Month: October 2023

The National Cybersecurity Center of Excellence (NCCoE) is hosting a virtual event open to the public! Join the NCCoE Internet of Things (IoT) Onboarding team as we explore a process known as trusted network-layer onboarding, which in combination with additional device security capabilities could improve the security of networks and IoT devices.  

During this webinar, attendees will: 

• Meet the NCCoE IoT Onboarding team and their industry collaborators
• Learn about Draft NIST SP 1800-36, Vols. A-E, Trusted IoT Device Network-Layer Onboarding and Lifecycle Management, and how it can be used to help organizations protect both their IoT devices and their networks 
• Hear from the project’s collaborators about example technology solutions using Wi-Fi Easy Connect, BRSKI, and Thread 
• Engage in a Q&A period with the project team and industry experts 
• Gain resources and additional information to help contribute to this project  

Speakers

• Cherilyn Pascoe, Director, NIST NCCoE 
• Paul Watrobski, Principal Investigator, NIST NCCoE  
• Susan Symington, Cyber Architecture and Resiliency Principal, NCCoE/MITRE 
• Dan Harkins, Fellow, HPE Aruba  
• Danny Jump, Senior Product Manager, HPE Aruba  
• Michael Richardson, Chief Scientist, Sandelman Software Works  
• Craig Pratt, Lead Software Engineer, CableLabs 
• Darshak Thakore, Principal Architect, CableLabs 
• Andy Dolan, Senior Security Engineer, CableLabs 
• Brecht Wyseur, Senior Product Manager and Product Strategy, Kudelski IoT 
• Nick Allott, CEO, NquiringMinds  
• Steve Clark, Security Technologist, SEALSQ, a division of WISeKey

Contact Us

If you have any questions about this event, please reach out to the team at [email protected].  

To receive the latest project news and updates, consider joining the NCCoE IoT Onboarding Community of Interest (COI). You can sign up by completing the COI form here or by emailing the team declaring your interest. 

View Agenda and Register

---

My Research Can Help Protect You — and Your Company — From Hackers Trying to Steal Your Money and Information A scene from the movie Ocean’s 8 provides a surprisingly useful lesson on cybersecurity. The character played by Rihanna needs to hack into a security person’s computer. She looks up his social media to find he loves corgis. The Rihanna character sends him a phishing email featuring corgis, and he can’t help but click on it. With one click of a mouse, someone can accidentally give away their company’s secrets, their bank account information, or an organization’s medical records. Read More

Learning

Learn how to enable Advanced Security in your Azure Repos > Step by step tutorial to enable Advanced Security at the organization, project, or repository level.   Microsoft Azure Developer Cloud Skills Challenge > In under 30 hours, you’ll learn about storing data in Azure, creating serverless applications, connecting your services together, and more.   Learn how to provision and manage Azure AI Services > This learning path helps prepare you for Exam AI-102: Designing and Implementing a Microsoft Azure AI Solution.

It’s week three in our Cybersecurity Awareness Month blog series! 

This week, we interviewed NIST’s Michael Ogata (Computer Scientist) and Paul Watrobski (IT Security Specialist) about the importance of updating software.

1. This week’s Cybersecurity Awareness Month theme is ‘updating software.’ How does your work/specialty area at NIST tie into this behavior?

NIST’s Applied Cybersecurity Division’s core mission is to explore, measure, and evaluate both the cybersecurity guidance NIST provides as well as industry best practices. One of our current projects involves putting the practices described in NIST 800-218 Secure Software Development Framework (SSDF) into action. Many people think of updating software in the context of “that thing that happens randomly after I purchase a piece of software”…but today’s continuous integration and continuous delivery (CI/CD) environments—and the rapid pace of software evolution—tightly couple software updates into the daily functionality of many systems…

Read the Blog

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released this Joint Cybersecurity Advisory in response to the active exploitation of CVE-2023-22515 . This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation.

CISA, FBI, and MS-ISAC strongly encourage network administrators to immediately apply the upgrades provided by Atlassian. CISA, FBI, and MS-ISAC also encourage organizations to hunt for malicious activity on their networks using the detection signatures and indicators of compromise (IOCs) contained in this advisory. If a potential compromise is detected, organizations should apply the incident response recommendations found in this advisory.

For additional information on upgrade instructions, a complete list of affected product versions, and IOCs, see Atlassian’s security advisory for CVE-2023-22515. While Atlassian’s advisory provides interim measures to temporarily mitigate known attack vectors, CISA, FBI, and MS-ISAC strongly encourage upgrading to a fixed version or taking servers offline to apply necessary updates.

The US Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) released this Analyst Note to provide awareness of NoEscape ransomware.

A relatively new threat actor and ransomware to the cybercriminal community, NoEscape ransomware emerged in May 2023, but is believed to be a rebrand of Avaddon, a now defunct ransomware group shut down in 2021. Unlike many of its contemporaries, however, the unknown developers of this ransomware claim that in lieu of using source code or leaks from other established ransomware families, they have constructed their malware and its associated infrastructure entirely from scratch. Using unique features and aggressive multi-extortion tactics, in just under a year, it has targeted multiple industries, including the Healthcare and Public Health (HPH) sector. Their recent activities highlight the prominence and influence they have as a Ransomware-as-a-Service (RaaS) group.

This HC3 Analyst Note provides an overview of the group, possible connections to the Avaddon threat group, an analysis of NoEscape’s ransomware attacks, its target industries and victim countries, sample MITRE ATT&CK techniques, recommended defense and mitigations against the ransomware,  and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cyber criminals.

Now Available — Final NIST IR 8473, Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure

The NIST NCCoE has published the final version of NIST Internal Report (NIST IR) 8473, Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure. 

Overview

This Profile is designed to be part of an enterprise risk management program to aid organizations in managing threats to systems, networks, and assets within the Electric Vehicle Extreme Fast Charging Infrastructure (EV/XFC) ecosystem (it is not intended to serve as a solution or compliance checklist). 

The Profile is an application of the NIST Cybersecurity Framework Categories and Subcategories in the context of the EV/XFC cybersecurity ecosystem as provided by the Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response and Office of Energy Efficiency and Renewable Energy and Electric Power Research Institute. It is a non-regulatory, voluntary profile intended to supplement, not replace, an existing risk management program or the current cybersecurity standards, regulations, and industry guidelines that are in current use by the EV/XFC industry.

The Profile also provides ecosystem relevant parties with a means to assess and communicate their cybersecurity posture in a manner consistent with the Framework. It also offers users an industry level risk-based approach for managing cybersecurity activities and facilitates cross-collaboration between industry parties, vendors, and end users.

Use of the Profile will help organizations:

• Identify key assets and interfaces in each of the ecosystem domains.
• Address cybersecurity risk in the management and use of EV/XFC services.
• Identify the threats, vulnerabilities, and associated risks to EV/XFC services, equipment, and data.
• Apply protection mechanisms to reduce risk to manageable levels.
• Detect disruptions and manipulation of EV/XFC services.
• Respond to and recover from EV/XFC service anomalies in a timely, effective, and resilient manner.

What changed from the draft to final Profile?

We received over 220 comments. Based on the input received, a few major changes from the draft to final Profile include:

• Added additional informative references for applicable subcategories, including: NIST Special Publication (SP) 800-207 Zero Trust Architecture, International Organization for Standardization (ISO) ISO/SAE 21434, and International Organization for Standardization (ISO) 24089.
• Added acknowledgements for individual contributors from the COI and public comment period.
• Updated content in the subcategories to better articulate relevancy to specific domains within the EV XFC ecosystem.
• Updated front matter language to represent the rapid growth of EV vehicles globally.

Questions? Email the team at [email protected].

View the Publication

Researchers and vendors have disclosed a denial-of-service (DoS) vulnerability in HTTP/2 protocol. The vulnerability (CVE-2023-44487), known as Rapid Reset, has been exploited in the wild beginning in August 2023 through October 2023.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends organizations that provide HTTP/2 services apply patches when available and consider configuration changes and other mitigations discussed in the references below. For more information on Rapid Reset, see:

Cloudflare: HTTP/2 Rapid Reset: deconstructing the record-breaking attack Google: How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack AWS: CVE-2023-44487 – HTTP/2 Rapid Reset Attack NGINX: HTTP/2 Rapid Reset Attack Impacting NGINX Products

Organizations can take proactive steps to reduce the effects of DoS attacks. See the following guidance for more information:

CISA: Understanding and Responding to Distributed Denial-of-Service Attacks CISA: Additional DDoS Guidance for Federal Agencies

NIST has released the initial public draft of Special Publication (SP) 800-92r1 (Revision 1), Cybersecurity Log Management Planning Guide, for public comment. Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. It facilitates log usage and analysis for many purposes, including identifying and investigating cybersecurity incidents, finding operational issues, and ensuring that records are stored for the required period of time.

This document defines a playbook to help any organization plan improvements to its cybersecurity log management practices in support of regulatory requirements and recommended practices. While the playbook is not comprehensive, the listed plays are noteworthy and generally beneficial for cybersecurity log management planning by organizations.

The public comment period for this draft is open through November 29, 2023. Submit your comments to [email protected].

NOTE: A call for patent claims is included on page iii of this document. For additional information, see the Information Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL Publications.Read More

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this Joint Cybersecurity Advisory to disseminate known TTPs, IOCs, and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023.

AvosLocker operates under a ransomware-as-a-service (RaaS) model. AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments. AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data.

This advisory updates the March 17, 2022, AvosLocker ransomware Joint Cybersecurity Advisory released by FBI and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). This update includes TTPs and IOCs not included in the previous advisory and a YARA rule FBI developed after analyzing a tool associated with an AvosLocker compromise.