Category: Homeland Security

Source: US Department of Homeland Security

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally.

Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instructs them to contact the ransomware group via a .onion URL (reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.

Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions. The authoring organizations urge HPH Sector and all critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from Black Basta and other ransomware attacks. Victims of ransomware should report the incident to their local FBI field office or CISA (see the Reporting section for contact information).

Download the PDF version of this report:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Initial Access

Black Basta affiliates primarily use spearphishing [T1566] to obtain initial access. According to cybersecurity researchers, affiliates have also used Qakbot during initial access.[1]

Starting in February 2024, Black Basta affiliates began exploiting ConnectWise vulnerability CVE-2024-1709 [CWE-288] [T1190]. In some instances, affiliates have been observed abusing valid credentials [T1078].

Discovery and Execution

Black Basta affiliates use tools such as SoftPerfect network scanner (netscan.exe) to conduct network scanning. Cybersecurity researchers have observed affiliates conducting reconnaissance using utilities with innocuous file names such as Intel or Dell, left in the root drive C: [T1036].[1]

Lateral Movement

Black Basta affiliates use tools such as BITSAdmin and PsExec, along with Remote Desktop Protocol (RDP), for lateral movement. Some affiliates also use tools like Splashtop, Screen Connect, and Cobalt Strike beacons to assist with remote access and lateral movement.

Privilege Escalation and Lateral Movement

Black Basta affiliates use credential scraping tools like Mimikatz for privilege escalation. According to cybersecurity researchers, Black Basta affiliates have also exploited ZeroLogon (CVE-2020-1472, [CWE-330]), NoPac (CVE-2021-42278 [CWE-20] and CVE-2021-42287 [CWE-269]), and PrintNightmare (CVE-2021-34527, [CWE-269]) vulnerabilities for local and Windows Active Domain privilege escalation [T1068].[1],[2]

Exfiltration and Encryption

Black Basta affiliates use RClone to facilitate data exfiltration prior to encryption. Prior to exfiltration, cybersecurity researchers have observed Black Basta affiliates using PowerShell [T1059.001] to disable antivirus products, and in some instances, deploying a tool called Backstab, designed to disable endpoint detection and response (EDR) tooling [T1562.001].[3] Once antivirus programs are terminated, a ChaCha20 algorithm with an RSA-4096 public key fully encrypts files [T1486]. A .basta or otherwise random file extension is added to file names and a ransom note titled readme.txt is left on the compromised system.[4] To further inhibit system recovery, affiliates use the vssadmin.exe program to delete volume shadow copies [T1490].[5]

Leveraged Tools

See Table 1 for publicly available tools and applications used by Black Basta affiliates. This includes legitimate tools repurposed for their operations.

Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Table 1: Tools Used by Black Basta Affiliates

Tool Name	Description
BITSAdmin	A command-line utility that manages downloads/uploads between a client and server by using the Background Intelligent Transfer Service (BITS) to perform asynchronous file transfers.
Cobalt Strike	A penetration testing tool used by security professions to test the security of networks and systems. Black Basta affiliates have used it to assist with lateral movement and file execution.
Mimikatz	A tool that allows users to view and save authentication credentials such as Kerberos tickets. Black Basta affiliates have used it to aid in privilege escalation.
PSExec	A tool designed to run programs and execute commands on remote systems.
PowerShell	A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
RClone	A command line program used to sync files with cloud storage services such as Mega.
SoftPerfect	A network scanner (netscan.exe) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH) and PowerShell. It also scans for remote services, registry, files, and performance counters.
ScreenConnect	Remote support, access, and meeting software that allows users to control devices remotely over the internet.
Splashtop	Remote desktop software that allows remote access to devices for support, access, and collaboration.
WinSCP	Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Black Basta affiliates have used it to transfer data from a compromised network to actor-controlled accounts.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 2–6 for all referenced threat actor tactics and techniques in this advisory.

