Category: US Department of Homeland Security

Source: US Department of Homeland Security

Summary

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory to warn network defenders of Iranian cyber actors’ use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors. The actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals.

Since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access. The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity.

This advisory provides the actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). The information is derived from FBI engagements with entities impacted by this malicious activity.

The authoring agencies recommend critical infrastructure organizations follow the guidance provided in the Mitigations section. At a minimum, organizations should ensure all accounts use strong passwords and register a second form of authentication.

Download the PDF version of this report:

For a downloadable list of IOCs, see:

Technical Details

Note: This advisory uses the MITRE ATT&CK^® for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section in Appendix A for a table of the actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Overview of Activity

The actors likely conduct reconnaissance operations to gather victim identity [T1589] information. Once obtained, the actors gain persistent access to victim networks frequently via brute force [T1110]. After gaining access, the actors use a variety of techniques to further gather credentials, escalate privileges, and gain information about the entity’s systems and network. The actors also move laterally and download information that could assist other actors with access and exploitation.

Initial Access and Persistence

The actors use valid user and group email accounts [T1078], frequently obtained via brute force such as password spraying [T1110.003] although other times via unknown methods, to obtain initial access to Microsoft 365, Azure [T1078.004], and Citrix systems [T1133]. In some cases where push notification-based MFA was enabled, the actors send MFA requests to legitimate users seeking acceptance of the request. This technique—bombarding users with mobile phone push notifications until the user either approves the request by accident or stops the notifications— is known as “MFA fatigue” or “push bombing” [T1621].

Once the threat actors gain access to an account, they frequently register their devices with MFA to protect their access to the environment via the valid account:

• In two confirmed compromises, the actors leveraged a compromised user’s open registration for MFA [T1556.006] to register the actor’s own device [T1098.005] to access the environment.
• In another confirmed compromise, the actors used a self-service password reset (SSPR) tool associated with a public facing Active Directory Federation Service (ADFS) to reset the accounts with expired passwords [T1484.002] and then registered MFA through Okta for compromised accounts without MFA already enabled [T1556] [T1556.006].

The actors frequently conduct their activity using a virtual private network (VPN) service [T1572]. Several of the IP addresses in the actors’ malicious activity originate from exit nodes tied to the Private Internet Access VPN service.

Lateral Movement

The actors use Remote Desktop Protocol (RDP) for lateral movement [T1021.001]. In one instance, the actors used Microsoft Word to open PowerShell to launch the RDP binary mstsc.exe [T1202].

Credential Access

The actors likely use open-source tools and methodologies to gather more credentials. The actors performed Kerberos Service Principal Name (SPN) enumeration of several service accounts and received Kerberos tickets [T1558.003]. In one instance, the actors used the Active Directory (AD) Microsoft Graph Application Program Interface (API) PowerShell application likely to perform a directory dump of all AD accounts. Also, the actors imported the tool [T1105] DomainPasswordSpray.ps1, which is openly available on GitHub [T1588.002], likely to conduct password spraying. The actors also used the command Cmdkey /list, likely to display usernames and credentials [T1555].

Privilege Escalation

In one instance, the actors attempted impersonation of the domain controller, likely by exploiting Microsoft’s Netlogon (also known as ”Zerologon”) privilege escalation vulnerability (CVE-2020-1472) [T1068].

Discovery

The actors leverage living off the land (LOTL) to gain knowledge about the target systems and internal networks. The actors used the following Windows command-line tools to gather information about domain controllers [T1018], trusted domains [T1482], lists of domain administrators, and enterprise administrators [T1087.002] [T1069.002] [T1069.003]:

• Nltest /dclist
• Nltest /domain_trusts
• Nltest /domain_trusts/all_trusts
• Net group “Enterprise admins” /domain
• Net group “Domain admins” /domain

Next, the actors used the following Lightweight Directory Access Protocol (LDAP) query in PowerShell [T1059.001]to search the AD for computer display names, operating systems, descriptions, and distinguished names [T1082].

                                           $i=0
                                           $D= [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
                                           $L='LDAP://' . $D
                                           $D = [ADSI]$L
                                           $Date = $((Get-Date).AddDays(-90).ToFileTime())
                                           $str = '(&(objectcategory=computer)(operatingSystem=*serv*)(|(lastlogon>='+$Date+')(lastlogontimestamp>='+$Date+')))'
                                           $s = [adsisearcher]$str
                                           $s.searchRoot = $L.$D.distinguishedName
                                           $s.PropertiesToLoad.Add('cn') > $Null
                                           $s.PropertiesToLoad.Add('operatingsystem') > $Null
                                           $s.PropertiesToLoad.Add('description') > $Null
                                           $s.PropertiesToLoad.Add('distinguishedName') > $Null
                                           Foreach ($CA in $s.FindAll()) {
                                                         Write-Host $CA.Properties.Item('cn')
                                                         $CA.Properties.Item('operatingsystem')
                                                         $CA. Properties.Item('description')
                                                         $CA.Properties.Item('distinguishedName')
                                                         $i++
                                           }
                                           Write-host Total servers: $i

Command and Control

On one occasion, using msedge.exe, the actors likely made outbound connections to Cobalt Strike Beacon command and control (C2) infrastructure [T1071.001].

Exfiltration and Collection

In a couple instances, while logged in to victim accounts, the actors downloaded files related to gaining remote access to the organization and to the organization’s inventory [T1005], likely exfiltrating the files to further persist in the victim network or to sell the information online.

Detection

To detect brute force activity, the authoring agencies recommend reviewing authentication logs for system and application login failures of valid accounts and looking for multiple, failed authentication attempts across all accounts.

To detect the use of compromised credentials in combination with virtual infrastructure, the authoring agencies recommend the following steps:

• Look for “impossible logins,” such as suspicious logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the user’s expected geographic location.
• Look for one IP used for multiple accounts, excluding expected logins.
• Look for “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses with significant geographic distance (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the period between the logins). Note: Implementing this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting into networks.
• Look for MFA registrations with MFA in unexpected locales or from unfamiliar devices.
• Look for processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the ntds.dit file from a domain controller.
• Look for suspicious privileged account use after resetting passwords or applying user account mitigations.
• Look for unusual activity in typically dormant accounts.
• Look for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.

Mitigations

The authoring agencies recommend organizations implement the mitigations below to improve organizations’ cybersecurity posture based on the actors’ TTPs described in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA. The CPGs, which are organized to align to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, are a subset of cybersecurity practices, aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. These voluntary CPGs strive to help small- and medium-sized organizations kick-start their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

• Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT helpdesk password procedures may not align to company policy for user verification or password strength, creating a security gap. Avoid common passwords (e.g. “Spring2024” or “Password123!”).
• Disable user accounts and access to organizational resources for departing staff [CPG 2.D]. Disabling accounts can minimize system exposure, removing options actors can leverage for entry into the system. Similarly, create new user accounts as close as possible to an employee’s start date.
• Implement phishing-resistant MFA [CPG 2.H]. See CISA’s resources Phishing-Resistant Multifactor Authentication and More than a Password for additional information on strengthening user credentials.
• Continuously review MFA settings to ensure coverage over all active, internet-facing protocols to ensure no exploitable services are exposed [CPG 2.W].
• Provide basic cybersecurity training to users [CPG 2.I] covering concepts such as:
  • Detecting unsuccessful login attempts [CPG 2.G].
  • Having users deny MFA requests they have not generated.
  • Ensuring users with MFA-enabled accounts have MFA set up appropriately.
• Ensure password policies align with the latest NIST Digital Identity Guidelines.
  • Meeting the minimum password strength [CPG 2.B] by creating a password using 8-64 nonstandard characters and long passphrases, when possible.
• Disable the use of RC4 for Kerberos authentication.

These mitigations apply to critical infrastructure entities across sectors.

