Cyberespionage and supply chain compromise. NIST's draft IoT security guidelines. CMMC updates.

By the CyberWire staff

At a glance.

Updates on the SVR's cyberespionage campaign.
NIST's draft IoT guidelines.
CMMC updates (with some additional urgency driven by the SolarWinds incident).

Russian intelligence infiltrates nuclear, energy agencies.

A US Energy Department representative said Cozy Bear’s foray through SolarWinds’ backdoor into the National Nuclear Security Administration (NNSA) was confined to “business networks” as far as investigators know, and did not touch mission critical systems, according to Politico. The NNSA oversees the country’s nuclear arsenal and receives a very large share of Energy’s budget. Nuclear weapons research facilities in two states were hit, along with the NNSA Office of Secure Transportation, the body responsible for ferrying materials like enriched uranium.

The Federal Energy Regulatory Commission (FERC) also found “evidence of highly malicious activity.” CISA apparently told FERC it didn’t have resources to spare, so the Department of Energy is stepping up to the plate. An official said compromised software has been removed, but as we’ve seen, the APT swiftly dug further footholds. Politico speculates the FERC attack could lay the groundwork for an electric grid assault, since the agency maintains information “that could be used to identify the most disruptive locations for future attacks.” The total scope of the breaches may not be evident for some time.

Third-party risk, and counting the costs of the Sunburst compromise.

It turns out that what we’ve come to call the SolarWinds compromise isn’t confined to SolarWinds. CISA advises that it has evidence, still under investigation, of other access vectors the threat actors used. It’s a very serious problem whose extent is still being determined. CISA says the hostile campaign poses a “grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.” CISA offers four major takeaways:

First, “this is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.”
Second, “the SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.”
Third, “not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.”
And fourth, “organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.”

NSA has also weighed in. The US National Security Agency yesterday released a Cybersecurity Advisory, “Detecting Abuse of Authentication Mechanisms.” NSA is concerned to explain two tactics the attackers used to compromise US Government networks.

One was SAML forgery: on-premises components of a federated single-sign-on infrastructure were compromised to steal the credential or private key used to sign Security Assertion Markup Language (SAML) tokens. Trusted authentication tokens were then forged to gain access to cloud resources. A variation of this approach involved obtaining admin privileges in the cloud sufficient to permit the attackers to add a malicious certificate trust relationship that would in turn enable SAML token forging.

In the second tactic, “the actors leverage a compromised global administrator account to assign credentials to cloud application service principals.” They’re then able to invoke the application’s credentials to gain automated access to such cloud resources as email. NSA advises “locking down SSO configuration and service principal usage.”

Lamar Bailey, senior director of security research at Tripwire, offered some explanation of NSA's Advisory:

“Organizations need to extend the same security best practices use for on-premise assets to cloud assets. All too often we see organizations that assume the cloud provider is taking care of security and in many instances that is not the case. Checking assets and services for vulnerabilities is still required. And while many times the provider is hosting the service or asset, the customer may still need to initiate and upgrade from a marketplace to get the new version with security fixes. Access and Change Control along with File Integrity Monitoring are also extremely important. Compromised accounts and unsecured storage account for a large portion of the cloud data breaches. Even though the assets or services are not in the physical data center, they need to be protected with the same controls the tools may look different but the security controls are the same.”

We've heard from some other industry experts on the incident. Ekaterina Khrustaleva, COO at ImmuniWeb wrote about the need for a new awareness of software supply chain integrity:

"'SolarWinds-gate' illustrates the emerging trend of sophisticated supply chain attacks. Very few, if any, organizations ever cared to verify an update's integrity till today. The question is how many other software products from different vendors were silently compromised without triggering an alert so far? How many vendors were breached and backdoored to release a malicious update upon a signal from organized crime or a nation-state cybercrime actor?

"Most organizations narrow down their Third Party Risk Management program to questionnaires with boilerplate questions about obsolete, irrelevant or one-size-fits-all security controls. Such an approach may be because of budgetary restraints, however, an organization should at least tailor risk and threat assessments for their trusted third parties, such as IT and cybersecurity vendors. Furthermore, an independent risk assessment of a vendor’s attack surface and Dark Web exposure should complement the questionnaires at least on the annual basis.”

Mark Carrigan, COO at PAS Global, sees one part of the challenge as a lack of visibility. "Given the massive global scale of installations, the stakes are high with the SolarWinds hack. Many of these installations are across highly-sensitive industrial operations where network visibility is traditionally weaker. In fact, just today the ESCC, whose members include some of the largest U.S. power utility companies, gathered to discuss the emerging threat and how to respond."