Source: US Department of Homeland Security

WASHINGTON – As part of the Biden-Harris Administration’s continued efforts to enhance the security of our border and deliver more timely consequences for those encountered who do not have a legal basis to remain in the United States, today the Department of Homeland Security (DHS), through U.S. Citizenship and Immigration Services (USCIS), published a Notice of Proposed Rulemaking (NPRM) that would allow statutory bars to asylum to be applied much earlier in the process. Even though the number of migrants who are subject to these bars is small, this rule would enable DHS to more quickly remove those who are subject to the bars and pose a risk to our national security or public safety.

Federal law bars individuals who pose a national security or public safety risk from asylum and withholding of removal, specifically those who have been convicted of a particularly serious crime, participated in the persecution of others, are inadmissible on national security or terrorism-related grounds, or for whom there are reasonable grounds to deem them a danger to the security of the United States. While anyone who is deemed to pose a public safety threat is taken into custody, the asylum eligibility determination is not currently made until later in the process – at the merits adjudication stage of the asylum and withholding of removal claims. Today’s proposed rule would permit Asylum Officers to consider these bars to asylum and withholding of removal during initial credible fear screening, which happens just days after an individual is encountered. This will allow DHS to expeditiously remove individuals who pose a threat to the United States much sooner than is currently the case, better safeguarding the security of our border and our country.

“The proposed rule we have published today is yet another step in our ongoing efforts to ensure the safety of the American public by more quickly identifying and removing those individuals who present a security risk and have no legal basis to remain here,” said Secretary of Homeland Security Alejandro Mayorkas. “We will continue to take action, but fundamentally it is only Congress that can fix what everyone agrees is a broken immigration system.”

Noncitizens who present a national security or public safety risk remain in DHS custody while their cases are referred for full immigration hearings before an immigration judge, a process that can take years and is resource intensive. The proposed rule would allow Asylum Officers to issue denial of claims within days after an individual is encountered when there is evidence that the individual is barred from asylum because of a terrorism, national security, or criminal bar, thereby significantly shortening the overall time between encounter and removal from the United States.

In addition to this proposed rule and in close coordination with vetting and law enforcement partners, DHS is updating its policy and procedures regarding the use of classified information in immigration proceedings. This updated guidance clarifies the circumstances in which classified information should be used in immigration proceedings. Consistent with longstanding practice, DHS will continue to screen and vet individuals prior to their entry to the United States to identify national security or public safety threats and take appropriate action.

The Department also continues enforcing the Circumvention of Lawful Pathways (CLP) rule. This rule incentivizes the use of orderly processes and imposes swifter consequences for those without a legal basis to remain in the United States. Today, USCIS issued revised guidance to Asylum Officers to consider whether an asylum seeker could reasonably relocate to another part of the country of feared persecution when assessing claims of future persecution in all credible fear cases. Internal relocation has always been a part of an analysis of future claims of harm, and this new guidance, consistent with the CLP rule, will ensure early identification and removal of individuals who would ultimately be found ineligible for protection because of their ability to remain safe by relocating elsewhere in the country from which they fled.

The Biden-Harris Administration has already taken numerous actions to address migration challenges in the region and at our border, while overseeing a historic expansion of lawful pathways. These efforts, with partner countries in the region and across the world, have made a significant impact. From May 12, 2023 through May 1, 2024, DHS has removed or returned more than 720,000 individuals, the vast majority of whom crossed the Southwest Border, including more than 109,000 individual family members. That includes removals to 170 countries around the world. Total removals and returns since mid-May 2023 exceed removals and returns in every full fiscal year since 2011. DHS has also significantly expanded the capacity to conduct the credible fear interviews needed to ultimately remove those without a legal basis to stay in the United States.

The Administration again calls on Congress to pass needed reforms and provide DHS the resources and tools it needs to fully implement expedited processing of all individuals encountered at the border. The public is invited to submit comments on the NPRM during the 30-day public comment period from May 13, 2024 to June 12, 2024. 

