Tag Archive for: SolarWinds

What the SolarWinds Hack Tells Us About IoT and Supply-Chain Security | 2021-03-15
No matter the industry, cybersecurity breaches seem to be escalating in size and scale. 

The sprawling hacking campaign launched by Russia three months ago — which impacted as many as 18,000 customers of the Texas-based software maker SolarWinds Corp. — is an egregious example of the far reach of a potential supply-chain attack.

The term “supply-chain risk” is a large umbrella that covers many security threats and vulnerabilities. In the SolarWinds case, the threat actors, believed to be working on behalf of a foreign government, trojanized the software updates to a popular tool, SolarWinds Orion. The attack left potential backdoor access points in hundreds of companies and nine federal agencies. And that’s only what we know — we will likely be uncovering the effects of this breach for years to come.

Other supply-chain risks may manifest as security flaws baked into electronic devices. Manufacturers of smartphones, printers, routers, internet-of-things devices and critical infrastructure systems buy components from third parties. These components are shipped with embedded firmware that may have existing security flaws. What’s more, some of that firmware wasn’t written by the manufacturer, but comes from open-source code maintained by volunteers in the I.T. community.

Here’s what the broader supply-chain industry needs to know about cyberattacks.

Veiled Software

There’s a growing movement of purchasers demanding comprehensive lists of the software within a device — but for now, it’s rare for manufacturers to provide one. That list, known as a software bill of materials (SBOM), is key to supply-chain security, but it’s important to note that it’s not a cure-all. For example, an SBOM would not have caught the SolarWinds backdoor: the malicious code was inside the vendor’s own component, not a third-party dependency the inventory would have flagged. What was needed was for a security team member to analyze the final software files themselves, before they were released to customers.

A Back Seat

Software developers and device manufacturers have shifted to rapid development processes. On the software side, this agile development framework pushes numerous and rapid updates, sometimes to add new features, occasionally to fix security flaws. There’s a similar push…


Exchange Server exploitation spreads. US CYBERCOM says SolarWinds exploitation thwarted. FIN8 is back. TA800’s new access tool.
Microsoft Exchange Server vulnerabilities have been exploited against Norway’s parliament. BleepingComputer reports that the Storting yesterday disclosed that it had lost some data, but that investigation was incomplete, and the full extent of the damage was still unknown. The Storting thinks this attack is unconnected to the incursion by Fancy Bear, Russia’s GRU, that was discovered in December.

Many threat actors, both intelligence services and criminal gangs, have rushed to exploit these Exchange Server vulnerabilities. The FBI and CISA yesterday issued a joint advisory on the Microsoft Exchange Server compromise. It includes a summary of the methods the threat actors are using against their targets as well as a set of actions victims can take to mitigate the damage. The advisory remains coy about attribution (“nation-state actors and cyber criminals are likely among those exploiting these vulnerabilities”).

Reuters’ Chris Bing tweets that CISA expects to release, “soon,” more evidence attributing the SolarWinds compromise to Russia. In the meantime US Cyber Command has offered some reassurance about the dot mil domain. The Record reports that Cyber Command’s Executive Director told the Intelligence and National Security Alliance that “To date, there’s no evidence of a compromise in DoD networks because of the SolarWinds attack. That doesn’t mean we weren’t exposed… The layers of defense we had in place prevented the adversary from advancing from the toehold they had.”

Bitdefender warns that the FIN8 criminal group has resumed operation. 

Proofpoint reports that the TA800 gang is using a new initial access tool, Nimzaloader.


SolarWinds hack has lawmakers pushing for national breach notification law
Lawmakers will push to pass a mandatory data breach notification law following the high-profile attack last year on SolarWinds, the network management and IT security company.

The compromise of the SolarWinds Orion IT monitoring and management software package, suspected to be the work of hackers affiliated with the Russian government, affected about 100 companies and nine U.S. agencies, including the departments of Homeland Security, State, and Justice. Up to 17,000 SolarWinds customers downloaded the malware.

Microsoft President Brad Smith called the SolarWinds hack “the largest and most sophisticated attack the world has ever seen” during a Feb. 26 hearing before two House committees.

During the hearing, several lawmakers promised to push a national data breach notification law this year. An upcoming bill would require companies to share information about breaches with the U.S. Cybersecurity and Infrastructure Security Agency but allow them to keep their names anonymous to the general public, said Rep. Michael McCaul.

The bill McCaul plans to introduce with Rep. Jim Langevin would presumably include penalties for failing to disclose breaches. All 50 states have their own data breach notification laws, some with significant fines for failure to disclose.

Lawmakers have for years tried to pass a federal breach notification law but have so far failed. Advocates of a national law say it would create a consistent breach notification standard with consistent penalties. However, some critics question whether federal law would water down tougher state laws.

In addition to a handful of lawmakers calling for a national breach notification law during the hearing, Smith also said it’s time for federal rules. Sharing threat information is “something that doesn’t happen broadly enough across the industry,” he said during the hearing.

Currently, reporting data breaches can open up companies to scrutiny from Congress and the public, Smith said. “A lot of companies choose to say as little as possible, and often, that’s nothing,” he added. “But silence is not going to make this country…


SolarWinds hack may lead to breach notification law and stronger cyber agency
One of the lesser-known aspects of the SolarWinds hack that lawmakers and top U.S. cybersecurity officials are grappling with is figuring out how many American companies and federal agencies have been affected. 

[Photo, provided by Roll Call: From left, FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and Microsoft CEO Brad Smith testify during a Senate Intelligence Committee hearing on Feb. 23, 2021.]

At present, no one knows.

This blind spot stems from the absence of a federal breach notification law that requires companies and federal agencies to notify the U.S. government if they have been hacked. That, however, may be about to change as congressional committees learn more about the SolarWinds hack and lawmakers in both chambers have signaled a bipartisan willingness to consider the idea. 

Last week, lawmakers summoned top tech company executives and the CEO of SolarWinds, the company whose software became the conduit for Russian intelligence agencies to access thousands of American companies and federal agencies. 

SolarWinds was hacked by Russian operatives who injected malware into routine software updates that went out to as many as 18,000 government entities and Fortune 500 companies that were clients of SolarWinds. Top U.S. government officials have said Russian intelligence services were behind the attack and that, as of now, nine federal agencies and about 100 companies were exposed but more victims are likely to be found as the probe continues.

Executives from FireEye, the cybersecurity company that found the Russian attack and made it public in December, Microsoft and SolarWinds told members of Congress that while they had come forward to share details of the attack, they were not obligated to do so and wanted Congress to address that gap. 

Without a law and clear guidance, companies don’t know whom to alert when they’re hacked, Brad Smith, president of Microsoft, said at a joint hearing of the House Oversight and Reform and House Homeland Security committees. 

Companies also face a legal barrier because contracts with federal agencies “restrict a company like Microsoft from sharing with others in the federal…
