Solorigate cyberespionage updates.
Microsoft at the end of December updated its account of Solorigate, the large cyberespionage campaign generally attributed to Russia's SVR. Redmond said it detected and removed malicious SolarWinds software within its environment, and the investigation led the company to discover that a threat actor had used an employee account to view source code in several repositories. Microsoft emphasizes that the actor wasn't able to modify any code, adding that "we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code."
The New York Times reports that US intelligence agencies are looking into the possibility that JetBrains, a Czech firm that offers widely used IDEs and other software development tools, may have been compromised as part of the cyberespionage campaign. The JetBrains product in question is TeamCity, a software build management tool, although the tool's potential role in the hack is still unclear. The Times quotes Dmitri Alperovitch as saying that such a breach could greatly expand the scope of the incident, since "[i]t can allow an adversary to have thousands of SolarWinds-style back doors in all sorts of products in use by victims all over the world." The Times notes that JetBrains products are used by 300,000 organizations, including seventy-nine of the Fortune 100 companies.
JetBrains said in a blog post that it learned of the investigation from the news reports, and that it currently has no knowledge of any compromise:
"First and foremost, JetBrains has not taken part or been involved in this attack in any way. SolarWinds is one of our customers and uses TeamCity, which is a Continuous Integration and Deployment System, used as part of building software. SolarWinds has not contacted us with any details regarding the breach and the only information we have is what has been made publicly available. It’s important to stress that TeamCity is a complex product that requires proper configuration. If TeamCity has somehow been used in this process, it could very well be due to misconfiguration, and not a specific vulnerability. Furthermore, security is our top concern and we notify and manage updates transparently in our Security Bulletin.
"Secondly, we have not been contacted by any government or security agency regarding this matter, nor are we aware of being under any investigation. If such an investigation is undertaken, the authorities can count on our full cooperation."
JetBrains also cites a SolarWinds spokesperson as saying, "SolarWinds, like many companies, uses a product by JetBrains called TeamCity to assist with the development of its software. We are reviewing all internal and external tools as part of our investigations, which are still ongoing. The Company hasn’t seen any evidence linking the security incident to a compromise of the TeamCity product."
US Department of Justice confirms breach.
The AP reports that the US Department of Justice has confirmed that some of its systems, although none that handle classified information, were compromised in Solorigate. A spokesperson said around 3% of the Department's Office 365 email accounts may have been accessed. BleepingComputer estimates (based on the size of the DOJ's workforce) that this would amount to roughly 3,000 or more potentially compromised mailboxes.
The compromise also extended to US Federal Courts. The Administrative Office of the US Courts says "an apparent compromise" of the US judiciary’s case management and electronic case file system is under investigation. The AP notes that this "potentially gave the hackers access to sealed court documents, whose contents are highly sensitive."
On Tuesday, the Cyber Unified Coordination Group (UCG), the task force established by the US President and his National Security Council to investigate the Solorigate incident, released a statement on their findings so far:
"This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.
"The UCG believes that, of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems. We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted."
The US Cybersecurity and Infrastructure Security Agency (CISA) also released version 3 of its Emergency Directive 21-01 to offer new guidance:
- "Federal agencies without evidence of adversary follow-on activity on their networks that accept the risk of running SolarWinds Orion in their enterprises should rebuild or upgrade, in compliance with hardening steps outlined in the Supplemental Guidance, to at least SolarWinds Orion Platform version 2020.2.1 HF2. The National Security Agency (NSA) examined this version and verified it eliminates the previously identified malicious code. This version also includes updates to fix unrelated vulnerabilities, including vulnerabilities that SolarWinds has publicly disclosed.
- "Federal agencies with evidence of follow-on threat actor activity on their networks should keep their affected versions disconnected, conduct forensic analysis, and consult with CISA before rebuilding or reimaging affected platforms and host operating systems."
Cybersecurity ramifications of the US Capitol riot.
Rioters contesting the results of the 2020 US Presidential election rampaged through the US Capitol on Wednesday as Congress met to certify the electoral votes that (now certified) have confirmed the victory of President-elect Biden. The ransacking of a building full of computers raises the possibility of physical destruction, theft, or compromise of those machines. TechCrunch observes that, while classified information is unlikely to have been breached, the intruders' physical access to regular IT systems was extensive. Some staffers evacuated their offices in such haste that machines were left on, with emails and other material up on the screens. Forbes says one individual tweeted a (now-deleted) photo of House Speaker Nancy Pelosi's open email inbox. And at least one Senator reported the theft of a computer. Reuters reports that Senator Jeff Merkley, Democrat of Oregon, said that rioters took a laptop from a desk in his office.
For more, see the CyberWire Pro Disinformation Briefing.
APT27 tied to ransomware attacks.
Researchers at Profero and Security Joes report that the state-sponsored Chinese threat actor APT27 (also known as "Emissary Panda") seems to be responsible for several ransomware attacks alongside its cyberespionage campaigns. The researchers told Threatpost that the actor deployed ransomware against five unnamed gaming companies, two of which are "among the largest in the world."
The researchers explain, "What stood out in this incident was the encryption of core servers using BitLocker, which is a drive encryption tool built into Windows. This was particularly interesting, as in many cases threat actors will drop ransomware to the machines, rather than use local tools. Previously, APT27 was not necessarily focused on financial gain, and so employing ransomware actor tactics is highly unusual, however this incident occurred at a time where COVID-19 was rampant across China, with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising."
For more, see the CyberWire Pro Research Briefing.
Cofense says the Emotet botnet began churning out phishing emails laden with malicious documents just before Christmas, following a two-month hiatus. The newest version of the malware has some improvements and changes, as is customary following Emotet's periods of inactivity. As Deep Instinct's Shimon Oren explained on today's Research Saturday, "I think the way they're operating...with those periods of going under, in the long run, is...what makes their operation more lucrative and more profitable. They have that understanding that wasting all your ammunition and being exposed and transparent for a long period of time will actually make you less evasive, less infectious, and will allow the cybersecurity industry more time to learn to adapt to your operations and to your specific techniques and procedures...That understanding that one needs to go under for a little while in order to come back better and stronger is what makes them as successful, and again, over time."
Oren added that organizations should ensure that their defenses can address the current versions of Emotet, and that their employees are taught to never enable macros in a document.
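Because Emotet's lures arrive as macro-bearing Office documents, one defensive check a mail gateway or triage script can run is whether an attachment carries a VBA project at all, regardless of its file extension. The following is an added illustration, not code from Cofense or Deep Instinct; the sample documents it builds are constructed in-line and are not real Emotet lures.

```python
import io
import zipfile

# Content type that OOXML packages declare for an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_project(doc_bytes: bytes) -> bool:
    """Return True if an OOXML file (docx/docm/xlsm/pptm) carries a VBA project.

    Both the vbaProject.bin part and the declared content type are checked, so a
    macro document renamed to a "harmless" .docx extension is still flagged.
    Legacy OLE (.doc/.xls) files are not zip packages and are reported as False.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in ct
    except zipfile.BadZipFile:
        return False
    return False


def flag_macro_attachments(attachments: dict) -> list:
    """Given {filename: bytes}, return the sorted names that carry VBA (gateway triage)."""
    return sorted(name for name, data in attachments.items() if has_vba_project(data))


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package for testing (constructed data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        parts = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            parts.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                         % VBA_CONTENT_TYPE)
            # A stub OLE header stands in for the real compiled macro storage.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types>%s</Types>' % "".join(parts))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    inbox = {"invoice.docm": build_sample(True), "notes.docx": build_sample(False)}
    print("attachments carrying macros:", flag_macro_attachments(inbox))
```

Flagging an attachment this way supports the policy Oren describes: the document can be quarantined or rewritten before a user is ever asked whether to enable content.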
Mergers and acquisitions.
Irvine, California-based data security company Netwrix has merged with New Jersey-headquartered data access governance provider Stealthbits. Netwrix's press release states, "The combined entity will continue to offer its complete portfolio of more than a half dozen security solutions aimed at identifying and detecting data security risk as well as protecting, responding and recovering from cybersecurity attacks....With over 500 employees and customers from more than 50 countries, the combined company will operate as Netwrix with Steve Dickson continuing to serve as its chief executive officer and on the company's Board of Directors. Steve Cochran, founder and chairman of Stealthbits, will be an investor in Netwrix and will serve on its Board of Directors." The company adds, "For the foreseeable future, customers, prospects and partners of each company will continue to interact with each company as they do today for sales, support and partner activity."
White Ops, a bot mitigation and ad fraud prevention firm based in New York, has been acquired by Goldman Sachs Merchant Banking Division, in partnership with ClearSky Security and NightDragon. The company says "The acquisition will support White Ops in its next phase of growth and further accelerate its expansion into new markets." Their press release adds, "In addition to representatives from Goldman Sachs, Jay Leek will join the Board of Directors representing ClearSky and Dave DeWalt will join the Board of Directors representing NightDragon and serve as Vice Chairman of the Company."
Arizona-based cybersecurity consultancy Cerberus Sentinel has acquired Alpine Security, a cybersecurity services firm headquartered in Missouri. The company's press release states, "Alpine will continue to be based in St. Louis, and its compliance team will add to the experienced Cerberus Sentinel team led by chief compliance officer Baan Alsinawi. The penetration testing team will be integrated into the existing capabilities crew at Cerberus Sentinel, and it will continue to specialize in medical devices, addressing the expanding demand from healthcare clients."
For more business news, see the CyberWire Pro Business Briefing.
ZDNet reports that more than 100,000 Zyxel firewalls and VPN gateways were found to "contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel." Zyxel has released patches for affected products in its ATP, USG, USG Flex, and VPN series, with a fix for the NXC series expected in April.
Crime and punishment.
A UK judge has denied the US government's extradition request for Wikileaks founder Julian Assange, TechCrunch reports. Judge Vanessa Baraitser agreed with testimony that Mr. Assange is a suicide risk, and that he would be able to bypass measures intended to prevent him from taking his own life:
"I accept that oppression as a bar to extradition requires a high threshold. I also accept that there is a strong public interest in giving effect to treaty obligations and that this is an important factor to have in mind. However, I am satisfied that, in these harsh conditions, Mr. Assange’s mental health would deteriorate causing him to commit suicide with the 'single minded determination' of his autism spectrum disorder. I find that the mental condition of Mr. Assange is such that it would be oppressive to extradite him to the United States of America."
A spokesman for the US Justice Department told TechCrunch, "While we are extremely disappointed in the court’s ultimate decision, we are gratified that the United States prevailed on every point of law raised. In particular, the court rejected all of Mr. Assange’s arguments regarding political motivation, political offense, fair trial, and freedom of speech. We will continue to seek Mr. Assange’s extradition to the United States."
One criminal hacker, a Russian national who in September of 2019 copped a guilty plea to stealing information on more than a hundred thousand US "consumers" from a baker's dozen or so of companies, has now received his sentence. A US Federal Court has awarded Andrei Tyurin a twelve-year sabbatical with the Bureau of Prisons. Mr. Tyurin targeted mostly financial institutions, brokerages, and financial news outlets. Some eighty million of his victims were culled from JPMorgan alone.
Mr. Tyurin was convicted of offenses related to computer intrusion, wire fraud, bank fraud, and illegal online gambling, the AP reports. Working from his home in Moscow, Mr. Tyurin is said by Federal prosecutors to have taken in about $19 million. In extenuation and mitigation he claimed to have only actually received $5 million, none of which was actually "stolen," the rest having gone to a collaborator who apparently stiffed him of the remainder. $5 million seems like a lot to us, and we’re vague on how his acquisition of it didn't constitute some form of theft. In any case, Mr. Tyurin told the judge in a letter that he feels "terribly ashamed" of what he did, and that he's concluded he'd "chosen a wrong path in life."
Policies, procurements, and agency equities.
Politico reports that the incoming Biden Administration has selected "widely respected" NSA Cybersecurity Directorate Director Anne Neuberger for a new cybersecurity position on the National Security Council. As Deputy National Security Adviser for Cybersecurity, she'll oversee Federal cybersecurity initiatives, most likely including the Solorigate response. Neuberger served as the NSA’s first cybersecurity director and brings over a decade of Agency experience, having formerly served as its first Chief Risk Officer, where she managed compromise, intelligence failure, disclosure, and compliance risks. The CyberWire has previously noted Neuberger's view of key concerns like public-private information sharing, quantum-resistant cryptography, abuses of anonymity and cryptocurrency, ransomware, and China.
Yesterday, NSA's Cybersecurity Directorate released its annual report, 2020 NSA Cybersecurity Year in Review. The year was a difficult one, but the Directorate points with justifiable satisfaction to some solid accomplishments, not the least of which was a much expanded program of public outreach. The Directorate is pleased to have:
- "Contributed to the whole-of-government approach securing the 2020 election by sharing insights on adversary cyber actors and activities, particularly regarding indicators of intent to interfere.
- "Supported Operation Warp Speed by providing cyber threat intelligence, cybersecurity assessments, and foundational cybersecurity guidance.
- "Provided 30 unique, timely and actionable cybersecurity products since the directorate’s standup, working with our partners across the U.S. Government and Five Eyes partners to share relevant information to secure our customer’s networks.
- "Supported the DoD’s transition to telework, releasing written products and providing Commercial Solutions for Classified Capability packages to enable approximately 100,000 users to telework securely.
- "Strengthened public-private partnerships through our Cybersecurity Collaboration Center and Center for Cybersecurity Standards.
- "Communicated directly with the cybersecurity community through our Twitter account, @NSAcyber."
For more policy news, see the CyberWire Pro Policy Briefing.