Category: Homeland Security

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released, Cybersecurity Guidance: Chinese-Manufactured Unmanned Aircraft Systems (UAS), to raise awareness of the threats posed by Chinese-manufactured UAS and to provide critical infrastructure and state, local, tribal, and territorial (SLTT) partners with recommended cybersecurity safeguards to reduce the risk to networks and sensitive information. 

The People’s Republic of China (PRC) has enacted laws that provide the government with expanded legal grounds for accessing and controlling data held by firms in China. The use of Chinese-manufactured UAS in critical infrastructure operations risks exposing sensitive information to PRC authorities. This guidance outlines the potential vulnerabilities to networks and sensitive information when operated without the proper cybersecurity protocols and the potential consequences that could result.  

“Our nation’s critical infrastructure sectors, such as energy, chemical and communications, are increasingly relying on UAS for various missions that ultimately reduce operating costs and improve staff safety. However, the use of Chinese-manufactured UAS risks exposing sensitive information that jeopardizes U.S. national security, economic security, and public health and safety,” said CISA Executive Assistant Director for Infrastructure Security, Dr. David Mussington. “With our FBI partners, CISA continues to call urgent attention to China’s aggressive cyber operations to steal intellectual property and sensitive data from organizations. We encourage any organization procuring and operating UAS to review the guidance and take action to mitigate risk. We must work together to ensure the security and resilience of our critical infrastructure.”  

“Without mitigations in place, the widespread deployment of Chinese-manufactured UAS in our nation’s key sectors is a national security concern, and it carries the risk of unauthorized access to systems and data,” said Assistant Director of the FBI’s Cyber Division, Bryan A. Vorndran. “The FBI and our CISA partners have issued UAS guidance in order to help safeguard our critical infrastructure and reduce the risk for all of us.”   

Critical infrastructure organizations are encouraged to operate UAS that are secure-by-design and manufactured by U.S. companies. This guidance offers cybersecurity recommendations that organizations should consider as part of their UAS program, policies, and procedures.  

For more information, please visit CISA’s Unmanned Aircraft Systems Resources webpage.  

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram. 

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) released its fourth annual Year in Review showcasing CISA’s work to protect the nation from cyber and physical threats, while working to increase the resilience of critical infrastructure Americans rely on every day. The 2023 Year in Review reflects on the agency’s accomplishments across its broad cybersecurity, infrastructure security and emergency communications missions as the nation and the world adapted to technological advances, spillover from international events and other major events. In 2024, CISA will continue to develop and deliver tools, training, technical expertise and other resources to help our critical infrastructure partners increase their own resilience and defenses against evolving risks. 

“This Year in Review report demonstrates CISA’s exceptional work in 2023 to protect critical infrastructure,” said CISA Director Jen Easterly. “It not only celebrates our progress from the past year but also spotlights groundbreaking milestones and pioneering ‘firsts’ achieved by the agency. These efforts are a testament to and reflect the dedication of CISA’s workforce. Because of their commitment to the mission, the critical infrastructure systems that Americans rely on every day are more secure and resilient than ever.”  

In 2023, the CISA accomplishments included:  

• Promoting Secure by Design Principles. As part of an Administration-wide push to promote secure software development, CISA launched its Secure by Design campaign in April 2023. This effort strives for a future where technology is safe, secure and resilient by design by encouraging software manufacturers to take ownership of customer security outcomes. In October 2023, CISA and 17 U.S. and international partners published an update to a joint Secure by Design white paper on “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.” Originally released April 13, 2023, this paper urges software manufacturers to revamp their design and development programs to produce only secure by design products. It also emphasizes three core principles: 1.) Take ownership of customer security outcomes, 2.) Embrace radical transparency and accountability, and 3.) Lead from the top. 
• Leading on Artificial Intelligence. CISA published its first Roadmap for Artificial Intelligence (AI) in November 2023, adding to the significant U.S. Department of Homeland Security and broader whole-of-government effort to ensure the secure development and implementation of AI capabilities. This Roadmap outlines a whole-of-agency plan to assess possible cyber-related risks to the use of AI, provide guidance to the critical infrastructure sectors that Americans rely on every hour of every day, and capitalize on AI’s potential to improve U.S. cyber defenses.   
• Reducing the Risk of Ransomware. In March 2023, CISA launched the Pre-Ransomware Notification Initiative, which measurably reduces risk by warning organizations of early-stage ransomware activity. Since the Initiative’s launch, the agency conducted more than 1,000 pre-ransomware notifications across a variety of critical infrastructure sectors and to partners abroad.  
• Encouraging Cyber Hygiene. In September 2023, CISA launched its Secure Our World program. Secure Our World is a new and enduring cybersecurity awareness program that emphasizes four simple cyber hygiene steps everyone should implement and continuously improve upon: 1.) Use Strong Passwords and a Password Manager, 2.) Turn On Multifactor Authentication, 3.) Recognize and Report Phishing, and 4.) Update Software. The campaign featured CISA’s first-ever public service announcement (PSA) and garnered significant public attention though outreach efforts including television, radio and billboard ads, podcasts, media coverage, social media and beyond.  
• Supporting Critical Infrastructure. CISA enhanced its engagement with “target rich, resource poor” organizations, including the Water and Wastewater Sector, K-12 Education Subsector, Healthcare and Public Health Sector and the Election Security Sector. In 2023, CISA completed more than 6,700 stakeholder engagements with government and private sector participants to share threat information and promote its cybersecurity services. 
• Enhancing Emergency Communications. In 2023, CISA accumulated new subscribers to CISA’s Priority Telecommunication Services (PTS) program which enables essential personnel to communicate when landline or wireless networks become degraded, congested or otherwise unavailable. The PTS program covers wireline communications under Government Emergency Telecommunications Service (GETS), wireless voice communications under Wireless Priority Service (WPS), and priority repair and installation of critical voice and data circuits under Telecommunications Service Priority (TSP). In 2023, GETS added 51,023 new subscribers, thanks in large part to focused outreach during the second annual Emergency Communications Month in April. In addition, WPS users increased by 283,357 subscribers. TSP also added restoration priority to 18,307 new circuits that support national security emergency preparedness missions. 
• Providing Resources to State and Local Governments. In 2023, CISA and the Federal Emergency Management Agency (FEMA) jointly implemented the State and Local Cybersecurity Grant Program (SLCGP). The SLCGP is a first-of-its-kind cybersecurity grant program specifically for state, local and territorial governments across the country.  In September 2023, CISA and FEMA announced the of Notice of Funding Opportunity for the Tribal Cybersecurity Grant Program, allocating $18.2 million to bolster cybersecurity among federally-recognized tribes.  
• Strengthening Regional Election Security Support. In 2023, CISA established dedicated election security advisors (ESAs) in each of its 10 regions to provide support and resources to promote secure elections. These ESAs work directly for CISA’s Regional Directors and with the agency’s cybersecurity and protective security advisors to ensure CISA’s capabilities and services are being optimally employed to meet the unique needs of each state or locality. 
• Improving Security for Chemical Facilities. CISA celebrated the second anniversary of its ChemLock voluntary program in November 2023. This program provides facilities possessing dangerous chemicals with tailored, scalable, no-cost services and tools to improve their chemical cyber and physical security posture. 

