Welcome to another weekly cybersecurity news wrap-up – and WHAT a week it has been.
Reuters News Service uncovered what is clearly the most dangerous hack not only in years, but one of the worst ever: an attack impacting the US Treasury, commerce departments and making matters worse, several parts of the defense department. As a result, major corporations worldwide are scrambling to see if they, too, are victims of the global cyberespionage campaign.
The company at the center is Austin, TX-based SolarWinds, which provides network-monitoring and other technical services to hundreds of thousands of organizations around the world. Its compromised product, Orion, is a centralized monitoring tool that looks for problems in an organization’s computer networks, which means that breaking in gave the attackers a very deep look inside those networks.
The timing of the attack comes right on the heels of last week’s highly publicized attack at FireEye – and it appears to be no coincidence. Both attacks were likely conducted by the same group. Several sources in the cybersecurity community have told ZDNet that the Russian-backed group APT29 – also sometimes known as CozyBear – is most likely responsible (based on current evidence.) But Russia is denying involvement.
The hack began as early as March when malicious code was snuck into updates to popular software that monitors computer networks of businesses and governments. It wasn’t discovered until FireEye determined it had been hacked.
Due to the nature of the attack Microsoft has stepped in to do what it can to limit the ramifications. A story below in GeekWire has the details. Check out this and numerous other articles below on this evolving story for the different aspects of it, from the IT community, federal, and the IT supply chain.
Top global security news
GeekWire (December 16, 2020) Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach
"This week Microsoft took a series of dramatic steps against the recent SolarWinds supply chain attack. In the size, speed and scope of its actions, Microsoft has reminded the world that it can still muster firepower like no one else as a nearly-overwhelming force for good.
Through four steps over four days, Microsoft flexed the muscle of its legal team and its control of the Windows operating system to nearly obliterate the actions of some of the most sophisticated offensive hackers out there. In this case, the adversary is believed to be APT29, aka Cozy Bear, the group many believe to be associated with Russian intelligence, and best known for carrying out the 2016 hack against the Democratic National Committee (DNC).
While details are continuing to emerge, the SolarWinds supply chain attack is already the most significant attack in recent memory. According to SolarWinds, Microsoft, FireEye, and the Cybersecurity and Infrastructure Security Agency (CISA) the attackers compromised a server used to build updates for the SolarWinds Orion Platform, a product used for IT infrastructure management. The attackers used this compromised build server to insert backdoor malware into the product (called Solorigate by Microsoft or SUNBURST by FireEye)."
Krebs on Security (December 16, 2020) Malicious Domain in SolarWinds Hack Turned into ‘Killswitch’
"A key malicious domain name used to control potentially thousands of computer systems compromised via the months-long breach at network monitoring software vendor SolarWinds was commandeered by security experts and used as a “killswitch” designed to turn the sprawling cybercrime operation against itself, KrebsOnSecurity has learned.
On December 13, cyber incident response firm FireEye published a detailed writeup on the malware infrastructure used in the SolarWinds compromise, presenting evidence that the Orion software was first compromised back in March 2020. FireEye said hacked networks were seen communicating with a malicious domain name — avsvmcloud[.]com — one of several domains the attackers had set up to control affected systems.
As first reported here on Tuesday, there were signs over the past few days that control over the domain had been transferred to Microsoft. Asked about the changeover, Microsoft referred questions to FireEye and to GoDaddy, the current domain name registrar for the malicious site.
Today, FireEye responded that the domain seizure was part of a collaborative effort to prevent networks that may have been affected by the compromised SolarWinds software update from communicating with the attackers. What’s more, the company said the domain was reconfigured to act as a 'killswitch' that would prevent the malware from continuing to operate in some circumstances."
CRN (December 15, 2020) Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny
"Microsoft has become ensnared in probes surrounding the recently disclosed colossal U.S. government hack, with media reports and company messages focusing on Office 365, Azure Active Directory and a key domain name.
Two key victims in the massive nation-state hacking campaign reportedly had their Microsoft Office 365 accounts broken into. The Russian intelligence service hackers for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software, Reuters reported Sunday.
As for Azure, the hackers were able to forge a token which claims to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote in a blog Sunday. The hackers could also gain administrative Azure AD privileges with compromised credentials. Microsoft said this was particularly likely if the account in question is not protected by multi-factor authentication."
Associated Press (December 14, 2020) EXPLAINER: How bad is the hack that targeted US agencies?
"The hack began as early as March when malicious code was snuck into updates to popular software that monitors computer networks of businesses and governments. The malware, affecting a product made by U.S. company SolarWinds, gave elite hackers remote access into an organization’s networks so they could steal information. It wasn’t discovered until the prominent cybersecurity company FireEye determined it had been hacked. Whoever broke into FireEye was seeking data on its government clients, the company said — and made off with hacking tools it uses to probe its customers’ defenses.
'There’s no evidence that this was meant to be destructive,' said Ben Buchanan, Georgetown University cyberespionage expert and author of 'The Hacker and The State.' He called the campaign’s scope, 'impressive, surprising and alarming.'
Its apparent months’ long timeline gave the hackers ample time to extract information from a lot of different targets. Buchanan compared its magnitude to the 2015 Chinese hack of the U.S. Office of Personnel Management, in which the records of 22 million federal employees and government job applicants were stolen."
The Hill (December 14, 2020) Lawmakers call for action after 'devastating' nation state cyberattack on federal government
“'While many details are still unknown, the attack emphasizes the importance of strong cybersecurity protections and rapid incident responses across all federal agencies,' Senate Commerce Committee Chairman Roger Wicker (R-Miss.) and Sens. John Thune (R-S.D.) and Jerry Moran (R-Kan.) said in a joint statement Monday following a briefing on the attack from the Commerce Department.
'Cyberattacks by nation states like Russia and China threaten our economy and national security. Our response should be swift and clear,' they added."
Other Top Global Security Stories
Like what you’re reading? Head to the Subscriber form in the sidebar to get insightful GlobalSign content delivered directly to your inbox.