JCDC Success Stories Archive

2023

JCDC Participants Share Real-Time Threat Information on NetScaler Vulnerability Post-Exploitation Activity

Since July 2023, JCDC participants, including Mandiant, Shadowserver, GreyNoise, ZeroFox, and IBM Security X-Force, have provided continuous insight into post-exploitation activity of the NetScaler (formerly Citrix) Application Delivery Controller and NetScaler Gateway vulnerability (CVE-2023-3519). 

Recognizing the importance of open multi-directional communication, CISA established real-time information sharing with industry partners possessing advanced insight into exploitation of the vulnerability. JCDC participants shared numerous detection methods; threat actor tactics, techniques, and procedures; and indicators of compromise. CISA then consolidated and shared those details with federal, state, local, tribal, and territorial governments, as well as international partners, to assist their response efforts. 

As a result of the initial information-sharing efforts, many JCDC participants shared additional associated technical information that CISA was then able to amplify and enrich. CISA also used this information to update the Cybersecurity Advisory “Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells” to assist cyber defenders with detecting and responding to this malicious activity.

2022

Chinese APT Campaign Targeting SLTT Organizations

Between 2021 and 2022, CISA recognized an emerging Chinese APT campaign impacting state, local, tribal, and territorial (SLTT) partners, with the actors employing common tactics, techniques, and procedures. CISA collaborated with affected SLTT government organizations and JCDC members to better understand the nature of the activity and identify multiple zero-day vulnerabilities used as initial intrusion vectors. CISA also acted as a broker to share timely and actionable network defense information among JCDC members and SLTT governments. This broader perspective enabled multiple SLTT governments to locate and respond to associated intrusion activity while supporting JCDC members’ understanding of the same. Finally, CISA collaborated with SLTT organizations and JCDC members, including interagency partners, to develop two network defense advisories based on this activity and share them with JCDC members and SLTT partners.

CISA Releases U.S. Elections Cybersecurity Toolkit

With the approach of the 2022 midterm elections, JCDC has ramped up efforts to support the CISA elections security mission via a range of events, resources, and synchronized communications and operations for the duration of the election season. In August 2022, CISA worked with JCDC members to release a new toolkit of free services and tools to help enhance the cybersecurity and cyber resilience of U.S. election infrastructure. The toolkit includes free tools, services, and resources provided by CISA, JCDC members, and others across the cybersecurity community. The toolkit offers stakeholders—including state and local government officials, election officials, and vendors—resources to protect themselves against common cyber threats like phishing, ransomware, and distributed denial-of-service attacks.

JCDC Supports Albania's CERT

In July 2022, JCDC coordinated the response to a high-visibility, high-priority international event: an intrusion into the network of the Albanian National Agency for Information Society (AKSHI), which is Albania’s national Computer Emergency Response Team (CERT). After learning of the compromise, JCDC engaged with AKSHI and U.S. federal partners to learn more about the incident and determine next steps. AKSHI shared indicators of compromise (IOCs) and malware samples with JCDC and granted JCDC permission to further share the IOCs and samples with trusted industry partners, including JCDC member companies. JCDC members, in turn, shared helpful analysis back with AKSHI. JCDC also connected Albania with partners at Twitter and Discord to remove content posted by the AKSHI network intruders from the social media platforms. This incident demonstrates the power of JCDC’s public-private partnerships model to provide a foreign government with quick and comprehensive expert analysis and incident response guidance.

Expansion to Include Industrial Control

Recognizing the need to further increase U.S. government focus on the cybersecurity and resilience of industrial control systems (ICS), CISA recently expanded JCDC to form JCDC-ICS. JCDC-ICS includes ICS industry experts, 10 new companies—including security vendors, integrators, and distributors—and two current JCDC partners with experience in ICS and operational technology (OT).

JCDC-ICS leverages the knowledge, visibility, and capabilities of the ICS community to build plans around the protection and defense of control systems; inform U.S. government guidance on ICS/OT cybersecurity; and contribute to operational fusion across private and public partners in the ICS/OT space.

Geopolitical Tensions Cyber Defense Plan

In early 2022, CISA developed a Russia-Ukraine Tensions Plan with JCDC members that lays out phases and objectives of operational coordination between the U.S. government and private sector partners amidst escalating geopolitical tensions. Additionally, JCDC conducted a tabletop exercise of this plan with interagency and private sector members. The plan serves to guide and align collective operational posture and support the ability to synchronize defensive actions to mitigate harmful impacts to U.S. critical infrastructure from Russian cyber operations.

JCDC members worked together to compile a list of free cybersecurity tools and services to help organizations further advance their security capabilities. This list has proved particularly impactful for small businesses and other organizations that are target rich and resource poor.

Amplified Discovery of Daxin

In February 2022, researchers at Broadcom, a JCDC member and global software company, discovered a backdoor malware known as Daxin. Attributed to China, Daxin allows its controller to install malicious software on, and collect information from, specific government targets as part of a larger espionage campaign.

Broadcom leveraged JCDC’s operational collaboration to notify foreign governments that are not Broadcom customers about the threat.

“Within 48 hours of contacting JCDC, we put on a call with the first government that we worked with, along with DHS and JCDC,” said Vikram Thakur, technical director at Symantec Threat Intelligence, a division of Broadcom Software.

CISA leveraged pre-existing relationships with both the U.S. private sector and international partners to notify foreign governments affected by this activity and assist in remediation. Specifically, as JCDC members, CISA and Broadcom were able to uncover the new “Daxin” malware and provide advice on both detection and remediation to partners across the globe.

For more information, see CISA's Current Activity on Daxin and the Broadcom blog post, “Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks.”

2021

Defense Against Log4Shell

Upon the discovery of the Log4Shell vulnerability in Apache Log4j software in December 2021, JCDC shared indicators of compromise, threat activity, and intelligence with and among JCDC members to enable partners to act quickly on this threat. Log4j is broadly used to log security and performance information in a variety of consumer and enterprise services, websites, and applications, as well as in operational technology products. JCDC partners built true operational collaboration by helping the cybersecurity community to better understand and manage the threat posed by Log4Shell and related vulnerabilities.

For more information, see Apache Log4j Vulnerability Guidance.