<div dir="ltr"><div class="gmail_quote"><div class="gmail_quote"><div bgcolor="#FFFFFF" text="#000000"><div class="m_-7046225294384125234m_8838011533847931373moz-forward-container"><div class="m_-7046225294384125234m_8838011533847931373moz-forward-container"><br><br>
<br>
<table align="center" border="0" width="700" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td>
<p>National Cyber Awareness System:</p>
<div class="m_-7046225294384125234m_8838011533847931373rss_item" style="margin-bottom:2em">
<div class="m_-7046225294384125234m_8838011533847931373rss_title" style="font-weight:bold;font-size:120%;margin:0 0 0.3em;padding:0"><a href="https://www.us-cert.gov/ncas/alerts/TA16-250A" target="_blank">TA16-250A:
The Increasing Threat to Network Infrastructure
Devices and Recommended Mitigations</a></div>
<div class="m_-7046225294384125234m_8838011533847931373rss_pub_date" style="font-size:90%;font-style:italic;color:#666666;margin:0 0 0.3em;padding:0">09/06/2016 06:29 PM EDT</div>
<br>
<div class="m_-7046225294384125234m_8838011533847931373rss_description" style="margin:0 0 0.3em;padding:0">Original release date: September 06,
2016 | Last revised: September 28, 2016<br>
<h3>Systems Affected</h3>
<p>Network Infrastructure Devices<br>
</p>
<h3>Overview</h3>
<p>The advancing capabilities of organized hacker
groups and cyber adversaries create an increasing
global threat to information systems. The rising
threat levels place more demands on security
personnel and network administrators to protect
information systems. Protecting the network
infrastructure is critical to preserve the
confidentiality, integrity, and availability of
communication and services across an enterprise.</p>
<p>To address threats to network infrastructure
devices, this Alert provides information on recent
vectors of attack that advanced persistent threat
(APT) actors are targeting, along with prevention
and mitigation recommendations.<br>
</p>
<h3>Description</h3>
<p>Network infrastructure consists of interconnected
devices designed to transport communications
needed for data, applications, services, and
multi-media. Routers and firewalls are the focus
of this alert; however, many other devices exist
in the network, such as switches, load-balancers,
intrusion detection systems, etc. Perimeter
devices, such as firewalls and intrusion detection
systems, have been the traditional technologies
used to secure the network, but as threats change,
so must security strategies. Organizations can no
longer rely on perimeter devices to protect the
network from cyber intrusions; organizations must
also be able to contain the impact/losses within
the internal network and infrastructure.</p>
<p>For several years now, vulnerable network devices
have been the attack vector of choice and one of
the most effective techniques for sophisticated
hackers and advanced threat actors. In this
environment, there has never been a greater need
to improve network infrastructure security. Unlike
hosts that receive significant administrative
security attention and for which security tools
such as anti-malware exist, network devices are
often working in the background with little
oversight—until network connectivity is broken or
diminished. Malicious cyber actors take advantage
of this fact and often target network devices.
Once on the device, they can remain there
undetected for long periods. After an incident,
when administrators and security professionals
perform forensic analysis and recover control, a
malicious cyber actor with persistent access on
network devices can reattack the recently cleaned
hosts. For this reason, administrators need to
ensure proper configuration and control of network
devices.</p>
<h4>Proliferation of Threats to Information Systems</h4>
<h4><em>SYNful Knock</em></h4>
<p>In September 2015, an attack known as SYNful
Knock was disclosed. SYNful Knock silently changes
a router’s operating system image, thus allowing
attackers to gain a foothold on a victim’s
network. The malware can be customized and updated
once embedded. When the modified malicious image
is uploaded, it provides a backdoor into the
victim’s network. Using a crafted TCP SYN packet,
a communication channel is established between the
compromised device and the malicious command and
control (C2) server. The impact of this infection
to a network or device is severe and most likely
indicates that there may be additional backdoors
or compromised devices on the network. This
foothold gives an attacker the ability to maneuver
and infect other hosts and access sensitive data.</p>
<p>The initial infection vector does not leverage a
zero-day vulnerability. Attackers either use the
default credentials to log into the device or
obtain weak credentials from other insecure
devices or communications. The implant resides
within a modified IOS image and, when loaded,
maintains its persistence in the environment, even
after a system reboot. Any further modules loaded
by the attacker will only exist in the router’s
volatile memory and will not be available for use
after the device reboots. However, these devices
are rarely or never rebooted.</p>
<p>To prevent the size of the image from changing,
the malware overwrites several legitimate IOS
functions with its own executable code. The
attacker examines the functionality of the router
and determines functions that can be overwritten
without causing issues on the router. Thus, the
overwritten functions will vary by deployment.</p>
<p>The attacker can utilize the secret backdoor
password in three different authentication
scenarios. In these scenarios the implant first
checks to see if the user input is the backdoor
password. If so, access is granted. Otherwise, the
implanted code will forward the credentials for
normal verification of potentially valid
credentials. This generally raises the least
amount of suspicion. Cisco has provided an alert
on this attack vector. For more information, see
the <a href="https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html" target="_blank">Cisco
SYNful Knock Security Advisory</a>.</p>
<p>Other attacks against network infrastructure
devices have also been reported, including more
complicated persistent malware that silently
changes the firmware on the device that is used to
load the operating system so that the malware can
inject code into the running operating system. For
more information, please see <a href="https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices" target="_blank">Cisco's
description of the evolution of attacks on Cisco
IOS devices</a>.</p>
<h4><em>Cisco Adaptive Security Appliance (ASA)</em></h4>
<p>A Cisco ASA device is a network device that
provides firewall and Virtual Private Network
(VPN) functionality. These devices are often
deployed at the edge of a network to protect a
site’s network infrastructure, and to give remote
users access to protected local resources.</p>
<p>In June 2016, NCCIC received several reports of
compromised Cisco ASA devices that were modified
in an unauthorized way. The ASA devices directed
users to a location where malicious actors tried
to socially engineer the users into divulging
their credentials.</p>
<p>It is suspected that malicious actors leveraged <a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3393" target="_blank">CVE-2014-3393</a>
to inject malicious code into the affected
devices. The malicious actor would then be able to
modify the contents of the Random Access Memory
Filing System (RAMFS) cache file system and inject
the malicious code into the appliance’s
configuration. Refer to the <a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa" target="_blank">Cisco
Security Advisory Multiple Vulnerabilities in
Cisco ASA Software</a> for more information and
for remediation details.</p>
<p>In August 2016, a group known as “Shadow Brokers”
publicly released a large number of files,
including exploitation tools for both old and
newly exposed vulnerabilities. Cisco ASA devices
were found to be vulnerable to the released
exploit code. In response, Cisco released an
update to address a newly disclosed Cisco ASA
Simple Network Management Protocol (SNMP) remote
code execution vulnerability (<a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6366" target="_blank">CVE-2016-6366</a>).
In addition, one exploit tool targeted a
previously patched Cisco vulnerability (<a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6367" target="_blank">CVE-2016-6367</a>).
Although Cisco provided <a href="https://blogs.cisco.com/security/shadow-brokers" target="_blank">patches</a> to
fix this Cisco ASA command-line interface (CLI)
remote code execution vulnerability in 2011,
devices that remain unpatched are still vulnerable
to the described attack. Attackers may target
vulnerabilities for months or even years after
patches become available.</p>
<h3>Impact</h3>
<p>If the network infrastructure is compromised,
malicious hackers or adversaries can gain full
control of the network infrastructure, enabling
further compromise of other types of devices and
data and allowing traffic to be redirected,
changed, or denied. Possibilities of manipulation
include denial-of-service, data theft, or
unauthorized changes to the data.</p>
<p>Intruders with infrastructure privilege and
access can impede productivity and severely hinder
re-establishing network connectivity. Even if
other compromised devices are detected, tracking
back to a compromised infrastructure device is
often difficult.</p>
<p>Malicious actors with persistent access to
network devices can reattack and move laterally
after they have been ejected from previously
exploited hosts.<br>
</p>
<h3>Solution</h3>
<h4>1. Segregate Networks and Functions</h4>
<p>Proper network segmentation is a very effective
security mechanism to prevent an intruder from
propagating exploits or laterally moving around an
internal network. On a poorly segmented network,
intruders are able to extend their impact to
control critical devices or gain access to
sensitive data and intellectual property. Security
architects must consider the overall
infrastructure layout, segmentation, and
segregation. Segregation separates network
segments based on role and functionality. A
securely segregated network can contain malicious
occurrences, reducing the impact from intruders,
in the event that they have gained a foothold
somewhere inside the network.</p>
<h5><em>Physical Separation of Sensitive Information</em></h5>
<p>Local Area Network (LAN) segments are separated
by traditional network devices such as routers.
Routers are placed between networks to create
boundaries, increase the number of broadcast
domains, and effectively filter users’ broadcast
traffic. These boundaries can be used to contain
security breaches by restricting traffic to
separate segments and can even shut down segments
of the network during an intrusion, restricting
adversary access.</p>
<h5>Recommendations:</h5>
<ul>
<li>Implement Principles of Least Privilege and
need-to-know when designing network segments.</li>
<li>Separate sensitive information and security
requirements into network segments.</li>
<li>Apply security recommendations and secure
configurations to all network segments and
network layers.</li>
</ul>
<h5><em>Virtual Separation of Sensitive Information
</em></h5>
<p>As technologies change, new strategies are
developed to improve IT efficiencies and network
security controls. Virtual separation is the
logical isolation of networks on the same physical
network. The same physical segmentation design
principles apply to virtual segmentation but no
additional hardware is required. Existing
technologies can be used to prevent an intruder
from breaching other internal network segments.</p>
<h5>Recommendations:</h5>
<ul>
<li>Use Private Virtual LANs to isolate a user
from the rest of the broadcast domains.</li>
<li>Use Virtual Routing and Forwarding (VRF)
technology to segment network traffic over
multiple routing tables simultaneously on a
single router.</li>
<li>Use VPNs to securely extend a host/network by
tunneling through public or private networks.</li>
</ul>
<h4>2. Limit Unnecessary Lateral Communications</h4>
<p>Allowing unfiltered workstation-to-workstation
communications (as well as other peer-to-peer
communications) creates serious vulnerabilities,
and can allow a network intruder to easily spread
to multiple systems. An intruder can establish an
effective “beach head” within the network, and
then spread to create backdoors into the network
to maintain persistence and make it difficult for
defenders to contain and eradicate.</p>
<h5>Recommendations:</h5>
<ul>
<li>Restrict communications using host-based
firewall rules to deny the flow of packets from
other hosts in the network. The firewall rules
can be created to filter on a host device, user,
program, or IP address to limit access from
services and systems.</li>
<li>Implement a VLAN Access Control List (VACL), a
filter that controls access to/from VLANs. VACL
filters should be created to deny packets the
ability to flow to other VLANs.</li>
<li>Logically segregate the network using physical
or virtual separation, allowing network
administrators to isolate critical devices onto
network segments.<br>
</li>
</ul>
<h4>3. Harden Network Devices</h4>
<p>A fundamental way to enhance network
infrastructure security is to safeguard networking
devices with secure configurations. Government
agencies, organizations, and vendors supply a wide
range of resources to administrators on how to
harden network devices. These resources include
benchmarks and best practices. These
recommendations should be implemented in
conjunction with laws, regulations, site security
policies, standards, and industry best practices.
These guides provide a baseline security
configuration for the enterprise that protects the
integrity of network infrastructure devices. This
guidance supplements the network security best
practices supplied by vendors.</p>
<h5>Recommendations:</h5>
<ul>
<li>Disable unencrypted remote admin protocols
used to manage network infrastructure (e.g.,
Telnet, FTP).</li>
<li>Disable unnecessary services (e.g., discovery
protocols, source routing, HTTP, SNMP, BOOTP).</li>
<li>Use SNMPv3 (or subsequent version) but do not
use SNMP community strings.</li>
<li>Secure access to the console, auxiliary, and
VTY lines.</li>
<li>Implement robust password policies and use the
strongest password encryption available.</li>
<li>Protect routers/switches by controlling access
lists for remote administration.</li>
<li>Restrict physical access to routers/switches.</li>
<li>Back up configurations and store offline. Use
the latest version of the network device
operating system and update with all patches.</li>
<li>Periodically test security configurations
against security requirements.</li>
<li>Protect configuration files with encryption
and/or access controls when sending them
electronically and when they are stored and
backed up.<br>
</li>
</ul>
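<p>Several of the recommendations above can be tested mechanically against a saved device configuration. The following Python is an added example, not part of the original alert or of any vendor tool; it assumes Cisco IOS-style syntax, and its rule set, rule names, and both sample configurations are constructed for illustration.</p>

```python
import re

# Illustrative rule set (an assumption, not a complete benchmark), IOS-style syntax.
FORBIDDEN = [  # (rule id, regex on a global command, reason)
    ("http-server", r"ip http server\b", "unencrypted HTTP management enabled"),
    ("bootp", r"ip bootp server\b", "BOOTP service enabled"),
    ("snmp-community", r"snmp-server community\b", "SNMP community string in use"),
    ("enable-password", r"enable password\b", "weakly stored enable password"),
]
REQUIRED = [  # (rule id, regex some global command must match, reason if absent)
    ("password-encryption", r"service password-encryption\b", "passwords not encrypted"),
    ("source-route", r"no ip source-route\b", "IP source routing not disabled"),
]

# Constructed sample configurations, not taken from any real device.
SAMPLE_WEAK = """\
no service password-encryption
enable password changeme
ip http server
snmp-server community public RO
line con 0
 exec-timeout 0 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
"""
SAMPLE_HARDENED = """\
service password-encryption
enable secret 9 $9$constructed-placeholder
no ip http server
no ip source-route
snmp-server group NETOPS v3 priv
line con 0
 login local
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""

def parse_blocks(config):
    """Group indented sub-commands under the unindented command above them."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue  # blank line or "!" separator
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_line(header, children):
    """Checks for console, auxiliary and VTY line blocks."""
    findings = []
    if "no login" in children:
        findings.append(("line-no-login", header, "login check disabled"))
    if "exec-timeout 0 0" in children:
        findings.append(("line-no-timeout", header, "idle sessions never time out"))
    if header.startswith("line vty"):
        transport = [c.split()[2:] for c in children if c.startswith("transport input")]
        if not transport:  # platform default applies and may permit Telnet
            findings.append(("vty-transport-default", header, "no explicit transport input"))
        elif {"telnet", "all"} & set(transport[-1]):
            findings.append(("vty-telnet", header, "Telnet permitted on VTY"))
        if not any(re.match(r"access-class \S+ in\b", c) for c in children):
            findings.append(("vty-no-acl", header, "no inbound access-class"))
    return findings

def audit(config):
    """Return a list of (rule id, location, reason) tuples for one configuration."""
    blocks = parse_blocks(config)
    findings = []
    for header, children in blocks:
        for rule, pattern, reason in FORBIDDEN:
            if re.match(pattern, header):
                findings.append((rule, header, reason))
        if header.startswith("line "):
            findings.extend(audit_line(header, children))
    for rule, pattern, reason in REQUIRED:
        if not any(re.match(pattern, header) for header, _ in blocks):
            findings.append((rule, "global", reason))
    return findings

if __name__ == "__main__":
    for rule, where, reason in audit(SAMPLE_WEAK):
        print(f"[{rule}] {where}: {reason}")
```

<p>Defaults that do not appear in a saved configuration differ by platform and software release, so the REQUIRED list should be adjusted to the devices being audited.</p>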
<h4>4. Secure Access to Infrastructure Devices</h4>
<p>Administrative privileges on infrastructure
devices allow access to resources that are
normally unavailable to most users and permit the
execution of actions that would otherwise be
restricted. When administrator privileges are
improperly authorized, granted widely, and/or not
closely audited, intruders can exploit them. These
compromised privileges can enable adversaries to
traverse a network, expanding access and
potentially allowing full control of the
infrastructure backbone. Unauthorized
infrastructure access can be mitigated by properly
implementing secure access policies and
procedures.</p>
<h5>Recommendations:</h5>
<ul>
<li>Implement Multi-Factor Authentication –
Authentication is a process to validate a user’s
identity. Weak authentication processes are
commonly exploited by attackers. Multi-factor
authentication uses at least two identity
components to authenticate a user’s identity.
Identity components include something the user
knows (e.g., password); an object the user has
possession of (e.g., token); and a trait unique
to the specific person (e.g., biometric).</li>
<li>Manage Privileged Access – Use an
authorization server to store access information
for network device management. This type of
server will enable network administrators to
assign different privilege levels to users based
on the principle of least privilege. When a user
tries to execute an unauthorized command, it
will be rejected. To increase the strength and
robustness of user authentication, implement a
hard token authentication server in addition to
the AAA server, if possible. Multi-factor
authentication increases the difficulty for
intruders to steal and reuse credentials to gain
access to network devices.</li>
<li>Manage Administrative Credentials – Although
multi-factor authentication is highly
recommended and a best practice, systems that
cannot meet this requirement can at least
improve their security level by changing default
passwords and enforcing complex password
policies. Network accounts must contain complex
passwords of at least 14 characters from
multiple character domains including lowercase,
uppercase, numbers, and special characters.
Enforce password expiration and reuse policies.
If passwords are stored for emergency access,
keep these in a protected off-network location,
such as a safe.<br>
</li>
</ul>
<h4>5. Perform Out-of-Band Management</h4>
<p>Out-of-Band (OoB) management uses alternate
communication paths to remotely manage network
infrastructure devices. These dedicated paths can
vary in configuration to include anything from
virtual tunneling to physical separation. Using
OoB access to manage the network infrastructure
will strengthen security by limiting access and
separating user traffic from network management
traffic. OoB management provides security
monitoring and can implement corrective actions
without allowing the adversary who may have
already compromised a portion of the network to
observe these changes.</p>
<p>OoB management can be implemented physically or
virtually, or through a hybrid of the two.
Building additional physical network
infrastructure is the most secure option for the
network managers, although it can be very
expensive to implement and maintain. Virtual
implementation is less costly, but still requires
significant configuration changes and
administration. In some situations, such as access
to remote locations, virtual encrypted tunnels may
be the only viable option.</p>
<h5>Recommendations:</h5>
<ul>
<li>Segregate standard network traffic from
management traffic.</li>
<li>Ensure that management traffic on devices
comes only from the OoB network.</li>
<li>Apply encryption to all management channels.</li>
<li>Encrypt all remote access to infrastructure
devices such as terminal or dial-in servers.</li>
<li>Manage all administrative functions from a
dedicated host (fully patched) over a secure
channel, preferably on the OoB.</li>
<li>Harden network management devices by testing
patches, turning off unnecessary services on
routers and switches, and enforcing strong
password policies. Monitor the network and
review logs. Implement access controls that only
permit required administrative or management
services (SNMP, NTP, SSH, FTP, TFTP).<br>
</li>
</ul>
<h4>6. Validate Integrity of Hardware and
Software</h4>
<p>Products purchased through unauthorized channels
are often known as “counterfeit,” “secondary,” or
“grey market” devices. There have been numerous
reports in the press regarding grey market
hardware and software being introduced into the
marketplace. Grey market products have not been
thoroughly tested to meet quality standards and
can introduce risks to the network. Lack of
awareness or validation of the legitimacy of
hardware and software presents a serious risk to
users’ information and the overall integrity of
the network environment. Products purchased from
the secondary market run the risk of having the
supply chain breached, which can result in the
introduction of counterfeit, stolen, or
second-hand devices. This could affect network
performance and compromise the confidentiality,
integrity, or availability of network assets.
Furthermore, breaches in the supply chain provide
an opportunity for malicious software or hardware
to be installed on the equipment. In addition,
unauthorized or malicious software can be loaded
onto a device after it is in operational use, so
integrity checking of software should be done on a
regular basis.</p>
<h5>Recommendations:</h5>
<ul>
<li>Maintain strict control of the supply chain;
purchase only from authorized resellers.</li>
<li>Require resellers to implement a supply chain
integrity check to validate hardware and
software authenticity.</li>
<li>Inspect the device for signs of tampering.</li>
<li>Validate serial numbers from multiple sources.</li>
<li>Download software, updates, patches, and
upgrades from validated sources.</li>
<li>Perform hash verification and compare values
against the vendor’s database to detect
unauthorized modification to the firmware.</li>
<li>Monitor and log devices, verifying network
configurations of devices on a regular schedule.</li>
<li>Train network owners, administrators, and
procurement personnel to increase awareness of
grey market devices.</li>
</ul>
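<p>The hash-verification recommendation matters because, as described for SYNful Knock above, an image can be modified without its size changing. The following Python is an added example, not part of the original alert; the file names, the manifest layout, and the stand-in "images" are constructed, and the reference digest stands in for a value obtained from the vendor over a trusted channel.</p>

```python
import hashlib
import hmac
import os
import tempfile


def sha512_file(path, chunk_size=1 << 20):
    """Stream the file so large images are hashed without loading them whole."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_images(manifest, image_dir):
    """Compare stored images against a manifest of published values.

    manifest maps file name -> (expected size, expected SHA-512 hex digest).
    Returns {file name: status}; status is OK, MISSING, SIZE_MISMATCH or
    HASH_MISMATCH, or UNLISTED for files on disk that the manifest lacks.
    """
    results = {}
    for name, (size, expected) in manifest.items():
        path = os.path.join(image_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif os.path.getsize(path) != size:
            results[name] = "SIZE_MISMATCH"
        elif not hmac.compare_digest(sha512_file(path), expected.lower()):
            results[name] = "HASH_MISMATCH"
        else:
            results[name] = "OK"
    for name in sorted(os.listdir(image_dir)):
        if name not in manifest:
            results[name] = "UNLISTED"
    return results


def demo():
    """Build constructed stand-in images in a temp directory and verify them."""
    good = b"\x7fIMG" + bytes(range(256)) * 64       # constructed, not real firmware
    patched = bytearray(good)
    patched[1024:1040] = b"\x00" * 16                # in-place overwrite, size unchanged
    files = {"router-a.bin": good, "router-b.bin": bytes(patched), "extra.bin": b"x"}
    with tempfile.TemporaryDirectory() as image_dir:
        for name, data in files.items():
            with open(os.path.join(image_dir, name), "wb") as fh:
                fh.write(data)
        reference = hashlib.sha512(good).hexdigest() # stands in for the vendor's value
        manifest = {
            "router-a.bin": (len(good), reference),
            "router-b.bin": (len(good), reference),  # passes the size check only
            "router-c.bin": (len(good), reference),  # expected but absent
        }
        return verify_images(manifest, image_dir)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name}: {status}")
```

<p>A matching hash on a stored image file does not cover modules that exist only in a device's volatile memory, so this check complements rather than replaces on-device integrity verification.</p>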
<p> </p>
<table class="m_-7046225294384125234m_8838011533847931373general-table" style="width:100%" align="center" border="1" cellpadding="0" cellspacing="0">
<caption><strong>Shadow Broker Exploits</strong></caption>
<thead> <tr>
<th scope="col"><strong>Vendor</strong></th>
<th scope="col"><strong>CVE</strong></th>
<th scope="col"><strong>Exploit Name</strong></th>
<th scope="col"><strong>Vulnerability</strong></th>
</tr>
</thead> <tbody>
<tr>
<td>Fortinet</td>
<td> <a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6909" target="_blank">CVE-2016-6909</a> </td>
<td>EGREGIOUSBLUNDER</td>
<td>Authentication cookie overflow</td>
</tr>
<tr>
<td>WatchGuard </td>
<td><a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7089" target="_blank">CVE-2016-7089</a></td>
<td>ESCALATEPLOWMAN</td>
<td>Command line injection via ipconfig</td>
</tr>
<tr>
<td>Cisco</td>
<td><a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6366" target="_blank">CVE-2016-6366</a></td>
<td>EXTRABACON</td>
<td>SNMP remote code execution</td>
</tr>
<tr>
<td>Cisco</td>
<td><a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6367" target="_blank">CVE-2016-6367</a></td>
<td>EPICBANANA</td>
<td>Command line injection remote code
execution</td>
</tr>
<tr>
<td>Cisco</td>
<td><a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6415" target="_blank">CVE-2016-6415</a></td>
<td>BENIGNCERTAIN/PIXPOCKET </td>
<td>Information/memory leak</td>
</tr>
<tr>
<td>TOPSEC</td>
<td>N/A</td>
<td>ELIGIBLEBACHELOR</td>
<td>Attack vector unknown, but has an XML-like
payload<br>
beginning with &lt;?tos length="001e.%8.8x"?&gt;</td>
</tr>
<tr>
<td>TOPSEC</td>
<td>N/A</td>
<td>ELIGIBLEBOMBSHELL</td>
<td>HTTP cookie command injection</td>
</tr>
<tr>
<td>TOPSEC</td>
<td>N/A</td>
<td>ELIGIBLECANDIDATE</td>
<td>HTTP cookie command injection</td>
</tr>
<tr>
<td>TOPSEC</td>
<td>N/A</td>
<td>ELIGIBLECONTESTANT</td>
<td>HTTP POST parameter injection</td>
</tr>
</tbody>
</table>
<p><br>
</p>
<h3>References</h3>
<ul>
<li><a href="http://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html" target="_blank">Cisco
SYNful Knock Security Advisory</a></li>
<li><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa" target="_blank">Cisco
Security Advisory Multiple Vulnerabilities in
Cisco ASA Software</a></li>
<li><a href="https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices" target="_blank">Cisco
Evolution of Attacks on Cisco IOS Devices </a></li>
<li><a href="https://cisco.com/c/en/us/about/security-center/integrity-assurance.html" target="_blank">Cisco
IOS Software Integrity Assurance </a></li>
<li><a href="https://www.iad.gov/iad/library/ia-advisories-alerts/recommendations-to-mitigate-unauthorized-cisco-rommon-access-and-validate-boot-roms.cfm" target="_blank">Information
Assurance Advisory NO. IAA U/OO/802097-16
Mitigate Unauthorized Cisco ROMMON</a></li>
<li><a href="https://www.iad.gov/iad/library/ia-advisories-alerts/vulnerability-in-cisco-adaptive-security-appliances-identified-in-open-source-v1.cfm" target="_blank">Information
Assurance Advisory NO. IAA U/OO/802488-16
Vulnerabilities in Cisco Adaptive Security
Appliances</a></li>
<li><a href="https://www.iad.gov/iad/library/ia-guidance/security-tips/network-mitigations-package-infrastructure.cfm" target="_blank">Information
Assurance Directorate Network Mitigations
Package – Infrastructure </a></li>
<li><a href="https://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/guide_c07-665160.html" target="_blank">Cisco
Guide to Securing Cisco NX-OS Software Devices</a></li>
<li><a href="https://cisco.com/web/about/security/intelligence/CiscoIOSXR.html" target="_blank">Cisco
Guide to Harden Cisco IOS XR Devices</a></li>
<li><a href="https://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml" target="_blank">Cisco
Guide to Harden Cisco IOS Devices </a></li>
<li><a href="https://www.cisco.com/c/en/us/about/security-center/framework-segmentation.html" target="_blank">Cisco:
A Framework to Protect Data Through
Segmentation </a></li>
</ul>
<h3>Revision History</h3>
<ul>
<li>September 6, 2016: Initial release</li>
<li>September 13, 2016: Added additional
references</li>
</ul>
<hr>
<p>This product is provided subject to this <a href="http://www.us-cert.gov/privacy/notification" target="_blank">Notification</a>
and this <a href="http://www.us-cert.gov/privacy/" target="_blank">Privacy
&amp; Use</a> policy.</p>
</div>
</div>
<div id="m_-7046225294384125234m_8838011533847931373mail_footer">
<hr>
<table style="width:100%" border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="color:#757575;font-size:10px;font-family:Arial" height="60" width="89%">A
copy of this publication is available at <a class="m_-7046225294384125234m_8838011533847931373moz-txt-link-abbreviated" href="http://www.us-cert.gov" target="_blank">www.us-cert.gov</a>.
If you need help or have questions, please
send an email to <a href="mailto:info@us-cert.gov" title="Mail to info@us-cert.gov" target="_blank">info@us-cert.gov</a>.</td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
<br>
</div>
<br>
<br>
</div>
<br>
</div>
</div>
</div><br></div>