<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Franklin Gothic Book";
panose-1:2 11 5 3 2 1 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.xxxmsonospacing, li.xxxmsonospacing, div.xxxmsonospacing
{mso-style-name:x_x_x_msonospacing;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.xmsonospacing, li.xmsonospacing, div.xmsonospacing
{mso-style-name:x_msonospacing;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.xcontentpasted0
{mso-style-name:x_contentpasted0;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="xxxmsonospacing">FYSA<o:p></o:p></p>
<p class="xxxmsonospacing"><o:p> </o:p></p>
<p class="xmsonospacing"><span class="xcontentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of
Health and Human Services (HHS) released a <a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-321a" title="https://www.cisa.gov/uscert/ncas/alerts/aa22-321a">
joint Cybersecurity Advisory (CSA)</a> with technical details associated with <a href="https://www.cisa.gov/uscert/ncas/current-activity/2022/11/17/stopransomware-hive" title="https://www.cisa.gov/uscert/ncas/current-activity/2022/11/17/stopransomware-hive">
Hive ransomware</a> variants identified through FBI investigations as recently as November 2022. </span></span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonospacing"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonospacing"><span class="xcontentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">From June 2021 through at least November 2022, threat actors have used Hive ransomware, which follows the Ransomware-as-a-Service
(RaaS) model, to target a wide range of businesses and critical infrastructure sectors, including government facilities, communications, manufacturing, information technology, and especially organizations in the Healthcare and Public Health (HPH) sector. </span></span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonospacing"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonospacing"><span class="xcontentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">The method of initial intrusion depends upon the Hive RaaS affiliate that targets the network; methods include using compromised credentials
in Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols in which multifactor authentication (MFA) is not enabled. </span></span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonospacing"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonospacing"><span class="xcontentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">Actions that organizations can take today to mitigate cyber threats from ransomware include prioritizing remediation of known exploited vulnerabilities,
enabling and enforcing multi-factor authentication with strong passwords, closing unused ports, and removing any application not deemed necessary for day-to-day operations. </span></span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonospacing"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonospacing"><span class="xcontentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">CISA, FBI and HHS urge all organizations, particularly those in the HPH sector, to apply the recommended mitigations in this CSA to
reduce the likelihood of compromise from Hive and other ransomware operations. Victims of ransomware should report the incident to their local FBI field office or CISA. </span></span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonospacing"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonospacing"><span class="xcontentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">This joint CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware
variants and ransomware threat actors. </span></span><span style="color:black"><o:p></o:p></span></p>
<p class="xmsonospacing"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><b><span style="color:#1F497D">Theresa A. Masse<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity and Infrastructure Security Agency<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Department of Homeland Security<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Phone: (503) 930-5671
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Email:</span><span style="font-size:10.0pt;color:#777777">
</span><a href="mailto:theresa.masse@cisa.dhs.gov"><span style="font-size:10.0pt;color:#0563C1">theresa.masse@cisa.dhs.gov</span></a><u><span style="font-size:10.0pt;color:#0760C1"><o:p></o:p></span></u></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
</div>
</body>
</html>