SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to disseminate QakBot infrastructure indicators of compromise (IOCs) identified through FBI investigations as of August 2023. On August 25, FBI and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. The FBI is working closely with industry partners to share information about the malware to maximize detection, remediation, and prevention measures for network defenders.

CISA and FBI encourage organizations to implement the recommendations in the Mitigations section to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Note: The disruption of QakBot infrastructure does not mitigate other previously installed malware or ransomware on victim computers. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to a local FBI Field Office or CISA at cisa.gov/report.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

TECHNICAL DETAILS

Overview

QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally. QakBot has been the precursor to a significant amount of computer intrusions, to include ransomware and the compromise of user accounts within the Financial Sector. In existence since at least 2008, QakBot feeds into the global cybercriminal supply chain and has deep-rooted connections to the criminal ecosystem. QakBot was originally used as a banking trojan to steal banking credentials for account compromise; in most cases, it was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network.

Since its initial inception as a banking trojan, QakBot has evolved into a multi-purpose botnet and malware variant that provides threat actors with a wide range of capabilities, to include performing reconnaissance, engaging in lateral movement, gathering and exfiltrating data, and delivering other malicious payloads, including ransomware, on affected devices. QakBot has maintained persistence in the digital environment because of its modular nature. Access to QakBot-affected (victim) devices via compromised credentials are often sold to further the goals of the threat actor who delivered QakBot.

QakBot and affiliated variants have targeted the United States and other global infrastructures, including the Financial Services, Emergency Services, and Commercial Facilities Sectors, and the Election Infrastructure Subsector. FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood of QakBot-related infections and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other previously installed malware or ransomware on victim computers. If a potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA and FBI.

QakBot Infrastructure

QakBot’s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike^[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti^[2], ProLock^[3], Egregor^[4], REvil^[5], MegaCortex^[6], Black Basta^[7], Royal^[8], and PwndLocker.

Historically, QakBot’s C2 infrastructure relied heavily on using hosting providers for its own infrastructure and malicious activity. These providers lease servers to malicious threat actors, ignore abuse complaints, and do not cooperate with law enforcement. At any given time, thousands of victim computers running Microsoft Windows were infected with QakBot—the botnet was controlled through three tiers of C2 servers.

The first tier of C2 servers includes a subset of thousands of bots selected by QakBot administrators, which are promoted to Tier 1 “supernodes” by downloading an additional software module. These supernodes communicate with the victim computers to relay commands and communications between the upstream C2 servers and the infected computers. As of mid-June 2023, 853 supernodes have been identified in 63 countries, which were active that same month. Supernodes have been observed frequently changing, which assists QakBot in evading detection by network defenders. Each bot has been observed communicating with a set of Tier 1 supernodes to relay communications to the Tier 2 C2 servers, serving as proxies to conceal the main C2 server. The Tier 3 server controls all of the bots.

Indicators of Compromise

FBI has observed the following threat actor tactics, techniques, and procedures (TTPs) in association with OakBot infections:

1. QakBot sets up persistence via the Registry Run Key as needed. It will delete this key when running and set it back up before computer restart: HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun
2. QakBot will also write its binary back to disk to maintain persistence in the following folder: C:UsersAppDataRoamingMicrosoft
3. QakBot will write an encrypted registry configuration detailing information about the bot to the following registry key: HKEY_CURRENT_USERSoftwareMicrosoft

In addition, the below IP addresses were assessed to have obtained access to victim computers. Organizations are encouraged to review any connections with these IP addresses, which could potentially indicate a QakBot and/or follow-on malware infection.

Disclaimer: The below IP addresses are assessed to be inactive as of August 29, 2023. Several of these observed IP addresses were first observed as early as 2020, although most date from 2022 or 2023, and have been historically linked to QakBot. FBI and CISA recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.

Organizations are also encouraged to review the Qbot/QakBot Malware presentation from the U.S. Department of Health & Human Services Cybersecurity Program for additional information.

MITRE ATT&CK TECHNIQUES

For detailed associated software descriptions, tactics used, and groups that have been observed using this software, see MITRE ATT&CK’s page on QakBot.^[9]

MITIGATIONS

Note: For situational awareness, the following SHA-256 hash is associated with FBI’s QakBot uninstaller: 7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117

CISA and FBI recommend network defenders apply the following mitigations to reduce the likelihood of QakBot-related activity and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other already-installed malware or ransomware on victim computers. Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Best Practice Mitigation Recommendations

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud) [CPG 2.O, 2.R, 5.A].
• Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards when developing and managing password policies [CPG 2.B]. This includes:
  • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;
  • Store passwords in hashed format using industry-recognized password managers;
  • Add password user “salts” to shared login credentials;
  • Avoid reusing passwords;
  • Implement multiple failed login attempt account lockouts;
  • Disable password “hints”;
  • Refrain from requiring password changes more frequently than once per year.
    Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
  • Require administrator credentials to install software.
• Use phishing-resistant multi-factor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services as possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins. For additional guidance on secure MFA configurations, visit cisa.gov/MFA and CISA’s Implementing Phishing-Resistant MFA Factsheet.
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities of internet-facing systems [CPG 1.E]. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. Specifically, Cyber Hygiene services can help provide a second-set of eyes on organizations’ internet-accessible assets. Organizations can email vulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services” to get started.
• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks to restrict adversary lateral movement [CPG 2.F].
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated malware with a networking monitoring tool. To aid in detecting the malware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.D, 2.E].
• Disable unused ports [CPG 2.V, 2.W, 2X].
• Consider adding an email banner to emails received from outside your organization.
• Disable hyperlinks in received emails.
• Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task [CPG 2.E].
• Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
• Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].
• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