Source: US Department of Homeland Security

From May 6-7, Senior Official Performing the Duties of the Deputy Secretary Kristie Canegallo joined Secretary of State Antony Blinken, White House National Security Council’s Marcela Escobari, and USAID Acting Assistant Administrator for Latin America and the Caribbean Michael Camilleri in Guatemala City, Guatemala to represent the United States Government at the third Los Angeles Declaration on Migration and Protection Ministerial. Over the course of the last two years, the Los Angeles Declaration has provided a framework for its signatories throughout the Americas to take action on shared goals including strengthening border enforcement, expanding lawful pathways, and addressing the root causes of migration.

On the margins of the ministerial, Senior Official Performing the Duties of Deputy Secretary Canegallo participated in bilateral and trilateral meetings with counterparts from several countries, including Guatemala, Costa Rica, Belize, Ecuador, and Mexico, to continue enhancing hemispheric cooperation across several areas including information sharing, coordinating enforcement measures, and attacking transnational criminal organizations. During a bilateral meeting with Costa Rican Foreign Affairs Minister Arnoldo André, the Department of Homeland Security signed an agreement establishing a Biometric Data Sharing Partnership and the Department of State signed a separate agreement on countering human trafficking—measures that will boost security for both our nations and for the hemisphere. Senior Official Performing the Duties of the Deputy Secretary Canegallo also participated in a Labor Mobility event, where she highlighted this Administration’s work to boost temporary worker visas, noting that the United States issued a record number of H-2B visas to workers from Central and South America in 2023. Ms. Canegallo emphasized that the United States will continue to work with foreign partners to advance hemispheric efforts that expand labor opportunities, safeguard human rights, and contribute to bolstering the national and regional economy.  The following is a detailed fact sheet outlining achievements of the Los Angeles Declaration and the work the region is leading on.

Fact Sheet: Third Ministerial Meeting on the Los Angeles Declaration On Migration and Protection in Guatemala

Nearly two years ago, in response to the historic challenge of migration and forced displacement, President Biden launched the Los Angeles Declaration on Migration and Protection, with 20 leaders from across the Western Hemisphere. The Los Angeles Declaration is a first-of-its-kind framework to promote coordinated action under three core pillars: (1) addressing root causes and supporting the integration of migrants to foster long-term stabilization; (2) expanding lawful pathways; and (3) strengthening humane enforcement.

On May 7, 2024, Guatemala hosted the third Los Angeles Declaration Ministerial with foreign ministers and senior representatives from 21 endorsing countries. Secretary of State Antony Blinken led the U.S. delegation, alongside White House Coordinator for the Los Angeles Declaration Marcela Escobari, Department of Homeland Security Senior Official Performing the Duties of the Deputy Secretary Kristie Canegallo, and USAID Acting Assistant Administrator for Latin America and the Caribbean Michael Camilleri. The United States is grateful for President Arévalo’s leadership in hosting the Ministerial.

On behalf of the United States, Secretary Blinken announced $578 million in humanitarian, development, and economic assistance to support partner countries and host communities in responding to urgent humanitarian needs, expanding lawful pathways, and supporting the regularization and integration of migrants. The United States also announced expanded enforcement partnerships to deter irregular migration, including increased consequences for the smuggling networks that prey on vulnerable migrants. The U.S. Government reiterated its commitment to work alongside partners to establish a permanent, regionally-driven Secretariat to ensure that coordinated progress is sustained under the Los Angeles Declaration.

The endorsing countries presented progress toward their commitments under the Los Angeles Declaration and announced the following new initiatives.

Strengthening Humane Enforcement

• The United States took steps on May 6 to impose visa restrictions on executives of several Colombian maritime transportation companies for facilitating irregular migration to the United States. These are part of a broader set of U.S. actions targeting owners, executives, and senior officials of companies providing transportation by land, sea, or charter air designed for use primarily by persons intending to irregularly migrate to the United States. Earlier restrictions were placed on individuals in the charter air sector.
• The International Air Transport Association and several of its member airlines committed to concerted action to limit the use of commercial flights for irregular migration.
• The United States and Costa Rica announced the establishment of a new Biometric Data Sharing Partnership to enhance Costa Rica’s biometric collection and matching, and strengthen its border management, thereby increasing safety and security in the region. The United States and Costa Rica also signed a memorandum of understanding outlining bilateral cooperation in countering trafficking in persons.
• The United States is deploying additional resources to Guatemala to increase security at land, air, and sea ports throughout the country, increasing screening and vetting in the region.
• The United States will expand public awareness of the CBP One™ mobile app among migrants seeking to enter the United States. From January 2023 through the end of March 2024, more than 547,000 individuals have used CBP One™ and presented themselves to a port of entry for processing, instead of risking their lives at the hands of smugglers.
• The United States leads the Countering Human Trafficking and Migrant Smuggling Action Package Committee under the Los Angeles Declaration, coordinating international efforts to target, investigate, arrest, and prosecute human smuggling organizations that are preying on vulnerable migrants.
• Partner countries reaffirmed their commitment to stem extracontinental irregular migration through increased use of transit visas, passenger vetting, and enforcement measures against entities and individuals that profit from irregular migration.

Expanding Lawful Pathways for Migration and Protection

• President Biden rebuilt our refugee resettlement program and led a historic expansion of lawful pathways to the United States and partner countries.  Under the President’s Safe Mobility Offices initiative to deter irregular migration and expand lawful pathways in the Western Hemisphere, we are on track to increase six-fold the number of approved refugees from the region.  Already, over 21,000 individuals have been approved to resettle safely and legally in the United States through the Safe Mobility Offices in Guatemala, Costa Rica, Colombia, and Ecuador.
• Guatemala and the United States announced that the Safe Mobility Offices in Guatemala will expand eligibility to include Hondurans, Salvadorans, and Nicaraguans present in Guatemala.
• Costa Rica and the United States announced that the Safe Mobility Offices in Costa Rica will expand eligibility to accept Ecuadorians.
• The United States reaffirmed its commitment to strengthening lawful pathways. Under the Cuba, Haiti, Nicaragua, Venezuela (CHNV) parole process, flows of irregular migrants from these four countries have been reduced significantly, while 435,000 vetted and cleared individuals of these nationalities have been approved to lawfully enter the United States. Applicants must have a U.S.-based financial supporter, pass vetting and background checks, and meet other established criteria to receive advanced travel authorization. Once paroled on a case-by-case basis, CHNV nationals are eligible to apply for work authorization and start work immediately.
• USAID announced plans to launch a new regional labor mobility initiative — “Alianza de Movilidad Laboral para las Américas” or “Labor Neighbors” — to increase access to lawful temporary labor pathways for new migrant-source and destination countries. The initiative will work with international organizations and other partners to provide technical assistance to countries across the region to identify eligible workers to meet pressing labor needs.
• The Department of Labor launched a $3 million project to strengthen protections for workers participating in U.S. temporary foreign worker programs. The United States also announced it is joining the International Labor Organization’s Fair Recruitment Initiative and its Advisory Committee. The initiative seeks to ensure that domestic and cross-border recruitment practices are grounded in international labor standards, promote gender equality, and prevent human trafficking and forced labor. These steps reinforce the Biden Administration’s Presidential Memorandum on Advancing Worker Empowerment, Rights, and High Labor Standards Globally and its steadfast commitment to protecting worker rights at home and around the world.
• Mexico announced that, since 2022, it has issued over 17,500 temporary visas to individuals seeking international protection to address labor shortages in the country. Additionally, Mexico has launched a pilot program in collaboration with the Haitian Embassy, International Organization for Migration, and the Tent Partnership to expand labor pathways, offering job opportunities and work permits to Haitian migrants.
• Costa Rica committed to continue modernizing its asylum system through digitalization, data-driven solutions, and adopting practices to streamline refugee status determination with support from UNHCR and the international community.  
• Canada confirmed it will take UNHCR referrals from the Safe Mobility Offices, as part of Canada’s ongoing commitment to this important initiative. Canada has also made significant progress on its commitment to welcome 15,000 migrants from the Americas region. Canada is also investing $75 million Canadian dollars over six years to fund capacity building projects to strengthen migration and protection systems in the region.

