The Federal Trade Commission (FTC) has released an article promoting International Charity Fraud Awareness Week (ICFAW), which runs October 21–25. FTC, the National Association of State Charities Officials, and state and international partners coordinated this campaign to help both charities and donors avoid charity fraud.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages charities and donors to review FTC’s article and the following resources for more information:

• How to Donate Wisely and Avoid Charity Scams Tip
• Avoiding Social Engineering and Phishing Attacks Tip
• ICFAW resources and tips on FTC’s Twitter and Facebook accounts

The National Security Agency (NSA) and the United Kingdom National Cyber Security Centre (NCSC) have released a joint advisory on advanced persistent threat (APT) group Turla—widely reported to be Russian. The advisory provides an update to NCSC’s January 2018 report on Turla’s use of the malicious Neuron, Nautilus, and Snake tools to steal sensitive data. Additionally, the advisory states that Turla has compromised—and is currently leveraging—an Iranian APT group’s infrastructure and resources, which include the Neuron and Nautilus tools.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources for more information:
•    NSA Advisory Turla Group Exploits Iranian APT To Expand Coverage Of Victims
•    UK NCSC Advisory Turla group exploits Iranian APT to expand coverage of victims
•    January 2018 UK NCSC Report Turla Group Malware

The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ISC advisories for CVE-2019-6475 and CVE-2019-6476 for more information and to apply the necessary updates and workarounds.

Cisco has released security updates to address vulnerabilities in Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities see the Cisco Security Advisories page.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco Advisories and apply the necessary updates:

• Aironet Access Points Unauthorized Access Vulnerability cisco-sa-20191016-airo-unauth-access
• Wireless LAN Controller Secure Shell Denial of Service Vulnerability cisco-sa-20191016-wlc-ssh-dos
• SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities cisco-sa-20191016-spa-rce
• Small Business Smart and Managed Switches Cross-Site Request Forgery Vulnerability cisco-sa-20191016-sbss-csrf
• Aironet Access Points Point-to-Point Tunneling Protocol Denial of Service Vulnerability cisco-sa-20191016-airo-pptp-dos
• Aironet Access Points and Catalyst 9100 Access Points CAPWAP Denial of Service Vulnerability cisco-sa-20191016-airo-capwap-dos

The CERT Coordination Center (CERT/CC) has released information on multiple vulnerabilities affecting Pulse Secure Virtual Private Network (VPN). An attacker could exploit these vulnerabilities to take control of an affected system. These vulnerabilities have been targeted by advanced persistent threat (APT) actors.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources for more information and to apply the necessary updates:

• CERT/CC Vulnerability Note VU#927237 Multiple Vulnerabilities in Pulse Secure VPN
• Pulse Secure Security Advisory SA44101 Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX
• National Security Agency (NSA) Cybersecurity Advisory Mitigating Recent VPN Vulnerabilities
• CISA Current Activity Vulnerabilities in Multiple VPN Applications

VMware has released a security update to address a vulnerability affecting Harbor Container Registry for Pivotal Cloud Foundry (PCF). An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2019-0016 and apply the necessary update.

Oracle has released its Critical Patch Update for October 2019 to address 219 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Oracle October 2019 Critical Patch Update and apply the necessary updates.

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:

• Experience Manager APSB19-48
• Acrobat and Reader APSB19-49
• Experience Manager Forms APSB19-50
• Download Manager APSB19-51

WordPress 5.2.3 and prior versions are affected by multiple vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected website.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the WordPress Security Release and upgrade to WordPress 5.2.4.

Google has released Chrome version 77.0.3865.120 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.