Draft CSF Profile for Electric Vehicle Extreme Fast Charging Infrastructure

The National Cybersecurity Center of Excellence (NCCoE) today released for public comment the initial public draft of NIST Internal Report (NIST IR) 8473, Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure. The comment period is open through August 28, 2023.

About the Report

This Cybersecurity Framework Profile (Profile) has been developed for the Electric Vehicle Extreme Fast Charging (EV/XFC) ecosystem and the subsidiary functions that support each of its four domains: (i) Electric Vehicles (EV); (ii) Extreme Fast Charging (XFC); (iii) XFC Cloud or Third-Party Operations; and (iv) Utility and Building Networks. The document provides a foundation that relevant parties may use to develop profiles specific to their organization and to assess their cybersecurity posture as part of their risk management process. This non-regulatory, voluntary profile is intended to supplement, not replace, an existing risk management program or the cybersecurity standards, regulations, and industry guidelines currently in use by the EV/XFC industry.

Purpose

The EV/XFC Cybersecurity Framework Profile is designed to be part of an enterprise risk management program that aids organizations in managing threats to systems, networks, and assets within the EV/XFC ecosystem. The Profile is not intended to serve as a solution or compliance checklist. Users of this Profile should understand that applying it cannot eliminate the likelihood of disruption or guarantee any particular level of assurance.

Use of the Profile will help organizations:

  • Identify key assets and interfaces in each of the ecosystem domains.
  • Address cybersecurity risk in the management and use of EV/XFC services.
  • Identify the threats, vulnerabilities, and associated risks to EV/XFC services, equipment, and data.
  • Apply protection mechanisms to reduce risk to manageable levels.
  • Detect disruptions and manipulation of EV/XFC services.
  • Respond to and recover from EV/XFC service anomalies in a timely, effective, and resilient manner.

Submit Comments

The public comment period closes at 11:59 p.m. EDT on Monday, August 28, 2023. Please email all draft comments to evxfc-nccoe@nist.gov. We encourage you to submit all feedback using the comment template found on our project page.

Join the Community of Interest

If you have expertise in EV/XFC and/or cybersecurity, consider joining the Community of Interest (COI) to receive the latest project news and announcements. Email the team at evxfc-nccoe@nist.gov declaring your interest or complete the sign-up form on our project page.

Learn More

Microsoft Azure Virtual Training Day: Digitally Transform with Modern Analytics

Create more business impact using proactive and predictive analytics at Azure Virtual Training Day: Digitally Transform with Modern Analytics from Microsoft Learn. Join us for this free training event to learn how to build an analytics solution using Azure Synapse Analytics. Maximize your organization’s intelligent decision-making capabilities and learn to build an end-to-end solution by preparing data for storage, processing, and analysis. You will have the opportunity to:

  • Create a data warehouse in the cloud.
  • Accelerate your big data engineering with Spark in Azure Synapse Analytics.
  • Build automated data integration with Azure Synapse Pipelines.
  • Learn to perform operational analytics with Azure Synapse Link.

Join us at an upcoming two-part event:
Monday, August 14, 2023 | 9:00 AM – 12:15 PM | (GMT-08:00) Pacific Time (US & Canada)
Tuesday, August 15, 2023 | 9:00 AM – 10:45 AM | (GMT-08:00) Pacific Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >

Microsoft : Storm-0978 attacks reveal financial and espionage motives

Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, a remote code execution vulnerability that was exploited via Word documents before it was disclosed to Microsoft, using lures related to the Ukrainian World Congress.

Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations. Storm-0978 operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022. The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.

Storm-0978 is known to target organizations with trojanized versions of popular legitimate software, leading to the installation of RomCom. Storm-0978’s targeted operations have impacted government and military organizations primarily in Ukraine, as well as organizations in Europe and North America potentially involved in Ukrainian affairs. Identified ransomware attacks have impacted the telecommunications and finance industries, among others.

Microsoft 365 Defender detects multiple stages of Storm-0978 activity. Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884. In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office. Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. More mitigation recommendations are outlined in this blog.

Targeting

Storm-0978 has conducted phishing operations with lures related to Ukrainian political affairs and targeting military and government bodies primarily in Europe. Based on the post-compromise activity identified by Microsoft, Storm-0978 distributes backdoors to target organizations and may steal credentials to be used in later targeted operations.

The actor’s ransomware activity, in contrast, has been largely opportunistic in nature and entirely separate from espionage-focused targets. Identified attacks have impacted the telecommunications and finance industries.

Tools and TTPs

Tools

Storm-0978 uses trojanized versions of popular, legitimate software, leading to the installation of RomCom, which Microsoft assesses is developed by Storm-0978. Observed examples of trojanized software include Adobe products, Advanced IP Scanner, Solarwinds Network Performance Monitor, Solarwinds Orion, KeePass, and Signal. To host the trojanized installers for delivery, Storm-0978 typically registers malicious domains mimicking the legitimate software (for example, the malicious domain advanced-ip-scaner[.]com).

In financially motivated attacks involving ransomware, Storm-0978 uses the Industrial Spy ransomware, a ransomware strain first observed in the wild in May 2022, and the Underground ransomware. The actor has also used the Trigona ransomware in at least one identified attack.

Additionally, based on attributed phishing activity, Storm-0978 has acquired exploits targeting zero-day vulnerabilities. Identified exploit activity includes abuse of CVE-2023-36884, a remote code execution vulnerability exploited via Microsoft Word documents in June 2023, as well as abuse of vulnerabilities contributing to a security feature bypass.

Read the full article on Microsoft Here

Microsoft 365 Virtual Training Day: Introduction to Microsoft Viva

Get the skills to drive employee engagement at Microsoft 365 Virtual Training Day: Introduction to Microsoft Viva. Join us at this free event from Microsoft Learn to explore how the Viva employee experience platform works with Microsoft Teams to connect Viva Connections, Viva Insights, Viva Topics, and Viva Learning, helping you create more continuity and balance in a hybrid work environment. Learn how to help teams collaborate more effectively, use data-driven insights to work smarter, learn on the job, and nurture well-being. Discover how to create a more informed, connected, and inspired workforce and easily connect Viva with your existing systems and tools. You will have the opportunity to:

  • Create a thriving culture that improves employee well-being through an employee experience platform.
  • Use AI to recommend related documents and subject matter experts in the apps you use every day.
  • Use data-driven, personalized insights to identify opportunities to improve employee well-being.
  • Create a personalized destination for employees to discover relevant news, conversations, and the tools they need to succeed.

Join us at an upcoming two-part event:
Wednesday, August 9, 2023 | 10:00 AM – 12:20 PM | (GMT-05:00) Eastern Time (US & Canada)
Thursday, August 10, 2023 | 10:00 AM – 11:45 AM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >

Digital Identity – What’s Next for NIST

NIST Digital Identity Events | Public Workshop (7/25) & Government-Only Meeting (7/26)

Coming up in about two weeks! During these two separate events, NIST presenters will provide updates on the Digital Identity Guidelines, share major themes from our recent public comment period, discuss plans for substantive updates and changes, and talk about the Identity and Access Management (IAM) Roadmap.

Public Workshop (all are encouraged to attend)
July 25, 2023 | 9:00 a.m. – 1:30 p.m. EDT | Hybrid Event (in-person and virtual) – Agenda just added!

This event will give the public an opportunity to participate in discussions and talk about potential changes to our guidance as we continue the adjudication of comments received on NIST Special Publication 800-63, Digital Identity Guidelines (Draft NIST SP 800-63-4). The focus will be on key themes and major changes.

Learn More & Register Now!

NIST Cybersecurity and Privacy Program
Questions/Comments about this notice: dig-comments@nist.gov
NCCoE Website questions: nccoe@nist.gov

Help NIST build bridges between researchers and practitioners!

If you are a cybersecurity/IT practitioner or developer or a human-centered cybersecurity researcher, we want to hear from you!

The National Institute of Standards and Technology (NIST) is conducting a survey to understand the interactions between human-centered cybersecurity researchers and practitioners, including if/how practitioners use human-centered cybersecurity insights.

The survey results will lead to the creation of mutually beneficial “bridges” between the research and practitioner communities that facilitate the relevance and application of research findings to real-world practice.

We invite you to share your thoughts and experiences by responding to our survey, which is open through July 31:

PRACTITIONERS – Take the survey here: https://usability.gov1.qualtrics.com/jfe/form/SV_80us9OFNHPPjiPs?so=govdel

(Note: You don’t have to be familiar with human-centered cybersecurity to take the survey.)

HUMAN-CENTERED SECURITY RESEARCHERS – Take the survey here: https://usability.gov1.qualtrics.com/jfe/form/SV_3CqcCk5wMAeFLqm?so=govdel

Are you BOTH a practitioner and a researcher? Choose one of the surveys above!

We understand that your time is valuable. The practitioner survey should only take about 5 minutes to complete, and the researcher survey about 10 minutes. Your responses will be anonymous.

Contact Susanne Furman susanne.furman@nist.gov (through July 21) or Clyburn Cunningham (after July 21) at clyburn.cunningham@nist.gov should you have any questions about the study. We also encourage you to forward this email to your colleagues.

We hope you can participate in the survey. Thank you!

Beware of SEO Poisoning and Malvertising

Search engine optimization (SEO) is the process of improving the quality and quantity of traffic that a website or web page receives from search engines. SEO poisoning is a tactic in which threat actors strategically create malicious websites and use techniques such as keyword stuffing to insert irrelevant keywords into a webpage’s text, meta tags, and other areas of the site. This deceives search engine algorithms into increasing the site’s visibility and ranking, so that it appears at the top of search engine result pages (SERPs). Unsuspecting users who click on these “poisoned” search results without scrutiny could land on malicious sites, potentially leading to financial losses, credential theft, and malware infections.

Threat actors employ SEO poisoning and impersonation to display fraudulent customer service or technical support numbers for reputable companies and retail services with the intent to steal funds and sensitive information, including account login credentials. Cybercriminals often attempt to exploit trending topics, such as Amazon Prime Day, for financial gain. For example, when a user searched for how to cancel an Amazon Prime membership, the Google SERP displayed an illegitimate Amazon customer service phone number that, when called, connected the user to the threat actor rather than the real Amazon customer service department. The threat actor stated the membership could not be canceled online because the user supposedly had several pending gift card and Bitcoin purchases. Although the user stated they did not authorize these pending purchases, the threat actor attempted to obtain new financial information. Threat actors also spoof utility websites in SERPs to convince potential victims to contact a fraudulent customer service number. If called, the threat actors attempt to obtain sensitive information and login credentials that can be leveraged to compromise other accounts belonging to the victim. They also impersonate reputable clothing, footwear, and apparel brands, such as Nike, Puma, Adidas, New Balance, and more, to scam unsuspecting customers into purchasing items on fraudulent websites, potentially exposing financial and personal information.
Image Source: MalwareBytes Labs
Additionally, threat actors impersonate legitimate brands and advertisers on SERPs and malicious websites via malvertising, or malicious advertising. For example, a malvertising campaign using brand impersonation was discovered when performing a search for USPS tracking. The legitimate-looking ad displayed the official USPS website address and branding and targeted both mobile and desktop users; however, the advertiser’s identity and location did not match. If clicked, victims are redirected to a phishing website and prompted to enter their tracking number, which produces an error message. The target is then directed to enter their full address and credit card information to pay a small fee in order to receive the package. The website also requests the login credentials for the victim’s financial institution to “confirm” the credit card, allegedly to protect against fraud.

Malvertising campaigns may also be used to distribute malware via spoofed webpages of legitimate organizations. For example, a user searching for WinSCP (a popular open-source Windows file transfer application) may inadvertently click on a malvertisement that leads to a malicious website containing a “Download” button. If clicked, an ISO file downloads to their system and the malicious payload is dropped. This activity was identified as a BlackCat (aka ALPHV) infection, and the threat actors utilized SpyBoy Terminator in an attempt to tamper with security protection agents. Additionally, researchers discovered a new Big Head ransomware variant distributed through malvertising of fraudulent Windows updates and Microsoft Word installers.

Enhanced Monitoring to Detect APT Activity Targeting Outlook Online

SUMMARY
In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.
CISA and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory to provide guidance to critical infrastructure organizations on enhancing monitoring of Microsoft Exchange Online environments. Organizations can enhance their cyber posture and position themselves to detect similar malicious activity by implementing the logging recommendations in this advisory. Organizations that identify suspicious, anomalous activity should contact Microsoft to proceed with mitigation actions, because the affected infrastructure is cloud-based, and should also report to CISA and the FBI.

TECHNICAL DETAILS
In mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in M365 Audit Logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA.

Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts. The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse.[1]

The affected FCEB agency identified the suspicious activity by leveraging enhanced logging, specifically of MailItemsAccessed events, together with an established baseline of normal Outlook activity (e.g., expected AppIds). The MailItemsAccessed event enables detection of adversarial activity that is otherwise difficult to detect.

CISA and FBI are not aware of other audit logs or events that would have detected this activity. Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.
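The hunt the advisory describes, written out as an added example that is not part of the advisory: it reads a newline-delimited JSON export of unified audit log records, keeps only MailItemsAccessed events, and reports any AppId or ClientAppId that is absent from the organization's baseline, with the affected users, access types and source IPs. The baseline GUIDs, user names, IP addresses and audit records are all constructed placeholders.

```python
"""Flag MailItemsAccessed events whose AppId/ClientAppId fall outside a baseline."""
import json
from collections import Counter, defaultdict

# Constructed baseline: AppIds seen accessing mailboxes during a known-good
# period in a hypothetical tenant. The GUIDs are placeholders, not real app ids.
BASELINE_APP_IDS = {
    "00000000-0000-0000-0000-0000000000a1",  # assumed: Outlook desktop client
    "00000000-0000-0000-0000-0000000000a2",  # assumed: Outlook mobile client
}

# Constructed sample export, one JSON record per line, in the field layout the
# unified audit log uses for MailItemsAccessed (UserLoggedIn is there to be skipped).
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2023-06-15T02:11:04","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"00000000-0000-0000-0000-0000000000a1","ClientAppId":"00000000-0000-0000-0000-0000000000a1","MailAccessType":"Bind","ClientIPAddress":"203.0.113.10"}
{"CreationTime":"2023-06-15T02:12:31","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"00000000-0000-0000-0000-0000000000ff","ClientAppId":"00000000-0000-0000-0000-0000000000ff","MailAccessType":"Sync","ClientIPAddress":"198.51.100.7"}
{"CreationTime":"2023-06-15T02:13:02","Operation":"MailItemsAccessed","UserId":"bob@example.gov","AppId":"00000000-0000-0000-0000-0000000000ff","ClientAppId":"00000000-0000-0000-0000-0000000000ff","MailAccessType":"Bind","ClientIPAddress":"198.51.100.7"}
{"CreationTime":"2023-06-15T02:14:50","Operation":"UserLoggedIn","UserId":"bob@example.gov","AppId":"00000000-0000-0000-0000-0000000000a2","ClientAppId":"00000000-0000-0000-0000-0000000000a2"}
{"CreationTime":"2023-06-15T02:15:19","Operation":"MailItemsAccessed","UserId":"carol@example.gov","AppId":"00000000-0000-0000-0000-0000000000a2","ClientAppId":"00000000-0000-0000-0000-0000000000a2","MailAccessType":"Bind","ClientIPAddress":"203.0.113.22"}
"""


def parse_records(text):
    """Yield only MailItemsAccessed records from a newline-delimited JSON export."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") == "MailItemsAccessed":
            yield rec


def find_unexpected_apps(text, baseline):
    """Return {app_id: {"users": [...], "access_types": {...}, "ips": [...]}}
    for every AppId or ClientAppId on a MailItemsAccessed record that is not
    in the baseline. Either identifier being unknown is enough to report it."""
    found = defaultdict(lambda: {"users": set(), "access_types": Counter(), "ips": set()})
    for rec in parse_records(text):
        for app in {rec.get("AppId"), rec.get("ClientAppId")}:
            if app and app not in baseline:
                f = found[app]
                f["users"].add(rec["UserId"])
                f["access_types"][rec.get("MailAccessType", "?")] += 1
                f["ips"].add(rec.get("ClientIPAddress", "?"))
    # Sorted lists keep the report deterministic for triage and tests.
    return {
        app: {"users": sorted(v["users"]),
              "access_types": dict(v["access_types"]),
              "ips": sorted(v["ips"])}
        for app, v in found.items()
    }


if __name__ == "__main__":
    for app, d in find_unexpected_apps(SAMPLE_AUDIT_LOG, BASELINE_APP_IDS).items():
        print(f"[!] unexpected AppId {app}: users={d['users']} "
              f"access={d['access_types']} ips={d['ips']}")
```

An AppId that appears for several users from one IP with Sync access, as in the sample, is the pattern worth escalating; a known AppId added to the baseline drops out of the report.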
LOGGING
CISA and the FBI strongly encourage critical infrastructure organizations to ensure audit logging is enabled. Note: Per CISA’s Microsoft Exchange Online Microsoft 365 Minimum Viable Secure Configuration Baselines, FCEB agencies shall enable audit logging. These minimum viable secure configuration baselines are part of CISA’s Secure Cloud Business Applications (SCuBA) Project, which provides guidance for FCEB agencies securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. The Office of Management and Budget (OMB) M-21-31 requires Microsoft audit logs be retained for at least twelve months in active storage and an additional eighteen months in cold storage. This can be accomplished either by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy. In addition to enabling audit logging, CISA and FBI strongly encourage organizations to:

  • Enable Purview Audit (Premium) logging. This logging requires licensing at the G5/E5 level. See Microsoft’s guidance on Assigning Microsoft 365 Licenses to Users for additional information.
  • Ensure logs are searchable by operators. The relevant logs need to be accessible to operational teams in a platform (e.g., security operations center [SOC] tooling) that enables hunting for this activity and distinguishing it from expected behavior within the environment.
  • Enable Microsoft 365 Unified Audit Logging (UAL). UAL should be enabled by default, but organizations are encouraged to validate these settings.
  • Understand your organization’s cloud baseline. Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic.

GENERAL CLOUD MITIGATIONS
All mitigation actions for this activity are the responsibility of Microsoft due to the cloud-based infrastructure affected; however, CISA and the FBI recommend that critical infrastructure organizations implement the following to harden their cloud environments. Although these mitigations will not prevent this or related activity where actors leverage compromised consumer keys, they will reduce the impact of less sophisticated malicious activity targeting cloud environments. Note: These mitigations align with CISA’s SCuBA Technical Reference Architecture (TRA), which describes essential components of security services and capabilities to secure and harden cloud business applications, including the platforms hosting the applications.

Microsoft 365 Virtual Training Day: Microsoft Teams Phone

Discover how to simplify and customize audio and video calling at Microsoft 365 Virtual Training Day: Microsoft Teams Phone. Join us at this free event from Microsoft Learn to see how to enable seamless collaboration by setting up calling plans, Operator Connect, and direct routing within Teams Phone. You will have the opportunity to:

  • Configure, deploy, and manage Teams Phone devices.
  • Deploy and configure an AudioCodes virtual session border controller for direct routing within Teams Phone.

Join us at an upcoming event:
Wednesday, July 19, 2023 | 10:00 AM – 1:45 PM | (GMT-05:00) Eastern Time (US & Canada)


Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >