Staying on top of cybersecurity news can seem like a daunting task in today’s rapidly-evolving world of cyber threats. That’s why we’re summarizing the most relevant cybersecurity vulnerabilities, advisories, and news for our many U.S. federal government customers. This post also offers insight on how customers can use Axonius to easily find devices affected by these vulnerabilities.
On March 2, cybersecurity firm Volexity reported in-the-wild-exploitation of four zero-day Microsoft Exchange Server vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
By successfully exploiting these vulnerabilities, an attacker can execute arbitrary code on vulnerable Exchange Servers (versions 2013, 2016 and 2019). This allows them to gain persistent system access, and access to files, mailboxes, and credentials stored on that system.
Microsoft has released out-of-band security patches to address these vulnerabilities. CISA has determined that these exploitations pose an “unacceptable risk” to federal agencies and require “emergency action”.
Using the aggregated query capability that searches across all adapter connections, this query finds any software beginning with “Microsoft Exchange Server”. This may also return language packs, API modules, and other results. Still, it’s a good initial list to start identifying any assets running Microsoft Exchange Server.
Axonius Query Language (AQL): ("specific_data.data.installed_software.name" == regex("^Microsoft Exchange Server", "i"))
If you’re already tracking installed software applications in your Axonius dashboard, you can filter results and sift through all Microsoft Exchange Server software without running a new query.
Finally, if you’ve run a recent vulnerability scan and have connected vulnerability scanners in the Axonius platform, you can search for the new CVEs disclosed for Microsoft Exchange Server.
This query will return results if any of the vulnerabilities are observed by any adapter connected in Axonius.
AQL:
("specific_data.data.software_cves.cve_id" == "CVE-2021-26855") or ("specific_data.data.software_cves.cve_id" == "CVE-2021-26857") or ("specific_data.data.software_cves.cve_id" == "CVE-2021-26858") or ("specific_data.data.software_cves.cve_id" == "CVE-2021-27065")
If you’ve found any active, vulnerable instances of Microsoft Exchange Server, you can also run the below Microsoft scripts to identify any potential indicators of compromise: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log
Apple released security updates to address vulnerabilities in multiple products. Threat actors could exploit these vulnerabilities to take control of an affected system.
The products and versions affected by these vulnerabilities are Safari 14.0.3 (v.14610.4.3.1.7 and 15610.4.3.1.7), macOS Big Sur 11.2.3, watchOS 7.3.2, iOS 14.4.1 and iPadOS 14.4.1. Since they were all discovered at the same time by the same researchers, they all fall under CVE-2021-1844.
If you’ve run a recent vulnerability scan and have connected vulnerability scanners in the Axonius platform, you can search for the CVE associated with the Apple vulnerabilities (CVE-2021-1844).
This query will return results if any of the vulnerabilities have been observed by any adapter connected in Axonius.
AQL:
("specific_data.data.software_cves.cve_id" == "CVE-2021-1844")
Another option is to look for devices on your network that are running the affected versions of the Apple products but aren't covered by a Mac/iOS-specific endpoint management provider like Jamf. Finding these devices may reduce the likelihood of compromise if a vulnerability is present.
AQL: ("specific_data.data.os.os_str" == regex("mac os 11", "i")) and not (("adapters_data.jamf_adapter.id" == ({"$exists":true,"$ne":""})))
These Apple vulnerabilities didn’t just affect operating systems — a certain version of the Safari web browser was also affected. Using Axonius, you can run a query for all devices that have the affected version of Safari installed, then push out patches or notify the users.
Below you can see we’re looking for installed software by software name and specifying the exact version we’re looking for.
AQL: ("specific_data.data.installed_software.name_version" == regex("safari\-14\.0\.3", "i"))
F5 announced several remote code execution vulnerabilities (CVE-2021-22986, CVE-2021-22987) and fixes for both BIG-IP and BIG-IQ, urging customers to update their BIG-IP and BIG-IQ deployments to a fixed version. The flaws could allow attackers to take full control of a vulnerable system.
Axonius currently has adapters that connect directly into F5 BIG-IP and BIG-IQ. If you were running the F5 products mentioned, you could use the Axonius adapter to get direct, real-time information from them.
For example, you could query the F5 adapters to pull all devices connected to BIG-IP and/or BIG-IQ systems that are running the affected versions or earlier. You could also run a query for vulnerable software on devices by software name, version, vendor, or CVE ID.
VMware released a security update to address a remote code execution vulnerability (CVE-2021-21978) in View Planner. A threat actor could exploit this vulnerability to take control of an affected system. Applying the VMware update will help remediate the issue.
To find devices with the affected VMware View Planner using Axonius, either use a complex query that searches specifically for the installed software name and version number, or search by the CVE ID as shown above for the Microsoft Exchange Server and Apple vulnerabilities.
AQL: ("specific_data.data.installed_software" == match([("name" == regex("View Planner", "i")) and ("version" == "4.6")]))
AQL: ("specific_data.data.software_cves.cve_id" == "CVE-2021-21978")
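The three query shapes used in this post (a software-name prefix regex, a list of CVE IDs joined with "or", and a name-plus-version match) can be emulated in a few lines of Python. This is an added illustration over a constructed inventory, not Axonius code or an Axonius API call; the asset records, hostnames and versions are made up. It shows two things the queries alone do not: the name-prefix query also returns a language pack, and joining the Exchange CVE clauses with "and" instead of "or" silently drops an asset that carries only one of the four CVEs.

```python
import re

# Constructed sample inventory shaped like the Axonius fields the post queries
# (installed_software name/version and software_cves). All values are made up.
ASSETS = [
    {"hostname": "exch01",
     "installed_software": [{"name": "Microsoft Exchange Server 2016 Cumulative Update 18", "version": "15.1"}],
     "software_cves": ["CVE-2021-26855", "CVE-2021-27065"]},
    {"hostname": "exch02",
     "installed_software": [{"name": "Microsoft Exchange Server 2019", "version": "15.2"}],
     "software_cves": ["CVE-2021-26858"]},                      # only one of the four CVEs
    {"hostname": "ws17",
     "installed_software": [{"name": "Microsoft Exchange Server Language Pack - English", "version": "15.1"}],
     "software_cves": []},                                      # language pack, not a server
    {"hostname": "mac03",
     "installed_software": [{"name": "Safari", "version": "14.0.3"}],
     "software_cves": ["CVE-2021-1844"]},
]

EXCHANGE_CVES = {"CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"}


def exchange_by_name(assets):
    """Emulates installed_software.name == regex("^Microsoft Exchange Server", "i")."""
    pat = re.compile(r"^Microsoft Exchange Server", re.I)
    return [a["hostname"] for a in assets
            if any(pat.search(s["name"]) for s in a["installed_software"])]


def affected_by_cve_any(assets, cves):
    """Intended CVE query: every clause joined with 'or', i.e. any listed CVE present."""
    return [a["hostname"] for a in assets if cves & set(a["software_cves"])]


def affected_by_cve_misjoined(assets):
    """The Exchange query with 'and' between the last two clauses, read with Python
    precedence: 26855 or 26857 or (26858 and 27065). Under any other grouping the
    final 'and' still requires CVE-2021-27065, so an asset with only 26858 is missed."""
    return [a["hostname"] for a in assets
            if "CVE-2021-26855" in a["software_cves"]
            or "CVE-2021-26857" in a["software_cves"]
            or ("CVE-2021-26858" in a["software_cves"] and "CVE-2021-27065" in a["software_cves"])]


def software_name_version(assets, name_pattern, version):
    """Emulates the match([...]) form: name regex AND exact version on the same entry."""
    pat = re.compile(name_pattern, re.I)
    return [a["hostname"] for a in assets
            if any(pat.search(s["name"]) and s["version"] == version
                   for s in a["installed_software"])]
```

Running the emulation on the sample inventory, the prefix query returns the language-pack host alongside the two servers, and the mis-joined CVE query returns only exch01 while the "or" form returns both Exchange hosts.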
This joint advisory highlights indicators of compromise for vulnerabilities in Accellion FTA and offers mitigation measures. Threat actors have exploited these vulnerabilities to target several federal, state, local, tribal and territorial government agencies, as well as private organizations.
Like the other CVE queries we’ve shown, if you’ve run a recent vulnerability scan and have connected vulnerability scanners in the Axonius platform, you can search for the CVEs disclosed for Accellion FTA.
This query will return results if any of the vulnerabilities have been observed by any adapter connected in Axonius.
AQL: ("specific_data.data.software_cves.cve_id" == "CVE-2021-27101") or ("specific_data.data.software_cves.cve_id" == "CVE-2021-27102") or ("specific_data.data.software_cves.cve_id" == "CVE-2021-27103") or ("specific_data.data.software_cves.cve_id" == "CVE-2021-27104")
This guidance looks at two new resources from CISA to deal with the follow-on activity from the SolarWinds and AD-M365 compromise, which targeted networks of multiple U.S. government agencies, critical infrastructure entities, and private sector organizations:
The Cybersecurity Information (CSI) sheet from NSA and CISA offers guidance on selecting a protective Domain Name System (PDNS) service for defending against cyber threats. It outlines both benefits and risks of using a PDNS service, and how it can help defend against ransomware, phishing, botnet, and malware campaigns by blocking known-malicious domains.
This report analyzes a malicious Hypertext Preprocessor (PHP) webshell that has been used in recent cyberattacks targeting Accellion File Transfer Appliance customers.
This report highlights the cyberthreat to cryptocurrency posed by North Korean state-sponsored hackers known as Lazarus Group. It provides detailed indicators of compromise used to facilitate cryptocurrency theft by using several variants of the AppleJeus malware, along with offering mitigation strategies.
CISA's guidance on remediating Microsoft Exchange Server vulnerabilities details specific steps organizations can take to address these recently discovered vulnerabilities.
The National Security Agency’s guidance on Zero Trust highlights implementation best practices and offers pointers on how this security model can better position organizations to secure their data, systems, and services. Read more on our blog.