The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this Fact Sheet, which provides information about threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) targeting and compromising accounts of Americans to stoke discord and undermine confidence in US democratic institutions. IRGC actors have previously gained and continue to seek access to personal and business accounts using social engineering techniques by targeting victims across email and chat platforms. This fact sheet includes steps that individuals and organizations can take to enhance their security and resilience to protect themselves against the common techniques used by these cyber actors. CISA and FBI strongly recommend all individuals and organizations associated with national political organizations apply the mitigations in this fact sheet, including protecting their sensitive accounts with phishing-resistant multi-factor authentication (MFA). Election infrastructure stakeholders and the public can find more resources on how to protect against cyber and physical threats at #Protect2024. CISA encourages organizations to review its Iran Cyber Threat webpage for advisories and actions to defend their networks.
Author: blogmirnet
Security Property Verification by Transition Model | NIST Invites Public Comments on IR 8539
The initial public draft of NIST Internal Report (IR) 8539, Security Property Verification by Transition Model, is now available for public comment. Verifying the security properties of access control policies is a complex and critical task. The policies and their implementation often do not explicitly express their underlying semantics, which may be implicitly embedded in the logic flows of policy rules, especially when policies are combined. Instead of evaluating and analyzing access control policies solely at the mechanism level, formal transition models are used to describe these policies and prove the system’s security properties. This approach ensures that access control mechanisms can be designed to meet security requirements.
This document explains how to apply model-checking techniques to verify security properties in transition models of access control policies. It provides a brief introduction to the fundamentals of model checking and demonstrates how access control policies are converted into automata from their transition models. The document then focuses on discussing property specifications in terms of linear temporal logic (LTL) and computation tree logic (CTL) languages with comparisons between the two. Finally, the verification process and available tools are described and compared.
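As an added illustration of the approach the draft describes (this is example code written for this page, not tooling from NIST or the report), the following Python treats an access control policy as a transition model, states a security property as an invariant (the CTL formula AG p, equivalently LTL G p), and decides it by exhaustive search of the reachable states, returning a counterexample trace when the property fails. The two-user approval workflow, the role names and the unguarded versus guarded approve rule are all constructed for the example.

```python
from collections import deque

# Added example, not from the NIST draft: a tiny explicit-state model checker for a
# transition model of a two-step approval policy. State = (submitter, approver, roles).
USERS = ("alice", "bob")
ROLES = ("submitter", "approver")


def initial_state():
    """No request submitted or approved yet, no roles granted."""
    return (None, None, frozenset())


def transitions(state, allow_self_approve):
    """Successor states under the policy rules, labelled with the triggering action.

    allow_self_approve=True models a policy whose approve rule only checks the
    'approver' role; False adds the guard that the approver is not the submitter.
    """
    submitter, approver, roles = state
    succ = []
    for user in USERS:                       # role administration rule
        for role in ROLES:
            if (user, role) not in roles:
                succ.append((f"grant {role} to {user}",
                             (submitter, approver, roles | {(user, role)})))
    if submitter is None:                    # submit rule
        for user in USERS:
            if (user, "submitter") in roles:
                succ.append((f"{user} submits", (user, approver, roles)))
    elif approver is None:                   # approve rule
        for user in USERS:
            if (user, "approver") in roles and (allow_self_approve or user != submitter):
                succ.append((f"{user} approves", (submitter, user, roles)))
    return succ


def check_invariant(init, step, invariant):
    """Decide the CTL property AG invariant (LTL: G invariant) by breadth-first
    exploration of the reachable state space.

    Returns (True, None) if every reachable state satisfies the invariant, else
    (False, trace) where trace is a shortest counterexample as a list of
    (action, state) pairs starting from the initial state.
    """
    parent = {init: None}
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if not invariant(state):
            trace = []
            while state is not None:
                action, prev = parent[state] or (None, None)
                trace.append((action, state))
                state = prev
            return False, trace[::-1]
        for action, nxt in step(state):
            if nxt not in parent:
                parent[nxt] = (action, state)
                queue.append(nxt)
    return True, None


def separation_of_duty(state):
    """Security property: nobody approves the request they submitted."""
    submitter, approver, _ = state
    return approver is None or approver != submitter


def verify_policy(allow_self_approve):
    """AG separation_of_duty for the chosen variant of the policy."""
    return check_invariant(initial_state(),
                           lambda s: transitions(s, allow_self_approve),
                           separation_of_duty)


def approval_reachable(allow_self_approve):
    """EF approved, i.e. the policy is not vacuously safe. Uses the duality
    EF p == not AG (not p), so the same BFS answers a reachability query."""
    holds, _ = check_invariant(initial_state(),
                               lambda s: transitions(s, allow_self_approve),
                               lambda s: s[1] is None)
    return not holds


if __name__ == "__main__":
    ok, trace = verify_policy(allow_self_approve=True)
    print("unguarded policy satisfies AG SoD:", ok)
    for action, _ in trace[1:]:
        print("   ", action)
    print("guarded policy satisfies AG SoD:", verify_policy(False)[0])
    print("guarded policy can still reach approval:", approval_reachable(False))
```

The unguarded variant fails with a four-step trace (grant both roles to one user, submit, self-approve), which is exactly the kind of implicit semantics hidden in combined rules that the draft says mechanism-level review misses; the guarded variant passes, and the reachability query confirms it still permits a legitimate approval rather than being safe by blocking everything.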
The public comment period is open through November 25, 2024. See the publication details for a copy of the draft and instructions for submitting comments.
NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
Critical Patches Issued for Microsoft Products, October 8, 2024 – PATCH NOW
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLIGENCE:
The vulnerabilities Microsoft Management Console Remote Code Execution Vulnerability (CVE-2024-43572) and Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43573) have been seen exploited in the wild and disclosed publicly.
SYSTEMS AFFECTED:
- .NET and Visual Studio
- .NET, .NET Framework, Visual Studio
- Azure CLI
- Azure Monitor
- Azure Stack
- BranchCache
- Code Integrity Guard
- DeepSpeed
- Internet Small Computer Systems Interface (iSCSI)
- Microsoft ActiveX
- Microsoft Configuration Manager
- Microsoft Defender for Endpoint
- Microsoft Graphics Component
- Microsoft Management Console
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Simple Certificate Enrollment Protocol
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows Speech
- OpenSSH for Windows
- Outlook for Android
- Power BI
- Remote Desktop Client
- Role: Windows Hyper-V
- RPC Endpoint Mapper Service
- Service Fabric
- Sudo for Windows
- Visual C++ Redistributable Installer
- Visual Studio
- Visual Studio Code
- Windows Ancillary Function Driver for WinSock
- Windows BitLocker
- Windows Common Log File System Driver
- Windows Cryptographic Services
- Windows EFI Partition
- Windows Hyper-V
- Windows Kerberos
- Windows Kernel
- Windows Kernel-Mode Drivers
- Windows Local Security Authority (LSA)
- Windows Mobile Broadband
- Windows MSHTML Platform
- Windows Netlogon
- Windows Network Address Translation (NAT)
- Windows NT OS Kernel
- Windows NTFS
- Windows Online Certificate Status Protocol (OCSP)
- Windows Print Spooler Components
- Windows Remote Desktop
- Windows Remote Desktop Licensing Service
- Windows Remote Desktop Services
- Windows Resilient File System (ReFS)
- Windows Routing and Remote Access Service (RRAS)
- Windows Scripting
- Windows Secure Channel
- Windows Secure Kernel Mode
- Windows Shell
- Windows Standards-Based Storage Management Service
- Windows Storage
- Windows Storage Port Driver
- Windows Telephony Server
- Winlogon
RISK:
Government:
- Large and medium government entities: High
- Small government entities: Medium
Businesses:
- Large and medium business entities: High
- Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.
A full list of all vulnerabilities can be found in the Microsoft link in the References section.
Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
- Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
- Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
- Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
REFERENCES:
Microsoft:
https://portal.msrc.microsoft.com/en-us/security-guidance
https://msrc.microsoft.com/update-guide/releaseNote/2024-Oct
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43573
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution – PATCH NOW
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
- Chrome prior to 129.0.6668.100/.101 for Windows and Mac
- Chrome prior to 129.0.6668.100 for Linux
RISK:
Government:
- Large and medium government entities: High
- Small government entities: Medium
Businesses:
- Large and medium business entities: High
- Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:
Tactic: Initial Access (TA0001):
Technique: Drive-By Compromise (T1189):
- Type Confusion in V8 (CVE-2024-9602, CVE-2024-9603)
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
- Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
- Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
- Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
- Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
REFERENCES:
Google:
https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_8.html
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9603
Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution – PATCH NOW
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
- Android OS patch levels prior to 2024-10-05
RISK:
Government:
- Large and medium government entities: High
- Small government entities: Medium
Businesses:
- Large and medium business entities: High
- Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution in the context of the logged-on user. Following the MITRE ATT&CK framework, exploitation of the most severe of these vulnerabilities can be classified as follows:
Tactic: Execution (TA0002)
Technique: Exploitation for Client Execution (T1203):
- A vulnerability in System that could allow for remote code execution. (CVE-2024-40673)
- Multiple vulnerabilities in Framework that could allow for elevation of privilege. (CVE-2024-0044, CVE-2024-40676)
- Multiple vulnerabilities in System that could allow for elevation of privilege. (CVE-2024-40672, CVE-2024-40677)
Details of lower-severity vulnerabilities are as follows:
- A vulnerability in Framework that could allow for denial of service. (CVE-2024-40675)
- A vulnerability in System that could allow for denial of service. (CVE-2024-40674)
- Multiple vulnerabilities in Imagination Technologies. (CVE-2024-34732, CVE-2024-34733, CVE-2024-34748, CVE-2024-40649, CVE-2024-40651, CVE-2024-40669, CVE-2024-40670)
- Multiple vulnerabilities in MediaTek components. (CVE-2024-20100, CVE-2024-20101, CVE-2024-20103, CVE-2024-20090, CVE-2024-20092, CVE-2024-20091, CVE-2024-20093, CVE-2024-20094)
- Multiple vulnerabilities in Qualcomm components. (CVE-2024-33049, CVE-2024-33069, CVE-2024-38399)
- A vulnerability in Qualcomm closed-source components. (CVE-2024-23369)
Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches provided by Google to vulnerable systems, immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources. (M1017: User Training)
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible. (The safeguard’s stock examples, Apple® System Integrity Protection (SIP) and Gatekeeper™, are macOS controls and do not apply to Android devices.)
- Safeguard 13.10: Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
REFERENCES:
Google:
https://source.android.com/docs/security/bulletin/2024-10-01
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0044
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20100
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20101
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20103
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23369
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33069
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34748
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38399
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40649
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40669
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40670
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40672
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40673
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40675
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40676
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40677
Submit Comments | Draft Report: Attribute Validation Services for Identity Management
In this digital age, the accurate identification of individuals is paramount to ensuring security, privacy, and trust in online interactions. Whether it’s for accessing medical records, applying for benefits, or engaging in other high-stakes transactions, the need to confirm the identity and attributes of individuals is crucial. The draft NIST report Attribute Validation Services for Identity Management delves into the architecture, security, privacy, and operational considerations surrounding Attribute Validation Services (AVS), offering considerations for government agencies seeking to implement these critical services.
At its core, an attribute is a “quality or characteristic ascribed to someone or something,” such as a person’s date of birth, residential address, or Social Security Number. Attributes are essential in confirming an individual’s identity or their eligibility to access certain services or information. An AVS validates these attributes against reliable data sources to confirm their accuracy; this validation process plays a pivotal role in secure identity proofing, access control, and fraud prevention.
The draft NIST report Attribute Validation Services for Identity Management positions AVS as a cornerstone of secure, privacy-preserving digital identity management. Whether through traditional query-based models or emerging technology such as cryptographically verifiable attributes, AVSs can offer a reliable way to validate user attributes, reduce fraud, and improve access control. For government agencies, the report provides a foundation for building AVS solutions that enhance security while ensuring equity and privacy.
The public comment period is open through 11:59 pm Eastern Time on Friday, November 8, 2024. Comments may be submitted to [email protected].
Trinity Ransomware
The United States Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) released this Threat Actor Profile regarding a relatively new threat actor identified as Trinity Ransomware. Even though the analysis is focused on the Healthcare and Public Health (HPH) Sector, all agencies and organizations are encouraged to review the information contained in the Threat Actor Profile.
Trinity ransomware is a relatively new threat actor, known for employing a double extortion strategy. This method involves exfiltrating sensitive data before encrypting files, thereby increasing pressure on victims to pay the ransom. This ransomware uses the ChaCha20 encryption algorithm, and encrypted files are tagged with the .trinitylock file extension. Trinity operates a victim support site for decryption assistance and a leak site that displays their victims. It also shares similarities with two other ransomware groups—2023Lock and Venus—suggesting possible connections or collaborations among these threat actors. The group’s tactics and techniques are sophisticated, making them a significant threat to the US HPH. HC3 is aware of at least one healthcare entity in the United States that has fallen victim to Trinity ransomware recently.
This HC3 Threat Actor Profile provides an overview, likely tactics, techniques, and procedures, indicators of compromise, and recommended mitigations. This advisory is being provided to assist all agencies and organizations in guarding against the persistent malicious actions of cyber criminals.
New Chinese APT, Salt Typhoon, Targets ISPs
A suspected Chinese (PRC) state-sponsored cyber threat group known as Salt Typhoon was recently identified accessing multiple United States internet service providers (ISPs) to conduct cyber espionage. This cyberattack is just the latest in a series of campaigns sponsored by the Chinese government. Salt Typhoon’s actions are part of a larger Chinese strategy to conduct cyber operations to gain access to other countries’ infrastructure for espionage and potential disruption. These attacks on ISPs are particularly concerning as they can be used to compromise sensitive communications, establish a foothold for future cyberattacks, and impact national security.
Previously, PRC state-sponsored cyber threat group Volt Typhoon was observed exploiting a zero-day vulnerability in Versa Director, a software platform used by ISPs and managed service providers (MSPs) to manage SD-WAN infrastructure. The Federal Bureau of Investigation (FBI) issued a joint cybersecurity advisory listing the group’s tactics, techniques, and procedures (TTPs). The advisory confirmed that Volt Typhoon compromised the IT environments of multiple critical infrastructure organizations, including those in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors.
The FBI recently disrupted a portion of botnet infrastructure used by another PRC state-sponsored cyber threat group, Flax Typhoon. The botnet infrastructure contained hundreds of US-based small-office or home-office (SOHO) routers. The group commonly exploits vulnerabilities in networking appliances from companies such as Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco to gain initial access. Salt Typhoon and Flax Typhoon likely use similar techniques for initial infections. One source indicated that Salt Typhoon may also be recognized as GhostEmperor and FamousSparrow, which historically targets government entities and telecommunications in Southeast Asia using a rootkit named Demodex.
[Figure: APT40 TTP Activity Flowchart. Image Source: CISA]
Current and former US intelligence officials have expressed serious concern regarding the bold nature and persistent use of cyber operations to infiltrate critical infrastructure networks. FBI Director Christopher Wray stated that the cyber threat posed by the Chinese government is immense. Analysts assess that there are strong indicators that recent Salt Typhoon activity may be linked to China’s Ministry of State Security, particularly APT40 (also known as Gingham Typhoon), a group known for its expertise in intelligence collection. Based on recent federal agency alerts regarding PRC state-sponsored cyber campaigns, China has escalated from surveillance-only goals toward installing offensive capabilities to disrupt critical US civilian and military infrastructure.
Recommendations
Critical infrastructure administrators are encouraged to review analyses of recent state-sponsored cyber threat activity and apply recommendations to prevent victimization. Keep systems up to date and apply patches after appropriate testing. Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior. Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs). Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes. Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from information technology (IT) environments. Report cyber incidents to the FBI’s IC3.
Threat Actors Use Session Hijacking to Hunt for Cookies
As the implementation of multi-factor authentication (MFA) becomes prevalent, there is a growing surge in attempts to bypass, breach, and hijack its security measures. Threat actors have increasingly utilized session hijacking in attempts to bypass MFA checkpoints. In this attack, threat actors steal session cookies to take over a live user session. Threat actors can import these harvested session cookies into their browser to resume an active session without entering credentials or passing through MFA checkpoints.
Adversary-in-the-Middle (AitM), Browser-in-the-Middle (BitM) attacks and infostealing malware are prevalent session hijacking methods. During AitM attacks, threat actors set up a reverse proxy that captures HTTP requests sent from the victim’s browser to a genuine website after a victim visits a malicious domain. BitM’s technique involves tricking users into remotely controlling the threat actor’s browser, which allows threat actors to steal the user’s credentials and access confidential information saved on their device. Infostealers, commonly distributed through phishing attacks, are popular for harvesting session cookies. Unlike AitM and BitM attacks that typically target one account, infostealers can gather multiple credentials and session information and are not limited to active sessions.
Session hijacking attacks have become more prevalent, especially in ransomware operations, where threat actors utilize infostealers to compromise accounts. Threat actors have also previously compromised Google’s MultiLogin, allowing them to revive expired session tokens. While some browsers, such as Google Chrome, have taken steps to protect session cookies, threat actors have already claimed to have found methods to bypass these new security features.
Recommendations
Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats. Facilitate user awareness training to include these types of phishing-based techniques. Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools.
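The attack described above leaves a server-side trace: a cookie that was issued to one browser starts arriving from another. As an added example (written for this page, not from the original article or any vendor product), the Python below runs the behavior-based check the recommendations point at over a constructed access log: the first request seen for a session id fixes a client fingerprint (User-Agent and source /24 network), and later requests that present the same cookie with a different fingerprint are reported. The log format, session ids, addresses and User-Agent strings are all constructed for the example.

```python
import re
from ipaddress import ip_network

# Constructed sample access log (not from the original article). One line per
# authenticated request: timestamp, session cookie id, client IP, User-Agent.
# Session s2 roams between mobile networks with the same browser; session s1 is
# used from one Windows browser, then the same cookie appears from a Linux
# browser on another network, the pattern a stolen cookie leaves when it is
# imported into the attacker's browser.
SAMPLE_LOG = """\
2024-10-08T13:01:02Z sid=s1 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/129.0.0.0 Safari/537.36"
2024-10-08T13:05:17Z sid=s1 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/129.0.0.0 Safari/537.36"
2024-10-08T13:07:30Z sid=s2 ip=198.51.100.22 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
2024-10-08T13:12:09Z sid=s2 ip=198.51.100.77 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
2024-10-08T13:15:40Z sid=s2 ip=192.0.2.5 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
2024-10-08T13:20:45Z sid=s1 ip=192.0.2.200 ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/128.0.0.0 Safari/537.36"
"""

LOG_RE = re.compile(r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$')


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def client_network(ip, prefix=24):
    """Coarsen the client address so DHCP churn inside one network is not an alert."""
    return ip_network(f"{ip}/{prefix}", strict=False)


def detect_hijack(events):
    """Session binding check over a stream of requests.

    The first request for a session id fixes its fingerprint (User-Agent,
    source network). A changed User-Agent mid-session is rated high: a browser
    does not change its UA while a session is live, but an attacker importing
    the cookie into their own browser does. A network change alone is rated low,
    since mobile and VPN users legitimately roam.
    """
    baseline = {}
    findings = []
    for ev in events:
        fp = (ev["ua"], client_network(ev["ip"]))
        base = baseline.setdefault(ev["sid"], fp)
        if fp == base:
            continue
        ua_changed = fp[0] != base[0]
        findings.append({
            "ts": ev["ts"],
            "sid": ev["sid"],
            "ip": ev["ip"],
            "severity": "high" if ua_changed else "low",
            "reason": ("user-agent changed mid-session" if ua_changed
                       else "source network changed mid-session"),
        })
    return findings


if __name__ == "__main__":
    for f in detect_hijack(parse_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['severity']:4} sid={f['sid']} ip={f['ip']}: {f['reason']}")
```

On the sample input this yields one low finding for the roaming phone and one high finding for the replayed s1 cookie. A check like this catches cookie replay from a second browser (the infostealer and BitM cases); it does not stop an AitM reverse proxy that relays the live session in real time, which is why phishing-resistant MFA and short session lifetimes remain the primary controls and this is a detection layer behind them.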
Guidance on Principles of OT Cybersecurity for Critical Infrastructure Organizations
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)—in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), United States government, and international partners—released the Principles of Operational Technology Cybersecurity guide. This guidance provides critical information on how to create and maintain a safe, secure operational technology (OT) environment.
The six principles outlined in this guide are intended to aid organizations in identifying how business decisions may adversely impact the cybersecurity of OT and the specific risks associated with those decisions. Filtering decisions that impact the security of OT will enhance the comprehensive decision-making that promotes security and business continuity.
CISA encourages critical infrastructure organizations to review the best practices and implement the recommended actions, which can help ensure the proper cybersecurity controls are in place to reduce residual risk in OT decisions.
For more information on OT cybersecurity, review CISA’s Industrial Control Systems page and the Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems Joint Cybersecurity Advisory to help critical infrastructure organizations manage and enhance their OT cybersecurity.