Computer Safety & News

CISA Issues Emergency Directive on Pulse Connect Secure | CISA

Exploitation of Pulse Connect Secure Vulnerabilities | CISA

CISA has issued Emergency Directive (ED) 21-03, as well as Alert AA21-110A, to address the exploitation of vulnerabilities affecting Pulse Connect Secure (PCS) software. An attacker could exploit these vulnerabilities to gain persistent system access and take control of the enterprise network operating the vulnerable PCS device. These vulnerabilities are being exploited in the wild.

Specifically, ED 21-03 directs federal departments and agencies to run the Pulse Connect Secure Integrity Tool on all instances of PCS virtual and hardware appliances to determine whether any PCS files have been maliciously modified or added.

Although ED 21-03 applies to Federal Civilian Executive Branch departments and agencies, CISA strongly recommends state and local governments, the private sector, and others to run the Pulse Connect Secure Integrity Tool and review ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities for additional mitigation recommendations.

ADMINS & DBAs should apply the latest updates for Oracle across a wide spectrum of products as applicable:

Oracle Releases April 2021 Critical Patch Update | CISA

Oracle Critical Patch Update Advisory – April 2021

This Critical Patch Update contains 390 new security patches across the product families listed below.  Oracle has released its Critical Patch Update for April 2021 to address 384 vulnerabilities across multiple products.   Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay

Often companies protect the outer shell facing the Internet well — but they may not safeguard their own internal web (aka Intranet) as well.  Encryption & other best security practices are a must in 2021 at every point (email, web, company network, routers, etc.)

HTTPS Support for All Internal Services (sans.edu)

Why and How You Should be Using an Internal Certificate Authority (sans.edu)

The landscape is changing to force more and more people to switch to encrypted communications and this is good!   Yesterday diary covered the deployment of your own internal CA to generate certificates and switch everything to secure communications. This is a good point. Especially, by deploying your own root CA, you will add an extra  string to your securitybow: SSL interception and inspection.

The SolarWinds Orion software hack & advanced exploit (aka Solorigate) got embedded in hundreds of GOVT & corporate organizations.  CISA recommends latest APRIL 2021 Microsoft updates for Exchange Server as shared below

Apply Microsoft April 2021 Security Update to Mitigate Newly Disclosed Microsoft Exchange Vulnerabilities | CISA

Microsoft’s April 2021 Security Update mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019. An attacker could exploit these vulnerabilities to gain access and maintain persistence on the target host. CISA strongly urges organizations to apply Microsoft’s April 2021 Security Update to mitigate against these newly disclosed vulnerabilities. Note: the Microsoft security updates released in March 2021 do not remediate against these vulnerabilities.

In response to these the newly disclosed vulnerabilities, CISA has issued Supplemental Direction Version 2 to Emergency Directive (ED) 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities. ED 20-02 Supplemental Direction V2 requires federal departments and agencies to apply Microsoft’s April 2021 Security Update to mitigate against these significant vulnerabilities affecting on-premises Exchange Server 2016 and 2019.

Although CISA Emergency Directives only apply to Federal Civilian Executive Branch agencies, CISA strongly encourages state and local governments, critical infrastructure entities, and other private sector organizations to review ED 21-02 Supplemental Direction V2 and apply the security updates immediately. Review the following resources for additional information:

• • Microsoft April 2021 Security Update Summary and Deployment Information
  • CISA ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities Supplemental Direction V2
  • CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
  • CISA web page: Remediating Microsoft Exchange Vulnerabilities

Microsoft has released important “Patch Tuesday” monthly security updates. These should applied promptly as some of these vulnerabilities have potential to be actively exploited in-the-wild later:

https://isc.sans.edu/forums/diary/Microsoft+April+2021+Patch+Tuesday/27306/

https://blog.talosintelligence.com/2021/04/microsoft-patch-tuesday-for-april-2021.html

https://www.zerodayinitiative.com/blog/2021/4/13/the-april-2021-security-update-review

https://msrc.microsoft.com/update-guide/releaseNote/2021-Apr

https://patchtuesdaydashboard.com/https://portal.msrc.microsoft.com/en-us/security-guidance/summary

This month’s score includes 114 Vulnerabilities. There are 19 Critical this month with 4 previously disclosed and 1 being exploited. Four new remote code execution vulnerabilities in Microsoft Exchange Server are included in today’s security update. This month’s security update provides patches for several other pieces of software, including Microsoft Office, the Windows Kernel and Visual Studio.

Cisco is a key vendor for many organizations & several products have had recent security updates.