This digitally interactive 2023 Year in Review takes on a new look and feel, providing the reader with a brief snapshot of CISA’s accomplishments while linking back to corresponding CISA.gov webpages for a deeper dive into its programs and initiatives.  

Read the full Year in Review to learn more about CISA’s accomplishments and success stories from 2023. 

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) published a Request for Information from all interested parties on secure by design software practices, including the Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software whitepaper, as part of our ongoing, collective secure by design campaign across the globe.  

To better inform CISA’s Secure by Design campaign, CISA and our partners seek information on a wide range of topics, including the following:  

• Incorporating security early into the software development life cycle (SDLC): What changes are needed to allow software manufacturers to build and maintain software that is secure by design, including smaller software manufacturers? How do companies measure the dollar cost of defects in their SDLC?  
• Security is often relegated to be an elective in education: What are some examples of higher education incorporating foundational security knowledge into their computer science curricula; When new graduates look for jobs, do companies evaluate security skills, knowledge, and experience during the hiring stage, or are employees reskilled after being hired? 
• Recurring vulnerabilities: What are barriers to eliminating recurring classes of vulnerability; how can we lead more companies to identify and invest in eliminating recurring vulnerabilities; how could the common vulnerabilities and exposures (CVE) and common weakness enumeration (CWE) programs help? 
• Operational technology (OT): What incentives would likely lead customers to increase their demand for security features; Which OT products or companies have implemented some of the core tenants of secure by design engineering? 
• Economics of secure by design: What are the costs to implement secure by design and default principles and tactics, and how do these compare to costs responding to incidents and breaches? 

“While we have already received a wide range of feedback on our secure by design campaign, we need to incorporate the broadest possible range of perspectives,” said CISA Director Jen Easterly. Our goal to drive toward a future where technology is safe and secure by design requires action by every technology manufacturer and clear demand by every customer, which in turn requires us to rigorously seek and incorporate input. The President’s National Cybersecurity Strategy calls for a fundamental shift in responsibility for security from the customer to software manufacturers, and input from this RFI will help us define our path ahead, including updates to our joint seal Secure by Design whitepaper.  

Co-sealed by 18 U.S. and international agencies, our recent Secure by Design guidance strongly encourages every software manufacturer to build products in a way that reduces the burden of cybersecurity on customers. More recently, CISA launched a new series of Secure by Design Alerts outlining the real-world harms that result from technology products that are not secure by design.  

With our partners, CISA encourages technology manufacturers and all interested stakeholders to review the Request for Information and provide written comment on or before 20 February 2024. Instructions for submitting comment are available in the Request for Information. The feedback on our current analysis or approaches will help inform future iterations of the whitepaper and our collaborative work with the global community.  

To learn more about Secure by Design, visit our webpage. Questions regarding the RFI can be emailed to SecureByDesign@cisa.dhs.gov. 

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, CISA leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day. 

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.  

