Today, CISA, the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and international partners released Understanding Ransomware Threat Actors: LockBit, a joint Cybersecurity Advisory (CSA) to help organizations understand and defend against threat actors using LockBit, the most globally used and prolific Ransomware-as-a-Service (RaaS) in 2022 and 2023. This guide is a comprehensive resource detailing the observed common vulnerabilities and exposures (CVEs) exploited, as well as the tools, and tactics, techniques, and procedures (TTPs) used by LockBit affiliates. Additionally, it includes recommended mitigations to help reduce the likelihood and impact of future ransomware incidents.

In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. The LockBit Ransomware-as-a-Service (RaaS) attracts affiliates to use LockBit for conducting ransomware attacks, resulting in a large web of unconnected threat actors conducting wildly varying attacks. Affiliates have attacked organizations of various sizes across an array of critical infrastructure sectors including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit has been successful through its innovation and continual development of the group’s administrative panel (i.e., a simplified, point-and-click interface making ransomware deployment accessible to those with lower degrees of technical skill), affiliate supporting functions, and constant revision of TTPs.
 
CISA and the authoring agencies of this joint CSA encourage the implementation of recommendations provided to proactively improve their organization’s defenses against this global ransomware operation, and to reduce the likelihood and impact of future ransomware incidents.

Adobe has released security updates to address multiple vulnerabilities in Adobe software. An attacker can exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.

• Experience Manager APSB23-31
• Commerce APSB23-35
• Animate APSB23-36
• Substance 3D Designer APSB23-39

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2023-27997 Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Cisco has released security advisories for vulnerabilities affecting multiple Cisco products. A remote cyber threat actor could exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following advisories and apply the necessary updates:

• Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows Privilege Escalation Vulnerability cisco-sa-ac-csc-privesc-wx4U4Kw
• Cisco Expressway Series and Cisco TelePresence Video Communication Server Privilege Escalation Vulnerabilities cisco-sa-expressway-priv-esc-Ls2B9t7b
• Cisco Unified Communications Manager IM & Presence Service Denial of Service Vulnerability cisco-sa-cucm-imp-dos-49GL7rzT
• Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software for Firepower 2100 Series Appliances SSL/TLS Denial of Service Vulnerability cisco-sa-asaftd-ssl-dos-uu7mV5p6
• Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows Privilege Escalation Vulnerability cisco-sa-ac-csc-privesc-wx4U4Kw
• Cisco Small Business 200, 300, and 500 Series Switches Web-Based Management Stored Cross-Site Scripting Vulnerability cisco-sa-smb-sxss-OPYJZUmE
• Cisco Unified Communications Manager Denial of Service Vulnerability cisco-sa-cucm-dos-4Ag3yWbD
• Cisco Secure Workload Authenticated OpenAPI Privilege Escalation Vulnerability cisco-sa-csw-auth-openapi-kTndjdNX

For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

Fortinet has released security updates to address a heap-based buffer overflow vulnerability CVE-2023-27997 in FortiOS and FortiProxy. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review Fortinet security advisory FG-IR-23-097 and apply the necessary updates.