Overall, Subject, and GeoPolitical Alerts

Whilst the alerts on product vulnerabilities are useful, we have introduced an Overall Alert when something big hits the security world, such as Wannacry etc. The definitions below will give an idea of the criteria considered when setting the status. 

We have also introduced more granular Subject Alert States and Geo-Political Alerts for when tensions around the world may lead to cyber security issues for everybody. 


Current Overall Alert State

Guarded


Current Subject Alerts States

Middle East

16 Oct, 2019 - Reuters confirms Cyber attacks on Iran after Saudi oil facility attack.  And of course, actual fighting in Turkey, Syria.
More here.
16 Sep, 2019 - We have raised a GeoPolitical Alert for the Middle East.  After the bombing of Saudi Aramco, tensions in the Middle East are increasing.   The players involved are many, and others would take advantage while the world's eyes are elsewhere.
More here, here, here, here, and here.


Overall Historical Alert State Details

2019 Overall Alert History

Unpatched Servers and US:Iran conflict

26 June, 2019 - "Everything is awesome, Everything is cool" Well, maybe not yet, but dropping to Guarded because it is quiet.
24 June, 2019 - dropping a level as the original items are quiet.
23 June, 2019 - US:Iran
With US:Iran increased tensions, the overall cyber world should be on high alert.
18 June, 2019 - BlueKeep, Exim, Infrastructure
Exploit code has been created, older OS versions are still vulnerable although it has been 5 weeks since patches were made available, time to patch people!
Also, there are multiple groups attempting to exploit the Exim RCE vulnerability, which allows root access.
Finally, US and Russia appear to be starting an Infrastructure "war". US and Russia attacking each other's infrastructure is bad for everyone.

2018 Overall Alert History

19 October, 2018 - Reduced Overall Alert back to Guarded
16 October, 2018 - Raised Overall Alert to Increased due to Oracle Quarterly Patches and the sheer number of remote vulnerabilities in Oracle products.

17 September, 2018 - Reduced Overall Alert to Guarded.
12 September, 2018 - Raised Overall Alert to Increased due to Patch Tuesday, patched 0-days, and other public exploits being patched. There's just a lot going on.

20 August, 2018 - Reduced Overall Alert to Guarded after appropriate patch time.
15 August, 2018 - Raised Overall Alert to Increased due to Microsoft 0-day patches in Patch Tuesday. More info.

22 March, 2018 - Overall Alert State reduced to Guarded after a few quiet days.
19 March, 2018 - Overall Alert State set to Increased based on increasing cyber security concerns between Russia and the UK, and Russia and the US.
The UK National Cyber Security Centre (NCSC) put the National Grid on alert.  More info.  
US-CERT detailed report on "Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors" here.

05 February, 2018 - Overall Alert State returned to Guarded, patches are expected for the Adobe Flash 0-day this week.
02 February, 2018 - Overall Alert State set to Increased based on AutoSploit and an Adobe Flash Player 0-Day both hitting just before the weekend.

09 January, 2018 - Overall Alert State returned to Guarded, patches are still rolling out but everyone pretty much has a plan.
04 January, 2018 - Overall Alert State set to Increased based on Meltdown and Spectre affecting all modern processors.

2017 Overall Alert History

29 June, 2017 - Overall Alert State returned to Guarded, Petya has run it's course for the most part, and it is in post-analysis and recovery stage.
27 June, 2017 - Overall Alert State set to Increased based on Petya ransomware reported effect in Eastern Europe, and the potential for similar issues across multiple industries.

15 May, 2017 - Overall Alert State set back to Guarded, based on little news about further spread of ransomware, and the availability of patches and procedures to stop the spread.
12 May, 2017 - Overall Alert State set to Increased based on WannaCry ransomware reported effect on Healthcare Infrastructure, and the potential for similar issues in other Infrastructure systems.

17 April, 2017 - Overall Alert State set back to Guarded.
12 April, 2017 - Overall Alert State set to Increased to bring notice to the Microsoft and Adobe Patch Days.

