Adobe Releases Security Updates for ColdFusion

Original release date: March 23, 2021

Adobe has released security updates to address a vulnerability affecting ColdFusion. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review Adobe Security Bulletin APSB21-16 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Using CHIRP to Detect Post-Compromise Threat Activity in On-Premises Environments

Original release date: March 18, 2021

CISA Hunt and Incident Response Program (CHIRP) is a new forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with the SolarWinds and Active Directory/M365 Compromise. CHIRP is freely available on the CISA GitHub repository.

Similar to the CISA-developed Sparrow tool—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment.

CISA Alert AA21-077A: Detecting Post-Compromise Threat Activity using the CHIRP IOC Detection Tool provide guidance on using the new tool. This Alert is a companion to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations and AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud.

CISA encourages users and administrations to review the Alert for more information. For more technical information on the SolarWinds Orion supply chain compromise, see CISA’s Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page. For general information on CISA’s response to the supply chain compromise, refer to

This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates

Original release date: March 18, 2021

Cisco has released security updates to address a vulnerability in Cisco Small Business routers. A remote attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review Cisco Advisory cisco-sa-rv-132w134w-overflow-Pptt4H2p and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

TTP Table for Detecting APT Activity Related to SolarWinds and Active Directory/M365 Compromise

Original release date: March 17, 2021

CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.

CISA encourages network defenders to review SolarWinds and AD/M365 Compromise: Detecting APT Activity from Known TTPs and implement the recommendations. CISA also recommends network defenders review the following resources regarding this incident:

This product is provided subject to this Notification and this Privacy & Use policy.

CISA-FBI Joint Advisory on TrickBot Malware

Original release date: March 17, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware. A sophisticated group of cyber criminals are using phishing emails claiming to contain proof of traffic violations to lure victims into downloading TrickBot. TrickBot is a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.

To secure against TrickBot, CISA and the FBI recommend users and administrators review AA21-076A: TrickBot Malware as well as CISA’s Fact Sheet: TrickBot Malware for guidance on implementing specific mitigation measures to protect against this activity.


This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases Exchange On-premises Mitigation Tool

Original release date: March 16, 2021

Microsoft has released the Exchange On-premises Mitigation Tool (EOMT.ps1) that can automate portions of both the detection and patching process. Microsoft stated the following along with the release: “[the tool is intended] to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.” CISA recommends users review the EOMT.ps1 blog post for directions on using the tool.

CISA encourages users and administrators to review the following resources for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome

Original release date: March 15, 2021

Google has released Chrome version 89.0.4389.90 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Supply Chain Attacks

Are You Vulnerable to Supply Chain Attacks?

A supply chain attack, sometimes referred to as a “value-chain” or “third-party attack”, occurs when someone penetrates your systems via an external partner or supplier who already has access to your systems, information and data. Due to the number of suppliers that companies are working with, as well as the recent increase in remote working across supply chains, the attack surface has increased drastically.

The Guardian reported on a recent incident of supply chain attacks using software from SolarWinds – a networking tools developer. As part of this Russia attributed attack, approximately 18 000 customers were affected, in which numerous government and company networks were penetrated. The attack impacted as many as 250 organizations. The hackers managed to penetrate multiple supply chain layers and the outsourcing of different software solutions seemed to be one of the main drivers that resulted in the attack, culminating in an estimated cost of $90 million for cyber insurance firms (according to Bitsight).

It is important to be aware of where supply chain attacks can come from. Companies may encounter five kinds of cybersecurity risks in supply chains, namely: physical threats, breakdowns, indirect attacks, direct attacks and insider threats.

Physical threats are associated with items such as switches, servers, routers and other information communication and technological devices. Furthermore, environmental disasters such as flooding, heavy snow and tornados, deliberate damage to a firm’s infrastructure, theft and malfunctioning of infrastructural components, as well as terrorist attacks, all fall under this category of physical threats.

In terms of breakdowns, risks such as outdated firewalls and delayed cybersecurity updates can also attract the attention of hackers. Although these risks are more predictable compared to some of the risks mentioned above, the effects can also be dire.

Deliberate attacks can be broken down into direct and indirect attacks. Direct attacks involve getting hacked, denied services or your password being sniffed, all for the purpose of manipulating or threatening you for money (consider industrial espionage or an individual compromising your firm’s intellectual property). Indirect attacks are like bait used for fishing. If employees fall for the bait, hackers can access systems for which the bait was meant for. Trojans, worms, viruses, counterfeit products, as well as compromised hardware and software come to mind. Malicious codes and spoofing attacks also feature in this category. In particular, phishing attacks (someone gaining access to sensitive information, whilst your employee thinks they can trust the software or device they are using) have increased in recent times.

Finally, employees posing a cybersecurity threat are referred to as an insider threat. From this perspective, careless employees who use simplistic passwords, write down their passwords or who unintentionally disclose sensitive information are associated with this risk. These risks can also be fuelled by intent. For example: opportunistic misuse of information or taking revenge. Whether these risks occur based on negligence or premeditation, the human factor is key here.

