Adobe Releases Security Updates for ColdFusion

Original release date: March 23, 2021

Adobe has released security updates to address a vulnerability affecting ColdFusion. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review Adobe Security Bulletin APSB21-16 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Using CHIRP to Detect Post-Compromise Threat Activity in On-Premises Environments

Original release date: March 18, 2021

CISA Hunt and Incident Response Program (CHIRP) is a new forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with the SolarWinds and Active Directory/M365 Compromise. CHIRP is freely available on the CISA GitHub repository.

Similar to the CISA-developed Sparrow tool—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment.

CISA Alert AA21-077A: Detecting Post-Compromise Threat Activity using the CHIRP IOC Detection Tool provides guidance on using the new tool. This Alert is a companion to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations and AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud.

CISA encourages users and administrators to review the Alert for more information. For more technical information on the SolarWinds Orion supply chain compromise, see CISA’s Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page. For general information on CISA’s response to the supply chain compromise, refer to cisa.gov/supply-chain-compromise.

Cisco Releases Security Updates

Original release date: March 18, 2021

Cisco has released security updates to address a vulnerability in Cisco Small Business routers. A remote attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review Cisco Advisory cisco-sa-rv-132w134w-overflow-Pptt4H2p and apply the necessary updates.

TTP Table for Detecting APT Activity Related to SolarWinds and Active Directory/M365 Compromise

Original release date: March 17, 2021

CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.

CISA encourages network defenders to review SolarWinds and AD/M365 Compromise: Detecting APT Activity from Known TTPs and implement the recommendations. CISA also recommends network defenders review the following resources regarding this incident:

CISA-FBI Joint Advisory on TrickBot Malware

Original release date: March 17, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware. A sophisticated group of cyber criminals is using phishing emails claiming to contain proof of traffic violations to lure victims into downloading TrickBot. TrickBot is a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.

To secure against TrickBot, CISA and the FBI recommend users and administrators review AA21-076A: TrickBot Malware as well as CISA’s Fact Sheet: TrickBot Malware for guidance on implementing specific mitigation measures to protect against this activity.

Microsoft Releases Exchange On-premises Mitigation Tool

Original release date: March 16, 2021

Microsoft has released the Exchange On-premises Mitigation Tool (EOMT.ps1) that can automate portions of both the detection and patching process. Microsoft stated the following along with the release: “[the tool is intended] to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.” CISA recommends users review the EOMT.ps1 blog post for directions on using the tool.

CISA encourages users and administrators to review the following resources for more information.

Google Releases Security Updates for Chrome

Original release date: March 15, 2021

Google has released Chrome version 89.0.4389.90 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

Are You Vulnerable to Supply Chain Attacks?

A supply chain attack, sometimes referred to as a “value-chain” or “third-party attack”, occurs when someone penetrates your systems via an external partner or supplier who already has access to your systems, information and data. Because of the number of suppliers that companies work with, as well as the recent increase in remote working across supply chains, the attack surface has grown drastically.

The Guardian reported on a recent incident of supply chain attacks using software from SolarWinds, a networking tools developer. As part of this Russia-attributed attack, approximately 18 000 customers were affected, and numerous government and company networks were penetrated. The attack impacted as many as 250 organizations. The hackers managed to penetrate multiple supply chain layers, and the outsourcing of different software solutions seemed to be one of the main drivers behind the attack, culminating in an estimated cost of $90 million for cyber insurance firms (according to Bitsight).

It is important to be aware of where supply chain attacks can come from. Companies may encounter five kinds of cybersecurity risks in supply chains, namely: physical threats, breakdowns, indirect attacks, direct attacks and insider threats.

Physical threats are associated with items such as switches, servers, routers and other information communication and technological devices. Furthermore, environmental disasters such as flooding, heavy snow and tornados, deliberate damage to a firm’s infrastructure, theft and malfunctioning of infrastructural components, as well as terrorist attacks, all fall under this category of physical threats.

In terms of breakdowns, risks such as outdated firewalls and delayed cybersecurity updates can also attract the attention of hackers. Although these risks are more predictable compared to some of the risks mentioned above, the effects can also be dire.

Deliberate attacks can be broken down into direct and indirect attacks. Direct attacks involve getting hacked, being denied service or having your password sniffed, all for the purpose of manipulating or threatening you for money (consider industrial espionage or an individual compromising your firm’s intellectual property). Indirect attacks are like bait used for fishing: if employees fall for the bait, hackers can access the systems the bait was meant for. Trojans, worms, viruses, counterfeit products, as well as compromised hardware and software come to mind. Malicious code and spoofing attacks also feature in this category. In particular, phishing attacks (someone gaining access to sensitive information whilst your employee thinks they can trust the software or device they are using) have increased in recent times.

Finally, employees posing a cybersecurity threat are referred to as an insider threat. From this perspective, careless employees who use simplistic passwords, write down their passwords or who unintentionally disclose sensitive information are associated with this risk. These risks can also be fuelled by intent. For example: opportunistic misuse of information or taking revenge. Whether these risks occur based on negligence or premeditation, the human factor is key here.

