Live Updates: SolarWinds / Solorigate (SUNBURST) Supply-Chain Attack

An alleged Russia-backed hacking group is believed to have targeted and breached the U.S. Departments of Treasury and Commerce. According to Reuters, the breach originated from a supply chain attack that leveraged Orion - the widely-used network monitoring tool from SolarWinds, an IT company that supports several federal agencies and the U.S. military. Last week, cybersecurity company FireEye had reported a similar attack carried out via the SolarWinds platform that led to the compromise of its “red teaming” tools. It is believed that a large number of organizations that use this software might be at risk. The malware used in this widespread "UNC2452" campaign is being tracked by several names including Solorigate and SUNBURST.

Cyware has created this resource to collect and share live alerts on this campaign, impacted organizations as reported in the media, indicators of compromise (IOCs), and other relevant threat intelligence. We are actively working to keep this page updated and accurate in order to ensure that it is timely and relevant to as many people as possible.

_______________________________________________________________________________________

(June 14, 2021)


How to ensure third parties don't compromise the organizational supply chain

Most organizations can count many third-party vendors in their IT environment that are vital to storing, securing, and analyzing their data. Most of the time, however, companies only assess the security of these third-party products when they are onboarded. There is no continuous security analysis or assessment. Organizations should demand a monthly security risk assessment report from all third-party vendors to glean details on all known issues in their products and infrastructure.


_______________________________________________________________________________________

(June 14, 2021)


Codecov to retire the Bash script responsible for supply chain attack wave

Codecov has introduced a new uploader that relies on NodeJS to replace and remove a Bash script responsible for a recent supply chain attack. The new uploader will be shipped as a static binary executable suitable for Windows, Linux, Alpine Linux, and macOS. Codecov's Bash uploader was the source of a string of supply chain attacks taking place around January 31, 2021, made public on April 15.

Ref - ZDNet 

_______________________________________________________________________________________

(June 13, 2021)


SolarWinds hack emboldened cyberattackers for ransomware attack spree

When a cyberattack successfully occurs on the scale of SolarWinds, history suggests hackers are emboldened to come back for more money, valuable data, and fame. The SolarWinds hackers' tactics and techniques worked so remarkably well last year that there was an incentive for them and others like them to keep going.

Ref - Yahoo 

_______________________________________________________________________________________

(June 11, 2021)


Monumental supply-chain attack on airlines traced to APT41

A monster cyberattack on SITA, a global IT provider for 90 percent of the world’s airline industry, is slowly unfolding to reveal the largest supply-chain attack on the airline industry in history. After Air India revealed the details of its security breach, it became clear that the carriers were most likely dealing with one of the biggest supply-chain attacks in the airline industry’s history, potentially traced back to the Chinese state-sponsored threat actor APT41.

 
_______________________________________________________________________________________

(June 10, 2021)


Mitigating third-party risks with effective cyber risk management

When it comes to cybersecurity, all sides involved in a business have to hold up their end of the bargain. A customer organization has to understand that it retains responsibility for the data it shares with third parties, and that the third parties that hold and use that data are effectively an extension of the customer’s business.


_______________________________________________________________________________________

(June 10, 2021)


What SolarWinds taught enterprises about data protection

The SolarWinds breach has forced businesses worldwide to reconsider their approach to data protection and overall security. The event highlighted the level of potential devastation had the SolarWinds hackers chosen to encrypt the data and hold it for ransom. A recent report found the number of ransomware attacks grew by more than 150% in 2020, as cybercriminals took advantage of work-from-home vulnerabilities.


_______________________________________________________________________________________

(June 9, 2021)


Hardening the physical security supply chain to mitigate the cyber-risk

A recent report by Genetec found that 67% of physical security professionals, including Genetec's end users, integrators, and partners, are planning to prioritize their cybersecurity strategy in 2021. IP security cameras and other security devices are by their very nature connected to the internet. When not secured properly, any camera or access control device in the so-called IoT can be accessed remotely by just about anyone.

 
_______________________________________________________________________________________

(June 9, 2021)


How to stop SolarWinds-like hacks

Researchers from Ohio State University and Potomac Research LLC, led by Noeloikeau Charlot, published a paper on the idea of using “physically unclonable functions (PUFs).” At a microscopic level, even mass-produced computer chips have tiny differences from one chip to the next. For example, an online bank can check a device’s PUF to make sure that only someone with the right device is accessing a bank account. This can help detect attacks that bypass two-factor authentication, a technique the SolarWinds attackers exploited.

Ref - Nautil.us 

_______________________________________________________________________________________

(June 9, 2021)


Stealthy Gelsemium cyberspies linked to NoxPlayer supply-chain attack

ESET researchers have linked a stealthy cyberespionage group known as Gelsemium to the NoxPlayer Android emulator supply-chain attack that targeted gamers earlier this year. According to reports from G DATA and Verint Systems, the cyberspies used spear-phishing emails with document attachments exploiting the CVE-2012-0158 Microsoft Office vulnerability to deliver the malware.


_______________________________________________________________________________________

(June 8, 2021)


Protecting Industrial Control Systems against cyberattacks

ICS infrastructures are challenged to confirm the security of the supply chain for the OT system devices and sensors they rely on. There is no requirement to comply with the ISO/IEC 27001:2013 standard, which means ICS operators must often verify the security of their suppliers themselves. For multiple reasons, supply chains cannot be assumed to be a trusted method of software delivery.


_______________________________________________________________________________________

(June 8, 2021)


The next phase of software supply chain security

The recent executive order by President Joe Biden does several important things related to software supply chain security. It requires NIST to develop baseline security standards for software used by government agencies. Those standards are required to encompass secure software development environments, including actions such as using administratively separate build environments and auditing trust relationships.


_______________________________________________________________________________________

(June 8, 2021)


The rise and rise of supply chain attacks

There are some driving forces behind the rising popularity of supply chain attacks. The cyber defenses of many high-value targets are in much better shape than before. Direct attacks against target systems may take a lot of effort and yield few results. Hence, it is more effective for cybercriminals to move up the software supply chain to exploit weak links outside their target’s cyber defenses.


_______________________________________________________________________________________

(June 8, 2021)


Supply chain security awareness - Key risk factors

As the SolarWinds breach was underway, global supply chains elsewhere were pelted with an ongoing barrage of volatility: the COVID-19 pandemic dramatically shifted demand while pushing employees out of traditional office infrastructures and into their homes, growing trade conflicts rendered supply chain hardware and software at risk of weaponization, and significant changes in industrial regulation heaped expensive penalties and restrictions on already-stressed businesses.


_______________________________________________________________________________________

(June 7, 2021)


Defending against software supply chain attacks: Recommendations from NIST

Given the scarcity of rapid mitigation options in the event of a software supply chain attack (because the victim organization does not have the authority to command a timely response from its software vendor), it is far more beneficial to invest in preventive measures. Experts recommend using a risk management lens when purchasing software and asking prospective vendors for compliance verifications.


_______________________________________________________________________________________

(June 6, 2021)


Why are supply chain attacks scary?

Supply chain attacks are scary because they're really hard to deal with, and because they make it clear you're trusting a whole ecology. You're trusting every vendor whose code is on your machine, and you're trusting every vendor's vendor. The rise in supply chain attacks, Berkeley's Weaver argues, may be due in part to improved defenses against more rudimentary assaults.

 
_______________________________________________________________________________________

(June 5, 2021)


CEO of Mandiant talks about SolarWinds hack

Kevin Mandia, CEO of Mandiant, in an interview at WSJ Cybersecurity, pointed to the ongoing attempt to define what is and is not considered cyberwar and grounds for retaliation by the US government. He commented that “apparently supply chain attacks are fair game.”

Ref - Medium 

_______________________________________________________________________________________

(June 4, 2021)


Strengthening US cybersecurity: Impacts of the Executive Order

Even though the specifics of the executive order are not available today, compliance officers can start to anticipate the changes the business will need to make. First, they can expect to perform a fresh assessment of compliance risks under these new cybersecurity requirements. Second, they need to consider the new policies and procedures their business might need to implement.

Ref - JD Supra 

_______________________________________________________________________________________

(June 4, 2021)


As cyberattacks surge, Biden seeks to mount a better defense

As the cyber breaches pile up, cyber experts say it's important to note the country is facing two distinct threats. On one side is the SolarWinds attack, which was primarily an intelligence-gathering operation carried out by Russia's foreign intelligence service, the SVR, which was quietly stealing U.S. government secrets for months. On the other side is ransomware, which is surging. Russian criminal gangs are blamed for both the Colonial Pipeline attack and the hack that briefly shut down the world's largest meat supplier, JBS.

Ref - NPR

_______________________________________________________________________________________

(June 3, 2021)


Dependency confusion: Compromising the supply chain

Researchers demonstrated that if a bad actor registers an organization's private package names on public package repositories and uploads public libraries that contain malicious code, that code could be pulled into internal applications, resulting in data exfiltration or remote code execution. The researcher details how he successfully exploited this vector to infiltrate code and secure large bug bounties from Apple, Shopify, Microsoft, and PayPal, among others.


_______________________________________________________________________________________

(June 3, 2021)


Organizations are still wondering about Dependency Confusion attacks

In early February of 2021, a vulnerability was revealed in the npm repository, infiltrating major technology companies, including Microsoft, Tesla, and Netflix. Although 35 companies were named, the issue affected many more, with hundreds of similar copycat efforts appearing on the npm repository. While routing rules can manage some of the issues around this for internal repositories, these require manual adjustment and quickly go out of date, so automation is necessary to keep on top of this issue.

Ref - Sonatype 
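The dependency confusion items above (the private-name registration vector and the stale routing rules) describe an exposure that can be audited in a project's own manifest rather than in the registry. The script below is an added example, not code from Cyware or from the cited researcher: it reads a constructed npm package.json and .npmrc, takes a list of package names known to be internal (an assumption; an organization would supply its own), and flags any internal dependency that would be resolved by name from the public registry, where a same-named public package could be substituted.

```python
"""Dependency-confusion exposure audit for an npm project (added example).

Assumptions: the organization knows which package names are internal
(INTERNAL_NAMES), and private packages are meant to be served either by a
scoped registry mapping in .npmrc or by a non-registry source such as a git
URL.  All inputs below are constructed for the example.
"""
import json
import re

PUBLIC_REGISTRY = "https://registry.npmjs.org/"

# Constructed package.json: a mix of public, scoped-private, unscoped-private
# and git-pinned dependencies.
PACKAGE_JSON = """{
  "name": "acme-portal",
  "dependencies": {
    "lodash": "^4.17.21",
    "acme-billing-core": "^2.1.0",
    "@acme/auth-client": "^1.4.0",
    "@acme-legacy/reporting": "^0.3.0",
    "acme-tools": "git+ssh://git@git.example.com/acme/tools.git"
  },
  "devDependencies": {
    "jest": "^27.0.0"
  }
}"""

# Constructed .npmrc: only the @acme scope is routed to the private registry.
NPMRC = """# project registry settings
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example.com/
"""

# Names the organization publishes only internally (assumed list).
INTERNAL_NAMES = {
    "acme-billing-core",
    "@acme/auth-client",
    "@acme-legacy/reporting",
    "acme-tools",
}


def parse_npmrc(text):
    """Return (default_registry, {scope: registry}) from .npmrc contents."""
    default = PUBLIC_REGISTRY
    scopes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scopes[key[: -len(":registry")]] = value
    return default, scopes


def registry_for(name, default, scopes):
    """Registry npm would query for a package name, honouring scope mappings."""
    if name.startswith("@"):
        scope = name.split("/", 1)[0]
        return scopes.get(scope, default)
    return default


def is_non_registry_spec(spec):
    """True for git, local path, tarball URL or GitHub shorthand specs,
    which npm fetches directly instead of resolving by name in a registry."""
    return re.match(r"^(git\+|github:|file:|https?://|\.{1,2}/|/)", spec) is not None


def audit(package_json_text, npmrc_text, internal_names):
    """Flag internal package names that would be resolved from the public registry."""
    pkg = json.loads(package_json_text)
    default, scopes = parse_npmrc(npmrc_text)
    internal = set(internal_names)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if name not in internal or is_non_registry_spec(spec):
                continue
            reg = registry_for(name, default, scopes)
            if reg.rstrip("/") == PUBLIC_REGISTRY.rstrip("/"):
                findings.append({
                    "name": name,
                    "section": section,
                    "registry": reg,
                    "fix": "publish under a scope mapped to the private registry "
                           "in .npmrc, or reserve the name on the public registry",
                })
    return findings


if __name__ == "__main__":
    for f in audit(PACKAGE_JSON, NPMRC, INTERNAL_NAMES):
        print(f"{f['section']}: {f['name']} resolves via {f['registry']} -> {f['fix']}")
```

A private registry configured as a proxy that falls through to the public registry reintroduces the same exposure, which this manifest-level check cannot see; that proxy's routing rules are what the second item above says go stale without automation.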

_______________________________________________________________________________________

(June 3, 2021)


Challenges with protecting the Supply Chain

With regard to protecting the supply chain, businesses should first take steps to identify key assets, identify partners, and determine what access these partners have to the key assets. Industry frameworks like NIST, OWASP, CISSP Controls, etc., all stipulate understanding where critical assets are, be it hardware, software, endpoints, or applications. However, compiling these lists is a struggle for most.

Ref - Toolbox 

_______________________________________________________________________________________

(June 3, 2021)


Japanese government agencies suffered supply chain attack exposing proprietary data

Several Japanese government agencies reportedly suffered data breaches originating from Fujitsu’s “ProjectWEB” information sharing tool. Fujitsu had earlier disclosed that hackers gained unauthorized access to the system and stole customer data. Investigators said that the cyberattack affected the Japanese Ministry of Land, Infrastructure, Transport and Tourism, the Cabinet Secretariat, and Narita International Airport.

Ref - CPO Magazine

_______________________________________________________________________________________

(June 2, 2021)


Proactive security key to combating supply chain attacks

Threat actors are becoming more sophisticated and are constantly evolving their capabilities to remain effective in their operations. To this end, organizations need to invest in the people, processes, and technology they deploy across their network in order to stand the best chance of preventing an attack. This will result in the development of capabilities and processes that will help to remediate any attacks as efficiently as possible, reducing the potential impact to both the organization and its customers.


_______________________________________________________________________________________

(June 1, 2021)


NobleBaron poisoned installers could be used in supply chain attacks

The latest wave of attacks being attributed to APT29/Nobelium threat actors includes a custom downloader that is part of a “poisoned update installer” for electronic keys used by the Ukrainian government. The latest iteration of malware activity linked to Nobelium uses a convoluted multi-stage infection chain that runs five to six layers deep. This includes the use of ‘DLL_stageless’ downloaders, called NativeZone.

Ref - SentinelOne 

_______________________________________________________________________________________

(June 1, 2021)


SolarWinds attack was an attack on trust

The SolarWinds hack last year offered some valuable insights into the true cost of a cyberattack, said Charl van der Walt, head of security research at Orange Cyberdefense, delivering one of the opening keynote addresses at the ITWeb Security Summit 2021. The impact is an attack on trust, and the consequence of this is fear, uncertainty, and doubt, which can be expensive and highly damaging.

Ref - IT Web 

_______________________________________________________________________________________

(June 1, 2021)


The U.S. seizes domains used by SolarWinds hackers

The U.S. Department of Justice (DoJ) disclosed that it intervened to take control of two command-and-control (C2) and malware distribution domains used in the recent attack campaign. The court-authorized domain seizure took place on May 28, the DoJ said, adding that the action was aimed at disrupting the threat actors' follow-on exploitation of victims as well as blocking their ability to compromise new systems.


_______________________________________________________________________________________

(June 1, 2021)


Defining linchpins: An industry perspective on remediating Sunburst

The Atlantic Council’s latest report “Broken Trust: Lessons from Sunburst” introduces the concept of “linchpins,” which it defines as widely used software with significant permissions ... on which every other security program or critical resource depends, and which were a key factor in the Sunburst event. The report identifies challenges to identifying, securing, and triaging this linchpin software. 

Ref - CSO Online 

_______________________________________________________________________________________

(May 31, 2021)


CISA-FBI Alert: 350 organizations targeted in attack abusing email marketing service

According to the FBI and CISA, the attackers actually sent spear-phishing emails to over 7,000 accounts at 350 organizations, including government, non-governmental and intergovernmental organizations. The initial estimates said that the attack had targeted roughly 3,000 accounts across more than 150 organizations.


_______________________________________________________________________________________

(May 31, 2021)


Why are supply chain attacks so dangerous?

By compromising a single supplier, spies or saboteurs can hijack its distribution systems to turn any application they sell, any software update they push out, even the physical equipment they ship to customers, into Trojan horses. With one well-placed intrusion, they can create a springboard to the networks of a supplier's customers—sometimes numbering hundreds or even thousands of victims.

Ref - Wired

_______________________________________________________________________________________

(May 31, 2021)


SolarWinds and Colonial Pipeline crisis showed 7 ways to respond to cyberattacks

The federal government and other agencies have demonstrated several crisis management best practices in response to the recent cyberattacks against SolarWinds and Colonial Pipeline. Business leaders should keep these best practices in mind when they have to deal with cyberattacks—and other crisis situations—at their companies and organizations.

Ref - Forbes

_______________________________________________________________________________________

(May 30, 2021)


Defending and deterring the Nobelium attacks

Microsoft provided several recommendations for protection against attacks like SolarWinds. The first step is to opt for better defense. The best defense, according to Microsoft, is to move to the cloud, where the most secure technology from any cloud provider is always up to date, and where the fastest security innovations are occurring. The second step is to deter damaging attacks. Clearer rules for nation-state conduct need to be defined and agreed to by the international community.

Ref - Microsoft 

_______________________________________________________________________________________

(May 29, 2021)


Biden budget sets aside $750 million for SolarWinds response

U.S. President Joe Biden's proposed budget includes $750 million for the government agencies hit by the SolarWinds hack to pay for cybersecurity improvements to prevent another attack. The money comes on top of a $500 million fund for federal cybersecurity as the U.S. government recovers from the cyberattack that hit nine agencies including the State Department and Treasury.

Ref - Yahoo
 
_______________________________________________________________________________________

(May 28, 2021)


Breaking down Nobelium’s latest early-stage toolset

Each of the NOBELIUM tools is designed for flexibility, enabling the actor to adapt to operational challenges over time. Microsoft Threat Intelligence Center (MSTIC) has released an appendix of indicators of compromise (IOCs) for the community to better investigate and understand NOBELIUM’s most recent operations.

Ref - Microsoft 

_______________________________________________________________________________________

(May 28, 2021)


Sophisticated spear-phishing campaign targets Government organizations, IGOs, and NGOs

CISA and FBI acknowledge open-source reporting attributing the activity discussed in the report to APT29 (also known as Nobelium, The Dukes, and Cozy Bear). However, CISA and FBI are investigating this activity and have not attributed it to any threat actor at this time. CISA and FBI urge governmental and international affairs organizations and individuals to adopt a heightened state of awareness and implement the recommendations specified in its advisory.

Ref - CISA 

_______________________________________________________________________________________

(May 28, 2021)


The key lesson from the SolarWinds hack is visibility

The SolarWinds attack has laid bare the interconnectedness of IT infrastructure: if most of the government and business infrastructure uses overlapping software packages, they are clearly not as separate from one another as they would like to think. Vulnerabilities could be anywhere throughout the supply chain. Why would hackers attack a single end-user when they can backdoor their way into all of them at once via a single service platform?

Ref - CIO 

_______________________________________________________________________________________

(May 28, 2021)


How Nobelium leveraged Constant Contact in the Phishing campaign

The May 25 phishing campaign included several iterations of emails sent from the Constant Contact account of USAID. In one example, the emails appear to originate from USAID. The emails posed as an “alert” from USAID dated May 25, 2021. If the user clicked the link on the email, the URL directs them to the legitimate Constant Contact service and then redirects to a Nobelium “controlled infrastructure.” A “malicious ISO” file was then delivered to the system.

Ref - CRN

_______________________________________________________________________________________

(May 28, 2021)


Almost 3,000 emails targeted by Nobelium attack

The threat actor behind last year’s major SolarWinds hack has led a new targeted campaign spanning nearly 3,000 emails. According to reports, hackers accessed the Constant Contact account of USAID, the service used for email marketing. From there, Nobelium distributed phishing emails that, when clicked, inserted a malicious file used to distribute a backdoor called NativeZone. 

Ref - ARNNet 

_______________________________________________________________________________________

(May 28, 2021)


The group behind SolarWinds hack now targeting government agencies, NGOs - Microsoft

The group behind the SolarWinds cyberattack is now targeting government agencies, think tanks, consultants, and non-governmental organizations, Microsoft Corp said late on Thursday. While organizations in the United States received the largest share of attacks, targeted victims came from at least 24 countries, Microsoft said.

Ref - Reuters 

_______________________________________________________________________________________

(May 28, 2021)


Russia appears to carry out a hack through the system used by the U.S. Aid Agency

By breaching the systems of a supplier used by the federal government, the hackers sent out emails as recently as this week from more than 3,000 genuine-looking accounts. The email was implanted with code that would give the hackers unlimited access to the computer systems of the recipients, from stealing data to infecting other computers on a network.


_______________________________________________________________________________________

(May 27, 2021)


Another Nobelium Cyberattack

Microsoft has observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations. This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.

Ref - Microsoft 

_______________________________________________________________________________________

(May 27, 2021)


Attack on Fujitsu’s ProjectWEB SaaS platform may be the next big supply chain attack

While still early, some researchers view the reported hacking into Fujitsu’s ProjectWEB software-as-a-service (SaaS) platform as a nation-state attack, not unlike the one that targeted the SolarWinds supply chain. Impacted agencies include the Ministry of Land, Infrastructure, Transport, and Tourism; the Ministry of Foreign Affairs; the Cabinet Secretariat; and Narita Airport in Tokyo.

Ref - SC Magazine 

_______________________________________________________________________________________

(May 27, 2021)


Canada Post falls victim to a third-party hack

Canada Post is the latest victim of a supply chain attack that allowed hackers to capture the names and addresses of almost one million senders and receivers of packages over a three-year period. This was the result of a cyberattack on its electronic data interchange (EDI) solution supplier, Commport Communications, which manages the shipping manifest data of large parcel business customers.


_______________________________________________________________________________________

(May 26, 2021)


The EU’s response to SolarWinds

Unofficial reports indicate that a number of EU member states are toying with the idea of introducing sanctions against Russian citizens who were allegedly involved in the SolarWinds campaign. Also, given the steady deterioration of EU-Russia relations in recent months, member states could be tempted to demonstrate their collective determination to push back against Russia and their commitment to the transatlantic alliance.

Ref - CFR 

_______________________________________________________________________________________

(May 26, 2021)


Newly discovered bugs in VSCode extensions could lead to supply chain attacks

Severe security flaws uncovered in popular Visual Studio Code extensions could enable attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment (IDE). The vulnerable extensions could be exploited to run arbitrary code on a developer's system remotely, in what could ultimately pave the way for supply chain attacks.


_______________________________________________________________________________________

(May 26, 2021)


How SolarWinds changed cybersecurity leadership's priorities

The recent Scale survey showed that in the wake of the SolarWinds attacks, security leaders are retooling their security operations in response to the changing threat environment. For instance, 36% said that they expected third-party risks to rise over the next 12 months. Around 47% said third-party risks are a top factor affecting the C-suite's understanding of the business impact of security, behind data breaches at 57% and remote work at 54%.


_______________________________________________________________________________________

(May 26, 2021)


Federal Agencies struggling with supply chain security

More than five months after the SolarWinds supply chain attack came to light, federal agencies continue to struggle with supply chain security, according to a Government Accountability Office official. In the absence of foundational risk management practices, malicious actors may continue to exploit vulnerabilities in the ICT supply chain, causing further disruption to mission operations, harm to individuals, or theft of intellectual property.


_______________________________________________________________________________________

(May 25, 2021)


Supply chain attacks: How to reduce open-source vulnerabilities

Organizations are increasingly turning to adversary simulation engagements to reduce the impact of supply chain attacks. In these tests, a ‘red’ team uses the same tactics, techniques, and procedures that threat actors employ. The ‘blue’ team responds to the attacks from the red team. They’ll gain valuable knowledge by combating the same tools threat actors are currently using.


_______________________________________________________________________________________

(May 25, 2021)


How to avoid web supply chain attacks

The simplest thing you can require for secure interaction with your suppliers is that your contractors present you with a web vulnerability scanner compliance report, such as the OWASP Top-10 report offered by Acunetix. This type of report will immediately show you whether the software that you are purchasing has any vulnerabilities and whether these are the types of vulnerabilities that you should worry about.


_______________________________________________________________________________________

(May 25, 2021)


Three-quarters of CISOs predict another SolarWinds-style attack

Some 84% of global organizations have suffered a serious security incident over the past two years and a majority are expecting another SolarWinds-style supply chain attack, according to a new Splunk report.


_______________________________________________________________________________________

(May 25, 2021)


Tailor security training to developers to tackle software supply chain risks

A lack of cohesion between software development teams and cybersecurity functions compounds the software supply chain risks faced by organizations, making it all the more urgent for cybersecurity leaders and their teams to better engage with and educate developers. The training must be tailored to address the specific cyber risks surrounding the software development lifecycle.

Ref - CSO Online 

_______________________________________________________________________________________

(May 24, 2021)


Recent cyberattacks signal alarm for better supply chain security

There are three important lessons from the fallout of recent major cyber incidents, including SolarWinds attacks. Any organization leveraging third-party software must not take its convenience and claims of being secure at face value but pay attention to the integrity of the services they use. There must be a focus on container security. Before integrating a third-party service, organizations need to ensure that these vendors’ security standards are up-to-par.

 
_______________________________________________________________________________________

(May 24, 2021)


SolarWinds, Exchange attacks revive calls for mandatory breach notification

On the heels of three major cybersecurity incidents over the past six months—the SolarWinds and Microsoft Exchange supply chain attacks and the Colonial Pipeline ransomware attack—government officials and some in the private sector are reviving calls for better information sharing and national breach notification requirements.

Ref - CSO Online 

_______________________________________________________________________________________

(May 21, 2021)


E-commerce giant Mercari suffers major data breach in Codecov incident

E-commerce platform Mercari has disclosed a major data breach incident that occurred due to exposure from the Codecov supply-chain attack. The company has confirmed that tens of thousands of customer records, including financial information, were exposed to external actors due to the Codecov breach.


_______________________________________________________________________________________

(May 21, 2021)


Department of Veterans Affairs not a victim of SolarWinds hack

The Department of Veterans Affairs (VA) was not a victim of the sweeping SolarWinds hacking campaign, the department’s top cyber official told lawmakers. Paul Cunningham, chief information security officer of VA, said there was no evidence of compromise across its wide-ranging and complex networks. He told lawmakers this finding was reaffirmed in separate investigations by CISA and the intelligence community.

Ref - Fed Scoop
_______________________________________________________________________________________

(May 20, 2021)


12 lessons learned from the SolarWinds breach

CRN spoke with 12 prominent C-suite executives at RSA Conference 2021 about the biggest lessons learned from one of the most infamous cyberattacks of all time. They compiled 12 major takeaways from the SolarWinds breach, from applying far greater scrutiny to technology suppliers and code used during the application development process to eliminating the use of on-premise Microsoft Active Directory.

Ref - CRN 

_______________________________________________________________________________________

(May 20, 2021)


SolarWinds attack dates back to at least January 2019

Hackers were present in SolarWinds' systems as early as January 2019, months earlier than previously reported, SolarWinds President and CEO Sudhakar Ramakrishna revealed during an appearance at the 2021 RSA Conference (RSAC). The entry point was the SolarWinds Orion software. Attackers compromised the SolarWinds system for distributing software updates and used that to spread malware to its customers.

Ref - PCMag 

_______________________________________________________________________________________

(May 19, 2021)


SentinelOne: More supply chain attacks are coming

Large-scale supply chain attacks are here to stay, according to Marco Figueroa, the principal threat researcher at SentinelOne. During an RSA Conference 2021 session, Figueroa dissected Sunburst, the malware used to compromise SolarWinds' Orion platform that led to an extensive supply chain attack on dozens of organizations.

Ref - TechTarget 

_______________________________________________________________________________________

(May 19, 2021)


SolarWinds CEO provides new details into attack and response

New details into the notorious SolarWinds nation-state attack and its fallout were provided by Sudhakar Ramakrishna, CEO of SolarWinds, during a keynote session on Day 3 of the virtual RSA Conference 2021. This included the revelation that the attackers may have accessed the system as early as January 2019 and an expression of remorse for comments made during his congressional appearance about the attack in February 2021.


_______________________________________________________________________________________

(May 19, 2021)


monday.com source code has been accessed by Codecov threat actors

monday.com has revealed it had suffered a Codecov supply-chain attack that recently impacted several organizations. During the cyberattack, threat actors accessed a read-only copy of its source code. The cyberattack occurred around January 31, 2021, when cybercriminals obtained private access to hundreds of networks belonging to Codecov’s users.


_______________________________________________________________________________________

(May 19, 2021)


How CISA limited the impact of the SolarWinds attack

Soon after the specifics about the SolarWinds attack came to light, the DHS went to work to limit the damage. Among the first things it did was put the attack signatures into the EINSTEIN toolset that is used by nearly every agency. EINSTEIN proved extremely useful in identifying suspicious network traffic from a handful of federal civilian agencies; further investigation by those agencies helped identify additional victims of this campaign.


_______________________________________________________________________________________

(May 19, 2021)


Pentagon’s CMMC compliance may block a SolarWinds-style attack

The Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program is designed to be one key line of defense. The program sets out five maturity models applicable to defense industrial base contractors based on the level of sensitivity of information stored in their systems. Under the program, obtaining a certification of compliance at the appropriate risk level is an allowable cost. However, the extent to which contractors may have to dig into their own pockets to obtain certification is a running concern.

Ref - FCW 

_______________________________________________________________________________________

(May 19, 2021)


SolarWinds CEO apologizes for blaming an intern

Sudhakar Ramakrishna, the former CEO of Pulse Secure who took the top job at SolarWinds, apologized for the way the company blamed an intern for using a weak password - solarwinds123 - during early testimony before Congress. When asked about the password, former SolarWinds CEO Kevin Thompson said the password was a mistake that an intern made. Ramakrishna also told lawmakers that the password was from an intern’s GitHub account.

Ref - The Record 

_______________________________________________________________________________________

(May 19, 2021)


SolarWinds - a harbinger for a national data breach reporting law

As the SolarWinds attack exemplified, the conversation around federal data breach reporting legislation is becoming increasingly relevant. FireEye’s public disclosure of the SolarWinds attack exemplified the benefits of proactive partnerships between the government and private sector, which have been strengthened over the years by routine information sharing and other initiatives.

Ref - Duo 

_______________________________________________________________________________________

(May 18, 2021)


Government eyes new rules to tighten security against supply chain attacks

The Department for Digital, Culture, Media, and Sport (DCMS) has put out a call for views on the new rules, which may require IT service providers and managed services providers (MSPs) to undergo the same cybersecurity assessments that critical national infrastructure providers do.

Ref - ZDNet 

_______________________________________________________________________________________

(May 18, 2021)


Russian denial regarding SolarWinds hack is 'unconvincing'

Russia's denial of involvement in the SolarWinds hack is "unconvincing", the former head of GCHQ's National Cyber Security Centre has said. Prof Ciaran Martin added that there was evidence the tactics, techniques, and tools used by the hackers matched many years of SVR activity.

Ref - BBC 

_______________________________________________________________________________________

(May 18, 2021)


Russian spy chief denies SolarWinds attack

Russia's spy chief denied responsibility for the SolarWinds cyber attack but said he was "flattered" by the accusations from the U.S. and Britain that Russian foreign intelligence was behind such a sophisticated hack. Naryshkin said he did not want to accuse the U.S. of being behind the attack but quoted from documents leaked by former NSA contractor Edward Snowden to suggest that the tactics of the attack were similar to those used by U.S. and British intelligence agencies.

Ref - Reuters 

_______________________________________________________________________________________

(May 17, 2021)


Disconnect Internet for 3-5 days to evict SolarWinds hackers from the network

The newly published analysis report, AR21-134A, details resource-intensive and highly complex steps that will require disconnecting the enterprise network from the internet for three to five days. It is tailored for federal agencies that used affected versions of SolarWinds Orion and which discovered adversary activity within their environments (Category 3 agencies).


_______________________________________________________________________________________

(May 16, 2021)


SolarWinds breach exposes hybrid multi-cloud security weaknesses

Exposing severe security weaknesses in hybrid cloud, authentication, and least privileged access configurations, the high-profile SolarWinds breach laid bare just how vulnerable every business is. Enterprise leaders must see beyond the much-hyped baseline levels of identity and access management (IAM) and privileged access management (PAM) now offered by cloud providers.

Ref - VentureBeat 

_______________________________________________________________________________________

(May 14, 2021)


Supplemental direction (v4) on the implementation of CISA Emergency Directive (ED) 21-01

Agencies that have or had networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity, such as binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address, including networks hosted by third parties on behalf of federal agencies, must comply with the applicable requirements for each network meeting respective conditions.

Ref - DHS

_______________________________________________________________________________________

(May 14, 2021)


Guidance for networks affected by the SolarWinds and Active Directory/M365 Compromise

Remediation plans for dealing with malicious compromises are necessarily unique to every organization, and success requires careful consideration. There are three phases for evicting the actor: Pre-Eviction (actions to detect and identify APT activity and prepare the network for eviction); Eviction (actions to remove the APT actor from on-premises and cloud environments); and Post-Eviction (actions to ensure eviction was successful and the network has good cyber posture).

Ref - CISA 

_______________________________________________________________________________________

(May 14, 2021)


Effective tactics to prevent supply chain attacks

Upguard recommends several strategies that give organizations the highest chances of preventing supply chain attacks. These include implementing honeytokens, having secure privileged access management, and implementing a zero trust architecture. In addition, it recommends identifying all potential insider threats, protecting vulnerable resources, and minimizing access to sensitive data.

Ref - Upguard 

_______________________________________________________________________________________

(May 14, 2021)


Rapid7 source code, alert data accessed in Codecov supply chain attack

Rapid7 has disclosed the compromise of customer data and partial source code due to the Codecov supply chain attack. The cybersecurity firm said it was one of the victims of the incident, in which an attacker obtained access to the Codecov Bash uploader script.

Ref - ZDNet
_______________________________________________________________________________________

(May 13, 2021)


Addressing SolarWinds through executive action

The Executive Order (EO) on cybersecurity is a much-needed step toward shoring up the nation’s cyber posture. On the heels of last week’s damaging ransomware attack on Colonial Pipeline, this EO is a necessary step forward. While the EO will not solve all of the security problems or prevent the next SolarWinds attack – and the truth is no single policy, government initiative, or technology will – it is a great start. 

Ref - Forbes 

_______________________________________________________________________________________

(May 13, 2021)


Third-party software may leave you vulnerable to cyberattacks

Leaders need new ways to reduce supply chain cybersecurity risks, whether they’re buying digital products or producing them. The data showed that managers often fall prey to counterproductive and possibly dangerous mindsets that get in the way of securing supply chains and leave their companies exposed — and that they’re often taking cues from the top.

Ref - HBR 

_______________________________________________________________________________________

(May 13, 2021)


Some implicitly trusted infrastructure areas can lead to supply chain compromises

Supply chains are vast, and this is by no means a comprehensive list of potential problems. A threat modeling exercise within the organization can give a more robust view of vulnerable infrastructure that is often overlooked. Users should take a concentrated look at the implicit trust relationships that they have with vendors and open-source software used in their build or manufacturing process and they will likely find many areas where trust supersedes security.


_______________________________________________________________________________________

(May 12, 2021)


How Biden’s new executive order plans to prevent another SolarWinds attack

The order, which the Biden administration has been drafting over the last few months, is designed less to address an incident like the one experienced by Colonial Pipeline, a privately-owned critical infrastructure operator that is believed to have been hit by a criminal gang, than to prevent a future SolarWinds-like incident.

_______________________________________________________________________________________

(May 12, 2021)


Senate hearing raises questions about SolarWinds backdoors

The U.S. Department of Commerce's CISO said during a Senate committee hearing Tuesday that his agency was one of the first to identify a SolarWinds-related compromise, raising questions about when the U.S. government initially detected the supply chain attacks.

_______________________________________________________________________________________

(May 12, 2021)


Supply chain penetration: Here’s how to protect against it

Effective protection of the supply chain means the adoption of a different mindset, one that assumes a breach will happen at some point. Because the supply chain represents a critical attack vector, an attack in this area could be a critical one, so cyber measures must be stepped up accordingly. Securing access to sensitive data and systems means organizations can reduce the risks significantly, thereby making it more difficult for attackers to achieve their end goals.


_______________________________________________________________________________________

(May 11, 2021)


Senators discuss federal cybersecurity following SolarWinds hack

Government officials say the 2020 SolarWinds cyber hack by the Russian government should have been a wake-up call. The U.S. is instead dealing with another cyber attack, this time on the largest fuel pipeline in the country. The SolarWinds and Pulse Secure VPN attacks targeted federal agencies and yet it was private sector companies that discovered them.

Ref - News10 

_______________________________________________________________________________________

(May 11, 2021)


Key challenges with modern AppSec and supply chain attacks

The OWASP API project has enumerated 10 critical API level threats that are substantially more important in the era of modern, cloud-native applications. The three key trends – microservice proliferation, application change, and porous perimeters – create an environment where attacks can flourish and where IT and security teams need to consider revisiting their application security practices and controls.

Ref - DevOps 

_______________________________________________________________________________________

(May 11, 2021)


SolarWinds CEO calls for collective action against state attacks

SolarWinds CEO Sudhakar Ramakrishna has revealed he is talking with his peers in the industry to form a consortium of like-minded, mid-market firms that could take collective action to defend themselves against nation state-backed malicious actors, such as Russia’s APT29, or Cozy Bear. Ramakrishna called for the industry to adopt a model of mutual responsibility and mutual accountability among smaller firms, noting that size alone is not an indicator of a company’s ability to protect itself from cyber attacks.


_______________________________________________________________________________________

(May 10, 2021)


Twilio, HashiCorp among Codecov supply chain hack victims

The stealth software supply chain compromise of the Codecov Bash Uploader went undetected since January. The first company to publicly acknowledge exposure was HashiCorp when a post-breach investigation found a subset of its CI pipelines used the affected Codecov component. Following HashiCorp’s statement, San Francisco-based Twilio issued an advisory to confirm it used the compromised Bash Uploader component in a small number of projects and CI pipelines.


_______________________________________________________________________________________

(May 10, 2021)


All you need to know about supply chain attacks and cloud-native

There are several characteristics of cloud-native application development environments that make them a lucrative target for attackers looking to embed malicious code into the supply chain. Cloud-native application development is characterized by the widespread use of open source components, often obtained from public registries. Additionally, container images, functions, and packages are updated frequently using CI/CD pipelines, creating multiple opportunities for attackers to embed themselves into the process.

Ref - TheNewStack 

_______________________________________________________________________________________

(May 10, 2021)


Cisco Threat Explainer: Supply Chain Attacks

There is a general pattern in supply chain attacks. First, the bad actors gather what information they can find about the primary target. Next, the bad actors attempt to compromise the secondary target. Once in, the attackers move laterally, their objective often being to compromise the secondary target’s software build system, where the source code for their software is stored, updated, and compiled.

Ref - Cisco 

_______________________________________________________________________________________

(May 10, 2021)


NIST and CISA release guidelines for defense against software supply chain attacks

The CISA and the NIST have released new guidelines on defending against various software supply chain risks. The agencies listed update hijacking, tampering with code signing, and the compromise of open-source code as the popular methods used by hackers to compromise software. Threat actors hijack update channels, like in the Russian NotPetya attack on Ukraine via tax accounting software. The SolarWinds Orion software supply chain attack employed similar tactics.

Ref - CPO Magazine 

_______________________________________________________________________________________

(May 10, 2021)


Ransomware attack on CaptureRx exposes multiple providers across the U.S.

Multiple healthcare providers across the United States are reporting being impacted by a ransomware attack on CaptureRx, a San Antonio-based company providing drug-related administrative services. The CaptureRx attack highlights the impact of the software supply chain, and Faxton St. Luke’s Healthcare in New York, Randolph, VT-based Gifford Health Care, and Thrifty Drug Stores are just a few of the victims.

Ref - ZDNet 

_______________________________________________________________________________________

(May 10, 2021)


The Colonial Pipeline ransomware attack and the SolarWinds hack were all but inevitable

Software supply chains and private sector infrastructure companies are vulnerable to hackers. Many U.S. companies outsource software development because of a talent shortage, and some of that outsourcing goes to companies in Eastern Europe that are vulnerable to Russian operatives.

Ref - Yahoo 

_______________________________________________________________________________________

(May 10, 2021)


SolarWinds shares more information on cyberattack impact, initial access vector

Texas-based IT management company SolarWinds shared more information on the impact of the significant breach disclosed late last year, and claimed that less than 100 of its customers were actually hacked. The company said the attacker only targeted its build system for the Orion product, but did not actually modify any source code repository, and the SUNBURST malware has not been found in any other product.


_______________________________________________________________________________________

(May 8, 2021)


Best practices to reduce supply chain cyber exposure

Cyber-attacks against the supply chain continue to grow — and some are simply impossible to eliminate. With that in mind, consider an approach rooted in cyber risk management. Whereas a traditional cybersecurity approach focuses primarily on mitigation, cyber risk management understands that not all risks can be removed and not all attacks can be prevented, especially when it comes to the supply chain.

Ref - Marsh
_______________________________________________________________________________________

(May 8, 2021)


SolarWinds says Russian Group likely took data during the cyberattack

While SolarWinds doesn’t know how the Russia-backed group broke into its networks, the company believes the hackers may have used an unknown vulnerability, a brute-force cyber attack, or social engineering -- such as a phishing operation. The hackers then conducted “research and surveillance” on the company, including its Microsoft Office 365 environment, for at least nine months prior to October 2019, when they moved to the “test run” phase of the attack.

Ref - Bloomberg 

_______________________________________________________________________________________

(May 8, 2021)


SolarWinds says Russian group likely took data during cyber-attack

The Russia-linked hackers that compromised popular software by the Texas-based firm SolarWinds last year broke into email accounts and likely took data from the firm. SolarWinds said it found “evidence that causes us to believe the threat actor exfiltrated certain information as part of its research and surveillance.”


_______________________________________________________________________________________

(May 7, 2021)


Hackers accessed SolarWinds’ Office 365 since early 2019

Hackers persistently accessed SolarWinds’ internal systems, Microsoft Office 365 environment, and software development environment for months before carrying out their vicious cyberattack. Hackers compromised SolarWinds’ credentials and conducted research and surveillance via persistent access for at least nine months prior to their October 2019 trial run.

Ref - CRN

_______________________________________________________________________________________

(May 7, 2021)


US-UK Government warns about SolarWinds attackers adding a new tool to its arsenal

Agencies in the U.S. and the U.K. published a joint report providing more details on the activities of the Russian cyberspy group that is believed to be behind the attack on IT management company SolarWinds. The report reveals that the hackers started using the open-source adversary simulation framework Sliver after some of their operations were exposed.

Ref - SecurityWeek 

_______________________________________________________________________________________

(May 7, 2021)


An investigative update of the cyberattack

SolarWinds has revealed that it has found evidence that the threat actor exfiltrated certain information as part of its research and surveillance. The threat actor created and moved files that contained source code for both Orion Platform software and non-Orion products. The threat actor created and moved additional files, including a file that may have contained data supporting SolarWinds’ customer portal application. The threat actor accessed email accounts of certain personnel, and also moved files to a jump server, which was possibly intended to facilitate exfiltration of the files out of the environment.

Ref - SolarWinds 

_______________________________________________________________________________________

(May 7, 2021)


FBI, NSA, CISA & NCSC Issue Joint Advisory on Russian SVR Activity

Government agencies from the United States and the United Kingdom have teamed up to issue a new joint advisory detailing TTPs of Russia's Foreign Intelligence Service (SVR) after the group was publicly attributed to the SolarWinds supply chain attack. The agencies provided more details on SVR activity, including the exploitation that followed the SolarWinds Orion software compromise.


_______________________________________________________________________________________

(May 7, 2021)


Ransomware, supply chain attacks show no sign of abating

Ransomware and supply chain attacks are two of the most common attack vectors that offer high returns for threat actors. In the aftermath of the SolarWinds attack that had affected prominent companies like Microsoft, the panelists noted that more supply chain attacks have been enabled by the growing dependencies between systems that have become more interconnected than ever.


_______________________________________________________________________________________

(May 7, 2021)


Further TTPs associated with SVR cyber actors

Organizations are advised to follow the mitigation advice and guidance in the advisory, as well as the detection rules in its appendix, to help protect against this activity. Organizations should also follow the advice and guidance in the recently published NSA advisory and the FBI and CISA alert, which detail further TTPs linked to SVR cyber actors.


_______________________________________________________________________________________

(May 6, 2021)


Following SolarWinds hack, US spy agencies review software suppliers' ties to Russia

U.S. intelligence agencies have begun a review of supply chain risks emanating from Russia in light of the far-reaching hacking campaign that exploited software made by SolarWinds and other vendors. The review will focus on any supply chain vulnerabilities stemming from Russian companies, or the U.S. companies that do business in Russia.

Ref - CyberScoop 

_______________________________________________________________________________________

(May 5, 2021)


Twilio discloses breach caused by Codecov supply chain hack

Twilio posted a blog disclosing that a small number of customer emails had likely been exfiltrated by an unknown attacker who cloned Twilio's code repositories on GitHub in mid-April. The company further connected the activity to the Codecov breach disclosed last month.

Ref - TechTarget 

_______________________________________________________________________________________

(May 3, 2021)


New Hampshire pushes pause on creating supply chain authority

To reduce cybersecurity risks, a New Hampshire lawmaker has proposed legislation to create an Information Technology Supply Chain Risk Authority to oversee all purchases and acquisitions of software, hardware, and telecommunication services used within state agencies.

Ref - GovTech

_______________________________________________________________________________________

(May 3, 2021)


Stopping the next SolarWinds requires doing something different

The SolarWinds breach is not the first major supply chain breach, but previous similar breaches failed to prompt effective regulatory action. The SolarWinds breach came in via a trusted vendor, which means even the most diligent cyber hygiene and immediate patching would not have helped. Likewise, information sharing is important, but it took nine months to detect the SolarWinds attack — so by the time there was information to share, it was too late.

Ref - DarkReading 

_______________________________________________________________________________________

(May 3, 2021)


Key indicators that the supply chain vendor has been breached

If a vendor does not provide clear and substantial responses to risk assessments, they could be concealing gaping holes in their information security program. If a vendor's website or mobile app is behaving suspiciously, a cyberattack could be taking place. If system tracking can monitor network activity between internal resources and vendors, establish a baseline for normal interaction and keep an eye out for login attempts outside of normal hours.

Ref - Upguard 

_______________________________________________________________________________________

(May 1, 2021)


More US agencies potentially hacked, this time with Pulse Secure exploits

At least five US federal agencies may have experienced cyberattacks that targeted recently discovered security flaws that give hackers free rein over vulnerable networks, the US CISA said. The zero-day vulnerability, tracked as CVE-2021-22893, was under active exploitation.

Ref - ARS Technica

______________________________________________________________________________________

(April 30, 2021)


Key questions to consider to help mitigate against supply chain attacks

With the recent SolarWinds SunBurst exploit, many security professionals are reassessing standard threat models and national cyber-defense strategies. How can organizations and system owners increase trust while still maintaining their own IT systems now? Enterprises can begin by rethinking their definition of access control, developing a patch management strategy that promotes research and testing, and monitoring their network for malicious behavior in collaboration with cyber threat intelligence.


_______________________________________________________________________________________

(April 30, 2021)


A tale of two hacks: from SolarWinds to Microsoft Exchange

The past four months have exposed two high-profile attacks, which both had pundits declaring them the “worst-ever” and “unprecedented.” They shared other similarities – both attacked businesses rather than individuals and affected tens of thousands of organizations. Both hacks involved nation-states. And in either case, no affected organization could be fully certain of finding and evicting any adversary.

Ref - ThreatPost 

_______________________________________________________________________________________

(April 29, 2021)


Finding the weakest link in the supply chain

An organization's cybersecurity defenses are only as strong as its weakest link. Successful supply chain attacks are considered especially dangerous because of their high potential for widespread contagion. With just one successful breach of a single vendor component, hackers could gain access to all of the organizations that make use of that vendor's supply chain.

Ref - Forbes 

_______________________________________________________________________________________

(April 29, 2021)


A new PHP composer bug could enable widespread supply-chain attacks

The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack. Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was deployed less than 12 hours later.


_______________________________________________________________________________________

(April 29, 2021)


Biden preparing cybersecurity executive order in response to SolarWinds attack

President Biden is preparing a cybersecurity executive order focused on helping the country protect itself from future cyberattacks following the sophisticated SolarWinds hack that was discovered in December. The order, as it is written now, includes a spate of requirements that companies who conduct business with the government will be instructed to follow.

Ref - The Hill 

_______________________________________________________________________________________

(April 28, 2021)


Minimizing the risk of supply chain attacks – best practice guidelines

Sophos provides several recommendations to minimize the risk of supply chain attacks. It recommends switching from a reactive to a proactive approach to cybersecurity, monitoring for early signs of compromise, auditing the supply chain, assessing the security posture of all suppliers and business partners, and continually reviewing IT security operations hygiene.

Ref - Sophos 

_______________________________________________________________________________________

(April 28, 2021)


Lawmakers want to create a reserve corps to respond to the next SolarWinds

A bipartisan group of lawmakers wants to create a National Guard-like program to address growing cybersecurity vulnerabilities faced by the U.S. government. Legislation introduced today would pilot two separate reserves of trained cybersecurity professionals for the Department of Homeland Security and the Defense Department.


_______________________________________________________________________________________

(April 28, 2021)


CISA issues guidance on defending against software supply chain attacks

The CISA has issued guidance following the compromise of the SolarWinds software that affected thousands of entities across the US and beyond. The guidance took the form of a primer for companies, explaining the nature of the software supply chain and the various access points where supply chain vulnerabilities exist. It concludes with concrete recommendations for both vendors and their customers with a discussion on the Secure Software Development Framework (SSDF) and Cyber Supply Chain Risk Management (C-SCRM).


_______________________________________________________________________________________

(April 28, 2021)


5 ways to protect software supply-chains from malicious attackers

Users can protect their organization against supply-chain attackers by avoiding the use of third-party modules; checking for threats when using modules created by unknown authors; performing automated scans of code submitted to repositories; having a plan for external services; and creating an on-premises and cloud strategy.

Ref - Radware

_______________________________________________________________________________________

(April 27, 2021)


Another SolarWinds lesson: hackers are targeting Microsoft authentication servers

During SolarWinds, hackers directly targeted the AD FS servers to obtain certificates. Mandiant’s new attack does not require direct access to the AD FS server. Rather, hackers would spoof one AD FS server communicating with another to obtain its keys. This is not trivial, as it still requires credentials from an extremely privileged account to pull off. But given the capacity of the hackers involved in SolarWinds, chief information security officers should begin to see these kinds of attacks as part of the threat landscape.

Ref - SC Magazine 

_______________________________________________________________________________________

(April 27, 2021)


Software supply chain may get you by exploiting Open-Source libraries

Nearly all software programs developed today contain open-source components. Unfortunately, open-source packages have the same challenges as any other software (i.e. they contain security bugs). Worse, once included in an application they can become rapidly out of date, lacking the most recent bug fixes. On top of that, open-source code is freely available to everyone, so bad actors can study and experiment with it without fear of exposing their next wave of attacks.


_______________________________________________________________________________________

(April 27, 2021)


Defending against software supply chain attacks

The consequences of a software supply chain attack can be severe. First, threat actors use the compromised software vendor to gain privileged and persistent access to a victim network. By compromising a software vendor, they bypass perimeter security measures like border routers, firewalls, etc., and gain initial access. If a threat actor loses network access, they may re-enter a network using the compromised software vendor.

Ref - CISA 

_______________________________________________________________________________________

(April 27, 2021)


DFS report identifies key cybersecurity measures to reduce supply chain risk

The New York State Department of Financial Services (DFS) released a report on the Department’s investigation of New York’s financial services industry’s response to the supply chain attack on the IT company SolarWinds. During the SolarWinds attack, hackers corrupted routine software updates that were downloaded onto thousands of organizations’ information systems.


_______________________________________________________________________________________

(April 26, 2021)


SolarWinds, Microsoft hacks prompt focus on Zero-Trust security

Analysis of the breaches, which exploited vulnerabilities in software from SolarWinds Corp. and Microsoft Corp., from the CISA, the NSA, and the FBI found that the hackers were often able to gain broad systems access. In many cases, the hackers moved through networks unfettered to set up back doors and administrator accounts. To prevent such attacks, zero-trust models should be more widely adopted by the public and private sectors.


_______________________________________________________________________________________

(April 26, 2021)


CISA and NIST release new interagency resource to defend against supply chain attacks

To help software vendors and customers defend against these attacks, CISA and the NIST have released Defending Against Software Supply Chain Attacks. This new interagency resource provides an overview of software supply chain risks and recommendations. The publication also provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

Ref - CERT-CISA 

_______________________________________________________________________________________

(April 26, 2021)


Another top VPN is reportedly being used to spread SolarWinds hack

Threat actors used the Pulse Secure VPN appliance to install the Supernova webshell in a victim’s SolarWinds Orion server and collect user credentials without permission, a new warning has said. This appears to be the first observed instance of a threat actor injecting the Supernova webshell directly into a victim’s SolarWinds installation.

Ref - TechRadar 

_______________________________________________________________________________________

(April 25, 2021)


Stopping SolarWinds’ style mega hacks, but preserving democracy

The SolarWinds and Shirbit hacks announced last December, along with a variety of other major cyberattacks, have convinced the US and Israeli governments that leaps forward are needed to keep up with the new frenetic pace of digital warfare. And taking countermeasures involves several challenges. One of the challenges is that the NSA is more limited by law from counter-hacking a US computer already hacked by a foreign adversary than it is going against foreign computers.


_______________________________________________________________________________________

(April 24, 2021)


HashiCorp is the latest victim of the Codecov supply-chain attack

Open-source software tools and Vault maker HashiCorp has disclosed a security incident that occurred due to the recent Codecov attack. HashiCorp, a Codecov customer, has stated that the recent Codecov supply-chain attack aimed at collecting developer credentials led to the exposure of HashiCorp's GPG signing key.


_______________________________________________________________________________________

(April 23, 2021)


Senators introduce legislation to protect critical infrastructure against attack

Sens. Maggie Hassan (D-N.H.) and Ben Sasse (R-Neb.) on Friday introduced legislation intended to protect critical infrastructure from cyberattacks and other national security threats. The National Risk Management Act would require the CISA to conduct a five-year national risk management cycle.
 
Ref - The Hill 

_______________________________________________________________________________________

(April 23, 2021)


Passwordstate password manager hacked in a supply chain attack

Click Studios, the company behind the Passwordstate enterprise password manager, notified its customers that attackers compromised the app's update mechanism to deliver malware in a supply-chain attack after breaching its networks. Malicious upgrades leading to the supply chain compromise were potentially downloaded by customers between April 20 and April 22.


_______________________________________________________________________________________

(April 23, 2021)


Supply chain attack risk looms over three million mobile app users of CocoaPods

A remote code execution (RCE) vulnerability in the central CocoaPods server could have potentially impacted up to three million mobile apps that relied on the open-source package manager. CocoaPods maintainer Orta Therox likened the potential impact of the flaw to that caused by XcodeGhost, a counterfeit version of macOS development environment Xcode.

Ref - PortSwigger 

_______________________________________________________________________________________

(April 23, 2021)


New analysis uncovers extensive SolarWinds attack infrastructure

Cybersecurity researchers that have been tracking the infrastructure footprint of SolarWinds threat actors claim the network of servers used in the attack is "significantly larger than previously identified". RiskIQ has identified an additional 18 command and control (C&C) servers that communicated with the malicious payloads that were dropped as part of the cyberattack.

Ref - TechRadar 

_______________________________________________________________________________________

(April 22, 2021)


SUPERNOVA redux, with a portion of masquerading

The SolarWinds attack has a few interesting traits. The first is that the adversary used residential IP addresses based in the US to appear to be US-based employees, and then leveraged valid accounts to gain access via the VPN. From there, the adversary used a VM and obfuscated PowerShell scripts to move laterally to the SolarWinds server. At this point, the SUPERNOVA webshell was installed.

Ref - Splunk 

_______________________________________________________________________________________

(April 22, 2021)


CISA identifies Supernova malware during incident response

CISA has revealed that the SolarWinds attackers connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET webshell), and collected credentials. CISA has released a report providing TTPs observed during an incident response engagement.

Ref - CISA 

_______________________________________________________________________________________

(April 22, 2021)


SolarWinds hack analysis reveals 56% boost in command server footprint

The Sunburst/Solorigate backdoor was designed to identify, avoid, or disable different security products, with a particular focus on circumventing antivirus software developed by FireEye, CrowdStrike, Microsoft, ESET, and F-Secure in the first stage of infection. The second and third stages included custom droppers (Teardrop/Raindrop) and the deployment of additional malware alongside Cobalt Strike. Implants for persistence with components dubbed Goldmax/GoldFinder/Sibot, as well as Sunshuttle, have also been connected to these stages. 

Ref - ZDNet 

_______________________________________________________________________________________

(April 22, 2021)


Software supply chain may get you by exploiting third-party applications

Attacks targeting “zero-days,” or unpatched security bugs, in commonly used third-party applications are another example of the risks from the software supply chain. The recent attacks on the Microsoft Exchange Server are just the latest examples of this type of software supply chain attack. In this case, bugs in Exchange Server allowed attackers to read emails and install a web shell.


_______________________________________________________________________________________

(April 22, 2021)


Supernova threat actors masqueraded as remote workers to access breached network

Members of an APT group, masquerading as teleworking employees with legitimate credentials, accessed a U.S. organization's network and planted a backdoor called Supernova on its SolarWinds Orion server for conducting reconnaissance, domain mapping, and data theft. The attackers had access to the network for nearly one year, from March 2020 to February 2021, before they were discovered and blocked.

Ref - DarkReading 

_______________________________________________________________________________________

(April 21, 2021)


White House shares learnings from the SolarWinds and Microsoft Exchange server cyber incidents

Lessons learned from the recent attacks include 'integrating private sector partners at the executive and tactical levels'. It also includes involving private sector organizations in the response in order to help deliver fixes smoothly, like Microsoft's one-click tool to simplify and accelerate victims' patching and clean-up efforts, as well as sharing relevant information between firms.

Ref - ZDNet 

_______________________________________________________________________________________

(April 20, 2021)


A software supply chain may take you down via vendor compromise

Arguably the most sophisticated of the supply chain attack methods, a Vendor Compromise typically starts with a reconnaissance phase to understand which organizations use the vendor’s software, and other relevant details. Next, the bad actor attempts to gain valid vendor employee credentials via social engineering, phishing, or other more technical means. The malicious operator then attempts to laterally move to the software build environment in order to modify the source code of the application that the vendor provides to its users.


_______________________________________________________________________________________

(April 20, 2021)


The wide web of nation-state hackers attacking the US

As both the SolarWinds supply chain and Microsoft Exchange Server attacks have shown, the targets are no longer limited to federal agencies and the largest companies. Enterprises of all sizes are now at risk, whether from ransomware or a data breach. In terms of attacks on the U.S., nation-state threat actors typically (but not always) come from the "big four": China, Russia, North Korea, and Iran.

Ref - TechTarget 

_______________________________________________________________________________________

(April 20, 2021)


Codecov supply chain attack has echoes of SolarWinds

To date, Codecov says that it has detected periodic alterations of the Bash uploader script going back as far as 31 January, which ultimately could have allowed whoever was behind the attack to export information stored in its users’ continuous integration (CI) environments. Among Codecov’s larger customers, both HPE and IBM confirmed to Reuters that they were now probing their own systems for signs of intrusion.


_______________________________________________________________________________________

(April 20, 2021)


Hundreds of networks reportedly hacked in Codecov supply-chain attack

In new reporting by Reuters, investigators have stated that hundreds of customer networks have been breached in the incident, expanding the scope of this breach beyond just Codecov's systems. Codecov had suffered a supply-chain attack that went undetected for over two months.


_______________________________________________________________________________________

(April 19, 2021)


White House stands down SolarWinds, Microsoft Exchange cyber response groups

Stepped up patching for the SolarWinds and Microsoft Exchange vulnerabilities has allowed the White House to stand down the two Unified Coordination Groups (UCGs) tasked with tackling the government's response to the cybersecurity threats. They were activated shortly after each incident was discovered.

Ref - GCN 

_______________________________________________________________________________________

(April 19, 2021)


SolarWinds backdoor was downloaded by 1/4th of Electric Utilities - US Utility Regulator

North American Electric Reliability Corp. (NERC), a non-profit regulatory authority that oversees utilities in the United States and Canada, revealed this week that about 25% of the electric utilities on the North American power grid downloaded the SolarWinds backdoor.

Ref - CPO Magazine 

_______________________________________________________________________________________

(April 19, 2021)


Positive Technologies denies involvement in SolarWinds attack

Responding to sanctions imposed by the US government, Russia-headquartered cybersecurity company Positive Technologies (PT) has denied any wrongdoing, and dismissed the claims as “groundless accusation”. Last week, the US Department of the Treasury imposed sanctions on several Russian technology firms, including PT, accusing them of helping Russian state actors to conduct cyberattacks against the West.

Ref - TechRadar 

_______________________________________________________________________________________

(April 19, 2021)


XCSSET malware now targeting Apple's M1-based Macs

A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple's new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET continues to abuse the development version of the Safari browser to plant JavaScript backdoors to websites via Universal Cross-site Scripting (UXSS) attacks.


_______________________________________________________________________________________

(April 19, 2021)


Codecov hack could be another SolarWinds-type attack

US federal authorities are investigating a security breach suffered by software auditing company Codecov. According to a statement put out by the San Francisco-based firm, an unscrupulous user broke through its digital defenses and modified its Bash Uploader script. While Codecov has emailed all affected users, the nature of the changes to the script potentially puts thousands of customers at risk.

Ref - Techradar

_______________________________________________________________________________________

(April 19, 2021)


Zero-trust is the best defense against third-party attacks

Adopting a zero-trust security strategy can better safeguard organizations against third-party attacks, where suppliers should not simply be entrusted to do the right thing. The Acronis CEO believed third-party attacks such as those involving Accellion and Singapore Airlines (SIA) could have been prevented with a zero-trust architecture. Zero trust isn't just about not trusting anyone, it's about personal cyber hygiene.

Ref - ZDNet

_______________________________________________________________________________________

(April 19, 2021)


Next SolarWinds crisis could happen very soon

The SolarWinds cyber attack, which saw around 100 companies and 9 US federal agencies compromised, isn’t one to be treated as an isolated incident. It is rather a stark warning of what is to come if decisive action isn’t taken. The vice-president and chief information security officer at Hitachi Vantara discusses how companies can avoid a similar supply-chain crisis.


_______________________________________________________________________________________

(April 17, 2021)


SolarWinds hacking campaign puts Microsoft in the hot seat

Microsoft has offered all federal agencies a year of “advanced” security features at no extra charge. Microsoft also removed names of several Russian IT companies, including Positive Technologies, from a list to whom Microsoft supplied the early access to data on vulnerabilities detected in its products.

Ref - Yahoo 

_______________________________________________________________________________________

(April 17, 2021)


Six out of 11 EU agencies running Solarwinds Orion software were hacked

CERT-EU confirmed that 14 EU agencies were running the SolarWinds Orion monitoring software, and six of them were breached. However, CERT-EU did not reveal the names of the EU agencies that installed the tainted Orion updates. CERT-EU said that some agencies sent only limited details on the attacks, while in other cases the network logs needed to hunt for clues about the hackers’ actions were often not available.


_______________________________________________________________________________________

(April 17, 2021)


Biden upends U.S. convention on cyber espionage

President Biden’s decision to punish Russia for the SolarWinds hack broke with years of U.S. foreign policy that has tolerated cyber espionage as an acceptable form of 21st-century spycraft. The administration also said U.S. intelligence had “high confidence” that Russia’s foreign intelligence service, the SVR, was behind last year’s SolarWinds hack, which compromised at least nine federal agencies and about 100 private-sector organizations.


_______________________________________________________________________________________

(April 16, 2021)


Commerce Dept. may have found SolarWinds backdoor in Aug. 2020

Last month, Microsoft and FireEye identified that file as a newly-discovered fourth malware backdoor used in the sprawling SolarWinds supply chain hack. FireEye refers to the backdoor as “Sunshuttle,” whereas Microsoft calls it “GoldMax.” A search in VirusTotal’s malware repository shows that on Aug. 13, 2020, someone from the National Telecommunications and Information Administration (NTIA), a division of the U.S. Commerce Department, had uploaded a file with that same name and file hashes.


_______________________________________________________________________________________

(April 16, 2021)


More countries officially blame Russia for SolarWinds attack

The United Kingdom, Canada, the European Union, and NATO have expressed support for the United States in blaming Russia for the cyberattack on IT management company SolarWinds, which impacted organizations worldwide. The announcements were made the same day that the United States expelled 10 Russian diplomats and sanctioned dozens of companies and people.


_______________________________________________________________________________________

(April 16, 2021)


The untold story of the SolarWinds hack

Hackers believed to be directed by the Russian intelligence service, the SVR, used the routine software update to slip malicious code into Orion's software and then used it as a vehicle for a massive cyberattack against America. The concern is that the same access that gives the Russians the ability to steal data could also allow them to alter or destroy it.

Ref - NPR 

_______________________________________________________________________________________

(April 15, 2021)


The U.S. imposes sanctions on Russia over cyber-attacks

The US has announced sanctions against Russia in response to what it says are cyber-attacks and other hostile acts. The measures, which target dozens of Russian entities and officials, aim to deter Russia's harmful foreign activities. The statement says Russian intelligence was behind last year's massive SolarWinds hack and accuses Moscow of interference in the 2020 election.
 
Ref - BBC

_______________________________________________________________________________________

(April 15, 2021)


Codecov Bash Uploader tool compromised in supply chain hack

At the beginning of April, security professionals at Codecov learned that someone had gained unauthorized access to their Bash Uploader script and modified it without permission. The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify the Bash Uploader script.


_______________________________________________________________________________________

(April 15, 2021)


Biden unveiled Russia sanctions over SolarWinds hack 

Ten Russian diplomatic officials are to be expelled from the US and up to 30 entities will be blacklisted in the largest round of sanctions action against Russia of Joe Biden’s presidency. The US is set to announce new sanctions against Russia as soon as Thursday in retaliation for Moscow’s interference in elections, alleged bounties on US soldiers in Afghanistan, and cyber-espionage campaigns such as the SolarWinds hack, according to reports in US and international media.


_______________________________________________________________________________________

(April 14, 2021)


The misuse of X.509 certificates & keys in SolarWinds hack

A report described the misuse of X.509 certificates and keys in the SolarWinds attack and how Cryptomathic CKMS and CSG could help protect against such attacks. While multiple failures led to the attack, one of the most glaring failures was that the attackers could misuse X.509 certificates and keys to forge and undermine trust. 


_______________________________________________________________________________________

(April 14, 2021)


Advanced supply chain attacks need a strategic counter-defense policy

Enterprise CIOs and CISOs in government and the private sector are still assessing the full impact of the advanced supply chain attacks uncovered in recent months. The fact of the matter here is that cyber is where the new wars are being fought and supply chain attacks are a winning playbook for the state-sponsored attackers.


_______________________________________________________________________________________

(April 14, 2021) 


Sunburst hack costs SolarWinds at least $18M

SolarWinds disclosed that it took a hit of at least $18 million from the massive Russian malware attack that compromised its flagship Orion technology management software. In releasing preliminary first-quarter results, SolarWinds said it spent $18 million to $19 million to investigate and remediate the cyber incident, related legal and other professional services, and consulting services provided to customers at no charge.

Ref - CFO

_______________________________________________________________________________________

(April 13, 2021)


macOS malware hidden in the npm package supply chain

A new malicious package has been spotted on the npm registry, which targets NodeJS developers using Linux and Apple macOS operating systems. The malicious package is called "web-browserify," and imitates the popular Browserify npm component downloaded over 160 million times over its lifetime.


_______________________________________________________________________________________
 
(April 13, 2021) 


U.S. intelligence community details growing influence threats in wake of SolarWinds attacks

The intelligence community made its most direct public attribution yet that Russia was behind weaving malicious code into a SolarWinds software update to facilitate a sweeping espionage operation, impacting hundreds of companies and U.S. federal agencies. The readout does not specify whether Biden specifically discussed SolarWinds with his Russian counterpart.

Ref - CyberScoop 

_______________________________________________________________________________________

(April 13, 2021) 


Spy Chiefs to warn of threats from SolarWinds to North Korea

Biden’s intelligence team -- including Director of National Intelligence Avril Haines and CIA Director William Burns -- is under increasing pressure to respond to a widening series of national security threats while defending the administration’s continuing reviews and policy approaches even as it nears the 100-day mark in office.

Ref - Bloomberg

_______________________________________________________________________________________

(April 13, 2021) 


Detecting the next SolarWinds-Style cyberattack

Developing SIEM rules, using the SolarWinds attack as an example, can help in the detection of the next SolarWinds-like attack. Sigma rules can be used as a sort of common language to create and share quality queries regardless of the SIEM an organization uses. This will enable Security Operations teams to build out the elements needed to detect future attacks. The same Sigma rule can be used across multiple SIEMs, including Splunk, QRadar, and Azure Sentinel.
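The two passages above describe the same idea from both ends: the SUPERNOVA entries (April 22) give a TTP worth detecting (obfuscated PowerShell used to move laterally to the Orion server), and this entry says a Sigma rule lets one write that detection once and run it in any SIEM. The block below is an added example, not code from this page, CISA, Splunk or the Sigma project: it holds a small Sigma-style rule in a Python dict, evaluates it directly against constructed process-creation records, and renders the same rule as a Splunk SPL search and an Azure Sentinel KQL `where` clause. The rule, the records, the `corp_patch_agent.exe` allow-list entry, the `DeviceProcessEvents` table name and both renderings are assumptions for illustration; it supports only the Sigma subset the rule uses (contains/endswith/startswith modifiers, OR-lists of values, conditions of the form "a and b and not c") and does no field-name mapping to the target schema.

```python
"""Sigma-style rule: evaluate locally, then render the same rule for two SIEMs.

Added example; not code from the page, CISA, Splunk or the Sigma project.
The rule, the records and both backend renderings are constructed for
illustration. Supported Sigma subset: modifiers contains/endswith/startswith,
OR-lists of values, and conditions of the form "a and b and not c".
"""
from typing import Any, Callable

Record = dict[str, str]

# Constructed rule, loosely modelled on the TTP the page describes (encoded
# PowerShell used to move laterally). Field names follow Sigma's
# process_creation schema. Illustrative only, not a published Sigma rule.
SIGMA_RULE: dict[str, Any] = {
    "title": "Encoded PowerShell command line (illustrative)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-EncodedCommand"],  # trailing space: "-enc" alone also hits "-EncodedCommand"
        },
        # Assumed allow-list entry: a hypothetical in-house agent, not a real product.
        "filter": {"ParentImage|endswith": "\\corp_patch_agent.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation records (dummy base64, not real telemetry).
SAMPLE_RECORDS: list[Record] = [
    {"Computer": "orion-srv01", "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEA..."},
    {"Computer": "ws-044", "Image": PS, "ParentImage": r"C:\Program Files\Corp\corp_patch_agent.exe",
     "CommandLine": "powershell.exe -EncodedCommand QQBBAEEAQQBBAEEA..."},
    {"Computer": "ws-017", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"Computer": "ws-017", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c whoami"},
]


def _field_matches(spec: str, expected: Any, record: Record) -> bool:
    """One 'Field|modifier' spec against one record; Sigma matching is
    case-insensitive and a list of values is an OR."""
    field, _, modifier = spec.partition("|")
    actual = record.get(field, "").lower()
    for cand in (expected if isinstance(expected, list) else [expected]):
        cand = str(cand).lower()
        if (modifier == "contains" and cand in actual
                or modifier == "endswith" and actual.endswith(cand)
                or modifier == "startswith" and actual.startswith(cand)
                or modifier == "" and actual == cand):
            return True
    return False


def evaluate(rule: dict[str, Any], record: Record) -> bool:
    """Evaluate a condition of the form 'a and b and not c' on one record."""
    det = rule["detection"]
    # Every field inside a block must match (AND); blocks are then combined by the condition.
    hits = {name: all(_field_matches(k, v, record) for k, v in blk.items())
            for name, blk in det.items() if name != "condition"}
    required, excluded = [], []
    for term in det["condition"].split(" and "):
        term = term.strip()
        (excluded if term.startswith("not ") else required).append(term.removeprefix("not ").strip())
    return all(hits[n] for n in required) and not any(hits[n] for n in excluded)


def alerts(rule: dict[str, Any], records: list[Record]) -> list[str]:
    """Computer names of the records the rule fires on."""
    return [r["Computer"] for r in records if evaluate(rule, r)]


def _render(rule: dict[str, Any], clause: Callable[[str, str, str], str],
            and_: str, or_: str, not_: str) -> str:
    """Backend-neutral rendering: `clause` formats one field test, the
    connectives are backend-specific strings, `not_` contains a %s placeholder."""
    det = rule["detection"]

    def block(b: dict[str, Any]) -> str:
        out = []
        for spec, expected in b.items():
            field, _, mod = spec.partition("|")
            vals = expected if isinstance(expected, list) else [expected]
            out.append("(" + or_.join(clause(field, mod, str(v)) for v in vals) + ")")
        return and_.join(out)

    parts = []
    for term in det["condition"].split(" and "):
        term = term.strip()
        parts.append(not_.replace("%s", block(det[term[4:].strip()])) if term.startswith("not ")
                     else block(det[term]))
    return and_.join(parts)


def to_splunk(rule: dict[str, Any]) -> str:
    """Splunk SPL: wildcard field matches; escaping simplified to backslash and quote."""
    wild = {"contains": "*%s*", "endswith": "*%s", "startswith": "%s*", "": "%s"}

    def clause(field: str, mod: str, v: str) -> str:
        v = v.replace("\\", "\\\\").replace('"', '\\"')
        return f'{field}="{wild[mod].replace("%s", v)}"'
    return "search " + _render(rule, clause, " ", " OR ", "NOT (%s)")


def to_kql(rule: dict[str, Any]) -> str:
    """KQL: verbatim @"..." literals (no backslash escaping); contains/endswith/startswith
    and =~ are case-insensitive, matching Sigma semantics. Table name is assumed."""
    op = {"contains": "contains", "endswith": "endswith", "startswith": "startswith", "": "=~"}

    def clause(field: str, mod: str, v: str) -> str:
        return f'{field} {op[mod]} @"{v.replace(chr(34), chr(34) * 2)}"'
    return "DeviceProcessEvents\n| where " + _render(rule, clause, " and ", " or ", "not (%s)")


if __name__ == "__main__":
    print("fires on:", alerts(SIGMA_RULE, SAMPLE_RECORDS))  # only orion-srv01; ws-044 is allow-listed
    print(to_splunk(SIGMA_RULE))
    print(to_kql(SIGMA_RULE))
```

Running it shows the rule firing only on the `orion-srv01` record: `ws-044` also runs encoded PowerShell but is suppressed by the `filter` block, which is where an analyst tunes out known-good parents rather than weakening the selection. The two renderers are deliberately thin; a real Sigma backend (such as pySigma or the original sigmac) also maps field names onto the target log schema and handles the full condition grammar, but the shape is the same: one rule, several queries.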

_______________________________________________________________________________________

(April 12, 2021)


SolarWinds hack underscores the need for moving to the cloud

According to Microsoft CEO Satya Nadella, the SolarWinds attack underscores the importance of implementing zero trust architecture and migrating to the cloud. Nadella sees the SolarWinds hack as a wake-up call for all companies to take security as a first-class priority.

Ref - CRN

_______________________________________________________________________________________

(April 12, 2021)


Biden names former top NSA officials to two key cyber roles

President Biden has appointed former National Security Agency (NSA) deputy director Chris Inglis and former deputy for counterterrorism at the NSA Jen Easterly to two top cyber roles in the administration. The appointments come as the White House is still dealing with the fallout over the SolarWinds cyber attack, which infiltrated multiple federal agencies.

Ref - Axios
 
_______________________________________________________________________________________

(April 10, 2021)


APKPure users targeted via a supply chain attack

APKPure, one of the largest alternative app stores, was the victim of a supply chain attack in which threat actors compromised client version 3.17.18 to deliver malware. The app store is available only on devices that use Google Mobile Services (GMS) and are firmly tied to Google’s infrastructure. The tainted client downloads and installs various apps, including other malicious payloads.


_______________________________________________________________________________________

(April 9, 2021)


Stopping or preventing the next SolarWinds breach 

Mitigating the next SolarWinds breach will require more cyber-savvy people to assess and recognize those threats, explain their potential impact and advocate for enterprise-wide investment in the appropriate levels of protection. Additionally, it will require more boots on the ground in a field that has evolved to encompass a growing array of sub-areas and rapidly changing technologies.


_______________________________________________________________________________________

(April 9, 2021)


Gigaset devices laced with malware in the latest supply chain attack

Cybercriminals managed to sneak several malicious apps onto Gigaset Android devices by compromising a server belonging to an external update service provider. The models affected, according to Malwarebytes, include the Gigaset GS270 and GS160, Siemens GS270 and GS160, all running Android 8, as well as the Alps P40pro, running Android 9, and S20 pro+, running Android 10.

Ref - IT Pro

_______________________________________________________________________________________

(April 9, 2021)


Supply chain disruptions lead to the loss of trillions of dollars

Supply chain disruptions in 2020 had a real impact on the bottom line, as companies lost trillions of dollars in revenue, according to the report, with 64% of respondents reporting revenue losses between 6% and 20%. The recent survey indicated that the disruptions caused a big hit in brand reputation, with 38% of respondents reporting that their brands had been impacted. Many respondents said that their struggles to maintain supplies of goods and services left customers frustrated.


_______________________________________________________________________________________

(April 9, 2021)


What the Titans of Industry Reveal about SolarWinds Attack

During the testimony, it was outlined how the SolarWinds software was hijacked and used to break into a host of other organizations, and that the hackers had been able to read Microsoft’s source code for user authentication. Unfortunately for Microsoft, and as CrowdStrike strongly pointed out, the hackers took advantage of well-known weaknesses in Windows authentication and Active Directory Federation Services.


_______________________________________________________________________________________

(April 9, 2021)


How to protect against software supply-chain attacks

Organizations can protect themselves against supply-chain attacks with some simple tips. They should avoid the use of third-party modules, watch for threats when using modules by unknown authors, and perform automated scans of code submitted to repositories. They can also have a plan for external services and develop an on-premises and cloud strategy.

Ref - SCMagazine 

_______________________________________________________________________________________

(April 8, 2021)


CISA releases tool to review Microsoft 365 post-compromise activity

CISA has released a new tool, dubbed Aviary, that can help security teams visualize and analyze data outputs generated using Sparrow, an open-source PowerShell-based tool for detecting potentially compromised applications and accounts in Azure and Microsoft 365. Sparrow was created to help defenders hunt down threat activity after the SolarWinds supply-chain attack.


_______________________________________________________________________________________

(April 8, 2021)


How to minimize cyberattacks on supply and value chains

Organizations can mitigate access-related third-party risk in several ways. This includes providing an identity to anything connecting to the enterprise, including people, systems, and things. Another way is taking advantage of identity broker technology to verify credentials and enrich authentication requirements. Applying access governance to third-party identities and centrally managing all third-party access can also help minimize the risks.


_______________________________________________________________________________________

(April 8, 2021)


Biden administration sets the stage for retaliation against Russia over SolarWinds attack

The Biden administration completed an intelligence review of alleged Russian meddling in the SolarWinds cybersecurity attack and interference in US elections. The review could set the stage for possible retaliatory actions like enacting sanctions or expulsion of Russian intel officers in the US.

Ref - Yahoo 

_______________________________________________________________________________________

(April 7, 2021)


In another supply chain incident, Gigaset injects malware into victims' phones

Android smartphones from Gigaset have been infected by malware directly from the manufacturer in what appears to be a supply-chain attack. The Trojan, once downloaded and installed on a victim's device via a poisoned software update from the vendor, is capable of opening browser windows, fetching more malicious apps, and sending people text messages to further spread the malware.

Ref - The Register 

_______________________________________________________________________________________

(April 7, 2021)


Supply-chain attacks - When trust goes wrong

Minimizing the risk of a supply-chain attack involves a never-ending loop of risk and compliance management. In the SolarWinds hack, the post-attack in-depth inspection of the third-party vendor’s product identified the exploit buried deep in the code. As a preventive measure, organizations need to have visibility into all of their suppliers and the components they deliver, which includes the policies and procedures that the company has in place.


_______________________________________________________________________________________

(April 6, 2021)


Senators press for more on SolarWinds hack after AP report

Key lawmakers said they're concerned they've been kept in the dark about what suspected Russian hackers stole from the federal government and they pressed Biden administration officials for more details about the scope of what's known as the SolarWinds hack.


_______________________________________________________________________________________

(April 6, 2021)


RSA Conference 2021 will have a keynote from SolarWinds’s president

RSA Conference announced that Sudhakar Ramakrishna, President of SolarWinds, has joined the keynote line-up for RSA Conference 2021. He will be joined by Laura Koetzle to explore the technical elements of the breach and will provide a deep understanding of the sophistication of the overall operation of the nation-state attack.


_______________________________________________________________________________________

(April 5, 2021)


SolarWinds-type attacks need a serious approach toward cybersecurity

After the SolarWinds breach, the federal government has to take cybersecurity more seriously, both from a funding and a legislation standpoint. There is some hope that this will happen with the new administration, but it remains to be seen if talk will turn into action and real change. Only with a concerted effort across all levels of government, big to small, national/state to local, will we be able to overcome this cyber assault and keep our citizens safe and secure.

Ref - GovTech

_______________________________________________________________________________________

(April 5, 2021)


The cybersecurity warning system in the U.S.

Many vulnerabilities and threats aren’t discovered by the government but are regularly uncovered by hackers who find bugs, notify companies, and often work with them to develop fixes. In turn, CISA can immediately issue directives, as it did during SolarWinds and the Microsoft Exchange compromise, that mandate action for federal agencies and sound the clarion call for others to heed.


_______________________________________________________________________________________

(April 2, 2021)


The importance of supply chain risk management

With cloud and digital technology allowing companies to flourish and succeed globally, the world has never been more interconnected. However, this comes with elevated risk. Partners, vendors, and third parties can expose companies and malicious hackers are known to target organizations through their supply chain. As a result, supply chain risk management has become a critical component of any company’s risk management and cybersecurity strategy.

Ref - Varonis

_______________________________________________________________________________________

(April 2, 2021)


The positive outcome from the SolarWinds breach

The SolarWinds compromise may have some positive outcomes by shining an even harsher light on the complacency that still exists when it comes to security. It is important especially for the different security standards that are applied to development/supplier systems compared to in-house production systems. Now, securing the supply chain has become a hot topic, and organizations can do better to protect their infrastructure.

Ref - BMC

_______________________________________________________________________________________

(April 2, 2021)


How Russian hackers targeted US cyber first responders in SolarWinds breach

After infiltrating US government computer networks early last year as part of the SolarWinds data breach, Russian hackers then turned their attention to the very people whose job was to track them down. The hackers identified a handful of key cybersecurity officials and analysts who would be among the first to respond once the hack was detected, so-called 'threat hunters,' and attempted to access their email accounts.

Ref - CNN 

_______________________________________________________________________________________

(April 1, 2021)


After the hack, officials draw attention to supply chain threats

The National Counterintelligence and Security Center warned that foreign hackers are increasingly targeting vendors and suppliers that work with the government to compromise their products in an effort to steal intellectual property and carry out espionage. The NCSC said it is working with other agencies, including CISA, to raise awareness of the supply chain issue.

Ref - AP News

_______________________________________________________________________________________

(April 1, 2021)


Learnings from the SolarWinds supply chain attack

The recent SolarWinds attack (known as Sunburst) has shone a light on the controls required after a breach, with affected organizations laser-focused on what happened and what next. But the same controls that can help remediate the risks posed by this serious supply chain threat can also help prevent or limit the effect of this and other attacks before they happen.

Ref - Accenture

_______________________________________________________________________________________

(April 1, 2021)


U.S. officials draw attention to supply chain attacks

The U.S. government is working to draw attention to supply chain vulnerabilities, an issue that received particular attention late last year after suspected Russian hackers gained access to federal agencies and private corporations by sneaking malicious code into widely used software. The NCSC said it plans to issue guidance throughout the month about how specific sectors, like health care and energy, can protect themselves.


_______________________________________________________________________________________

(April 1, 2021)


The SolarWinds hack severity perception increased over time

(ISC)² has published the results of an online survey of 303 cybersecurity professionals on the SolarWinds Orion software breach. Of the respondents, 86% rated the breach “very” or “extremely severe” when they first learned about it. However, roughly six weeks after the incident was reported, as more details emerged, the number of respondents who indicated that the breach was “severe” increased from 51% to 55%.


_______________________________________________________________________________________

(April 1, 2021)


A report with detailed analysis of SolarWinds hacking tools

US Cyber Command and the Department of Homeland Security (DHS) are preparing to release a detailed analysis of the hacking tools used in the SolarWinds attack, which targeted multiple federal agencies and private firms last year. The report was originally scheduled to be released on Wednesday, but the DHS delayed it without explanation. However, it's still expected to be published soon.

Ref - Computing

_______________________________________________________________________________________

(April 1, 2021)


DHS chief announces cybersecurity plan in wake of SolarWinds attacks

Homeland Security Secretary Alejandro Mayorkas warned that cyber threats are coming dangerously close to threatening people’s lives as he announced a series of sprints designed to counter online attacks. The series includes 60-day sprints, each focused on the most important and most urgent priorities needed to achieve goals.

Ref - Yahoo

_______________________________________________________________________________________

(March 31, 2021)


The SolarWinds breach is a wake-up call for the security community

The next time a SolarWinds-class attack occurs, the steps toward a successful response are already defined. Understanding potential concentration risks may involve delving into third-party liabilities and obligations, categorizing vendors, and understanding the scope of the larger supplier ecosystem. By defining potential sources of this risk, it becomes possible to build mitigation strategies into incident response plans.

Ref - Deloitte

_______________________________________________________________________________________

(March 30, 2021)


Executive order with 'a dozen' actions forthcoming after SolarWinds, Microsoft breaches

The Biden administration is working on “close to a dozen” action items to be included in an upcoming executive order meant to strengthen federal cybersecurity in the wake of two major breaches. The comments were made as the Biden administration continues to grapple with the fallout from both the recent attacks.

Ref - TheHill 

_______________________________________________________________________________________

(March 30, 2021)


Infosec community is concerned about SolarWinds hack

The severity of a data breach typically jumps in the short term and decreases as time progresses. But, according to a survey by the International Information System Security Certification Consortium, or (ISC)², the 2020 SolarWinds incident bucked that trend in the eyes of cybersecurity professionals. A month and a half after the incident was reported, the number of respondents who indicated the breach was “severe” increased from 51% to 55%.


_______________________________________________________________________________________

(March 30, 2021)


Details about the second elusive attack targeting SolarWinds software

Details about the scope and victims of Supernova, which exploited a flaw in SolarWinds' Orion network management software, so far have been scarce. Less than a handful of victims have been known to be targeted, and an investigation into the breach of one of those victims led to researchers at Secureworks tying the Supernova attacks to a previously unknown Chinese nation-state group they dubbed "Spiral."


_______________________________________________________________________________________

(March 30, 2021)


SolarWinds breach leads to distrust of software in use

Security experts say that because enterprises can't inspect the inner workings of the software they buy, they're at the mercy of software companies' security practices. In the SolarWinds attack, attackers infected software that is trusted by organizations, and that software became a way to steal confidential information. This breach of trust in software is huge because software drives everything around tech firms.


_______________________________________________________________________________________

(March 30, 2021)


Trump administration emails were compromised in SolarWinds breach

An Associated Press report found that the head of DHS and the department's cyber-security staff were among the accounts exposed during the SolarWinds hack. Email accounts belonging to members of the Trump administration's Department of Homeland Security, including the head of the department, were reportedly compromised by suspected Russian hackers, according to the report.

Ref - Yahoo

_______________________________________________________________________________________

(March 29, 2021)


Key lessons from Sunburst

The cyber domain is a realm of intense interconnectivity that underpins much of daily life and national security. The discovery late in 2020 that Sunburst malware had infected not only thousands of private networks but also US government agencies led some observers to embrace alarmist views of this event as the first step in a full-fledged cyberwar.


_______________________________________________________________________________________

(March 29, 2021)


PHP's Git server hacked in a recent supply chain attack

In the latest software supply chain attack, the official PHP Git repository was hacked and the code base tampered with. Two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server. The threat actors had signed off on these commits as if these were made by known PHP developers and maintainers, Rasmus Lerdorf and Nikita Popov.


_______________________________________________________________________________________

(March 29, 2021)


SolarWinds breach got emails of top DHS officials

Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries. The intelligence value of the hacking of then-acting Secretary Chad Wolf and his staff is not publicly known.

Ref - AP News

_______________________________________________________________________________________

(March 29, 2021)


Need for a new alert system for cybersecurity

America needs a national cyber vulnerability early warning center after the recent SolarWinds breach. Just as a meteorologist is constantly on the lookout for storm systems, an early warning center would search widely used software and hardware components for vulnerabilities. It would discover new weaknesses before opponents, fortifying defenses and increasing the costs of mounting an attack.


_______________________________________________________________________________________

(March 29, 2021)


SolarWinds patches four new vulnerabilities in the Orion platform

SolarWinds released fixes for four new vulnerabilities in their Orion platform, the most severe of which is an authenticated remote code execution flaw due to a JSON deserialization weakness. Fixes for these weaknesses are in Orion Platform 2020.2.5.

Ref - Rapid7 

_______________________________________________________________________________________

(March 26, 2021)


SolarWinds hackers copied a limited number of source code repositories - Mimecast

A forensic investigation conducted by Mimecast and FireEye's Mandiant incident response division found that the SolarWinds hackers downloaded a limited number of the company’s source code repositories.

Ref - CPO Magazine 

_______________________________________________________________________________________

(March 26, 2021)


Software security is the top priority - SolarWinds CEO

SolarWinds has launched a Secure by Design initiative in response to the recent cybersecurity attack. This project is designed to build security into the design phase of software development and to make security an ongoing priority instead of an after-the-fact priority. The company is testing a design process that uses several parallel build chains simultaneously to create software instead of just one.

Ref - TechRepublic 

_______________________________________________________________________________________

(March 26, 2021)


Lessons learned from the SolarWinds breach

A system like SolarWinds should have security checks built in from the start and the use of software signing keys should always be closely monitored. In addition, organizations need to adopt a zero-trust policy, stay vigilant, and create a security culture to prevent complex attacks like this.

Ref - Forbes

_______________________________________________________________________________________

(March 25, 2021)


Strategies to guard against email fraud in supply chain

Proofpoint has provided six recommendations to protect supply chain relationships: knowing who the suppliers are, considering the "spider web," creating more vendor accountability, being responsive to security-conscious users, relying more on automation, and finally implementing DMARC at the gateway.


_______________________________________________________________________________________

(March 25, 2021)


SolarWinds breach - Key learnings

Security experts identified several critical learnings from the SolarWinds breach: threat hunting and threat intelligence built on artificial intelligence and machine learning; comprehensive detection with real-time continuous monitoring; simplified incident response infrastructure that is capable of detecting attacks, containing the damage, and restoring systems and data; agile, integrated, and automated security technology; and dynamic remediation strategies designed to quickly return business operations to a trusted state.

Ref - OpenText

_______________________________________________________________________________________

(March 25, 2021)


Fed breach disclosure rule after SolarWinds breach

An executive order in the wake of the SolarWinds hack will require software vendors and service providers to notify their U.S. government clients if they experience a security breach. Major software companies like Microsoft and Salesforce that sell to the government would be affected by the executive order.

Ref - CRN

_______________________________________________________________________________________

(March 25, 2021)


Fresh code execution flaws in the SolarWinds Orion platform

SolarWinds has shipped a major security update to fix at least four documented security vulnerabilities, including a pair of bugs that can be exploited for remote code execution attacks. The patches were pushed out as part of a minor security makeover of the Orion Platform, the same compromised SolarWinds product that was exploited in recent nation-state software supply chain attacks.


_______________________________________________________________________________________

(March 25, 2021)


SolarWinds making changes in the build process after the hack

SolarWinds’ chief executive said the software provider made a series of changes to its build process and board room reporting structure in an effort to prevent another supply chain attack like the one experienced by the company. The company is also taking a series of actions designed to boost the profile of cybersecurity in business decisions and increase the autonomy of its chief information security officer and CIO shops.

Ref - SC Media

_______________________________________________________________________________________

(March 25, 2021)


Some powerful tactics to prevent supply chain attacks

UpGuard recommends some defense tactics that organizations can implement to significantly decrease the chances of a supply chain attack. These include deploying honeytokens, securing privileged access management, implementing a zero-trust architecture, and adopting an assume-breach mindset when preparing the security strategy.

Ref - Upguard 

_______________________________________________________________________________________

(March 25, 2021)


‘Trust no one’ becomes cyber mantra after massive hacking attacks

In the wake of two massive cyberattacks that exposed glaring deficiencies in U.S. defenses, government officials and cybersecurity practitioners are saying zero-trust may be the way to stop the cyber mayhem. Zero-trust reduces or prevents lateral movement and privilege escalation.

Ref - JapanTimes 

_______________________________________________________________________________________

(March 24, 2021)


Securing the software development build using secure design

SolarWinds SVP, Engineering Lee McClendon, KPMG Director of Cyber Security Services Caleb Queern, and Head Geek Thomas LaRock provide insights on how SolarWinds is prioritizing security in its software build environment, and what the entire industry can learn about next-generation software development.

Ref - SolarWinds 

_______________________________________________________________________________________

(March 24, 2021)


SolarWinds attack and other threats indicate increased nation-state activity

Cyber attacks launched by nation-states are becoming more proficient and aggressive. This was the message from Admiral (ret.) Michael S. Rogers at the NetDiligence Cyber War Webinar Series. He said that the breadth of activity has now changed with the SolarWinds attack in December 2020 and the attack on Microsoft Exchange this month, both arguably evidence of increased nation-state activity.

Ref - Yahoo

_______________________________________________________________________________________

(March 23, 2021)


Attackers can abuse OAuth authentication apps used in the SolarWinds breach

Given the broad permissions they can have to your core cloud applications, OAuth apps have become a growing attack surface and vector. Attackers use various methods to abuse OAuth apps, including compromising app certificates, a method that was also used in the SolarWinds / Solorigate campaign. Attackers can use OAuth access to compromise and take over cloud accounts. Until the OAuth token is explicitly revoked, the attacker has persistent access to the user’s account and data.


_______________________________________________________________________________________

(March 23, 2021)


SolarWinds breach is one of the most challenging hacking incidents

The recent SolarWinds Senate hearing and a flurry of subsequent briefings have unearthed new questions around the attack. The acting director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Brandon Wales, has called it the most complex and challenging hacking incident the agency has come up against.

Ref - CyberArk

_______________________________________________________________________________________

(March 23, 2021)


Microsoft proposes incentivizing digital solutions to mitigate supply chain risk

The first step in strengthening supply chain security is to carefully identify the risks. Once those risks are identified, the industry can then work with the government to define risk-mitigating best practices and tailored technology-enabled solutions. Technology may not eliminate the need for more traditional restrictive measures in all contexts. But in many areas, technology-enabled solutions can both strengthen security and sustain tech leadership.

Ref - Microsoft  

_______________________________________________________________________________________

(March 22, 2021)


The ‘Frankencloud’ model is the biggest security risk

According to a researcher, information technology environments have evolved into a “Frankenstein” approach. Firms scrambled to take advantage of the cloud while maintaining their systems of record, which led to systems riddled with complexity and made up of disconnected parts put together.

Ref - TechCrunch

_______________________________________________________________________________________

(March 22, 2021)


The SolarWinds victims are now solidified

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, said that the list of victims from the attack on SolarWinds Orion has "solidified" and he is not expecting many more organizations to come forward. CISA is continuing to work with federal agencies to understand if any have been compromised.

Ref - FCW

_______________________________________________________________________________________

(March 22, 2021)


A report about SilverFish cyber-espionage group

The PRODAFT Threat Intelligence Team has published a report that gives an unusually clear look at the size and structure of organized cybercrime. It uncovered a global cybercrime campaign that uses modern management methods, sophisticated tools including its own malware testing sandbox. It has strong ties with the SolarWinds attack, the EvilCorp group, and some other well-known malware campaigns.


_______________________________________________________________________________________

(March 22, 2021)


Shell is another victim of the Accellion supply chain hack

Energy giant Shell has disclosed a data breach (via a supply chain attack) after attackers compromised the company's secure file-sharing system powered by Accellion's File Transfer Appliance (FTA). Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cybersecurity team, and started an investigation to better understand the nature and extent of the incident.


_______________________________________________________________________________________

(March 22, 2021)


The new insider threat of compromised partners

The current rash of financial fraud and supply chain attacks exploit a seemingly unsolvable vulnerability in security strategy. Attackers exploit the fact that a firm must communicate with its outside partners and vendors to thrive as a company or an institution. As they interact with partners, the door to exploitation opens, specifically in the form of supply chain attacks. These attacks are tremendously hard to detect since malware and malicious links are not necessary for successful exfiltration.


_______________________________________________________________________________________

(March 22, 2021)


Three vulnerabilities exposed during SolarWinds attack

The SolarWinds attackers leveraged three key vulnerabilities in the current IT ecosystem. They leveraged the supply chain weakness, injecting malware into the supplier's network to gain access to the core network. They also took advantage of single sign-on systems and exploited traditional multifactor authentication systems.

Ref - CPO Magazine 

_______________________________________________________________________________________

(March 22, 2021)


In wake of SolarWinds, Exchange attacks, the U.S. government calls for better information sharing

The new cybersecurity leadership in the Biden White House is brainstorming methods to establish new early warning systems that combine traditional intelligence agency methods with private sector expertise. Reportedly chief among the new approaches is establishing more profound information-sharing methods with the private sector.

Ref - CSO Online 

_______________________________________________________________________________________

(March 22, 2021)


KPMG advisory on SolarWinds attack

According to the recent KPMG advisory, each malware used during SolarWinds had a tactical purpose. SUNSPOT was designed by the threat actor(s) to function specifically within SolarWinds’ software build environment to insert a malicious backdoor called SUNBURST. TEARDROP and RAINDROP were designed to be used by the threat actor(s) to deploy a modified version of Cobalt Strike. Further, SUNSHUTTLE/GoldMax, GoldFinder, and Sibot are malicious tools reported to have been used by threat actor(s) in an environment where there was a pre-existing SUNBURST compromise.

Ref - KPMG

_______________________________________________________________________________________

(March 21, 2021)

How to prevent supply chain attacks

The key to mitigating supply chain security risks is to ensure each of your third-party vendors is compliant with the strictest cybersecurity standards, whether or not regulatory requirements are enforced. Complacency is the primary driver of supply chain attack vulnerability. To keep third-party vendors compliant, security questionnaires should be sent to each of them on a regular basis to continuously scrutinize their security posture.

Ref - UpGuard

_______________________________________________________________________________________

(March 21, 2021)


CISA releases a tool to detect SolarWinds malicious activity

The U.S. CISA has released a new tool (the CISA Hunt and Incident Response Program, or CHIRP) that detects malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise environments. It is a forensics collection tool that CISA developed to help network defenders find IOCs associated with activity detailed in the following CISA Alerts.


_______________________________________________________________________________________

(March 20, 2021)


SolarWinds is a major disaster in the modern era of computing

Researcher Davi Ottenheimer has compared the SolarWinds attack with a Dust Bowl disaster. According to him, Microsoft for so many years worked on an extremely expedited model with minimal security or ecosystem investment inviting a predictable disaster.


_______________________________________________________________________________________

(March 20, 2021)


A Swiss firm has accessed servers of a SolarWinds hacker

A Swiss cybersecurity firm says it has accessed servers used by a hacking group (SilverFish) tied to the SolarWinds breach, revealing details about who the attackers targeted and how they carried out their operation. The firm, PRODAFT, also said the hackers have continued their campaign through this month.

Ref - ProDaft

_______________________________________________________________________________________

(March 18, 2021)


Xcode Project spreading MacOS malware to Apple developers

Cybercriminals are targeting Apple developers with a trojanized Xcode project, which once launched installs a backdoor that has spying and data exfiltration capabilities. The malicious Xcode project, which researchers call XcodeSpy, installs a variant of the known EggShell backdoor on the developer’s macOS computer. 


_______________________________________________________________________________________

(March 18, 2021)


CISA releases detection tool for SolarWinds malicious activity 

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to detect post-compromise malicious activity associated with the SolarWinds hackers in on-premises enterprise environments. CISA Hunt and Incident Response Program (CHIRP), the new forensics collection tool, is a Python-based tool that helps detect SolarWinds malicious activity IOCs on Windows operating systems.


_______________________________________________________________________________________

(March 18, 2021)

SolarWinds-linked threat group SilverFish took advantage of enterprise victims

Swiss cybersecurity firm Prodaft said that SilverFish, a threat group, has been responsible for intrusions at over 4,720 private and government organizations, including Fortune 500 companies, ministries, airlines, defense contractors, audit and consultancy companies, and automotive manufacturers. SilverFish has been connected to the recent SolarWinds breach as "one of many" threat groups taking advantage of the situation.

Ref - ZDNet

_______________________________________________________________________________________

(March 18, 2021)


Beware the Package Typosquatting Supply Chain Attack

In a package typosquatting attack, the attacker publishes a package whose name closely mimics that of an existing package on a public registry (npm, PyPI, RubyGems and the like), in the hope that users or developers will accidentally download the malicious package instead of the legitimate one.


_______________________________________________________________________________________

(March 18, 2021)


XcodeSpy malware can target iOS devs in a supply chain attack

A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply chain attack to install a macOS backdoor on the developer's computer. Like other development environments, it is common for developers to create projects that perform specific functions and share them online so that other developers can add them to their own applications.


_______________________________________________________________________________________

(March 18, 2021)


NSA, Homeland Security push service to mitigate cyber-attacks

The National Security Agency and the Department of Homeland Security are encouraging government agencies and high-risk companies to embrace a system known as Protective DNS, in which a private security firm would monitor and filter web traffic. PDNS blocked connections to malicious websites millions of times in a recent test involving five U.S. defense contractors.

Ref - Bloomberg
 
_______________________________________________________________________________________

(March 18, 2021)


Will the U.S. never be safe from cyberattacks?

While Washington grapples with how to prevent another attack of this scale (the SolarWinds breach), the hard truth is this: there is no such thing as a foolproof cybersecurity defense, because human beings write computer code, and despite being incredibly smart, those people make mistakes. Each minuscule error creates one more pathway for hackers to launch cyberattacks.

Ref - Yahoo

_______________________________________________________________________________________

(March 18, 2021)


Rethinking Patch management after SolarWinds breach

The SolarWinds breach, in which hackers inserted malware into software updates sent to thousands of customers and created a backdoor to their IT systems, suggests organizations need to rethink patch management. To identify known and potential vulnerabilities, security leaders need a software bill of materials (SBOM) for software and devices deployed into their environment, as well as for new updates and patches.


_______________________________________________________________________________________

(March 17, 2021)


Zero-trust helped Splunk dodge supply chain attack

Events like the SolarWinds breach are reminders of how important it is for organizations, especially high-profile organizations in industry and government, to have a zero-trust architecture in place. Many organizations are building out an in-depth set of data analytics capabilities as part of a broader zero-trust strategy, and then using those capabilities to improve visibility and security operations.


_______________________________________________________________________________________

(March 17, 2021)


SolarWinds attackers gained access to Mimecast’s production environment

Mimecast acknowledged that the threat actor responsible for the SolarWinds attack used the supply chain compromise to gain entry to a part of Mimecast’s production grid environment, accessing certain Mimecast-issued certificates and related customer-server-connection information.

Ref - SC Media

_______________________________________________________________________________________

(March 17, 2021)


Lawmakers drilled multiple agencies for SolarWinds attack

The bipartisan leaders of a House panel drilled multiple agencies for updates on the SolarWinds hack, a mass cyber campaign that compromised at least nine federal agencies and 100 private sector groups. Members of the Energy and Commerce Committee sent letters demanding answers to the leaders of the departments of Commerce, Energy, Health and Human Services, as well as the Environmental Protection Agency.

Ref - The Hill

_______________________________________________________________________________________

(March 17, 2021)


Spotting APT Activity associated with SolarWinds and Active Directory/M365 Compromise

CISA has released a table of tactics, techniques, and procedures used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify the APT's TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.

Ref - CISA

_______________________________________________________________________________________

(March 17, 2021)


Key takeaways for security admins from SolarWinds attacks

Security and IT admins can take note of several key points regarding supply chain attacks. Potential supply chain attack victims often lack access to the right tools. The Golden SAML attack allowed attackers to jump from on-premises systems to cloud systems, effectively bypassing MFA and exposing weaknesses in current authentication systems.

Ref - CSO Online 

_______________________________________________________________________________________

(March 17, 2021)


How the Linux Foundation’s software signing combats supply chain attacks

The Linux Foundation is launching sigstore, a free service jointly developed with Google, Red Hat, and Purdue University, that software developers can use to digitally sign their software releases. sigstore protects open source consumers from attacks such as dependency confusion, which dupes package managers into installing a remotely-hosted malicious version of a locally-available resource such as a library file.


_______________________________________________________________________________________

(March 16, 2021)


Biden's supply chain EO may uncover these cyber risks

While the government continues to assess the scope and scale of the SolarWinds breach, the White House is now directing various executive departments to assess the risks in their respective supply chains. The executive order calls for both 100-day immediate reviews of certain products, as well as year-long sectoral supply chain reviews of the defense, health, transportation, and agriculture industries, among others.

Ref - FCW 

_______________________________________________________________________________________

(March 16, 2021)


Mimecast decommissioned SolarWinds Orion after hack

The Lexington, Mass.-based email security vendor - Mimecast - became one of the first SolarWinds hack victims to publicly announce they’re dumping the industry-leading Orion network monitoring platform for a competing product. Industry experts had considered it unlikely that the hack would lead to many customers getting rid of SolarWinds due to the unique visibility and monitoring features Orion offers.

Ref - CRN

_______________________________________________________________________________________

(March 16, 2021)


SolarWinds underestimated network’s role in security

According to Juniper Networks VP of Security Business and Strategy Samantha Madrid, the SolarWinds hack has put a fine point on the importance of network security. While the full scope of the supply chain attack remains under investigation, it brought network visibility and the need for security enforcement at every point of connection into sharper focus.


_______________________________________________________________________________________

(March 16, 2021)


Using CodeQL to spot traces of Solorigate

If a build server is backdoored with the build hijacking component of the Solorigate malware campaign, the malware will inject additional source code at compilation time. If CodeQL is observing the build process on the infected server, it will extract the injected malicious source code together with the genuine source code. The resulting CodeQL database will therefore contain traces of the malicious Solorigate source code.

Ref - GitHub

_______________________________________________________________________________________

(March 16, 2021)


Mimecast confirms that SolarWinds hackers used Sunburst malware for initial intrusion

Mimecast has confirmed that the state-sponsored SolarWinds hackers who breached its network earlier this year used the Sunburst backdoor during the initial intrusion. Using this entry point, the threat actor accessed certain Mimecast-issued certificates and related customer server connection information.


_______________________________________________________________________________________

(March 16, 2021)


How to prevent supply chain attacks?

Here are 11 cybersecurity strategies that could help prevent supply chain attacks: implement honeytokens, secure privileged access management, implement a zero-trust architecture, assume a data breach will happen, identify all potential insider threats, protect vulnerable resources, minimize access to sensitive data, implement strict shadow IT rules, send regular third-party risk assessments, monitor vendor networks for vulnerabilities, and identify all vendor data leaks.

Ref - UpGuard

_______________________________________________________________________________________

(March 16, 2021)


Software supply chain attacks are not easy to tackle

As companies scramble to investigate whether their own systems and data were potentially impacted by the SolarWinds compromise, executives, boards, and customers are discovering that the threat of supply chain attacks expands beyond this one single incident and that mitigating the risks associated with them is not straightforward.


_______________________________________________________________________________________

(March 15, 2021)


Security ratings could raise the bar on cyber hygiene

Plans from the Biden administration to release a product security rating system could raise the bar for security overall but won’t likely prevent the next SolarWinds or Microsoft hacks. Experts say the simplicity of that concept is both its strength and its weakness: it’s a concept that is easy to understand and could drive compliance with a set of standards, but it won’t prevent more sophisticated attacks.


_______________________________________________________________________________________

(March 15, 2021)


Better security approach against supply chain attacks 

Effective procurement language should be developed that holds a supplier or other third party contractually liable for the statements they make about the quality, reliability, and security of the software they provide. Organizations need to consider the software and service provider's processes when discussing a partnership and defining what security measures will be implemented.

Ref - Medium

_______________________________________________________________________________________

(March 15, 2021)


TIA reveals new global supply chain security standard - SCS 9001

The Telecommunications Industry Association (TIA) has published a new white paper on SCS 9001, the first process-based supply chain security standard for the information communications technology (ICT) industry. Scheduled to release later this year, the new standard will be measurable and verifiable as a means for service providers, manufacturers, and vendors to ensure that their supply chains meet the critical requirements needed to mitigate the risk of cybersecurity breaches and attacks.

Ref - Yahoo 

_______________________________________________________________________________________

(March 15, 2021)


SolarWinds attacks recovery could take the U.S. government 18 months

Brandon Wales, acting director of CISA, said that the U.S. government’s recovery effort from the SolarWinds supply chain attack could take well into 2022. This prediction reflects the complex nature of the breach and the length of time during which the attackers hid in their victims’ networks.


_______________________________________________________________________________________

(March 14, 2021)


White House seeks new cybersecurity approach after failing to detect hacks

The sophisticated hacks pulled off by Russia and China against a broad array of government and industrial targets in the United States, and the failure of the intelligence agencies to detect them, are driving the Biden administration and Congress to rethink how the nation should protect itself from growing cyber threats. Both attacks were run from servers inside the U.S., putting them out of reach of the NSA's early warning system.


_______________________________________________________________________________________

(March 14, 2021)

Software Bill Of Materials: an efficient mitigation strategy for supply chain attacks

There is an efficient mitigation strategy for supply chain attacks: the bill of materials, or “BOM”. In its simplest form, the BOM is similar to a long list of ingredients, in which all materials and quantities needed to manufacture an end product are listed. If the “BOM” is done with great precision, it is possible to provide deep insight into the product and all its parts and its corresponding supply chain vulnerabilities.

Ref - Medium

_______________________________________________________________________________________

(March 13, 2021)


Security best practices after SolarWinds supply chain attack

Implementing the supply chain security best practices can help mitigate third-party risk and meet the needs of the changing enterprise ecosystem. Users are recommended to conduct asset and access inventories, elevate third-party risk management and ensure third-party relationships are collaborative.


_______________________________________________________________________________________

(March 12, 2021)


A senior administration official on the response to the Microsoft and SolarWinds intrusions

According to a senior administration official, they are in week three of a four-week remediation across the federal government. The compromised agencies were all tasked to do a particular set of activities and then to have an independent review of their work to ensure the adversary had been eradicated. Most of the agencies have completed that independent review and the rest will complete it by the end of March.


_______________________________________________________________________________________

(March 12, 2021)


SolarWinds and Microsoft hacks spark debate over western retaliation

Cyber experts have cautioned that retaliation for the SolarWinds and Microsoft hacks may not be justified. The SolarWinds and Microsoft hacks are not incidents of conflict in any conventional sense; they are espionage, and so part of the continual interaction between these states.


_______________________________________________________________________________________

(March 12, 2021)


The first-ever U.S. national cyber director after SolarWinds breach

The new national cyber director will be responsible for crafting a national cyber strategy as well as driving more consistency across civilian government networks. If disaster strikes, the director will serve as the point person in coordinating the government’s nonmilitary response. 

Ref - Fortune

_______________________________________________________________________________________

(March 11, 2021)


Risks of supply chain attacks for organizations

Supply chain security risks are not new, but recent headlines are a reminder for consumers to re-examine their security practices. The SolarWinds/Orion cyberattack had impacted more than 18,000 organizations, and it might serve as the major point of attention for dealing with digital supply chain risks.

Ref - Synopsys

_______________________________________________________________________________________

(March 11, 2021)


Managing supply chain security risk 

After the SolarWinds attack, information security and risk management teams need to think beyond third-party and vendor risk management. Supply chain risk management should be built on existing standardized practices across many existing risk practices and disciplines. It also requires cooperation and collaborative relationships within all areas of the organization.


_______________________________________________________________________________________

(March 11, 2021)


Embedded devices are a blind spot in the SolarWinds attack

Attention so far has focused on how the SolarWinds attackers accessed networks, whether through Office 365 or VMware, and on a separate campaign that exploited a bug in SolarWinds. However, the industry is overlooking a more nefarious but equally plausible objective: attackers may have used SolarWinds as a pathway into key networks where they could access and burrow deep into the embedded devices in industrial control systems.

Ref - The Hill

_______________________________________________________________________________________

(March 11, 2021)


Nation-state hackers exploited the U.S. Internet security gap

U.S. lawmakers and security experts are voicing concern that foreign governments are staging cyberattacks using servers in the U.S., in an apparent effort to avoid detection by America’s principal cyberintelligence organization. When hackers recently targeted servers running Microsoft Corp.’s Exchange software, they employed U.S.-based computers from at least four service providers to mount their attack, according to an analysis by the threat intelligence company DomainTools LLC.


_______________________________________________________________________________________

(March 10, 2021)


Risks of integrating technology vulnerabilities into the foundational technology

SolarWinds attacks and other events in 2020 spotlight a new burden to manage for C-Suites/Boards: The malicious supply chain influences of nation-state intelligence services. In recent supply chain attacks, the adversaries are not just finding & exploiting technology vulnerabilities, but actually creating & integrating them into the foundational technology. 

Ref - Forbes

_______________________________________________________________________________________

(March 10, 2021)


Hacker group claims access to internal video feeds by compromising supplier

Hackers said they accessed internal video feeds at several companies, including Tesla Inc., and at public agencies by breaching the network of security-camera vendor Verkada Inc., the latest cybersecurity incident in which a supplier unwittingly opened a back door into client networks. The group found a username and password for a Verkada administrative account on the internet, permitting them to obtain the footage.


_______________________________________________________________________________________

(March 10, 2021)


How to beat the new breed of Supply Chain attacks

The plethora of new malware strains (e.g., SUNBURST, SUPERNOVA, GoldMax, Sibot, and GoldFinder) that have emerged in the wake of the SolarWinds breach should force all enterprises to take the supply chain attack vector seriously. Comparing traditional supply chain attacks with the recent SolarWinds and Microsoft hacks, it is clear that attackers have upped their game to a whole new level, both in sophistication and tactics.

Ref - SentinelOne 

_______________________________________________________________________________________

(March 10, 2021)


Monitoring the software supply chain in Microsoft environment

Microsoft has described ways to monitor the software development, build, and release process via Azure Sentinel, specifically to detect any NOBELIUM-related activity. The blog uses Microsoft's security monitoring solution Azure Sentinel and Microsoft's cloud CI/CD solution Azure DevOps as its focus; however, the monitoring principles and approaches could also be applied to other technology stacks.

Ref - Microsoft 

_______________________________________________________________________________________

(March 10, 2021)


SolarWinds is not an isolated event going forward - VMware Report

The 2021 Global Cybersecurity Outlook report from VMware Security Business Unit suggests that "island-hopping" attacks are on the rise, in which attackers jump from one network to another along a supply chain, as occurred in the SolarWinds attack. Organizations have to realize that it is no longer simply about whether breaches along their supply chains can be leveraged to attack them, but whether they themselves can be used to attack their customers.


_______________________________________________________________________________________

(March 9, 2021)


The inside story of the stealthy SolarWinds SUNBURST attack

The SolarWinds attack was performed without weaponizing any (yet known) zero-day vulnerability. The attackers were able to make their malicious version of the SolarWinds Orion DLL look like a normal version of the software. It was virtually impossible to detect because everything looked official. But as the attackers begin to move through a network by accessing new accounts, the abnormal behavior of the targeted users and the devices they operate opens a new window of opportunity for detection.

Ref - Varonis 


_______________________________________________________________________________________

(March 9, 2021)


The separate SolarWinds attack described by researchers

Russian hackers apparently weren't the only ones targeting SolarWinds customers. Researchers from Secureworks discovered the 'Spiral' attack on one organization in November 2020, when they spotted hackers exploiting a SolarWinds Orion API vulnerability on an internet-facing SolarWinds server during an incident response effort. Spiral's activities are separate from the SolarWinds supply chain compromise first reported in December 2020.


_______________________________________________________________________________________

(March 9, 2021)


Microsoft released a patch for older versions of Exchange

Microsoft has released security updates for unsupported versions of Exchange email servers following widespread attacks exploiting four newly discovered security vulnerabilities. The security updates for older versions of Exchange only address the four newly disclosed flaws, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The issues affect on-premises Exchange servers.

Ref - ZDNet

_______________________________________________________________________________________

(March 9, 2021)


Implications of recent supply chain attacks

The implications of SolarWinds have made all CSOs rethink their approach to cybersecurity. For decades, manufacturing equipment would operate in isolation from public networks to keep adversarial agents from gaining access and potentially disrupting operations. However, as supply chains became more intertwined with operations, third parties were granted access to those systems in order to automate the ordering and fulfillment of maintenance and materials.

Ref - Forbes

_______________________________________________________________________________________

(March 9, 2021)


Analysis of the biggest Python supply chain attack ever

On March 1st, 2021, a newly created account on the Python Package Index (PyPI) uploaded 3591 new packages. Each package had a name that closely resembled the name of another popular package. However, the script in each package only signals to someone that it was successfully downloaded and installed, and does nothing beyond that. This could be the work of a security researcher who wanted to raise awareness about typosquatting supply chain attacks by publishing a lot of fake packages and collecting statistics about how many times each one was downloaded.

Ref - Sogeti

_______________________________________________________________________________________

(March 9, 2021)


More clues appear to link Supernova web shell activity to China

According to Secureworks' new report, the authentication bypass vulnerability in SolarWinds Orion API, tracked as CVE-2020-10148, that can lead to remote execution of API commands, has been actively exploited by Spiral. When vulnerable servers are detected and exploited, a script capable of writing the Supernova web shell to disk is deployed using a PowerShell command.

Ref - TechRadar 

_______________________________________________________________________________________

(March 8, 2021)


‘Retaliation’ for Russia's SolarWinds spying might not be a good idea for the US

Before the US mounts a saber-rattling counterattack, it should pin down exactly what line Russia crossed. Any rule that could justify retaliation for SolarWinds is one that the US also violates with its own cyberespionage. And there is still no evidence that Russia's hacking, in this case, went beyond the stealthy intelligence gathering of the sort the US performs routinely around the world.

Ref - Wired 

_______________________________________________________________________________________

(March 8, 2021)


Hackers who hid Supernova malware in SolarWinds Orion linked to China

Intrusion activity related to the Supernova malware, that was planted on compromised SolarWinds Orion installations exposed on the public internet, points to an espionage threat actor based in China. Security researchers named this hacker group ‘Spiral’ and correlated findings from two intrusions in 2020 on the same victim network to determine activity from the same intruder.


_______________________________________________________________________________________

(March 8, 2021)


SolarWinds Breach: Supernova malware linked to a China-based threat group

Secureworks' counter-threat unit (CTU) said that during late 2020, a compromised Internet-facing SolarWinds server was used as a springboard to deploy Supernova, a .NET web shell. Similar intrusions on the same network suggest that the Spiral threat group, suspected of a Chinese origin, is to blame for both cases. According to the researchers, CVE-2020-10148 has been actively exploited by Spiral.

Ref - ZDNet

_______________________________________________________________________________________

(March 8, 2021)


A supply chain attack is targeting the Python community with 4000 fake modules

A user has uploaded 3951 utterly bogus PyPI packages whose names are near-miss versions of the names of several genuine Python packages. None of these fake packages contained outright malware, or indeed any permanent package code at all. However, some of them (if not all) included a Python command that was intended to run when the package was installed, rather than when it was used.

Ref - Sophos

_______________________________________________________________________________________

(March 6, 2021)


This new type of supply-chain attack has serious consequences 

A new type of supply chain attack (dubbed Dependency Confusion) unveiled last month is targeting more and more companies, with new rounds this week taking aim at Microsoft, Amazon, Slack, Lyft, Zillow, and an unknown number of others. In weeks past, Apple, Microsoft, Tesla, and 32 other companies were targeted by a similar attack that allowed a security researcher to execute unauthorized code inside their networks.


_______________________________________________________________________________________

(March 5, 2021)


A supply chain attack has breached multiple airlines

A communications and IT vendor for 90 percent of the world’s airlines, SITA, has been breached, compromising passenger data stored on the company’s U.S. servers in what the company is calling a highly sophisticated attack. The affected servers are in Atlanta and belong to the SITA Passenger Service System (SITA PSS).


_______________________________________________________________________________________

(March 5, 2021)


Singapore is the latest victim of supply chain attack

An aviation IT company, that says it serves 90% of the world's airlines, has been breached in what appears to be a coordinated supply chain attack. Customers of at least four companies - Malaysia Airlines, Singapore Airlines, Finnair Airlines, and Air New Zealand - may have been affected by the incident.


_______________________________________________________________________________________

(March 5, 2021)


Microsoft is now adopting an aggressive strategy for sharing SolarWinds hack intel

Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance, explains the company's approach to keeping its customers and the industry apprised and updated on its findings from the now-infamous SolarWinds attack. In the wake of a widespread cyberattack, enterprise IT providers can play a key role in how businesses learn about and mitigate the security threat.


_______________________________________________________________________________________

(March 5, 2021)


SolarWinds: 30,000 organizations' email hacked via Microsoft Exchange Server vulnerabilities 

Four exploits found in Microsoft’s Exchange Server software have reportedly led to over 30,000 US governmental and commercial organizations having their emails hacked, according to a report by KrebsOnSecurity. The vulnerabilities allowed hackers to gain access to email accounts, and also gave them the ability to install malware that might let them back into those servers at a later time.

Ref - The Verge

_______________________________________________________________________________________

(March 4, 2021)


Researchers disclosed additional malware linked to SolarWinds attackers

Researchers with Microsoft and FireEye have uncovered more custom malware used by the threat group behind the SolarWinds attack: three new malware families, named GoldMax, Sibot, and GoldFinder.


_______________________________________________________________________________________

(March 3, 2021)


Malicious code bombs are targeting Amazon, Lyft, Slack, Zillow via supply chain attacks

Attackers have weaponized code dependency confusion to target internal apps at tech giants. Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack, and Zillow (among others) inside the npm public code repository — all of which exfiltrate sensitive information.


_______________________________________________________________________________________

(March 3, 2021)


SolarWinds breach showed increased sophistication of advanced threat actors

Microsoft has highlighted the increasingly sophisticated cyber-threat landscape, particularly as a result of the rise in nation-state attacks. During a session at the Microsoft Ignite event, the company outlined some of the trends it is seeing and actions it is taking to help mitigate them in the future.


_______________________________________________________________________________________

(March 2, 2021)


SolarWinds breach cost $3.5 million in expenses 

SolarWinds has reported expenses of $3.5 million from last year's supply-chain attack, including costs related to incident investigation and remediation. Further expenses were recorded by SolarWinds after paying for legal, consulting, and other professional services related to the December hack and provided to customers for free.


_______________________________________________________________________________________

(March 1, 2021)


Dependency Confusion is being used to create copycat packages

Sonatype has identified new “dependency confusion” packages published to the npm ecosystem that are malicious in nature. These squatted packages are named after repositories, namespaces, or components used by popular companies such as Amazon, Zillow, Lyft, and Slack.

Ref - Sonatype

_______________________________________________________________________________________

(March 2, 2021)


The SolarWinds hack compromised NASA and FAA

In addition to infiltrating the unclassified networks of seven other US government agencies, the suspected Russian hackers who compromised the IT services firm SolarWinds as a jumping-off point also penetrated NASA and the Federal Aviation Administration. The seven other breached agencies are the Departments of Commerce, Homeland Security, Energy, and State, the US Treasury, the National Institutes of Health, and the Justice Department. The White House said earlier this month that hackers also compromised 100 companies in the spree.

Ref - Wired

_______________________________________________________________________________________

(February 25, 2021)

Microsoft now sharing CodeQL queries for scanning for SolarWinds-like implant code

Microsoft has open-sourced the CodeQL queries that developers can use to scan source code for malicious implants matching the SolarWinds supply-chain attack. Microsoft originally created these queries to scan its own codebase for implants matching the SolarWinds IOCs and confirm that the attackers had not modified its code.


_______________________________________________________________________________________

(February 25, 2021)


Security experts were blindsided by the SolarWinds attack

The SolarWinds cyberattack on U.S. government agencies and private organizations was and is frightening in its scale and success. The government agencies charged with defending against such things proved no match for it, and the attack brought into sharp focus the fact that the government’s current model for responding to cyber threats is lacking. In a sense, the SolarWinds attack seemed designed to exploit a lack of communication and cooperation between government and private-sector security experts.

Ref - Medium

_______________________________________________________________________________________

(February 25, 2021)


SolarWinds hackers take advantage of Amazon Elastic Compute Cloud

Amazon Web Services admitted that hackers used its systems in the SolarWinds campaign but reiterated the cloud computing giant wasn’t itself infected with malware. The actors used EC2 [Amazon Elastic Compute Cloud] just like they would use any server they could buy or use anywhere (on-premises or in the cloud). And, in fact, the actors did use several different service providers in this manner.

Ref - CRN

_______________________________________________________________________________________

(February 24, 2021)


SolarWinds breach is one of the biggest attacks ever - US Senate committee

The United States Senate's select committee on intelligence met to hear evidence from tech executives regarding the historic hack on Texas-based company SolarWinds. The committee heard that both the scale and sophistication of the attack were greater than had been previously thought.


_______________________________________________________________________________________

(February 24, 2021)


More SolarWinds breach victims could still be undisclosed

Microsoft believes that the SolarWinds hackers may have used up to a dozen different means of getting into victims’ networks over the past year, a higher estimate than previously understood. It is likely that more brand-name players were penetrated in the SolarWinds breach but have not come forward as other victims did, leaving policymakers and potential customers in the dark.

Ref - WSJ

_______________________________________________________________________________________

(February 24, 2021)


Important takeaways from the US Senate's hearing of SolarWinds breach

The Senate Intelligence Committee held its first public hearing on the SolarWinds hack, and there are five key takeaways: fingers pointed to Russia as the hack's perpetrator, and companies want the US to hold Russia accountable. Amazon was a no-show despite being invited, and lawmakers weren't happy about it. Lawmakers and tech leaders agreed that there should be more robust information-sharing around cyber threats. A new law setting standards for breached companies could be on the horizon. In addition, the hearings showed cooperation between the government and industry.


_______________________________________________________________________________________

(February 24, 2021)


SolarWinds hackers targeted NASA and Federal Aviation Administration networks

Hackers are said to have broken into the networks of U.S. space agency NASA and the Federal Aviation Administration as part of a wider espionage campaign targeting U.S. government agencies and private companies. The two agencies were named by the Washington Post, hours ahead of a Senate Intelligence Committee hearing tasked with investigating the widespread cyberattack.


_______________________________________________________________________________________

(February 24, 2021)


There is substantial evidence of Russian involvement in SolarWinds breach

Microsoft directly blamed Russia's foreign intelligence service for the devastating security breach of at least nine federal agencies and dozens of private businesses, going further than US government officials have to date in their public attribution for the hack. Microsoft President Brad Smith said it would likely take time for the US government to formally reach the same conclusion.

Ref - CNN

_______________________________________________________________________________________

(February 23, 2021)


SolarWinds attackers stayed for several months in FireEye's network

The attackers who infiltrated SolarWinds Orion's software build and updates had spent several months embedded in FireEye's network. The attacker wasn't alive every single day on their network, Kevin Mandia, CEO of FireEye told the US Senate Intelligence Committee in response to a question about the attack time frame on FireEye's network.


_______________________________________________________________________________________

(February 23, 2021)


Finding answers on the SolarWinds breach

Key senators and corporate executives warned at a hearing on the SolarWinds breach that the “scope and scale” of the recent hacking of government agencies and companies, the most sophisticated in history, were still unclear. The National Security Agency, despite spending billions of dollars planting sensors in networks around the world, missed the evidence for more than a year.


_______________________________________________________________________________________

(February 23, 2021)


AWS infrastructure was used in SolarWinds hack

Senators slammed Amazon Web Services for refusing to testify at a hearing about the SolarWinds intrusion given the public cloud giant’s infrastructure was used in the attack. Specifically, Amazon Web Services hosted most of the secondary command and control nodes in the SolarWinds attack.

Ref - CRN

_______________________________________________________________________________________

(February 23, 2021)


Mandatory breach disclosure in wake of SolarWinds breach

Lawmakers and witnesses at the Senate Intelligence Committee’s hearing on SolarWinds emphasized the possibility of legislation mandating certain businesses to disclose some breaches to the federal government. Currently, there is no rule mandating a company like FireEye to disclose a breach to the federal government, even when national security is a concern.

Ref - SCMagazine

_______________________________________________________________________________________

(February 23, 2021)


There could be more tech firms besides SolarWinds used to hack targets

The hackers used a variety of legitimate software and cloud hosting services to access the systems of nine federal agencies and 100 private companies. They used Amazon Web Services cloud hosting to disguise their intrusions as benign network traffic. Additionally, the hackers didn't use the malware planted in SolarWinds' Orion products to breach nearly a third of the victims. Instead, they had access to other hacking techniques, all of which investigators are still unraveling.

Ref - CNET

_______________________________________________________________________________________

(February 23, 2021)


Reasons why SolarWinds was so vulnerable to a hack

SolarWinds outsourced much of its software engineering to cheaper programmers overseas, even though that typically increases the risk of security vulnerabilities. For a while, in 2019, the update server’s password for SolarWinds network management software was reported to be “solarwinds123.” Russian hackers were able to breach SolarWinds' own email system and lurk there for months.


_______________________________________________________________________________________

(February 23, 2021)


Biden administration preparing to sanction Russia for SolarWinds hacks

The Biden administration is preparing sanctions and other measures to punish Moscow for actions that go beyond the sprawling SolarWinds cyber espionage campaign to include a range of malign cyber activity and the near-fatal poisoning of a Russian opposition leader, said U.S. officials familiar with the matter.


_______________________________________________________________________________________

(February 23, 2021)


SolarWinds hack grabs senate spotlight 

The Senate Intelligence Committee, led by Senator Mark Warner, will convene for the first public hearing on the attack, which was disclosed in December. It will hear testimony from Sudhakar Ramakrishna, the president and chief executive officer of SolarWinds, and Microsoft Corp. President Brad Smith, in addition to Crowdstrike Holdings Inc. CEO George Kurtz and Kevin Mandia, CEO of FireEye Inc.

Ref - Bloomberg 

_______________________________________________________________________________________

(February 23, 2021)


The Anatomy of the SolarWinds attack chain

The compromise of identity and manipulation of privileged access was instrumental in the success of the SolarWinds attack. Researchers are trying to deconstruct the attack so organizations can better understand what they’re up against and prioritize efforts to reduce the most risk.

Ref - CyberArk 

_______________________________________________________________________________________

(February 23, 2021)


Top executives from SolarWinds, Microsoft, FireEye, CrowdStrike face Senate grilling

Top executives at Texas-based software company SolarWinds, digital giant Microsoft and cybersecurity firms FireEye and CrowdStrike are expected to defend their companies’ responses to a sprawling series of breaches blamed on Russian hackers when they face the U.S. Senate’s Select Committee on Intelligence.

Ref - Reuters 

_______________________________________________________________________________________

(February 22, 2021)


The U.S. House committee hearing on 'SolarWinds' hack

The U.S. House of Representatives’ Oversight and Homeland Security Committees will hold a joint hearing on 26 February on cybersecurity incidents including the attack targeting SolarWinds Orion Software. Top executives from SolarWinds Corp, FireEye Inc, and Microsoft Corp will testify at the hearing.

Ref - Reuters

_______________________________________________________________________________________

(February 22, 2021)


SolarWinds-like breach could have happened to anyone

In the first of several public appearances, the CEO of SolarWinds is publicly discussing the breach of his company's software two months after reports surfaced that multiple government agencies may have been breached through a backdoor vulnerability. His message to others: this could have happened to anyone.

Ref - FCW

_______________________________________________________________________________________

(February 22, 2021)


Lessons learned from SolarWinds breach 

According to the CEO of SolarWinds, there are three lessons from the recent attack: the first is how to improve infrastructure security within the enterprise; the second is how to improve the build infrastructure within the enterprise; the third is how to improve software development processes and life cycles to the point where they essentially evolve into secure development lifecycle processes.

Ref - CSIS.org

_______________________________________________________________________________________

(February 22, 2021)


SolarWinds hackers continued attacking Microsoft until January

The SolarWinds hackers continued efforts to infiltrate Microsoft until early January, keeping up the assault even after Microsoft revealed its source code had been compromised. The hackers lost source repository access after Microsoft secured its compromised accounts, but the threat actor kept making unsuccessful attempts to regain access all the way until early January.

Ref - CRN 

_______________________________________________________________________________________

(February 22, 2021)


Researchers expecting another SolarWinds attack

People are too reliant on technology like email to protect themselves with digital walls they’ve long outgrown. There will certainly be another SolarWinds until we remember the more fundamental question of “what does the attacker want?” and work to apply it on all possible platforms.

Ref - SC Mag 

_______________________________________________________________________________________

(February 21, 2021)


National security adviser vows a quick response to SolarWinds hack

White House national security adviser Jake Sullivan said the White House has asked the intelligence community to do more work to sharpen the attribution made by the Trump administration. This includes details about how the hack occurred, the extent of the damage, and the scope and scale of the breach.

Ref - CBS News 

_______________________________________________________________________________________

(February 20, 2021)


Within weeks, the US will be prepared to take the first steps to respond to SolarWinds attacks

National security adviser Jake Sullivan has said that the US will be taking a series of steps to respond to the devastating SolarWinds cyber hack and hold accountable those responsible within a few weeks instead of months, as anticipated earlier. The Biden administration is focused on identifying more precisely the culprit behind the suspected Russian spying campaign that targeted at least nine federal agencies and at least 100 private-sector businesses.

Ref - CNN 

_______________________________________________________________________________________

(February 19, 2021)


SolarWinds hackers had access to Microsoft source code

The hackers behind the worst intrusion of U.S. government agencies in years won access to Microsoft’s secret source code for authenticating customers, potentially aiding one of their main attack methods. Microsoft had said before that the hackers had accessed some source code, but had not said which parts, or that any had been copied.

Ref - Reuters

_______________________________________________________________________________________

(February 19, 2021)


The scale of the SolarWinds breach is now visible

In a recent interview with CBS News’ 60 Minutes, Microsoft president Brad Smith answered many questions as to the scale of the attack and Microsoft’s unprecedented response to the incident. As to the scale, Smith and many others believe that the attack may have been the largest and most sophisticated the world has seen. Other reports estimate that 18,000 organizations may have been impacted by the attack.

Ref - PCrisk

_______________________________________________________________________________________

(February 18, 2021)


Microsoft recommends zero-trust architecture after SolarWinds attacks

The Microsoft Security Research Center, which has shared learnings and guidance throughout the Solorigate incident, confirmed that following the completion of their internal investigation they found no evidence that Microsoft systems were used to attack others. However, the tech firm recommended that organizations should deploy zero-trust architecture and defense-in-depth protection. 

Ref - Microsoft

_______________________________________________________________________________________

(February 19, 2021)


SolarWinds hackers had access to Microsoft’s secret source code

The hackers behind the intrusion of U.S. government agencies had access to Microsoft’s secret source code for authenticating customers. Some of the code was downloaded, the company said, which would have allowed the hackers even more freedom to hunt for security vulnerabilities, create copies with new flaws, or examine the logic for ways to exploit customer installations.

Ref - Reuters

_______________________________________________________________________________________

(February 18, 2021)


Need for a contact tracing approach after SolarWinds breach

According to researchers, the recent SolarWinds breach shows a need for a contact tracing approach for organizations to strengthen their own internal investigations. It can dramatically reduce the time it takes to discover how far an attacker has penetrated into their networks, and identify if other related systems in their supply chains, customers, and partner networks have also been compromised.

Ref - Fortune

_______________________________________________________________________________________

(February 18, 2021)


Microsoft pushes companies toward zero trust after SolarWinds breach

Vasu Jakkal, Microsoft corporate vice president of security, compliance and identity, has said that none of Microsoft’s internal systems were used to attack others because of the zero trust approach followed by the company. The probe also found no evidence of access to Microsoft’s production services or customer data.

Ref - SC Media

_______________________________________________________________________________________

(February 18, 2021)


SolarWinds attackers downloaded Azure and Exchange source code

Microsoft announced that the SolarWinds hackers gained access to source code for a limited number of Azure, Intune, and Exchange components. For a small number of repositories, there was additional access, and downloading of component source code. These repositories contained code for a small subset of Azure components, Intune components, and Exchange components.


_______________________________________________________________________________________

(February 18, 2021)


SolarWinds breach targeted 100 companies and took months of preparation

A White House team leading the investigation into the SolarWinds hack is worried that the breach of 100 US companies has the potential to make the initial compromise a much more serious threat in the future. Anne Neuberger, deputy national security advisor for Cyber and Emerging Technology at the White House, said in a press briefing that nine government agencies were breached, while many of the 100 private-sector US organizations that were breached were technology companies.

Ref - ZDNet

_______________________________________________________________________________________

(February 18, 2021)


Efficacy of SolarWinds attack 

The sheer sophistication of the SolarWinds incident is fascinating. At a technical level, it is a multilayered infiltration involving custom malicious tooling, backdoors, and cloaked code, far beyond the skill of script kiddies so often seen exploiting more obvious errors. In addition, it was carried out with code that looked completely benign.


_______________________________________________________________________________________

(February 18, 2021)


White House planning for an executive action after SolarWinds hack

In an update on the investigation into the SolarWinds supply chain attack, Deputy National Security Adviser Anne Neuberger said that the Biden administration is preparing "executive action" to address security shortcomings that have come to light. Neuberger, who was recently named coordinator of the investigation into the attack, made her comments at a White House press briefing.


_______________________________________________________________________________________

(February 18, 2021)


SolarWinds attackers studied Azure’s secret source code

The hackers behind the worst intrusion of U.S. government agencies in years gained access to Microsoft's secret source code for authenticating customers, one of the biggest vectors used in the attacks. Microsoft revealed that its internal investigation had found that the hackers studied parts of the source code instructions for its Azure cloud programs related to identity and security, its Exchange email programs, and Intune management for mobile devices and applications.

Ref - Dell

_______________________________________________________________________________________

(February 18, 2021)


Learnings for the financial services sector from the SolarWinds attacks

The SolarWinds cyber-attack includes some important lessons for financial services institutions of all sizes. A key factor in avoiding a SolarWinds-style breach is operational resilience, which itself depends on having the right strategy. It is crucial to validate the security controls in place and test how effective they are. For this, the financial firms need a SOC that understands the system and monitors the threats, including what type of cyber-attack would be a disaster for the business.


_______________________________________________________________________________________

(February 18, 2020)


The debate on retaliation to SolarWinds breach

Reports came under fire from many infosec professionals, who criticized arguments in favor of launching offensive cyberattacks, also known as hacking back, against SolarWinds breach adversaries. Many infosec experts have warned that hacking back carries enormous risk and should not be part of U.S. cybersecurity policy.


_______________________________________________________________________________________

(February 18, 2021)


Did SolarWinds hack include voice, video, and messaging platforms?

While investigations regarding SolarWinds are ongoing and new information is being revealed on a near-daily basis, there are concerns about any role of an advanced persistent threat against voice, video, and messaging platforms in the SolarWinds attacks. These platforms usually involve SIP traffic, API remote access, and RTC, and have been in heavy use since the advent of the COVID-19 epidemic, so any threats to them may lead to another level of catastrophe.

Ref - Medium

_______________________________________________________________________________________

(February 18, 2021)


Hacker behind SolarWinds used U.S. networks

A sprawling cyber-attack that compromised popular software created by Texas-based SolarWinds Corp. was executed from within the U.S., according to a top White House official. Launching the attack from inside the United States made it more difficult for the U.S. government to observe the hackers' activity.

Ref - Bloomberg

_______________________________________________________________________________________

(February 17, 2021)


An 82% increase observed in SolarWinds-style vendor email compromise attack

Abnormal Security, a next-generation cloud email security company, released a new threat research report that reveals an 82% increase in the chance of companies getting attacked through SolarWinds-style vendor email compromise (VEC) during any given week. The company also found that these attacks can be very costly as it recently detected and stopped a $1.6M VEC attack.

Ref - Yahoo

_______________________________________________________________________________________

(February 17, 2021)


There could be 1,000 developers who had written malicious code used in the SolarWinds breach

Microsoft discovered that the SolarWinds breach was not the work of a small group of threat actors; instead, 1,000+ developers had worked on developing the malicious code in the first place. This implies that the attack was not just widespread but was developed and executed by a larger group.

Ref - CISOMAG

_______________________________________________________________________________________

(February 17, 2021)


Around 100 private organizations hit by SolarWinds attack

The deputy national security advisor for cyber and emerging technology confirmed that so far nine federal agencies and 100 private industry organizations have been compromised in the SolarWinds attacks. In addition, the attackers waged the attack from inside the US, making it difficult for the US government to observe their activity.


_______________________________________________________________________________________

(February 17, 2021)


Risk of SolarWinds-style attacks through vendor email compromise increased 82%

Abnormal Security has released a new threat research report that reveals an 82% increase in the chance of companies getting attacked through SolarWinds-style vendor email compromise (VEC) during any given week. The company also found that these attacks can be very costly as it recently detected and stopped a $1.6M VEC attack.

Ref - Yahoo 

_______________________________________________________________________________________

(February 16, 2021)


Importance of DNS security after SolarWinds breach

The SolarWinds attack underscores the importance of securing DNS traffic. DNS tunneling, where data is transmitted by appending it to recursive DNS queries, was chosen as the medium to steal customer data. Queries were sent to DNS command and control servers within the same region of breached enterprise networks to evade detection. 

Ref - Akamai

_______________________________________________________________________________________

(February 16, 2021)


Webroot recommendations after the SolarWinds attack

Webroot is offering tips to its MSP and small business customers after the SolarWinds hack. These include using security technology that incorporates threat intelligence for URLs, IP addresses, and files as part of a layered cybersecurity approach. Organizations should make sure to follow best practices within policies, and ensure devices are set to block high-risk and suspicious objects based on real-time intelligence criteria. Also, consider adding DNS Protection to your technology stack to deepen your protection around malicious IP addresses and URLs that are frequently used in attacks.

Ref - Webroot 
 
_______________________________________________________________________________________

(February 16, 2021)


Analysis of SUNBURST malware

The analysis of SUNBURST malware by FireEye disclosed that attackers hid malicious code within thousands of lines of legitimate code, compiled inside digitally signed binaries. Attackers took advantage of the SolarWinds Orion platform for lateral movement traffic. They disabled dozens of endpoint security tools, including FireEye's, and used DNS for Stage 1 and 2 C2 communications. They also introduced minimal custom malware into the environment post-exploitation, often “living off the land” via native Windows tools.

Ref - FireEye
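The DNS-based C2 described here and in the February 16 Akamai entry leaves a recognizable pattern in resolver logs: many distinct, long, high-entropy subdomains under one registered domain from a single client. The following detector is an added example, not code from FireEye or Akamai; the log lines and the domain updates-cdn.test are constructed for illustration.

```python
"""Flag DNS queries that look like tunneled data.

Two signals per query name are combined: (1) the length and Shannon entropy of
the longest label (encoded data is long and high-entropy; human-chosen names are
not), and (2) the number of distinct subdomains one client asks for under one
registered domain (tunneling needs a fresh name per chunk so that caches never
answer for it). Requiring both keeps ordinary CDN hostnames from alerting.
"""
import math
from collections import defaultdict

# Constructed sample log: "<unix_ts> <client_ip> <query_name> <qtype>".
# Client 10.0.4.21 is normal traffic; 10.0.4.40 shows the tunneling pattern.
SAMPLE_LOG = """\
1613433601 10.0.4.21 www.example.org A
1613433603 10.0.4.21 mail.example.org MX
1613433605 10.0.4.40 7a3k9q2mzv8hf0xc1rr5tlb0e2n4a.updates-cdn.test A
1613433606 10.0.4.40 q0m2v7n8pz3kx9ls4hj6cw1te5gb0y.updates-cdn.test A
1613433607 10.0.4.40 t9l1h5sc2bd4xq7pn0vz3jm8wk6fe2.updates-cdn.test A
1613433608 10.0.4.40 b4x8c2jw6qn1hm9zf3lt5pv0dk7se1.updates-cdn.test A
1613433609 10.0.4.21 cdn.example.org A
"""

MAX_LABEL_LEN = 20        # human-chosen labels rarely exceed this
MIN_ENTROPY = 3.5         # bits per character; encoded data is typically 4+
MIN_UNIQUE_SUBDOMAINS = 3  # tunneling generates a new name per chunk


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Crude: the last two labels. Production code should use a public-suffix list."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return {"ts": int(ts), "client": client, "qname": qname.lower(), "qtype": qtype}


def analyse(log_text):
    """Return {(client, registered_domain): [reasons]} for pairs worth review."""
    per_pair = defaultdict(lambda: {"subdomains": set(), "suspicious_labels": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        q = parse_line(raw)
        dom = registered_domain(q["qname"])
        labels = q["qname"].split(".")[:-2]   # everything left of the registered domain
        entry = per_pair[(q["client"], dom)]
        if not labels:
            continue
        entry["subdomains"].add(".".join(labels))
        longest = max(labels, key=len)
        if len(longest) > MAX_LABEL_LEN and shannon_entropy(longest) >= MIN_ENTROPY:
            entry["suspicious_labels"] += 1

    alerts = {}
    for pair, entry in per_pair.items():
        # Both signals must fire: high-entropy labels AND many distinct names.
        if entry["suspicious_labels"] > 0 and len(entry["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS:
            alerts[pair] = [
                f"{entry['suspicious_labels']} long high-entropy labels",
                f"{len(entry['subdomains'])} distinct subdomains",
            ]
    return alerts


if __name__ == "__main__":
    for (client, dom), reasons in analyse(SAMPLE_LOG).items():
        print(f"{client} -> {dom}: {'; '.join(reasons)}")
```

On the constructed log this reports only the 10.0.4.40 / updates-cdn.test pair; the three ordinary example.org names from 10.0.4.21 do not trigger because none of their labels is long or high-entropy.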

_______________________________________________________________________________________

(February 16, 2021)


A new type of supply-chain attack hit MNCs including Apple and Microsoft

Security researcher Alex Birsan has unveiled a new technique called dependency confusion, or namespace confusion, that can execute counterfeit code on networks belonging to some of the largest enterprises, including Apple, Microsoft, and Tesla. By publishing public packages with the same names as private dependencies used by these companies, Birsan was able to get their build systems to download and install the counterfeit code, which could result in a SolarWinds-type supply chain attack.

Ref - Arstechnica 
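The dependency-confusion packages reported in this entry and in the March 1 and March 3 Sonatype/npm entries all rely on the same gap: an internal package name that the public registry can also serve. The audit below is an added example (not Birsan's or Sonatype's tooling) that checks an npm manifest for that gap; the package.json, .npmrc and internal-package list are constructed for illustration.

```python
"""Audit an npm manifest for dependency-confusion exposure.

The defensive rule checked here: every package the organization considers
internal must carry a scope (@org/name), and that scope must be routed to the
private registry in .npmrc, so the public registry is never consulted for it.
An unscoped internal name, or a scope with no registry mapping, is the condition
the copycat packages described above exploit.
"""
import json
import re

# Constructed sample package.json for a hypothetical project.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "billing-portal",
    "dependencies": {
        "express": "^4.17.1",                 # public, out of scope for this check
        "internal-auth-helpers": "^2.1.0",    # internal but unscoped: claimable publicly
        "@acme/payments-core": "1.4.2",       # scoped, scope pinned in .npmrc below
        "@acme-labs/telemetry": "^0.3.0",     # scoped, but scope has no registry mapping
    },
    "devDependencies": {"jest": "^26.6.0"},
})

# Constructed sample .npmrc: only the @acme scope goes to the private registry.
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example.com/
//npm.internal.example.com/:_authToken=${NPM_TOKEN}
"""

# Names the organization knows are internal (constructed; in practice this list
# comes from the private registry's catalogue).
INTERNAL_NAMES = {"internal-auth-helpers", "@acme/payments-core", "@acme-labs/telemetry"}

SCOPE_RULE = re.compile(r"^(@[^:]+):registry=(\S+)")


def parse_npmrc_scopes(npmrc_text):
    """Return {scope: registry_url} for every '@scope:registry=...' line."""
    scopes = {}
    for line in npmrc_text.splitlines():
        m = SCOPE_RULE.match(line.strip())
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def audit_manifest(package_json_text, npmrc_text, internal_names):
    """Return a list of (package, finding) tuples for internal deps at risk."""
    manifest = json.loads(package_json_text)
    scopes = parse_npmrc_scopes(npmrc_text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name not in internal_names:
                continue
            if not name.startswith("@"):
                findings.append((name, "unscoped internal package: the public registry can serve this name"))
                continue
            scope = name.split("/", 1)[0]
            if scope not in scopes:
                findings.append((name, f"scope {scope} is not mapped to a private registry in .npmrc"))
            elif spec.startswith(("^", "~", ">", "*")):
                # Scope is pinned, but a range would still accept a higher version
                # if the registry mapping were ever lost; worth a low-severity note.
                findings.append((name, "version range on internal package; prefer an exact pin"))
    return findings


if __name__ == "__main__":
    for pkg, finding in audit_manifest(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, INTERNAL_NAMES):
        print(f"{pkg}: {finding}")
```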

_______________________________________________________________________________________

(February 16, 2021)


A SolarWinds-like cyberattack targeted Centreon, French researchers disclose

French cybersecurity authorities have disclosed a SolarWinds-like supply-chain attack in which hackers compromised the Centreon enterprise IT platform to target several major organizations. The first evidence of the intrusion campaign dates back to 2017, with the attack lasting until 2020. It mostly affected IT providers, in particular web hosting providers.

Ref - ITPro 

_______________________________________________________________________________________

(February 16, 2021)


Microsoft reveals new details about sophisticated mega-breach

Microsoft has made some new revelations regarding the SolarWinds attacks, calling the cyber-attack the most sophisticated of all time. According to Brad Smith, Microsoft has hired 500 engineers to dig into the attack. Cyjax CISO Ian Thornton-Trump points out that the attackers had one chance to get the malware into place without revealing their compromise: if a build had failed because of the malicious code, their plot to infect Orion would have been revealed.

Ref - Forbes 

_______________________________________________________________________________________

(February 15, 2021)


Many SolarWinds customers failed to secure even after the breach came to light 

Many companies still expose SolarWinds Orion to the internet and have failed to take action following the disclosure of the massive SolarWinds breach. RiskRecon, a firm specialized in risk assessment, observed 1,785 organizations exposing Orion to the internet on December 13, 2020, shortly after the breach came to light, and the number dropped to 1,330 by February 1, 2021. However, only 8% of these companies have applied the Orion update (2020.2.4) in response to the breach.


_______________________________________________________________________________________

(February 15, 2021)


Microsoft found 1,000-plus developers' fingerprints on the SolarWinds hack

Microsoft president Brad Smith says that the company's analysis of the SolarWinds hack suggests the code behind the attack was the work of a thousand or more developers. Smith did not say who those developers worked for, but compared the SolarWinds hack to attacks on Ukraine that have been widely attributed to Russia.


_______________________________________________________________________________________

(February 15, 2021)


SolarWinds hack is the largest and most sophisticated attack ever - Microsoft’s President

A hacking campaign that used a U.S. tech company as a springboard to compromise a raft of U.S. government agencies is the largest and most sophisticated attack the world has ever seen, according to Microsoft Corp’s president Brad Smith. The SolarWinds breach could have compromised up to 18,000 SolarWinds customers that used the company’s Orion network monitoring software. It could take months to identify the compromised systems and expel the hackers.

Ref - Reuters

_______________________________________________________________________________________

(February 14, 2021)


How Russian spies hacked the US federal agencies during SolarWinds attacks

Brad Smith, the president of Microsoft, said that the sophistication of the SolarWinds attacks shows the asymmetric advantage an attacker enjoys when playing offense, and that the attacks are almost certainly still continuing. Kevin Mandia, CEO of FireEye, disclosed that the intruders impersonated FireEye employees while snooping around inside its network, stealing FireEye's proprietary tools for testing clients' defenses as well as intelligence reports on active cyber threats.

Ref - CBS News 

_______________________________________________________________________________________

(February 14, 2021)


The SolarWinds attack could be still ongoing

The SolarWinds attack was unprecedented in audacity and scope: the Russian spies went rummaging through the digital files of the U.S. Departments of Justice, State, Treasury, Energy, and Commerce. For nine months they had unfettered access to top-level communications, court documents, even nuclear secrets. By all accounts it is still going on, and the hackers could still be stealing information.

Ref - CBS News

_______________________________________________________________________________________

(February 14, 2021)


The U.S. must strike back after SolarWinds breach

James Lewis, a director at the Center for Strategic and International Studies, said fear of escalation has held the U.S. back from punishing Russia and other nation-states when they step out of line. He suggested the U.S. experiment with tactics to find creative ways of retaliating against Russia.

Ref - CBS News

_______________________________________________________________________________________

(February 12, 2021)


CISOs' 2021 priorities after SolarWinds attack 

After the SolarWinds attack, CISOs will need to redraw contracts with third-party providers of software, hardware, and services to explicitly require that providers commit to securing their own environments. That includes independent static code analysis, regular security scanning of on-premises and cloud environments, DevSecOps practices, and code integrity checks. Providers must also adopt current encryption and authentication technologies.


_______________________________________________________________________________________

(February 12, 2021)

U.S. court system changes how it stores sensitive court documents after SolarWinds breach

Multiple U.S. senators have demanded a hearing on what court officials know about the hackers' access to sensitive filings. Some courthouses now load sensitive documents onto a single computer. Each of the country's 13 federal circuit courts has its own measures and rules for protecting the security of filed documents, but all of that may now need to change because of the attack.


_______________________________________________________________________________________

(February 12, 2021)


Orion servers exposed to Internet drop by 25% since SolarWinds breaches

One in four SolarWinds Orion servers exposed to the internet at the time of an era-defining espionage campaign has been taken off the internet. This could mean different things to different companies. Some may have put the servers inside of a firewall. Others may have found a replacement for SolarWinds. Yet others may have deactivated the servers during remediation.

Ref - SC Media 

_______________________________________________________________________________________

(February 12, 2021)


Russians outsmarted DHS cyberattack detection program in SolarWinds hack

From a software engineering perspective, the SolarWinds attack is probably the largest and most sophisticated attack the world has ever seen. The alleged Russian attackers had huge resources at their disposal, and probably more than 1,000 engineers worked on these attacks.

Ref - CBS News 

_______________________________________________________________________________________

(February 11, 2021)


Unanswered questions about SolarWinds breach

There is a considerable fear that the attackers behind the SolarWinds breach may have gained deep, persistent, and almost undetectable access on networks belonging to numerous organizations in sectors including manufacturing, industrial, construction, and logistics. The incident also resurfaced old concerns over supply chain vulnerabilities and some new ones over the ability of even the best security tools and controls to detect highly targeted attacks.


_______________________________________________________________________________________

(February 11, 2021)


New stats about suspicious network activity during peak of SUNBURST attack

ExtraHop threat researchers have found that between late March 2020 and early October 2020, detections of probable malicious activity increased by approximately 150 percent. Activity patterns outlined in the report indicate that the SUNBURST attackers succeeded in flying under the radar of these detection methods, either by disabling them or by changing their approach before they could be detected.

Ref - Yahoo 

_______________________________________________________________________________________

(February 11, 2021)


How suspected Chinese hackers compromised USDA’s National Finance Center

Suspected Chinese hackers exploited a different SolarWinds flaw from the one used by the Russian actors to compromise the National Finance Center, a payroll agency inside the U.S. Department of Agriculture (USDA). SolarWinds has said the suspected Chinese intrusion affected only a single customer and that a security update addressing the flaw was released in December 2020.

Ref - CPO Magazine 

_______________________________________________________________________________________

(February 10, 2021)


Maritime facilities using SolarWinds are ordered to report breaches

The U.S. Coast Guard (USCG) has ordered MTSA-regulated facilities and vessels using SolarWinds software for critical functions to report security breaches in case of suspicions of being affected by the SolarWinds supply-chain attack. USCG's order was delivered through a Marine Safety Information Bulletin published on continued awareness regarding the ongoing exploitation of SolarWinds software.


_______________________________________________________________________________________

(February 10, 2021)


A senior official is leading the inquiry into SolarWinds breach

The White House has announced that it has put a senior national security official in charge of the response to the broad Russian breach of government computers, only hours after the Democratic chairman of the Senate Intelligence Committee criticized the disjointed and disorganized response in the opening weeks of the Biden administration.


_______________________________________________________________________________________

(February 10, 2021)


SolarWinds breach showed that the U.S. is most targeted and vulnerable

The U.S. is one of the most advanced, if not the most advanced, cyber superpower in the world, but it is also among the most targeted and most vulnerable. Part of the problem is that the U.S. has spent more energy on hacking other countries than on defending itself. This attack hit even the Department of Homeland Security, the very agency charged with keeping the U.S. safe.

Ref - NPR

_______________________________________________________________________________________

(February 10, 2021)


More cyberattacks like SolarWinds could be expected from Russia

The federal government's former top cybersecurity official warned lawmakers that the SolarWinds Orion hack is likely not the worst attack the United States may see from Russia. The federal agencies investigating the attack as well as third-party cybersecurity experts have largely concurred the breach appears to be espionage.

Ref - FCW

_______________________________________________________________________________________

(February 10, 2021)


SolarWinds breach put the spotlight on supply chain attacks

The recent SolarWinds breach has shown how devastating a well-executed supply chain attack can be. What sets this one apart from other cases is its peculiar victim profiling and validation scheme. Through trojanized SolarWinds Orion software updates, the attackers reached around 18,000 customers and stayed inside targeted victims' networks for months without raising any alarms.

Ref - CSO

_______________________________________________________________________________________

(February 10, 2021)


Security of supply chains is actually worse than everyone thinks

There are several reasons to think the security of supply chains is in an even worse state than generally assumed. Many enterprise networks consist of an untold number of disparate products, duct-taped together through poorly documented interfaces. Most operators have no clue they are sitting ducks for average attackers of moderate skill, let alone nation-state-backed adversaries with near-unlimited resources.

Ref - ZDNet

_______________________________________________________________________________________

(February 9, 2021)


The 2015 Juniper encryption backdoor is seen as a precursor to the SolarWinds attacks

While it is still not clearly known how the hackers altered the code of the SolarWinds software, many point to the 2015 Juniper Networks incident as a precursor to the recent hack. In a letter addressed to the NSA, members of Congress asked whether the agency knew about the encryption backdoor in Juniper Networks products.

Ref - NordVPN 

_______________________________________________________________________________________

(February 9, 2021)


Lessons from SolarWinds attack for federal agencies

There are several lessons for federal agencies to take away from the SolarWinds attacks. Make sure the response actually reduces risk (turning off security updates and patching does not). Choose reputable, responsive suppliers that adhere to security standards and best practices. Follow least-privilege and Zero Trust policies, and protect sensitive data with adequate controls.

Ref - Varonis

_______________________________________________________________________________________

(February 9, 2021)


The U.S. must prioritize cybersecurity after the SolarWinds breach

The SolarWinds hack is considered an egregious act of espionage: stealing data and establishing unauthorized access to information technology. The nation must therefore move past jurisdictional grandstanding and develop a national cybersecurity strategy, a comprehensive approach that keeps the United States a step ahead of its adversaries.

Ref - CNBC

_______________________________________________________________________________________

(February 9, 2021)


What could be the purpose behind the SolarWinds hack?

The purpose of the SolarWinds hack remains largely unknown. Still, there are many reasons hackers would want to get into an organization's system, including having access to future product plans or employee and customer information held for ransom. It is also not yet clear what information, if any, hackers stole from government agencies. But the level of access appears to be deep and broad.


_______________________________________________________________________________________

(February 9, 2021)


SolarWinds breach has created disturbances for security worldwide

While the scope of Solorigate attack is substantial, the scale of sophisticated deception employed by malicious actors is even more significant. The SolarWinds security breach highlights the need to actively scan, monitor, and manage all software updates for organizations at the end of the digital development and supply pipeline, no matter where they come from or where they exist in the application stack.

Ref - Forbes 

_______________________________________________________________________________________

(February 9, 2021)


The SolarWinds hack was not inevitable

The SolarWinds hack was a major breach of national security that revealed gaps in U.S. cyber defenses. The larger question is why SolarWinds, an American company, had to turn to foreign providers for software development. A Department of Defense report about supply chains characterizes the lack of software engineers as a crisis. There’s also a shortage of cybersecurity talent in the U.S. Engineers, software developers and network engineers are among the most needed skills across the U.S.

Ref - Yahoo 

_______________________________________________________________________________________

(February 9, 2021)


SolarWinds attack highlights the importance of the principle of least privilege

The advanced persistent threat (APT) behind the SolarWinds attack used forged authentication tokens and credentials for highly privileged Active Directory domain accounts as a persistence and escalation mechanism. This attack method reinforces the importance of implementing least privilege, one of the 33 IT security principles outlined by NIST.
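A forged token of this kind carries a valid signature from the stolen token-signing key, so signature checks alone do not catch it. The following is an added example, not code from the page or from any vendor, showing two detection checks that do work against the pattern: an assertion presented to the cloud side that the on-premises AD FS farm never recorded issuing, and an assertion whose validity window is far longer than the federation server is configured to issue. The issuance-log schema, the assertion IDs and the account names are constructed for the demo.

```python
"""Added example: flag SAML assertions that look forged ("Golden SAML" pattern).

Check 1: the assertion ID has no matching AD FS issuance record.
Check 2: the assertion's NotBefore/NotOnOrAfter window is far longer than policy.
All records and assertions here are constructed samples; the issuance-log fields
are a simplified stand-in for the real AD FS audit events.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AD FS issuance audit records: only the legitimate token was issued.
ADFS_ISSUANCE_LOG = [
    {"assertion_id": "_a1c3", "user": "alice@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text: str) -> dict:
    """Extract the fields the checks need from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    subj = root.find("saml:Subject/saml:NameID", SAML_NS)
    not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "subject": subj.text if subj is not None else None,
        "lifetime_min": (not_after - not_before).total_seconds() / 60,
    }


def find_suspicious(assertions, issuance_log, max_lifetime_min=60):
    """Return {assertion_id: [reasons]} for every assertion failing a check."""
    issued = {rec["assertion_id"] for rec in issuance_log}
    findings = {}
    for a in assertions:
        reasons = []
        if a["id"] not in issued:
            reasons.append("no AD FS issuance event for this assertion ID")
        if a["lifetime_min"] > max_lifetime_min:
            reasons.append(f"lifetime {a['lifetime_min']:.0f} min exceeds {max_lifetime_min} min")
        if reasons:
            findings[a["id"]] = reasons
    return findings


def _assertion(aid, subject, not_before, not_after):
    """Build a constructed SAML assertion with the attributes the checks look at."""
    return (
        f'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{aid}" Version="2.0" IssueInstant="{not_before}">'
        f"<saml:Issuer>http://adfs.corp.example/adfs/services/trust</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>'
        f"</saml:Assertion>"
    )


# Constructed samples: a legitimate one-hour token, and a 24-hour token for a
# privileged account that AD FS never issued (the forged-token signature).
SAMPLE_ASSERTIONS = [
    _assertion("_a1c3", "alice@corp.example", "2020-09-01T10:00:00Z", "2020-09-01T11:00:00Z"),
    _assertion("_9f0e", "ga-admin@corp.example", "2020-09-01T10:05:00Z", "2020-09-02T10:05:00Z"),
]


def run_sample():
    return find_suspicious([parse_assertion(x) for x in SAMPLE_ASSERTIONS], ADFS_ISSUANCE_LOG)


if __name__ == "__main__":
    for aid, reasons in run_sample().items():
        print(aid, "->", "; ".join(reasons))
```

In production the issuance side comes from the AD FS audit log and the consumption side from the cloud identity provider's sign-in records; the join key is the assertion ID. Tune max_lifetime_min to the farm's configured token lifetime, and treat a miss on check 1 as the stronger signal, since an attacker who holds the signing key can choose any lifetime they like.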


_______________________________________________________________________________________

(February 8, 2021)


Microsoft and SolarWinds having disputes over nation-state attacks

The latest investigation updates from SolarWinds and Microsoft offer differing views on how nation-state threat actors compromised SolarWinds' environment. The SolarWinds CEO claimed that the threat actors got into SolarWinds' Office 365 environment first, before moving to the Orion development environment. Microsoft, however, said its investigation found no evidence that SolarWinds was attacked via Office 365.


_______________________________________________________________________________________

(February 8, 2021)


US response to SolarWinds breach

In a formal joint statement, four U.S. agencies in charge of intelligence and cybersecurity affirmed that an advanced hacking group, likely Russian in origin, is responsible for the SolarWinds Orion software compromise. The Computer Fraud and Abuse Act (CFAA) could be used to indict Russian state hackers for trespassing in government computers or obtaining national security information. Sanctioning or indicting Russian state actors for cyber espionage, however, could set a dangerous precedent to be used against individual NSA or CIA hackers.

Ref - CFR

_______________________________________________________________________________________

(February 8, 2021)


SolarWinds' breach can lead to a larger attack 

Cybersecurity experts fear the SolarWinds hack has laid the groundwork for a larger attack that the federal government is not prepared to handle. After attackers compromised SolarWinds' network management software to breach federal systems, a race began to fortify cyber defenses before additional attacks damage critical infrastructure and cause economic instability.


_______________________________________________________________________________________

(February 8, 2021)


SolarWinds attack is a wake-up call

SolarWinds attacks represent a shift in tactics for a supply chain attack where a nation-state has employed a new weapon for cyber-espionage. The impact of this attack shows how a high-volume commercial software product can impact many organizations simultaneously. From a US national security perspective, this attack enables the nation’s enemies to steal all manner of information, from inter-governmental communications to national secrets.

Ref - ITWeb 

_______________________________________________________________________________________

(February 5, 2021)


NIST offers tools to defend against nation-state cyber threats

NIST's new publications provide a "roadmap" for how agencies of any size should counter increasingly advanced tradecraft from nation-state actors. Tightening access controls on non-federal systems that hold sensitive government information would improve its confidentiality and could also deny advanced persistent threats the initial access they use to reach government agencies.

Ref - FCW

_______________________________________________________________________________________

(February 5, 2021)


Software supply chains are at risk of more attacks like SolarWinds attack

Revelations about the full breadth and depth of the SolarWinds attack continue to escalate, as do the alarm bells ringing throughout government and industry. The next SolarWinds-style attack is a matter of when, not if, and the next breach could be far more damaging than infiltration and espionage. SolarWinds is a wake-up call for leaders to secure their end-to-end software supply chain.

Ref - Forbes 

_______________________________________________________________________________________

(February 5, 2021)


SolarWinds plans for safer customer community

SolarWinds President and CEO Sudhakar Ramakrishna and cybersecurity expert and Krebs Stamos Group Founding Partner Alex Stamos revealed a plan for a safer SolarWinds and customer community. The principles for the secure enterprise includes further securing the internal environment, enhancing the product development environment, and ensuring the security and integrity of software.

_______________________________________________________________________________________

(February 5, 2021)


Microsoft: Microsoft services not used as an entry point by SolarWinds attackers

Microsoft has said that there was no indication that SolarWinds was attacked via Office 365. While data hosted in Microsoft email and other services were targeted by the hackers “post-compromise,” it had found no evidence that its services were used as an initial entry point into the systems of organizations, claiming that the attackers apparently gained privileged credentials “in some other way.”


_______________________________________________________________________________________

(February 5, 2021)


A deeper look into the massive 2020 cyberattack on the United States

Dmitri Alperovitch, the executive chair of the Silverado Policy Accelerator think tank and co-founder and former CTO of CrowdStrike, has laid out the many ways somebody can perpetrate a cyberattack. According to him, the most surprising thing about the SolarWinds attack is its scale, and he estimates that it is going to take months, potentially even years, to get to all the different networks that the attackers have infiltrated.

Ref - Fortune 

_______________________________________________________________________________________

(February 4, 2021)

Government-funded cybersecurity system In-toto could have prevented SolarWinds attacks

in-toto is an open-source framework that aims to provide end-to-end protection for the entire software supply pipeline: every step, from checkout through build to packaging, is attested with signed metadata recording what it consumed and what it produced, so that tampering anywhere between steps can be detected by whoever receives the final artifact. The project is supported by $2.2 million in grants from US federal agencies. Had it been widely deployed, it could have blocked or at least limited the damage from the SolarWinds attack.

Ref - Medium 
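To make the mechanism concrete, here is an added example in the style of in-toto; it is not in-toto's own code or API. Each pipeline step is attested by a "link" holding the hashes of its materials (inputs) and products (outputs), signed by the functionary who ran it. A layout states which keys may attest each step and how many independent attestations are required, and the delivered artifact is compared with the last step's products. The scenario requires the build to be reproduced by two independent builders, so a single compromised build server (the SolarWinds failure mode) cannot attest the build alone. HMAC-SHA256 with per-functionary secrets stands in for the asymmetric signatures in-toto really uses, the layout and link schema are simplified, and all keys, names and artifact bytes are constructed.

```python
"""Added example: a minimal attestation-chain check in the style of in-toto.

Signatures are HMAC-SHA256 with shared secrets (a stand-in for real asymmetric
signing); the layout/link schema is a simplification of in-toto's. Everything
below (keys, artifacts, step names) is constructed for the demo.
"""
import hashlib
import hmac
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_link(key: bytes, key_id: str, step: str, materials: dict, products: dict) -> dict:
    body = {"step": step, "materials": materials, "products": products}
    return {"body": body, "key_id": key_id,
            "sig": hmac.new(key, _canon(body), "sha256").hexdigest()}


def signature_ok(link: dict, keys: dict) -> bool:
    key = keys.get(link["key_id"])
    if key is None:
        return False
    expected = hmac.new(key, _canon(link["body"]), "sha256").hexdigest()
    return hmac.compare_digest(link["sig"], expected)


def verify(layout: dict, links: list, keys: dict, delivered: dict) -> list:
    """Return a list of failure strings; an empty list means the chain verified."""
    failures, upstream = [], {}
    for step in layout["steps"]:
        good = [l for l in links
                if l["body"]["step"] == step["name"]
                and l["key_id"] in step["authorized_keys"]
                and signature_ok(l, keys)]
        if len(good) < step["threshold"]:
            failures.append(f"{step['name']}: {len(good)} valid attestation(s), "
                            f"threshold {step['threshold']}")
            continue
        # MATCH rule: a material produced by an upstream step must be byte-identical.
        for link in good:
            for name, digest in link["body"]["materials"].items():
                if name in upstream and upstream[name] != digest:
                    failures.append(f"{step['name']}: material {name} differs from upstream product")
        # Independent functionaries must agree on what the step produced.
        if len({_canon(l["body"]["products"]) for l in good}) > 1:
            failures.append(f"{step['name']}: attesting functionaries disagree on products")
            continue
        upstream = dict(good[0]["body"]["products"])
    for name, digest in delivered.items():
        if upstream.get(name) != digest:
            failures.append(f"delivered {name} does not match the attested product")
    return failures


# Constructed functionary keys and layout: two independent builders, threshold 2.
KEYS = {"dev": b"k-dev", "builder-a": b"k-bld-a", "builder-b": b"k-bld-b", "packager": b"k-pkg"}
LAYOUT = {"steps": [
    {"name": "checkout", "authorized_keys": ["dev"], "threshold": 1},
    {"name": "build", "authorized_keys": ["builder-a", "builder-b"], "threshold": 2},
    {"name": "package", "authorized_keys": ["packager"], "threshold": 1},
]}
SOURCE = b"class OrionCore { void Run() { } }"          # constructed source tree
CLEAN_DLL = b"MZ:compiled:" + SOURCE                      # constructed honest build output
BACKDOORED_DLL = CLEAN_DLL + b":injected-implant"         # constructed build-time injection


def run_scenario(builder_a_output: bytes) -> list:
    """builder-b always builds honestly; builder-a's output is the parameter."""
    src = {"src.tar": sha256(SOURCE)}
    dll_a = {"OrionCore.dll": sha256(builder_a_output)}
    dll_b = {"OrionCore.dll": sha256(CLEAN_DLL)}
    msi = {"Orion.msi": sha256(b"msi:" + builder_a_output)}
    links = [
        sign_link(KEYS["dev"], "dev", "checkout", {}, src),
        sign_link(KEYS["builder-a"], "builder-a", "build", src, dll_a),
        sign_link(KEYS["builder-b"], "builder-b", "build", src, dll_b),
        sign_link(KEYS["packager"], "packager", "package", dll_a, msi),
    ]
    return verify(LAYOUT, links, KEYS, msi)


if __name__ == "__main__":
    print("clean build:", run_scenario(CLEAN_DLL) or "PASS")
    print("backdoored build:", run_scenario(BACKDOORED_DLL) or "PASS")
```

The point of the threshold is that a signature on the build step proves only that some authorized builder produced those bytes; it is the disagreement between two builders given identical materials that exposes an implant injected on one of them. That only works when the build is reproducible, which is why reproducible builds and attestation are usually pursued together.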

_______________________________________________________________________________________

(February 4, 2021)


Importance of zero-trust mindset after SolarWinds breach

The recent SolarWinds attack has reinforced two key points that the industry has been advocating for a while now, defense-in-depth protections and embracing a zero-trust mindset. Defense-in-depth protections and best practices are really important because each layer of defense provides an extra opportunity to detect an attack and take action before they get closer to valuable assets. A zero-trust philosophy is also important to provide protection even when an attacker gains unauthorized access.

Ref - Microsoft

_______________________________________________________________________________________

(February 4, 2021)


Organizations should be wary of third-party providers after SolarWinds breach

The recent SolarWinds breach has proved that any company producing software or hardware for other organizations is a potential target of a supply chain attack. Nation-state actors have deep resources and the skills to penetrate even the most security-conscious firms. Even security vendors can be targets.

Ref - CSO

_______________________________________________________________________________________

(February 4, 2021)


The SolarWinds attack proves that an on-premise Active Directory is still an effective attack vector

New evidence points to attackers using well-established methods to gain initial access the old-fashioned way, through on-premises Active Directory (AD). They used methods such as password guessing, password spraying, and exploiting poorly secured administrative or service credentials. They then used native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the token-signing certificate capability of Active Directory Federation Services (AD FS) and forge authentication tokens.


_______________________________________________________________________________________

(February 4, 2021)


SolarWinds chases multiple leads in the breach investigation

According to new intelligence shared by SolarWinds, UNC2452, the Russia-linked advanced persistent threat (APT) group behind the SolarWinds cyberattacks disclosed in December 2020, probably accessed SolarWinds' systems through compromised user credentials and/or a zero-day vulnerability in a third-party application. SolarWinds has pointed at its Office 365 environment as one possible entry point, a theory Microsoft disputes.


_______________________________________________________________________________________

(February 4, 2021)


SolarWinds confirms that Office 365 email compromise played role in recent massive cyber attacks

SolarWinds CEO Sudhakar Ramakrishna has confirmed suspicious activity in its Office 365 environment: a company email account was compromised and used to access the accounts of targeted SolarWinds staff in business and technical roles. The hackers most likely entered SolarWinds' environment through compromised credentials and/or a third-party application exploited via a zero-day vulnerability.

Ref - CRN 

_______________________________________________________________________________________

(February 3, 2021)


Impact of SolarWinds attacks on security managers 

With the increasing sophistication of attacks, there is a call for security managers to reduce the time of detection and response to threats. Having an incident response plan and playbook is key in protecting important customer or organizational data. Conducting assessments, having a strong communication structure with your board, and implementing strong security solutions are critical.

Ref - Aurora  

_______________________________________________________________________________________

(February 3, 2021)


SolarWinds CEO: Office 365 environment was compromised in SolarWinds breach

In new details on the SolarWinds breach, it has been disclosed that nation-state threat actors first compromised a single email account and later gained access to the company's Orion platform environment. From there, the threat actors compromised the credentials of the employees, got privileged access to the Orion build environment, and then added the backdoor to software updates for the platform.


_______________________________________________________________________________________

(February 3, 2021)


The path of becoming secure by design after SolarWinds breach

The SolarWinds breach taught several lessons about becoming secure by design: upgrade to stronger and deeper endpoint protection, enhance Data Loss Prevention, expand the Security Operations Center, and tighten firewall policies. Alongside these, adopting zero trust and least-privilege access and addressing the risks that come with third-party application access are just as important.


_______________________________________________________________________________________

(February 3, 2021)


Use of a backdoor implant in a SolarWinds Orion server

In early 2020, the Sophos Managed Threat Response (MTR) team was brought in to help an organization that had fallen victim to a Ragnar Locker attack. The C2 servers, web shell, and DLL used in that attack may not be directly related to the recent SolarWinds attacks, but they carry several similarities. The threat actor gained access to the web server and installed a web shell to send commands and orchestrate the rest of the attack. A backdoored version of OrionWeb.dll was then downloaded from the attacker's C2 server: extra logic accepted the username "_system" with a password that changed every day, and the file's digital signature had been removed.

Ref - Sophos
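A DLL with its signature removed is cheap to spot on disk before any deeper analysis: a signed PE points at its Attribute Certificate Table from data-directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) of the optional header, and a stripped file has a zero-sized entry there. The following is an added example, not Sophos' code, that parses that entry directly with the standard library and includes a constructed, header-only PE32+ image so it runs without a real binary; the "signature" payload is a placeholder, not real PKCS#7 data.

```python
"""Added example: check whether a PE file still carries an Authenticode signature blob.

The minimal PE32+ images built here are constructed for the demo (header only,
not loadable); the certificate payload is a placeholder.
"""
import struct
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        dd_offset = 96                                # data directories start here in PE32
    elif magic == PE32PLUS_MAGIC:
        dd_offset = 112                               # ... and here in PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", pe, opt + dd_offset - 4)[0]   # NumberOfRvaAndSizes
    entry = opt + dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return None
    offset, size = struct.unpack_from("<II", pe, entry)   # security entry holds a file offset, not an RVA
    if size == 0 or offset + size > len(pe):
        return None
    return offset, size


def has_signature_blob(pe: bytes) -> bool:
    return security_directory(pe) is not None


def unsigned_dlls(root) -> list:
    """Paths of *.dll files under root that carry no signature blob at all."""
    return [p for p in Path(root).rglob("*.dll") if not has_signature_blob(p.read_bytes())]


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed PE32+ header with no sections; optionally appends a dummy cert table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)  # x64 DLL, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                               # NumberOfRvaAndSizes
    header_len = 64 + 4 + 20 + 240
    blob = b""
    if signed:
        payload = b"placeholder-pkcs7"
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
        blob = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blob


if __name__ == "__main__":
    for label, pe in (("signed", build_minimal_pe(True)), ("stripped", build_minimal_pe(False))):
        print(label, "->", "signature blob present" if has_signature_blob(pe) else "no signature blob")
```

Two caveats. The presence of a blob only proves that something is attached; a file patched after signing keeps its blob but fails hash validation, so the stripped-signature check above belongs next to a real validation step (signtool verify, or Get-AuthenticodeSignature in PowerShell). And neither check would have caught SUNBURST itself, whose implant was injected before the build was signed and therefore shipped with a valid SolarWinds signature; it is the post-signing tampering in the Sophos case that this catches.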

_______________________________________________________________________________________

(February 3, 2021)


Findings from SolarWinds ongoing investigations

According to SolarWinds, their email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising the credentials of SolarWinds employees, the threat actors were able to gain access to and exploit their Orion development environment.


_______________________________________________________________________________________

(February 3, 2021)


Additional details on vulnerabilities in SolarWinds Orion and SonicWall appliances

Details have been revealed on two vulnerabilities (CVE-2021-25274 and CVE-2021-25275) in the SolarWinds Orion Platform and a third (CVE-2021-25276) in the SolarWinds Serv-U FTP server for Windows. Orion Platform users should upgrade to version 2020.2.4, and Serv-U FTP users to version 15.2.2 Hotfix 1. Separately, for the zero-day vulnerability found in SonicWall SMA 100 Series appliances, the company has released a patch in firmware version SMA 10.2.0.5-29sv.

Ref - Rapid7

_______________________________________________________________________________________

(February 3, 2021)


Unfolding the SolarWinds breach

Pushkar Tiwari, Director Development at Symantec Enterprise Division of Broadcom Inc., has revealed the entire episode about what, when, why, and how of the SolarWinds hack. Tiwari has closely followed and analyzed the modus operandi of the hack.

Ref - CISO MAG

_______________________________________________________________________________________

(February 3, 2021)


Three new severe security vulnerabilities identified impacting SolarWinds products

Three severe security vulnerabilities have been identified impacting SolarWinds products. Two of the flaws (CVE-2021-25274 and CVE-2021-25275) were identified in the SolarWinds Orion Platform, while a third separate weakness (CVE-2021-25276) was found in the company's Serv-U FTP server for Windows.


_______________________________________________________________________________________

(February 3, 2021)


‘Severe’ SolarWinds vulnerabilities allow hackers to take over servers

A new set of three "severe" vulnerabilities has been discovered in SolarWinds products, two in the Orion platform and one in the Serv-U FTP server. Together they could allow an attacker full remote code execution, access to recoverable credentials, and the ability to read, write, or delete any file on the system.

Ref - Forbes 

_______________________________________________________________________________________

(February 3, 2021)


Chinese hackers suspected to be involved in SolarWinds breach

It is suspected that Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, marking a new twist in a sprawling cybersecurity breach that U.S. lawmakers have labeled a national security emergency. It has been found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture was among the affected organizations.

Ref - Reuters

_______________________________________________________________________________________

(February 3, 2021)


Suspected Chinese hackers used SolarWinds bug to attack additional federal agencies

Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into US government computers last year. The attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies. SolarWinds said it was aware of a single customer that was compromised by the second set of hackers but cannot say conclusively who was responsible.


_______________________________________________________________________________________

(February 2, 2021)


New revelations deepen the fears related to third-party software use

The new revelation about the involvement of Chinese hackers underscores the seemingly impossible task that organizations face in dealing with not only their own security issues but also potential exposure from the countless third-party companies they partner with. It is said that the Chinese hackers exploited the vulnerability only after already breaking into a network by some other means. They then used the flaw to bore deeper.

Ref - Wired

_______________________________________________________________________________________

(February 2, 2021)


Hackers stayed inside SolarWinds email system for almost 9 months

The newly appointed chief executive of SolarWinds Corp. is still trying to unravel how his company became a primary vector for hackers in a massive attack revealed last year. According to him, pieces of evidence are emerging that they were lurking in the company’s Office 365 email system for months. The company is still trying to understand how the hackers first got into the company’s network and when exactly that happened.


_______________________________________________________________________________________

(February 2, 2021)


Learnings from SolarWinds breach - Singapore CERT

Singapore CERT has provided several key takeaways and guidelines to prevent future supply-chain attacks like SolarWinds. First, it is likely that supply-chain attacks will continue to occur, therefore organizations should make every effort to improve visibility. Second, the breach demonstrates the asymmetric nature of the cybersecurity threat, which demands a continuous need to enhance and develop their cybersecurity capabilities. The breach also highlights the importance of the international community’s efforts in establishing clear rules and norms to promote responsible behavior in cyberspace.

Ref - CSA

_______________________________________________________________________________________

(February 2, 2021)


A U.S. federal payroll agency breached by exploiting SolarWinds flaw

The FBI has discovered that the National Finance Center, a U.S. Department of Agriculture (USDA) federal payroll agency was compromised by exploiting a SolarWinds Orion software flaw. Even though both the FBI and the USDA declined to provide further comment, the latter confirmed that it had suffered a data breach.


_______________________________________________________________________________________

(February 1, 2021)


U.S. court system goes paper for sensitive documents after SolarWinds hack

The U.S. court system has banned the electronic submission of legal documents in sensitive cases out of concern that Russian hackers have compromised the filing system. In an extraordinary order handed down to all federal courts, any documents containing information likely to be of interest to the intelligence service of a foreign government must now be printed out and filed on paper.


_______________________________________________________________________________________

(February 1, 2021)


SolarWinds breach sheds light on an old supply-chain incident

In the wake of the recent SolarWinds attacks, Members of Congress are demanding the U.S. National Security Agency (NSA) reveal information about an old (2015) Juniper Networks supply-chain delivery breach. A chief bone of contention among lawmakers is the allegation that the NSA’s “Dual_EC_DRBG” algorithm, submitted to the National Institute of Standards and Technology (NIST), contained an encryption backdoor for the spy agency.


_______________________________________________________________________________________

(February 1, 2021)


How to prevent the next SolarWinds-style attack

First, cybersecurity professionals should take care of the “easy” stuff, such as keeping their software updated and, where necessary, applying patches. Second, companies must build a culture of security into their product design. Finally, any robust third-party security program must be highly automated; there is no practical way to run one manually.


_______________________________________________________________________________________

(January 31, 2021)


A third of victims were not using SolarWinds software

Almost a third of the victims of the recent massive attack did not use the SolarWinds software, which was previously thought to be the main gateway for the attackers. The serious cyberattack on government institutions and companies in the U.S. keeps widening. Investigators have found evidence that the alleged espionage operation went well beyond the compromise of the small software provider SolarWinds.


_______________________________________________________________________________________

(January 29, 2021)

A fifth of Sunburst backdoor victims are from the manufacturing sector

Nearly a fifth of the organizations hit by the Sunburst backdoor emanating from the SolarWinds supply chain attack are from the manufacturing sector, a new analysis from Kaspersky has revealed. While researchers have already uncovered technical details of the Sunburst backdoor used in the SolarWinds incident late last year, the full impact of the attack is still being investigated.


_______________________________________________________________________________________

(January 29, 2021)


SolarWinds' implications for IoT and OT

In the new episode of Talos Takes, experts from Cisco Talos provide details about how the SolarWinds attack has wide-reaching consequences in the internet-of-things (IoT) and operational technology (OT) spaces.


_______________________________________________________________________________________

(January 29, 2021)


Lessons learned from SolarWinds breach

The SolarWinds attacks have left several important lessons behind: new binaries should be checked and verified even after they are signed; application and service accounts in cloud environments should be audited, monitored, and segregated as much as possible; a secure System Development Life Cycle (SDLC) process should be deployed to catch attackers in real time and limit the damage; and stronger passwords should be used on code management platforms.


_______________________________________________________________________________________

(January 29, 2021)


Life after the SolarWinds supply chain attack

After the disclosure of the SolarWinds attack, the first step for any organization should be to eliminate the immediate risk. If they use the affected software, they should already have followed the Cybersecurity and Infrastructure Security Agency (CISA)’s directions to disconnect and decommission any instances of SolarWinds Orion software. Even after a complete reset of all accounts, do an additional top-to-bottom security review. In addition, examine all of the relationships, both between internal servers and with external third parties who might have access to the networks and systems.


_______________________________________________________________________________________

(January 29, 2021)


SolarWinds breach spooks tech firms into rechecking code

Haunted by the far-reaching implications of the SolarWinds supply chain attack, software company executives have ordered sweeping new assessments of their products, looking for any signs of suspicious activity, code anomalies, or exploits. If or when more attacks are uncovered, end-user organizations will need to apply the lessons learned from SolarWinds and prepare to take swift and decisive action.

Ref - SC Media

_______________________________________________________________________________________

(January 29, 2021)

SolarWinds breach raises questions about the appropriate response to such attacks

The sprawling reach of the SolarWinds malware attack inspires new questions about the appropriate response from private sector organizations to cyberattacks from nation-state hackers. Many enterprises, particularly those in tech and security, have tremendous insight into the workings of their own systems, which some believe puts them in a unique position to hack back at attackers.

Ref - SC Media

_______________________________________________________________________________________

(January 29, 2021)


Suspected Russian hack extends far beyond SolarWinds software

Investigators examining the massive attack on the U.S. government and businesses claim that they have found concrete evidence the suspected Russian espionage operation went far beyond the compromise of the small software vendor publicly linked to the attack. Close to a third of the victims didn’t run the SolarWinds Corp. software. The revelation is fueling concern that the episode exploited vulnerabilities in business software used daily by millions.


_______________________________________________________________________________________

(January 29, 2021)


The SolarWinds hack is even worse than anyone thought

The SolarWinds hackers didn't go for the usual credit card numbers and email addresses that most cyberthieves seek. Instead, the hackers went for much higher-value internal information: emails with corporate and government secrets, the source code underlying Microsoft software, and the like. The attack also undermines the entire structure of cybersecurity in the United States, with its patchwork of government agencies, big-name security firms, thousands of smaller outside vendors, and internal IT department security efforts.

Ref - Fortune

_______________________________________________________________________________________

(January 29, 2021)


What went wrong during SolarWinds attacks, and how can we fix it

When FireEye went public with its SolarWinds news, neither the NSA, the Pentagon’s Cyber Command, nor any other U.S. intelligence or cyber agency had detected the attack, although it had likely been underway for months. FireEye wasn’t legally obligated to inform anyone - publicly or privately - about its discovery. The U.S. does not require independent research firms to share their findings of cyberthreats with government agencies, even if they constitute a potential national security threat.

Ref - Fortune 

_______________________________________________________________________________________

(January 29, 2021)


SolarWinds attackers hit several strategic targets including cyber and tech firms

For hackers, cybersecurity companies represent the gatekeepers guarding the computer networks they so desperately wish to exploit. Also, cybersecurity and technology companies often have remote access to customers’ computer networks, potentially giving hackers entry to their clients and partners. Such digital supply chain hacks are an efficient method to corral hundreds, if not thousands, of potential victims.

Ref - Bloomberg 

_______________________________________________________________________________________

(January 29, 2021)


Web Supply Chain may be next in the line for State-sponsored attacks

Industry experts have pointed out that blind trust and long, complex dependency chains are two key ingredients for any successful supply chain attack like the SolarWinds attack. Both are present in nearly every Web application and website online right now. A breach of a single ‘maintainer’ account can trigger a global Web supply chain attack and affect millions of organizations.

Ref - Dark Reading 

_______________________________________________________________________________________

(January 29, 2021)


Thirty percent of SolarWinds hack victims didn't run the software

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, has recently revealed that around 30 percent of computers previously thought to be hacked via SolarWinds didn't even run the software. Hackers linked to the attack also seem to have broken into government and private accounts by guessing passwords and exploiting issues in Microsoft's cloud-based Office software used by millions of people.

Ref - The Week 

_______________________________________________________________________________________

(January 29, 2021)


A fifth of Sunburst backdoor victims belong to the Manufacturing industry

A new analysis from Kaspersky has revealed that nearly a fifth of organizations hit by the Sunburst backdoor are from the manufacturing sector. Based on a list of nearly 2,000 readable and attributable domains, around a third (32.4%) of all victims were industrial organizations. The most impacted sector is manufacturing (18.11% of all victims), followed by utilities (3.24%), construction (3.03%), transportation and logistics (2.97%), and oil and gas (1.35%).


_______________________________________________________________________________________

(January 29, 2021)


More SolarWinds-type attacks are expected in the future

More sophisticated and complex attacks of the SolarWinds type can be expected sooner or later. Experts also said that these attacks are going to keep getting more sophisticated. SolarWinds is a moment of reckoning for the security industry, and this is going to be the new norm.

Ref - ZDNet

_______________________________________________________________________________________

(January 28, 2021)


Most tools that detected the SolarWinds malware also failed in some way

The actors behind the SolarWinds hack easily evaded all the major cybersecurity technologies available on the market. For endpoint detection and response (EDR), the threat actor seems to have tested its malware against all the major players. It knew which ones could detect it, which ones it could turn off, and which ones it could not evade. The same can be said for automated threat hunting platforms and internal network monitoring tools.

Ref - CFR 

_______________________________________________________________________________________

(January 28, 2021)

SolarWinds attackers abused weak access policies to move through internal networks

Service accounts may have played a bigger role than originally anticipated in the SolarWinds hack that compromised the networks of a number of U.S. government agencies and private organizations. Attackers may have used SolarWinds’ service accounts with high-level privileges to conduct lateral movement across the SolarWinds network and thereby gain access to more enterprise resources.

Ref - Toolbox

_______________________________________________________________________________________

(January 28, 2021)


The technical attack flow of SunBurst malware

Using the MITRE ATT&CK framework, researchers have provided the most likely technical attack flow of SunBurst, the malware installed on SolarWinds’ Orion product. The chain of events included initial access (on-prem), discovery, credential access, privilege escalation, defense evasion, lateral movement, and finally exfiltration. Check Point researchers have revealed the details of each of these steps.


_______________________________________________________________________________________

(January 28, 2021)


Why does the SolarWinds breach matter so much?

The SolarWinds breach was like no other of its kind. The breach is almost endless in scale due to the implementation and usage of the compromised SolarWinds product and code across many organizations. This makes it one of the most powerful and successful hacks in history.

Ref - RedBit  

_______________________________________________________________________________________

(January 28, 2021)


SolarWinds hack proves that there is no ‘Finish Line’ with security

Stephen Ayoub, president of the solution provider powerhouse Ahead, has insisted that the massive SolarWinds hack has proved that there is no “finish line” to any organization’s cybersecurity strategy. Several other IT leaders across the board are echoing similar views regarding the SolarWinds hack.

Ref - CRN 

_______________________________________________________________________________________

(January 28, 2021)

The Story of a SolarWinds Attack Victim

Marcin Kleczynski, the chief executive officer of Malwarebytes, sheds some light on the series of quick and consequential decisions that hundreds of company and agency heads across the country have been forced to make in the aftermath of the SolarWinds breach by suspected Russian hackers.

Ref - Bloomberg

_______________________________________________________________________________________

(January 27, 2021)

CISA Malware Analysis on Supernova

CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts. Supernova is not part of the SolarWinds supply chain attack described in Alert AA20-352A.
 
Ref - US-CERT

_______________________________________________________________________________________

(January 27, 2021)


SolarWinds Attacks Highlight Advantage of Indicators of Behavior for Early Detection

The security community is not bound to protecting organizations using IOCs alone; it can turn to what’s known as Indicators of Behavior (IOBs). The malicious actors uniquely compiled their code to make sure it did not match any known file hashes or malware signatures, rendering IOCs ineffective for detection and leaving signature-based anti-malware solutions unable to catch it.


_______________________________________________________________________________________

(January 27, 2021)


Hardening active directory against SolarWinds-type attacks

The SolarWinds attackers took advantage of Active Directory to gain a foothold inside the targeted networks. Microsoft’s Active Directory (AD) offers several means to identify the attack techniques used by the SolarWinds attackers and to prevent them. These include user account settings, domain password policies, Active Directory backup policies, and a few areas needing attention such as old Group Policy Preferences credentials.
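One of the AD clean-up items named above, leftover Group Policy Preferences credentials, can be audited with a small scan of SYSVOL. The following is an added example written for this page, not Microsoft’s tooling: it walks the policy share, parses the preference XML files, and reports any element that still carries a non-empty `cpassword` attribute (the attribute GPP used to store passwords before MS14-025 removed the ability to create them). The sample XML, account name and directory layout are constructed; nothing is decrypted, only located.

```python
"""Audit check for leftover Group Policy Preferences (GPP) credentials in SYSVOL.

Added example, not from the original page or from Microsoft. Old policies can still
carry a 'cpassword' attribute; this locates and reports them without decrypting.
The sample XML and paths are constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

# GPP item files that can carry credentials (file names are case-insensitive on NTFS).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}

# Constructed Groups.xml that still carries a stored password (opaque placeholder value).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" changed="2015-03-01 10:00:00">
    <Properties action="U" cpassword="CONSTRUCTED-OPAQUE-VALUE"
                changeLogon="0" noChange="1" neverExpires="1"
                acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>
"""

# Constructed Groups.xml with the attribute present but empty: nothing stored, not a hit.
CLEAN_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="helpdesk">
    <Properties action="U" cpassword="" userName="helpdesk"/>
  </User>
</Groups>
"""


def find_cpassword(xml_text: str, source: str) -> List[Tuple[str, str, str]]:
    """Return (source, element tag, account) for each element with a non-empty cpassword."""
    hits = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.get("cpassword"):          # empty string means no password stored
            account = elem.get("userName") or elem.get("runAs") or ""
            hits.append((source, elem.tag, account))
    return hits


def scan_sysvol(root_dir: str) -> List[Tuple[str, str, str]]:
    """Walk a SYSVOL (or any) directory tree and collect cpassword findings."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    hits.extend(find_cpassword(fh.read(), path))
            except (ET.ParseError, OSError) as exc:
                print(f"skipping {path}: {exc}")   # malformed or unreadable file
    return hits


def demo_scan() -> int:
    """Build a constructed mini-SYSVOL in a temp dir, scan it, return the hit count."""
    with tempfile.TemporaryDirectory() as tmp:
        pol = os.path.join(tmp, "Policies", "{CONSTRUCTED-GUID}", "Machine", "Preferences", "Groups")
        os.makedirs(pol)
        with open(os.path.join(pol, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        with open(os.path.join(pol, "Drives.xml"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_GROUPS_XML)
        return len(scan_sysvol(tmp))


if __name__ == "__main__":
    for source, tag, account in find_cpassword(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{source}: <{tag}> for account '{account}' still stores a GPP password")
    print("findings in constructed SYSVOL:", demo_scan())
```

In a real domain, point `scan_sysvol` at `\\<domain>\SYSVOL\<domain>\Policies` from a workstation that can read the share; any finding should be handled by deleting the preference item and rotating the affected account’s password, since the stored value is recoverable by anyone who can read SYSVOL.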


_______________________________________________________________________________________

(January 27, 2021)


Hundreds of Industrial organizations received Sunburst malware

Kaspersky’s industrial cybersecurity researchers have analyzed a list of nearly 2,000 domains impacted by Sunburst and estimated that roughly 32% of them were associated with industrial organizations. A majority of them are organizations in the manufacturing sector, followed by utilities, construction, transportation and logistics, oil and gas, mining, and energy.

Ref - SecurityWeek 

_______________________________________________________________________________________

(January 27, 2021)


Fidelis targeted by SolarWinds hackers via Orion

Fidelis has disclosed and confirmed that hq[.]fidelis is included in the growing list of domains known to have been targeted by the SolarWinds attackers. Fidelis had installed an evaluation copy of the trojanized SolarWinds Orion software on one of their machines in May 2020 as part of a software evaluation.


_______________________________________________________________________________________

(January 26, 2021)


Kaspersky researchers reveal SunBurst industrial victims

Kaspersky researchers have analyzed all available decoded internal domain names recovered from the DNS names generated by the SUNBURST domain generation algorithm (DGA), using publicly available lists and third-party lists. The geographical distribution of the affected industrial organizations is broad and covers almost the entire world, from North America to APAC.

Ref - Kaspersky

_______________________________________________________________________________________

(January 26, 2021)


Mimecast confirms SolarWinds' hackers breached company

Mimecast has confirmed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. Customers hosted in the United States and the United Kingdom have been advised to take precautionary steps to reset their credentials.

Ref - Mimecast 

_______________________________________________________________________________________

(January 26, 2021)


Four new victims disclosed in SolarWinds breach

As most experts predicted last month, the fallout from the SolarWinds supply chain attack is getting bigger as time passes and companies have had time to audit their internal networks and DNS logs. Now, four more cybersecurity vendors, Mimecast, Palo Alto Networks, Qualys, and Fidelis, have added their names to the list of companies that installed trojanized versions of the SolarWinds Orion app.

Ref - ZDNet

_______________________________________________________________________________________

(January 26, 2021)


Can the SolarWinds breach be called an act of war?

Members of Congress on both sides of the aisle have posed the question of whether the recent SolarWinds cyberattack was an act of war. Democratic Sen. Dick Durbin and Republican Sen. Mitt Romney shared these concerns. States must recognize such an aggressive act for what it is and be prepared to respond to such threats in accordance with international law.

Ref - Lawfare 

_______________________________________________________________________________________

(January 26, 2021)


SolarWinds breach exposed significant weaknesses of incident response

The massive SolarWinds breach exposed some significant weaknesses in companies’ incident response practices. Lack of traffic analysis and behavior logs hinders the incident response team's ability to track down the source of the attack and shut it down, cut off the attackers' communication channels, and determine how far the attack has spread.


_______________________________________________________________________________________

(January 26, 2021)


Important lessons of the SolarWinds breach

The SolarWinds hack hasn’t really gotten the attention it deserves because it happened during the chaos after the presidential election, but it’s a big deal. And it raises a lot of questions about how to respond to such a massive attack and the responsibility of the private sector when it comes to national security.

Ref - The Verge

_______________________________________________________________________________________

(January 26, 2021)


SUNSPOT was used to inject the SUNBURST backdoor into the Orion app

An analysis revealed that, after carrying out the manual supply chain compromise, the threat actors leveraged SUNSPOT to automatically inject the SUNBURST backdoor into the Orion app build process, the tooling developers use to assemble smaller components into larger software applications. SUNSPOT is the third malware strain identified in the attack, after SUNBURST (Solorigate) and TEARDROP.


_______________________________________________________________________________________

(January 26, 2021)


How the massive SolarWinds hack went down

The SolarWinds hack was, and continues to be, one of the biggest espionage campaigns recently discovered. Microsoft, Google and several U.S. government agencies were among those compromised by the intrusion, and the repercussions of the SolarWinds hack are still being unraveled.

Ref - CNBC 

_______________________________________________________________________________________

(January 26, 2021)


SonicWall warns customers about zero-day vulnerabilities, possibly linked to SolarWinds attacks

SonicWall has identified a coordinated attack on its internal systems by highly sophisticated threat actors. The attackers exploited probable zero-day vulnerabilities in certain SonicWall secure remote access products. Although there is currently no established link between the attack against SonicWall and the SolarWinds or Azure attacks, SonicWall is the third cybersecurity vendor to recently announce a security breach, after FireEye and Malwarebytes.

Ref - CSO Online 

_______________________________________________________________________________________

(January 25, 2021)


How should affected businesses respond to the SolarWinds hack?

The first thing businesses should do is make certain that their networks are as internally secure as possible. That means reconfiguring network assets to be as isolated as possible. Review employee security practices and procedures, conduct a limited security audit, and engage in defensive measures.


_______________________________________________________________________________________

(January 25, 2021)


Stage two of the SUNBURST backdoor revealed 23 more targets

According to researchers, the "STAGE2" flag in SUNBURST's DNS beacons can be used to reveal additional SUNBURST victims that were singled out as interesting targets by the threat actors. Most SUNBURST backdoors never made it past "Stage 1 operation", in which the backdoor encoded the internal AD domain name and the installed security products into its DNS requests.

Ref - NETRESEC

_______________________________________________________________________________________

(January 25, 2021)


SolarWinds hack leaves security researchers clueless about future risks

The SolarWinds attackers have demonstrated sophistication and complex tradecraft in the intrusions. Out of hundreds of targeted organizations, it will take years to know for certain which networks the Russians control and which ones they merely occupy. Although the consensus seems to be that the SolarWinds breach was straight-up reconnaissance, the truth is that it is not yet known whether this was actually an attack or not.