Source: US Department of Homeland Security

Since 2021, Over 1,200 Students in 32 States Created Projects to help prevent targeted violence and terrorism in their communities

WASHINGTON – On Wednesday, January 24, the Department of Homeland Security’s (DHS) Center for Prevention Programs and Partnerships (CP3), hosted 27 students selected as finalists from three out of 18 universities and three out of 24 high schools who are developing innovative projects to help prevent targeted violence and terrorism in their communities. The students are finalists in Invent2Prevent (I2P), a contest launched in Spring 2021 that has seen more than 1,200 students participate from 119 universities across 32 states and Washington, D.C., and 138 high schools across 25 states.

Iowa State University, Ames, IA and North Panola Career and Technical Center, Como, MS were named the winners of the university and high school categories, respectively. These teams will use the resources to further advance and scale their initiatives and projects. Thirteen I2P teams have successfully continued their projects through the McCain Institute Sustainment Program, and four of those teams have secured additional funding through DHS CP3’s Targeted Violence and Terrorism Prevention (TVTP) Grant Program.

“Prevention is a community effort, and programs like I2P give young minds the opportunity to work together to take on the toughest challenges facing the world today,” said CP3 Director William Braniff. “The next generation of changemakers understand that acts of targeted violence and terrorism are often preventable, and they are helping their peers and their schools do just that. I am inspired by their work and their commitment to building safe and resilient communities.”

“The freedom that I2P gave us to choose a topic such as school shootings allowed us to make a TRUE impact towards preventing them and making real progress for mental health accountability,” said Kathleen Hepworth, Student at Iowa State University. “I’m grateful for their support all semester and their feedback and guidance was crucial to our project success.”

“Invent2Prevent has been very helpful and encouraging during our semester of work. They gave us a free space to express an important cause in our community,” said Keniya Davis, Student at North Panola Career and Technical Center. “Peer No Pressure had a very positive impact on our community and grabbed a lot of people’s attention. With us being able to amplify our message even more with the help of I2P, we are definitely making a change in the community.”

As part of a semester-long project, each team evaluated a current threat facing the nation, such as campus safety, cyberbullying, and violent extremism. The teams then created a program or tool to educate or build on the strengths of their community to decrease the likelihood of targeted violence and terrorism. During the final round of competition in Washington, D.C., students presented their projects for the opportunity to be awarded funding to carry-out their proposed initiatives. The students presented their projects to a panel of judges consisting of government officials and civil society leaders with expertise in the fields of protection and prevention, education, youth engagement, and mental health, along with past I2P student participants.

CP3 strengthens our country’s ability to prevent targeted violence and terrorism nationwide through funding, training, increased public awareness, and partnerships across every level of government, the private sector, and in local communities. CP3 seeks to ensure that the leaders of tomorrow play an active role in designing innovative solutions to build more resilient communities today through programs, such as Invent2Prevent.

Through the TVTP Grant Program, CP3 provides funding for state, local, tribal, and territorial governments, nonprofits, and institutions of higher education to establish or enhance their capabilities to prevent targeted violence and terrorism. In 2022, DHS awarded $20 million in TVTP Grants, of which more than $1 million has been awarded to amplify the impact of previous Invent2Prevent projects. For more information on the TVTP Grants Program, please visit www.dhs.gov/tvtpgrants.

“Invent2Prevent is a fantastic program that harnesses the creativity and enthusiasm of youth to support CP3’s public health approach to prevention,” said Brette Steele, Senior Director for Preventing Targeted Violence at the McCain Institute. “Our I2P students are at the forefront of innovation in the prevention field. Each semester, we look to them to help us develop solutions that resonate and build resilience in their respective communities. This semester we saw more creative ideas than ever before, and the competition to make it to D.C. was fierce. Congratulations to the finalist teams and to all the I2P teams on their hard work this semester.”

“These competitions are what we live for. There is nothing more exciting than to witness what these Invent2Prevent finalists have created,” said Tony Sgro, Founder and CEO of EdVenture Partners. “Each semester I am continually amazed by the level of student innovation. These students are addressing difficult issues that they are personally facing in their schools, on their campuses, and in their communities and they are providing credible, authentic solutions; it is pretty incredible. I have absolute belief that these young learners are tomorrow’s leaders.”

The three university finalists finished in the following order:

Iowa State University, Ames, IA
The Iowa State University team created MIND SPACE, an initiative that creates a connected, supportive community by providing educational resources that help others understand mental health and behaviors that destigmatize help-seeking behaviors, while offering a physical location where students can access mental health resources in privacy on campus. MIND SPACE was created to reduce the mental health stigma in academic settings and help prevent individuals from engaging in violence, and specifically school shootings. By fostering protective factors and a connected community, the initiative ensures bystanders feel confident in aiding those with mental health issues, while helping reduce social isolation for people experiencing mental health concerns.

Middlebury Institute for International Studies, Monterey, CA
The Middlebury Institute for International Studies team created Project Gravity, a SoftLanding GPT artificial intelligence (AI) powered chatbot that acts as a resource toolkit to help individuals whose loved ones could be on a path toward violent extremism. The Project Gravity chatbot is intended to provide resources and responses that give people the confidence they need to have difficult conversations. Project Gravity embraces a public health model of targeted violence prevention by reducing the attractiveness of violent narratives through resiliency building on individual, family, and community levels.

