‘SolarWinds’ breach of U.S. government networks is huge, also nothing new
If you work in information security you’ve probably not been able to escape the ‘SUNBURST’ aka ’Solorigate’ news this week that popular network management tool SolarWinds Orion has been compromised and a backdoor included within its code.
A sophisticated state actor gained access to the SolarWinds sometime between October 2019 and March 2020 to implant a backdoor into their software. As the code was altered within SolarWinds development lifecycle it ultimately was compiled and signed by the company as legitimate software, and then distributed to customers along with other bug fixes and feature updates.
The malicious code allows the attackers to collect and upload system information, run tasks, manipulate files and alter the system registry. It is believed to have been discovered during the investigation into the FireEye breach, announced last week (vol. 3, iss. 50).
While the deployment via updates may have an automated element to it, the next stage was a highly manual process and very ‘low and slow’ to avoid detection. SolarWinds has about 300,000 customers, and of those around 18,000 are reported to be running compromised versions of the software. Only 40 (0.2%) of those 18,000 are believed to have been compromised. That’s because the purpose of the attack is almost certainly espionage: those victims are mostly U.S. government organisations and political think tanks. So far the U.S. Treasury, Commerce, State, Defence, Homeland Security and Energy departments are all believed to have been compromised in the attack. U.S. Secretary of State, Mike Pompeo, has attributed Russian intelligence services as the source of the attack.
This is both huge news - it undoubtedly marks a significant national security incident for the United States - however, it is also largely inconsequential for the vast majority of people and, in many ways, absolutely nothing new.
It’s not the first software supply chain attack. Neither is it the first time state-sponsored attackers have targeted supply chains and managed service providers to gain access to their customers’ networks. Three years ago CCLeaner, a disk utility, that had racked up over 2 million installs was pinned on Chinese intelligence. Chinese actors are also believed to be behind the ‘CloudHopper’ breaches discovered by PwC and BAE Systems that targeted IT out-source companies to gain privileged access onto the customer networks they managed. And who can forget 2016’s NotPetya outbreak, linked to Russia’s Main Intelligence Unit (GRU aka Fancy Bear) that is estimated to have caused over $10 billion in damages after it spread beyond the intended targets in Ukraine.
Nation-states have been busy in cyberspace and the collateral damage has been significant. Not least of which is equally attributable to Western governments.
Data leaked by Edward Snowdon cast a light on the massive, the highly automated scale of intelligence operations conducted by the U.S. National Security Agency and U.K. GCHQ. Leaked NSA files purported to show NSA operatives installing hardware backdoors in Cisco networking equipment destined for overseas customers.
The U.S. also has a published doctrine of ‘defending forward’ in cyberspace. Proactively compromising foreign critical infrastructure so that it is in a position to cause impact when required, instead of starting operations from scratch. In June last year, the New York Times reported that the U.S. had stepped up ‘digital incursions’ into Russia’ electricity grid to deploy “potentially crippling malware”.
Harvard law professor Jack Goldsmith suggests that this may be the potential response to Defend Forward. “It requires the United States to do the very thing it is trying in part to prevent—massive spying inside government networks” (The Dispatch).
This is a significant win for a U.S. adversary, and certainly one of the more high-profile, public national security breaches, though no national power is innocent here. Spies are gonna spy.
Microsoft, who have also been caught up in the compromise, has been busy rolling out new detection content to Defender, seizing control of a domain name used for command and control, and quarantining the offending compromised software. This proactivity gives some comfort that they are ‘on it’ though, at this stage, you’d expect them to be: while they have denied being used to compromise customers, more worrisome is the potential access to the Windows, Office or Azure codebases.
Redmond is also calling this a ‘moment of reckoning’ and calling for creating threat intelligence sharing, strengthening of international rules, and increased accountability for those that break them. ‘Cyber norms’ are proving elusive and not helped by the U.S. and Russia having competing proposals (vol. 2, iss. 39). In the meantime, it seems SolarWinds may have been compromised by more than one group. Reports quickly surfaced that the password on their update server was “solarwinds123” and that access had been for sale on criminal marketplaces for a couple of years (The Register). Microsoft’s technical write-up also indicates that in an ‘interesting turn of events’ they discovered additional, albeit less sophisticated, malware bundled in the Orion product. For now, you can expect supply chain security vendors to be knocking down your door. They’re not wrong: we do need to work out how to build better trust throughout supply chains, though given the care taken compromising SolarWindows, I doubt quizzing them against your preferred security controls framework is going to be preventing a SUNBURST style breach. When speaking to key suppliers about cyber security, make sure you cover how they secure their product, or production services, as well as their company IT infrastructure. The scale and consequences of this attack will likely unfold over many years. In the meantime please, please, don’t turn off auto-updates.
If you’re a SolarWinds Orion user, then NCSC has some great, straightforward guidance for you on what to do to protect your organisation ncsc.gov.uk.