And for those concerned about doing what they can to minimize risk in the near term, Chris Hickman, chief security officer at digital identity security vendor Keyfactor offers us some perspective on code signing:

"Code signing is one component of the SolarWinds breach, but not because of a stolen certificate. Attackers were able to inject malware into the build process, which is difficult to detect. They were able to compromise certificates allowing them to fabricate fake tokens for network access, transversing that to cloud access and subsequently manage network access and user permissions.

"This attack was highly sophisticated and the overarching theme here is not SolarWinds or FireEye. This is endemic of many organization's broad inability to track certificates within the business, know how those certificates are used and how to manage them effectively when something might be wrong. This kind of breach can happen to anyone and highlights the importance of certificate lifecycle management and having the processes and technology in place for visibility and certificate management.

He also shared some advice. "Here are some best practices to mitigate misuse of keys and certificates:

"Never store code-signing keys on developer workstations, web servers or build servers. Private keys should be kept in a FIPS 140-2 validated HSM
"Segregate duties between who is authorized to sign code, who can approve the request, and who can monitor and enforce compliance with signing policies.
"Maintain an active inventory of all certificates, where they are installed, who they were issued from, and who owns them (and your domains).
"Control certificate issuance and approval workflows to ensure that every certificate is trusted, compliant with policy, and up-to-date.
Test your certificate re-issuance and revocation capabilities to ensure you can respond effectively to a compromise."

NIST drafts IoT guidelines.

As directed by the US IoT Cybersecurity Improvement Act, the National Institute of Standards and Technology has published for public critique provisional rules governing Federal agency devices. One of the five complementary documents released helps departments think through what they need from equipment and vendors to mitigate organizational risk. Supporting documents flesh out previous recommendations, detailing manufacturer guidelines, customer requirements, and processes for evaluating compliance with various sets of rules.

CMMC update.

The Pentagon announced that it’s considering the US Navy, Air Force, and Missile Defense Agency, among other contenders, for lower level Cybersecurity Maturity Model Certification rollout contracts next year. The rollout period will span 2021 to 2025. Winners must attain certification in advance, but their subcontractors will have an additional grace period.

Nextgov says the SolarWinds event accentuates the urgency of supply chain security. In past justifications for the CMMC initiative, Defense representatives worried over Beijing spying, marking examples like China’s F-35 copycat.

FAST THINKING: Why the new Russian hacks are a game-changer (Atlantic Council) A suspected Russian hack targeted the US Department of Homeland Security in addition to the State, Treasury, and Commerce Departments.

Pay2Kitten – Fox Kitten 2 (ClearSky) During the past four months a wave of cyber-attacks has been targeting Israeli companies. The attacks are conducted by different means and target a range of sectors. We estimate with medium to high confidence that Pay2Key is a new operation conducted by Fox Kitten, an Iranian APT group that began a new wave of attacks in November-December 2020 that entailed dozens of Israeli companies.

Ukraine says faces almost daily hacker attacks (Reuters) Ukraine is facing almost daily hacker attacks on its government resources and intends to sharply strengthen its cyber security, Ukrainian state security service SBU said on Friday.

State-backed hacks of US, Israel herald new age of cyberwarfare (The Jerusalem Post) CYBER AFFAIRS: One lesson of these latest hacks is that hackers can be like the ancient demon hydra – you lop off one head, and multiple other heads sprout.

Russia’s massive hack demands a reckoning for U.S. cyber defenses (Washington Post) The disclosure from software vendor SolarWinds that “fewer than 18,000 customers” were compromised by a Russian hack announced this week was apparently meant to be reassuring — a sign of just how big and just how bad this attack is. Responsible officials must explain how it happened, as well as how they plan to prevent such a thing from happening again.

A moment of reckoning: the need for a strong and global cybersecurity response (Microsoft On the Issues) The recent spate of cyberattacks require the government and the tech sector in the United States to look with clear eyes at the growing threats we face. At Microsoft, we are committed to being at the forefront of these efforts.

Putin: Arms race with US ‘has already begun’ (Washington Examiner) An arms race between Washington and Moscow “has already begun,” according to Russian President Vladimir Putin.

India, EU reaffirm commitment to open, free, accessible cyberspace (Hindustan Times) According to an official release by Ministry of External Affairs (MEA), the Indian delegation was led by Dr S Janakiraman, Joint Secretary, Cyber Diplomacy Division, Ministry of External Affairs, while the EU delegation was led by Joanneke Balfoort, Director Security and Defence, EEAS.

