Security Alerts

Cisco Small Business Smart and Managed Switches Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in the IPv6 packet processing engine of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient validation of incoming IPv6 traffic. An attacker could exploit this vulnerability by sending a crafted IPv6 packet through an affected device. A successful exploit could allow the attacker to cause the switch management CLI to stop responding, resulting in a DoS condition.

This vulnerability is specific to IPv6 traffic. IPv4 traffic is not affected.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbss-ipv6-dos-tsgqbffW


Security Impact Rating: Medium
CVE: CVE-2020-3496
Categories: Security Alerts

Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerabilities

Cisco Security Advisories - Wed, 2020-08-19 16:00

Multiple vulnerabilities in the Cisco Discovery Protocol implementation for Cisco Video Surveillance 8000 Series IP Cameras could allow an unauthenticated, adjacent attacker to execute code remotely or cause a reload of an affected IP camera.

These vulnerabilities are due to missing checks when the IP cameras process a Cisco Discovery Protocol packet. An attacker could exploit these vulnerabilities by sending a malicious Cisco Discovery Protocol packet to the targeted IP camera. A successful exploit could allow the attacker to execute code on the affected IP camera or cause it to reload unexpectedly, resulting in a denial of service (DoS) condition.

Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipcameras-rce-dos-uPyJYxN3


Security Impact Rating: High
CVE: CVE-2020-3506,CVE-2020-3507
Categories: Security Alerts

Cisco DNA Center Cross-Site Scripting Vulnerabilities

Cisco Security Advisories - Wed, 2020-08-19 16:00

Multiple vulnerabilities in the web-based management interface of Cisco DNA Center software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device.

The vulnerabilities exist because the web-based management interface on an affected device does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-mlt-xss-zUzbcdEV


Security Impact Rating: Medium
CVE: CVE-2020-3466
Categories: Security Alerts

Cisco Data Center Network Manager Stored Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-xss-stored-w4rJZJtO


Security Impact Rating: Medium
CVE: CVE-2020-3439
Categories: Security Alerts

Cisco Data Center Network Manager Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of the affected software.

The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-xss-JnHSWG5C


Security Impact Rating: Medium
CVE: CVE-2020-3518
Categories: Security Alerts

Cisco Data Center Network Manager Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-xss-5TdMJRB3


Security Impact Rating: Medium
CVE: CVE-2020-3523
Categories: Security Alerts

Cisco Data Center Network Manager Path Traversal Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in a specific REST API method of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to conduct a path traversal attack on an affected device.

The vulnerability is due to insufficient validation of user-supplied input to the API. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-patrav-pW9RkhyW


Security Impact Rating: Medium
CVE: CVE-2020-3519
Categories: Security Alerts

Cisco Data Center Network Manager Path Traversal Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in a certain REST API endpoint of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to perform a path traversal attack on an affected device.

The vulnerability is due to insufficient path restriction enforcement. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to overwrite or list arbitrary files on the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-pa-trav-bMdfSTTq


Security Impact Rating: Medium
CVE: CVE-2020-3538
Categories: Security Alerts

Cisco Data Center Network Manager Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, local attacker to obtain confidential information from an affected device.

The vulnerability is due to insufficient protection of confidential information on an affected device. An attacker at any privilege level could exploit this vulnerability by accessing local filesystems and extracting sensitive information from them. A successful exploit could allow the attacker to view sensitive data, which they could use to elevate their privilege.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-infordisc-DOAXVvFV


Security Impact Rating: Medium
CVE: CVE-2020-3520
Categories: Security Alerts

Cisco Data Center Network Manager Read File Path Traversal Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in a specific REST API of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device.

The vulnerability is due to insufficient validation of user-supplied input to the API. An attacker with a low-privileged account could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to read arbitrary files on the affected system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-file-path-6PKONjHe


Security Impact Rating: Medium
CVE: CVE-2020-3521
Categories: Security Alerts

Cisco Data Center Network Manager Authorization Bypass Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization.

The vulnerability is due to a failure to limit access to resources that are intended for administrators only. An attacker with low-level privileges could exploit this vulnerability by submitting a crafted URL to an affected device. A successful exploit could allow the attacker to list, view, create, edit, and delete templates in the same manner as a user with administrative privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-bypass-auth-mVDR6ygT


Security Impact Rating: Medium
CVE: CVE-2020-3540
Categories: Security Alerts

Cisco Data Center Network Manager Authorization Bypass Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization.

