Google Releases Security Updates for Chrome

Originally Posted from CISA Currently Activity
Read More
Original release date: June 10, 2021

Google has released Chrome version 91.0.4472.101 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities—CVE-2021-30551—has been detected in exploits in the wild.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Addresses the Rise in Ransomware Targeting Operational Technology Assets

Originally Posted from CISA Currently Activity
Read More
Original release date: June 9, 2021

CISA has published the Rising Ransomware Threat to OT Assets fact sheet in response to the recent increase in ransomware attacks targeting operational technology (OT) assets and control systems. The guidance:

provides steps to prepare for, mitigate against, and respond to attacks;
details how the dependencies between an entity’s IT and OT systems can provide a path for attackers; and
explains how to reduce the risk of severe business degradation if affected by ransomware.

CISA encourages critical infrastructure (CI) owners and operators to review the Rising Ransomware Threat to OT Assets fact sheet as well as CISA’s Ransomware webpage to help them in reducing their CI entity’s vulnerability to ransomware.

This product is provided subject to this Notification and this Privacy & Use policy.

Got Backups?

Eventually, we all have an accident or get hacked. And when we do, backups are often the only way to recover. Backups are cheap and easy; make sure you are backing up all of your personal information at home (such as family photos) on a regular basis.

SANS Institute Security Awareness Tip of the Day – Read More

SAP Releases June 2021 Security Updates

Originally Posted from CISA Currently Activity
Read More
Original release date: June 8, 2021

SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the SAP Security Notes for June 2021 and apply the necessary updates. 

This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases June 2021 Security Updates

Originally Posted from CISA Currently Activity
Read More
Original release date: June 8, 2021

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review Microsoft’s June 2021 Security Update Summary and Deployment Information and apply the necessary updates. 

This product is provided subject to this Notification and this Privacy & Use policy.

Adobe Releases Security Updates for Multiple Products

Originally Posted from CISA Currently Activity
Read More
Original release date: June 8, 2021

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review Adobe’s Security Bulletins and apply the necessary updates. 

This product is provided subject to this Notification and this Privacy & Use policy.

Unpatched VMware vCenter Software

Originally Posted from CISA Currently Activity
Read More
Original release date: June 4, 2021

CISA is aware of the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. Although patches were made available on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system.

CISA encourages users and administrators to review VMware’s VMSA-2021-010, blogpost, and FAQ for more information about the vulnerability and apply the necessary updates as soon as possible, even if out-of-cycle work is required. If an organization cannot immediately apply the updates, then apply the workarounds in the interim.   

This product is provided subject to this Notification and this Privacy & Use policy.

Fake News

Fake news is a false narrative that is published and promoted as if it were true. People (and organizations) create fake news to control and manipulate your thoughts and actions. Be skeptical of what you read on the Internet, use trusted sources that are vetted, check their motivations and funding.

SANS Institute Security Awareness Tip of the Day – Read More

Cisco Releases Security Updates for Multiple Products

Originally Posted from CISA Currently Activity
Read More
Original release date: June 3, 2021

Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

CISA encourages users and administrators to review the following Cisco advisories and apply the necessary updates:

Cisco Webex Network Recording Player and Webex Player Memory Corruption Vulnerability cisco-sa-webex-player-rCFDeVj2
Cisco Webex Player Memory Corruption Vulnerability cisco-sa-webex-player-kOf8zVT
Cisco Webex Network Recording Player and Webex Player Memory Corruption Vulnerability cisco-sa-webex-player-dOJ2jOJ
Cisco SD-WAN Software Privilege Escalation Vulnerability cisco-sa-sd-wan-fuErCWwF
Cisco ASR 5000 Series Software Authorization Bypass Vulnerabilities cisco-sa-asr5k-autho-bypass-mJDF5S7n

This product is provided subject to this Notification and this Privacy & Use policy.

Securing Your Wi-Fi Access Point

The first step to creating a cybersecure home is to start by securing your Wi-Fi Access Point. Change your Wi-Fi Access Points default administrator password to something only you know. Many Wi-Fi Access Points or Wi-Fi routers are shipped with default administrator passwords that are publicly known and posted on the Internet.

SANS Institute Security Awareness Tip of the Day – Read More

CISA Releases Best Practices for Mapping to MITRE ATT&CK®

Originally Posted from CISA Currently Activity
Read More
Original release date: June 2, 2021

As part of an effort to encourage a common language in threat actor analysis, CISA has released Best Practices for MITRE ATT&CK® Mapping. The guide shows analysts—through instructions and examples—how to map adversary behavior to the MITRE ATT&CK framework. CISA created this guide in partnership with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI), a DHS-owned R&D center operated by MITRE, which worked with the MITRE ATT&CK team.

CISA and other organizations in the cybersecurity community use MITRE ATT&CK to identify and analyze threat actor behavior. This analysis enables them to produce a set of mappings to develop adversary profiles; conduct activity trend analyses; and detect, respond to, and mitigate threats. An increase in the number of organizations integrating the ATT&CK framework in their analysis will have a positive impact on the efficiency and efficacy of information sharing within the community.

CISA, HSSEDI, and MITRE ATT&CK encourage users and administrators to review both the guide—as well as CISA Executive Assistant Director Eric Goldstein’s blog post on the guide—to strengthen the security posture of their organization and improve information sharing.

This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Updates for Firefox

Originally Posted from CISA Currently Activity
Read More
Original release date: June 2, 2021

Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Mozilla Security Advisory for Firefox 89 and Firefox ESR 78.11 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates for Multiple Products

Originally Posted from CISA Currently Activity
Read More
Original release date: June 2, 2021

Cisco has released security updates to address a vulnerability in multiple Cisco products. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review the following Cisco advisory and apply the necessary updates:

Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021 cisco-sa-lasso-saml-jun2021-DOXNRLkD

This product is provided subject to this Notification and this Privacy & Use policy.

Scamming You Through Social Media

You may be aware that cyber attacks will try to trick you over the phone or through email using phishing attacks, but do you realize they may try to attack you also over social media channels, such as Snapchat, Twitter, Facebook, or LinkedIn? Just like in email, if you get any social media messages that are highly urgent or too good to be true, it may be an attack.

SANS Institute Security Awareness Tip of the Day – Read More

Careers in Cybersecurity

Have you considered a career in cybersecurity? It is a fast-paced, highly dynamic field with a huge number of specialties to choose from, including forensics, endpoint security, critical infrastructure, incident response, secure coding, and awareness and training. In addition, a career in cybersecurity allows you to work almost anywhere in the world, with amazing benefits and an opportunity to make a real difference. However, the most exciting thing is you do NOT need a technical background, anyone can get started.

SANS Institute Security Awareness Tip of the Day – Read More

AA21-148A: Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs

Posted from CISA Alerts
Read More
Original release date: May 28, 2021

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are responding to a spearphishing campaign targeting government organizations, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs). A sophisticated cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to spoof a U.S.-based government organization and distribute links to malicious URLs.[1] Note: CISA and FBI acknowledge open-source reporting attributing the activity discussed in the report to APT29 (also known as Nobelium, The Dukes, and Cozy Bear).[2,3] However, CISA and FBI are investigating this activity and have not attributed it to any threat actor at this time. CISA and FBI will update this Joint Cybersecurity Advisory as new information becomes available.

This Joint Cybersecurity Advisory contains information on tactics, techniques, and procedures (TTPs) and malware associated with this campaign. For more information on the malware, refer to Malware Analysis Report MAR-10339794-1.v1: Cobalt Strike Beacon.

CISA and FBI urge governmental and international affairs organizations and individuals associated with such organizations to immediately adopt a heightened state of awareness and implement the recommendations in the Mitigations section of this advisory.

For a downloadable list of indicators of compromise (IOCs), refer to AA21-148A.stix, and MAR-10339794-1.v1.stix.

Technical Details

Based on incident reports, malware collection, and trusted third-party reporting, CISA and FBI are responding to a sophisticated spearphishing campaign. A cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to send phishing emails to more than 7,000 accounts across approximately 350 government organizations, IGOs, and NGOs. The threat actor sent spoofed emails that appeared to originate from a U.S. Government organization. The emails contained a legitimate Constant Contact link that redirected to a malicious URL [T1566.002, T1204.001], from which a malicious ISO file was dropped onto the victim’s machine.

The ISO file contained (1) a malicious Dynamic Link Library (DLL) named Documents.dll [T1055.001], which is a custom Cobalt Strike Beacon version 4 implant, (2) a malicious shortcut file that executes the Cobalt Strike Beacon loader [T1105], and (3) a benign decoy PDF titled “Foreign Threats to the 2020 US Federal Elections” with file name “ICA-declass.pdf” (see figure 1). Note: The decoy file appears to be a copy of the declassified Intelligence Community Assessment pursuant to Executive Order 13848 Section 1(a), which is available at https://www.intelligence.gov/index.php/ic-on-the-record-database/results/1046-foreign-threats-to-the-2020-us-federal-elections-intelligence-community-assessment.

