At a glance.
- Updates on the SVR's cyberespionage campaign.
- NIST's draft IoT guidelines.
- CMMC updates (with some additional urgency driven by the SolarWinds incident).
Russian intelligence infiltrates nuclear, energy agencies.
A US Energy Department representative said Cozy Bear’s foray through SolarWinds’ backdoor into the National Nuclear Security Administration (NNSA) was confined to “business networks” as far as investigators know, and did not touch mission-critical systems, according to Politico. The NNSA oversees the country’s nuclear arsenal and receives a very large share of Energy’s budget. Nuclear weapons research facilities in two states were hit, along with the NNSA Office of Secure Transportation, the body responsible for ferrying materials like enriched uranium.
The Federal Energy Regulatory Commission (FERC) also found “evidence of highly malicious activity.” CISA apparently told FERC it didn’t have resources to spare, so the Department of Energy is stepping up to the plate. An official said compromised software has been removed, but as we’ve seen, the APT swiftly dug further footholds. Politico speculates the FERC attack could lay the groundwork for an electric grid assault, since the agency maintains information “that could be used to identify the most disruptive locations for future attacks.” The total scope of the breaches may not be evident for some time.
Third-party risk, and counting the costs of the Sunburst compromise.
It turns out that what we’ve come to call the SolarWinds compromise isn’t confined to SolarWinds. CISA advises that it has evidence, still under investigation, of other access vectors the threat actors used. It’s a very serious problem whose extent is still being determined. CISA says the hostile campaign poses a “grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.” CISA offers four major takeaways:
- First, “this is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.”
- Second, “the SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.”
- Third, “not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.”
- And fourth, “organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.”
NSA has also weighed in. The US National Security Agency yesterday released a Cybersecurity Advisory, “Detecting Abuse of Authentication Mechanisms.” NSA explains two tactics the attackers used to compromise US Government networks.
One was SAML forgery: on-premises components of a federated single-sign-on infrastructure were compromised to steal the credential or private key used to sign Security Assertion Markup Language (SAML) tokens. Trusted authentication tokens were then forged to gain access to cloud resources. A variation of this approach involved obtaining admin privileges in the cloud sufficient to permit the attackers to add a malicious certificate trust relationship that would in turn enable SAML token forging.
In the second tactic, “the actors leverage a compromised global administrator account to assign credentials to cloud application service principals.” They’re then able to invoke the application’s credentials to gain automated access to such cloud resources as email. NSA advises “locking down SSO configuration and service principal usage.”
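Both tactics leave traces a defender can look for: a SAML token the cloud tenant accepted but the on-premises identity provider never issued (or one with a lifetime far beyond the tenant's norm), and a credential added to a cloud service principal by an account that is not an approved issuer. The following is an added illustration, not code from NSA's advisory or the original article; the event records and field names are constructed for the example and would be mapped from your own IdP and tenant audit logs.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data).
IDP_ISSUED = [  # on-premises federation server: tokens it actually minted
    {"token_id": "t-100", "user": "alice@corp.example",
     "not_before": "2020-12-17T09:00:00", "not_after": "2020-12-17T10:00:00"},
    {"token_id": "t-101", "user": "bob@corp.example",
     "not_before": "2020-12-17T09:05:00", "not_after": "2020-12-17T10:05:00"},
]
CLOUD_SIGNINS = [  # cloud tenant: SAML tokens it accepted at sign-in
    {"token_id": "t-100", "user": "alice@corp.example",
     "not_before": "2020-12-17T09:00:00", "not_after": "2020-12-17T10:00:00"},
    # never issued on-prem and valid for a week: a forged-token signature
    {"token_id": "t-999", "user": "admin@corp.example",
     "not_before": "2020-12-17T09:10:00", "not_after": "2020-12-24T09:10:00"},
]
MAX_LIFETIME = timedelta(hours=1)  # assumed tenant baseline for SAML token validity

def parse(ts):
    return datetime.fromisoformat(ts)

def suspicious_saml_tokens(idp_events, cloud_events, max_lifetime=MAX_LIFETIME):
    """Correlate tokens the cloud accepted with tokens the on-prem IdP issued."""
    issued = {e["token_id"] for e in idp_events}
    findings = []
    for e in cloud_events:
        reasons = []
        if e["token_id"] not in issued:
            reasons.append("no matching on-prem issuance")
        if parse(e["not_after"]) - parse(e["not_before"]) > max_lifetime:
            reasons.append("lifetime exceeds tenant baseline")
        if reasons:
            findings.append((e["token_id"], e["user"], reasons))
    return findings

SP_AUDIT = [  # tenant directory audit: credentials added to service principals
    {"actor": "svc-automation@corp.example", "target_sp": "mail-archiver", "key_id": "k-1"},
    {"actor": "globaladmin@corp.example", "target_sp": "mail-archiver", "key_id": "k-2"},
]
APPROVED_CREDENTIAL_ISSUERS = {"svc-automation@corp.example"}  # assumed allowlist

def unapproved_sp_credentials(audit, approved=APPROVED_CREDENTIAL_ISSUERS):
    """Flag service principal credentials added by anyone outside the allowlist."""
    return [(e["target_sp"], e["key_id"], e["actor"])
            for e in audit if e["actor"] not in approved]

if __name__ == "__main__":
    print(suspicious_saml_tokens(IDP_ISSUED, CLOUD_SIGNINS))
    print(unapproved_sp_credentials(SP_AUDIT))
```

The SAML check assumes the IdP's token identifiers are logged on both sides; where they are not, correlating by user and issuance time against the IdP's own logon events is the fallback.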
Lamar Bailey, senior director of security research at Tripwire, offered some explanation of NSA's Advisory:
“Organizations need to extend the same security best practices used for on-premises assets to cloud assets. All too often we see organizations that assume the cloud provider is taking care of security, and in many instances that is not the case. Checking assets and services for vulnerabilities is still required. And while many times the provider is hosting the service or asset, the customer may still need to initiate an upgrade from a marketplace to get the new version with security fixes. Access and Change Control along with File Integrity Monitoring are also extremely important. Compromised accounts and unsecured storage account for a large portion of the cloud data breaches. Even though the assets or services are not in the physical data center, they need to be protected with the same controls; the tools may look different, but the security controls are the same.”
We've heard from some other industry experts on the incident. Ekaterina Khrustaleva, COO at ImmuniWeb wrote about the need for a new awareness of software supply chain integrity:
"'SolarWinds-gate' illustrates the emerging trend of sophisticated supply chain attacks. Very few, if any, organizations ever cared to verify an update's integrity till today. The question is how many other software products from different vendors were silently compromised without triggering an alert so far? How many vendors were breached and backdoored to release a malicious update upon a signal from organized crime or a nation-state cybercrime actor?
"Most organizations narrow down their Third Party Risk Management program to questionnaires with boilerplate questions about obsolete, irrelevant or one-size-fits-all security controls. Such an approach may be because of budgetary restraints; however, an organization should at least tailor risk and threat assessments for their trusted third parties, such as IT and cybersecurity vendors. Furthermore, an independent risk assessment of a vendor’s attack surface and Dark Web exposure should complement the questionnaires at least on an annual basis."
Mark Carrigan, COO at PAS Global, sees one part of the challenge as a lack of visibility. "Given the massive global scale of installations, the stakes are high with the SolarWinds hack. Many of these installations are across highly-sensitive industrial operations where network visibility is traditionally weaker. In fact, just today the ESCC, whose members include some of the largest U.S. power utility companies, gathered to discuss the emerging threat and how to respond."
And for those concerned about doing what they can to minimize risk in the near term, Chris Hickman, chief security officer at digital identity security vendor Keyfactor offers us some perspective on code signing:
"Code signing is one component of the SolarWinds breach, but not because of a stolen certificate. Attackers were able to inject malware into the build process, which is difficult to detect. They were able to compromise certificates, allowing them to fabricate fake tokens for network access, traversing that to cloud access and subsequently managing network access and user permissions.
"This attack was highly sophisticated, and the overarching theme here is not SolarWinds or FireEye. This is endemic of many organizations' broad inability to track certificates within the business, know how those certificates are used, and how to manage them effectively when something might be wrong. This kind of breach can happen to anyone and highlights the importance of certificate lifecycle management and having the processes and technology in place for visibility and certificate management."
He also shared some advice. "Here are some best practices to mitigate misuse of keys and certificates:
- "Never store code-signing keys on developer workstations, web servers or build servers. Private keys should be kept in a FIPS 140-2 validated HSM.
- "Segregate duties between who is authorized to sign code, who can approve the request, and who can monitor and enforce compliance with signing policies.
- "Maintain an active inventory of all certificates, where they are installed, who they were issued from, and who owns them (and your domains).
- "Control certificate issuance and approval workflows to ensure that every certificate is trusted, compliant with policy, and up-to-date.
- "Test your certificate re-issuance and revocation capabilities to ensure you can respond effectively to a compromise."
NIST drafts IoT guidelines.
As directed by the US IoT Cybersecurity Improvement Act, the National Institute of Standards and Technology has published for public critique provisional rules governing Federal agency devices. One of the five complementary documents released helps departments think through what they need from equipment and vendors to mitigate organizational risk. Supporting documents flesh out previous recommendations, detailing manufacturer guidelines, customer requirements, and processes for evaluating compliance with various sets of rules.
CMMC update.
The Pentagon announced that it’s considering the US Navy, Air Force, and Missile Defense Agency, among other contenders, for lower-level Cybersecurity Maturity Model Certification rollout contracts next year. The rollout period will span 2021 to 2025. Winners must attain certification in advance, but their subcontractors will have an additional grace period.
Nextgov says the SolarWinds event accentuates the urgency of supply chain security. In past justifications for the CMMC initiative, Defense representatives worried over Beijing spying, marking examples like China’s F-35 copycat.