US-CERT Activity

WordPress versions 4.7-5.7 are affected by multiple vulnerabilities. An attacker could exploit one of these vulnerabilities to take control of an affected website. 

CISA encourages users and administrators to review the WordPress Security and Maintenance Release and upgrade to WordPress 5.7.1.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) have analyzed additional SolarWinds-related malware variants—referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as a China Chopper webshell server-side component that was observed on a network with an active SUNSHUTTLE infection. The webshell can provide a cyber threat actor an alternative method of accessing a network, even if the SUNSHUTTLE infection was remediated.

The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR).

CISA encourages users and administrators to review Malware Analysis Report MAR-10327841-1.v1, U.S. Cyber Command’s VirusTotal page, and the following resources for more information: 

• CISA web page: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
• CISA web page: Supply Chain Compromise
• CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

This product is provided subject to this Notification and this Privacy & Use policy.

CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on Russian Foreign Intelligence Service (SVR) actors scanning for and exploiting vulnerabilities to compromise U.S. and allied networks, including national security and government-related systems.

Specifically, SVR actors are targeting and exploiting the following vulnerabilities:

• CVE-2018-13379 Fortinet FortiGate VPN
• CVE-2019-9670 Synacor Zimbra Collaboration Suite
• CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
• CVE-2019-19781 Citrix Application Delivery Controller and Gateway
• CVE-2020-4006 VMware Workspace ONE Access

Additionally the White House has released a statement formally attributing this activity and the SolarWinds supply chain compromise to SVR actors. CISA has updated the following products to reflect this attribution:

• Alert AA20-352A: APT Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
• Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
• Alert AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
• Malware Analysis Report AR21-039A: MAR-10318845-1.v1 - SUNBURST
• Malware Analysis Report AR21-039B: MAR-10320115-1.v1 - TEARDROP
• Table: SolarWinds and Active Directory/M365 Compromise - Detecting APT Activity from Known TTPs
• Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page
• Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise

CISA strongly encourages users and administrators to review Joint CSA: Russian SVR Targets U.S. and Allied Networks for SVR tactics, techniques, and procedures, as well as mitigation strategies.

This product is provided subject to this Notification and this Privacy & Use policy.

Google has updated the stable channel for Chrome to 90.0.4430.72 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome release and apply the necessary changes.

This product is provided subject to this Notification and this Privacy & Use policy.

Juniper Networks has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Juniper Security Advisories webpage and apply the necessary updates or workarounds.

This product is provided subject to this Notification and this Privacy & Use policy.

Cybersecurity researchers from Forescout and JSOF have released a report on a set of nine vulnerabilities—referred to as NAME:WRECK—affecting Domain Name System (DNS) implementations. NAME:WRECK affects at least four common TCP/IP stacks—FreeBSD, IPNet, NetX, and Nucleus NET—that are used in Internet of Things (IoT), operational technology (OT), and information technology (IT) devices. A remote attacker could exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Forescout Research Labs and JSOF Research Labs report NAME:WRECK Breaking and Fixing DNS Implementations and Forescout NAME:WRECK web page for more information, including recommended mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

Google and Microsoft recently published reports on advanced persistent threat (APT) actors targeting cybersecurity researchers. The APT actors are using fake social media profiles and legitimate-looking websites to lure security researchers into visiting malicious websites to steal information, including exploits and zero-day vulnerabilities. APT groups often use elaborate social engineering and spear phishing schemes to trick victims into running malicious code through malicious links and websites.

CISA recommends cybersecurity practitioners to guard against this specific APT activity and review the following reports for more information:

• Google – Update on campaign targeting security researchers, published March 31, 2021
• Microsoft – ZINC attacks against security researchers, published January 28, 2021
• Google – New campaign targeting security researchers, published January 25, 2021
• CISA Tip – Avoiding social engineering and phishing attacks, updated August 25, 2020

Additionally, CISA strongly encourages cybersecurity practitioners use sandbox environments that are isolated from trusted systems or networks when examining untrusted code or websites. 

This product is provided subject to this Notification and this Privacy & Use policy.

Google has updated the stable channel for Chrome to 89.0.4389.128 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. 

CISA encourages users and administrators to review the Chrome release and apply the necessary changes.

This product is provided subject to this Notification and this Privacy & Use policy.

SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the SAP Security Notes for April 2021 and apply the necessary updates.
 

This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft's April 2021 Security Update mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019. An attacker could exploit these vulnerabilities to gain access and maintain persistence on the target host. CISA strongly urges organizations to apply Microsoft's April 2021 Security Update to mitigate against these newly disclosed vulnerabilities. Note: the Microsoft security updates released in March 2021 do not remediate against these vulnerabilities.

