Mozilla has released security updates to address vulnerabilities in Firefox
and Firefox ESR. An attacker could exploit some of these vulnerabilities to
take control of an affected system.
CISA encourages users and administrators to review the Mozilla Security
Advisory for Firefox
100 and Firefox ESR 91.9
and apply the necessary updates.
The NIST National Cybersecurity Center of Excellence (NCCoE) has
published NIST Internal Report (NISTIR) 8419, Blockchain and Related Technologies to Support
Manufacturing Supply Chain Traceability: Needs and Industry Perspectives.
Supply chains are increasingly complex, making the origins of
products difficult to discern. Efforts are emerging to increase traceability of
goods by exchanging traceability data records using blockchain and related
technologies among relevant supply chain participants.
NISTIR 8419 explores the issues that surround traceability,
the role that blockchain and related technologies may be able to play to
improve traceability, and several industry case studies of efforts in use
today.
The publication covers:
If you have questions, or would like to join the NCCoE Blockchain
Project Community of Interest, email: blockchain_nccoe@nist.gov.
Each of the reports below, NISTIR 8320A, NISTIR 8320B, and NISTIR
8320C, are intended to be used as a blueprint or template that the general
security community can use as example proof of concept implementations.
CISA, the National Security Agency (NSA), the Federal Bureau of
Investigation (FBI), the Australian Cyber Security Centre (ACSC), the Canadian
Centre for Cyber Security (CCCS), the New Zealand National Cyber Security
Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre
(NCSC-UK) have released a joint Cybersecurity
Advisory that provides details on the top 15 Common Vulnerabilities
and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as
well as other CVEs frequently exploited.
CISA encourages users and administrators to review joint Cybersecurity
Advisory: 2021 Top Routinely Exploited Vulnerabilities and apply the
recommended mitigations to reduce the risk of compromise by malicious cyber
actors.
Microsoft has discovered several vulnerabilities, collectively referred to as Nimbuspwn, that could allow an attacker to elevate privileges to root on many Linux desktop endpoints. The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution. Moreover, the Nimbuspwn vulnerabilities could potentially be leveraged as a vector for root access by more sophisticated threats, such as malware or ransomware, to achieve greater impact on vulnerable devices.
We discovered the vulnerabilities by listening to messages on the System Bus while performing code reviews and dynamic analysis on services that run as root, noticing an odd pattern in a systemd unit called networkd-dispatcher. Reviewing the code flow for networkd-dispatcher revealed multiple security concerns, including directory traversal, symlink race, and time-of-check-time-of-use race condition issues, which could be leveraged to elevate privileges and deploy malware or carry out other malicious activities. We shared these vulnerabilities with the relevant maintainers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Fixes for these vulnerabilities, now identified as CVE-2022-29799 and CVE-2022-29800, have been successfully deployed by the maintainer of the networkd-dispatcher, Clayton Craft. We wish to thank Clayton for his professionalism and collaboration in resolving those issues. Users of networkd-dispatcher are encouraged to update their instances.
To read the full details go here
The National Cybersecurity Center of Excellence (NCCoE) has
released a new preliminary draft publication, Special Publication (SP) 1800-33
Volume B, 5G Cybersecurity: Approach, Architecture, and Security Characteristics.
Commercial mobile network operators, potential private 5G network operators,
and organizations using and managing 5G-enabled technology will find SP 1800-33
Volume B of particular interest.
About This Guide
As 5G rolls out more widely, we must safeguard the technology from
cyberattacks as 5G development, deployment, and usage continuously evolves. The
NCCoE is addressing these challenges by collaborating with industry to design
and implement examples of practical solutions that operators and users of 5G
networks can use to mitigate 5G cybersecurity risks.
Our solutions build upon the work of the NCCoE’s Trusted Cloud project, where hardware-enabled
security serves as the foundation of cloud security. We are also using a
combination of 5G standards-based security features and a secure cloud-based
hosting infrastructure. The result will be a commercial-grade security
reference architecture for 5G networks that bridges the gap between IT and
telecommunications cybersecurity capabilities.
Other features of this volume include—
We Want to Hear from You!
The NCCoE is making each SP 1800-33 volume available as a
preliminary draft for public comment while work continues on the project.
Review the preliminary draft and submit comments online on or before June 27, 2022. You
can also email your comments to 5g-security@nist.gov.
We welcome your input and look forward to your comments. We invite
you to join the 5G
Community of Interest to receive news and updates about this
project.
The National Initiative for Cybersecurity Education (NICE) is continuing to refine and clarify the Workforce Framework for Cybersecurity (NICE Framework) as a fundamental reference resource that is agile, flexible, modular, and interoperable. As such, a review of the NICE Framework data – Competency Areas, Work Roles, and Task, Knowledge, and Skill (TKS) statements – is in progress and we are pleased to announce that the initial review of Knowledge and Skill statements is ready for your feedback!
Updated Knowledge and Skill statements are here!
Draft updated Knowledge statements and Skill statements are available for public review and comment. Adjustments address:
As a result of these adjustments, the TKS building blocks are more measurable, meaningful, and useful. Please note that this process will be an iterative one, and the NICE Program Office will conduct a full review of the updated Knowledge and Skill statements and the refactored Ability statements (previously released for comment) as a whole following comment adjudication.
We want to hear from you!
Comments on the updated Knowledge and Skill statements should be submitted by email to NICEFramework@nist.gov by 11:59pm ET on June 3, 2022.
This FLASH is part of a
series of FBI reports to disseminate known indicators of compromise (IOCs)
and tactics, techniques and procedures (TTPs) associated with ransomware
variants identified through FBI investigations. As of March 2022, BlackCat/ALPHV
ransomware as a service (RaaS) had compromised at least 60 entities
worldwide and is the first ransomware group to do so successfully using
RUST, considered to be a more secure programming language that offers
improved performance and reliable concurrent processing.
BlackCat-affiliated threat actors typically request ransom payments of
several million dollars in Bitcoin and Monero but have accepted ransom
payments below the initial ransom demand amount. Many of the developers
and money launderers for BlackCat/ALPHV are linked
to Darkside/Blackmatter, indicating they have extensive networks and
experience with ransomware operations.
Details
to read the full details go here
The National Cybersecurity Center of Excellence (NCCoE) announces
the release of three related publications on trusted cloud and hardware-enabled
security. The foundation of any data center or edge computing security strategy
should be securing the platform on which data and workloads will be executed
and accessed. The physical platform represents the first layer for any layered
security approach and provides the initial protections to help ensure that
higher-layer security controls can be trusted.
|
Trusted Cloud: Security Practice Guide for VMware |
NIST Special Publication (SP) 1800-19 presents an example of a |
|
|
|
|
Hardware-Enabled Security: Policy-Based Governance in |
NISTIR 8320B explains an approach based on hardware-enabled |
|
Hardware-Enabled Security: Machine Identity Management |
Draft NISTIR 8320C presents an approach for overcoming security |
We Want to Hear from You!
Review the draft NISTIR 8320C and submit comments online on or before
June 6, 2022. You can also contact us at hwsec@nist.gov.
We value and welcome your input and look forward to your comments.
|
The cybersecurity authorities of Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to U.S., Australian, Canadian, New For more information on current |