University of Nebraska, Lincoln, NE
The University of Nebraska, Lincoln (UNL) team created SafeSpace Nebraska, an initiative that focuses on enhancing the preparedness of college students for school shooting events. While school safety protocols have been actively promoted in high schools, this initiative is intended to address a lack of preparedness training on campuses. The project increases awareness of the “Run. Hide. Fight!” protocol in the UNL community. Through a variety of interactive tactics, including scenario-based training, SafeSpace Nebraska engages UNL students and staff to enhance their knowledge of what to do in the event of an active shooter situation on campus. Additionally, SafeSpace Nebraska advocates for university safety protocols to be added to all UNL class syllabi through the creation of a Change.org petition.

The three high school finalists finished in the following order:

North Panola Career and Technical Center, Como, MS
The North Panola Career and Technical Center team created Peer No Pressure, an initiative dedicated to providing students, ages 12-18, with a safe and supportive space to minimize bullying and peer pressure, through the use of peer-led discussions, engaging skits, and a mentorship program. Peer No Pressure seeks to rewrite the narrative on peer pressure and bullying, while cultivating an environment where peers’ voices matter and produce change. Peer No Pressure believes that by embracing empathy and fostering a culture of prevention, the resulting shared commitment to creating safe spaces and positive relationships can form a united front against bullying and peer pressure.

Burlington Township High School, Burlington NJ
The Burlington Township High School team created CTRL + ALT + DELETE Cyberbullying, where “Being a Bystander is Saying Bye to Your Standards,” an initiative to educate 5th grade students on how to identify, report, and stop cyberbullying. It was created with four goals in mind: 1) educate students about cyberbullying; 2) create a support group among students; 3) provide parents with knowledge and information; and 4) educate students on reporting acts of cyberbullying. The team partnered with the Burlington Township District guidance counselor and the Fountain Woods Elementary School head guidance counselor to bring this project to life. The team worked to create an in-person outreach that was both easy for teachers to implement and effective among their target audience.

Louisiana Youth Advisory Council, Baton Rouge, LA
The Louisiana Youth Advisory Council team wrote “Thao, Pradeep, and Carolina,” a children’s book meant to expose kindergarten students to new cultures. Each character in the book introduces their unique cultural holiday by talking about their favorite traditions and how they celebrate. By exposing and educating children about different cultures early in their schooling, the project seeks to prevent racism and othering in the future. By promoting inclusivity, this book is intended to encourage students to be open-minded to unfamiliar ideas and instill positive associations with those of different backgrounds beginning at a young age. This project was created with four goals in mind: 1) curtail discrimination against different cultures and races through exposure; 2) provide an opportunity for education and discussion; 3) introduce differences in culture at an early age to encourage children to welcome differences of others; and 4) create a more inclusive and embracing environment where children are more empathetic to their peers.

DISCLAIMER
Statements attributed to non-governmental organizations are for informational purposes only. References do not constitute an official endorsement of the organization, its work, or its product or services by the U.S. Department of Homeland Security or the Federal Government.

###

Source: US Department of Homeland Security

New Customer Experience Directorate has reduced public burden by 21 million+ hours in 2023 and improved delivery of Department’s services, resources and support

WASHINGTON – Following the second anniversary of President Biden’s Executive Order 14058 “Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government,” the Department of Homeland Security (DHS) recognized significant strides toward improving customer experience (CX) and reducing the administrative burden on the American public in 2023 and pledged to build upon those improvements in 2024.

“More Americans interact with the Department of Homeland Security every day than with any other Department in the federal government, and our personnel are focused on ensuring our services, resources, and support are easily and readily accessible. That is why we established an office dedicated to improving customer experience,” said Secretary Alejandro N. Mayorkas. “We have made significant progress in modernizing our delivery of services through the use of new technologies and the talent, ingenuity, and dedication of our extraordinary personnel. Looking ahead, we will continue to improve the customer experience for the millions of individuals with whom we interact every day, while advancing equity, protecting individuals’ privacy rights and civil liberties, and increasing our openness, transparency, and accountability.”

In addition to announcing the permanent Customer Experience Directorate in September 2023, the DHS workforce has improved CX and reduced public burden in a variety of ways, including:

• Saving Customers’ Time: Forms to request services and benefits are getting faster and easier to use across DHS. The Department reduced public burden by 21,425,258 hours, exceeding its 20-million-hour goal, by making forms fully digital, pre-populating fields, and eliminating unnecessary fields.
• Making Services More Accessible for Customers: Most people applying for immigration benefits with USCIS can now go online to update addresses, reschedule biometric appointments, and track personalized processing times on select forms, eliminating the need to call in or fill out a paper form to take care of most basic tasks.
• Focusing on Disaster Survivors’ Specific Needs: Disaster survivors will have a faster, easier, and more streamlined digital way of applying for individual assistance at disasterassistance.gov. FEMA used customer feedback and user research to improve and redesign registration and intake processes, requiring disaster survivors to provide only information relevant to their individual needs.
• Streamlining Immigration Obligations: Noncitizens in immigration proceedings can now use the ICE Portal, a central, online way to manage and track their responsibilities, such as scheduling appointments, updating their addresses, and checking immigration court hearing information.
• Improving Travelers’ Experiences: TSA’s implementation of new identity verification technology for PreCheck^® passengers in 28 airports speeds up checkpoints while ensuring security.
• Automating Key Points in the Supply Chain: Vessel agents and ship operators will free up time using U.S. Customs and Border Protection’s transformed vessel entry and clearance process, which is now digital.  A transaction that used to take hours will now take just a few minutes and can be completed almost entirely online, when the system is fully deployed nationwide in FY 2024.
• Validating Improvements: This past spring, over 13,000 passengers in airports across the U.S. gave TSA feedback on its services, and the results measured high satisfaction with their experiences on the day they took the survey.
  • 93 percent overall Customer Satisfaction score.
  • 95 percent of passengers surveyed reported that interactions with officers were professional and respectful during the screening process.
  • 94 percent of passengers reported confidence in the ability of officers to keep air travel safe.
  • 91 percent of passengers experienced reasonable wait times with 89 percent waiting less than 15 minutes at their checkpoint.
  • 78 percent of passengers reported experiencing no challenges at their checkpoint.
• Embedding CX throughout the Department: DHS has hired more than 70 CX professionals, who are working across components to build and scale CX capacity.