The authoring agencies also recommend software manufacturers incorporate secure by design principles and tactics into their software development practices to protect their customers against actors using compromised credentials, thereby strengthening the security posture of their customers.  For more information on secure by design, see CISA’s Secure by Design webpage and joint guide.

Validate Security Controls

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating organization security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Table 1 to Table 12).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Contact Information

Organizations are encouraged to report suspicious or criminal activity related to information in this advisory to:

• CISA via CISA’s 24/7 Operations Center [report@cisa.gov or 1-844-Say-CISA (1-844-729-2472)] or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
• For NSA cybersecurity guidance inquiries, contact CybersecurityReports@nsa.gov.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

Intrusion events connected to this Iranian group may also include a different set of cyber actors–likely the third-party actors who purchased access from the Iranian group via cybercriminal forums or other channels. As a result, some TTPs and IOCs noted in this advisory may be tied to these third-party actors, not the Iranian actors. The TTPs and IOCs are in the advisory to provide recipients the most complete picture of malicious activity that may be observed on compromised networks. However, exercise caution if formulating attribution assessments based solely on matching TTPs and IOCs.

Version History

October 2, 2024: Initial version.

Appendix A: MITRE ATT&CK Tactics and Techniques

See Tables 1–12 for all referenced actors’ tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 1: Reconnaissance

Technique Title	ID	Use
Gather Victim Identity Information	T1589	The actors likely gathered victim information.

Table 2: Resource Development

Technique Title	ID	Use
Obtain Capabilities: Tool	T1588.002	The actors obtained a password spray tool through an open-source repository.

Source: US Department of Homeland Security

Source: US Department of Homeland Security

Preamble

We, the Interior and Security Ministers of the G7, in the context of the G7 Coalition to Prevent and Counter the Smuggling of Migrants launched by our Governments at the G7 Apulia summit as part of an approach ‘to enhance border management and enforcement and curb transnational organized crime involved in migrant smuggling and trafficking in persons’, reiterate and confirm our determination to intensify our efforts to prevent, counter and eradicate organized crime groups engaged in migrant smuggling, also in its connection with trafficking in persons, and strip them of the proceeds generated by these heinous crimes while always providing protection and assistance to migrants and victims of trafficking in persons, particularly women and girls.

While the smuggling of migrants and trafficking in persons are different phenomena, they often interact and both endanger the lives of the most vulnerable, exposing them to dangerous journeys and to an increased risk of serious violence and exploitation, including, but not limited to, sexual and labour exploitation, forced begging, and forced criminality.

Although difficult to quantify in statistical terms due to its unlawful and hidden nature, the United Nations Office on Drugs and Crime (UNODC) estimates that the migrant smuggling trade generates about US$ 6.75 billion a year for criminal organizations in two of the principal migrant smuggling routes leading from East, North and West Africa to Europe and from South America to North America. The global figure is likely to be much higher. Migrant smuggling is a form of irregular migration which undermines the sovereign right of states to regulate and manage the entry of foreign nationals and control their borders, which impacts security and damage public confidence in our systems.

While migrant smuggling affects G7 countries in different ways, it is a global phenomenon and we affirm our collective commitment and shared responsibility to a whole-of-route, whole-of-society, integrated, comprehensive, inclusive, sustainable and balanced approach. We will, in partnership with one another and with civil society organisations, tackle the challenges irregular migration presents and seize the opportunities created by regular, controlled migration, in line with the Global Alliance to counter migrant smuggling launched by the EU, including its call to action.

Recalling our G7 Leaders’ Communique, in our shared efforts to counter organised crime involved in migrant smuggling, we reaffirm our commitment to protecting human rights and fundamental freedoms, regardless of their migratory status, and, in this regard, we also recall the right of everyone to seek asylum from persecution as set forth in the Universal Declaration of Human Rights, and the obligations of states parties related to international protection under the 1951 Refugees Convention and its 1967 Protocol. In this sense we also acknowledge the importance action carried by the UNHCR in protecting victims of trafficking in persons. Furthermore, we will seek to ensure compliance with our international obligations, including those under the United Nations Convention against Transnational Organised Crime.

