Microsoft Releases April 2023 Security Updates

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review Microsoft’s April 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Microsoft Releases Guidance for the BlackLotus Campaign

Microsoft has released Guidance for investigating attacks using CVE-2022-21894: The BlackLotus Campaign. According to Microsoft, “[t]his guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.” An attacker could exploit this vulnerability to take control of an affected system.
CISA urges users and organizations to review the Microsoft Blog Post for more information and apply necessary detection, recovery, and prevention strategies.

Fortinet Releases April 2023 Vulnerability Advisories

Fortinet has released its April 2023 Vulnerability Advisories to address vulnerabilities affecting multiple products. An attacker could exploit one of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review the Fortinet April 2023 Vulnerability Advisories page for more information and apply the necessary updates.

CISA Releases Zero Trust Maturity Model Version 2

CISA has released an update to the Zero Trust Maturity Model (ZTMM), superseding the initial version released in September 2021. ZTMM provides a roadmap for agencies to reference as they transition towards a zero-trust architecture. ZTMM also provides a gradient of implementation across five distinct pillars to facilitate federal implementation, allowing agencies to make minor advancements toward optimization over time.
The objective of this update is to facilitate the distribution of the ZTMM Version 2 and educate federal civilian agencies on the updated ZTMM and its application to their zero-trust implementations. CISA encourages state, local, tribal, and territorial governments, and the private sector to use ZTMM as a baseline for implementing zero-trust architecture.