Ransomware Guidance

• CISA.gov/stopransomware is a whole-of-government resource that serves as one central location for ransomware resources and alerts.
• CISA, FBI, the National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.
• CISA has released a new module in its Cyber Security Evaluation Tool (CSET), the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate cybersecurity practices on their networks.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see MITRE ATT&CK’s page on QakBot).^[9]
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques.

REPORTING

FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with QakBot-affiliated actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report.

RESOURCES

• HHS: Qbot/QakBot Malware
• CISA: CPGs
• NIST: 800-63B Digital Identity Guidelines
• CISA: MFA
• CISA: Implementing Phishing-Resistant MFA
• CISA: Known Exploited Vulnerabilities Catalog
• CISA: Cyber Hygiene
• CISA: Zero Trust
• CISA: #StopRansomware
• CISA: #StopRansomware Guide
• CISA: CSET Tool Sets Sights on Ransomware Threat

REFERENCES

1. MITRE: Cobalt Strike
2. MITRE: Conti
3. MITRE: ProLock
4. MITRE: Egregor
5. MITRE: REvil
6. MITRE: MegaCortex
7. MITRE: Black Basta
8. MITRE: Royal
9. MITRE: QakBot

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.

VERSION HISTORY

August 30, 2023: Initial version.

CISA released one Industrial Control Systems (ICS) advisory on August 29, 2023. This advisory provides timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

• ICSA-23-241-01 PTC CodeBeamer

CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations.

1. EXECUTIVE SUMMARY

• ​CVSS v3 8.8
• ​ATTENTION: Exploitable remotely/low attack complexity
• ​Vendor: PTC
• ​Equipment: Codebeamer
• ​Vulnerability: Cross site scripting

2. RISK EVALUATION

​Successful exploitation of this vulnerability could allow an attacker to inject arbitrary JavaScript code, which could be executed in the victim’s browser upon clicking on a malicious link.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​The following versions of PTC Codebeamer, Application Lifecycle Management (ALM) platform for product and software development, are affected:

• ​Codebeamer: v22.10-SP6 or lower
• ​Codebeamer: v22.04-SP2 or lower
• ​Codebeamer: v21.09-SP13 or lower

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79

​If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.

​CVE-2023-4296 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

• ​CRITICAL INFRASTRUCTURE SECTORS: Multiple
• ​COUNTRIES/AREAS DEPLOYED: Worldwide
• ​COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

​Niklas Schilling of SEC Consult Vulnerability Lab reported this vulnerability to CISA.

4. MITIGATIONS

​PTC recommends the following:

• ​Version 22.10.X: upgrade to 22.10-SP7 or newer version
• ​Version 22.04.X: upgrade to 22.04-SP3 or newer version
• ​Version 21.09.X: upgrade to 21.09-SP14 or newer version

​Docker Image download: https://hub.docker.com/r/intland/codebeamer/tags

​Codebeamer installers: https://intland.com/codebeamer-download/

​Hosted customers may request an upgrade through the support channel.

​Note that version 2.0 is not impacted by this vulnerability.

​For more information refer to PTC Security Advisory and Resolution.

​CISA recommends users take the following measures to protect themselves from social engineering attacks:

• ​Do not click web links or open attachments in unsolicited email messages.
• ​Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• ​Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

​No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

CISA has released additional indicators of compromise (IOCs) associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. Malicious threat actors exploited this vulnerability as a zero day as early as October 2022 to gain access to ESG appliances. 

Download the newly released IOCs associated with this activity:

Review the following advisories for more information:  

• Barracuda: Barracuda Email Security Gateway Appliance (ESG) Vulnerability
• Mandiant: Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)

See CISA Releases Malware Analysis Reports on Barracuda Backdoors for malware analysis reports (MARs) covering previously released IOCs and YARA rules and Barracuda Networks Releases Update to Address ESG Vulnerability. 

Today, the Cybersecurity and Infrastructure Security Agency (CISA) released its inaugural Vulnerability Disclosure Policy (VDP) Platform 2022 Annual Report, highlighting the service’s progress supporting vulnerability awareness and remediation across the Federal Civilian Executive Branch (FCEB). This report showcases how agencies have used the VDP Platform—launched in July 2021—to safeguard the FCEB and support risk reduction. The VDP platform gives federal agencies a single, user-friendly interface to intake vulnerability information and to collaborate with the public researcher community for vulnerability awareness and remediation.

CISA urges FCEB agencies to review the VDP Platform 2022 Annual Report and encourages use of the platform to promote good-faith security research if they are not already doing so. By promoting an agency’s VDP to the public security researcher community, the platform benefits users by harnessing researchers’ expertise to search for and detect vulnerabilities that traditional scanning technology might not find.

