
CISA Issues Warning to Patch Your Systems Against State-Sponsored Cyber Threats

A joint Cybersecurity Advisory (CSA) was issued by CISA, the FBI, and the NSA to warn organizations of threats posed by Russian state-sponsored cyber attack operations. The CSA is part of the organization’s mission to warn organizations and help the community reduce the risk posed by these threats. In addition, the advisory lists several CVEs for prioritized mitigation to increase organizational resiliency and reduce the risk of network compromise and business infrastructure degradation.

Of the 16 noted CVEs, only 4 were published within the last year, and several date back to 2018 and 2019. Surprisingly, this is a rather “new” set of vulnerabilities compared to previous CSAs. Although these are newer vulnerabilities than before, many organizations without strong automation and patch management solutions will find themselves unable to patch even years-old vulnerabilities, much less reach the critical 24/72 threshold for patching zero-day vulnerabilities (24-hour response) and critical vulnerabilities (72-hour response).

CISA Recommends Best Practices for Vulnerability Management

In its cybersecurity advisory, CISA provides some best practices to consider for patching and protecting corporate systems from a potential breach. Here’s a quick breakdown of those recommendations and what you can do to address them with an automated endpoint management platform like Automox:

  • Be prepared
    Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
  • Enhance your organization’s cyber posture
    Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
  • Increase organizational vigilance
    Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.
  • Keep systems and products updated and patched as soon as possible after patches are released
    Automation is the only way to address the number of vulnerabilities patched each month. Most organizations take 102 days to patch systems, but with Automox you can confidently patch on day-0 of patch release, keeping your organization protected. Automation can ensure the next time the NSA releases a cybersecurity advisory like this you are already up to date and patched.

CISA also has a list of direct recommendations for vulnerability and configuration management:

  • Update software
    Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
  • Use industry recommended antivirus programs
    Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures.
  • Implement rigorous configuration management programs
    Ensure the programs can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses.
  • Disable all unnecessary ports and protocols
    Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
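The ordering in the "Update software" recommendation can be expressed as a sort key over scanner findings. The following is an added example, not code from CISA or Automox; the `Finding` fields, host names, impact labels and `CVE-0000-*` identifiers are constructed for illustration, and the CVSS cutoff of 7.0 is the standard lower bound for "high".

```python
from dataclasses import dataclass

# CVEs this page lists from the advisory (the advisory itself names 16).
CSA_CVES = {"CVE-2021-26855", "CVE-2019-10149", "CVE-2021-26857",
            "CVE-2021-26858", "CVE-2021-27065"}

@dataclass(frozen=True)
class Finding:                      # hypothetical record shape for one scanner finding
    host: str
    cve: str
    cvss: float
    impact: str                     # "rce", "dos" or "other" (constructed labels)
    internet_facing: bool
    known_exploited: bool = False   # assumed to come from a known-exploited feed

def tier(f: Finding) -> int:
    """Lower tier = patch sooner, following the order of the recommendation."""
    if f.cve in CSA_CVES:
        return 0                    # known exploited AND named in this CSA
    if f.known_exploited:
        return 1                    # other known exploited vulnerabilities
    if f.cvss >= 7.0 and f.impact in ("rce", "dos") and f.internet_facing:
        return 2                    # critical/high RCE or DoS on internet-facing assets
    return 3                        # everything else

def prioritize(findings):
    # Within a tier, higher CVSS first; host name keeps the order deterministic.
    return sorted(findings, key=lambda f: (tier(f), -f.cvss, f.host))

# Constructed sample inventory (CVE-0000-* are placeholders, not real CVEs).
FINDINGS = [
    Finding("web02", "CVE-0000-0003", 5.3, "other", True),
    Finding("vpn01", "CVE-0000-0002", 8.1, "rce", True),
    Finding("db01", "CVE-0000-0001", 9.1, "rce", False),
    Finding("mail01", "CVE-2021-26857", 7.8, "rce", True),
    Finding("mail01", "CVE-2021-26855", 9.8, "rce", True),
    Finding("app03", "CVE-0000-0004", 6.5, "other", False, known_exploited=True),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(tier(f), f.host, f.cve, f.cvss)
```

Note that the 6.5-scored finding on `app03` sorts ahead of the 9.1 on `db01`: exploitation status outranks raw CVSS in this ordering.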

You can read more about patch management best practices for modern workforces in a previous blog.

Vulnerabilities You Can Patch Now in Automox

Using Automox, you can immediately patch the Windows OS vulnerabilities highlighted in the NSA brief. These include:

CVE-2021-26855

  • Found in Windows Exchange Server 2016 and 2019
    CVSS: 9.8 - Critical

CVE-2021-26855 is a remote code execution vulnerability that exists in Microsoft Exchange. The vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file.

CVE-2019-10149

  • Found in Exim Simple Mail Transfer Protocol versions 4.87 to 4.91
    CVSS: 9.8 - Critical

CVE-2019-10149 is an improper validation of the recipient address in the deliver_message() function in /src/deliver.c that may lead to remote command execution.
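To check an inventory against the 4.87 to 4.91 range stated above, compare the version numerically rather than as a string. This is an added example, not Automox or Exim project code; the banner strings are constructed samples in the format printed by `exim -bV` and by Exim's SMTP greeting.

```python
import re

# Affected range as stated on this page: Exim 4.87 to 4.91, inclusive.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# Matches "Exim version 4.90_1 #2 built ..." (exim -bV) and
# "220 host ESMTP Exim 4.89 ..." (SMTP greeting).
_VERSION_RE = re.compile(r"Exim(?: version)? (\d+)\.(\d+)")

def parse_exim_version(banner: str):
    """Return (major, minor) as integers, or None if no version is present."""
    m = _VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def in_affected_range(banner: str):
    """True/False for a parsed version; None when the banner is unparseable."""
    version = parse_exim_version(banner)
    if version is None:
        return None
    # Tuple comparison avoids the string trap where "4.9" sorts after "4.87".
    return AFFECTED_MIN <= version <= AFFECTED_MAX

# Constructed sample banners keyed by hypothetical host name.
SAMPLES = {
    "mx1": "Exim version 4.90_1 #2 built 01-Jan-2019 00:00:00",
    "mx2": "220 mx2.example.org ESMTP Exim 4.92.3 Mon, 01 Jan 2020 00:00:00 +0000",
    "mx3": "Exim version 4.9 #1 built 01-Jan-2010 00:00:00",
    "mx4": "220 mx4.example.org ESMTP Postfix",
}

def audit(banners):
    """Map each host to True (in range), False (out of range) or None (unknown)."""
    return {host: in_affected_range(b) for host, b in banners.items()}

if __name__ == "__main__":
    for host, status in audit(SAMPLES).items():
        print(host, status)
```

A match means the upstream version falls in the stated range; distributions sometimes backport fixes without changing that number, so confirm against the package changelog before treating a host as unpatched.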

CVE-2021-26857

  • Found in Windows Exchange Server 2010, 2013, 2016 and 2019
    CVSS: 7.8 - High

CVE-2021-26857 is a remote code execution vulnerability that exists in Microsoft Exchange. This CVE ID is unique from CVE-2019-0685 and CVE-2019-0859. Like CVE-2021-26855, the vulnerability is part of an attack chain.

CVE-2021-26858

  • Found in Windows Exchange Server 2013, 2016 and 2019
    CVSS: 7.8 - High

CVE-2021-26858 is a remote code execution vulnerability that exists in Microsoft Exchange. This CVE ID is unique from CVE-2019-0685 and CVE-2019-0859. Like CVE-2021-26855, the vulnerability is part of an attack chain.

CVE-2021-27065

  • Found in Windows Exchange Server 2013, 2016 and 2019
    CVSS: 7.8 - High

CVE-2021-27065 is a remote code execution vulnerability that exists in Microsoft Exchange. This CVE ID is unique from CVE-2019-0685 and CVE-2019-0859. Like CVE-2021-26855, the vulnerability is part of an attack chain.

To check whether known vulnerabilities exist on your systems and whether they are patched, refer to this support documentation for more information. And if you have any additional questions, please feel free to contact our technical support team.