In response to these the newly disclosed vulnerabilities, CISA has issued Supplemental Direction Version 2 to Emergency Directive (ED) 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities. ED 20-02 Supplemental Direction V2 requires federal departments and agencies to apply Microsoft's April 2021 Security Update to mitigate against these significant vulnerabilities affecting on-premises Exchange Server 2016 and 2019.

Although CISA Emergency Directives only apply to Federal Civilian Executive Branch agencies, CISA strongly encourages state and local governments, critical infrastructure entities, and other private sector organizations to review ED 21-02 Supplemental Direction V2 and apply the security updates immediately. Review the following resources for additional information:

• Microsoft April 2021 Security Update Summary and Deployment Information
• CISA ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities Supplemental Direction V2
• CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
• CISA web page: Remediating Microsoft Exchange Vulnerabilities

This product is provided subject to this Notification and this Privacy & Use policy.

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.

• RoboHelp APSB21-20
• Bridge APSB21-23
• Digital Editions APSB21-26
• Photoshop APSB21-28

This product is provided subject to this Notification and this Privacy & Use policy.

CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities.

• MAR-10331466-1.v1: China Chopper Webshell identifies a China Chopper webshell observed in post-compromised Microsoft Exchange Servers. After successfully exploiting a Microsoft Exchange Server vulnerability for initial accesses, a malicious cyber actor can upload a webshell to enable remote administration of the affected system.
• MAR-10330097-1.v1: DearCry Ransomware identifies ransomware that has been used to exploit compromised on-premises Exchange servers. The malware encrypts files on a device and demands ransom in exchange for decryption.

CISA encourages users and administrators to review the following resources for more information:

• CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
• CISA web page Remediating Microsoft Exchange Vulnerabilities
• CISA web page Ransomware Guidance and Resources

This product is provided subject to this Notification and this Privacy & Use policy.

Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise. Aviary—a Splunk-based dashboard—facilitates analysis of Sparrow data outputs.

CISA encourages network defenders wishing to use Aviary to facilitate their analysis of output from Sparrow to review CISA Alert: AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Note: CISA has updated the Sparrow tool section of AA21-008A with instructions on using the Aviary tool.

CISA recommends the following resources for additional information:

• CISA Alert: AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
• CISA Alert: AA21-077A: Detecting Post-Compromise Activity using the CHIRP IOC Detection Tool
• CISA web page: Remediating Networks Affected by the SolarWinds and Active Directory/M365
• CISA web page: Supply Chain Compromise

This product is provided subject to this Notification and this Privacy & Use policy.

Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.
 
CISA encourages users and administrators to review the following Cisco Advisory and apply the necessary updates:

• Cisco SD-WAN vManage Software Vulnerabilities cisco-sa-vmanage-YuTVWqy
• Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability cisco-sa-rv-rce-q3rxHnvm
• Cisco Small Business RV Series Routers Vulnerabilities cisco-sa-sb-rv-bypass-inject-Rbhgvfdx
• Cisco Small Business RV Series Routers Link Layer Discovery Protocol Vulnerabilities cisco-sa-rv-multi-lldp-u7e4chCe
• Cisco Unified Communications Products Remote Code Execution Vulnerability cisco-sa-cucm-rce-pqVYwyb
• Cisco Advanced Malware Protection for Endpoints Windows Connector, ClamAV for Windows, and Immunet DLL Hijacking Vulnerability cisco-sa-amp-imm-dll-tu79hvkO

This product is provided subject to this Notification and this Privacy & Use policy.

SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks. SAP applications help organizations manage critical business processes—such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management.  

On April 6 2021, security researchers from Onapsis, in coordination with SAP, released an alert detailing observed threat actor activity and techniques that could lead to full control of unsecured SAP applications. Impacted organizations could experience:

• theft of sensitive data, 
• financial fraud, 
• disruption of mission-critical business processes,
• ransomware, and
• halt of all operations. 

CISA recommends operators of SAP systems review the Onapsis Alert Active Cyberattacks on Mission-Critical SAP Applications for more information and apply necessary updates and mitigations. 

See CISA’s previous alerts on SAP:

• Alert AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java, published July 13, 2020
• Alert AA19-122A: New Exploits for Unsecure SAP Systems, published May 02, 2019
• CA: Malicious Cyber Activity Targeting ERP Applications, published July 25, 2018
• Alert TA16-132A: Exploitation of SAP Business Applications, published May 11, 2016

This product is provided subject to this Notification and this Privacy & Use policy.