The Customer Experience Directorate is in the Office of the Chief Information Officer to further advance CX as a Department-wide priority.

“Our workforce places customers at the center of everything we do,” said DHS Chief Information Officer Eric Hysen. “I am proud of the work our Customer Experience professionals do across the Department as we continue to implement President Biden’s customer experience vision.”

Earlier this year, DHS published its Burden Reduction Plan for FY24, which outlines the Department’s goal of eliminating an additional 10 million hours of public burden by September 30, 2024. Additionally, Secretary Mayorkas has tasked each Component with creating its own burden reduction strategies. All of these priorities are part of the new DHS IT Strategic Plan for 2024-2028, which includes a strategic goal of improving customer experience and transforming the delivery of DHS services.

To learn more about the Department’s progress to improve customer experience, please visit DHS’s CX website.

# # #

Source: US Department of Homeland Security

In first year of new process for workers supporting labor investigations and enforcement actions, DHS has protected over one thousand workers

DHS announces process for requesting renewal of deferred action for these workers

WASHINGTON – Through the enhanced process announced one year ago, the Department of Homeland Security (DHS), in partnership with the Department of Labor and other federal, state and local labor agencies, has protected over one thousand noncitizen workers who were victims of, or witnesses to, a violation of labor rights. This process to streamline and expedite consideration of workers’ deferred action requests has maintained DHS’s longstanding practice of using its discretionary authority to consider labor and employment agency-related deferred action requests for workers on a case-by-case basis.

These improvements advance the Biden-Harris Administration’s commitment to empowering workers and to improving workplace conditions by enabling all workers, including noncitizens, to more freely assert their legal rights. Fear of reporting violations due to immigration-based retaliation can create an unfair labor market and perpetuate the commission of unlawful and inhumane acts by employers, ranging from nonpayment of wages to imposing unsafe working conditions and chilling workers’ ability to organize and collectively bargain to improve their work conditions. Workers can visit DHS.gov for additional information and to submit requests.

“Noncitizen workers should never be afraid to report exploitation in the workplace or fear retaliatory actions from an abusive employer,” said Secretary of Homeland Security Alejandro N. Mayorkas. “No employer is above the law. DHS will work with our law enforcement partners to hold those who prey on the vulnerability of migrants accountable and provide protection to those who come forward to report abuse. Combatting labor exploitation helps ensure fair wages and safe working conditions for all workers in our country.”

DHS is announcing new guidance for noncitizen workers requesting a renewal of deferred action through these processes. A noncitizen granted deferred action based on a labor agency enforcement interest may request a subsequent period of deferred action for an additional two years when there continues to be an ongoing labor agency need. This will protect workers when the labor agency investigation or enforcement action has not yet concluded. DHS is also releasing information for labor agencies on how to provide updated statements describing the ongoing labor agency need.

Subsequent requests from workers must be accompanied by an updated statement from the labor agency explaining the continued need for workers to assist in their investigation or prosecution, or in the enforcement of any court order or settlement agreement.

Agencies tasked with enforcing labor and employment laws depend on the cooperation of these workers in their investigations and enforcement actions. DHS’s practice of offering discretionary protection on a case-by-case basis to workers increases the ability of labor and employment agencies to more fully investigate worksite violations and support those agencies in fulfilling their mission to hold abusive employers accountable through their enforcement actions.

Noncitizens can submit such requests to U.S. Citizenship and Immigration Services (USCIS) through a central intake point established specifically to support labor agency investigative and enforcement efforts. Learn about the process for workers and labor agencies.

###

Source: US Department of Homeland Security

During first in-person meeting of the Tribal Homeland Security Advisory Council, Tribal leaders from across the country shared perspectives on homeland security policies and practices that affect Tribal Nations and indigenous communities.

Last week, Secretary of Homeland Security Alejandro N. Mayorkas convened tribal representatives to discuss key challenges facing their communities, including the accessibility of Department of Homeland Security (DHS) grants, improving cyber resilience, and best practices to address the crisis of missing and murdered indigenous people. Subcommittees of the Tribal Homeland Security Advisory Council (THSAC) presented their recommendations to the full Council on ways the Department can address these challenges. This was the THSAC’s first in-person meeting since forming on September 7, 2022.   

