Security News

Following attribution of the SolarWinds supply chain attack to Russia's APT29, the US CISA infosec agency has published a list of the spies' known tactics - including a penchant for using a naughtily named email provider. APT29 is the Western infosec world's codename for what we now know is the Russian Foreign Intelligence Service, known by its Russian acronym SVR. As well as publishing a list of things US counterintelligence know about their Russian offensive counterparts, CISA has also added some advice on how to avoid these common Russian intelligence compromise tactics.

The software supply chain is part of the information and communications technology supply chain framework, which represents "the network of retailers, distributors, and suppliers that participate in the sale, delivery, and production of hardware, software, and managed services," CISA and NIST explain. Aside from the SolarWinds incident, other notorious supply chain attacks over the past several years include the CCleaner malware campaign, the MeDoc compromise leading to NotPetya, Operation ShadowHammer, the infection of IoT devices running Windows 7, and the abuse of Kaspersky Lab software to steal NSA files.

The US Cybersecurity and Infrastructure Security Agency has issued a new emergency directive ordering federal agencies to mitigate an actively exploited vulnerability in Pulse Connect Secure VPN appliances on their networks by Friday. CISA issued the Emergency Directive 21-03 Tuesday after Pulse Secure confirmed a FireEye report saying that at least two state-backed threat groups exploited the bug to breach government and defense organizations in the US and across the globe.

The US Cybersecurity and Infrastructure Security Agency has ordered federal agencies to install newly released Microsoft Exchange security updates by Friday. Today, Microsoft released security updates for four Microsoft Exchange vulnerabilities discovered by the NSA. These Exchange vulnerabilities are capable of remote code execution, with two vulnerabilities not requiring attackers to authenticate first.

The U.S. Cybersecurity and Infrastructure Security Agency this week published details on additional malware identified on compromised Microsoft Exchange servers, namely China Chopper webshells and DearCry ransomware. The malware operators target Exchange servers through a series of vulnerabilities that were made public on March 3, the same day Microsoft released patches for them.

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency has released a new tool to help with the detection of potential compromise within Microsoft Azure and Microsoft 365 environments. Dubbed Aviary, the new tool is a dashboard that makes it easy to visualize and analyze output from Sparrow, the compromise detection tool that was released in December 2020.

The Cybersecurity and Infrastructure Security Agency has released a companion Splunk-based dashboard that helps review post-compromise activity in Microsoft Azure Active Directory, Office 365, and Microsoft 365 environments. CISA's new tool, dubbed Aviary, helps security teams visualize and analyze data outputs generated using Sparrow, an open-source PowerShell-based tool for detecting potentially compromised applications and accounts in Azure and Microsoft 365.

The U.S. government is warning that Advanced Persistent Threat actors are exploiting vulnerabilities in Fortinet FortiOS in ongoing attacks targeting commercial, government, and technology services networks. The warning, issued in a joint advisory by FBI and the Cybersecurity and Infrastructure Security Agency, follows the recent release of security patches covering serious security flaws in Fortinet's flagship FortiOS product.

The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency warn of advanced persistent threat actors targeting Fortinet FortiOS servers using multiple exploits. In the Joint Cybersecurity Advisory published today, the agencies warn admins and users that the state-sponsored hacking groups are "likely" exploiting Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

The Cybersecurity and Infrastructure Security Agency has ordered federal agencies to scan their networks again for any signs of compromised on-premises Microsoft Exchange servers and report their findings within five days. CISA issued another directive ordering federal agencies to urgently update or disconnect their Exchange on-premises servers after Microsoft released security updates for zero-day bugs collectively dubbed ProxyLogon.