in the organization’s reliance on cloud services, ensuring that plans will reduce as much quantum risk as feasible and meet the organization’s transition strategy.</p> <p>Organizations should also begin to ask their vendors how they are addressing quantum-readiness and supporting migration to PQC. Additional considerations:</p> <ul> <li>Prioritization should be given to high impact systems, industrial control systems (ICSs), and systems with long-term confidentiality/secrecy needs.</li> <li>If an organization discovers quantum-vulnerable cryptography in its custom-built technologies, it should identify the risk to data or functions that rely on those technologies. The organization could either migrate to PQC within those technologies or develop system security upgrades that mitigate the risk of their continued use. Custom-built products, especially those in older systems, will likely require the most effort to make quantum-resistant.</li> <li>For COTS products, engagement with vendors on their PQC roadmap is critical. Migration to PQC should be viewed as an IT/OT modernization effort. An organization’s quantum-readiness roadmap should include details of when and how each COTS vendor plans to deliver updates or upgrades to enable the use of PQC, as well as the expected cost associated with migration to PQC.</li> <li>For cloud-hosted products, organizations should engage with their cloud service providers to understand the provider’s quantum-readiness roadmap. 
Once PQC standards are available, engagements should evolve to focus on how to enable the use of PQC, for example through configuration changes or application updates.</li> </ul> <h2>Technology Vendor Responsibilities</h2> <p>Technology manufacturers and vendors whose products support the use of quantum-vulnerable cryptography should begin planning and testing for integration. CISA, NSA, and NIST encourage vendors to review the NIST-published draft PQC standards, which contain algorithms, with the understanding that final implementation specifics for these algorithms are incomplete. Ensuring that products use post-quantum cryptographic algorithms is emblematic of Secure by Design principles. Vendors should prepare themselves to support PQC as soon as possible after NIST finalizes its standards.</p> </div> <div class="col-md-4"> <p><a href="/system/files/media/file/2023/08/Quantum-Readiness-Migration-to-Post-quantum-Cryptography.pdf" target="_blank" title="Click here to download the Quantum-Readiness: Migration to Post-quantum Cryptography TLP:CLEAR report PDF."><img alt="Quantum-Readiness: Migration to Post-quantum Cryptography TLP:CLEAR report page 1." data-entity-type="file" data-entity-uuid="81c86569-3c78-45bb-8427-a3f4a340193f" src="/sites/default/files/inline-images/Page-1-Quantum-Readiness-Migration-to-Post-quantum-Cryptography.png" width="695" height="900"> </a></p> </div> </div> </div> Wed, 23 Aug 2023 14:18:21 -0500 FBI TLP Alert Joint Cybersecurity Advisory: AA23-075A TLP:Clear #StopRansomware: LockBit 3.0 /fbi-tlp-alert/2023-03-16-joint-cybersecurity-advisory-aa23-075a-tlpclear-stopransomware-lockbit-30 <div class="container"> <div class="row"> <div class="col-md-8"> <h2>#StopRansomware: LockBit 3.0</h2> <h3>Summary</h3> <p><em>Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. 
These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.</em></p> <p>The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.</p> <p>The LockBit 3.0 ransomware operation functions as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0 and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.</p> <p>The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.</p> <p><strong><em><a href="/system/files/media/file/2023/03/CSA-AA23-075A-TLP-CLEAR-1.pdf"><span>View the full report.</span></a></em></strong></p> </div> <div class="col-md-4"> <div> <h3>Actions to take today to mitigate cyber threats from ransomware:</h3> <ul> <li>Prioritize remediating <strong>known exploited vulnerabilities.</strong></li> <li>Train users to recognize and report <strong>phishing attempts.</strong></li> <li>Enable and enforce phishing-resistant <strong>multifactor authentication.</strong></li> </ul> </div> </div> </div> </div> Thu, 16 Mar 2023 14:52:36 -0500 FBI TLP Alert Joint HHS, CISA, FBI TLP White Advisory: 
#StopRansomware: Daixin Team - October 21, 2022 /2022-10-21-joint-hhs-cisa-fbi-tlp-white-advisory-stopransomware-daixin-team-october-21-2022 <div class="container row"> <div class="row"> <div class="col-md-8"> <h2>Summary</h2> <p><em>Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing <a href="https://www.cisa.gov/stopransomware/stopransomware" target="_blank">#StopRansomware</a> effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit <a href="https://www.cisa.gov/stopransomware" target="_blank">stopransomware.gov</a> to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.</em></p> <p><img alt="#StopRansomware Daixin Team Chart" data-entity-type="file" data-entity-uuid="8595de9b-e96e-42a2-ba8b-26574aeafd98" height="207" src="/sites/default/files/inline-images/StopRansomware-Daixin-Team-chart.png" width="262" class="align-right">The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. 
businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.</p> <p>This joint CSA provides TTPs and IOCs of Daixin actors obtained from FBI threat response activities and third-party reporting.</p> <p>View the detailed report below.</p> </div> </div> </div> Fri, 21 Oct 2022 15:13:03 -0500 FBI TLP Alert FBI TLP White PIN: Potential for Malicious Cyber Activities to Disrupt the 2022 Beijing Winter Olympics and Paralympics /fbi-tlp-alert/2022-01-31-fbi-tlp-white-pin-potential-malicious-cyber-activities-disrupt-2022 <div class="container row"> <div class="row"> <div class="col-md-8"> <h2>Summary</h2> <p>The FBI is warning entities associated with the February 2022 Beijing Winter Olympics and March 2022 Paralympics that cyber actors could use a broad range of cyber activities to disrupt these events. 
These activities include distributed denial of service (DDoS) attacks, ransomware, malware, social engineering, data theft or leaks, phishing campaigns, disinformation campaigns, or insider threats, and when successful, can block or disrupt the live broadcast of the event, steal or leak sensitive data, or impact public or private digital infrastructure supporting the Olympics. Additionally, the FBI warns Olympic participants and travelers of potential threats associated with mobile applications developed by untrusted vendors. The download and use of applications, including those required to participate or stay in country, could increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware. The FBI urges all athletes to keep their personal cell phones at home and use a temporary phone while at the Games. The National Olympic Committees in some Western countries are also advising their athletes to leave personal devices at home or use temporary phones due to cybersecurity concerns at the Games. The FBI to date is not aware of any specific cyber threat against the Olympics, but encourages partners to remain vigilant and maintain best practices in their network and digital environments.</p> <h2>Threat</h2> <p>As we mentioned in PIN 20210719-001, large, high-profile events provide an opportunity for criminal and nation-state cyber actors to make money, sow confusion, increase their notoriety, discredit adversaries, and advance ideological goals. Due to the ongoing COVID-19 pandemic, no foreign spectators will be allowed to attend the Olympics or Paralympics. Spectators will be reliant on remote streaming services and social media throughout the duration of the Games. Adversaries could use social engineering and phishing campaigns leading up to and during the event to implant malware to disrupt networks broadcasting the event. 
Cyber actors could use ransomware or other malicious tools and services available for purchase to execute DDoS attacks against Internet service providers and television broadcast companies to interrupt service during the Olympics. Similarly, actors could target the networks of hotels, mass transit providers, ticketing services, event security infrastructure or similar Olympic support functions.</p> <p>For example, during the 2020 Tokyo Olympics and Paralympics, the NTT Corporation, which provided its services for the Tokyo Olympic & Paralympic Games, revealed there were more than 450 million attempted cyber-related incidents during the event, though none were successful due to cybersecurity measures in place. While there were no major cyber disruptions, the most popular attack methods used were malware, email spoofing, phishing and the use of fake websites and streaming services designed to look like official Olympic service providers.</p> <p>In addition, the use of new digital infrastructure and mobile applications, such as digital wallets or applications that track COVID testing or vaccination status, could also increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware. Athletes will be required to use the smartphone app, MY2022, which will be used to track the athletes’ health and travel data.</p> <p>During the 2018 PyeongChang Winter Olympics, Russian cyber actors conducted a destructive cyber attack against the opening ceremony, enabled through spearphishing campaigns and malicious mobile applications.</p> <p>View the detailed report below. 
