Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
Apple is aware of a report that CVE-2023-42916 and CVE-2023-42917 may have been actively exploited against versions of iOS released before iOS 16.7.1.
Systems Affected
– Versions prior to macOS Sonoma 14.1.2
– Versions prior to iOS 17.1.2 and iPadOS 17.1.2
– Versions prior to Safari 17.1.2
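As an added example (not part of the advisory itself), the following Python script triages a device inventory against the fixed versions listed above. The thresholds are the advisory's; the hostnames, products and installed versions in the inventory are constructed sample data. The point it demonstrates is that version strings must be compared numerically: a plain string comparison ranks "14.1.10" below "14.1.2" and would wrongly flag an already patched host.

```python
"""Compare installed Apple OS/browser versions against the advisory's fixed versions.

Added example; not code from the advisory. Inventory data below is constructed.
"""
from __future__ import annotations

# Fixed versions named in the advisory: anything strictly below these is affected.
FIXED_VERSIONS = {
    "macOS": "14.1.2",
    "iOS": "17.1.2",
    "iPadOS": "17.1.2",
    "Safari": "17.1.2",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '14.1.2' into (14, 1, 2) so comparison is numeric, not lexical.

    Trailing zero components are dropped so '17.1' and '17.1.0' compare equal.
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(product: str, installed: str) -> bool:
    """True when the installed version is strictly lower than the fixed one."""
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: list[dict]) -> list[str]:
    """Return hostnames that still need the update, sorted for reporting.

    Products the advisory does not cover are skipped rather than guessed at.
    """
    needs_update = []
    for device in inventory:
        if device["product"] not in FIXED_VERSIONS:
            continue
        if is_affected(device["product"], device["version"]):
            needs_update.append(device["host"])
    return sorted(needs_update)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "mac-01", "product": "macOS", "version": "14.1.1"},
    {"host": "mac-02", "product": "macOS", "version": "14.1.2"},
    {"host": "mac-03", "product": "macOS", "version": "14.1.10"},
    {"host": "ipad-01", "product": "iPadOS", "version": "17.0"},
    {"host": "iphone-01", "product": "iOS", "version": "16.7.1"},
    {"host": "iphone-02", "product": "iOS", "version": "17.1.2"},
    {"host": "win-01", "product": "Windows", "version": "10.0"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

Feeding the script a real MDM or asset-inventory export is a matter of mapping the export's columns onto the `host`, `product` and `version` keys; the comparison logic does not change.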
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Technical Summary
Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:
Recommendations
– Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing.
– Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
– Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
– Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
– Block execution of code on a system through application control and/or script blocking.
– Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
References
Apple:
https://support.apple.com/en-us/HT201222
https://support.apple.com/en-us/HT214033
https://support.apple.com/en-us/HT214031
https://support.apple.com/en-us/HT214032
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42916
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42917

Explore NIST’s Cybersecurity and Privacy Reference Tool!

Access Reference Data from NIST’s Various Standards, Guidelines & Frameworks—All in One Place 

CPRT Redesign

The NIST Cybersecurity and Privacy Reference Tool (CPRT) provides a way to browse, view mappings, and download reference data from select NIST cybersecurity and privacy standards, guidelines, and frameworks, all in standardized data formats (you can currently pick from XLSX or JSON). These tabular datasets will make it easier for users of NIST guidance to identify, locate, compare, and customize content without needing to review hundreds of pages of narrative within publications.

CPRT was developed a few years back to liberate, manage, and map NIST cybersecurity and privacy data. Today's launch is the first step to improving the user experience; CPRT now includes more NIST resources than it did when we first unveiled it (and more will continue to be added, so it'll evolve even more with time).

NIST will continue to collaborate with the public to ensure access to our community-developed resources is manageable, streamlined and usable, and CPRT is a big step in this direction. We look forward to the further evolution of this tool and welcome your comments, questions, and feedback via cprt@nist.gov.


Threat Actors Exploit Adobe ColdFusion Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has released a Cybersecurity Advisory in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch agency. This vulnerability presents an improper access control issue impacting specific versions of Adobe ColdFusion, some of which are no longer supported. 
 
In June 2023, through the exploitation of CVE-2023-26360, threat actors were able to establish an initial foothold on two federal agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint alerted the agencies of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software, which are vulnerable to various CVEs.  
 
Adobe ColdFusion is a commercial application server used for rapid web-application development, such as supporting proprietary markup languages for building web applications and integrating external components like databases and other third-party libraries.   
 
The advisory provides network defenders with details on the vulnerability; tactics, techniques, and procedures (TTPs); indicators of compromise (IOCs); and methods to detect and protect against similar exploitation. Organizations should prioritize remediating known exploited vulnerabilities, employ proper network segmentation, and enable multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
 
Organizations are encouraged to implement the recommended mitigations in the advisory to improve their cybersecurity posture against this particular threat actor activity. CISA also recommends software manufacturers incorporate secure-by-design principles and tactics into their software development practices to limit the impact of threat actor techniques and strengthen the security posture for their customers. 

Comment on Proposed Updates to the NICE Framework

NICE is continuing to refine and clarify the Workforce Framework for Cybersecurity (NICE Framework) as a fundamental reference resource that is agile, flexible, modular, and interoperable.
Proposed Insider Threat Analysis Work Role
NICE is proposing one new Work Role for addition to the NICE Framework: Insider Threat Analysis. Codifying the Insider Threat Analysis Work Role in the NICE Framework supports learning and career pathways that help ensure that organizations are well equipped to address insider threats. This proposed role includes a name, description, Task statements, and identifies the category to which it best fits. Comments on the proposed new Work Role are due by December 22, 2023.
Refactored Task Statements
Proposed updates to the NICE Framework Task statements follow the principles set forth in the Task, Knowledge, Skill (TKS) Statements Authoring Guide for Workforce Frameworks. Updates include improvements for:
– Consistency: Statements follow a common structure that begins with the activity to be executed and focus on the work to be done (not the knowledge or skills needed to do that work)
– Clarity: Statements are clearly stated
– Redundancy: Statements are unique and do not duplicate or unnecessarily overlap with others
– Compound statements: Statements do not include more than one task
Comments on the proposed updates to Task statements are due by January 29, 2024.

Joint Guidelines for Secure AI System Development

In a landmark collaboration, the Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom National Cyber Security Centre (NCSC) released Guidelines for Secure AI System Development. Co-sealed by 23 domestic and international cybersecurity organizations, this publication marks a significant step in addressing the intersection of artificial intelligence (AI), cybersecurity, and critical infrastructure.
The Guidelines, complementing the US Voluntary Commitments on Ensuring Safe, Secure, and Trustworthy AI, provide essential recommendations for AI system development and emphasize the importance of adhering to Secure by Design principles. The approach prioritizes ownership of security outcomes for customers, embraces radical transparency and accountability, and establishes organizational structures where secure design is a top priority.
The Guidelines apply to all types of AI systems, not just frontier models. We provide suggestions and mitigations that will help data scientists, developers, managers, decision-makers, and risk owners make informed decisions about the secure design, model development, system development, deployment, and operation of their machine learning AI systems.
This document is aimed primarily at providers of AI systems, whether based on models hosted by an organization or making use of external application programming interfaces. However, we urge all stakeholders, including data scientists, developers, managers, decision-makers, and risk owners, to read this guidance to help them make informed decisions about the design, deployment, and operation of their machine learning AI systems.
CISA invites stakeholders, partners, and the public to explore the Guidelines for Secure AI System Development as well as the recently published Roadmap for AI to learn more about our strategic vision for AI technology and cybersecurity. To learn more, visit CISA.gov/AI.

Microsoft Security Virtual Training Day: Protect Data and Mitigate Risk

Identify, remediate, and limit data risks at Security Virtual Training Day: Protect Data and Mitigate Risk from Microsoft Learn. At this free event, you'll learn how to secure data and reduce risks with Microsoft Purview Information Protection and risk management solutions. You'll also explore how to manage data protection policies across your organization to help protect people and data against cyberthreats. You will have the opportunity to:
– Manage and monitor data in new, comprehensive ways to help prevent data loss with Microsoft Purview.
– Identify privacy risks and help protect personal data using Microsoft Priva.
– Discover sensitive data and respond to inquiries efficiently with Microsoft Purview.
Join us at an upcoming two-part event:
December 04, 2023 | 12:00 PM – 2:45 PM | (GMT-05:00) Eastern Time (US & Canada)
December 05, 2023 | 12:00 PM – 2:30 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 

Microsoft Security Virtual Training Day: Security, Compliance and Identity Fundamentals

Grow your skills at Security Virtual Training Day: Security, Compliance, and Identity Fundamentals from Microsoft Learn. At this free, introductory event, you'll gain the security skills and training you need to create impact and take advantage of opportunities to move your career forward. You'll explore the basics of security, compliance, and identity, including best practices to help protect people and data against cyberthreats for greater peace of mind. You'll also learn more about identity and access management while exploring compliance management fundamentals. You will have the opportunity to:
– Learn the fundamentals of security, compliance, and identity.
– Understand the concepts and capabilities of Microsoft identity and access management solutions, as well as compliance management capabilities.
– Gain the skills and knowledge to jumpstart your preparation for the certification exam.
Join us at an upcoming two-part event:
December 06, 2023 | 12:00 PM – 3:45 PM | (GMT-05:00) Eastern Time (US & Canada)
December 07, 2023 | 12:00 PM – 2:15 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 

Comment Period Extended to December 8th for Drafts of SP 800-73-5 and SP 800-78-5: PIV Interfaces, Algorithms, and Key Sizes

The public comment period has been extended to December 8, 2023, for the initial public drafts of NIST Special Publication (SP) 800-73-5 (Parts 1-3) and SP 800-78-5. Full details can be found in the announcement for these drafts related to Personal Identity Verification (PIV).
NIST Cybersecurity and Privacy Program
Questions/Comments about this notice: piv_comments@nist.gov
CSRC Website questions: csrc-inquiry@nist.gov

Roadmap for Artificial Intelligence Adoption

The Cybersecurity and Infrastructure Security Agency (CISA) released its Roadmap for Artificial Intelligence (AI), adding to the significant whole-of-government effort to ensure the secure development and implementation of Artificial Intelligence capabilities, and operationalizing its responsibilities as provided in Executive Order (EO) 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI).
As the nation’s cyber defense agency and the national coordinator for critical infrastructure security and resilience, CISA envisions a secure and resilient digital ecosystem for the nation that supports unparalleled innovation and significant enhancement of critical infrastructure services provided to the American public. This roadmap includes a comprehensive set of actions that underscore CISA’s dedication to translating these goals into action. This work is structured around five lines of effort:
Line of Effort 1: Responsibly use AI to support our mission. CISA will use AI-enabled software tools to strengthen cyber defense and support its critical infrastructure mission. CISA's adoption of AI will ensure responsible, ethical, and safe use, consistent with the Constitution and all applicable laws and policies, including those addressing federal procurement, privacy, civil rights, and civil liberties.
Line of Effort 2: Assure AI systems. CISA will assess and assist secure by design, AI-based software adoption across a diverse array of stakeholders, including federal civilian government agencies; private sector companies; and state, local, tribal, and territorial (SLTT) governments through the development of best practices and guidance for secure and resilient AI software development and implementation, including the development of recommendations for red-teaming of generative AI.
Line of Effort 3: Protect critical infrastructure from malicious use of AI. CISA will assess and recommend mitigation of AI threats facing our nation's critical infrastructure in partnership with other government agencies and industry partners that develop, test, and evaluate AI tools. As part of this effort, CISA will establish JCDC.AI to catalyze focused collaboration around threats, vulnerabilities, and mitigations related to AI systems.
Line of Effort 4: Collaborate and communicate on key AI efforts with the interagency, international partners, and the public. CISA will contribute to DHS-led and interagency processes on AI-enabled software. This line of effort includes developing policy approaches for the US government's overall national strategy on AI and supporting a whole-of-DHS approach on AI-based-software policy issues. This line of effort also includes coordinating with international partners to advance global AI security best practices and principles.
Line of Effort 5: Expand AI expertise in our workforce. CISA will continue to educate our workforce on AI software systems and techniques, and the agency will continue to actively recruit interns, fellows, and future employees with AI expertise. CISA will ensure that internal training reflects, and new recruits understand, the legal, ethical, and policy aspects of AI-based software systems in addition to the technical aspects.
CISA's mission sits at the intersection of strengthening cybersecurity and protecting critical infrastructure and therefore plays a key role in advancing the Administration's goal of ensuring that AI is safe, secure, and resilient. Among the key actions CISA will take, our role will be to assess possible risks related to the use of AI and to provide guidance to the critical infrastructure sectors that Americans rely on every hour of every day. Additionally, we will work to capitalize on AI's potential to improve US cyber defenses and develop recommendations for red teaming of generative AI.
CISA invites stakeholders, partners, and the public to explore the Roadmap for Artificial Intelligence and learn more about our strategic vision for AI technology and cybersecurity. To access the full Roadmap, visit www.cisa.gov/AI.

StopRansomware: Rhysida Ransomware

This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released this Joint Cybersecurity Advisory to disseminate known Rhysida ransomware IOCs and TTPs identified through investigations as recently as September 2023. Rhysida, an emerging ransomware variant, has predominantly been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023. The information in this joint advisory is derived from related incident response investigations and malware analysis of samples discovered on victim networks.
The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of Rhysida ransomware and other ransomware incidents.