Original release date: July 21, 2021

As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed 13 malware samples related to exploited Pulse Secure devices. CISA encourages users and administrators to review the following 13 malware analysis reports (MARs) for threat actor techniques, tactics, and procedures (TTPs) and indicators of compromise (IOCs) and to review CISA’s Alert Exploitation of Pulse Connect Secure Vulnerabilities for more information. 

MARS:

• MAR-10333209-1.v1: Pulse Connect Secure
• MAR-10333243-1.v1: Pulse Connect Secure
• MAR-10334057-1.v1: Pulse Connect Secure
• MAR-10334057-2.v1: Pulse Connect Secure
• MAR-10334587-1.v1: Pulse Connect Secure
• MAR-10334587-2.v1: Pulse Connect Secure
• MAR-10335467-1.v1: Pulse Connect Secure
• MAR-10336161-1.v1: Pulse Connect Secure
• MAR-10336935-1.v1: Pulse Connect Secure
• MAR-10337580-1.v1: Pulse Connect Secure
• MAR-10337580-2.v1: Pulse Connect Secure
• MAR-10338401-1.v1: Pulse Connect Secure
• MAR-10338868-1.v1: Pulse Connect Secure

Original release date: July 20, 2021

Citrix has released security updates to address multiple vulnerabilities in Application Delivery Controller, Gateway, and SD-WAN WANOP Edition. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Citrix Security Update CTX319135 and apply the necessary updates.

Original release date: July 20, 2021

Protecting our Nation’s critical infrastructure is the responsibility of federal and state, local, tribal, and territorial (SLTT) governments and owners and operators of that infrastructure. The cybersecurity threats posed to the industrial control systems (ICS) that control and operate critical infrastructure are among the most significant and growing issues confronting our Nation.

To raise awareness of the risks to—and improve the cyber protection of—critical infrastructure, CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory as well as updates to five alerts and advisories. These alerts and advisories contain information on historical cyber-intrusion campaigns that have targeted ICS:

• Joint CISA-FBI Cybersecurity Advisory (CSA): AA21-201A: Gas Pipeline Intrusion Campaign, 2011-2013 Note: CISA released the initial version of this publication to affected stakeholders in 2012.
• ICS Joint Security Awareness Report: JSAR-12-241-01B: Shamoon/DistTrack Malware (Update B)
• ICS Advisory: ICSA-14-178-01: ICS Focused Malware – Havex
• ICS Alert: ICS-ALERT-14-281-01E: Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)
• ICS Alert: IR-ALERT-H-16-056-01: Cyber-Attack Against Ukrainian Critical Infrastructure
• Technical Alert: TA17-163A: CrashOverride Malware

CISA urges critical infrastructure owners and operators to review the publications listed above and apply the mitigations in Joint CISA-FBI CSA AA21-201A: Gas Pipeline Intrusion Campaign, 2011-2013. CISA also encourages owners and operators to review AR-17-20045: Enhanced Analysis of Malicious Cyber Activity. These products contain threat actor tactics, techniques, and procedures (TTPs); technical indicators; and forensic analysis that critical infrastructure owners and operators can use to reduce their organizations’ exposure to cyber threats. Note: although these publications detail historical activity, the TTPs remain relevant to help network defenders protect against intrusions.

CISA encourages critical infrastructure owners and operators to report cyber incidents to CISA. Note: for information on the U.S. Department of State’s reward program for identifying persons who participate in the malicious cyber activities against U.S. critical infrastructure, see the U.S. Department of State press release.

Original release date: July 19, 2021

CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed increasingly sophisticated Chinese state-sponsored activity targeting U.S. political, economic, military, educational, and critical infrastructure personnel and organizations. In response:

• The White House has released a statement attributing recent Microsoft Exchange server exploitation activity to the People’s Republic of China (PRC).
• The Department of Justice has indicted four Chinese cyber actors from the advanced persistent threat (APT) group APT40 for malicious cyber activities, carried out on orders from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD). These activities resulted in the theft of trade secrets, intellectual property, and other high-value information from companies and organizations in the United States and abroad, as well as from multiple foreign governments.
• CISA and FBI have released Joint Cybersecurity Advisory: TTPs of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department to help network defenders identify and remediate APT40 intrusions and established footholds.
• CISA, NSA and FBI have released Joint Cybersecurity Advisory: Chinese Observed TTPs, which describes Chinese cyber threat behavior and trends and provides mitigations to help protect the Federal Government; state, local, tribal, and territorial governments; critical infrastructure, defense industrial base, and private industry organizations.
• CISA, NSA and FBI have released CISA Insights: Chinese Cyber Threat Overview for Leaders to help leaders understand this threat and how to reduce their organization’s risk of falling victim to cyber espionage and data theft.

CISA also encourages users and administrators to review the blog post, Safeguarding Critical Infrastructure against Threats from the People’s Republic of China, by CISA Executive Assistant Director Eric Goldstein and the China Cyber Threat Overview and Advisories webpage.