The Subcommittee on Accessibility to DHS Grants recommended that DHS improve access to grant programs for tribes and tribal communities. Key policy recommendations from the committee include the establishment of a more accessible grant and application process with more flexibility and improving the consultation process with tribes to ensure grant priorities match the needs of tribal communities. The subcommittee also proposed a few legislative recommendations that would require Congressional action.  

The Subcommittee on Cybersecurity recommended that DHS improve accessibility to cybersecurity resources for tribes and tribal communities. Key recommendations included addressing the talent deficit of tribal cybersecurity professionals and providing equity assessments in rural regions to understand cybersecurity vulnerabilities in Tribal Nations. 

The Subcommittee on Addressing the Crisis of Missing and Murdered Indigenous People (MMIP) recommended that DHS improve its role in support of Executive Order 14053, which tasked the Department with providing support to federal partner agencies, including the Department of Justice, Department of the Interior, and the Department of Health and Human Services, with their efforts to combat the crisis of MMIP. Key recommendations include the creation of a secure, updated, and centralized Tribal Nation Platform for data collection and networking, and the consolidation of victim and survivor services under one platform to improve available resources.  

The Tribal Homeland Security Advisory Council enables Tribal leaders to advise the Secretary on homeland security policies and practices that affect Indian Country and indigenous communities, in areas including emergency management, law enforcement, cybersecurity, domestic terrorism and targeted violence, and border security. The Council engages with DHS agencies and offices to produce recommendations and reports for the Secretary. The Council is charged with collaborating on all matters of homeland security.  

The Tribal Homeland Security Advisory Council is one of four Councils of outside experts that provide advice and recommendations to the Secretary on matters related to various aspects of homeland security. The Faith-Based Security Advisory Council provides advice and recommendations to the Secretary and other senior leadership on matters related to protecting houses of worship, preparedness, and enhanced coordination with the faith community. The Homeland Security Academic Partnership Council provides strategic and actionable recommendations to the Secretary on campus safety and security, improved coordination, research priorities, hiring, and more. Members represent higher education associations, campus law enforcement, two- and four-year colleges and universities, Historically Black Colleges and Universities, Hispanic-Serving Institutions, Tribal Colleges, and Asian American and Pacific Islander-Serving Institutions. And the Homeland Security Advisory Council, comprised of private sector leaders, produced a record eight reports in 2023 for the Council on critical topics ranging from Customer Service to AI. These recommendations led to the development of new initiatives, like the Supply Chain Resilience Center, customer experience improvements across component agencies, and critical AI policy. 

To learn more about the Council, please visit https://www.dhs.gov/tribal-advisory-council. 

Learn more about the Biden-Harris Administration’s efforts to better support tribal nations.

Source: US Department of Homeland Security

SUMMARY

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on Androxgh0st malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.

The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.

Download the PDF version of this report:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK^® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

Androxgh0st malware has been observed establishing a botnet [T1583.005] for victim identification and exploitation in target networks. According to open source reporting[1], Androxgh0st is a Python-scripted malware [T1059.006] primarily used to target .env files that contain confidential information, such as credentials [T1552.001] for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework). Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning [T1046] and exploiting exposed credentials [T1078] and application programming interfaces (APIs) [T1114], and web shell deployment [T1505.003].

Targeting the PHPUnit

Androxgh0st malware TTPs commonly involves the use of scripts, conducting scanning [T1595] and searching for websites with specific vulnerabilities. In particular, threat actors deploying Androxgh0st have been observed exploiting CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on fallible websites via PHPUnit [T1190]. Websites using the PHPUnit module that have internet-accessible (exposed) /vendor folders are subject to malicious HTTP POST requests to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php uniform resource identifier (URI). This PHP page runs PHP code submitted through a POST request, which allows the threat actors to remotely execute code.

Malicious actors likely use Androxgh0st to download malicious files [T1105] to the system hosting the website. Threat actors are further able to set up a fake (illegitimate) page accessible via the URI to provide backdoor access to the website. This allows threat actors to download additional malicious files for their operations and access databases.

Laravel Framework Targeting

Androxgh0st malware establishes a botnet to scan for websites using the Laravel web application framework. After identifying websites using the Laravel web application, threat actors attempt to determine if the domain’s root-level .env file is exposed and contains credentials for accessing additional services. Note: .env files commonly store credentials and tokens. Threat actors often target .env files to steal these credentials within the environment variables.

If the .env file is exposed, threat actors will issue a GET request to the /.env URI to attempt to access the data on the page. Alternatively, Androxgh0st may issue a POST request to the same URI with a POST variable named 0x[] containing certain data sent to the web server. This data is frequently used as an identifier for the threat actor. This method appears to be used for websites in debug mode (i.e., when non-production websites are exposed to the internet). A successful response from either of these methods allows the threat actors to look for usernames, passwords, and/or other credentials pertaining to services such as email (via SMTP) and AWS accounts.

Androxgh0st malware can also access the application key [TA0006] for the Laravel application on the website. If the threat actors successfully identify the Laravel application key, they will attempt exploitation by using the key to encrypt PHP code [T1027.010]. The encrypted code is then passed to the website as a value in the cross-site forgery request (XSRF) token cookie, XSRF-TOKEN, and included in a future GET request to the website. The vulnerability defined in CVE-2018-15133 indicates that on Laravel applications, XSRF token values are subject to an un-serialized call, which can allow for remote code execution. In doing so, the threat actors can upload files to the website via remote access.

