
Live Updates: SolarWinds / Solorigate (SUNBURST) Supply-Chain Attack


An alleged Russia-backed hacking group is believed to have targeted and breached the U.S. Departments of Treasury and Commerce. According to Reuters, the breach originated from a supply chain attack that leveraged Orion - the widely-used network monitoring tool from SolarWinds, an IT company that supports several federal agencies and the U.S. military. Last week, cybersecurity company FireEye had reported a similar attack carried out via the SolarWinds platform that led to the compromise of its “red teaming” tools. It is believed that a large number of organizations that use this software might be at risk. The malware used in this widespread "UNC2452" campaign is being tracked by several names including Solorigate and SUNBURST.

Cyware has created this resource to collect and share live alerts on this campaign, impacted organizations as reported in the media, indicators of compromise (IOCs), and other relevant threat intelligence. We are actively working to keep this page updated and accurate in order to ensure that it is timely and relevant to as many people as possible.

Solutions and Countermeasures


Advisories

Indicators of Compromise (IOCs)

Threat Response Workflow

Killswitch

Network Auditing Tool

_______________________________________________________________________________________

(April 12, 2021)


SolarWinds hack underscores the need for moving to the cloud

According to Microsoft CEO Satya Nadella, the SolarWinds attack underscores the importance of implementing zero trust architecture and migrating to the cloud. Nadella sees the SolarWinds hack as a wake-up call for all companies to take security as a first-class priority.

Ref - CRN

_______________________________________________________________________________________

(April 12, 2021)


Biden names former top NSA officials to two key cyber roles

President Biden has appointed former National Security Agency (NSA) deputy director Chris Inglis and former deputy for counterterrorism at the NSA Jen Easterly to two top cyber roles in the administration. The appointments come as the White House is still dealing with the fallout over the SolarWinds cyber attack, which infiltrated multiple federal agencies.

Ref - Axios
 
_______________________________________________________________________________________

(April 10, 2021)


APKPure users targeted via a supply chain attack

APKPure, one of the largest alternative app stores, was the victim of a supply chain attack in which threat actors compromised client version 3.17.18 to deliver malware. The app store is available only on devices that use Google Mobile Services (GMS) and are firmly tied to Google’s infrastructure. The tainted client downloads and installs various apps, including other malicious payloads.


_______________________________________________________________________________________

(April 9, 2021)


Stopping or preventing the next SolarWinds breach

Mitigating the next SolarWinds breach will require more cyber-savvy people to assess and recognize those threats, explain their potential impact and advocate for enterprise-wide investment in the appropriate levels of protection. Additionally, it will require more boots on the ground in a field that has evolved to encompass a growing array of sub-areas and rapidly changing technologies.


_______________________________________________________________________________________

(April 9, 2021)


Gigaset devices laced with malware in the latest supply chain attack

Cybercriminals managed to sneak several malicious apps onto Gigaset Android devices by compromising a server belonging to an external update service provider. The models affected, according to Malwarebytes, include the Gigaset GS270 and GS160 and the Siemens GS270 and GS160, all running Android 8, as well as the Alps P40pro, running Android 9, and the S20 pro+, running Android 10.

Ref - IT Pro

_______________________________________________________________________________________

(April 9, 2021)


Supply chain disruptions lead to the loss of trillions of dollars

Supply chain disruptions in 2020 had a real impact on the bottom line, as companies lost trillions of dollars in revenue, according to the report, with 64% of respondents reporting revenue losses between 6% and 20%. The survey also indicated that the disruptions caused a big hit to brand reputation, with 38% of respondents reporting that their brands had been impacted. Many respondents said that their struggles to maintain supplies of goods and services left customers frustrated.


_______________________________________________________________________________________

(April 9, 2021)


What the Titans of Industry Reveal about SolarWinds Attack

During the testimony, it was outlined how the SolarWinds software was hijacked and used to break into a host of other organizations, and that the hackers had been able to read Microsoft’s source code for user authentication. Unfortunately for Microsoft, and as strongly pointed out by CrowdStrike, the hackers took advantage of well-known weaknesses in Windows authentication and Active Directory Federation Services.


_______________________________________________________________________________________

(April 9, 2021)


How to protect against software supply-chain attacks

Organizations can protect themselves against supply-chain attacks with some simple tips. They should avoid the use of third-party modules, watch for threats when using modules by unknown authors, and perform automated scans of code submitted to repositories. They can also have a plan for external services and develop an on-premises and cloud strategy.

Ref - SCMagazine

_______________________________________________________________________________________

(April 8, 2021)


CISA releases tool to review Microsoft 365 post-compromise activity

CISA has released a new tool, dubbed Aviary, that can help security teams visualize and analyze data outputs generated using Sparrow, an open-source PowerShell-based tool for detecting potentially compromised applications and accounts in Azure and Microsoft 365. Sparrow was created to help defenders hunt down threat activity after the SolarWinds supply-chain attack.


_______________________________________________________________________________________

(April 8, 2021)


How to minimize cyberattacks on supply and value chains

Organizations can mitigate access-related third-party risk in several ways. This includes providing an identity to anything connecting to the enterprise, including people, systems, and things. Another way is taking advantage of identity broker technology to verify credentials and enrich authentication requirements. Applying access governance to third-party identities and centrally managing all third-party access can also help minimize the risks.


_______________________________________________________________________________________

(April 8, 2021)


Biden administration sets the stage for retaliation against Russia over SolarWinds attack

The Biden administration completed an intelligence review of alleged Russian meddling in the SolarWinds cybersecurity attack and interference in US elections. The review could set the stage for possible retaliatory actions like enacting sanctions or expulsion of Russian intel officers in the US.

Ref - Yahoo

_______________________________________________________________________________________

(April 7, 2021)


In another supply chain incident, Gigaset injects malware into victims' phones

Android smartphones from Gigaset have been infected by malware directly from the manufacturer in what appears to be a supply-chain attack. The Trojan, once downloaded and installed on a victim's device via a poisoned software update from the vendor, is capable of opening browser windows, fetching more malicious apps, and sending people text messages to further spread the malware.

Ref - The Register

_______________________________________________________________________________________

(April 7, 2021)


Supply-chain attacks - When trust goes wrong

Minimizing the risk of a supply-chain attack involves a never-ending loop of risk and compliance management. In the SolarWinds hack, the post-attack in-depth inspection of the third-party vendor’s product identified the exploit buried deep in the code. As a preventive measure, organizations need to have visibility into all of their suppliers and the components they deliver, which includes the policies and procedures that the company has in place.


_______________________________________________________________________________________

(April 6, 2021)


Senators press for more on SolarWinds hack after AP report

Key lawmakers said they're concerned they've been kept in the dark about what suspected Russian hackers stole from the federal government and they pressed Biden administration officials for more details about the scope of what's known as the SolarWinds hack.


_______________________________________________________________________________________

(April 6, 2021)


RSA Conference 2021 will have a keynote from SolarWinds’s president

RSA Conference announced that Sudhakar Ramakrishna, President of SolarWinds, has joined the keynote line-up for RSA Conference 2021. He will be joined by Laura Koetzle to explore the technical elements of the breach and will provide a deep understanding of the sophistication of the overall operation of the nation-state attack.


_______________________________________________________________________________________

(April 5, 2021)


SolarWinds-type attacks need a serious approach toward cybersecurity

The federal government has to take cybersecurity more seriously, both from a funding and a legislation standpoint after the SolarWinds breach. There is some hope that this will happen with the new administration, but it remains to be seen if talk will turn into action and real change. Only with a concerted effort across all levels of government, big to small, national/state to local, will we be able to overcome this cyber assault and keep our citizens safe and secure.

Ref - GovTech

_______________________________________________________________________________________

(April 5, 2021)


The cybersecurity warning system in the U.S.

Many vulnerabilities and threats aren’t discovered by the government but are regularly uncovered by hackers who find bugs, notify companies, and often work with them to develop fixes. In turn, CISA can immediately issue directives, as it did during SolarWinds and the Microsoft Exchange compromise, that mandate action for federal agencies and sound the clarion call for others to heed.


_______________________________________________________________________________________

(April 2, 2021)


The importance of supply chain risk management

With cloud and digital technology allowing companies to flourish and succeed globally, the world has never been more interconnected. However, this comes with elevated risk. Partners, vendors, and third parties can expose companies and malicious hackers are known to target organizations through their supply chain. As a result, supply chain risk management has become a critical component of any company’s risk management and cybersecurity strategy.

Ref - Varonis

_______________________________________________________________________________________

(April 2, 2021)


The positive outcome from the SolarWinds breach

The SolarWinds compromise may have some positive outcomes by shining an even harsher light on the complacency that still exists when it comes to security. It is important especially for the different security standards that are applied to development/supplier systems compared to in-house production systems. Now, securing the supply chain has become a hot topic, and organizations can do better to protect their infrastructure.

Ref - BMC

_______________________________________________________________________________________

(April 2, 2021)


How Russian hackers targeted US cyber first responders in SolarWinds breach

After infiltrating US government computer networks early last year as part of the SolarWinds data breach, Russian hackers then turned their attention to the very people whose job was to track them down. The hackers identified a handful of key cybersecurity officials and analysts who would be among the first to respond once the hack was detected, so-called 'threat hunters,' and attempted to access their email accounts.

Ref - CNN

_______________________________________________________________________________________

(April 1, 2021)


After the hack, officials draw attention to supply chain threats

The National Counterintelligence and Security Center warned that foreign hackers are increasingly targeting vendors and suppliers that work with the government to compromise their products in an effort to steal intellectual property and carry out espionage. The NCSC said it is working with other agencies, including CISA, to raise awareness of the supply chain issue.

Ref - AP News

_______________________________________________________________________________________

(April 1, 2021)


Learnings from the SolarWinds supply chain attack

The recent SolarWinds attack (known as Sunburst) has shone a light on the controls required after a breach, with affected organizations laser-focused on what happened and what next. But the same controls that can help remediate the risks posed by this serious supply chain threat can also help prevent or limit the effect of this and other attacks before they happen.

Ref - Accenture

_______________________________________________________________________________________

(April 1, 2021)


The U.S. officials are drawing attention to the supply chain attacks

The U.S. government is working to draw attention to supply chain vulnerabilities, an issue that received particular attention late last year after suspected Russian hackers gained access to federal agencies and private corporations by sneaking malicious code into widely used software. The NCSC said it plans to issue guidance throughout the month about how specific sectors, like health care and energy, can protect themselves.


_______________________________________________________________________________________

(April 1, 2021)


The SolarWinds hack severity perception increased over time

(ISC)² has published the results of an online survey of 303 cybersecurity professionals on the SolarWinds Orion software breach. In it, 86% of respondents rated the breach “very” or “extremely severe” when they first learned about it. Roughly six weeks after the incident was reported, as more details emerged, the number of respondents who indicated that the breach was “severe” had increased from 51% to 55%.


_______________________________________________________________________________________

(April 1, 2021)


A report with detailed analysis of SolarWinds hacking tools

US Cyber Command and the Department of Homeland Security (DHS) are preparing to release a detailed analysis of the hacking tools used in the SolarWinds attack, which targeted multiple federal agencies and private firms last year. The report was originally scheduled to be released on Wednesday, but the DHS delayed it without explanation. However, it's still expected to be published soon.

Ref - Computing

_______________________________________________________________________________________

(April 1, 2021)


DHS chief announces cybersecurity plan in wake of SolarWinds attacks

Homeland Security Secretary Alejandro Mayorkas warned that cyber threats are coming dangerously close to threatening people’s lives as he announced a series of sprints designed to counter online attacks. The series includes 60-day sprints, each focused on the most important and most urgent priorities needed to achieve goals.

Ref - Yahoo

_______________________________________________________________________________________

(March 31, 2021)


The SolarWinds breach is a wake-up call for the security community

The next time a SolarWinds-class attack occurs, the steps toward a successful response are already defined. Understanding potential concentration risks may involve delving into third-party liabilities and obligations, categorizing vendors, and understanding the scope of the larger supplier ecosystem. By defining potential sources of this risk, it becomes possible to build mitigation strategies into incident response plans.

Ref - Deloitte

_______________________________________________________________________________________

(March 30, 2021)


Executive order with 'a dozen' actions forthcoming after SolarWinds, Microsoft breaches

The Biden administration is working on “close to a dozen” action items to be included in an upcoming executive order meant to strengthen federal cybersecurity in the wake of two major breaches. The comments were made as the Biden administration continues to grapple with the fallout from both the recent attacks.

Ref - TheHill

_______________________________________________________________________________________

(March 30, 2021)


Infosec community is concerned about SolarWinds hack

The perceived severity of a data breach typically jumps in the short term and decreases as time progresses. But, according to a survey by the International Information System Security Certification Consortium, or (ISC)², the 2020 SolarWinds incident bucked that trend in the eyes of cybersecurity professionals. A month and a half after the incident was reported, the number of respondents who indicated the breach was “severe” increased from 51% to 55%.


_______________________________________________________________________________________

(March 30, 2021)


Details about the second elusive attack targeting SolarWinds software

Details about the scope and victims of Supernova, which exploited a flaw in SolarWinds' Orion network management software, so far have been scarce. Less than a handful of victims have been known to be targeted, and an investigation into the breach of one of those victims led to researchers at Secureworks tying the Supernova attacks to a previously unknown Chinese nation-state group they dubbed "Spiral."


_______________________________________________________________________________________

(March 30, 2021)


SolarWinds breach led to distrust of software in use

Security experts say that because enterprises can't inspect the inner workings of the software they buy, they're at the mercy of software companies' security practices. In the SolarWinds attack, attackers infected software that is trusted by organizations, and that software became a way to steal confidential information. This breach of trust in software is huge because software is driving everything around tech firms.


_______________________________________________________________________________________

(March 30, 2021)


Trump administration emails were compromised in SolarWinds breach

An Associated Press report found that the head of DHS and the department's cyber-security staff were among the accounts exposed during the SolarWinds hack. Email accounts belonging to members of the Trump administration's Department of Homeland Security, including the head of the department, were reportedly compromised by suspected Russian hackers, according to the report.

Ref - Yahoo

_______________________________________________________________________________________

(March 29, 2021)


Key lessons from Sunburst

The cyber domain is a realm of intense interconnectivity that underpins much of daily life and national security. The discovery late in 2020 that Sunburst malware had infected not only thousands of private networks but also US government agencies led some observers to embrace alarmist views of this event as the first step in a full-fledged cyberwar.


_______________________________________________________________________________________

(March 29, 2021)


PHP's Git server hacked in a recent supply chain attack

In the latest software supply chain attack, the official PHP Git repository was hacked and the code base tampered with. Two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server. The threat actors had signed off on these commits as if these were made by known PHP developers and maintainers, Rasmus Lerdorf and Nikita Popov.


_______________________________________________________________________________________

(March 29, 2021)


SolarWinds breach got emails of top DHS officials

Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries. The intelligence value of the hacking of then-acting Secretary Chad Wolf and his staff is not publicly known.

Ref - AP News

_______________________________________________________________________________________

(March 29, 2021)


Need of a new alert system for cybersecurity

America needs a national cyber vulnerability early warning center after the recent SolarWinds breach. Just as a meteorologist is constantly on the lookout for storm systems, an early warning center would search widely used software and hardware components for vulnerabilities. It would discover new weaknesses before opponents, fortifying defenses and increasing the costs of mounting an attack.


_______________________________________________________________________________________

(March 29, 2021)


SolarWinds patches four new vulnerabilities in the Orion platform

SolarWinds released fixes for four new vulnerabilities in their Orion platform, the most severe of which is an authenticated remote code execution flaw due to a JSON deserialization weakness. Fixes for these weaknesses are in Orion Platform 2020.2.5.

Ref - Rapid7

_______________________________________________________________________________________

(March 26, 2021)


SolarWinds hackers copied a limited number of source code repositories - Mimecast

A forensic investigation conducted by Mimecast and FireEye's Mandiant incident response division found that the SolarWinds hackers downloaded a limited number of the company’s source code repositories.

Ref - CPO Magazine

_______________________________________________________________________________________

(March 26, 2021)


Software security is the top priority - SolarWinds CEO

SolarWinds has launched a Secure by Design initiative in response to the recent cybersecurity attack. This project is designed to build security into the design phase of software development and to make security an ongoing priority instead of an after-the-fact priority. The company is testing a design process that uses several parallel build chains simultaneously to create software instead of just one.

Ref - TechRepublic

_______________________________________________________________________________________

(March 26, 2021)


Lessons learned from the SolarWinds breach

A system like SolarWinds should have security checks built in from the start and the use of software signing keys should always be closely monitored. In addition, organizations need to adopt a zero-trust policy, stay vigilant, and create a security culture to prevent complex attacks like this.

Ref - Forbes

_______________________________________________________________________________________

(March 25, 2021)


Strategies to guard against email fraud in supply chain

Proofpoint has provided six recommendations to protect supply chain relationships: knowing who the suppliers are, considering the "spider web," creating more vendor accountability, being responsive to security-conscious users, relying more on automation, and finally implementing DMARC at the gateway.


_______________________________________________________________________________________

(March 25, 2021)


SolarWinds breach - Key learnings

Security experts identified several critical learnings from the SolarWinds breach: threat hunting and threat intelligence built on artificial intelligence and machine learning; comprehensive detection with real-time continuous monitoring; a simplified incident response infrastructure that is capable of detecting attacks, containing the damage, and restoring systems and data; agile, integrated, and automated security technology; and dynamic remediation strategies designed to quickly return business operations to a trusted state.

Ref - OpenText

_______________________________________________________________________________________

(March 25, 2021)


Fed breach disclosure rule after SolarWinds breach

An executive order in the wake of the SolarWinds hack will require software vendors and service providers to notify their U.S. government clients if they experience a security breach. Major software companies like Microsoft and Salesforce that sell to the government would be affected by the executive order.

Ref - CRN

_______________________________________________________________________________________

(March 25, 2021)


Fresh code execution flaws in the SolarWinds Orion platform

SolarWinds has shipped a major security update to fix at least four documented security vulnerabilities, including a pair of bugs that are exploitable for remote code execution attacks. The patches were pushed out as part of a minor security makeover of the Orion Platform, the same compromised SolarWinds product that was exploited in recent nation-state software supply chain attacks.


_______________________________________________________________________________________

(March 25, 2021)


SolarWinds making changes in the build process after the hack

SolarWinds’ chief executive said the software provider made a series of changes to its build process and board room reporting structure in an effort to prevent another supply chain attack like the one experienced by the company. The company is also taking a series of actions designed to boost the profile of cybersecurity in business decisions and increase the autonomy of its chief information security officer and CIO shops.

Ref - SC Media

_______________________________________________________________________________________

(March 25, 2021)


Some powerful tactics to prevent supply chain attacks

UpGuard recommends some defense tactics that organizations can implement to significantly decrease the chances of a supply chain attack. These include deploying honeytokens, securing privileged access management, implementing a zero-trust architecture, and adopting an assume-breach mindset when preparing the security strategy.

Ref - UpGuard

_______________________________________________________________________________________

(March 25, 2021)


‘Trust no one’ becomes cyber mantra after massive hacking attacks

In the wake of two massive cyberattacks that exposed glaring deficiencies in U.S. defenses, government officials and cybersecurity practitioners are saying zero-trust may be the way to stop the cyber mayhem. Zero-trust reduces or prevents lateral movement and privilege escalation.

Ref - JapanTimes

_______________________________________________________________________________________

(March 24, 2021)


Securing the software development build using secure design

SolarWinds SVP, Engineering Lee McClendon, KPMG Director of Cyber Security Services Caleb Queern, and Head Geek Thomas LaRock provide insights on how SolarWinds is prioritizing security in its software build environment, and what the entire industry can learn about next-generation software development.

Ref - SolarWinds

_______________________________________________________________________________________

(March 24, 2021)


SolarWinds attack and other threats indicate increased nation-state activity

Cyber attacks launched by nation-states are becoming more proficient and aggressive. This was the message from Admiral (ret.) Michael S. Rogers at the NetDiligence Cyber War Webinar Series. He said that the breadth of activity has now changed with the SolarWinds attack in December 2020 and the attack on Microsoft Exchange this month, both arguably evidence of increased nation-state activity.

Ref - Yahoo

_______________________________________________________________________________________

(March 23, 2021)


Attackers can abuse OAuth authentication apps used in the SolarWinds breach

Given the broad permissions they can have to your core cloud applications, OAuth apps have become a growing attack surface and vector. Attackers use various methods to abuse OAuth apps, including compromising app certificates, a technique that was also used in the SolarWinds / Solorigate campaign. Attackers can use OAuth access to compromise and take over cloud accounts, and until the OAuth token is explicitly revoked, the attacker retains persistent access to the user’s account and data.


_______________________________________________________________________________________

(March 23, 2021)


SolarWinds breach is one of the most challenging hacking incidents

The recent SolarWinds Senate hearing and a flurry of subsequent briefings have unearthed new questions around the attack. Brandon Wales, the acting director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), has called it the most complex and challenging hacking incident the agency has come up against.

Ref - CyberArk

_______________________________________________________________________________________

(March 23, 2021)


Microsoft proposes incentivizing digital solutions to mitigate supply chain risk

The first step in strengthening supply chain security is to carefully identify the risks. Once those risks are identified, the industry can then work with the government to define risk-mitigating best practices and tailored technology-enabled solutions. Technology may not eliminate the need for more traditional restrictive measures in all contexts. But in many areas, technology-enabled solutions can both strengthen security and sustain tech leadership.

Ref - Microsoft

_______________________________________________________________________________________

(March 22, 2021)


The ‘Frankencloud’ model is the biggest security risk

According to a researcher, information technology environments have evolved into a “Frankenstein” approach. Firms scrambled to take advantage of the cloud while maintaining their existing systems of record, which led to environments riddled with complexity and built from disconnected parts bolted together.

Ref - TechCrunch

_______________________________________________________________________________________

(March 22, 2021)


The SolarWinds victims are now solidified

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, said that the list of victims from the attack on SolarWinds Orion has "solidified" and he is not expecting many more organizations to come forward. CISA is continuing to work with federal agencies to understand if any have been compromised.

Ref - FCW

_______________________________________________________________________________________

(March 22, 2021)


A report about SilverFish cyber-espionage group

The PRODAFT Threat Intelligence Team has published a report that gives an unusually clear look at the size and structure of organized cybercrime. It uncovered a global cybercrime campaign that uses modern management methods and sophisticated tools, including its own malware testing sandbox. The group has strong ties to the SolarWinds attack, the EvilCorp group, and several other well-known malware campaigns.


_______________________________________________________________________________________

(March 22, 2021)


Shell is another victim of the Accellion supply chain hack

Energy giant Shell has disclosed a data breach (via a supply chain attack) after attackers compromised the company's secure file-sharing system powered by Accellion's File Transfer Appliance (FTA). Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cybersecurity team, and started an investigation to better understand the nature and extent of the incident.


_______________________________________________________________________________________

(March 22, 2021)


The new insider threat of compromised partners

The current rash of financial fraud and supply chain attacks exploits a seemingly unsolvable vulnerability in security strategy. Attackers exploit the fact that a firm must communicate with its outside partners and vendors to thrive as a company or an institution. As it interacts with partners, the door to exploitation opens, specifically in the form of supply chain attacks. These attacks are tremendously hard to detect since malware and malicious links are not necessary for successful exfiltration.


_______________________________________________________________________________________

(March 22, 2021)


Three vulnerabilities exposed during SolarWinds attack

SolarWinds attackers leveraged three key vulnerabilities in the current IT ecosystem. They leveraged the supply chain weakness, injecting malware into the supplier network to gain access to the core network. They also took advantage of single sign-on systems and exploited traditional multifactor authentication systems.

Ref - CPO Magazine 

_______________________________________________________________________________________

(March 22, 2021)


In wake of SolarWinds, Exchange attacks, the U.S. government calls for better information sharing

The new cybersecurity leadership in the Biden White House is brainstorming methods to establish new early warning systems that combine traditional intelligence agency methods with private sector expertise. Reportedly chief among the new approaches is establishing more profound information-sharing methods with the private sector.

Ref - CSO Online 

_______________________________________________________________________________________

(March 22, 2021)


KPMG advisory on SolarWinds attack

According to the recent KPMG advisory, each malware used during SolarWinds had a tactical purpose. SUNSPOT was designed by the threat actor(s) to function specifically within SolarWinds’ software build environment to insert a malicious backdoor called SUNBURST. TEARDROP and RAINDROP were designed to be used by the threat actor(s) to deploy a modified version of Cobalt Strike. Further, SUNSHUTTLE/GoldMax, GoldFinder, and Sibot are malicious tools reported to have been used by threat actor(s) in an environment where there was a pre-existing SUNBURST compromise.

Ref - KPMG

_______________________________________________________________________________________

(March 21, 2021)

How to prevent supply chain attacks?

The key to mitigating supply chain security risks is to ensure each of your third-party vendors is compliant with the strictest cybersecurity standards, whether or not regulatory requirements are enforced. Complacency is the primary driver of supply chain attack vulnerability. To keep third-party vendors compliant, security questionnaires should be sent to each of them on a regular basis to continuously scrutinize their security posture.

Ref - UpGuard

_______________________________________________________________________________________

(March 21, 2021)


CISA releases a tool to detect SolarWinds malicious activity

The U.S. CISA has released a new tool (CISA Hunt and Incident Response Program, or CHIRP) that detects malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise environments. It is a forensics collection tool that CISA developed to help network defenders find IOCs associated with the activity detailed in CISA's alerts on this campaign.


_______________________________________________________________________________________

(March 20, 2021)


SolarWinds is a major disaster in the modern era of computing

Researcher Davi Ottenheimer has compared the SolarWinds attack with the Dust Bowl disaster. According to him, Microsoft worked for many years on an extremely expedited model with minimal security or ecosystem investment, inviting a predictable disaster.


_______________________________________________________________________________________

(March 20, 2021)


A Swiss firm has accessed servers of a SolarWinds hacker

A Swiss cybersecurity firm says it has accessed servers used by a hacking group (SilverFish) tied to the SolarWinds breach, revealing details about who the attackers targeted and how they carried out their operation. The firm, PRODAFT, also said the hackers have continued their campaign through this month.

Ref - PRODAFT

_______________________________________________________________________________________

(March 18, 2021)


Xcode Project spreading MacOS malware to Apple developers

Cybercriminals are targeting Apple developers with a trojanized Xcode project, which once launched installs a backdoor that has spying and data exfiltration capabilities. The malicious Xcode project, which researchers call XcodeSpy, installs a variant of the known EggShell backdoor on the developer’s macOS computer. 


_______________________________________________________________________________________

(March 18, 2021)


CISA releases detection tool for SolarWinds malicious activity 

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to detect post-compromise malicious activity associated with the SolarWinds hackers in on-premises enterprise environments. CISA Hunt and Incident Response Program (CHIRP), the new forensics collection tool, is a Python-based tool that helps detect SolarWinds malicious activity IOCs on Windows operating systems.


_______________________________________________________________________________________

(March 18, 2021)

SolarWinds-linked threat group SilverFish took advantage of enterprise victims

Swiss cybersecurity firm PRODAFT said that SilverFish, a threat group, has been responsible for intrusions at over 4,720 private and government organizations, including Fortune 500 companies, ministries, airlines, defense contractors, audit and consultancy companies, and automotive manufacturers. SilverFish has been connected to the recent SolarWinds breach as "one of many" threat groups taking advantage of the situation.

Ref - ZDNet

_______________________________________________________________________________________

(March 18, 2021)


Beware the Package Typosquatting Supply Chain Attack

In this attack, the attacker mimics the name of an existing package on a public registry in the hope that users or developers will accidentally download the malicious package instead of the legitimate one.


_______________________________________________________________________________________

(March 18, 2021)


XcodeSpy malware can target iOS devs in a supply chain attack

A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply chain attack to install a macOS backdoor on the developer's computer. As in other development ecosystems, it is common for developers to create projects that perform specific functions and share them online so that other developers can add them to their own applications.


_______________________________________________________________________________________

(March 18, 2021)


NSA, Homeland Security push service to mitigate cyber-attacks

The National Security Agency and the Department of Homeland Security are encouraging government agencies and high-risk companies to embrace a system known as Protective DNS (PDNS), in which a private security firm monitors and filters web traffic. PDNS blocked connections to malicious websites millions of times in a recent test involving five U.S. defense contractors.

Ref - Bloomberg
 
_______________________________________________________________________________________

(March 18, 2021)


Will the U.S. never be safe from cyberattacks?

While Washington grapples with how to prevent another attack of this scale (the SolarWinds breach), the hard truth is this: there is no such thing as a foolproof cybersecurity defense, because human beings write computer code, and despite being incredibly smart, those people make mistakes. Each minuscule error creates one more pathway for hackers to launch cyberattacks.

Ref - Yahoo

_______________________________________________________________________________________

(March 18, 2021)


Rethinking Patch management after SolarWinds breach

The SolarWinds breach, in which hackers inserted malware into software updates sent to thousands of customers and created a backdoor to their IT systems, suggests organizations need to rethink patch management. To identify known and potential vulnerabilities, security leaders need a software bill of materials (SBOM) for software and devices deployed into their environment, as well as for new updates and patches.


_______________________________________________________________________________________

(March 17, 2021)


Zero-trust helped Splunk dodge supply chain attack

Events like the SolarWinds breach are reminders of how important it is for organizations, especially high-profile organizations in industry and government, to have a zero-trust architecture in place. Many organizations are building out an in-depth set of data analytics capabilities as part of a broader zero-trust strategy, and then using those capabilities to improve visibility and security operations.


_______________________________________________________________________________________

(March 17, 2021)


SolarWinds attackers gained access to Mimecast’s production environment

Mimecast acknowledged that the threat actor responsible for the SolarWinds attack used the supply chain compromise to gain entry to a part of Mimecast’s production grid environment, accessing certain Mimecast-issued certificates and related customer-server-connection information.

Ref - SC Media

_______________________________________________________________________________________

(March 17, 2021)


Lawmakers drilled multiple agencies for SolarWinds attack

The bipartisan leaders of a House panel drilled multiple agencies for updates on the SolarWinds hack, a mass cyber campaign that compromised at least nine federal agencies and 100 private sector groups. Members of the Energy and Commerce Committee sent letters demanding answers to the leaders of the departments of Commerce, Energy, Health and Human Services, as well as the Environmental Protection Agency.

Ref - The Hill

_______________________________________________________________________________________

(March 17, 2021)


Spotting APT Activity associated with SolarWinds and Active Directory/M365 Compromise

CISA has released a table of tactics, techniques, and procedures used by the advanced persistent threat (APT) actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTP and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.

Ref - CISA

_______________________________________________________________________________________

(March 17, 2021)


Key takeaways for security admins from SolarWinds attacks

Security and IT admins can take note of several key points regarding supply chain attacks. It can be said that potential supply chain attack victims lack access to the right tools. The golden SAML attack allowed attackers to jump from on-premises systems to cloud systems, effectively bypassing MFA, thus showing the weaknesses in current authentication systems.

Ref - CSO Online 

_______________________________________________________________________________________

(March 17, 2021)


How the Linux Foundation’s software signing combats supply chain attacks

The Linux Foundation is launching sigstore, a free service jointly developed with Google, Red Hat, and Purdue University, that software developers can use to digitally sign their software releases. sigstore protects open source consumers from attacks such as dependency confusion, which dupes package managers into installing a remotely hosted malicious version of a locally available resource such as a library file.


_______________________________________________________________________________________

(March 16, 2021)


Biden's supply chain EO may uncover these cyber risks

While the government continues to assess the scope and scale of the SolarWinds breach, the White House is now directing various executive departments to assess the risks in their respective supply chains. The executive order calls for both 100-day immediate reviews of certain products and year-long sectoral supply chain reviews of the defense, health, transportation, and agriculture industries, among others.

Ref - FCW 

_______________________________________________________________________________________

(March 16, 2021)


Mimecast decommissioned SolarWinds Orion after hack

The Lexington, Mass.-based email security vendor - Mimecast - became one of the first SolarWinds hack victims to publicly announce they’re dumping the industry-leading Orion network monitoring platform for a competing product. Industry experts had considered it unlikely that the hack would lead to many customers getting rid of SolarWinds due to the unique visibility and monitoring features Orion offers.

Ref - CRN

_______________________________________________________________________________________

(March 16, 2021)


SolarWinds underestimated network’s role in security

According to Juniper Networks VP of Security Business and Strategy Samantha Madrid, the SolarWinds hack has put a fine point on the importance of network security. While the full scope of the supply chain attack remains under investigation, it brought network visibility and the need for security enforcement at every point of connection into sharper focus.


_______________________________________________________________________________________

(March 16, 2021)


Using CodeQL to spot traces of Solorigate

If a build server is backdoored with the build hijacking component of the Solorigate malware campaign, the malware will inject additional source code at compilation time. If CodeQL is observing the build process on the infected server, it will extract the injected malicious source code together with the genuine source code. The resulting CodeQL database will therefore contain traces of the malicious Solorigate source code.

Ref - GitHub

_______________________________________________________________________________________

(March 16, 2021)


Mimecast confirms that SolarWinds hackers used Sunburst malware for initial intrusion

Mimecast has confirmed that the state-sponsored SolarWinds hackers who breached its network earlier this year used the Sunburst backdoor during the initial intrusion. Using this entry point, the threat actor accessed certain Mimecast-issued certificates and related customer server connection information.


_______________________________________________________________________________________

(March 16, 2021)


How to prevent supply chain attacks?

Here are 11 cybersecurity strategies that could help prevent supply chain attacks: implement honeytokens, secure privileged access management, implement a zero-trust architecture, assume a data breach will occur, identify all potential insider threats and protect vulnerable resources, minimize access to sensitive data, implement strict shadow IT rules, send regular third-party risk assessments, monitor vendor networks for vulnerabilities, and identify all vendor data leaks.

Ref - UpGuard

_______________________________________________________________________________________

(March 16, 2021)


Software supply chain attacks are not easy to tackle

As companies scramble to investigate whether their own systems and data were potentially impacted by the SolarWinds compromise, executives, boards, and customers are discovering that the threat of supply chain attacks expands beyond this one single incident and that mitigating the risks associated with them is not straightforward.


_______________________________________________________________________________________

(March 15, 2021)


Security ratings could raise the bar on cyber hygiene

Plans from the Biden administration to release a product security rating system could raise the bar for security overall but won’t likely prevent the next SolarWinds or Microsoft hacks. Experts say the simplicity of that concept is both its strength and its weakness: it’s a concept that is easy to understand and could drive compliance with a set of standards, but it won’t prevent more sophisticated attacks.


_______________________________________________________________________________________

(March 15, 2021)


Better security approach against supply chain attacks 

Effective procurement language should be developed, designed to hold a supplier or other third party contractually liable for the statements they make about the quality, reliability, and security of the software they are providing. Organizations need to consider the software and service provider's processes when discussing a partnership and defining what security measures will be implemented.

Ref - Medium

_______________________________________________________________________________________

(March 15, 2021)


TIA reveals new global supply chain security standard - SCS 9001

The Telecommunications Industry Association (TIA) has published a new white paper on SCS 9001, the first process-based supply chain security standard for the information communications technology (ICT) industry. Scheduled to release later this year, the new standard will be measurable and verifiable as a means for service providers, manufacturers, and vendors to ensure that their supply chains meet the critical requirements needed to mitigate the risk of cybersecurity breaches and attacks.

Ref - Yahoo 

_______________________________________________________________________________________

(March 15, 2021)


SolarWinds attacks recovery could take the U.S. government 18 months

Brandon Wales, acting director of CISA, said that the U.S. government’s recovery effort from the SolarWinds supply chain attack could take well into 2022. This prediction reflects the complex nature of the breach and the length of time during which the attackers hid in their victims’ networks.


_______________________________________________________________________________________

(March 14, 2021)


White House seeks new cybersecurity approach after failing to detect hacks

The sophisticated hacks pulled off by Russia and China against a broad array of government and industrial targets in the United States, and the failure of the intelligence agencies to detect them, are driving the Biden administration and Congress to rethink how the nation should protect itself from growing cyber threats. Both attacks were run from servers inside the United States, putting them out of reach of the NSA’s early warning system.


_______________________________________________________________________________________

(March 14, 2021)

Software Bill Of Materials: an efficient mitigation strategy for supply chain attacks

There is an efficient mitigation strategy for supply chain attacks: the bill of materials, or “BOM”. In its simplest form, the BOM is similar to a long list of ingredients, in which all materials and quantities needed to manufacture an end product are listed. If the “BOM” is done with great precision, it is possible to provide deep insight into the product and all its parts and its corresponding supply chain vulnerabilities.

Ref - Medium
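To show what a precise BOM buys a defender, here is an added example (not code from the page or the cited Medium article, and also relevant to the earlier patch-management entry on SBOMs): it walks a CycloneDX-style SBOM, matches each component's package URL against an advisory list, and reports both the affected components and the components whose entries are too imprecise to match at all. The SBOM document, component names and advisory ranges are all constructed for the demo.

```python
"""Cross-check a CycloneDX-style SBOM against constructed vulnerability advisories."""
import json
from typing import Dict, List, Tuple

# Constructed SBOM in CycloneDX JSON layout (bomFormat/specVersion/components).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "widgetlib", "version": "1.4.2",
         "purl": "pkg:pypi/widgetlib@1.4.2"},
        {"type": "library", "name": "gizmo", "version": "3.0.1",
         "purl": "pkg:npm/gizmo@3.0.1"},
        {"type": "library", "name": "frobnicator", "version": "2.3",
         "purl": "pkg:maven/com.example/frobnicator@2.3?type=jar"},
        # An imprecise entry: no purl, so it cannot be matched to advisories.
        {"type": "application", "name": "legacy-tool", "version": "unknown"},
    ],
})

# Constructed advisories: base purl -> (first affected version, first fixed version).
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "pkg:pypi/widgetlib": ("1.0.0", "1.5.0"),
    "pkg:npm/gizmo": ("2.0.0", "3.0.1"),
    "pkg:maven/com.example/frobnicator": ("2.0", "2.3"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version into a tuple of leading integers ('2.3' -> (2, 3))."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; pads with zeros so '3.0' equals '3.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/name@version?qualifiers' into (base, version)."""
    base, version = purl.rsplit("@", 1)
    return base, version.split("?", 1)[0]


def check_sbom(sbom_json: str, advisories: Dict[str, Tuple[str, str]] = ADVISORIES
               ) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (affected components as (name, version, fixed_in), unmatched names)."""
    doc = json.loads(sbom_json)
    affected: List[Tuple[str, str, str]] = []
    unmatched: List[str] = []
    for comp in doc.get("components", []):
        purl = comp.get("purl", "")
        if "@" not in purl:
            # Without a precise identifier the BOM entry cannot be assessed.
            unmatched.append(comp.get("name", "<unnamed>"))
            continue
        base, version = split_purl(purl)
        if base not in advisories:
            continue
        introduced, fixed = advisories[base]
        if compare_versions(version, introduced) >= 0 and compare_versions(version, fixed) < 0:
            affected.append((comp["name"], version, fixed))
    return affected, unmatched


if __name__ == "__main__":
    hits, gaps = check_sbom(SAMPLE_SBOM)
    for name, version, fixed in hits:
        print(f"AFFECTED {name} {version} (fixed in {fixed})")
    for name in gaps:
        print(f"UNMATCHED {name}: BOM entry lacks a package URL")
```

Only widgetlib is reported as affected: gizmo is already at its fixed version and frobnicator 2.3 sits exactly on the fix boundary, while legacy-tool is surfaced as a coverage gap rather than silently skipped.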

_______________________________________________________________________________________

(March 13, 2021)


Security best practices after SolarWinds supply chain attack

Implementing the supply chain security best practices can help mitigate third-party risk and meet the needs of the changing enterprise ecosystem. Users are recommended to conduct asset and access inventories, elevate third-party risk management and ensure third-party relationships are collaborative.


_______________________________________________________________________________________

(March 12, 2021)


A senior administration official on the response to the Microsoft and SolarWinds intrusions

According to a senior administration official, they are in week three of four-week remediation across the federal government. The compromised agencies were all tasked to do a particular set of activities and then were tasked to have an independent review of their work to ensure the adversary had been eradicated. Most of the agencies have completed that independent review and the rest will complete it by the end of March.


_______________________________________________________________________________________

(March 12, 2021)


SolarWinds and Microsoft hacks spark debate over western retaliation

Cyber experts have cautioned that retaliation for the SolarWinds and Microsoft hacks may not be justified. The SolarWinds and Microsoft hacks are not instances of conflict in any conventional sense; they are espionage, and so part of the continual interaction between these states.


_______________________________________________________________________________________

(March 12, 2021)


The first-ever U.S. national cyber director after SolarWinds breach

The new national cyber director will be responsible for crafting a national cyber strategy as well as driving more consistency across civilian government networks. If disaster strikes, the director will serve as the point person in coordinating the government’s nonmilitary response. 

Ref - Fortune

_______________________________________________________________________________________

(March 11, 2021)


Risks of supply chain attacks for organizations

Supply chain security risks are not new, but recent headlines are a reminder for consumers to re-examine their security practices. The SolarWinds/Orion cyberattack impacted more than 18,000 organizations, and it might serve as the major point of attention for dealing with digital supply chain risks.

Ref - Synopsys

_______________________________________________________________________________________

(March 11, 2021)


Managing supply chain security risk 

After the SolarWinds attack, information security and risk management teams need to think beyond third-party and vendor risk management. Supply chain risk management should be built on existing standardized practices across many existing risk practices and disciplines. It also requires cooperation and collaborative relationships within all areas of the organization.


_______________________________________________________________________________________

(March 11, 2021)


Embedded devices are a blind spot in the SolarWinds attack

Attention so far has focused on how the SolarWinds attackers accessed the network, be it via Office 365 or VMware, and on a separate campaign that exploited a bug in SolarWinds. However, the industry is overlooking a more nefarious but equally plausible objective: attackers may have used SolarWinds as a pathway into key networks where they could access and burrow deep into the embedded devices in industrial control systems.

Ref - The Hill

_______________________________________________________________________________________

(March 11, 2021)


Nation-state hackers exploited the U.S. Internet security gap

U.S. lawmakers and security experts are voicing concern that foreign governments are staging cyberattacks using servers in the U.S., in an apparent effort to avoid detection by America’s principal cyberintelligence organization. When hackers recently targeted servers running Microsoft Corp.’s Exchange software, they employed U.S.-based computers from at least four service providers to mount their attack, according to an analysis by the threat intelligence company DomainTools LLC.


_______________________________________________________________________________________

(March 10, 2021)


Risks of integrating technology vulnerabilities into the foundational technology

The SolarWinds attacks and other events in 2020 spotlight a new burden for C-suites and boards to manage: the malicious supply chain influence of nation-state intelligence services. In recent supply chain attacks, the adversaries are not just finding and exploiting technology vulnerabilities, but actually creating and integrating them into the foundational technology.

Ref - Forbes

_______________________________________________________________________________________

(March 10, 2021)


Hacker group claims access to internal video feeds by compromising supplier

Hackers said they accessed internal video feeds at several companies, including Tesla Inc., and at public agencies by breaching the network of security-camera vendor Verkada Inc., the latest cybersecurity incident in which a supplier unwittingly opened a back door into client networks. The group found a username and password for a Verkada administrative account on the internet, permitting them to obtain the footage.


_______________________________________________________________________________________

(March 10, 2021)


How to beat the new breed of Supply Chain attacks

The plethora of new malware strains (e.g., SUNBURST, SUPERNOVA, GoldMax, Sibot, and GoldFinder) that have emerged in the wake of the SolarWinds breach should force all enterprises to take the supply chain attack vector seriously. Comparing traditional supply chain attacks with the recent SolarWinds and Microsoft hacks, it is clear that attackers have upped their game to a whole new level, both in sophistication and tactics.

Ref - SentinelOne 

_______________________________________________________________________________________

(March 10, 2021)


Monitoring the software supply chain in Microsoft environment

Microsoft has described ways to monitor the software development, build, and release process via Azure Sentinel, specifically to detect any NOBELIUM-related activity. The blog uses Microsoft’s security monitoring solution Azure Sentinel and Microsoft’s cloud CI/CD solution Azure DevOps as its focus; however, the monitoring principles and approaches could also be applied to other technology stacks.

Ref - Microsoft 

_______________________________________________________________________________________

(March 10, 2021)


SolarWinds is not an isolated event going forward - VMware Report

The 2021 Global Cybersecurity Outlook report from VMware Security Business Unit suggests that “island-hopping” attacks are on the rise, in which attackers jump from one network to another along a supply chain, as occurred in the SolarWinds attack. Organizations have to realize that it’s no longer simply about whether breaches along their supply chains can be leveraged to attack them, but whether they themselves can be used to attack their customers.


_______________________________________________________________________________________

(March 9, 2021)


The inside story of the stealthy SolarWinds SUNBURST attack

The SolarWinds attack was performed without weaponizing any (currently known) zero-day vulnerability. The attackers were able to make their malicious version of the SolarWinds Orion DLL look like a normal version of the software. It was virtually impossible to detect because everything looked official. But as they began to move through a network by accessing new accounts, the abnormal behavior of the targeted users and devices they operated opened a new window of opportunity for detection.

Ref - Varonis 


_______________________________________________________________________________________

(March 9, 2021)


The separate SolarWinds attack described by researchers

Russian hackers apparently weren't the only ones targeting SolarWinds customers. Researchers from Secureworks discovered the ‘Spiral’ attack on one organization in November 2020, when they spotted hackers exploiting a SolarWinds Orion API vulnerability on an internet-facing SolarWinds server during an incident response effort. Spiral's activities are separate from the SolarWinds supply chain compromise first reported in December 2020.


_______________________________________________________________________________________

(March 9, 2021)


Microsoft released a patch for older versions of Exchange

Microsoft has released security updates for unsupported versions of Exchange email servers following widespread attacks exploiting four newly discovered security vulnerabilities. The security updates for older versions of Exchange only address the four newly disclosed flaws that are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The issues affect on-premise Exchange servers.

Ref - ZDNet

_______________________________________________________________________________________

(March 9, 2021)


Implications of recent supply chain attacks

The implications of SolarWinds have made all CSOs rethink their approach to cybersecurity. For decades, manufacturing equipment would operate in isolation from public networks to keep adversarial agents from gaining access and potentially disrupting operations. However, as supply chains became more intertwined with operations, third parties were granted access to those systems in order to automate the ordering and fulfillment of maintenance and materials.

Ref - Forbes

_______________________________________________________________________________________

(March 9, 2021)


Analysis of the biggest Python supply chain attack ever

On March 1st, 2021, a newly created account on the Python Package Index (PyPI) uploaded 3591 new packages. Each package had a name that closely resembled the name of another popular package. However, the code in each package only signals to someone that it was successfully downloaded and installed, and does nothing beyond that. This could be the work of a security researcher who wanted to raise awareness about typosquatting supply chain attacks by publishing a lot of fake packages and collecting statistics about how many times each one was downloaded.

Ref - Sogeti

_______________________________________________________________________________________

(March 9, 2021)


More clues appear to link Supernova web shell activity to China

According to Secureworks' new report, the authentication bypass vulnerability in SolarWinds Orion API, tracked as CVE-2020-10148, that can lead to remote execution of API commands, has been actively exploited by Spiral. When vulnerable servers are detected and exploited, a script capable of writing the Supernova web shell to disk is deployed using a PowerShell command.

Ref - TechRadar 

_______________________________________________________________________________________

(March 8, 2021)


‘Retaliation’ for Russia's SolarWinds spying might not be a good idea for the US

Before the US mounts a saber-rattling counterattack, it should pin down exactly what line Russia crossed. Any rule that could justify SolarWinds' retaliation is one that the US also violates with its own cyberespionage. And there's still no evidence that Russia's hacking, in this case, went beyond stealthy intelligence gathering of the sort the US performs routinely around the world.

Ref - Wired 

_______________________________________________________________________________________

(March 8, 2021)


Hackers who hid Supernova malware in SolarWinds Orion linked to China

Intrusion activity related to the Supernova malware, which was planted on compromised SolarWinds Orion installations exposed on the public internet, points to an espionage threat actor based in China. Security researchers named this hacker group 'Spiral' and correlated findings from two intrusions in 2020 on the same victim network to attribute both to the same intruder.


_______________________________________________________________________________________

(March 8, 2021)


SolarWinds Breach: Supernova malware linked to a China-based threat group

Secureworks' counter-threat unit (CTU) said that during late 2020, a compromised Internet-facing SolarWinds server was used as a springboard to deploy Supernova, a .NET web shell. Similar intrusions on the same network suggest that the Spiral threat group, suspected to be of Chinese origin, is to blame for both cases. According to the researchers, CVE-2020-10148 has been actively exploited by Spiral.

Ref - ZDNet

_______________________________________________________________________________________

(March 8, 2021)


A supply chain attack is targeting the Python community with 4000 fake modules

A user has uploaded 3951 utterly bogus PyPI packages, with names that are near-miss versions of the names of several genuine Python packages. None of these fake packages contained outright malware, or indeed any permanent package code at all. However, some of them (if not all) included a Python command that was intended to run when the package was installed, rather than when it was used.

Ref - Sophos
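A defender-side check for the typosquatting pattern described in the two PyPI entries above (a requested package name that is a near miss of a popular one). This is an added example, not code from Sogeti, Sophos or the page; the popular-package list and the requirements lines are constructed for illustration.

```python
"""Flag requirements whose names are within a small edit distance of a popular
PyPI package name but are not that package.  Added example with constructed
inputs; POPULAR is a hypothetical subset, not PyPI download statistics."""
import re

# Constructed allow-list of well-known package names (hypothetical subset).
POPULAR = ["requests", "urllib3", "numpy", "python-dateutil", "setuptools", "boto3"]


def normalize(name):
    """PEP 503 name normalization: case-insensitive; '-', '_' and '.' are equivalent.
    Without this, 'python_dateutil' would be flagged as a typosquat of 'python-dateutil'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def requirement_name(line):
    """Extract the project name from a requirements.txt line; None for blanks,
    comments and option lines such as '-r' or '--index-url'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def suspicious_requirements(lines, popular=POPULAR, max_distance=2):
    """Return (requested_name, popular_name, distance) for near-miss names.
    Exact (normalized) matches are legitimate and are skipped."""
    known = sorted({normalize(p) for p in popular})
    findings = []
    for line in lines:
        raw = requirement_name(line)
        if raw is None:
            continue
        name = normalize(raw)
        if name in known:
            continue
        for p in known:
            d = levenshtein(name, p)
            if d <= max_distance:
                findings.append((raw, p, d))
                break
    return findings


# Constructed requirements file: two near-miss names, one normalization
# false-positive candidate, and legitimate entries.
SAMPLE_REQUIREMENTS = [
    "requests==2.25.1",
    "reqeusts            # transposed letters",
    "python_dateutil>=2.8",
    "nmpy",
    "boto3",
    "flask",
    "-r other.txt",
]

if __name__ == "__main__":
    for raw, popular_name, d in suspicious_requirements(SAMPLE_REQUIREMENTS):
        print(f"{raw!r} looks like {popular_name!r} (distance {d})")
```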

_______________________________________________________________________________________

(March 6, 2021)


This new type of supply-chain attack has serious consequences 

A new type of supply chain attack (dubbed Dependency Confusion) unveiled last month is targeting more and more companies, with new rounds this week taking aim at Microsoft, Amazon, Slack, Lyft, Zillow, and an unknown number of others. In weeks past, Apple, Microsoft, Tesla, and 32 other companies were targeted by a similar attack that allowed a security researcher to execute unauthorized code inside their networks.


_______________________________________________________________________________________

(March 5, 2021)


A supply chain attack has breached multiple airlines

A communications and IT vendor for 90 percent of the world’s airlines, SITA, has been breached, compromising passenger data stored on the company’s U.S. servers in what the company is calling a highly sophisticated attack. The affected servers are in Atlanta and belong to the SITA Passenger Service System (SITA PSS).


_______________________________________________________________________________________

(March 5, 2021)


Singapore is the latest victim of supply chain attack

An aviation IT company that says it serves 90% of the world's airlines has been breached in what appears to be a coordinated supply chain attack. Customers of at least four companies - Malaysia Airlines, Singapore Airlines, Finnair, and Air New Zealand - may have been affected by the incident.


_______________________________________________________________________________________

(March 5, 2021)


Microsoft is now adopting an aggressive strategy for sharing SolarWinds hack intel

Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance, explains the company's approach to keeping its customers and the industry apprised and updated on its findings from the now-infamous SolarWinds attack. In the wake of a widespread cyberattack, enterprise IT providers can play a key role in how businesses learn about and mitigate the security threat.


_______________________________________________________________________________________

(March 5, 2021)


SolarWinds: 30,000 organizations' email hacked via Microsoft Exchange Server vulnerabilities

Four exploits found in Microsoft’s Exchange Server software have reportedly led to over 30,000 US governmental and commercial organizations having their emails hacked, according to a report by KrebsOnSecurity. The vulnerabilities allowed hackers to gain access to email accounts, and also gave them the ability to install malware that might let them back into those servers at a later time.

Ref - The Verge

_______________________________________________________________________________________

(March 4, 2021)


Researchers disclosed additional malware linked to SolarWinds attackers

Researchers with Microsoft and FireEye found three new malware families (named GoldMax, Sibot, and GoldFinder), which they said are used by the threat group behind the SolarWinds attack, adding to the custom tooling already attributed to that group.


_______________________________________________________________________________________

(March 3, 2021)


Malicious code bombs are targeting Amazon, Lyft, Slack, Zillow via supply chain attacks

Attackers have weaponized code dependency confusion to target internal apps at tech giants. Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack, and Zillow (among others) inside the npm public code repository — all of which exfiltrate sensitive information.


_______________________________________________________________________________________

(March 3, 2021)


SolarWinds breach showed increased sophistication of advanced threat actors

Microsoft has highlighted the increasingly sophisticated cyber-threat landscape, particularly as a result of the rise in nation-state attacks. During a session at the Microsoft Ignite event, the company outlined some of the trends it is seeing and actions it is taking to help mitigate them in the future.


_______________________________________________________________________________________

(March 2, 2021)


SolarWinds breach cost $3.5 million in expenses 

SolarWinds has reported expenses of $3.5 million from last year's supply-chain attack, including costs related to incident investigation and remediation. Further expenses were recorded by SolarWinds after paying for legal, consulting, and other professional services related to the December hack and provided to customers for free.


_______________________________________________________________________________________

(March 1, 2021)


Dependency Confusion is being used to create copycat packages

Sonatype has identified new “dependency confusion” packages published to the npm ecosystem that are malicious in nature. These squatted packages are named after repositories, namespaces, or components used by popular companies such as Amazon, Zillow, Lyft, and Slack.

Ref - Sonatype
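An offline audit for the dependency confusion exposure described in this entry and in the March 3 npm entry above: internal package names that an attacker could squat on the public registry. This is an added example, not Sonatype's tooling or the page's code; the `@acme` scope, the `@contoso` scope, the registry URL and all package names are constructed placeholders.

```python
"""Audit an npm manifest plus its .npmrc for dependency-confusion exposure.
Added example with constructed inputs; every scope, URL and package name here
is hypothetical.  Three weak spots are reported: an unscoped dependency whose
name is on the internal-component list (the public registry can satisfy it),
a scoped dependency whose scope is not pinned to a private registry, and a
floating version range on a private-scope package."""
import json
import re


def parse_npmrc(text):
    """Return {scope: registry_url} from lines like '@scope:registry=URL'."""
    scoped = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(@[^:\s]+):registry\s*=\s*(\S+)", line)
        if m:
            scoped[m.group(1)] = m.group(2)
    return scoped


def audit_dependencies(package_json, npmrc, internal_names):
    """Return a sorted list of (package_name, reason) findings."""
    manifest = json.loads(package_json)
    scoped = parse_npmrc(npmrc)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    findings = []
    for name, spec in sorted(deps.items()):
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if scope is None:
            if name in internal_names:
                findings.append((name, "unscoped internal name can be satisfied from the public registry"))
        elif scope not in scoped:
            findings.append((name, f"scope {scope} is not mapped to a private registry in .npmrc"))
        elif not re.fullmatch(r"\d+\.\d+\.\d+", spec.strip()):
            findings.append((name, f"floating version '{spec}' on a private-scope package; pin an exact version"))
    return findings


# Constructed manifest and .npmrc (hypothetical scopes, names and URLs).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "acme-portal",
    "dependencies": {
        "express": "^4.17.1",
        "acme-payments-core": "^2.1.0",
        "@acme/auth-client": "1.4.2",
        "@acme/telemetry": "^0.9.0",
    },
    "devDependencies": {"@contoso/ui-kit": "3.0.0"},
})
SAMPLE_NPMRC = "@acme:registry=https://npm.internal.example/\nregistry=https://registry.npmjs.org/\n"
# Constructed list of internal component names that never belong on the public registry.
INTERNAL_NAMES = {"acme-payments-core", "acme-billing"}

if __name__ == "__main__":
    for pkg, reason in audit_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, INTERNAL_NAMES):
        print(f"{pkg}: {reason}")
```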

_______________________________________________________________________________________

(March 2, 2021)


The SolarWinds hack compromised NASA and FAA

In addition to infiltrating the unclassified networks of seven other US government agencies, the suspected Russian hackers who compromised the IT services firm SolarWinds as a jumping-off point also penetrated NASA and the Federal Aviation Administration. The seven other breached agencies are the Departments of Commerce, Homeland Security, Energy, and State, the US Treasury, the National Institutes of Health, and the Justice Department. The White House said earlier this month that hackers also compromised 100 companies in the spree.

Ref - Wired

_______________________________________________________________________________________

(February 25, 2021)

Microsoft now sharing CodeQL queries for scanning SolarWinds-like implants code

Microsoft has open-sourced CodeQL queries that developers can use to scan source code for malicious implants matching the SolarWinds supply-chain attack. To make sure the attackers did not modify its code, Microsoft created CodeQL queries that were used to scan its own codebase for malicious implants matching the SolarWinds IOCs.


_______________________________________________________________________________________

(February 25, 2021)


Security experts were blindsided by the SolarWinds attack

The SolarWinds cyberattack on U.S. government agencies and private organizations was and is frightening in its scale and success. It proved no match for the government agencies charged with defending against such things and brought into sharp focus the fact that the government’s current model for responding to cyber threats is lacking. In a sense, the SolarWinds attack seemed designed to exploit a lack of communication and cooperation between government and private-sector security experts.

Ref - Medium

_______________________________________________________________________________________

(February 25, 2021)


SolarWinds hackers take advantage of Amazon Elastic Compute Cloud

Amazon Web Services admitted that hackers used its systems in the SolarWinds campaign but reiterated the cloud computing giant wasn’t itself infected with malware. The actors used EC2 [Amazon Elastic Compute Cloud] just like they would use any server they could buy or use anywhere (on-premises or in the cloud). And, in fact, the actors did use several different service providers in this manner.

Ref - CRN

_______________________________________________________________________________________

(February 24, 2021)


SolarWinds breach is one of the biggest attacks ever - US Senate committee

The United States Senate's select committee on intelligence met to hear evidence from tech executives regarding the historic hack on Texas-based company SolarWinds. The committee heard that both the scale and sophistication of the attack were greater than had been previously thought.


_______________________________________________________________________________________

(February 24, 2021)


More SolarWinds breach victims could still be undisclosed

Microsoft believes that the SolarWinds hackers may have used up to a dozen different means of getting into victims' networks over the past year, a higher estimate than previously understood. It is likely that more brand-name players have been penetrated in the SolarWinds breach. They have not been as forthcoming as other victims, leaving policymakers and potential customers in the dark.

Ref - WSJ

_______________________________________________________________________________________

(February 24, 2021)


Important takeaways from the US Senate's hearing of SolarWinds breach

The Senate Intelligence Committee held its first public hearing on the SolarWinds hack, and there are five key takeaways: fingers pointed to Russia as the hack's perpetrator, and companies want the US to hold Russia accountable. Amazon was a no-show despite being invited, and lawmakers weren't happy about it. Lawmakers and tech leaders agreed that there should be more robust information-sharing around cyber threats. A new law setting standards for breached companies could be on the horizon. In addition, the hearings showed cooperation between the government and industry.


_______________________________________________________________________________________

(February 24, 2021)


SolarWinds hackers targeted NASA and Federal Aviation Administration networks

Hackers are said to have broken into the networks of U.S. space agency NASA and the Federal Aviation Administration as part of a wider espionage campaign targeting U.S. government agencies and private companies. The two agencies were named by the Washington Post, hours ahead of a Senate Intelligence Committee hearing tasked with investigating the widespread cyberattack.


_______________________________________________________________________________________

(February 24, 2021)


There is substantial evidence of Russian involvement in SolarWinds breach

Microsoft directly blamed Russia's foreign intelligence service for the devastating security breach of at least nine federal agencies and dozens of private businesses, going further than US government officials have to date in their public attribution for the hack. Microsoft President Brad Smith said it would likely take time for the US government to formally reach the same conclusion.

Ref - CNN

_______________________________________________________________________________________

(February 23, 2021)


SolarWinds attackers stayed for several months in FireEye's network

The attackers who infiltrated SolarWinds Orion's software build and updates had spent several months embedded in FireEye's network. The attacker wasn't active every single day on the network, Kevin Mandia, CEO of FireEye, told the US Senate Intelligence Committee in response to a question about the attack time frame on FireEye's network.


_______________________________________________________________________________________

(February 23, 2021)


Finding answers on the SolarWinds breach

Key senators and corporate executives warned at a hearing on the SolarWinds breach that the "scope and scale" of the recent hacking of government agencies and companies, the most sophisticated in history, were still unclear. The National Security Agency, despite spending billions of dollars planting sensors in networks around the world, missed the evidence for more than a year.


_______________________________________________________________________________________

(February 23, 2021)


AWS infrastructure was used in SolarWinds hack

Senators slammed Amazon Web Services for refusing to testify at a hearing about the SolarWinds intrusion given the public cloud giant’s infrastructure was used in the attack. Specifically, Amazon Web Services hosted most of the secondary command and control nodes in the SolarWinds attack.

Ref - CRN

_______________________________________________________________________________________

(February 23, 2021)


Mandatory breach disclosure in wake of SolarWinds breach

Lawmakers and witnesses at the Senate Intelligence Committee’s hearing on SolarWinds emphasized the possibility of legislation mandating certain businesses to disclose some breaches to the federal government. Currently, there is no rule mandating a company like FireEye to disclose a breach to the federal government, even when national security is a concern.

Ref - SCMagazine

_______________________________________________________________________________________

(February 23, 2021)


More tech firms besides SolarWinds could have been used to hack targets

The hackers used a variety of legitimate software and cloud hosting services to access the systems of nine federal agencies and 100 private companies. They used Amazon Web Services cloud hosting to disguise their intrusions as benign network traffic. Additionally, the hackers didn't use the malware planted in SolarWinds' Orion products to breach nearly a third of the victims. Instead, they had access to other hacking techniques, all of which investigators are still unraveling.

Ref - CNET

_______________________________________________________________________________________

(February 23, 2021)


Reasons why SolarWinds was so vulnerable to a hack

SolarWinds outsourced much of its software engineering to cheaper programmers overseas, even though that typically increases the risk of security vulnerabilities. For a while, in 2019, the update server's password for SolarWinds network management software was reported to be "solarwinds123." Russian hackers were able to breach SolarWinds' own email system and lurk there for months.


_______________________________________________________________________________________

(February 23, 2021)


Biden administration preparing to sanction Russia for SolarWinds hacks

The Biden administration is preparing sanctions and other measures to punish Moscow for actions that go beyond the sprawling SolarWinds cyber espionage campaign to include a range of malign cyber activity and the near-fatal poisoning of a Russian opposition leader, said U.S. officials familiar with the matter.


_______________________________________________________________________________________

(February 23, 2021)


SolarWinds hack grabs senate spotlight 

The Senate Intelligence Committee, led by Senator Mark Warner, will convene for the first public hearing on the attack, which was disclosed in December. It will hear testimony from Sudhakar Ramakrishna, president and chief executive officer of SolarWinds, and Microsoft Corp. President Brad Smith, in addition to CrowdStrike Holdings Inc. CEO George Kurtz and Kevin Mandia, CEO of FireEye Inc.

Ref - Bloomberg 

_______________________________________________________________________________________

(February 23, 2021)


The Anatomy of the SolarWinds attack chain

The compromise of identity and manipulation of privileged access was instrumental in the success of the SolarWinds attack. Researchers are trying to deconstruct the attack so organizations can better understand what they’re up against and prioritize efforts to reduce the most risk.

Ref - CyberArk 

_______________________________________________________________________________________

(February 23, 2021)


Top executives from SolarWinds, Microsoft, FireEye, CrowdStrike face Senate grilling

Top executives at Texas-based software company SolarWinds, digital giant Microsoft and cybersecurity firms FireEye and CrowdStrike are expected to defend their companies’ responses to a sprawling series of breaches blamed on Russian hackers when they face the U.S. Senate’s Select Committee on Intelligence.

Ref - Reuters 

_______________________________________________________________________________________

(February 22, 2021)


The U.S. House committee hearing on 'SolarWinds' hack

The U.S. House of Representatives’ Oversight and Homeland Security Committees will hold a joint hearing on 26 February on cybersecurity incidents including the attack targeting SolarWinds Orion Software. Top executives from SolarWinds Corp, FireEye Inc, and Microsoft Corp will testify at the hearing.

Ref - Reuters

_______________________________________________________________________________________

(February 22, 2021)


SolarWinds-like breach could have happened to anyone

In the first of several public appearances, the CEO of SolarWinds is publicly discussing the breach of his company's software two months after reports surfaced that multiple government agencies may have been breached through a backdoor vulnerability. His message to others: this could have happened to anyone.

Ref - FCW

_______________________________________________________________________________________

(February 22, 2021)


Lessons learned from SolarWinds breach 

According to the CEO of SolarWinds, there are three lessons from the recent attack. The first is how to improve infrastructure security within the enterprise. The second is how to improve the build infrastructure within the enterprise. The third is how to improve software development processes and life cycles to the point where they essentially evolve into secure development lifecycle processes.

Ref - CSIS.org

_______________________________________________________________________________________

(February 22, 2021)


SolarWinds hackers continued attacking Microsoft until January

The SolarWinds hackers continued efforts to infiltrate Microsoft until early January, keeping up the assault even after Microsoft revealed its source code had been compromised. The hackers lost source repository access after Microsoft secured its compromised accounts, but the threat actor kept making unsuccessful attempts to regain access all the way until early January.

Ref - CRN 

_______________________________________________________________________________________

(February 22, 2021)


Researchers expecting another SolarWinds attack

People are too reliant on technology like email to protect themselves with digital walls they’ve long outgrown. There will certainly be another SolarWinds until we remember the more fundamental question of “what does the attacker want?” and work to apply it on all possible platforms.

Ref - SC Mag 

_______________________________________________________________________________________

(February 21, 2021)


National security adviser vows a quick response to SolarWinds hack

White House national security adviser Jake Sullivan said the White House has asked the intelligence community to do more work to sharpen the attribution made by the Trump administration. This includes details about how the hack occurred, the extent of the damage, and the scope and scale of the breach.

Ref - CBS News 

_______________________________________________________________________________________

(February 20, 2021)


Within weeks, the US will be prepared to take the first steps to respond to SolarWinds attacks

National security adviser Jake Sullivan has said that the US will be taking a series of steps to respond to the devastating SolarWinds cyber hack and hold accountable those responsible within a few weeks instead of months, as anticipated earlier. The Biden administration is focused on identifying more precisely the culprit behind the suspected Russian spying campaign that targeted at least nine federal agencies and at least 100 private-sector businesses.

Ref - CNN 

_______________________________________________________________________________________

(February 19, 2021)


SolarWinds hackers had access to Microsoft source code

The hackers behind the worst intrusion of U.S. government agencies in years won access to Microsoft’s secret source code for authenticating customers, potentially aiding one of their main attack methods. Microsoft had said before that the hackers had accessed some source code, but had not said which parts, or that any had been copied.

Ref - Reuters

_______________________________________________________________________________________

(February 19, 2021)


The scale of the SolarWinds breach is now visible

In a recent interview with CBS News’ 60 Minutes, Microsoft president Brad Smith answered many questions as to the scale of the attack and Microsoft’s unprecedented response to the incident. As to the scale, Smith and many others believe that the attack may have been the largest and most sophisticated the world has seen. Other reports estimate that 18,000 organizations may have been impacted by the attack.

Ref - PCrisk

_______________________________________________________________________________________

(February 18, 2021)


Microsoft recommends zero-trust architecture after SolarWinds attacks

The Microsoft Security Research Center, which has shared learnings and guidance throughout the Solorigate incident, confirmed that following the completion of their internal investigation they found no evidence that Microsoft systems were used to attack others. However, the tech firm recommended that organizations should deploy zero-trust architecture and defense-in-depth protection.

Ref - Microsoft

_______________________________________________________________________________________

(February 19, 2021)


SolarWinds hackers had access to Microsoft’s secret source code

The hackers behind the intrusion of U.S. government agencies had access to Microsoft’s secret source code for authenticating customers. Some of the code was downloaded, the company said, which would have allowed the hackers even more freedom to hunt for security vulnerabilities, create copies with new flaws, or examine the logic for ways to exploit customer installations.

Ref - Reuters

_______________________________________________________________________________________

(February 18, 2021)


Need for a contact tracing approach after SolarWinds breach

According to researchers, the recent SolarWinds breach shows a need for a contact tracing approach for organizations to strengthen their own internal investigations. It can dramatically reduce the time it takes to discover how far an attacker has penetrated into their networks, and identify if other related systems in their supply chains, customers, and partner networks have also been compromised.

Ref - Fortune

_______________________________________________________________________________________

(February 18, 2021)


Microsoft pushes companies toward zero trust after SolarWinds breach

Vasu Jakkal, Microsoft corporate vice president of security, compliance and identity, has said that none of Microsoft’s internal systems were used to attack others because of the zero trust approach followed by the company. The probe also found no evidence of access to Microsoft’s production services or customer data.

Ref - SC Media

_______________________________________________________________________________________

(February 18, 2021)


SolarWinds attackers downloaded Azure and Exchange source code

Microsoft announced that the SolarWinds hackers gained access to source code for a limited number of Azure, Intune, and Exchange components. For a small number of repositories, there was additional access, and downloading of component source code. These repositories contained code for a small subset of Azure components, Intune components, and Exchange components.


_______________________________________________________________________________________

(February 18, 2021)


SolarWinds breach targeted 100 companies and took months of preparation

A White House team leading the investigation into the SolarWinds hack is worried that the breach of 100 US companies has the potential to make the initial compromise a much more serious threat in the future. Anne Neuberger, deputy national security advisor for Cyber and Emerging Technology at the White House, said in a press briefing that nine government agencies were breached, while many of the 100 private sector US organizations that were breached were technology companies.

Ref - ZDNet

_______________________________________________________________________________________

(February 18, 2021)


Efficacy of SolarWinds attack

The sheer sophistication of the SolarWinds incident is fascinating. At a technical level, it is a multilayered infiltration involving custom malicious tooling, backdoors, and cloaked code, far beyond the skill of script kiddies so often seen exploiting more obvious errors. In addition, it was carried out with code that looked completely benign.


_______________________________________________________________________________________

(February 18, 2021)


White House planning for an executive action after SolarWinds hack

In an update on the investigation into the SolarWinds supply chain attack, Deputy National Security Adviser Anne Neuberger said that the Biden administration is preparing "executive action" to address security shortcomings that have come to light. Neuberger, who was recently named coordinator of the investigation into the attack, made her comments at a White House press briefing.


_______________________________________________________________________________________

(February 18, 2021)


SolarWinds attackers studied Azure’s secret source code

The hackers behind the worst intrusion of U.S. government agencies in years gained access to Microsoft's secret source code for authenticating customers, one of the biggest vectors used in the attacks. Microsoft revealed that its internal investigation had found that the hackers studied parts of the source code instructions for its Azure cloud programs related to identity and security, its Exchange email programs, and Intune management for mobile devices and applications.

Ref - Dell

_______________________________________________________________________________________

(February 18, 2021)


Learnings for the financial services sector from the SolarWinds attacks

The SolarWinds cyber-attack includes some important lessons for financial services institutions of all sizes. A key factor in avoiding a SolarWinds-style breach is operational resilience, which itself depends on having the right strategy. It is crucial to validate the security controls in place and test how effective they are. For this, the financial firms need a SOC that understands the system and monitors the threats, including what type of cyber-attack would be a disaster for the business.


_______________________________________________________________________________________

(February 18, 2020)


The debate on retaliation to SolarWinds breach

Reports came under fire from many infosec professionals, who criticized arguments in favor of launching offensive cyberattacks, also known as hacking back, against SolarWinds breach adversaries. Many infosec experts have warned that hacking back carries enormous risk and should not be part of U.S. cybersecurity policy.


_______________________________________________________________________________________

(February 18, 2021)


Did SolarWinds hack include voice, video, and messaging platforms?

While investigations regarding SolarWinds are ongoing and new information is being revealed on a near-daily basis, there are concerns about the role of an advanced persistent threat against voice, video, and messaging platforms in the SolarWinds attacks. These platforms usually involve SIP traffic, API remote access, and RTC, and have been in heavy use since the advent of the COVID-19 epidemic. So any threats to these platforms may lead to another level of catastrophe.

Ref - Medium

_______________________________________________________________________________________

(February 18, 2021)


Hacker behind SolarWinds used U.S. networks

A sprawling cyber-attack that compromised popular software created by Texas-based SolarWinds Corp. was executed from within the U.S., according to a top White House official. Launching the attack from inside the United States made it more difficult for the U.S. government to observe the hackers' activity.

Ref - Bloomberg

_______________________________________________________________________________________

(February 17, 2021)


An 82% increase observed in SolarWinds-style vendor email compromise attack

Abnormal Security, a next-generation cloud email security company, released a new threat research report that reveals an 82% increase in the chance of companies getting attacked through SolarWinds-style vendor email compromise (VEC) during any given week. The company also found that these attacks can be very costly as it recently detected and stopped a $1.6M VEC attack.

Ref - Yahoo

_______________________________________________________________________________________

(February 17, 2021)


There could be 1,000 developers who had written malicious code used in the SolarWinds breach

Microsoft discovered that the SolarWinds breach was not the work of a small group of threat actors; instead, 1,000+ developers had worked on developing the malicious code in the first place. This implied that the attack was not just widespread but was developed and executed by a larger group.

Ref - CISOMAG

_______________________________________________________________________________________

(February 17, 2021)


Around 100 private organizations hit by SolarWinds attack

The deputy national security advisor for cyber and emerging technology confirmed that so far nine federal agencies and 100 private industry organizations have been compromised in the SolarWinds attacks. In addition, the attackers waged the attack from inside the US, making it difficult for the US government to observe their activity.


_______________________________________________________________________________________

(February 17, 2021)


Risk of SolarWinds-style attacks through vendor email compromise increased 82%

Abnormal Security has released a new threat research report that reveals an 82% increase in the chance of companies getting attacked through SolarWinds-style vendor email compromise (VEC) during any given week. The company also found that these attacks can be very costly as it recently detected and stopped a $1.6M VEC attack.

Ref - Yahoo 

_______________________________________________________________________________________

(February 16, 2021)


Importance of DNS security after SolarWinds breach

The SolarWinds attack underscores the importance of securing DNS traffic. DNS tunneling, where data is transmitted by appending it to recursive DNS queries, was chosen as the medium to steal customer data. Queries were sent to DNS command and control servers within the same region of breached enterprise networks to evade detection. 

Ref - Akamai

_______________________________________________________________________________________

(February 16, 2021)


Webroot recommendations after the SolarWinds attack

Webroot is offering tips to its MSP and small business customers after the SolarWinds hack. These include using security technology that incorporates threat intelligence for URLs, IP addresses, and files as part of a layered cybersecurity approach. Organizations should make sure to follow best practices within their policies and ensure devices are set to block high-risk and suspicious objects based on real-time intelligence criteria. Organizations should also consider adding DNS Protection to their technology stack to deepen protection against malicious IP addresses and URLs that are frequently used in attacks.

Ref - Webroot 
 
_______________________________________________________________________________________

(February 16, 2021)


Analysis of SUNBURST malware

FireEye's analysis of the SUNBURST malware disclosed that the attackers hid malicious code within thousands of lines of legitimate code, compiled inside digitally signed binaries. They took advantage of the SolarWinds Orion platform for lateral movement traffic, disabled dozens of endpoint security tools, including FireEye's, and used DNS for Stage 1 and Stage 2 C2 communications. They also introduced minimal custom malware into the environment post-exploitation, often "living off the land" via native Windows tools.
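The DNS-tunneling pattern described in the February 16 Akamai entry above (data appended to recursive queries) and the DNS-based C2 noted in this FireEye summary can be hunted for in resolver logs. The following is an added example written for this page, not code from Akamai, FireEye, or SolarWinds. It assumes a constructed three-column log format (timestamp, client, query name) and a naive "last two labels" rule for the registrable domain, and it flags parent domains that receive many distinct, long, high-entropy subdomain labels, which is what encoded data riding in DNS queries looks like.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (timestamp, client IP, queried name); not real traffic.
SAMPLE_DNS_LOG = """\
2020-06-01T10:00:01Z 10.0.0.5 www.example.com
2020-06-01T10:00:02Z 10.0.0.5 mail.example.com
2020-06-01T10:00:03Z 10.0.0.7 7fbc2e9a1d4c8b3e5f60a1b2c3d4e5f6.updates.example-cdn.net
2020-06-01T10:00:04Z 10.0.0.7 93ad0c4e7b1f2a6d8e5c3b1a0f9e8d7c.updates.example-cdn.net
2020-06-01T10:00:05Z 10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.updates.example-cdn.net
2020-06-01T10:00:06Z 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.updates.example-cdn.net
2020-06-01T10:00:07Z 10.0.0.9 api.github.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded or encrypted payload labels score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Assumption: the last two labels are the registrable domain (no public-suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_dns_log(text):
    """Aggregate per registrable domain: query count, distinct subdomains, and the
    length and entropy of the longest label in each query (where payload data lands)."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "lengths": [], "entropies": []})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, _client, qname = parts
        parent = registrable_domain(qname)
        sub = qname.lower().rstrip(".")[: -len(parent)].rstrip(".")
        s = stats[parent]
        s["queries"] += 1
        if sub:
            s["subdomains"].add(sub)
            longest = max(sub.split("."), key=len)
            s["lengths"].append(len(longest))
            s["entropies"].append(shannon_entropy(longest))
    return stats


def flag_tunneling(stats, min_unique=3, min_label_len=24, min_entropy=3.0):
    """Return parent domains whose subdomain labels are numerous, long and random-looking.
    Thresholds are starting points; tune them against a baseline of your own resolver logs."""
    flagged = []
    for parent, s in stats.items():
        if len(s["subdomains"]) < min_unique or not s["lengths"]:
            continue
        mean_len = sum(s["lengths"]) / len(s["lengths"])
        mean_ent = sum(s["entropies"]) / len(s["entropies"])
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged.append(parent)
    return sorted(flagged)


if __name__ == "__main__":
    for parent in flag_tunneling(analyze_dns_log(SAMPLE_DNS_LOG)):
        print("possible DNS tunneling toward", parent)
```

The check deliberately scores the longest label rather than the whole name, because a CDN-style prefix such as `updates` would otherwise dilute the entropy of the payload label. Distinct-subdomain count matters too: legitimate hosts query the same few names repeatedly, while tunneled data produces a new, never-repeated name per query to defeat caching.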

Ref - FireEye

_______________________________________________________________________________________

(February 16, 2021)


A new type of supply-chain attack hit MNCs including Apple and Microsoft

Security researcher Alex Birsan has unveiled a new technique, called dependency confusion or namespace confusion, that can execute counterfeit code on networks belonging to some of the largest enterprises, including Apple, Microsoft, and Tesla. By giving his submissions to public package repositories the same package names as dependencies used by these companies, Birsan was able to get the companies to download and install the counterfeit code, which could result in a SolarWinds-type supply chain attack.
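A defender's check for the dependency-confusion risk described above, as an added example written for this page rather than code from Birsan's research or from any affected company: it audits a pip-style requirements file for first-party package names that could be satisfied from a public index. The internal package names, the requirements text, and the public index listing are all constructed for the example; a real audit would query the organization's package inventory and the public registry instead.

```python
import re

# Constructed list of first-party package names (assumption for the example).
INTERNAL_PACKAGES = {"acme-billing-core", "acme_auth_sdk"}

# Constructed snapshot of what a public index currently serves under these names.
# "acme-auth-sdk" simulates a squatted name with an artificially high version.
PUBLIC_INDEX_SNAPSHOT = {"requests": "2.25.1", "numpy": "1.20.0", "acme-auth-sdk": "99.0.0"}

# Constructed weak configuration: --extra-index-url makes pip consult BOTH the private
# index and public PyPI and pick the highest version, so a public package with the
# same name and a larger version number wins.
WEAK_REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example/simple
requests==2.25.1
acme-billing-core==1.4.0
acme-auth-sdk>=2.0
numpy
"""

# Constructed hardened configuration: a single --index-url (the private index, which
# proxies public packages itself) and exact pins for every dependency.
HARDENED_REQUIREMENTS = """\
--index-url https://pypi.internal.example/simple
requests==2.25.1
acme-billing-core==1.4.0
acme-auth-sdk==2.3.1
numpy==1.20.0
"""

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9.]*)?")


def normalize(name):
    """PEP 503 name normalization so acme_auth_sdk and acme-auth-sdk compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(v):
    """Numeric-only comparison key; enough for the dotted versions used here."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def audit_requirements(text, internal_names, public_index):
    """Return (package, reason) findings for internal packages at risk of confusion.
    Reasons: public-index-reachable, unpinned, public-name-collision."""
    internal = {normalize(n) for n in internal_names}
    public = {normalize(n): v for n, v in public_index.items()}
    uses_extra_index = uses_index_url = False
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("--extra-index-url"):
            uses_extra_index = True
            continue
        if line.startswith("--index-url"):
            uses_index_url = True
            continue
        if line.startswith("-"):
            continue  # other pip options are not relevant to this check
        m = REQ_RE.match(line)
        if m:
            reqs.append((normalize(m.group(1)), m.group(2), m.group(3)))

    findings = []
    for name, op, ver in reqs:
        if name not in internal:
            continue
        # No private --index-url, or a public index added alongside it: public PyPI is in play.
        if uses_extra_index or not uses_index_url:
            findings.append((name, "public-index-reachable"))
        # A range specifier lets any higher public version satisfy the requirement.
        if op != "==":
            findings.append((name, "unpinned"))
        # Informational even when the public index is not consulted: someone owns the name.
        pub = public.get(name)
        if pub is not None and (op != "==" or version_key(pub) > version_key(ver)):
            findings.append((name, "public-name-collision"))
    return findings


if __name__ == "__main__":
    for cfg in (WEAK_REQUIREMENTS, HARDENED_REQUIREMENTS):
        print(audit_requirements(cfg, INTERNAL_PACKAGES, PUBLIC_INDEX_SNAPSHOT))
```

The hardened file still yields one informational finding, the public-name collision, which is the signal that the internal name has been claimed on the public registry and should be investigated or reserved. The structural fix is the index configuration: route all resolution through one private index that proxies public packages, so no client ever compares a private name against public PyPI.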

Ref - Arstechnica 

_______________________________________________________________________________________

(February 16, 2021)


A SolarWinds-like cyberattack targeted Centreon, French researchers disclose

French cybersecurity authorities have disclosed a SolarWinds-like supply-chain attack in which hackers targeted several major organizations by compromising the Centreon enterprise IT platform. The first evidence of the intrusion campaign dates back to 2017, with the attack lasting until 2020. It mostly affected IT providers, in particular web hosting providers.

Ref - ITPro 

_______________________________________________________________________________________

(February 16, 2021)


Microsoft reveals new details about sophisticated mega-breach

Microsoft has made new revelations regarding the SolarWinds attacks and is calling the cyberattack the most sophisticated of all time. According to Brad Smith, Microsoft has hired 500 engineers to dig into the attack. Cyjax CISO Ian Thornton-Trump points out that the attackers had only one chance to get the malware into place without revealing their compromise: if a build had failed because of the malicious code, their plot to infect Orion would have been revealed.

Ref - Forbes 

_______________________________________________________________________________________

(February 15, 2021)


Many SolarWinds customers failed to secure even after the breach came to light 

Many companies still expose SolarWinds Orion to the internet and have failed to take action following the disclosure of the massive SolarWinds breach. RiskRecon, a firm specialized in risk assessment, observed 1,785 organizations exposing Orion to the internet on December 13, 2020, shortly after the breach came to light, and the number dropped to 1,330 by February 1, 2021. However, only 8% of these companies have applied the Orion update (2020.2.4) in response to the breach.


_______________________________________________________________________________________

(February 15, 2021)


Microsoft found 1,000-plus developers' fingerprints on the SolarWinds hack

Microsoft president Brad Smith says that their analysis of the SolarWinds hack suggests the code behind the attack was the work of a thousand or more developers. Smith didn't say who those 1,000 developers worked for but compared the SolarWinds hack to attacks on Ukraine that have been widely attributed to Russia.


_______________________________________________________________________________________

(February 15, 2021)


SolarWinds hack is the largest and most sophisticated attack ever - Microsoft’s President

A hacking campaign that used a U.S. tech company as a springboard to compromise a raft of U.S. government agencies is the largest and most sophisticated attack the world has ever seen, according to Microsoft Corp’s president Brad Smith. The SolarWinds breach could have compromised up to 18,000 SolarWinds customers that used the company’s Orion network monitoring software. It could take months to identify the compromised systems and expel the hackers.

Ref - Reuters

_______________________________________________________________________________________

(February 14, 2021)


How Russian spies hacked the US federal agencies during SolarWinds attacks

Brad Smith, the president of Microsoft, has said that the sophistication of the SolarWinds attacks shows the attacker had the asymmetric advantage that comes with playing offense, and that the attacks are almost certainly still continuing. Kevin Mandia, CEO of FireEye, disclosed that the intruders impersonated its employees while snooping around inside its network, stealing FireEye's proprietary tools for testing clients' defenses along with intelligence reports on active cyber threats.

Ref - CBS News 

_______________________________________________________________________________________

(February 14, 2021)


The SolarWinds attack could be still ongoing

The SolarWinds attack was unprecedented in audacity and scope and the Russian spies went rummaging through the digital files of the U.S. departments of Justice, State, Treasury, Energy, and Commerce. For nine months, they had unfettered access to top-level communications, court documents, even nuclear secrets. And by all accounts, it's still going on and hackers could still be stealing information.

Ref - CBS News

_______________________________________________________________________________________

(February 14, 2021)


The U.S. must strike back after SolarWinds breach

James Lewis, a director at the Center for Strategic and International Studies, said fear of escalation has held the U.S. back from punishing Russia, and other nation-states when they step out of line. He suggested the U.S. experiment with tactics to find creative ways of inflicting revenge on Russia.

Ref - CBS News

_______________________________________________________________________________________

(February 12, 2021)


CISOs' 2021 priorities after SolarWinds attack 

After the SolarWinds attack, CISOs will need to redraw contracts with third-party providers of software, hardware, and services to explicitly demand that the providers commit to securing their own environments. This includes ensuring they use third-party static code analysis, regular security scanning of local and cloud-based environments, DevSecOps, and code integrity checks. In addition, they must adopt the latest encryption and authentication technologies.


_______________________________________________________________________________________

(February 12, 2021)

US court system is demanding a change in court document storage after SolarWinds breach

Multiple U.S. senators have demanded a hearing on what court officials know about the hackers' access to sensitive filings. A number of courthouses are now uploading documents to a single computer. All 13 of the country's federal circuit courts have separate measures and rules they take to protect the security of documents filed, but now everything may need to change due to the attack.


_______________________________________________________________________________________

(February 12, 2021)


Orion servers exposed to Internet drop by 25% since SolarWinds breaches

One in four SolarWinds Orion servers exposed to the internet at the time of an era-defining espionage campaign has been taken off the internet. This could mean different things to different companies. Some may have put the servers inside of a firewall. Others may have found a replacement for SolarWinds. Yet others may have deactivated the servers during remediation.

Ref - SC Media 

_______________________________________________________________________________________

(February 12, 2021)


Russians outsmarted DHS cyberattack detection program in SolarWinds hack

From a software engineering perspective, the SolarWinds attack is probably the largest and most sophisticated attack the world has ever seen. The alleged Russian attackers had huge resources at their disposal, and probably more than 1,000 engineers worked on these attacks.

Ref - CBS News 

_______________________________________________________________________________________

(February 11, 2021)


Unanswered questions about SolarWinds breach

There is a considerable fear that the attackers behind the SolarWinds breach may have gained deep, persistent, and almost undetectable access on networks belonging to numerous organizations in sectors including manufacturing, industrial, construction, and logistics. The incident also resurfaced old concerns over supply chain vulnerabilities and some new ones over the ability of even the best security tools and controls to detect highly targeted attacks.


_______________________________________________________________________________________

(February 11, 2021)


New stats about suspicious network activity during peak of SUNBURST attack

ExtraHop threat researchers have found that between late March 2020 and early October 2020, detections of probable malicious activity increased by approximately 150 percent. Activity patterns outlined in the report indicate that the SUNBURST attackers were successful in flying under the radar of these detection methods either by disabling them or by redirecting their approach before they could be detected.

Ref - Yahoo 

_______________________________________________________________________________________

(February 11, 2021)


How suspected Chinese hackers compromised USDA’s National Finance Center

Chinese hackers exploited a different SolarWinds flaw from the one used by Russian hackers to compromise the National Finance Center, part of the U.S. Department of Agriculture (USDA). The suspected Chinese hacking incident is said to have affected only a single customer, and a security update was released in December 2020.

Ref - CPO Magazine 

_______________________________________________________________________________________

(February 10, 2021)


Maritime facilities using SolarWinds are ordered to report breaches

The U.S. Coast Guard (USCG) has ordered MTSA-regulated facilities and vessels using SolarWinds software for critical functions to report security breaches in case of suspicions of being affected by the SolarWinds supply-chain attack. USCG's order was delivered through a Marine Safety Information Bulletin published on continued awareness regarding the ongoing exploitation of SolarWinds software.


_______________________________________________________________________________________

(February 10, 2021)


A senior official is leading the inquiry into SolarWinds breach

The White House has announced that it has put a senior national security official in charge of the response to the broad Russian breach of government computers, only hours after the Democratic chairman of the Senate Intelligence Committee criticized the disjointed and disorganized response in the opening weeks of the Biden administration.


_______________________________________________________________________________________

(February 10, 2021)


SolarWinds breach showed that the U.S. is most targeted and vulnerable

The U.S. is one of the most advanced, if not the most advanced cyber superpower in the world, but it’s also most targeted and it’s most vulnerable. Part of the problem is that the U.S. has spent more energy on hacking other countries than on defending itself. This attack has hit the Department of Homeland Security — the very agency charged with keeping the US safe.

Ref - NPR

_______________________________________________________________________________________

(February 10, 2021)


More cyberattacks like SolarWinds could be expected from Russia

The federal government's former top cybersecurity official warned lawmakers that the SolarWinds Orion hack is likely not the worst attack the United States may see from Russia. The federal agencies investigating the attack as well as third-party cybersecurity experts have largely concurred the breach appears to be espionage.

Ref - FCW

_______________________________________________________________________________________

(February 10, 2021)


SolarWinds breach put the spotlight on supply chain attacks

The recent SolarWinds breach has proved how devastating a well-executed supply chain attack can be. What sets this case apart from others is its peculiar victim profiling and validation scheme. Through the SolarWinds Orion IT packages, the attackers reached around 18,000 customers and stayed inside targeted victims' networks for months without raising any alarms.

Ref - CSO

_______________________________________________________________________________________

(February 10, 2021)


Security of supply chains is actually worse than everyone thinks

Several indicators suggest that the security of supply chains is in a worse state than commonly assumed. Many enterprise networks consist of an untold number of disparate products, duct-taped together through poorly documented interfaces. Most operators have no idea they are sitting ducks for average attackers of moderate skill, much less for nation-state-backed adversaries with unlimited resources.

Ref - ZDNet

_______________________________________________________________________________________

(February 9, 2021)


The encryption backdoor from 2015 could be behind the SolarWinds attacks

While it is still not clearly known how hackers altered the code of SolarWinds software, many point to the Juniper Networks 2015 incident as a precursor to the recent hack. In a letter addressed to the NSA, members of Congress questioned whether the agency knew about the encryption backdoor in the Juniper Networks products.

Ref - NordVPN 

_______________________________________________________________________________________

(February 9, 2021)


Lessons from SolarWinds attack for federal agencies

There are several lessons for federal agencies to take away from the recent SolarWinds attacks. These include making sure the response actually reduces risk (turning off security updates and patches won't), choosing reputable, responsive suppliers that adhere to security standards and best practices, following least privilege and Zero Trust policies, and protecting sensitive data with adequate controls.

Ref - Varonis

_______________________________________________________________________________________

(February 9, 2021)


The U.S. must prioritize cybersecurity after the SolarWinds breach

The SolarWinds hack is considered an egregious act of espionage, stealing data, and establishing unauthorized access to information technology. Thus, nations must move past jurisdictional grandstanding to develop a national cybersecurity strategy. There must be a comprehensive approach to cybersecurity that keeps the United States a step ahead of its adversaries.

Ref - CNBC

_______________________________________________________________________________________

(February 9, 2021)


What could be the purpose behind the SolarWinds hack?

The purpose of the SolarWinds hack remains largely unknown. Still, there are many reasons hackers would want to get into an organization's system, including having access to future product plans or employee and customer information held for ransom. It is also not yet clear what information, if any, hackers stole from government agencies. But the level of access appears to be deep and broad.


_______________________________________________________________________________________

(February 9, 2021)


SolarWinds breach has created disturbances for security worldwide

While the scope of the Solorigate attack is substantial, the scale of sophisticated deception employed by the malicious actors is even more significant. The SolarWinds security breach highlights the need for organizations at the end of the digital development and supply pipeline to actively scan, monitor, and manage all software updates, no matter where they come from or where they sit in the application stack.

Ref - Forbes 

_______________________________________________________________________________________

(February 9, 2021)


The SolarWinds hack was not inevitable

The SolarWinds hack was a major breach of national security that revealed gaps in U.S. cyber defenses. The larger question is why SolarWinds, an American company, had to turn to foreign providers for software development. A Department of Defense report about supply chains characterizes the lack of software engineers as a crisis. There's also a shortage of cybersecurity talent in the U.S.; engineers, software developers, and network engineers are among the most needed skills across the country.

Ref - Yahoo 

_______________________________________________________________________________________

(February 9, 2021)


SolarWinds attack highlights the importance of the principle of least privilege

The advanced persistent threat (APT) behind the SolarWinds attack used forged authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism. This attack method has reinforced the importance of implementing least privilege, which is one of the 33 IT security principles outlined by NIST.


_______________________________________________________________________________________

(February 8, 2021)


Microsoft and SolarWinds having disputes over nation-state attacks

The latest investigation updates from SolarWinds and Microsoft offer differing views on how nation-state threat actors compromised SolarWinds' environment. The SolarWinds CEO claimed that threat actors got into SolarWinds' Office 365 environment first before moving to the Orion development environment. However, Microsoft said its investigation found no evidence it was attacked via the email software.


_______________________________________________________________________________________

(February 8, 2021)


US response to SolarWinds breach

In a formal joint statement, four U.S. agencies in charge of intelligence and cybersecurity affirmed that an advanced hacking group, likely Russian in origin, is responsible for the SolarWinds Orion software compromise. The Computer Fraud and Abuse Act (CFAA) could be used to indict Russian state hackers for trespassing in government computers or obtaining national security information. Sanctioning or indicting Russian state actors for cyber espionage, however, could set a dangerous precedent to be used against individual NSA or CIA hackers.

Ref - CFR

_______________________________________________________________________________________

(February 8, 2021)


SolarWinds' breach can lead to a larger attack 

Cybersecurity experts fear the SolarWinds hack has laid the groundwork for a larger attack that the federal government is not prepared to handle. After attackers exploited vulnerabilities in SolarWinds’ computer network management software to breach federal systems, a race began to fortify cyber defenses before additional attacks damage critical infrastructure and cause economic instability.


_______________________________________________________________________________________

(February 8, 2021)


SolarWinds attack is a wake-up call

SolarWinds attacks represent a shift in tactics for a supply chain attack where a nation-state has employed a new weapon for cyber-espionage. The impact of this attack shows how a high-volume commercial software product can impact many organizations simultaneously. From a US national security perspective, this attack enables the nation’s enemies to steal all manner of information, from inter-governmental communications to national secrets.

Ref - ITWeb 

_______________________________________________________________________________________

(February 5, 2021)


NIST offers tools to defend against nation-state cyber threats

NIST's new publications provide a "roadmap" for how agencies of any size should counter increasingly advanced tradecraft from nation-state actors. Tightening access controls for non-federal agencies would improve the confidentiality of sensitive information but can also prevent the initial access for advanced persistent threats targeting government agencies.

Ref - FCW

_______________________________________________________________________________________

(February 5, 2021)


Software supply chains are at risk of more attacks like SolarWinds attack

Revelations of the SolarWinds breach's full breadth and depth continue to escalate, as do the alarm bells ringing throughout government and industry. The next SolarWinds-style attack is a matter of when, not if, and the next breach could be far more damaging than infiltration and espionage. SolarWinds is a wake-up call for leaders to secure their end-to-end software supply chain.

Ref - Forbes 

_______________________________________________________________________________________

(February 5, 2021)


SolarWinds plans for safer customer community

SolarWinds President and CEO Sudhakar Ramakrishna and cybersecurity expert and Krebs Stamos Group Founding Partner Alex Stamos revealed a plan for a safer SolarWinds and customer community. The principles for the secure enterprise include further securing the internal environment, enhancing the product development environment, and ensuring the security and integrity of software.

_______________________________________________________________________________________

(February 5, 2021)


Microsoft: Microsoft services not used as an entry point by SolarWinds attackers

Microsoft has said that there was no indication that SolarWinds was attacked via Office 365. While data hosted in Microsoft email and other services were targeted by the hackers “post-compromise,” it had found no evidence that its services were used as an initial entry point into the systems of organizations, claiming that the attackers apparently gained privileged credentials “in some other way.”


_______________________________________________________________________________________

(February 5, 2021)


A deeper look into the massive 2020 cyberattack on the United States

Dmitri Alperovitch, the executive chair of the Silverado Policy Accelerator think tank and co-founder and former CTO of CrowdStrike, has described the many ways somebody can perpetrate a cyberattack. According to him, the most surprising thing about the SolarWinds attack is its scale, and he estimates that it will take months, potentially even years, to get to all the different networks these attackers have infiltrated.

Ref - Fortune 

_______________________________________________________________________________________

(February 4, 2021)

Government-funded cybersecurity system In-toto could have prevented SolarWinds attacks

The cyber-security system named in-toto is aimed at providing end-to-end protection for the entire software supply pipeline. This project, already available for free, is supported by $2.2 million in grants from US federal agencies. If widely deployed, this could have blocked or minimized the damage from the SolarWinds attack.

Ref - Medium 

_______________________________________________________________________________________

(February 4, 2021)


Importance of zero-trust mindset after SolarWinds breach

The recent SolarWinds attack has reinforced two key points that the industry has been advocating for a while now: defense-in-depth protections and embracing a zero-trust mindset. Defense-in-depth protections and best practices matter because each layer of defense provides an extra opportunity to detect an attack and take action before attackers get closer to valuable assets. A zero-trust philosophy is also important because it provides protection even when an attacker gains unauthorized access.

Ref - Microsoft

_______________________________________________________________________________________

(February 4, 2021)


Organizations should be wary of third-party providers after SolarWinds breach

The recent SolarWinds breach has proved that any company that produces software or hardware for other organizations is a potential target of a supply chain attack. Nation-state actors have deep resources and the skills to penetrate even the most security-conscious firms. Even security vendors can be targets.

Ref - CSO

_______________________________________________________________________________________

(February 4, 2021)


The SolarWinds attack proves that an on-premise Active Directory is still an effective attack vector

New evidence points to attackers using well-established methods to gain initial access the old-fashioned way, through on-premises Active Directory (AD). Attackers used methods such as password guessing, password spraying, and exploiting poorly secured administrative or service credentials. They then used native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the certificate-signing capability of Microsoft Active Directory Federated Services (AD FS) and forge authentication tokens.


_______________________________________________________________________________________

(February 4, 2021)


SolarWinds chases multiple leads in the breach investigation

According to new intelligence shared by SolarWinds, UNC2452, the Russia-linked advanced persistent threat (APT) group behind the December 2020 SolarWinds cyber attacks, probably accessed SolarWinds’ systems both through a zero-day vulnerability in Microsoft Office 365 and through a compromise of user credentials.


_______________________________________________________________________________________

(February 4, 2021)


SolarWinds confirms that Office 365 email compromise played role in recent massive cyber attacks

SolarWinds CEO Sudhakar Ramakrishna has verified suspicious activity in its Office 365 environment, with a company email account compromised and used to access accounts of targeted SolarWinds staff in business and technical roles. Hackers most likely entered SolarWinds' environment through compromised credentials and/or a third-party application that capitalized on a zero-day vulnerability.

Ref - CRN 

_______________________________________________________________________________________

(February 3, 2021)


Impact of SolarWinds attacks on security managers 

With the increasing sophistication of attacks, there is a call for security managers to reduce the time of detection and response to threats. Having an incident response plan and playbook is key in protecting important customer or organizational data. Conducting assessments, having a strong communication structure with your board, and implementing strong security solutions are critical.

Ref - Aurora  

_______________________________________________________________________________________

(February 3, 2021)


SolarWinds CEO: Office 365 environment was compromised in SolarWinds breach

In new details on the SolarWinds breach, it has been disclosed that nation-state threat actors first compromised a single email account and later gained access to the company's Orion platform environment. From there, the threat actors compromised the credentials of the employees, got privileged access to the Orion build environment, and then added the backdoor to software updates for the platform.


_______________________________________________________________________________________

(February 3, 2021)


The path of becoming secure by design after SolarWinds breach

The SolarWinds breach taught several lessons on becoming more secure: upgrading to stronger and deeper endpoint protections, enhancing Data Loss Prevention solutions, expanding the Security Operations Center, and tightening firewall policies. Along with these steps, adopting zero trust and least privilege access and addressing the risks associated with third-party application access are also very important.


_______________________________________________________________________________________

(February 3, 2021)


Use of a backdoor implant in a SolarWinds Orion server

In early 2020, the Sophos Managed Threat Response (MTR) team was brought in to help an organization that had fallen victim to a Ragnar Locker attack. The C2s, web shell, and DLL used in that attack may not be directly related to the recent SolarWinds attacks, but they carry several similarities. The threat actor gained access to the web server and installed a web shell to send commands and orchestrate the rest of the attack. A backdoored version of OrionWeb.dll was downloaded from their C2 server; additional logic had been added to authenticate the username "_system" with a dynamic password that changed every day, and the file's digital signature had been removed.

Ref - Sophos

_______________________________________________________________________________________

(February 3, 2021)


Findings from SolarWinds ongoing investigations

According to SolarWinds, their email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising the credentials of SolarWinds employees, the threat actors were able to gain access to and exploit their Orion development environment.


_______________________________________________________________________________________

(February 3, 2021)


Additional details on vulnerabilities in SolarWinds Orion and SonicWall appliances

Details have been revealed on two vulnerabilities (CVE-2021-25274 and CVE-2021-25275) in the SolarWinds Orion Platform and a single vulnerability in the SolarWinds Serv-U FTP server for Windows. SolarWinds Orion Platform users can upgrade to version 2020.2.4, and Serv-U FTP users can upgrade to version 15.2.2 Hotfix 1. Similarly, for the zero-day vulnerability found in SonicWall SMA 100 Series appliances, the company has released a patch in firmware version SMA 10.2.0.5-29sv.

Ref - Rapid7

_______________________________________________________________________________________

(February 3, 2021)


Unfolding the SolarWinds breach

Pushkar Tiwari, Director Development at Symantec Enterprise Division of Broadcom Inc., has revealed the entire episode about what, when, why, and how of the SolarWinds hack. Tiwari has closely followed and analyzed the modus operandi of the hack.

Ref - CISO MAG

_______________________________________________________________________________________

(February 3, 2021)


Three new severe security vulnerabilities identified impacting SolarWinds products

Three severe security vulnerabilities have been identified impacting SolarWinds products. Two of the flaws (CVE-2021-25274 and CVE-2021-25275) were identified in the SolarWinds Orion Platform, while a third separate weakness (CVE-2021-25276) was found in the company's Serv-U FTP server for Windows.


_______________________________________________________________________________________

(February 3, 2021)


‘Severe’ SolarWinds vulnerabilities allow hackers to take over servers

A new set of three “severe” vulnerabilities have been discovered in the SolarWinds Orion platform. These issues could allow an attacker full remote code execution, access to credentials for recovery, and the ability to read, write to or delete any file on the system.

Ref - Forbes 

_______________________________________________________________________________________

(February 3, 2021)


Chinese hackers suspected to be involved in SolarWinds breach

It is suspected that Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, marking a new twist in a sprawling cybersecurity breach that U.S. lawmakers have labeled a national security emergency. It has been found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations.

Ref - Reuters

_______________________________________________________________________________________

(February 3, 2021)


Suspected Chinese hackers used SolarWinds bug to attack additional federal agencies

Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into US government computers last year. The attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies. SolarWinds said it was aware of a single customer that was compromised by the second set of hackers but cannot say conclusively who was responsible.


_______________________________________________________________________________________

(February 2, 2021)


New revelations deepen the fears related to third-party software use

The new revelation about the involvement of Chinese hackers underscores the seemingly impossible task that organizations face in dealing with not only their own security issues but also potential exposure from the countless third-party companies they partner with. It is said that the Chinese hackers exploited the vulnerability only after already breaking into a network by some other means. They then used the flaw to bore deeper.

Ref - Wired

_______________________________________________________________________________________

(February 2, 2021)


Hackers stayed inside SolarWinds email system for almost 9 months

The newly appointed chief executive of SolarWinds Corp. is still trying to unravel how his company became a primary vector for hackers in a massive attack revealed last year. According to him, evidence is emerging that the attackers were lurking in the company’s Office 365 email system for months. The company is still trying to understand how the hackers first got into its network and when exactly that happened.


_______________________________________________________________________________________

(February 2, 2021)


Learnings from SolarWinds breach - Singapore CERT

Singapore CERT has provided several key takeaways and guidelines to prevent future supply-chain attacks like SolarWinds. First, supply-chain attacks are likely to continue to occur, so organizations should make every effort to improve visibility. Second, the breach demonstrates the asymmetric nature of the cybersecurity threat, which demands that organizations continuously enhance and develop their cybersecurity capabilities. The breach also highlights the importance of the international community’s efforts in establishing clear rules and norms to promote responsible behavior in cyberspace.

Ref - CSA

_______________________________________________________________________________________

(February 2, 2021)


A U.S. federal payroll agency breached by exploiting SolarWinds flaw

The FBI has discovered that the National Finance Center, a U.S. Department of Agriculture (USDA) federal payroll agency, was compromised by exploiting a SolarWinds Orion software flaw. Even though both the FBI and the USDA declined to provide further comment, the latter confirmed that it had suffered a data breach.


_______________________________________________________________________________________

(February 1, 2021)


U.S. court system goes paper for sensitive documents after SolarWinds hack

The US court system has banned the electronic submission of legal documents in sensitive cases out of concern that Russian hackers have compromised the filing system. In an extraordinary order handed down to all federal courts, any documents that contain information likely to be of interest to the intelligence service of a foreign government will now have to be printed out and submitted on paper.


_______________________________________________________________________________________

(February 1, 2021)


SolarWinds breach puts the spotlight on an old supply-chain incident

In the wake of the recent SolarWinds attacks, Members of Congress are demanding the U.S. National Security Agency (NSA) reveal information about an old (2015) Juniper Networks supply-chain delivery breach. A chief bone of contention among lawmakers is the allegation that the NSA’s “Dual_EC_DRBG” algorithm, submitted to the National Institute of Standards and Technology (NIST), contained an encryption backdoor for the spy agency.


_______________________________________________________________________________________

(February 1, 2021)


How to prevent the next SolarWinds-kind attack?

First, cybersecurity professionals should take care of the “easy” stuff, such as keeping their software updated and, where necessary, applying patches. Second, companies must build a culture of security into their product design. Finally, any robust third-party security program must involve a high level of automation, as doing it manually is not practical.


_______________________________________________________________________________________

(January 31, 2021)


A third of victims were not using SolarWinds software

Almost a third of the victims of the recent massive wave of attacks did not use the SolarWinds software, which was previously thought to be the main gateway for the attackers. The serious cyberattack on government institutions and companies in the USA is widening. Investigators have found evidence that the alleged espionage operation went well beyond the compromise of the small software provider SolarWinds.


_______________________________________________________________________________________

(January 29, 2021)

A fifth of Sunburst backdoor victims are from the manufacturing sector 

Nearly a fifth of the organizations hit by the Sunburst backdoor emanating from the SolarWinds supply chain attack are from the manufacturing sector, a new analysis from Kaspersky has revealed. While researchers have already uncovered technical details of the Sunburst backdoor at the heart of the SolarWinds incident late last year, the full impact of the attack is still being investigated.


_______________________________________________________________________________________

(January 29, 2021)


SolarWinds' implications for IoT and OT

In the new episode of Talos Takes, experts from Cisco Talos provide details about how the SolarWinds attack has wide-reaching consequences in the internet-of-things (IoT) and operational technology (OT) spaces.


_______________________________________________________________________________________

(January 29, 2021)


Lessons learned from SolarWinds breach 

The SolarWinds attacks have left several important lessons behind: new binaries should be checked and verified even once they are signed; app/service accounts for cloud environments should be audited, monitored, and segregated as much as possible; a secure System Development Life Cycle (SDLC) process should be deployed to catch attackers in real time and prevent damage; and stronger passwords should be used on code management platforms.


_______________________________________________________________________________________

(January 29, 2021)


Life after the SolarWinds supply chain attack

After the disclosure of the SolarWinds attack, the first step for any organization should be to eliminate the immediate risk. Those that use the affected software should already have followed the Cybersecurity and Infrastructure Security Agency (CISA)’s directions to disconnect and decommission any instances of SolarWinds Orion software. Even after a complete reset of all accounts, an additional top-to-bottom security review should be done. In addition, all relationships should be examined, both between internal servers and with external third parties who might have access to the networks and systems.


_______________________________________________________________________________________

(January 29, 2021)


SolarWinds breach spooks tech firms into rechecking code

Haunted by the far-reaching implications of the SolarWinds supply chain attack, software company executives have ordered sweeping new assessments of their products, looking for any signs of suspicious activity, code anomalies, or exploits. If or when more attacks are uncovered, end-user organizations will need to apply the lessons learned from SolarWinds and prepare to take swift and decisive action.

Ref - SC Media

_______________________________________________________________________________________

(January 29, 2021)

SolarWinds breach raises questions about the appropriate response to such attacks

The sprawling reach of the SolarWinds malware attack inspires new questions about the appropriate response from private sector organizations to cyberattacks from nation-state hackers. Many enterprises, particularly those in tech and security, have tremendous insight into the workings of their own systems, which some believe puts them in a particularly unique position to hack back at attackers.

Ref - SC Media

_______________________________________________________________________________________

(January 29, 2021)


Suspected Russian hack extends far beyond SolarWinds software

Investigators examining the massive attack on the U.S. government and businesses claim that they have found concrete evidence the suspected Russian espionage operation went far beyond the compromise of the small software vendor publicly linked to the attack. Close to a third of the victims didn’t run the SolarWinds Corp. software. The revelation is fueling concern that the episode exploited vulnerabilities in business software used daily by millions.


_______________________________________________________________________________________

(January 29, 2021)


The SolarWinds hack is even worse than anyone thought

The SolarWinds hackers didn't go for the usual credit card numbers and email addresses that most cyberthieves seek. Instead, the hackers went for much higher-value internal information: emails with corporate and government secrets, the source code underlying Microsoft software, and the like. The attack also undermines the entire structure of cybersecurity in the United States, with its patchwork of government agencies, big-name security firms, thousands of smaller outside vendors, and internal IT department security efforts.

Ref - Fortune

_______________________________________________________________________________________

(January 29, 2021)


What went wrong during SolarWinds attacks, and how can we fix it

When FireEye went public with its SolarWinds news, neither the NSA, the Pentagon’s Cyber Command, nor any other U.S. intelligence or cyber agency had detected the attack, although it had likely been underway for months. FireEye wasn’t legally obligated to inform anyone - publicly or privately - about its discovery. The U.S. does not require independent research firms to share their findings of cyberthreats with government agencies, even if they constitute a potential national security threat.

Ref - Fortune 

_______________________________________________________________________________________

(January 29, 2021)


SolarWinds attackers hit several strategic targets including cyber and tech firms

For hackers, cybersecurity companies represent the gatekeepers guarding the computer networks they so desperately wish to exploit. Also, cybersecurity and technology companies often have remote access to customers’ computer networks, potentially giving hackers entry to their clients and partners. Such digital supply chain hacks are an efficient method to corral hundreds, if not thousands, of potential victims.

Ref - Bloomberg 

_______________________________________________________________________________________

(January 29, 2021)


Web Supply Chain may be next in the line for State-sponsored attacks

Industry experts have pointed out that blind trust and long, complex chains are two key ingredients for any successful supply chain attack like the SolarWinds attack. These two are available in nearly every Web application and website that is online right now. Any breach in one of the ‘maintainer’ accounts can trigger a global Web supply chain attack and affect millions of organizations.

Ref - Dark Reading 

_______________________________________________________________________________________

(January 29, 2021)


Thirty percent of SolarWinds hack victims didn't run the software

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, has recently revealed that around 30 percent of computers previously thought to be hacked via SolarWinds didn't even run the software. Hackers linked to the attack also seem to have broken into government and private accounts by guessing passwords and exploiting issues in Microsoft's cloud-based Office software used by millions of people.

Ref - The Week 

_______________________________________________________________________________________

(January 29, 2021)


A fifth of Sunburst backdoor victims belong to the Manufacturing industry

A new analysis from Kaspersky has revealed that nearly a fifth of the organizations hit by the Sunburst backdoor are from the manufacturing sector. Based on a list of nearly 2,000 readable and attributable domains, it was found that around a third (32.4%) of all victims were industrial organizations. The most impacted sector is manufacturing (18.11% of all victims), followed by utilities (3.24%), construction (3.03%), transportation and logistics (2.97%), and oil and gas (1.35%).


_______________________________________________________________________________________

(January 29, 2021)


More SolarWinds type of attacks are expected in future

More sophisticated and complex attacks of the SolarWinds type can be expected sooner or later. Experts also said that these attacks are going to continue to get more sophisticated. SolarWinds is a moment of reckoning for the security industry, and this is going to be the new norm.

Ref - ZDNet

_______________________________________________________________________________________

(January 28, 2021)


Most tools that detected the SolarWinds malware also failed in some way

The actors behind the SolarWinds hack easily evaded all the major cybersecurity technologies available in the market. For endpoint detection and response (EDR), the threat actor seems to have tested its malware against all the major players. It knew which ones could detect it, which ones it could turn off, and which ones it could not evade. And the same can be said for automated threat hunting platforms, and internal network monitoring tools as well.

Ref - CFR 

_______________________________________________________________________________________

(January 28, 2021)

SolarWinds attackers abused weak access policies to infiltrate networks

Service accounts may have played a bigger role than originally anticipated in the SolarWinds hack that compromised the networks of a number of U.S. government agencies and private organizations. Attackers may have used SolarWinds’ service accounts with high-level privileges to conduct lateral movement across the SolarWinds network and thereby gain access to more enterprise resources.

Ref - Toolbox

_______________________________________________________________________________________

(January 28, 2021)


The technical attack flow of SunBurst malware

Using the MITRE ATT&CK framework, researchers have provided the most likely technical attack flow of the SunBurst attack (the malware installed in SolarWinds’ Orion product). The chain of events included initial access (on-premises), discovery, credential access, privilege escalation, defense evasion, lateral movement, and finally exfiltration. Check Point researchers have revealed the details of each of these steps.


_______________________________________________________________________________________

(January 28, 2021)


Why does the SolarWinds breach matter so much?

The SolarWinds breach was like no other of its kind. The breach is almost endless in scale due to the implementation and usage of the compromised SolarWinds product and code across many organizations. This makes it one of the most powerful and successful hacks in history.

Ref - RedBit  

_______________________________________________________________________________________

(January 28, 2021)


SolarWinds hack proves that there is no ‘Finish Line’ with security

Stephen Ayoub, president of the solution provider powerhouse Ahead, has insisted that the massive SolarWinds hack has proved that there is no “finish line” to any organization’s cybersecurity strategy. Several other IT leaders across the board are echoing similar views regarding the SolarWinds hack.

Ref - CRN 

_______________________________________________________________________________________

(January 28, 2021)

The Story of a SolarWinds Attack Victim

Marcin Kleczynski, the chief executive officer of Malwarebytes, sheds some light on the series of quick and consequential decisions that hundreds of company and agency heads across the country have been forced to make in the aftermath of the SolarWinds breach by suspected Russian hackers.

Ref - Bloomberg

_______________________________________________________________________________________

(January 27, 2021)

CISA Malware Analysis on Supernova

CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts. Supernova is not part of the SolarWinds supply chain attack described in Alert AA20-352A.
 
Ref - US-CERT

_______________________________________________________________________________________

(January 27, 2021)


SolarWinds Attacks Highlight Advantage of Indicators of Behavior for Early Detection

The security community is not bound to protecting organizations using IOCs alone; it can turn to what’s known as Indicators of Behavior (IOBs). The malicious actors uniquely compiled their code to make sure it would not match any known file hashes or malware signatures, rendering IOCs ineffective for detection and leaving signature-based anti-malware solutions unable to catch it.


_______________________________________________________________________________________

(January 27, 2021)


Hardening active directory against SolarWinds-type attacks

The SolarWinds attackers took advantage of Active Directory to gain a foothold inside the targeted networks. There are several means within Microsoft’s Active Directory (AD) to identify the attack techniques used by the SolarWinds attackers and prevent them from succeeding. These include user account settings, domain password policies, Active Directory backup policies, and a few areas needing attention such as old Group Policy Preferences credentials.


_______________________________________________________________________________________

(January 27, 2021)


Hundreds of Industrial organizations received Sunburst malware

Kaspersky’s industrial cybersecurity researchers have analyzed a list of nearly 2,000 domains impacted by Sunburst and estimated that roughly 32% of them were associated with industrial organizations. A majority of them are organizations in the manufacturing sector, followed by utilities, construction, transportation and logistics, oil and gas, mining, and energy.

Ref - SecurityWeek 

_______________________________________________________________________________________

(January 27, 2021)


Fidelis targeted by SolarWinds hackers via Orion

Fidelis has disclosed and confirmed that hq[.]fidelis is included in the growing list of domains known to have been targeted by the SolarWinds attackers. Fidelis had installed an evaluation copy of the trojanized SolarWinds Orion software on one of their machines in May 2020 as part of a software evaluation.


_______________________________________________________________________________________

(January 26, 2021)


Kaspersky researchers reveal SunBurst industrial victims

Kaspersky researchers have analyzed all available decoded internal domain names obtained from DNS names generated by the SunBurst Domain Generation Algorithm, using some publicly available lists and third-party lists. The geographical distribution of the industrial organizations is broad and covers almost the entire world, from North America to APAC.

Ref - Kaspersky

_______________________________________________________________________________________

(January 26, 2021)


Mimecast confirms SolarWinds' hackers breached company

Mimecast has confirmed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. Customers hosted in the United States and the United Kingdom have been advised to take precautionary steps to reset their credentials.

Ref - Mimecast 

_______________________________________________________________________________________

(January 26, 2021)


Four new victims disclosed in SolarWinds breach

As most experts predicted last month, the fallout from the SolarWinds supply chain attack is getting bigger as time passes and companies have had time to audit internal networks and DNS logs. Now, four more cybersecurity vendors, Mimecast, Palo Alto Networks, Qualys, and Fidelis, have added their names to the list of companies that installed trojanized versions of the SolarWinds Orion app.

Ref - ZDNet

_______________________________________________________________________________________

(January 26, 2021)


Can the SolarWinds breach be called an act of war?

Members of Congress on both sides of the aisle have posed the question of whether the recent SolarWinds cyberattack was an act of war. Democratic Sen. Dick Durbin and Republican Sen. Mitt Romney shared these concerns. States must recognize such an aggressive act for what it is and be prepared to respond to such threats in accordance with international law.

Ref - Lawfare 

_______________________________________________________________________________________

(January 26, 2021)


SolarWinds breach exposed significant weaknesses of incident response

The massive SolarWinds breach exposed some significant weaknesses in companies’ incident response practices. Lack of traffic analysis and behavior logs hinders the incident response team's ability to track down the source of the attack and shut it down, cut off the attackers' communication channels, and determine how far the attack has spread.


_______________________________________________________________________________________

(January 26, 2021)


Important lessons of Solarwinds breach

The SolarWinds hack hasn’t really gotten the attention it deserves because it happened during the chaos after the presidential election, but it’s a big deal. And it raises a lot of questions about how to respond to such a massive attack and the responsibility of the private sector when it comes to national security.

Ref - The Verge

_______________________________________________________________________________________

(January 26, 2021)


SUNSPOT was used to inject the SUNBURST backdoor into the Orion app

An analysis revealed that the threat actors leveraged SUNSPOT to automatically inject the SUNBURST backdoor into the Orion app build process after executing the manual supply chain attack. The build process is the software step developers use to assemble smaller components into larger software applications. SUNSPOT is considered the third malware strain identified, following SUNBURST (Solorigate) and TEARDROP.


_______________________________________________________________________________________

(January 26, 2021)


How the massive SolarWinds hack went down

The SolarWinds hack was, and continues to be, one of the biggest espionage campaigns recently discovered. Microsoft, Google, and several U.S. government agencies were among those compromised by the intrusion, and the repercussions of the SolarWinds hack are still being unraveled.

Ref - CNBC 

_______________________________________________________________________________________

(January 26, 2021)


SonicWall warns customers about zero-day vulnerabilities, may be linked to SolarWinds attacks

SonicWall has identified a coordinated attack on its internal systems by highly sophisticated threat actors. The attackers exploited probable zero-day vulnerabilities on certain SonicWall secure remote access products. Although there is currently no known link between the attack against SonicWall and the SolarWinds or Azure attacks, SonicWall is the third cybersecurity vendor to recently announce a security breach, after FireEye and Malwarebytes.

Ref - CSO Online 

_______________________________________________________________________________________

(January 25, 2021)


How should affected businesses respond to the SolarWinds hack?

The first thing businesses should do is make certain that their networks are as internally secure as possible. That means reconfiguring network assets to be as isolated as possible. They should also review employee security practices and procedures, conduct a limited security audit, and engage in defensive measures.


_______________________________________________________________________________________

(January 25, 2021)


Stage two of the SUNBURST backdoor revealed 23 more targets

According to researchers, the "STAGE2" flag in SUNBURST's DNS beacons can be used to reveal additional SUNBURST victims that were singled out as interesting targets by the threat actors. Most SUNBURST backdoors never made it past "Stage 1 operation", in which the backdoor encoded the internal AD domain name and the list of installed security products into its DNS requests.

Ref - NETRESEC

_______________________________________________________________________________________

(January 25, 2021)


SolarWinds hack leaves security researchers clueless about future risks

The SolarWinds attackers have demonstrated sophistication and complex tradecraft in the intrusions. Out of hundreds of targeted organizations, it will take years to know for certain which networks the Russians control and which ones they just occupy. Although the consensus seems to be that the SolarWinds breach was straight-up reconnaissance, the truth is that it is yet not known if this was actually an attack or not.


_______________________________________________________________________________________

(January 25, 2021)


Qualys confirmed as one of the targets in SolarWinds attack

A researcher has released a list of 23 new, alleged targets of the unprecedented SolarWinds hacks that formed a huge espionage campaign first revealed in December. Amongst the confirmed newly-discovered targets are Qualys, a $5 billion market cap cybersecurity company on the Nasdaq, and the Virginia State Corporation Commission, which regulates businesses in the region.

Ref - Forbes

_______________________________________________________________________________________

(January 25, 2021)


Protecting businesses from Supply Chain attacks

SolarWinds attackers used a total of four malware strains: Sunspot, Sunburst (Solorigate), Teardrop, and Raindrop. These malware strains were used in a sophisticated sequence of escalated attacks. Security teams must scan their IT environments for all four of these strains of malware. In addition, organizations should take several additional security measures to reduce their exposure to risk.


_______________________________________________________________________________________

(January 25, 2021)


SolarWinds breach exposed supply chain weaknesses

The elite Russian hackers who gained access to computer systems of federal agencies last year didn't bother trying to break one by one into the networks of each department. Instead, they got inside by sneaking malicious code into a software update pushed out to thousands of government agencies and private companies.


_______________________________________________________________________________________

(January 25, 2021)


The Russian hack of US agencies exposed supply chain weaknesses

U.S. officials and cybersecurity experts have sounded the alarm for years about the problem behind the havoc caused by the SolarWinds attack, including billions of dollars in financial losses, a problem that also defies easy solutions from the government and private sector. Part of the appeal of a supply chain attack for hackers is that it's "low-hanging fruit". U.S. organizations often do not appreciate or understand how dispersed their networks actually are.

Ref - StarTribune 

_______________________________________________________________________________________

(January 25, 2021)


SolarWinds, Mimecast hacks highlight risks of third-party, supply-chain compromises

The Mimecast hack provides a glimpse of threat actors innovating to take full advantage of fresh opportunities to maliciously manipulate digital certificates. Mimecast supplies email security systems to some 36,100 companies, many of which use Office 365 or G Suite. By either stealing or spoofing Mimecast’s certificate, the threat actors could gain access to inbound and outbound mail flows, intercept that traffic, and possibly infiltrate Mimecast customers’ Microsoft 365 Exchange Web Services as well.


_______________________________________________________________________________________

(January 24, 2021)


Lessons learned from SolarWinds breach

Three networking experts (Steve Garson, Tom Nolle, and Tom Hollingsworth) explored different lessons learned from SolarWinds. They provide guidance on how to shrink attack surfaces, on overlooked management and monitoring practices, and on how something seemingly harmless could lead to trouble.


_______________________________________________________________________________________

(January 22, 2021)


Disaster recovery steps after SolarWinds breach

For organizations that were affected by the SolarWinds breach, the first step would be to get the latest updates of the Orion software that have been sanitized. Next, they need to identify all of the systems that were impacted as well as those systems that interacted with them. They should evaluate DR plans to see if there are contingencies for the impacted systems and if there are considerations enacting them. Finally, it would be prudent to rebuild all of the systems that were affected as well as any systems that were connected to them in order to ensure that any undetected presence of the malware is actually gone.

Ref - Petri

_______________________________________________________________________________________

(January 22, 2021)


The SolarWinds attack can affect control systems as well

Much of the initial discourse around the SolarWinds cyberattack focused on its impact on the affected Information Technology (IT) systems. However, this overlooks an equally destructive yet unexamined operational technology (OT) portion of the attack, and much of the OT impact may not be seen for months or longer. 

Ref - Lawfare

_______________________________________________________________________________________

(January 22, 2021)


SolarWinds hackers avoided reuse of attack infrastructures

The Sunburst espionage campaign that breached FireEye and several government agencies was devious about operational security. To protect useful attack vectors through SolarWinds, Microsoft, and VMware, the hackers made every effort not to reuse infrastructure or settings, or to tie one stage of the attack to another.

Ref - SC Media

_______________________________________________________________________________________

(January 22, 2021)


How Sunburst sent data back to its operators

Sunburst uses randomly generated URL paths for HTTP(S) POST requests that are different from those used for HTTP(S) GET requests. Further, instead of sending the encrypted data directly (as it does when the data is larger than 10,000 bytes), the data is hidden steganographically in a faux JSON blob. On receipt, the attacker needs to decode and concatenate all the Message chunks, skipping junk chunks where the second bit of the Timestamp field is not set.

Ref - Symantec
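As an added illustration of the reassembly rule described above (this is example code written for this page, not Symantec's or the malware author's code), the following Python reassembles the payload chunks from a constructed faux JSON blob. The outer field names ("steps", "Timestamp", "Message") and the base64 encoding of each chunk are assumptions made for illustration; only the Timestamp-bit rule and the in-order concatenation of Message chunks come from the description above. The reassembled bytes are still the encrypted payload, which a forensic analyst would then hand to the decryption stage; nothing here decrypts it.

```python
import base64
import json

# Bit that marks a chunk as carrying data (the "second bit" of Timestamp).
DATA_BIT = 0x2


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed sample, not a real capture. Chunks whose Timestamp has bit 0x2
# clear are padding and must be skipped; the rest concatenate in order.
SAMPLE_BLOB = json.dumps({
    "userId": "constructed",
    "sessionId": "constructed",
    "steps": [
        {"Timestamp": 1610000002, "Index": 0, "Message": _b64(b"constr")},
        {"Timestamp": 1610000001, "Index": 1, "Message": _b64(b"junk")},    # bit clear
        {"Timestamp": 1610000003, "Index": 2, "Message": _b64(b"ucted-")},
        {"Timestamp": 1610000004, "Index": 3, "Message": _b64(b"noise")},   # bit clear
        {"Timestamp": 1610000006, "Index": 4, "Message": _b64(b"payload")},
    ],
})


def carries_data(step: dict) -> bool:
    """A step contributes to the message only if its Timestamp has bit 0x2 set."""
    return bool(int(step.get("Timestamp", 0)) & DATA_BIT)


def reassemble(blob: str) -> bytes:
    """Concatenate the Message chunks of a faux JSON blob, skipping junk chunks.

    Returns the reassembled (still encrypted) bytes. Raises ValueError when the
    blob does not have the assumed shape, so a caller never silently treats
    unrelated JSON as a Sunburst message.
    """
    doc = json.loads(blob)
    steps = doc.get("steps")
    if not isinstance(steps, list):
        raise ValueError("no steps array")
    out = bytearray()
    for step in steps:
        if "Timestamp" not in step or "Message" not in step:
            raise ValueError("step missing Timestamp/Message")
        if carries_data(step):
            out += base64.b64decode(step["Message"])
    return bytes(out)


def junk_ratio(blob: str) -> float:
    """Fraction of steps that are padding, as a triage signal for analysts:
    ordinary telemetry has no reason to encode a flag in its timestamps."""
    steps = json.loads(blob)["steps"]
    if not steps:
        return 0.0
    junk = sum(1 for s in steps if not carries_data(s))
    return junk / len(steps)


if __name__ == "__main__":
    print(reassemble(SAMPLE_BLOB))
    print(f"junk ratio: {junk_ratio(SAMPLE_BLOB):.2f}")
```

Run stand-alone it prints the reassembled sample bytes; on a real capture the input would be the body of a suspicious POST and the output would go to the decryption step.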

_______________________________________________________________________________________

(January 22, 2021)


FSB alerted Russian businesses about retaliation for the SolarWinds hack

The Russian intelligence agency FSB has issued a security alert this week warning Russian organizations of potential cyberattacks launched by the United States in response to the SolarWinds supply chain attack. The alert was issued after officials of the new Biden administration declared that attacks like the SolarWinds ones could trigger a response from their government.


_______________________________________________________________________________________

(January 21, 2021)


The attack timeline of Solarwinds breach

According to the SolarWinds attack timeline, the attackers started accessing SolarWinds in September 2019, and a week later they injected test code. The following month, they stopped injecting test code. In February 2020, the Solorigate backdoor was compiled and deployed. In March, target profiling and distribution of SUNBURST started. In May, actual hands-on-keyboard attacks started and the TEARDROP malware was activated. In June, the attackers removed the malware from the SolarWinds build environment. From this point until December, when the supply-chain attack was discovered, hands-on-keyboard attacks continued.


_______________________________________________________________________________________

(January 21, 2021)

How SolarWinds hackers remained undetected

Microsoft's security researchers have outlined some of the operational security practices used by the SolarWinds hackers that allowed them to remain undetected for so long. The hackers renamed tools and binaries and put them in folders that looked like files and programs already present on a machine. They even prepared special firewall rules to minimize outgoing packets for certain protocols and then removed the rules after finishing reconnaissance.

Ref - ZDNet

_______________________________________________________________________________________

(January 21, 2021)


The SolarWinds hackers had put in painstaking planning to avoid detection

Microsoft researchers estimate that the SolarWinds attackers spent a month or so in selecting victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure. The attackers also tried to separate the Cobalt Strike loader's execution from the SolarWinds process in order to protect the Cobalt Strike implant. Each Cobalt Strike DLL implant was prepared to be unique per machine and avoided any overlap and reuse of folder name, file name, and other details.

Ref - ZDNet 

_______________________________________________________________________________________

(January 20, 2021)


Building the threat context for the SolarWinds incident

Blueliv has identified two vulnerabilities that affected SolarWinds Orion and could have been leveraged by the attackers: CVE-2020-14005 and CVE-2020-13169. Several severe ATT&CK patterns were also noted, particularly variations of Cross-Site Scripting (XSS) associated with these vulnerabilities.

Ref - Blueliv 

_______________________________________________________________________________________

(January 20, 2021)


Old-guard, ‘Cowboy IT’ caused the SolarWinds supply chain compromise

According to James Stanger, chief technology evangelist, CompTIA, most organizations continue to pursue traditional measures based on a firewall-first, signature-based, trusted-partner mindset. This mindset creates toxic IT solutions and leads to the practice of making IT and cybersecurity workers continually clean up after bad code, hastily implemented platforms, and poor business procedures.

Ref - SC Media

_______________________________________________________________________________________

(January 20, 2021)


Microsoft shares details on how hackers evaded detection in SolarWinds attack

Microsoft has shared details on how the SolarWinds hackers were able to remain undetected by hiding their malicious activity inside the networks of breached companies. The report shares new details regarding the Solorigate second-stage activation, including the steps and tools used to deploy custom Cobalt Strike loaders (Teardrop, Raindrop, and others) after dropping the Solorigate (Sunburst) DLL backdoor.


_______________________________________________________________________________________

(January 20, 2021)


More details regarding Solorigate second-stage activation revealed

Microsoft detailed the hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders, including the loader dubbed TEARDROP by FireEye and a variant named Raindrop by Symantec.

Ref - Microsoft

_______________________________________________________________________________________

(January 20, 2021)


Malwarebytes was targeted via Microsoft 365 API Calls

To target Malwarebytes, instead of using the SolarWinds Orion network-management system, the attackers had abused applications with privileged access to Microsoft Office 365 and Azure environments. The Microsoft Security Response Center flagged suspicious activity from a third-party email-security application used with Malwarebytes’ Microsoft Office 365 hosted service on Dec. 15.

Ref - Threatpost 

_______________________________________________________________________________________
 
(January 19, 2021)


SolarWinds attack has shown four separate paths to breach Microsoft 365 cloud

The perpetrators behind the SolarWinds supply-chain attack were observed leveraging four separate techniques to bypass identity and access management protections. These techniques include the Golden SAML attack using stolen ADFS token-signing certificates, adding a new attacker-controlled federated Identity Provider (IdP) capable of forging tokens, compromising the credentials of high-privileged on-prem accounts synced to Microsoft 365, and adding rogue credentials and exploiting their legitimate assigned permissions.

Ref - SC Media 
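Two of the four paths listed above, adding a federated Identity Provider and adding rogue credentials to an application or service principal, leave a trail in the tenant's directory audit log. As an added example (written for this page, not code from SC Media, Microsoft or any incident-response team), the Python below triages a constructed Azure AD audit-log export for those two paths. The operation names are assumptions made to match Azure AD audit-log activityDisplayName conventions and should be confirmed against your own tenant's export; the application names and their permissions are constructed. Credential additions to an application that already holds mailbox permissions are rated higher, since that is the route by which a rogue credential becomes mail access.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Assumed audit operation names; verify against a real tenant export.
FEDERATION_OPS = {"Set domain authentication", "Set federation settings on domain"}
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Constructed: application permissions that turn a rogue credential into
# mailbox access. App names and grants are illustrative only.
HIGH_RISK_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}
APP_PERMISSIONS = {
    "mail-archiver-sp": {"Mail.Read"},
    "inventory-dashboard": {"User.Read"},
}

# Constructed sample records in the shape of an Azure AD audit-log export.
SAMPLE_RECORDS = [
    {"activityDateTime": "2020-12-15T02:11:04Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "dev@example.test"}},
     "targetResources": [{"displayName": "inventory-dashboard"}]},
    {"activityDateTime": "2020-12-15T02:40:51Z",
     "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "globaladmin@example.test"}},
     "targetResources": [{"displayName": "example.test"}]},
    {"activityDateTime": "2020-12-15T03:02:19Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "globaladmin@example.test"}},
     "targetResources": [{"displayName": "mail-archiver-sp"}]},
]


def _actor(rec: Dict) -> str:
    """Principal that performed the change, whether a user or an app."""
    who = rec.get("initiatedBy", {})
    return (who.get("user", {}).get("userPrincipalName")
            or who.get("app", {}).get("displayName")
            or "unknown")


def _targets(rec: Dict) -> List[str]:
    return [t.get("displayName", "") for t in rec.get("targetResources", [])]


def triage(records: Iterable[Dict],
           approved: Set[Tuple[str, str]] = frozenset()) -> List[Dict]:
    """One alert per federation change or credential addition that is not
    covered by an approved (operation, target) change record."""
    alerts = []
    for rec in records:
        op = rec.get("activityDisplayName", "")
        if op in FEDERATION_OPS:
            path, base_severity = "federated-idp-change", "critical"
        elif op in CREDENTIAL_OPS:
            path, base_severity = "rogue-credential", "medium"
        else:
            continue
        for target in _targets(rec):
            if (op, target) in approved:
                continue  # matched to an authorised change; no alert
            severity = base_severity
            if path == "rogue-credential" and \
                    APP_PERMISSIONS.get(target, set()) & HIGH_RISK_PERMISSIONS:
                severity = "high"  # credential on an app that can read mail
            alerts.append({"path": path, "severity": severity, "operation": op,
                           "actor": _actor(rec), "target": target,
                           "time": rec.get("activityDateTime", "")})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert)
```

Federation changes are rated critical regardless of target because a new IdP can mint tokens for any user; the `approved` set is where a change-management feed would plug in so that planned federation work does not page anyone. The Golden SAML path using a stolen on-premises ADFS signing certificate is not visible in this log at all, which is why the source above treats the on-premises identity tier as part of the cloud attack surface.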

_______________________________________________________________________________________

(January 19, 2021)


SolarWinds hackers accessed internal emails of Malwarebytes 

Cybersecurity firm Malwarebytes confirmed that the threat actor behind the SolarWinds supply-chain attack was able to gain access to some company emails. The company did not find evidence of a compromise or unauthorized access to internal production or on-premises environments. The attackers exploited an Azure Active Directory weakness that allowed access to a limited subset of internal company emails.


_______________________________________________________________________________________

(January 19, 2021)


SolarWinds hackers used 7-Zip code to hide ‘Raindrop’

The ongoing analysis of the SolarWinds supply-chain attack uncovered a fourth malicious tool, which researchers call Raindrop and which was used to spread across computers on the victim network. To hide the malicious functionality, the hackers used a modified version of the 7-Zip source code to compile Raindrop as a DLL file.


_______________________________________________________________________________________

(January 19, 2021)


SolarWinds attack showed a new dimension in cyber-espionage tactics

The epic SolarWinds attack signals a new normal for cyber espionage. The recent campaign illustrates how nation-state attackers are going after real-time information and how challenging it is for targeted organizations to detect it. It is a new dimension of nation-state hacking, given how widespread Office 365 and Azure AD cloud deployments are.


_______________________________________________________________________________________

(January 19, 2021)


Remediation and hardening strategies to defend against UNC2452

Recent research has disclosed the methodologies used by UNC2452 and other threat actors to move laterally from on-premises networks to the Microsoft 365 cloud. It also provides details about how organizations can proactively harden their environments and remediate environments where similar techniques have been observed.

Ref - FireEye

_______________________________________________________________________________________

(January 19, 2021)


Symantec researchers discover fourth malware strain used in SolarWinds attack

Researchers from cyber-security firm Symantec have identified another malware strain, dubbed Raindrop, that was used during the SolarWinds supply chain attack. The previously discovered strains are Sunspot, Sunburst (Solorigate), and Teardrop. Raindrop was used as a loader for the Cobalt Strike Beacon, which the intruders later used to escalate and broaden their access inside a hacked IT network.

Ref - ZDNet
 
_______________________________________________________________________________________

(January 19, 2021)


Tactics used by the SolarWinds hackers may be copied by other groups as well

After the SolarWinds attack, researchers are bracing for an increase in the popularity of supply chain attacks among other attackers. Other actors will obviously adapt these techniques because they go after what works. SAML token manipulation is a risk for virtually all cloud users, not just those on Azure, as happened in the case of the SolarWinds attack.

Ref - Wired 

_______________________________________________________________________________________

(January 18, 2021)


Planned supply chain attacks may have devastating effects

Well planned supply chain attacks can have a devastating real-world impact on a large number of organizations within the blast radius of the original compromise, like the case of the recent SolarWinds attacks. Detecting the SUNBURST backdoor implanted in SolarWinds Orion is difficult to accomplish with existing automated capabilities because the backdoor was delivered through a legitimate software update to a known monitoring and management tool. Many organizations do not keep access logs long enough to determine whether or not a successful compromise occurred.

Ref - Zscaler 

_______________________________________________________________________________________

(January 18, 2021)


Symantec discovers new Raindrop malware in SolarWinds investigation

Symantec has uncovered an additional piece of malware used in the SolarWinds attacks, which was used against a select number of victims that were of interest to the attackers. Raindrop (Backdoor.Raindrop) is a loader that delivers a payload of Cobalt Strike. Symantec has seen no evidence of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst.

Ref - Symantec 

_______________________________________________________________________________________

(January 18, 2021)


Google Cloud: We do use some SolarWinds, but we weren't affected by mega hack

Google Cloud's first chief information security officer (CISO), Phil Venables, has said that Google's cloud venture does use software from vendor SolarWinds, but in a limited and contained manner. Besides using security layers such as Titan chips for Google host machines and Shielded Virtual Machines, Google also verifies that software is built and signed in an approved, isolated build environment from properly checked-in code that has been reviewed and tested.

Ref - ZDNet 

_______________________________________________________________________________________

(January 18, 2021)


SolarWinds hack is quickly reshaping Congress’s cybersecurity agenda

In the wake of the discovery of the SolarWinds breach, the incoming Biden administration committed to making cybersecurity a top priority. The Biden team has announced a Rescue Plan that calls for around $10 billion in cybersecurity spending, including $690 million for CISA to improve security monitoring and incident response at the agency.

Ref - CSO Online 

_______________________________________________________________________________________

(January 18, 2021)


New updates in Infinity SOC can pinpoint the presence of Sunburst infection

CheckPoint has updated its Infinity SOC offering, enabling it to pinpoint the presence of Sunburst indicators of compromise across the client’s network. According to CheckPoint, administrators can leverage the cloud-based platform to search for Sunburst indicators within network, cloud, and endpoint environments. The solution also provides event investigation tools to drill down into findings to validate and plan remediation steps.

Ref - CheckPoint 

_______________________________________________________________________________________

(January 18, 2021)


Monetary Authority of Singapore (MAS) announces new rules for the financial sector after SolarWinds breach

All financial services and e-payment firms in Singapore must, from Jan 18, follow a new set of central banking rules to better mitigate technology risks in the wake of a recent cyberattack that impacted organizations around the world. MAS now requires all financial institutions to assess the suppliers of their technology vendors.


_______________________________________________________________________________________

(January 17, 2021)

Cyber threat intel analysis of SolarWinds' identified indicators of compromise

Owing to the scale of the SolarWinds breach, several cybersecurity organizations, principally FireEye, and other companies such as Open Source Context, released lists of indicators of compromise (IoCs). A majority of the IoCs, 14 out of 18 to be exact, were first registered more than five years ago.

Ref - CircleID

_______________________________________________________________________________________

(January 15, 2021)


Some UW campuses could have been exploited in Solarwinds breach

The national cyberattack that targeted the SolarWinds computer network monitoring software could have impacted some University of Wisconsin (UW) System campuses that use it. UW System officials won't say which campuses use SolarWinds or whether they were impacted by the suspected Russian hack.

Ref - WPR

_______________________________________________________________________________________

(January 15, 2021)


Understanding third-party attacks after SolarWinds breach

The SolarWinds hack is just one example of a third-party, supply chain compromise. And while the scale of the SolarWinds hack is certainly novel, third-party compromises are not. In addition, third-party compromises are just one of six common root causes of breaches. The other root causes are phishing, malware, unencrypted data, software vulnerabilities, and inadvertent employee mistakes.


_______________________________________________________________________________________

(January 15, 2021)


SolarWinds Orion vulnerability - SonicWall product notification

SonicWall Capture Labs threat researchers have investigated the SolarWinds Orion vulnerability. They published four signatures that identify malicious activity against affected SolarWinds Orion versions, and two additional application notifications that detect if an organization has SolarWinds Orion deployed within its network. These signatures are applied automatically to SonicWall firewalls with active security subscriptions.

Ref - SonicWall 

_______________________________________________________________________________________

(January 15, 2021)


SolarWinds fallout making secure communications the first line of defense

After the SolarWinds breach, operational security measures addressing sensitive communications are imperative as a critical first line of defense. They ensure that enterprises and government agencies can defend themselves against further compromise and can establish strong, resilient crisis response plans to prevent and mitigate future intrusions.

Ref - FCW

_______________________________________________________________________________________

(January 15, 2021)

SolarWinds close to figuring out how cyberattack occurred

Austin-based SolarWinds, the software company at the center of what is considered one of the most sophisticated cyberattacks in U.S. history, said it believes it is closer to understanding how the attack was carried out. The company has reverse-engineered the code used in the attack to better understand how it was deployed.

Ref - GT

_______________________________________________________________________________________

(January 15, 2021)


SUNBURST - No one saw it coming

The attack on SolarWinds, dubbed Sunburst, loaded a Trojan into the SolarWinds Orion Platforms, thus compromising the networks of SolarWinds’ clients. US-based organizations were targets of nearly 80% of the attacks, though organizations based in other countries including Belgium, Canada, Israel, Mexico, Spain, and the UAE were also affected. Now organizations must consider that more threat actors are likely to mimic the success of the Sunburst attack.

Ref - NTT 

_______________________________________________________________________________________

(January 15, 2021)


SolarWinds attack - What has been done right and what has gone wrong

The “good” thing about SUNBURST is that it is written in .NET, making it relatively easy to decompile and see what the attacker has programmed. There have been reactions that have worked, such as Microsoft seizing the domain on which the whole attack depends (avsvmcloud.com).


_______________________________________________________________________________________

(January 14, 2021)


Dell product response to SolarWinds

Dell has disclosed that the SolarWinds attack does not impact its products. In the wake of the recent SolarWinds attacks, Dell has revealed that it does not embed or deliver the SolarWinds Orion software within any of its Dell or Dell EMC products.

Ref - Dell 

_______________________________________________________________________________________

(January 14, 2021)


SolarWinds SUNSPOT malware - Threat advisory

The developers of SUNSPOT were very careful in designing the malware. They made sure that the code would be properly inserted and remained undetected. Upon entering the system, SUNSPOT starts to spawn a new thread to determine if the Orion software is being built and, if so, hijack the build operation to inject SUNBURST.

Ref - Cyber Florida  

_______________________________________________________________________________________

(January 14, 2021)


The SolarWinds attack poses a challenge for contractors

The SolarWinds incident could just as easily have occurred with a construction management company or general contractor using the construction industry’s various project management software programs. Such digital attacks can intercept sensitive information, divert funds, and hold hostage a company’s computer systems.


_______________________________________________________________________________________

(January 14, 2021)


Key lessons from SolarWinds attacks

The most important lesson from the SolarWinds attack is that all computer systems are vulnerable to hacking. The second important lesson is that security is not just about technology, but also about governance, policies, processes, and people. Thirdly, security should be baked into the software development life cycle and not be bolted on after the fact.

Ref - Forbes

_______________________________________________________________________________________

(January 14, 2021)


Analyzing SolarWinds exposure with Cisco Endpoint Security Analytics

While digging out of the SolarWinds mess, Cisco researchers were able to connect local Windows processes to domains that were reported in the IOC lists. Cisco Endpoint Security Analytics (CESA) allows users to associate which endpoint accessed which domain, as well as which software processes and protocols were used.

Ref - Cisco

_______________________________________________________________________________________

(January 14, 2021)


SolarWinds hack forces reckoning with supply-chain security

After working in recent weeks to assess their exposure to the attack on the software provider, businesses have turned to probing their other vendors’ security, re-evaluating vetting processes for partners, and even pausing updates to applications. The fallout from the SolarWinds hack is pressuring firms to more aggressively review their technology.

Ref - WSJ

_______________________________________________________________________________________

(January 14, 2021)


SolarWinds breach could cost cyber insurance firms around $90 million

Cyber insurance vendors are expected to spend $90 million on incident response and forensic services for clients who were compromised by the SolarWinds hackers. Although the SolarWinds attack is a cyber catastrophe from a national security perspective, insurers may have narrowly avoided a catastrophic financial incident to their businesses.

Ref - CRN

_______________________________________________________________________________________

(January 14, 2021)


How to avoid SolarWinds type attacks

The Linux Foundation has provided some suggestions on how to avoid SolarWinds-type attacks. These include hardening software build environments, moving towards verified reproducible builds, changing tools and interfaces so that unintentional vulnerabilities are less likely, educating developers, using vulnerability detection tools when developing software, improving widely-used OSS, implementing OpenChain, and others.

Ref - ZDNet
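The "verified reproducible builds" suggestion above is the direct counter to the build hijack described in the SUNSPOT threat advisory entry earlier on this page, where the malware swapped a source file in only while the Orion build ran. As an added example (written for this page, not the Linux Foundation's, CrowdStrike's or SolarWinds' code), the Python below builds a constructed source tree with a toy compiler and shows why a before-and-after manifest of the checkout misses a transient swap, while two checks that the page's advice implies do catch it: a manifest of the exact inputs recorded by the build step, and a comparison of the artifact against an independent clean build. The file names, the toy compiler and the simulated swap are all constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

SOURCE_SUFFIXES = (".cs", ".csproj")


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: Path, suffixes=SOURCE_SUFFIXES) -> Dict[str, str]:
    """Manifest of every matching file under root: relative POSIX path -> sha256."""
    return {p.relative_to(root).as_posix(): hash_bytes(p.read_bytes())
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix in suffixes}


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed or changed between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def toy_build(root: Path) -> Tuple[str, Dict[str, str]]:
    """Stand-in for a compiler: the artifact is a hash over the sources it reads,
    and the build records a manifest of exactly those inputs (the provenance a
    hardened build environment should emit)."""
    inputs = hash_tree(root)
    artifact = hash_bytes("".join(f"{k}:{v}\n" for k, v in inputs.items()).encode())
    return artifact, inputs


def build_with_transient_swap(root: Path, victim: str, altered: bytes):
    """Constructed simulation of the in-build swap described on this page: one
    source file is replaced only while the compiler runs and restored afterwards,
    so the checkout looks untouched once the build finishes."""
    path = root / victim
    original = path.read_bytes()
    path.write_bytes(altered)
    try:
        return toy_build(root)
    finally:
        path.write_bytes(original)


def demo() -> Dict[str, object]:
    """Run the scenario in a temporary directory and return the three verdicts."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Core").mkdir()
        (root / "Core" / "Engine.cs").write_text("class Engine {}\n")
        (root / "Core" / "Inventory.cs").write_text("class Inventory {}\n")
        (root / "Core" / "Core.csproj").write_text("<Project />\n")

        checked_in = hash_tree(root)                 # what version control says
        clean_artifact, _ = toy_build(root)          # independent clean rebuild
        tampered_artifact, build_inputs = build_with_transient_swap(
            root, "Core/Inventory.cs", b"class Inventory { /* altered */ }\n")
        after_build = hash_tree(root)                # checkout after the build

        return {
            # empty: the swap was undone before anyone looked at the tree
            "naive_diff": diff_manifest(checked_in, after_build),
            # names the swapped file: compare what the build actually read
            "input_diff": diff_manifest(checked_in, build_inputs),
            # False: the tampered build does not reproduce the clean one
            "reproducible": clean_artifact == tampered_artifact,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to carry over to a real pipeline is that the input manifest has to be produced by the build step itself, inside the build environment, and the reproducibility check has to be made against a build from a separately provisioned machine; a checksum of the repository taken before or after the build proves nothing about what the compiler was fed.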

_______________________________________________________________________________________

(January 14, 2021)


Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender

According to Microsoft, Microsoft 365 Defender and Azure Defender can deliver unified, intelligent, and automated security across domains, giving end-to-end threat visibility for SolarWinds-type attacks. In addition, by providing comprehensive visibility and rich investigation tools, Microsoft 365 Defender and Azure Defender can help organizations continuously improve their security posture.

Ref - Microsoft

_______________________________________________________________________________________

(January 14, 2021)


FireEye not ready to ascribe SolarWinds hack to Russia

The cybersecurity firm FireEye said Tuesday that it has not seen enough evidence to positively attribute the ongoing SolarWinds Orion hack to Russian entities. FireEye is credited as the first to detect an intrusion in SolarWinds Orion, an IT management software, although it is not attributing the attack to Russia yet.

Ref - FCW

_______________________________________________________________________________________

(January 13, 2021)


SolarLeaks website offering files allegedly obtained from SolarWinds breach 

Someone has set up a website named SolarLeaks where they are offering to sell gigabytes of files allegedly obtained as a result of the recently disclosed SolarWinds breach. The SolarLeaks website is offering source code allegedly obtained from Microsoft, Cisco, SolarWinds, and FireEye.


_______________________________________________________________________________________

(January 13, 2021)

More SolarWinds victims are expected

The number of federal agencies hit by the SolarWinds Orion breach will likely surpass the White House’s tally of 10, according to the director of the National Counterintelligence and Security Center. The number of organizations affected by the SolarWinds hack will likely rise as investigators continue to manage the fallout.

Ref - GCN

_______________________________________________________________________________________

(January 13, 2021)


SolarWinds attackers could have targeted Mimecast pursuing multiple paths

The discovery of a data breach at email service provider Mimecast could indicate attackers behind the massive SolarWinds incident may have pursued multiple paths to infiltrate target organizations. However, Mimecast no longer uses the SolarWinds Orion network management software.


_______________________________________________________________________________________

(January 13, 2021)

Microsoft President: SolarWinds attack violated ‘norms and rules’ of government activities

In a pre-recorded keynote address during the digital CES 2021 conference, Microsoft President Brad Smith has called on governments of the world to hold to a higher standard to prevent supply chain attacks similar to SolarWinds Orion. In addition, the tech industry will need to work with both government and non-governmental agencies to address such critical cybersecurity issues.

Ref - CRN

_______________________________________________________________________________________

(January 13, 2021)


SolarWinds hack followed years of warnings of weak cybersecurity

The Cyberspace Solarium Commission, which was created to develop strategies to thwart sizable cyber-attacks, had presented a set of recommendations to Congress in March that included additional safeguards to ensure more trusted supply chains. More than 75 of the highest priority recommendations were not fully addressed by the agencies.

Ref - Bloomberg

_______________________________________________________________________________________

(January 13, 2021)


SolarWinds risk assessment resources for Microsoft 365 and Azure

Several government and private organizations, including Microsoft, have released a wealth of information and tools to assess risk from SolarWinds-like attacks. These resources can help organizations prepare themselves to respond appropriately to SolarWinds-related attacks.

Ref - CSO Online 

_______________________________________________________________________________________

(January 12, 2021)


SolarWinds claimed to have found the source of a massive cyberattack

Security software provider SolarWinds revealed that it has found the source of a highly sophisticated malicious code injection that it believes was used by the perpetrators of the recent cyberattack on the company and its clients, including federal government agencies. It was able to reverse engineer the code, allowing it to learn more about the tool that was developed and deployed into the build environment.


_______________________________________________________________________________________

(January 12, 2021)


SolarWinds attack - Involvement of Mimecast customers further escalates the risks

The Mimecast hackers used tools and techniques that link them to the hackers who broke into Austin, Texas-based SolarWinds Corp. This new revelation by Mimecast potentially adds thousands of victims to the years-long intelligence operation, which was likely aimed at gaining access to email systems.


_______________________________________________________________________________________

(January 12, 2021)


New findings in SolarWinds attack fill out the timeline of Russia-linked campaign

Based on a continuing investigation, SolarWinds Corp. has said that the Russia-linked hackers, who accessed U.S. government systems and corporate networks via the SolarWinds Orion supply chain attack, had been accessing its systems since early September 2019. A month later, a version of the company’s Orion Platform software was found that appears to have contained modifications designed to test the hackers’ ability to insert malicious code into the system.


_______________________________________________________________________________________

(January 12, 2021)


Cisco’s response towards the SolarWinds Orion platform attack

Cisco has provided updates on the investigation process, answers to common questions, available Indicators of Compromise (IOCs), and recommendations for its customers around the recent SolarWinds attacks. Cisco said that it was using Orion installations with a small number of Cisco assets.

Ref - Cisco 

_______________________________________________________________________________________

(January 12, 2021)


SUNSPOT and new malware family associations

In its recent update, Rapid7 talks about two recent developments regarding the SolarWinds attacks. First is about CrowdStrike’s technical analysis of the "SUNSPOT" malware that was used to insert the SUNBURST backdoor into SolarWinds Orion software builds. Another is the technical analysis from researchers at Kaspersky about their discovery of feature overlap between the SUNBURST malware code and the Kazuar backdoor.

Ref - Rapid7

_______________________________________________________________________________________

(January 12, 2021)


The perpetrators spent months inside SolarWinds’ software

New research into the SolarWinds attack shows the perpetrators spent months inside the company’s software development labs, honing their attack before inserting malicious code into updates that SolarWinds then shipped to thousands of customers. And such insidious methods could be repurposed against many other major software providers as well.


_______________________________________________________________________________________

(January 12, 2021)


'SolarLeaks' website claims to sell data stolen in SolarWinds attacks

A website named 'SolarLeaks' is selling data it claims was stolen from companies confirmed to have been breached in the SolarWinds attack. The website, hosted on the domain solarleaks[.]net, claims to be selling the stolen data from Microsoft, Cisco, FireEye, and SolarWinds.


_______________________________________________________________________________________

(January 12, 2021)


Mimecast certificate was compromised by hackers for Microsoft authentication

Mimecast has disclosed that a sophisticated threat actor had compromised a Mimecast certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services.

Ref - CRN 

_______________________________________________________________________________________

(January 12, 2021)


New SolarWinds CEO sets out a recovery path to pull through the major attack

According to Sudhakar Ramakrishna, the new CEO of SolarWinds, the most crucial of the next steps will involve securing SolarWinds’ internal environment through deploying additional, robust threat protection and threat hunting software on its network, particularly across developer environments.

Ref - ARNnet 

_______________________________________________________________________________________

(January 12, 2021)


Kaspersky Lab reveals evidence on SolarWinds breach

Kaspersky Lab has said that the SolarWinds hackers may have ties to the Turla group, which is linked to Russia's FSB security service. Its researchers found that the backdoor secretly implanted in SolarWinds' Orion product shares several features with a previously identified backdoor known as Kazuar.


_______________________________________________________________________________________

(January 12, 2021)


Third malware strain identified in SolarWinds breach

Cyber-security firm CrowdStrike said that it has identified a third malware strain directly involved in the SolarWinds hack. Named SUNSPOT, it joins the previously discovered SUNBURST (Solorigate) and TEARDROP strains. CrowdStrike believes SUNSPOT was actually the first of the three to be used, since it ran inside SolarWinds' build environment to plant SUNBURST in Orion builds.

Ref - ZDNet

_______________________________________________________________________________________

(January 12, 2021)


FBI investigating Russian-linked postcard sent to FireEye CEO after uncovering SolarWinds incident

The FBI is investigating a mysterious postcard sent to the home of the chief executive of cybersecurity firm FireEye. The postcard arrived just a few days after the company had found initial evidence of a suspected Russian hacking operation against dozens of U.S. government agencies and private American companies. Given its timing and content, U.S. officials familiar with the postcard are investigating whether it was sent by people associated with a Russian intelligence service; they suspect the sender was attempting to "troll" the company or push it off the trail by intimidating a senior executive.

Ref - Reuters

_______________________________________________________________________________________

(January 11, 2021)


More details revealed about the SUNBURST attack

SolarWinds says it has found the highly sophisticated and novel code-injection mechanism the perpetrators used to insert the SUNBURST malicious code into builds of its Orion Platform software. By running the intrusion through multiple servers based in the U.S. and mimicking legitimate network traffic, the attackers were able to circumvent the threat detection techniques employed by SolarWinds, by other private companies, and by the federal government.


_______________________________________________________________________________________

(January 11, 2021)


Indicators of Compromise for SUNBURST malware

Most of the SolarWinds-related IOCs published by researchers so far only indicate that a backdoored SolarWinds Orion update has been installed; they give no way to tell whether the attackers actually used that backdoor. The network-based events described by Netresec (in particular, CNAME responses to the backdoor's DNS beacons) indicate that a client has been actively targeted and that SUNBURST has progressed beyond its initial mode of operation. According to this research, Palo Alto Networks was among the targeted victims of the SUNBURST attack.

Ref - Netresec

_______________________________________________________________________________________

(January 11, 2021)


SolarWinds attack one of the most sophisticated and complex attacks in history

The new CEO of SolarWinds has described the recent attacks on SolarWinds as one of the most complex and sophisticated cyberattacks in history. SolarWinds, KPMG, and CrowdStrike were able to locate the malicious code injection source, and reverse-engineer it to learn more about the tool that was developed and deployed into SolarWinds’ build environment.

Ref - CRN 

_______________________________________________________________________________________

(January 11, 2021)


SolarWinds attack may cost as much as $100 billion

According to recent research, American businesses and government agencies may need to spend more than $100 billion over many months to contain and fix the damage from the Russian hack against the SolarWinds software used by so many Fortune 500 companies and U.S. government departments.

Ref - Rollcall 

_______________________________________________________________________________________

(January 11, 2021)


Stealthy code was used to launch the SolarWinds hacking attack

SolarWinds says that it has identified the malicious code that attackers used to manipulate its software and remain undetected for months. The code was designed to inject another piece of custom malicious software into Orion without arousing the suspicion of the company's software development and build teams.


_______________________________________________________________________________________

(January 11, 2021)


SolarWinds breach could be linked to Turla APT

New details disclosed about the Sunburst backdoor, which was used in the sprawling SolarWinds supply-chain attack, potentially link it to previously known activity by the Turla APT group. Researchers at Kaspersky have uncovered several code similarities between Sunburst and the Kazuar backdoor.


_______________________________________________________________________________________

(January 11, 2021)


SolarWinds supply chain attack is a lesson to learn

After all the recent discoveries made about the SolarWinds hack, it is already clear that the scope is extensive, and the full impact will likely prove to be devastating. Organizations should attempt to create a "cyber kill chain" for supply chain compromises, in order to prevent, disrupt, or at least quickly detect such incidents before weaponized software has the opportunity to cause damage.


_______________________________________________________________________________________

(January 11, 2021)


There could be more undisclosed federal victims of SolarWinds breach: CISA

Brandon Wales, CISA's acting director, has said that the number of federal agencies breached in a suspected Russian espionage campaign will likely increase as the investigation continues. He added that the number will nonetheless remain extremely small because of the highly targeted nature of this campaign, and that the same holds for the private-sector entities compromised.


_______________________________________________________________________________________

(January 11, 2021)


New details emerged from an investigation of SUNBURST

Security experts have provided an update on the investigation so far, including an important development that could bring investigators closer to understanding how this serious attack was carried out. The experts believe they have found the highly sophisticated and novel code-injection mechanism the perpetrators used to insert the SUNBURST malicious code into builds of the Orion Platform software.


_______________________________________________________________________________________

(January 11, 2021)


The attacker behind the SolarWinds breach also targeted O365 accounts

The threat actors behind the SolarWinds attack appear to have also compromised Microsoft 365 and Azure application accounts. Once the threat actor has impersonated a privileged Azure AD account, it is likely to go on to manipulate the Azure/M365 environment (actions on objectives in the cloud), for example by adding credentials to applications and reading mail through them.

Ref - Duo

_______________________________________________________________________________________

(January 11, 2021)


SUNBURST backdoor having shared feature with Russian APT malware

Kaspersky researchers have found that the Sunburst backdoor shows some feature overlaps with Kazuar, a .NET backdoor tentatively linked to the Russian Turla hacking group. The group is the main suspect behind attacks targeting the Pentagon and NASA, the U.S. Central Command, and the Finnish Foreign Ministry.


_______________________________________________________________________________________

(January 11, 2021)


The SolarWinds hack is different than previous breaches

What sets the SolarWinds attack apart from previous incidents is its sheer scale. The company has over 300,000 customers worldwide, according to filings made to the U.S. Securities and Exchange Commission. Throughout 2020, SolarWinds sent out software updates to roughly 18,000 of them.


_______________________________________________________________________________________

(January 11, 2021)


Technical analysis of SUNSPOT malware

CrowdStrike has published a technical analysis of SUNSPOT, a malicious tool deployed into SolarWinds' build environment to inject the SUNBURST backdoor into the Orion platform without arousing the suspicion of the development team charged with delivering the product. SUNSPOT is the StellarParticle actor's malware for inserting the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.


_______________________________________________________________________________________

(January 8, 2021)


Chris Krebs and Alex Stamos team up against SolarWinds attacks

SolarWinds, which has been embroiled in a recent, wide-scale hack, has called in two security powerhouses for help: Former director of the Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs, and former Facebook security executive Alex Stamos.

Ref - Threatpost

_______________________________________________________________________________________

(January 8, 2021)


Spotting post-compromise threat activity in Microsoft Cloud Environments

CISA released an alert, stating that it has observed an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations.

Ref - US-CERT

_______________________________________________________________________________________

(January 8, 2021)


The SolarWinds attacker used password guessing and password spraying attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) has stated that the threat actor behind the SolarWinds hack also used password guessing and password spraying attacks to breach targets as part of its recent hacking campaign and didn't always rely on the trojanized updates as its initial access vector.

Ref - ZDNet
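The spraying pattern CISA describes is easier to reason about in code. The following is an added example (not from CISA or ZDNet) of detection logic over constructed sign-in events, run offline. The event format, the outcome labels, and the thresholds (five accounts within an hour, at most two failures per account) are assumptions chosen for the example and would be tuned against real sign-in logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). One event per line:
# ISO timestamp, account, source IP, outcome. "failure" stands for a bad-password
# result (Azure AD error 50126, for instance); "success" for a sign-in that succeeded.
SAMPLE_SIGNINS = """\
2020-12-10T02:00:01Z alice@corp.example 198.51.100.7 failure
2020-12-10T02:00:09Z bob@corp.example 198.51.100.7 failure
2020-12-10T02:00:17Z carol@corp.example 198.51.100.7 failure
2020-12-10T02:00:25Z dave@corp.example 198.51.100.7 failure
2020-12-10T02:00:33Z erin@corp.example 198.51.100.7 failure
2020-12-10T02:00:41Z frank@corp.example 198.51.100.7 failure
2020-12-10T02:00:49Z grace@corp.example 198.51.100.7 success
2020-12-10T09:15:00Z heidi@corp.example 203.0.113.5 failure
2020-12-10T09:15:20Z heidi@corp.example 203.0.113.5 failure
2020-12-10T09:15:45Z heidi@corp.example 203.0.113.5 failure
2020-12-10T09:16:10Z heidi@corp.example 203.0.113.5 success
"""


def parse_signins(text):
    """Parse the constructed format above into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "outcome": outcome})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=2):
    """One finding per source IP whose failures inside any `window` span at least
    `min_users` distinct accounts with no more than `max_per_user` failures each.
    That is the spray signature: wide and shallow, unlike a brute force that hammers
    one account (heidi above) and trips lockout. Successful sign-ins from the same
    source during or shortly after the spray are reported as candidate compromises."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        for i, first in enumerate(failures):
            end = first["ts"] + window
            per_user = defaultdict(int)
            for e in failures[i:]:
                if e["ts"] > end:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits = sorted({e["user"] for e in evs
                               if e["outcome"] == "success"
                               and first["ts"] <= e["ts"] <= end + window})
                findings.append({"ip": ip, "window_start": first["ts"].isoformat(),
                                 "targeted_users": sorted(per_user), "successes": hits})
                break  # one finding per source IP is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_signins(SAMPLE_SIGNINS)):
        print(f["ip"], "sprayed", len(f["targeted_users"]), "accounts; successes:", f["successes"])
```

The detector keys on distinct accounts per source rather than failures per account, which is what separates a spray from a lockout-triggering brute force; a success from the spraying source inside the window is the account to reset and investigate first.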

_______________________________________________________________________________________

(January 7, 2021)

US Judiciary adding safeguards and security procedures after SolarWinds hack

The Administrative Office of the U.S. Courts is investigating a potential compromise of the federal courts' case management and electronic case files system. The US Judiciary is also working on immediately adding extra safeguards and security procedures to protect the highly sensitive court documents (HSDs) filed with the courts, by having security audits related to vulnerabilities, and defining new rules for storing confidential documents.


_______________________________________________________________________________________

(January 7, 2021)


A 'Severity-Zero alert' led to the discovery of SolarWinds breach

FireEye's CEO shared some insight into the cyberattack on the security firm, which provided the first clue to a massive and wide-ranging attack campaign. He described how the company first recognized the serious attack it had suffered: a newly registered phone, enrolled for two-factor authentication on a FireEye user account, was the first indication of malicious activity.


_______________________________________________________________________________________

(January 7, 2021)


Sealed U.S. court records compromised in SolarWinds breach

Backdoored products by network software firm SolarWinds may have jeopardized the privacy of countless sealed court documents on file with the U.S. federal court system. An apparent compromise of the confidentiality of the Case Management/Electronic Case Files system due to some discovered vulnerabilities currently is under investigation. 


_______________________________________________________________________________________

(January 6, 2021)


SolarWinds hackers had access to Microsoft O365 email server

The US Department of Justice confirmed that the Russian state-sponsored hackers behind the SolarWinds supply chain attack targeted its IT systems, and potentially accessed the O365 mailboxes of some of the users. The number of impacted DOJ employees is currently believed to be around 3,000 to 3,450.

Ref - ZDNet

_______________________________________________________________________________________

(January 5, 2021)


Concerns over Microsoft’s source code exposure in the SolarWinds attack

Microsoft revealed that its investigation of SolarWinds breach had found no evidence of unauthorized access to its production services or customer data, but that effort did uncover another attack attempt. The tech giant has an “inner source approach” that makes source code viewable within Microsoft. Even so, such an attempt raises some important questions about the types of risks that Microsoft might still be facing as a result of this exposure.


_______________________________________________________________________________________

(January 5, 2021)


The U.S. now formally blames Russia for SolarWinds breach

Four US agencies, the FBI, CISA, ODNI, and the NSA, have released a joint statement formally accusing the Russian government of orchestrating the SolarWinds supply chain attack. The statement says that an Advanced Persistent Threat (APT) actor, likely Russian in origin, was responsible for the SolarWinds hack.

Ref - ZDNet

_______________________________________________________________________________________

(January 5, 2021)


Critical infrastructure could join the list of potential targets 

Researchers have started to piece together a picture of the SolarWinds intrusion using the information found in the networks of U.S. agencies and companies. But there’s another potential group of victims who haven’t yet disclosed any attacks, in part because they may not yet know. That is America’s critical infrastructure, which includes everything from bridges and airports to the electrical grid and hydroelectric dams.

Ref - Bloomberg

_______________________________________________________________________________________

(January 5, 2021)


SolarWinds breach raises concerns over Windows updates

Microsoft recently announced that the SolarWinds attackers had viewed some of its source code, raising concerns among Microsoft customers. The SolarWinds attack has raised serious questions about how safe companies (and government agencies) are when OS or software updates roll out.


_______________________________________________________________________________________

(January 4, 2021)


SolarWinds facing a class-action lawsuit for alleged securities violations

The first class-action lawsuit brought against SolarWinds following its breach accuses the company of making materially false and misleading statements about its security posture throughout 2020. The suit alleges that SolarWinds, its outgoing CEO, and its CFO made false and/or misleading statements in regulatory filings with the U.S. Securities and Exchange Commission in February, May, August, and November of 2020.

Ref - CRN

_______________________________________________________________________________________

(January 4, 2021)


SolarWinds confirms malware targeted crocked Orion product

The extent and impact of the SolarWinds hack became even more apparent over the holiday break. SolarWinds has confirmed that the SUPERNOVA malware found on Orion servers did not arrive through the supply chain: it is placed separately on a server by an attacker who already has unauthorized access to the customer's network, and it is designed to appear to be part of a SolarWinds product.


_______________________________________________________________________________________

(January 4, 2021)


SolarWinds hack - Microsoft’s software blueprints acquired but not altered

The latest results of an ongoing investigation by Microsoft revealed that the sophisticated attackers behind the SolarWinds cyber-espionage operation were able to use compromised accounts to access the blueprints of Microsoft’s software. Attackers were able to acquire the blueprints, but they could not alter them, Microsoft said.


_______________________________________________________________________________________

(January 4, 2021)


The SolarWinds attack could be worse than expected

The SolarWinds attack may prove even more damaging to U.S. national security and business prosperity than first thought. The latest reports suggest that the Russians may even have accessed the crown jewels of Microsoft's software stack, Windows and Office. Though there were no explosions and no deaths, the incident has been called the Pearl Harbor of American IT.

Ref - ZDNet

______________________________________________________________________________________

(January 4, 2021)


SolarWinds hack - A global attack

Recent evidence suggests that a number of cyber-defense missteps may have helped the attackers in their efforts. Early warning sensors placed by Cyber Command and the National Security Agency (NSA) evidently failed, and the attackers were using US-based servers to prevent getting caught.

Ref - TechRadar 

_______________________________________________________________________________________

(January 4, 2021)


UNC2452 hacker continues to tickle security researchers

The attack methods used by the SolarWinds attackers suggest their deep knowledge and understanding of the entire SDLC of SolarWinds. It is possible that the attackers were monitoring the version control server to prepare any necessary changes based on legitimate updates. Or, possibly, they had compromised the build process itself (e.g. a build script) and, during the build, substituted the legitimate SolarWinds.Orion.Core.BusinessLayer.dll with the malicious version.

Ref - Medium

_______________________________________________________________________________________

(January 4, 2021)


How SolarWinds hackers used Supernova malware to target Orion products

The SolarWinds hackers trojanised versions 2019.4 HF 5 through 2020.2.1 of the SolarWinds Orion platform, released between March and June 2020. These trojanised updates were downloaded by as many as 18,000 private and public organizations. The trojanised builds carried the SUNBURST backdoor; the separate SUPERNOVA malware was also found on targeted Orion servers.

Ref - TEISS 

_______________________________________________________________________________________

(January 4, 2021)


The massive Russian hack was waged inside the U.S.

Russian hackers staged their attacks from servers inside the U.S., sometimes using computers in the same town or city as the victims, according to cybersecurity company FireEye. The attack, attributed to Russia, began with the targeting of the software of IT contractor SolarWinds.

Ref - Axios

_______________________________________________________________________________________

(January 3, 2021)


SUPERNOVA forensic details by using Code Property Graph

The fallout from the SolarWinds compromise has resulted in the identification of several new malware families, each with different characteristics and behaviors. Security experts recently described how the weaponized DLL was patched into the SolarWinds software development life cycle (SDLC) after the initial intrusion, and detailed the detection-evasion techniques employed by the APT actor behind this attack.


_______________________________________________________________________________________

(January 3, 2021)


SolarWinds was warned in 2017 about the risk of 'catastrophic' breach

A cybersecurity adviser says he had warned SolarWinds of a potential 'catastrophic' hacking attack if the company didn't amp up internal security measures three years before Russians compromised their software. The firm's moving of some operations to Eastern Europe may have exposed it to the massive Russian hack.

Ref - Dailymail

_______________________________________________________________________________________

(January 2, 2021)


The growing danger of Russia-based hack attacks

It now appears that the SolarWinds breach is far broader than first believed. Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks. And all the “Early warning” sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed.


_______________________________________________________________________________________

(December 31, 2020)


Microsoft’s source code was accessed by SolarWinds hackers 

The hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and access some of its source code. It is not clear how much or what parts of Microsoft’s source code repositories the hackers were able to access. However, being able to review the code could offer hackers insight that might help them subvert Microsoft products or services.

Ref - Reuters

_______________________________________________________________________________________

(December 31, 2020)


The SolarWinds attack is a wake-up call for the U.S.

The recent major SolarWinds hack compromised the Department of Homeland Security, the State Department, the US Treasury, and also impacted several IT giants including Microsoft, Cisco, VMware, FireEye, and many more. The huge investment made by the U.S. in technology, which is a key strength of the US economy, is also making it vulnerable to such attacks.

Ref - Forbes

_______________________________________________________________________________________

(December 30, 2020)


All U.S. federal agencies ordered to update the SolarWinds Orion platform

The CISA has ordered all US federal agencies to update the SolarWinds Orion platform to the latest version by the end of business hours on December 31, 2020. CISA's Supplemental Guidance to Emergency Directive 21-01 demands this from all agencies using Orion versions unaffected in the SolarWinds supply chain attack.


_______________________________________________________________________________________

(December 30, 2020)


The cyberattack on SolarWinds may have started earlier than current estimates

The vice-chairman of the Senate Intelligence Committee claims that the cyberattacks on U.S. government agencies reported in December may have begun earlier than previously believed. According to him, the initial burrowing may have started earlier, however, there is no evidence suggesting that classified government secrets were compromised.

Ref - The Hill

_______________________________________________________________________________________

(December 30, 2020)


It is too early to make attribution for SolarWinds attack

The expansive SolarWinds intrusion campaign has affected more than half a dozen U.S. government agencies. Several individuals and agencies, including members of the U.S. Congress, have publicly accused Russia. However, the lack of public evidence has given rise to claims that other actors, perhaps even other countries, may be responsible, a claim also made by President Donald Trump.


_______________________________________________________________________________________

(December 30, 2020)


NSA validates the fixed version of SolarWinds Orion Platform - CISA issues emergency directive

After the release of SolarWinds Orion Platform version 2020.2.1 HF2, the National Security Agency (NSA) examined the new version and verified that it eliminates the previously identified malicious code. CISA issued an emergency directive to help organizations mitigate the SolarWinds Orion code compromise.

Ref - DHS

_______________________________________________________________________________________

(December 29, 2020)


SolarWinds hackers were looking for victims' cloud data

According to Microsoft, the end goal of the SolarWinds supply chain compromise was to pivot to the victims' cloud assets after deploying the Sunburst/Solorigate backdoor on their local networks. After the initial widespread foothold, the attackers could pick and choose the specific organizations they want to continue operating within.


_______________________________________________________________________________________

(December 29, 2020)


Qualys researchers analyze over 7.54 million vulnerable instances related to FireEye Red Team tools

An analysis of the 7.54 million vulnerable instances indicated that about 99.84% (roughly 7.53 million) are from only eight vulnerabilities in Microsoft’s software. For all these eight vulnerabilities, including CVE-2020-1472 and CVE-2020-0688, Microsoft patches have been available for a while.

Ref - Qualys 

_______________________________________________________________________________________

(December 29, 2020)


UAE-based entities targeted in the SolarWinds breach

The National Cybersecurity Council has reported that UAE-based entities were targeted in the SolarWinds cyber-attack and that steps were taken to secure constituencies. In addition, the government body is also taking all precautions and procedures necessary to safeguard the UAE's digital infrastructure, stop cyber-attacks, and ensure quick recovery from such incidents.


_______________________________________________________________________________________

(December 29, 2020)


NETRESEC updates its tool to identify security products installed on Trojanized SolarWinds Orion deployments

NETRESEC's free tool SunburstDomainDecoder (v1.7) can be used to identify the endpoint protection applications installed on trojanized SolarWinds Orion deployments. The security application information is extracted from DNS queries for "avsvmcloud[.]com" subdomains, which SUNBURST uses as its beacon and first-stage C2 channel: the backdoor encodes details about the victim host, including which security products are running, into the subdomain it looks up.

Ref - Netresec 
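The triage that this entry and the January 11 Netresec entry above both call for (which Orion hosts merely beaconed, which were answered with a stand-down address, and which received the CNAME response that marks stage-2 targeting) can be scripted over ordinary DNS logs. The block below is an added example and is not NETRESEC's decoder or any other code from this page. The log lines are constructed; the hostname shape and the stand-down address ranges come from FireEye's public SUNBURST analysis; decoding of the encoded subdomain label (the part that yields the security-product information SunburstDomainDecoder extracts) is deliberately not reproduced here.

```python
import ipaddress
import re

# First-stage beacon hostname shape, <encoded>.appsync-api.<region>.avsvmcloud.com,
# from FireEye's public SUNBURST analysis. The encoded label carries the victim's
# AD domain, host GUID and security-product flags; it is not decoded here.
BEACON_RE = re.compile(
    r"^(?P<enc>[a-z0-9]+)\.appsync-api\.(?P<region>[a-z0-9-]+)\.avsvmcloud\.com$")

# Resolved addresses that make the backdoor stand down: private and multicast space
# plus 20.140.0.0/15, the range the sinkhole "killswitch" resolves into (per FireEye's
# published analysis, which names a few further public ranges omitted here).
STANDDOWN_RANGES = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                     "224.0.0.0/3", "20.140.0.0/15")]

# Two second-stage C2 domains from FireEye's published SUNBURST IOC list; extend this
# from the IOC section linked at the top of this page.
KNOWN_STAGE2 = {"freescanonline.com", "deftsecurity.com"}

# Constructed sample records (not real traffic) in a simplified Zeek dns.log layout:
# ts, client IP, query, qtype, answers ("-" when the response carried none, otherwise
# comma-separated; a CNAME chain lists the target name before its address).
SAMPLE_DNS_LOG = """\
1607900000.10\t10.20.30.40\tq7c2kv1tn9x3pae4rm0b.appsync-api.us-west-2.avsvmcloud.com\tA\t10.0.0.1
1607900001.20\t10.20.30.41\tm3t0qpdw1r6ks8zvbn2e.appsync-api.eu-west-1.avsvmcloud.com\tA\t-
1607900002.30\t10.20.30.42\tb8n1xr4cwj9y2tqs0vme.appsync-api.us-east-1.avsvmcloud.com\tA\tfreescanonline.com,198.51.100.23
1607900003.40\t10.20.30.43\twww.example.com\tA\t93.184.216.34
"""


def classify_answers(answers):
    """Return (verdict, detail). A hostname among the answers is a CNAME, meaning the
    operators selected this host for stage 2. An address inside STANDDOWN_RANGES means
    the beacon was answered with a deactivation signal. Anything else is a plain beacon:
    the backdoor is installed and checking in, but has not been activated."""
    if answers == "-":
        return "beacon", None
    for a in answers.split(","):
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            return "stage2", a
        if any(ip in net for net in STANDDOWN_RANGES):
            return "standdown", a
    return "beacon", answers.split(",")[0]


def triage_dns_log(text):
    """Pull every avsvmcloud.com beacon out of the log and classify its response."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, query, qtype, answers = line.split("\t")
        m = BEACON_RE.match(query.lower())
        if not m:
            continue
        verdict, detail = classify_answers(answers)
        findings.append({"ts": ts, "client": client, "region": m.group("region"),
                         "verdict": verdict, "detail": detail,
                         "known_c2": verdict == "stage2" and detail in KNOWN_STAGE2})
    return findings


def hosts_for_incident_response(findings):
    """Clients that received a CNAME: SUNBURST moved beyond its initial beacon there."""
    return sorted({f["client"] for f in findings if f["verdict"] == "stage2"})


if __name__ == "__main__":
    results = triage_dns_log(SAMPLE_DNS_LOG)
    for r in results:
        print(r["client"], r["region"], r["verdict"], r["detail"])
    print("full IR needed on:", hosts_for_incident_response(results))
```

Every host in the output has the backdoored DLL and needs the rebuild that CISA's directive requires; the distinction the verdicts draw is between hosts where the attackers only saw a beacon and hosts where they chose to come in, which is where mailbox, credential and lateral-movement forensics should start.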

_______________________________________________________________________________________

(December 28, 2020)


Microsoft shares information for partners on using Microsoft 365 Defender to protect against Solorigate

Microsoft has published a comprehensive guide to provide information to customers and partners about securing their environment and answering their questions related to the recent SolarWinds attacks. It also provides additional links and information for Microsoft partners.


_______________________________________________________________________________________

(December 28, 2020)


More supply chain attacks like SolarWinds expected in 2021

SolarWinds, the Vietnam Government Certification Authority, Able Desktop, GoldenSpy, and Wizvera VeraPort are some of the prominent supply chain attacks observed in recent times. Almost all security researchers now agree that more such supply-chain attacks will happen, especially attacks on the software development lifecycle, and that security teams need to sharpen their strategies.


_______________________________________________________________________________________

(December 28, 2020)


CISA's PowerShell-based tool Sparrow can detect malicious activities related to SolarWinds attack

SolarWinds threat actors were found actively using stolen credentials and access tokens to target Azure customers. CISA's Cloud Forensics team has prepared a malicious activity detection tool dubbed Sparrow, which can check for compromised Azure accounts. This tool can check the unified Azure/M365 audit log for known IoCs, provide a list of Azure AD domains, and also check for Azure service principals and their Microsoft Graph API permissions to discover potential malicious activity. 
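What a Sparrow-style hunt does over an exported unified audit log and a service principal inventory, as an added example that is not CISA's tool or any other code from this page. The records are constructed; the operation names are the ones Sparrow and similar tools query, reproduced from their public documentation; the ObjectId layout, the field names of the service principal export, and the set of "sensitive" permissions are assumptions made for the example.

```python
# Unified audit log operations in the AzureActiveDirectory workload that CISA's Sparrow
# (and CrowdStrike's CRT) look for. Names reproduced from those tools' public docs;
# note the trailing period, which is part of the operation name in the log.
FEDERATION_OPS = {"Set federation settings on domain.", "Set domain authentication."}
APP_CREDENTIAL_OPS = {"Add service principal credentials."}
APP_LIFECYCLE_OPS = {"Add application.", "Add service principal.", "Consent to application."}

# Application (not delegated) Graph permissions that let an app read any mailbox or
# rewrite the directory without a user present; assumed "sensitive" for this example.
SENSITIVE_APP_ROLES = {"Mail.Read", "Mail.ReadWrite", "Directory.ReadWrite.All",
                       "RoleManagement.ReadWrite.Directory"}

# Constructed audit records (not a real export). The "ServicePrincipal_<appId>" ObjectId
# layout is an assumption made so the credential event can be tied to an app.
SAMPLE_AUDIT_RECORDS = [
    {"CreationTime": "2020-12-08T03:11:02", "Workload": "AzureActiveDirectory",
     "Operation": "Set federation settings on domain.", "UserId": "admin@corp.example",
     "ObjectId": "corp.example", "ResultStatus": "Success"},
    {"CreationTime": "2020-12-08T03:14:40", "Workload": "AzureActiveDirectory",
     "Operation": "Add service principal credentials.", "UserId": "admin@corp.example",
     "ObjectId": "ServicePrincipal_9e8c3b2a-0000-4000-8000-000000000001",
     "ResultStatus": "Success"},
    {"CreationTime": "2020-12-08T03:20:15", "Workload": "Exchange",
     "Operation": "MailItemsAccessed", "UserId": "cfo@corp.example",
     "ClientAppId": "9e8c3b2a-0000-4000-8000-000000000001", "ResultStatus": "Succeeded"},
    {"CreationTime": "2020-12-08T10:00:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "alice@corp.example", "ResultStatus": "Success"},
]

# Constructed service principal inventory (shape assumed for the example).
SAMPLE_SERVICE_PRINCIPALS = [
    {"appId": "9e8c3b2a-0000-4000-8000-000000000001", "displayName": "MailSyncHelper",
     "appRoles": ["Mail.Read", "Directory.Read.All"], "permissionType": "Application"},
    {"appId": "11111111-0000-4000-8000-000000000002", "displayName": "Corp Intranet",
     "appRoles": ["User.Read"], "permissionType": "Delegated"},
]


def hunt_audit_log(records, mail_app_allowlist=frozenset()):
    """Flag the record types Sparrow reports: federation/domain-auth changes (the
    Golden SAML setup), new credentials on service principals, app registrations and
    consents, and mail reads performed by an application identity not on the allowlist."""
    findings = []
    for r in records:
        op = r.get("Operation", "")
        if op in FEDERATION_OPS:
            findings.append(("high", "federation-change", r["UserId"], r.get("ObjectId")))
        elif op in APP_CREDENTIAL_OPS:
            findings.append(("high", "service-principal-credential-added",
                             r["UserId"], r.get("ObjectId")))
        elif op in APP_LIFECYCLE_OPS:
            findings.append(("medium", "app-registration-or-consent",
                             r["UserId"], r.get("ObjectId")))
        elif op == "MailItemsAccessed" and r.get("ClientAppId") \
                and r["ClientAppId"] not in mail_app_allowlist:
            findings.append(("medium", "mail-read-by-app", r["UserId"], r["ClientAppId"]))
    return findings


def risky_service_principals(sps):
    """Service principals holding application-level permissions from SENSITIVE_APP_ROLES."""
    out = []
    for sp in sps:
        held = sorted(set(sp["appRoles"]) & SENSITIVE_APP_ROLES)
        if sp["permissionType"] == "Application" and held:
            out.append((sp["appId"], sp["displayName"], held))
    return out


def apps_with_new_credentials_reading_mail(records):
    """The correlation worth doing first: apps that received a new credential in the
    log and then read mail. That is the pattern of an attacker-added secret in use."""
    cred_apps = {r["ObjectId"].split("_", 1)[1] for r in records
                 if r.get("Operation") in APP_CREDENTIAL_OPS and "_" in r.get("ObjectId", "")}
    mail_apps = {r["ClientAppId"] for r in records if r.get("Operation") == "MailItemsAccessed"}
    return sorted(cred_apps & mail_apps)


if __name__ == "__main__":
    for sev, kind, who, obj in hunt_audit_log(SAMPLE_AUDIT_RECORDS):
        print(sev, kind, who, obj)
    print(risky_service_principals(SAMPLE_SERVICE_PRINCIPALS))
    print(apps_with_new_credentials_reading_mail(SAMPLE_AUDIT_RECORDS))
```

A federation change is rare enough in most tenants that any occurrence should be reviewed by hand; the credential-plus-mail-read correlation is the one that turns a noisy list of app events into a short list of identities to revoke.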


_______________________________________________________________________________________

(December 28, 2020)


A different threat actor may have used Supernova malware, exploiting a new zero-day vulnerability

The SUPERNOVA malware has been linked to a previously unknown vulnerability, tracked as CVE-2020-10148, which allows a remote attacker to bypass authentication on the Orion API and execute API commands. This zero-day flaw may have been used by a second threat actor, unrelated to the first, to target the SolarWinds Orion platform.

Ref - SecurityWeek 

_______________________________________________________________________________________

(December 28, 2020)


Using ShiftLeft’s Code Property Graph to explore SolarWinds Sunburst backdoor

By reversing the binaries for Sunburst malware, several rough edges were discovered in the SolarWinds espionage operation. It has been revealed that the attacker employed FNV-1a (Fowler Noll Vo) + XOR class of hash algorithms to obfuscate all of the hardcoded literals in the codebase. A navigation workflow of the Sunburst malware has also been disclosed.
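The hashing scheme itself, as an added example that is not ShiftLeft's code or anything from this page: FNV-1a over the literal's UTF-8 bytes, XORed with a fixed constant, plus the dictionary lookup researchers use to map the stored hashes back to the process and service names they hide. The XOR constant is the one reported in FireEye's and Microsoft's analyses; the wordlist is constructed and is not the backdoor's own list.

```python
FNV64_OFFSET = 0xCBF29CE484222325   # standard FNV-1a 64-bit offset basis
FNV64_PRIME = 0x100000001B3         # standard FNV-1a 64-bit prime
MASK64 = (1 << 64) - 1
# Constant SUNBURST XORs into each digest, as reported in FireEye's and Microsoft's analyses.
SUNBURST_XOR = 6605813339339102567


def fnv1a64(data: bytes) -> int:
    """Plain FNV-1a (64-bit): XOR each byte in, then multiply by the prime mod 2**64."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(s: str) -> int:
    """The obfuscated form SUNBURST stores for a literal: FNV-1a over the UTF-8 bytes,
    then XOR with the constant. The XOR adds no strength; it only defeats a lookup of
    the bare FNV-1a value in public hash tables."""
    return fnv1a64(s.encode("utf-8")) ^ SUNBURST_XOR


def resolve_hashes(obfuscated, wordlist):
    """Dictionary attack: map each obfuscated value back to the wordlist entry that
    produces it, or None when nothing matches. The hash is one-way, so recovering the
    literals depends on guessing candidates (tool, service and driver names)."""
    table = {sunburst_hash(w): w for w in wordlist}
    return {h: table.get(h) for h in obfuscated}


# Constructed wordlist of analysis-tool process names (not the backdoor's actual list).
WORDLIST = ["wireshark", "procmon", "x64dbg", "windbg", "apimonitor-x64", "autoruns"]

if __name__ == "__main__":
    targets = [sunburst_hash("procmon"), sunburst_hash("wireshark"), 0x1234]
    for h, name in resolve_hashes(targets, WORDLIST).items():
        print(f"{h:020d} -> {name}")
```

Because the multiplication is carried out modulo 2**64, the bit-mask after each step is what makes the Python version match the C# `ulong` arithmetic; without it the hash would grow without bound and never match the stored constants.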


_______________________________________________________________________________________

(December 28, 2020)


NGSAST policy for Sunburst backdoor detection

A code repository on GitHub provides the building blocks of an NG SAST policy for Sunburst backdoor detection. These code snippets can be used with ShiftLeft's tooling to detect the Sunburst backdoor's patterns.

Ref - GitHub

_______________________________________________________________________________________

(December 28, 2020)


Microsoft shares information on using Microsoft 365 Defender to protect against Solorigate

Microsoft has published a comprehensive guide for security operations and incident response teams. This guide provides details about using Microsoft 365 Defender to identify, investigate, and respond to the recent Solorigate attack targeting the SolarWinds Orion platform.

Ref - Microsoft 

_______________________________________________________________________________________

(December 26, 2020)


SolarWinds releases updated advisory for new SUPERNOVA malware

SolarWinds has released an updated advisory for the additional SuperNova malware discovered to have been distributed through the company's network management platform.


_______________________________________________________________________________________

(December 26, 2020)


SolarWinds breach highlights several corporate governance gaps

The SolarWinds breach poses several urgent cybersecurity challenges for CIOs and boards. It highlights how boards' ability to monitor cyber risk is hampered by a lack of director expertise, outdated and incomplete committee charters, and highly diffused responsibilities. Insufficient resources, weak oversight, and poor coordination make matters worse.

Ref - Forbes

_______________________________________________________________________________________

(December 26, 2020)


Security advisory to fix newly found remote command execution flaw in SolarWinds Orion platform

A security advisory has been released to fix a new vulnerability (CVE-2020-10148) that was probably targeted by a second hacker group to execute remote API commands on the targeted systems. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.

Ref - CERT
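Both the SUPERNOVA webshell (see the December 28 and January 4 entries) and the CVE-2020-10148 bypass leave traces in the Orion web server's IIS logs. The following is an added example, not from CERT or SolarWinds, of what to look for. The log excerpt is constructed; the SUPERNOVA parameter names come from public analyses of the sample (Palo Alto Unit 42 among others), the bypass tokens from the CERT/CC advisory for CVE-2020-10148; the API path in the sample is an assumption.

```python
from urllib.parse import parse_qs

# Query parameters read by SUPERNOVA, a trojanised copy of Orion's LogoImageHandler.ashx:
# "codes" carries C# source that the webshell compiles in memory, and clazz/method/args
# name the class and method to invoke. The genuine handler only takes an image "id".
# Names per public analyses of the sample.
SUPERNOVA_PARAMS = {"codes", "clazz", "method", "args"}

# PathInfo values that make the Orion API skip authorization (CVE-2020-10148), as
# listed in the CERT/CC advisory this entry refers to.
AUTH_BYPASS_TOKENS = ("webresource.adx", "scriptresource.adx", "i18n.ashx", "skipi18n")

# Constructed IIS W3C log excerpt (not real traffic). Field order follows the #Fields
# header; "-" marks an empty field, including an anonymous request in cs-username.
# The /api/nodes path is an assumption for the example.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-12-20 04:12:33 GET /Orion/LogoImageHandler.ashx id=0 ops.admin 10.1.2.3 200
2020-12-20 04:12:35 GET /Orion/LogoImageHandler.ashx codes=using+System%3B+public+class+Evil%7B%7D&clazz=Evil&method=Run&args=whoami - 198.51.100.9 200
2020-12-20 04:13:01 GET /api/nodes/WebResource.adx select=Caption - 198.51.100.9 200
2020-12-20 04:13:40 GET /Orion/Login.aspx - - 203.0.113.4 200
"""


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def detect_supernova(text):
    """Two detections: (1) LogoImageHandler.ashx invoked with the webshell's parameters,
    with the submitted C# decoded so the analyst can read the payload; (2) an anonymous,
    successful request whose path carries one of the authorization-bypass tokens."""
    findings = []
    for rec in parse_iis_log(text):
        stem = rec["cs-uri-stem"].lower()
        query = parse_qs(rec["cs-uri-query"]) if rec["cs-uri-query"] != "-" else {}
        hit = SUPERNOVA_PARAMS & {k.lower() for k in query}
        if stem.endswith("logoimagehandler.ashx") and hit:
            findings.append({"kind": "supernova-invocation", "client": rec["c-ip"],
                             "params": sorted(hit), "code": query.get("codes", [""])[0]})
        if any(tok in stem for tok in AUTH_BYPASS_TOKENS) \
                and rec["cs-username"] == "-" and rec["sc-status"] == "200":
            findings.append({"kind": "cve-2020-10148-bypass", "client": rec["c-ip"],
                             "uri": rec["cs-uri-stem"]})
    return findings


if __name__ == "__main__":
    for f in detect_supernova(SAMPLE_IIS_LOG):
        print(f)
```

The first detection is high-confidence: the legitimate handler never receives `clazz`, `method` or `args`, so any request carrying them is either the webshell or someone probing for it. The second needs tuning per site, since an authenticated user hitting a real resource whose name happens to contain one of the tokens is harmless; the anonymous-and-200 condition is what isolates the bypass.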

_______________________________________________________________________________________

(December 25, 2020)


CrowdStrike releases a free Azure security tool after SolarWinds attack

CrowdStrike has released a free CrowdStrike Reporting Tool for Azure (CRT) tool to help administrators analyze their Microsoft Azure environment and see what privileges are assigned to third-party resellers and partners. The company was recently notified by Microsoft that during SolarWinds attacks, threat actors had attempted to read the company's emails through compromised Microsoft Azure credentials.


_______________________________________________________________________________________

(December 25, 2020)


A deep forensics investigation of SolarWinds supply-chain attack

A deep forensics investigation regarding SolarWinds supply chain attack has revealed another set of new details. The attackers had breached the SolarWinds source code management system in October 2019, and since then they not only deeply learned and tampered with the source code of SolarWinds but also learned the topology of their networks and internal development domain names to minimize the risk of getting noticed by security teams.


_______________________________________________________________________________________

(December 25, 2020)


SolarWinds issues urgent security fix

SolarWinds has updated its flagship Orion software, 11 days after revealing a major breach. On 13 December, it disclosed that Orion had been compromised, and used by suspected Russian attackers as a means to penetrate US government networks and companies including Intel. It was later revealed that the product had also been compromised by malware from a suspected second perpetrator, adding a separate backdoor.

Ref - BBC

_______________________________________________________________________________________

(December 25, 2020)


Solorigate attack affected critical infrastructure, including the power industry

The recent SolarWinds hacking attack that infected numerous government agencies and tech companies with malicious SolarWinds software has also infected more than a dozen critical infrastructure companies in the electric, oil, and manufacturing industries that were also running the software.


_______________________________________________________________________________________

(December 25, 2020)


Experts who wrestled with SolarWinds hackers say cleanup could take months - or longer

The attackers had not only managed to break back in (a common enough occurrence in the world of cyber incident response) but had sailed straight through to the client's email system, getting past the recently refreshed password protections without any trouble. This indicates how capable and sophisticated the hackers were.

Ref - Reuters

_______________________________________________________________________________________

(December 24, 2020)