Although a patch has been available by VMware since May 25, 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and Cyber Command this week urged users of VMware to update and apply a fix to software that is used to manage virtual machines in data centers.

The warning states, “Please patch immediately!” It is reported that hackers have already been leveraging the flaw, which allows them to remotely execute code and infiltrate environments running VMware’s server management software. The flaws are in VMware vCenter Server and VMware Cloud Foundation products.

Users and administrators of these VMware products are encouraged to “review VMware’s VMSA-2021-010, blogpost, and FAQs for more information about the vulnerability and apply the necessary updates as soon as possible, even if out-of-cycle work is required. If an organization cannot immediately apply the updates, then apply the workarounds in the interim.”

These urgent warnings from both VMware and CISA merit consideration and prompt attention.

The FBI recently issued a Flash Alert to Fortinet Fortigate users that Advanced Persistent Threat (APT) groups are continuing to exploit devices that have not been patched. Although Fortinet issued patches for these vulnerabilities in 2018, 2019, and 2020, many organizations have not applied the patches.

The exploitations are random,  not against specific industries or sectors, and seem to be focused on just targeting unpatched devices. According to a Joint CISA and FBI alert issued in April 2021, the vulnerabilities could be used by threat actors to exfiltrate data, encrypt data, and stage for additional attacks.

Not patching vulnerabilities in software that is actively being used by your organization is giving threat actors easy access to valuable data, akin to not locking your door and allowing a burglar to enter and steal all your valuables. These are not new vulnerabilities nor are they new patches. Check with your IT professionals to confirm that these patches have been applied.

Colonial Pipeline, a company that transports more than 100 million gallons of gasoline and other fuel daily across 14 states from Houston to New York Harbor, shut down the pipeline last Friday after discovering ransomware on its computer systems.  The FBI has blamed the attack on a ransomware group called DarkSide.

The hack reportedly began last Thursday when hackers stole about 100 gigabytes of data as part of a double extortion scheme.  After stealing the data, the hackers then locked Colonial’s computers. Darkside threatened to publish the stolen data online and to keep the computers locked unless Colonial paid an unknown ransom amount.

Colonial Pipeline notified the FBI of the attack on Friday morning and is cooperating with the investigation. The FBI also brought into the investigation the Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies that regulate energy and infrastructure.  The FBI and other government agencies are still awaiting access to the company’s security protocols to determine how hackers pulled off the crippling ransomware attack.

U.S. critical infrastructure has been the target of an increasing number of cyberattacks. Earlier this year, an unknown hacker breached the access controls at the Oldsmar, Florida, water treatment plant, in an attempt to poison the city’s water supply with lye. In 2020, an unnamed natural gas compressor facility was shut down for two days due to a cyberattack.  Several natural gas pipeline operators had service interruptions in 2018, when a technology vendor that facilitated electronic communications between the operators was hacked.

Many members of Congress and the Biden Administration agree that making cybersecurity improvements is essential for the nation’s critical infrastructure, including our electric grid, local energy and utility companies, water treatment plants, and wastewater facilities. All of these operators face significant challenges to make such improvements, including sufficient funding, staffing and training.  In addition, even though the federal government adopted cybersecurity requirements for certain infrastructure operators, funding shortages can result in very little oversight and inspection to make sure operators are complying with the requirements. Some states, like Connecticut, have adopted requirements for certain infrastructure as well as provided funding to make sure operators in the state are complying.

In addition, it is recognized that our cybersecurity standards need updating.  The Biden Administration has proposed significant funding for the National Institute of Standards and Technology (NIST) to work with industry, science, and government to evaluate and improve the standards for our critical infrastructure.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) recently released a free tool that will assist organizations with identifying indicators of compromise following threat activity in Microsoft 365 and Azure Environments.

The new CISA Hunt and Incident Response Program (CHIRP) tool, “is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs)”  associated with the activity CISA had earlier highlighted in  previous Alerts outlining the Sparrow program.

Like the Sparrow program before it, CHIRP is designed to identify IOCs within an on-premises environment and scans only Windows operating systems. To avail yourself of the free tool, you can obtain it by accessing CISA’s GitHub repository.  It is available in either a compiled executable or a python script.

In this episode of the podcast (#204) we’re joined by Josh Corman of CISA, the Cybersecurity and Infrastructure Security Agency, to talk about how that agency is working to secure the healthcare sector, in particular vaccine supply chains that have come under attack by nations like Russia, China and North Korea.