Following the mantra, “smart executives learn from their mistakes, wise executives learn from the mistakes of others”, below are some ways you can take action:

Key strategies to protecting against supply chain attacks

  1. Develop an approach to identify, prioritize, and mitigate cybersecurity supply chain attacks and disruptions.
  2. Publish emergency response and crisis management guidelines.
  3. Create a risk-mitigation approach, which supports your global sourcing strategy.
  4. Collaborate with suppliers to support them in developing business continuity programmes which ensure the continuation of supply.
  5. Improve logistics continuity plans with global logistics partners.

Important Outcomes for ensuring effective cybersecurity measures

  • Emergency response and crisis management guidelines to decrease the effects of supply chain attacks and disruptions
  • A cybersecurity preparedness plan
  • A supply continuity plan for suppliers of critical parts
  • A warehousing and inventory positioning strategy, which buffers supply disruptions
  • A risk exposure database including a traffic light system, which provides early warning indicators of supply disruption

In order to identify the threats highlighted in any of the five threat categories mentioned above and to develop appropriate strategies in your supply chain, our risk and crisis management approach can help you to build your cybersecurity defensive and offensive capabilities, reduce your exposure, minimise your vulnerabilities and strengthen your defences, thereby decreasing the chances of a potential breach.

In addition, our threat management and incident response capabilities will enable you to take action quickly and forcefully against unexpected cybersecurity threats and increase your ability to respond and recover timely.

If the situation in your supply chain does not require urgent action at this moment, we also offer cybersecurity training programs, such as our cybersecurity in a day for executives program as well as our cyber security training and awareness program for your workforce, which is delivered in partnership with the British Computer Society (BCS).

Updates on Microsoft Exchange Server Vulnerabilities

Original release date: March 13, 2021

CISA has added seven Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products. After successfully exploiting a Microsoft Exchange Server vulnerability for initial access, malicious cyber actors can upload a webshell to enable remote administration of the affected system.

In addition to the MARs, CISA added information on ransomware activity associated with exploitation of the Exchange Server products, including DearCry ransomware.

CISA encourages users and administrators to review the following resources for more information.

Cloud Technologies: Easy Solution or Security Nightmare?

A Gartner study from October 2019 forecasted that the public cloud technologies services market would reach $266.4 billion in 2020. 17% growth seems excessive, but it pales against the 50% overall increase in cloud utilization across the enterprise that McAfee reported in 2020, partially motivated by COVID-19 related mandates.

Fast time to market, apparent simplicity, and lower technology, business and financial barriers have made the cloud the preferred real estate among individuals and enterprises alike. Cloud technology is a game changer and a life saver, but it can also be a cybersecurity nightmare.

As organizations extended their technology landscape across multiple physical and trust boundaries, what used to be a solid perimeter to protect is now a series of highly dynamic “micro-borders” or just no clearly delimited border at all. This change in the technology landscape also unveils a problem with current cybersecurity approaches and paradigms that were originally designed to protect organizations, starting at their borders.

When organizations extend their networks to the cloud, they are trading security for time to market, productivity, efficiency, usability, and accessibility. A price that businesses will pay gladly. Many times, these implementations are a product of firms’ strategies or planned processes, but often cloud technology adoption responds to emergencies. When the latter happens, the outcome is an implementation plagued with vulnerabilities.

We know now that architecting and designing solutions in or for cloud technologies requires a different set of skills. The selection, deployment, configuration and integration of cloud artifacts, the reliance on trusted domains, the management of certificates, the whitelisting of addresses, the practice of allowing apps to bypass inline defenses, the need for data movement across boundaries and the vulnerabilities intrinsic to browsers all create openings that malicious actors could use to gain access to our data.

The attack vectors that corporate cloud users should be aware of include:

  • Data breaches and loss
  • Insider attacks
  • DoS and DDoS attacks
  • Cloud phishing
  • Cloud malware injection
  • Cross-cloud attacks
  • Side channel attacks
  • Credential stuffing attacks

So how do companies adapt their cybersecurity postures and develop the policies, controls, processes, and technologies to protect their data and achieve regulatory compliance requirements?

Our recommendations to protect your data and your users in the cloud include the following:

  • Implementation of a Zero Trust security approach to control access to your workloads and limit network lateral movement.
  • Use of strong passwords, multi-factor authentication (MFA) and access controls.
  • Adaptive access based on user, app, instance, device, location, data, and destination to selectively grant access.
  • Protect endpoints using endpoint threat management and response solutions.
  • Implement continuous risk security assessments.
  • Secure and manage network traffic.
  • Restrict cloud utilization and manage adoption in a centralized manner.
  • Implement granular data protection controls.
  • Implement cloud data loss prevention.
  • Implement threat hunting.
  • Continuous training and awareness programs.

The adoption of these technologies is quick and simple. Cloud services enable organizations’ processes, improve quality, and increase productivity and speed to market, but they also create vulnerabilities that must be addressed before it is too late. As organizations extend their technology landscape across boundaries, traditional cybersecurity postures may not be able to provide the level of protection needed. Cystel specializes in detecting and remediating cybersecurity vulnerabilities in these enterprise deployments, reducing your risk so you can focus on your core business.