U.S. Treasury, Commerce Depts Hacked by Group Tied to 'Foreign Government’

Discussion in 'other security issues & news' started by hawki, Dec 13, 2020.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    For me, this was the "wake up call" for the cyber-world:
    Also, it is amazing the software update processing hasn't been subverted prior to these incidents. Well, actually it has been. It was just hushed up previously and not publicized.
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "SolarWinds hackers studied Microsoft authentication, email source code

    Before creating copies with new flaws.

    The hackers behind the worst intrusion of US government agencies in years won access to Microsoft’s secret source code for authenticating customers, one of the biggest vectors used in the attacks.

    Microsoft said in a blog post on Thursday that its internal investigation had found that the hackers studied parts of the source code instructions for its Azure cloud programs related to identity and security, its Exchange email programs, and Intune management for mobile devices and applications.

    Some of the code was downloaded, the company said, which would have allowed the hackers more freedom to hunt for security vulnerabilities, create copies with new flaws, or examine the logic for ways to exploit customer installations...

    Microsoft had said before that the hackers had accessed some source code, but had not said which parts, or that any had been copied..."

    https://www.itnews.com.au/news/sola...osoft-authentication-email-source-code-561251
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "The CEO of $53 billion CrowdStrike says its $400 million acquisition of the data-management firm Humio marks a way forward for cybersecurity after the SolarWinds attacks

    [Humio tracks the "logs," files that record all the computer activity in operating systems and software – like data being uploaded, access being granted to new users, or software updates.]

    CrowdStrike CEO George Kurtz said Humio's data will feed CrowdStrike's AI in a game-changing way.

    Kurtz says data-fed AI tools paired with identity verification are a new cybersecurity approach.

    'When you have that level of visibility, you can protect 'upstream,' in an email system, applications, or other entry points to your system,' he said.

    'Now CrowdStrike can use Humio's data and systems to learn what kinds of attacks are happening globally, and how to block them.'..."

    https://www.businessinsider.com/crowdstrike-humio-cybersecurity-data-400-million-acquisition-2021-2
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    SolarWinds Attackers Breached 100+ Private Firms
    https://www.infosecurity-magazine.com/news/solarwinds-attackers-breached-100/
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "White House says it will hold those responsible for SolarWinds hack accountable within weeks

    The US will be taking a series of steps to respond to the devastating SolarWinds cyber hack and hold accountable those responsible in 'short order,' national security adviser Jake Sullivan told CNN's Christiane Amanpour on Friday...

    'We are in the process now of working through, with the intelligence community and [President Joe Biden's] national security team, a series of steps to respond to Solar Winds, including steps that will hold who we believe is responsible for this and accountable, and you will be hearing about this in short order,' Sullivan said. 'We're not talking about months from now, but weeks from now, that the United States will be prepared to take the first steps in response to solar winds.'..."

    https://www.cnn.com/2021/02/19/politics/sullivan-solarwinds-khashoggi/index.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+rss/cnn_latest+(RSS:+CNN+-+Most+Recent)
     
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Why Was SolarWinds So Vulnerable to a Hack?...

    The U.S. government deserves considerable blame, of course, for its inadequate cyberdefense. But to see the problem only as a technical shortcoming is to miss the bigger picture. The modern market economy, which aggressively rewards corporations for short-term profits and aggressive cost-cutting, is also part of the problem: Its incentive structure all but ensures that successful tech companies will end up selling unsecure products and services...

    [Solarwinds] is owned in large part by Silver Lake and Thoma Bravo, private-equity firms known for extreme cost-cutting...

    SolarWinds certainly seems to have underspent on security. The company outsourced much of its software engineering to cheaper programmers overseas, even though that typically increases the risk of security vulnerabilities...

    As the economics writer Matt Stoller has suggested, cybersecurity is a natural area for a technology company to cut costs because its customers won’t notice unless they are hacked — and if they are, they will have already paid for the product. In other words, the risk of a cyberattack can be transferred to the customers...

    Companies need to pay the true costs of their insecurities, through a combination of laws, regulations and legal liability..."

    About the author:

    Bruce Schneier is a security technologist and the author of 14 books. He is a fellow at the Belfer Center at the Harvard Kennedy School and a fellow at the Berkman Klein Center for Internet and Society at Harvard University.

    https://www.nytimes.com/2021/02/23/opinion/solarwinds-hack.html
     
  9. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Google trying to put Microsoft on the spot at SolarWinds hearing

    Microsoft has faced intense scrutiny in the two months since the revelation of the SolarWinds campaign over the role of its products in spreading the hackers’ net.