Priorities of the Action Plan

Within this framework and shared approach, we have been instructed by our Leaders to develop the following “G7 Action Plan to Prevent and Counter the Smuggling of Migrants“, pursuing the following priorities:

• promote enhanced cooperation on investigative capacities, involving the relevant authorities in the countries of origin, transit and destination of irregular migratory flows as well as relevant international organisations;

• strengthen border management processes, while respecting the sovereign right of States to control their borders and their prerogatives to govern migration within their jurisdiction. This should be conducted in accordance with international law, in particular as regards to the applicable rights of migrants, and in compliance with the applicable non-refoulement obligations and the prohibition of torture and cruel, inhuman or degrading treatment;

• develop concrete collaborative actions to be taken in the global fight against transnational criminal organizations engaged in migrant smuggling and trafficking in persons;

• promote a productive and reliable exchange of information as well as effective cooperation activities between our law enforcement, immigration and border control agencies and those of Coalition partner countries, which are essential for joint law enforcement actions based on established evidence against migrant smuggling and human trafficking networks;

• engage with all facets of the international transportation system. Transportation companies – whether transport operators or supporting industries – play a critical role in preventing abuse of their service by migrant smugglers and traffickers in persons and in identifying potential victims of trafficking in persons. Engagement with aviation transport stakeholders – be it airlines or aviation authorities – is key to addressing the use of commercial means of transport to facilitate irregular migration, in line with the measures outlined in the EU’s ‘Toolbox addressing the use of commercial means of transport to facilitate irregular migration to the EU’;

• discourage migrants from embarking on irregular and potentially perilous journeys by informing them about the heightened risks associated with migrant smuggling including the risk of trafficking in persons and of return from the destination country, if there is no lawful right to remain as well as on the availability of legal migration pathways opportunities and alternative economic opportunities in their regions.

The Action Plan is divided into five pillars: (i) strengthening the operational and investigative capacities of law enforcement agencies; (ii) strengthening international, judicial and police cooperation; (iii) intensified cooperation with third countries of origin and transit of irregular migration flows; (iv) prevention and awareness raising; and (v) knowledge and monitoring of the phenomenon.

Development of the Action Plan

1. Strengthening the operational and investigative capacities of law enforcement agencies in the fight against organized criminal groups engaged in migrant smuggling and trafficking in persons by:

• creating in the G7 countries considering themselves affected by migrant smuggling, where not already existing, law enforcement units specialized in crimes and investigations in the field of migrant smuggling and trafficking in persons;

• creating or reinforcing, in the G7 countries considering themselves affected by migrant smuggling, a network of liaison officers from the relevant G7 countries (Police Liaison Officers, Internal Affairs and Justice Experts, etc.) in the countries of origin and transit of irregular migration flows;

• enhancing intelligence and information exchange as a crucial element for possible subsequent joint law enforcement actions, including in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT) and by using established channels (e.g. Interpol’s I-24/7, Europol’s SIENA) for this purpose;

• establishing and launching joint investigative actions by law enforcement officers from G7 countries considering themselves affected by the phenomenon, and also from third countries, where appropriate. These actions should be aimed at conducting investigations on targets of common interest and identifying “High Value Targets,” (i.e., organized transnational criminal groups, migrant smugglers and traffickers in persons) to be located for the purpose of capture, on which to focus the investigative attention and using INTERPOL and Europol capacities for centralised analysis;

• Working collaboratively with social media companies to monitor internet and social networks platforms, as appropriate, to prevent their use in enabling migrant smuggling and trafficking in persons including through collectively calling on social media companies to do more to respond to online content that advertises migrant smuggling services, taking into account the duty to comply with existing domestic and international legislation and to cooperate intra-industry, especially supporting smaller companies, and make effective use of new technology, such as Artificial Intelligence tools, to promptly remove online activity of smugglers promoting irregular migration and offering illicit transportation services to migrants.

• Encourage, where appropriate, trauma informed approaches to law enforcement interacting with survivors of migrant smuggling and victims of trafficking in persons.

 

2. Strengthening international cooperation between police, judicial and border officials to combat organized crime groups engaged in migrant smuggling and trafficking in persons;

• supporting key source and transit countries to fully implement their obligations under the UN Convention against Transnational Organised Crime (UNTOC) and its Protocols on the Smuggling of Migrants and Trafficking in Persons, working with the United Nations Office on Drugs and Crime (UNODC) as appropriate to assist those countries in the criminalization of smuggling of migrants;

• utilising existing multilateral forums and multilateral relations with international initiatives and stakeholders including the Roma-Lyon Group, the Venice Justice Group, the Financial Action Task Force, EU’s Global Alliance to Counter Migrant Smuggling, the International Criminal Police Organization (INTERPOL), the United Nations Office on Drugs and Crime (UNODC) and other United Nations bodies, and the European Union Agency for Law Enforcement Cooperation (Europol), through the European Multidisciplinary Platform Against Criminal Threats (EMPACT), and the European Border and Coast Guard Agency (Frontex) within their respective mandates, and regional initiatives such as Niamey, Rabat, Khartoum and Budapest Process – in order to improve the effectiveness of the implementation of this plan and avoid duplication considering available resources;

• using national-level and regional resources, Europol, and INTERPOL’s capabilities to support police, immigration and criminal intelligence cooperation and maximize the use of both national-level and multilateral databases and information exchange channels;

• develop and share good practice on disrupting the enablers of smuggling of migrants including work to degrade the supply and value chains. This should include sharing expertise on the seizure and confiscation of criminal proceeds or instrumentalities to maximise law enforcement efforts by taking a ‘follow the money’ approach. This would target the proceeds of organised crime groups engaged in migrant smuggling and trafficking in persons and would also strengthen cooperation to identify, trace, freeze, manage and potentially confiscate illegal profits from migrants smuggling. To this purpose, the G7 members should take full advantage of the the potential of the Financial Investigation Units’ network.

 

3.  Stronger cooperation with countries of origin and transit of irregular migration flows, where appropriate through:

• the development and implementation of cooperation initiatives for the support of transit and origin countries in managing the challenges associated with, and providing alternatives to, irregular migration;

• exploring equitable and mutually beneficial partnerships and bilateral or multilateral instruments with countries of origin, transit, and destination, aimed at cooperation in the field of combating smuggling of migrants, trafficking in persons and border security;

• collaborating, where appropriate, with international organizations to enhance multifunctional centres along key migration routes offering information and assistance to migrants and the facilitatation of the safe and orderly repatriation of those not entitled to remain in G7 countries;

• supporting host and transit countries along key migration routes in strengthening their capacities in the field of asylum and refugee protection;

• facilitating voluntary returns of migrants from transit and destination countries, fostering cooperation on enforced returns of persons with no right to stay, in full respect of human rights and the principle of non-refoulement, allowing for increased options for migrants and more effective management of migration flows;

• strengthening the management capacity of land and sea borders of the main countries of transit of irregular migration flows, identifying target countries and providing naval and land surveillance resources and assets or training;

• consideration of visa requirements for certain individuals with a nexus to migrant smuggling, where appropriate, and consistent with domestic and international obligations;

• working with the transportation industry and law enforcement of countries of transit to better identify potential migrant smuggling and cases of trafficking in persons and adjust responses based on emerging threats and knows risks;

• promoting the cooperation on international obligations to readmit own citizens who have no right to stay including under the Convention on International Civil Aviation of 7 December 1944, known as the Chicago Convention;

 

4. Prevention and awareness raising by:

• developing and promoting effective information and awareness raising campaigns in key countries of origin and transit, on the risks of irregular migration, smuggling of migrants and trafficking in persons. Campaigns may also signpost on available legal pathways, the effectiveness of migration policies and measures to repatriate migrants without authorization to remain in country, in cooperation with local authorities and international bodies (such as UNHCR, IOM and European External Action Service) present both in countries of origin and transit. This may be in collaboration with international organisations and civil society where appropriate.

