RSS Bulletins from National Cyber Awareness System
Immediate Actions WWS Facilities Can Take Now to Protect Against Malicious Cyber Activity
• Do not click on suspicious links.
• If you use RDP, secure and monitor it.
• Use strong passwords.
• Use multi-factor authentication.
Note: This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) to highlight ongoing malicious cyber activity—by both known and unknown actors—targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities. This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities. Note: although cyber threats across critical infrastructure sectors are increasing, this advisory does not intend to indicate greater targeting of the WWS Sector versus others.
To secure WWS facilities—including Department of Defense (DoD) water treatment facilities in the United States and abroad—against the TTPs listed below, CISA, FBI, EPA, and NSA strongly urge organizations to implement the measures described in the Recommended Mitigations section of this advisory.
WWS facilities may be vulnerable to the following common tactics, techniques, and procedures (TTPs) used by threat actors to compromise IT and OT networks, systems, and devices.
Cyber intrusions targeting U.S. WWS facilities highlight vulnerabilities associated with the following threats:
WWS Sector cyber intrusions from 2019 to early 2021 include:
The FBI, CISA, EPA, and NSA recommend WWS facilities—including DoD water treatment facilities in the United States and abroad—use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations to prevent, detect, and respond to cyber threats.
Personnel responsible for monitoring WWS should check for the following suspicious activities and indicators, which may be indicative of threat actor activity:
Note: The increased use of remote operations due to the COVID-19 pandemic increases the necessity for asset owner-operators to assess the risk associated with enhanced remote access to ensure it falls within acceptable levels.
FBI, CISA, EPA, and NSA would like to thank Dragos as well as the WaterISAC for their contributions to this advisory.
CISA offers a range of no-cost cyber hygiene services—including vulnerability scanning and ransomware readiness assessments—to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors.
The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
The StopRansomware.gov webpage is an interagency resource that provides guidance on ransomware protection, detection, and response. This includes ransomware alerts, reports, and resources from CISA and other federal partners, including:
For additional resources that can assist in preventing and mitigating this activity, see:
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov.
This product is provided subject to this Notification and this Privacy & Use policy.
Immediate Actions You Can Take Now to Protect Against Conti Ransomware
• Use multi-factor authentication.
• Segment and segregate networks and functions.
• Update your operating system and software.
Note: This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. (See FBI Flash: Conti Ransomware Attacks Impact Healthcare and First Responder Networks.) In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.
To secure systems against Conti ransomware, CISA, FBI, and the National Security Agency (NSA) recommend implementing the mitigation measures described in this Advisory, which include requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.
While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage, rather than the percentage of proceeds that affiliates receive under a typical affiliate model, and that the developers themselves receive a share of the proceeds from a successful attack.
Conti actors often gain initial access [TA0001] to networks through:
In the execution phase [TA0002], actors run a getuid payload before using a more aggressive payload to reduce the risk of triggering antivirus engines. CISA and FBI have observed Conti actors using Router Scan, a penetration testing tool, to maliciously scan for and brute force [T1110] routers, cameras, and network-attached storage devices with web interfaces. Additionally, actors use Kerberos attacks [T1558.003] to attempt to get the Admin hash to conduct brute force attacks.
Conti actors are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence [TA0003] on victim networks.[5] The actors use tools already available on the victim network—and, as needed, add additional tools, such as Windows Sysinternals and Mimikatz—to obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges [TA0004] within a domain and perform other post-exploitation and lateral movement tasks [TA0008]. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks.
According to a recently leaked threat actor “playbook,” [6] Conti actors also exploit vulnerabilities in unpatched assets, such as the following, to escalate privileges [TA0004] and move laterally [TA0008] across a victim’s network:
Artifacts leaked with the playbook identify four Cobalt Strike server Internet Protocol (IP) addresses Conti actors previously used to communicate with their command and control (C2) server.
162.244.80[.]235
85.93.88[.]165
185.141.63[.]120
82.118.21[.]1
CISA and FBI have observed Conti actors using different Cobalt Strike server IP addresses unique to different victims.
Conti actors often use the open-source Rclone command line program for data exfiltration [TA0010]. After the actors steal and encrypt the victim's sensitive data [T1486], they employ a double extortion technique in which they demand the victim pay a ransom for the release of the encrypted data and threaten the victim with public release of the data if the ransom is not paid.
Conti ransomware uses the ATT&CK techniques listed in table 1.
Initial Access

| Technique Title | ID | Use |
|---|---|---|
| Valid Accounts | T1078 | Conti actors have been observed gaining unauthorized access to victim networks through stolen Remote Desktop Protocol (RDP) credentials. |
| Phishing: Spearphishing Attachment | T1566.001 | Conti ransomware can be delivered using TrickBot malware, which is known to use an email with an Excel sheet containing a malicious macro to deploy the malware. |
| Phishing: Spearphishing Link | T1566.002 | Conti ransomware can be delivered using TrickBot, which has been delivered via malicious links in phishing emails. |
Execution

| Technique Title | ID | Use |
|---|---|---|
| Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Conti ransomware can utilize command line options to allow an attacker control over how it scans and encrypts files. |
| Native Application Programming Interface (API) | T1106 | Conti ransomware has used API calls during execution. |
Persistence

| Technique Title | ID | Use |
|---|---|---|
| Valid Accounts | T1078 | Conti actors have been observed gaining unauthorized access to victim networks through stolen RDP credentials. |
| External Remote Services | T1133 | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as virtual private networks (VPNs), Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally. |
Privilege Escalation

| Technique Title | ID | Use |
|---|---|---|
| Process Injection: Dynamic-link Library Injection | T1055.001 | Conti ransomware has loaded an encrypted dynamic-link library (DLL) into memory and then executes it. |
Defense Evasion

| Technique Title | ID | Use |
|---|---|---|
| Obfuscated Files or Information | T1027 | Conti ransomware has encrypted DLLs and used obfuscation to hide Windows API calls. |
| Process Injection: Dynamic-link Library Injection | T1055.001 | Conti ransomware has loaded an encrypted DLL into memory and then executes it. |
| Deobfuscate/Decode Files or Information | T1140 | Conti ransomware has decrypted its payload using a hardcoded AES-256 key. |
Credential Access

| Technique Title | ID | Use |
|---|---|---|
| Brute Force | T1110 | Conti actors use legitimate tools to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. |
| Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003 | Conti actors use Kerberos attacks to attempt to get the Admin hash. |

Discovery

| Technique Title | ID | Use |
|---|---|---|
| System Network Configuration Discovery | T1016 | Conti ransomware can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-internet systems. |
| System Network Connections Discovery | T1049 | Conti ransomware can enumerate routine network connections from a compromised host. |
| Process Discovery | T1057 | Conti ransomware can enumerate through all open processes to search for any that have the string sql in their process name. |
| File and Directory Discovery | T1083 | Conti ransomware can discover files on a local system. |
| Network Share Discovery | T1135 | Conti ransomware can enumerate remote open server message block (SMB) network shares using NetShareEnum(). |
Lateral Movement

| Technique Title | ID | Use |
|---|---|---|
| Remote Services: SMB/Windows Admin Shares | T1021.002 | Conti ransomware can spread via SMB and encrypts files on different hosts, potentially compromising an entire network. |
| Taint Shared Content | T1080 | Conti ransomware can spread itself by infecting other remote machines via network shared drives. |
Impact

| Technique Title | ID | Use |
|---|---|---|
| Data Encrypted for Impact | T1486 | Conti ransomware can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionStatus() to rapidly encrypt files, excluding those with the extensions .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RSA-4096 public encryption key that is unique for each victim. Conti ransomware can use "Windows Restart Manager" to ensure files are unlocked and open for encryption. |
| Service Stop | T1489 | Conti ransomware can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop. |
| Inhibit System Recovery | T1490 | Conti ransomware can delete Windows Volume Shadow Copies using vssadmin. |
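The pre-encryption behaviour described above (stopping services with net stop, deleting shadow copies with vssadmin, staging data out with Rclone) is visible in process-creation telemetry before any file is encrypted. The following is an added example written for this page, not Conti's code or CISA's, that flags that sequence in such telemetry. The pipe-delimited event format, the host and user names and the sample events are constructed; the burst threshold of five distinct services stopped within 60 seconds is an assumption to tune against your own baseline.

```python
"""Added example for this page (not Conti's code, not CISA's): flag the
pre-encryption sequence of net stop bursts, vssadmin shadow deletion and
rclone exfiltration in process-creation telemetry.  The event format and
the sample events are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import shlex

# Constructed events in a hypothetical "ISO-timestamp|host|user|command line" format.
SAMPLE_EVENTS = r"""
2021-09-20T01:40:12|FS01|CORP\svc-backup|C:\Users\Public\rclone.exe copy D:\Finance mega:dump --transfers 32
2021-09-20T02:14:01|FS01|CORP\svc-backup|C:\Windows\System32\net.exe stop "Veeam Backup Service" /y
2021-09-20T02:14:01|FS01|CORP\svc-backup|C:\Windows\System32\net.exe stop MSSQLSERVER /y
2021-09-20T02:14:02|FS01|CORP\svc-backup|C:\Windows\System32\net.exe stop "Sophos Agent" /y
2021-09-20T02:14:02|FS01|CORP\svc-backup|C:\Windows\System32\net.exe stop SQLWriter /y
2021-09-20T02:14:03|FS01|CORP\svc-backup|C:\Windows\System32\net.exe stop MSExchangeIS /y
2021-09-20T02:14:03|FS01|CORP\svc-backup|C:\Windows\System32\net.exe stop "Acronis VSS Provider" /y
2021-09-20T02:14:05|FS01|CORP\svc-backup|vssadmin.exe delete shadows /all /quiet
2021-09-20T09:05:00|WS17|CORP\alice|C:\Windows\System32\net.exe stop Spooler
2021-09-20T09:05:30|WS17|CORP\alice|C:\Windows\System32\net.exe use Z: \\FS01\share
"""

def parse_events(text):
    """Return (timestamp, host, user, command_line) tuples from the constructed format."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, cmd = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, user, cmd))
    return events

def split_cmd(cmd):
    """Split a Windows command line; non-POSIX mode keeps quoted service names whole."""
    return shlex.split(cmd, posix=False)

def exe_name(tokens):
    """Base name of the image, lower-cased, without a trailing .exe."""
    name = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def single_event_rule(tokens):
    """Label a command line that is suspicious on its own, else None."""
    exe = exe_name(tokens)
    low = [t.lower() for t in tokens]
    if exe == "vssadmin" and "delete" in low and "shadows" in low:
        return "T1490 Inhibit System Recovery: vssadmin shadow copy deletion"
    if exe == "rclone" and len(low) > 1 and low[1] in ("copy", "sync", "move"):
        # rclone addresses a configured remote as "<name>:<path>".  A name of two or
        # more characters is required so a local drive path (D:\...) does not match.
        if any(re.fullmatch(r"[a-z0-9_-]{2,}:.*", t) for t in low[2:]):
            return "TA0010 Exfiltration: rclone to a configured remote"
    return None

def detect(events, burst_threshold=5, window=timedelta(seconds=60)):
    """Return findings as dicts sorted by time; a net stop burst is reported once per host."""
    findings = []
    stops = defaultdict(list)  # host -> [(time, service name)]
    for ts, host, user, cmd in events:
        tokens = split_cmd(cmd)
        label = single_event_rule(tokens)
        if label:
            findings.append({"time": ts, "host": host, "user": user, "label": label, "cmd": cmd})
        if exe_name(tokens) in ("net", "net1") and len(tokens) >= 3 and tokens[1].lower() == "stop":
            stops[host].append((ts, tokens[2].strip('"').lower()))
    for host, items in stops.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            services = {svc for t, svc in items[i:] if t - start <= window}
            if len(services) >= burst_threshold:
                findings.append({"time": start, "host": host, "user": None, "cmd": None,
                                 "label": "T1489 Service Stop: %d distinct services stopped within %ds"
                                          % (len(services), window.total_seconds())})
                break
    return sorted(findings, key=lambda f: f["time"])

if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f["time"], f["host"], f["label"])
```

Run as a script it prints three findings, all on FS01: the Rclone copy to a remote, the burst of six service stops, and the shadow copy deletion. The lone net stop on WS17 stays below the threshold, and a local rclone copy between two drives does not match the exfiltration rule.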
CISA, FBI, and NSA recommend that network defenders apply the following mitigations to reduce the risk of compromise by Conti ransomware attacks.
Review CISA’s APTs Targeting IT Service Provider Customers guidance for additional mitigations specific to IT Service Providers and their customers.
If a ransomware incident occurs at your organization, CISA, FBI, and NSA recommend the following actions:
CISA, FBI, and NSA strongly discourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.
CISA offers a range of no-cost cyber hygiene services to help organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
The StopRansomware.gov webpage is an interagency resource that provides guidance on ransomware protection, detection, and response. This includes ransomware alerts, reports, and resources from CISA and other federal partners, including:
The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.
This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the ATT&CK for Enterprise for referenced threat actor tactics and for techniques.
This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus—a self-service password management and single sign-on solution.
CVE-2021-40539, rated critical by the Common Vulnerability Scoring System (CVSS), is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution. The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.
Zoho ManageEngine ADSelfService Plus build 6114, which Zoho released on September 6, 2021, fixes CVE-2021-40539. FBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114. Additionally, FBI, CISA, and CGCYBER strongly urge organizations ensure ADSelfService Plus is not directly accessible from the internet.
The FBI, CISA, and CGCYBER have reports of malicious cyber actors using exploits against CVE-2021-40539 to gain access [T1190] to ManageEngine ADSelfService Plus, as early as August 2021. The actors have been observed using various tactics, techniques, and procedures (TTPs), including:
• Dumping the NTDS.dit file [T1003.003] or registry hives
• Discovering domain accounts with the net Windows command [T1087.002]
The FBI, CISA, and CGCYBER are proactively investigating and responding to this malicious cyber activity.
Sharing technical and/or qualitative information with the FBI, CISA, and CGCYBER helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims while working to unmask and hold accountable those conducting malicious cyber activities. See the Contact section below for details.
Successful compromise of ManageEngine ADSelfService Plus, via exploitation of CVE-2021-40539, allows the attacker to upload a .zip file containing a JavaServer Pages (JSP) webshell masquerading as an x509 certificate: service.cer. Subsequent requests are then made to different API endpoints to further exploit the victim's system.
After the initial exploitation, the JSP webshell is accessible at /help/admin-guide/Reports/ReportGenerate.jsp. The attacker then attempts to move laterally using Windows Management Instrumentation (WMI), gain access to a domain controller, dump NTDS.dit and the SECURITY/SYSTEM registry hives, and, from there, continue to expand the compromised access.
Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult—the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell.
(Updated November 19, 2021): APT actors are using the following suite of tools to enable this campaign:
The FBI, CISA, and CGCYBER cannot confirm that CVE-2021-40539 is the only vulnerability APT actors are leveraging as part of this activity, so it is key that network defenders focus on detecting the tools listed above in addition to the initial access vector. For more information, see:
Note: The FBI, CISA, and CGCYBER do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, CISA, and CGCYBER. This document does not change any legal requirements or impose new requirements on the public.
APT cyber actors have targeted entities across the 16 critical infrastructure sectors, including academic institutions, defense contractors as well as transportation, information technology, manufacturing, communications, and finance. Illicitly obtained access and information may disrupt company operations/logistics and subvert U.S. research across critical infrastructure sectors.
Hashes:
068d1b3813489e41116867729504c40019ff2b1fe32aab4716d429780e666324
49a6f77d380512b274baff4f78783f54cb962e2a8a5e238a453058a351fcfbba
File paths:
C:\ManageEngine\ADSelfService Plus\webapps\adssp\help\admin-guide\reports\ReportGenerate.jsp
C:\ManageEngine\ADSelfService Plus\webapps\adssp\html\promotion\adap.jsp
C:\ManageEngine\ADSelfService Plus\jre\bin\SelfSe~1.key (filename varies with an epoch timestamp of creation, extension may vary as well)
C:\ManageEngine\ADSelfService Plus\webapps\adssp\Certificates\SelfService.csr
C:\ManageEngine\ADSelfService Plus\bin\service.cer
C:\Users\Public\custom.txt
C:\Users\Public\custom.bat
C:\ManageEngine\ADSelfService Plus\work\Catalina\localhost\ROOT\org\apache\jsp\help (including subdirectories and contained files)
Webshell URL Paths:
/help/admin-guide/Reports/ReportGenerate.jsp
/html/promotion/adap.jsp
Check log files located at C:\ManageEngine\ADSelfService Plus\logs for evidence of successful exploitation of the ADSelfService Plus vulnerability:
/help/admin-guide/Reports/ReportGenerate.jsp
/ServletApi/../RestApi/LogonCustomization
/ServletApi/../RestAPI/Connection
Keystore will be created for "admin"
The status of keystore creation is Upload!
Java traceback errors that include references to NullPointerException in addSmartCardConfig or getSmartCardConfig
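The log indicators above can be hunted mechanically. The following is an added example written for this page, not Zoho's or CISA's code, that scans constructed Tomcat-style access log lines and application log lines for them. Two details matter in practice: the request-path indicators contain a ".." segment, so matching has to be done on the raw request line rather than on a normalised path (which would read /RestAPI/... and look like ordinary traffic), and the indicator spellings differ in case (RestApi versus RestAPI), so the comparison is case-insensitive. The log formats, client addresses, timestamps and the stack-frame line are constructed.

```python
"""Added example for this page (not Zoho's code, not CISA's): hunt the
ADSelfService Plus log indicators from the advisory in Tomcat-style access
log lines and application log lines.  All sample lines are constructed."""
import posixpath
import re

# Request-path indicators from the advisory, matched on the raw request line.
PATH_INDICATORS = (
    "/help/admin-guide/Reports/ReportGenerate.jsp",
    "/html/promotion/adap.jsp",
    "/ServletApi/../RestApi/LogonCustomization",
    "/ServletApi/../RestAPI/Connection",
)
WEBSHELL_PATHS = {p.lower() for p in PATH_INDICATORS[:2]}
# Application-log indicators from the advisory.
MESSAGE_INDICATORS = (
    'Keystore will be created for "admin"',
    "The status of keystore creation is Upload!",
)
SMARTCARD_FRAME_RE = re.compile(r"\b(addSmartCardConfig|getSmartCardConfig)\b")

# Constructed access log: client - - [time] "METHOD path HTTP/1.1" status bytes
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [07/Sep/2021:03:12:41 +0000] "POST /ServletApi/../RestApi/LogonCustomization HTTP/1.1" 200 512
203.0.113.7 - - [07/Sep/2021:03:12:44 +0000] "POST /ServletApi/../RestAPI/Connection HTTP/1.1" 200 88
203.0.113.7 - - [07/Sep/2021:03:13:02 +0000] "POST /help/admin-guide/Reports/ReportGenerate.jsp HTTP/1.1" 200 1411
10.20.0.15 - - [07/Sep/2021:03:13:10 +0000] "GET /RestAPI/LogonCustomization HTTP/1.1" 401 0
10.20.0.15 - - [07/Sep/2021:08:00:03 +0000] "GET /help/admin-guide/index.html HTTP/1.1" 200 20311
"""
# Constructed application log; the stack frame line is invented for the example.
SAMPLE_APP_LOG = """\
[07/Sep/2021 03:12:42] [INFO] Keystore will be created for "admin"
[07/Sep/2021 03:12:43] [INFO] The status of keystore creation is Upload!
[07/Sep/2021 03:12:43] [SEVERE] java.lang.NullPointerException
    at com.example.SmartCardConfig.addSmartCardConfig(SmartCardConfig.java)
[07/Sep/2021 08:00:03] [INFO] Scheduler started
"""
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def hunt_access_log(text):
    """Return one dict per request whose raw path equals an indicator (case-insensitive)."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue
        raw = m.group("path").split("?", 1)[0]
        for ind in PATH_INDICATORS:
            if raw.lower() == ind.lower():
                hits.append({"line": n, "client": m.group("client"), "time": m.group("time"),
                             "path": raw, "resolves_to": posixpath.normpath(raw),
                             "status": int(m.group("status")), "indicator": ind})
    return hits

def clients_with_exploit_chain(access_hits):
    """Clients that hit a REST API indicator and later a webshell path, in log order."""
    seen_api, chained = set(), []
    for h in access_hits:
        if h["path"].lower() in WEBSHELL_PATHS:
            if h["client"] in seen_api and h["client"] not in chained:
                chained.append(h["client"])
        else:
            seen_api.add(h["client"])
    return chained

def hunt_app_log(text):
    """Return keystore messages and NullPointerExceptions whose next frame is a SmartCardConfig method."""
    hits, npe_line = [], None
    for n, line in enumerate(text.splitlines(), 1):
        for msg in MESSAGE_INDICATORS:
            if msg in line:
                hits.append({"line": n, "indicator": msg})
        if "NullPointerException" in line:
            npe_line = n
        elif npe_line is not None and line.lstrip().startswith("at "):
            m = SMARTCARD_FRAME_RE.search(line)
            if m:
                hits.append({"line": npe_line, "indicator": "NullPointerException in " + m.group(1)})
                npe_line = None
        else:
            npe_line = None
    return hits

if __name__ == "__main__":
    access = hunt_access_log(SAMPLE_ACCESS_LOG)
    for h in access:
        print("access line %d: %s %s -> %s" % (h["line"], h["client"], h["path"], h["resolves_to"]))
    print("exploit chain from:", clients_with_exploit_chain(access))
    for h in hunt_app_log(SAMPLE_APP_LOG):
        print("app line %d: %s" % (h["line"], h["indicator"]))
```

The unauthenticated 401 on /RestAPI/LogonCustomization from the second client is deliberately not matched: the plain path is ordinary traffic, and only the traversal form is an indicator. A client that hits the API indicators and then the webshell path is the sequence the advisory describes, so that chain is reported separately from the individual hits.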
TTPs:
• Lateral movement using WMI (wmic.exe)
• Using pg_dump.exe to dump ManageEngine databases
• Dumping NTDS.dit and the SECURITY/SYSTEM/NTUSER registry hives
Yara Rules:
Organizations that identify any activity related to ManageEngine ADSelfService Plus indicators of compromise within their networks should take action immediately.
Zoho ManageEngine ADSelfService Plus build 6114, which Zoho released on September 6, 2021, fixes CVE-2021-40539. FBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114. Additionally, FBI, CISA, and CGCYBER strongly urge organizations ensure ADSelfService Plus is not directly accessible from the internet.
Additionally, FBI, CISA, and CGCYBER strongly recommend domain-wide password resets and a double reset of the Kerberos Ticket Granting Ticket (krbtgt) account password if any indication is found that the NTDS.dit file was compromised. The two krbtgt resets should be separated by enough time for the new password to replicate to every domain controller; resetting twice in quick succession invalidates all outstanding Kerberos tickets and disrupts authentication domain-wide.
Immediately report as an incident to CISA or the FBI (refer to Contact Information section below) the existence of any of the following:
Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.
For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:
Immediate Actions You Can Take Now to Protect Against Ransomware
• Make an offline backup of your data.
• Do not click on suspicious links.
• If you use RDP, secure and monitor it.
• Update your OS and software.
• Use strong passwords.
• Use multi-factor authentication.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021. The FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday. However, the FBI and CISA are sharing the below information to provide awareness to be especially diligent in your network defense practices in the run up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.
Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The FBI and CISA do not currently have specific information regarding cyber threats coinciding with upcoming holidays and weekends. Cyber criminals, however, may view holidays and weekends—especially holiday weekends—as attractive timeframes in which to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.
The FBI's Internet Crime Complaint Center (IC3), which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints for all types of internet crime—a record number—from the American public in 2020, with reported losses exceeding $4.1 billion. This represents a 69 percent increase in total complaints from 2019. The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20 percent increase in the number of incidents, and a 225 percent increase in ransom demands. From January to July 31, 2021, the IC3 has received 2,084 ransomware complaints with over $16.8M in losses, a 62 percent increase in reporting and 20 percent increase in reported losses compared to the same time frame in 2020.
The destructive impact of ransomware continues to evolve beyond encryption of IT assets. Cyber criminals have increasingly targeted large, lucrative organizations and providers of critical services with the expectation of higher value ransoms and increased likelihood of payments. Cyber criminals have also increasingly coupled initial encryption of data with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption, to further encourage payment of ransom. (See CISA’s Fact Sheet: Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches.) Malicious actors have also added tactics, such as encrypting or deleting system backups—making restoration and recovery more difficult or infeasible for impacted organizations.
Although cyber criminals use a variety of techniques to infect victims with ransomware, the two most prevalent initial access vectors are phishing and brute forcing unsecured remote desktop protocol (RDP) endpoints. Additional common means of initial infection include deployment of precursor or dropper malware; exploitation of software or operating system vulnerabilities; exploitation of managed service providers with access to customer networks; and the use of valid, stolen credentials, such as those purchased on the dark web. Precursor malware enables cyber actors to conduct reconnaissance on victim networks, steal credentials, escalate privileges, exfiltrate information, move laterally on the victim network, and obfuscate command-and-control communications. Cyber actors use this access to:
The FBI and CISA suggest organizations engage in preemptive threat hunting on their networks. Threat hunting is a proactive strategy to search for signs of threat actor activity to prevent attacks before they occur or to minimize damage in the event of a successful attack. Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack. Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data. Threat hunting encompasses the following elements: understanding the IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems.
Indicators of suspicious activity that threat hunters should look for include:
See the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. Also review the Ransomware Response Checklist in the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
CISA offers a range of no-cost cyber hygiene services—including vulnerability scanning and ransomware readiness assessments—to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors.
The FBI and CISA strongly discourage paying a ransom to criminal actors. Payment does not guarantee files will be recovered, nor does it ensure protection from future breaches. Payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of malware, and/or fund illicit activities. Regardless of whether you or your organization decide to pay the ransom, the FBI and CISA urge you to report ransomware incidents to CISA, a local FBI field office, or by filing a report with IC3 at IC3.gov. Doing so provides the U.S. Government with critical information needed to help victims, track ransomware attackers, hold attackers accountable under U.S. law, and share information to prevent future attacks.
Upon receiving an incident report, the FBI or CISA may seek forensic artifacts, to the extent that affected entities determine such information can be legally shared, including:
The FBI and CISA highly recommend organizations continuously and actively monitor for ransomware threats over holidays and weekends.
Note: for help with developing your plan, review available incident response guidance, such as the Public Power Cyber Incident Response Playbook and the Ransomware Response Checklist in the CISA-MS-ISAC Joint Ransomware Guide.
If your organization is impacted by a ransomware incident, the FBI and CISA recommend the following actions.
For additional resources related to the prevention and mitigation of ransomware, go to https://www.stopransomware.gov as well as the CISA-MS-ISAC Joint Ransomware Guide. Stopransomware.gov is the U.S. Government’s new, official one-stop location for resources to tackle ransomware more effectively. Additional resources include:
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.
This product is provided subject to this Notification and this Privacy & Use policy.
On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability—CVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries.[1] A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices.[2] BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions. Note: at this time, CISA is not aware of active exploitation of this vulnerability.
CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible. Refer to the Mitigations section for more information about patching.
CVE-2021-22156 is an integer overflow vulnerability affecting the calloc() function in the C runtime library of multiple BlackBerry QNX products. Exploitation of this vulnerability could lead to a denial-of-service condition or arbitrary code execution in affected devices. To exploit this vulnerability, an attacker must have control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation. An attacker with network access could remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet.[3]
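The defect class behind CVE-2021-22156 is an unchecked multiplication of calloc()'s two arguments. The following is an added illustration, not BlackBerry's code or anything from the advisory: it shows how a naive nmemb * size product wraps to a small value, and the overflow check a hardened allocator performs before calling the underlying allocator. The request sizes are constructed so that the wrap occurs on any word size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Naive size computation, as in an unhardened calloc(): the product wraps
 * modulo SIZE_MAX + 1, so an enormous request can become a tiny allocation
 * while the caller still believes it owns nmemb * size bytes. */
size_t naive_calloc_size(size_t nmemb, size_t size) {
    return nmemb * size;   /* silently truncates on overflow */
}

/* Hardened size computation: stores the product in *out and returns 1, or
 * returns 0 when nmemb * size does not fit in size_t. The division test is
 * portable and needs no compiler builtins. */
int checked_calloc_size(size_t nmemb, size_t size, size_t *out) {
    if (nmemb == 0 || size == 0) { *out = 0; return 1; }
    if (nmemb > SIZE_MAX / size) { *out = 0; return 0; }  /* would overflow */
    *out = nmemb * size;
    return 1;
}

/* Convenience predicate: 1 if the request would overflow, else 0. */
int request_overflows(size_t nmemb, size_t size) {
    size_t unused;
    return !checked_calloc_size(nmemb, size, &unused);
}

/* calloc-style wrapper that refuses overflowing requests instead of handing
 * back an undersized, zeroed buffer that later accesses would overrun. */
void *safe_calloc(size_t nmemb, size_t size) {
    size_t total;
    if (!checked_calloc_size(nmemb, size, &total)) return NULL;
    void *p = malloc(total ? total : 1);
    if (p) memset(p, 0, total);
    return p;
}

/* Constructed request (hypothetical values, not from the advisory):
 * (SIZE_MAX/2 + 2) * 2 == SIZE_MAX + 3, which truncates to 2 on any word size. */
#define WRAP_NMEMB (SIZE_MAX / 2 + 2)
#define WRAP_SIZE  ((size_t)2)

int main(void) {
    printf("naive size for wrapping request: %zu bytes\n",
           naive_calloc_size(WRAP_NMEMB, WRAP_SIZE));
    printf("hardened allocator accepts it: %s\n",
           safe_calloc(WRAP_NMEMB, WRAP_SIZE) ? "yes" : "no (rejected)");
    return 0;
}
```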
CVE-2021-22156 is part of a collection of integer overflow vulnerabilities, known as BadAlloc, which affect a wide range of industries using Internet of Things (IoT), and operational technology (OT)/industrial control systems (ICS) devices. See CISA ICS Advisory ICSA-21-119-04 and Microsoft’s BadAlloc blog post for more information.
All BlackBerry programs with dependency on the C runtime library are affected by this vulnerability (see table 1 for a list of affected BlackBerry QNX products). Because many affected devices include safety-critical devices, exploitation of this vulnerability could result in a malicious actor gaining control of sensitive systems, possibly leading to increased risk of damage to infrastructure or critical functions.
Product | Affected Version |
---|---|
QNX SDP | 6.5.0SP1, 6.5.0, 6.4.1, 6.4.0 |
QNX Momentics Development Suite | 6.3.2 |
QNX Momentics | 6.3.0SP3, 6.3.0SP2, 6.3.0SP1, 6.3.0, 6.2.1b, 6.2.1, 6.2.1A, 6.2.0 |
QNX Realtime Platform | 6.1.0a, 6.1.0, 6.0.0a, 6.0.0 |
QNX Cross Development Kit | 6.0.0, 6.1.0 |
QNX Development Kit (Self-hosted) | 6.0.0, 6.1.0 |
QNX Neutrino RTOS Safe Kernel | 1.0 |
QNX Neutrino RTOS Certified Plus | 1.0 |
QNX Neutrino RTOS for Medical Devices | 1.0, 1.1 |
QNX OS for Automotive Safety | 1.0 |
QNX OS for Safety | 1.0, 1.0.1 |
QNX Neutrino Secure Kernel | 6.4.0, 6.5.0 |
QNX CAR Development Platform | 2.0RR |
CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible.
Critical infrastructure organizations are encouraged to review the following guidance for additional information: