Volt Typhoon Targets Legacy Cisco Routers in New Campaign

A Chinese state-backed hacking group is targeting legacy devices, primarily Cisco routers, to expand its attack infrastructure in a new campaign that marks a notable strategic shift in its threat activity. Volt Typhoon, an emerging advanced persistent threat (APT) group identified last year, is exploiting two known vulnerabilities, CVE-2019-1653 and CVE-2019-1652, to compromise Cisco RV320/325 routers that were discontinued in 2019. Neither vulnerability has a patch available. In its latest campaign, the threat group is leveraging a botnet of compromised small office/home office (SOHO) devices linked to previous attacks attributed to Volt Typhoon. Notably, Volt Typhoon’s botnet infrastructure communicated with 27 IP addresses that host 69 sites belonging to government entities in the United States, the United Kingdom, and Australia.
New Indicators of Compromise (IOCs) and Shifting Tactics
SecurityScorecard’s STRIKE team released a report detailing their research into the group’s latest campaign after discovering that the group compromised approximately 30 percent of the Cisco RV320-325 routers observed by the team over a 37-day period. Of the 1,116 target devices analyzed, the team identified 325 devices communicating with two IP addresses of known proxies used by Volt Typhoon actors. The threat group is also deploying a custom web shell to maintain access to the compromised devices, which can be identified by the filename “fy.sh.”
Additionally, the STRIKE team uncovered multiple new IP addresses linked to the group’s activity, providing further evidence of its intent to develop new attack infrastructure.
While Volt Typhoon continues to target SOHO devices, which are well suited to concealing malicious traffic, the group has shifted towards targeting legacy systems. The targeted Cisco routers are currently affected by 35 vulnerabilities that may be left unaddressed. This tactic represents a significant shift, as focusing on end-of-life devices requires knowledge of older systems and their associated vulnerabilities, which may not be widely known.

Power AI Innovations with Purpose-Built AI Infrastructure

Advances in cloud performance are paving the way for the acceleration of AI innovations across simulations, science, and industry. As the complexity of AI models grows exponentially, Microsoft is leveraging a decade of experience in supercomputing and in supporting the largest AI training workloads to develop purpose-built, optimized AI infrastructure for any scale.

Join this webinar and learn about:
– Azure’s proven performance for generative AI advancements across both Microsoft and customers.
– Purpose-built AI infrastructure design and optimization.
– How Azure’s AI infrastructure, combined with our overall AI solution stack, addresses these challenges for customers of all sizes.

Azure webinar series
Power AI Innovations with Purpose-Built AI Infrastructure

Thursday, January 25, 2024
10:00 AM–11:00 AM Pacific Time

Note: If someone forwarded you this e-mail, you won’t be able to use the instant registration link. Register here instead. Registering with the button below will sign you up for this event using the e-mail address where you received this mail as well as the full name, contact information, company, and country you previously provided.
 
Register instantly >

NICE Webinar: Expanding Cybersecurity Learning and Workforce Opportunities for Rural Americans

Synopsis
As we seek to attract underrepresented communities to the cybersecurity workforce, a demographic that is often overlooked and underserved is Americans who live in the rural and remote areas of the United States. While rural America has become more economically diverse and access to information technology has improved in recent years, learners in rural areas still experience challenges compared to their urban counterparts. The challenges include limited broadband access, limited access to quality education and training, sparse job opportunities, lack of economic diversity, and transportation or community barriers*. However, as rural broadband access improves, access to online learning content becomes ubiquitous, and remote work or telework becomes more prevalent, rural Americans represent an untapped resource for addressing the cybersecurity workforce needs of employers. This webinar will explore promising practices and policies for expanding access and opportunity for rural Americans to pursue cybersecurity careers.
*Source: Navigating Challenges Faced by Rural American Job Seekers: A Comprehensive Guide (Center for Workforce Inclusion, August 22, 2023)

Register Here  

Multiple Vulnerabilities in VMware Products

Multiple vulnerabilities have been discovered in VMware vCenter Server and Cloud Foundation, the most severe of which could allow for remote code execution. VMware vCenter Server is the centralized management utility for VMware. VMware Cloud Foundation is a multi-cloud platform that provides a full-stack hyperconverged infrastructure (HCI) that is made for modernizing data centers and deploying modern container-based applications. Successful exploitation of these vulnerabilities could allow for remote code execution in the context of the administrator account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Threat Intelligence
VMware is aware of confirmed reports that CVE-2023-34048 has been exploited in the wild.
Systems Affected
VMware vCenter Server versions prior to 8.0U2
VMware vCenter Server versions prior to 8.0U1d
VMware vCenter Server versions prior to 7.0U3o
VMware Cloud Foundation (VMware vCenter Server) versions prior to KB88287
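As an added example (not part of the advisory or of VMware’s own tooling), the following Python check parses vCenter Server release strings in the form listed above and flags a release as affected when it sits below every fixed release on its 7.0 or 8.0 code line. The hostnames and versions in the sample inventory are constructed, and the Cloud Foundation baseline (a KB number rather than a version) is not handled.

```python
import re

# Fixed vCenter Server releases named in the advisory (VMSA-2023-0023).
# "versions prior to X" means every release below X on that code line is affected.
FIXED_RELEASES = ["8.0U2", "8.0U1d", "7.0U3o"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:U(\d+))?([a-z]?)$")


def parse_version(s):
    """Turn a vCenter release string such as '7.0U3n', '8.0U1' or '8.0c' into a
    comparable tuple (major, minor, update, letter_rank). No 'U' part means
    update 0; no letter suffix ranks below the '...a' patch release."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {s!r}")
    major, minor, update, letter = m.groups()
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(update or 0), letter_rank)


def is_affected(version):
    """True when the release is below every fixed release on its major.minor
    code line. Lines the advisory does not list (e.g. 6.7) are returned as
    affected so they are surfaced for manual review rather than silently passed."""
    v = parse_version(version)
    same_line = [parse_version(f) for f in FIXED_RELEASES
                 if parse_version(f)[:2] == v[:2]]
    if not same_line:
        return True
    return all(v < f for f in same_line)


def triage(inventory):
    """Map {hostname: version} to {hostname: affected?} for a fleet inventory."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory for demonstration; these are not real hosts.
    sample = {"vc-prod-01": "7.0U3n", "vc-prod-02": "7.0U3o",
              "vc-lab-01": "8.0U1c", "vc-lab-02": "8.0U2", "vc-old": "8.0c"}
    for host, flag in triage(sample).items():
        print(f"{host:12s} {sample[host]:8s} {'AFFECTED' if flag else 'fixed'}")
```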
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Technical Summary
Multiple vulnerabilities have been discovered in VMware vCenter Server and Cloud Foundation, the most severe of which could allow for remote code execution.
Recommendations
– Apply appropriate updates provided by VMware to vulnerable systems immediately after appropriate testing.
– Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
– Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
– Use intrusion detection signatures to block traffic at network boundaries.
– Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
References
VMware:
https://www.vmware.com/security/advisories/VMSA-2023-0023.html
SecurityWeek:
https://www.securityweek.com/vmware-vcenter-server-vulnerability-exploited-in-wild/
Mandiant:
https://www.mandiant.com/resources/blog/chinese-vmware-exploitation-since-2021
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34056

Security issue with Ivanti Connect Secure and Ivanti Policy Secure solutions

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 24-01, which requires Federal Civilian Executive Branch (FCEB) agencies to immediately implement vendor-published mitigation guidance for Ivanti Connect Secure and Ivanti Policy Secure solutions to prevent future exploitation, and to run the vendor’s Integrity Checker Tool to identify any active or past compromise.
Last week, Ivanti released information regarding two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, that allow an attacker to move laterally across a target network, perform data exfiltration, and establish persistent system access. CISA has determined an Emergency Directive is necessary based on the widespread exploitation of these vulnerabilities by multiple threat actors, the prevalence of the affected products in the federal enterprise, the high potential for compromise of agency information systems, and the potential impact of a successful compromise.
While this Directive only applies to FCEB agencies, the threat extends to every sector using these products and we urge all organizations to adopt this guidance.

NORTH AMERICA MCT SUMMIT 8-9 MARCH 2024

Join other MCTs, industry experts, and guest speakers to learn a lot and have some fun.

This is a premier opportunity to update your skills and network.

Learn what you need to know to be successful.

The event will be held 8-9 March 2024 at the Aloft Seattle Redmond | Element by Westin hotel in Redmond, WA.

The hotel is walking distance to the Microsoft campus.

To Register or learn more go here

Measurement Guide for Information Security: Draft of NIST SP 800-55 Available for Comment

The initial public drafts (ipd) of NIST Special Publication (SP) 800-55, Measurement Guide for Information Security, Volume 1 — Identifying and Selecting Measures, and Volume 2 — Developing an Information Security Measurement Program, are now available for public review and comment through March 18, 2024. 

This update to SP 800-55 is comprised of two volumes. Volume 1 — Identifying and Selecting Measures is a flexible approach to the development, selection, and prioritization of information security measures. This volume explores both quantitative and qualitative assessments and provides basic guidance on data analysis techniques, as well as impact and likelihood modeling. Volume 2 — Developing an Information Security Measurement Program is a flexible methodology for developing and implementing a structure for an information security measurement program.

To facilitate continued collaboration, the Cybersecurity Risk Analytics and Measurement Team proposes the establishment of a Community of Interest (CoI) in which practitioners and other enthusiasts can work together to identify cybersecurity measurement needs, action items, solutions to problems, and opportunities for improvement. Individuals and organizations who work or are planning to work with SP 800-55 and are interested in joining the Cybersecurity Measurement and Metrics CoI can contact the Cybersecurity Risk Analytics and Measurement Team at cyber-measures@list.nist.gov.

Submit Your Comments

The public comment period for both drafts is open through March 18, 2024. See the publication details for volumes 1 and 2 to download the documents and comment templates. We strongly encourage you to comment on all or parts of both volumes and use the comment templates provided.

Please direct questions and submit comments to cyber-measures@list.nist.gov.
NIST Cybersecurity and Privacy Program
Questions/Comments about this notice: cyber-measures@list.nist.gov
CSRC Website questions: csrc-inquiry@nist.gov

NIST Offers Guidance on Measuring and Improving Your Company’s Cybersecurity Program

Imagine you’re the new head of cybersecurity at your company. Your team has made a solid start at mounting defenses to ward off hackers and ransomware attacks. As cybersecurity threats continue to mount, you need to show improvements over time to your CEO and customers. How do you measure your progress and present it using meaningful, numerical details?

You might want a road map for creating a practical information security measurement program, and you’ll find it in newly revised draft guidance from the National Institute of Standards and Technology (NIST). The two-volume document, whose overall title is NIST Special Publication (SP) 800-55 Revision 2: Measurement Guide for Information Security, offers guidance on developing an effective program, and a flexible approach for developing information security measures to meet your organization’s performance goals. NIST is calling for public comments on this initial public draft by March 18, 2024.

Read More

Vulnerability in Apache OFBiz

A vulnerability has been discovered in Apache OFBiz which could allow for remote code execution. Apache OFBiz is an open source product for the automation of enterprise processes. It includes framework components and business applications for ERP, CRM, E-Business/E-Commerce, Supply Chain Management and Manufacturing Resource Planning. Successful exploitation could allow for remote code execution in the context of the server. Depending on the privileges associated with the logged-on user, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
The Hacker News is reporting that this vulnerability has been exploited in the wild, and PoC (Proof of Concept) code for Remote Code Execution is available on GitHub.
Systems Affected
Apache OFBiz versions 18.12.10 and below
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Technical Summary
A vulnerability has been discovered in Apache OFBiz which could allow for remote code execution.
Recommendations
– Apply appropriate updates provided by Apache to vulnerable systems immediately after appropriate testing.
– Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
– Use vulnerability scanning to find potentially exploitable software vulnerabilities and remediate them.
– Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information.
– Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.
– Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
– Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
References
Apache:
https://lists.apache.org/thread/9tmf9qyyhgh6m052rhz7lg9vxn390bdv
SonicWall:
https://blog.sonicwall.com/en-us/2023/12/sonicwall-discovers-critical-apache-ofbiz-zero-day-authbiz/
The Hacker News:
https://thehackernews.com/2024/01/new-poc-exploit-for-apache-ofbiz.html
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51467

Register for the NIST Workshop on Secure Development for AI Models (January 17th 9:00am EST)

Date/Time: Wednesday, January 17th, 2024 / 9:00 AM – 1:00 PM EST

We look forward to welcoming you to NIST’s Virtual Workshop on Secure Development Practices for AI Models on January 17. This workshop is being held in support of Executive Order (EO) 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. EO 14110 tasked NIST with “developing a companion resource to the Secure Software Development Framework [SSDF] to incorporate secure development practices for generative AI and for dual-use foundation models.”

What You Will Learn

This workshop will bring together industry, academia, and government to discuss secure development practices for AI models. Feedback from these communities will inform NIST’s creation of SSDF companion resources to support both AI model producers and the organizations who are adopting those AI models within their own software and services. Also, attendees will gain insights on major cybersecurity challenges in developing and using AI models, as well as recommended practices for addressing those challenges.

We Want to Hear from You

Participants are encouraged to share their input during the workshop. Your feedback will inform the SSDF companion resources that NIST will be developing in support of EO 14110.

Visit the NIST workshop page to learn more. If you have any questions, feel free to reach out to our team at ssdf@nist.gov.

*Registration for this event is required so the webinar connection details can be shared with you.

Register Now