Figure 1: Decoy PDF: ICA-declass.pdf

Cobalt Strike is a commercial penetration testing tool used to conduct red team operations.[4] It contains a number of tools that complement the cyber threat actor’s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. The Cobalt Strike Beacon is the malicious implant that calls back to attacker-controlled infrastructure and checks for additional commands to execute on the compromised system [TA0011].

The configuration file for this Cobalt Strike Beacon implant contained communications protocols, an implant watermark, and the following hardcoded command and control (C2) domains:

dataplane.theyardservice[.]com/jquery-3.3.1.min.woff2
cdn.theyardservice[.]com/jquery-3.3.1.min.woff2
static.theyardservice[.]com/jquery-3.3.1.min.woff2
worldhomeoutlet[.]com/jquery-3.3.1.min.woff2

The configuration file was encoded via an XOR with the key 0x2e and a 16-bit byte swap.

For more information on the ISO file and Cobalt Strike Beacon implant, including IOCs, refer to Malware Analysis Report MAR-10339794-1.v1: Cobalt Strike Beacon.

Indicators of Compromise

The following IOCS were derived from trusted third parties and open-source research. For a downloadable list of IOCs, refer to AA21-148A.stix and MAR-10339794-1.v1.stix.

URL: https[:]//r20.rs6.net/tn.jsp?f=
Host IP: 208.75.122[.]11 (US)
Owner: Constant Contact, Inc.
Activity: legitimate Constant Contact link found in phishing email that redirects victims to actor-controlled infrastructure at https[:]//usaid.theyardservice.com/d/<target_email_address>
 
URL: https[:]//usaid.theyardservice.com/d/<target_email_address>
Host IP: 83.171.237[.]173 (Germany)
Owner: [redacted]
First Seen: May 25, 2021
Activity: actor-controlled URL that was redirected from https[:]//r20.rs6.net/tn.jsp?f=; the domain usaid[.]theyardservice.com was detected as a malware site; hosted a malicious ISO file “usaid[.]theyardservice.com”
 
File: ICA-declass.iso [MD5: cbc1dc536cd6f4fb9648e229e5d23361]
File Type: Macintosh Disk Image
Detection: Artemis!7EDF943ED251, Trojan:Win32/Cobaltstrike!MSR, or other malware
Activity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple URLs, domains, and IP addresses
 
File: /d/ [MD5: ebe2f8df39b4a94fb408580a728d351f]
File Type: Macintosh Disk Image
Detection: Cobalt, Artemis!7EDF943ED251, or other malware
Activity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple URLs, domains, and IP addresses
 
File: ICA-declass.iso [MD5: 29e2ef8ef5c6ff95e98bff095e63dc05]
File Type: Macintosh Disk Image
Detection: Cobalt Strike, Rozena, or other malware
Activity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple URLs, domains, and IP addresses
 
File: Reports.lnk [MD5: dcfd60883c73c3d92fceb6ac910d5b80]
File Type: LNK (Windows shortcut)
Detection: Worm: Win32-Script.Save.df8efe7a, Static AI – Suspicious LNK, or other malware
Activity: shortcut contained in malicious ISO files; executes a custom Cobalt Strike Beacon loader
 
File: ICA-declass.pdf [MD5: b40b30329489d342b2aa5ef8309ad388]
File Type: PDF
Detection: undetected
Activity: benign, password-protected PDF displayed to victim as a decoy; currently unrecognized by antivirus software
 
File: DOCUMENT.DLL [MD5: 7edf943ed251fa480c5ca5abb2446c75]
File Type: Win32 DLL
Detection: Trojan: Win32/Cobaltstrike!MSR, Rozena, or other malware
Activity: custom Cobalt Strike Beacon loader contained in malicious ISO files; communicating with multiple URLs, domains, and IP addresses by antivirus software
 
File: DOCUMENT.DLL [MD5: 1c3b8ae594cb4ce24c2680b47cebf808]
File Type: Win32 DLL
Detection: Cobalt Strike, Razy, Khalesi, or other malware
Activity: Custom Cobalt Strike Beacon loader contained in malicious ISO files; communicating with multiple URLs, domains, and IP addresses by antivirus software
 
Domain: usaid[.]theyardservice.com
Host IP: 83.171.237[.]173 (Germany)
First Seen: May 25, 2021
Owner: Withheld for Privacy Purposes
Activity: subdomain used to distribute ISO file according to the trusted third party; detected as a malware site by antivirus programs
 
Domain: worldhomeoutlet.com
Host IP: 192.99.221[.]77 (Canada)
Created Date: March 11, 2020
Owner: Withheld for Privacy Purposes by Registrar
Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software; associated with Cobalt Strike malware
 
