Please see Security Advisories for the week ending May 28, 2021
- Microsoft Announces New Campaign from NOBELIUM
- Joint CISA-FBI Cybersecurity Advisory on Sophisticated Spearphishing Campaign
- Current Updates on Pulse Connect Secure
- Apple Releases Security Updates
- Google Releases Security Updates for the Chrome Browser
________________________________
Microsoft Announces New Campaign from NOBELIUM
Situation
The Microsoft Threat Intelligence Center (MSTIC) has released information on the uncovering of a widespread malicious email campaign undertaken by the activity group that Microsoft tracks as NOBELIUM.
Problem
This new wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links that were obscured behind the mailing service’s URL. MSTIC determined this campaign began around January 28, 2021, when the actor was performing early reconnaissance by only sending the tracking portion of the email, leveraging Firebase URLs to record targets who clicked. MSTIC further observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, JavaScript within the HTML wrote an ISO file to disk and encouraged the target to open it, resulting in the ISO file being mounted like an external/network drive, which then set the stage for delivery and deployment of payloads. The successful deployment of these payloads enables NOBELIUM to achieve persistent access to compromised systems, and their successful execution could enable NOBELIUM to conduct objectives such as lateral movement, data exfiltration, and delivery of additional malware.
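As an added example (not Microsoft's or CISA's detection logic), the following heuristic scanner flags an HTML attachment that carries a large base64 blob which decodes to an ISO 9660 image alongside the script calls typically used to write it to disk; the indicator list, weights, and the two sample documents are constructed assumptions for illustration.

```python
import base64
import re

# Script-level indicators of HTML smuggling (constructed heuristic list, not
# Microsoft's or CISA's detection logic)
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob\s*\(", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "iso_download_name": re.compile(r"""download\s*=\s*["'][^"']*\.iso["']""", re.I),
}
# A quoted base64 run of at least 1 KiB is a candidate embedded payload
BASE64_BLOB = re.compile(r"""["']([A-Za-z0-9+/]{1024,}={0,2})["']""")

# ISO 9660: the primary volume descriptor carries "CD001" at byte 0x8001
ISO_SIG_OFFSET, ISO_SIG = 0x8001, b"CD001"


def looks_like_iso(data: bytes) -> bool:
    return data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIG)] == ISO_SIG


def analyze_html(html: str) -> dict:
    """Score an HTML attachment for smuggling indicators and embedded ISO images."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    blobs = []
    for m in BASE64_BLOB.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        blobs.append({"size": len(raw), "iso": looks_like_iso(raw)})
    # Weighting (assumed): each script indicator 1, any large blob 1, an ISO-shaped blob 2
    score = len(hits) + (1 if blobs else 0) + sum(2 for b in blobs if b["iso"])
    return {"indicators": hits, "blobs": blobs, "score": score, "suspicious": score >= 3}


# Constructed test input: a minimal stand-in for the attachment described above,
# carrying a dummy ISO image (zeros plus the CD001 signature), not any real payload
DUMMY_ISO = b"\x00" * ISO_SIG_OFFSET + ISO_SIG + b"\x00" * 10
SMUGGLED_HTML = (
    '<html><body><script>var b64="' + base64.b64encode(DUMMY_ISO).decode() + '";'
    'var blob=new Blob([Uint8Array.from(atob(b64),c=>c.charCodeAt(0))]);'
    'var a=document.createElement("a");a.href=URL.createObjectURL(blob);'
    'a.download="report.iso";a.click();</script></body></html>'
)
# Constructed benign comparison: a mailer template with a tiny inline image
BENIGN_HTML = '<html><body><img src="data:image/gif;base64,R0lGODlhAQABAAAAACw="></body></html>'

if __name__ == "__main__":
    for label, doc in (("smuggled", SMUGGLED_HTML), ("benign", BENIGN_HTML)):
        print(label, analyze_html(doc))
```

Run it against extracted attachments from a mail gateway quarantine; the ISO signature check is the strongest signal, since legitimate marketing HTML never embeds a disk image.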
Implication
If the mitigations outlined by Microsoft in “New sophisticated email-based attack from NOBELIUM” are not implemented where applicable, it could leave an organization vulnerable to these types of targeted phishing attacks.
Need
CISA encourages users and administrators to review MSTIC’s blog post New sophisticated email-based attack from NOBELIUM and apply the necessary mitigations.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/05/27/microsoft-announces-new-campaign-nobelium
For a more technical overview:
________________________________
Joint CISA-FBI Cybersecurity Advisory on Sophisticated Spearphishing Campaign
Situation
CISA and the Federal Bureau of Investigation (FBI) are responding to an ongoing spearphishing campaign targeting government organizations, intergovernmental organizations, and non-governmental organizations.
Problem
A cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to send phishing emails to more than 7,000 accounts across 350 government organizations, intergovernmental organizations, and non-governmental organizations. The threat actor sent spoofed emails that appeared to originate from a U.S. Government organization. The emails contained a legitimate Constant Contact link that redirected to a malicious URL from which a malicious ISO file was dropped onto the victim’s machine. The ISO file contained a malicious Dynamic Link Library (DLL) named Documents.dll, which is a custom Cobalt Strike Beacon implant; a malicious shortcut file that executes the Cobalt Strike Beacon loader; and a benign decoy PDF titled “Foreign Threats to the 2020 US Federal Elections” with file name “ICA-declass.pdf”.
Implication
If the mitigations outlined by CISA and the FBI in AA21-148A and MAR-10339794-1.v1 are not implemented where applicable, it could leave an organization vulnerable to these types of targeted phishing attacks.
Need
CISA strongly encourages organizations to review AA21-148A and MAR-10339794-1.v1 and apply the necessary mitigations.
For a brief overview:
For a more technical overview:
https://us-cert.cisa.gov/ncas/alerts/aa21-148a
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a
________________________________
Current Updates on Pulse Connect Secure
Situation
Multiple vulnerabilities have been discovered in Ivanti Pulse Connect Secure products. Since March 31, 2021, CISA and Ivanti have assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor. These entities confirmed the malicious activity after running the Pulse Connect Secure Integrity Tool.
Problem
CISA has updated this alert to include new threat actor techniques, tactics, and procedures (TTPs), indicators of compromise (IOCs), and updated mitigations. See Ivanti KB44755 - Pulse Connect Secure (PCS) Integrity Assurance for updated guidance to ensure the full integrity of your Pulse Connect Secure software.
Implication
Devices have been compromised; the threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.
Need
CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to immediately run the Pulse Connect Secure Integrity Tool, update to the latest software version, and investigate for malicious activity.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/05/27/updates-alert-pulse-connect-secure
For a more technical overview:
https://us-cert.cisa.gov/ncas/alerts/aa21-110a
________________________________
Apple Releases Security Updates
Situation
Apple has released security updates for multiple products, including macOS Big Sur 11.4, iOS and iPadOS 14.6, and watchOS 7.5.
Problem
These security updates address vulnerabilities in the following products: macOS, iOS and iPadOS, and watchOS. These vulnerabilities include arbitrary code execution, out-of-bounds read and write, use-after-free, buffer overflow, and memory corruption issues.
Implication
If an attacker is able to successfully exploit some of these vulnerabilities, they could take control of the affected device.
Need
Apple recommends installing all security updates for each Apple product to ensure security and functionality. Additional information can be found in the link below.
For a brief overview:
https://us-cert.cisa.gov/ncas/current-activity/2021/05/25/apple-releases-security-updates
________________________________
Google Releases Security Updates for the Chrome Browser
Situation
Google has announced Chrome 91 for Windows, Mac, and Linux. This update includes a number of fixes and improvements and addresses security vulnerabilities.
Problem
Vulnerabilities fixed include heap buffer overflow, use-after-free, out-of-bounds memory access, insufficient policy enforcement, and more.
Implication
An attacker could exploit these vulnerabilities to take control of the affected systems.
Need
Apply the Chrome update as it becomes available over the coming weeks.
For a more technical overview:
https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html