Addressing Root Causes and Supporting the Integration of Migrants to Foster Long-term Stabilization

• The United States reaffirmed its commitment to addressing the root causes of irregular migration. The U.S. International Development Finance Corporation is announcing the approval of a $20 million direct loan to Cosami, a savings and loan cooperative, for low-income mortgages in rural Guatemala. Cosami’s assistance will help finance the construction of borrowers’ first homes, helping to improve living conditions, create jobs, and promote economic growth in lower-income communities.
• With initial support from the U.S. Government, the International Organization for Migration launched a new online platform and data portal for the Los Angeles Declaration, which enables endorsing countries to obtain, share, and disseminate best practices and data.
• Ecuador announced that, under a new regularization program, those who have already registered will be able to complete their process to obtain a temporary resident visa and more migrants will be able to apply for a temporary visa.
• Colombia announced a plan for regularization of irregular migrants through special permits for parents and legal guardians of children with valid Temporary Protective Status. Colombia also announced a new special permanent visa for Latin American and Caribbean migrants without regular status in the country. The Colombian government estimates these actions will benefit up to 600,000 individuals.
• Costa Rica committed to expand the Special Temporary Category regularization pathway and reduce barriers to access with continued assistance from the international community.

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced voluntary commitments by 68 of the world’s leading software manufacturers to CISA’s Secure by Design pledge to design products with greater security built in.

“More secure software is our best hope to protect against the seemingly never-ending scourge of cyberattacks facing our nation. I am glad to see leading software manufacturers recognize this by joining us at CISA to build a future that is more secure by design,” CISA Director Jen Easterly said. “I applaud the companies who have already signed our pledge for their leadership and call on all software manufacturers to take the pledge and join us in creating a world where technology is safe and secure right out of the box.”

A list of the 68 companies, including leading software manufacturers, participating in the pledge can be found at the Secure by Design Pledge page, and statements of support for the pledge can be read here.

By catalyzing action by some of the largest technology manufacturers, the Secure by Design pledge marks a major milestone in CISA’s Secure by Design initiative. Participating software manufacturers are pledging to work over the next year to demonstrate measurable progress towards seven concrete goals. Collectively, these commitments will help protect Americans by securing the technology that our critical infrastructure relies on.

“A more secure by design future is indeed possible. The items in the pledge directly address some of the most pervasive cybersecurity threats we at CISA see today, and by taking the pledge software manufacturers are helping raise our national cybersecurity baseline,” CISA Senior Technical Advisor Jack Cable said. “Every software manufacturer should recognize that they have a responsibility to protect their customers, contributing to our national and economic security. I appreciate the leadership of those who signed on and hope that every technology manufacturer will follow suit.”

The seven goals of the pledge are:

• Multi-factor authentication (MFA). Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
• Default passwords. Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
• Reducing entire classes of vulnerability. Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
• Security patches. Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
• Vulnerability disclosure policy. Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.
• CVEs. Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.
• Evidence of intrusions. Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.

Each goal has core criteria which manufacturers are committing to work towards, in addition to context and example approaches to achieve the goal and demonstrate measurable progress. To enable a variety of approaches, software manufacturers participating in the pledge have the discretion to decide how best they can meet and demonstrate the core criteria of each goal, but progress should be demonstrated in public.

CISA’s global Secure by Design initiative, launched last year, implements the White House’s National Cybersecurity Strategy by shifting the cybersecurity burden away from end users and individuals to technology manufacturers who are most able to bear it. CISA urges software manufacturers to review CISA’s Secure by Design guidance and Secure by Design alerts to build security into their products.