Domain: dataplane.theyardservice[.]com
Host IP: 83.171.237[.]173 (Germany)
First Seen: May 25, 2021
Owner: [redacted]
Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software; observed in phishing, malware, and spam activity
 
Domain: cdn.theyardservice[.]com
Host IP: 83.171.237[.]173 (Germany)
First Seen: May 25, 2021
Owner: Withheld for Privacy Purposes by Registrar
Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software
 
Domain: static.theyardservice[.]com
Host IP: 83.171.237[.]173 (Germany)
First Seen: May 25, 2021
Owner: Withheld for Privacy Purposes
Activity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and observed communicating with multiple malicious files according to antivirus software
 
IP: 192.99.221[.]77
Organization: OVH SAS
Resolutions: 7
Geolocation: Canada
Activity: detected as a malware site; hosts a suspicious domain worldhomeoutlet[.]com; observed in Cobalt Strike activity
 
IP: 83.171.237[.]173
Organization: Droptop GmbH
Resolutions: 15
Geolocation: Germany
Activity: Categorized as malicious by antivirus software; hosted multiple suspicious domains and multiple malicious files were observed downloaded from this IP address; observed in Cobalt Strike and activity
 
Domain: theyardservice[.]com
Host IP: 83.171.237[.]173 (Germany)
Created Date: January 27, 2010
Owner: Withheld for Privacy Purposes
Activity: Threat actor controlled domain according to the trusted third party; categorized as suspicious by antivirus software; observed in Cobalt Strike activity

 

Table 1 provides a summary of the MITRE ATT&CK techniques observed.

Table 1: MITRE ATT&CK techniques observed

Technique Title

Technique ID

Process Injection: Dynamic-link Library Injection

T1055.001

Ingress Tool Transfer

T1105

User Execution: Malicious Link

T1204.001

Phishing: Spearphishing Link

T1566.002

Mitigations

CISA and FBI urge CI owners and operators to apply the following mitigations.

Implement multi-factor authentication (MFA) for every account. While privileged accounts and remote access systems are critical, it is also important to ensure full coverage across SaaS solutions. Enabling MFA for corporate communications platforms (as with all other accounts) provides vital defense against these types of attacks and, in many cases, can prevent them.
Keep all software up to date. The most effective cybersecurity programs quickly update all of their software as soon as patches are available. If your organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited.
Implement endpoint and detection response (EDR) tools. EDR allows a high degree of visibility into the security status of endpoints and is can be an effective tool against threat actors.
Note: Organizations using Microsoft Defender for Endpoint or Microsoft 365 Defense should refer to Microsoft: Use attack surface reduction rules to prevent malware infection for more information on hardening the enterprise attack surface.
Implement centralized log management for host monitoring. A centralized logging application allows technicians to look out for anomalous activity in the network environment, such as new applications running on hosts, out-of-place communication between devices, or unaccountable login failures on machines. It also aids in troubleshooting applications or equipment in the event of a fault. CISA and the FBI recommend that organizations:
Forward logs from local hosts to a centralized log management server—often referred to as a security information and event management (SIEM) tool.
Ensure logs are searchable. The ability to search, analyze, and visualize communications will help analysts diagnose issues and may lead to detection of anomalous activity.
Correlate logs from both network and host security devices. By reviewing logs from multiple sources, an organization can better triage an individual event and determine its impact to the organization as a whole.
Review both centralized and local log management policies to maximize efficiency and retain historical data. Organizations should retain critical logs for a minimum of 30 days.

Deploy signatures to detect and/or block inbound connection from Cobalt Strike servers and other post-exploitation tools.
Implement unauthorized execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
Configure and maintain user and administrative accounts using a strong account management policy.
Use administrative accounts on dedicated administration workstations.
Limit access to and use of administrative accounts.
Use strong passwords. For more information on strong passwords, refer to CISA Tip: Choosing and Protecting Passwords and National Institute of Standards (NIST) SP 800-63: Digital Identity Guidelines: Authentication and Lifecycle Management.
Remove default accounts if unneeded. Change the password of default accounts that are needed.
Disable all unused accounts.

Implement a user training program and simulated attacks for spearphishing to discourage users from visiting malicious websites or opening malicious attachments and re-enforce the appropriate user responses to spearphishing emails.

RESOURCES

Volexity Blog: Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns | Volexity
Microsoft Blog: New sophisticated email-based attack from NOBELIUM – Microsoft Security
Microsoft Blog: Another Nobelium Cyberattack

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [email protected].

