Red Alert 2 Update


Ophelia Gurin

Aug 5, 2024, 1:12:02 PM
to gebebadu

Through product testing, the FDA has determined that the ground cinnamon products listed in the table below contain elevated levels of lead and that prolonged exposure to these products may be unsafe.


The FDA is advising consumers to throw away and not to buy these ground cinnamon products. The FDA has recommended that the firms voluntarily recall these products, with the exception of the MTCI cinnamon. The FDA has been unable to reach MTCI to share our findings and request that the company initiate a recall. The FDA will update this notice with the communications from firms that voluntarily agree to recall as we receive them.


Following the October 2023 recall of cinnamon apple puree and applesauce products due to elevated lead levels linked to the cinnamon in those products and the concern for lead toxicity in children, the FDA initiated a targeted survey of ground cinnamon products from discount retail stores and analyzed the samples for lead and chromium.


Based on results from the survey, the FDA is recommending recalls of ground cinnamon from six distributors whose products had elevated lead levels ranging from 2.03 to 3.4 parts per million (ppm) (see table above for a full list of lead levels in these products). These levels are significantly lower than the levels of lead associated with the ongoing investigation into ground cinnamon from Ecuador supplied by Negasmart to Austrofoods, the manufacturer of the apple puree and applesauce products, which were between 2,270 ppm and 5,110 ppm in the cinnamon.


The FDA will continue to work with manufacturers, distributors, and retailers to remove unsafe products from the market, and to further investigate the sources of the lead contamination as appropriate.


The FDA is also continuing its Toxic Elements monitoring program, which includes testing of a variety of foods including colored spices offered for sale in the U.S. Our sampling at import has prevented some cinnamon with elevated lead levels from entering U.S. commerce; however, like all of our surveillance activities, these monitoring programs only evaluate a subset of the commodity being imported. FDA will follow up on these findings as well as continue our activities at import to prevent unsafe cinnamon from reaching consumers in the U.S., including by adding firms and products to import alert where appropriate. Ultimately, it is the responsibility of the manufacturers and the importers to ensure the safety of the products that enter into the U.S. market.


The FDA also sent a letter to all cinnamon manufacturers, processors, distributors, and facility operators in the U.S. reminding them of the requirement to implement controls to prevent contamination from potential chemical hazards in food, including in ground cinnamon products. The FDA will continue to work with firms to ensure they are meeting their responsibilities under provisions of the Current Good Manufacturing Practice, Hazard Analysis, and Risk-Based Preventive Controls for Human Food rule.


The potential for adverse health effects from consuming food contaminated with lead varies depending on the level of lead in the food; age of the consumer; length, amount, and frequency of exposure to lead in the food; and other exposures to different sources of lead. For example, the very young are particularly vulnerable to the potential harmful effects from lead exposure because of their smaller body sizes and rapid metabolism and growth. High levels of exposure to lead in utero, infancy, and early childhood can lead to neurological effects such as learning disabilities, behavior difficulties, and lowered IQ.



This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.


Analysis by DHS and FBI resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. [1]


The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. DHS analysis identified the threat actors accessing publicly available information hosted by organization-monitored networks during the reconnaissance phase. Based on forensic analysis, DHS assesses the threat actors sought information on network and organizational design and control system capabilities within organizations. These tactics are commonly used to collect the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.


In previous reporting, DHS and FBI noted that all of these spear-phishing emails referred to control systems or process control systems. The threat actors continued using these themes specifically against intended target organizations. Email messages included references to common industrial control equipment and protocols. The emails used malicious Microsoft Word attachments that appeared to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, and invitations and policy documents to entice the user to open the attachment.


The threat actors used distinct and unusual TTPs in the phishing campaign directed at staging targets. Emails contained successive redirects to [.]ly/2m0x8IH link, which redirected to [.]com/h3sdqck link, which redirected to the ultimate destination of [.]com/nitel. The imageliner[.]com website contained input fields for an email address and password mimicking a login page for a website.


DHS observed the threat actors using this and similar scripts to create multiple accounts within staging target networks. Each account created by the threat actors served a specific purpose in their operation. These purposes ranged from the creation of additional accounts to cleanup of activity. DHS and FBI observed the following actions taken after the creation of these local accounts:


Account 1: Account 1 was named to mimic backup services of the staging target. This account was created by the malicious script described earlier. The threat actor used this account to conduct open-source reconnaissance and remotely access intended targets.


Account 4: In the latter stage of the compromise, the threat actor used Account 1 to create Account 4, a local administrator account. Account 4 was then used to delete logs and cover tracks.


After achieving access to staging targets, the threat actors installed tools to carry out operations against intended victims. On one occasion, threat actors installed the free version of FortiClient, which they presumably used as a VPN client to connect to intended target networks.


Consistent with the perceived goal of credential harvesting, the threat actors dropped and executed open source and free tools such as Hydra, SecretsDump, and CrackMapExec. The naming convention and download locations suggest that these files were downloaded directly from publicly available locations such as GitHub. Forensic analysis indicates that many of these tools were executed during the timeframe in which the actor was accessing the system. Of note, the threat actors installed Python 2.7 on a compromised host of one staging victim, and a Python script was seen at C:\Users\\Desktop\OWAExchange\.


DHS and FBI identified the threat actors leveraging remote access services and infrastructure such as VPN, RDP, and Outlook Web Access (OWA). The threat actors used the infrastructure of staging targets to connect to several intended targets.