</p> </div> </div> </div> Mon, 31 Jan 2022 16:08:40 -0600 FBI TLP Alert FBI PIN TLP White: Context and Recommendations to Protect Against Malicious Activity by Iranian Cyber Group /fbi-tlp-alert/2022-01-26-fbi-pin-tlp-white-context-and-recommendations-protect-against-malicious <div class="container row"> <div class="row"> <div class="col-md-8"> <p>This Private Industry Notice provides a historical overview of Iran-based cyber company Emennet Pasargad’s tactics, techniques, and procedures (TTPs) to enable recipients to identify and defend against the group’s malicious cyber activities. On 20 October 2021, a grand jury in the US District Court for the Southern District of New York indicted two Iranian nationals employed by Emennet Pasargad (formerly known as Eeleyanet Gostar) for computer intrusion, computer fraud, voter intimidation, interstate threats, and conspiracy offenses for their alleged participation in a multi-faceted campaign aimed at influencing and interfering with the 2020 US Presidential Election. 
In addition, the Department of the Treasury Office of Foreign Assets Control designated Emennet along with four members of the company’s management and the two indicted employees for attempting to influence the same election. The Department of State’s Rewards for Justice Program also offered up to $10 million for information on the two indicted actors.</p> </div> </div> </div> Wed, 26 Jan 2022 14:31:00 -0600 FBI TLP Alert FBI Cyber Alert TLP Amber: Private Sector Request for Information - Russia/Ukraine <h2>Request for Information</h2> <p>This request for information (RFI) is for informational purposes only. 
Receiving entities may determine logical sources with the capability to provide information in response to this RFI.</p> <h2>Executive Summary</h2> <div class="container row"> <div class="row"> <div class="col-md-8"> <p>The FBI is seeking information regarding the recent buildup of Russian armed forces along Russia’s border with Ukraine accompanied by diplomatic pressures, threats to Ukraine’s critical infrastructure, threats to US critical infrastructure, and heightened Russian activity.</p> <p>View the detailed alert below.</p> </div> </div> </div> Fri, 21 Jan 2022 13:00:11 -0600 FBI TLP Alert FBI Flash TLP White: Indicators of Compromise Associated with Diavol Ransomware January 19, 2022 /fbi-tlp-alert/2022-01-19-fbi-flash-tlp-white-indicators-compromise-associated-diavol-ransomware <div class="container row"> <div class="row"> <div class="col-md-8"> <h2>Summary</h2> <p>The FBI first learned of Diavol ransomware in October 2021. 
Diavol is associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan. Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. While ransom demands have ranged from $10,000 to $500,000, Diavol actors have been willing to engage victims in ransom negotiations and accept lower payments. The FBI has not yet observed Diavol leak victim data, despite ransom notes including threats to leak stolen information.</p> <p>Technical Details</p> <p>Diavol creates a unique identifier for victim computers via the generation of a System or Bot ID with the following format:</p> <h5><span>EXAMPLEHOSTNAME-EXAMPLEUSERNAME_W617601.6A8DA4GEEV11E43V85556FE984GG94W1G</span></h5> <p>The Bot ID generated by Diavol is nearly identical to the format used by TrickBot and the Anchor DNS malware, also attributed to Trickbot. Once the Bot ID is generated, Diavol attempts to connect to a hardcoded command and control (C2) address. If the registration to the botnet is successful, the infected device connects to the C2 again to request updated configuration values. Diavol encrypts files and appends the “.lock64” file extension to the encrypted files. The file contents are encrypted using Microsoft CryptoAPI functions and then written to the new encrypted file. Diavol can also terminate processes and services.</p> <p>View the detailed report below. 
</p> </div> </div> </div> Wed, 19 Jan 2022 08:30:18 -0600 FBI TLP Alert Joint Cybersecurity Advisory TLP White: Understanding and Mitigating Russian State-Sponsored Cyber Threats /fbi-tlp-alert/2022-01-11-joint-cybersecurity-advisory-tlp-white-understanding-and-mitigating <div class="container row"> <div class="row"> <div class="col-md-8"> <p>This joint Cybersecurity Advisory (CSA)—authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)—is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. 
This overview is intended to help the cybersecurity community reduce the risk presented by these threats.</p> <p>View the detailed report below.</p> </div> </div> </div> Tue, 11 Jan 2022 11:16:09 -0600 FBI TLP Alert