
Monday, September 29, 2025

EPA Cyber Alerts: Cisco Products and SonicWall Cyber Incidents

The Colorado Department of Public Health and Environment (CDPHE) is posting the following cyber alerts in partnership with the Environmental Protection Agency (EPA). Please reach out to EPA with any questions about this or any additional cyber concerns at watercyberta@epa.gov.

Alert: Identify and Mitigate Potential Compromise of Cisco Devices

The United States Environmental Protection Agency (EPA) is issuing this alert to inform water and wastewater systems about Emergency Directive (ED) 25-03 issued by the Cybersecurity and Infrastructure Security Agency (CISA). This directive highlights an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to achieve unauthenticated remote code execution on Cisco ASAs. Additionally, it includes the manipulation of read-only memory (ROM), enabling threat actors to maintain access even through reboots and system upgrades.

Link to Emergency Directive 25-03

Mitigations

Although Emergency Directive 25-03 is directed at federal agencies, EPA strongly recommends that water and wastewater systems review the Emergency Directive and follow the mitigation steps. The Emergency Directive includes a detailed step-by-step guide along with resources to assist in implementing each mitigation. Systems that outsource technology support should consult with their service providers for assistance with these steps.

Important: Water and wastewater systems are not required to report their activities to CISA, including those outlined in mitigation steps 2, 3, and 6 in the Emergency Directive. This requirement applies only to federal agencies; however, systems may choose to report voluntarily and are encouraged to do so if a compromise is detected.

Conclusion

If you have questions about any of the information in this alert, including assistance with the mitigation steps included in the Emergency Directive, please submit a request to EPA’s Cybersecurity Technical Assistance Program for the Water Sector.

Additionally, CISA has provided the following contact information specific to this Emergency Directive:

Alert: SonicWall Releases Advisory After Cybersecurity Incident

The United States Environmental Protection Agency (EPA) is issuing this alert for water and wastewater systems that are customers of SonicWall firewalls, particularly those customers with preference files backed up on MySonicWall.com. SonicWall's security teams have recently detected suspicious activity targeting firewall preference files stored in the cloud. Although there is no current evidence of these files being leaked online by threat actors, they may contain information that could facilitate unauthorized network access by making it easier for attackers to exploit the related firewalls.

Mitigations

EPA recommends that all water and wastewater systems that are customers of SonicWall follow the remediation steps provided by SonicWall. Systems that outsource technology support should consult with their service providers for assistance with these steps.

  1. Log in to your MySonicWall.com account and verify if cloud backups exist for all registered firewalls. If the fields are blank, you are not at risk.
  2. If the fields contain backup details, verify whether impacted serial numbers are listed in your account. Upon login, navigate to “Product Management | Issue List” and the affected serial numbers will be flagged. If serial numbers are shown, the firewalls are at risk, and you should immediately follow the containment and remediation guidelines provided by SonicWall.

If you have used the Cloud Backup feature, but no Serial Numbers are shown, SonicWall will provide additional guidance in the coming days to determine if your backup files were impacted.

Please continue to check back on the following page for additional information and updates: MySonicWall Cloud Backup File Incident.

Conclusion

If you have questions about any of the information in this alert, please contact EPA’s Water Infrastructure and Cyber Resilience Division, Cybersecurity Branch at watercyberta@epa.gov. Organizations are encouraged to report suspicious or criminal activity to the FBI Internet Crime Complaint Center (IC3) at IC3.gov or to CISA via CISA’s Incident Reporting System.