
Robin’s Newsletter #140

Microsoft source code stolen by Russia in Solorigate attack. France uncovers campaign targeting IT providers. SIEM & ATT&CK. And Citibank's $500M UI gaffe.

 Vol. 4  Iss. 8  21/02/2021, last updated 26/02/2021   Robin Oldham  ~7 Minutes


This week

Microsoft source code stolen by Russia in Solorigate attack

Microsoft has completed its investigation into the Solorigate breach and concluded that no production services were accessed from their network. However, Redmond added that a “small” number of repositories were accessed, with source code downloaded for:

  • a small subset of Azure components (subsets of service, security, identity)
  • a small subset of Intune components
  • a small subset of Exchange components

Microsoft says that, based on the search terms the attackers used, they appear to have been searching for keys used in production services (Microsoft's development policy prohibits storing such secrets in source code, and the company says none were found).
The focus on Azure authentication makes sense, as the group seeks to understand more about, and find weaknesses in, how Microsoft authenticates access to its cloud. The shift 'to the cloud' isn't just a change in the location of data and processing power, it's a fundamental shift in the security model for most organisations: for many, it's no longer about looking for adversaries 'in the network' but about how they secure their staff's identities. That source code may help enable more identity-based attacks in the future.
Accessing Intune (Microsoft's device management solution) is another interesting angle: it may provide insight into how the keys that identify devices are managed, or how devices are administered more broadly. In my 2020 retrospective (vol. 3, iss. 52) I talk about how this year may see a greater focus on mobile device management in gaining access to information and conducting malicious activity.
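The practical check that follows from the "searching for keys" finding is secret scanning of your own repositories. The block below is an added example (not Microsoft's code or tooling): a minimal scanner of the kind a pre-commit hook or CI job runs, with detectors for a few well-known credential shapes and a placeholder filter so documentation values such as the AWS docs' `AKIAIOSFODNN7EXAMPLE` don't page anyone. The sample source file is constructed for the example.

```python
"""Added example (not Microsoft's code): a minimal secret scanner of the kind a
pre-commit hook or CI job runs, looking for production keys committed to source.
The credential formats are well known; the sample source below is constructed."""
import re
from typing import List, Tuple

# Detector name and pattern. The regexes cover common credential shapes and are
# deliberately conservative (a real scanner adds many more and checks entropy).
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("azure_storage_account_key", re.compile(r"AccountKey=[A-Za-z0-9+/]{40,}={0,2}")),
    ("pem_private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_password_assignment",
     re.compile(r"(?i)(password|passwd|pwd|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

# Lines that look like documentation placeholders rather than live credentials.
PLACEHOLDER = re.compile(r"(?i)(example|changeme|placeholder|<[^>]*>|\$\{[^}]*\})")

Finding = Tuple[int, str, str]   # (line number, detector name, matched text)


def scan(text: str) -> List[Finding]:
    """Return one finding per (line, detector) hit, skipping placeholder lines."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PLACEHOLDER.search(line):
            continue
        for name, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, name, match.group(0)))
    return findings


# Constructed sample file: a safe pattern (secret pulled from the environment),
# a documentation placeholder, and three real-looking leaks. Not a real file.
SAMPLE_SOURCE = """\
# settings.py (constructed sample for the example, not a real file)
import os
DB_HOST = "db.internal"
DB_PASSWORD = os.environ["DB_PASSWORD"]
STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=prodstore;AccountKey=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789=="
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
ADMIN_PASSWORD = "hunter2-is-not-a-real-secret-11"
DEPLOY_KEY_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for lineno, name, matched in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {matched[:40]}")
```

Running it flags lines 5, 7 and 8 of the sample and stays quiet on the environment lookup and the documentation key. The design point is the policy Microsoft describes: secrets live in a vault or the environment, never in the repository, and the scanner is the control that enforces it before the code leaves the developer's machine.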

While SolarWinds took a lot of heat for the attack, in reality, they were a vector for the SVR, who were looking to gain access to company networks and steal the cryptographic keys (such as AD FS token-signing certificates) used to federate on-prem Active Directory with the cloud. Once they had those, they could forge their own authentication tokens and access the organisation's cloud-hosted data remotely, without needing to stay on the network. Have a listen to the Risky Business primer, linked below, for more.

microsoft.com, zdnet.com, arstechnica.com, risky.biz

Interesting stats

Of the roughly 18,000 vulnerabilities published and given a 'CVE' number in 2019, just 2.6% (473) were actually exploited in the wild, according to Kenna Security, and only 6% of those (~28) were exploited on a widespread basis. And some more good news: 80% of CVE publications coincide with a patch being available from the vendor. theregister.com

1,000 developers were involved in the SolarWinds hack, according to Microsoft… theregister.com I'm dubious myself, given that the U.S. intelligence community was blind-sided by the attack. Research from the University of Oxford in 2016 reckons that a secret known by 1,000 people would be publicly outed within 5 years. phys.org

Other newsy bits

France uncovers three-year campaign targeting IT providers

The French cyber security agency, Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), has published details of a campaign targeting IT service providers. The attacks appear to have exploited a vulnerability in the open-source version of Centreon's IT monitoring software and were carried out over roughly three years. That's led some to compare it to the Solorigate campaign, but the attacks share few similarities: this was exploitation of Internet-exposed software, not a compromised software update. After exploiting the vulnerable software, the group implanted a web shell and installed the Exaramel backdoor. That backdoor, and the command and control servers it communicates with, overlap with attacks previously attributed to Sandworm, Russia's GRU military intelligence. The concentration of access that IT providers have makes them an attractive target for cyber-espionage groups. Centreon is working with customers to ensure they have not been victims and are running the most recent version of its software. wired.com, theregister.com, gouv.fr

SIEM coverage of ATT&CK framework

SC Magazine has a piece on SIEM coverage of the ATT&CK framework. Security information and event management (SIEM) platforms aggregate and correlate security logs and compare them to rules to alert on suspicious behaviour. Many pre-date the ATT&CK framework, which enumerates adversary tactics and techniques, and so gaps in out-of-the-box coverage are perhaps unsurprising. The underlying message is what I find interesting: where does the burden rest? With SIEM it is often with the user to write rules tailored to their environment. That 'content development' has been one of the 'hidden costs' if you're planning to build your SOC's tech stack in-house. It can give better results (as you'd expect), though for many organisations alternative approaches, like MDR/EDR, may provide "good enough" coverage across a sufficient spectrum of adversary behaviour to satisfy security monitoring needs. Kim Jones, professor at Arizona State University, hits the nail on the head: "focusing on [the most relevant] scenarios and building from there is an appropriate risk-balanced approach to implementation." scmagazine.com
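To make the 'content development' burden concrete, here is an added example (not from the SC Magazine article or any SIEM product): a toy rule engine whose rules carry ATT&CK technique IDs, run over constructed log lines, followed by a coverage report against the handful of techniques a hypothetical SOC has decided matter most. The technique IDs are real ATT&CK IDs; the choice of those five as the priority list, the event format and the log lines are assumptions made for the example.

```python
"""Added example (not from the SC Magazine article or any SIEM product): a toy
SIEM rule engine whose rules are tagged with ATT&CK technique IDs, run over
constructed log lines, plus a coverage report against the techniques a
hypothetical SOC has decided matter most to it."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    technique: str          # ATT&CK technique ID the rule is meant to detect
    pattern: re.Pattern     # matched against the event message
    key: str = "host"       # field the event count is keyed on
    threshold: int = 1      # alert when this many matching events share the key


# The technique IDs are real ATT&CK IDs; choosing these five as "most relevant"
# is an assumption made for the example.
PRIORITY_TECHNIQUES: Dict[str, str] = {
    "T1110": "Brute Force",
    "T1078": "Valid Accounts",
    "T1059.001": "PowerShell",
    "T1053.005": "Scheduled Task",
    "T1003": "OS Credential Dumping",
}

# Content the SOC has to write itself: three rules, covering three of the five.
RULES: List[Rule] = [
    Rule("ssh_bruteforce", "T1110",
         re.compile(r"sshd\[\d+\]: Failed password"), key="src", threshold=5),
    Rule("encoded_powershell", "T1059.001",
         re.compile(r"powershell(\.exe)?\b.*\s-(enc|encodedcommand)\b", re.I)),
    Rule("schtasks_create", "T1053.005",
         re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
]

# Simplified event format used by the constructed sample below.
EVENT = re.compile(r"host=(?P<host>\S+)\s+src=(?P<src>\S+)\s+msg=(?P<msg>.*)")


def parse(line: str) -> Optional[Dict[str, str]]:
    m = EVENT.match(line)
    return m.groupdict() if m else None


def run_rules(lines: List[str], rules: List[Rule] = RULES) -> List[Dict[str, str]]:
    """Evaluate every rule against every event; fire once when a rule's threshold is met."""
    counts: Counter = Counter()
    alerts: List[Dict[str, str]] = []
    for raw in lines:
        event = parse(raw)
        if event is None:
            continue
        for rule in rules:
            if not rule.pattern.search(event["msg"]):
                continue
            bucket = (rule.name, event[rule.key])
            counts[bucket] += 1
            if counts[bucket] == rule.threshold:
                alerts.append({"rule": rule.name, "technique": rule.technique,
                               rule.key: event[rule.key]})
    return alerts


def coverage(rules: List[Rule] = RULES,
             priority: Dict[str, str] = PRIORITY_TECHNIQUES) -> Dict[str, bool]:
    """Which priority techniques have at least one rule; the gaps are content still to write."""
    covered = {rule.technique for rule in rules}
    return {tid: tid in covered for tid in priority}


# Constructed log lines (not captured from a real system).
SAMPLE_LOGS = [
    *[f"host=bastion src=10.0.0.5 msg=sshd[2211]: Failed password for invalid user admin from 10.0.0.5 port {51200 + i} ssh2"
      for i in range(5)],
    "host=bastion src=10.0.0.9 msg=sshd[2212]: Failed password for alice from 10.0.0.9 port 40011 ssh2",
    "host=bastion src=10.0.0.9 msg=sshd[2212]: Accepted password for alice from 10.0.0.9 port 40011 ssh2",
    "host=ws12 src=- msg=4688 New Process: powershell.exe -nop -w hidden -enc ZgBhAGsAZQA=",
    r"host=ws12 src=- msg=4688 New Process: schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\Users\Public\u.exe",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print("ALERT", alert)
    cov = coverage()
    print(f"covered {sum(cov.values())}/{len(cov)} priority techniques; "
          f"gaps: {[t for t, ok in cov.items() if not ok]}")
```

Run as-is it raises three alerts (the single failed login from 10.0.0.9 stays below the threshold) and reports 3 of 5 priority techniques covered, with T1078 and T1003 as the gaps. That gap list is the "build from there" backlog Kim Jones describes: the SIEM gives you the engine, but every row in `RULES` is content somebody on the team has to write, tune and maintain.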

EU draft adequacy decision would allow continued free-flow of data between UK and EU

The European Commission has launched the process to recognise the UK's data protection legislation as 'adequate', so that continued data transfers can be permitted. The Commission noted that "EU law has shaped the UK's data protection regime for decades"; however, concerns and focus remain on how to 'future proof' against potential divergence from the regime developed under GDPR. A review may take place after four years. The next step is for member states to give the 'green light' for the decision. The UK is covered until the end of June 2021 by the EU-UK Trade and Cooperation Agreement. europa.eu

In brief

Attacks, incidents & breaches

  • Kia Motors' American subsidiary is suffering a prolonged IT outage affecting dealerships and phone systems, but denies it has fallen victim to DoppelPaymer ransomware, despite a reported $20M ransom demand to decrypt devices and not leak data bleepingcomputer.com
  • A contractor to the Jamaican government exposed copies of 425,000 immigration papers and 70,000 COVID-19 test results left in a public AWS bucket.
  • RIPE NCC, the registry that administers IP address space for Europe, the Middle East and parts of Central Asia, reports a credential stuffing attack and asks members to enable MFA zdnet.com

Threat intel

  • In-memory Masslogger trojan targets credentials in Chrome, Outlook, Firefox and Discord theregister.com
  • 'WatchDog' crypto-mining campaign targets Windows and Linux servers through out-of-date enterprise apps and has operated for two years, according to Palo Alto paloaltonetworks.com
  • Malware native to Apple's M1 architecture found on VirusTotal arstechnica.com, including…
  • 'Silver Sparrow' malware that has infected 30,000 Macs, but isn't doing anything (yet) arstechnica.com

Security engineering

  • LastPass (who helped me celebrate the first year of this newsletter by giving away 100 free Premium subscriptions) are making changes to their free tier, forcing users to choose whether they want to sync with just desktop, or just mobile devices. Sigh. vice.com
  • Cloud platform 'marketplaces' for machine images and apps are growing in popularity, but consider what information may be shared with the vendor when you spin an image up zdnet.com

Internet of Things

  • Footfallcam Ltd's Nurserycam platform sent admin credentials in the source code of web pages used by parents; the credentials appear to be common across devices theregister.com

Privacy

  • Zuckerberg: “we need to inflict pain” as Apple and Facebook continue on privacy collision-course arstechnica.com
  • DNS provider Quad9 to move headquarters to Switzerland in privacy move scmagazine.com

Law enforcement

  • Members of one of the gangs operating the Egregor ransomware arrested in Ukraine zdnet.com
  • Nigerian national Obinwanne Okeke sentenced to 10 years in prison for an $11M business email compromise scam cyberscoop.com
  • U.S. charges two more North Korean nationals for their roles in $1.3BN of cyberattacks by the Lazarus group; an American-Canadian man pleads guilty to laundering the proceeds theguardian.com, cyberscoop.com

Mergers, acquisitions and investments

  • Palo Alto acquires Bridgecrew for $156M to boost DevOps security capabilities techcrunch.com
  • Log management outfit Humio to be acquired by CrowdStrike for $400M zdnet.com

And finally

Poor UI may cost Citibank $500M

Citibank's $500M UI (Judge Jesse Furman / Ars Technica)

Not strictly infosec… Poor user interface design on an internal application at Citibank led to the firm prematurely transferring almost $1 billion back to lenders. The transaction involved three people, who all thought they were doing the correct thing. While the bank noticed the error the following day, some of the lenders involved are refusing to return the early repayment, which totals more than $500 million. It's an important lesson in usability and human behaviour: make it clear and straightforward for users to achieve, safely, what their jobs require of them! arstechnica.com