    Google is lobbying Senate Intelligence Committee members to use a Tuesday hearing on the SolarWinds hack to press Microsoft on whether its products had cybersecurity failures that played a role in the sprawling compromise.

    On Monday, Google offered up a list to lawmakers of more than a dozen questions that one Senate aide said were aimed at scrutinizing the security of Microsoft products, such as Windows 10, Azure and Office 365..."

    https://www.politico.com/news/2021/02/23/google-microsoft-solarwinds-hearing-471168

    [Senate Intelligence Hearing on SolarWinds Hacking

    Watch LIVE today, February 23 | 2:30pm ET | C-SPAN.org

    https://www.c-span.org/video/?509234-1/senate-intelligence-hearing-solarwinds-hacking

    NB:

    Video recording of the hearing will remain available at the above link for viewing at a later time.]
     
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    Amazon Web Services (AWS) refused to appear at today's hearing.

    hmmmm
     
  11. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
  12. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Amazon’s Lack of Public Disclosure on SolarWinds Hack Angers Lawmakers

    Tech giant says it wasn’t breached, but it is seen as having valuable data on the attack

    As lawmakers and security researchers continue to unravel the SolarWinds hack, some are growing more frustrated with Amazon.com Inc., saying the cloud-computing giant should be more publicly forthcoming about its knowledge of the suspected Russian cyberattack...

    There are no indications that Amazon’s systems were directly breached, but hackers used its sprawling cloud-computing data centers to launch a key part of the attack, according to security researchers...

    Amazon has shared this information privately with the U.S. government, but unlike other technology companies, it has balked at making it public..."

    [Paywall]

    https://www.wsj.com/articles/amazon...-solarwinds-hack-angers-lawmakers-11614258004
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Russia may have been using the same code from the massive SolarWinds hack to carry out undiscovered espionage attacks since 2017

    Russian hackers have probably carried out espionage attacks for years with the malicious computer code used in the massive SolarWinds cyberattacks, researchers said in a new report that found some of the code dates to 2017...

    In the new findings, the research team has traced the hackers' malicious computer code back to at least 2017, and say that it was likely not created for the SolarWinds attack. The code in question, which scouts networks and sends signals back to hackers, 'was not created primarily for use in the SolarWinds attack. Rather, it was likely used in unknown previous operations,'...

    'The findings are important because they show the malware was a couple of years old before it was detected'..."

    https://www.businessinsider.com/sol...ard-2017-researchers-espionage-hackers-2021-2
     
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Deepening Mystery — and Fear — Over the SolarWinds Hack

    Tech leaders’ testimony to Congress suggests no one has been able to entirely figure out what happened.

    Brad Smith, Microsoft Corp.’s president, made it clear in a Senate Intelligence Committee hearing this week that the federal government and leading members of the business community still don’t fully understand how digital burglars pulled off one of the most dangerous computer hacks in history..."

    https://www.bloomberg.com/opinion/a...ing-mystery-and-fear-over-the-solarwinds-hack
     
  15. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "FireEye finds new malware likely linked to SolarWinds hackers...

    FireEye discovered a new 'sophisticated second-stage backdoor' on the servers of an organization compromised by the threat actors behind the SolarWinds supply-chain attack.

    The new malware is dubbed Sunshuttle...

    The new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its "blend-in" traffic capabilities for C2 communications..."

    https://www.bleepingcomputer.com/ne...-malware-likely-linked-to-solarwinds-hackers/
     
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Researchers uncover four more malware strains linked to SolarWinds hackers...

    Microsoft and FireEye on Thursday revealed four more malware strains associated with the suspected Russian perpetrators who breached SolarWinds’ Orion software and used its update to infect federal agencies and major companies..."

    https://www.cyberscoop.com/research...malware-strains-linked-to-solarwinds-hackers/

    "Microsoft links new malware to SolarWinds hackers..."

    https://www.scmagazine.com/home/sec...nks-new-malware-linked-to-solarwinds-hackers/
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    https://www.bleepingcomputer.com/ne...-malware-in-solarwinds-orion-linked-to-china/
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    177,561
    Location:
    Texas
    Guidance on Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
     
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    FYI:

    Acting CISA Director Testifies on SolarWinds and Federal Cybersecurity

    Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales testifies on improving federal cybersecurity before the House Appropriations Subcommittee on Homeland Security.

    Today, 3/10/21 -- 10:03 AM

    https://www.c-span.org/video/?50972...stifies-solarwinds-federal-cybersecurity&live

    Recorded video of the hearing will also be available at the above link after the event.
     
  20. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Mimecast: SolarWinds hackers stole some of our source code

    Email security company Mimecast has confirmed today that the state-sponsored SolarWinds hackers who breached its network earlier this year downloaded source code out of a limited number of repositories..."

    https://www.bleepingcomputer.com/ne...rwinds-hackers-stole-some-of-our-source-code/

    "Mimecast says SolarWinds hackers breached its network and spied on customers

    Mimecast-issued certificate was used to connect to customers’ Microsoft 365 tenants..."

    https://arstechnica.com/gadgets/202...-breached-its-network-and-spied-on-customers/

    "Mimecast Axes SolarWinds Orion For Cisco NetFlow After Hack...

    Mimecast has decommissioned its SolarWinds Orion software and replaced it with a Cisco NetFlow monitoring system after hackers compromised a Mimecast certificate used for Microsoft authentication."

    https://www.crn.com/news/security/h...cast-certificate-for-microsoft-authentication
     
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "CISA releases new SolarWinds malicious activity detection tool

    The Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to detect post-compromise malicious activity associated with the SolarWinds hackers in on-premises enterprise environments.

    CISA Hunt and Incident Response Program (CHIRP), the new forensics collection tool, is a Python-based tool that helps detect SolarWinds malicious activity IOCs on Windows operating systems..."

    https://www.bleepingcomputer.com/ne...solarwinds-malicious-activity-detection-tool/

    "CHIRP is available on CISA’s GitHub repository in two forms:

    A compiled executable

    A python script

    CISA recommends using the compiled version to easily scan a system for APT activity. For instructions to run, read the README.md in the CHIRP GitHub repository..."

    https://us-cert.cisa.gov/ncas/alerts/aa21-077a
     
  22. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    Last edited: Mar 29, 2021
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Biden administration imposes significant economic sanctions on Russia over cyberspying, efforts to influence presidential election

    The Biden administration on Thursday imposed the first significant sanctions targeting the Russian economy in several years in order to punish the Kremlin for a cyberespionage campaign against the United States and efforts to influence the presidential election, according to senior U.S. officials.

    The administration also sanctioned six Russian companies that support Russian spy services’ cyberhacking operations and will expel 10 intelligence officers working under diplomatic cover in the United States..."

    https://www.washingtonpost.com/nati...c1d260-746e-11eb-948d-19472e683521_story.html
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "SolarWinds hack was done by Kremlin's APT29 crew, say UK and US

    Russia’s infamous APT 29, aka Cozy Bear, was behind the SolarWinds Orion attack, the US and UK governments said today as America slapped sanctions on Russian infosec companies as well as expelling diplomats from that country’s US embassy.

    Formal attribution of the SolarWinds hacks, echoing tentative findings made by Kaspersky Lab, came in a US Treasury Department statement issued this afternoon...

    'The Russian Intelligence Services’ third arm, the SVR, is responsible for the 2020 exploit of the SolarWinds Orion platform and other information technology infrastructures. This intrusion compromised thousands of US government and private sector networks,' said the US Treasury..."

    https://www.theregister.com/2021/04/15/solarwinds_hack_russia_apt29_positive_technologies_sanctions/
     
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "The $1 billion Russian cyber company that the US says hacks for Moscow

    Washington has sanctioned Russian cybersecurity firm Positive Technologies [and five others]. US intelligence reports claim it provides hacking tools and runs operations for the Kremlin...

    The hackers at Positive Technologies are undeniably good at what they do. The Russian cybersecurity firm publishes highly regarded research, looks at cutting-edge computer security flaws, and has spotted vulnerabilities in networking equipment, telephone signals, and electric-car technology...

    MIT Technology Review understands that US officials have privately concluded the company is a major provider of offensive hacking tools, knowledge, and even operations to Russian spies. Positive is believed to be part of a constellation of private-sector firms and cybercriminal groups that support Russia’s geopolitical goals, and the US increasingly views them as a direct threat...

    US intelligence has concluded that Positive did not just discover and publicize flaws, but also developed offensive hacking capabilities to exploit security holes that it found..."

    https://www.technologyreview.com/2021/04/15/1022895/us-sanctions-russia-positive-hacking/

    Here are a few Wilders threads on Positive Technologies' "positive" work:

    "High-risk vulnerability in Android devices discovered by Positive Technologies"

    https://www.wilderssecurity.com/thr...s-discovered-by-positive-technologies.414807/

    "Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys"

    https://www.wilderssecurity.com/thr...isclosure-of-intel-me-encryption-keys.408209/

    "BlackHat 2017 – Positive Technologies researcher claims ApplePay vulnerable to two distinct attacks"

    https://www.wilderssecurity.com/thr...ay-vulnerable-to-two-distinct-attacks.395770/
     