Cybersecurity Government Intelligence Reports / en Fri, 25 Apr 2025 18:30:28 -0500 Thu, 06 Mar 25 11:24:58 -0600 TLP White: NSA | APT5: Citrix ADC Threat Hunting Guidance - December 2022 /cybersecurity-government-intelligence-reports/2022-12-13-tlp-white-nsa-apt5-citrix-adc-threat-hunting-guidance-december-2022 <h2>Executive summary</h2><p>APT5 has demonstrated capabilities against Citrix® Application Delivery Controller™ (ADC™) deployments (“Citrix ADCs”). Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls. As such, NSA, in collaboration with partners, has developed this threat hunting guidance to provide steps organizations can take to look for possible artifacts of this type of activity. Please note that this guidance does not represent all techniques, tactics, or procedures (TTPs) the actors may use when targeting these environments. This activity has been attributed to APT5, also known as UNC2630 and MANGANESE.</p><h2>Introduction</h2><p>NSA recommends organizations hosting Citrix ADC environments take the following steps as part of their investigation. Treat these detection mechanisms as independent ways of identifying potentially malicious activity on impacted systems. Artifacts may vary based on the environment and the stage of that activity. 
As such, NSA recommends investigating any positive result even if other detections return no findings.</p> Tue, 13 Dec 2022 11:06:06 -0600 Cybersecurity Government Intelligence Reports CISA JCDC TLP Green Mitigating Vidar Exploitation of Chrome’s Remote Debugger <div class="container row"><div class="row"><div class="col-md-8"><p>The following guidance was developed by the Joint Cyber Defense Collaborative (JCDC) in coordination with the Joint Ransomware Task Force (JRTF) in support of operational collaboration and greater cyber defense efforts.</p><p>The goal of this guidance is to highlight mitigations that can be implemented to better defend against Vidar Infostealer, which is known to abuse Google Chrome’s remote debugging capabilities to steal credentials by bypassing current defenses (including app-bound encryption).</p><p>View details below.</p></div><div class="col-md-4"><div><p><strong>For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:</strong></p><h3><a href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf">John Riggi</a></h3><h4>National Advisor for Cybersecurity and Risk, AHA</h4><h4><a href="mailto:jriggi@aha.org?subject=Cybersecurity and Risk Advisory Services Query">jriggi@aha.org</a></h4><h4>(O) <a href="tel:1-202-626-2272">+1 202 626 2272</a></h4><div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf" target="_blank">More on John Riggi</a></div><div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/guidesreports/2018-06-15-cybersecurity-and-risk-advisory-services" target="_blank">Learn more about AHA's Cybersecurity and Risk Advisory Services</a></div></div></div></div></div> Thu, 06 Mar 2025 11:24:58 -0600 Cybersecurity Government Intelligence Reports FBI Flash Report TLP Amber Consistent and Varied Targeting of FBI 
Public-Facing Networks between 1 July 2024 and 30 September 2024 <p><em>Please contact the FBI with any questions related to this FBI Liaison Alert System (FLASH) via your local Cyber Squad. www.fbi.gov/contact-us/field-offices</em></p><h2>Summary</h2><p>The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate indicators of compromise (IOCs) associated with malicious cyber activities targeting the FBI’s computer network between 1 July 2024 and 30 September 2024. During this time frame, the FBI observed a variety of tactics employed by cyber actors, including reconnaissance, attempted resource development, initial access attempts, and attempted web application attacks. The FBI continued to observe the use of Virtual Private Networks (VPNs) or proxies in additional malicious cyber activities targeting the FBI’s computer network, with the overwhelming majority resolving to Germany, the United States, or India. This information is being provided for general awareness, and the indicators in this report provide actionable information that may be used by recipients for network defense. Some of the IP addresses outlined below are several months old. The FBI recommends vetting these IP addresses prior to taking forward-looking action, such as blocking.</p><p>View the detailed report below.</p> Thu, 20 Feb 2025 10:34:23 -0600 Cybersecurity Government Intelligence Reports TLP Clear Joint FBI and DHS CISA Report: Product Security Bad Practices – Version 2 <div class="container row"><div class="row"><div class="col-md-8"><p>As outlined in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure by Design initiative, software manufacturers should ensure that security is a core consideration from the onset of software development and throughout the entirety of the development lifecycle.
This voluntary guidance provides an overview of product security bad practices that are considered exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs). This guidance also provides recommendations for software manufacturers to mitigate these risks.</p></div></div></div> Fri, 17 Jan 2025 10:30:09 -0600 Cybersecurity Government Intelligence Reports HC3: Monthly Cybersecurity Vulnerability Bulletin – January 16, 2025 /cybersecurity-government-intelligence-reports/2025-01-17-hc3-monthly-cybersecurity-vulnerability-bulletin-january-16-2025 <div class="container row"><div class="row"><div class="col-md-8"><h2>December Vulnerabilities of Interest to the Health Sector</h2><p>In December 2024, vulnerabilities of interest to the health sector were released that require attention.
This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for December are from Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, Adobe, Fortinet, Ivanti, VMware and Atlassian. A vulnerability is classified as a zero-day when it is actively exploited, or publicly disclosed, before a fix is available. HC3 recommends patching all vulnerabilities, with special consideration to the risk management posture of the organization.</p></div></div></div> Fri, 17 Jan 2025 09:03:36 -0600 Cybersecurity Government Intelligence Reports HC3: Analyst Note TLP Clear Securing Telehealth: Challenges and Solutions – January 8, 2025 /cybersecurity-government-intelligence-reports/2025-01-08-hc3-analyst-note-tlp-clear-securing-telehealth-challenges-and <div class="container row"><div class="row"><div class="col-md-8"><h2>Executive Summary</h2><p>Telehealth leverages telecommunications and information
technology to bridge the gap between healthcare providers and patients physically separated by distance. It encompasses a wide range of services, including health assessment, diagnosis, intervention, consultation, supervision, and information exchange. As telehealth evolves, its applications extend beyond traditional clinical settings, reaching patients in the comfort of their homes through virtual consultations and remote monitoring, but it also brings with it a new set of challenges, particularly in the field of cybersecurity. The integration of technology into healthcare services introduces vulnerabilities that malicious actors may exploit, and cyberattacks in the healthcare sector can lead to significant consequences. Understanding the associated cybersecurity risks is crucial for developing strategies to safeguard patient data, maintain privacy, and ensure the integrity of telehealth systems. Cybersecurity is therefore of growing importance in telehealth, and robust security measures are essential.</p><h2>Report</h2><p>Telehealth offers numerous benefits. Its convenience allows patients to receive medical consultations and treatments from the comfort of their homes, eliminating the need for travel and reducing wait time. Telehealth also enhances accessibility, especially for individuals in rural or underserved areas who might otherwise struggle to access healthcare services.
It is also cost effective, reducing healthcare expenses by minimizing the need for physical infrastructure and enabling efficient resource utilization, ultimately leading to lower costs for patients and providers.</p><p>View the detailed Analyst Note below.</p></div></div></div> Wed, 08 Jan 2025 14:21:06 -0600 Cybersecurity Government Intelligence Reports FBI PIN Notification: HiatusRAT Actors Targeting Web Cameras and DVRs /fbi-pin-notification-hiatusrat-actors-targeting-web-cameras-and-dvrs <h2>Summary</h2><p>The Federal Bureau of Investigation (FBI) is releasing this Private Industry Notification (PIN) to highlight HiatusRAT<sup>1</sup> scanning campaigns against Chinese-branded web cameras and DVRs. Private sector partners are encouraged to implement the recommendations listed in the “Mitigation” column of the table below to reduce the likelihood and impact of these attack campaigns.</p><h2>Threat</h2><p>HiatusRAT is a Remote Access Trojan (RAT) whose latest iteration has likely been employed since July 2022.
Malicious cyber actors commonly use RATs to take over and control a targeted device from a distance. The Hiatus campaign originally targeted outdated network edge devices. Cybersecurity companies have also observed these actors using the malware to target a range of Taiwan-based organizations and to carry out reconnaissance against a US government server used for submitting and retrieving defense contract proposals.<sup>2</sup></p><p>In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom. The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak vendor-supplied passwords. Many of these vulnerabilities have not yet been mitigated by the vendors. In particular, the actors targeted Xiongmai and Hikvision devices with telnet access. They used Ingram—a webcam-scanning tool available on Github—to conduct scanning activity. And they used Medusa—an open-source brute-force authentication cracking tool—to target Hikvision cameras with telnet access. 
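The scanning behaviour described in this PIN (one source sweeping many cameras and DVRs on a fixed set of TCP ports, and repeated telnet connections to a single Hikvision device for Medusa-style brute forcing) leaves a recognisable shape in perimeter connection logs. The script below is an added example written for this page, not code from the FBI notification; it uses the campaign port list the PIN publishes (23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575) and a constructed key=value flow-record format with made-up thresholds. Adapt `parse_record()` to your firewall or NetFlow export and tune the thresholds to your estate.

```python
"""Hunt for HiatusRAT-style IoT scanning in connection logs.

Added example, not from the FBI PIN. It flags two traffic shapes the PIN
describes: one source probing many cameras/DVRs on the campaign's TCP ports
(a port sweep), and many telnet connections from one source to one device
(credential brute forcing). The log format is a constructed key=value flow
record, not a real vendor format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# TCP ports listed in the FBI PIN for the March 2024 scanning campaign.
HIATUS_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}
TELNET_PORTS = {23, 2323}

# Thresholds are assumptions for this example; tune them to your network.
SWEEP_MIN_HOSTS = 3   # distinct destinations touched on campaign ports
SWEEP_MIN_PORTS = 2   # distinct campaign ports touched by one source
BRUTE_MIN_CONNS = 5   # telnet connections from one source to one device

RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


@dataclass
class SourceStats:
    dsts_on_campaign_ports: set = field(default_factory=set)
    campaign_ports: set = field(default_factory=set)
    telnet_conns: dict = field(default_factory=lambda: defaultdict(int))
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def parse_record(line):
    """Return (ts, src, dst, dport) for a TCP record, or None for non-TCP or garbage."""
    m = RECORD_RE.match(line.strip())
    if not m or m["proto"].lower() != "tcp":
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["dst"], int(m["dport"])


def analyse(lines):
    """Aggregate per-source activity on the campaign ports only."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport not in HIATUS_PORTS:
            continue
        s = stats[src]
        s.dsts_on_campaign_ports.add(dst)
        s.campaign_ports.add(dport)
        if dport in TELNET_PORTS:
            s.telnet_conns[dst] += 1
        s.first_seen = ts if s.first_seen is None else min(s.first_seen, ts)
        s.last_seen = ts if s.last_seen is None else max(s.last_seen, ts)
    return stats


def findings(lines):
    """Return (src, kind, detail) tuples worth triaging."""
    out = []
    for src, s in sorted(analyse(lines).items()):
        if (len(s.dsts_on_campaign_ports) >= SWEEP_MIN_HOSTS
                and len(s.campaign_ports) >= SWEEP_MIN_PORTS):
            out.append((src, "port-sweep",
                        f"{len(s.dsts_on_campaign_ports)} hosts, ports "
                        f"{sorted(s.campaign_ports)}"))
        for dst, n in sorted(s.telnet_conns.items()):
            if n >= BRUTE_MIN_CONNS:
                out.append((src, "telnet-bruteforce", f"{n} connections to {dst}"))
    return out


# Constructed sample log (not real traffic): 203.0.113.7 sweeps three cameras,
# 203.0.113.9 hammers one device's telnet port, 198.51.100.4 is an ordinary user.
SAMPLE_LOG = """\
2024-03-12T10:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2024-03-12T10:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=554 proto=tcp
2024-03-12T10:00:02Z src=203.0.113.7 dst=192.0.2.11 dport=23 proto=tcp
2024-03-12T10:00:02Z src=203.0.113.7 dst=192.0.2.11 dport=9530 proto=tcp
2024-03-12T10:00:03Z src=203.0.113.7 dst=192.0.2.12 dport=2323 proto=tcp
2024-03-12T10:00:03Z src=203.0.113.7 dst=192.0.2.12 dport=56575 proto=tcp
2024-03-12T10:01:00Z src=203.0.113.9 dst=192.0.2.20 dport=23 proto=tcp
2024-03-12T10:01:01Z src=203.0.113.9 dst=192.0.2.20 dport=23 proto=tcp
2024-03-12T10:01:02Z src=203.0.113.9 dst=192.0.2.20 dport=23 proto=tcp
2024-03-12T10:01:03Z src=203.0.113.9 dst=192.0.2.20 dport=23 proto=tcp
2024-03-12T10:01:04Z src=203.0.113.9 dst=192.0.2.20 dport=23 proto=tcp
2024-03-12T10:02:00Z src=198.51.100.4 dst=192.0.2.10 dport=8080 proto=tcp
2024-03-12T10:02:01Z src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2024-03-12T10:02:02Z src=203.0.113.9 dst=192.0.2.20 dport=53 proto=udp
this line is garbage and is skipped
""".splitlines()

if __name__ == "__main__":
    for src, kind, detail in findings(SAMPLE_LOG):
        print(f"{kind:18} {src:15} {detail}")
```

Hits on the campaign ports are counted before any threshold is applied, so a single probe to port 8080 from a legitimate user does not fire; only breadth (many devices, several ports) or depth (repeated telnet to one device) does. Checking the reputation of a flagged source against the IOCs in the full notification is the natural next step.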
Targeted TCP ports have included: 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575.</p><p>View the detailed notification below.</p><p>__________<br><small class="sm"><sup>1</sup> (U) Previous HiatusRAT campaigns have targeted edge routers to passively collect traffic and function as a covert network of command-and-control (C2) infrastructure.</small><br><small class="sm"><sup>2</sup> https://blog.lumen.com/hiatusrat-take-little-time-off-in-a-return-to-action/</small></p> Mon, 16 Dec 2024 08:31:06 -0600 Cybersecurity Government Intelligence Reports FBI CYBER Report TLP Clear: Enhanced Visibility and Hardening Guidance for Communications Infrastructure /cybersecurity-government-intelligence-reports/2024-12-03-fbi-cyber-report-tlp-clear-enhanced-visibility-and-hardening-guidance <h2>Introduction</h2><p>The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC), Canadian Cyber Security Centre (CCCS), and New Zealand’s National Cyber Security Centre (NCSC-NZ) warn that People’s Republic of China (PRC)-affiliated threat actors compromised networks of major global telecommunications providers to conduct a <a href="https://www.cisa.gov/news-events/news/joint-statement-fbi-and-cisa-peoples-republic-china-prc-targeting-commercial-telecommunications" target="_blank">broad and significant cyber espionage campaign</a>. The authoring agencies are releasing this guide to highlight this threat and provide network engineers and defenders of communications infrastructure with best practices to strengthen their visibility and harden their network devices against successful exploitation carried out by PRC-affiliated and other malicious cyber actors. Although tailored to network defenders and engineers of communications infrastructure, this guide may also apply to organizations with on-premises enterprise equipment.
The authoring agencies encourage telecommunications and other critical infrastructure organizations to apply the best practices in this guide.</p><p>As of this release date, identified exploitations or compromises associated with these threat actors’ activity align with existing weaknesses associated with victim infrastructure; no novel activity has been observed. Patching vulnerable devices and services, as well as generally securing environments, will reduce opportunities for intrusion and mitigate the actors’ activity.</p><p>View the detailed report below.</p> Tue, 03 Dec 2024 14:47:32 -0600 Cybersecurity Government Intelligence Reports FBI FLASH: Sustained and Diversified Targeting of FBI Public-Facing Networks between 1 April and 30 June 2024 <div class="container row"><div class="row"><div class="col-md-8"><p><em><small class="sm">The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber actors. This FLASH was coordinated with DHS/CISA.</small></em></p><p><strong>Please contact the FBI with any questions related to this FLASH via your local Cyber Squad. </strong><a href="https://www.fbi.gov/contact-us/field-offices" target="_blank"><strong>www.fbi.gov/contact-us/field-offices</strong></a></p><p>The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate indicators of compromise (IOCs) associated with malicious cyber activities targeting the FBI’s computer network between 1 April 2024 and 30 June 2024.
During this time frame, the FBI observed a variety of tactics employed by cyber actors, including reconnaissance, attempted resource development, initial access attempts, execution attempts, and privilege escalation attempts. The overwhelming majority of activity during this time frame comprised attempted exploitation of two Common Vulnerabilities and Exposures (CVE) entries, CVE-2013-3612 and CVE-2016-10401. The FBI continued to observe the use of Virtual Private Networks (VPNs) or proxies in additional malicious cyber activities targeting the FBI’s computer network. This information is being provided for general awareness, and the indicators in this report provide actionable information that may be used by recipients for network defense.</p><p>View the detailed FLASH below.</p></div></div></div> Mon, 02 Dec 2024 13:29:57 -0600 Cybersecurity Government Intelligence Reports HC3 – TLP Clear Analyst Note: The Godzilla Webshell /cybersecurity-government-intelligence-reports/2024-11-12-hc3-tlp-clear-analyst-note-godzilla-webshell
<h2>Executive Summary</h2><p>Godzilla webshell is a weapon used by cyber threat actors to execute commands, manipulate files, and engage in other harmful and malicious activity on victim systems as part of a larger cyberattack. It has been attributed to Chinese state threat actors with relatively high confidence, and has been used to target a number of industries, including the health sector. It is publicly available and therefore accessible for use by any number of bad actors, and should be treated as a serious threat. This article concludes with defense and mitigation recommendations, which we implore all healthcare organizations to review and action in accordance with their risk mitigation plan.</p><h2>What is Godzilla?</h2><p>Godzilla <a href="https://blog.gigamon.com/2022/09/28/investigating-web-shells/" target="_blank" title="Godzilla webshell info">webshell</a> is a Chinese-language backdoor created by an individual who goes by the online handle BeichenDream. BeichenDream claims Godzilla was created in response to existing webshells that are often detected in attacks; Godzilla encrypts its network traffic with the Advanced Encryption Standard (AES), which makes that traffic harder to inspect and therefore harder to detect. Godzilla is considered highly capable and full of functionality. It facilitates file management and manipulation, including uploading, downloading, deleting, and modifying files on a victim system. It also allows the execution of files and commands—one of the primary functions of any webshell. It allows for reconnaissance, such as the collection of details related to operating systems, network configurations, and versions of software and applications. It facilitates the maintenance of persistent access. As previously noted, it encrypts its traffic. It also executes in memory, or “filelessly”, which likewise makes it challenging to detect. There are a number of reports that attribute Godzilla to the Chinese government. We recommend that this be understood as probable, but not certain. It is also worth noting that BeichenDream maintains Godzilla, including its code, in a publicly accessible repository. This means it is relatively trivial for another threat actor—foreign government, cybercriminal gang or anyone else—to acquire, modify, and utilize the code in accordance with their own purposes.</p><p>View the detailed report below.</p> Tue, 12 Nov 2024 14:58:19 -0600 Cybersecurity Government Intelligence Reports
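Because Godzilla AES-encrypts its request and response bodies and runs in memory, neither content signatures nor a scan of the web root for a dropped file is reliable on its own. What does survive encryption is the shape of the traffic in ordinary web server access logs: an operator's client POSTs repeatedly to one server-side script, sends no Referer, and never fetches the HTML, CSS or JavaScript a real browser session would. The script below is an added example written for this page, not code from the HC3 analyst note or from Godzilla's author, and it does not decode Godzilla traffic. It assumes Apache/Nginx "combined" log format; the sample lines are constructed, the script extensions and the `MIN_POSTS` threshold are assumptions to tune.

```python
"""Hunt for webshell-shaped traffic in web server access logs.

Added example, not from the HC3 analyst note. Encrypted webshell traffic
defeats content inspection, so this looks at metadata only: a client whose
entire footprint is POSTs to a single server-side script, with no Referer
and no requests for the page's normal assets. Log lines are constructed in
Apache/Nginx combined format; they are not real traffic.
"""
import re
from collections import defaultdict

# Server-side script extensions worth examining (assumption; extend as needed).
SCRIPT_EXT = (".jsp", ".jspx", ".php", ".asp", ".aspx", ".ashx")
MIN_POSTS = 4   # POSTs from one client to one script before it is reported (assumption)

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for garbage."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["path"] = d["path"].split("?", 1)[0]          # drop query string
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d


def hunt(lines):
    """Return one finding per (client, script path) that looks like webshell use."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec["ip"]].append(rec)

    findings = []
    for ip, recs in sorted(by_client.items()):
        paths = {r["path"] for r in recs}
        for path in sorted(paths):
            if not path.lower().endswith(SCRIPT_EXT):
                continue
            posts = [r for r in recs if r["path"] == path and r["method"] == "POST"]
            if len(posts) < MIN_POSTS:
                continue
            no_referer = sum(1 for r in posts if r["referer"] in ("", "-"))
            other_paths = paths - {path}
            # A browser submitting a form sends a Referer and has already fetched
            # other resources (HTML, CSS, JS). A webshell client does neither.
            if no_referer == len(posts) and not other_paths:
                sizes = sorted(r["bytes"] for r in posts)
                findings.append({
                    "client": ip,
                    "path": path,
                    "posts": len(posts),
                    "response_bytes_min": sizes[0],
                    "response_bytes_max": sizes[-1],
                    "user_agents": sorted({r["ua"] for r in posts}),
                })
    return findings


# Constructed sample log (not real traffic). 203.0.113.50 drives a webshell at
# /static/upload/help.jsp; 198.51.100.8 is a user logging in through a browser;
# 198.51.100.9 makes two API calls, below the threshold.
SAMPLE_LOG = """\
203.0.113.50 - - [12/Nov/2024:09:15:01 +0000] "POST /static/upload/help.jsp HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.50 - - [12/Nov/2024:09:15:04 +0000] "POST /static/upload/help.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.50 - - [12/Nov/2024:09:15:09 +0000] "POST /static/upload/help.jsp HTTP/1.1" 200 176 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.50 - - [12/Nov/2024:09:15:15 +0000] "POST /static/upload/help.jsp HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.50 - - [12/Nov/2024:09:15:40 +0000] "POST /static/upload/help.jsp HTTP/1.1" 200 288 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.8 - - [12/Nov/2024:09:20:00 +0000] "GET /login.php HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Nov/2024:09:20:01 +0000] "GET /css/site.css HTTP/1.1" 200 4200 "https://portal.example/login.php" "Mozilla/5.0"
198.51.100.8 - - [12/Nov/2024:09:20:10 +0000] "POST /login.php HTTP/1.1" 302 0 "https://portal.example/login.php" "Mozilla/5.0"
198.51.100.8 - - [12/Nov/2024:09:20:30 +0000] "POST /login.php HTTP/1.1" 302 0 "https://portal.example/login.php" "Mozilla/5.0"
198.51.100.8 - - [12/Nov/2024:09:20:50 +0000] "POST /login.php HTTP/1.1" 302 0 "https://portal.example/login.php" "Mozilla/5.0"
198.51.100.8 - - [12/Nov/2024:09:21:10 +0000] "POST /login.php HTTP/1.1" 200 1900 "https://portal.example/login.php" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2024:09:25:00 +0000] "POST /api/search.php?q=x HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.9 - - [12/Nov/2024:09:25:05 +0000] "POST /api/search.php?q=y HTTP/1.1" 200 530 "-" "curl/8.4.0"
not an access log line at all
""".splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['client']} -> {f['path']}: {f['posts']} POSTs, "
              f"responses {f['response_bytes_min']}-{f['response_bytes_max']} bytes, "
              f"UA {f['user_agents']}")
```

The widely varying response sizes on the flagged path are a useful corroborating signal: a form handler returns a near-constant size, while a webshell returns whatever a directory listing, file download or command output happens to be. Once a path is flagged, pull the file's creation time and the access-log history of the client that first touched it; for a fileless or in-memory variant, the first request to that path is often the injection itself.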