IT Solutions That Serve You

What is happening?

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination.

These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Exploiting these vulnerabilities permits malicious actors to trigger a server-side template injection that may result in remote code execution (RCE) (CVE-2022-22954) or escalation of privileges to root (CVE-2022-22960).

VMware Vulnerabilities Chronology

VMware released updates for both vulnerabilities on April 6, 2022, and, according to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices. CISA was made aware of this exploit a week later and added CVE-2022-22954 and CVE-2022-22960 to its catalog of Known Exploited Vulnerabilities on April 14 and April 15, respectively. https://www.cisa.gov/known-exploited-vulnerabilities-catalog 

Why is this significant to business operations?

Note: based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products.  

CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information about observed exploitation of CVE-2022-22954 and CVE-2022-22960 by multiple threat actors at multiple other large organizations from trusted third parties. 

• CVE-2022-22954 enables an actor with network access to trigger a server-side template injection that may result in RCE. This vulnerability affects the following products:
  • VMware Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 
  • vIDM versions 3.3.6, 3.3.5, 3.3.4, 3.3.3 
  • VMware Cloud Foundation, 4.x 
  • vRealize Suite LifeCycle Manager, 8.x 

• CVE-2022-22960 enables a malicious actor with local access to escalate privileges to root due to improper permissions in support scripts. This vulnerability affects the following products:
  • VMware Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 
  • vIDM, versions 3.3.6, 3.3.5, 3.3.4, 3.3.3 
  • vRA, version7.6 
  • VMware Cloud Foundation, 3.x, 4.x
  • vRealize Suite LifeCycle Manager, 8.x 

At one compromised organization, on or around April 12, 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems. 

Threat actors have dropped post-exploitation tools, including the Dingo J-spy webshell. (Webshells are malicious scripts that enable threat actors to compromise web servers and launch additional attacks) During incident response activities CISA observed, on or around April 13, 2022, threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell. Around the same period, a trusted third party observed threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell at one other organization. According to the third party, the actors may have also dropped the Dingo J- spy webshell at a third organization.  

Note: analysis of the first compromise and associated malware is ongoing, and CISA will update information about this case more is learned. 

What can I do immediately?

DETECTION METHODS

Signatures

Note: servers vulnerable to CVE-2022-22954 may use Hypertext Transfer Protocol Secure (HTTPS) to encrypt client/server communications. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) decryption can be used as a workaround for network-based detection and threat hunting efforts. 

The following CISA-created Snort signature may detect malicious network traffic related to exploitation of CVE-2022-22954: 

The following third-party Snort signature may detect exploitation of VMware Workspace ONE Access server-side template injection: alert tcp any any ->any $HTTP_PORTS (msg:”VMware:HTTP GET URI contains ‘/catalog-portal/ui/oauth/verify?error=&deviceUdid=’:CVE-2022-22954″; sid:1;  rev:1;  flow:established,to_server; content:  “GET”; http_method; content:”/catalog-portal/ui/oauth/verify?error=&deviceUdid=”;  http_uri; reference:cve,2022-22954; reference:url,github.com/sherlocksecurity/VMware-CVE-2022-22954; reference:url,github.com/tunelko/CVE-2022-22954-PoC/blob/main/CVE-2022- 22954.py; priority:2; metadata:service http;) 

(msg:”Workspace One Serverside Template Injection”;content:”GET”; http_method; content:”freemarker.template.utility.Execute”;nocase; http_uri; priority:1; sid:;rev:1;) 10000001alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 

The following third-party YARA rule may detect unmodified instances of the Dingo J-spy webshell on infected hosts: 

 {  rule dingo_jspy_webshell

 strings:

$string1 = “dingo.length”

$string2 = “command = command.trim”

$string3 = “commandAction”

$string4 = “PortScan”

$string5 = “InetAddress.getLocalHost”

$string6 = “DatabaseManager”

$string7 = “ExecuteCommand”

$string8 = “var command = form.command.value”

$string9 = “dingody.iteye.com”

$string10 = “J-Spy ver”

$string11 = “no permission ,die”

string12 = “int iPort = Integer.parseInt”

condition:

filesize < 50KB and 12 of ($string*)

}

 Note: the Dingo J-spy webshell is an example of post-exploitation tools that actors have used. Administrators should examine their network for any sign of post-exploitation activity. 