Subject Historical Alert State Details

2019 Subject Alert History

US:Iran

12 Aug 2019 - It seems this new level of tension between US:Iran and others has become the norm, so we're dropping this geopolitical alert.  Should things escalate higher, we'll raise a new alert.
06 Aug 2019 - More warships, now from UK, to the Strait of Hormuz to defend oil tankers.  More info.
Another tanker seized by Iran.  More info.
29 July, 2019 - More warships to the Strait of Hormuz to defend oil tankers.  More info.  And here.
More words from both sides, leading to nothing.  More info.
22 July, 2019 - Iran has seized a British-flagged oil tanker.  More info
They also report to have identified Iranian citizens working for the CIA and executed some.  More info.
18 July, 2019 - Iran has reported seizure of a tanker smuggling oil.  More info.
15 July, 2019 - Iran has attacked Iraq’s Kurdistan region.  More info.
11 July, 2019 - A British warship forced three Iranian boats to back off after they sought to block a British tanker.  More info.
8 July, 2019 - Iran is going to enrich Uranium, and President Trump responds.  More info.
5 July, 2019 - Britian seized an Iranian oil tanker, Iran threatens to seize a British one.  More info.
26 June, 2019 - Cyber is still the preferred attack vector in this conflict, but things are quiet.
24 June, 2019 - dropping a level as it seems quiet for the moment.
23 June, 2019 - After the reported Cyber Attack on Iranian weapons systems, CISA has reported increased Cyber Attacks on US interests.  More info.  And here.
20 June, 2019 - Iran has shot down a US drone.  More info.
19 June, 2019 - One US Oil company is evacuating staff after several rocket strikes in as many days, the most recent hitting the headquarters.  More info.
18 June, 2019
Tensions continue after the tanker attacks in the Gulf of Oman, and US sends more troops to the Gulf area. Time to be a bit more wary of what else is happening on the Cyber front.  More info.  And here.

BlackHat

12 Aug, 2019 - Removed Subject Alert.
06 Aug, 2019 - It's Hacker Summer Camp, hijinx and disclosures may ensue. Pay attention to the news from BlackHat and DefCon.

DNS Poisoning

18 July, 2019 - Removed Subject Alert.
15 July, 2019 - In January 2019 the NCSC published an alert to highlight a large-scale global campaign to hijack DNS. Activity continues, with victims of DNS hijacking identified across multiple regions and sectors. Please take steps to protect yourselves..  More info.  And here.

US:IRAN - May 2019

21 May, 2019 - Removed the Geopolitical Alert
17 May, 2019 - Still lots of rhetoric out there, we will leave this alert over the weekend at least.
15 May, 2019 - US is pulling people from Iraq, we're keeping the the Alert at Increased.  The story.
13 May, 2019 - Raised Geopolitical Alert for US:Iran
During times of political conflict, cyberactivity increases as well. US and Iran are currently escalating, the latest story is here.

INDIA:PAKISTAN - Feb-Mar 2019

04 March, 2019 - Reduced Alert State to Guarded.
27 February, 2019 - Created Subject Alert for India:Pakistan based on News reports of increased tensions in the Kashir area, Indian air strikes in Pakistan, and Indian fighter jets shot down over Kashmir. Increased geopolitical tensions typically result in increased cyber activity as well. More info.
A live blog of activity can be seen here.

2018 Subject Alert History

IRAN:US Aug 2018

21 September, 2018 - Removed Subject Alert for US:Iran
13 August, 2018 - Created Subject Alert for US:Iran based on expected Iranian response to US sanctions.  Given the quantity of ICS/SCADA, Building, and Infrastructure alerts we have posted lately, the attack surface is broad in several areas.  More info.

VPNFILTER - May-Jun 2018

20 June, 2018 - Removed Subject Alert, no new news, everyone that cares already knows.
18 June, 2018
 - Lowered state to Guarded, there has been no new coverage since 12 June, except that SMBs aren't heeding the warnings.
07 June, 2018
 - Raised back to High, based on Talos research group's latest report that the malware hits more brands, and can infect endpoints.  More info.