• facilitate legal and safe migration alternatives, as set out in the G7 Apulia Leaders’ Communique which highlights regular pathways as a key part of comprehensive migration management strategies.

• Cooperation with social media companies, including through a roundtable event organised by G7 partners, for the active engagement to identify and counter online content which promotes and offers intermediation and irregular migration services.

 

5. Increasing knowledge and Monitoring of migrant smuggling

• Encourage the conducting of field studies, including in collaboration with the international organizations, civil society organizations and academia to monitor and anticipate developments and trends in irregular migration flows, at global level and with regional focus;

• sharing among the relevant authorities of the G7 countries of good practices, in the fight against migrant smuggling and trafficking in persons and all related offences and exploitation, in the protection of smuggled migrants and victims of trafficking in persons, as well as in maintaining border management;

• supporting and further developing collective mechanisms for the exchange and analysis of statistical data on irregular migration flows and related phenomena, in order for G7 countries to improve their ability to monitor, identify and respond to identified trends;

• encourage, in a manner consistent with applicable law, collection of gender and age disaggregated data, and dissemination of data on labor exploitation connected to trafficking in persons;

• monitoring and review of the state of implementation of this Action Plan, to be conducted within the Roma-Lyon Group with progress reporting to the RLG Heads of Delegation to take place at the bi-annual meetings.

Source: US Department of Homeland Security

Countering foreign interference: hybrid threats including foreign information manipulation and interference (FIMI)

Security in the cyberspace and virtual assets Security perspectives in the cyberspace and new frontiers of investigation into the Virtual assets

Illicit synthetic drugs From Methamphetamines to Fentanyl and beyond: a constantly evolving threat

Irregular Migration Preventing and Countering migrant smuggling and trafficking in persons: a common security challenge

Source: US Department of Homeland Security

Microsoft released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following and apply necessary updates:

Source: US Department of Homeland Security

Fact sheet provides information on actors’ techniques and recommended mitigations for individuals and organizations associated with national political campaigns

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) published a fact sheet today, How to Protect against Iranian Targeting of Accounts Associated with National Political Organizations. Actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) are using social engineering techniques across email and chat applications probably to stoke discord and undermine confidence in U.S. democratic institutions. This fact sheet provides recommended actions to protect against this malicious activity.

IRGC actors target and compromise the personal and business accounts of Americans, in particular. individuals associated with national political organizations. They also target individuals and organizations working or have worked on issues related to Iranian and Middle Eastern affairs.

CISA and the FBI recommend mitigations and best practices that will help organizations and individuals strengthen their security and resilience, including keeping applications and operating systems updated, training staff to only use official accounts for business, and implementing phishing-resistant multifactor authentication (MFA).  

“With FBI, CISA works to provide timely, actionable information that helps our partners reduce their risk from myriad threats,” said CISA Executive Assistant Director for Cybersecurity, Jeff Greene. “IRGC cyber actors pose an ongoing and escalating risk. We urge individuals and organizations associated with national political organizations or campaigns to review and implement actions in this joint fact sheet.”

The FBI and CISA continue to work closely to provide services and information to safeguard public and private sector and individuals.

For more information, please visit CISA’s Iran Cyber Threat and #Protect2024 webpages.

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram. 

Source: US Department of Homeland Security

WASHINGTON – On October 7, the U.S. Department of Homeland Security (DHS) held an awards ceremony hosted at DHS headquarters located at St. Elizabeths campus in Southeast Washington, D.C. where 350 employees received a Secretary’s Award in recognition of their outstanding contributions to the Department’s mission.

“Every single day, with great determination, integrity, and skill, the 268,000 men and women of the Department of Homeland Security ensure the safety and security of the American people,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Thanks to these extraordinary public servants, our shores, harbors, skies, cyberspace, and borders are protected; fentanyl and other deadly drugs are prevented from entering our country; communities are able to recover and rebuild after a natural disaster; the scourges of human trafficking, forced labor, and online exploitation are mitigated; and so much more. The individuals we recognize today with our Department’s highest honor, the Secretary’s Award, reflect the very best of DHS – and in their selfless dedication to mission, the very best of public service.”