Saudi Arabia in partnership deal with UN agency to empower children in cyberspace (Arab News) Saudi Arabia on Thursday signed a cybersecurity cooperation deal with a specialist UN telecoms agency to help strengthen child online safety. The strategic partnership agreement was inked between the Saudi National Cybersecurity Authority (NCA) and the UN’s International Telecommunication Union (ITU) to coincide with the launch of a global program to create a safe and prosperous cyberspace for children.

Competition With China Could Be Short and Sharp (Foreign Affairs) The Risk of War Is Greatest in the Next Decade

As China Tracked Muslims, Alibaba Showed Customers How They Could, Too (New York Times) The website for the tech titan’s cloud business described facial recognition software that could detect members of a minority group whose persecution has drawn international condemnation.

Huawei's 5G is a threat to Brazil’s national security (Asia News) Brazilians are looking at legal ways to ban the use of China’s high-speed Internet technology. According to the son of the Brazilian president, Beijing wants to carry out cyber espionage operati

Germany sets high barriers for Huawei with new security bill (Light Reading) After years of wrangling, ministers agree on a bill that will not ban specific vendors but will make it much harder for them to meet security standards.

Germany all but says “Nein!” to Huawei (Telecoms.com) New IT security law proposed by Angela Merkel’s cabinet gives the country’s security authority more power to exclude suppliers it deems posing threat to Germany’s critical information systems.

U.S. Blacklists China’s Top Chip Maker, Escalating Tech Fight (Wall Street Journal) The Trump administration is adding SMIC, China’s largest manufacturer of computing chips, to an export blacklist, restricting the company’s access to high-end technology over its alleged links it to the Chinese military.

SolarWinds breach raises stakes for NDAA Trump still threatens to veto (Federal News Network) The Cyberspace Solarium Commission’s leadership said the SolarWinds breach has further raised the stakes for the National Defense Authorization Act that President Donald Trump has threatened to veto.

Trump repeats his vow to veto the defense budget bill, but won’t say when (Military Times) The $740.5 defense authorization bill contains thousands of Pentagon reforms, pay re-authorizations and new program starts for 2021.

Biden and lawmakers raise alarms over cybersecurity breach amid Trump’s silence (Washington Post) Democrats and some Republicans raised the alarm Thursday about a massive and growing cybersecurity breach that many experts blame on Russia, with President-elect Joe Biden implicitly criticizing the Trump administration for allowing the hacking attack to occur.

Joe Biden warns he will be tough on state sponsors of cyberattacks, as U.S. suffers massive hack (CNBC) President-elect Joe Biden says the U.S. will join with allies to impose “substantial costs” on adversaries who engage in cyberattacks.

Biden Could Use Obama-Era Tools To Counter Sprawling Hack (Law360) President-elect Joe Biden, who vowed Thursday to respond to a cyber espionage campaign that has breached U.S. federal agencies and that officials say poses a "grave" risk to businesses, may dip into a deterrence toolbox developed under President Barack Obama, former government attorneys say.

With Trump silent, reprisals for hacks may fall to Biden (AP NEWS) All fingers are pointing to Russia as the source of the worst-ever hack of U.S. government agencies. But President Donald Trump, long wary of blaming Moscow for cyberattacks, has...

Trump Takes Bipartisan Criticism For Silence On Massive Cyber Attack (Forbes) Sen. Mitt Romney slammed ‘inexcusable silence and inaction from the White House’ and compared the hack to ‘Russion bombers.’

Gray Areas Cloud NY's New Publicity And Digital Privacy Laws (Law360) Two new laws in New York that extend a post-mortem right of publicity to celebrities and prohibit dissemination of digitally manipulated pornographic videos are rife with various exceptions, potential procedural obstacles, and gray areas ripe for debate and future litigation, say attorneys at Davis Wright.

Letter to the Honorable Charles P. Rettig, Commissioner, Internal Revenue Service (United States Senate) Dear Commissioner Rettig, We write to express our deep concern about recent reports that several federal government agencies have been compromised by sophisticated hackers.

()

Memo to Blinken: Protect the brains of State Department employees | Federal News Network (Federal News Network) As new leadership arrives at the State and Commerce Departments, and the intelligence community, let’s hope they give real attention to weird and disturbing threats to certain career employees.

Texas Accuses Google and Facebook of an Illegal Conspiracy (Wired) A new antitrust case against Google alleges that the two companies made a deal to reduce competition in online advertising.

Google’s Legal Peril Grows in Face of Third Antitrust Suit (New York Times) More than 30 states said that the company downplayed websites that let users search for information in specialized areas.