Special Edition
December 28, 2020
Happy New Year from all of us to all of you!
Thank you for your partnership and for your work to help your community through 2020. We look forward to 2021!
URGENT Cybersecurity Alert & Resources for You

Summary: The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.

Message & Resources from the Wisconsin Department of Administration, Bill Nash, Chief Information Security Officer:

Since the CISA reporting on SolarWinds Orion has been so well publicized and is causing a lot of concern, we wanted to provide a summary and reminder of services available. If you have already confirmed that you do not have SolarWinds Orion, this is a reminder of the services available to you.

Official details and updates, including the indicators of compromise, can be found here: https://us-cert.cisa.gov/ncas/alerts/aa20-352a

To recap, if you do not have one of the following affected versions of SolarWinds Orion, you do not need to take action:
Affected Versions:
·      Orion Platform 2019.4 HF5, version 2019.4.5200.9083
·      Orion Platform 2020.2 RC1, version 2020.2.100.12219
·      Orion Platform 2020.2 RC2, version 2020.2.5200.12394
·      Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
 
If you are operating one of the vulnerable versions, then the information below can help you determine what category you fall in and determine the level of risk and effort necessary to put your SolarWinds back into operation:

·       Category 1 includes those who do not have the identified malicious binary. These owners can patch their systems and resume use as determined by and consistent with their internal risk evaluations.

·       Category 2 includes those who have identified the presence of the malicious binary (with or without beaconing to avsvmcloud[.]com). Owners with malicious binary whose vulnerable appliance's only unexplained external communications are with avsvmcloud[.]com (a fact that can be verified by comprehensive network monitoring for the device) can harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation.

·       Category 3 includes those with the binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address. If you observed communications with avsvmcloud[.]com that appear to suddenly cease prior to December 14, 2020 (not due to an action taken by your network defenders), you fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately.

NSA’s recent report on detecting abuse of authentication mechanisms (like SAML) is available here: https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF.

If you are in need of assistance, the MS-ISAC and CISA are excellent resources:
·       For reporting indications of potential compromise, contact:  www.cisa.gov or central@cisa.dhs.gov.
·       For general questions and inquiries, contact: CyberLiaison@cisa.dhs.gov
·       For reporting indications of potential compromise, contact: https://us-cert.cisa.gov/report.
·       Please also include the MS-ISAC SOC, soc@msisac.org, on any outreach to CISA if you are an MS-ISAC member.
 
If you are in need of state resources:
 
Wisconsin Statewide Intelligence Center (WSIC)
·       Reporting Cybercrime: https://wifusion.widoj.gov/ and click “Cyber Incident Reporting Form”
·       Subscribe to WSIC Analytic Reports email:  wsic@doj.state.wi.us.
 
Wisconsin Cyber Response Team (CRT)
·       To become a CRT member email: crt@wisconsin.gov
·       For cyber incident assistance call: WEM Duty Officer at 800-943-0003

Bill Nash | Chief Information Security Officer
Department of Administration
Division of Enterprise Technology
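
The category triage in the message above can be written as a short decision function over the Orion server's outbound connection records. This is an added example, not code from CISA or the Department of Administration; the log format, the `explained` allowlist, the `defender_blocked` flag and all function names are assumptions, and every destination other than the beacon domain is constructed.

```python
from datetime import date

# Affected Orion build numbers and the beacon domain, both taken from the advisory.
AFFECTED = {"2019.4.5200.9083", "2020.2.100.12219",
            "2020.2.5200.12394", "2020.2.5300.12432"}
BEACON = "avsvmcloud.com"
CUTOFF = date(2020, 12, 14)

# Constructed sample: "<YYYY-MM-DD> <destination>" per outbound connection
# from the Orion server. The log format itself is an assumption.
SAMPLE_LOG = """\
2020-11-20 updates.vendor.example
2020-11-21 host1.avsvmcloud.com
2020-11-30 host7.avsvmcloud.com
2020-12-16 updates.vendor.example
"""

def parse(log_text):
    """Return [(date, destination)] from the constructed log format."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, dest = line.split()
        events.append((date.fromisoformat(day), dest.lower().rstrip(".")))
    return events

def is_beacon(dest):
    """Match the beacon domain and its subdomains, not look-alike suffixes."""
    return dest == BEACON or dest.endswith("." + BEACON)

def triage(version, binary_present, log_text, explained, defender_blocked=False):
    """Return 0 (version not affected) or the advisory's category 1, 2 or 3."""
    if version not in AFFECTED:
        return 0
    if not binary_present:
        return 1
    events = parse(log_text)
    beacons = [d for d, dest in events if is_beacon(dest)]
    unexplained = {dest for _, dest in events
                   if not is_beacon(dest) and dest not in explained}
    if beacons:
        # Beaconing that stops before the cutoff while the log keeps going,
        # with no defender action to explain it, counts as Category 3.
        ceased = max(beacons) < CUTOFF <= max(d for d, _ in events)
        if unexplained or (ceased and not defender_blocked):
            return 3
    return 2
```

The result is only as reliable as the monitoring behind the log: Category 2 rests on the connection records for the device being comprehensive.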
Important New Tool! DHS Covid Exposure App to Help Stop the Spread!

What is WI Exposure Notification?
WI Exposure Notification is a smartphone app that uses Bluetooth Low Energy technology to help stop the spread of COVID-19 in Wisconsin. Once you activate the app, your phone exchanges anonymous signals with other phones that are near it for at least 15 minutes. If somebody who has the app tests positive for COVID-19, they can then send an alert using the app to those other phones. This will allow people who are close contacts to quickly get the care they need and avoid exposing others to the virus.

Learn more about the privacy protections and how to activate the app on the DHS website here. It is available for both Android and iPhone users.

EASY SHARE! The more people that have the app, the more effective it will be!

Click here to Share the app on Facebook from the League's Facebook page to your own or your municipality's page. And/or leave a "thumbs up" once you have the app on your own phone. You can help the post "go viral."

Click here to Share the app on LinkedIn from the League's page.

Click here to retweet the League's Tweet with news of the app.
DHS COVID-19: At-Home Collection Kit

The State of Wisconsin and Vault Medical Services have teamed up to offer a new COVID-19 testing option for everyone who lives in Wisconsin, with or without symptoms, at no cost. This new service allows people to collect their own saliva samples for testing in their home. The capacity is expected to expand over time. Learn more.

EASY SHARE! Click here to share the news from the League's Facebook page to your own or your municipality's page.
Bonus - NLC's Covid Resources

NLC’s recent COVID-19 Local Response Principles brief on Supporting Small Businesses, Essential Workers, and Jobseekers outlines strategies that cities (and villages) can use, like understanding local employment trends; leveraging connections with workforce boards and community colleges to connect training to local needs; tracking and understanding changes in the needs of local entrepreneurs; waiving or reducing fees for outdoor space use and license renewals; and working with local lenders to be strategic about business funding.
Calendar these Upcoming League Member Virtual Roundtables

Tuesday, January 12, 2021 12:00 to 1:00 pm
Tuesday, February 9, 2021 12:00 to 1:00 pm
Tuesday, March 9, 2021 12:00 to 1:00 pm
Tuesday, April 13, 2021 12:00 to 1:00 pm

Zoom information is posted here on the League's Covid-19 page.