The DHS Secretary’s Awards are an annual program that recognizes the extraordinary individual and collective achievements of the workforce. The 350 awardees recognized in today’s ceremony represent the Office of Civil Rights and Civil Liberties (CRCL), the Office of the General Counsel (OGC), U.S. Immigration and Customs Enforcement (ICE), and the United States Citizenship and Immigration Services (USCIS).

“In recognizing these outstanding DHS personnel with a Secretary’s Award, we recognize all our talented personnel; the achievements of one are not possible without the contributions of others,” added Secretary Mayorkas. “We also express our appreciation to their families and loved ones; when one serves, the family serves too.”

This year’s award recipients developed and issued policy and procedures associated with a whole-scale transition to a new pay system for TSA; launched a series of coordinated and collaborative initiatives, operations and investigations targeting Transnational Criminal Organizations (TCOs) and national security threats operating and transiting through the Darien Gap region; arrested over 8,000 human smugglers, produced over 5,000 intelligence reports, and seized over $38M USD in real property; ensured over 2,300 vital alerts and warnings were provided to owners and operators of critical infrastructure to protect against cyberattacks; among many other achievements.

This year, DHS is holding nine Secretary’s Awards ceremonies across the country, honoring over 1,700 employees, the most annual awardees ever.

Last year, Secretary Mayorkas unveiled 12 priorities for the Department, including a commitment to champion the workforce and transform the employee experience. DHS has the third largest workforce of any federal department, behind the Department of Defense and Department of Veterans Affairs. The Department is home to more than 92,000 sworn law enforcement officers, the greatest number of law enforcement officers of any department in the federal government. DHS has committed to increasing the representation of women in law enforcement or related occupations at DHS to 30% by 2030. Over 54,000 veterans, or nearly 21% of the workforce, continue serving their country by working at DHS.

DHS operational components interact more frequently on a daily basis with the American public than any other federal department, from travelers moving through air, land, and sea ports of entry, to businesses importing goods into the country, to immigrants applying for services. To learn more about the impact DHS makes every day, visit: DHS.gov/TodayDHSWill.

Last year, DHS improved the efficiency of processing noncitizens at the Southwest Border, deployed across the country to respond to natural disasters, investigated cybercrimes, created a new streamlined process for adjudicating asylum applications, safely and securely resettled nearly 90,000 evacuated Afghans in the United States, provided resources for organizations to enhance their cybersecurity resilience, established a process for Ukrainian nationals seeking refuge, secured the 2022 midterm elections, and demonstrated heroism by acting quickly and courageously to save lives in harrowing circumstances.

For the full list of awardees, visit 2024 Secretary’s Awards | Homeland Security (dhs.gov).  

Source: US Department of Homeland Security

During emergency events, the Department of Homeland Security (DHS) works with its federal, state, local, and non-governmental partners to support the needs of the people in the areas that may be impacted.

In such circumstances, U.S. Immigration and Customs Enforcement (ICE) and U.S. Customs and Border Protection (CBP) remind the public that sites that provide emergency response and relief are considered protected areas. To the fullest extent possible, ICE and CBP do not conduct immigration enforcement activities at protected areas such as along evacuation routes, sites used for sheltering or the distribution of emergency supplies, food or water, or registration sites for disaster-related assistance or the reunification of families and loved ones.

At the request of FEMA or local and state authorities, ICE and CBP may help conduct search and rescue, air traffic de-confliction and public safety missions. ICE and CBP provide emergency assistance to individuals regardless of their immigration status. DHS officials do not and will not pose as individuals providing emergency-related information as part of any enforcement activities.

DHS is committed to ensuring that every individual who seeks shelter, aid, or other assistance as a result of a natural disaster or emergency event is able to do so regardless of their immigration status.

DHS carries out its mission without discrimination on the basis of race, religion, gender, sexual orientation or gender identity, ethnicity, disability or political associations, and in compliance with law and policy.

