NCSC Weekly Threat Report 14th May 2021


1.Colonial Pipeline hackers didn’t intend to cause problems
2.Microsoft May 2021 security updates
3.Over 25,000 servers in the UK still running vulnerable Exim versions
4.Active Cyber Defence takes down 1.5 million malicious cyber scams

Colonial Pipeline hackers didn’t intend to cause problems

Earlier this week a cyber criminal group, known as DarkSide, apologised for causing disruption for taking a US fuel pipeline, which supplies almost half of the East Coast of the US with diesel, petrol and jet fuel, offline.

It’s believed that the hackers could have gained access to the Colonial Pipeline’s IT network weeks before launching the ransomware attack. The criminals had obtained access to around 100GB of host data and threatened to leak it online unless a ransom was paid. Operations have since resumed after five days offline.

The NCSC has seen a trend to more targeted ransomware attacks and has published guidance on how organisations can defend themselves against malware or ransomware attacks.

Microsoft May 2021 security updates

Microsoft has released the May 2021 security update. A number of security issues are addressed, including security updates for Microsoft Exchange, SharePoint and a potentially wormable remote code execution vulnerability affecting the Microsoft HTTP stack (Microsoft recommends prioritising the updating of affected servers).

The NCSC recommends following vendor best practice advice in the mitigation of vulnerabilities. In this case, the most important aspect is to install the latest updates as soon as practicable and, where possible, ensure Windows automatic update is enabled.

More information can be found on the Microsoft website at

Over 25,000 servers in the UK still running vulnerable Exim versions

The NCSC is advising UK organisations using the Exim mail transfer agent to ensure that the necessary security update is installed as soon as possible. This follows Qualys’ discovery of multiple vulnerabilities in Exim.

Analysis shows that over 25,000 servers in the UK are running versions vulnerable to exploitation.

Some are critical and could allow for remote code execution (RCE). This group of vulnerabilities is sometimes publicly called ’21 Nails’ which is a reference to the number that Qualys publicly identified in early May 2021. More details about these vulnerabilities can be found in a Qualys security advisory.

To mitigate, the NCSC strongly advises organisations to update to the latest version of Exim as soon as is practicable because updating to version 4.94.2 (or later) addresses these vulnerabilities. This will prevent actors exploiting the above vulnerabilities identified by Qualys.

The latest version of Exim and additional information on obtaining Exim are available here:

NCSC guidance on patching and other information about keeping devices up to date is available on the NCSC website.

Active Cyber Defence takes down 1.5 million malicious cyber scams

The NCSC’s fourth annual Active Cyber Defence (ACD) report details how the NCSC has helped to take down numerous malicious URLs and thousands of phishing campaigns.

The service has received over four million emails and has helped identify more than 1.5 million malicious URLs which has led to the takedown of thousands of scams that hadn’t previously been identified.

Read the full report on the ACD programme’s activity during 2020.

NCSC © Crown Copyright 2021

Leave a Reply

scroll to top