CISA encourages enterprise owners and administrators to review the NSA Info Sheet: Adopting Encrypted DNS in Enterprise Environments and consider implementing the recommendations to enhance DNS security.

CISA encourages users and administrators to review the Apache security advisory for CVE-2021-24122 and upgrade to the appropriate version.  

Microsoft has released a security advisory to address a remote code execution vulnerability, CVE-2021-1647, in Microsoft Defender. A remote attacker can exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.

CISA encourages users and administrators to review Microsoft Advisory for CVE-2021-1647 and apply the necessary updates. 

Cisco has released security updates to address vulnerabilities in Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities see the Cisco Security Advisories page.

CISA encourages users and administrators to review the following Cisco Advisories and apply the necessary updates:

• AnyConnect Secure Mobility Client for Windows DLL Injection Vulnerability cisco-sa-anyconnect-dll-injec-pQnryXLf
• Connected Mobile Experiences Privilege Escalation Vulnerability cisco-sa-cmxpe-75Asy9k
• Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Command Injection Vulnerabilities cisco-sa-rv-command-inject-LBdQ2KRN
• Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Remote Command Execution and Denial of Service Vulnerabilities cisco-sa-rv-overflow-WUnUgv4U

CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.

CISA observed cyber threat actors using phishing emails with malicious links to harvest credentials for users? cloud service accounts (Phishing: Spearphishing Link [T1598.003]). The cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access [TA0001] to the user?s cloud service account (Valid Accounts [T1078]). CISA observed the actors? logins originating from foreign locations (although the actors could have been using a proxy or The Onion Router (Tor) to obfuscate their location). The actors then sent emails from the user?s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization?s file hosting service.

In one case, an organization did not require a virtual private network (VPN) for accessing the corporate network. Although their terminal server was located within their firewall, due to remote work posture, the terminal server was configured with port 80 open to allow remote employees to access it?leaving the organization?s network vulnerable. The threat actor attempted to exploit this by launching brute force login attempts (Brute Force [T1110]).

Forwarding Rules

In several engagements, CISA observed threat actors collecting sensitive information by taking advantage of email forwarding rules, which users had set up to forward work emails to their personal email accounts (Email Collection: Email Forwarding Rule [T1114.003]).

Modified Forwarding

In one case, CISA determined that the threat actors modified an existing email rule on a user?s account?originally set by the user to forward emails sent from a certain sender to a personal account?to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors? accounts.

Keyword Search Rule

Threat actors also modified existing rules to search users? email messages (subject and body) for several finance-related keywords (which contained spelling mistakes) and forward the emails to the threat actors? account.

New Rule Creation and Forwarding

In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users? Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.

Authentication

CISA verified that the threat actors successfully signed into one user?s account with proper multi-factor authentication (MFA). In this case, CISA believes the threat actors may have used browser cookies to defeat MFA with a ?pass-the-cookie? attack (Use Alternate Authentication Material: Web Session Cookie [T1550.004]).

The threat actors attempted brute force logins (Brute Force [T1110]) on some accounts. However, this activity was not successful. This thwarted attempt was due, in part, to the threat actors not guessing a correct username/password combination, as well as the organization?s use of MFA to access their cloud environment.

In response, CISA has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services which provides technical details and indicators of compromise to help detect and respond to potential attacks.

CISA encourages users and administrators to review AR21-013A and apply the recommendations to strengthen cloud environment configurations.

CISA encourages users and administrators to review Microsoft?s January 2021 Security Update Summary and Deployment Information and apply the necessary updates.

The National Security Agency (NSA) Cybersecurity Directorate has released its 2020 Year in Review, outlining key milestones and mission outcomes achieved during NSA Cybersecurity?s first full year of existence. Highlights include NSA Cybersecurity?s contributions to the 2020 elections, Operation Warp Speed, and the Department of Defense?s pandemic-influenced transition to telework.

For further details on those and other accomplishments, CISA encourages users and administrators to read the NSA Cybersecurity 2020 Year in Review.

CISA encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 78.6.1 and apply the necessary update.