Behavioral Analysis and Indicators of Compromise 

Information Security Analysts should conduct behavioral analysis on root accounts of vulnerable systems by: 

• Using the indicators listed in table 1 to detect potential malicious activity. 
• Reviewing systems logs and gaps in logs. 
• Reviewing abnormal connections to other assets. 
• Searching the command-line history. 
• Auditing running processes. 
• Reviewing local user accounts and groups. 
• Auditing active listening ports and connections. 

Table 1: Third-party IOCs for Exploitation of CVE-2022-22954 and CVE-2022-22960 

INCIDENT RESPONSE

If Information Security Analysts discover system compromise, CISA recommends they: 

-Immediately isolate affected systems. 

-Collect and review relevant logs, data, and artifacts. 

-Consider soliciting support from a third-party incident response organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation. 

– Report incidents to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888- 282-0870). 

MITIGATIONS

CISA recommends organizations update impacted VMware products to the latest version or remove impacted versions from organizational networks. CISA does not endorse alternative mitigation options. As noted in ED 22-03 Mitigate VMware Vulnerabilities, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. ED 22-03 directs all Federal Civilian Executive Branch agencies to enumerate all instances of impacted VMware products and deploy updates in VMware Security Advisory VMSA-2022-0014 or to remove the affected software from the agency network until the updates can be applied.

RESOURCES

• ED 22-03 Mitigate VMware Vulnerabilities https://www.cisa.gov/emergency-directive-22-03 
• VMware Security Advisory VMSA-2022-0011 https://www.vmware.com/security/advisories/VMSA-2022-0011.html 
• VMware Security Advisory VMSA-2022-0014 https://www.vmware.com/security/advisories/VMSA-2022-0014.html 

What is happening?

The FBI, the Cybersecurity and Infrastructure Security Agency, the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory to provide information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair.  

Why is this important?

Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim. 

Karakurt actors have typically provided screenshots or copies of stolen file directories as proof of stolen data. Karakurt actors have contacted victims’ employees, business partners, and clients [T1591.002] with harassing emails and phone calls to pressure the victims to cooperate. The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients. Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files and, occasionally, a brief statement explaining how the initial intrusion occurred. 

Prior to January 5, 2022, Karakurt operated a leaks and auction website found at https://karakurt[.]group.  

The domain and IP address originally hosting the website went offline in spring 2022, the website is no longer accessible yet has been reported to be located elsewhere on the dark web. May 2022, the website contained several terabytes of data purported to belong to victims across North America and  

Europe, along with several “press releases” naming victims who had not paid or cooperated, and instructions for participating in victim data “auctions.”

TECHNICAL DETAILS

Karakurt does not appear to target any specific sectors, industries, or types of victims. During reconnaissance [TA0043], Karakurt actors appear to obtain access to victim devices primarily: 

• By purchasing stolen login credentials [T1589.001][T1589.002]; 
• Cooperating partners in the cybercrime community provide Karakurt access to already compromised victims; or 
• Through buying access to already compromised victims via third-party intrusion broker networks [T1589.001].
  • Note: Intrusion brokers, or intrusion broker networks, are malicious cyber actors who use a variety of tools to obtain initial access to, often creating marketable persistence within protected computer systems. Intrusion brokers then sell access to these compromised computer systems to other cybercriminal actors, i.e. those engaged in ransomware, business email compromise, corporate and government espionage, etc. 

Common intrusion vulnerabilities exploited for initial access [TA001] in Karakurt events include the following: 

• Outdated SonicWall SSL VPN appliances [T1133] are vulnerable to multiple recent CVEs 
• Log4j “Log4Shell” Apache Logging Services vulnerability (CVE-2021-44228) [T1190] 
• Phishing and spearphishing [T1566] 
• Malicious macros within email attachments [T1566.001] 
• Stolen virtual private network (VPN) or Remote Desktop Protocol (RDP) credentials [T1078] 
• Outdated Fortinet FortiGate SSL VPN appliances [T1133]/firewall appliances [T1190] vulnerable to multiple recent CVEs 
• Outdated and/or unserviceable Microsoft Windows Server instances. 

Network Reconnaissance, Enumeration, Persistence, and Exfiltration 

Upon developing or obtaining access to a compromised system, Karakurt actors deploy Cobalt Strike beacons to enumerate a network [T1083], install Mimikatz to pull plain-text credentials [T1078], use AnyDesk to obtain persistent remote control [T1219], and utilize additional situation-dependent tools to elevate privileges and move laterally within a network to their target(s). 

