NERC needs your expertise to produce the most rewarding sessions for grid security professionals at GridSecCon 2021. As a leader in grid security, your views on best practices and the challenges facing the industry are invaluable. Submit an abstract [hXXp://www.cvent.com/c/abstracts/89308c6d-c7dd-4c35-ad1c-5780fd86a6b6] by April 21 for training sessions (October 18) or breakout sessions (October 19-20) at GridSecCon 2021. Training sessions will be in four-hour increments; breakout sessions will be in one-hour increments. Submitters will be notified of acceptance by May 17.
The E-ISAC is seeking abstracts from:
- Asset owners and operators in a physical or cyber security role;
- Academic researchers in the electricity industry;
- Sector-specific trade associations;
- Government partners;
- Cross-sector partners; and
- Industry vendors.
Please complete and submit your abstract by April 21.
Thank you, and we look forward to seeing you there virtually!
For more information or assistance, please contact events[@]eisac.com [mailto:events[@]eisac.com].
Save the Dates for GridSecCon 2021
NERC and Texas RE are co-hosting the 10th grid security conference, GridSecCon, on October 19–20, with training opportunities available on October 18. GridSecCon brings together cyber and physical security leaders from industry and government to deliver expert training sessions, share best practices, present lessons learned, and share effective threat mitigation programs.
The event will be held virtually due to the ongoing pandemic. More details will be available on the E-ISAC website, NERC website, and Texas RE website. We look forward to seeing you there virtually.
For more information or assistance, please contact firstname.lastname@example.org.
Active Exploitations: Multiple Vulnerabilities in Mozilla Firefox and Thunderbird Could Allow for Arbitrary Code Execution - PATCH NOW
Mozilla has reported multiple vulnerabilities in Mozilla Firefox, Firefox Extended Support Release (ESR), and Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution. Depending on the privileges of the user running the browser or mail client, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured with fewer rights on the system are less exposed than those who operate with administrative privileges.
- There are reports of adversarial exploitation of these vulnerabilities in the wild.
- Software security updates are available.
Systems Affected:
- Mozilla Firefox versions prior to 86
- Firefox ESR versions prior to 78.8
- Mozilla Thunderbird versions prior to 78.8
National Vulnerability Database entries (hXXps://nvd.nist.gov/search) were still pending at the time of writing. The specific vulnerabilities addressed in the available software updates are the following:
- CVE-2021-23968 - If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs.
- CVE-2021-23969 - As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin.
- CVE-2021-23970 - Context-specific code was included in a shared jump table, resulting in assertions being triggered in multithreaded Wasm (WebAssembly) code.
- CVE-2021-23971 - When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. This would have potentially resulted in more information than intended by the original origin being provided to the destination of the redirect.
- CVE-2021-23972 - One phishing tactic on the web is to provide a link with HTTP Auth. For example https://email@example.com. To mitigate this type of attack, Firefox will display a warning dialog; however, this warning dialog would not have been displayed if evil.com used a redirect that was cached by the browser.
- CVE-2021-23973 - When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that error may have revealed information about the resource.
- CVE-2021-23974 - The DOMParser API did not properly process <noscript> elements for escaping. This could be used as an mXSS vector to bypass an HTML Sanitizer.
- CVE-2021-23975 - The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. When this function was invoked we incorrectly called the sizeof function, instead of using the API method that checks for invalid pointers.
- CVE-2021-23976 - When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites.
Note: This is a different issue from CVE-2020-26954 and affected only Firefox for Android; other operating systems are unaffected.
- CVE-2021-23977 - Firefox for Android suffered from a time-of-check-time-of-use vulnerability that allowed a malicious application to read sensitive data from application directories.
Note: This issue affected only Firefox for Android; other operating systems are unaffected.
- CVE-2021-23978 - Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and Mats Palmgren reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
- CVE-2021-23979 - Mozilla developers Tyson Smith, Lars T Hansen, Valentin Gosu, and Sebastian Hengst reported memory safety bugs present in Firefox 85. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
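The phishing tactic behind CVE-2021-23972 is worth being able to spot outside the browser as well, for instance in a mail gateway or when reviewing proxy logs. The following is an added example, not code from this bulletin or from Mozilla: it splits a link into the userinfo (HTTP Auth) portion a reader sees first and the host the browser will actually connect to, and flags links where the userinfo looks like a domain name. The sample links are constructed for illustration.

```python
"""Spot links that put a host-like name in the URL's userinfo (HTTP Auth) slot.

Added example; not code from the E-ISAC bulletin or from Mozilla. In a link such
as https://www.bank.example@evil.example/ the reader sees "www.bank.example"
first, but the browser connects to evil.example: everything before the last '@'
in the authority is userinfo and plays no part in choosing the destination host.
Browsers warn on such links; this check lets a gateway or log review flag them
before a user ever clicks. SAMPLE_LINKS is constructed.
"""
from urllib.parse import urlsplit


def analyze_link(url: str) -> dict:
    """Split a link into what the reader is likely to see and where it really goes."""
    parts = urlsplit(url)
    netloc = parts.netloc
    userinfo = netloc.rsplit("@", 1)[0] if "@" in netloc else ""
    username = userinfo.split(":", 1)[0]
    actual_host = (parts.hostname or "").lower()
    # A dotted "username" reads like a domain, which is the whole point of the trick.
    deceptive = bool(userinfo) and "." in username
    return {
        "url": url,
        "userinfo": userinfo,
        "actual_host": actual_host,
        "has_userinfo": bool(userinfo),
        "deceptive": deceptive,
    }


def flag_links(urls):
    """Return the links that carry userinfo at all, host-like userinfo first."""
    findings = [analyze_link(u) for u in urls]
    flagged = [f for f in findings if f["has_userinfo"]]
    return sorted(flagged, key=lambda f: not f["deceptive"])


# Constructed sample: what an email URL extractor might hand over.
SAMPLE_LINKS = [
    "https://www.bank.example/login",
    "https://www.bank.example@evil.example/login",
    "http://user:secret@intranet.example/report",
    "https://www.bank.example:443@198.51.100.7/",
]

if __name__ == "__main__":
    for f in flag_links(SAMPLE_LINKS):
        tag = "DECEPTIVE" if f["deceptive"] else "userinfo"
        print(f"{tag:9} reader sees {f['userinfo']!r:28} -> connects to {f['actual_host']}")
```

The check deliberately treats any link with userinfo as worth a look, since legitimate mail rarely carries credentials in a URL, and ranks links whose "username" is dotted highest because that is the form that imitates a trusted site. It says nothing about the cached-redirect path the advisory describes; that is a browser-side fix and is covered only by applying the update.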
What to Do:
Many home users receive updates automatically, and most organizations deploy end-user software updates on a regular cycle, e.g., monthly on Patch Tuesday [hXXps://en.wikipedia.org/wiki/Patch_Tuesday]. Because exploitation of these issues has been reported in the wild, waiting for the next scheduled cycle leaves a window of exposure; deploying these updates out of band, as soon as testing allows, is the quickest way to reduce that risk.
General recommendations include:
- Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
- Apply the Principle of Least Privilege to all systems and services.
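Confirming that the update has actually landed is the step that most often gets skipped, and a naive "version below 86" check gets it wrong for ESR desktops. The following is an added example, not code from this bulletin or from Mozilla: it takes an inventory export of (host, product, version) records and reports which installs are still below the fixed versions listed above (Firefox 86, Firefox ESR 78.8, Thunderbird 78.8). The comparison is branch-aware, so a Firefox 78.x install is judged against the ESR line. The inventory records and the Install record layout are constructed for illustration.

```python
"""Patch-status check for the Mozilla advisories above (MFSA 2021-07/08/09).

Added example; not code from the E-ISAC bulletin or from Mozilla. Fixed versions
are the ones the bulletin lists. A Firefox 78.x install is on the ESR line and must
be compared against 78.8, not 86, or every patched ESR desktop would be reported
as vulnerable. SAMPLE_INVENTORY and the Install record layout are constructed.
"""
import re
from typing import NamedTuple

# Fixed versions as (major, minor, patch); anything lower is vulnerable.
FIXED_VERSIONS = {
    "firefox": (86, 0, 0),
    "firefox-esr": (78, 8, 0),
    "thunderbird": (78, 8, 0),
}

ESR_MAJOR = 78  # the ESR line current at the time of the advisory

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*([a-z]*)")


class Install(NamedTuple):
    host: str
    product: str   # "Firefox" or "Thunderbird", as the inventory tool reports it
    version: str   # e.g. "85.0.2", "78.7.1esr", "78.8"


def parse_version(version: str):
    """'78.7.1esr' -> ((78, 7, 1), 'esr'); missing components count as 0."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(x) if x else 0 for x in m.group(1, 2, 3))
    return nums, m.group(4)


def advisory_line(product: str, version: str):
    """Pick which fixed version an install must be compared against."""
    nums, suffix = parse_version(version)
    product = product.strip().lower()
    if product == "thunderbird":
        return "thunderbird", nums
    if product == "firefox":
        # Some inventory tools drop the 'esr' suffix, so treat any 78.x as ESR.
        if suffix == "esr" or nums[0] == ESR_MAJOR:
            return "firefox-esr", nums
        return "firefox", nums
    raise ValueError(f"not a product covered by this advisory: {product!r}")


def is_vulnerable(product: str, version: str) -> bool:
    line, nums = advisory_line(product, version)
    return nums < FIXED_VERSIONS[line]


def vulnerable_installs(inventory):
    """Return the records still running a vulnerable version."""
    return [i for i in inventory if is_vulnerable(i.product, i.version)]


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Install("ws-101", "Firefox", "85.0.2"),
    Install("ws-102", "Firefox", "86.0"),
    Install("ws-103", "Firefox", "78.7.1esr"),
    Install("ws-104", "Firefox", "78.8.0esr"),
    Install("ws-105", "Firefox", "78.8"),       # ESR with the suffix dropped
    Install("ws-106", "Thunderbird", "78.7.1"),
    Install("ws-107", "Thunderbird", "78.8.0"),
]

if __name__ == "__main__":
    for i in vulnerable_installs(SAMPLE_INVENTORY):
        line, _ = advisory_line(i.product, i.version)
        fixed = ".".join(map(str, FIXED_VERSIONS[line]))
        print(f"{i.host}: {i.product} {i.version} is below {fixed} ({line}); update required")
```

Feed it the version column from whatever endpoint management tool you already have rather than trusting the update job's exit status; a browser that has downloaded an update but has not been restarted still reports the old version, which is exactly the case this check is meant to catch. It covers the desktop products listed above only; Firefox for Android (CVE-2021-23976 and CVE-2021-23977) is versioned and distributed separately.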
The E-ISAC thanks the MS-ISAC and other partners for advising of this development, and is providing this information for member awareness. The E-ISAC has not established any specific threat to the electricity community based upon these vulnerabilities. We will continue to monitor this situation and provide relevant updates when necessary. Your feedback helps us improve our products for the industry. If you have comments or questions, or if your organization experiences malicious activity, please create a Portal post for rapid community awareness or directly contact E-ISAC Watch Operations [mailto:operations[@]eisac.com] at operations[@]eisac.com or 202-790-6000.
- “Mozilla Foundation Security Advisory 2021-07: Security Vulnerabilities fixed in Firefox 86.” Mozilla Security Advisories. February 23, 2021. hXXps://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
- “Mozilla Foundation Security Advisory 2021-08: Security Vulnerabilities fixed in Firefox ESR 78.8.” Mozilla Security Advisories. February 23, 2021. hXXps://www.mozilla.org/en-US/security/advisories/mfsa2021-08/
- “Mozilla Foundation Security Advisory 2021-09: Security Vulnerabilities fixed in Thunderbird 78.8.” Mozilla Security Advisories. February 23, 2021. hXXps://www.mozilla.org/en-US/security/advisories/mfsa2021-09/
The E-ISAC is hiring and is providing this bulletin to make its members and partners aware of three current vacancies. Please direct all questions to hr@nerc[.]net
The available positions are:
- Engagement and Outreach Coordinator - More information may be found here: hXXps://www.nerc[.]com/AboutNERC/careers/Career%20Opportunities%20DL/E-ISAC%20-%20Engagement%20and%20Outreach%20Coordinator.pdf
- Senior Cyber Threat Intelligence Analyst - More information may be found here: hXXps://www.nerc[.]com/AboutNERC/careers/Career%20Opportunities%20DL/Senior_CTI_Analyst_job_description_Dec_2020%20FINAL.pdf
- Watch Officer / All-Source Analyst - More information may be found here: hXXps://www.nerc.com/AboutNERC/careers/Career%20Opportunities%20DL/Watch%20Officer%20-%20All%20Source%20Analyst%20JD.pdf
Effective January 1, 2021, applicable NERC registered entities must comply with the expanded incident reporting requirements in revised Reliability Standard CIP-008-6. Reports must be submitted to the E-ISAC and, for entities subject to the jurisdiction of the United States, to the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA). Staff should work with their compliance departments on their entity’s specific requirements and obligations.
To report to the E-ISAC you may use, but are not limited to, the following reporting mechanisms:
• EOP-004 (hXXps://www.nerc.com/pa/Stand/Reliability%20Standards/EOP-004-4[.]pdf)
• E-ISAC Portal Bulletin
• Email to operations@eisac[.]com
• Call E-ISAC Watch Operations at 202-790-6000
• Copy of an OE-417 (hXXps://www.oe.netl.doe.gov/docs/OE417_Form_05312021[.]pdf)
To report to DHS CISA (submissions should be marked as CIP-008 reporting when submitted to CISA):
• CISA Incident Reporting form (hXXps://us-cert.cisa[.]gov/forms/report); a copy of this report may also be sent to the E-ISAC to reduce duplication of effort
The E-ISAC is providing this information for situational awareness. If you have specific questions about the applicability of the revised CIP-008-6 Reliability Standard, or need guidance, please contact NERC’s Compliance Assurance staff or your respective Regional Entity Compliance or Enforcement staff.
If you have any questions about submitting a CIP-008-6 report to the E-ISAC, please contact operations@eisac[.]com or call 202-790-6000.
The Department of Homeland Security (DHS) has designated October as National Cyber Security Awareness Month (NCSAM). Join the E-ISAC in spreading cyber security awareness and learn how you can do your part to be #CyberSmart. Visit the NCSAM website [hXXps://www.cisa.gov/national-cyber-security-awareness-month] to access the full suite of resources, including informative tip sheets, interactive presentations, and social media posts to promote awareness. These resources are free and may be modified to meet your needs.
On September 30, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) [hXXps://www.cisecurity.org/ms-isac/] released a joint Ransomware Guide [hXXps://www.cisa.gov/publication/ransomware-guide] that details practices organizations should continuously engage in to manage the risk posed by ransomware and other cyber threats. The guide provides actionable best practices for ransomware prevention as well as a ransomware response checklist that can serve as a ransomware-specific addendum to an organization’s cyber incident response plan.
CISA encourages users and administrators to review the Ransomware Guide [hXXps://www.cisa.gov/publication/ransomware-guide] and CISA’s Ransomware webpage [hXXps://us-cert.cisa.gov/Ransomware] for additional information.
E-ISAC is re-sharing this information for your situational awareness.
If any adversarial action is experienced due to ransomware or any other cyber threat, contact the E-ISAC Watch Operations Team [mailto:operations[@]eisac.com], and create a Portal Post for instant community awareness.
Cybersecurity and Infrastructure Security Agency (CISA). CISA Publication. “Ransomware Guide.” September 30, 2020. hXXps://www.cisa.gov/publication/ransomware-guide
Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing & Analysis Center (MS-ISAC). “Ransomware Guide.” September 30, 2020. hXXps://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
The Centers for Disease Control and Prevention (CDC) has made a connection between COVID-19 and Multi-System Inflammatory Syndrome in Children (MIS-C).
The U.S. Centers for Disease Control and Prevention (CDC) on Thursday released guidance that schools, businesses, and other organizations can use as states reopen from coronavirus shutdowns.
CDC issued a health advisory to doctors across the country Thursday advising them to be on the lookout for a troubling new syndrome that may be associated with COVID-19 infection.
The syndrome, called multisystem inflammatory syndrome in children (MIS-C), has been seen in children across Europe and in at least 18 states, plus Washington, D.C.
"In early May 2020, the New York City Department of Health and Mental Hygiene received reports of children with multisystem inflammatory syndrome," the CDC health advisory said. "There is limited information currently available about risk factors, pathogenesis, clinical course, and treatment for MIS-C," it said.
"CDC is requesting healthcare providers report suspected cases to public health authorities to better characterize this newly recognized condition in the pediatric population," the advisory said.
Traditional Media Sources
Updated ESCC COVID-19 Resource Guide
This is an updated novel coronavirus (or COVID-19) Resource Guide for the electric power industry. This living document was developed under the direction of the Electricity Subsector Coordinating Council (ESCC), with participation from all segments of the industry and the natural gas sector. It provides information and options to consider when making localized decisions in response to the current global health emergency.
SANS WFH Deployment Kit
The spread of the global COVID-19 pandemic has resulted in many organizations adopting work-from-home policies. Shifting to an entirely remote workforce may be new for many businesses, which means they could lack the processes, policies, and technologies required for business continuity. To assist businesses in creating a secure remote workforce, SANS published a “Securely Working From Home Deployment Kit,” which can be found here [hXXps://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit].