<![CDATA[Decipher]]> https://decipher.sc Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. Fri, 15 Jan 2021 00:00:00 -0500 en-us info@decipher.sc (Amy Vazquez) Copyright 2021 3600 <![CDATA[Attackers Eyeing Cloud Platforms]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/attackers-eyeing-cloud-platforms https://duo.com/decipher/attackers-eyeing-cloud-platforms Fri, 15 Jan 2021 00:00:00 -0500

Some well-resourced attack groups have recently been seen taking advantage of common cloud services and platforms as part of their operations, both for initial access and for data exfiltration and storage.

Researchers at Fox-IT have been tracking an attack group for the last couple years that has targeted companies in the semiconductor and aviation industries through a number of different techniques. The group is almost entirely focused on intellectual property theft and has spent as long as three years dwelling inside a victim’s network, patiently collecting data and gradually exfiltrating it. Known publicly as Chimera, the group seems to operate in support of the interests of the Chinese government, Fox-IT said, and typically starts its operations by collecting usernames and passwords from public credential dumps. The group uses those credentials in password-spraying and credential-stuffing attacks against cloud email services as an initial entry point.

“After obtaining a valid account, they use this account to access the victim’s VPN, Citrix or another remote service that allows access to the network of the victim. Information regarding these remotes services is taken from the mailbox, cloud drive, or other cloud resources accessible by the compromised account,” a report from Fox-IT says.

“As soon as they have a foothold on a system (also known as patient zero or index case), they check the permissions of the account on that system, and attempt to obtain a list of accounts with administrator privileges. With this list of administrator-accounts, the adversary performs another password spraying attack until a valid admin account is compromised.”

Once they gain access to an admin account, the Chimera attackers load a Cobalt Strike beacon into memory on the machine, and the beacon then becomes the adversary’s means of remote access. The next step is lateral movement and exploration of the network, which is business as usual for most groups of this kind. During that process, the attackers install more Cobalt Strike beacons as needed and identify information of interest for collection and exfiltration. For smaller pieces of data, the attackers use the Cobalt Strike C2 channel, but for larger dumps they compress it and exfiltrate it to a Microsoft OneDrive account.

Enterprises have been moving their apps and infrastructure to the cloud en masse in recent years, and the advantages of those services and platforms have not been lost on attackers, either.

“We are seeing more APT actors and cybercrime groups doing the same because the IT industry is making that move. My gut feeling is it’s following the industry. The cloud offers some new opportunities for attackers. Cloud infrastructure is the same for all organizations, so if you’re attacking Office 365, it’s a standardized method with tools standardization across the landscape. Sometimes it lets you be more stealthy because the level of visibility and awareness organizations have in cloud environments is not as much as on premises,” said Christo Butcher, global lead for threat intelligence at Fox-IT said.

“We believe they are still active but we don’t know what they’re working on now."

Among the victims that Chimera has targeted are a semiconductor company in Europe as well as some airlines. The techniques and tactics in the intrusions are similar, and the group has a custom piece of malware that it uses to exfiltrate stolen data to one of several cloud storage services, including OneDrive, Dropbox, and Google Drive. The malware also is designed to stay hidden on various servers for months or years at a time inside a victim network and identify sensitive data.

“Its sits on servers that have good information to keep an eye on things and carves data out of memory, does DLL sideloading, and uses legitimate processes to hide,” Butcher said. “These are the signs of someone who wants to sit there quietly and exfiltrate data for as long as possible.”

Chimera is not the only adversary targeting cloud platforms and services, and earlier this week the Cybersecurity Infrastructure and Security Agency (CISA) warned of a rash of recent attacks on enterprise cloud services. Those attacks, which CISA has helped investigate, have involved similar tactics and techniques to the Chimera operations, including password spraying, phishing, and brute-force attempts.

“The cyber actors designed emails that included a link to what appeared to be a secure message and also emails that looked like a legitimate file hosting service account login. After a targeted recipient provided their credentials, the threat actors then used the stolen credentials to gain Initial Access to the user’s cloud service account. The actors then sent emails from the user’s account to phish other accounts within the organization. In some cases, these emails included links to documents within what appeared to be the organization’s file hosting service,” the CISA advisory says.

In some instances, the Chimera group was able to bypass MFA protection on some accounts by registering an additional mobile phone on the account to receive the SMS messages with one-time passwords. Other attack groups have used this method, and the CISA advisory said that attackers are using other techniques to access accounts protected by MFA.

“CISA verified that the threat actors successfully signed into one user’s account with proper multi-factor authentication (MFA). In this case, CISA believes the threat actors may have used browser cookies to defeat MFA with a ‘pass-the-cookie’ attack,” CISA said.

Fox-IT”s Butcher said the Chimera group seems to work on long-term assignments, gathering information over an extended period of time.

“We believe they are still active but we don’t know what they’re working on now,” he said.

]]>
<![CDATA[Decipher Podcast: Amanda Berlin]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-amanda-berlin https://duo.com/decipher/decipher-podcast-amanda-berlin Thu, 14 Jan 2021 00:00:00 -0500

]]>
<![CDATA[Mimecast Says Attackers Stole Certificate, Targeted Customers' Email]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/mimecast-says-attackers-stole-certificate-targeted-customers-email https://duo.com/decipher/mimecast-says-attackers-stole-certificate-targeted-customers-email Wed, 13 Jan 2021 00:00:00 -0500

Mimecast, an email security firm whose products are deployed widely in enterprises, said an attacker was able to steal a certificate that the company issued and customers use to authenticate to Microsoft 365 Exchange Web Services.

The attack gave the adversary the ability to impersonate customers that use that connection method, which Mimecast said is about 10 percent of its customer base. Mimecast officials said the attacker, which they did not identify, then used that access to specifically target a “low single digit” number of the company’s customers. The intrusion came to light when MIcrosoft notified Mimecast about the stolen certificate.

“Microsoft recently informed us that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor,” the company said in an announcement Tuesday.

“Approximately 10 percent of our customers use this connection. Of those that do, there are indications that a low single digit number of our customers’ M365 tenants were targeted. We have already contacted these customers to remediate the issue.”

The attack bears the hallmarks of a high-level adversary, targeting not just a specific customer, but going after the certificate that customers use to secure their connections to the Microsoft 365 service. Attackers often use forged or stolen certificates to gain access to sensitive resources without triggering typical security alerts. Mimecast officials said that in response to the incident, they’ve revoked the stolen certificate.

“As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available. Taking this action does not impact inbound or outbound mail flow or associated security scanning,” the announcement says.

The incident follows several weeks of revelations about the breach that began at SolarWinds and has spread to affect many private enterprises and government agencies that employ the SolarWinds Orion platform. One of the techniques used by the adversary behind that operation is to steal certificates used to sign SAML tokens. The attacker then used those tokens to access services that accept the SAML tokens for authentication, which often includes email services.

The Mimecast incident appears to be far more contained and focused than the SolarWinds intrusion, though. The company said that it has hired an outside forensics expert to investigate the intrusion.

]]>
<![CDATA[New Rule May Require Banks to Report Incidents Sooner]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/new-rule-may-require-banks-to-report-incidents-sooner https://duo.com/decipher/new-rule-may-require-banks-to-report-incidents-sooner Tue, 12 Jan 2021 00:00:00 -0500

A proposed rule from a trio of federal financial regulatory agencies aims to change current reporting requirements so that financial service organizations have to notify federal regulators of a security incident within 36 hours.

The new rule expands the current requirements banking organizations and bank service providers have to follow when a security incident rises to the level of a “notification incident.” A security incident refers to any event that violates security policies, procedures, or acceptable use policies, or results in actual or potential harm to the confidentiality, integrity, or availability of an information system. A notification incident refers to any event that impairs the organization’s ability to deliver services to a material portion of its customer base, results in a material loss of revenue, profit, or franchise value, or impacts the stability of the country’s financial sector.

A notification incident may include “major computer-system failures, cyber-related interruptions, such as coordinated denial of service and ransomware attacks, or other types of significant operational interruptions.” The notification can happen orally or in writing.

If the proposed rule gets adopted, organizations would need to report incidents that are disruptive, regardless of the type or quantity of information affected. Under the new rule, large-scale distributed denial of service attacks that prevent a significant number of customers from logging into banking applications and accessing their accounts would need to be reported to the regulators. Failed system upgrades that resulted in a service outage and triggered a disaster recovery place would need to be reported. Ransomware attacks holding systems hostage would also be considered notification incidents.

The proposed rule was announced by the Department of Treasury’s Office of the Comptroller of Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation on Dec. 18. The Notice of Proposed Rulemaking for the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers has been posted on the Federal Register and the comment period will be open for 90 days, until April 12.

Current regulations, as defined by the Bank Secrecy Act and the Gramm-Leach-Bliley Act, are “too narrow in scope to address all relevant computer-security incidents.” Organizations currently are not required to disclose incidents where sensitive customer information was not impacted. The regulators aren’t notified in a timely manner under existing rules. The Gramm-Leach Bliley Act says organizations need to notify federal regulators “as soon as possible” once aware of an incident that involved sensitive customer information. The Bank Secrecy Act requires organizations to file reports within 30 days, which is too late for agencies to do anything.

“The rule proposed by the agencies today provides appropriate balance — avoiding unnecessarily difficult or time-consuming reporting obligations while ensuring that regulatory agencies are in a position to provide assistance to a bank or the broader financial system when significant computer-security incidents occur,” FDIC Chairman Jelena McWilliams said in a statement.

The proposed rule follows the model set by the New York Department of Financial Services Cybersecurity Regulation, which requires financial services institutions to report within 72 hours any security event that can result in material harm to normal operations.

If the regulators are notified soon enough, they would be able to provide assistance through the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection and help coordinate incident response and recovery efforts in cases where the incident is an isolated event. If similar incidents are occurring across multiple organizations, timely notification could allow regulators to release appropriate guidance and provide information that would allow organizations to protect themselves.

The expanded requirements would apply to “supervised banking organizations and bank service providers,” which would include national banks, federal savings associations, and federal branches and agencies; U.S. bank holding companies and savings and loan holding companies, state member banks, and the U.S. operations of foreign banking organizations; and all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations. Bank service providers are companies providing services such as bookkeeping, accounting, and preparing and mailing checks, statements, and notices.

With financial services organizations increasingly relying on third-party service providers to handle many of the banks operations, extending the notification requirement to these suppliers is necessary. Bank service providers have to notify “at least two individuals” at the affected bank if they experience an incident which could “disrupt, degrade, or impair” services for four hours or more.

Any information provided would be subject to the agencies’ existing confidentiality rules. Many organizations hesitate to report incidents over concerns they will be held liable for lapses in their security practices, or delay the report to have as much information as possible. The confidentiality clause may help encourage reporting.

The regulators “do not expect that a banking organization would typically be able to determine that a notification incident has occurred immediately upon becoming aware of a computer-security incident.” An organization would take a “reasonable amount of time” to determine that a security incident should be considered a notification incident, and notify federal regulators within 36 hours after making that decision. That means regulators could be notified well past 36 hours after the incident occured—or was detected.

“This notification requirement is intended to serve as an early alert to a banking organization’s primary federal regulator and is not intended to provide an assessment of the incident,” the proposal said.

]]>
<![CDATA[Intel vPro Chips Include Ransomware Detection]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/intel-vpro-chips-include-ransomware-detection https://duo.com/decipher/intel-vpro-chips-include-ransomware-detection Mon, 11 Jan 2021 00:00:00 -0500

The latest Intel vPro processor for business-class laptops will include built-in protections to detect and block ransomware attacks, Intel said.

Intel added hardware-based ransomware detection to the new 11th Gen Core vPro processors as part of its ongoing efforts to use virtualization security to embed security features right into the silicon. The processor's security technology, namely Intel Hardware Shield and Intel Threat Detection Technology, makes it possible to detect unauthorized modifications to the hardware. By putting security protections right into the silicon, the chip can protect the device from firmware attacks even if the operating system or security software is compromised.

Intel Hardware Shield runs on the CPU underneath the operating system and applications such as security software, so it can detect malicious activity that the operating system may not be able to detect. Hardware Shield locks down UEFI/BIOS and prevents the firmware from being modified during boot. By verifying the operating system is running on legitimate hardware and that the firmware has not been modified by an unauthorized process, Hardware Shield protects against firmware attacks.

Intel’s Threat Detection Technology relies on CPU-based telemetry and machine learning heuristics to detect fileless malware, cryptomining, polymorphic malware. Intel said TDT can detect threats that "leave a footprint" on the CPU performance monitoring unit.

Ransomware strains have recently evolved to bypass security tools and also to spawn copies of itself which could hide inside virtual machines. Anything happening on the device, regardless of layer, would be visible to the CPU. On laptops with the new vPro processor, Hardware Shield would be able to detect ransomware, even if it attempted to hide inside virtual machines or from the operating system, the company said. Intel TDT would then sends a high-fidelity signal that can trigger remediation workflows in the security vendor's code.

"Ransomware was a top security threat in 2020, software alone is not enough to protect against ongoing threats," Stephanie Hallford, Client Computing Group Vice President and General Manager of Business Client Platforms at Intel, said in a statement.

Intel made Hardware Shield--which uses artificial intelligence for threat detection, detecting ransomware, and stopping crypto-mining attacks--mandatory for 10th Gen Core vPro chips in mid-2020. The company also added Control Flow Enforcement Technology to CPUs to help protect systems against malware that uses Return Oriented Programming (ROP), Jump Oriented Programming (JOP), and Call Oriented Programming (COP) techniques to infect devices and hijack applications.

The 11th Gen Core vPro platform would be among the first ones to offer “silicon-enabled threat detection capability,” Hallford said. Intel plans to launch more than 60 business-oriented laptops with the new vPro processors in 2021.

As part of Intel's announcement, security company Cybereason said it will add support for the chips’ features to its security software this year. The layered protection will give businesses “full-stack visibility from CPU telemetry” to prevent ransomware. The company will integrate Intel TDT capabilities into the Cybereason Defense Platform.

"The joint solution represents the first instance where PC hardware plays a direct role in ransomware defenses to better protect enterprise endpoints from costly attacks," Cybereason's Yonatan Striem-Amit said. The collaboration enables "full-stack visibility" to detect and block ransomware before they can cause damage.

A similar partnership with BlackBerry (announced June 2020) added vPro support to Blackberry Optics, a cryptomining and cryptojacking detection tool.

]]>
<![CDATA[No Easy Path to Cyber Norms]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/no-easy-path-to-cyber-norms https://duo.com/decipher/no-easy-path-to-cyber-norms Mon, 11 Jan 2021 00:00:00 -0500

The recent revelation of a massive intrusion campaign that has been attributed to Russia and has affected government agencies, tech companies, and many other organizations has renewed calls for the establishment of international norms for cyber operations. The concept has been floating around for years, but security and policy experts say that the process of developing and enforcing norms is fraught with potential problems, and it may already be too late.

The scope of the attacks, which first emerged in December when FireEye revealed that an adversary had gained access to its network and made off with its red team tools, quickly expanded to include SolarWinds, Microsoft, several federal government agencies, and a number of other technology providers. Some of the victims were compromised via a malicious update for the SolarWinds Orion IT monitoring platform that thousands of customers downloaded. But others were hit by the same adversary through one of several other initial access vectors, such as password guessing or spraying. The United States government said the operation was likely the work of Russian actors, but stopped short of identifying which group specifically.

Security researchers and government officials have said that the main goal of the adversary was espionage, gathering intelligence, and stealing sensitive data, not destructive actions inside the compromised networks. While espionage is as old as civilization itself and has some relatively established parameters and norms, cyberespionage is a much newer phenomenon and the same kind of guidelines don’t really exist. There have been discussions both nationally and internationally about the need for cyber norms, and some countries have come to agreements in recent years, but establishing one overarching framework may not be a realistic objective.

“The idea of setting norms in cyber is one that’s thrown around a lot. I have this growing feeling, and I have for several years, that the idea of setting norms feels to me like we’re in the decline of the digital Roman empire and we’re telling people it’s not ok to use elephants to cross the Alps and they’re using elephants to cross the Alps, and we will be overrun,” said Katie Moussouris, CEO of Luta Security, during a panel discussion sponsored by Aspen Institute.

“Every country with the capability will preserve their right to gather intelligence. When it comes to cyber weapons, this isn’t something that we can appropriately define or regulate.”

“I want to make sure that the conversations about cyber norms take into account that nuance."

Part of the problem with the concept of cyber norms is that the lines between cyberespionage and other types of intrusions are blurry at best, and in some cases non-existent, with some actors conducting operations across the spectrum at various points. Intelligence agencies maintain teams that conduct offensive cyber operations against foreign targets, which is generally considered business as usual. But some governments also either sponsor or tacitly tolerate organized groups that run cybercrime operations, ransomware campaigns, and other types of attacks. Moussouris, who has helped develop international standards for vulnerability disclosure and cyber arms control, said that any discussions about cyber norms need to take into account the complexity of the issue.

“I want to make sure that the conversations about cyber norms take into account that nuance,” she said. “It’s the behavior that helps preserve order in the world.”

The easy availability of the technology and knowledge necessary to build out a competent offensive team makes cyber operations much more practical and attainable than traditional military or intelligence operations for many countries. That makes the field of adversaries much broader.

“In espionage there’s too much asymmetry, because there are too many countries that can’t compete with us militarily that can compete with us in cyber,” said Kevin Mandia, CEO of FireEye, during the panel discussion.

The lack of international norms for cyberespionage or other related operations has left the floor open for individual countries to set their own ground rules and perhaps dictate those for other nations.

“We’re seeing a country like China that wants to set all of these rules and standards and that ought to scare the heck out of all of us,” said Sen. Mark Warner (D-Va.)

]]>
<![CDATA[Data Shows More Exploits Are Being Published on GitHub]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/data-shows-more-exploits-are-being-published-on-github https://duo.com/decipher/data-shows-more-exploits-are-being-published-on-github Fri, 08 Jan 2021 00:00:00 -0500

From a vulnerability management perspective, it makes sense for defenders to be aware of which vulnerabilities have publicly available exploit code. Increasingly, much of that code is beginning to appear on GitHub.

Exploit DB was a “prominent source” in early research and among academic circles, but the number of exploits being posted to this database has been declining since 2017, Cyentia Institute’s Jay Jacobs wrote. In contrast, the number of exploits published on GitHub each month has been steadily increasing.

When vulnerabilities are published, the clock starts ticking on when exploit code would become available. Vulnerabilities with published exploit code are as much as seven times as likely to be exploited in the wild, past research has shown. There are clues where the code is published can affect whether it will be exploited. Cyentia also found that how the code is published has an impact: “weaponized” exploit code, such as in the form of a Metasploit module, increases the odds of that vulnerability being exploited in the wild from about 3.7 percent to 37.1 percent, Jacobs said.

The overall trend for the three major sites for exploit code (a larger chart from Cyentiais pretty striking. The number of exploits published on Exploit DB shows it is still a good source of keeping track of different vulnerabilities, but the number published monthly has been declining since 2018. The number of exploits published on Exploit DB ranged from more than 120 per month to around 60 over the course of 2018, but in 2020, that range was more than 20 to fewer than 60. Contrast that to GitHub, where the monthly numbers have been steadily increasingly each month, each year. The number of exploits published on GitHub ranged from 20 to 40 for most of 2018, but ranged from 60 to over 120 in 2020.

The number of exploit codes — the modules — published on Metasploit has been constant.

That Metasploit chart is pretty interesting. Metasploit modules help defenders find holes that need attention, and also help confirm that the mitigations are working correctly. However, because the framework makes it easier to execute the exploits, there is an undeserved impression that Metasploit encourages attacks. But the fact that the numbers on Metasploit is pretty constant may suggest that attack groups aren’t waiting with bated breath for the next Metasploit module to be available before starting their campaigns.

But, back to vulnerability management. The thing about exploits on Exploit DB is that it was clear what it was. As Jaccobs noted, however, publishing of exploits is largely adhoc and unstructured. Proofs-of-concept and ready-to-weaponize exploit code can be published in various forms outside of dedicated forums and databases—they can appear as blog posts, or even on Twitter. The shift towards publishing exploits on GitHub exacerbates the situation even more, since it would be difficult to regularly look through various repositories to find published code. (Don't worry, Cyentia is working on a classifier for this.)

“Anyone can create a GitHub repository and there are no rules, limitations or standards for what a working exploit will look like once published to github,” Jacobs said.

]]>
<![CDATA[CISA Identifies Multiple Vectors Used by SolarWinds Attackers]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/cisa-identifies-multiple-vectors-used-by-solarwinds-attackers https://duo.com/decipher/cisa-identifies-multiple-vectors-used-by-solarwinds-attackers Thu, 07 Jan 2021 00:00:00 -0500

Investigators at the Cybersecurity and Infrastructure Security Agency (CISA) have found evidence that the adversary responsible for the SolarWinds breach and subsequent compromises of other organizations has used other initial access methods in its attacks, including abusing legitimate accounts, sometimes through the use of forged SAML tokens.

In an updated advisory issued Wednesday, CISA said that in some of the incidents its experts have investigated related to the SolarWinds breach they have discovered that the attackers have used methods other than the compromised SolarWinds Orion update to gain a foothold in target networks.

“CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors. Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified,” the advisory says.

When the SolarWinds breach was first disclosed in mid-December, Microsoft officials said that they had seen the adversary use stolen SAML signing certificates to forge SAML tokens. That would allow the attackers to access any internal network resource that trusts those SAML tokens. But that activity was seen as something that happened after the adversary already had access to the network by using the backdoor inserted into the Orion update. CISA’s response teams, which help investigate incidents at federal agencies, have found that this activity can also be a way in, along with other methods.

“CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed. CISA incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services,” the CISA advisory says.

"It is likely that the adversary has additional initial access vectors and TTPs that have not yet been discovered."

Once inside a victim network, the attackers have focused on finding and exfiltrating confidential information. CISA said in its new advisory that the attackers have in some cases specifically targeted the email accounts of incident responders and IT staff members. CISA has released a free tool called Sparrow to help IR teams identify compromised accounts and apps in Microsoft Azure or 365 environments.

Earlier this week, CISA, the FBI, the NSA, and the Office of the Director of National Intelligence issued an advisory on the SolarWinds breach and said the activity was “likely Russian in origin”. The agencies have not attributed the attacks to any specific group in Russia, although security researchers have pointed the finger at APT29, a group known as Cozy Bear. That team is linked to Russian intelligence agencies and has been tied to many high-profile operations in the past, including attacks on U.S. and foreign government agencies, the Democratic National Committee, and a number of non-profits.

Both federal agencies and private companies have been identified as victims of the adversary behind the SolarWinds breach, including the Department of Justice, Department of Commerce, Department of the Treasury, Microsoft, and FireEye. CISA officials emphasized that remediating the incidents caused by this attacker would be a difficult task.

“This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and TTPs that have not yet been discovered,” the CISA advisory says.

]]>
<![CDATA[Number of SolarWinds Orion Servers Online Rising Post-Breach]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/number-of-solarwinds-orion-servers-online-rising-post-breach https://duo.com/decipher/number-of-solarwinds-orion-servers-online-rising-post-breach Wed, 06 Jan 2021 00:00:00 -0500

One of the first things that happened when the SolarWinds breach was disclosed in mid-December is that enterprises began taking their Orion servers offline. This was predictable. But what wasn’t expected is that more Orion servers would be online now than before the disclosure.

Data compiled by Censys, a firm that continuously monitors the Internet, shows that on Dec. 15, two days the breach was made public, there were about 1,400 Orion servers exposed to the Internet. That number began to drop steadily a few days later and hit a low of about 1,220 on Dec. 28., but as the new year approached, the numbers began to rise quickly. By Monday, there were 1,551 Orion servers online, 10 percent more than there had been at the time of the breach disclosure.

That’s concerning for several reasons, not the least of which is the fact that Orion is an internal IT monitoring tool that’s not necessarily meant to be exposed to the Internet. The reason for the uptick in Orion servers online is not immediately obvious, but Censys researchers hypothesized that it could be the result of simple operator error.

“If we look at all of 2020 we could think that maybe there were fewer servers online before COVID, and once that happened people needed remote access, so they put it online. But after the breach, we would’ve expected it to return to the pre-breach baseline, not to shoot up past it,” said Derek Abdine, CTO of Censys.

“This could just be misconfigurations, people taking the servers offline, patching them, maybe changing the port, and then putting them back up.”

“That lends more credence to the idea that these are probably misconfigurations."

Interestingly, Abdine said the data shows a broad distribution of ports on which Orion is running, showing that enterprises may be trying to use non-standard ports as a small bit of camouflage. Censys’s data showed 62 individual ports hosting Orion instances on Monday.

“That lends more credence to the idea that these are probably misconfigurations,” Abdine said.

SolarWinds has tens of thousands of customers, and the company said after the breach that around 18,000 of them had downloaded a malicious update for Orion that was created by attackers who had compromised the company’s internal systems. That update contained a backdoor that enabled the attackers to gain access to customers’ networks, as well. On Tuesday, several federal government agencies, including the FBI and CISA, said that the adversary behind this operation was “likely Russian in origin”. The agencies have formed a task force known as the Cyber Unified Coordination Group, which is handling the response and remediation of the attacks for government agencies.

“The UCG believes that, of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems. We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted,” the statement says.

On Wednesday, the Department of Justice released a statement saying that it was among the federal agencies involved in the SolarWinds compromise. Other known government victims include the Department of the Treasury and the Department of Commerce. The Justice statement said it detected malicious activity related to the SolarWinds update on Dec. 24.

“This activity involved access to the Department’s Microsoft O365 email environment. After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the O365 email environment. At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted,” the statement says.

]]>
<![CDATA[Citrix Releases Mitigations for DDoS Attacks on ADC, Gateway Appliances]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/citrix-releases-mitigations-for-ddos-attacks-on-adc-gateway-appliances https://duo.com/decipher/citrix-releases-mitigations-for-ddos-attacks-on-adc-gateway-appliances Tue, 05 Jan 2021 00:00:00 -0500

Attackers have been targeting Citrix ADC and Gateway appliances in recent weeks to use them as part of DDoS attacks. The attacks don’t take advantage of any flaws in the appliances, but instead uses them as amplification points.

The DDoS attacks first surfaced toward the end of December when some customers noticed a large volume of UDP traffic targeting port 443 on the appliances. The attacks specifically target appliances with the Datagram TLS (DTLS) protocol enabled.

“Citrix is aware of a DDoS attack pattern impacting Citrix ADC and Citrix Gateway. As part of this attack, an attacker or bots can overwhelm the Citrix ADC DTLS network throughput, potentially leading to outbound bandwidth exhaustion. The effect of this attack appears to be more prominent on connections with limited bandwidth.” the Citrix advisory says.

"The scope of attack is limited to a small number of customers around the world, and further, there are no known Citrix vulnerabilities associated with this event.”

DTLS is a transport-layer protocol designed to provide security for datagram applications. The attacks referenced in the Citrix advisory are affecting the Application Delivery Controller (ADC), Citrix Gateway, and NetScaler ADC and Gateway appliances.

Citrix has released some guidance for enterprises with those products deployed, encouraging customers to disable DTLS if it’s not needed. The company also released some software enhancements for the affected appliances.

“Citrix has added a feature enhancement for DTLS which, when enabled, addresses the susceptibility to this attack pattern. Customers who do not use DTLS do not need to upgrade to the enhancement build. Instead, customers are recommended to disable DTLS,” the advisory says.

]]>
<![CDATA[SolarWinds Attackers Accessed, But Did Not Modify, Microsoft Source Code]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/solarwinds-attackers-accessed-but-did-not-modify-microsoft-source-code https://duo.com/decipher/solarwinds-attackers-accessed-but-did-not-modify-microsoft-source-code Mon, 04 Jan 2021 00:00:00 -0500

As the organizations hit by the SolarWinds attackers have continued to assess the damage to their internal systems, some interesting details have emerged. At the top of that list is the fact that the attackers were able to access some of Microsoft’s source code repositories.

MIcrosoft was one of the first few companies to disclose publicly that it had been a victim of the group that compromised SolarWinds several months ago. The attack on SolarWinds led to the compromise of an update for the company’s Orion IT monitoring platform, which thousands of customers then downloaded and installed in their environments. When the breach was disclosed late last month by FireEye, Microsoft officials said the company was affected and that the attackers had accessed some of the company’s internal systems. Although SolarWinds officials said somewhere around 18,000 customers had downloaded the malicious update, the number of organizations that the attackers exploited afterward is likely a tiny fraction of that number. Some of the known victims include federal government agencies, tech companies, and financial services firms.

But none of those organizations has been as forthcoming about the details of what happened as Microsoft and FireEye. Microsoft said initially that it had discovered the trojaned SolarWinds updates in its network and later expanded on that, saying that the attackers did not have access to customer data or production systems. The company also said that it has not found any evidence that the attackers were able to forge SAML tokens for internal domains, a technique that the attackers used in other victim organizations. But Microsoft officials said Friday that the SolarWinds attackers accessed some of the company’s source code.

“Having investigated further, we can now report that we have not found evidence of the common TTPs (tools, techniques and procedures) related to the abuse of forged SAML tokens against our corporate domains,” the Microsoft Security Response Center said.

“Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor. We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories.”

Although the adversaries had access to some unnamed source code repositories, the account that they used to view them did not have the ability to make any changes to the source code, and the MSRC found that no changes had been made to the code. The MSRC said that it had also found evidence of other attempted movements by the attackers inside the corporate network, but those activities were stopped by Microsoft’s defense.

“At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk,” the MSRC said.

]]>
<![CDATA[Torvalds Favors Memory Protections in AMD Chips]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/torvalds-favors-memory-protections-in-amd-chips https://duo.com/decipher/torvalds-favors-memory-protections-in-amd-chips Mon, 04 Jan 2021 00:00:00 -0500

Personal computers using AMD Ryzen processors can protect memory from various attacks, which isn’t the case for comparable machines from Intel. Linus Torvalds, the creator of Linux, criticized Intel for not supporting the security feature on its non-server processors and noted that AMD offers the feature (unofficially) on its consumer platform.

Memory can be corrupted if a bit is flipped, and there are various attack techniques that change data in memory to collect leaked information or to manipulate calculations. Rowhammer, for example, is a technique that relies on rapid repeated reads of the same memory location to cause changes in adjacent locations. Rowhammer can be used in privilege escalation exploits and other network-based attacks.

ECC, or error_correcting code, is a way to fix these types of memory issues, as additional parity bits are used to verify that the data read from memory is the same as the data was written. Unfortunately, ECC memory is extremely difficult to find—and when found, tend to be expensive. In a discussion on Real World Tech forum, Torvalds blamed the scarcity on the fact that Intel supported ECC only for Xeon processors, which are aimed at servers and high-end workstations. Intel touts how Xeon processors work with ECC memory “to automatically find and fix soft memory errors” in its promotional materials.

But not including ECC support on mainstream platforms, including the Core processors, Intel “made the market for ECC memory go away,” Torvalds wrote.

ECC memory used to be standard and accessible in the past, Torvalds said, but the fact that Intel supported ECC only on high-end platforms reinforced the idea that consumers didn’t need ECC. ECC memory needs to work with the motherboard and the CPU—so the fact that the processors used for consumer computers didn’t support ECC meant there was no incentive for manufacturers to create ECC memory for consumers.

“The ‘modern DRAM is so reliable that it doesn't need ECC’ was always a bedtime story for children that had been dropped on their heads a bit too many times,” Torvalds wrote.

Torvalds is hyper-focused on memory issues because it impacts the work he does for the Linux kernel, and has been publicly critical about the lack of ECC memory for years. “We have decades of odd random kernel oopses that could never be explained and were likely due to bad memory. And if it causes a kernel oops, I can guarantee that there are several orders of magnitude more cases where it just caused a bit-flip that just never ended up being so critical,” he wrote. Kernel errors that were the result of a hardware issue and not a code issue could have been fixed with ECC.

“I want this fixed, and I want ECC,” Torvalds wrote. “And AMD did it. Intel didn't.”

Even though AMD’s support for ECC in Ryzen (and Threadripper) is unofficial, Torvalds said it is still a better alternative since consumers are able to pay for mainstream platforms and get the option to use ECC. If they were looking for ECC from Intel, their only choice would be to pay for server-class hardware. There are some challenges with unofficial support since some motherboards may not be able to work with ECC at all, and the fact that it works may not be clearly documented.

“And the fact that it's ‘unofficial’ for AMD doesn't matter. It works. And it allows the markets to - admittedly probably very slowly - start fixing themselves,” Torvalds said.

Torvalds noted that memory manufacturers are beginning to incorporate ECC internally because “they finally owned up to the fact that they absolutely have to." Even Intel’s own promotional materials acknowledge that faster CPUs and processors means that “soft memory errors occur more and more frequently,” and that “1 in 3 systems experience one or more correctable memory errors a year.”

“Just look at multiple generations of rowhammer, where each time Intel and memory manufacturers bleated about how it's going to be fixed next time. Narrator: ‘No it wasn't,’” Torvalds said.

Restricting ECC memory to just Xeon processors also priced out people who were willing to pay for the feature. The Intel’s Xeon CPUs were too expensive—”twice the CPU for five times the price”—and users (Torvalds included) ended up using consumer CPUs because they were sufficient for most workloads. But there was clearly a demand for alternatives—and Torvalds was “was more than happy to switch away from them [Intel],” once prices dropped. AMD’s Ryzen Threadripper was ”much closer to ‘twice the price for twice the CPU,” which means users could beef up their processors without paying server prices.

"I used to look at the Xeon CPU's, and I could never really make the math work,” Torvalds said.

]]>
<![CDATA[Emotet Back in Circulation]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/emotet-back-in-circulation https://duo.com/decipher/emotet-back-in-circulation Tue, 22 Dec 2020 00:00:00 -0500

After a two-month hiatus, the Emotet group has revved up its operations again, making one last push before the end of the year.

Security researchers began seeing a fresh spam run carrying Emotet-laced attachments this week, the first such campaign since October. The new campaign is using a variety of subject lines in the malicious emails, including Christmas-themed ones and others related to COVID-19. The Emotet group utilizes three discrete botnets to send out spam, known as Epoch 1, 2, and 3. In the new campaign, each botnet is focusing on different types of lures, according to telemetry from the Cryptolaemus group, a cadre of researchers who track Emotet.

“Emotet is back spamming you some XMas cards and Covid Reports again. Operation Zip Lock (Password Protected Zips) strong on E1. E2 was mostly links & E3 was attachments,” the group said in a tweet Monday.

The Emotet group is well-known for taking periodic breaks in its operations, sometimes for a few weeks, and other times for a few months at a time. It’s not exactly clear what the purpose of the shutdowns is, but researchers say it could be a chance for the operators to retool and update their infrastructure and malware. Often, when the malware operation restarts it comes back with new lures, tactics, and other features. Last year, Emotet came back in September from a short break with a new technique that involved stealing the contents of a victim’s email inbox and then using those messages to insert malicious messages into existing threads to add legitimacy. This tactic has been quite successful for the operators since its introduction.

Emotet on its own is highly dangerous, but the malware is often just the first stage of a much more complex and nasty attack chain that involves the Trickbot trojan and the Ryuk ransomware. Those three have been associated with one another for about two years, and many of the ugliest Ryuk incidents have started with an Emotet infection.

Researchers and law enforcement agencies have focused quite a lot of attention on the Emotet operators, with some notable successes. Earlier this year researchers at Binary Defense noticed a change in an update to Emotet that enabled them to develop a method to stop the malware from executing on newly infected machines. The method, known as EmoCrash, prevented the spread of Emotet for more than six months before the operators pushed another update that disabled it.

The most recent Emotet campaign is ramping up slowly but steadily. Researchers at Proofpoint have seen more than 100,000 Emotet-laden spam messages in several languages, and Abuse.ch, which tracks malware URLs and C2 activity, identified 300 new URLs on Monday.

]]>
<![CDATA[Ransomware Task Force to Figure Out How To Fight Ransomware]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/ransomware-task-force-to-figure-out-how-to-fight-ransomware https://duo.com/decipher/ransomware-task-force-to-figure-out-how-to-fight-ransomware Tue, 22 Dec 2020 00:00:00 -0500

A group of security and technology vendors, non-profit groups, and other organizations have formed a coalition to tackle the impact of ransomware on various industry sectors such as government, education, healthcare, and other critical verticals .

The Ransomware Task Force will develop a “standardized framework” that will help organizations across industry verticals defends themselves from ransomware attacks, said the Institute for Security and Technology, who created the task force. The coalition plans to tackle the thorny question of how organizations should fight ransomware by assessing existing technical solutions to ransomware attacks, identifying gaps in those solutions, and develop a “common roadmap” with “clear recommendations for both public and private action that will significantly reduce the threat posed by this criminal enterprise,” IST said.

“The RTF’s founding members understand that ransomware is too large of a threat for any one entity to address, and have come together to provide clear recommendations for both public and private action that will significantly reduce the threat posed by this criminal enterprise,” IST wrote in its announcement.

The difference between this framework and other, prior, efforts is that the framework would be based on industry consensus rather than the advice of individual groups dealing with the problem separately, IST said.

“Ransomware is a scourge on society and disgusting and it’s past time we figured out how to beat this together.”

There are 19 founding members, including security and technology vendors, think-tanks, industry groups, and academic institutions: security vendors Cybereason, McAfee, Rapid7, SecurityScorecard, Stratigos Security, and Team Cymru; technology vendors Citrix and Microsoft; think-tanks Aspen Digital and Third Way; industry groups Cyber Threat Alliance, CyberPeace Institute, Cybersecurity Coalition, Global Cyber Alliance; non-profit Shadowserver Foundation; academic institution UT Austin Stauss Center; insurance company Resilience; and law firm Venable LLP.

The member organizations intend to meet over the first quarter of 2021 to develop the roadmap with concrete objectives and actionable milestones, said Philip Reiner, a former National Security Council official and chief executive of the Institute for Security and Technology. The website with full membership details and leadership roles will launch January 2021 and the goal is to finalize the task force’s report “soon after” the RTF concludes in March or April 2021.

Cyber-insurance is “an important factor in moderating risk and incentives with ransomware attacks,” Reiner said, noting that insurance company Resilience is one of the founding members.

This is the kind of effort that doesn’t need to be done through government because the private sector can do it on a voluntary basis, said Ari Schwartz, executive coordinator at the Cybersecurity Coalition. Success would depend on participation from all stakeholders, including technologists, security experts, policy leaders, lawyers, and former government officials. The task force is the right approach for developing solutions for fighting ransomware because many of the “potential solutions involve cooperation and critical mass,” such as finding ways to share information about incidents and actors without embarrassing or punishing victims.

The framework will “have a major impact with recommendations for policymakers in the private sector and at all levels of government,” Schwartz said.

Task Force Goals

“Ransomware is a scourge on society and disgusting and it’s past time we figured out how to beat this together,” said Sam Curry, chief security officer of Cybereason.

Reducing hackers’ attempts to amplify the impact of ransomware attacks will driving down ransomware costs for the victim and decrease the victim’s inclination to pay ransom demands, Curry said.

Organizations already have access to several tools and services to combat ransomware, such as decryption keys from the No More Ransom project, toolkits for businesses to evaluate their cybersecurity posture, information sharing-repositories such as ID Ransomware, and incident response teams from the Cybercrime Support Network, said Reiner. However, there are organizations who may not even know about the tools, many of which are available for free, or even how other organizations have handled the problem. The task force will not be creating a product to advice organizations on how to respond, Reiner said. The focus will be on bringing awareness and resources by having different groups across industry sectors speak open with each other and develop common strategies.

Typically, when an organization realizes it has been hit by a ransomware attack, it brings in a security expert—an incident response team, for example—to advise the organization on what to do. That may mean buying cryptocurrency and paying the ransom. It may mean giving the insurance company a call. It may mean looking back at disaster recovery plans. It will differ from organization to organization, from consultant to consultant. The task force’s recommendations would it possible for victims across industry sectors to respond similarly—using optimal methods—to ransomware attacks.

Ransomware has been a challenge for organizations, regardless of size. Just being a larger organization——such as the City of Baltimore or the largest electronics manufacturing company in the world Foxconn——doesn't mean they are magically prepared to handle the attack. A small organization has less resources, and may not even know what to do or in what order. A framework can be useful in this context. The key is to avoid a framework that is so high-level and generic that organizations can't work with it.

While the task force recommendations will address mitigating the attack, Reiner said the coalition plans to look at every step of the kill chain, including prevention and deterrence.

“What we are missing is a national plan not just to respond on a case-by-case basis, but to combat the use of ransomware at all levels of the kill chain,” Reiner said.

]]>
<![CDATA[Decipher Library: Holiday Edition]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/decipher-library-holiday-edition https://duo.com/decipher/decipher-library-holiday-edition Mon, 21 Dec 2020 00:00:00 -0500

As the year comes to a close, we hope you will have some well-deserved time off to rest and maybe catch up on some reading. We've asked some of our friends and colleagues to recommend a favorite book, new or old, fiction or non-fiction, to help give you a few good options. Enjoy.

The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, by Shoshana Zuboff

Remember that silly movie line, “if you build it, they will come”? Well it applies in spades when it comes to the erosion of privacy and security in the case of mega corporations like Google, Facebook, and Amazon. Except for it’s more like, “if they build it, they will abuse it regardless of what they say now.” We all know “we are the product” by now. But if you really dig into it, it’s worse than you think. How bad? Well---machine learning algorithms that learn to maximize your eyeball time regardless of how awful you may feel---bad. Read this book. Then despair. --Gary McGraw, Ph.D., author of Software Security, Building Secure Software, and many other books

Skunk Works: A Personal Memoir of My Years at Lockheed, by Ben R. Rich

Skunk Works is worth reading because everyone should see how stealth technology was born, but also because the book contains a number of gems for any organization (or person) wanting to bring new technology into the world. One of the stand-out lessons for me, is seeing how the mighty skunk works, which redefined modern fighter aviation, was not an organization cut free from constraints. At its peak, it was encumbered by almost crippling government bureaucracy. They triumphed despite this. It’s a useful reminder that great technology isn’t created because of open cheque-books and a completely free-hand. Creativity seems to crave constraints and always demands its measure of toil. --Haroon Meer, founder, Thinkst

Infrastructure: The Book of Everything for the Industrial Landscape, by Brian Hayes

If you ever look out at our industrial/urban/rural/transportive/built environment and wonder “what the hell does that do?” then this is the book for you. A field guide for the industrial ephemera of our landscape; from railroads to power plants to power, pit mines, dams, and recycling. It’s 500 pages of explanation of the network of technology that we all take for granted. It’s not just a fascinating look at what it takes to maintain this civilization we’ve constructed around ourselves, it’s also somewhat humbling in the realization of how tenuous and precious it all is. Makes you appreciate those people in the reflective vests keeping it all together for us. --Peter Baker, founding designer, Duo Security

Forward: A Memoir, by Abby Wambach

Wambach's career has so many analogies to the infosec industry, I kept thinking of all the CSO/CISOs I've advised over the years while reading her book. First, I was struck by her evolution from a player to a leader. She spends a great deal of time chronicling how selfish she was as team captain until breaking her leg five days before the Olympic game against China in 2008, when she was forced to re-evaluate her role on the team and what they truly needed from her. For anyone in transitioning from IC to management, the letter Wambach sends her teammates in China is a must-read.

Second analogy that caught my attention was the evolution of Wambach's relationship with validation. For most of her life, she admits she used soccer and her career to fill that void, eventually leading to the erosion of personal relationships and her physical health. But as she matures in her relationships with others, she finds less destructive, more meaningful, and even uplifting sources of validation beyond her career. This book is both a warning and a cause of hope for workaholics and high achievers. --Melanie Ensign, CEO, Discernible Communications

So You Want to Talk About Race, by Ijeoma Oluo Americanah, by Chimamanda Ngozi Adichie Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, by Kim Zetter

I believe information security is fundamentally about how people and organisations work: a social science with a small technical component. I therefore think that reading fiction and non-fiction unrelated to security prepares one better for a security job than we may think.

The relevance in 2020 of So You Want to Talk About Race, Ijeoma Oluo’s book on race and racism in America, is obvious, yet the book is far more than just about that. It is, to put it in security terms, about understanding the threat models of people with less privileges than you have and thus relevant to anyone who wants to understand their fellow human beings.

Chimamanda Ngozi Adichie’s novel Americanah is about love and friendships, but also about cultural differences between Nigeria, Britain and the United States. In doing so, this book too touches on the ever important subjects of race and privilege, while also telling one of the best and most compelling stories I have read in recent years.

And if you really, really insist on reading about security during the holidays, Kim Zetter’s 2014 book on Stuxnet remains an essential read for a good understanding of both the past and the present of infosec. --Martijn Grooten, person working in security

As You Wish: Inconceivable Tales From the Making of the Princess Bride, by Cary Elwes

About 15 years ago, I decided to manufacture a personal holiday tradition in the form of watching The Princess Bride every Christmas. The reasoning for this is simple: it is a flawless film, and making it an annual tradition results in enjoying it (at least) once a year. In a similar holiday spirit, I'll recommend "As You Wish", Cary Elwes' behind-the-scenes collection of anecdotes and interviews with most of the cast and production crew. Even better, treat yourself to the audiobook which has Robin Wright, Wallace Shawn, Ron Howard and many others read their own recollections. All the stories are delightful, but it would still be worthwhile if they only included the chapters where everyone shares their favorite Andre the Giant story. After a year that left many of us feeling mostly dead, pick up "As You Wish" if you'd like a concentrated dose of pure joy. --Zoe Lindsey, security strategist, Duo

Keep Calm and Log On, by Gillian Gus Andrews

My team conducts digital security training, much of it oriented to beginners, and it's hard to name any one book as an "onramp" into these topics. I often think, would I share this with my mom? Often, the answer is no, but I did manage to find one in Keep Calm and Log On. Gus Andrews is exceptional at framing thorny issues around information quality, trust, and digital security, in a friendly and accessible way. Even security professionals may find it affirming and therapeutic. --Dr. Martin Shelton, Principal Researcher at the Freedom of the Press Foundation, conducting user research and overseeing security editorial

Industry of Anonymity: Inside the Business of Cybercrime by Jonathan Lusthaus

A very unique book that is as interesting a read for anyone in the field of security, to investigators and to even to those outside the industry entirely. It is without doubt the most comprehensive study of the communities behind cybercrime that you can find. Lusthaus spent 7 years travelling the world and interviewing dozens of cyber criminals and researchers alike, and despite the thoroughness of the findings it reads like a novel in terms of how quickly the pages go by. It is filled with insights into the psyche, motivations and history of cybercrime and how it differs from culture to culture. No matter what part of the security industry you might sit on, it always helps to better understand the attacker mindset. Finally I guarantee that even the most experienced in this area will find themselves pausing for a “huh, did not think of that before” at least once per chapter. Everyone I’ve recommended it to so far has gone on to recommend it to others, so go grab a copy now, and you can join in on this fantastic knowledge sharing pyramid scheme! You most certainly won’t regret it. --Robert McArdle, director of the Forward Looking Threat Research team at Trend Micro

Scrum: The Art of Doing Twice the Work in Half the Time, by Jeffrey Victor Sutherland Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, by Kim Zetter

As an avid reader, it was hard to pick just two books that have stood out to me most over the years. In terms of program management and team building, ‘Scrum’, is a must read. It explores how the revolutionary approach to software development can help your organization optimize work processes and workflows. A page turner for the DevSecOps enthusiast. Countdown to Zero Day is another one of my personal favorites. The book exploring the 2010 Iranian Stuxnet attacks reads like a modern day Jason Bourne story, but with the cybersecurity implications akin to a new kind of warfare that has been on the rise in recent years. Stuxnet was the most sophisticated digital attack of its kind - and Kim tells the story impeccably.--Yassir Abousselham, CISO of Splunk

Dealers of Lightning: Xerox PARC and the Dawn of the Computer Age, by Michael Hiltzik

If you want to understand the true nature of the hacker mindset, Michael Hiltzik's painstaking account of the early days of Silicon Valley and the birth of PARC is invaluable. The legendary Palo Alto Research Center began in 1970 and functioned as a skunk works for Xerox, a company that was not necessarily known for agility and speed at the time. PARC was responsible for creating or helping to develop many of the technologies that became core components of PCs and other devices: the GUI, Ethernet, the mouse, a WYSIWYG text editor. The small but incredibly talented and driven group at PARC moved fast, broke things, and helped lay the groundwork for the technology industry as we know it today, for better and for worse. Sadly, Xerox didn't capitalize on many of the innovations developed at PARC, much to the annoyance of the engineers who saw the revolution that was coming. Hiltzik chronicles it all, the good, the bad, and the ugly, in a driving narrative that keeps the suspense intact, even when you know the ultimate outcome. --Dennis Fisher

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics, by Ben Buchanan

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics delves into the fascinating world of hackers and states that support and finance them through an international relations lens. Many countries now engage in hacking in the pursuit of their national interests and geopolitics is key to understanding the methods, targets, and motivations underlying those activities. Based on in-depth interviews, declassified files, and forensic analysis of company reports, The Hacker and the State looks at how cyberattacks are used for espionage, sabotage, and for destabilization activities. As reading material, it is extremely hefty (and a bit overwhelming). On a less grand scale, I like The Privacy Engineer's Manifesto: Getting from Policy to Code to QA to Value. This isn’t a technical nuts-to-bolts book, but one that outlines ideas on how to think about how data is collected and used in a way that enterprises can adapt to their specific circumstances. Privacy is often framed in terms of good and evil—companies that “care” and companies that don’t—that it is refreshing to see how engineering principles can be applied to how personal information is protected.——Fahmida Y Rashid

]]>
<![CDATA[Malicious Code Found in Package Repositories]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/malicious-code-found-in-package-repositories https://duo.com/decipher/malicious-code-found-in-package-repositories Mon, 21 Dec 2020 00:00:00 -0500

Over the past few months, attackers have increasingly targeted the software supply chain by populating package managers and code marketplaces with malicious code.

Most recently, RubyGems maintainers removed two malicious gems from the repository of Ruby code packages and libraries. The gems pretty_color and ruby-bitcoin contained code which replaced cryptocurrency wallet addresses present in the clipboard of the infected Windows machine with a wallet address belonging to the attacker. The victim is unlikely to notice that the wallet address copied is different from the one being pasted, allowing the attacker to intercept transactions and steal cryptocurrency funds.

Security firm Sonatype, which scans open source components, found that pretty_color was an “identical replica” of a known package colorize, except it also contained a file version.rb with obfuscated code to run the malicious script. A scrupulous developer checking the gem’s contents would have seen the code to set text color, background color, and text effects, but could have missed the implications of the obfuscated code.

The problem of malicious components is not limited to just RubyGems, as malicious packages have been found in repositories for Python (such as PyPl), JavaScript (npm) packages, and even Docker images. A dynamic analysis of publicly available Docker images on Docker Hub found about 6,500 malicious images out of the 4 million images hosted in the repository, security startup Prevasio said earlier this month. Images included cryptominers, malicious JavaScript packages, hacking tools, and Windows malware. Many of them didn’t contain malicious code, but had instructions to download the malware when the images are run.

npm Issues

Earlier this month, npm removed two JavaScript packages which contained code to install a remote access Trojan on developer machines. If the developer imported and installed either jdb.js and db-json.js, a script performed basic reconnaissance of the infected machine and attempted to download an executable file. Once downloaded, that executable whitelisted the command-and-control server in the local Windows firewall in order to download the njRAT (also known as Bladabindi) malware. This Trojan has been previously used in espionage and data theft operations since 2015.

"The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it," the npm team wrote in an advisory at the time. "All secrets and keys stored on that computer should be rotated immediately from a different computer.”

Both packages were downloaded more than 100 times before their malicious behavior was detected by Sonatype, which scans package repositories on a regular basis. That sounds like a small number, but these types of attacks don’t need a large number of downloads to be effective. These attacks involve tricking developers into downloading packages, and not injecting malicious code into legitimate components. It is relatively easy to keep tossing malicious libraries onto repositories and collecting victims a few at a time.

A quick rundown of npm advisories shows about a dozen JavaScript packages have been found and removed from the repository since August. A package claiming to provide an interface to the Fall Guys: Ultimate Knockout game API was removed in August because it was actually stealing sensitive files from the infected users' browsers and Discord applications (fallguys, 300 downloads). Four libraries tried to collect user details and upload stolen data to a public GitHub page (electorn, 255 downloads; lodashs, 78 downloads; loadyaml, 48 downloads; loadyml, 37 downloads) in September. Four npm packages were removed in October which opened reverse shells (backdoors) on infected computers (plutov-slack-client, nodetest199, nodetest1010, npmpubman: over 1000 downloads in all). A package removed in November tried to open backdoors on infected systems (twilio-npm, downloaded 370 times). Another package removed in November was an updated version of fallguys, Sonatype said (discord.dll, 100 downloads).

The plutov-slack-client removed in October pretended to provide a JavaScript Slack interface for Node.js applications. In actuality, it opened an external connection, giving attackers an entry point to the server running the application. It was downloaded only for a few weeks, but attackers potentially had access to data of hundreds of victims.

Typosquatting Tricks

Attackers are utilizing different types of tricks to trick developers into using malicious software components into their applications, including typosquatting. Typosquatting refers to taking advantage of typing mistakes by using names that are similar to other packages. Typically, if someone makes a mistake typing the name of a component, then that person should get an error message because it doesn’t exist. Attackers are creating components using common variations, which means there are no error messages, and the person doesn’t know about the mistake.

The four JavaScript packages removed from npm in September are examples of typosquatting. The electorn package was a misspelling of electron, a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. were misspelled versions of popular packages and was a form of typosquatting attack.

Back in 2019, ReversingLabs found bb-builder, a JavaScript package which stole user credentials, and surmised it was likely trying to trick developers looking for the bb-build package, wrote Tomislav Peričin, the chief software architect and co-founder at ReversingLabs.

Attackers seeded RubyGems with more than 760 malicious gems using names just a bit different than the standard code libraries, researchers at ReversingLabs said back in April. The atlas-client gem, which was trying to do the same thing as pretty_color to swap out cryptomining wallet addresses in the clipboard, was a misspelling of the atlas_client gem, which is used to access an API. The malicious gem was downloaded over 2,000 times.

Polluted repositories cause significant damage to software security because the malicious components can have a cascading effect. Even if the developer doesn’t include those specific packages in the application, if those packages are included in some other package that the application is using, then that application becomes compromised. Dependency scanning tools, like what GitHub offers, help developers discover these problematic nested components.

Software repositories, package managers, and vulnerability databases are all necessary components of the software supply chain, as are the developers and end users who leverage them,” the Linux Foundation said in February. “Unless and until the weaknesses inherent within their current designs and procedures are addressed, however, they will continue to expose the companies and developers who rely upon them to significant risk.

]]>
<![CDATA[CISA: Attackers Used Vectors Other Than SolarWinds Backdoor]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/cisa-attackers-used-vectors-other-than-solarwinds-backdoor https://duo.com/decipher/cisa-attackers-used-vectors-other-than-solarwinds-backdoor Fri, 18 Dec 2020 00:00:00 -0500

As the myriad strings of the SolarWinds breach continue to unravel, the nation’s top cybersecurity agency is warning that the actors behind the intrusion had other initial vectors to gain access to some of the victim organizations and install its backdoor.

In an advisory published Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) said that during its investigation into the government and private sector compromises that followed the SolarWinds breach, it found additional methods that the actors used to access some victims’ networks.

“The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged,” CISA’s advisory says.

“CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed.”

Earlier this week FireEye and Microsoft released details of an operation by an unnamed actor who was able to compromise the corporate network of SolarWinds, a provider of IT monitoring and management software. The attackers were then able to gain access to an internal build server and load a malicious update for the company’s Orion platform, which was then published and downloaded by nearly 18,000 SolarWinds customers around the world. The update, which was signed by SolarWinds’ own code-signing certificate, contained a vulnerability that the attackers were able to leverage to install a backdoor known as Sunburst onn victim networks. The company’s customers include virtually all of the Fortune 500, government agencies, NGOs, and other organizations.

“The SolarWinds Orion supply chain compromise is not the only initial infection vector."

Although thousands of SolarWinds customers downloaded the malicious update, it’s important to note that likely only a small fraction of those organizations were targeted for further exploitation. The attackers used a couple of different mechanisms for maintaining persistence on systems that they chose to exploit, including the use of privileged accounts in the Windows Active Directory.

“CISA has observed the threat actor adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism. In many instances, the tokens enable access to both on-premise and hosted resources,” the CISA advisory says.

“Microsoft reported that the actor has added new federation trusts to existing infrastructure, a technique that CISA believes was utilized by a threat actor in an incident to which CISA has responded. Where this technique is used, it is possible that authentication can occur outside of an organization’s known infrastructure and may not be visible to the legitimate system owner.”

Similarly, the attackers behind this activity have also been seen forging SAML tokens, which are used for authentication to certain services inside a network. This technique is not novel or even unique to this operation, but it gives the attackers highly privileged access to a variety of services and applications on target networks. Those forged SAML tokens are incredibly valuable, allowing the attackers to gain access to systems such as email, business intelligence, and others that rely on SAML.

“The actors compromise on-premises components of a federated SSO infrastructure and steal the credential or private key that is used to sign Security Assertion Markup Language (SAML) tokens. Using the private keys, the actors then forge trusted authentication tokens to access cloud resources,” the NSA said in a separate advisory on attackers abusing federated identity systems.

]]>
<![CDATA[Stopping SolarWinds Backdoor with a Killswitch]]> fahmida@decipher.sc (Fahmida Y. Rashid) https://duo.com/decipher/stopping-solarwinds-backdoor-with-a-killswitch https://duo.com/decipher/stopping-solarwinds-backdoor-with-a-killswitch Thu, 17 Dec 2020 00:00:00 -0500

Security company FireEye has identified a killswitch that would stop the Sunburst malware from executing in infected networks.

Security operations teams investigating for signs that nation-state attackers had deployed the Sunburst malware into their networks using the SolarWinds' Orion network monitoring technology can use the killswitch to detect and mitigate the threat. However, if the attackers had already deployed other backdoors or mechanism to maintain persistence, they remain a threat in the network.

Defenders have been scrambling ever since news broke that nation-state attackers had compromised network monitoring company SolarWinds, added malicious code to a DLL file used by the Orion network monitoring technology, and pushed out the tampered file to SolarWinds customers via the auto-update mechanism. FireEye discovered the malicious DLL file—named Sunburst by FireEye and Solarigate by Microsoft—while investigating a breach of its own network.

Just having the malicious DLL alone does not mean the network has been compromised, SolarWinds said.

Sunburst connects to a command-and-control server at a subdomain avsvmcloud to receive "jobs," or commands, to execute, FireEye said in its analysis, which was released as part of a coordinated disclosure with Microsoft and SolarWinds. A first-stage Trojan, Sunburst drops additional payloads into the network to allow attackers to elevate privileges, move laterally through the network, and steal information. Under the right conditions, it would be possible to force the malware to terminate itself, FireEye said.

"Depending on the IP address returned when the malware resolves avsvmcloud dot com under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections," FireEye said. FireEye identified about a dozen IP address ranges, and if an IP address fell within any of those ranges, the malware would stop execution.

Killswitch Mechanism

The domain now resolves to an IP address owned by Microsoft and the current domain name registrar is GoDaddy, said Brian Krebs, of KrebsofSecurity. GoDaddy appears to have created a wildcard DNS resolution so that all subdomains resolve to the Microsoft-owned IP address, BleepingComputer reported. By taking over the subdomain, Microsoft, GoDaddy, and FireEye ensure that all malicious traffic is captured. The malware won't be able to receive any malicious commands, and the traffic data can be analyzed to identify victims.

Any infected machine trying to connect to the C&C server on the domain will be redirected to a Microsoft-owned server and not the actual malicious server. Since the Microsoft-owned IP address fell within one of the IP address ranges, the malware would terminate and prevent itself from executing again. While the infected machine would remain infected, it will no longer be at risk of the malware trying to execute commands or download any other payloads.

Microsoft has collaborated with other companies to create sinkholes to disrupt botnets in the past. The 2017 WannaCry ransomware outbreak was eventually stopped by registering a domain the ransomware relied on to divert malicious traffic. It seems likely that the attackers had put the Microsoft's IP address block in the malware's block list to prevent Microsoft's security operations and research teams from finding and analyzing the malware.

The killswitch is effective against new and previous Sunburst deployments that may be still beaming to the subdomain, FireEye said. If the attacker had already used Sunburst to deploy other backdoors, then it didn't matter if the malware couldn't get any more jobs from the C&C server. That is a likely scenario since FireEye said the threat actor "moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor."

Even though the killswitch would not remove the threat actor from the network, it could make it harder for the attack group to use Sunburst, FireEye said.

Victims Around the World

SolarWinds said a preliminary investigation suggested attackers had compromised its build system. For most organizations, this kind of a compromise would be difficult to detect, since very few of organizations verify the tool being used when compiling code and building applications. The organization's software development process may check that code is being modified by authorized parties and that it is properly signed using the organization's key. However, most organizations don't check the build system (unless they are using hermetic build systems, which verifies where the build tools came from and what changes have been made to it before building software), so it becomes even less likely that malware would be detected in this kind of a scenario.

The malware has infected the networks of several federal agencies, including the United States Treasury, the US National Telecommunications and Information Administration, and the Department of Homeland Security. SolarWinds has thousands of customers in both the public and private sectors--a list which includes most federal agencies, all five branches of the military, almost all Fortune 500 companies, and thousands of managed services providers--but the magnitude of the attack is unknown at this time. Perhaps the attackers were interested in any and all organizations that could access, or they may have been targeting a very specific list of victims.

Just having the malicious DLL alone does not mean the network has been compromised, SolarWinds said.

Chinese cybersecurity firm RedDrip Team said it had identified nearly a hundred suspected victims, including universities, governments, and high-tech companies, using its decoder tool.

SolarWinds has not yet disclosed how the attacker gained access to its system to insert malware into the company's software update process. Researchers at Intel471 said they had seen Russian-language actors trying to sell access to SolarWinds up to three years ago. The seller had “allegedly attempted to work his way deeper into the SolarWinds network and eventually to the source code of its products,” Intel471 said.

FireEye has released indicators of compromise and other data to help security teams check their networks for signs they were also compromised. Other security vendors, including Microsoft, have added signatures for the malicious DLL file to their malware detection tools. SolarWinds has also released a hotfix and other updates that would address the issue in all impacted versions of the technology.

]]>
<![CDATA[The Long Tail of the SolarWinds Breach]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/the-long-tail-of-the-solarwinds-breach https://duo.com/decipher/the-long-tail-of-the-solarwinds-breach Tue, 15 Dec 2020 00:00:00 -0500

For the thousands of SolarWinds customers who may have installed a trojaned update planted by attackers earlier this year, the next few days and weeks will be tense and stressful as the incident response teams work to determine what, if any, damage has been done. But, because of the way the intrusion happened and the way the SolarWinds platform works, it may be much longer before many organizations know the full scope of the problem.

On Sunday, FireEye and Microsoft published details of an operation in which an attacker was able to access the internal network of SolarWinds, an enterprise IT monitoring software maker, get to a build server, and plant a malicious update file on the server. When that update made its way onto customers’ networks, the attackers then had a mechanism to install a backdoor, giving them access to the SolarWinds Orion deployments on those networks, and potentially many other parts of the network. The actors behind the intrusion used the technique to compromise FireEye and several federal government agencies, but it’s unclear how many other customers may have been affected, too. SolarWinds said fewer than 18,000 customers had downloaded the malicious update, but the company’s customers include some of the larger companies in the world, spanning technology, finance, banking, aviation, and many other industries.

The challenge for the security and IR teams at those companies now is not only determining whether the attackers accessed and exfiltrated any sensitive data, but also whether any of the systems connected to their SolarWinds deployment can be trusted. SolarWinds’ Orion platform is used to monitor a wide range of enterprise IT systems, and many organizations store credentials for those systems in the Orion database. So an attacker with access to that database would then have the keys to many of a target company’s internal resources.

“If you have that latest patch installed for SolarWinds, then you have to assume you were breached. You have to rotate those credentials as soon as possible. But the problem is it’s very hard to know what credentials you have stored in there,” said Rob Fuller, a security researcher who has worked extensively on SolarWinds for several years.

“SolarWinds is a beast. It’s huge. There are parts of it that don’t change. The RSA key is generated per customer, but it never changes after that. If I get access to the SolarWinds box just once, it’s essentially like a golden ticket. I can go back and talk to the database anytime I want and dump any of the data and any new credentials.”

Fuller released a tool on Tuesday called SolarFlare that’s been in development for several years and can be used to find and dump any credentials stored in SolarWinds Orion. SolarFlare was designed as a red team tool and Fuller said he’s used on many engagements in the past, including a recent one in which the organization had more than 200 sets of credentials stored in the Orion database. One of the tool’s capabilities is finding and reading the value of a cookie for the Erlang distributed programming system that’s stored in the Orion database. That value does not change over time and an attacker who was able to gain access to it would have system-level access to the other machines in the cluster. Fuller debated releasing the tool, but said he wanted IR teams and red teams to have the same capabilities to assess their exposure as the attackers in the intrusions seem to possess.

“That cookie would be the key to SolarWinds anytime you want it, as long as you can access the port it’s running on. If they were able to get that cookie out, they can get back into the box whenever they want,” he said.

“IR teams need to dig in on any use of the credentials stored in there and look for any kind of anomalies.”

"This is going to haunt us for a while."

But the challenges don’t stop with finding and rotating credentials, which is no mean feat in and of itself. The next issue is trying to determine whether the attackers accessed any of the other systems connected to SolarWinds, and if so, how to handle remediation.

The problem is you end being able to not trust any single component in the company. These are flat networks with phones and security cameras and door access everything else on the same network. Any one of those things could have to be fully redone, keeping in mind you probably want a lot of the data on those machines to move to new machines. It’s an enormous undertaking to do it right,” said Robert Hansen, CTO of BitDiscovery and a longtime security researcher who has helped companies recover from this kind of intrusion.

“It doesn’t take much for a determined adversary on a juicy target to pivot to the next target and the next one. It’s not just the data on those machines that’s suspect, it’s everything they had access to: API keys, GitHub repos, Salesforce. Anything you had access to from those machines.”

Treating that much of a corporate infrastructure as suspect makes daily operations difficult, and there’s the extra layer of the Sunburst backdoor used by the attackers perhaps lying in wait for months or years. Some of the C2 servers used by the malware have been taken offline, but that is likely not the end of the story.

“We’re lucky FireEye found this. A traditional company is not going to find this kind of thing for the most part. But what else is out there? What else can this malware do now that the C2 is offline? I’m not positive that every compromised box had human hands on it, but at the very least I’m sure a foreign adversary somewhere was cataloging what organizations were vulnerable. This is going to haunt us for a while,” Hansen said.

]]>
<![CDATA[Broad Cyber Espionage Campaign Follows Supply Chain Attack on SolarWinds]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/broad-cyber-espionage-campaign-follows-supply-chain-attack-on-solarwinds https://duo.com/decipher/broad-cyber-espionage-campaign-follows-supply-chain-attack-on-solarwinds Mon, 14 Dec 2020 00:00:00 -0500

In one of the more audacious and potentially damaging intrusions in recent memory, attackers were able to create a malicious update for the widely deployed SolarWinds Orion enterprise monitoring platform that was then downloaded and installed by an untold number of customers, including government agencies, technology companies, financial firms, and others around the world.

The attack, disclosed Sunday, could have far-reaching effects for enterprises and government agencies alike, as the attackers had high-level access to many of the compromised organizations for several months. In an 8-K filing Monday, SolarWinds said it believes "fewer than 18,000" customers may have installed the malicious update.

“The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing,” FireEye said in its analysis of the attacks.

The first known-malicious update for Orion was deployed in March and the last one was released in June. SolarWinds has released a new update, and the Cybersecurity Infrastructure and Security Agency published an emergency directive requiring federal civilian agencies to take immediate action to disconnect hosts running the compromised software and report any incidents to CISA by noon Monday.

“Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain,” the CISA directive says.

The SolarWinds Orion IT monitoring platform is used widely in enterprise environments and the company’s customer list essentially reads like the Fortune 500. It also lists many federal agencies as customers, including NASA, NSA, the Department of State, and the Office of the President of the United States. How the attackers were able to build a malicious update for Orion and get it hosted on the company’s update server is the big question in this operation, which could have repercussions for months and years to come. In the 8-K filing with the Securities and Exchange Commission Monday, SolarWinds said the vulnerability "was introduced as a result of a compromise of the Orion software build system". Microsoft's analysis reached the same conclusion.

“Although we do not know how the backdoor code made it into the library, from the recent campaigns, research indicates that the attackers might have compromised internal build or distribution systems of SolarWinds, embedding backdoor code into a legitimate SolarWinds library with the file name SolarWinds.Orion.Core.BusinessLayer.dll. This backdoor can be distributed via automatic update platforms or systems in target networks seen globally since March 2020,” an analysis by the Microsoft Security Response Center says.

“Once the certificate has been acquired, the actor can forge SAML tokens with whatever claims and lifetime they choose."

“While updating the SolarWinds application, the embedded backdoor code loads before the legitimate code executes. Organizations are misled into believing that no malicious activity has occurred and that the program or application dependent on the libraries is behaving as expected. The attackers have compromised signed libraries that used the target companies’ own digital certificates, attempting to evade application control technologies. Microsoft already removed these certificates from its trusted list.”

This type of supply chain attack is not nearly as common as other forms of attack, mainly because it is quite difficult to accomplish. But when such an operation succeeds, the results can be devastating. The most well-known example is the attack on M.E. Doc, a software firm in Ukraine, in 2017. In that intrusion, the attackers had stolen administrator credentials and were able to load a trojanized update. That incident eventually led to the NotPetya attack that affected a large number of Ukrainian companies. The SolarWinds attack could have much broader effects, given the composition of the company’s customer base and the level of access the attackers had to the compromised organizations. Microsoft’s analysis found that the attackers were able to forge SAML tokens using stolen SAML signing certificates.

“Once the certificate has been acquired, the actor can forge SAML tokens with whatever claims and lifetime they choose, then sign it with the certificate that has been acquired. By doing this, they can access any resources configured to trust tokens signed with that SAML token signing certificate. This includes forging a token which claims to represent a highly privileged account in Azure AD,” Microsoft said.

Among the known victims of the intrusion are the Department of the Treasury and the Department of Commerce, and Reuters reported Sunday that the incident caused a meeting of the National Security Council over the weekend. For enterprises running the compromised versions of Orion, the recommendations in the CISA advisory are applicable in most cases. The agency recommends organizations forensically image the memory and OS of affected machines and look for new user or service accounts. Both FireEye and Microsoft have released indicators of compromise for these intrusions.

]]>