06 June, 2018 - Lowered state to Increased, based on waning news coverage.
05 June, 2018 - More News Coverage.  VPNFilter continues to target the Ukraine (more info).
29 May, 2018 - FBI has taken control of C&C domain toknowall.com, and is asking everyone to reboot their routers.  More info.
24 May, 2018
 - Raised a Subject Alert State for VPNFilter and set it at High.  Cisco Talos is warning of a sophisticated modular malware system known as VPNFilter.  They estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. Note Cisco is not in this list.  Research is not complete, but risks are high.  More info.

 IRAN:US May 2018

24 May, 2018 - Removed Subject Alert
23 May, 2018 - Reduced Subject Alert State to Guarded.  Let's see what happens...
11 May, 2018 - Subject Alert State modified to Iran:USA based on the idea that cyber activity will increase as a result of US sanctions.
     https://www.recordedfuture.com/iran-hacker-hierarchy/
11 May, 2018 - Subject Alert State added and set to Increased for Israel:Iran.  Expect increased cyber activity.

RUSSIA:US, UK, FRANCE Apr-May 2018

11 May, 2018 - Subject Alert State for France, UK, US removed
03 May, 2018 - Subject Alert State for France, UK, US lowered to Guarded
17 April, 2018 - Subject Alert State for France, UK, US set to Increased based on escalating tensions between Russia and the ally group.  Following the Syrian drone strikes by the ally group, tensions are increasing. 
https://www.securityweek.com/us-britain-warn-russian-campaign-hack-networks
https://www.theregister.co.uk/2018/04/16/russian_hackers_internet_routers/
https://www.securityweek.com/us-britain-warn-russian-campaign-hack-networks
https://www.mirror.co.uk/news/politics/britain-braces-putins-dirty-cyber-12370560
https://www.mirror.co.uk/news/politics/russia-hacking-millions-computers-pave-12374598
http://www.dailymail.co.uk/news/article-5619039/Fears-retaliation-Putin-Syria-strikes.html

https://www.telegraph.co.uk/politics/2018/04/15/russia-launches-cyber-war-uk-dirty-tricks-campaign-boris-johnson/
https://www.us-cert.gov/ncas/alerts/TA18-106A
https://www.ncsc.gov.uk/alerts/russian-state-sponsored-cyber-actors-targeting-network-infrastructure-devices 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180416-tsa18-106a

RUSSIA:UK Mar-Apr 2018

16 April, 2018 - Removed subject alert.
26 March, 2018 - Subject Alert State reduced to Guarded after a few more quiet days.
22 March, 2018 - Subject Alert State reduced to Increased after a few quiet days.
19 March, 2018:  Subject Alert state for Russia:UK raised to High.  The UK National Cyber Security Centre (NCSC) put the National Grid on alert.  More info.
UPDATE:  Russia said they had no motive for the attack on Sergei Skripal and his daughter.  PM May to "announce measures".  More info.
16 March, 2018:  US has issued sanctions in support of the UK and in response to reports that Russia is responsible for cyberactivity targeting US Infrastructure.  More info.
13 March, 2018 - Subject Alert State for Russia:UK set to Increased based on escalating tensions between Russia and the UK.  Following the Weapon of Mass Destruction attack on the UK mainland, allegedly by Russia, the UK have given Russia until midnight (GMT) on 13 March to respond.  UK media are speculating that the likely response from the UK will be a cyber attack against Russia.  More info.

RUSSIA:US CNI Mar 2018

23 March, 2018 - Subject Alert State removed.
22 March, 2018 - Subject Alert State reduced to Guarded after a few quiet days.
19 March, 2018:  Subject Alert created for Russia:US CNI and set to Increased.  US-CERT detailed report on "Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors" here.

2017 Subject Alert History

APT on CRITICAL INFRASTRUCTURE Oct 2017

23 Oct, 2017 - Subject Alert State for APT for Critical Infrastucture set to Increased based on CERT report of advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.  More info.

