Cybersecurity

Vulnerability Management – Exploitation of Zero-day Vulnerability in Microsoft MSHTML Leveraging Office Documents

Attention: Given the widespread use of Microsoft Windows and Office applications that potentially use this component, system administrators are encouraged to review the available advisories for CVE-2021-40444 and address impacted systems within their environment accordingly. CISA has posted a current activity report, Microsoft Releases Mitigations and Workarounds for CVE-2021-40444.

CISA ICS Vulnerability Advisories and Alerts, Updates, and Bulletins - September 7, 2021

The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:

ICS Vulnerability Advisories:

Alerts, Updates, and Bulletins:

Cyber Resilience – Insureds, Know Thy Exclusions

The cyber insurance industry has definitely matured in recent years, but it’s far from being all grown-up (aren’t we all). However, a recent observation by critical infrastructure security industry veteran and evangelist Dale Peterson points out some attempted adjustments by insurers in response to increased claims, including raising rates (varying between 11% and 40%) and building in more exclusions. Two notable exclusions noted by Dale, either of which would result in a claims denial, are the presence of vulnerable versions of SolarWinds Orion and of Microsoft Exchange.

Ransomware Want Ads

Cybersecurity firm KELA posted a report based on recent observations of ransomware discussions in dark web forums on what ransomware groups/actors are looking for in the ideal target. According to the report, approximately 40% of listings were created by players in the Ransomware-as-a-Service (RaaS) space. Here’s the quick list of desirables that some ransomware operators are willing to pay on average up to $100,000 for valuable initial access services:

CISA Insights on Risk Considerations for Managed Service Provider Customers

The Cybersecurity and Infrastructure Security Agency (CISA) released a new Insights publication, Risk Considerations for Managed Service Provider Customers, which provides a framework that government and private sector organizations (including small and medium-sized businesses) outsourcing some level of IT support to managed service providers (MSPs) can use to better mitigate third-party risk. As CISA notes, IT managed services can provide cost benefits and operational efficiencies to many organizations. However, managing these services can be complex, costly, and time-consuming.

Security Awareness – Cybercrime Recruiting for BEC Accomplices

Although ransomware incidents persistently make international headlines, Business Email Compromise (BEC) is still a global menace and may become more difficult to detect. In 2020, BEC cost U.S. businesses $1.8 billion and represented 43 percent of all cybercrime losses for the year. Researchers at the cybersecurity firm Intel 471 recently observed actors on multiple cybercrime forums seeking partnerships with other criminals to engage in BEC attacks.

Vulnerability Management – Exchange Servers are Finicky to Patch, but Shouldn’t be Overlooked

No one plans on compounding deferred patches, but when error messages are confounding, we often move on to seemingly more immediate (and less frustrating) fires. This initial patch deferment often lasts months, or even years, until the device is either compromised or replaced (often due to end-of-life). For instance, several events this year have highlighted the significant vulnerabilities affecting unpatched Microsoft Exchange Servers and the subsequent risk they present to the system or to an entire network.