Google, Mozilla Ban Hundreds of Browser Extensions in Chrome, Firefox
After discovering a wide pattern of potentially malicious behavior in browser extensions, the two search giants are cracking down.
As Necurs Botnet Falls from Grace, Emotet Rises
Researchers wonder if a recent "amateur spam" campaign by the once-prevalent malware distribution botnet is a sign of trojans looking to other infection paths.
N.Y. Could Ban Cities from Paying Ransomware Attackers
State senators have issued proposals they say would encourage municipalities to upgrade their cyber-postures.
Mandatory IoT Security in the Offing with U.K. Proposal
The new U.K. law mandates that manufacturers apply several security controls to their connected devices.
ThreatList: Ransomware Costs Double in Q4, Sodinokibi Dominates
Ransomware actors are turning their sights on larger enterprises, making both average cost and downtime inflicted from attacks skyrocket.
Cisco Webex Flaw Lets Unauthenticated Users Join Private Online Meetings
The flaw could allow a remote, unauthenticated attacker to enter a password-protected video conference meeting.
New Bill Proposes NSA Surveillance Reforms
The newly-introduced bill targets the Patriot Act's Section 215, previously used by the U.S. government to collect telephone data from millions of Americans.
Fake Smart Factory Honeypot Highlights New Attack Threats
The honeypot demonstrates the various security concerns plaguing vulnerable industrial control systems.
Critical, Unpatched ‘MDhex’ Bugs Threaten Hospital Devices
The Feds have warned on six vulnerabilities in GE medical equipment that could affect patient monitor alarms and more.
U.S. Gov Agency Targeted With Malware-Laced Emails
The malicious email campaign included a never-before-seen malware downloader called Carrotball, and may be linked to the Konni Group APT.
One Small Fix Would Curb Stingray Surveillance
The technology needed to limit stingrays is clear—but good luck getting telecoms on board.
Intel Is Patching the Patch for the Patch for Its ‘Zombieload’ Flaw
Intel's made two attempts to fix the microprocessor vulnerability it was warned about 18 months ago. Third time’s the charm?
The Sneaky Simple Malware That Hits Millions of Macs
How the Shlayer Trojan topped the macOS malware charts—despite its “rather ordinary” methods.
Google Calls Out Safari for Privacy Flaws
Facial recognition, iCloud encryption, and the rest of this week's top security news.
The Doomsday Clock Moves Closer Than Ever to Midnight
Since the advent of the clock—even during the peak years of the Cold War—the minute hand has never advanced past the 11:58 mark.
Scraping the Web Is a Powerful Tool. Clearview AI Abused It
The facial recognition startup claims it collected billions of photos from sites like Facebook and Twitter. What does the practice mean for the open web?
Patreon Can't Solve Its Porn Pirate Problem
Two years ago, Patreon promised to crack down on piracy site Yiff.Party. Now it says its hands are tied.
Inside Pwn2Own's High-Stakes Industrial Hacking Contest
At Pwn2Own, hackers had no trouble dismantling systems that help run everything from car washes to nuclear plants.
Elections Globally Are Under Threat. Here's How to Protect Them
A new report calls for safeguards to reduce the dangers posed by misinformation, online extremism, and social media manipulation.
Jeff Bezos’ Hacked Phone, Coronavirus Hits the US, and More News
Catch up on the most important news from today in two minutes or less.
Everything We Know About the Jeff Bezos Phone Hack
A UN report links the attack on Jeff Bezos' iPhone X directly to Saudi Arabian Crown Prince Mohammed bin Salman.
Free Press Advocates Decry Cybercrime Charges Against Glenn Greenwald
Brazil has accused journalist Glenn Greenwald of aiding a hacking ring, with seemingly scant evidence.
A Handy Chrome Feature, a Sonos Update Warning, and More News
Catch up on the most important news from today in two minutes or less.
Donald Trump's 'National Security' Impeachment Defense Is a Red Herring
The president’s cry-wolf strategy is straight from Richard Nixon’s playbook.
How to Watch Donald Trump’s Impeachment Trial
The Senate gets set to debate the rules for Trump’s trial today. Tomorrow, the opening arguments begin.
An Open Source Effort to Encrypt the Internet of Things
IoT is a security hellscape. One cryptography company has a plan to make it a little bit less so.
Don't Ignore Chrome's New Password Checkup Feature
It could help save you when the next big breach hits.
FBI Takes Down Site With 12 Billion Stolen Records
Turkey gets Wikipedia back, Mayor Pete loses his cyberguy, and more of the week's top security news.
A Windows 10 Vulnerability Was Used to Rickroll the NSA and Github
A researcher demonstrated the attack less than a day after Microsoft disclosed one of the most critical Windows vulnerabilities ever.
This Apple-FBI Fight Is Different From the Last One
In 2016 the iPhone encryption debate ended in a draw. Don't count on 2020's scuffle over the Pensacola shooter's devices to play out the same way.
AA20-020A: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP
Original release date: January 20, 2020 | Last revised: January 27, 2020
Note: As of January 24, 2020, Citrix has released all expected updates in response to CVE-2019-19781.
On January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0.
On January 22, 2020, Citrix released security updates for vulnerable SD-WAN WANOP appliances.
On January 23, 2020, Citrix released firmware updates for Citrix ADC and Gateway versions 12.1 and 13.0.
On January 24, 2020, Citrix released firmware updates for Citrix ADC and Gateway version 10.5.
The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible.
On December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.
The vulnerability affects the following appliances:
See the National Security Agency’s Cybersecurity Advisory on CVE-2019-19781 for other detection measures.
CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781. CISA encourages administrators to visit CISA’s GitHub page to download and run the tool.
CISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP as soon as possible.
Until the appropriate update is implemented, users and administrators should apply Citrix’s interim mitigation steps for CVE-2019-19781. Verify the successful application of the above mitigations by using the tool in CTX269180 – CVE-2019-19781 – Verification Tool. Note: these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments.
Refer to table 1 for Citrix’s fix schedule.
Table 1. Fix schedule for Citrix appliances vulnerable to CVE-2019-19781
| Vulnerable Appliance | Firmware Update | Release Date |
| --- | --- | --- |
| Citrix ADC and Citrix Gateway version 10.5 | Refresh Build 10.5.70.12 | January 24, 2020 |
| Citrix ADC and Citrix Gateway version 11.1 | Refresh Build 126.96.36.199 | January 19, 2020 |
| Citrix ADC and Citrix Gateway version 12.0 | Refresh Build 188.8.131.52 | January 19, 2020 |
| Citrix ADC and Citrix Gateway version 12.1 | Refresh Build 184.108.40.206 | January 23, 2020 |
| Citrix ADC and Citrix Gateway version 13.0 | Refresh Build 220.127.116.11 | January 23, 2020 |
| Citrix SD-WAN WANOP Release 10.2.6 | Build 10.2.6b | January 22, 2020 |
| Citrix SD-WAN WANOP Release 11.0.3 | Build 11.0.3b | January 22, 2020 |
Administrators should review NSA’s Citrix Advisory for other mitigations, such as applying the following defense-in-depth strategy:
“Consider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. Use of a proprietary SSLVPN/TLSVPN is discouraged.”
AA20-014A: Critical Vulnerabilities in Microsoft Windows Operating Systems
Original release date: January 14, 2020
New vulnerabilities are continually emerging, but the best defense against attackers exploiting patched vulnerabilities is simple: keep software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections:
The Cybersecurity and Infrastructure Security Agency (CISA) is unaware of active exploitation of these vulnerabilities. However, because patches have been publicly released, the underlying vulnerabilities can be reverse-engineered to create exploits that target unpatched systems.
CISA strongly recommends organizations install these critical patches as soon as possible—prioritize patching by starting with mission critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected information technology/operational technology (IT/OT) assets.
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates ECC certificates.
According to Microsoft, “an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.” Additionally, “a successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”
A cyber attacker could exploit CVE-2020-0601 to obtain sensitive information, such as financial information, or run malware on a targeted system; for example:
The Microsoft Security Advisory for CVE-2020-0601 addresses this vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
The National Security Agency (NSA) provides detection measures for CVE-2020-0601 in their Cybersecurity Advisory: Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers.
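One concrete piece of "completely" validating an ECC certificate is checking how the certificate expresses its elliptic curve parameters before the public key is ever compared against a trusted root; the NSA advisory referenced above recommends treating certificates that carry explicitly-defined curve parameters, rather than a named curve, as suspicious. The Python below is an added example, not code from Microsoft, CISA or NSA: it parses the DER SubjectPublicKeyInfo of a key with a minimal ASN.1 reader, classifies the parameters as namedCurve, implicitlyCA or specifiedCurve (the three forms from RFC 3279, of which RFC 5480 permits only namedCurve), and accepts only keys that name a known standard curve. The OIDs are the real registered values; the two sample keys are constructed placeholders with zeroed coordinates.

```python
# OIDs from RFC 5480: id-ecPublicKey and the NIST named curves a PKIX key may name
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
NAMED_CURVES = {"1.2.840.10045.3.1.7": "P-256",
                "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521"}

def _encode_len(n: int) -> bytes:
    # DER length: short form below 128, long form (0x80 | byte count) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    # wrap body in a DER TLV with the given tag
    return bytes([tag]) + _encode_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    # dotted OID string -> DER OBJECT IDENTIFIER TLV (base-128 arcs)
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(body: bytes) -> str:
    # contents of an OBJECT IDENTIFIER -> dotted string
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf: bytes, pos: int = 0):
    # read one TLV at pos; returns (tag, value bytes, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_spki(spki: bytes) -> dict:
    # report the key algorithm and the form its EC parameters take
    tag, spki_body, _ = read_tlv(spki)         # SubjectPublicKeyInfo ::= SEQUENCE
    tag2, alg_body, _ = read_tlv(spki_body)    # AlgorithmIdentifier ::= SEQUENCE
    tag3, oid_body, pos = read_tlv(alg_body)   # algorithm OBJECT IDENTIFIER
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("malformed SubjectPublicKeyInfo")
    info = {"algorithm": decode_oid(oid_body), "params": "absent", "curve": None}
    if pos < len(alg_body):                    # optional parameters field
        ptag, pbody, _ = read_tlv(alg_body, pos)
        if ptag == 0x06:      # namedCurve: the only form RFC 5480 permits
            info["params"], info["curve"] = "namedCurve", decode_oid(pbody)
        elif ptag == 0x05:    # implicitlyCA (NULL): parameters inherited from issuer
            info["params"] = "implicitlyCA"
        elif ptag == 0x30:    # specifiedCurve: explicit, certificate-supplied parameters
            info["params"] = "specifiedCurve"
        else:
            info["params"] = f"unexpected tag 0x{ptag:02x}"
    return info

def ec_parameters_acceptable(spki: bytes):
    # policy: EC keys pass only when they name a known standard curve
    info = classify_spki(spki)
    if info["algorithm"] != ID_EC_PUBLIC_KEY:
        return True, "not an EC key; EC parameter policy does not apply"
    if info["params"] != "namedCurve":
        return False, f"EC parameters are '{info['params']}', not a named curve"
    if info["curve"] not in NAMED_CURVES:
        return False, f"unrecognised curve OID {info['curve']}"
    return True, f"named curve {NAMED_CURVES[info['curve']]}"

# --- constructed sample keys: placeholder coordinates, not real key material ---
def build_ec_spki(params: bytes, point: bytes) -> bytes:
    alg = der(0x30, encode_oid(ID_EC_PUBLIC_KEY) + params)
    return der(0x30, alg + der(0x03, b"\x00" + point))   # BIT STRING, 0 unused bits

DUMMY_POINT = b"\x04" + bytes(64)    # uncompressed-point marker + zeroed x, y
SPKI_NAMED = build_ec_spki(encode_oid("1.2.840.10045.3.1.7"), DUMMY_POINT)
# SpecifiedECDomain skeleton (RFC 3279 layout) with placeholder field values
EXPLICIT_PARAMS = der(0x30, der(0x02, b"\x01")                          # version ecpVer1
    + der(0x30, encode_oid("1.2.840.10045.1.1") + der(0x02, b"\x7f"))   # fieldID: prime-field, p
    + der(0x30, der(0x04, b"\x01") + der(0x04, b"\x02"))                # curve: coefficients a, b
    + der(0x04, b"\x04\x03\x04")                                        # base point G
    + der(0x02, b"\x05"))                                               # order n
SPKI_EXPLICIT = build_ec_spki(EXPLICIT_PARAMS, DUMMY_POINT)
```

Running `ec_parameters_acceptable` on both sample keys accepts the P-256 named-curve key and rejects the one carrying explicit parameters; the same reader can be pointed at the SubjectPublicKeyInfo extracted from any DER certificate.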
According to Microsoft, “A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction.”
According to Microsoft, “A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client.”
CVE-2020-0611 requires the user to connect to a malicious server via social engineering, Domain Name Server (DNS) poisoning, a man-in-the-middle attack, or by the attacker compromising a legitimate server.
The Microsoft Security Advisory for CVE-2020-0611 addresses this vulnerability.
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
CISA strongly recommends organizations read the Microsoft January 2020 Release Notes page for more information and apply critical patches as soon as possible—prioritize patching by starting with mission critical systems, internet-facing systems, and networked servers. Organizations should then prioritize patching other affected IT/OT assets.
AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability
Original release date: January 10, 2020
Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix a remote code execution (RCE) vulnerability, known as CVE-2019-11510, can become compromised in an attack.
Although Pulse Secure disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510.
CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes.
A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.
This vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates.
CISA strongly urges users and administrators to upgrade to the corresponding fixes.
AA20-006A: Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad
Original release date: January 6, 2020
The Cybersecurity and Infrastructure Security Agency (CISA) is sharing the following information with the cybersecurity community as a primer for assisting in the protection of our Nation’s critical infrastructure in light of the current tensions between the Islamic Republic of Iran and the United States and Iran’s historic use of cyber offensive activities to retaliate against perceived harm. Foremost, CISA recommends organizations take the following actions:
Iran has a history of leveraging asymmetric tactics to pursue national interests beyond its conventional capabilities. More recently, its use of offensive cyber operations is an extension of that doctrine. Iran has exercised its increasingly sophisticated capabilities to suppress both social and political perspectives deemed dangerous to Iran and to harm regional and international opponents.
Iranian cyber threat actors have continuously improved their offensive cyber capabilities. They continue to engage in more “conventional” activities ranging from website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information (PII), but they have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and, potentially, cyber-enabled kinetic attacks.
The U.S. intelligence community and various private sector threat intelligence organizations have identified the Islamic Revolutionary Guard Corps (IRGC) as a driving force behind Iranian state-sponsored cyberattacks–either through contractors in the Iranian private sector or by the IRGC itself.
According to open-source information, offensive cyber operations targeting a variety of industries and organizations—including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base—have been attributed, or allegedly attributed, to the Iranian government. The same reporting has associated Iranian actors with a range of high-profile attacks, including the following:
The following is a composite of actionable technical recommendations for IT professionals and providers to reduce their overall vulnerability. These recommendations are not exhaustive; rather they focus on the actions that will likely have the highest return on investment. In general, CISA recommends two courses of action in the face of potential threat from Iranian actors: 1) vulnerability mitigation and 2) incident preparation.
| Iranian APT Technique | Mitigation and Detection |
| --- | --- |
| Obfuscated Files or Information | |
| Registry Run Keys/Startup Folder | |
| Remote File Copy | |
CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA homepage at http://www.us-cert.gov/.
AA19-339A: Dridex Malware
Original release date: December 5, 2019 | Last revised: January 2, 2020
This Alert is the result of recent collaboration between the Department of the Treasury Financial Sector Cyber Information Group (CIG) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) to identify and share information with the financial services sector. Treasury and the Cybersecurity and Infrastructure Security Agency (CISA) are providing this report to inform the sector about the Dridex malware and variants. The report provides an overview of the malware, related activity, and a list of previously unreported indicators of compromise derived from information reported to FinCEN by private sector financial institutions. Because actors using Dridex malware and its derivatives continue to target the financial services sector, including financial institutions and customers, the techniques, tactics, and procedures contained in this report warrant renewed attention. Treasury and CISA encourage network security specialists to incorporate these indicators into existing Dridex-related network defense capabilities and planning. For information regarding the malicious cyber actors responsible for the development and distribution of the Dridex malware, see the Treasury press release, Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware and the FBI press release, Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses Resulting in Tens of Millions in Losses and Second Russian National Charged with Involvement in Deployment of “Bugat” Malware.
This Alert does not introduce a new regulatory interpretation, nor impose any new requirements on regulated entities. Except where noted, there is no indication that the actual owner of the email address was involved in the suspicious or malicious activity. If activity related to these indicators of compromise is detected, please notify appropriate law enforcement and the CIG.
For a downloadable copy of IOCs, see:
The Dridex malware, and its various iterations, has the capability to impact confidentiality of customer data and availability of data and systems for business processes. According to industry reporting, the original version of Dridex first appeared in 2012, and by 2015 had become one of the most prevalent financial Trojans. We expect actors using Dridex malware and its derivatives to continue targeting the financial services sector, including both financial institutions and customers.
Actors typically distribute Dridex malware through phishing e-mail spam campaigns. Phishing messages employ a combination of legitimate business names and domains, professional terminology, and language implying urgency to persuade victims to activate open attachments. Sender e-mail addresses can simulate individuals (firstname.lastname@example.org), administrative (email@example.com, firstname.lastname@example.org), or common “do not reply” local parts (email@example.com). Subject and attachment titles can include typical terms such as “invoice”, “order”, “scan”, “receipt”, “debit note”, “itinerary”, and others.
The e-mail messages vary widely. The e-mail body may contain no text at all, except to include attachments with names that are strings of numbers, apparently relying on the subject line and victim curiosity to coerce the opening of the malicious file. Where there is a message body, the body may specifically state that the contents of the e-mail underwent virus scanning or simply directs the victim toward the link or attachment. In other cases, the body may include a long, substantive message, providing multiple points of contact and context for the malicious attachment. Attachment and hyperlink names vary from random sets of numbers or imitation automatic filenames from scanners to filenames purporting to reference financial records. Attachments may or may not have direct references using the same file name or strings of numbers in the bodies of the e-mails.
Example Links and Filenames (Note: link information is representative. Italicized statements are automatically generated by the cloud storage provider. # represents a random number.):
Link: HTTPS://WWW.GOOGLE[.]COM/URL?Q=HTTPS://WWW.(Cloud Services Provider) [.]COM/S/ Cloud Account Value/AUTOMATEDCLEARINGHOUSE%20 PAYMENT####.DOC? (Cloud Provided Sequence)
Link: Malicious File: ID201NLD0012192016.DOC
By default, software generally prevents execution of macros without user permission. Attached files, particularly .doc and .xls files, contain instructions on how a user should enable content and specifically macros, effectively using social engineering to facilitate the download. Malicious files sometimes even include screenshots of the necessary actions to enable macros.
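The lure traits described above (generic or "do not reply" sender local parts, invoice/order/scan-style subjects and attachment names, macro-capable .doc/.xls attachments, bare-number or scanner-imitating filenames, empty bodies, and "virus scanned" assurances) can be combined into a triage rule at the mail gateway. The Python below is an added example, not code from the alert or from any vendor; the scoring weights, thresholds and sample messages are constructed for illustration and would need tuning against real mail flow.

```python
import re
from dataclasses import dataclass, field

# Subject/attachment vocabulary the alert lists for Dridex lures
LURE_TERMS = ("invoice", "order", "scan", "receipt", "debit note", "itinerary")
# "do not reply" / administrative local parts the alert says senders imitate
GENERIC_SENDERS = {"admin", "administrator", "noreply", "no-reply",
                   "donotreply", "do-not-reply", "notification"}
# Office formats that can carry macros: .doc/.xls per the alert, plus the
# macro-enabled OOXML variants
MACRO_EXTENSIONS = (".doc", ".xls", ".docm", ".xlsm")
# Filenames that are bare number strings or imitate scanner output
AUTO_NAME = re.compile(r"^(?:\d+|(?:scan|img|doc|document)[_-]?\d+)$", re.IGNORECASE)
# Scoring thresholds (constructed for illustration; tune against real mail flow)
REVIEW_THRESHOLD, QUARANTINE_THRESHOLD = 3, 6


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def lure_terms_in(text: str) -> list:
    # word-initial match so "invoices" and "scanned" still count
    return [t for t in LURE_TERMS if re.search(rf"\b{re.escape(t)}", text, re.IGNORECASE)]


def score_message(msg: Message):
    # returns (score, reasons); each trait below comes from the alert's description
    score, reasons = 0, []
    local_part = msg.sender.split("@", 1)[0].lower()

    hits = lure_terms_in(msg.subject + " " + " ".join(msg.attachments))
    if hits:
        score += 2
        reasons.append(f"lure term(s) {hits} in subject or attachment name")
    if local_part in GENERIC_SENDERS:
        score += 1
        reasons.append(f"generic sender local part '{local_part}'")
    for name in msg.attachments:
        stem, _, ext = name.rpartition(".")
        if stem and "." + ext.lower() in MACRO_EXTENSIONS:
            score += 2
            reasons.append(f"macro-capable attachment '{name}'")
        if AUTO_NAME.match(stem or name):
            score += 2
            reasons.append(f"auto-generated-looking filename '{name}'")
    if msg.attachments and len(msg.body.strip()) < 40:
        score += 2
        reasons.append("attachment with empty or near-empty body")
    if re.search(r"virus[- ]?(scann?ed|free|checked)", msg.body, re.IGNORECASE):
        score += 1
        reasons.append("body asserts the content was virus scanned")
    return score, reasons


def verdict(score: int) -> str:
    if score >= QUARANTINE_THRESHOLD:
        return "quarantine"
    return "review" if score >= REVIEW_THRESHOLD else "deliver"


# Constructed sample messages (not real traffic)
SAMPLE_MESSAGES = [
    Message("noreply@example.com", "Invoice 4821309", "", ["4821309.doc"]),
    Message("alice.example@example.com", "Lunch on Thursday?",
            "Hi Bob, are you free for lunch on Thursday at noon? I booked the usual place.", []),
    Message("scanner@example.com", "Your scanned document",
            "Attached is the document you requested. This message has been virus scanned.",
            ["SCAN_0042.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        s, why = score_message(m)
        print(f"{verdict(s):10s} score={s} subject={m.subject!r} reasons={why}")
```

The third sample shows why a single trait should not decide on its own: a genuine scanner notification shares the filename and "virus scanned" traits but lacks the macro-capable attachment and empty body, so it lands in the review tier rather than quarantine.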
Dridex malware operates from multiple modules that may be downloaded together or following the initial download of a “loader” module. Modules include provisions for capturing screenshots, acting as a virtual machine, or incorporating the victim machine into a botnet. Through its history and development, Dridex has used several exploits and methods for execution, including modification of directory files, using system recovery to escalate privileges, and modification of firewall rules to facilitate peer-to-peer communication for extraction of data. Recent versions of Dridex exploit vulnerability CVE-2017-0199, which allows remote execution of code. This vulnerability is specific to Microsoft Office and WordPad. Microsoft released a patch in 2017.
Once downloaded and active, Dridex has a wide range of capabilities, from downloading additional software to establishing a virtual network to deletion of files. The primary threat to financial activity is the Dridex’s ability to infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software, via API hooking, to steal customer login information. Dridex modules package, encrypt, and transmit captured information, screenshots, etc., via peer-to-peer (P2P) networks in the XML format or in binary format, as seen in newer versions. After stealing the login data, the attackers have the potential to facilitate fraudulent automated clearing house (ACH) and wire transfers, open fraudulent accounts, and potentially adapt victim accounts for other scams involving business e-mail compromise or money mule activity.
The Dridex malware has evolved through several versions since its inception, partially to adapt to updated browsers. Although the characteristics described reflect some of the most recent configurations, actors continue to identify and exploit vulnerabilities in widely used software.
While Dridex is among the most prevalent sources of infection, previous variants and similar malware continue to represent a threat. Dridex is itself an improved variant of the Cridex and Bugat Trojans that preceded it, and it shares some of their code. Although the previous variants’ theft activities operate in mostly the same way, the P2P communication aspects of Dridex improve its concealment and redundancy.
Actors distributing Dridex likely employ ransomware with similar configurations. Code for BitPaymer, also known as Friedex, includes numerous similarities to Dridex, despite its function as ransomware rather than data extraction. The two malwares use the same mechanics for several functions, and the authors compiled the codes at nearly the same time. The ransomware distributed through these malwares has targeted U.S. financial institutions and resulted in data and financial loss.
Locky ransomware operates using the same delivery method for the downloader, with similar subject lines and attachments. Attackers also use the same botnets to deliver both Dridex and Locky ransomware, sometimes simultaneously. Variants of Locky include Zepto and Osiris. Locky ransomware and its variants have a wide footprint, with varying impact depending on victim IT policies and practices and network configurations.
Although the highest infection rates took place in late 2015 and early 2016, concurrent with Locky ransomware distribution, Dridex continues to impact numerous countries. The Dridex hackers appear to direct the majority of attacks at English-speaking countries. Cybersecurity industry reporting attributes Dridex, BitPaymer, and Locky campaigns, as well as other massive malware spam (malspam) campaigns to actors known alternately as Evil Corp or TA505. (Note: some cybersecurity industry reporting simply refers to the actors as “Dridex” or the “Dridex hackers.”) Actors distribute the malware via massive spam campaigns, sending up to millions of messages per day, although volume of messages varies widely.
The following indicators are associated with the activity described in this report:
|Indicator Type||Indicator Value||Associated Activity|
Treasury and CISA encourage users and organizations to:
The following mitigation recommendations respond directly to Dridex TTPs:
The National Institute of Standards and Technology (NIST) has published additional information on malware incident prevention and handling in their Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops:
The National Security Agency (NSA) recently published its Top Ten Cybersecurity Mitigation Strategies (This is the current website for Top 10 mitigation strategies: https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf?v=1). Aligned with the NIST Cybersecurity Framework, the Strategies offer a risk-based approach to mitigating exploitation techniques used by Advanced Persistent Threat (APT) actors.
The Strategies counter a broad range of exploitation techniques used by malicious cyber actors. NSA’s mitigations set priorities for enterprise organizations to minimize mission impact. The mitigations also build upon the NIST Cybersecurity Framework functions to manage cybersecurity risk and promote a defense-in-depth security posture. The mitigation strategies are ranked by effectiveness against known APT tactics. Additional strategies and best practices will be required to mitigate the occurrence of new tactics.
Reporting Suspected Malicious Activity
To report an intrusion and request resources for incident response or technical assistance, contact CISA (CISAservicedesk@cisa.dhs.gov or 888-282-0870), FBI through a local field office (https://www.fbi.gov/contact-us/field-offices), or FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
Institutions should determine whether filing of a Suspicious Activity Report (“SAR”) is required under Bank Secrecy Act regulations. In instances where filing is not required, institutions may file a SAR voluntarily to aid FinCEN and law enforcement efforts in protecting the financial sector. Financial institutions are encouraged to provide relevant cyber-related information and indicators in their SAR reporting. For questions regarding cyber SAR filing, please contact the FinCEN Resource Center (FRC@fincen.gov or 1-800-767-2825).
The following represents an alphabetized selection of open-source reporting by U.S. government and industry sources on Dridex malware and its derivatives:
AA19-290A: Microsoft Ending Support for Windows 7 and Windows Server 2008 R2
Original release date: October 17, 2019 | Last revised: October 18, 2019
Note: This alert does not apply to federally certified voting systems running Windows 7. Microsoft will continue to provide free security updates to those systems through the 2020 election. See Microsoft’s article, Extending free Windows 7 security updates to voting systems, for more information.
On January 14, 2020, Microsoft will end extended support for their Windows 7 and Windows Server 2008 R2 operating systems. After this date, these products will no longer receive free technical support, or software and security updates.
Organizations that have regulatory obligations may find that they are unable to satisfy compliance requirements while running Windows 7 and Windows Server 2008 R2.
All software products have a lifecycle. “End of support” refers to the date when the software vendor will no longer provide automatic fixes, updates, or online technical assistance.
For more information on end of support for Microsoft products see the Microsoft End of Support FAQ.
Systems running Windows 7 and Windows Server 2008 R2 will continue to work at their current capacity even after support ends on January 14, 2020. However, using unsupported software may increase the likelihood of malware and other security threats. Mission and business functions supported by systems running Windows 7 and Windows Server 2008 R2 could experience negative consequences resulting from unpatched vulnerabilities and software bugs. These negative consequences could include the loss of confidentiality, integrity, and availability of data, system resources, and business assets.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and organizations to:
AA19-168A: Microsoft Operating Systems BlueKeep Vulnerability
Original release date: June 17, 2019
The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this Activity Alert to provide information on a vulnerability, known as “BlueKeep,” that exists in the following Microsoft Windows Operating Systems (OSs), including both 32- and 64-bit versions, as well as all Service Pack versions:
An attacker can exploit this vulnerability to take control of an affected system.
BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows OSs listed above. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system.
According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled. After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs. This exploit, which requires no user interaction, must occur before authentication to be successful.
BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.
CISA has coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep.
CISA encourages users and administrators to review the Microsoft Security Advisory and the Microsoft Customer Guidance for CVE-2019-0708 and apply the appropriate mitigation measures as soon as possible:
For OSs that do not have patches or systems that cannot be patched, other mitigation steps can be used to help protect against BlueKeep:
AA19-122A: New Exploits for Unsecure SAP Systems
Original release date: May 2, 2019 | Last revised: May 3, 2019
The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert in response to recently disclosed exploits that target unsecure configurations of SAP components. 
A presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with unsecure configurations exposed to the internet. Typically, SAP systems are not intended to be exposed to the internet as it is an untrusted network. Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed “10KBLAZE.” The presentation details the new exploit tools and reports on systems exposed to the internet.
The SAP Gateway allows non-SAP applications to communicate with SAP applications. If SAP Gateway access control lists (ACLs) are not configured properly (e.g., gw/acl_mode = 0), anonymous users can run operating system (OS) commands. According to the OPCDE presentation, about 900 U.S. internet-facing systems were detected in this vulnerable condition.
The SAP router is a program that helps connect SAP systems with external networks. The default secinfo configuration for a SAP Gateway allows any internal host to run OS commands anonymously. If an attacker can access a misconfigured SAP router, the router can act as an internal host and proxy the attacker’s requests, which may result in remote code execution.
According to the OPCDE presentation, 1,181 SAP routers were exposed to the internet. It is unclear if the exposed systems were confirmed to be vulnerable or were simply running the SAP router service.
SAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on port 39XX and have no authentication. If an attacker can access a Message Server, they can redirect legitimate requests through themselves and act as a man-in-the-middle (MITM), thereby capturing credentials. Those credentials can be used to execute code or operations on AS servers (assuming the attacker can reach them). According to the OPCDE presentation, there are 693 Message Servers exposed to the internet in the United States. The Message Server ACL must be configured and protected by the customer in all releases.
CISA worked with security researchers from Onapsis Inc. to develop the following Snort signature that can be used to detect the exploits:
CISA recommends administrators of SAP systems implement the following to mitigate the vulnerabilities included in the OPCDE presentation:
- Configure access control lists for SAP Gateways (secinfo) and Message Servers (the Message Server ACL file).
- Separate the internal and external Message Server ports, disable the external port where clients do not need it, and restrict the internal port to application servers: rdisp/msserv=0 rdisp/msserv_internal=39NN.
- Do not expose the internal Message Server port (tcp/39NN) to clients or the internet.
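The Gateway and Message Server weaknesses above are all profile settings, so they can be audited from the instance profile before anything is exposed. The following is an added example, not part of the CISA alert or any SAP tooling: it parses two constructed SAP instance profiles (a weak one with gw/acl_mode = 0 and a single exposed Message Server port, and a hardened one matching the recommendations) and reports which of the settings named in this alert are missing or permissive. The profile contents, the SID and the ACL file paths are assumptions; the parameter names gw/acl_mode, gw/sec_info, gw/reg_info, ms/acl_info, rdisp/msserv and rdisp/msserv_internal are real SAP profile parameters.

```python
# Constructed sample instance profile with the exposed configuration.
WEAK_PROFILE = """\
# DEFAULT.PFL-style profile (constructed for the example)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
gw/acl_mode = 0
rdisp/msserv = 3600
"""

# Constructed sample profile after applying the recommendations.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
gw/acl_mode = 1
gw/sec_info = $(DIR_DATA)$(DIR_SEP)secinfo
gw/reg_info = $(DIR_DATA)$(DIR_SEP)reginfo
ms/acl_info = $(DIR_DATA)$(DIR_SEP)ms_acl_info
rdisp/msserv = 0
rdisp/msserv_internal = 3900
"""


def parse_profile(text):
    """Parse 'key = value' lines of an SAP profile; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def check_profile(params):
    """Return a list of (parameter, finding) for settings that leave the
    Gateway or Message Server exposed in the way the alert describes."""
    findings = []

    # Gateway: gw/acl_mode = 0 means no restrictive default ACL, so anonymous
    # callers can register programs and run OS commands. A missing value is
    # reported too: the default depends on the kernel release, so make it explicit.
    if params.get("gw/acl_mode") != "1":
        findings.append(("gw/acl_mode",
                         "not set to 1: anonymous OS command execution via the Gateway is possible"))
    for p in ("gw/sec_info", "gw/reg_info"):
        if p not in params:
            findings.append((p, "no explicit Gateway ACL file configured"))

    # Message Server: without ms/acl_info any host can register as an
    # application server and redirect traffic (MITM).
    if "ms/acl_info" not in params:
        findings.append(("ms/acl_info", "no Message Server ACL configured"))

    # Port split recommended by the alert: external port off, internal 39NN
    # restricted to application servers by the firewall.
    if params.get("rdisp/msserv") != "0":
        findings.append(("rdisp/msserv",
                         "external Message Server port enabled (value %s); set to 0"
                         % params.get("rdisp/msserv", "<unset>")))
    if "rdisp/msserv_internal" not in params:
        findings.append(("rdisp/msserv_internal",
                         "no dedicated internal Message Server port (39NN) configured"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {label} profile ==")
        for param, finding in check_profile(parse_profile(text)) or [("-", "no findings")]:
            print(f"  {param}: {finding}")
```

A clean result from this check only means the profile asks for ACLs and the port split; the secinfo, reginfo and ms_acl_info files themselves still have to contain restrictive entries, and the 39NN port still has to be blocked at the network layer.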
AA19-024A: DNS Infrastructure Hijacking Campaign
Original release date: January 24, 2019 | Last revised: February 13, 2019
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.
See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:
Note: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses:
Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.
NCCIC recommends the following best practices to help safeguard networks against this threat:
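The two observable effects of the campaign described above are records that no longer match what the organisation configured and certificates issued for its names by a CA it never used. The following is an added example, not part of the NCCIC alert: it compares an observed set of DNS record sets against a known-good baseline and flags certificate issuances whose issuer is not on the organisation's allow-list. The domains, addresses, issuer names and certificate entries are all constructed; in practice the observed records would come from an external resolver and the issuance list from a certificate transparency log, neither of which is queried here.

```python
# Known-good baseline (constructed): what the organisation's records should be.
BASELINE = {
    "example.org": {
        "A": {"192.0.2.10"},
        "MX": {"10 mail.example.org."},
        "NS": {"ns1.example.org.", "ns2.example.org."},
    },
    "mail.example.org": {"A": {"192.0.2.25"}},
}

# Observed records (constructed), as an external resolver would return them.
# Here the mail host has been pointed at attacker infrastructure and an extra
# nameserver has been added at the registrar.
OBSERVED = {
    "example.org": {
        "A": {"192.0.2.10"},
        "MX": {"10 mail.example.org."},
        "NS": {"ns1.example.org.", "ns2.example.org.", "ns.attacker.example."},
    },
    "mail.example.org": {"A": {"198.51.100.77"}},
}

# Issuers the organisation actually uses, per registrable domain (constructed).
EXPECTED_ISSUERS = {"example.org": {"Example Trust CA"}}

# Constructed certificate-transparency style entries: (issuer, SAN names, not_before).
OBSERVED_CERTS = [
    ("Example Trust CA", ["example.org", "www.example.org"], "2018-11-01"),
    ("Free Issuer X1", ["mail.example.org"], "2019-01-20"),
]


def diff_records(baseline, observed):
    """Return (name, rtype, missing, added) for every record set that differs.
    Extra records (the added nameserver) matter as much as changed ones."""
    diffs = []
    for name in sorted(set(baseline) | set(observed)):
        b_sets = baseline.get(name, {})
        o_sets = observed.get(name, {})
        for rtype in sorted(set(b_sets) | set(o_sets)):
            expected = set(b_sets.get(rtype, ()))
            actual = set(o_sets.get(rtype, ()))
            if expected != actual:
                diffs.append((name, rtype,
                              sorted(expected - actual), sorted(actual - expected)))
    return diffs


def registrable_domain(name):
    # Assumption for the example: the organisation owns one second-level
    # domain, so the registrable domain is the last two labels. A real
    # deployment should use the public suffix list instead.
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def unexpected_certs(certs, expected_issuers):
    """Flag (name, issuer, not_before) for any certificate whose issuer is
    not allowed for that name's registrable domain."""
    flagged = []
    for issuer, names, not_before in certs:
        for n in names:
            allowed = expected_issuers.get(registrable_domain(n), set())
            if issuer not in allowed:
                flagged.append((n, issuer, not_before))
                break  # one finding per certificate is enough
    return flagged


if __name__ == "__main__":
    for name, rtype, missing, added in diff_records(BASELINE, OBSERVED):
        print(f"{name} {rtype}: missing={missing} added={added}")
    for name, issuer, when in unexpected_certs(OBSERVED_CERTS, EXPECTED_ISSUERS):
        print(f"unexpected certificate for {name} from '{issuer}' (not_before {when})")
```

Run on a schedule from outside the organisation's own resolvers, a change in either output is the earliest signal that registrar or DNS-provider credentials have been used by someone else.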
AA18-337A: SamSam Ransomware
Original release date: December 3, 2018
The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation.
The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominantly in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.
The actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims’ machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.
After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.
Analysis of tools found on victims’ networks indicated that successful cyber actors purchased several of the stolen RDP credentials from known darknet marketplaces. FBI analysis of victims’ access logs revealed that the SamSam actors can infect a network within hours of purchasing the credentials. While remediating infected systems, several victims found suspicious activity on their networks unrelated to SamSam. This activity is a possible indicator that the victims’ credentials were stolen, sold on the darknet, and used for other illegal activity.
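Both entry paths described above, brute force and purchased credentials, end in a successful RDP logon, and the brute-force path also leaves a burst of failures from the same source just before it. The following is an added example, not part of the DHS/FBI alert: it runs that logic over constructed Windows Security log events (4625 logon failures and 4624 successes) flattened to CSV and raises one alert when a success follows a burst of failures from one source, and a lower-priority alert for a successful RDP logon from outside the assumed internal ranges even with no failures, which is what a purchased credential looks like. The CSV layout, usernames, addresses, threshold and window are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), one per line:
# timestamp,event_id,logon_type,target_user,source_ip
# With Network Level Authentication enabled, a failed RDP password is recorded
# as a 4625 with logon type 3 (network), while the successful session is a
# 4624 with logon type 10 (RemoteInteractive); the detector accepts both.
SAMPLE_EVENTS = """\
2018-11-20T02:00:01,4625,3,administrator,203.0.113.40
2018-11-20T02:00:03,4625,3,administrator,203.0.113.40
2018-11-20T02:00:05,4625,3,admin,203.0.113.40
2018-11-20T02:00:07,4625,3,backup,203.0.113.40
2018-11-20T02:00:09,4625,3,svc_sql,203.0.113.40
2018-11-20T02:00:12,4624,10,svc_sql,203.0.113.40
2018-11-20T08:15:00,4624,10,jsmith,10.0.5.23
2018-11-20T09:30:00,4625,3,jsmith,10.0.5.23
2018-11-20T09:30:20,4624,10,jsmith,10.0.5.23
2018-11-20T22:10:00,4624,10,jsmith,198.51.100.9
"""

# Assumed internal address space; adjust to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAIL_THRESHOLD = 5              # failures from one source within WINDOW ...
WINDOW = timedelta(minutes=10)  # ... before a success counts as brute force


def parse_events(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, ltype, user, src = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "type": int(ltype), "user": user, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_rdp_abuse(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (kind, source_ip, user, timestamp) alerts:
    'brute_force_success' when a type-10 logon follows >= threshold failures
    from the same source inside the window, 'external_rdp_logon' when a
    type-10 logon comes from outside the internal ranges with no such burst."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    for e in events:
        src = e["src"]
        if e["id"] == 4625 and e["type"] in (3, 10):
            failures[src] = [t for t in failures[src] if e["ts"] - t <= window]
            failures[src].append(e["ts"])
        elif e["id"] == 4624 and e["type"] == 10:
            recent = [t for t in failures[src] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(("brute_force_success", src, e["user"], e["ts"].isoformat()))
            elif not is_internal(src):
                alerts.append(("external_rdp_logon", src, e["user"], e["ts"].isoformat()))
            failures[src].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_abuse(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The second alert type is the one that matters for the purchased-credential case the alert describes: a single clean logon from an unfamiliar address is all that is visible, so RDP exposed to the internet at all is the finding, not the logon.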
SamSam actors leave ransom notes on encrypted computers. These instructions direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.
NCCIC recommends organizations review the following SamSam Malware Analysis Reports. The reports represent four SamSam malware variants. This is not an exhaustive list.
For general information on ransomware, see the NCCIC Security Publication at https://www.us-cert.gov/security-publications/Ransomware.
DHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes before implementation to avoid unwanted impacts.
Additional information on malware incident prevention and handling can be found in Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, from the National Institute of Standards and Technology.
To report an intrusion and request resources for incident response or technical assistance, contact NCCIC, FBI, or the FBI’s Cyber Division via the following information:
DHS strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.gov/forms/feedback.