Cybersecurity Government Intelligence Reports / en Sun, 15 Jun 2025 00:45:26 -0500 Wed, 28 May 25 08:19:54 -0500 TLP White: NSA | APT5: Citrix ADC Threat Hunting Guidance - December 2022 /cybersecurity-government-intelligence-reports/2022-12-13-tlp-white-nsa-apt5-citrix-adc-threat-hunting-guidance-december-2022 <h2>Executive summary</h2><p>APT5 has demonstrated capabilities against Citrix® Application Delivery Controller™ (ADC™) deployments (“Citrix ADCs”). Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls. As such, NSA, in collaboration with partners, has developed this threat hunting guidance to provide steps organizations can take to look for possible artifacts of this type of activity. Please note that this guidance does not represent all techniques, tactics, or procedures (TTPs) the actors may use when targeting these environments. This activity has been attributed to APT5, also known as UNC2630 and MANGANESE.</p><h2>Introduction</h2><p>NSA recommends organizations hosting Citrix ADC environments take the following steps as part of their investigation. Treat these detection mechanisms as independent ways of identifying potentially malicious activity on impacted systems. Artifacts may vary based on the environment and the stage of that activity. As such, NSA recommends investigating any positive result even if other detections return no findings.</p> Tue, 13 Dec 2022 11:06:06 -0600 Cybersecurity Government Intelligence Reports Joint Cybersecurity Information TLP Clear: AI Data Security – May 2025 <h2>Executive summary</h2><p>This Cybersecurity Information Sheet (CSI) provides essential guidance on securing data used in artificial intelligence (AI) and machine learning (ML) systems. 
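Worked illustration of the data-integrity controls this CSI summary goes on to name (provenance tracking, digital signatures, detection of poisoned records and of data drift). This is an added example, not code from the CSI: records are hashed into a signed manifest, a later verification pass catches a silently modified record, and a baseline statistic recorded in the manifest is used to score drift in a new batch. HMAC-SHA256 stands in for the asymmetric signature you would use in production, and the dataset, key and feature name are constructed for the demonstration.

```python
"""Added example (not from the CSI): manifest-based integrity, provenance and
drift checks for a training dataset. HMAC-SHA256 is a stand-in for a real
digital signature (e.g. Ed25519); with a MAC, anyone who can verify can also
forge, so use an asymmetric scheme when verifiers are not trusted signers.
"""
import hashlib
import hmac
import json
import statistics


def record_digest(record: dict) -> str:
    # Canonical JSON so key order cannot change the hash.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(records: list, feature: str, source: str) -> dict:
    values = [r[feature] for r in records]
    return {
        "source": source,  # provenance: where the data came from
        "count": len(records),
        "digests": [record_digest(r) for r in records],
        "baseline": {"feature": feature,
                     "mean": statistics.fmean(values),
                     "stdev": statistics.pstdev(values)},
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_dataset(records: list, manifest: dict, tag: str, key: bytes) -> list:
    """Return a list of findings; an empty list means the data matches the manifest."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        # If the manifest itself is not authentic, none of its digests can be trusted.
        return ["manifest authentication failed; do not trust its digests"]
    findings = []
    if len(records) != manifest["count"]:
        findings.append(f"record count {len(records)} != manifest {manifest['count']}")
    for i, (record, expected) in enumerate(zip(records, manifest["digests"])):
        if record_digest(record) != expected:
            findings.append(f"record {i} modified since manifest was signed")
    return findings


def drift_score(batch: list, manifest: dict) -> float:
    """How many baseline standard deviations the batch mean has moved."""
    b = manifest["baseline"]
    values = [r[b["feature"]] for r in batch]
    return abs(statistics.fmean(values) - b["mean"]) / b["stdev"]


# --- constructed sample data and key (not from the CSI) ---
KEY = b"demo-manifest-key"
TRAIN = [{"id": i, "label": "benign", "score": 10 + i} for i in range(10)]
MANIFEST = build_manifest(TRAIN, "score", "internal-feed-v1")
TAG = sign_manifest(MANIFEST, KEY)


def demo_poisoned() -> list:
    """One flipped label in an otherwise identical copy of the training set."""
    poisoned = [dict(r) for r in TRAIN]
    poisoned[3]["label"] = "malicious"
    return verify_dataset(poisoned, MANIFEST, TAG, KEY)


def demo_drifted() -> float:
    """A later batch whose feature distribution has shifted well away from baseline."""
    later = [{"id": i, "label": "benign", "score": 40 + i} for i in range(10)]
    return drift_score(later, MANIFEST)


if __name__ == "__main__":
    print(verify_dataset(TRAIN, MANIFEST, TAG, KEY))  # [] : clean
    print(demo_poisoned())                            # record 3 flagged
    print(round(demo_drifted(), 2))                   # large z-score, retrain review
```

The manifest, not the raw data, is what gets signed, so a verifier needs only the manifest and its tag to re-check any record later; the drift score is deliberately simple (one feature, one statistic) and is the place to substitute a proper distribution test for real pipelines.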
It also highlights the importance of data security in ensuring the accuracy and integrity of AI outcomes and outlines potential risks arising from data integrity issues in various stages of AI development and deployment.</p><p>This CSI provides a brief overview of the AI system lifecycle and general best practices to secure data used during the development, testing, and operation of AI-based systems. These best practices include the incorporation of techniques such as data encryption, digital signatures, data provenance tracking, secure storage, and trust infrastructure. This CSI also provides an in-depth examination of three significant areas of data security risks in AI systems: data supply chain, maliciously modified (“poisoned”) data, and data drift. Each section provides a detailed description of the risks and the corresponding best practices to mitigate those risks.</p><p>View the detailed report below.</p> Wed, 28 May 2025 08:19:54 -0500 Cybersecurity Government Intelligence Reports 2024 FBI Internet Crime Report /cybersecurity-government-intelligence-reports/2025-05-12-2024-fbi-internet-crime-report <p>Dear Reader:<br>This year marks the 25th anniversary of the FBI’s Internet Crime Complaint Center, or IC3. Originally intended to serve the law enforcement community, IC3 has evolved to become the primary destination for the public to report cyber-enabled crime and fraud as well as a key source for information on scams and cyber threats. Since its founding, IC3 has received over 9 million complaints of malicious activity. During its infancy, IC3 received roughly 2,000 complaints every month. For the past five years, IC3 has averaged more than 2,000 complaints every day.</p><p>As nearly all aspects of our lives have become digitally connected, the attack surface for cyber actors has grown exponentially. Scammers are increasingly using the Internet to steal Americans’ hard-earned savings. 
And with today’s technology, it can take mere taps on a keyboard to hijack networks, cripple water systems, or even rob virtual exchanges. Cryptocurrency has become an enticing means to cheat investors, launder proceeds, and engage in other illicit schemes.</p><p>Last year saw a new record for losses reported to IC3, totaling a staggering $16.6 billion. Fraud represented the bulk of reported losses in 2024, and ransomware was again the most pervasive threat to critical infrastructure, with complaints rising 9% from 2023. As a group, those over the age of 60 suffered the most losses and submitted the most complaints.</p><p>These rising losses are even more concerning because last year, the FBI took significant actions to make it harder, and more costly, for malicious actors to succeed. We dealt a serious blow to LockBit, one of the world’s most active ransomware groups. Since 2022, we have offered up thousands of decryption keys to victims of ransomware, avoiding over $800 million in payments.</p><p>Also in 2024, we worked proactively to prevent losses and minimize victim harm through private sector collaboration and initiatives like Operation Level Up. We disbanded fraud and laundering syndicates, shut down scam call centers, shuttered illicit marketplaces, dissolved nefarious “botnets,” and put hundreds of other actors behind bars. Our partnerships across the intelligence, law enforcement, and private sector communities have never been stronger.</p><p>The criminals Americans face today may look different than in years past, but they still want the same thing: to harm Americans for their own benefit. This brings me back to IC3’s quarter-century milestone. While the top threats facing our country have certainly shifted over the decades, protecting American citizens—whether that means your safety, your money, or your data—remains a cornerstone of the FBI’s mission.</p><p>And in the fight against increasingly savvy criminals, the FBI also relies on you. 
Without the information you report to us through IC3 or your local FBI Field Office, we simply cannot piece together the puzzle of this ever-shifting threat landscape. If ever you suspect you’re a victim of cyber-enabled crime, do not hesitate to let us know. We want to be there for you, and what you report will help us help others.</p><p>/s/</p><p>B. Chad Yarbrough<br>Operations Director for Criminal and Cyber<br>Federal Bureau of Investigation</p><p>View the detailed report below.</p> Mon, 12 May 2025 13:09:52 -0500 Cybersecurity Government Intelligence Reports CISA JCDC TLP Green Mitigating Vidar Exploitation of Chrome’s Remote Debugger <div class="container row"><div class="row"><div class="col-md-8"><p>The following guidance was developed by the Joint Cyber Defense Collaborative (JCDC) in coordination with the Joint Ransomware Task Force (JRTF) in support of operational collaboration and greater cyber defense efforts.</p><p>The goal of this guidance is to highlight mitigations that can be implemented to better defend against Vidar Infostealer, which is known to abuse Google Chrome’s remote debugging capabilities to steal credentials by bypassing current defenses (including app-bound encryption).</p><p>View details below.</p></div><div class="col-md-4"><div><p><strong>For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:</strong></p><h3><a href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf">John Riggi</a></h3><h4>National Advisor for Cybersecurity and Risk, AHA</h4><h4><a href="mailto:jriggi@aha.org?subject=Cybersecurity and Risk Advisory Services Query">jriggi@aha.org</a></h4><h4>(O) <a href="tel:1-202-626-2272">+1 202 626 2272</a></h4><div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf" target="_blank">More on John Riggi</a></div><div class="external-link 
spacer"><a class="btn btn-wide btn-primary" href="/guidesreports/2018-06-15-cybersecurity-and-risk-advisory-services" target="_blank">Learn more about AHA's Cybersecurity and Risk Advisory Services</a></div></div></div></div></div> Thu, 06 Mar 2025 11:24:58 -0600 Cybersecurity Government Intelligence Reports FBI Flash Report TLP Amber Consistent and Varied Targeting of FBI Public-Facing Networks between 1 July 2024 and 30 September 2024 <p><em>Please contact the FBI with any questions related to this FBI Liaison Alert System (FLASH) via your local Cyber Squad. www.fbi.gov/contact-us/field-offices</em></p><h2> Summary </h2><p>The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate indicators of compromise (IOCs) associated with malicious cyber activities targeting the FBI’s computer network between 1 July 2024 and 30 September 2024. During this time frame, the FBI observed a variety of tactics employed by cyber actors, including: reconnaissance, attempted resource development, initial access attempts, and attempted web application attacks. FBI continued to observe the use of Virtual Private Networks (VPNs) or proxies in additional malicious cyber activities targeting FBI’s computer network, with the overwhelming majority resolving to Germany, United States, or India. This information is being provided for general awareness, and the indicators in this report provide actionable information that may be used by recipients for network defense. Some of the IP addresses outlined below are several months old. 
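The vetting step the FLASH recommends before blocking can be made mechanical. The following is an added example, not the FBI's own tooling or indicators: each IP indicator carries the date it was last seen, stale indicators are routed to retrospective hunting rather than blocking, and anything inside an assumed local allow-list (partner or own address space) or that is obviously a bogon is held for manual review. The addresses, dates, allow-list and 90-day window are constructed assumptions.

```python
"""Added example (not from the FBI FLASH): triage IP indicators into
'block', 'hunt' (too old to block, search historical logs) or 'review'
(needs a human before any action). Documentation prefixes are used as
constructed sample data; they are not the FLASH's indicators.
"""
import ipaddress
from datetime import date

# Assumed local allow-list of ranges that must never be auto-blocked.
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]
MAX_AGE_DAYS = 90  # assumed blocking window; tune to your own retention


def vet_indicator(ip_text: str, last_seen: date, today: date) -> tuple:
    """Return (action, reason) for one indicator."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ("review", f"{ip_text!r} is not a valid IP address")
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        return ("review", "bogon address; likely a transcription error in the feed")
    if any(ip in net for net in ALLOWLIST):
        return ("review", "inside allow-listed range; blocking would cause an outage")
    age = (today - last_seen).days
    if age > MAX_AGE_DAYS:
        return ("hunt", f"last seen {age} days ago; search historical logs, do not block")
    return ("block", f"seen {age} days ago; within blocking window")


def triage(indicators, today: date) -> dict:
    """indicators: iterable of (ip, last_seen). Returns action -> [(ip, reason)]."""
    out = {"block": [], "hunt": [], "review": []}
    for ip_text, last_seen in indicators:
        action, reason = vet_indicator(ip_text, last_seen, today)
        out[action].append((ip_text, reason))
    return out


# Constructed indicators (documentation ranges), with made-up last-seen dates.
SAMPLE = [
    ("203.0.113.7", date(2024, 9, 28)),
    ("203.0.113.9", date(2024, 7, 2)),
    ("198.51.100.20", date(2024, 9, 1)),
    ("127.0.0.1", date(2024, 9, 1)),
    ("not-an-ip", date(2024, 9, 1)),
]
TODAY = date(2024, 10, 15)  # fixed reference date so the results are reproducible


def demo() -> dict:
    return triage(SAMPLE, TODAY)


if __name__ == "__main__":
    for action, items in demo().items():
        for ip, reason in items:
            print(f"{action:6} {ip:15} {reason}")
```

The "hunt" bucket is the important one: an indicator that is months old is still worth a retrospective search of proxy, VPN and web logs, it just should not become a permanent firewall rule on its own.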
FBI recommends vetting these IP addresses prior to taking forward-looking action, such as blocking.</p><p>View the detailed report below.</p> Thu, 20 Feb 2025 10:34:23 -0600 Cybersecurity Government Intelligence Reports TLP Clear Joint FBI and DHS CISA Report: Product Security Bad Practices – Version 2 <div class="container row"><div class="row"><div class="col-md-8"><p>As outlined in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure by Design initiative, software manufacturers should ensure that security is a core consideration from the onset of software development and throughout the entirety of the development lifecycle. This voluntary guidance provides an overview of product security bad practices that are considered exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs). This guidance also provides recommendations for software manufacturers to mitigate these risks.</p></div></div></div> Fri, 
17 Jan 2025 10:30:09 -0600 Cybersecurity Government Intelligence Reports HC3: Monthly Cybersecurity Vulnerability Bulletin – January 16, 2025 /cybersecurity-government-intelligence-reports/2025-01-17-hc3-monthly-cybersecurity-vulnerability-bulletin-january-16-2025 <div class="container row"><div class="row"><div class="col-md-8"><h2>December Vulnerabilities of Interest to the Health Sector</h2><p>In December 2024, vulnerabilities affecting the health sector were released that require attention. This includes the monthly Patch Tuesday vulnerabilities released by several vendors on the second Tuesday of each month, along with mitigation steps and patches. Vulnerabilities for December are from Microsoft, Google/Android, Apple, Mozilla, Cisco, SAP, Adobe, Fortinet, Ivanti, VMware and Atlassian. A vulnerability is classified as a zero-day when it is actively exploited, or publicly disclosed, before a fix is available. HC3 recommends patching all vulnerabilities, with special consideration for the risk management posture of the organization.</p></div></div></div> Fri, 17 Jan 2025 09:03:36 -0600 Cybersecurity Government Intelligence Reports HC3: Analyst Note TLP Clear Securing Telehealth: Challenges and Solutions – January 8, 2025 /cybersecurity-government-intelligence-reports/2025-01-08-hc3-analyst-note-tlp-clear-securing-telehealth-challenges-and <div class="container row"><div class="row"><div class="col-md-8"><h2>Executive Summary</h2><p>Telehealth leverages telecommunications and information technology to bridge the gap between healthcare providers and patients physically separated by distance. It encompasses a wide range of services, including health assessment, diagnosis, intervention, consultation, supervision, and information exchange. As telehealth evolves, its applications extend beyond traditional clinical settings, reaching patients in the comfort of their homes through virtual consultations and remote monitoring, but it also brings with it a new set of challenges, particularly in the field of cybersecurity. The integration of technology into healthcare services introduces vulnerabilities that malicious actors may exploit, and cyberattacks in the healthcare sector can lead to significant consequences. Understanding the associated cybersecurity risks is crucial for developing strategies to safeguard patient data, maintain privacy, and ensure the integrity of telehealth systems. As telehealth grows in importance, robust security measures become essential.</p><h2>Report</h2><p>Telehealth offers numerous benefits. Its convenience allows patients to receive medical consultations and treatments from the comfort of their homes, eliminating the need for travel and reducing wait times. Telehealth also enhances accessibility, especially for individuals in rural or underserved areas who might otherwise struggle to access healthcare services. 
It is also cost-effective, reducing healthcare expenses by minimizing the need for physical infrastructure and enabling efficient resource utilization, ultimately leading to lower costs for patients and providers.</p><p>View the detailed Analyst Note below.</p></div></div></div> Wed, 08 Jan 2025 14:21:06 -0600 Cybersecurity Government Intelligence Reports FBI PIN Notification: HiatusRAT Actors Targeting Web Cameras and DVRs /fbi-pin-notification-hiatusrat-actors-targeting-web-cameras-and-dvrs <h2>Summary</h2><p>The Federal Bureau of Investigation (FBI) is releasing this Private Industry Notification (PIN) to highlight HiatusRAT<sup>1</sup> scanning campaigns against Chinese-branded web cameras and DVRs. Private sector partners are encouraged to implement the recommendations listed in the “Mitigation” column of the table below to reduce the likelihood and impact of these attack campaigns.</p><h2>Threat</h2><p>HiatusRAT is a Remote Access Trojan (RAT) whose latest iteration has likely been employed since July 2022. 
Malicious cyber actors commonly use RATs to take over and control a targeted device from a distance. The Hiatus campaign originally targeted outdated network edge devices. Cybersecurity companies have also observed these actors using the malware to target a range of Taiwan-based organizations and to carry out reconnaissance against a US government server used for submitting and retrieving defense contract proposals.<sup>2</sup></p><p>In March 2024, HiatusRAT actors conducted a scanning campaign targeting Internet of Things (IoT) devices in the US, Australia, Canada, New Zealand, and the United Kingdom. The actors scanned web cameras and DVRs for vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260, and weak vendor-supplied passwords. Many of these vulnerabilities have not yet been mitigated by the vendors. In particular, the actors targeted Xiongmai and Hikvision devices with telnet access. They used Ingram—a webcam-scanning tool available on Github—to conduct scanning activity. And they used Medusa—an open-source brute-force authentication cracking tool—to target Hikvision cameras with telnet access. 
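The two behaviours the PIN describes, scanning across the campaign's port set and Medusa-style brute forcing of telnet, both show up as simple patterns in firewall or flow logs. The following detector is an added example, not tooling from the FBI PIN: it parses constructed connection records, flags a source that probes several of the TCP ports the PIN lists (given in the sentence that follows), and flags a source that hammers one telnet service many times inside a short window. The thresholds, window, log format and addresses are assumptions for the demonstration.

```python
"""Added example (not from the FBI PIN): flag port sweeps over the PIN's
campaign port set and telnet brute-force bursts in connection logs.
Log format, thresholds and sample addresses are constructed assumptions.
"""
from collections import defaultdict

# TCP ports the PIN reports being targeted.
CAMPAIGN_PORTS = {23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575}
TELNET_PORTS = {23, 2323}
SWEEP_MIN_PORTS = 3        # distinct campaign ports from one source
BRUTE_MIN_ATTEMPTS = 20    # attempts to one dst:port ...
BRUTE_WINDOW_SECS = 300    # ... within this many seconds


def parse_line(line: str) -> dict:
    """Parse a constructed 'ts=<epoch> src=<ip> dst=<ip> dport=<port>' record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"ts": int(fields["ts"]), "src": fields["src"],
            "dst": fields["dst"], "dport": int(fields["dport"])}


def detect(lines) -> list:
    """Return findings as (kind, source, detail) tuples."""
    events = [parse_line(line) for line in lines if line.strip()]
    findings = []

    # Port sweep: one source touching several campaign ports, any destinations.
    ports_by_src = defaultdict(set)
    for e in events:
        if e["dport"] in CAMPAIGN_PORTS:
            ports_by_src[e["src"]].add(e["dport"])
    for src, ports in ports_by_src.items():
        if len(ports) >= SWEEP_MIN_PORTS:
            findings.append(("port_sweep", src, sorted(ports)))

    # Telnet brute force: many attempts from one source to one dst:port in a window.
    attempts = defaultdict(list)
    for e in events:
        if e["dport"] in TELNET_PORTS:
            attempts[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    for (src, dst, port), times in attempts.items():
        times.sort()
        start = 0  # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > BRUTE_WINDOW_SECS:
                start += 1
            if end - start + 1 >= BRUTE_MIN_ATTEMPTS:
                findings.append(("telnet_bruteforce", src, f"{dst}:{port}"))
                break
    return findings


# Constructed sample log: one sweeper, one brute forcer, one slow/benign source.
SAMPLE_LOG = (
    [f"ts={1000 + i * 2} src=203.0.113.5 dst=192.0.2.10 dport={p}"
     for i, p in enumerate([23, 554, 8080, 9530, 443])]
    + [f"ts={2000 + i * 5} src=203.0.113.6 dst=192.0.2.11 dport=23" for i in range(25)]
    + [f"ts={3000 + i * 60} src=203.0.113.7 dst=192.0.2.12 dport=23" for i in range(10)]
)


def demo() -> list:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, src, detail in demo():
        print(kind, src, detail)
```

The sweep rule keys on the campaign port set rather than on any single port, so ordinary traffic to 8080 alone does not trigger it; the brute-force rule counts attempts per destination service, which is what distinguishes a credential-guessing run against one camera from a slow crawl across many devices. Both are starting points for tuning, not production thresholds.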
Targeted TCP ports have included: 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575.</p><p>View the detailed notification below.</p><p>__________<br><small class="sm"><sup>1</sup> (U) Previous HiatusRAT campaigns have targeted edge routers to passively collect traffic and function as a covert network of command-and-control (C2) infrastructure.</small><br><small class="sm"><sup>2</sup> https://blog.lumen.com/hiatusrat-take-little-time-off-in-a-return-to-action/</small></p><p> </p> Mon, 16 Dec 2024 08:31:06 -0600 Cybersecurity Government Intelligence Reports FBI CYBER Report TLP Clear: Enhanced Visibility and Hardening Guidance for Communications Infrastructure /cybersecurity-government-intelligence-reports/2024-12-03-fbi-cyber-report-tlp-clear-enhanced-visibility-and-hardening-guidance <h2>Introduction</h2><p>The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC), Canadian Cyber Security Centre (CCCS), and New Zealand’s National Cyber Security Centre (NCSC-NZ) warn that People’s Republic of China (PRC)-affiliated threat actors compromised networks of major global telecommunications providers to conduct a <a href="https://www.cisa.gov/news-events/news/joint-statement-fbi-and-cisa-peoples-republic-china-prc-targeting-commercial-telecommunications" target="_blank">broad and significant cyber espionage campaign</a>. The authoring agencies are releasing this guide to highlight this threat and provide network engineers and defenders of communications infrastructure with best practices to strengthen their visibility and harden their network devices against successful exploitation carried out by PRC-affiliated and other malicious cyber actors. Although tailored to network defenders and engineers of communications infrastructure, this guide may also apply to organizations with on-premises enterprise equipment. 
The authoring agencies encourage telecommunications and other critical infrastructure organizations to apply the best practices in this guide.</p><p>As of this release date, identified exploitations or compromises associated with these threat actors’ activity align with existing weaknesses associated with victim infrastructure; no novel activity has been observed. Patching vulnerable devices and services, as well as generally securing environments, will reduce opportunities for intrusion and mitigate the actors’ activity.</p><p>View the detailed report below.</p> Tue, 03 Dec 2024 14:47:32 -0600 Cybersecurity Government Intelligence Reports