To date, the following 68 companies have signed the pledge: 1touch.io, Akamai, Amazon Web Services, Apiiro, Armis, Automox, BigID, BlackBerry, Bugcrowd, Chainguard, Cisco, Claroty, Cloudflare, CrowdStrike, Cybeats, Resilience, ESET, Everfox, Finite State, Forescout, Fortinet, Gigamon, GitHub, GitLab, Google, Hewlett Packard Enterprise, HiddenLayer, HP, Huntress, IBM, Infoblox, InfoSec Global, Ivanti, Kiteworks, Lasso Security, Lenovo, Manifest, Microsoft, N-able, NetApp, Netgear, Okta, Palo Alto Networks, Pangea, Proofpoint, Qualys, Rapid7, Red Queen Dynamics, Scale AI, Secureworks, Securin, Security Compass, SentinelOne, Socket, Sonatype, Sophos, Tenable, ThreatQuotient, ThriveDX, Tidelift, Trellix, Trend Micro, Vanta, Veracode, Veritas Technologies LLC, Wiz, Xylem, and Zscaler.

Learn more about this voluntary pledge and sign it today by visiting: cisa.gov/securebydesign/pledge.

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) is pleased to launch We Can Secure Our World, the second PSA in its Secure Our World cybersecurity public awareness program. The PSA will be promoted widely across the U.S. on television, radio, digital ads, retail centers, social media platforms, and billboards throughout 2024. We Can Secure Our World builds on the success of CISA’s first ever public service announcement (PSA) which launched in September 2023.

A Pew Research Center survey conducted last year shows that 95% of American adults use the internet, 90% have a smartphone and 80% subscribe to high-speed internet at home. Additionally, the survey also reported nearly 70% of children and adolescents have been exposed to at least one cyber risk in the past year. With cyber threats increasing among Americans of all ages, CISA is working to empower all Americans to protect themselves from hackers getting into their devices through easy steps that anyone can do anywhere and anytime.

The Secure Our World cybersecurity public awareness program, initially launched in September 2023, with its first PSA receiving nearly 20,000 views on YouTube, and educational materials including “How to” videos and tip sheets, were downloaded approximately 50,000 times. CISA also had a video that aired at the NFL Experience in the week leading up to the Super Bowl. CISA had a Super Bowl-related social media campaign that garnered more than 200,000 views and reached audiences spanning America’s diverse population.

The Secure Our World program is designed to educate and empower individuals to take proactive steps in safeguarding their digital lives. Tapping into the nostalgia of beloved musical cartoon series from the 1970s and 1980s, the new PSA features lovable character Max from the first PSA and introduces “Joan the Phone” who teaches us how to stay safe online. Through engaging messaging encouraging simple steps to protect ourselves online, the program aims to raise awareness about the importance of cybersecurity and empower individuals to adopt best practices to mitigate online risks.

“Basic cyber hygiene prevents 98% of cyber attacks—why we’re on a mission to make cyber hygiene as common as brushing our teeth and washing our hands. BUT(!) “cyber” anything can seem overly technical and complicated to the vast majority of Americans from K through Gray—why we’re also on a mission to make such information more accessible,” said CISA Director Jen Easterly. “As someone who grew up with Saturday morning cartoons, I am super excited about what we’ve done with our new Secure Our World PSA to leverage a recognizable educational medium to promote cybersecurity best practices. We’re really excited to take public awareness of cyber safety to a whole new level of creativity.”

We encourage organizations large and small to join forces with CISA today to bolster cybersecurity awareness, empower individuals to take action, and drive adoption of critical behaviors, Together, let’s champion the cybersecurity basics: encourage the use of strong passwords and multi-factor authentication, recognize and report phishing attempts, and prioritize software updates. Our collaboration can have a far-reaching effect to protect individuals, businesses and critical infrastructure from cyber threats, promoting trust, resilience and security in the digital realm.

View the We Can Secure Our World PSA on CISA.gov.

Source: US Department of Homeland Security

WASHINGTON – Today, the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) announced changes to the Cyber Safety Review Board (CSRB) membership. With deep gratitude, four current members of the CSRB will depart and four new members will join the board. 

