A fake website called freevaccinecovax.org, which claimed to be an official company developing a COVID-19 vaccine, has been seized by the US attorney’s office in Maryland.

The fake website, which used trademarked logos for Pfizer and the World Health Organization (WHO), was used to collect personal information from victims for fraudulent purposes, including phishing attacks and attempts to deploy malware.

The UK has seen similar scams using the pandemic as a lure to trick people in to providing personal information, including bank details.

The NCSC has guidance on how to spot the most obvious signs of a scam, and what to do if you’ve already responded.


Multiple Vulnerabilities Affecting the Exim Mail Server

The NCSC is aware of multiple vulnerabilities affecting the Exim mail server. The vulnerabilities were responsibly disclosed to the vendor by the Qualys Research Team. Successful exploitation of these vulnerabilities could allow a remote attacker to gain full root privileges on the target server and execute commands to install programs, modify data, and create new accounts.

The NCSC recommends following vendor best practice advice in the mitigation of vulnerabilities. In this case, the most important aspect is to install the latest update as soon as practicable. The latest version of Exim addresses these vulnerabilities, and more information can be found on the Exim website.

Qualys have also published a report on the vulnerabilities, called 21Nails.


Updated advice on Pulse Connect Secure RCE Vulnerability

In April, the NCSC published advice on Pulse Connect Secure RCE vulnerabilities.

The vendor has now provided a solution to address the PCS vulnerabilities CVE-2021-22893, CVE-2021-22894, CVE-2021-22899 and CVE-2021-22900. The solution is to upgrade the Pulse Connect Secure server software version to 9.1R.11.4.

The NCSC strongly advises UK organisations to install the upgrade as soon as is practicable, in line with vendor guidance. This should now replace the workaround recommended previously. The vendor also advises removing this temporary mitigation and outlines how to do this.

Pulse Secure previously published a workaround as a temporary measure. The upgraded release on 3 May 2021 now replaces this.


Ransomware Task Force publishes framework to tackle ransomware threat

Last week, the US-led Ransomware Task Force (RTF) published a new report setting out a framework of actions to help the international community tackle the threat from ransomware.

The report, which the NCSC contributed to, highlights the global nature of the threat and states that ransomware should be designated a national security risk with the potential to impact on public safety.

The recommendations in the framework aim to help policy makers and industry leaders deter and disrupt ransomware actors while ensuring organisations are equipped to prepare and respond if incidents do occur.

The NCSC has previously warned about the evolving threat from ransomware and published guidance on mitigating malware and ransomware which sets out actions organisations can take to secure their networks.


Further TTPs associated with SVR cyber actors

The NCSC, alongside the US Department for Homeland Security’s Cybersecurity Infrastructure Security Agency (CISA), FBI and the National Security Agency (NSA), has today published a report to provide further details of Tactics, Techniques and Procedures (TTPs) associated with SVR cyber actors. SVR cyber actors are known and tracked in open source as APT29, Cozy Bear, and The Dukes.

This advisory follows the public attribution of the SVR to the SolarWinds compromise in 2020.

Organisations are advised to follow the mitigation advice and guidance outlined, as well as the detection rules in the appendix in order to help protect against this activity. A recently published joint NSA, CISA, FBI advisory and joint FBI , DHS, CISA alert, also detail further TTPs linked to SVR cyber actors.