By the CyberWire staff
SolarWinds suffers severe supply chain attack.
Network monitoring and management platform provider SolarWinds disclosed over the weekend that it had become apprised of "a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020." The hack was discovered by FireEye as the source of the security firm's own breach. SolarWinds said in an SEC filing on Monday that 33,000 of its 300,000 customers were using its Orion product, and around 18,000 are believed to have installed the Trojanized update.
The Washington Post, citing anonymous sources, says APT29 (Cozy Bear), a threat actor associated with Russia's SVR, is believed to be responsible for the hack. The US government targets known to be affected so far include the Department of Defense, the Department of Homeland Security, the State Department, the Department of Energy, the Treasury Department, the Commerce Department, and the National Institutes of Health. FireEye says additional victims include "government, consulting, technology, telecom, and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals."
An op-ed by former US Homeland Security adviser Thomas Bossert probably has it right in saying that the gravity of the breach is "hard to overestimate":
"The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian SVR will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call persistent access, meaning the ability to infiltrate and control networks in a way that is hard to detect or remove. While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy. The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated, but it is unclear what the Russians intend to do next. The access the Russians now enjoy could be used for far more than simply spying."
Microsoft was also affected by the incident, stating, "Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others."
It's worth noting that the incident, while devastating, so far appears to be a case of traditional espionage, and not an act of war (as some have suggested). It's also worth emphasizing, as Bossert did, that just because an organization installed the malicious update doesn't mean they were actively prospected by the threat actor; the hackers presumably focused their efforts on the most valuable targets (of which there were many).
Public- and private-sector response to the SolarWinds breach.
CyberScoop reports that the White House National Security Council has activated a Cyber Unified Coordination Group to coordinate the government's response to the incident. The FBI has the lead for threat response. It’s investigating for purposes of attribution, pursuit, and disruption of the threat actors. It’s presently doing so by engaging with "known and suspected victims." CISA has the lead for asset response activities. Emergency Directive 21-01, outlining immediate steps Federal agencies should take, was CISA's first step in helping contain and remediate the damage. And the Office of the Director of National Intelligence (ODNI) is coordinating the Intelligence Community’s collection and analysis of the incident.
The Wall Street Journal says White House national security adviser Robert O'Brien has cut short a trip to Europe and returned to the US to deal with the incident. The Telegraph reports that GCHQ is investigating the potential impact of the incident on the UK.
CISA also released an advisory on Thursday warning that SolarWinds isn't the only infection vector, stating, "CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed." A report from Volexity says the same threat actor had remained undetected for several years on the network of a US-based think tank. After being discovered and removed, the actor regained access by exploiting a vulnerability in Microsoft Exchange Control Panel. The attackers were again expelled, but returned a third time via the compromised SolarWinds update in June and July of 2020.
The US National Security Agency on Thursday released a Cybersecurity Advisory, "Detecting Abuse of Authentication Mechanisms," which explains two post-compromise tactics the attackers used against US Government networks.
One was SAML forgery: on-premises components of a federated single-sign-on infrastructure were compromised to steal the credential or private key used to sign Security Assertion Markup Language (SAML) tokens. Trusted authentication tokens were then forged to gain access to cloud resources. A variation of this approach involved obtaining admin privileges in the cloud sufficient to permit the attackers to add a malicious certificate trust relationship that would in turn enable SAML token forging.
In the second tactic, "the actors leverage a compromised global administrator account to assign credentials to cloud application service principals." They're then able to invoke the application's credentials to gain automated access to such cloud resources as email. NSA recommends "locking down SSO configuration and service principal usage."
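Both tactics leave traces in the tokens themselves: an assertion signed by a certificate the federation never issued (the added trust relationship), an unexpected issuer, or a validity window far longer than a legitimate STS would grant. As an added example, not from the NSA advisory or any vendor tool, the following Python performs those metadata checks on a SAML assertion. Assumptions: the sample assertion, issuer URL and certificate body are constructed placeholders (the "certificate" is just base64 of a marker string), and the code does not verify the XML signature, which is a separate step for an XML-DSig library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the "certificate" is base64 of a marker string, not a
# real X.509 object, and the issuer URL is a placeholder (assumptions).
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-not-a-real-certificate").decode()
TRUSTED_ISSUER = "https://sts.example.test/adfs/services/trust"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_constructed1" IssueInstant="2020-12-10T12:00:00Z">
  <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Conditions NotBefore="2020-12-10T12:00:00Z"
                   NotOnOrAfter="2020-12-17T12:00:00Z"/>
</saml:Assertion>"""


def _ts(value):
    """Parse the UTC 'Z' timestamps SAML assertions carry."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cert_fingerprint(cert_b64):
    """SHA-256 over the decoded (DER) bytes, the way a thumbprint is computed."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def check_assertion(xml_text, trusted_issuers, trusted_fingerprints, max_lifetime_h=1):
    """Return a list of findings; an empty list means nothing looked anomalous.
    Metadata checks only: cryptographic signature verification is deliberately
    left to an XML-DSig library and is not attempted here."""
    root = ET.fromstring(xml_text)
    findings = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        findings.append(f"issuer not trusted: {issuer}")
    cert = (root.findtext(".//ds:X509Certificate", namespaces=NS) or "").strip()
    fp = cert_fingerprint(cert) if cert else None
    if fp not in trusted_fingerprints:
        findings.append(f"signing certificate not in allowlist: {fp}")
    cond = root.find("saml:Conditions", namespaces=NS)
    lifetime_h = (_ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))).total_seconds() / 3600
    if lifetime_h > max_lifetime_h:
        findings.append(f"validity window {lifetime_h:.0f}h exceeds {max_lifetime_h}h")
    return findings
```

With the constructed sample the issuer and certificate pass, but the week-long validity window is reported; an empty allowlist reports all three conditions.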
According to KrebsOnSecurity, FireEye, Microsoft, and GoDaddy cooperated on a response to the SolarWinds compromise by establishing a kill switch to disable Sunburst backdoor instances still beaconing to their original domain. While this will prevent the attackers from leveraging the initial backdoor, it won't affect instances in which the threat actor has already established persistence within networks. Seizing the domain will also help the companies identify additional victims.
Technical details of the breach.
It's still unclear how the threat actor initially gained access to SolarWinds's environment. ReversingLabs says the actor first made changes to the Orion software in October 2019, when they added an empty .NET class that would later host the backdoor. The backdoor itself was added in March 2020, according to FireEye's analysis:
"SolarWinds.Orion.Core.BusinessLayer.dll (b91ce2fa41029f6955bff20079468448) is a SolarWinds-signed plugin component of the Orion software framework that contains an obfuscated backdoor which communicates via HTTP to third party servers. After an initial dormant period of up to two weeks, it retrieves and executes commands, called 'Jobs', that include the ability to transfer and execute files, profile the system, and disable system services. The backdoor’s behavior and network protocol blend in with legitimate SolarWinds activity, such as by masquerading as the Orion Improvement Program (OIP) protocol and storing reconnaissance results within plugin configuration files. The backdoor uses multiple blocklists to identify forensic and anti-virus tools via processes, services, and drivers."
FireEye and others have emphasized the APT's top-notch operational security, which allowed it to remain undetected for up to nine months. ReversingLabs explains, "While this type of attack on the software supply chain is by no means novel, what is different this time is the level of stealth the attackers used to remain undetected for as long as possible. The attackers blended in with the affected code base, mimicking the software developers’ coding style and naming standards. This was consistently demonstrated through a significant number of functions they added to turn Orion software into a backdoor for any organization that uses it."
SolarWinds incident could spark insider trading investigation.
The Washington Post reports that SolarWinds investors Silver Lake and Thoma Bravo could possibly face an insider trading investigation after it was revealed that the firms sold a combined total of $280 million in SolarWinds stock days before the company disclosed the breach. Former SEC enforcement official Jacob Frenkel told the Post, "Of course the SEC is going to look into that. Large trades in advance of a major announcement, then an announcement: That is a formula for an insider trading investigation." Representatives from both firms told the Post they were unaware of the breach when the deals took place.
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.
Facebook removes inauthentic networks.
Facebook has taken down competing inauthentic networks that primarily focused on African countries. One of the operations originated in France, while two were based in Russia. Interestingly, Facebook says this is the first time it's seen two opposing information operations "actively engage with one another, including by befriending, commenting and criticizing the opposing side for being fake." The social network credits research by Graphika with an assist in the takedown.
The French operation posted primarily in French and Arabic about news and current events, including France's policies in Francophone Africa, the security situation in various African countries, claims of potential Russian interference in the election in the Central African Republic, supportive commentary about the French military, and criticism of Russia's involvement in CAR. Facebook tied this campaign to individuals associated with the French military. Graphika says, "To judge by its timing, content and methods, the French operation was, in part, a direct reaction to the exposure of Prigozhin's troll operations in Africa in 2019 by Facebook."
French officials did not acknowledge responsibility for the campaign, but did indicate that they were aware that such things were going on. The Washington Post quotes an official statement to the effect that, "We are not surprised by the conclusions of the report published by Graphika, which we are studying, without being at this stage in a position to attribute possible responsibilities. Indeed, the multiplicity of actors in this informational struggle, state or not, makes such a designation difficult."
The Russian campaigns posted primarily in French, English, Portuguese, and Arabic about news and current events, including COVID-19 and the Russian vaccine against the virus, the upcoming election in the Central African Republic, terrorism, Russia's presence in sub-Saharan Africa, supportive commentary about the CAR government, criticism of French foreign policy, and a fictitious coup d'état in Equatorial Guinea. Facebook attributes this campaign to individuals previously associated with Russia's Internet Research Agency.
Graphika states, "The operations showed significant differences, notably the Russian operation’s reliance on local nationals (wittingly or unwittingly) and the French operation’s avoidance of electoral topics. However, when they clashed in CAR, they resembled one another. Each side trolled the other with insulting videos and memes; each side made false accusations against the other; each side used doctored evidence to support their accusations. Some Russian assets posed as news outlets, while some French ones posed as fact-checkers. Both used stolen profile pictures (and in the case of the French network, AI-generated profile pictures) to create fake personas for their networks."
For more, see the CyberWire Pro Disinformation Briefing.
Cryptomining botnet uses controversial PostgreSQL feature.
Palo Alto Networks' Unit 42 describes a Linux-based cryptomining botnet dubbed "PGMiner" that makes use of a disputed CVE involving PostgreSQL's "copy from program" feature, which allows a database superuser to execute code on the underlying operating system. PostgreSQL contends that this isn't a vulnerability, but rather a feature that can be abused if database privileges aren't securely configured. Unit 42 explains the controversy surrounding this feature:
"The feature allows the local or remote superuser to run shell script directly on the server, which has raised wide security concerns. In 2019, a CVE-2019-9193 was assigned to this feature, naming it as a 'vulnerability.' However, the PostgreSQL community challenged this assignment, and the CVE has been labeled as 'disputed.' The main argument against defining the feature as a vulnerability is that the feature itself does not impose a risk as long as the superuser privilege is not granted to remote or untrusted users and the access control and authentication system works well. On the other side, security researchers worry that this feature indeed makes PostgreSQL a stepping stone for remote exploit and code execution directly on the server’s OS beyond the PostgreSQL software, if the attacker manages to own the superuser privilege by brute-forcing password or SQL injection."
Regardless of whether the feature should be classified as a vulnerability, Unit 42 says the attackers in this case have used it "to stay under the detection radar by making the attack payload fileless." The attackers scan for Internet-exposed PostgreSQL ports, then launch brute-force attacks against the default "postgres" user account. Once they gain access, they use "copy from program" to download and execute cryptomining malware. The researchers conclude that the malware is "rapidly evolving," and could be ported to Windows and MacOS in the future, since PostgreSQL runs on those platforms as well.
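The chain Unit 42 describes, a password-guessing burst against the postgres account followed by "copy from program", leaves two distinct traces in the server log. As an added example, not from Unit 42's report, the following Python runs that detection over constructed log lines: it counts repeated authentication failures for a sensitive role from one host and flags any COPY ... FROM/TO PROGRAM statement, rating it higher when the same host has just been guessing passwords. Assumptions: log_line_prefix of '%t [%p] %u@%d %h ' and log_statement = 'all'; the addresses and statements are made up.

```python
import re
from collections import Counter

# Constructed sample log lines (not from a real server). Assumed
# log_line_prefix = '%t [%p] %u@%d %h ' and log_statement = 'all'.
SAMPLE_LOG = """\
2020-12-15 10:00:01 UTC [4101] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2020-12-15 10:00:02 UTC [4102] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2020-12-15 10:00:02 UTC [4103] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2020-12-15 10:00:03 UTC [4104] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2020-12-15 10:00:04 UTC [4105] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2020-12-15 10:00:09 UTC [4106] app@inventory 10.0.0.12 LOG:  statement: SELECT count(*) FROM orders
2020-12-15 10:00:15 UTC [4107] postgres@postgres 203.0.113.5 LOG:  statement: COPY scratch FROM PROGRAM 'echo constructed'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@]+)@(?P<db>\S+) "
    r"(?P<host>\S+) (?P<level>\w+):\s+(?P<msg>.*)$")
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
# Both directions matter: FROM PROGRAM reads a command's output, TO PROGRAM feeds one.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.IGNORECASE)


def analyze(log_text, fail_threshold=5, sensitive_users=("postgres",)):
    """Return alert dicts for brute-force bursts and COPY ... PROGRAM use."""
    fails = Counter()          # (host, user) -> failed logins
    fails_by_host = Counter()  # host -> failed logins, any user
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        auth_fail = AUTH_FAIL_RE.search(rec["msg"])
        if auth_fail:
            fails[(rec["host"], auth_fail["user"])] += 1
            fails_by_host[rec["host"]] += 1
            continue
        if COPY_PROGRAM_RE.search(rec["msg"]):
            # OS command execution through the database; worst when the same
            # host has just been guessing passwords.
            burst = fails_by_host[rec["host"]] >= fail_threshold
            alerts.append({"type": "copy_program", "host": rec["host"],
                           "user": rec["user"], "ts": rec["ts"],
                           "severity": "critical" if burst else "high"})
    for (host, user), n in fails.items():
        if n >= fail_threshold and user in sensitive_users:
            alerts.append({"type": "brute_force", "host": host,
                           "user": user, "count": n})
    return alerts
```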
For more, see the CyberWire Pro Research Briefing.
Patch news.
Hewlett Packard Enterprise has disclosed a zero-day remote code execution vulnerability in its Systems Insight Manager, according to BleepingComputer. The company is working on a patch, but in the meantime has released mitigations for the Windows version of the software. It's tracked as CVE-2020-7200, and it affects HPE Systems Insight Manager 7.6.x. The mitigations HPE has published all involve disabling the software's federated search feature.
D-Link has released patches for five vulnerabilities discovered by Trustwave in the D-Link DSL-2888A router.
Crime and punishment.
CyberScoop reports that Interpol has disrupted parts of Joker’s Stash, a popular criminal marketplace, by seizing certain proxy servers used by the site. Intel 471 describes the move as "more annoying than crippling" for the criminal souk, since the marketplace has several other domains that remained operational. Interpol told CyberScoop, "This relates to a coordinated police operational activity that is ongoing, and at this time we are not in a position to comment." CyberScoop quotes Andrei Barysevich from Gemini Advisory to the effect that Interpol's move may have been a warning to Joker's Stash and other criminal markets.
Courts and torts.
Ireland's Data Protection Commission (DPC) has fined Twitter €450,000 (approximately US$547,000) under GDPR for its mishandling of a 2018 data breach, according to TechCrunch. The DPC called the fine "an effective, proportionate, and dissuasive measure." TechCrunch notes that this is the Irish DPC's first cross-border GDPR ruling.
Policies, procurements, and agency equities.
Roll Call says the execution of the US Federal Communications Commission's rip-and-replace order for Chinese hardware will be the responsibility of the incoming Biden administration and the US Congress. The FCC estimates that the reimbursement costs to replace the equipment will be at least $1.6 billion. Outgoing FCC Chairman Ajit Pai noted that "we can't actually implement the reimbursement program unless and until Congress appropriates the necessary funding." The current top contenders to serve as Biden's FCC chair voted in favor of the rip-and-replace plan.
For more policy news, see the CyberWire Pro Policy Briefing.