By the CyberWire staff
Mimecast warns of certificate theft.
Mimecast, a company that offers email security services for Microsoft Office 365 accounts, warned on Tuesday that "a sophisticated threat actor" had compromised one of its certificates used to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services. The certificate would have allowed the actors to intercept inbound and outbound email traffic, Threatpost explains.
Mimecast stated, "Approximately 10 percent of our customers use this connection. Of those that do, there are indications that a low single digit number of our customers’ M365 tenants were targeted." (Reuters notes that Mimecast has upwards of 36,000 customers.) Mimecast adds, "As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available. Taking this action does not impact inbound or outbound mail flow or associated security scanning."
Reuters cites anonymous sources in the security industry to the effect that they suspect the hackers who compromised Mimecast's certificates are the same threat actors that were behind the Solarigate incident. The Wall Street Journal says the Mimecast hackers "used tools and techniques" that tie them to the SolarWinds breach.
Dragos Perspective on SolarWinds Compromise – On Demand Webinar
Listen to the Dragos team share their assessment of the recent SolarWinds compromise and its impact on ICS and OT networks. You’ll hear our recommendations for identifying industrial environments with SolarWinds and suggested remediation actions. Listen to the webinar recording here.
Possible ties between Sunburst and Turla backdoor.
Researchers at Kaspersky have identified possible links between the Sunburst malware used in the Solarigate incident and the Kazuar backdoor used by the Russian APT Turla. Reuters points out that Estonian intelligence services have long attributed Turla activity to Russia's FSB. Kazuar is a .NET backdoor first identified by Palo Alto Networks' Unit 42 in 2017. Its most recent version was spotted by Kaspersky on December 29th, 2020. Its similarities to Sunburst involve "the victim UID generation algorithm, the sleeping algorithm, and the extensive usage of the FNV-1a hash."
Both strains of malware create unique victim identifiers by generating an MD5 hash from a given string, then performing an XOR operation on the hash, although Kazuar and Sunburst each use slightly different methods to achieve this. Kazuar and Sunburst also use "exactly the same formula" to delay an initial connection to their command-and-control server, although Sunburst's implementation of the sleep routine is somewhat simpler. Finally, both strains of malware use modified 64-bit FNV-1a hashing algorithms to conceal plaintext strings throughout their code.
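The 64-bit FNV-1a string hashing Kaspersky points to cuts both ways for analysts: hashed strings in a sample can be resolved by hashing a candidate wordlist with the same routine, and the algorithm's two constants are a cheap triage marker. The following is an added example written for this briefing, not code from Kaspersky or from either malware family; the XOR tweak key, the carved hash values and the wordlist are constructed placeholders.

```python
import struct
from typing import Dict, Iterable, List

# Standard 64-bit FNV-1a parameters (offset basis and prime).
FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1

# Constructed placeholder: the post-hash XOR key that turns plain FNV-1a into a
# "modified" variant. Assumption only; real samples carry their own constant.
TWEAK_KEY = 0x5A5A5A5A5A5A5A5A


def fnv1a64(data: bytes) -> int:
    """Plain 64-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def fnv1a64_modified(data: bytes, key: int = TWEAK_KEY) -> int:
    """FNV-1a followed by an XOR with a fixed key: a small tweak that defeats
    precomputed FNV tables while leaving the algorithm recognisable."""
    return fnv1a64(data) ^ key


def resolve_hashes(unknown: Iterable[int], candidates: List[str],
                   key: int = TWEAK_KEY) -> Dict[int, str]:
    """Recover plaintext for hash values carved from a sample by hashing a
    candidate wordlist with the same modified routine. Unmatched values are dropped."""
    table = {fnv1a64_modified(c.encode(), key): c for c in candidates}
    return {h: table[h] for h in unknown if h in table}


def has_fnv64_constants(blob: bytes) -> bool:
    """Triage check: both FNV-1a 64 constants present as 8-byte little-endian
    immediates, as a .NET ldc.i8 or an x86-64 mov r64, imm64 would embed them."""
    return all(struct.pack("<Q", c) in blob for c in (FNV64_OFFSET, FNV64_PRIME))


if __name__ == "__main__":
    # Constructed: hash values an analyst might carve from a sample's string
    # blocklist, plus one value the wordlist does not cover.
    carved = [fnv1a64_modified(b"procmon"), fnv1a64_modified(b"wireshark"), 0x1234]
    wordlist = ["notepad", "procmon", "wireshark", "calc"]
    for value, name in resolve_hashes(carved, wordlist).items():
        print(f"{value:016x} -> {name}")
    sample = b"\x00" * 4 + struct.pack("<QQ", FNV64_OFFSET, FNV64_PRIME)  # constructed blob
    print("FNV constants present:", has_fnv64_constants(sample))
```

Resolution only succeeds once the tweak key has been recovered from the sample; with the wrong key every lookup misses, which is exactly why the key matters to the malware author.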
Kaspersky notes that while these features are unusual, they aren't unique to these two strains of malware. As a result, the researchers are careful to avoid attributing Sunburst to Turla based on this evidence, noting that the group behind Sunburst displayed outstanding operational security and could have included these features as false flags. The researchers lay out the following possibilities:
- "Sunburst was developed by the same group as Kazuar.
- "The Sunburst developers adopted some ideas or code from Kazuar, without having a direct connection (they used Kazuar as an inspiration point).
- "Both groups, DarkHalo/UNC2452 and the group using Kazuar, obtained their malware from the same source.
- "Some of the Kazuar developers moved to another team, taking knowledge and tools with them.
- "The Sunburst developers introduced these subtle links as a form of false flag, in order to shift blame to another group."
Kaspersky concludes, "At the moment, we do not know which one of these options is true. While Kazuar and Sunburst may be related, the nature of this relation is still not clear. Through further analysis, it is possible that evidence confirming one or several of these points might arise."
For more, see the CyberWire Pro Research Briefing.
Want to get your message to leaders in cyber?
Security leaders across the globe trust the CyberWire and depend on us every day to deliver the news and analysis they need to do their jobs. That’s also why so many top security companies and hot startups trust us to help get the word out about their brand and fill their sales funnels. We have lots of great sponsorship opportunities that can help you get the word out too. Learn more at thecyberwire.com/sponsorship.
A look at the malware used to insert Sunburst.
CrowdStrike describes Sunspot, an implant that was used by the SolarWinds hackers to insert their Sunburst malware into SolarWinds' Orion software. The malware was placed on the company's software build servers, where it would monitor "running processes for those involved in compilation of the Orion product and [replace] one of the source files to include the SUNBURST backdoor code." Sunspot seems to have been compiled on February 20, 2020, according to its build timestamp, which CrowdStrike says "is consistent with the currently assessed StellarParticle supply chain attack timeline." (StellarParticle is CrowdStrike's name for the activity cluster associated with this cyberespionage campaign.)
SolarLeaks looks like misdirection.
A leak site calling itself "SolarLeaks" is purporting to offer data stolen from various companies during the Solarigate campaign. BankInfoSecurity says the SolarLeaks goons have added Microsoft and Cisco code offerings to their menu, where they join SolarWinds and FireEye swag. Here’s the current list:
- Stolen from Microsoft, "Microsoft Windows (partial) source code and various Microsoft repositories," price $600,000.
- Taken, they say, from Cisco, "Multiple products' source code and internal bugtracker dump," going rate $500,000.
- From SolarWinds, "Source code for all products - including Orion - as well as a 'customer portal dump'" for $250,000.
- And from FireEye, "Red team tools," plus "source code, binaries and documentation," these at the low low price of $50,000.
There’s still no particular evidence that any of these offers are good, and emails to the SolarLeaks ProtonMail account are still bouncing. Cisco says it's had nothing stolen, and FireEye, which first detected the SolarWinds backdoor, says it’s found no evidence that SolarLeaks actually has anything at all. This looks increasingly like misdirection, something along the lines of Guccifer 2.0.
Operation Spalax targets Colombian entities.
ESET describes an ongoing campaign, dubbed "Operation Spalax," that's exclusively targeting government entities and private companies in Colombia. Most of the targeted companies are involved in energy or metallurgy. The campaign bears some similarities to operations described by QiAnXin and Trend Micro in 2019, but it also displays significant differences, namely in "the attachments used for phishing emails, the remote access trojans (RATs) used, and in most of the operator’s C&C infrastructure." The threat actors use phishing emails to deliver one of three commodity or open-source Trojans: Remcos, njRAT, and AsyncRAT. The emails are targeted at Colombians, but they generally aren't tailored to specific victims. ESET doesn't attribute the campaign to any particular threat actor.
WhatsApp delays changes to data sharing.
Messaging platform WhatsApp has delayed its recent decision to begin sharing user data with Facebook's family of companies, following user backlash, the Verge reports. The company cited widespread confusion about the details of the changes, noting that the messaging service still won't be able to read users' messages and won't log calls or share contact information with Facebook:
"[T]he update includes new options people will have to message a business on WhatsApp, and provides further transparency about how we collect and use data. While not everyone shops with a business on WhatsApp today, we think that more people will choose to do so in the future and it’s important people are aware of these services. This update does not expand our ability to share data with Facebook."
"We’re now moving back the date on which people will be asked to review and accept the terms. No one will have their account suspended or deleted on February 8. We're also going to do a lot more to clear up the misinformation around how privacy and security works on WhatsApp. We’ll then go to people gradually to review the policy at their own pace before new business options are available on May 15."
The Verge notes that the way WhatsApp initially presented the changes to the terms of service "gave people the idea they were being railroaded into new, more invasive terms." According to Reuters, Italy’s Data Protection Authority is alleging WhatsApp did not clearly communicate the new policies to users. The agency stated, "The authority believes it was not possible for users to understand what kind of changes were being introduced, nor how data would be treated after Feb. 8."
For more, see the CyberWire Pro Privacy Briefing.
Students and members of the military, don't be left out of CyberWire Pro! We've got you!
Due to your student or military status (active or reserve military status), you are able to subscribe to CyberWire Pro or CyberWire Pro+ at a significant discount. That means you can unlock access to our focus briefings, exclusive podcasts, quarterly analyst calls, premium articles and much more. To learn more, visit here and click on the Contact Us button in the Academic or Government & Military box.
Deplatforming in the wake of Capitol Hill rioting.
Many large Internet companies were quick to deplatform US President Trump and various supporters in response to the President’s encouragement of demonstrations earlier in the week. Axios lists Reddit, Twitch, Shopify, Twitter, Google, YouTube, Facebook, Instagram, Snapchat, TikTok, Apple, Discord, Pinterest, and Stripe.
The Wall Street Journal reports that both Apple and Amazon have taken action against Parler, a social platform whose declared mission is to provide a conservative alternative to what Parler characterizes as the general progressive bias of platforms like Twitter and so forth. Parler is suing Amazon in the US District Court for the Western District of Washington, seeking “injunctive relief, including a temporary restraining order and preliminary injunctive relief, and damages.” Parler is claiming an anti-competitive bias by Amazon. The company notes that Amazon provides equivalent services to both Twitter and Parler, yet only Parler was singled out for silencing on the grounds that it wasn’t filtering content that amounted to incitement to violence. The filing observes that “Friday night one of the top trending tweets on Twitter was ‘Hang Mike Pence.’ But AWS has no plans nor has it made any threats to suspend Twitter’s account.”
Parler says it does have content moderation designed to stop incitement, but Amazon says that, whatever Parler's review boards were doing, it’s not enough.
An op-ed in the New York Times argues that the lesson to be drawn from the deplatforming is that tech companies hold a great deal of power over online discourse, and that power tends to be exercised from the top, on the basis of “gut decisions” by executives, and not in conformity with established “quasi due process” criteria. The American Civil Liberties Union says it understands the desire to ban President Trump from Big Tech’s platforms, “But it should concern everyone when companies like Facebook and Twitter wield the unchecked power to remove people from platforms that have become indispensable for the speech of billions — especially when political realities make those decisions easier.”
The implications of the controversy and the ban won’t be confined to the US. Computing reports, for example, that British Health Secretary Matt Hancock has said that it seems clear that social platforms are now acting much more like publishers than a public square. He took no position on the deplatforming, nor did he offer any prescriptions for the future, but he said the companies are "choosing who should and shouldn't have a voice on their platform," and that recognizing this should inform any regulations governments might enact.
For more, see the CyberWire Pro Disinformation Briefing.
Mergers and acquisitions.
Boulder, Colorado-based SIEM provider LogRhythm has acquired Mountain View, California-based threat detection and hunting company MistNet. LogRhythm's president and CEO Mark Logan stated, "MistNet complements our existing SIEM platform by enhancing deep network visibility, behavior analytics and threat detection capabilities and will accelerate LogRhythm's reach into the XDR market."
Equifax has acquired fraud prevention and digital identity solutions provider Kount (based in Boise, Idaho) for $640 million. Kount's full product suite will be integrated into the Equifax Luminate Platform.
Seattle-headquartered application delivery and security firm F5 Networks has acquired distributed cloud platform provider Volterra, of Santa Clara, California, for $500 million, SecurityWeek reports. F5 said, "With the addition of Volterra's technology platform, F5 is creating an edge platform built for enterprises and service providers that will be security-first and app-driven with unlimited scale."
North Carolina-based open source software company Red Hat will acquire StackRox, a Kubernetes-native security firm headquartered in Mountain View, California. Red Hat stated, "With this acquisition, Red Hat will further expand its security leadership, adding StackRox’s complementary capabilities to strengthen integrated security across its open hybrid cloud portfolio with greater simplicity and consistency."
Accenture has acquired Brazilian managed cybersecurity services provider Real Protect. Paulo Ossamu, Accenture Technology Lead for Latin America, stated, "Brazil is home to a variety of cybercriminal groups with specific tactics, which is a cyber threat that can be tackled with specialized Brazilian cyber defense and incident response specialists. Real Protect will bring this expertise to complement our teams all over the region and enhance our commitment to help secure our clients’ businesses across their entire ecosystems in Latin America."
For more business news, including executive moves, see the CyberWire Pro Business Briefing.
Patch news.
Patch Tuesday saw software updates from several companies, including SAP (which released ten security notes, seven of which represented updates to earlier fixes), Adobe (whose security bulletins addressed Adobe Photoshop (APSB21-01), Adobe Illustrator (APSB21-02), Adobe Animate (APSB21-03), Adobe Campaign Classic (APSB21-04), Adobe InCopy (APSB21-05), Adobe Captivate (APSB21-06) and Adobe Bridge (APSB21-07)), and Microsoft (which, according to SecurityWeek, dealt with eighty-three issues, ten of them critical, one of which is undergoing active exploitation). One of Microsoft's patches addresses a Windows Defender flaw, and the Zero Day Initiative speculates in its Patch Tuesday summary that this particular issue was exploited in the Solorigate cyberespionage campaign.
Crime and punishment.
Physical loss of devices remains the most serious concern for cybersecurity following last week’s riot in the US Capitol. Since the Wednesday unrest, other members of Congress, including Speaker of the House Pelosi, have, Reuters says, also reported that laptops were taken from their offices.
Europol announced this week that an international law enforcement operation has taken down DarkMarket, generally held to have been the Internet's largest dark web contraband souk. German authorities took the lead in the investigation, with partners from Europol, Australia, Denmark, Moldova, Ukraine, the United Kingdom (the National Crime Agency), and the USA (DEA, FBI, and IRS). DarkMarket's wares consisted mostly of drugs, counterfeit currency, paycard information, and malware. Bravo to Europol and everyone else who cooperated in the takedown.
Threatpost reports that the former Ethics Officer for the City of Tallahassee has been arrested and charged with cyberstalking a former inamorato who also worked for the city. The arrest was made Monday, and the judge has ordered her to stay away from the sometime object of her affections and also to keep off the Internet until her trial is over. The former Ethics Officer, who had been responsible for, among other things, training Tallahassee civil servants and office holders in, well, ethics, should be considered innocent of the misdemeanor until proven guilty.
Courts and torts.
Ever, a now-shuttered photo storage app, has agreed to permanently delete biometric data collected from its users, Law360 reports. The US Federal Trade Commission had accused the company of deceiving users about how it used facial recognition technology.
Policies, procurements, and agency equities.
CyberScoop reports that the incoming Biden administration has filled some cybersecurity-related positions. David Recordon, a veteran of Facebook and the Obama administration, will serve as the White House Director of Technology, and former Department of Homeland Security infrastructure leader Caitlin Durkovich will be appointed Senior Director for Resilience and Response at the National Security Council. CyberScoop notes that the new director of CISA and the newly established White House national cyber director (or "cyber czar") have yet to be named.
SecurityWeek says Twitter, Google, and Amazon want the incoming Biden Administration to "enact a federal digital data law" to reduce regulatory "balkanization," as Twitter’s data privacy director Damien Kieran put it.
For more policy news, see the CyberWire Pro Policy Briefing.