Updates on Microsoft Exchange Server Vulnerabilities

Original release date: April 12, 2021

CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities.

  • MAR-10330097-1.v1: DearCry Ransomware identifies ransomware that has been observed on compromised on-premises Exchange servers. The malware encrypts files on a device and demands ransom in exchange for decryption.
  • MAR-10331466-1.v1: China Chopper Webshell identifies a China Chopper webshell observed on compromised Microsoft Exchange Servers. After successfully exploiting a Microsoft Exchange Server vulnerability for initial access, a malicious cyber actor can upload a webshell to enable remote administration of the affected system.

CISA encourages users and administrators to review the following resources for more information:

This product is provided subject to this Notification and this Privacy & Use policy.

Using Aviary to Analyze Post-Compromise Threat Activity in M365 Environments

Original release date: April 8, 2021

Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise. Aviary—a Splunk-based dashboard—facilitates analysis of Sparrow data outputs.

CISA encourages network defenders wishing to use Aviary to facilitate their analysis of output from Sparrow to review CISA Alert: AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Note: CISA has updated the Sparrow tool section of AA21-008A with instructions on using the Aviary tool.

CISA recommends the following resources for additional information:


Cisco Releases Security Updates for Multiple Products

Original release date: April 8, 2021

Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.
CISA encourages users and administrators to review the following Cisco Advisory and apply the necessary updates:


Malicious Cyber Activity Targeting Critical SAP Applications

Original release date: April 6, 2021

SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks. SAP applications help organizations manage critical business processes—such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management.

On April 6, 2021, security researchers from Onapsis, in coordination with SAP, released an alert detailing observed threat actor activity and techniques that could lead to full control of unsecured SAP applications. Impacted organizations could experience:

  • theft of sensitive data,
  • financial fraud,
  • disruption of mission-critical business processes,
  • ransomware, and
  • halt of all operations.

CISA recommends operators of SAP systems review the Onapsis Alert Active Cyberattacks on Mission-Critical SAP Applications for more information and apply necessary updates and mitigations.

See CISA’s previous alerts on SAP:


FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities

Original release date: April 2, 2021

The Federal Bureau of Investigation (FBI) and CISA have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services. Gaining initial access pre-positions the APT actors to conduct future attacks.

CISA encourages users and administrators to review Joint CSA AA21-092A: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks and implement the recommended mitigations.


VMware Releases Security Update

Original release date: April 2, 2021

VMware has released a security update to address a vulnerability in VMware Carbon Black Cloud Workload appliance. A remote attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-005 and apply the necessary updates.


Should We Prepare for a New Era of Cyber Pandemic in 2021

COVID-19 has led to the prolific use of virtual technologies to support remote work. This is gradually paving the way for a new pandemic: a sharp increase in organisations being held hostage by cyber criminals, data theft, privacy breaches and disruption to supply chains across the globe.

Organisations, already under pressure from COVID-19, are being targeted by a variety of scams and threats and are increasingly giving in to these threats. FatFace, a UK fashion retailer, has paid out $2 million to a ransomware gang that breached its systems in January 2021.

More recently, in March 2021, Acer, a Taiwanese electronics company, was attacked by a group called REvil, which demanded a ransom of $50 million, one of the largest ransomware demands in recent history. A wide range of reports by cybersecurity scholars (FireEye 2021, Hiscox 2020, Vasek 2019) have established that cyberattacks are rapidly evolving and growing in both frequency and severity, with costs reaching up to $6 trillion in 2021 and set to rise further. These reports, along with other security news outlets, have discussed trends that will dominate the cybersecurity landscape in 2021. Some of these are:

1. Evolution of attack techniques and IoT threats

Common attack techniques such as phishing, ransomware, botnets, trojans and phreaking will remain prominent. However, they will likely be automated using artificial intelligence and tailored to specific companies as targets, having carefully mined data on personnel, social networks, and social media. The lack of time to train staff in the use of remote technology applications, together with the use of IoT devices in homes, is set to exacerbate the problem.

2. The cloud footprint

95% of companies have a cloud presence, if only for payroll or HR functions. Cloud attacks are likely to grow and be executed through hacking vulnerable cloud applications, stealing credentials via phishing, exploiting misconfigurations, and through the supply chain, such as cloud vendors.

3. Nation State Attacks

The attack on SolarWinds in 2020 has demonstrated that threat actors can take the form of nation states and can sponsor regional and global attacks. Spear phishing, a common tool, will continue to dominate in 2021. However, there is an increased focus on intrusion techniques such as exploitation of web-facing applications, password spraying and increased use of third-party intrusion vendors.

4. Fileless malware

Fileless malware depends on tools that are a part of the workflow for most enterprises, specifically tools that are pre-installed on every Windows machine and are vital for all operations. Attackers could use a range of Windows processes such as PowerShell, Windows Management Instrumentation (WMI) and .NET. We are likely to see attackers continuously innovate and share techniques as they develop a malware-as-a-service model in 2021.

2021 brings new challenges on the health and cyber front. As cyber criminals are getting organised as ‘companies’ and improving both technologies and attack strategies, we must, as a matter of urgency, look at our own cybersecurity and data protection. Surface-level products and software are not enough to combat the threats that 2021 brings. Advanced solutions are needed to monitor risks and assess vulnerabilities, along with endpoint solutions to thwart threats and build cyber resilience.

The World Economic Forum lists cybersecurity failures among the main global risks in 2021.

Can you shield against a cyber pandemic?

A risk management approach is vital to digital security. A significant part of securing the cyber landscape is knowing how best to protect the most significant assets and effectively defend against security incidents and breaches. As with a biological pandemic, some key steps are:

  • Reduce the rate of infection. Check your systems to protect critical assets and detect and remove threats in real time.
  • Prevent an infection. Develop a SOC for real-time prevention and access to continuous security intelligence.
  • Improve cyber hygiene. Practice cyber hygiene by keeping up to date with security threats and ensuring compliance with regulations and the latest standards.

At Cystel, we recommend asking the following key questions to test your state of preparedness.

  • What is my current security protocol?
  • What vulnerabilities or gaps do I have in my remote infrastructure?
  • Do I understand security effectiveness as a business metric?
  • What is my risk management approach to mitigating threats of IoT?
  • Is my organisation’s security training state-of-the-art?

As cybersecurity researchers at Cystel, we believe cyber readiness needs to be a top priority for every connected individual. There is no one size that fits all, and there are a variety of solutions, services, and protocols to evaluate to help meet security challenges. Speak to us about your cyber challenges for 2021 and stay safe during the next wave of cyber attacks.