Departing members include:

• Katie Moussouris, Founder and CEO, Luta Security
• Chris Novak, Co-Founder and Managing Director, Verizon Threat Research Advisory Center
• Tony Sager, Senior Vice President and Chief Evangelist, Center for Internet Security, and
• Wendi Whitmore, Senior Vice President, Unit 42, Palo Alto Networks

Joining the CSRB:

• Jamil Jaffer, Venture Partner Paladin Capital Group and Founder and Executive Director, National Security Institute, George Mason University Scalia Law School
• David Luber, Director, Cybersecurity Directorate, NSA
• Katie Nickels, Senior Director of Intelligence Operations, Red Canary
• Chris Krebs, Chief Intelligence and Public Policy Officer, Sentinel One

David Luber will serve as the Federal CSRB representative from the NSA, replacing Rob Joyce upon his retirement. Joyce has been asked to continue to serve on the board as a private sector member.

“I can’t thank Katie, Chris, Tony, and Wendi enough for the outstanding contributions they’ve made as CSRB members. I am truly grateful for their service on the Board,” said CISA Director Jen Easterly.  “I am also very pleased to welcome Jamil, Dave, Katie, and Chris to the Board. I know their cybersecurity expertise and experience will be instrumental in the continuing evolution of the CSRB as a catalyst for positive change in the cybersecurity ecosystem.”

Robert Silvers, DHS Under Secretary for Policy, and Heather Adkins, Vice President for Security Engineering at Google, have been re-appointed as the Chair and Deputy Chair respectively for a second term by Easterly. 

“I send my sincere thanks to the departing members and welcome those who are beginning their service,” said Under Secretary Silvers. “The Cyber Safety Review Board will continue in its charge to conduct fact finding and develop lessons learned from the most serious cyber incidents.”

“It has been an honor to serve on the CSRB and I am looking forward to seeing the Board continue to evolve its important role in the cybersecurity ecosystem as we increase the security of the nation,” said Deputy Chair Adkins.  

Other returning members include:

• Dmitri Alperovitch, Co-Founder and Chairman, Silverado Policy Accelerator and Co-Founder and former CTO of CrowdStrike, Inc.
• Harry Coker, Jr., National Cyber Director, Office of the National Cyber Director
• Jerry Davis, Founder, Gryphon X
• Chris DeRusha, Federal Chief Information Security Officer, Office of Management and Budget
• Eric Goldstein, Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency
• Marshall Miller, Principal Associate Deputy Attorney General, Department of Justice
• John Sherman, Chief Information Officer, Department of Defense
• Bryan Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation

The CSRB conducts fact-finding and issues recommendations in the wake of major cyber incidents. The Board is made up of cybersecurity luminaries from the private sector and senior officials from DHS, CISA, the Department of Defense, the National Security Agency, the Department of Justice, the Federal Bureau of Investigation, the Office of the National Cyber Director, and the Office of Management and Budget.

As directed by President Biden through Executive Order 14028 Improving the Nation’s Cybersecurity, Secretary Mayorkas established the CSRB in February 2022. The Board is administered by CISA on behalf of the Secretary. The Board’s reviews are conducted independently, and its conclusions are independently reached. DHS and the CSRB are committed to transparency and will, whenever possible, release public versions of CSRB reports, consistent with applicable law and the need to protect sensitive information from disclosure.  

The Board’s reviews and other information about the CSRB can be found on the CSRB website.

###

Source: US Department of Homeland Security

WASHINGTON – Secretary of Homeland Security Alejandro N. Mayorkas issued the following statement on Microsoft’s announcement of security updates following recommendations from the Department of Homeland Security’s Cyber Security Review Board:

“We applaud Microsoft for its commitment to strengthen its security by embracing and acting upon the recommendations of the Cyber Safety Review Board and further advancing the company’s Secure Future Initiative. Microsoft’s full cooperation with the Board’s review helped create the tangible recommendations that will benefit not only Microsoft’s customers, but also the public at large that depends on the security of cloud services.  We look forward to continuing our work with Microsoft and other partners to strengthen the security of the cyber ecosystem on which we all depend.” 