For information about filing a complaint with the DHS Office for Civil Rights and Civil Liberties about these matters, please visit our Make a Civil Rights Complaint page.

Source: US Department of Homeland Security

Secretary of Homeland Security Alejandro N. Mayorkas issued the following statement marking one year since the October 7, 2023 terrorist attacks on Israel.

“One year ago today, brutal Hamas terrorists attacked innocent people in Israel, massacring more than 1,200 innocent men, women, and children of all ages, committing gruesome acts of sexual violence, gravely wounding others, and abducting more than 250 hostages. In the days, weeks, and months since, Hamas has killed hostages and Israel has rescued others. To this day, innocent people remain captive in the cruel hands of Hamas.

“The terrorist attacks of October 7, 2023 wreaked the deadliest day for the Jewish people since the Holocaust. Today especially, one year later, we mourn the lives lost and pray for those carrying wounds, including those innocent Palestinians who have suffered as a result of Hamas’s terrorism. We express our enduring resolve to rescue the remaining hostages.

“In the Department of Homeland Security, we work tirelessly to combat the hate that has only become more pronounced since the October 7 terrorist attacks. We combat the rise in antisemitism, Islamophobia, and all forms of hate by engaging with communities across our country, providing tools to enhance the safety of worshippers of all faiths, and distributing grant funds that Congress has provided at an unprecedented level to help religious institutions and other nonprofit organizations keep their communities secure.

“On this day, we commemorate the victims of the October 7, 2023 terrorist attacks. May the memory of the lives lost continue to be a blessing. We pray for the release of the hostages. We redouble our efforts to combat hate, and we pray for peace.”

Source: US Department of Homeland Security

WASHINGTON – On October 1, 2024, the Department of Homeland Security (DHS) and the Polish Ministry of Digital Affairs (MDA) signed a Memorandum of Understanding (MOU) to deepen collaboration in cybersecurity and emerging technology. This arrangement strengthens the already close partnership by providing a framework for future policy and operational cooperation. It also demonstrates the shared commitment between the two sides towards the broader transatlantic security alliance in addressing global challenges such as cybersecurity and artificial intelligence, particularly as Russia continues its unprovoked and unjustified invasion of Ukraine.

The MOU specifically calls for increased exchanges in areas including cyber policy and strategy; Secure by Design work; information sharing; incident response; human capital development; and emerging technology. The MOU highlights an explicit intent for future work related to the development of safe and secure artificial intelligence as well as Internet of Things technologies.

“This arrangement lays the groundwork to strengthen and continue building our collaboration, helping DHS and MDA tackle shared responsibilities and achieve our security goals,” said Under Secretary for Policy Robert Silvers. “Through our strong public-private partnerships, DHS is the key link domestically for cybersecurity and critical infrastructure, and we’re increasingly becoming that link for global partners facing similar threats. I am proud to sign this MOU with such a valued partner as Poland.”

The signing comes in the midst of the White House’s Fourth Counter Ransomware Initiative Summit. There, the United States and Poland – along with representatives from nearly 70 other countries and international organizations – committed to continuing to fight the global rise in ransomware incidents. DHS and MDA also enter this arrangement ahead of Poland assuming the rotating presidency of the Council of the European Union in January 2025, where the stated priorities include strengthening relations with the United States, as well as ensuring European information security. 

“Poland has long championed solidarity in civil society, but effectively doing so requires ensuring societal safety and security, especially in cyberspace. With this in mind, as we consider the range of threats and potentially disruptive consequences of emerging technologies in the modern world, we believe it is crucial to partner with our closest security partners,” said MDA Under Secretary of State Rafał Rosiński, signatory for Poland.

Various DHS entities, including the Cybersecurity and Infrastructure Security Agency (CISA), the Office of Strategy, Policy, and Plans, and the Science and Technology Directorate, will advance cybersecurity and emerging technology cooperation. Poland’s MDA will similarly coordinate implementation including via its National Research Institute (NASK).