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.

 

References

[1] Microsoft Blog: New Sophisticated Email-Based Attack from NOBELIUM [2] Ibid. Volexity Blog: Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns [4] MITRE ATT&CK: Cobalt Strike

Revisions

Initial version: May 28, 2021

This product is provided subject to this Notification and this Privacy & Use policy.

Joint CISA-FBI Cybersecurity Advisory on Sophisticated Spearphishing Campaign

Originally Posted from CISA Currently Activity
Read More
Original release date: May 28, 2021

CISA and the Federal Bureau of Investigation (FBI) are responding to an ongoing spearphishing campaign targeting government organizations, intergovernmental organizations, and non-governmental organizations. A sophisticated cyber threat actor leveraged a compromised end-user account from Constant Contact—a legitimate email marketing software company—to spoof a U.S. government organization and distribute links to malicious URLs.

In response, CISA and FBI have released Joint Cybersecurity Advisory AA21-148A: Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs and Malware Analysis Report MAR-10339794-1.v1, providing tactics, techniques, and procedures (TTPs); downloadable indicators of compromise (IOCs); and recommended mitigations.

CISA strongly encourages organizations to review AA21-148A and  MAR-10339794-1.v1 and apply the necessary mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

FBI Update on Exploitation of Fortinet FortiOS Vulnerabilities

Originally Posted from CISA Currently Activity
Read More
Original release date: May 28, 2021

The Federal Bureau of Investigation (FBI) has released an FBI FLASH, APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity, which describes advanced persistent threat (APT) actors exploiting known Fortinet FortiOS vulnerabilities. APT actors may exploit these vulnerabilities to gain initial access to multiple government, commercial, and technology services to conduct future attacks. This is a follow up to the FBI-CISA Joint Cybersecurity Advisory AA21-092A: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attack, originally published April 2, and provides indicators of compromise (IOCs) and additional recommended mitigations.

CISA encourages users and administrators to review the IOCs and updated mitigations in FBI FLASH MI-000148-MW and refer back to AA21-092A for additional information.

This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Announces New Campaign from NOBELIUM

Originally Posted from CISA Currently Activity
Read More
Original release date: May 27, 2021

The Microsoft Threat Intelligence Center (MSTIC) has released information on the uncovering of a widespread malicious email campaign undertaken by the activity group that Microsoft tracks as NOBELIUM. NOBELIUM was initially identified in November 2020, during an intrusion at a major cybersecurity organization. Microsoft security researchers identify NOBELIUM as the actor responsible for the 2020 compromise of the SolarWinds Orion platform, and subsequent activity targeting other Microsoft customer networks and cloud assets.

CISA encourages users and administrators to review MSTIC’s blog post New sophisticated email-based attack from NOBELIUM and apply the necessary mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

Updates to Alert on Pulse Connect Secure

Originally Posted from CISA Currently Activity
Read More
Original release date: May 27, 2021

CISA has updated Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities to include new threat actor techniques, tactics, and procedures (TTPs), indicators of compromise (IOCs), and updated mitigations.  

CISA encourages users and administrators to review AA21-110A and the following resources for more information:
•    Re-Checking Your Pulse
•    Ivanti KB44755 – Pulse Connect Secure (PCS) Integrity Assurance
•    Ivanti Security Advisory SA44784
•    Emergency Directive 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities

 

This product is provided subject to this Notification and this Privacy & Use policy.

Drupal Releases Security Updates

Originally Posted from CISA Currently Activity
Read More
Original release date: May 27, 2021

Drupal has released security updates to address a vulnerability affecting Drupal 8.9, 9.0, and 9.1. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review Drupal Advisory SA-CORE-2021-003 and apply the necessary updates or mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Updates for Chrome

Originally Posted from CISA Currently Activity
Read More
Original release date: May 26, 2021

Google has released Chrome version 91.0.4472.77 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

VMware Releases Security Updates

Originally Posted from CISA Currently Activity
Read More
Original release date: May 26, 2021

VMware has released security updates to address multiple vulnerabilities in vCenter Server and Cloud Foundation. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0010 and apply the necessary updates and workarounds.

This product is provided subject to this Notification and this Privacy & Use policy.

CEO Fraud

CEO Fraud / BEC is a type of targeted email attack. It commonly involves a cyber criminal pretending to be your boss or a senior leader and then tricking you into sending the criminal highly sensitive information, buying gift cards or initiating a wire transfer. Be highly suspicious of any emails demanding immediate action and/or asking you to bypass any security procedures.

SANS Institute Security Awareness Tip of the Day – Read More