Apache Web Server Targeting

In correlation with CVE-2021-41773, Androxgh0st actors have been observed scanning vulnerable web servers [T1595.002] running Apache HTTP Server versions 2.4.49 or 2.4.50. Threat actors can identify uniform resource locators (URLs) for files outside root directory through a path traversal attack [T1083]. If these files are not protected by the “request all denied” configuration and Common Gateway Interface (CGI) scripts are enabled, this may allow for remote code execution.

If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations. For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies [T1136]. Additionally, Andoxgh0st actors have been observed creating new AWS instances to use for conducting additional scanning activity [T1583.006].

INDICATORS OF COMPROMISE (IOCs)

Based on investigations and analysis, the following requests are associated with Androxgh0st activity:

• Incoming GET and POST requests to the following URIs:
  • /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /.env
• Incoming POST requests with the following strings:
  • [0x%5B%5D=androxgh0st]
  • ImmutableMultiDict([('0x[]', 'androxgh0st')])

In both previously listed POST request strings, the name androxgh0st has been observed to be replaced with other monikers.

Additional URIs observed by the FBI and a trusted third party used by these threat actors for credential exfiltration include:

• /info
• /phpinfo
• /phpinfo.php
• /?phpinfo=1
• /frontend_dev.php/$
• /_profiler/phpinfo
• /debug/default/view?panel=config
• /config.json
• /.json
• /.git/config
• /live_env
• /.env.dist
• /.env.save
• /environments/.env.production
• /.env.production.local
• /.env.project
• /.env.development
• /.env.production
• /.env.prod
• /.env.development.local
• /.env.old
• //.env
  • Note: the actor may attempt multiple different potential URI endpoints scanning for the .env file, for example /docker/.env or /local/.env.
• /.aws/credentials
• /aws/credentials
• /.aws/config
• /.git
• /.test
• /admin
• /backend
• /app
• /current
• /demo
• /api
• /backup
• /beta
• /cron
• /develop
• /Laravel
• /laravel/core
• /gists/cache
• /test.php
• /info.php
• //.env
• /admin-app/.env%20
• /laravel/.env%20
• /shared/.env%20
• /.env.project%20
• /apps/.env%20
• /development/.env%20
• /live_env%20
• /.env.development%20

Targeted URIs for web-shell drop:

• /.env/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //dev/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //lib/phpunit/phpunit/Util/PHP/eval-stdin.php
• //lib/phpunit/src/Util/PHP/eval-stdin.php
• //lib/phpunit/Util/PHP/eval-stdin.php
• //new/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //old/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //phpunit/phpunit/Util/PHP/eval-stdin.php
• //phpunit/src/Util/PHP/eval-stdin.php
• //phpunit/Util/PHP/eval-stdin.php
• //protected/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/evalstdin.php
• //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
• //vendor/phpunit/src/Util/PHP/eval-stdin.php
• //vendor/phpunit/Util/PHP/eval-stdin.php
• //wp-content/plugins/cloudflare/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //wp-content/plugins/mm-plugin/inc/vendors/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• //www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /admin/ckeditor/plugins/ajaxplorer/phpunit/src/Util/PHP/eval-stdin.php
• /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /api/vendor/phpunit/phpunit/src/Util/PHP/Template/eval-stdin.php
• /lab/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /laravel_web/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /laravelao/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /lib/phpunit/phpunit/Util/PHP/eval-stdin.php
• /lib/phpunit/phpunit/Util/PHP/eval
• stdin.php%20/lib/phpunit/src/Util/PHP/eval-stdin.php
• /lib/phpunit/src/Util/PHP/eval-stdin.php
• /lib/phpunit/Util/PHP/eval-stdin.php
• /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /libraries/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /phpunit/phpunit/Util/PHP/eval-stdin.php
• /phpunit/phpunit/Util/PHP/eval-stdin.php%20/phpunit/src/Util/PHP/evalstdin.php
• /phpunit/src/Util/PHP/eval-stdin.php
• ./phpunit/Util/PHP/eval-stdin.php
• /phpunit/Util/PHP/eval-stdin.php%20/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.dev
• /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
• /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php%20/vendor/phpunit/src/Util/PHP/eval-stdin.php
• /vendor/phpunit/src/Util/PHP/eval-stdin.php
• /vendor/phpunit/Util/PHP/eval-stdin.php
• /vendor/phpunit/Util/PHP/eval-stdin.php%20
• /phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

An example of attempted credential exfiltration through (honeypot) open proxies:

POST /.aws/credentials HTTP/1.1
host: www.example.com
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
accept-encoding: gzip, deflate
accept: */*
connection: keep-alive
content-length: 20
content-type: application/x-www-form-urlencoded

0x%5B%5D=androxgh0st

An example of attempted web-shell drop through (honeypot) open proxies:

GET http://www.example.com/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
host: www.example.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76
accept-encoding: gzip, deflate
accept: */*
connection: keep-alive
x-forwarded-for: 200.172.238.135
content-length: 279

Monikers used instead of Androxgh0st (0x%5B%5D=???):