4,000 lines of code added to SolarWinds.Orion.Core.BusinessLayer.dll, 300,000 SolarWinds customers, 18,000 installs of the compromised software, 40 currently identified victims, 80% are in the United States, in the Solorigate attack, according to Microsoft microsoft.com
There is no single, dominant attack vector being used by ransomware operators: 35% exploit remote services or public-facing applications… 39% rely on spear phishing links or attachments… 16% use valid accounts for access, according to MDR Cyber mishcon.com
3 million installs of 28 malicious Chrome and Edge extensions intended to intercept and redirect traffic for financial gain zdnet.com
Other newsy bits
Automation and misconfiguration lead to multiple outages at Google
Google experienced a series of outages this week. First up, on Monday morning, their authentication services started failing. This caused users to be unable to login, and some public sites (such as YouTube) to fail unless logged out or using private browsing. The issues were fixed within ’47 minutes’, and were caused when Google’s automated systems reduced the disk space quota for the authentication service. Without the ability to write new info the distributed systems soon started failing as authentication tokens expired and requests were unable to be validated. Two quota systems had been running in parallel, with one reporting zero usage, that allowed the limit to be reduced. The following day Gmail started rejecting some emails after a configuration error caused Google’s mail servers to reject emails intended for @gmail.com recipients. It sounds like an engineer typo’d the domain name as part of migration activity. theguardian.com, techcrunch.com, google.com
Emulating 16,000 devices to make off with millions of dollars
The research team at IBM Trusteer has a write up of a recently discovered mobile banking fraud operation. The criminal group use mobile device emulators and automation to rapidly iterate through captured banking credentials, empty bank accounts and make off with millions of dollars. In the case study they talk about 20 emulators being used to spoof over 16,000 mobile devices. Catching my eye was the section discussing how the emulators appeared to be generating environments to match the characteristics of the accounts they were targets: e.g. appearing to be Android if they victim used an Android smartphone, and so on. It’s an interesting dive into the industrialisation and automation behind scaled cybercrime and banking fraud. securityintelligence.com
Attacks, incidents & breaches
- Over 50GB of data stolen from Intel subsidiary Habana Labs by Pay2Key ransomware group (see Threat Intel below) theregister.com
- Spotify has notified a ‘small subset’ of customers under California Consumer Privacy Act over a vulnerability that may have ‘inadvertently exposed’ Spotify account information scmagazine.com
- Address, phone, email and other account info of 250,000 customers stolen from British energy supplier People’s Energy. Financial and password data was not accessed. theregister.com
- Pay2Key ransomware operation may be linked to APT33, aka Fox Kitten, group linked to Iranian state and provide cover for information theft, according to ClearSky bleepingcomputer.com
- Contact Form 7 plugin, used on over 5 million Wordpress sites, disclose details of critical vulnerability bleepingcomputer.com
- The Center for Threat-Informed Defense, a non-profit, privately funded research organisation operated by MITRE Engenuity, has released a mapping between the MITRE ATT&CK and NIST 800-53 Security and Privacy Controls frameworks mitre-engenuity.org, github.com
- Apple has launched ‘privacy nutrition labels’ across the AppStore. Developers self-report the permissions they ask of users and what actions they take with the data they collect. zdnet.com Facebook’s run to 10 screens-worth of disclosures @ianfogg42 You can also see the (stark!) difference between Signal, Telegram, WhatsApp and Messenger @themitchpollock
- Twitter has been fined €450K (~£408K, ~$551K) for failing to notify Ireland’s Data Protection Commission (DPC) within the 72 hours of a breach over the Christmas period in 2018. The DPC acts as the lead privacy regulator for the European operations for many Silicon Valley tech companies. The investigation has taken almost two years. techcrunch.com
- European Council has adopted a resolution seeking “security through encryption and security despite encryption” and calling for solutions to provide target, lawful access to encrypted data. It’s the usual arguments around needing ‘backdoor’ access to encrypted data, though notably and explicitly requires no single pan-European solution techcrunch.com
- FBI and Interpol seize four domains relating to Joker’s Stash carding marketplace zdnet.com
Air-Fi covertly exfiltrates data using RAM to emit wi-fi signals
The researchers at Israel’s Ben-Gurion University are no strangers to coming up with novel ways of jumping air-gapped networks. Previously they have flickered monitor brightness to transmit data (vol. 3, iss. 6) and even tweak the speeds of cooling fans to elite vibrations to be picked up by accelerometers in smartphones (vol. 3, iss. 16) to exfiltrate data from systems that don’t have wired or wireless connections to the outside world. In this research, they show that it is possible to manipulate the memory in a device to generate electromagnetic signals in the 2.4 Ghz wireless spectrum. This can then be picked up by a nearby device - such as a smartphone - running an app to listen for the weak signals. zdnet.com
It’s been an extraordinary year and the news of tougher restrictions mean that Christmas celebrations, for those that celebrate, will be very different for millions of people in the UK, and around the world. The final issue of 2020 will be a chance to reflect on Volume 3 of this newsletter covering the events of the last 12 months and a little bit of thinking for what 2021 may hold.
In the meantime, I hope you have a joyful and peaceful time and, whatever form it takes, wish you a Merry Christmas.