U.S. Treasury, Commerce Depts Hacked by Group Tied to 'Foreign Government'

Discussion in 'other security issues & news' started by hawki, Dec 13, 2020.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "SolarWinds has hired ex-CISA chief Chris Krebs and Facebook's former security lead Alex Stamos...

    Krebs and Stamos both told The Financial Times they expect to uncover a lot more damage done by the hack than has been reported already.

    Krebs headed up the Department of Homeland Security's Cybersecurity and Infrastructure Agency (CISA) until November, when he was fired by President Trump..."

    https://www.businessinsider.com/solarwinds-hires-chris-krebs-and-alex-stamos-2021-1
     
  2. hawki
    "Chris Krebs and Alex Stamos have started a cyber consulting firm

    Former U.S. cybersecurity official Chris Krebs and former Facebook chief security officer Alex Stamos have founded a new cybersecurity consultancy firm, which already has its first client: SolarWinds ..."

    https://techcrunch.com/2021/01/08/chris-krebs-and-alex-stamos-have-started-a-cyber-consulting-firm/
     
  3. hawki
    "CISA Alert (AA21-008A):

    Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments


    This Alert is a companion alert to AA20-252A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. AA20-252A primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-252A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products..."

    https://us-cert.cisa.gov/ncas/alerts/aa21-008a
     
  4. hawki
    "SolarWinds hackers linked to known Russian spying tools, investigators say

    LONDON (Reuters) - The group behind a global cyber-espionage campaign discovered last month deployed malicious computer code with links to spying tools previously used by suspected Russian hackers, researchers said on Monday.

    Investigators at Moscow-based cybersecurity firm Kaspersky said the "backdoor" used to compromise up to 18,000 customers of U.S. software maker SolarWinds closely resembled malware tied to a hacking group known as "Turla," which Estonian authorities have said operates on behalf of Russia's FSB security service..."

    https://kfgo.com/2021/01/11/solarwi...known-russian-spying-tools-investigators-say/
     
  5. hawki
    "FBI probes Russian-linked postcard sent to FireEye CEO after cybersecurity firm uncovered hack...

    (Reuters) - The FBI is investigating a mysterious postcard sent to the home of cybersecurity firm FireEye’s chief executive days after it found initial evidence of a suspected Russian hacking operation on dozens of U.S. government agencies and private American companies...

    U.S. officials familiar with the postcard are investigating whether it was sent by people associated with a Russian intelligence service due to its timing and content, which suggests internal knowledge of last year’s hack well before it was publicly disclosed in December...

    The postcard carries FireEye’s logo, is addressed to CEO Kevin Mandia, and calls into question the ability of the Milpitas, California-based firm to accurately attribute cyber operations to the Russian government.

    It shows a cartoon with the text: 'Hey look Russians' and 'Putin did it!'..."

    https://www.reuters.com/article/us-...ity-firm-uncovered-hack-sources-idUSKBN29G2IG
     
  6. hawki
    "New Sunspot malware found while investigating SolarWinds hack

    Cybersecurity firm CrowdStrike has discovered the malware used by the SolarWinds hackers to inject backdoors in Orion platform builds during the supply-chain attack that led to the compromise of several companies and government agencies.
    Sunspot, as it was dubbed by CrowdStrike, was dropped by the attackers in the development environment of SolarWinds' Orion IT management software.

    After being executed, the malware would monitor and automatically inject a Sunburst backdoor by replacing the company's legitimate source code with malicious code...

    'The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers,' CrowdStrike found..."

    https://www.bleepingcomputer.com/ne...re-found-while-investigating-solarwinds-hack/
     
  7. hawki
    FWIW

    "SolarLeaks site claims to sell data stolen in SolarWinds attacks

    Today, a solarleaks[.]net website was launched that claims to be selling the stolen data from Microsoft, Cisco, FireEye, and SolarWinds. All of these companies are known to have been breached during the supply chain attack.

    The website claims to be selling Microsoft source code and repositories for $600,000. Microsoft confirmed that threat actors accessed their source code during their SolarWinds breach...

    The threat actors also claim to be selling the source code for multiple Cisco products and, even more concerning, the company's internal bug tracker...

    The website also claims to be selling the private red team tools, and source code that FireEye disclosed were stolen during their attack for $50,000...

    ... the website sells SolarWinds source code and a dump of the customer portal for $250,000...

    The solarleaks.net domain is registered through NJALLA, a known registrar used by the Russian hacking groups Fancy Bear and Cozy Bear..."

    https://www.bleepingcomputer.com/ne...ms-to-sell-data-stolen-in-solarwinds-attacks/
     
  8. hawki
    "SolarWinds Hackers’ Attack on Email Security Company Raises New Red Flags

    Customers of Mimecast were targeted in cyberattack, showing the multiple layers of potential victims at risk in massive hack

    A breach at email security provider Mimecast Inc. underscores that Russia-linked hackers appear to have targeted victims along multiple avenues of attack in what is shaping up to be one of the most successful cyber campaigns of U.S. government and corporate systems.

    The attack potentially adds thousands of victims to the yearslong intelligence operation and likely aimed at gaining access to email systems, security experts say. Mimecast, in a Tuesday blog post, said the hackers were able to obtain a digital certificate used by the company to access its customers’ Microsoft 365 office productivity services.

    The Mimecast hackers used tools and techniques that link them to the hackers who broke into Austin, Texas-based SolarWinds Corp., according to people familiar with the investigation..."

    [Paywall]

    https://www.wsj.com/articles/solarw...rity-company-raises-new-red-flags-11610510375
     
  9. hawki
    "Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach.

    Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments...

    While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production..."

    https://blog.malwarebytes.com/malwa...-microsoft-office-365-and-azure-environments/
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,909
    Location:
    Slovenia, EU
    SolarWinds hackers used 7-Zip code to hide Raindrop Cobalt Strike loader
    https://www.bleepingcomputer.com/ne...p-code-to-hide-raindrop-cobalt-strike-loader/
     
  11. hawki
    FireEye publishes details of SolarWinds hacking techniques, gives out free tool to detect signs of intrusion

    Instructions for spotting and keeping suspected Russians out of systems:

    "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452..."

    https://www.fireeye.com/blog/threat...-microsoft-365-to-defend-against-unc2452.html

    https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf
     
  12. hawki
    "Trump Signs Order to Restrict Foreign Use of Cloud Companies

    (Bloomberg) -- On his last full day in office, President Donald Trump signed an executive order the White House said was aimed at preventing foreign malicious cyber-actors from using U.S. online infrastructure to carry out their activities.

    The order, which provides the Commerce Department with the authority to impose record-keeping obligations on foreign transactions, is viewed as a response to the recent hacking campaign that infected software from SolarWinds Corp. and targeted organizations including government agencies...

    The order also grants powers to ban or impose conditions on foreigners opening or maintaining accounts with American firms within the U.S. if they are found to be involved in malicious cyber-activity..."

    https://www.bnnbloomberg.ca/trump-signs-order-to-restrict-foreign-use-of-cloud-companies-1.1551041
     
  13. hawki
    "Microsoft shares how SolarWinds hackers evaded detection

    Microsoft today shared details on how the SolarWinds hackers were able to remain undetected by hiding their malicious activity inside the networks of breached companies.

    This previously unknown information was disclosed by security experts part of the Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), and Microsoft Cyber Defense Operations Center (CDOC).

    The report they published earlier today shares new details regarding the Solorigate second-stage activation — the steps and tools used to deploy custom Cobalt Strike loaders (Teardrop, Raindrop, and others) after dropping the Solorigate (Sunburst) DLL backdoor..."

    Details at link:

    https://www.bleepingcomputer.com/ne...ares-how-solarwinds-hackers-evaded-detection/
     
  14. hawki
    "Biden Orders Sweeping Assessment of Russian Hacking...

    WASHINGTON — President Biden ordered a sweeping review on Thursday of American intelligence about Russia’s role in a highly sophisticated hacking of government and corporate computer networks...

    Mr. Biden’s aides have privately cautioned that his options for retaliation in response to the attack on the “supply chain” of software used by the government and private industry are limited. In part because the evidence amassed so far suggested the Russians used their covert access chiefly to conduct espionage — something that all nations engage in and that the United States conducts against Russia all of the time, often through software manipulation...

    Mr. Biden’s order for a study of the SolarWinds hacking...comes as intelligence officials have quietly concluded that more than a thousand Russian software engineers were most likely involved in it...That suggests it was a far larger and stealthier operation than first known — and raises anew questions about why the National Security Agency and its military counterpart, United States Cyber Command, missed it...

    A key question...is whether the operation was limited to espionage, or whether “back doors” placed in government and corporate systems give Russia new abilities to alter data or shut down computer networks entirely..."

    https://www.msn.com/en-us/news/poli...wing-nuclear-treaty/ar-BB1cYEC1?ocid=msedgdhp
     
    Last edited: Jan 22, 2021
  15. hawki

  16. hawki
    "Mimecast Breach Linked To SolarWinds Hack, Allowed Cloud Services Access...

    Mimecast’s certificate compromise was carried out by the same threat actor behind the SolarWinds attack and gave hackers access to customers’ on-premises and cloud services...

    The Lexington, Mass.-based email security vendor said the SolarWinds hackers accessed and potentially exfiltrated encrypted customer service account credentials that established a connection from their Mimecast tenants to on-premises and cloud services.

    The compromised service account credentials were created by Mimecast customers hosted in the U.S. and U.K., the company said, and gave hackers access to LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling and SMTP-authenticated delivery routes of Mimecast customers..."

    https://www.crn.com/news/security/m...solarwinds-hack-allowed-cloud-services-access
     
  17. hawki
    "CISA
    Malware Analysis Report (AR21-027A)
    MAR-10319053-1.v1 - Supernova...


    This report provides detailed analysis of several malicious artifacts, affecting the SolarWinds Orion product, which have been identified by the security company FireEye as SUPERNOVA. According to a SolarWinds advisory, SUPERNOVA is not embedded within the Orion platform as a supply chain attack; rather, it is placed by an attacker directly on a system that hosts SolarWinds Orion and is designed to appear as part of the SolarWinds product. CISA's assessment is that SUPERNOVA is not part of the SolarWinds supply chain attack described in Alert AA20-352A. See the section in Microsoft’s blog titled “Additional malware discovered” for more information.

    This report describes the analysis of a PowerShell script that decodes and installs SUPERNOVA, a malicious webshell backdoor..."

    https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a
     
  18. Minimalist
    Here's How SolarWinds Hackers Stayed Undetected for Long Enough
    https://thehackernews.com/2021/01/heres-how-solarwinds-hackers-stayed.html
     
  19. hawki
    "Suspected Russian Hack Extends Far Beyond SolarWinds Software, Investigators Say

    Roughly 30% of victims are said to have no connection to the network-management company’s tainted software

    Investigators probing a massive hack of the U.S. government and businesses say they have found concrete evidence the suspected Russian espionage operation went far beyond the compromise of the small software vendor publicly linked to the attack.

    Close to a third of the victims didn’t run the SolarWinds Corp. software initially considered the main avenue of attack for the hackers, according to investigators and the government agency digging into the incident. The revelation is fueling concern that the episode exploited vulnerabilities in business software used daily by millions.

    Hackers linked to the attack have broken into these systems by exploiting known bugs in software products, by guessing online passwords and by capitalizing on a variety of issues in the way Microsoft Corp.’s cloud-based software is configured, investigators said..."

    [Paywall]

    https://www.wsj.com/articles/suspec...estigators-say-11611921601?mod=rss_Technology
     
  20. hawki
    "US court system ditches electronic filing, goes paper-only for sensitive documents following SolarWinds hack...

    The US court system has banned the electronic submission of legal documents in sensitive cases out of concern that Russian hackers have compromised the filing system.

    In an extraordinary memo [PDF] handed down to all courts late last week, any documents that 'contain information that is likely to be of interest to the intelligence service of a foreign government' will now have to be physically printed out and provided in a physical format...

    The new rules don’t apply to whole cases but to any documents that would be viewed as HSDs within any case. They typically involve 'national security, foreign sovereign interests, criminal activity related to cybersecurity or terrorism, investigation of public officials, the reputational interests of the United States, and extremely sensitive commercial information likely to be of interest to foreign powers.'...

    Typically those documents are filed through the court system’s electronic filing system but are sealed, requiring specific login access..."

    https://www.theregister.com/2021/02/01/us_court_papers/
     
  21. hawki
    "The U.S. Spent $2.2 Million on a Cybersecurity System That Wasn’t Implemented — and Might Have Stopped [Solarwinds] a Major Hack...

    As America struggles to assess the damage from the devastating SolarWinds cyberattack discovered in December, ProPublica has learned of a promising defense that could shore up the vulnerability the hackers exploited: a system the federal government funded but has never required its vendors to use...

    This problem [supply chain hacks] spurred development of a new approach, backed by $2.2 million in federal grants and available for free, aimed at providing end-to-end protection for the entire software supply pipeline. Named in-toto (Latin for “as a whole”), it is the work of a team of academics led by Justin Cappos, an associate computer science and engineering professor at New York University. Cappos, 43, has made securing the software supply chain his life’s work...

    The in-toto system requires software vendors to map out their process for assembling computer code that will be sent to customers, and it records what’s done at each step along the way. It then verifies electronically that no hacker has inserted something in between steps. Immediately before installation, a pre-installed tool automatically runs a final check to make sure that what the customer received matches the final product the software vendor generated for delivery, confirming that it wasn’t tampered with in transit...

    Cappos and his colleagues believe that the in-toto system, if widely deployed, could have blocked or minimized the damage from the SolarWinds attack. But that didn’t happen: The federal government has taken no steps to require its software vendors, such as SolarWinds, to adopt it. Indeed, no government agency has even inquired about it...

    'It’s available to everyone for free, paid for by the government, and should be used by everyone,' said Cappos..."

    https://www.propublica.org/article/solarwinds-cybersecurity-system
     
    Last edited: Feb 2, 2021
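    The three mechanisms the ProPublica piece attributes to in-toto (a declared layout of pipeline steps, per-step link metadata recording what each step consumed and produced, and a final check that the delivered file matches the last recorded product) can be shown in a few dozen lines. The following is an added example written for this thread, not code from the in-toto project or from any article quoted here; the layout, step names, file paths and HMAC-based "signatures" are all constructed for the demo (real in-toto uses asymmetric keys and a richer layout format). The scenario it walks through is the one CrowdStrike's Sunspot write-up describes: source swapped on disk between checkout and build.

```python
import hashlib
import hmac
import json

# Constructed demo keys: HMAC secrets stand in for each functionary's signing
# key so the example runs offline. Real in-toto links carry asymmetric signatures.
KEYS = {"dev": b"dev-secret-constructed", "ci": b"ci-secret-constructed"}

# Constructed layout: the vendor's declared pipeline, in order. Each step says
# what it may consume (materials), what it must produce (products), and which
# key must sign its link metadata.
LAYOUT = {
    "steps": [
        {"name": "checkout", "materials": [], "products": ["src/main.c"], "key": "dev"},
        {"name": "build", "materials": ["src/main.c"], "products": ["dist/app.bin"], "key": "ci"},
    ],
    "final_product": "dist/app.bin",
}


def digest(data: bytes) -> str:
    """SHA-256 hex digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def canonical(link: dict) -> bytes:
    """Deterministic serialisation of a link, excluding its own signature."""
    body = {k: v for k, v in link.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_link(step: str, materials: dict, products: dict, key_id: str) -> dict:
    """Record one step: hashes of its inputs and outputs, signed by that step's key."""
    link = {
        "step": step,
        "materials": {path: digest(data) for path, data in materials.items()},
        "products": {path: digest(data) for path, data in products.items()},
        "key": key_id,
    }
    link["signature"] = hmac.new(KEYS[key_id], canonical(link), "sha256").hexdigest()
    return link


def verify(layout: dict, links: dict, delivered: bytes) -> list:
    """Walk the layout in order; return a list of findings (empty means verified)."""
    findings = []
    previous_products = {}
    for step in layout["steps"]:
        name = step["name"]
        link = links.get(name)
        if link is None:
            findings.append(f"{name}: no link metadata")
            return findings
        expected_sig = hmac.new(KEYS[step["key"]], canonical(link), "sha256").hexdigest()
        if link["key"] != step["key"] or not hmac.compare_digest(expected_sig, link["signature"]):
            findings.append(f"{name}: signature invalid or wrong signer")
        for path in step["materials"]:
            # MATCH rule: what this step consumed must be exactly what the prior step produced.
            if path not in link["materials"] or link["materials"][path] != previous_products.get(path):
                findings.append(f"{name}: material {path} does not match previous product")
        for path in step["products"]:
            if path not in link["products"]:
                findings.append(f"{name}: expected product {path} missing")
        previous_products = link["products"]
    # Final check at the customer: the delivered bytes must match the last recorded product.
    if previous_products.get(layout["final_product"]) != digest(delivered):
        findings.append("delivered artifact does not match last recorded product")
    return findings


def run_scenario(swap_source: bool = False, corrupt_delivery: bool = False) -> list:
    """Honest pipeline; or source swapped on disk between checkout and build
    (the Sunspot pattern); or the shipped file altered in transit."""
    source = b"int main(void) { return 0; }\n"
    checkout_link = make_link("checkout", {}, {"src/main.c": source}, "dev")
    if swap_source:
        source = b"int main(void) { /* constructed implant */ return 0; }\n"
    binary = b"ELF:" + digest(source).encode()  # stand-in for compiler output
    build_link = make_link("build", {"src/main.c": source}, {"dist/app.bin": binary}, "ci")
    delivered = binary + b"\x00" if corrupt_delivery else binary
    return verify(LAYOUT, {"checkout": checkout_link, "build": build_link}, delivered)


if __name__ == "__main__":
    print("honest:", run_scenario())
    print("source swapped:", run_scenario(swap_source=True))
    print("transit tamper:", run_scenario(corrupt_delivery=True))
```

    The swapped-source case is caught because the build step's link records the hash of the file it actually compiled, and that hash no longer matches what the checkout step signed as its product; neither step has to know the other was attacked. The transit case is the "final check immediately before installation" the article mentions.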
  22. hawki
    "SolarWinds patches critical vulnerabilities in the Orion platform

    Even with the security updates prompted by the recent SolarWinds Orion supply-chain attack, researchers still found some glaring vulnerabilities affecting the platform, one of them allowing code execution with top privileges.

    Three issues have been found, two of them exploitable by a local attacker. A third one, the most severe of all, allows a remote, unprivileged actor to take control of the Orion platform...

    Administrators can get the fixes by installing Orion Platform 2020.2.4 and by applying Hotfix 1 for ServU-FTP 15.2.2."

    https://www.bleepingcomputer.com/ne...itical-vulnerabilities-in-the-orion-platform/
     
    Last edited by a moderator: Feb 3, 2021
  23. hawki
    "Hackers Lurked in SolarWinds Email System for at Least 9 Months, CEO Says

    Investigators still don’t know how the company was breached in attack that will cost millions


    The newly appointed chief executive of SolarWinds Corp. is still trying to unravel how his company became a primary vector for hackers in a massive attack revealed last year, but said evidence is emerging that they were lurking in the company’s Office 365 email system for months.

    The hackers had accessed at least one of the company’s Office 365 accounts by December 2019, and then leapfrogged to other Office 365 accounts used by the company, Sudhakar Ramakrishna said in an interview Tuesday. 'Some email accounts were compromised. That led them to compromise other email accounts and as a result our broader [Office] 365 environment was compromised,' he said...

    ...SolarWinds, previously a little-known but critical maker of network-management software, is still trying to understand how the hackers first got into the company’s network and when exactly that happened.

    One possibility is that the hackers may have compromised the company’s Office 365 accounts even earlier and then used that as the initial point of entry into the company, although that is one of several theories being pursued, Mr. Ramakrishna said..."

    https://www.wsj.com/articles/hacker...em-for-at-least-9-months-ceo-says-11612317963
     
  24. hawki
    "Microsoft: No Evidence SolarWinds Was Hacked Via Office 365

    Microsoft said its investigation hasn’t found any evidence that SolarWinds was attacked through Office 365, meaning the hackers gained privileged credentials in some other way.

    The Redmond, Wash.-based software giant said a Dec. 14 regulatory filing by SolarWinds gave the impression that SolarWinds was investigating an attack vector related to Microsoft Office 365..."

    https://www.crn.com/news/security/microsoft-no-evidence-solarwinds-was-hacked-via-office-365
     
  25. hawki
    "SolarWinds hack was the work of thousands, says Microsoft

    The SolarWinds hack that affected hundreds of public and private networks across the globe may have been the work of thousands of cyberattackers.

    Microsoft president Brad Smith told US news program 60 Minutes that an internal analysis of the attack found that 'certainly more than 1,000' software engineers had been involved...

    In the same 60 Minutes segment, it was also revealed exactly how FireEye discovered the SolarWinds hack. Company CEO Kevin Mandia said that a security employee noticed that an individual had two phones registered under their name [Used for two-factor-authorization]. Further investigation revealed that the second device was not legitimate.

    It was also disclosed that 4,032 lines of code were involved in the attack..."

    https://www.techradar.com/news/solarwinds-hack-was-the-work-of-thousands-says-microsoft
     
    Last edited: Feb 15, 2021
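    The FireEye anecdote above (an employee noticing a second phone registered for one user's two-factor login) is the kind of signal that can be checked automatically. The following is an added example for this thread, not FireEye's tooling or anything from the quoted article: it runs over a constructed set of sign-in and MFA-registration events (the format, users, phone numbers and IP addresses are all invented) and flags any registration that adds a second or later device for a user, noting whether the registering address appears in that user's older sign-in history. Sign-ins from the previous day are deliberately excluded from the baseline, since a sign-in with stolen credentials minutes before the registration would otherwise make the new address look familiar.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events for a demo tenant (not real logs):
# "timestamp,user,event,detail,source_ip". Bob's second phone is registered
# at night from an address he has never signed in from before.
EVENTS = """\
2020-11-02T09:14:00,alice,signin,ok,203.0.113.10
2020-11-02T09:15:00,alice,mfa_register,phone:+1-555-0100,203.0.113.10
2020-11-20T08:02:00,bob,signin,ok,203.0.113.22
2020-11-20T08:03:00,bob,mfa_register,phone:+1-555-0101,203.0.113.22
2020-11-25T08:10:00,bob,signin,ok,203.0.113.22
2020-12-01T22:41:00,bob,signin,ok,198.51.100.77
2020-12-01T22:43:00,bob,mfa_register,phone:+1-555-0199,198.51.100.77
2020-12-02T10:00:00,alice,signin,ok,203.0.113.10
"""

# Sign-ins younger than this relative to a registration do not count as baseline.
BASELINE_AGE = timedelta(days=1)


def parse_events(text: str) -> list:
    """Parse the constructed CSV-style lines into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, detail, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "detail": detail, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_registrations(events: list) -> list:
    """Flag each MFA registration that adds a second (or later) device for a
    user, recording whether the registering IP was in the user's older
    sign-in baseline. First enrollments are expected and are not reported."""
    signins = defaultdict(list)   # user -> [(ts, ip), ...]
    devices = defaultdict(list)   # user -> [device, ...]
    findings = []
    for e in events:
        if e["event"] == "signin":
            signins[e["user"]].append((e["ts"], e["ip"]))
        elif e["event"] == "mfa_register":
            devices[e["user"]].append(e["detail"])
            if len(devices[e["user"]]) < 2:
                continue
            baseline_ips = {ip for ts, ip in signins[e["user"]] if e["ts"] - ts > BASELINE_AGE}
            findings.append({
                "user": e["user"],
                "device": e["detail"],
                "registered_at": e["ts"].isoformat(),
                "source_ip": e["ip"],
                "ip_in_baseline": e["ip"] in baseline_ips,
                "device_count": len(devices[e["user"]]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_registrations(parse_events(EVENTS)):
        print(finding)
```

    In a real tenant the same logic would run over the identity provider's audit log rather than a constructed string, and the "second device from an unseen address" combination is what should page someone; a lone extra device is common enough (a replaced phone) that it is better treated as a review item than an alert.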