Karakurt actors then compress (typically with 7zip) and exfiltrate large sums of data entire network-connected shared drives in volumes exceeding 1 terabyte (TB) using open-source applications and File Transfer Protocol (FTP) services [T1048], such as Filezilla, and cloud storage services including rclone and Mega.nz [T1567.002]. 

Extortion

Following exfiltration of data, Karakurt actors present the victim with ransom notes by way of “readme.txt” files, via emails sent to victim employees over the compromised email networks, and emails sent to victim employees from external email accounts. The ransom notes reveal the victim has been hacked by the “Karakurt Team” and threaten public release or auction of the stolen data. The instructions include a link to a TOR URL with an access code. Visiting the URL with the access code to open a chat application, victims can negotiate with Karakurt actors to have their data deleted. 

Karakurt victims have reported extensive harassment campaigns by Karakurt actors in which employees, business partners, and clients receive numerous emails and phone calls warning the recipients to encourage the victims to negotiate with the actors to prevent the dissemination of victim data. These communications often included samples of stolen data, primarily personally identifiable information (PII), such as employment records, health records, and financial business records. 

Victims who negotiate with Karakurt actors receive a “proof of life,” such as screenshots showing file trees of allegedly stolen data or, in some cases, actual copies of stolen files. Upon reaching an agreement on the price of the stolen data with the victims, Karakurt actors provided a Bitcoin address, a new, previously unused address, to which ransom payments could be made. 

Upon receiving the ransom, Karakurt actors provide some form of alleged proof of deletion of the stolen files, such as a screen recording of the files being deleted, a deletion log, or credentials for a victim to log into a storage server and delete the files themselves. 

Although Karakurt’s primary extortion leverage is a promise to delete stolen data and keep the incident confidential, some victims reported Karakurt actors did not maintain the confidentiality of victim information after a ransom was paid.  

Note: he U.S. government strongly discourages the payment of any ransom to Karakurt threat actors, or any cyber criminals promising to delete stolen files in exchange for payments. 

In some cases, Karakurt actors have conducted extortion against victims previously attacked by other ransomware variants. In such cases, Karakurt actors likely purchased or otherwise obtained previously stolen data. Karakurt actors have also targeted victims at the same time these victims were under attack by other ransomware actors. In such cases, victims received ransom notes from multiple ransomware variants simultaneously, suggesting Karakurt actors purchased access to a compromised system that was also sold to another ransomware actor. 

Karakurt actors have also exaggerated the degree to which a victim had been compromised and the value of data stolen, i.e. Karakurt actors claimed to steal volumes of data far beyond the storage capacity of compromised systems or claimed to steal data that did not belong to the victim. 

Indicators of Compromise

MITRE ATT&CK TECHNIQUES

Table 1: Karakurt actors ATT&CK techniques for enterprise

What can I do?

MITIGATIONS

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). 
• Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization. 
• Regularly back up data and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides. 
• Install and regularly update antivirus software on all hosts and enable real time detection. 
• Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. 
• Review domain controllers, servers, workstations, and active directories for new or unrecognized accounts.

• Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges. 
• Disable unused ports. 
• Consider adding an email banner to emails received from outside your organization. 
• Disable hyperlinks in received emails. 
• Enforce multi-factor authentication. 
• Use National Institute for Standards and Technology (NIST) standards for developing and managing password policies. 
  • Use longer passwords consisting of at least 15 characters and no more than 64 characters in length; 
  • Store passwords in hashed format using industry-recognized password managers; 
  • Add password user “salts” to shared login credentials; 
  • Avoid reusing passwords; 
  • Implement multiple failed login attempt account lockouts; 
  • Disable password “hints”; 
  • Refrain from requiring password changes more frequently than once per year. 

Note: NIST guidance favors longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher. 

• • Require administrator credentials to install software. 

• Only use secure networks and avoid using public Wi-Fi networks.   
• Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams). 