Cisco Releases Security Updates for Multiple Products | CISA

https://tools.cisco.com/security/center/publicationListing.x

Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.  CISA encourages users and administrators to review the following Cisco Advisory and apply the necessary updates:

• • Cisco SD-WAN vManage Software Vulnerabilities cisco-sa-vmanage-YuTVWqy
  • Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability cisco-sa-rv-rce-q3rxHnvm
  • Cisco Small Business RV Series Routers Vulnerabilities cisco-sa-sb-rv-bypass-inject-Rbhgvfdx
  • Cisco Small Business RV Series Routers Link Layer Discovery Protocol Vulnerabilities cisco-sa-rv-multi-lldp-u7e4chCe
  • Cisco Unified Communications Products Remote Code Execution Vulnerability cisco-sa-cucm-rce-pqVYwyb
  • Cisco Advanced Malware Protection for Endpoints Windows Connector, ClamAV for Windows, and Immunet DLL Hijacking Vulnerability cisco-sa-amp-imm-dll-tu79hvkO

An excellent article for IT & business leaders can be helpful in guiding team members when needed

Managing a Chronic Complainer (hbr.org)

New studies of human brains show stress may shrink neurons (8/96) (stanford.edu)

Why Complain? — Complaining isn’t all bad. Occasional venting and expression of negative emotions to a colleague about difficult situations allow us to get our concerns out into the open, and in doing so, lessen possible stress reactions. Repressing our feelings may stop us from naming our problem and getting to the bottom of it. But complaints can also be used as a way to exercise power and influence perceptions. Especially within organizations, which can be hotbeds of political games, people use complaining in order to get people’s support.

Managing a Complainer — Attempts to help chronic complainers often have little or no effect. It’s better to begin by setting clear boundaries. Tell the complainer not to engage in a repetitive conversation. Going over the same thing over and over again isn’t doing either of them a service. They may still feel bad but constant complaining is upsetting everyone in the organization. Acknowledge that everyone complains at some point, but also point out that most people do so in moderation and that there is a right and a wrong way to complain.

CISA is reporting active & hidden cyberattacks are circulating on vulnerable SAP systems …. ADMINs are encouraged to promptly review settings, patch, and employ other protected measures as documented in links below:

Malicious Cyber Activity Targeting Critical SAP Applications | CISA

Active Cyberattacks on Mission-Critical SAP Applications | Onapsis

On April 6, Onapsis and SAP released a new threat intelligence report to help SAP customers protect from active cyber threats seeking to specifically target, identify and compromise organizations running unprotected SAP applications, through a variety of cyberattack vectors.SAP and Onapsis strongly advise organizations to take immediate action including swift application of the relevant SAP security patches and a thorough review of security configurations of their SAP landscapes, as well as performing a compromise assessment and forensic investigation of at-risk environments.

See CISA’s previous alerts on SAP:

• • Alert AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java, published July 13, 2020
  • Alert AA19-122A: New Exploits for Unsecure SAP Systems, published May 02, 2019
  • CA: Malicious Cyber Activity Targeting ERP Applications, published July 25, 2018
  • Alert TA16-132A: Exploitation of SAP Business Applications, published May 11, 2016

 Impacted organizations could experience:

• • theft of sensitive data, 
  • financial fraud, 
  • disruption of mission-critical business processes,
  • ransomware, and
  • halt of all operations. 

A security research found a huge file on the “dark web” containing over 533 million users from a prior hacking attack in 2019

The Personal Data of More Than 533M Facebook Users Has Been Posted Online | PCMag

https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4

The personal data of more than 533 million users from 106 countries has been leaked and published online. That includes Facebook IDs, full names, locations, phone numbers, birthdates, and email addresses of more than 32 million people in the US. Business Insider reviewed and verified a sample of the leaked records, which Facebook claims were scraped “due to a vulnerability” that was patched in 2019.

Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, spotted the disclosure on Saturday, explaining, “A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts.”   There’s not much Facebook can do in terms of security to help affected users, Gal explained, aside from warning folks to keep an eye out for phishing schemes or fraudulent activity.

Govt. security agencies are warning of active scanning for devices on ports 4443, 8443, and 10443.  Documented attacks include: DDoS attacks, ransomware attacks, SQL injection attacks, spearphishing campaigns, website defacements, & disinformation campaigns

FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities | CISA

210402.pdf (ic3.gov)

FBI & CISA have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities  CVE-2018-13379,  CVE-2020-12812,  and CVE-2019-5591. APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services. CISA encourages users and administrators to review Joint CSA AA21-092A: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks and implement the recommended mitigations.