Cybersecurity

Russian-backed Nobelium Targets Hundreds of IT Service Providers in Latest Campaign

Microsoft has shared details on the latest campaign conducted by the Russian-backed threat actor NOBELIUM. It notes that since May 2021, NOBELIUM has targeted hundreds of cloud service providers (CSPs), managed service providers (MSPs), and other IT services organizations to exploit the administrative or privileged access provided to these companies by their downstream customers.

Discourse’s Remote Code Execution (RCE) Vulnerability Should be Patched Immediately

A critical Discourse remote code execution (RCE) vulnerability, tracked as CVE-2021-41163, was remedied after the developer released a security update last week. The vulnerability can be exploited in Discourse versions 2.7.8 and earlier, and thus users are urged to update to patched versions 2.7.9 or later. Discourse is an open-source platform for community discussion. In unpatched versions of Discourse, maliciously crafted requests can lead to remote code execution because of a lack of validation in “subscribe_url” values.

FBI FLASH: Indicators of Compromise Associated with the Ranzy Locker Ransomware

The FBI has published a TLP:WHITE FLASH providing indicators of compromise associated with the Ranzy Locker ransomware. The FLASH indicates that Ranzy Locker ransomware, which was first detected in late 2020, has targeted more than 30 U.S. organizations, including critical infrastructure entities. Past incidents indicate the threat actors conducted brute force attacks targeting Remote Desktop Protocol (RDP) credentials to gain access to the victims’ networks. The actors also utilized Microsoft Exchange Server vulnerabilities and phishing to compromise a victim’s network.

(Updated October 21, 2021) Insider Threat – Former Employee Indicted for Unauthorized Computer Access with Intent to Harm a Kansas Public Water District

Update - October 21, 2021

More details have been revealed about the former employee of the Post Rock Rural Water District (a.k.a. Ellsworth County Rural Water District No. 1) in Kansas who was indicted for unauthorized computer access with intent to harm, including an updated plea of guilty.

Microsoft Releases Two New Defensive Tools for Microsoft 365

Microsoft’s 365 software package is one of the most widely used products in the world but also one of the most targeted vectors where data breaches and cyberattacks occur. To protect data privacy and guard against data breaches, Microsoft released a Privacy Management tool. The privacy package continuously locates where personal data is stored on an enterprise network, maps it, and provides an aggregated view of an entity’s privacy posture.

Cybersecurity and the Supply Chain

Although most people are aware of the major SolarWinds attack that compromised many organizations through its supply chain, lower-scale, less sophisticated supply chains are also increasingly being exploited, specifically in the developer or mobile environments. Indeed, many entities are being compromised not because of poor enterprise security, but because of unsecured connections in their supply chains.

Security Awareness – Phishing Campaign Leverages DocuSign to Fool Low-Ranking Employees

Amidst increasing awareness of phishing attacks, one phishing campaign is using the DocuSign software to target lower-ranking employees and trick them into providing login credentials to scammers. In this campaign, victims receive an email impersonating someone in their organization asking them to “sign” a document by clicking on the attachment and entering their credentials. These emails are created to appear legitimate, but real DocuSign emails never ask users to enter a password, instead asking them to enter an authentication code emailed to them separately.

Security Awareness – Vishing Campaign Impersonates Microsoft in Attempt to Gain Remote Access

As if phishing emails weren’t enough, a new vishing campaign involves threat actors posing as Microsoft employees to trick victims into granting remote access to their devices. Vishing is a variation of phishing where the attackers speak with a victim over the phone. This vishing campaign was identified by the security firm Armorblox.
