Security researchers at Palo Alto Unit 42 and Microsoft have uncovered an unknown threat actor, tracked as DEV-0322, compromising systems using the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539 in a targeted campaign. The threat actor has successfully compromised at least nine global organizations in the energy and defense sectors, among others.
Microsoft Exchange ProxyShell vulnerabilities are once again being exploited by threat actors to conduct ransomware attacks. Recently, researchers at Cisco Talos have observed a campaign of Babuk ransomware targeting victims via vulnerabilities in their Microsoft Exchange servers. The unknown threat actor, who researchers label “Tortilla,” has infected systems worldwide but has predominantly attacked U.S.-based entities. Typically, a Babuk ransomware attack begins with a DLL, or .NET executable loaded on the Exchange server via the ProxyShell vulnerability.
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:
ICS Vulnerability Advisories:
Alerts, Updates, and Bulletins:
The Cybersecurity and Infrastructure Security Agency (CISA) announced a new Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. The intent of the BOD is to address the remediation of vulnerabilities which are being actively exploited by adversaries. CISA has also created a public catalog of pertinent vulnerabilities. The catalog will be updated regularly and members are encouraged to register to receive notification when new vulnerabilities are added.
Researchers at the cybersecurity firm Lookout have observed a notable uptick in mobile phishing attacks over the past year, specifically in the energy sector. Since the second half of last year, “there’s been a 161 [percent] increase in mobile phishing attacks targeting the energy sector,” and the energy sector accounts for around 17 percent of all mobile phishing attacks globally. The possibility of energy providers being compromised, and services rendered non-operational represents a risk across the critical infrastructure community because of cross-sector reliance on power.
There is a juncture where a maturing cybersecurity program will experience an audit, where policies and procedures will be evaluated for accuracy and adherence. While it’s important to compose effective governance documents, Dale Peterson suggests that concurrently developing your cybersecurity audit program has equal benefits. Incorporating audit testing criteria during development should help identify the “must” policies versus the “shall” guidance often found confusingly intertwined in governance documents.
Phishing is one of the most widely used cyber attack techniques and has grown more sophisticated in the form of brand impersonation attacks. While many phishing scams are easy to spot, brand impersonation – through its use of impersonating the likeness of trusted brands – is typically more difficult to detect. Indeed, “brand impersonation emails increased 44% in 2020 vs. 2019. However, it’s not only a significant increase in frequency as much as an increasing level of sophistication,” according to Dirk Jan Koekkoek, VP DMARC at Mimecast.
FBI FLASH: Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware
The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses List.
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published the first of a four-part series, Security Guidance for 5G Cloud Infrastructures.
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
