CISA Issues Ransomware Advisories, Key Vulnerability Update

The agency is partnering with other federal entities to sound alarms and offer support.

Ransomware

The Cybersecurity and Infrastructure Security Agency recently made a number of key announcements.

Working in conjunction with the Federal Bureau of Investigation and the National Security Agency, CISA released a joint Cybersecurity Advisory - Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. This advisory provides overlapping cybersecurity industry cyber threat intelligence, tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs) associated with Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) cyber actors, both during and succeeding their deployment of the WhisperGate malware against Ukraine.

These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. The authoring agencies encourage organizations to review this advisory for recommended mitigations against such malicious activity.

For additional information on Russian state-sponsored malicious cyber activity and related indictments, see the recent U.S. Department of Justice (DOJ) press release for June 26, 2024 and Sept. 5, 2024..

The agency has also released the #StopRansomware: RansomHub Ransomware advisory. It provides network defenders with indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with RansomHub activity identified through FBI investigations and third-party reporting as recently as August 2024.

RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—which has recently attracted high-profile affiliates from other prominent variants such as LockBit and ALPHV.

CISA encourages network defenders to review this advisory and apply the recommended mitigations. CISA also encourages software manufacturers to take ownership of improving the security outcomes of their customers by applying secure by design methods. For more information on Secure by Design, see CISA’s Secure by Design webpage.

Finally, CISA released an analysis and infographic detailing the findings from the 143 Risk and Vulnerability Assessments (RVAs) conducted across multiple critical infrastructure sectors in fiscal year 2023 (FY23).

The analysis details a sample attack path, including tactics and steps a cyber threat actor could follow to compromise an organization with weaknesses representative of those CISA observed in FY23 RVAs. The infographic highlights the most successful techniques for each tactic that RVAs documented. Both the analysis and infographic map threat actor behavior to the MITRE ATT&CK® framework.

More in Cybersecurity