CISA and International Partners Release Advisory on Russia-based Threat Actor Group, Star Blizzard

12/07/2023 12:00 PM EST

Today, the Cybersecurity and Infrastructure Security Agency (CISA)—in coordination with the United Kingdom’s National Cyber Security Centre (UK-NCSC), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), and the U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cyber Command Cyber National Mission Force (CNMF)—released a joint Cybersecurity Advisory (CSA), Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. The joint CSA aims to raise awareness of the specific tactics, techniques, and delivery methods used by this Russia-based threat actor group to target individuals and organizations. Known Star Blizzard techniques include:

  • Impersonating known contacts’ email accounts,
  • Creating fake social media profiles,
  • Using webmail addresses from providers such as Outlook, Gmail and others, and
  • Creating malicious domains that resemble legitimate organizations.

CISA encourages network defenders and critical infrastructure organizations to review the CSA to improve their cybersecurity posture and protect against similar exploitation based on threat actor activity. CISA also urges software manufacturers to incorporate secure-by-design and -default principles into their software development practices, limiting the impact of threat actor activity. For more guidance to protect against the most common and impactful threats, visit CISA’s Cross-Sector Cybersecurity Performance Goals. For more information on secure by design, see CISA’s Secure by Design webpage.

NIST NCCoE Data Security Draft Practice Guide (Vol A-C)

In our increasingly digital world, data has become one of the most valuable assets for individuals and organizations alike. At the same time, data breaches have become all too common, with consequences that can be devastating. With this growing reliance on data comes the pressing need for cybersecurity and privacy controls to achieve confidentiality.

In response, the NIST National Cybersecurity Center of Excellence (NCCoE) has worked closely with the industry and tech community to develop two draft NIST Special Publications (SP):

These guides provide recommendations on how to prevent and recover from data breaches, including cybersecurity and privacy considerations to prepare for data breaches and specific technical direction for implementation.

We Want to Hear from You!

The NCCoE is making volumes A-C available as drafts for public comment. Review the drafts and submit comments online by January 15, 2024.

  • Comment here. 1800-28, Data Confidentiality: Identifying and Protecting Assets Against Data Breaches (Vol A-C)
  • Comment here. 1800-29, Data Confidentiality: Detect, Respond to, and Recover from Data Breaches (Vol A-C)

We welcome your input and look forward to your comments. We invite you to connect with us at [email protected] or join our Community of Interest to receive news and updates about this project.  

Vulnerability in Apache Struts 2

A vulnerability has been discovered in Apache Struts 2, which could allow for remote code execution. Apache Struts 2 is an open-source web application framework for developing Java EE web applications. Successful exploitation could allow for remote code execution in the context of the underlying operating system. Depending on the privileges associated with the logged-on user, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Threat Intelligence

There are currently no reports of this vulnerability being exploited in the wild.

Systems Affected

  • Struts 2.0.0 – Struts 2.3.37 (EOL)
  • Struts 2.5.0 – Struts 2.5.32
  • Struts 6.0.0 – Struts 6.3.0

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home Users: Low

Technical Summary

A vulnerability has been discovered in Apache Struts 2, which could allow for remote code execution.

Recommendations

  • Apply appropriate updates provided by Apache to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

References

  • Apache: https://cwiki.apache.org/confluence/display/WW/S2-066
  • CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50164
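
One way to check a jar inventory against the affected ranges listed above, as an added example (not code from the advisory or from Apache). It assumes the framework jar follows the Maven artifact naming `struts2-core-<version>.jar`; the sample paths are constructed.

```python
import re

# Affected ranges exactly as listed in the advisory above (inclusive bounds).
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 3, 37)),  # EOL branch
    ((2, 5, 0), (2, 5, 32)),
    ((6, 0, 0), (6, 3, 0)),
]

# Assumption: the jar is named struts2-core-<version>[-qualifier].jar.
JAR_RE = re.compile(r"(?:^|[/\\])struts2-core-(\d+(?:\.\d+)*)[^/\\]*\.jar$")


def parse_version(text):
    """Turn '2.5.30' into (2, 5, 30), padded to at least three components."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_listed_range(version):
    """True when the version tuple falls inside any listed affected range."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def audit(paths):
    """Return (path, version, listed) for every struts2-core jar in paths."""
    findings = []
    for path in paths:
        match = JAR_RE.search(path)
        if match is None:
            continue  # some other library, not the Struts 2 core jar
        version = parse_version(match.group(1))
        findings.append((path, ".".join(map(str, version)), in_listed_range(version)))
    return findings


# Constructed sample inventory, e.g. the output of a file search for *.jar.
SAMPLE_PATHS = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.5.30.jar",
    "/opt/app1/WEB-INF/lib/commons-io-2.11.0.jar",
    "/opt/legacy/WEB-INF/lib/struts2-core-2.3.37.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-6.3.0.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-6.4.0.jar",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_PATHS):
        print(row)
```

A version outside the listed ranges is not thereby confirmed fixed; consult the Apache bulletin referenced above for the patched releases.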

Russian Foreign Intelligence Service Exploiting JetBrains TeamCity CVE Globally

The US Federal Bureau of Investigation (FBI), US Cybersecurity and Infrastructure Security Agency (CISA), US National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023.
Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations. Although the SVR used such access to compromise SolarWinds and its customers in 2020, the limited number and seemingly opportunistic types of victims currently identified indicate that the SVR has not used the access afforded by the TeamCity CVE in a similar manner. However, the SVR has been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.
To bring Russia’s actions to public attention, the authoring agencies are providing information on the SVR’s most recent compromise to aid organizations in conducting their own investigations and securing their networks, provide compromised entities with actionable indicators of compromise (IOCs), and empower private sector cybersecurity companies to better detect and counter the SVR’s malicious activity. The authoring agencies recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this Joint Cybersecurity Advisory. If potential compromise is detected, administrators should apply the incident response recommendations included in this advisory and report key findings to the FBI and CISA.

How generative AI is leveling up cybersecurity

What’s next with generative AI in cybersecurity

Learn how AI can help protect your organization in this discussion with Microsoft Security leaders. In the security keynote from Microsoft Ignite, The Future of Security with AI, you’ll:

  • Get a view into how cybersecurity will continue to evolve as AI advances.
  • Explore how Microsoft Security Copilot capabilities enhance secure productivity.
  • Gain deeper insights into the latest Microsoft Security product innovations announced at Microsoft Ignite.

Radically accelerate your productivity without compromising security

As digital transformations accelerate, AI’s influence on business operations is emerging as a game-changer. AI promises not only growth and operational efficiency but also brings to light challenges, notably in data protection and oversight. In these exciting times, it’s imperative for businesses to be well-versed and proactive. Our detailed ebook offers valuable insights into these evolving dynamics. Highlights from our ebook include:

  • Decoding Data Challenges: Get clarity on the issue of content oversharing and its relevance in the modern digital landscape.
  • Guidelines for Data Protection in AI: Receive hands-on advice on upholding data security amidst AI implementations.
  • Gearing Up for What’s Next: Equip your business with the know-how and strategies to embrace the forthcoming technological shifts confidently.

Draft NIST SP 800-226, Guidelines for Evaluating Differential Privacy Guarantees

Just Released for Public Comment! Draft NIST SP 800-226, Guidelines for Evaluating Differential Privacy Guarantees

Dear Colleagues,

We’re excited to announce the release of the NIST Special Publication (SP) 800-226 Initial Public Draft (IPD), Guidelines for Evaluating Differential Privacy Guarantees, which is all about differential privacy, a privacy-enhancing technology that quantifies privacy risk to individuals when their information appears in a dataset. In response to President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, SP 800-226 is intended to help agencies and practitioners of all backgrounds—policy makers, business owners, product managers, IT technicians, software engineers, data scientists, researchers, and academics—better understand how to evaluate promises made (and not made) when deploying differential privacy, including for privacy-preserving machine learning. Additionally, there is a supplemental, interactive software archive that illustrates how to achieve differential privacy and other concepts described in the publication.

The comment period for this draft is open until 11:59 p.m. EST on Thursday, January 25, 2024. Visit our publication page for additional details about SP 800-226 and the comment form.

If you have any questions, please reach out by contacting [email protected].

All the best,

NIST Privacy Engineering Program

Draft NIST SP 800-226, Guidelines for Evaluating Differential Privacy Guarantees & UK-US Privacy-Preserving Federated Learning Blog Series

Just Released! Draft NIST SP 800-226, Guidelines for Evaluating Differential Privacy Guarantees & UK-US Privacy-Preserving Federated Learning Blog Series

Dear Colleagues, 

We’re excited to announce the release of the NIST Special Publication (SP) 800-226 Initial Public Draft (IPD), Guidelines for Evaluating Differential Privacy Guarantees, which is all about differential privacy, a privacy-enhancing technology that quantifies privacy risk to individuals when their information appears in a dataset. In response to President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, SP 800-226 is intended to help agencies and practitioners of all backgrounds—policy makers, business owners, product managers, IT technicians, software engineers, data scientists, researchers, and academics—better understand how to evaluate promises made (and not made) when deploying differential privacy, including for privacy-preserving machine learning. Additionally, there is a supplemental, interactive software archive that illustrates how to achieve differential privacy and other concepts described in the publication.

The comment period for this draft is open until 11:59 p.m. EST on Thursday, January 25, 2024. Visit our publication page for additional details about SP 800-226 and the comment form.  

In addition, last week we launched a new blog series on privacy-preserving federated learning (PPFL) as a follow on to the past UK-US PETs Prize Challenges collaboration. Modeled after our successful differential privacy blog series, this joint UK-US series focuses on addressing the privacy challenges in federated learning, an approach that enables machine learning models to be trained across separate datasets. Over the coming months, we’ll be publishing a number of blogs to provide practical guidance on PPFL. The series will feature guest authors from organizations involved in the UK-US PETs Prize Challenges, and other leading experts in the field. Future topics will include privacy threat models in federated learning, solutions developed during the prize challenges, and resources for getting started with federated learning.

The UK-US Blog Series on Privacy-Preserving Federated Learning: Introduction | by Joseph Near, David Darais, Dave Buckley, and Naomi Lefkovitz: Read the post.

If you have any questions about:

Help us advance the adoption of PETs by providing feedback on these new releases!

All the best,

NIST Privacy Engineering Program

NIST Offers Draft Guidance on Evaluating a Privacy Protection Technique for the AI Era

A pyramid is made up of phrases to evaluate differential privacy. The bottom block is Data Collection Exposure; the top block is an epsilon.

Here’s a tricky situation: A business that sells fitness trackers to consumers has amassed a large database of health data about its customers. Researchers would like access to this information to improve medical diagnostics. While the business is concerned about sharing such sensitive, private information, it also would like to support this important research. So how do the researchers obtain useful and accurate information that could benefit society while also keeping individual privacy intact?

Helping data-centric organizations to strike this balance between privacy and accuracy is the goal of a new publication from the National Institute of Standards and Technology (NIST) that offers guidance on using a type of mathematical algorithm called differential privacy. Applying differential privacy allows the data to be publicly released without revealing the individuals within the dataset.

Securing the Software Supply Chain

December 11, 2023  
NJCCIC Public/Private Sector IT-Security Professional Members, 

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), and industry partners have released a guide developed by the Enduring Security Framework entitled, Securing the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bill of Materials (SBOMs).

This report provides guidance in line with industry best practices and principles, including managing open source SBOM to maintain and provide awareness about the security of software. Specifically, the report provides more details on Open Source Software (OSS) adoption and the areas to consider when evaluating and deploying an open source component into an existing product development environment including: its composition; process and procedures used when adopting OSS; and management, tracking and distribution of approved software components using an SBOM.

OSS is an essential and valuable component in many commercial and public-sector products and services, and collaboration on OSS often enables great cost-savings for participants. However, organizations that do not follow a consistent and secure by design management practice for the OSS they utilize are more likely to become vulnerable to known exploits in open source packages and encounter more difficulty when reacting to an incident.

The Enduring Security Framework is a cross-sector working group that operates under the auspices of Critical Infrastructure Partnership Advisory Council (CIPAC) to address threats and risks to the security and stability of US national security systems. It is comprised of experts from the US government as well as industry representatives from information technology, communications, and the Defense Industrial Base.

For more information on CISA’s work in these areas, visit Open Source Software Security and Software Bill of Materials.