CISA is actively seeking to enhance future collaborations with the public security researcher community and welcomes participation and partnership.

1. EXECUTIVE SUMMARY

• ​CVSS v3 8.6 
• ​ATTENTION: Exploitable remotely/low attack complexity 
• ​Vendor: Rockwell Automation  
• ​Equipment: 1734-AENT/1734-AENTR Series C, 1734-AENT/1734-AENTR Series B, 1738-AENT/ 1738-AENTR Series B, 1794-AENTR Series A, 1732E-16CFGM12QCWR Series A, 1732E-12X4M12QCDR Series A, 1732E-16CFGM12QCR Series A, 1732E-16CFGM12P5QCR Series A, 1732E-12X4M12P5QCDR Series A, 1732E-16CFGM12P5QCWR Series B, 1732E-IB16M12R Series B, 1732E-OB16M12R Series B, 1732E-16CFGM12R Series B, 1732E-IB16M12DR Series B, 1732E-OB16M12DR Series B, 1732E-8X8M12DR Series B, 1799ER-IQ10XOQ10 Series B 
• ​Vulnerability: Out-of-Bounds Write 

2. RISK EVALUATION

​Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service on the affected products.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​The following versions of select Input/Output Modules from Rockwell Automation are affected: 

• ​1734-AENT/1734-AENTR Series C: Versions 7.011 and prior  
• ​1734-AENT/1734-AENTR Series B: Versions 5.019 and prior  
• ​1738-AENT/ 1738-AENTR Series B: Versions 6.011 and prior  
• ​1794-AENTR Series A: Versions 2.011 and prior  
• ​1732E-16CFGM12QCWR Series A: Versions 3.011 and prior 
• ​1732E-12X4M12QCDR Series A: Versions 3.011 and prior  
• ​1732E-16CFGM12QCR Series A: Versions 3.011 and prior  
• ​1732E-16CFGM12P5QCR Series A: Versions 3.011 and prior  
• ​1732E-12X4M12P5QCDR Series A: Versions 3.011 and prior 
• ​1732E-16CFGM12P5QCWR Series B: Versions 3.011 and prior  
• ​1732E-IB16M12R Series B: Versions 3.011 and prior  
• ​1732E-OB16M12R Series B: Versions 3.011 and prior  
• ​1732E-16CFGM12R Series B: Versions 3.011 and prior  
• ​1732E-IB16M12DR Series B: Versions 3.011 and prior  
• ​1732E-OB16M12DR Series B: Versions 3.011 and prior  
• ​1732E-8X8M12DR Series B: Versions 3.011 and prior 
• ​1799ER-IQ10XOQ10 Series B: Versions 3.011 and prior  

3.2 VULNERABILITY OVERVIEW

3.2.1 ​OUT-OF-BOUNDS WRITE CWE-787 

​Pyramid Solutions’ affected products, the Developer and DLL kits for EtherNet/IP Adapter and EtherNet/IP Scanner may be vulnerable to an out-of-bounds write, which may allow an unauthorized threat actor to send a specially crafted packet that may result in a denial-of-service condition. 

​CVE-2022-1737 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). 

3.3 BACKGROUND

• ​CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
• ​COUNTRIES/AREAS DEPLOYED: Worldwide 
• ​COMPANY HEADQUARTERS LOCATION: United States 

3.4 RESEARCHER

​Rockwell Automation reported this vulnerability to CISA. 

4. MITIGATIONS

​Rockwell Automation has released and recommends users apply the following mitigations: 

• ​1734-AENT/1734-AENTR Series C: Versions 7.011 and prior. Upgrade to 7.013 
• ​1734-AENT/1734-AENTR Series B: Versions 5.019 and prior. Upgrade to 5.021  
• ​1738-AENT/ 1738-AENTR Series B: Versions 6.011 and prior. Upgrade to 6.013  
• ​1794-AENTR Series A: Versions 2.011 and prior. Upgrade to 2.012  
• ​1732E-16CFGM12QCWR Series A: Versions 3.011 and prior. Upgrade to 3.012 
• ​1732E-12X4M12QCDR Series A: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-16CFGM12QCR Series A: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-16CFGM12P5QCR Series A: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-12X4M12P5QCDR Series A: Versions 3.011 and prior. Upgrade to 3.012 
• ​1732E-16CFGM12P5QCWR Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-IB16M12R Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-OB16M12R Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-16CFGM12R Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-IB16M12DR Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-OB16M12DR Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-8X8M12DR Series B: Versions 3.011 and prior. Upgrade to 3.012 
• ​1799ER-IQ10XOQ10 Series B: Versions 3.011 and prior. Upgrade to 3.012 

​Rockwell Automation encourages users of the affected software to apply the risk mitigations below, if possible. Additionally, users are encouraged to implement suggested security best practices to minimize the risk of vulnerability. 

​Users should upgrade to the corrected firmware to mitigate the issues:

• ​Security best practices 

​For more information, see Rockwell Automation’s Security Advisory. 

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. 

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. 

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

​No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.