By the CyberWire staff
Tech executives testify in Solorigate hearing.
Representatives from SolarWinds, Microsoft, FireEye, and CrowdStrike testified before the US Senate Select Committee on Intelligence regarding the Solorigate cyberespionage campaign. According to the Wall Street Journal, SolarWinds CEO Sudhakar Ramakrishna emphasized that the compromise of the company's Orion product was only one aspect of a wide-ranging campaign, and said SolarWinds is still investigating how the attackers gained initial access to its servers.
Microsoft president Brad Smith said there should be an investigation into other companies that may have been used as initial access vectors, stating, "There may be other brand-name players that may have been penetrated that have not been as forthcoming…leaving policy makers and potentially customers in the dark."
CrowdStrike CEO George Kurtz blamed Microsoft's "antiquated" architecture for the failed attack against CrowdStrike. Seeking Alpha quotes Kurtz as saying, "The threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network. Should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world’s most widely used authentication platforms."
FireEye CEO Kevin Mandia said most of the victims targeted in the campaign "were government, consulting, technology, and telecommunications entities in North America."
Amazon was invited to the hearing but declined to attend, stating that it wasn't affected by the hack, according to Business Insider. Amazon Web Services' vice president of public policy Shannon Kellogg stated in a letter, "AWS does not use the SolarWinds Orion software and our services were not compromised in any way, which is why we did not provide formal testimony on the panel yesterday. However, we look forward to continuing our ongoing engagement with you and your committee on cyber security issues. When we learned of SolarWinds, we immediately investigated, ensured we weren’t affected, and provided mitigation measures to help our customers who were. We promptly shared what we learned with the FBI. We’ve also provided detailed briefings to government officials, including Members of Congress and, specifically, to your committee."
Senator Susan Collins (Republican of Maine) said the Committee "should look at next steps" if Amazon declines to participate in the future.
Are you interested in the security of space and communications?
If so, take a look at the Cosmic AES Signals & Space, where aerospace meets outer space. This monthly briefing on the cyber security of the space and SIGINT sectors covers technology, policy, market news and more. Our new issue comes out on Monday, March 1, 2021.
Accellion breach updates.
Cloud solutions provider Accellion has sustained a data breach that's affected dozens of the company's clients, including Kroger, Singtel, Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), the Office of the Washington State Auditor, and the University of Colorado. BleepingComputer reports that the breach was carried out by the Clop ransomware gang and the FIN11 threat actor, but the attackers didn't deploy their ransomware and instead simply threatened to release the stolen data. The attackers exploited zero-day vulnerabilities in Accellion's legacy File Transfer Appliance (FTA) product, which have since been patched. The vulnerabilities involved are tracked as CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104. Accellion stated, "Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack. Within this group, fewer than 25 appear to have suffered significant data theft."
FireEye's Mandiant unit investigated the attack and says the attackers, which Mandiant tracks as UNC2546, installed a web shell dubbed "DEWMODE" to exfiltrate the data. FireEye states, "Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion's legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the 'CL0P^_- LEAKS' .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell."
The company adds, "We are currently tracking the exploitation of the zero-day Accellion FTA vulnerabilities and data theft from companies running the legacy FTA product as UNC2546, and the subsequent extortion activity as UNC2582. We have identified overlaps between UNC2582, UNC2546, and prior FIN11 operations, and we will continue to evaluate the relationships between these clusters of activity."
Canadian jet manufacturer Bombardier disclosed on Tuesday that it was affected by the breach, stating, "Forensic analysis revealed that personal and other confidential information relating to employees, customers and suppliers was compromised. Approximately 130 employees located in Costa Rica were impacted. Bombardier has been proactively contacting customers and other external stakeholders whose data was potentially compromised." ZDNet says some of the company's data has been posted, including "design documents for various Bombardier airplanes and plane parts."
A joint advisory from authorities in Australia, New Zealand, Singapore, the UK, and the US outlines the risks of the Accellion FTA compromise and recommends risk mitigation measures. The advisory states, "This activity has impacted organizations globally, including those in Australia, New Zealand, Singapore, the United Kingdom, and the United States. Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial (SLTT) government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors."
The alert, which is hosted on CISA's site, recommends that FTA users temporarily block internet access to and from any systems that host the software, check for evidence of malicious activity (especially the indicators of compromise included in the alert), consider auditing FTA user accounts for unauthorized changes, reset security tokens on the system, and upgrade to the latest version of the Accellion product.
For more, see the CyberWire Pro Privacy Briefing.
Oh, and did we mention that we have great deals on CyberWire Pro for your entire enterprise too?
From front-line staff to the Board room, making your entire staff more situationally aware makes them more prepared to tackle their roles. Be the office hero and keep your staff informed with CyberWire Pro for your enterprise. Find out more.
Silver Sparrow targets Macs.
Researchers at Red Canary, with help from Malwarebytes and VMware Carbon Black, uncovered a malware downloader dubbed "Silver Sparrow" that's designed to run on Apple's new M1 chips. According to Malwarebytes, the malware has been detected on just under 40,000 Macs, although its purpose is unclear since it currently lacks a payload. The researchers also aren't sure how the malware is delivered. Red Canary's researchers say they "suspect that malicious search engine results direct victims to download the PKGs based on network connections from a victim’s browser shortly before download. In this case we can’t be certain because we don’t have the visibility to determine exactly what caused the download."
Red Canary concludes, "[T]he ultimate goal of this malware is a mystery. We have no way of knowing with certainty what payload would be distributed by the malware, if a payload has already been delivered and removed, or if the adversary has a future timeline for distribution....Finally, the purpose of the Mach-O binary included inside the PKG files is also a mystery. Based on the data from script execution, the binary would only run if a victim intentionally sought it out and launched it. The messages we observed of 'Hello, World!' or 'You did it!' could indicate the threat is under development in a proof-of-concept stage or that the adversary just needed an application bundle to make the package look legitimate."
AppleInsider reports that Apple has revoked the developer certificates used by Silver Sparrow's author, which will prevent new infections.
For more, see the CyberWire Pro Research Briefing.
Want to get your message to leaders in cyber?
Security leaders across the globe trust the CyberWire and depend on us every day to deliver the news and analysis they need to do their jobs. That’s also why so many top security companies and hot startups trust us to help get the word out about their brand and fill their sales funnels. We have lots of great sponsorship opportunities that can help you get the word out too. Learn more at thecyberwire.com/sponsorship.
Twitter takes down coordinated inauthentic accounts.
SecurityWeek reports that Twitter has taken down three sets of coordinated, inauthentic accounts that separately pushed narratives in the service of Iranian, Armenian, and Russian interests. Twitter characterized the takedowns as "disclosing networks of state-linked information operations."
The Iranian influence operation was principally interested in issues surrounding the US Presidential election. Based on tips Twitter began receiving from the US FBI in October, the platform "suspended a total of 238 accounts operating from Iran for various violations of our platform manipulation policies. As previously stated, the accounts had low engagement and did not make an impact on the public conversation. Today, we’re adding these accounts to the archive to empower independent research and analysis."
Thirty-five accounts linked to the government of Armenia were also suspended. Those had a more narrowly regional interest, and pretended to represent political figures and government officials in neighboring Azerbaijan. Some of them also misrepresented themselves as Azerbaijan news agencies. These, too, Twitter took down for violation of its platform manipulation policy. (As a bonus, these bogus accounts also "engaged in spammy activity to gain followers and further amplify this narrative" unfavorable to Armenia's rival, Azerbaijan.)
Finally, Twitter took down two distinct networks run by Russian operators. Sixty-nine fake accounts were "reliably tied to Russian state actors." This crew had two interests: boosting the Russian government and undermining confidence in NATO. The second takedown addressed thirty-one accounts from two distinct networks that were assessed as being run by the Internet Research Agency, a notorious troll farm based in St. Petersburg.
For more, see the CyberWire Pro Disinformation Briefing.
Students and members of the military, don't be left out of CyberWire Pro! We've got you!
Due to your student or military status (active or reserve military status), you are able to subscribe to CyberWire Pro or CyberWire Pro+ at a significant discount. That means you can unlock access to our focus briefings, exclusive podcasts, quarterly analyst calls, premium articles and much more. To learn more, visit here and click on the Contact Us button in the Academic or Government & Military box.
Mergers and acquisitions.
Sunnyvale, California-based email security firm Proofpoint will acquire Colorado-headquartered data protection company InteliSecure for $62.5 million in cash, with the acquisition expected to close in March 2021. Proofpoint stated, "The acquisition of InteliSecure will add approximately 150 employees to Proofpoint’s growing global team and will boost Proofpoint’s ability to support its robust channel partner ecosystem’s service delivery and increase partners’ competitiveness by providing processes and experience from working with multiple vendors."
Texas-based cloud identity management company SailPoint has acquired Intello, a SaaS management startup headquartered in New York City. Intello's CEO and co-founder Barak Kaufman stated, "As part of the SailPoint crew, we'll help to build the future of identity security, combining Intello's SaaS discovery and insights with SailPoint's leading identity security platform."
French IT consulting company Atos has acquired Netherlands-based managed security services provider Motiv ICT Security. Atos stated, "This move reinforces Atos's position as the 3rd worldwide Managed Security Services provider by strengthening the Group's local capabilities and bringing its recent investment in the Managed Detection and Response (MDR) platform, AIsaac, to Dutch customers. In addition, Motiv's sovereign Security Operations Center (SOC), independently certified at the highest levels of maturity, further expands Atos's extensive network of global SOCs, a pivotal component of the Atos Prescriptive Security approach."
Irish MSP security company Kaseya has acquired Dallas, Texas-based MDR and SOC provider RocketCyber. Kaseya stated, "RocketCyber will continue to operate as an independent business within Kaseya, led by Banzhof in Dallas, Texas. Kaseya’s state-of-the-art SOCs will be located in Dallas, TX, Miami, FL and Dublin, Ireland. Additional integrations across the IT Complete suite are in development between RocketCyber and ID Agent Dark Web ID, IT Glue, Graphus and RapidFire Tools."
More business news can be found in the CyberWire Pro Business Briefing.
Open-source web browser Brave has patched a privacy bug that was exposing users' browsing histories, The Hacker News reports. The flaw affected Brave's "Private Window with Tor" feature, which relays the user's requests through a network of Tor nodes so that users can visit .onion websites without revealing their IP addresses. However, a vulnerability in the browser's CNAME-based ad blocker caused the hostnames of the .onion sites a user visited to be sent to the user's ISP or DNS provider.
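To make the failure mode concrete, here is an added example (not Brave's code) that models the CNAME-uncloaking lookup an ad blocker performs, shows the guard it needs so that .onion names are never handed to the system resolver (RFC 7686 reserves .onion as a special-use name that must not be resolved via DNS), and checks constructed DNS query logs for the leak a resolver operator or network defender would see. The log format, hostnames and CNAME mappings are assumptions made for the example.

```python
"""Added example, not Brave's code: a guarded CNAME-uncloaking step for an
ad blocker, plus a DNS-log check for .onion names reaching the resolver."""
import re
from typing import Dict, List, Optional

# RFC 7686: .onion is a special-use TLD that must never be sent to DNS.
NO_DNS_SUFFIXES = (".onion",)


def must_not_resolve(hostname: str) -> bool:
    """True if the name belongs to a zone the system resolver must never see."""
    host = hostname.rstrip(".").lower()
    return any(host == s[1:] or host.endswith(s) for s in NO_DNS_SUFFIXES)


class RecordingResolver:
    """Stand-in for the OS resolver: answers from a constructed CNAME table and
    records every name it was asked about, i.e. what the ISP/DNS provider sees."""
    def __init__(self, cnames: Dict[str, str]):
        self.cnames = cnames
        self.queried: List[str] = []

    def cname(self, hostname: str) -> Optional[str]:
        self.queried.append(hostname)
        return self.cnames.get(hostname)


def cname_uncloak(hostname: str, resolver: RecordingResolver, guarded: bool) -> str:
    """Return the canonical name so the blocklist can be matched against it.
    Unguarded, a .onion hostname is handed to the resolver and leaks; guarded,
    the lookup is skipped and the name is matched as-is (the fix's behaviour)."""
    if guarded and must_not_resolve(hostname):
        return hostname
    return resolver.cname(hostname) or hostname


# Constructed resolver query log (assumed format: timestamp client qtype qname).
DNS_LOG = """\
2021-02-24T10:00:01Z 192.0.2.10 A tracker.site.example
2021-02-24T10:00:02Z 192.0.2.10 A abcdefghijklmnop.onion
2021-02-24T10:00:03Z 192.0.2.11 AAAA cdn.site.example
2021-02-24T10:00:04Z 192.0.2.10 A www.abcdefghijklmnop.onion.
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def find_onion_leaks(log_text: str) -> List[Dict[str, str]]:
    """Any .onion query that reaches the resolver means a client leaked it."""
    leaks = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and must_not_resolve(m.group(4)):
            leaks.append({"ts": m.group(1), "client": m.group(2), "qname": m.group(4)})
    return leaks
```

Running `find_onion_leaks` over real resolver logs is a cheap way to detect any client software, not just a browser, that is wrongly passing .onion names to DNS.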
Crime and punishment.
The US Justice Department has indicted a Serbian man, Kristijan Krstic, for allegedly running cryptocurrency scams via phony online investment platforms called "Start Options" and "B2G," stating, "In truth, the money sent by investors in Start Options and B2G allegedly was never invested and instead was laundered internationally to a Philippines-based financial account and digital-currency wallet, and diverted to a U.S.-based promoter of the fraud. Subsequently, as alleged, the promoter transferred to Krstic approximately $7 million in investor funds from B2G and Start Options, and Krstic thereafter stopped responding to all communications and absconded with those investors' funds."
A 66-year-old Missouri man has been charged a second time for Internet stalking. The US Attorney’s Office for the Western District of Texas states, "Today’s indictment charges [Mark Joseph] Uhlenbrock with one count of internet stalking the same victim again. The indictment alleges that from May 2020 to September 2020, Uhlenbrock used the internet to cause substantial emotional distress to a person. The conduct in this indictment occurred while Uhlenbrock was still on supervised release for his first conviction of internet stalking."
Courts and torts.
US convenience store company Wawa reached a preliminary settlement of $12 million in a class-action lawsuit over its 2019 payment card breach, Law360 reports. The proposed settlement states, "(a) Class members who did not suffer attempted or actual fraud on their payment card are eligible to receive a $5 Wawa gift card; (b) Class members who can provide reasonable proof of an actual or attempted fraudulent charge on their card after a Wawa transaction are eligible to receive a $15 Wawa gift card; and (c) Class members who can provide reasonable documentary proof of money they lost or spent out-of-pocket in connection with an actual or attempted fraudulent transaction on their payment card are eligible for reimbursement of those costs up to $500."
The Wall Street Journal reports that TikTok's corporate parent has reached a settlement in a class action suit alleging misuse of children's and teenagers' personal data. In a settlement filed in the US District Court for the Northern District of Illinois, ByteDance has agreed to pay $95 million to establish a victims' compensation fund in response to class action suits alleging that the company's TikTok social media platform violated user privacy. The Journal quotes a TikTok representative as saying, "While we disagree with the assertions, rather than go through lengthy litigation, we'd like to focus our efforts on building a safe and joyful experience for the TikTok community."
Policies, procurements, and agency equities.
The Consumer Data Protection Act (CDPA) was passed by the Virginia house of representatives and senate last week and is expected to soon be signed into law by the governor, making it the second comprehensive privacy regulation in the US, AdExchanger reports. More stringent than the California Consumer Protection Act (CCPA), the CDPA is an opt-in law and requires clear consumer consent much like the EU’s General Data Protection Regulation (GDPR).
Facebook has reversed its decision to block news content for Australian users, the BBC reports. Campbell Brown, Facebook's vice president of global news partnerships, stated, "Going forward, the government has clarified we will retain the ability to decide if news appears on Facebook so that we won't automatically be subject to forced negotiation. We have come to an agreement that will allow us to support the publishers we choose to, including small and local publishers."
The US Department of Homeland Security summarized Secretary Mayorkas' cybersecurity agenda and upcoming cyber projects, which include international outreach, domestic speaking engagements, raising FEMA grants' baseline cybersecurity spend, elevating CISA's "Reduce the Risk of Ransomware" initiative, and promoting the Secret Service's ransomware response capabilities. Public-private partnership, workforce development, and infrastructure renovation are additional priorities.
US President Biden signed an Executive Order directing a comprehensive review of the resilience of American supply chains. The order includes, but isn't limited to, software supply chains.
For more, see the CyberWire Pro Policy Briefing.