Calculating the severity of information technology vulnerabilities
is important for prioritizing vulnerability remediation and helping to
understand the risk of a vulnerability. The Common Vulnerability Scoring System
(CVSS) is a widely used approach to evaluating properties that lead to a
successful attack and the effects of a successful exploitation. CVSS is managed
under the auspices of the Forum of Incident Response and Security Teams (FIRST)
and is maintained by the CVSS Special Interest Group (SIG). Unfortunately,
ground truth upon which to base the CVSS measurements has not been available.
Thus, CVSS SIG incident response experts maintain the equations by leveraging
CVSS SIG human expert opinion.
This work evaluates the accuracy of the CVSS “base score”
equations and shows that they represent the CVSS maintainers’ expert opinion to
the extent described by these measurements. NIST requests feedback on the
approach, the significance of the results, and any CVSS measurements that
should have been conducted but were not included within the initial scope of
this work. Finally, NIST requests comments on sources of data that could
provide ground truth for these types of measurements.
The public comment review period for this draft is open through
July 29, 2022. See the publication
details for instructions on how to submit comments.
NIST is in the process of a periodic review and maintenance of its
cryptography standards and guidelines.
This announcement initiates the review of Federal Information Processing
Standard (FIPS) 180-4, Secure Hash
Standard (SHS), 2015.
NIST requests public
comments on all aspects of FIPS 180-4. Additionally, NIST would
appreciate feedback on the following two areas of particular concern:
SHA-1. In recent years, the cryptanalytic attacks on the SHA-1
hash function have become increasingly severe and practical (see, e.g., the 2020
paper “SHA-1 is a Shambles” by Leurent and Peyrin).
NIST, therefore, plans to remove SHA-1 from a revision of FIPS 180-4 and
to deprecate and eventually disallow all uses of SHA-1. The Cryptographic
Module Validation Program will establish a validation
transition schedule.
* How will this plan impact fielded and
planned SHA-1 implementations?
* What should NIST consider in establishing the timeline for
disallowing SHA-1?
Interface. The “Init, Update, Final” interface was part
of the SHA-3 Competition submission requirements. Should a revision of
FIPS 180-4 discuss the “Init, Update, Final” hash function interface?
The public comment period is open through September 9, 2022. Comments
may address the concerns raised in this announcement or other issues around
security, implementation, clarity, risk, or relevance to current
applications.
Traditional business impact analyses (BIAs) have been successfully
used for business continuity and disaster recovery (BC/DR) by triaging damaged
infrastructure recovery actions that are primarily based on the duration and
cost of system outages (i.e., availability compromise). However, BIA analyses
can be easily expanded to consider other cyber-risk compromises and remedies.
This initial
public draft of NIST IR 8286D, Using Business Impact Analysis to Inform Risk Prioritization and
Response, provides comprehensive asset confidentiality and
integrity impact analyses to accurately identify and manage asset risk
propagation from system to organization and from organization to enterprise,
which in turn better informs Enterprise Risk Management deliberations. This document
adds expanded BIA protocols to inform risk prioritization and response by
quantifying the organizational impact and enterprise consequences of
compromised IT Assets.
The public comment period for this draft is open through July 18,
2022. See the publication
details for a copy of the draft and instructions for submitting
comments.
NIST is leveraging the new Special Publication (SP) 800-53 Public
Comment Site for its first round of public comments. Participate in the
inaugural 30-day public comment period
for a minor (errata) release of SP 800-53, Revision 5, Security and Privacy Controls for
Information Systems and Organizations. The minor release will
result in corrections to the current publication but will not introduce new
technical information or requirements. Submit your comments on proposed changes using the Public Comment
Site through August 12, 2022.
All proposed changes to SP 800-53 (“candidates”) for
review and comment are available online.
Candidates can be filtered by control family, control name, and submission
date. To view the specific changes for each control or control enhancement and
provide your feedback, select the Tracking Number on the Candidates page.
The SP 800-53 Public Comment Site is designed to:
* Reduce the level of effort needed for stakeholders to review and comment on
proposed changes (“candidates”)
* Feature new and updated controls and control enhancements and highlight
specific changes
* Increase transparency and promote community engagement by making comments
on candidates publicly available
* Provide traceability on submitted feedback through automatic updates
Learn more about
the SP 800-53 Comment Site, and leverage the online User Guide for
step-by-step instructions on how to participate in the public comment process,
available under “View Candidates” and “Provide comments on
candidates.”
NIST looks forward to stakeholder feedback on the proposed changes
(“candidates”) for the first minor release using the online platform.
The end result of this effort will be the second update of SP 800-53 Rev. 5.
Please direct your questions to 800-53comments@list.nist.gov.
Protecting Controlled
Unclassified Information: Pre-Draft Call for Comments on the CUI Series
NIST is seeking information for a planned update of the Controlled
Unclassified Information (CUI) series of publications, starting with Special
Publication (SP) 800-171, Protecting
Controlled Unclassified Information in Nonfederal Systems and Organizations. This Pre-Draft
Call for Comments solicits feedback from interested parties to
improve SP 800-171 and its supporting publications, SP 800-171A, SP 800-172,
and SP 800-172A.
NIST seeks your feedback on the use, potential updates, and
opportunities for ongoing improvement to the CUI series. Potential topics for
comments and feedback range from how organizations are currently using the CUI
series of publications – including how the series is being used with other
frameworks and standards (e.g., NIST Risk Management Framework, NIST
Cybersecurity Framework, GSA Federal Risk and Authorization Management Program
[FedRAMP], DOD Cybersecurity Maturity Model Certification [CMMC], etc.) – to
suggestions for features of the CUI series that should be modified, added, or
removed.
A Florida-based CEO was charged with selling
$1 billion worth of counterfeit Cisco equipment imported from China, according
to the Department of Justice.
The Justice Department announced in a release
on Friday that they arrested 38-year-old Onur Aksoy for allegedly running
multiple stores that sold fraudulent Cisco hardware. The DOJ alleged that Aksoy
imported the fake equipment from China and resold it to customers including
hospitals, schools, government agencies, and the military under the company
name “Pro Network” to make it appear legitimate.
According to a DOJ complaint filed in 2013,
Aksoy bought counterfeit hardware at “95 to 98%” lower than authentic
Cisco products. The counterfeit hardware malfunctioned, damaging the users’
network and operations and costing them tens of thousands of dollars.
Aksoy “allegedly ran at least 19
companies formed in New Jersey and Florida as well as at least 15 Amazon
storefronts, at least 10 eBay storefronts, and multiple other entities,”
the
According to the DOJ statement, between 2014
and 2022, Customs and Border Protection seized 180 shipments of counterfeit
Cisco devices being shipped to Pro Network. Under the alias of “Dave
Durden,” Aksoy falsely submitted paperwork to CBP to avoid investigation.
In July 2021, federal agents obtained a warrant to search Aksoy’s warehouse,
where they seized 1,156 counterfeit Cisco devices valued at over 7 million
dollars.
“We are committed to maintaining the
integrity and quality of Cisco products and services. Cisco is grateful to law
enforcement and customs officials for their tremendous collaboration in this
investigation and to the DOJ for bringing the perpetrator to justice,”
Cisco said in a statement to PC Mag.
According to the DOJ, Aksoy is charged with
conspiracy to traffic in counterfeit goods and to commit mail and wire fraud,
three counts of mail fraud, four counts of wire fraud, and three counts of
trafficking in counterfeit goods. Prosecutors have set up a website for anyone
who believes they were a victim of Aksoy’s companies.
The Zero Trust Architecture (ZTA) team at NIST’s National Cybersecurity Center of Excellence (NCCoE) has
published volume B of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” and is
seeking the public’s comments on its contents. This guide summarizes how the
NCCoE and its collaborators are using commercially available technology to
build interoperable, open standards-based ZTA example implementations that
align to the concepts and principles in NIST Special Publication (SP) 800-207,
Zero Trust Architecture. As the project progresses, the preliminary draft will
be updated, and additional volumes will also be released for comment.
As an enterprise’s data and resources have become distributed
across the on-premises environment and multiple clouds, protecting them has
become increasingly challenging. Many users need access from anywhere, at any
time, from any device. The NCCoE is addressing these challenges by
collaborating with industry participants to demonstrate several approaches to a
zero trust architecture applied to a conventional, general purpose
enterprise IT infrastructure on premises and in the cloud.
We Want to Hear from You!
The NCCoE is making volume B available as a preliminary draft for
public comment while work continues on the project. Review the preliminary
draft and submit comments online on or before August 8th, 2022.
We welcome your input and look forward to your comments. We invite
you to join nccoe-zta-coi@list.nist.gov to receive
news and updates about this project.
This Public Service Announcement is an update and companion piece to Business Email Compromise PSA I-091019-PSA posted on www.ic3.gov. This PSA includes new Internet Crime Complaint Center complaint information and updated statistics from October 2013 to December 2021.
DEFINITION
Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.
The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.
The scam is not always associated with a transfer-of-funds request. One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets.
STATISTICAL DATA
The BEC/EAC scam continues to grow and evolve, targeting small local businesses to larger corporations, and personal transactions. Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars. This increase can be partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually.
The BEC scam has been reported in all 50 states and 177 countries, with over 140 countries receiving fraudulent transfers. Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds. China, which ranked in the top two destinations in previous years, ranked third in 2021 followed by Mexico and Singapore.
The following BEC/EAC statistics were reported to the FBI IC3 and to law enforcement, or were derived from filings with financial institutions, between June 2016 and December 2021:
Domestic and international incidents: 241,206
Domestic and international exposed dollar loss: $43,312,749,946
The following BEC/EAC statistics were reported in victim complaints to the IC3 between October 2013 and December 2021:
Total U.S. victims: 116,401
Total U.S. exposed dollar loss: $14,762,978,290
Total non-U.S. victims: 5,260
Total non-U.S. exposed dollar loss: $1,277,131,099
The following statistics were reported in victim complaints to the IC3 between June 2016 and December 2021:
Total U.S. financial recipients: 59,324
Total U.S. financial recipient exposed dollar loss: $9,153,274,323
Total non-U.S. financial recipients: 19,731
Total non-U.S. financial recipient exposed dollar loss: $7,859,268,158
BEC AND CRYPTOCURRENCY
The IC3 has received an increased number of BEC complaints involving the use of cryptocurrency. Cryptocurrency is a form of virtual asset that uses cryptography (the use of coded messages to secure communications) to secure financial transactions and is popular among illicit actors due to the high degree of anonymity associated with it and the speed at which transactions occur.
The IC3 tracked two iterations of the BEC scam in which criminals used cryptocurrency: a direct transfer to a cryptocurrency exchange (CE), or a “second hop” transfer to a CE. In both situations, the victim is unaware that the funds are being sent to be converted to cryptocurrency.
DIRECT TRANSFER – Mirrors the traditional pattern of BEC incidents in the past.
SECOND HOP TRANSFER – Uses victims of other cyber-enabled scams such as Extortion, Tech Support, and Romance Scams. Often, these individuals provided copies of identifying documents such as driver’s licenses, passports, etc., that are used to open cryptocurrency wallets in their names.
In the past, the use of cryptocurrency was regularly reported in other crime types seen at the IC3 (e.g., tech support, ransomware, employment); however, it was not identified in BEC-specific crimes until 2018. By 2019, reports had increased, culminating in the highest numbers to date in 2021, with just over $40M in exposed losses. Based on the increasing data received, the IC3 expects this trend to continue growing in the coming years.
SUGGESTIONS FOR PROTECTION
* Use secondary channels or two-factor authentication to verify requests for changes in account information.
* Ensure the URL in emails is associated with the business/individual it claims to be from.
* Be alert to hyperlinks that may contain misspellings of the actual domain name.
* Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
* Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
* Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
* Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
* If you discover you are the victim of a fraud incident, immediately contact your financial institution to request a recall of funds. Regardless of the amount lost, file a complaint with www.ic3.gov or, for BEC/EAC victims, BEC.ic3.gov, as soon as possible.
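Two of the sender checks in the list above (a display name that hides a different real address, and a sending domain that is a near miss for a trusted one) can be automated on the From: header. The following is an added example, not part of the IC3 PSA; the trusted domains, the sample headers and the similarity threshold are constructed assumptions for illustration.

```python
import re
from difflib import SequenceMatcher

# Domains this organisation legitimately exchanges payment requests with
# (constructed example values, not real organisations).
TRUSTED_DOMAINS = {"acme-supplier.com", "example-bank.com"}
# Single characters commonly swapped to forge a near-identical domain.
HOMOGLYPHS = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})
# Assumed threshold: similar enough to be a lookalike without being identical.
SIMILARITY_THRESHOLD = 0.85
# "Display Name <addr>" form; anything else is treated as a bare address.
HEADER_RE = re.compile(r"^\s*(?P<display>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$")
EMBEDDED_ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")

def split_from(from_header):
    """Split a From: header into (display name, lowercased actual address)."""
    match = HEADER_RE.match(from_header)
    if match:
        return match.group("display").strip('" '), match.group("addr").lower()
    return "", from_header.strip().lower()

def normalize(domain):
    """Fold homoglyph tricks so 'acme-suppIier.com' compares equal to 'acme-supplier.com'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if normalize(domain) == normalize(trusted):
            return trusted
        if SequenceMatcher(None, domain, trusted).ratio() >= SIMILARITY_THRESHOLD:
            return trusted
    return None

def check_sender(from_header):
    """Apply the PSA's sender checks to one From: header; returns a list of findings."""
    findings = []
    display, address = split_from(from_header)
    domain = address.rsplit("@", 1)[-1]
    # A display name carrying an address whose domain differs from the real sender is
    # exactly what the PSA's "view the full email extension" advice is meant to expose.
    embedded = EMBEDDED_ADDR_RE.search(display)
    if embedded and embedded.group(1).lower() != domain:
        findings.append(f"display-name-spoof: shows {embedded.group(0)}, really {address}")
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"lookalike-domain: {domain} resembles trusted {imitated}")
    return findings

def triage(messages):
    """Return {subject: findings} for every message whose sender fails a check."""
    results = {m["subject"]: check_sender(m["from"]) for m in messages}
    return {subject: found for subject, found in results.items() if found}

# Constructed sample headers: one legitimate message and three BEC-style lures.
SAMPLE_MESSAGES = [
    {"from": "Accounts Payable <ap@acme-supplier.com>", "subject": "Invoice 1042"},
    {"from": "Accounts Payable <ap@acme-suppIier.com>", "subject": "Updated bank details"},
    {"from": "ap@acme-supplier.com <ceo.urgent@freemail.example>", "subject": "Wire today"},
    {"from": "Jane Doe <jane@example-bank.co>", "subject": "Account change"},
]
```

A hit from either check is a reason to fall back to the PSA's first suggestion and confirm the request over a secondary channel.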
The FBI Internet Crime Complaint Center (IC3) warns of an increase in complaints reporting the use of deepfakes and stolen Personally Identifiable Information (PII) to apply for a variety of remote work and work-at-home positions. Deepfakes include a video, an image, or recording convincingly altered and manipulated to misrepresent someone as doing or saying something that was not actually done or said.
The remote work or work-from-home positions identified in these reports include information technology and computer programming, database, and software related job functions. Notably, some reported positions include access to customer PII, financial data, corporate IT databases and/or proprietary information.
Complaints report the use of voice spoofing, or potentially voice deepfakes, during online interviews of the potential applicants. In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually.
IC3 complaints also depict the use of stolen PII to apply for these remote positions. Victims have reported the use of their identities, and pre-employment background checks have discovered that PII given by some of the applicants belonged to another individual.
Report It
Companies or victims who identify this type of activity should report it to the IC3, www.ic3.gov.
If available, include any subject information such as IP or email addresses, phone numbers, or names provided.
MedusaLocker actors use vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks.
Summary
Actions to take today to mitigate cyber threats from ransomware:
* Prioritize remediating known exploited vulnerabilities.
* Train users to recognize and report phishing attempts.
* Enable and enforce multifactor authentication.
Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder.
Technical Details
MedusaLocker ransomware actors most often gain access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations [T1133]. Actors also frequently use email phishing and spam email campaigns—directly attaching the ransomware to the email—as initial intrusion vectors [T1566].
MedusaLocker ransomware uses a batch file to execute PowerShell script invoke-ReflectivePEInjection [T1059.001]. This script propagates MedusaLocker throughout the network by editing the EnableLinkedConnections value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to detect shared storage via Server Message Block (SMB) Protocol.
MedusaLocker then:
* Restarts the LanmanWorkstation service, which allows registry edits to take effect.
* Kills the processes of well-known security, accounting, and forensic software.
* Restarts the machine in safe mode to avoid detection by security software [T1562.009].
* Encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key [T1486].
* Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim’s machine and those that have the designated encrypted file extension.
* Establishes persistence by copying an executable (svhost.exe or svhostt.exe) to the %APPDATA%\Roaming directory and scheduling a task to run the ransomware every 15 minutes.
* Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies [T1490].
MedusaLocker actors place a ransom note into every folder containing a file with the victim’s encrypted data. The note outlines how to communicate with the MedusaLocker actors, typically providing victims one or more email addresses at which the actors can be reached. The size of MedusaLocker ransom demands appears to vary depending on the victim’s financial status as perceived by the actors.
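The behaviours listed under Technical Details (the EnableLinkedConnections registry edit, svhost.exe or svhostt.exe running from %APPDATA%\Roaming, a 15-minute scheduled task, the safe-mode restart and shadow-copy deletion) translate directly into hunt rules over process-creation telemetry. The following is an added example, not part of the advisory; the event records are constructed, and the exact command lines (reg.exe, schtasks /sc minute /mo 15, vssadmin delete shadows, bcdedit safeboot/recoveryenabled) are assumed forms consistent with the described behaviour, not commands quoted by the advisory.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (Sysmon/EDR style), not real telemetry.
# Command lines are assumed forms consistent with the advisory's description.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS02", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 2, "host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
                r" /v EnableLinkedConnections /t REG_DWORD /d 1 /f"},
    {"id": 3, "host": "WS01", "image": r"C:\Users\alice\AppData\Roaming\svhost.exe",
     "cmdline": "svhost.exe"},
    {"id": 4, "host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn svhost /tr C:\Users\alice\AppData\Roaming\svhostt.exe"
                r" /sc minute /mo 15"},
    {"id": 5, "host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 6, "host": "WS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"id": 7, "host": "WS02", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn Backup /tr backup.exe /sc daily"},
]

def _svhost_from_appdata(event):
    """Persistence copy: svhost.exe / svhostt.exe started from %APPDATA%\\Roaming (not svchost)."""
    name = PureWindowsPath(event["image"]).name.lower()
    return name in {"svhost.exe", "svhostt.exe"} and "\\appdata\\roaming\\" in event["image"].lower()

def _cmd(pattern):
    """Build a case-insensitive command-line predicate."""
    return lambda e: bool(re.search(pattern, e["cmdline"], re.I))

# (rule name, ATT&CK reference as given in the advisory, predicate over one event)
RULES = [
    ("enable-linked-connections", "T1059.001", _cmd(r"enablelinkedconnections")),
    ("svhost-in-appdata", "persistence", _svhost_from_appdata),
    ("15-minute-task", "persistence", _cmd(r"schtasks.*/create.*/sc\s+minute\s+/mo\s+15\b")),
    ("shadow-copy-deletion", "T1490", _cmd(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete")),
    ("safe-mode-or-recovery-tamper", "T1562.009 / T1490", _cmd(r"bcdedit.*(safeboot|recoveryenabled\s+no)")),
]

def evaluate(event):
    """Names of every rule that fires on a single event."""
    return [name for name, _ref, pred in RULES if pred(event)]

def hunt(events):
    """Map event id -> matched rule names for events that trip at least one rule."""
    hits = {}
    for event in events:
        matched = evaluate(event)
        if matched:
            hits[event["id"]] = matched
    return hits

def hosts_at_risk(events, min_rules=3):
    """Hosts where at least `min_rules` distinct behaviours fired: a single rule is a lead,
    several together resemble the staging sequence the advisory describes."""
    per_host = {}
    for event in events:
        per_host.setdefault(event["host"], set()).update(evaluate(event))
    return {host for host, rules in per_host.items() if len(rules) >= min_rules}
```

Note that the persistence rule keys on the misspelt binary name and its user-profile location, so the legitimate System32 svchost.exe never matches.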