CISA & FBI Joint Alert: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations

28th October 2020


CISA has recently observed advanced persistent threat (APT) actors targeting state, local, tribal, and territorial (SLTT) government networks by leveraging vulnerability chaining. When an attacker uses vulnerability chaining in an intrusion, they string together a series of vulnerabilities to exploit the target organization. The common theme linking these intrusions is the use of multiple legacy vulnerabilities on web-facing infrastructure. Citrix NetScaler, MobileIron, Pulse Secure, Palo Alto Networks, Fortinet FortiOS, and F5 BIG-IP are among the vendors and products with vulnerabilities leveraged by these APTs for intrusion. Common protocols used in these attacks include VPN, SSL, and RDP, which are heavily relied upon by many organizations, especially those with distributed workforces. CISA recommends that organizations review their internet-facing infrastructure and make sure all of these devices are patched, in addition to monitoring network traffic for protocols including SSH, SMB, and RDP where such use is abnormal or violates policy (source).

Some organizations are not certain which devices are active on their network. Knowing this is critical for understanding which subset of devices is reachable from the public internet. CyGlass is a network defense as a service (NDaaS) provider offering several features to support business information security objectives, including attack surface discovery, protection policy management, and threat detection & response. CyGlass also uses cutting-edge AI/ML technology to detect abnormalities on your network, extending your visibility and defense capabilities beyond what a firewall and antivirus alone can offer. CyGlass can help SLTT organizations comply with CISA’s guidance above by providing attack surface discovery and policy alerts that indicate when RDP or VPN are used in violation of policy.

CyGlass offers customers robust attack surface discovery capabilities through an easy-to-use interface. This functionality shows the device type, name or IP, a threat score, criticality level, open monitoring alerts impacting the asset, and other helpful information including asset tagging.

Having visibility into your organization’s attack surface helps to determine which devices are public-facing and which perhaps should not be. Understanding the criticality of each system facilitates key business enablers like risk management, so teams can assess the risk posed by each asset and ascertain which mitigation steps are best suited.


CyGlass also offers a feature called policy alerts. Businesses have disparate policies related to remote use, traffic to certain countries, and social media use, to name a few. Policies help businesses keep their networks safe and lean, but where many policies fall short is in mechanisms: the means of alerting on policy violations so that they can be prioritized and enforced. This is where CyGlass policy alerts can make a huge impact on your environment. Each installation of CyGlass arrives with a default set of alerts, including RDP attempts from external to internal, unauthorized outbound SSH, Active Directory to external, activity to blocked countries, and several more. Below you can view an example of a policy alert page.

These alerts inform teams when unapproved activity is occurring in the environment so that action and mitigation steps can be taken to address it. Each alert can be selected to view more granular information related to it, including web traffic information. The alert description column is particularly helpful because it explains what each policy means in plain language, so even fledgling network defenders know how to take the information from a policy alert and turn it into actionable intelligence that makes your environment more secure.
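To make the policy-alert idea above, and CISA’s recommendation to watch SSH, SMB and RDP where their use violates policy, concrete, here is an added example (not CyGlass code and not from the CISA alert) that evaluates four of the default policies named in this post over a handful of constructed flow records; the internal ranges, domain controller, approved SSH source and IP-to-country table are all assumptions made up for the example.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")  # constructed flow record, not a CyGlass export

# Assumed environment: internal ranges, domain controllers, hosts approved for outbound
# SSH, a blocked-country list and a tiny IP-to-country table standing in for a geo lookup.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
AD_SERVERS = {"10.0.0.5"}
SSH_ALLOWED_SRC = {"10.0.1.10"}
BLOCKED_COUNTRIES = {"XX"}
GEO = {"203.0.113.9": "XX", "198.51.100.7": "YY"}

# Plain-language description per policy, as an alert page's description column would show.
POLICIES = {
    "rdp_external_to_internal": "RDP (TCP/3389) reached an internal host from outside the network",
    "unauthorized_outbound_ssh": "Outbound SSH (TCP/22) from a host not on the approved list",
    "active_directory_to_external": "A domain controller talked directly to an external address",
    "blocked_country": "Traffic to an address geolocated in a blocked country",
}

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def evaluate(flow):
    """Return the names of every policy this flow violates (empty list if none)."""
    hits = []
    src_int, dst_int = is_internal(flow.src), is_internal(flow.dst)
    if flow.proto == "tcp" and flow.dport == 3389 and not src_int and dst_int:
        hits.append("rdp_external_to_internal")
    if (flow.proto == "tcp" and flow.dport == 22 and src_int and not dst_int
            and flow.src not in SSH_ALLOWED_SRC):
        hits.append("unauthorized_outbound_ssh")
    if flow.src in AD_SERVERS and not dst_int:
        hits.append("active_directory_to_external")
    if not dst_int and GEO.get(flow.dst) in BLOCKED_COUNTRIES:
        hits.append("blocked_country")
    return hits

def alerts(flows):
    """Turn violating flows into (flow, policy, description) rows for an alert page."""
    return [(f, p, POLICIES[p]) for f in flows for p in evaluate(f)]

# Constructed sample flows: external RDP in, two outbound SSH (one approved), DC egress, internal LDAP.
SAMPLE_FLOWS = [
    Flow("203.0.113.9", "10.0.0.20", 3389, "tcp"),
    Flow("10.0.2.33", "198.51.100.7", 22, "tcp"),
    Flow("10.0.1.10", "198.51.100.7", 22, "tcp"),
    Flow("10.0.0.5", "203.0.113.9", 443, "tcp"),
    Flow("10.0.0.20", "10.0.0.5", 389, "tcp"),
]
```

Running `alerts(SAMPLE_FLOWS)` yields four rows: one RDP alert, one unauthorized SSH alert, and two for the domain controller's egress flow (AD to external and blocked country); the approved SSH source and the internal LDAP flow raise nothing.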


As attackers become more sophisticated, your organization must have strong asset inventory, protection policy management, and threat monitoring capabilities. CyGlass can help your organization on all three fronts, in addition to providing a comprehensive, user-friendly platform capable of alerting you to complex attacks and numerous TTPs. Contact the CyGlass team today to see how your organization can bring better value to shareholders by avoiding costly downtime and costly post-incident remediation.