[CDP-development] Important Alert from CISA and the FBI – Advanced Persistent Threat Scanning - TLP: AMBER

Masse, Theresa theresa.masse at cisa.dhs.gov
Fri Oct 21 09:47:41 PDT 2022


FYSA

CISA and the FBI have recently become aware of vulnerability scanning activities carried out by an advanced persistent threat (APT) group associated with the People’s Republic of China (PRC). Based on the information CISA and the FBI have available at this time, this scanning activity was carried out against, at least, U.S. state-level and national-level political party web domains as well as general and election-specific state, local, tribal, and territorial (SLTT) networks.
This scanning is considered network reconnaissance and potentially an early warning sign of future attempts by the APT group to conduct initial network exploitation activities that could lead to additional malicious cyber activity. Scanning was conducted from malicious infrastructure located at U.S. IP address (exercise caution) 24[.]154[.]134[.]54 in the approximate timeframe of at least as early as April through October of this year, with the most recent scanning observed on October 14th. This IP address was likely used for this scanning activity in order to obfuscate the cyber actor's true origin point. CISA and FBI assess that any potential follow-on malicious cyber activity will likely originate from a different IP address.
This activity was conducted using a vulnerability scanning and domain enumeration tool, likely so the PRC cyber actor could build a target network for possible future operations (T1590.001, https://attack.mitre.org/techniques/T1590/001/). Given the capabilities of the vulnerability scanning and domain enumeration tool, it is likely the domains were scanned so the actor could obtain additional sub-domains for possible future computer network exploitation (CNE) operations.
CISA, FBI, and the MS- and EI-ISAC are reaching out to proactively notify all identified affected organizations. CISA and the FBI are not aware of additional related malicious cyber activity, beyond the vulnerability scanning described in this message, at this time.

Recommended Actions:
CISA and the FBI recommend that all organizations in receipt of this message take the following steps for network defense:

  *   Search logs, as far back as possible, for any network interactions with the provided IP. If potentially related malicious activity is detected, organizations should investigate it as a priority and share related information and context with CISA, FBI, or the MS- and EI-ISAC, as appropriate (contact information provided below). Remain vigilant for similar or potentially related activity even if it is not tied to the same IP address listed above.

     *   CISA Central at 888-282-0870 or via email at report at cisa.gov
     *   FBI Field Office (https://www.fbi.gov/contact-us/field-offices/).

            Additional contacts for SLTT/Election organizations:

     *   MS- and EI-ISAC at 866-787-4722 or via email at SOC at cisecurity.org
     *   Local jurisdictions are recommended to contact their state election official
     *   State jurisdictions are recommended to contact local jurisdictions
     *   State Fusion Centers (https://www.dhs.gov/fusion-center-locations-and-contact-information).


  *   See CISA's Security Tip (ST18-006) Website Security (https://www.cisa.gov/uscert/ncas/tips/ST18-006) for web security best practices. In particular, it is best practice to utilize a web application firewall and regularly conduct web application and vulnerability scanning against your network and address findings in a timely manner.

     *   CISA offers no-cost web application scanning and vulnerability scanning services; please see CISA's Cyber Resource Hub (https://www.cisa.gov/cyber-resource-hub).
     *   In addition, SLTT election organizations should review CISA's no-cost Cybersecurity Toolkit to Protect Elections (https://www.cisa.gov/cybersecurity-toolkit-protect-elections).
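The first recommended action above is a retrospective log search for the published indicator, with the caveat that follow-on activity will likely come from a different address. The script below is an added example written for this archive, not code from CISA, the FBI or the alert itself. It assumes web server logs in the Apache/nginx combined format (the parser and the constructed sample lines are assumptions), matches the alert's defanged IP exactly as published, and adds a simple behavioural heuristic (one client, many distinct paths, mostly 4xx responses) for the "similar or potentially related activity" case; the thresholds in that heuristic are arbitrary starting points, not values from the alert.

```python
import re
from collections import defaultdict
from datetime import datetime

# IoC exactly as published in the alert (defanged); refanged only at match time.
ALERT_IOC_DEFANGED = "24[.]154[.]134[.]54"

# Combined log format (assumed): client IP, two dash fields, bracketed timestamp,
# quoted request line, status code, response size, then referer and user agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines. 203.0.113.7 and 198.51.100.23 are documentation
# addresses (RFC 5737) used here as a benign visitor and a hypothetical second scanner.
SAMPLE_LOG_LINES = [
    '24.154.134.54 - - [14/Oct/2022:03:12:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '24.154.134.54 - - [14/Oct/2022:03:12:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '24.154.134.54 - - [14/Oct/2022:03:12:02 +0000] "GET /backup/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '24.154.134.54 - - [14/Oct/2022:03:12:03 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '24.154.134.54 - - [14/Oct/2022:03:12:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Oct/2022:03:15:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Oct/2022:03:15:11 +0000] "GET /static/site.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Oct/2022:03:15:12 +0000] "GET /static/app.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Oct/2022:03:15:20 +0000] "GET /elections/results HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Oct/2022:03:15:25 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/Oct/2022:22:40:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "python-requests/2.28"',
    '198.51.100.23 - - [18/Oct/2022:22:40:01 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "python-requests/2.28"',
    '198.51.100.23 - - [18/Oct/2022:22:40:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.28"',
    '198.51.100.23 - - [18/Oct/2022:22:40:02 +0000] "GET /config.php HTTP/1.1" 404 196 "-" "python-requests/2.28"',
    '198.51.100.23 - - [18/Oct/2022:22:40:03 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "python-requests/2.28"',
    'this line is not in combined format and is skipped by the parser',
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('24[.]154[.]134[.]54') back into a literal IP."""
    return indicator.replace("[.]", ".")


def parse_combined(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": parts[0],
        "path": parts[1] if len(parts) >= 2 else "",
        "status": int(m.group("status")),
    }


def summarize_ioc(lines, ioc_defanged=ALERT_IOC_DEFANGED):
    """Exact-match search for the published IP: count, first/last seen, paths requested."""
    ioc = refang(ioc_defanged)
    hits = [r for r in map(parse_combined, lines) if r and r["ip"] == ioc]
    if not hits:
        return {"count": 0, "first_seen": None, "last_seen": None, "paths": []}
    return {
        "count": len(hits),
        "first_seen": min(r["ts"] for r in hits),
        "last_seen": max(r["ts"] for r in hits),
        "paths": sorted({r["path"] for r in hits}),
    }


def find_enumeration_like_sources(lines, min_requests=5, min_error_ratio=0.6):
    """Heuristic for activity not tied to the published IP: a client requesting many
    distinct paths that mostly return 4xx behaves like a scanner, whatever its address."""
    per_ip = defaultdict(lambda: {"paths": set(), "total": 0, "errors": 0})
    for rec in map(parse_combined, lines):
        if not rec:
            continue
        s = per_ip[rec["ip"]]
        s["paths"].add(rec["path"])
        s["total"] += 1
        if 400 <= rec["status"] < 500:
            s["errors"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["errors"] / s["total"]
        if s["total"] >= min_requests and len(s["paths"]) >= min_requests and ratio >= min_error_ratio:
            flagged[ip] = {"requests": s["total"], "distinct_paths": len(s["paths"]), "error_ratio": ratio}
    return flagged


if __name__ == "__main__":
    print("IoC summary:", summarize_ioc(SAMPLE_LOG_LINES))
    print("Scanner-like sources:", find_enumeration_like_sources(SAMPLE_LOG_LINES))
```

Against the constructed sample, the exact-match search finds five requests from the published IP on 14 October, and the heuristic flags both that IP and the second address while leaving the normal visitor alone. On real logs, feed the file line by line into the same two functions and treat anything the heuristic flags as a lead to review, not a confirmed finding; the retention window of the logs you can reach is what bounds "as far back as possible."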

CISA and the FBI recommend prioritizing the patching of vulnerabilities listed within CISA's Alert "Top CVEs Actively Exploited By People's Republic of China State-Sponsored Cyber Actors" (https://www.cisa.gov/uscert/ncas/alerts/aa22-279a) and CISA's Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog).


Theresa A. Masse
Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov
