The CyberWire Daily Podcast 1.7.21
Ep 1244 | 1.7.21

CISA updates its alerts and directives concerning Solorigate as the investigation expands. Rioting, social media, and cybersecurity.

Dave Bittner: CISA updates its guidance on Solorigate and issues an alert that the threat actor may have used attack vectors other than the much-discussed SolarWinds backdoor. Some reports suggest that a widely used development tool produced by a Czech firm may have been compromised. The cyberespionage campaign is now known to have extended to the Department of Justice and the U.S. federal courts. Robert M. Lee shares lessons learned from a recent power grid incident in Mumbai. Our guest is Yassir Abousselham from Splunk on how attackers find new ways to exploit emerging technologies. And the cyber implications of the Capitol Hill riot.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 7, 2021. 

Dave Bittner: CISA said late yesterday that it had determined that the threat actor behind the Solorigate incident used additional SAML attack vectors beyond the now well-known SolarWinds supply chain approach. Alert AA20-352A reported that, quote, "CISA has evidence that there are initial access vectors other than the SolarWinds Orion Platform and has identified legitimate account abuse as one of these vectors. Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language - that's SAML - tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified," end quote. We read the ambiguous phrase legitimate account abuse as meaning abuse of legitimate accounts. It's the compromised accounts that are legitimate, not the abuse, which, of course, is never legitimate. 

Dave Bittner: Yesterday's alert also addresses the finding security firm Volexity reported last month. Quote, "Volexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multifactor authentication protecting access to Outlook web app. Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known," end quote. So the campaign has long been regarded as complicated and sophisticated, but the care and complexity of the threat actors' approach continue to come to light. 

Dave Bittner: CISA has also updated Emergency Directive 21-01 to reflect what's now known about the campaign and offering new guidance on effective remediation. That guidance includes both forensic analysis and reporting requirements. First, if there's no evidence of follow-on activity by the threat actor, it's time to rebuild. As the directive puts it, quote, "federal agencies without evidence of adversary follow-on activity on their networks that accept the risk of running SolarWinds Orion in their enterprises should rebuild or upgrade in compliance with hardening steps outlined in the supplemental guidance to at least SolarWinds Orion Platform version 2020.2.1 HF2," end quote. NSA has examined this version and determined that, quote, "it eliminates the previously identified malicious code," end quote. And the upgraded version also includes other fixes important to security going forward. 

Dave Bittner: Second, if an organization has evidence that the threat actor has been back or has never left, they're to check in with CISA. Quote, "federal agencies with evidence of follow-on threat actor activity on their networks should keep their affected versions disconnected, conduct forensic analysis and consult with CISA before rebuilding or reimaging affected platforms and host operating systems," end quote. It's an ongoing threat, of course, but it's also an opportunity to learn more about the adversary. 

Dave Bittner: CISA didn't say so in yesterday's statements, but The New York Times reports that both government investigators and private security firms are now looking into the possibility that JetBrains, a Czech firm with researchers in Russia, may have been an approach for the Solorigate attackers. JetBrains would appear to be the Eastern European software company mentioned in reports earlier this week as possibly implicated in further supply chain compromises. The company makes tools for developers, and those are used by developers in several large companies, including SolarWinds.

Dave Bittner: The tool of interest is JetBrains' TeamCity, which developers use to test and exchange software code before releasing it. TeamCity is widely used. JetBrains counts among its customers not only SolarWinds but also Google, Hewlett-Packard, Citibank, Siemens, VMware and a great many Android developers. JetBrains said in its blog that it hasn't been contacted by investigators. It also says that it wasn't involved in any attack and that its customers, including SolarWinds, hadn't complained of security issues. The company does note that TeamCity is a complex product that requires proper certification for secure and effective use. 

Dave Bittner: The AP reports that the US Department of Justice has confirmed that some of its systems, although none that handle classified information, were compromised in Solorigate. The compromise also extended to U.S. federal courts. The Administrative Office of the US Courts says an apparent compromise of the US judiciary's case management and electronic case file system is under investigation. 

Dave Bittner: Rioters protesting the results of the 2020 US presidential election rampaged through the US Capitol yesterday evening to protest the certification of the electoral votes that, now certified, have confirmed the victory of President-elect Biden. Three aspects of the riot are of significance to cybersecurity. 

Dave Bittner: First, there's the use of social media to incite the rioting. In this respect, President Trump has come in for considerable criticism, as he has for weeks not only contested the fairness and legitimacy of the election - as he's entitled to do within reason - but also more recently encouraged demonstrators to come to Washington and express their displeasure with the outcome. His last tweet yesterday urged demonstrators to be peaceful, but that, unfortunately, seemed to have had little effect. The Wall Street Journal reports that Twitter has suspended the president for the next few days and that Facebook has kicked him off its platforms, at least until he leaves office. 

Dave Bittner: Second, there was apparently some use of social media to organize the riot, including messages directing protesters down streets where they'd be less likely to be interdicted by police. And finally, the physical ransacking of a place where there were computers presents the possibility of physical destruction, theft or compromise. Some staffers evacuated their offices in such haste that machines were left on, with emails and other material up on their screens. And at least one senator reported the theft of a computer. Reuters reports that Senator Jeff Merkley, Democrat of Oregon, said that rioters took a laptop from a desk in his office. 

Dave Bittner: Lest it be forgotten that riots are kinetic acts in the physical world, remember this - in addition to the physical destruction at the Capitol itself, one of the rioters was shot dead by police. 

Dave Bittner: My guest today is Yassir Abousselham. He's chief information security officer at Splunk. And he joins us today with some thoughts on what has his attention as 2021 is upon us. Yassir, welcome to the show. 

Yassir Abousselham: Thank you, David. Good to be here. 

Dave Bittner: So 2021 - first of all, I guess there's a lot of us who can probably agree that it's - we're looking forward to having 2020 in our rearview mirror... 

Yassir Abousselham: Absolutely. 

Dave Bittner: ...For many, many reasons. But as we are heading into 2021 here, what sort of things have your attention? What's caught your eye? What do you think we need to be focused on? 

Yassir Abousselham: Yeah, there's a few things actually. So if we think about this year, 2020, and extrapolate into 2021, I think one thing that definitely catches my attention is the fact that remote work is here to stay. That is one safe prediction that we can make. The second thing that is somewhat related is the fact that hackers will continue capitalizing on the latest social and political issues. Another thing that - in terms of predictions that I think we will see continue to rise is the attacks on the supply chain. And then lastly, digital transformation. I think what we have seen and which will continue most likely into 2021 is this acceleration of digital transformation as a way for an organization to provide their employees and customers with the services that they need to be effective. 

Dave Bittner: So in terms of what we might expect from the attackers themselves, what sort of things are on your radar there? 

Yassir Abousselham: Yeah. I think the attackers will continue pursuing the shortest path to compromise. And typically, that consists of using the - what I call the standard technique to achieve that compromise. And by standard techniques, I mean things like social engineering - i.e., phishing, fraud and so on. You have ransomware going after misconfigured or vulnerable infrastructure, application layer attacks and things like password spraying and credential stuffing. So those are the - what I would call the standard attacks. And that's what's being used on the day-to-day basis. Typically, you put any kind of device or system on the internet, and it will get scanned within minutes. 

Yassir Abousselham: And then you have the more advanced attacks, and that's what's being used by the well-funded, in some cases, nation state actors. And they typically focus on or target supply chain. They're able to acquire, weaponize and use zero-days. You see a rampant, also, use of either physical attacks, extortion techniques and so on. That is not something that we see on a day-to-day basis but just some of these techniques that we should be aware of. 

Dave Bittner: All right. Yassir Abousselham, chief information security officer at Splunk, thanks so much for joining us. 

Yassir Abousselham: Thank you for having me, Dave. 

Dave Bittner: And joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, it's always great to have you back. We recently had this story about a sizable power outage in Mumbai. And I wanted to get your take on this because, as is always the case when these sorts of things happen, there is a certain group of people who want to point the finger at cyber. I wanted to get your take. Where do you think we stand here? 

