CISA Releases New Alert on Post-Compromise Threat Activity in Microsoft Cloud Environments and Tools to Help Detect This Activity

Original release date: January 8, 2021

CISA has evidence of post-compromise advanced persistent threat (APT) activity in the cloud environment. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment and using additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. This activity is in addition to what has been previously detailed in AA20-352A.

In response, CISA has released AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments to describe this malicious APT activity and offer guidance on three open-source tools—including a CISA-developed tool, Sparrow, released on December 24. Network defenders can use these tools to help detect and remediate malicious APT actor activity as part of the ongoing supply chain compromise.

CISA strongly encourages users and administrators to review the Activity Alert for additional information and detection countermeasures.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Releases New Alert on Post-Compromise Threat Activity in Microsoft Cloud Environments and Tools to Help Detect This Activity

Original release date: January 8, 2021

CISA has evidence of post-compromise advanced persistent threat (APT) activity in the cloud environment. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment and using additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. This activity is in addition to what has been previously detailed in AA20-352A.

In response, CISA has released AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments to describe this malicious APT activity and offer guidance on three open-source tools—including a CISA-developed tool, Sparrow, released on December 24. Network defenders can use these tools to help detect and remediate malicious APT actor activity as part of the ongoing supply chain compromise.

CISA strongly encourages users and administrators to review the Activity Alert for additional information and detection countermeasures.

This product is provided subject to this Notification and this Privacy & Use policy.

MS-ISAC Releases Cybersecurity Advisory on Zyxel Firewalls and AP Controllers

Original release date: January 8, 2021

The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released an advisory on a vulnerability in Zyxel firewalls and AP controllers. A remote attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review the MS-ISAC Advisory 2021-001 and Zyxel Security Advisory for CVE-2020-29583 and apply the necessary updates and mitigation recommendations.

This product is provided subject to this Notification and this Privacy & Use policy.

MS-ISAC Releases Cybersecurity Advisory on Zyxel Firewalls and AP Controllers

Original release date: January 8, 2021

The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released an advisory on a vulnerability in Zyxel firewalls and AP controllers. A remote attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review the MS-ISAC Advisory 2021-001 and Zyxel Security Advisory for CVE-2020-29583 and apply the necessary updates and mitigation recommendations.

This product is provided subject to this Notification and this Privacy & Use policy.