The vulnerability is due to a failure to limit access to resources that are intended for users with Administrator privileges. An attacker could exploit this vulnerability by convincing a user to click a malicious URL. A successful exploit could allow a low-privileged attacker to list, view, create, edit, and delete templates in the same manner as a user with Administrator privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-authbypass-YVJzqgk2


Security Impact Rating: Medium
CVE: CVE-2020-3539
Categories: Security Alerts

Cisco Data Center Network Manager Authorization Bypass Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to bypass authorization on an affected device and access sensitive information that is related to the device.

The vulnerability exists because the affected software allows users to access resources that are intended for administrators only. An attacker could exploit this vulnerability by submitting a crafted URL to an affected device. A successful exploit could allow the attacker to add, delete, and edit certain network configurations in the same manner as a user with administrative privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-auth-bypass-MYeFpFcF


Security Impact Rating: Medium
CVE: CVE-2020-3522
Categories: Security Alerts

Cisco Vision Dynamic Signage Director Stored Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an authenticated, remote attacker with administrative privileges to conduct a cross-site scripting (XSS) attack against a user of the interface on an affected device.

The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need to have administrative privileges on the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cvdsd-xss-teMmLyUr


Security Impact Rating: Medium
CVE: CVE-2020-3491
Categories: Security Alerts

Cisco Vision Dynamic Signage Director Role-Based Access Control Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in the role-based access control (RBAC) functionality of the web management software of Cisco Vision Dynamic Signage Director could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform.

The vulnerability exists because the web management software does not properly handle RBAC. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to view and delete certain screen content on the system that the attacker would not normally have privileges to access.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cvdsd-rbac-y9LM5jw4


Security Impact Rating: Medium
CVE: CVE-2020-3485
Categories: Security Alerts

Cisco Vision Dynamic Signage Director Path Traversal Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an authenticated, remote attacker with administrative privileges to conduct directory traversal attacks and obtain read access to sensitive files on an affected system. 

The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to read files on the underlying operating system with root privileges. To exploit this vulnerability, the attacker would need to have administrative privileges on the affected system. 

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cvdsd-pathtrv-5tLJRrFn


Security Impact Rating: Medium
CVE: CVE-2020-3490
Categories: Security Alerts

Cisco Connected Mobile Experiences Restricted Shell Escape Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in the CLI of Cisco Connected Mobile Experiences (CMX) could allow an authenticated, local attacker with administrative credentials to bypass restrictions on the CLI.

The vulnerability is due to insufficient security mechanisms in the restricted shell implementation. An attacker could exploit this vulnerability by sending crafted commands to the CLI. A successful exploit could allow the attacker to escape the restricted shell and execute a set of normally unauthorized commands with the privileges of a non-root user. To exploit this vulnerability, an attacker would need to have valid administrative credentials.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmx-rshell-esc-L6hBwjbg


Security Impact Rating: Medium
CVE: CVE-2020-3151
Categories: Security Alerts

Cisco Connected Mobile Experiences Privilege Escalation Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow an authenticated, local attacker with administrative credentials to execute arbitrary commands with root privileges.

The vulnerability is due to improper user permissions that are configured by default on an affected system. An attacker could exploit this vulnerability by sending crafted commands to the CLI. A successful exploit could allow the attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. To exploit this vulnerability, an attacker would need to have valid administrative credentials.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmx-prvesc-6g37hjAL


Security Impact Rating: Medium
CVE: CVE-2020-3152
Categories: Security Alerts

Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Memory Leak Vulnerability

Cisco Security Advisories - Wed, 2020-08-19 16:00

A vulnerability in the Cisco Discovery Protocol of Cisco Video Surveillance 8000 Series IP Cameras could allow an unauthenticated, adjacent attacker to cause a memory leak, which could lead to a denial of service (DoS) condition on an affected device.

The vulnerability is due to incorrect processing of certain Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending certain Cisco Discovery Protocol packets to an affected device. A successful exploit could allow the attacker to cause the affected device to continuously consume memory, which could cause the device to crash and reload, resulting in a DOS condition.

Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdp-memleak-k5Z7m55t


Security Impact Rating: Medium
CVE: CVE-2020-3505
Categories: Security Alerts

AA20-227A: Phishing Emails Used to Deploy KONNI Malware

US-CERT - Fri, 2020-08-14 05:59
Original release date: August 14, 2020
Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with a malicious Visual Basic Application (VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.

Technical Details

KONNI malware is often delivered via phishing emails as a Microsoft Word document with a malicious VBA macro code (Phishing: Spearphising Attachment [T1566.001]). The malicious code can change the font color from light grey to black (to fool the user to enable content), check if the Windows operating system is a 32-bit or 64-bit version, and construct and execute the command line to download additional files (Command and Scripting Interpreter: Windows Command Shell [T1059.003]).