###

Source: US Department of Homeland Security

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Low attack complexity
• Vendor: Delta Electronics
• Equipment: CNCSoft-G2 DOPSoft
• Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Delta Electronics CNCSoft-G2, a Human-Machine Interface (HMI) software, are affected:

• CNCSoft-G2: Versions 2.0.0.5 (with DOPSoft v5.0.0.93) and prior

3.2 Vulnerability Overview

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2024-4192 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ).

A CVSS v4 score has also been calculated for CVE-2024-4192. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Natnael Samson working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics recommends users update to CNCSoft-G2 v2.1.0.4 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• April 30, 2024: Initial Publication

Source: US Department of Homeland Security

WASHINGTON – Secretary of Homeland Security Alejandro N. Mayorkas issued the following statement on the National Security Memorandum (NSM) to secure and enhance the resilience of U.S. critical infrastructure, signed today by President Biden:

“Our nation’s critical infrastructure consists of the systems and services upon which Americans rely in their daily lives. From the banking system to the electric grid, from healthcare to our nation’s water systems and more, we depend on the safety and defense of our critical infrastructure as a matter of homeland and national security. President Biden’s new National Security Memorandum empowers the Department of Homeland Security to lead our government’s efforts, alongside our Administration partners, to better confront the increasingly complex and frequent threats facing our critical infrastructure.  Together, we will ensure America remains vigilant, secure, and resilient.”

###

Source: US Department of Homeland Security

WASHINGTON, DC – Today, the Department of Homeland Security (DHS) received a grade of “A+,” the highest grade possible on the Small Business Administration’s Fiscal Year (FY) 2023 Small Business Procurement Scorecard and was the largest federal agency to exceed all ten of the Scorecard’s small business prime and subcontracting goals. The Scorecard is an assessment tool that measures how well federal agencies meet their small business and socioeconomic prime contracting and subcontracting goals. This is the fifteenth consecutive fiscal year DHS has earned a grade of “A” or higher, starting in FY 2009.

“America’s small businesses are essential partners in equipping the Department’s workforce with the tools to fulfill our mission of protecting the homeland,” said the Senior Official Performing the Duties of the Deputy Secretary Kristie Canegallo. “We are proud of DHS’s 15 year record and are committed to ensure that it continues. This year’s “A+” rating achievement is the result of modernizing and streamlining our processes to meet our contracting goals.”

In FY 2023, DHS obligated $9.9 billion, the highest amount in the Department’s history, to small businesses. Over $4.7 billion was awarded to small, disadvantaged businesses– a result of the Department’s increased targeted small business outreach efforts, which include a focus on undeserved vendor communities. Notably, DHS awarded 38.21% of its total eligible contracting dollars to small businesses, greatly exceeding the government-wide prime goal of 23%.

“Our achievements are the result of collaboration between DHS leadership and the acquisition workforce,” said E. Darlene Bullock, DHS Executive Director, Office of Small and Disadvantaged Business Utilization. “DHS will continue to implement various programs and policies to support small business participation.”

For the second time in the Department’s history, DHS exceeded all ten small business prime and subcontracting goals, making it the largest federal agency with this record of achievement. “DHS’s sustained accomplishments on the SBA scorecard for the past 15 years truly highlight the Department’s efforts to partner with small businesses. We are proud of our efforts and look forward to continued excellence in this area,” said Paul Courtney, DHS Chief Procurement Officer.

Small businesses play an instrumental role in strengthening the capabilities of the Department and helping us protect our homeland. DHS is committed to maximizing opportunities for small businesses and will continue to partner with industry to increase diversity in our contractor community.

For more information about the Department’s small business program, visit Office of Small and Disadvantaged Business Utilization | Homeland Security (dhs.gov).