• Ridho
• Aws
• 0x_0x
• x_X
• nopebee7
• SMTPEX
• evileyes0
• privangga
• drcrypter
• errorcool
• drosteam
• androxmen
• crack3rz
• b4bbyghost
• 0x0day
• janc0xsec
• blackb0x
• 0x1331day
• Graber

Example malware drops through eval-stdin.php:

hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt
59e90be75e51c86b4b9b69dcede2cf815da5a79f7e05cac27c95ec35294151f4

hxxps://chainventures.co[.]uk/.well-known/aas
dcf8f640dd7cc27d2399cce96b1cf4b75e3b9f2dfdf19cee0a170e5a6d2ce6b6

hxxp://download.asyncfox[.]xyz/download/xmrig.x86_64
23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066

hxxps://pastebin[.]com/raw/zw0gAmpC
ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72

hxxp://raw.githubusercontent[.]com/0x5a455553/MARIJUANA/master/MARIJUANA.php
0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef

hxxp://45.95.147[.]236/tmp.x86_64
6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc

hxxp://main.dsn[.]ovh/dns/pwer
bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7

hxxp://tangible-drink.surge[.]sh/configx.txt
de1114a09cbab5ae9c1011ddd11719f15087cc29c8303da2e71d861b0594a1ba

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 1-10 for all referenced threat actor tactics and techniques in this advisory.

Table 1: Reconnaissance

Technique Title	ID	Use
Active Scanning: Vulnerability Scanning	T1595.002	The threat actor scans websites for specific vulnerabilities to exploit.

Table 2: Resource Development

Technique Title	ID	Use
Acquire Infrastructure: Botnet	T1583.005	The threat actor establishes a botnet to identify and exploit victims.
Acquire Infrastructure: Web Services	T1583.006	The threat actor creates new AWS instances to use for scanning.

Table 3: Initial Access

Technique Title	ID	Use
Exploit Public-Facing Application	T1190	The threat actor exploits CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on websites via PHPUnit.

Table 4: Execution

Technique Title	ID	Use
Command and Scripting Interpreter: Python	T1059.006	The threat actor uses Androxgh0st, a Python-scripted malware, to target victim files.

Table 5: Persistence

Technique Title	ID	Use
Valid Accounts	T1078	The threat actor abuses the simple mail transfer protocol (SMTP) by exploiting exposed credentials.
Server Software Component: Web Shell	T1505.003	The threat actor deploys web shells to maintain persistent access to systems.
Create Account	T1136	The threat actor attempts to create new users and user policies with compromised AWS credentials from a vulnerable website.

Table 6: Defense Evasion

Technique Title	ID	Use
Obfuscated Files or Information: Command Obfuscation	T1027.010	The threat actor can exploit a successfully identified Laravel application key to encrypt PHP code, which is then passed to the site as a value in the XSRF-TOKEN cookie.

Table 7: Credential Access

Technique Title	ID	Use
Credential Access	TA0006	The threat actor can access the application key of the Laravel application on the site.
Unsecured Credentials: Credentials in Files	T1552.001	The threat actor targets .env files that contain confidential credential information.

Table 8: Discovery

Technique Title	ID	Use
File and Directory Discovery	T1083	The threat actor can identify URLs for files outside root directory through a path traversal attack.
Network Service Discovery	T1046	The threat actor uses Androxgh0st to abuse simple mail transfer protocol (SMTP) via scanning.

Table 9: Collection

Technique Title	ID	Use
Email Collection	T1114	The threat actor interacts with application programming interfaces (APIs) to gather information.

Table 10: Command and Control

Technique Title	ID	Use
Ingress Tool Transfer	T1105	The threat actor runs PHP code through a POST request to download malicious files to the system hosting the website.

MITIGATIONS

The FBI and CISA recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on Androxgh0st threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

These mitigations apply to all critical infrastructure organizations and network defenders. FBI and CISA recommend that software manufacturers incorporate secure by design principles and tactics into their software development practices, limiting the impact of actor techniques and strengthening their customers’ security posture. For more information on secure by design, see CISA’s Secure by Design webpage.

The FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by actors using Androxgh0st malware.

• Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
• Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible.
• Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from .env files and revoke them. All cloud providers have safer ways to provide temporary, frequently rotated credentials to code running inside a web server without storing them in any file.
• On a one-time basis for previously stored cloud credentials, and on an on-going basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the .env file for unauthorized access or use.
• Scan the server’s file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
• Review outgoing GET requests (via cURL command) to file hosting sites such as GitHub, pastebin, etc., particularly when the request accesses a .php file.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Tables 1-10).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REPORTING

The FBI encourages organizations to report information concerning suspicious or criminal activity to their local FBI field office. With regards to specific information that appears in this CSA, indicators should always be evaluated in light of an organization’s complete security situation.

When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Reports can be submitted to the FBI Internet Crime Complaint Center (IC3), a local FBI Field Office, or to CISA via its Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or (888) 282-0870.

RESOURCES

REFERENCES

1. Fortinet – FortiGuard Labs: Threat Signal Report: AndroxGh0st Malware Actively Used in the Wild

ACKNOWLEDGEMENTS

Amazon contributed to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.

VERSION HISTORY

January 16, 2024: Initial version.