BLACKHAT/BROADCOM WI-FI Jul 2017

30 July, 2017 - Subject Alert State for BlackHat removed, since BlackHat and DefCon are over.
24 July, 2017 - Subject Alert State for BlackHat set to Increased based on Broadcom Wi-Fi chipset vulnerabilities and the upcoming BlackHat presentation.  Both Apple and Google have addressed this in recent updates for iOS, Boot Camp, and Android.  Apple's bulletins for iOS and Boot CampGoogle's bulletin for Android.

PETYA RANSOMWARE Jun 2017

30 June, 2017 - Removed the Subject Alert, we all know about it and the myriad of ideas around it.
29 June, 2017 - Subject Alert State set to Increased, Petya has run it's course for the most part, and it is in post-analysis and recovery stage.  Some wariness is still required, and patch, patch patch!
27 June, 2017 - Created a Subject Alert state for Ransomware set to High, based on fast spreading infections of a ransomware called "Petya".  Starting in Eastern Europe, and hitting financial and infrastructure hard.  The ransomware uses the Microsoft SMB vulnerability as WannaCry.

WINDOWS Apr 2017

17 April, 2017 - Subject Alert for Windows removed.
13 April, 2017 - Set to Increased, since updates should be rolling...
12 April, 2017 - A Subject Alert for Windows was added and set at High, to highlight the patch for the Office and WordPad 0-day announced a few days ago.  Exploitation of this issue has increased, indicating a need to patch quickly.  Also, Vista is now officially EOL, with no new security updates.

WANNACRY RANSOMWARE May 2017

16 May, 2017 - Removed, nothing left but the patching...
15 May, 2017 - Lowered to Guarded with little new reporting
13 May, 2017 - Lowered to Increased based on the registration of the domain that acted as a kill switch, and Microsoft publication of patches for unsupported versions of the software.
12 May, 2017 - Raised to High based on the pace of infections...
12 May, 2017
 - Created a Subject Alert state for Ransomware set to Increased, based on fast spreading infections of a ransomware called "WannaCry".  ISPs, Hospitals, and Energy Infrastructure companies are among the victims.  The ransomware uses a Microsoft SMB vulnerability patched in March, 2017.  More info here and here.

 

Overall Alert Definitions


Overall

GUARDED 

This is the lowest envisaged Alert State for the foreseeable future.
Remain vigilant and be prepared for attack. There are no discernible issues impacting end networks or the infrastructure of the Internet.

UK Military Terminology – Stand Down
Civilian Terminology – Chillax


Overall

INCREASED 

There is unrest in cyber space requiring increased vigilance for possible cyber disruption, such as:

  • Several severe vulnerabilities across multiple platforms (eg Patch Tuesday)
  • Increased political unrest or International hostilities between Nation States which may result in indiscriminate cyber attacks and watering hole acquisition to build botnets.
  • There is a new attack vector which is taking hold and may require mitigation but not yet raising too much cause for concern.

UK Military Terminology – Stand To
Civilian Terminology – Keep Calm and Carry On


Overall

HIGH 

There is a marked escalation in cyber attacks and actual effect, security staff should align their security posture to mitigate the threat and exercise possible use cases relating to the threat, the threats might include:

  • Significant degradation of the Internet infrastructure, such as loss of backbones, DDoS, DNS etc.
  • Several significant vulnerabilities which are being actively exploited and/or proving difficult to mitigate.
  • Malware which is spreading quickly and causing significant issues.
  • Outbreak of Cyber hostilities between Nation States, those nations involved go to Critical Alert State

UK Military Terminology – Watch and Shoot
Civilian Terminology – Wake Up and Smell the Coffee


Overall

CRITICAL 

There is a direct cyber threat which will impact the majority of systems and significantly hamper IT operations, this Alert State will be used sparingly.

Where the Critical Alert State can be localised, by Product Type, Attack Vector, Threat Actor or Nations, these will be reflected in the sub heading as per the example shown.

Military Terminology – Incoming, Take Cover
Civilian Terminology – OMG!


© Computer Network Defence Limited 2019