RESOURCES

• For additional resources related to the prevention and mitigation of ransomware, visit Stopransomware.gov  and NIST’s Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events.                           https://www.nccoe.nist.gov/data-integrity-detecting-and-responding-ransomware-and-other-destructive-events 

•  CISA’s Ransomware Readiness Assessment is a no-cost self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident. https://github.com/cisagov/cset/releases/tag/v10.3.0.0 
• CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. 
• Financial Institutions must comply with any applicable Bank Secrecy Act requirements, including suspicious activity reporting obligations. Indicators of Compromise, such as suspicious email addresses, file names, hashes, domains, and IP addresses, can be provided under Item 44 of the Suspicious Activity Report (SAR) form. For more information on mandatory and voluntary reporting of cyber events via suspicious activity reports (SARs),  
• see FinCEN Advisory FIN-2016-A005, Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, October 25, 2016, https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a005  and  
• FinCEN Advisory FIN-2021-A004, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, November 8, 2021, which updates FinCEN Advisory FIN-2020-A006 https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2021-a004 

• The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely. https://www.state.gov/rewards-for-justice/ 

What is happening?

Microsoft has shared mitigation measures to block attacks exploiting a newly discovered Microsoft Office zero-day flaw abused in the wild to execute malicious code remotely. 

Why is this important?

The bug is a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability. It is used by threat actors to execute malicious PowerShell commands via MSDT in what Redmond describes as Arbitrary Code Execution (ACE) attacks when opening or previewing Word documents. 

An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. 

The flaw impacts all Windows versions still receiving security updates (Windows 7+ and Server 2008+). Microsoft is now tracking it as CVE-2022-30190. More here https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190 

What can I do?

Workaround available 

Admins and users can block attacks by disabling the MSDT URL protocol, which malicious actors use to launch troubleshooters and execute code on vulnerable systems. To disable the MSDT URL protocol on a Windows device, use the following procedure: 

1. Run Command Prompt as Administrator. 
2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt.reg” 
3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f” 

After Microsoft releases a CVE-2022-30190 patch, you can undo the workaround by launching an elevated command prompt and executing the reg import ms-msdt.reg command (filename is the name of the registry backup created when disabling the protocol). 

Microsoft Defender Antivirus 1.367.719.0 or newer now also comes with detections for possible vulnerability exploitation under the following signatures: 

• Trojan:Win32/Mesdetty.A
• Trojan:Win32/Mesdetty.B 
• Behavior:Win32/MesdettyLaunch.A 
• Behavior:Win32/MesdettyLaunch.B 
• Behavior:Win32/MesdettyLaunch.C 

While Microsoft says that Microsoft Office’s Protected View and Application Guard would block CVE-2022-30190 attacks, CERT/CC vulnerability analyst Will Dormann found that the security feature will not block exploitation attempts if the target previews the malicious documents in Windows Explorer. Therefore, it is also advised to disable the Preview pane in Windows Explorer to also remove this attack vector. 

What is happening?

US automobile manufacturer General Motors (GM) announced that it was hit by a credential stuffing attack last month that exposed customer information and allowed hackers to redeem rewards points for gift cards. GM said that they detected the malicious login activity between April 11-29, 2022. 

Why is this important?

A credential stuffing attack is a cyber-attack in which credentials obtained from a previous data breach on one service are used to attempt to log in to another unrelated service. 

What can I do?

GM Notice to customers  

May 16, 2022 

NOTICE OF DATA BREACH 

We’re happy to have you as a Member of the General Motors family, appreciate your loyalty and take the protection of your personal information seriously. 

We are writing to follow up on our email to you, advising you of a data incident involving the identification of recent redemption of your reward points that appears to be without your authorization. We are investigating and will restore any points that were redeemed without your authorization. 

In that email, we also informed you that for you to continue accessing your account, you need to reset your password. If you have not already done so, click on this link and follow the instructions: Recover GM Account How To’s here https://experience.gm.com/myaccount/authorize/forgot-password/email-input 

This action is necessary to help keep your personal information safe and your account secure. 

We want you to understand what happened and the steps we have taken to address the incident. Although we have no reason to believe that any further misuse of the information included in your GM account will occur, we have included suggestions on measures you can take to better protect your account and your personal information. 

What happened?

Between April 11, 2022, and April 29, 2022, we identified some suspicious log ins to certain GM online customer accounts and identified recent redemption of customer reward points for gift cards that may have been performed without the customers’ authorizations. Upon discovery, we suspended this feature on the account website and notified affected customers of these issues, advising them that they would need to reset their passwords in order to gain access to their online customer accounts. We also reported the activity to law enforcement. We continue to monitor account activity to protect our customers and personal information about them. 

What information was involved?

Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.

Through this unauthorized activity, the unauthorized parties could have gained access to limited personal information of your GM online or mobile application accounts, such as first and last name, personal email address, personal address, username and phone number for registered family members tied to your account, last known and saved favorite location information, your currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile picture, search and destination information, reward card activity, and fraudulently redeemed reward points. 

