Why Human Error is #1 Cyber Security Threat to Businesses in 2021

Phishing and Malware
Among the major cyber threats, malware remains a significant danger. The 2017 WannaCry outbreak that cost businesses worldwide up to $4 billion is still in recent memory, and new strains of malware are discovered on a daily basis.
Phishing has also seen a resurgence in the last few years, with many new scams being invented to take advantage of unsuspecting
The Hacker News – Read More

You Are a Target

You may not realize it, but you are a target. Your computer, your work and personal accounts and your information are all highly valuable to cyber criminals. Be mindful that bad guys are out to get you.
SANS Institute Security Awareness Tip of the Day – Read More

Microsoft Releases May 2021 Security Updates

Originally Posted from CISA Current Activity
Original release date: May 11, 2021

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s May 2021 Security Update Summary and Deployment Information and apply the necessary updates.  

This product is provided subject to this Notification and this Privacy & Use policy.

Juniper Networks Releases Security Updates

Originally Posted from CISA Current Activity
Original release date: May 11, 2021

Juniper Networks has released security updates to address multiple vulnerabilities in various Juniper products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Juniper’s 2021-05 Out-of-Cycle Security Bulletin and apply the necessary updates.


Adobe Releases Security Updates for Multiple Products

Originally Posted from CISA Current Activity
Original release date: May 11, 2021

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Adobe’s Security Bulletins and apply the necessary updates. 


Citrix Releases Security Updates for Workspace App for Windows

Originally Posted from CISA Current Activity
Original release date: May 11, 2021

Citrix has released security updates to address a vulnerability in Citrix Workspace App for Windows. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review Citrix Security Update CTX307794 and apply the necessary updates.


AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks

Posted from CISA Alerts
Original release date: May 11, 2021

Summary

This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity—a pipeline company—in the United States. Malicious cyber actors deployed DarkSide ransomware against the pipeline company’s information technology (IT) network.[1] At this time, there is no indication that the entity’s operational technology (OT) networks have been directly affected by the ransomware.

CISA and FBI urge CI asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Joint Cybersecurity Advisory, including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity’s functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.


Technical Details

Note: the analysis in this Joint Cybersecurity Advisory is ongoing, and the information provided should not be considered comprehensive. CISA and FBI will update this advisory as new information is available.

After gaining initial access to the pipeline company’s network, DarkSide actors deployed DarkSide ransomware against the company’s IT network. In response to the cyberattack, the company has reported that they proactively disconnected certain OT systems to ensure the systems’ safety.[2] At this time, there are no indications that the threat actor moved laterally to OT systems.

DarkSide is ransomware-as-a-service (RaaS)—the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.” According to open-source reporting, since August 2020, DarkSide actors have been targeting multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data. The DarkSide group has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments.[3],[4]

According to open-source reporting, DarkSide actors have previously been observed gaining initial access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI) (Phishing [T1566], Exploit Public-Facing Application [T1190], External Remote Services [T1133]).[5],[6] DarkSide actors have also been observed using Remote Desktop Protocol (RDP) to maintain Persistence [TA0003].[7]

After gaining access, DarkSide actors deploy DarkSide ransomware to encrypt and steal sensitive data (Data Encrypted for Impact [T1486]). The actors then threaten to publicly release the data if the ransom is not paid.[8],[9] The DarkSide ransomware uses Salsa20 and RSA encryption.[10]

DarkSide actors primarily use The Onion Router (TOR) for Command and Control (C2) [TA0011] (Proxy: Multi-hop Proxy [T1090.003]).[11],[12] The actors have also been observed using Cobalt Strike for C2.[13]

Mitigations

CISA and FBI urge CI owners and operators to apply the following mitigations to reduce the risk of compromise by ransomware attacks.

Require multi-factor authentication for remote access to OT and IT networks.
Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
Implement a user training program and simulated attacks for spearphishing to discourage users from visiting malicious websites or opening malicious attachments and reinforce the appropriate user responses to spearphishing emails.
Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
Implement unauthorized execution prevention by
Disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
Monitor and/or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports). For more guidance, refer to Joint Cybersecurity Advisory AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor.
Deploy signatures to detect and/or block inbound connections from Cobalt Strike servers and other post-exploitation tools.
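The Tor monitoring item above is easy to state and easy to get wrong in practice: the useful signal is not "a Tor exit node connected" but "a Tor exit node reached a port where no anonymous client has any business". The following Python detector is an added example, not code from CISA or the advisory; it assumes a constructed key=value firewall log format and a constructed exit-node list (documentation-range addresses, not real relays). In production the list would be refreshed from a current exit-node feed and the expected-port set would mirror the organization's actual public services.

```python
import ipaddress
from dataclasses import dataclass

# Constructed Tor exit-node list for the example (documentation-range addresses,
# not real relays); in practice this is loaded from a current exit-node feed.
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42", "192.0.2.200"}

# Ports on which inbound connections from anywhere are expected (web, mail, VPN gateway).
# Anything else reached from an exit node is reported, whether the firewall allowed it or not.
EXPECTED_INBOUND_PORTS = {443, 25, 587, 1194}


@dataclass
class Finding:
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str  # what the firewall did with the packet: ALLOW or DENY


def parse_line(line):
    """Parse a constructed key=value firewall log line into a dict.

    Example: 'ts=2021-05-11T10:01:02Z action=ALLOW src=198.51.100.7 dst=10.0.5.20 dport=3389'
    Tokens without '=' are ignored, so a malformed line yields a sparse dict.
    """
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_tor_to_unexpected_ports(log_lines, exit_nodes=TOR_EXIT_NODES,
                                 expected_ports=EXPECTED_INBOUND_PORTS):
    """Return a Finding for every connection from an exit node to a port outside the expected set."""
    findings = []
    for line in log_lines:
        fields = parse_line(line)
        try:
            src = str(ipaddress.ip_address(fields["src"]))  # validates and normalises the address
            dport = int(fields["dport"])
        except (KeyError, ValueError):
            continue  # malformed line: skip it rather than crash the detector
        if src in exit_nodes and dport not in expected_ports:
            findings.append(Finding(src, fields.get("dst", "?"), dport, fields.get("action", "?")))
    return findings


def allowed_only(findings):
    """The subset the firewall let through: these need immediate attention, the denied ones a rule review."""
    return [f for f in findings if f.action == "ALLOW"]


# Constructed sample log lines.
SAMPLE_LOG = [
    "ts=2021-05-11T10:01:02Z action=ALLOW src=198.51.100.7 dst=10.0.5.20 dport=3389",  # RDP from an exit node
    "ts=2021-05-11T10:01:05Z action=ALLOW src=203.0.113.42 dst=10.0.1.10 dport=443",  # web: expected
    "ts=2021-05-11T10:02:10Z action=DENY src=192.0.2.200 dst=10.0.5.21 dport=22",     # SSH, blocked but noted
    "ts=2021-05-11T10:02:11Z action=ALLOW src=203.0.113.9 dst=10.0.5.20 dport=3389",  # not an exit node
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in find_tor_to_unexpected_ports(SAMPLE_LOG):
        print(f"{f.action:5} {f.src_ip} -> {f.dst_ip}:{f.dst_port}")
```

Run against the sample, the detector reports the allowed RDP connection and the denied SSH attempt and ignores the web traffic and the non-Tor RDP source; the denied hit is still worth keeping, because it shows an exit node probing a port that the expected-port list says should never be exposed.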

CISA and FBI urge CI owners and operators to apply the following mitigations now to reduce the risk of severe business or functional degradation should their CI entity fall victim to a ransomware attack in the future.

Implement and ensure robust network segmentation between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone that eliminates unregulated communication between the IT and OT networks.
Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to filter network traffic and monitor communications between zones. Prohibit industrial control system (ICS) protocols from traversing the IT network.
Identify OT and IT network inter-dependencies and develop workarounds or manual controls to ensure ICS networks can be isolated if the connections create risk to the safe and reliable operation of OT processes. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident. Ensure that the OT network can operate at necessary capacity even if the IT network is compromised. 
Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline.
Implement regular data backup procedures on both the IT and OT networks. Backup procedures should be conducted on a frequent, regular basis. The data backup procedures should also address the following best practices:
Ensure that backups are regularly tested.
Store your backups separately. Backups should be isolated from network connections that could enable the spread of ransomware. It is important that backups be maintained offline as many ransomware variants attempt to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems to its previous state. Best practice is to store your backups on a separate device that cannot be accessed from a network, such as on an external hard drive. (See the Software Engineering Institute’s page on ransomware).
Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred. Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.
Store source code or executables. It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.
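The segmentation guidance above (zones by criticality, defined conduits between zones, no ICS protocols crossing the IT network) is a policy; checking observed traffic against it is how you learn whether the policy holds. The following Python checker is an added example, not CISA's code. It assumes a constructed zone map, a constructed conduit table and a handful of constructed flows; the ICS port numbers are the well-known assignments for Modbus/TCP, DNP3, EtherNet/IP and S7comm.

```python
import ipaddress
from dataclasses import dataclass

# Well-known TCP ports of common ICS protocols; none of these may traverse the IT zone.
ICS_PROTOCOL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm (ISO-TSAP)"}

# Constructed zone map: network -> zone name.
ZONES = {
    ipaddress.ip_network("10.10.0.0/16"): "IT",
    ipaddress.ip_network("10.20.0.0/24"): "DMZ",
    ipaddress.ip_network("10.30.0.0/24"): "OT-supervisory",
    ipaddress.ip_network("10.31.0.0/24"): "OT-control",
}

# Constructed conduit policy: (source zone, destination zone) -> permitted destination ports.
# Any cross-zone flow not listed here is a violation; IT never reaches OT except through the DMZ.
CONDUITS = {
    ("IT", "DMZ"): {443},
    ("DMZ", "OT-supervisory"): {443},
    ("OT-supervisory", "OT-control"): {502, 20000},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Violation:
    flow: Flow
    reason: str


def zone_of(ip):
    """Map an address to its zone; anything outside the zone map is UNKNOWN and never matches a conduit."""
    addr = ipaddress.ip_address(ip)
    for network, name in ZONES.items():
        if addr in network:
            return name
    return "UNKNOWN"


def check_flows(flows):
    """Return one Violation per cross-zone flow that breaks the conduit policy."""
    violations = []
    for flow in flows:
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is outside this policy
        if flow.dport in ICS_PROTOCOL_PORTS and "IT" in (src_zone, dst_zone):
            violations.append(Violation(flow, f"{ICS_PROTOCOL_PORTS[flow.dport]} must not traverse the IT zone"))
        elif flow.dport not in CONDUITS.get((src_zone, dst_zone), set()):
            violations.append(Violation(flow, f"no conduit {src_zone}->{dst_zone} permits port {flow.dport}"))
    return violations


# Constructed flows, e.g. from NetFlow or a firewall connection log.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.20.0.10", 443),   # IT -> DMZ web: permitted conduit
    Flow("10.10.1.5", "10.31.0.7", 502),    # IT -> OT-control Modbus: ICS protocol crossing IT
    Flow("10.30.0.5", "10.31.0.7", 502),    # supervisory -> control Modbus: permitted
    Flow("10.10.1.9", "10.30.0.5", 3389),   # IT -> OT-supervisory RDP: no conduit defined
    Flow("10.30.0.5", "10.30.0.6", 502),    # intra-zone: not evaluated
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"{v.flow.src} -> {v.flow.dst}:{v.flow.dport}: {v.reason}")
```

The ICS-protocol rule is evaluated before the conduit lookup so that a mistakenly added IT-to-OT conduit for port 502 would still be reported; run the checker over a day of flow records and an empty result is the evidence that the documented conduits are the only cross-zone paths in use.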

Ensure user and process accounts are limited through account use policies, user account control, and privileged account management. Organize access rights based on the principles of least privilege and separation of duties.

If your organization is impacted by a ransomware incident, CISA and FBI recommend the following actions:

Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless.  
Turn off other computers and devices. Power-off and segregate (i.e., remove from the network) the infected computer(s). Power-off and segregate any other computers or devices that shared a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering-off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists. (See Before You Connect a New Computer to the Internet for tips on how to make a computer more secure before you reconnect it to a network.)
Secure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.
Refer to Joint Cybersecurity Advisory: AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity for more best practices on incident response.

Note: CISA and the FBI do not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered. CISA and FBI urge you to report ransomware incidents to your local FBI field office.

CISA offers a range of no-cost cyber hygiene services to help CI organizations assess, identify and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.

Resources

CISA and MS-ISAC: Joint Ransomware Guide
CISA: Ransomware page
CISA Tip: Protecting Against Ransomware
CISA: CISA Ransomware One-Pager and Technical Document
CISA Insights: Ransomware Outbreak
CISA: Pipeline Cybersecurity Initiative
CISA Webinar: Combating Ransomware
CISA: Cybersecurity Practices for Industrial Control Systems
FBI: Incidents of Ransomware on the Rise
National Security Agency (NSA): Stop Malicious Cyber Activity Against Connected Operational Technology
Department of Energy: Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model
Transportation Security Agency: Pipeline Security Guidelines
National Institute of Standards and Technology (NIST): Framework for Improving Critical Infrastructure Cybersecurity
NIST: Ransomware Protection and Response
NIST: Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
NIST: Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
NIST: Data Integrity: Recovering from Ransomware and Other Destructive Events
NIST: Guide to Industrial Control Systems (ICS) Security
Software Engineering Institute: Ransomware: Best Practices for Prevention and Response

Contact Information

Victims of ransomware should report it immediately to CISA at https://us-cert.cisa.gov/report, a local FBI Field Office, or U.S. Secret Service Field Office. To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [email protected].

References

[1] Colonial Pipeline Media Statement on Pipeline Disruption
[2] Ibid
[3] SonicWall: Darkside Ransomware Targets Large Corporations. Charges up to $2M
[4] Varonis: Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign
[5] BankInfo Security: FBI: DarkSide Ransomware Used in Colonial Pipeline Attack
[6] Varonis: Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign
[7] Ibid
[8] SonicWall: Darkside Ransomware Targets Large Corporations. Charges up to $2M
[9] Varonis: Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign
[10] McAfee: Threat Landscape Dashboard DarkSide – Ransomware
[11] SonicWall: Darkside Ransomware Targets Large Corporations. Charges up to $2M
[12] Varonis: Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign
[13] McAfee: Threat Landscape Dashboard DarkSide – Ransomware

Revisions

May 11, 2021: Initial Version


Joint CISA-FBI Cybersecurity Advisory on DarkSide Ransomware

Originally Posted from CISA Current Activity
Original release date: May 11, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on a ransomware-as-a-service (RaaS) variant—referred to as DarkSide—recently used in a ransomware attack against a critical infrastructure (CI) company. 

Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data. These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy. 

Prevention is the most effective defense against ransomware. It is critical to follow best practices to protect against ransomware attacks, which can be devastating to an individual or organization and recovery may be a difficult process. In addition to the Joint CSA, CISA and FBI urge CI asset owners and operators to review the following resources for best practices on strengthening cybersecurity posture:

CISA and Multi-State Information Sharing and Analysis Center: Joint Ransomware Guide
CISA webpage: Ransomware Guidance and Resources
CISA Insights: Ransomware Outbreak
CISA Pipeline Cybersecurity Initiative
CISA Pipeline Cybersecurity Resources Library

Victims of ransomware should report it immediately to CISA, a local FBI Field Office, or a Secret Service Field Office.


Google Releases Security Updates for Chrome

Originally Posted from CISA Current Activity
Original release date: May 11, 2021

Google has released Chrome version 90.0.4430.212 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

Virtual Private Networks

Virtual Private Networks (VPN) create encrypted tunnels when you connect to the Internet. They are a fantastic way to protect your privacy and data, especially when traveling and connecting to untrusted or unknown networks, such as at hotels or coffee shops. Use a VPN whenever possible, both for work and personal use.

SANS Institute Security Awareness Tip of the Day – Read More

Exim Releases Security Update

Originally Posted from CISA Current Activity
Original release date: May 7, 2021

Exim has released a security update to address multiple vulnerabilities in Exim versions prior to 4.94.2. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Exim 4.94.2 update page and apply the necessary update. CISA also encourages users and administrators to review Center for Internet Security Advisory 2021-064 for more information.  


Joint NCSC-CISA-FBI-NSA Cybersecurity Advisory on Russian SVR Activity

Originally Posted from CISA Current Activity
Original release date: May 7, 2021

CISA has joined with the United Kingdom’s National Cyber Security Centre (NCSC), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) in releasing a Joint Cybersecurity Advisory on Russian Foreign Intelligence Service (SVR) tactics, techniques, and procedures. Further TTPs associated with SVR cyber actors provides additional details on SVR activity, including exploitation activity following their initial compromise of the SolarWinds Orion software supply chain.

CISA has also released Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise that provides summaries of three key joint publications that focus on SVR activities related to the SolarWinds Orion supply chain compromise.

CISA strongly encourages users and administrators to review the joint advisory as well as the other two advisories summarized on the fact sheet for mitigation strategies to aid organizations in securing their networks against Russian SVR activity.


Anti-Virus

Make sure you have anti-virus software installed on your computer and that it is automatically updating. However, keep in mind that no anti-virus can catch all malware; your computer can still be infected. That is why it’s so important you use common sense and be wary of any messages that seem odd or suspicious.

SANS Institute Security Awareness Tip of the Day – Read More

CISO Challenge: Check Your Cybersecurity Skills On This New Competition Site

InfoSec leaders tend to be a specific type. Their jobs require them to think of possible threats, take actions that may not pay immediate results, plan for unknown security risks, and react quickly when emergencies arise, often before the morning’s first coffee.
The high-stakes position also means that CISOs need to keep their knowledge and skills sharp – you can never really know what’s around
The Hacker News – Read More

Cisco Releases Security Updates for Multiple Products

Originally Posted from CISA Current Activity
Original release date: May 6, 2021

Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates:

•    Cisco SD-WAN vManage Software Vulnerabilities cisco-sa-sd-wan-vmanage-4TbynnhZ
•    Cisco HyperFlex HX Command Injection Vulnerabilities cisco-sa-hyperflex-rce-TjjNrkpR
•    Cisco SD-WAN Software vDaemon Denial of Service Vulnerability cisco-sa-sdwan-dos-Ckn5cVqW
•    Cisco SD-WAN vEdge Software Buffer Overflow Vulnerabilities cisco-sa-sdwan-buffover-MWGucjtO
•    Cisco SD-WAN vManage Software Authentication Bypass Vulnerability cisco-sa-sdw-auth-bypass-65aYqcS2
•    Cisco Small Business 100, 300, and 500 Series Wireless Access Points Vulnerabilities cisco-sa-sb-wap-multi-ZAfKGXhF
•    Cisco Enterprise NFV Infrastructure Software Command Injection Vulnerability cisco-sa-nfvis-cmdinj-DkFjqg2j
•    Cisco Unified Communications Manager IM & Presence Service SQL Injection Vulnerabilities cisco-sa-imp-inj-ereCOKjR
•    Cisco AnyConnect Secure Mobility Client for Windows DLL and Executable Hijacking Vulnerabilities cisco-sa-anyconnect-code-exec-jR3tWTA6


Mozilla Releases Security Updates for Firefox

Originally Posted from CISA Current Activity
Original release date: May 6, 2021

Mozilla has released security updates to address vulnerabilities in Firefox. An attacker could exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Mozilla Security Advisory for Firefox 88.0.1 and apply the necessary updates.


VMware Releases Security Update

Originally Posted from CISA Current Activity
Original release date: May 6, 2021

VMware has released a security update to address a vulnerability in VMware vRealize Business for Cloud. A remote attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0007 and apply the necessary update.


CISA Releases Analysis Reports on New FiveHands Ransomware

Originally Posted from CISA Current Activity
Original release date: May 6, 2021

CISA is aware of a recent, successful cyberattack against an organization using a new ransomware variant, known as FiveHands.

CISA has released AR21-126A: FiveHands Ransomware and MAR-10324784-1.v1: FiveHands Ransomware to provide analysis of the threat actor’s tactics, techniques, and procedures as well as indicators of compromise (IOCs).  These reports also provide CISA’s recommended mitigations for strengthening networks to protect against, detect, and respond to potential FiveHands ransomware attacks.

CISA encourages organizations to review AR21-126A and MAR-10324784-1.v1 for more information.


Older Generation

Using technology securely can be overwhelming or confusing, especially for those who did not grow up with it. When helping secure those who are uncomfortable with technology, focus on just the basics: 1) be aware of social engineering attacks; 2) secure your home network; 3) keep your systems updated; 4) use strong, unique passwords; 5) back up your key personal data.

SANS Institute Security Awareness Tip of the Day – Read More

Apple Releases Security Updates

Originally Posted from CISA Current Activity
Original release date: May 4, 2021

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device.

CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates.

macOS Big Sur 11.3.1
iOS 14.5.1 and iPadOS 14.5.1
iOS 12.5.3
watchOS 7.4.1


Ivanti Releases Pulse Secure Security Update

Originally Posted from CISA Current Activity
Original release date: May 3, 2021

Ivanti has released a security update to address vulnerabilities affecting Pulse Connect Secure (PCS) software outlined in CVE-2021-22893. An attacker could exploit these vulnerabilities to gain system access and take control of an affected system. In response, CISA released AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities on April 20 and added detection information on April 30.  

CISA strongly encourages customers using Ivanti Pulse Connect Secure appliances to review the Pulse Security Advisory and apply the necessary updates. For additional information, CISA recommends reviewing the following resources and tools:

CISA Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities
Pulse Security Integrity Checker Tool


Two-Step Verification

Two-step verification (also called two-factor authentication or 2FA) is one of the best steps you can take to secure any account. Two-step verification is when you require both a password and code sent to or generated by your mobile device. At a minimum enable two-step verification for your most important accounts such as email, financial and retirement accounts.

SANS Institute Security Awareness Tip of the Day – Read More

CISA Updates Alert on Pulse Connect Secure

Originally Posted from CISA Current Activity
Original release date: April 30, 2021

CISA has updated Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities, originally released April 20. This update adds a new Detection section providing information on Impossible Travel and Transport Layer Security (TLS) Fingerprinting that may be useful in identifying malicious activity.

CISA encourages users and administrators to review the following resources for more information:

AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities
Emergency Directive 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities
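"Impossible travel" in the updated alert refers to a simple heuristic: two logins by the same account from locations that no one could have physically travelled between in the time elapsed. The following Python detector is an added example, not CISA's detection content; it assumes a constructed VPN login record format in which each line already carries geolocated latitude and longitude (in a real pipeline those come from IP geolocation), and it uses a 900 km/h speed threshold, roughly airliner cruise speed, as an assumed cut-off.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed threshold: about airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_login(line):
    """Parse a constructed VPN login record:
    '2021-04-28T09:00:00Z user=alice src=198.51.100.7 lat=38.9 lon=-77.0'"""
    ts_str, *rest = line.split()
    fields = dict(token.split("=", 1) for token in rest)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": fields["user"],
        "src": fields["src"],
        "lat": float(fields["lat"]),
        "lon": float(fields["lon"]),
    }


def impossible_travel(lines, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive logins by the same user that would require an implausible travel speed."""
    events = sorted((parse_login(line) for line in lines), key=lambda e: (e["user"], e["ts"]))
    alerts, last_by_user = [], {}
    for ev in events:
        prev = last_by_user.get(ev["user"])
        if prev is not None:
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Same place in zero time is fine; a different place in zero time is infinitely fast.
            if hours > 0:
                speed = dist / hours
            else:
                speed = float("inf") if dist > 0 else 0.0
            if speed > max_speed_kmh:
                alerts.append({
                    "user": ev["user"], "from": prev["src"], "to": ev["src"],
                    "distance_km": round(dist),
                    "speed_kmh": speed if math.isinf(speed) else round(speed),
                })
        last_by_user[ev["user"]] = ev
    return alerts


# Constructed login records (documentation-range addresses; coordinates are Washington, DC,
# Berlin and Seattle, chosen only to give realistic distances).
SAMPLE_LOGINS = [
    "2021-04-28T09:00:00Z user=alice src=198.51.100.7 lat=38.9 lon=-77.0",
    "2021-04-28T10:30:00Z user=alice src=203.0.113.42 lat=52.5 lon=13.4",
    "2021-04-28T18:00:00Z user=alice src=203.0.113.42 lat=52.5 lon=13.4",
    "2021-04-28T08:00:00Z user=bob src=192.0.2.10 lat=47.6 lon=-122.3",
    "2021-04-28T16:00:00Z user=bob src=192.0.2.11 lat=47.6 lon=-122.3",
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_LOGINS):
        print(f"{a['user']}: {a['from']} -> {a['to']}, {a['distance_km']} km at {a['speed_kmh']} km/h")
```

On the sample, alice's second login lands about 6,700 km away 90 minutes after the first and is flagged; her later login from the same place and bob's two same-city logins are not. Geolocation of VPN and cloud egress addresses is imprecise, so in practice the alert is a lead for reviewing the session (TLS fingerprint, user agent, what was accessed) rather than a verdict on its own.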


Codecov Releases New Detections for Supply Chain Compromise

Originally Posted from CISA Current Activity
Original release date: April 30, 2021

CISA is aware of a compromise of the Codecov software supply chain in which a malicious threat actor made unauthorized alterations of Codecov’s Bash Uploader script, beginning on January 31, 2021. Upon discovering the compromise on April 1, 2021, Codecov immediately remediated the affected script. On April 15, 2021, Codecov notified customers of the compromise and on April 29, 2021, Codecov released an update containing new detections—including indicators of compromise (IOCs) and a non-exhaustive data set of likely compromised environment variables—to assist organizations in determining whether they have been affected.

CISA urges all Codecov users to review the Codecov update and:

Search for the IOCs provided.
Log in to Codecov to see any additional information specific to their organization and repositories. 

Affected users should immediately implement the guidance in the Recommended Actions for Affected Users and FAQ sections of Codecov’s update. CISA recommends giving special attention to Codecov’s guidance on changing (“re-rolling”) potentially affected credentials, tokens, and keys. CISA also recommends revoking and reissuing any potentially affected certificates.


Samba Releases Security Updates

Originally Posted from CISA Current Activity
Original release date: April 30, 2021

The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Samba Security Announcements for CVE-2021-20254 and apply the necessary updates and workarounds.
