Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations

The Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners are releasing this Joint Cybersecurity Advisory to warn of Russian state-sponsored cyber actors’ use of compromised Ubiquiti EdgeRouters to facilitate malicious cyber operations worldwide.
The FBI, NSA, US Cyber Command, and international partners assess that the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS), also known as APT28, Fancy Bear, and Forest Blizzard (Strontium), has used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spearphishing landing pages and custom tools.
The US Department of Justice, including the FBI, and international partners recently disrupted a GRU botnet consisting of such routers. However, owners of relevant devices should take the remedial actions described in the advisory to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises.

#StopRansomware: Phobos Ransomware

This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this Joint Cybersecurity Advisory to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open-source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million US dollars.
The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents.

NJCCIC: Beware of Active Subdomain Hijacking Operation

Subdomain hijacking occurs when threat actors gain control of a subdomain of a legitimate domain by taking over unused or abandoned subdomains or by exploiting misconfigured DNS records. They systematically scan for forgotten subdomains whose CNAME records dangle, pointing at abandoned domains, using either specific targeting or automated tools. The threat actors then register these subdomains under their own ownership to host malicious content or to initiate additional attacks, such as hosting phishing landing pages designed to harvest login credentials. Additionally, the DNS SPF record of a known domain may still reference unused or abandoned subdomains associated with obsolete email or marketing-related services. Threat actors can take ownership of those subdomains, inject their IP address into the SPF record, and send email on behalf of the primary domain name.
Since 2022, researchers have tracked a sophisticated subdomain hijacking operation dubbed SubdoMailing. Over 8,000 domains and 13,000 subdomains belonging to legitimate brands and organizations have been impacted, including VMware, McAfee, Symantec, the Better Business Bureau, and more. While subdomain hijacking is not new, what is concerning about this operation is the magnitude of domains and subdomains already identified as compromised, with the count still growing. Successful attacks of this kind can lead to reputational damage, financial losses, operational disruption, data breaches, phishing and fraud, and malware distribution.
The threat actor behind the SubdoMailing operation, ResurrecAds, leverages trusted domains and a sophisticated distribution architecture to bypass email authentication controls and send millions of spam and phishing emails daily. The emails are designed to appear legitimate and to evade standard text-based spam filters by consisting of an image that, if clicked, triggers a series of click-redirects through different domains. The redirects check the device type and geographic location to tailor the content and maximize profit, serving malicious advertisements, affiliate links, quiz scams, phishing websites, or malware downloads.

The NJCCIC recommends that domain administrators and site owners use Guardio Labs' SubdoMailing checker tool and website, which is updated daily, to search for impacted domains as detected by their systems. The search results for affected domains display details of known abuses, the type of hijack, and the relevant subdomains and SPF records in need of attention. Guardio Labs also offers recommendations, including monitoring all CNAME records, monitoring SPF policies, removing permissive SPF settings, and implementing DMARC. In addition, regularly check DNS records for unauthorized changes and for unused or abandoned subdomains, train designated employees to recognize subdomain hijacking through unusual changes to DNS records or website traffic, and confirm that no CNAME record of an organization domain still references a third-party server before that server is deleted. If feasible, consider registering the domain name as intellectual property to provide legal protection in the event of a hijacking. Registrars also recently gained the option to block the registration of domains with similar appearances or spellings, or that otherwise infringe on brand names, to protect trademarks and help prevent malicious usage.
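As an added example of the CNAME and SPF checks recommended above (this script is not part of the NJCCIC advisory or of Guardio's tool), the following Python audits a DNS zone export for the two takeover indicators the advisory describes: CNAME records whose target no longer resolves, and SPF records that are permissive or that include a domain that no longer resolves. The zone records in `ZONE` and the set of still-resolvable names in `RESOLVABLE` are constructed inline so the script runs offline; in a real audit, `ZONE` would come from your DNS provider's export and `RESOLVABLE` from live lookups of each CNAME and include target.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample zone export: (owner name, record type, record data).
ZONE: List[Tuple[str, str, str]] = [
    ("www.example.com", "CNAME", "example.github.io"),
    ("promo2019.example.com", "CNAME", "old-campaign.marketing-saas.example"),
    ("shop.example.com", "CNAME", "storefront.cloud-shop.example"),
    ("example.com", "MX", "10 mail.example.com"),
    ("example.com", "TXT",
     "v=spf1 ip4:198.51.100.0/24 include:legacy-mailer.example "
     "include:_spf.mail.example ?all"),
]

# Constructed: names that still answered a live DNS query when the export was
# taken. A real audit fills this by resolving every CNAME and include target.
RESOLVABLE: Set[str] = {
    "example.github.io",
    "storefront.cloud-shop.example",
    "_spf.mail.example",
}

# SPF term grammar (RFC 7208): optional qualifier, mechanism or modifier,
# optional argument after ':' (mechanisms) or '=' (redirect modifier).
SPF_TERM = re.compile(
    r"^([+\-~?]?)(all|include|ip4|ip6|a|mx|ptr|exists|redirect)(?:[:=](.+))?$",
    re.IGNORECASE,
)
# Terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def find_dangling_cnames(zone, resolvable) -> List[Tuple[str, str]]:
    """CNAMEs whose target no longer resolves: the takeover candidates described above."""
    return [(name, target) for name, rtype, target in zone
            if rtype == "CNAME" and target.lower() not in resolvable]


def parse_spf(txt: str) -> List[Tuple[str, str, str]]:
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    if not txt.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    terms = []
    for term in txt.split()[1:]:
        match = SPF_TERM.match(term)
        if match is None:
            continue  # unknown modifiers are ignored, as RFC 7208 requires
        qualifier, mechanism, argument = match.groups()
        terms.append((qualifier or "+", mechanism.lower(), (argument or "").lower()))
    return terms


def audit_spf(txt: str, resolvable) -> List[str]:
    """Flag the SPF weaknesses the advisory warns about, plus the RFC lookup limit."""
    findings: List[str] = []
    lookups = 0
    for qualifier, mechanism, argument in parse_spf(txt):
        if mechanism in LOOKUP_TERMS:
            lookups += 1
        if mechanism == "all" and qualifier in ("+", "?"):
            findings.append(
                f"permissive '{qualifier}all': unauthorised senders pass or are neutral; "
                "end the record with '-all' (or '~all')")
        if mechanism in ("include", "redirect") and argument not in resolvable:
            findings.append(
                f"{mechanism}:{argument} names a domain that no longer resolves; "
                "whoever registers it can publish an SPF record of their own")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def audit_zone(zone, resolvable) -> Dict[str, List[str]]:
    """Run both checks over an export and return findings keyed by record owner."""
    report: Dict[str, List[str]] = {}
    for name, target in find_dangling_cnames(zone, resolvable):
        report.setdefault(name, []).append(f"dangling CNAME -> {target}")
    for name, rtype, data in zone:
        if rtype == "TXT" and data.lower().startswith("v=spf1"):
            for finding in audit_spf(data, resolvable):
                report.setdefault(name, []).append(f"SPF: {finding}")
    return report


if __name__ == "__main__":
    for owner, issues in audit_zone(ZONE, RESOLVABLE).items():
        for issue in issues:
            print(f"{owner}: {issue}")
```

On the constructed data the script reports the forgotten `promo2019` CNAME and two SPF problems on `example.com`: the stale `include:legacy-mailer.example` and the neutral `?all`. Running it against a real export is only as good as the `RESOLVABLE` set, so resolve each target at audit time rather than trusting a cached list.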
 
We recommend that users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders, and exercise caution with communications from known senders. If unsure of the legitimacy, contact the sender via a separate means of communication, such as by phone, from trusted sources before taking action. If you suspect your PII has been compromised, please review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes and enabling MFA on accounts. Additionally, we advise reporting suspicious or fraudulent correspondence to the respective entity. Impersonation scams and other malicious cyber activity can be reported to the NJCCIC.

Non-Fungible Token (NFT) Security: NIST IR 8472 is Now Available

NIST has published the final version of Internal Report (IR) 8472, Non-Fungible Token Security.

Non-fungible token (NFT) technology provides a mechanism to sell and exchange both virtual and physical assets on a blockchain. While NFTs are most often used for autographing digital assets (associating one’s name with a digital object), they utilize a strong cryptographic foundation that may enable them to regularly support ownership-transferring sales of digital and physical objects. For this, NFT implementations need to address potential security concerns to reduce the risk to purchasers.

This publication:

  • Defines NFTs
  • Identifies 11 properties that should be provided by most correctly functioning and secured NFT implementations
  • Evaluates each property to reveal 27 potential security concerns
Read More

Unveiling NICE Framework Components v1.0.0: Explore the Latest Updates Today!

Work Role Categories and Work Roles
  • Minor changes to Work Role Category names, descriptions, and ordering to create a more uniform and complementary approach modeled after technology lifecycles
  • Updates to Work Role names, descriptions, and IDs to reflect category updates and to differentiate Work Role functions from job titles
  • New Insider Threat Analysis Work Role with associated TKS statements
Competency Areas
  • 11 Competency Areas with descriptions
Task, Knowledge, and Skill (TKS) Statements
  • Updates to align TKS statements with the TKS Authoring Guide principles
  • Removal of duplicate and redundant statements
  • Edits to address inconsistent and unclear language

You can access version 1.0.0 of the NICE Framework components in the NICE Framework Resource Center. Also available is a summary of changes and the NICE Framework Components Mapping: 2017 to Version 1.0.0 (March 2024) spreadsheet.
Future Iterations of NICE Framework Components
Version 1.0.0 of the NICE Framework components is the first official published version since 2017. The NICE Program Office intends to take a software update versioning approach for NICE Framework components, with a mix of minor and major updates over time. While users of the NICE Framework are always encouraged to reference the most recent published version of the components, users may choose to continue using older versions. Please note that outdated versions may not be supported by the NICE Program Office. A record of versions of the NICE Framework can be found on the NICE Framework History and Change Logs webpage.

Stay Connected!

If you have ideas for new Work Roles, updates to existing components, or would like to be involved in identifying Competency Area statements, let us know: [email protected]. In addition, the NICE Program Office will continue to look at ways to support use of the NICE Framework in various tools and through alignments by developing new support resources. Stay in touch to learn about these efforts and how to get involved by joining the NICE Framework Users Group.
Find out more:
Learn more about the NICE Framework evolution, how it can be used, and how to engage in its continued development at the NICE Framework Resource Center. Updated and new resources have been added, including:
  • Getting Started with the NICE Framework
  • NICE Framework Frequently Asked Questions
  • NICE Framework Revision Process
  • NICE Framework Change Request FAQs
  • NICE Framework History and Change Logs

NIST to Revise Special Publication 800-38D | Galois/Counter Mode (GCM) and GMAC Block Cipher Modes

In August 2021, NIST’s Crypto Publication Review Board initiated a review process for NIST Special Publication (SP) 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC (2007).

On August 23, 2023, NIST proposed to revise SP 800-38D and received two public comments in response.

NIST has decided to revise SP 800-38D. See the full announcement for more details, links to comments received, and ways to monitor future developments.

Read More

Explore the strategies used to disrupt cybercrime group, Storm-1152

Here is an interesting article from Microsoft on how Russian cyberthreat actors work.

Gain insight into the cybercrime ecosystem with this overview of the Storm-1152 organization and the disruption of their fraudulent activities. Read the story from the Microsoft Digital Crimes Unit on Security Insider to:

  • Learn how Storm-1152 created and sold fraudulent Microsoft accounts that bypassed identity verification systems.
  • Discover how cybercriminals used Storm-1152 services to conduct cyberattacks like ransomware.
  • See how Microsoft and its partners seized Storm-1152’s websites and disrupted its operations.

Discover how Russian cyberthreat actors are exploiting war fatigue
Get a behind-the-scenes look at how Russia is using cyberattacks to gain an advantage in the war in Ukraine.

Learn more

Just Published | Final SP 800-66r2, Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide

NIST published the final version of Special Publication (SP) 800-66r2 (Revision 2), Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide. This publication, revised in collaboration with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, provides guidance for regulated entities (i.e., HIPAA-covered entities and business associates) on assessing and managing risks to electronic Protected Health Information (ePHI), identifies typical activities that a regulated entity might consider implementing as part of an information security program, and presents guidance that regulated entities can utilize in whole or in part to help improve their cybersecurity posture and assist with achieving compliance with the HIPAA Security Rule.

To assist regulated entities, key document content has been posted online. A list of resources (e.g., guidance, templates, tools) that regulated entities can consult for assistance about particular topics has been hosted on the SP 800-66r2 web page (see under “Supplemental Material” in the gray Documentation box). Additionally, the key activities, descriptions, and sample questions from the tables in Section 5 of the publication have been posted in NIST’s Cybersecurity and Privacy Reference Tool (CPRT). The content in CPRT also includes mappings of the HIPAA Security Rule’s standards and implementation specifications to NIST Cybersecurity Framework Subcategories and SP 800-53r5 security controls as well as listings of NIST publications relevant to each HIPAA Security Rule standard. Readers may draw upon these NIST publications and mappings for assistance in implementing HIPAA Security Rule standards and implementation specifications.

NIST appreciates and looks forward to further collaboration and feedback from the community. Questions or ideas?

Reach out to us at [email protected].

Read More

NIST: New PPFL Blog Post and CRC Update

In our last privacy-preserving federated learning blog post, we discussed known privacy attacks in federated learning and provided recent examples from the research literature. In this new post, Data Distribution in Privacy-Preserving Federated Learning, we define and explain the different ways data can be distributed, or partitioned, among participants in federated learning systems.  Learn more in the third post in our series.   

Data Distribution in Privacy-Preserving Federated Learning by David Darais, Joseph Near, Dave Buckley, and Mark Durkee

Read the post.  

In addition to our new blog post, we have an update on our NIST Collaborative Research Cycle (CRC), an ongoing effort to benchmark, compare, and investigate deidentification technologies. The CRC program asks the research community to deidentify a compact and interesting dataset called the NIST Diverse Communities Data Excerpts, demographic data from communities across the U.S. sourced from the American Community Survey. We’ve received more than 450 deidentified instances of the data along with detailed abstracts describing how each was privatized. Approaches include differential privacy, generative adversarial networks, k-anonymity, statistical disclosure limitations and many others from both open-source tools and proprietary algorithms. We conducted an extensive standardized evaluation of each deidentified instance using a host of fidelity, utility, and privacy metrics, using our tool, SDNist. We’ve packaged the data, abstracts, and evaluation results into a human- and machine-readable archive. The research community is currently using these tools to drive research. 

In December, we held a workshop showcasing research efforts using the CRC resources. See the CRC website to access recordings of the sessions and the draft proceedings. The program continues to accept data and will be planning additional workshops. Subscribe to the CRC mailing list for updates. 

We encourage readers to ask questions and share knowledge using the contribute section of the Privacy Engineering Collaboration Space. You can also contact us at [email protected] or [email protected].

Meanwhile—stay tuned for the next privacy-preserving federated learning blog post!  


All the best, 
NIST Privacy Engineering Program

Overview of the NIST Cybersecurity Framework (CSF) 2.0 Small Business Quick Start Guide

Event Date: March 20, 2024

Event Time: 2:00 p.m. to 2:45 p.m. ET

Event Location: Virtual

Event Description:

Did you hear the big news? The NIST Cybersecurity Framework 2.0 was published on February 26, 2024. If that wasn’t exciting enough, we also published the CSF 2.0 Small Business Quick Start Guide along with it.

As a supplement to the CSF 2.0, the new Small Business Quick Start Guide provides small- to medium-sized businesses (SMBs) with resources and considerations to kick-start their cybersecurity risk management strategy using the CSF 2.0.

During the webinar on March 20, 2024, we will spend 30 minutes providing an overview of the Small Business Quick Start Guide and highlighting other new CSF 2.0 resources, and we will reserve 15 minutes at the end for audience questions.

Register Here