Robert M Lee: Sure. So I'll say so far that the folks that have seemed to have pointed the finger toward cyber have actually been those involved in the state government in that region in India. So it always raises the level of discussion when you have alleged, you know, government-involved personnel. Now, that being said, we have also seen before, where government personnel have come out and claimed cyberattacks as relation to outages, and they were either wrong, or they were purposely misleading. 

Robert M Lee: So a good example of folks that have been wrong before - and not to, you know, in any way make them feel bad, but just for the purpose of education here - we've seen - a good example as one of the Israeli energy ministers came out at a conference they had and said, right now, we have the worst cyberattack in history taking place. It is taking place on the Israeli power grid. What he actually meant to say was there was a phishing email to a PC in a regulatory office completely disconnected from an electric grid, that somebody opened the email, and it had ransomware on it. You know, those two things are very different. So it's - you know, capturing the nuance of things like electric power outages and cyberattacks can be difficult for folks. 

Robert M Lee: We've also had the malicious before - or I would say that at least the intentionally misleading - where we had government officials in Venezuela come out and blame the United States for cyberattacks taking down portions of their electric infrastructure when it was actually their mismanagement and under-resourcing of maintenance as it related to some of their dam infrastructure. So government being involved is interesting but not necessarily convincing. So at the highest level, what I will say is the individuals supposedly involved have said there's going to be a government report coming out. That's when people should look at it and take it for consideration and start digging into the details. Prior to that report, there's nothing to dig into. Anything at this point would just be speculation. There's folks that could very reasonably try to argue that there's been conflict between China and India in the region. We do expect to see cyberattacks on infrastructure in geopolitical-tense times. We saw that between Russia and Ukraine, Russia and Georgia, Russia and others. We've seen it before around the world. 

Robert M Lee: You also do accept, though, that India has had a number of maintenance issues on portions of their infrastructure before. And outages are pretty common. Also, there's reason to take credit and sort of, you know, play the victim card, if you will, related to cyberattacks, again, as we saw in Venezuela versus admitting infrastructure problems. So basically, what I'm saying is everybody needs to dial it down. There's nothing here that raises suspicion that there was a cyberattack. There's nothing here that disperses the idea that there could have been. So there's not a whole lot of details to this. Everyone just needs to wait. But until further information, I would put this in the camp of not very likely but something to watch. 

Dave Bittner: Now, a point that I've seen you make is that when these sorts of things happen, you know, people go looking through their systems. They go looking - almost looking for trouble. And so it's not unusual to find some malware in a system somewhere, but that doesn't necessarily mean that that bit of found malware was the thing responsible for this outage. 

Robert M Lee: Absolutely. I guarantee if they go looking in their systems, they will absolutely find malicious software somewhere or scans from, you know, Chinese IP addresses or something along those lines. And the reality is - it's exactly the point you just made. Incident responders, when they get involved, are usually taking a much deeper look than day-to-day security efforts. And that's obvious because day-to-day security efforts - you have so much going on. You can't look deeply at everything. There's not enough time in the day. And when you get, you know, sort of called in and told, here is a network segment; here are some key systems; look for everything, you're going to find things that get missed. 

Robert M Lee: And we've seen this before time and time again. We've dealt with it in my firm in incident response cases, where folks will start to see, you know, artifacts of previous pen tests, previous adversaries, random malware, et cetera, and start trying to correlate these to events they've had. Oh, I remember; it was something weird going on in the relay, or, oh, this - you know, there was an outage here that we couldn't really explain. 

Robert M Lee: And I will challenge the community by saying, we don't do good enough forensics in ICS or industrial control systems to really prove those things very often. That's a gap we have. But also, we can't go the other direction and then correlate things together just because they exist in the network. And too often, we see the opposite, which is what I think might be happening here because the government personnel explicitly mentioned that they did find malware on some of the systems. And the pure presence of malware means absolutely nothing.

Dave Bittner: Yeah. All right - interesting perspective for sure. Robert M. Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - the art of engineering. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.