The GM accounts did not include date of birth, Social Security number, driver’s license number, credit card information, or bank account information, as that information is not stored in your GM account. 

What are we doing?

As discussed above, we took swift action in response to the suspicious activity by suspending gift card redemption and notifying affected customers of these issues. We also took steps to require those customers to reset their passwords at their next log in, and we reported this incident to law enforcement. 

What you can do

If you haven’t yet, please follow the steps outlined above to reset your GM password. We recommend, as good security practices, that you not use the same password for different accounts, and that you update any use of duplicate passwords. 

Please review the additional resources included with this letter (Attachment A). This attachment describes additional best practices you can take to help protect personal information about you generally, including recommendations by the Federal Trade Commission regarding identity theft protection and details on how to place a fraud alert or a security freeze on your credit file. 

Placing a Fraud Alert

If you have concerns about possible identity theft, you have the right to place an initialor extended fraud alert on your credit file at no cost. An initial fraud alert is a one-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. You may obtain additional information from the FTC and the credit reporting agencies listed above about placing a fraud alert and/or security freeze on your credit report. 

Obtain a Police Report

For security incidents generally, you have the right to file and obtain a copy of a police report. 

We regret any inconvenience or concern this incident may have caused. If you have any questions concerning this incident, please call the GM toll-free number at (844) 764-2665, Monday through Saturday, 9:00 a.m.-8:00 p.m. Eastern Time. 

Sincerely, 

My GM Account Connection Center Support 

ATTACHMENT A

Order You Free Credit Report

Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus (Equifax, Experian, and TransUnion). To order your free annual credit report, visit www.annualcreditreport.com, call toll-free at (877) 322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s (FTC) website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. The three credit bureaus provide free annual credit reports only through the website, toll-free number, or request form. You may also purchase a copy of your credit report by contacting any of the credit reporting agencies below: 

Upon receiving your credit report, review it carefully. Errors may be a warning sign of possible identity theft. Here are a few tips of what to look for: 

• Look for accounts you did not open. 
• Look in the “inquiries” section for names of creditors from whom you have not requested credit. Some companies bill under names other than their store or commercial names; the credit bureau will be able to tell if this is the case. 
• Look in the “personal information” section for any inaccuracies in information (such as home address and Social Security Number). 

If you see anything you do not understand, call the credit bureau at the telephone number on the report. Errors may be a warning sign of possible identity theft. You should notify the credit bureaus of any inaccuracies in your report, whether due to error or fraud, as soon as possible so the information can be investigated and, if found to be in error, corrected. If there are accounts or charges you did not authorize, immediately notify the appropriate credit bureau by telephone and in writing. Information that cannot be explained should also be reported to your local police or sheriff’s office because it may signal criminal activity. 

We encourage you remain vigilant for incidents of fraud and identity theft, including regularly reviewing and monitoring your credit reports and account statements. 

As a reminder, if you detect any unauthorized transactions in any of your financial accounts, promptly notify the appropriate payment card company or financial institution. If you detect any incidence of identity theft or fraud, promptly report the matter to your local law enforcement authorities (from whom you can obtain a police report), state Attorney General, and the Federal Trade Commission (FTC). You can contact the FTC to learn more about how to protect yourself from becoming a victim of identity theft by using the contact information below: 

Federal Trade Commission Bureau of Consumer Protection 600 Pennsylvania Avenue NW Washington, DC 20580 (877) IDTHEFT (438-4338) 

www.ftc.gov/idtheft 

Placing a Security Freeze

Under the federal Fair Credit Reporting Act, you have a right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. 

You can place, temporarily lift, or permanently remove a security freeze on your credit report online, by phone, or by mail. You will need to provide certain personal information, such as address, date of birth, and Social Security number to request a security freeze and may be provided with a unique personal identification number (PIN) or password, or both, that can be used by you to authorize the removal or lifting of the security freeze. Information on how to place a security freeze with the credit reporting agencies is also contained in the links below: 

https://www.equifax.com/personal/credit-report-services/https://www.experian.com/freeze/center.htmlhttps://www.transunion.com/credit-freeze 

As of April 18, 2022, the reporting agencies allow you to place a credit freeze through the online, physical mail and phone numbers and request that you provide the information listed below. Where possible, please consult the websites listed above for the most up-to-date instructions.