Following the mantra, “smart executives learn from their mistakes, wise executives learn from the mistakes of others”, below are some ways you can take action:

Key strategies to protecting against supply chain attacks

  1. Develop an approach to identify, prioritize, and mitigate cybersecurity supply chain attacks and disruptions.
  2.  Publish emergency response and crisis management guidelines.
  3.  Create a risk-mitigation approach, which supports your global sourcing strategy.
  4.  Collaborate with suppliers to support them in developing business continuity programmes which ensure the continuation of supply.
  5.  Improve logistics continuity plans with global logistics partners.

Important Outcomes for ensuring effective cybersecurity measures

  • Emergency response and crisis management guidelines to decrease the effects of supply chain attacks and disruptions
  • A cybersecurity preparedness plan
  • A supply continuity plan for suppliers of critical parts
  • A warehousing and inventory positioning strategy, which buffers supply disruptions
  • A risk exposure database including a traffic light system, which provides early warning indicators of supply disruption

In order to identify the threats highlighted in any of the five threat categories mentioned above and to develop appropriate strategies in your supply chain, our risk and crisis management approach can help you to build your cybersecurity defensive and offensive capabilities, reduce your exposure, minimise your vulnerabilities and strengthen your defences, thereby decreasing the chances of a potential breach.

In addition, our threat management and incident response capabilities will enable you to take action quickly and forcefully against unexpected cybersecurity threats and increase your ability to respond and recover timely.

If the situation in your supply chain does not require urgent action at this moment, we also offer cybersecurity training programs, such as our cybersecurity in a day for executives program as well as our cyber security training and awareness program for your workforce, which is delivered inpartnership with the British Computer Society (BCS).

Updates on Microsoft Exchange Server Vulnerabilities

Original release date: March 13, 2021

CISA has added seven Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products. After successful exploiting a Microsoft Exchange Server vulnerability for initial accesses, a malicious cyber actors can upload a webshell to enable remote administration of the affected system.

In addition to the MARs, CISA added information on ransomware activity associated with exploitation of the Exchange Server products, including DearCry ransomware.

CISA encourages users and administrators to review the following resources for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

cloud technologies

Cloud Technologies: Easy Solution or Security Nightmare?

A Gartner study from October 2019 forecasted that the public cloud technologies services market would reach $266.4 billion in 2020. 17% growth seems excessive, but it pales against the 50% overall increase in cloud utilization across the enterprise that McAfee reported in 2020, partially motivated by COVID-19 related mandates.
Great time to market, apparent simplicity as well as lower technology, business and financial barriers, made the cloud the preferred real-estate among individuals and enterprise alike. Cloud technology is a game changer and a life saver, but it can also be a cybersecurity nightmare.

As organizations extended their technology landscape across multiple physical and trust boundaries, what used to be a solid perimeter to protect is now a series of highly dynamic “micro-borders” or just no clearly delimited border at all. This change in the technology landscape also unveils a problem with current cybersecurity approaches and paradigms that were originally designed to protect organizations, starting at their borders.

When organizations extend their networks to the cloud, they are trading security for time to market, productivity, efficiency, usability, and accessibility. A price that businesses will pay gladly. Many times, these implementations are a product of firms’ strategies or planned processes, but often cloud technology adoption responds to emergencies. When the latter happens, the outcome is an implementation plagued with vulnerabilities.

We know now that architecting and designing solutions in or for cloud technologies require a different set of skills. The selection, deployment, configuration and integration of cloud artifacts, the leverage of trusted domains, the management of certificates, the whitelisting of addresses, the practice of allowing apps to bypass inline defenses, the need for data movement across boundaries and the vulnerabilities intrinsic to browsers open opportunities for vulnerabilities that could be used by malicious actors to gain access to our data.

The attack vectors that corporate cloud users should be aware of include:

  • Data breaches and loss
  • Insider attacks
  • DoS and DDoS attacks
  • Cloud phishing
  • Cloud malware injection
  • Cross-cloud attacks
  • Side channel attacks
  • Credential stuffing attacks.

So how do companies adapt their cybersecurity postures and develop the policies, controls, processes, and technologies to protect their data and achieve regulatory compliance requirements?

Our recommendations to protect your data and your users in the cloud include the following:

  • Implementation of a Zero Trust security approach to control access to your workloads and limit network lateral movement.
  • Use of strong passwords, multi-factor authentication (MFA) and access controls.
  • Adaptive access based on user, app, instance, device, location, data, and destination to selectively grant access.
  • Protect endpoints using endpoint threat management and response solutions.
  • Implement continuous risk security assessments.
  • Secure and manage network traffic.
  • Restrict cloud utilization and manage adoption in a centralized manner.
  • Implement granular data protection controls.
  • Implement cloud data loss prevention.
  • Implement threat hunting.
  • Continuous training and awareness programs.

The adoption of these technologies is quick and simple. Cloud services enable organizations’ processes, improve quality, increase productivity and speed to market, but it also creates vulnerabilities that must be addressed before it is too late. As organizations extend their technology landscape across boundaries, traditional cybersecurity postures may not be able to provide the level of protection needed. Cystel specializes in detecting and remediating cybersecurity vulnerabilities in these enterprise deployments, reducing your risk so you can focus on your core business.