Once the VBA macro constructs the command line, it uses the certificate database tool CertUtil to download remote files from a given Uniform Resource Locator. It also incorporates a built-in function to decode base64-encoded files. The Command Prompt silently copies certutil.exe into a temp directory and renames it to evade detection.

The cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.

MITRE ATT&CK Techniques

According to MITRE, KONNI uses the ATT&CK techniques listed in table 1.

Table 1: KONNI ATT&CK techniques

Technique Use

System Network Configuration Discovery [T1016]

KONNI can collect the Internet Protocol address from the victim’s machine.

System Owner/User Discovery [T1033]

KONNI can collect the username from the victim’s machine.

Masquerading: Match Legitimate Name or Location [T1036.005]

KONNI creates a shortcut called Anti virus service.lnk in an apparent attempt to masquerade as a legitimate file.

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol [T1048.003]

KONNI has used File Transfer Protocol to exfiltrate reconnaissance data out.

Input Capture: Keylogging  [T1056.001]

KONNI has the capability to perform keylogging.

Process Discovery [T1057]

KONNI has used tasklist.exe to get a snapshot of the current processes’ state of the target machine.

Command and Scripting Interpreter: PowerShell [T1059.001]

KONNI used PowerShell to download and execute a specific 64-bit version of the malware.

Command and Scripting Interpreter: Windows Command Shell  [T1059.003]

KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection change.

Indicator Removal on Host: File Deletion [T1070.004]

KONNI can delete files.

Application Layer Protocol: Web Protocols [T1071.001]

KONNI has used Hypertext Transfer Protocol for command and control.

System Information Discovery [T1082]

KONNI can gather the operating system version, architecture information, connected drives, hostname, and computer name from the victim’s machine and has used systeminfo.exe to get a snapshot of the current system state of the target machine.

File and Directory Discovery [T1083]

A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.

Ingress Tool Transfer [T1105]

KONNI can download files and execute them on the victim’s machine.

Modify Registry [T1112]

KONNI has modified registry keys of ComSysApp service and Svchost on the machine to gain persistence.

Screen Capture [T1113]

KONNI can take screenshots of the victim’s machine.

Clipboard Data [T1115]

KONNI had a feature to steal data from the clipboard.

Data Encoding: Standard Encoding [T1132.001]

KONNI has used a custom base64 key to encode stolen data before exfiltration.

Access Token Manipulation: Create Process with Token [T1134.002]

KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.

Deobfuscate/Decode Files or Information [T1140]

KONNI has used CertUtil to download and decode base64 encoded strings.

Signed Binary Proxy Execution: Rundll32 [T1218.011]

KONNI has used Rundll32 to execute its loader for privilege escalation purposes.

Event Triggered Execution: Component Object Model Hijacking [T1546.015]

KONNI has modified ComSysApp service to load the malicious DLL payload.

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]

A version of KONNI drops a Windows shortcut into the Startup folder to establish persistence.

Boot or Logon Autostart Execution: Shortcut Modification [T1547.009]

A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.

Abuse Elevation Control Mechanism: Bypass User Access Control [T1548.002]

KONNI bypassed User Account Control with the "AlwaysNotify" settings.

Credentials from Password Stores: Credentials from Web Browsers [T1555.003]

KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.

Detection Signatures

CISA developed the following Snort signatures for use in detecting KONNI malware exploits.

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI contains '/weget/*.php' (KONNI)"; sid:1; rev:1; flow:established,to_server; content:"/weget/"; http_uri; depth:7; offset:0; fast_pattern; content:".php"; http_uri; distance:0; within:12; content:!"Referrer|3a 20|"; http_header; classtype:http-uri; priority:2; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"KONNI:HTTP header contains 'User-Agent|3a 20|HTTP|0d 0a|'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|HTTP|0d 0a|"; http_header; fast_pattern:only; content:"POST"; nocase; http_method; classtype:http-header; priority:2; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"KONNI:HTTP URI contains '/weget/(upload|uploadtm|download)'"; sid:1; rev:1; flow:established,to_server; content:"/weget/"; http_uri; fast_pattern:only; pcre:"/^\/weget\x2f(?:upload|uploadtm|download)\.php/iU"; content:"POST"; http_method; classtype:http-uri; priority:2; reference:url,blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html; metadata:service http;)

Mitigations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.
  • Keep operating system patches up to date. See Understanding Patches and Software Updates.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
  • Enforce a strong password policy. See Choosing and Protecting Passwords.
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  •  Scan all software downloaded from the internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate access control lists.
  • Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, "Guide to Malware Incident Prevention and Handling for Desktops and Laptops."

Resources Revisions
  • August 14, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

Pages

Subscribe to Willing Minds aggregator - Security Alerts