Robin’s Newsletter #133

3 January 2021. Volume 4, Issue 1
Microsoft source code accessed in Solorigate attack. Plus advice on buying and selling second-hand devices from NCSC. And how much does cybercrime cost Russia?

This week

Solorigate attackers accessed Microsoft source code

In their first blog post on the Sunburst/Solorigate attack (vol. 3, iss. 51) Microsoft was quick to state there was no evidence of access “to production services or customer data.” That left the door open to the confirmation on New Year’s Eve that development environments were compromised and source code accessed.

That, in itself, isn’t a directly ‘bad thing’. Microsoft regularly shares its source code with governments seeking to assure themselves that it is secure for use in sensitive military and intelligence systems. It may give the perpetrators a short cut of sorts in any searches for vulnerabilities to use in future operations. Though there are easier ways to compel Microsoft to turn over their source code.

“[We] do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk,” said Microsoft in an update to their investigation where they also explained that the accounts used to view the source code were read-only and did not have permission to make changes.

Because Microsoft regularly shares its source code it also makes it unlikely that there are any hardcoded credentials, cryptographic material or other security keys that you sometimes read about when companies push code to public repositories.
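To make concrete the kind of leak the paragraph above alludes to, here is a small secret scanner written for this page (example code, not Microsoft's or any vendor's tooling). It runs a few named regexes plus a Shannon-entropy check over a constructed settings file whose values are all placeholders; the category names, the 4.0 bits-per-character threshold and the 20-character minimum for the entropy rule are assumptions chosen for the example. Empty defaults and values read from the environment are deliberately left unflagged, and a long but word-like string is shown scoring below the threshold.

```python
import math
import re
from typing import List, Optional, Tuple

# Constructed sample file contents. Every value is a placeholder; the AWS key
# is the well-known documentation example value, not a live credential.
SAMPLE_SOURCE = """\
# settings.py (constructed example; every value is a placeholder)
DB_HOST = "db.internal.example"
DB_PASSWORD = "hunter2-prod-2020"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
API_TOKEN = os.environ["API_TOKEN"]
password = ""
SESSION_SALT = "c7Qx9vLm2pRt4kWz8nBy1hJd"
WELCOME_MESSAGE = "welcome_to_the_internal_portal"
SIGNING_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----"
LOG_LEVEL = "INFO"
"""

# Named rules for well-known shapes of leaked material. Where the rule captures
# the secret value in a group called "secret", the report redacts it.
PATTERNS = [
    ("hardcoded password",
     re.compile(r'(?i)(?:passw(?:or)?d|pwd|passphrase)\s*[:=]\s*["\'](?P<secret>[^"\']{4,})["\']')),
    ("cloud secret key",
     re.compile(r'(?i)\baws_secret_access_key\s*[:=]\s*["\'](?P<secret>[A-Za-z0-9/+=]{20,})["\']')),
    # The PEM header is not itself secret (the lines after it are), so no group.
    ("private key material",
     re.compile(r'-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----')),
]

# Fallback: any quoted token of 20+ base64/identifier characters is a candidate
# for the entropy check.
QUOTED = re.compile(r'["\'](?P<secret>[A-Za-z0-9/+=_\-]{20,})["\']')


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(line: str, secret: Optional[str]) -> str:
    """Mask the captured value, keeping two characters at each end for context."""
    if secret is None:
        return line
    if len(secret) <= 6:
        return line.replace(secret, "*" * len(secret))
    return line.replace(secret, secret[:2] + "*" * (len(secret) - 4) + secret[-2:])


def scan_source(text: str, entropy_threshold: float = 4.0) -> List[Tuple[int, str, str]]:
    """Return (line_number, category, redacted_line) for each suspicious line.

    Named rules run first; the entropy rule only reports a line no named rule
    explained, so every flagged line yields exactly one finding.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append((lineno, category, redact(line, m.groupdict().get("secret"))))
                break
        else:
            for m in QUOTED.finditer(line):
                if shannon_entropy(m.group("secret")) >= entropy_threshold:
                    findings.append((lineno, "high-entropy string", redact(line, m.group("secret"))))
                    break
    return findings


if __name__ == "__main__":
    for lineno, category, shown in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {category}: {shown}")
```

Running it reports the hardcoded password, the cloud key, the random-looking salt and the PEM header, while the host name, the empty default, the environment lookup and the word-like welcome string pass. The entropy fallback is what catches secrets whose variable names give nothing away; its threshold is the knob to tune against false positives on long identifiers.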

According to Microsoft, the on-premises portion of the attack (against SolarWinds Orion) was to gain access to ‘SAML’ authentication tokens needed to access off-premises cloud-based resources. The U.S. Cybersecurity and Infrastructure Agency (CISA) has released a tool, dubbed Sparrow, to detect this type of suspicious activity.

The New York Times has a broader update on what is known about the attack and the leadership of outgoing SolarWinds CEO Kevin Thompson.

Thompson comes from a financial background and, while almost tripling profit margins over nine years, did so by pursuing cost-savings and eschewing expensive security programmes. SolarWinds only appointed an individual to be responsible for security in 2017, in response to potential GDPR penalties.

Over 250 federal agencies are now thought to have been compromised. It may be ‘years’ until the U.S. is confident of having completely removed the attackers from its networks. (Sources: Microsoft investigation update; TTPs and use of Defender; Sparrow tool.)

Interesting stats

  • 500% increase in bank card fraud during 2020, according to Russia’s interior ministry, as the government encourages a shift from cash to cards to crack down on ‘shadow economies’, while…
  • 3.6 trillion RUB ($49B USD) is the cost estimated by Sberbank of cyber attacks on Russian companies and citizens

Other newsy bits

Protecting your personal data on second-hand devices

Some timely guidance from the U.K. National Cyber Security Centre (NCSC) providing advice on how to protect your personal data when buying and selling second-hand phones, tablets and other connected devices. So if Santa brought you a new gadget over Christmas and you are selling an old device, or you are looking to pick up a second-hand bargain, then take a read about why you should erase your personal data before any sale, and equally perform a factory reset on any device you buy to help keep your data secure.

Global crime transformation

During the first lockdown, crime in Lancashire was down 40%, though that may be in part due to it taking on different forms. Cybercrime covers the full gamut of offences that are either conducted in, or facilitated by, cyberspace, and often across borders. This long-read from The Guardian takes a look at how the Coronavirus pandemic has changed crime - online and offline - through 2020 and how different groups are adapting.

In brief

Attacks, incidents & breaches

  • Home appliance company Whirlpool suffers Nefilim ransomware attack, now fully recovered, however files stolen during incident
  • Internal email system of the Finnish Parliament compromised in autumn 2020, shares timeline and characteristics with similar attack on Norwegian Parliament
  • Vietnam Government Certificate Authority had PhantomNet trojan inserted into their client app used by businesses and citizens to digitally sign documents sent to government

Threat intel

  • New card skimming operation targets Shopify, WooCommerce and other e-commerce platforms, injects fake payment page before checkout to capture card details
  • Good summary of how the ransomware threat has developed from a decades-old threat, to a professionalised criminal ecosystem
  • Crypto-currency mining worm quietly brute forcing Windows and Linux servers running MySQL, Tomcat, WebLogic, Jenkins

  • Hardcoded, admin-level account found in Zyxel firewalls, VPN gateways and access point controllers; intended for firmware update purposes, the poor security engineering decision presents a ‘backdoor’ to devices

Security engineering

  • Law firms look for who is to blame in the Sunburst/Solorigate attack, but the more interesting question is what is the harm? Either way, legal costs are on the horizon for SolarWinds

  • Brexit deal grants six months for ‘adequacy decisions’ to be made about the appropriateness of the UK’s data protection regime; ICO urges businesses to use this to establish ‘alternative transfer mechanisms’

Law enforcement

  • National Crime Agency pays visit to 69 U.K. ‘customers’ of the seized site WeLeakInfo that are ‘on the verge of breaking the law’ to discourage criminal activity and arrest a further 21 for offences
  • Ticketmaster settles ‘computer intrusion and fraud offences’ for $10M, and must also maintain a compliance and ethics programme. The firm used stolen credentials to log in to the internal systems and spy on the business activities of a competitor during the 2010s

And finally

Party like it’s 1997: Brexit deal mandates use of Netscape 4

Thank you to loads of you who got in touch with this one: The Brexit deal and its rather… antiquated technology specifications! The EU and the UK should use “modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x.” with the last release of the latter being in 1997. The encryption schemes proposed to protect the transmission of fingerprint, DNA and vehicle registration data are out of date. Those at least are being exchanged across a private network.

