Month: March 2024

This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this Joint Cybersecurity Advisory to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open-source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million US dollars.

The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents.

Subdomain hijacking occurs when threat actors gain control of a subdomain of a legitimate domain by taking over unused or abandoned subdomains or exploiting misconfigured DNS records. They systematically scan for forgotten subdomains with dangling CNAME records of abandoned domains via specific targeting or automated tools. The threat actors then register these subdomains under their ownership to host malicious content or initiate additional attacks, such as hosting phishing landing pages designed to harvest login credentials. Additionally, a DNS SPF record of a known domain may hold unused or abandoned subdomains associated with obsolete email or marketing-related services. Threat actors can take ownership of those subdomains, inject their IP address into the SPF record, and send emails on behalf of the primary domain name.

Since 2022, researchers have tracked a sophisticated subdomain hijacking operation dubbed SubdoMailing . Over 8,000 domains and 13,000 subdomains for legitimate brands and organizations have been impacted, including VMware, McAfee, Symantec, Better Business Bureau, and more. While subdomain hijacking is not new, what is concerning about this operation is the magnitude of identified domains and subdomains already compromised and counting. The impacts of these successful attacks can lead to reputational damage, financial losses, operational disruption, data breaches, phishing and fraud, and malware distribution.

The threat actor behind the SubdoMailing operation, ResurrecAds, leverages trusted domains and a sophisticated distribution architecture to bypass email authentication controls and send millions of spam and phishing emails daily. The emails are designed to appear legitimate and evade detection of standard text-based spam filters by including an image that, if clicked, triggers a series of click-redirects through different domains. The redirects check the device type and geographic location to custom tailor the content and maximize profit, such as malicious advertisements, affiliate links, quiz scams, phishing websites, and malware downloads. The NJCCIC recommends that domain administrators and site owners utilize Guardio Lab’s SubdoMailing checker tool and website , which is updated daily, to search for impacted domains as detected by their systems. Additionally, the search results of affected domains display details of known abuses, type of hijack, and relevant subdomains and SPF records in need of attention. Furthermore, Guardio Labs offers recommendations, including monitoring all CNAME records, monitoring SPF policies, removing permissive SPF settings, and implementing DMARC. Also, regularly check DNS records for any unauthorized changes or unused or abandoned subdomains, train designated employees about subdomain hijacking to identify unusual changes to DNS records or website traffic, and confirm that third-party servers are not referenced in CNAME records of organization domains before deletion. If feasible, consider registering the domain name as intellectual property to provide legal protection in the event of a hijacking. Also, registrars recently have the option to block the registration of domains with similar appearances, spellings, or otherwise infringement on brand names to protect their trademark and help prevent malicious usage.   We recommend that users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders, and exercise caution with communications from known senders. If unsure of the legitimacy, contact the sender via a separate means of communication, such as by phone, from trusted sources before taking action. If you suspect your PII has been compromised, please review the  Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes and enabling MFA on accounts. Additionally, we advise reporting suspicious or fraudulent correspondence to the respective entity. Impersonation scams and other malicious cyber activity can be reported to the NJCCIC.

NIST has published the final version of Internal Report (IR) 8472, Non-Fungible Token Security.

Non-fungible token (NFT) technology provides a mechanism to sell and exchange both virtual and physical assets on a blockchain. While NFTs are most often used for autographing digital assets (associating one’s name with a digital object), they utilize a strong cryptographic foundation that may enable them to regularly support ownership-transferring sales of digital and physical objects. For this, NFT implementations need to address potential security concerns to reduce the risk to purchasers.

This publication:

• Defines NFTs
• Identifies 11 properties that should be provided by most correctly functioning and secured NFT implementations
• Evaluates each property to reveal 27 potential security concerns

Read More

Work Role Categories and Work Roles Minor changes to Work Role Category names, descriptions, and ordering to create a more uniform and complementary approach modeled after technology lifecycles Updates to Work Role names, descriptions, and IDs to reflect category updates and to differentiate Work Role functions from job titles  New Insider Threat Analysis Work Role with associated TKS statements Competency Areas 11 Competency Areas with descriptions Task, Knowledge, and Skill (TKS) Statements Updates to align TKS statements with the TKS Authoring Guide principles Removal of duplicate and redundant statements Edits to address inconsistent and unclear language You can access version 1.0.0 of the NICE Framework components in the NICE Framework Resource Center. Also available is a summary of changes and the NICE Framework Components Mapping: 2017 to Version 1.0.0 (March 2024) spreadsheet.

Future Iterations of NICE Framework Components

Version 1.0.0 of the NICE Framework components is the first, official published version since 2017. The NICE Program Office intends to take a software update versioning approach for NICE Framework components, with a mix of minor and major updates over time. While users of the NICE Framework are always encouraged to reference the most recent published version of the components, users may choose to continue using older versions. Please note that outdated versions may not be supported by the NICE Program Office. A record of versions of the NICE Framework can be found on the NICE Framework History and Change Logs webpage. Stay Connected!   If you have ideas for new Work Roles, updates to existing components, or would like to be involved in identifying Competency Area statements, let us know: NICEFramework@nist.gov. In addition, the NICE Program Office will continue to look at ways to support use of the NICE Framework in various tools and through alignments by developing new support resources. Stay in touch to learn about these efforts and how to get involved by joining the NICE Framework Users Group. Find out more: Learn more about the NICE Framework evolution, how it can be used, and how to engage in its continued development at the NICE Framework Resource Center. Updated and new resources have been added, including: Getting Started with the NICE Framework NICE Framework Frequently Asked Questions NICE Framework Revision Process NICE Framework Change Request FAQs NICE Framework History and Change Logs

In August 2021, NIST’s Crypto Publication Review Board initiated a review process for NIST Special Publication (SP) 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC (2007).

On August 23, 2023, NIST proposed to revise SP 800-38D and received two public comments in response.

NIST has decided to revise SP 800-38D. See the full announcement for more details, links to comments received, and ways to monitor future developments.

Read More