Home » Security Information

Security Information

This page is dedicated to security, it includes local security information, as well as a number of syndicated security feeds, alerts, tools and news from major security portals. This page aims to provide a single security information access point, helping you stay current with recent security threats. You can check the SG Security FAQ and visit the SG Security forum with any questions you might have.

SG Security Scan

SG Security Articles

Latest Security Advisories (US-CERT)

CISA released two Industrial Control Systems (ICS) advisories on July 25, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-207-01 Siemens SICAM Products
• ICSA-24-207-02 Positron Broadcast Signal Processor

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Today, CISAin partnership with the Federal Bureau of Investigation (FBI)released a joint Cybersecurity Advisory, North Korea State-Sponsored Cyber Group Conducts Global Espionage Campaign to Advance Regimes Military and Nuclear Programs. The advisory was coauthored with the following organizations:

• U.S. Cyber National Mission Force (CNMF);
• U.S. Department of Defense Cyber Crime Center (DC3);
• U.S. National Security Agency (NSA);
• Republic of Koreas National Intelligence Service (NIS);
• Republic of Koreas National Police Agency (NPA); and
• United Kingdoms National Cyber Security Centre (NCSC).

This advisory was crafted to highlight cyber espionage activity associated with the Democratic Peoples Republic of Korea (DPRK)s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju. The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regimes military and nuclear programs and ambitions.

The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India.

All critical infrastructure organizations are encouraged to review the advisory and implement the recommended mitigations. For more information on North Korean state-sponsored threat actor activity, see CISAs North Korea Cyber Threat Overview and Advisories page.

Andariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities. For more information on this ransomware activity, see joint advisories #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities and North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.

CISA released four Industrial Control Systems (ICS) advisories on July 23, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-205-01 National Instruments IO Trace
• ICSA-24-205-02 Hitachi Energy AFS/AFR Series Products
• ICSA-24-205-03 National Instruments LabVIEW
   
• ICSA-22-333-02 Hitachi Energy IED Connectivity Packages and PCM600 Products (Update A)

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2012-4792 Microsoft Internet Explorer Use-After-Free Vulnerability
• CVE-2024-39891 Twilio Authy Information Disclosure Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Note: CISA will update this Alert with more information as it becomes available.

Update 12:30 p.m., EDT, July 26, 2024: 

• CrowdStrikes Counter Adversary Operations blog lists various reports of malicious cyber activity leveraging last weeks outage. 
• CISA encourages users and administrators to remain vigilant and maintain robust cybersecurity measures, including:
  • Only follow guidance from legitimate sources.
  • Block malicious domains.
  • Follow CrowdStrikes recommendations to protect against the outage-related phishing activity listed in their Counter Adversary Operations reports.
• CrowdStrike also continues to provide updated information through its remediation and guidance hub.

Update 12:00 p.m., EDT, July 24, 2024: 

• CrowdStrike continues to provide updates to its guidance, including:
  • An instructional video to guide users through a self-remediation process.
  • An update to their initial remediation that accelerates remediation of impacted systems; CrowdStrike encourages customers to follow the Tech Alerts for latest updates as they happen.
  • A Preliminary Incident Review, which provides answers to why and how the outage occurred and how they will prevent such outages going forward.
• CrowdStrike also published a list of domains impersonating the CrowdStrike brand, which threat actors could use to deliver malicious content. 

Update 9:45 a.m., EDT, July 21, 2024: 

• Microsoft released a recovery tool that uses a USB drive to boot and repair affected systems. 
• Microsoft also published a blog post that provides links to various remediation solutions and outlines their actions in response to the outage, which include working with CrowdStrike to expedite restoring services to disrupted systems.
• In the blog post, Microsoft estimates the outage affected 8.5 million Windows devices. Microsoft notes that this number makes up less than one percent of all Windows machines.

Update 12:30 p.m., EDT, July 20, 2024: 

• CrowdStrike continues to provide updated guidance on yesterdays widespread IT outage, including remediation steps for specific environments.
• CrowdStrike released technical details that provide:
  • A technical summary of the outage and the impact.
  • Information on how the update to the CrowdStrike Falcon sensor configuration file, Channel File 291, caused the logic error that led to the outage.
  • A discussion of the root cause analysis CrowdStrike is undertaking to determine how the logic error occurred.
• Cyber threat actors continue to leverage the outage to conduct malicious activity, including phishing attempts. CISA continues to work closely with CrowdStrike and other private sector and government partners to actively monitor any emerging malicious activity.
  • According to a new CrowdStrike blog, threat actors have been distributing a malicious ZIP archive file. This activity appears to be targeting Latin America-based CrowdStrike customers. The blog provides indicators of compromise and recommendations.

Update 7:30 p.m., EDT, July 19, 2024: 

• The CrowdStrike guidance is updated with additional guidance regarding impacts to specific environments, e.g., Azure, AWS. 
• For additional information:
  
  • Update from the United Kingdom's National Cyber Security Centre (NCSC-UK)
  • Update from the Australian Cyber Security Centre (ACSC)
  • Update from the Canadian Centre for Cyber Security (CCCS)
• Threat actors continue to use the widespread IT outage for phishing and other malicious activity. CISA urges organizations to ensure they have robust cybersecurity measures to protect their users, assets, and data against this activity.

CISA continues to monitor the situation and will update this Alert to provide continued support.

Initial Alert (11:30 a.m., EDT, July 19, 2024):

CISA is aware of the widespread outage affecting Microsoft Windows hosts due to an issue with a recent CrowdStrike update and is working closely with CrowdStrike and federal, state, local, tribal and territorial (SLTT) partners, as well as critical infrastructure and international partners to assess impacts and support remediation efforts. CrowdStrike has confirmed the outage:

• Impacts Windows 10 and later systems.
• Does not impact Mac and Linux hosts.
• Is due to the CrowdStrike Falcon content update and not to malicious cyber activity.

According to CrowdStrike, the issue has been identified, isolated and a fix has been deployed. CrowdStrike customer organizations should reference CrowdStrike guidance and their customer portal to resolve the issue.

Of note, CISA has observed threat actors taking advantage of this incident for phishing and other malicious activity. CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links.

Ivanti released security updates to address vulnerabilities in Ivanti Endpoint Manager (EPM) and Ivanti Endpoint Manager for Mobile (EPMM). A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the following Ivanti advisories and apply the necessary updates:

• Security Advisory EPM
• Security Advisory Ivanti Endpoint Manager for Mobile (EPMM)

Cisco released security updates to address vulnerabilities in Cisco software. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following advisories and apply necessary updates:

• Cisco Secure Email Gateway Arbitrary File Write Vulnerability
• Cisco Smart Software Manager On-Prem Password Change Vulnerability
• Cisco Secure Web Appliance Privilege Escalation Vulnerability
• Cisco Identity Services Engine Arbitrary File Upload Vulnerability
• Cisco Intelligent Node Software Static Key Vulnerability
• Cisco Webex App Vulnerabilities
• Cisco RV340 and RV345 Dual WAN Gigabit VPN Routers Authenticated Remote Code Execution Vulnerability
• Cisco Expressway Series Open Redirect Vulnerability
• Cisco Secure Email Gateway Server-Side Template Injection Vulnerability