The FY 2025 Budget provides critical resources to combat terrorism, secure our borders, strengthen disaster resilience, continue investment in cybersecurity and promote the responsible use of artificial intelligence, and much more
DHS needs Congress to pass the Senate’s bipartisan border security agreement, enabling DHS to hire more CBP, ICE, and USCIS personnel and provide new tools to fix our broken immigration system and help secure the border
WASHINGTON – The Biden-Harris Administration today submitted to Congress the President’s Budget for Fiscal Year (FY) 2025, which provides $62.2 billion in discretionary funding for the Department of Homeland Security (DHS). In addition, the Budget provides $22.7 billion for the Disaster Relief Fund to respond to major disasters and emergencies, and $4.7 billion for the Southwest Border Contingency Fund to resource border security and immigration enforcement efforts along the Southwest border. When accounting for the effects of the Southwest Border Contingency Fund, the Budget request for DHS is an increase of 10 percent above FY 2023. The budget includes a Transportation Security Administration (TSA) fee proposal that, if enacted, would decrease the discretionary funding request by $1.6 billion.
However, DHS’s border security and immigration enforcement efforts along the Southwest border desperately require the additional funds requested by the Administration and included in the Senate’s bipartisan border security legislation, which would provide DHS with approximately $19 billion to fund additional personnel, facilities, repatriation capabilities, and other enforcement resources.
“The President’s Budget, in combination with the Senate’s bipartisan border security legislation, is vital to meeting the needs of our workforce and the challenges we face. The President’s Budget prioritizes staying ahead of the diverse and complex threats facing the homeland and highlights our unwavering dedication to protecting the security of the American people,” said Secretary of Homeland Security Alejandro N. Mayorkas. “This budget invests in our homeland security today and lays the groundwork to protect the American people well into the future. It supports efforts to advance the responsible use of Artificial Intelligence across DHS, as well as our work to protect against malicious cyber threats to Federal networks and critical infrastructure. The President’s Budget continues to invest in the security of our borders, even as we continue to call on Congress to pass the February bipartisan border security legislation to provide urgently needed resources and tools to our frontline personnel. It also includes funding to combat the trafficking of fentanyl and its precursors; protect the trade that is vital to our economic strength; build resilience to climate change and strengthen recovery from natural disasters; counter threats from the PRC and bolster our support for allies in the Indo-Pacific; and invest in the dedicated and professional workforce of the Department of Homeland Security.”
At the Department of Homeland Security, the Budget will:
Advance Our Mission to Combat Terrorism. The President’s Budget supports the Department’s continued efforts to combat terrorism, both domestically and abroad. The FY 2025 Budget funds the DHS Special Events Program, a critical program that gathers information on more than 57,000 special events, conducts risk assessments, coordinates Departmental and federal support for those events, and ensures that relevant information sharing occurs. The FY 2025 Budget provides $25.9 billion to meet the core budget requirements of U.S. Customs and Border Protection (CBP) and U.S. Immigration and Customs Enforcement (ICE). This funding would support CBP’s mission to protect the Nation from acts of terrorism and criminality with constant vigilance at and between the Nation’s ports of entry (POEs). It would also support ICE Homeland Security Investigations (HSI), the principal criminal investigative agency within DHS, in its responsibility to investigate, disrupt, and dismantle terrorist networks threatening or exploiting the customs and immigration laws of the United States. The President’s Budget also supports continued operational funding for the U.S. Coast Guard’s Maritime Security Operations, a mission program that encompasses activities to detect, deter, prevent, and disrupt terrorist attacks and other criminal acts in the maritime domain, including antiterrorism, response, and select recovery operations.
Help Secure the Border and Facilitate Lawful Trade and Immigration. The President’s Budget provides critical resources to secure our border while enforcing immigration laws that safeguard Americans from national security and public safety threats and support a humane, orderly immigration system. The Budget provides $25.9 billion to meet core budget requirements of CBP and ICE. This funding provides $2.5 billion to ICE-HSI to enhance investigative capabilities to combat Transnational Criminal Organizations that engage in the smuggling of humans, narcotics including fentanyl, firearms, and money. Additionally, the Budget invests $210 million to increase staffing capacity at the Southwest border, $86 million for CBP air and marine operational support, and $127 million for modernizing border security technology such as deploying new Integrated Surveillance Towers. The Budget also provides $145 million to U.S. Citizenship and Immigration Services to support timely processing of up to 125,000 refugee cases.
DHS reiterates previously submitted funding requests, on which Congress has failed to act, that are critical to securing the border, building immigration enforcement capacity, combating fentanyl, and addressing domestic needs such as natural disaster response. Among them is the October funding request, which includes $8.7 billion for border, immigration, and counter-fentanyl requirements and $9.2 billion for FEMA’s Disaster Relief Fund and Nonprofit Security Grant Program. Notably, the Administration’s border supplemental request includes funding to build capacity in the areas of border security, immigration enforcement, and countering fentanyl. DHS strongly supports the additional $19 billion in funding proposals included in the Senate’s bipartisan border legislation, which would, among other things, enable DHS to hire more CBP agents and officers, ICE enforcement and investigative personnel, and USCIS asylum officers, and provide new tools to bolster the Department’s efforts to secure and manage the border.
Invest in Cybersecurity Protection and Emergency Communications. The President’s Budget continues to support the Cybersecurity and Infrastructure Security Agency’s mission to secure cyberspace and protect against malicious threats capable of compromising and disrupting Federal networks and critical infrastructure. The Budget includes $3 billion for programs strengthening cybersecurity, infrastructure security, and emergency communications. Notably, $470 million is provided for the Continuous Diagnostics and Mitigation program that enhances the overall security posture of federal networks and $116 million towards implementing the Cyber Incident Reporting for Critical Infrastructure Act, which requires critical infrastructure entities to report cyberattacks.
Responsibly Deploy Artificial Intelligence (AI) Technology. The FY 2025 Budget includes $5 million for the Department’s Chief AI Officer (CAIO). The CAIO is responsible for setting priorities and directing policies and oversight for the responsible use of AI across DHS. To support this work, last month, the Department announced its first-ever hiring sprint to recruit 50 AI technology experts in 2024. The new DHS “AI Corps” will leverage this new technology across priority missions of the homeland security enterprise including efforts to counter fentanyl, combat child sexual exploitation and abuse, secure travel, fortify our critical infrastructure, enhance our cybersecurity, and deliver immigration services.
Invest in a Disaster-Resilient Nation. The President’s Budget continues to support the Federal Emergency Management Agency’s (FEMA) mission to help people before, during, and after disasters. In addition to the $22.7 billion allocated to the Disaster Relief Fund, the Budget provides $3.2 billion in FEMA grants to improve disaster resilience and preparedness strategies at the State, Local, Tribal, and Territorial government level. It also provides additional resources for community-wide climate resilience initiatives. This includes an increase of $51 million for Flood Hazard Mapping and Risk Analysis, which will further expand FEMA’s inventory of flood maps and use those maps to help communities better prepare for future conditions.
Protect the Homeland from Threats of Weapons of Mass Destruction. The President’s Budget supports the mission of the Countering Weapons of Mass Destruction Office (CWMD), which protects the country from chemical, biological, radiological, and nuclear (CBRN) threats. The Budget provides $418 million to CWMD for its mission. This includes $181 million to fund programs supporting public and private sector organizations to improve technical capabilities and increase knowledge of CBRN threats.
Increase Coast Guard Presence in the Indo-Pacific Region. The Budget provides $263 million to expand Coast Guard operations in the Indo-Pacific along three primary lines of effort: increased presence, maritime governance, and meaningful engagement. This investment supports acquisition of two Fast Response Cutters and increases training and engagement with partners, enabling the Service to transition from episodic to persistent presence in the region.
Modernize TSA Pay and Workforce Policies. The President’s Budget continues to improve security effectiveness and efficiency and honors previous commitments to the Transportation Security Administration’s (TSA) workforce to pay them at a level commensurate with their General Schedule federal counterparts. The Budget includes $1.5 billion to ensure TSA employees do not suffer a pay differential. In anticipation of an increase in aviation passenger volume in FY 2025, the Budget also provides $356 million for additional Transportation Security Officers to staff airport checkpoints and $90 million for Checkpoint Property Screening System programs to more reliably detect aviation threats.
Secure Special Events and the 2024 Presidential Campaign. The U.S. Secret Service (USSS) continuously evaluates threats and reallocates resources based on the changing threat environment. The Budget includes $70 million for Secret Service operations related to the 2024 Presidential Election to ensure the safety of major candidates, nominees, their spouses, and nominating conventions. It also provides USSS $16 million to procure necessary assets and personnel and to establish cross-agency communication centers for the 2026 FIFA World Cup. Finally, the Budget includes $19 million for other planned National Special Security Events (NSSEs) that the Secret Service is charged with protecting.
WASHINGTON – Today, Secretary of Homeland Security Alejandro N. Mayorkas released the following statement on the death of U.S. Border Patrol Agent Chris Luna and two National Guardsmen.
“We are devastated by the tragic death of Border Patrol Agent Chris Luna, a heroic public servant who lost his life Friday in a helicopter crash while on a Border Patrol mission in Texas. Two National Guardsmen were also killed, and one National Guardsman was seriously injured.
“Every single day, our Border Patrol Agents place themselves in harm’s way so that the rest of us can be safe and secure. My thoughts, and the deepest condolences of our Department, are with Agent Luna’s family, loved ones, and colleagues, and with those of the National Guardsmen who lost their lives. We hope for the injured servicemember’s swift recovery, and hold our National Guard colleagues and their families in our thoughts as well.”
WASHINGTON – Today, Secretary of Homeland Security Alejandro N. Mayorkas issued the following statement following U.S. District Judge Drew B. Tipton’s decision to allow the Biden-Harris Administration’s parole processes for Cubans, Haitians, Nicaraguans, and Venezuelans to continue.
“We are pleased that today’s court ruling means that the parole processes for individuals from Cuba, Haiti, Nicaragua, and Venezuela will continue. These processes — a safe and orderly way to reach the United States — have resulted in a significant reduction in the number of these individuals encountered at our southern border. It is a key element of our efforts to address the unprecedented level of migration throughout our hemisphere, and other countries around the world see it as a model to tackle the challenge of increased irregular migration that they too are experiencing.
“We will continue to deliver strengthened consequences for those who attempt to circumvent lawful pathways on land or at sea. Do not believe the lies of smugglers. Those who do not have a legal basis to remain in the United States will be subject to prompt removal, a minimum five-year bar on admission, and potential criminal prosecution for unlawful reentry. Migrants should continue to use safe and orderly lawful pathways and processes that have been expanded under the Biden-Harris Administration.”
Wildfire sensor technology aims to detect fires and alert earlier to save lives
WASHINGTON – The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and U.S. Fire Administration (USFA) – along with Hawaiʻi Governor Josh Green, M.D., Maui County Mayor Richard Bissen, and state of Hawai‘i Department of Defense Adjutant General Kenneth Hara – announced the planned deployment of 80 wildfire sensors and 16 wind sensors across the Hawaiian Islands. The initiative reflects the Department’s continued commitment to supporting long-term recovery efforts following the unprecedented August 2023 wildfires on Maui, Hawaiʻi and to driving innovative responses to extreme weather events. As wildfires become more frequent and severe, advanced sensors will allow first responders to suppress an initial blaze before it spreads and grant communities the time needed to make life-saving evacuation decisions.
“In the aftermath of the devastating wildfires that struck Maui last summer, the Biden-Harris Administration and the Department of Homeland Security vowed not just to help Hawaiʻi recover, but also to help safeguard it against the tragic destruction of another such fire,” said Secretary of Homeland Security Alejandro N. Mayorkas. “We continue to execute on that promise. Today we are deploying dozens of state-of-the-art fire and wind sensors in strategic locations across the Hawaiian Islands to enable local officials and firefighters to quickly target an initial blaze and initiate evacuation procedures. As wildfires and other climate change-driven challenges increase in frequency and severity, our Department will continue working every day to develop innovative solutions and deploy them across the country for the safety and security of our communities.”
“Wildfire risk continues to increase across the nation as we live through unprecedented heat waves and drought spurred by climate change,” said Federal Emergency Management Agency (FEMA) Administrator Deanne Criswell. “This collaboration between the U.S. Fire Administration, the Department of Homeland Security, and S&T to deploy these new wildfire and wind sensors is a huge step forward in the work we’re doing to prevent and mitigate against future wildfires in Hawaii. Ultimately, this technology will help our firefighters respond faster, save lives, and keep residents safe from future fire events.”
“We welcome this early alert system and are grateful to our federal partners for providing these wildfire and wind sensors to help keep our residents safe,” said Hawaiʻi Governor Josh Green. “We have seen how rapid and devastating wildfires can be. No community, in our islands or elsewhere, should ever have to experience so much suffering and loss. This technology will help save the lives of Hawaiʻi residents and visitors.”
“Reflecting on the tragedy our people have endured, fire mitigation remains at the forefront of our recovery efforts,” said Maui County Mayor Richard Bissen. “With this new technology, detecting fires at the very early phases will save lives. We are already exploring ways to rebuild Lahaina safer, and the introduction of an early detection system will give our emergency responders a critical advantage in protecting our community.”
“The wildfire challenge we face as a nation today, and the solutions to it, are complex,” said U.S. Fire Administrator Dr. Lori Moore Merrell. “Protecting our nation’s homeland against fire and hazardous threats requires continued collaborative research and development in the field of firefighting. The deployment of these sensors marks a major step forward in wildfire prevention and mitigation, enhancing our capabilities for predicting the incidence and spread of large-scale fires.”
“DHS S&T’s research and development is laying the groundwork for breakthroughs that have the potential to improve fire safety and firefighting efforts,” said Dr. Dimitri Kusnezov, Under Secretary for Science and Technology. “The sensors deployed today are more effective than traditional optical cameras or thermal imaging sensors as they ‘sniff’ out the fires as soon as they start. This announcement today reflects our continued commitment to utilizing the latest advancements in technology and data-driven insights to ensure communities have the resources needed to respond in real time to wildfires.”
Hawaiʻi will be the first location to receive the new Beta wildfire sensors developed by DHS S&T and USFA in coordination with small business N5 Sensors Inc. These wildfire detection sensors identify changes in conditions before wildfires start, providing 24-hour sensing and alerting capabilities. The sensors continuously transmit information and send an email or text notification to a pre-programmed contact when such changes are detected. The unit housing the sensors is small and compact, able to sit on a utility pole or a traffic light, and can work in all weather conditions.
DHS S&T, in collaboration with FEMA and USFA, undertook wildfire sensor research after a successful five-year effort to test and develop flood sensors. In 2023, the wildfire sensor initiative deployed 200 initial Alpha phase pilot sensors in collaboration with state and local government stakeholders throughout the U.S. and Canada. Those sensors continue to provide fire alerts and warnings and have collected over 1,000,000 hours of data in the field to enhance the Artificial Intelligence (AI) learning algorithms now being deployed in the Beta version, which requires less solar power to recharge, is equipped with wind sensors to increase the accuracy of wildfire location prediction, and has better ability to operate in areas with limited cellular coverage. The Department will deploy 200 Beta wildfire sensors to high-risk areas across the U.S. in 2024 for operational testing and evaluation, including the 80 sensors across the Hawaiian Islands. This first round of fire sensors is being provided at no cost to the state of Hawaiʻi.
DHS is driving federal efforts to prepare and equip communities to address the increased risk of fires and other natural disasters. In addition to deploying wildfire sensors, the Department is advancing research to increase the effectiveness and reliability of fire warnings, develop new types of personal protective equipment to keep our firefighters safe, and work on new capabilities for tracking and predicting fire behavior, among other initiatives. Learn more about the steps the Department has taken to promote wildfire preparedness and resilience at DHS.gov and S&T’s work on wildfire sensor technology at DHS.gov/Science-And-Technology.
WASHINGTON— Today, Secretary of Homeland Security Alejandro N. Mayorkas issued the following statement on President Biden’s State of the Union address:
“Tonight, President Biden recognized the incredible work the men and women of the Department of Homeland Security do every day, often at great personal risk, to help keep the American people safe and secure. We have made historic efforts to seize more fentanyl and bring more smugglers to justice than ever before. To further those efforts and save more lives, this Administration worked across party lines to negotiate the strongest border security bill in decades.
“I join President Biden and urge Congress to bring this bill to a vote. Only Congress can address our desperate need to hire more Border Patrol Agents and Officers and equip them with state-of-the-art security technology. Only Congress can provide the funds necessary to hire more asylum officers and immigration judges, charter more removal flights, and build more facilities.
“Congress must put partisan politics aside and work with this Administration to pass common-sense, effective solutions to the challenges at our border and across our country.”
Underscores Collaboration with the Open Source Community
WASHINGTON – Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) concluded a two-day Open Source Software (OSS) Security Summit convening OSS community leaders and announced key actions to help secure the open source ecosystem. Recognizing that OSS underpins the essential services and functions of modern life, the Summit sought to catalyze progress in advancing security of this critical ecosystem. This urgency was underscored by security flaws such as the Log4Shell vulnerability in 2021.
CISA Director Jen Easterly opened the summit with keynote remarks and was followed by a panel discussion with Office of National Cyber Director (ONCD) Assistant National Cyber Director for Technology Security Anjana Rajan, CISA Open Source Security Section Chief Aeva Black, and CISA Senior Technical Advisor Jack Cable. The summit also featured a tabletop exercise on open source vulnerability response and a roundtable discussion on package manager security.
During the summit, OSS community leaders, including open source foundations, package repositories, civil society, industry and federal agencies explored approaches to help strengthen the security of the open source infrastructure we all rely upon. As part of this collaborative effort, CISA announced several initial key actions that CISA will take to help secure the open source ecosystem in partnership with the open source community:
CISA, as detailed below, is working closely with package repositories to foster adoption of the Principles for Package Repository Security. Developed by CISA and the Open Source Security Foundation’s (OpenSSF) Securing Software Repositories Working Group, this recently published framework outlines voluntary security maturity levels for package repositories.
CISA has launched a new effort to enable voluntary collaboration and cyber defense information sharing with open source software infrastructure operators to better protect the open source software supply chain.
Materials from the summit’s tabletop exercise will be published by CISA so that the lessons learned can be used by any open source community to improve their vulnerability and incident response capabilities.
Additionally, five of the most widely used package repositories are taking steps in line with the Principles for Package Repository Security framework:
The Rust Foundation is working on implementing Public Key Infrastructure for the Crates.io package repository for mirroring and binary signing and plans to issue a Request for Comment. The Rust Foundation also published a detailed threat model for Crates.io and has created tooling to identify malicious activity. Further steps are highlighted in the Rust Foundation’s Security Initiative Report.
The Python Software Foundation is working to add additional providers to PyPI for credential-less publishing (“Trusted Publishing”), expanding support from GitHub to include GitLab, Google Cloud and ActiveState as well. Work is ongoing to provide an API and related tools for quickly reporting and mitigating malware, with the goal of increasing PyPI’s ability to respond to malware in a timely manner without consuming significant resources. Finally, the Python ecosystem is finalizing PEP 740 (“Index support for digital attestations”) to enable uploading and distributing digitally signed attestations and metadata used to verify these attestations on a Python package repository, like PyPI.
Packagist and Composer have recently introduced vulnerability database scanning and measures to prevent attackers from taking over packages without authorization. Further work to increase security in line with the Principles for Package Repository Security framework is in progress, and a thorough security audit of existing codebases will take place this year.
The package repository npm requires maintainers of high-impact projects to enroll in multifactor authentication. Additionally, npm has introduced tooling that allows maintainers to automatically generate package provenance and SBOMs, giving consumers of those open source packages the ability to trace and verify the provenance of dependencies.
Maven Central (maintained by Sonatype) is the largest open source repository for Java and JVM languages, and enforces validation and metadata requirements with clear namespaces. Since 2021, all staged repositories have automatically been scanned for vulnerabilities when published, and developers receive a report with any security issues. In 2024, Maven Central is transitioning publishers to a new publishing portal that has enhanced repository security, including planned support for multifactor authentication. Upcoming key initiatives include Sigstore implementation, Trusted Publishing evaluation, and access control on namespaces. This includes Maven Central benchmarking the maturity of its security processes against best practices, which will also guide backlog prioritization.
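The PyPI and npm items above both rest on the same consumer-side idea: a signed attestation names the exact artifact (by digest) and the build that produced it, and the installer checks the downloaded bytes against that claim before trusting the package. The following is an added example, not PyPI’s, npm’s or Sigstore’s own code, showing the checks that come after the signature over the attestation has been verified by the ecosystem client. It assumes an in-toto Statement v1 envelope with a SLSA provenance v1 predicate; the field layout under the predicate follows the layout GitHub-hosted builders emit as assumed here, and the artifact bytes, repository, ref and builder identifier are all constructed values.

```python
"""Consumer-side provenance check: bind downloaded bytes to a build attestation.

Added example (not npm/PyPI/Sigstore code). Envelope: in-toto Statement v1;
predicate: SLSA provenance v1, field layout as assumed here. Signature
verification over the statement is the ecosystem client's job and is out of scope.
"""
import hashlib
import json

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed stand-in for a downloaded package tarball (not a real package).
ARTIFACT_NAME = "example-package-1.2.3.tgz"
ARTIFACT = b"example-package-1.2.3 constructed sample contents\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed attestation: the subject digest is the digest of ARTIFACT, as a
# real build would record. Repository, ref and builder id are hypothetical.
STATEMENT_JSON = json.dumps({
    "_type": IN_TOTO_STATEMENT_V1,
    "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {"externalParameters": {"workflow": {
            "repository": "https://github.com/example-org/example-package",
            "ref": "refs/tags/v1.2.3",
        }}},
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
})

EXPECTED_REPO = "https://github.com/example-org/example-package"
TRUSTED_BUILDERS = {"https://github.com/actions/runner/github-hosted"}


class ProvenanceError(Exception):
    """The artifact cannot be bound to an acceptable build."""


def check_provenance(statement_json: str, artifact: bytes, artifact_name: str,
                     expected_repo: str, trusted_builders: set) -> dict:
    """Return the verified binding, or raise ProvenanceError."""
    st = json.loads(statement_json)
    if st.get("_type") != IN_TOTO_STATEMENT_V1:
        raise ProvenanceError(f"unexpected statement type: {st.get('_type')!r}")
    if st.get("predicateType") != SLSA_PROVENANCE_V1:
        raise ProvenanceError(f"unexpected predicate type: {st.get('predicateType')!r}")

    # Bind the bytes in hand to a subject by name AND digest: the same file
    # name with different contents must fail.
    actual = sha256_hex(artifact)
    matches = [s for s in st.get("subject", [])
               if s.get("name") == artifact_name
               and s.get("digest", {}).get("sha256", "").lower() == actual]
    if not matches:
        raise ProvenanceError("artifact not attested (no subject with matching name and sha256)")

    pred = st.get("predicate", {})
    try:
        workflow = pred["buildDefinition"]["externalParameters"]["workflow"]
        repo, ref = workflow["repository"], workflow.get("ref")
        builder = pred["runDetails"]["builder"]["id"]
    except KeyError as exc:
        raise ProvenanceError(f"provenance predicate missing field {exc}") from exc

    # A genuine attestation from the wrong source (a fork, a typosquat's own
    # repo) or from an untrusted builder is still a failure.
    if repo != expected_repo:
        raise ProvenanceError(f"built from {repo!r}, expected {expected_repo!r}")
    if builder not in trusted_builders:
        raise ProvenanceError(f"untrusted builder {builder!r}")
    return {"sha256": actual, "repository": repo, "ref": ref, "builder": builder}


def verify_sample() -> dict:
    """Happy path: constructed artifact matches its constructed attestation."""
    return check_provenance(STATEMENT_JSON, ARTIFACT, ARTIFACT_NAME,
                            EXPECTED_REPO, TRUSTED_BUILDERS)


def tampered_artifact_is_rejected() -> bool:
    """Same name, one extra byte: the digest binding must fail."""
    try:
        check_provenance(STATEMENT_JSON, ARTIFACT + b"x", ARTIFACT_NAME,
                         EXPECTED_REPO, TRUSTED_BUILDERS)
    except ProvenanceError:
        return True
    return False


def wrong_repository_is_rejected() -> bool:
    """A valid attestation from a different repository must fail."""
    try:
        check_provenance(STATEMENT_JSON, ARTIFACT, ARTIFACT_NAME,
                         "https://github.com/someone-else/example-package", TRUSTED_BUILDERS)
    except ProvenanceError:
        return True
    return False


if __name__ == "__main__":
    print(verify_sample())
    print("tampered rejected:", tampered_artifact_is_rejected())
    print("wrong repo rejected:", wrong_repository_is_rejected())
```

The ordering is deliberate: envelope and predicate types first so the later field lookups mean what the code assumes, then the digest binding, then the policy questions (which repository, which builder). A digest match alone is not enough, because an attacker who controls a fork can produce a perfectly valid attestation for their own build; the expected repository and trusted builder set are the consumer’s policy, not something the attestation can assert about itself.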
“Open Source Software is foundational to the critical infrastructure Americans rely on every day,” said CISA Director Jen Easterly. “As the national coordinator for critical infrastructure security and resilience, we’re proud to announce these efforts to help secure the open source ecosystem in close partnership with the open source community, and are excited for the work to come.”
“Open source software is a mission-critical foundation of cyberspace that the U.S. Government must continue to defend,” says Anjana Rajan, Assistant National Cyber Director for Technology Security. “Ensuring that we have a secure and resilient open source software ecosystem is a national security imperative, a technology innovation enabler, and an embodiment of our democratic values. As the chair of the Open Source Software Security Initiative (OS3I), ONCD is committed to ensuring this remains a priority for the Biden-Harris Administration and commends CISA’s leadership in convening this important forum.”
“OpenSSF’s mission is to improve the security of open source software. Package repositories are critical infrastructure for the open source community. We thank CISA for facilitating this Open Source Software (OSS) Security Summit to help secure package repositories. Through continued cooperation in activities such as this summit and the Principles for Package Repository Security, we will improve the security of open source package repositories for everyone,” said Omkhar Arasaratnam, General Manager, OpenSSF.
“Securing the open source software supply chain is crucial for protecting global economic infrastructure,” said Mike Milinkovich, Executive Director of the Eclipse Foundation. “CISA is working to improve open source security, focusing on both current issues and future application development. We’re proud to contribute to this vital work, helping CISA improve the global development ecosystem and supporting its vision for the future.”
“OSI and the Open Policy Alliance commend CISA for engaging with the open source software community and appreciate the opportunity to participate in this week’s Open Source Security Summit. Including less represented, small open source non-profits into the discussion will facilitate workable, practical policies and practices, building upon the strength of the collaborative model of Open Source,” said Deb Bryant, US Policy Director, Open Source Initiative.
The federal government has coordinated its efforts around open source software security through the ONCD Open Source Software Security Initiative. Last year, ONCD, CISA, the National Science Foundation, the Defense Advanced Research Projects Agency, and the Office of Management and Budget published a Request for Information (RFI) on open source software security and memory safe languages, which received more than 100 substantive responses. The issuing agencies are currently reviewing responses and will publish a summary of the RFI submissions.
In 2023, CISA released its Open Source Software Security Roadmap to help secure the federal government’s use of open source software and support the global open source ecosystem. It lays out four key goals: establishing CISA’s role in supporting the security of open source software, driving visibility into open source software usage and risks, reducing risks to the federal government, and hardening the open source software ecosystem. The actions announced today from the summit represent key steps in fulfillment of the Roadmap’s goals, including Objective 1.1. Partner With OSS Communities and Objective 1.2. Encourage Collective Action From Centralized OSS Entities.
Open source community members interested in getting involved with CISA’s work can contact OpenSource@cisa.dhs.gov.
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Disclaimer: CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked or referenced within this press release. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
WASHINGTON – Tomorrow, Super Tuesday, is one of the largest national-level election days of the year. Primary elections and caucuses are taking place across a number of states and one U.S. territory. As the federal agency responsible for supporting the efforts of state and local election officials to secure election infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) will host an Election Operations Center on Tuesday. The Election Operations Center brings together federal, state, and local election officials and the private sector to share real-time threat information related to election security. As always, CISA stands ready to provide technical security support to the election infrastructure community.
“While millions of Americans head to the polls for Super Tuesday, election officials have been preparing all year round to ensure a safe and secure election, and CISA has been right there supporting them,” said CISA Director Jen Easterly. “I want to express my gratitude for the state and local election officials and thousands of poll workers supporting elections across the country. They are public servants and heroes, and CISA is proud to stand shoulder to shoulder with them. It’s because of their efforts that the American people can have confidence in the security and resilience of the 2024 elections.”
Elections are administered at the state and local levels. CISA coordinates across the federal government and with the private sector to help ensure whole-of-nation support to those officials. CISA encourages all Americans to turn to their state and local election officials as the trusted sources of information about the election process in their state and for official election results.
For more information on CISA’s election security efforts, visit CISA.gov/Protect2024.
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Advisory provides guidance for detecting exploitation activity, recommended actions and mitigations, and novel post-exploitation findings
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC), United Kingdom’s National Cyber Security Centre (NCSC), Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment, and New Zealand’s National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT-NZ) released a Cybersecurity Advisory (CSA) today in response to the active exploitation of multiple vulnerabilities within Ivanti Connect Secure and Ivanti Policy Secure gateways.
The authoring organizations and industry partners have observed persistent targeting of these vulnerabilities by a variety of cyber threat actors. These vulnerabilities (CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893) can be used in a chain of exploits to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. In turn, exploitation of these vulnerabilities may allow lateral movement, data exfiltration, web shell deployment, credential theft (including domain administrator credentials), and persistent access on a target network.
This joint advisory provides technical details on observed tactics used by these threat actors and indicators of compromise to help organizations detect malicious activity. All organizations using these devices should assume a sophisticated threat actor could achieve persistence and may lay dormant for a period of time before conducting malicious activity. Organizations are urged to exercise due caution in making appropriate risk decisions when considering a virtual private network (VPN), to include whether to continue operating these Ivanti devices.
“Since initial disclosure of these vulnerabilities, CISA and our partners have urgently worked to provide actionable guidance and assist impacted victims. This includes an emergency directive to remove and rebuild vulnerable Ivanti devices to reduce risk to federal systems upon which Americans depend,” said CISA Executive Assistant Director Eric Goldstein. “Today’s joint advisory provides further details based upon industry partnerships, incident response findings and evaluations of the relevant products. Every organization using these products is strongly encouraged to adopt the actions outlined in this advisory.”
“The FBI and our partners are releasing this Cybersecurity Advisory so that organizations are able to protect themselves from malicious actors exploiting their networks,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “Private and public sector entities should follow the guidance included in this advisory to ensure these critical vulnerabilities are mitigated.”
“The continued targeting of widely used security applications and appliances speaks to the determination of cyber threat actors, with government entities and private organizations alike caught in the crosshairs. Implementing effective controls in areas like asset and vulnerability management, multi-factor authentication, and incident response planning are essential to operational resilience amid today’s fast-moving threat landscape,” said Randy Rose, VP, Security Operations & Intelligence, Center for Internet Security, Inc.
“We strongly urge all organisations to patch and take other recommended actions to address this vulnerability. We know it is subject to exploitation by malicious actors who use it to bypass authentication mechanisms and access restricted data on affected devices,” said the acting Head of the Australian Cyber Security Centre, Phil Winzenberg. “If your organisation is using these products, it’s crucial that the guidance in this advisory is implemented immediately, in particular I urge critical infrastructure operators to be alert to new risks.”
“We encourage organisations who have not already to take immediate action to mitigate vulnerabilities impacting affected Ivanti devices by following the recommended steps. This is particularly important for those organisations working across critical infrastructure, as we are aware of the active exploitation of some of these vulnerabilities,” said UK NCSC Chief Technology Officer Ollie Whitehouse. “The NCSC and our international partners also urge software manufacturers to embed secure by design principles into their practices to promote a positive security culture and help improve our collective resilience.”
“Today we join our partners across the Five Eyes to urge organizations in Canada and internationally to follow the advice included in today’s joint advisory as quickly as possible. These vulnerabilities can significantly impact organizations’ networks, emphasizing the need for organizations to implement resilient defence-in-depth mitigations and for manufacturers to prioritize secure by design engineering practices,” said Rajiv Gupta, Associate Head, Canadian Centre for Cyber Security.
“This advisory clearly shows that malicious actors are continuing to seek out, and actively exploit, vulnerabilities in commonly used technology and software”, said Rob Pope, Director CERT NZ, a part of New Zealand’s National Cyber Security Centre. “Businesses need to stay alert to these vulnerabilities and immediately follow all steps to mitigate or prevent attacks from happening. We strongly recommend that anyone working in the IT sector sign up for updates from their country’s cyber security agencies to stay ahead of the bad guys.”
To assist organizations with understanding the impacts of this threat, the joint advisory provides key findings from a variety of tests conducted by CISA from an attacker’s perspective.
With our partners, CISA recommends that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices. By aligning to these principles, we will reduce the prevalence and impact of avoidable vulnerabilities and insecure configurations that jeopardize the safety of organizations around the world.
All organizations are urged to review the advisory and implement recommended actions and mitigations.
The Cybersecurity and Infrastructure Security Agency (CISA) and the following partners (hereafter referred to as the authoring organizations) are releasing this joint Cybersecurity Advisory to warn that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. CISA and authoring organizations appreciate the cooperation of Volexity, Ivanti, Mandiant and other industry partners in the development of this advisory and ongoing incident response activities. Authoring organizations:
Federal Bureau of Investigation (FBI)
Multi-State Information Sharing & Analysis Center (MS-ISAC)
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
United Kingdom National Cyber Security Centre (NCSC-UK)
Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment
New Zealand National Cyber Security Centre (NCSC-NZ)
CERT-New Zealand (CERT NZ)
Of particular concern, the authoring organizations and industry partners have determined that cyber threat actors are able to deceive Ivanti’s internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise.
Cyber threat actors are actively exploiting multiple previously identified vulnerabilities—CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893—affecting Ivanti Connect Secure and Ivanti Policy Secure gateways. The vulnerabilities impact all supported versions (9.x and 22.x) and can be used in a chain of exploits to enable malicious cyber threat actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.
During multiple incident response engagements associated with this activity, CISA identified that Ivanti’s internal and previous external ICT failed to detect compromise. In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.
The authoring organizations encourage network defenders to (1) assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised, (2) hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory, (3) run Ivanti’s most recent external ICT, and (4) apply available patching guidance provided by Ivanti as version updates become available. If a potential compromise is detected, organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.
Based upon the authoring organizations’ observations during incident response activities and available industry reporting, as supplemented by CISA’s research findings, the authoring organizations recommend that the safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit-level persistence on a device that has been reset and lay dormant for an arbitrary amount of time. For example, as outlined in PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure, sophisticated actors may remain silent on compromised networks for long periods. The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.
This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques in Appendix C for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Overview
On January 10, 2024, Volexity reported on two vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways observed being chained to achieve unauthenticated remote code execution (RCE):[1]
Volexity first identified active exploitation in early December 2023, when they detected suspicious lateral movement [TA0008] on the network of one of their network security monitoring service customers. Volexity identified that threat actors exploited the vulnerabilities to implant web shells, including GLASSTOKEN and GIFTEDVISITOR, on internal and external-facing web servers [T1505.003]. Once successfully deployed, these web shells are used to execute commands on compromised devices.[1]
After Ivanti provided initial mitigation guidance in early January, threat actors developed a way to bypass those mitigations to deploy BUSHWALK, LIGHTWIRE, and CHAINLINE web shell variants.[2] Following the actors’ developments, Ivanti disclosed three additional vulnerabilities:
CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA that allows an attacker to access restricted resources without authentication.
CVE-2024-22024 is an XML vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and ZTA gateways that allows an attacker to access restricted resources without authentication.
CVE-2024-21888 is a privilege escalation vulnerability found in the web component of Ivanti Connect Secure and Ivanti Policy Secure. This vulnerability allows threat actors to gain elevated privileges to that of an administrator.
Observed Threat Actor Activity
CISA has responded to multiple incidents related to the above vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways. In these incidents, actors exploited these CVEs for initial access to implant web shells and to harvest credentials stored on the devices. Post-compromise, the actors moved laterally into domain environments and have been observed leveraging tools that are native to the Ivanti appliances—such as freerdp, ssh, telnet, and nmap libraries—to expand their access to the domain environment. The result, in some cases, was a full domain compromise.
During incident response investigations, CISA identified that Ivanti’s internal and external ICT failed to detect compromise. The organizations leveraged the integrity checker to identify file mismatches in Ivanti devices; however, CISA incident response analysis confirmed that both the internal and external versions of the ICT were not reliable due to the existence of web shells found on systems that had no file mismatches according to the ICTs. Additionally, forensic analysis showed evidence the actors were able to clean up their efforts by overwriting files, time-stomping files, and re-mounting the runtime partition to return the appliance to a “clean state.” This reinforces that ICT scans are not reliable to indicate previous compromise and can result in a false sense of security that the device is free of compromise.
As detailed in Appendix A, CISA conducted independent research in a lab environment validating that the ICT is likely insufficient for detecting compromise and that a cyber threat actor may be able to maintain root-level persistence despite issuing factory resets and appliance upgrades.
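The ICT failures described above are at heart a root-of-trust problem: the checker's reference data lives on the same appliance the actor controls, so an actor who can rewrite that data can make a tampered device look clean. The following Python model is an added illustration, not part of the advisory or of Ivanti's tooling; it builds a constructed miniature appliance using paths from Table 1 and shows an on-device manifest check passing after the manifest has been edited, while a baseline hashed from trusted media and kept off the device flags the modified module, the dropped files, and the manifest edits themselves. File contents, the manifest format, and the tampering steps are placeholders.

```python
"""Why an integrity check that trusts on-device data can be deceived, and how an off-device
baseline catches it. Constructed model for illustration: the file contents, the manifest format
and the tampering steps are placeholders, not Ivanti's ICT format or the real malware."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Appliance:
    """Miniature appliance: a path->content map plus the integrity manifest stored on the box."""
    files: dict[str, bytes]
    manifest: dict[str, str]  # path -> expected sha256; root on the device can rewrite this


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    return {path: sha256(content) for path, content in files.items()}


def make_clean_appliance() -> Appliance:
    # Paths come from Table 1 of the advisory; the contents are constructed placeholders.
    files = {
        "/home/perl/DSLogConfig.pm": b"package DSLogConfig;\n# legitimate module (constructed)\n",
        "/bin/sh": b"# constructed shell placeholder\n",
    }
    return Appliance(files=files, manifest=build_manifest(files))


def on_device_check(app: Appliance) -> list[str]:
    """ICT-style check that trusts the manifest living on the appliance itself.
    Reports files whose hash differs from the manifest and files the manifest does not list."""
    findings = [p for p, h in app.manifest.items() if sha256(app.files.get(p, b"")) != h]
    findings += [p for p in app.files if p not in app.manifest]
    return sorted(findings)


def simulate_tampering(clean: Appliance) -> Appliance:
    """Model of the evasion the advisory describes: modify a legitimate module, drop new files,
    then add or update manifest entries so the on-device check sees nothing out of place."""
    files = dict(clean.files)
    files["/home/perl/DSLogConfig.pm"] += b"# constructed marker standing in for injected code\n"
    files["/home/etc/sql/dsserver/sessionserver.pl"] = b"# constructed placeholder, dropped script\n"
    files["/bin/netmon"] = b"constructed placeholder for the dropped binary\n"
    manifest = dict(clean.manifest)
    for path in ("/home/perl/DSLogConfig.pm",
                 "/home/etc/sql/dsserver/sessionserver.pl",
                 "/bin/netmon"):
        manifest[path] = sha256(files[path])  # the evasion step: rewrite the checker's own data
    return Appliance(files=files, manifest=manifest)


def offline_check(app: Appliance, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Root-of-trust check: compare against a baseline hashed from trusted install media and
    stored OFF the appliance. The on-device manifest is treated as evidence, not as truth."""
    findings: list[tuple[str, str]] = []
    for path, expected in baseline.items():
        if path not in app.files:
            findings.append(("missing", path))
        elif sha256(app.files[path]) != expected:
            findings.append(("modified", path))
    for path in app.files:
        if path not in baseline:
            findings.append(("untracked", path))
    # The manifest is attacker-writable data, so diff it against the baseline as well.
    for path, recorded in app.manifest.items():
        if baseline.get(path) != recorded:
            findings.append(("manifest_tampered", path))
    return sorted(findings)


if __name__ == "__main__":
    clean = make_clean_appliance()
    baseline = build_manifest(clean.files)  # captured from trusted media, kept off-device
    tampered = simulate_tampering(clean)
    print("on-device check after tampering:", on_device_check(tampered) or "clean (deceived)")
    for kind, path in offline_check(tampered, baseline):
        print(f"offline baseline: {kind:17} {path}")
```

The same comparison applied to the on-device manifest is what makes the injected manifest entries visible; a checker that only reads that manifest has nothing to compare it against.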
INDICATORS OF COMPROMISE
See Tables 1 – 4 in Appendix B for IOCs related to cyber actors exploiting multiple CVEs related to Ivanti appliances.
For additional indicators of compromise, see:
Memory and disk forensics were used during forensic analysis, combined with the Integrity Checker Tool, to identify malicious files on the compromised Ivanti Connect Secure VPN appliance. This advisory provides a list of combined authoring organization IOCs and open source files identified by Volexity via network analysis.
Disclaimer: Some IP addresses in this advisory may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action such as blocking. Activity should not be attributed as malicious without analytical evidence to support it is used at the direction of, or controlled by, threat actors.
The authoring organizations encourage you to assess your organization’s user interface (UI) software and systems for evidence of compromise and to hunt for malicious activity using signatures outlined within this advisory. If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the Ivanti Connect Secure VPN appliance as well as executing arbitrary code and installing malicious payloads.
Note: These are vendor-managed appliances, and their systems may be encrypted with limited access. Collecting artifacts may therefore be limited on some appliance versions. In the absence of access to the Connect Secure appliance, the authoring organizations recommend investigating associated devices on the network to identify lateral movement.
If a potential compromise is detected, organizations should:
Quarantine or take offline potentially affected hosts.
Reimage compromised hosts.
Reset all credentials that may have been exposed during the compromise, including user and service accounts.
Identify Ivanti hosts with Active Directory (AD) access; threat actors can trivially export active domain administrator credentials during initial compromise. Until there is evidence to the contrary, it is assumed that AD access on compromised systems is connected to external authentication systems such as Lightweight Directory Access Protocol (LDAP) and AD.
Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
Note: Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.
Report the compromise to FBI Internet Crime Complaint Center (IC3) at IC3.gov, local FBI field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or 888-282-0870). State, local, tribal, or territorial government entities can also report to MS-ISAC (SOC@cisecurity.org or 866-787-4722). Organizations outside of the United States should contact their national cyber center. (See the Reporting section.)
MITIGATIONS
These mitigations apply to all critical infrastructure organizations and network defenders using Ivanti Connect Secure VPN and Ivanti Policy Secure. The authoring organizations recommend that software manufacturers incorporate Secure by Design principles and tactics into their software development practices. These principles and tactics can limit the impact of exploitation—such as threat actors leveraging newly discovered, unpatched vulnerabilities within Ivanti appliances—thus, strengthening the secure posture for their customers.
The authoring organizations recommend that organizations implement the mitigations below to improve their cybersecurity posture based on threat actor activity and to reduce the risk of compromise associated with Ivanti vulnerabilities. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
As organizations make risk decisions in choosing a VPN, to include decisions regarding continued operation of Ivanti Connect Secure and Policy Secure gateways, avoid VPN solutions that use proprietary protocols or non-standard features. VPNs as a class of devices carry some specific risks that a non-expert implementer may trigger (e.g., authentication integration and patching). When choosing a VPN, organizations should consider vendors who:
Provide a Software Bill of Materials (SBOM) to proactively identify, and enable remediation of, embedded software vulnerabilities, such as deprecated operating systems.
Allow a restore from trusted media to establish a root of trust. If the software validation tooling can be modified by the software itself, there is no way to establish a root of trust other than returning the device to the manufacturer (return material authorization [RMA]).
Are a CVE Numbering Authority (CNA) so that CVEs are assigned to emerging vulnerabilities in a timely manner.
Have a public Vulnerability Disclosure Policy (VDP) to enable security researchers to proactively share and disclose vulnerabilities through coordinated vulnerability disclosure (CVD).
Have in place a clear end-of-life policy (EoL) to prepare customers for updating to supported product versions.
Limit outbound internet connections from SSL VPN appliances to restrict access to required services. This will limit the ability of an actor to download tools or malware onto the device or establish outbound connections to command and control (C2) servers.
Ensure SSL VPN appliances configured with Active Directory or LDAP authentication use low privilege accounts for the LDAP bind.
Limit SSL VPN connections to unprivileged accounts only to help limit the exposure of privileged account credentials.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
Secure remote access tools.
Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies.
Use longer passwords consisting of at least 15 characters [CPG 2.B].
Store passwords in hashed format using industry-recognized password managers.
Add password user “salts” to shared login credentials.
In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how the controls perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (Appendix C).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
REPORTING
U.S. organizations should report every potential cyber incident to the U.S. government. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Reports can be submitted to the FBI’s Internet Crime Complaint Center (IC3), local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or (888) 282-0870.
The FBI encourages organizations to report information concerning suspicious or criminal activity to their local FBI Field Office.
Australian organizations that have been impacted or require assistance regarding Ivanti compromise should contact ASD’s ACSC via 1300 CYBER1 (1300 292 371) or by submitting a report to cyber.gov.au.
UK organizations that have been impacted by Ivanti compromise should report the incident to the National Cyber Security Centre.
Organizations outside of the United States or Australia should contact their national cyber center.
The information in this report is being provided “as is” for informational purposes only. CISA and authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and authoring organizations.
ACKNOWLEDGEMENTS
Volexity, Mandiant, and Ivanti contributed to this advisory.
VERSION HISTORY
February 29, 2024: Initial version.
APPENDIX A: CISA’S PRODUCT EVALUATION FINDINGS
Research Approach
As part of ongoing efforts to effectively serve the cybersecurity community with actionable insights and guidance, CISA conducted research using a free and downloadable version of the Ivanti Connect Secure virtual appliance to assess potential attack paths and adversary persistence mechanisms. The virtual appliances were not connected to the internet and were deployed in a closed virtualized network with a non-internet-connected Active Directory. This research included a variety of tests on version 22.3R1 Build 1647, connected to Active Directory credentials, to leverage the access obtained through CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893. Put simply, CISA’s research team wanted to answer the question: “How far could an attacker go if they were to exploit these CVEs remotely?”
Persistent Post-Reset and -Upgrade Access
Leveraging these vulnerabilities, CISA researchers were able to exfiltrate domain administrator cleartext credentials [TA0006], gain root-level persistence [TA0003], and bypass integrity checks used by the Integrity Checker application. CISA’s Incident Response team observed these specific techniques leveraged during the agency’s incident response engagements, along with the native tools and libraries to conduct internal reconnaissance and compromise domains behind the Ivanti appliances. CISA researchers assess that threat actors are able to use the credentials to move deeper into the environment.
The ability to exfiltrate domain administrator cleartext credentials, if saved when adding an “Active Directory Authentication server” during setup, was accomplished by using the root-level access obtained from the vulnerabilities to interface directly with the internal server and retrieve the cached credentials, as shown in Figure 4, APPENDIX A. Users who currently have active sessions to the appliance could have their base64-encoded Active Directory cleartext passwords, in addition to their New Technology LAN Manager (NTLM) password hashes, retrieved with the same access, as shown in Figure 10, APPENDIX A. In addition to users with active sessions, users previously authenticated can have base64-encoded Active Directory plaintext passwords and NTLM hashes harvested from the backups of the data.mdb database files stored on the appliance, as shown in Figures 15 and 16, APPENDIX A.
The root-level access allows adversaries to maintain persistence despite issuing factory resets and appliance upgrades while deceiving the provided integrity checkers, creating the illusion of a clean installation. Because the persistence mechanism is stored on the encrypted partition of the drive and the integrity check results are inaccurate, it is untenable for network administrators to validate that their appliance has not been compromised without also decrypting the partition and validating against a clean installation of the appliance, which are actions not easily accomplished at present. Without major alterations to the integrity checking process, it is conceivable that new vulnerabilities affording root-level access to the appliance could also result in rootkit-level persistence on the appliance.
Below is the proof of concept released by CISA, which demonstrates the capacity of and opportunity for a threat actor to exfiltrate Domain Administrator credentials that were used during appliance configuration:
Figure 1: Ivanti Domain Join Configuration with “Save Credentials”
Figure 2: CVE-2023-46805 Exploitation for Reverse Netcat Connection
Figure 3: Upgrade Netcat Connection to Sliver Implant
Figure 4: Leverage Sliver Implant to Run Perl Script for Retrieval of Cached Domain Administrator Credentials
Below is a demonstration of the capacity for post exploitation exfiltration of base64 encoded cleartext credentials for active directory users and their associated NTLM password hashes:
Figure 5: Configuration of User Realm
Figure 6: User Realm Configuration to Domain
Figure 7: Configuration of User Realm Mapping
Figure 8: Login as “vpnuser1” to Establish an Active Session
Figure 9: Using Sliver Implant as Shown in Figure 3, Execute Perl Script to Retrieve base64 Encoded Cleartext Password and NTLM Password Hash for Authenticated User
Figure 10: Decode base64 Encoded Blob to Display User’s Plaintext Credentials
Figure 11: Using Mimikatz, Validate NTLM Password Hash Obtained in Figure 10 Matches Active Directory User Credential Hash
Figure 12: Inactive Sessions for “vpnuser2” and “vpnuser3” Appear in Server Logs
Figure 13: Exfiltrate “lmdb/data” and “lmdb-backup/data” data.mdb Database Files Containing Credentials for Active and Inactive Sessions
Figure 14: Parse Database Files to Disclose base64 Encoded Plaintext Credentials from LMDB Database Files
Figure 15: Parse Database Files to Disclose NTLM Hashes from LMDB Database Files
Figure 16: Parse Backup Database Files to Disclose Additional base64 Encoded Plaintext Credentials from LMDB-Backup Database Files
Figure 17: Decode Credentials from LMDB-Backup Database Files
Figure 18: Parse Database Files to Disclose NTLM Hashes for Additional Users from LMDB-Backup Database Files
APPENDIX B: INDICATORS OF COMPROMISE
Table 1: Ivanti Connect Secure VPN Indicators of Compromise (columns: Filename, Description, Purpose)

Filename: /home/perl/DSLogConfig.pm
  Description: Modified Perl module.
  Purpose: Designed to execute sessionserver.pl.

Filename: /usr/bin/a.sh
  Description: gcore.in core dump script.

Filename: /bin/netmon
  Description: Sliver binary.

Filename: /home/venv3/lib/python3.6/site-packages/*.egg
  Description: Python package containing WIREFIRE among other files.

Filename: /home/etc/sql/dsserver/sessionserver.pl
  Description: Perl script to remount the filesystem with read/write access.
  Purpose: Makes sessionserver.sh executable, executes it, then restores the original mount settings.

Filename: /home/etc/sql/dsserver/sessionserver.sh
  Description: Script executed by sessionserver.pl.
  Purpose: Uses regular expressions to modify compcheckresult.cgi to insert a web shell into it; also creates a series of entries in files associated with the in-built Integrity Checker Tool to evade detection when periodic scans are run.

Filename: (missing from this table)
  Description: Modified legitimate component of the ICS VPN appliance, with new Perl module imports added and a one-liner to execute commands based on request parameters.
  Purpose: Allows remote code execution over the Internet if the attacker can craft a request with the correct parameters.
Cyber actors leverage code execution from request parameters that are decoded from hex to base64 decoded, then passed to Assembly.Load(). Which is used to execute arbitrary powershell commands.
Cyber actors will exploit software vulnerabilities such as command-injection and achieve unauthenticated remote code execution (RCE).
APPENDIX D: DETECTION METHODS
rule apt_webshell_pl_complyshell: UTA0178
{
    meta:
        author = "threatintel@volexity.com"
        date = "2023-12-13"
        description = "Detection for the COMPLYSHELL webshell."
        hash1 = "8bc8f4da98ee05c9d403d2cb76097818de0b524d90bea8ed846615e42cb031d2"
        os = "linux"
        os_arch = "all"
        report = "TIB-20231215"
        scan_context = "file,memory"
        last_modified = "2024-01-09T10:05Z"
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
        rule_id = 9995
        version = 4
    strings:
        $s = "eval{my $c=Crypt::RC4->new("
    condition:
        $s
}

rule apt_webshell_aspx_glasstoken: UTA0178
{
    meta:
        author = "threatintel@volexity.com"
        date = "2023-12-12"
        description = "Detection for a custom webshell seen on external facing server. The webshell contains two functions, the first is to act as a Tunnel, using code borrowed from reGeorg, the second is custom code to execute arbitrary .NET code."
        hash1 = "26cbb54b1feb75fe008e36285334d747428f80aacdb57badf294e597f3e9430d"
        os = "win"
        os_arch = "all"
        report = "TIB-20231215"
        scan_context = "file,memory"
        last_modified = "2024-01-09T10:08Z"
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
        rule_id = 9994
        version = 5
    condition:
        for any i in (0..#s1): ( $re in (@s1[i]..@s1[i]+512) )
}

rule webshell_aspx_regeorg
{
    meta:
        author = "threatintel@volexity.com"
        date = "2018-08-29"
        description = "Detects the reGeorg webshell based on common strings in the webshell. May also detect other webshells which borrow code from ReGeorg."
        hash = "9d901f1a494ffa98d967ee6ee30a46402c12a807ce425d5f51252eb69941d988"
        os = "win"
        os_arch = "all"
        reference = "https://github.com/L-codes/Neo-reGeorg/blob/master/templates/tunnel.aspx"
        report = "TIB-20231215"
        scan_context = "file,memory"
        last_modified = "2024-01-09T10:04Z"
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
        rule_id = 410
        version = 7
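As an added example (not part of the advisory and not Volexity's code), the following Python sweep applies the Table 1 file paths from Appendix B and the single string from the apt_webshell_pl_complyshell rule above to a file listing; the listing, its paths and its contents are constructed for the demonstration, and a real run would walk a forensic image or mounted snapshot instead of a dict.

```python
"""Offline IOC sweep: Appendix B paths plus the COMPLYSHELL YARA string.
Added example, not code from the advisory; sample files are constructed."""
import fnmatch
from typing import Dict, List, Tuple

# Filenames from Table 1 (Appendix B). The *.egg entry is a shell-style glob.
IOC_PATHS = [
    "/home/perl/DSLogConfig.pm",
    "/usr/bin/a.sh",
    "/bin/netmon",
    "/home/venv3/lib/python3.6/site-packages/*.egg",
    "/home/etc/sql/dsserver/sessionserver.pl",
    "/home/etc/sql/dsserver/sessionserver.sh",
]

# The one string ($s) in rule apt_webshell_pl_complyshell (Appendix D).
COMPLYSHELL_MARKER = b"eval{my $c=Crypt::RC4->new("


def sweep(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for every IOC hit in `files`.

    `files` maps an appliance path to its raw content. A path is reported at
    most once for a path match and once more if its content carries the
    COMPLYSHELL string, so a dropped-in file that also matches by name yields
    two reasons.
    """
    hits: List[Tuple[str, str]] = []
    for path, content in files.items():
        for pattern in IOC_PATHS:
            if fnmatch.fnmatch(path, pattern):
                hits.append((path, f"path matches IOC {pattern}"))
                break
        if COMPLYSHELL_MARKER in content:
            hits.append((path, "content matches apt_webshell_pl_complyshell"))
    return hits


# Constructed sample listing: two IOC paths, one CGI carrying the webshell
# string (hypothetical path), and one benign module.
SAMPLE_FILES = {
    "/home/perl/DSLogConfig.pm": b"package DSLogConfig; use sessionserver;",
    "/home/venv3/lib/python3.6/site-packages/foo-1.0.egg": b"PK\x03\x04",
    "/home/webserver/htdocs/sample.cgi": b"eval{my $c=Crypt::RC4->new($k);",
    "/home/perl/Legit.pm": b"package Legit; 1;",
}

if __name__ == "__main__":
    for hit_path, reason in sweep(SAMPLE_FILES):
        print(f"{hit_path}: {reason}")
```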
From February 27 to February 29, the Senior Official Performing the Duties of the Deputy Secretary Kristie Canegallo and Indian Home Secretary Ajay Bhalla met in New Delhi to co-chair the U.S.-India Homeland Security Dialogue. The Homeland Security Dialogue deepens the strategic partnership between the United States and India on issues ranging from counternarcotics cooperation and Customs-to-Customs collaboration, to combatting terrorism and cybercrime and addressing irregular migration.
During the meeting, the leaders reaffirmed the commitment of the United States and India to strengthen access to lawful immigration pathways while enforcing immigration law to include returns of individuals who do not have a legal basis to remain in the United States. They also agreed to work together to expand law enforcement cooperation to target smugglers who prey and profit on vulnerable migrants.
The Homeland Security Dialogue acknowledged the work of the U.S.-India Counternarcotics Working Group, which guides our joint efforts to address drug regulatory issues, law enforcement cooperation and collaboration, coordination in multilateral fora, and drug demand reduction efforts. The leaders reaffirmed the need to deepen information sharing efforts to prevent diversion of pharmaceuticals and other chemicals of concern used as precursors for illicit fentanyl and other illicit synthetic drugs.
At the conclusion of the Dialogue, the leaders signed a Memorandum of Cooperation to expand law enforcement collaboration between the United States and India. The new Memorandum between the Federal Law Enforcement Training Centers and India’s National Police Academy institutionalizes police training cooperation between our governments through the sharing of best practices and joint programming.
DHS looks forward to building upon these productive discussions and commitments as we continue working to strengthen our partnership with India to further our shared security interests.