Incidents like the Solar Winds hack have focused our attention on the threat posed by nation states like Russia and China, as they look to steal sensitive government and private sector secrets. But in the vital healthcare sector, nation state actors are just one among many threats to the safety and security of networks, data, employees and patients.

Joshua Corman is the Chief Strategist for Healthcare and COVID on the CISA COVID Task Force.
Joshua Corman is the Chief Strategist for Healthcare and COVID on the CISA COVID Task Force.

In recent years, China has made a habit of targeting large health insurers and healthcare providers as it seeks to build what some have described as a “data lake” of U.S. residents that it can mine for intelligence. Criminal ransomware groups have released their malicious wares on the networks of hospitals, crippling their ability to deliver vital services to patients and – more recently – nation state actors like North Korea, China and Russia have gone phishing – with a “ph” – for information on cutting edge vaccine research related to COVID 19.

How is the U.S. government responding to this array of threats? In this episode of the podcast, we’re bringing you an exclusive interview with Josh Corman, the Chief Strategist for Healthcare and COVID for the COVID Task Force at CISA, Cybersecurity and Infrastructure Security Agency.

Cryptocurrency Exchanges, Students Targets of North Korea Hackers

In this interview, Josh and I talk about the scramble within CISA to secure a global vaccine supply chain in the midst of a global pandemic. Among other things, Josh talks about the work CISA has done in the last year to identify and shore up the cyber security of vital vaccine supply chain partners – from small biotech firms that produce discrete but vital components needed to produce vaccines to dry ice manufacturers whose product is needed to transport and store vaccines.

Episode 194: What Happened To All The Election Hacks?

To start off I asked Josh to talk about CISA’s unique role in securing vaccines and how the Federal Government’s newest agency works with other stake holders from the FBI to the FDA to address widespread cyber threats.



As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloudStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted. 

On the heels of the concerning security incident experienced by FireEye [view related post], during the investigation of its own incident, FireEye discovered that multiple updates issued by SolarWinds, a cybersecurity firm that many governmental and private companies use to monitor networks, were “trojanized” and malware was inserted into the updates between March and May of 2020.

The malware allowed Russian operatives to hack into several governmental agencies, including the Departments of Homeland Security (DHS), State, National Institutes of Health, Commerce (National Telecommunications and Information Administration Office) and Treasury. In addition, it is reported that the Departments of Justice and Defense also were customers of SolarWinds. The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all government agencies to disconnect and stop using SolarWinds.

This compromising situation is obviously concerning for national security, particularly when CISA’s Director Christopher Krebs was recently summarily dismissed and many other top leaders of the organization have departed when we most need strong leadership from the federal agency in charge of cybersecurity.

Unfortunately, the bad news doesn’t stop there. SolarWinds reported to the Securities and Exchange Commission this week that it believes that approximately 18,000 of its private company customers also could be affected by the malware.

Security experts are warning all private companies  to follow the CISA emergency directive to federal agencies and to disconnect and stop using SolarWinds until the details can be sorted out. Sound guidance for companies that use SolarWinds to mitigate risk until more information is available. It is important that executives and IT personnel be in close contact about whether the company uses SolarWinds and heed the CISA emergency directive to disconnect while the effects of the compromise are being determined.

The Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) this week issued Alert (AA20-301A) titled North Korean Advanced Persistent Threat Focus: Kimsuky warning U.S. businesses, and particularly those in the commercial sector, about tactics used by North Korean advanced persistent threat (APT) group Kimusky. https://us-cert.cisa.gov/ncas/alerts/aa20-301a

The Alert, co-authored by the Federal Bureau of Investigation (FBI) and the U.S. Cyber Command Cyber National Mission Force, “describes the tactics, techniques and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government.”

The key findings of the government on Kimsuky’s activities include:

  • The Kimsuky APT group has most likely been operating since 2012.
  • Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.
  • Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.
  • Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.
  • Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
  • Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
  • Kimsuky specifically targets:
    • Individuals identified as experts in various fields,
    • Think tanks, and
    • South Korean government entities.
  • CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.

The methods used by Kimsuky include social engineering and spearphishing, which are outlined in the Alert and are worth reviewing. After obtaining access, Kimsuky uses BabyShark Malware, PowerShell or the Windows Command Shell to execute the malware.

The Alert lists the indicators of compromise, including domains that have been used by Kimsuky, which IT professionals may wish to consult.