Tag Archives: Russia

Solar Winds Breach Keeps Getting Better

Well, maybe better is not the right word.

Quick catch up for those of you who are not following this.

The Russians hacked the software update process for the high end network management software called Orion from Solar Winds. This software is typically used by large enterprises and government agencies. This hack gave them access to emails and other data inside these businesses and government agencies.

Initial reports were that the Russians had hacked the State Department, Treasury Department and part of the Commerce Department along with an unknown number of private companies. Solar Winds said the number of businesses affected might be as high as 18,000. Security consulting company FireEye was the first company that admitted they were hacked.

Then the government added the National Institutes of Health and DHS to the list of hacked organizations.

There are now reports that Microsoft was hacked, but Microsoft, is, for the moment, denying this.

The Department of Energy said that the National Nuclear Security Administration was hacked. The NNSA is responsible for the safety of the U.S. nuclear weapons stockpile. What could go wrong there? But, they say, not to worry. After the Russians had been rummaging around our stuff for 6-9 months, we took immediate action to mitigate the risk once we found out that we had been hacked.

Bloomberg says that three UNidentified states were also among the hacked, while the Intercept says that the Russians have been inside the City of Austin for months.

In the meantime, CISA, the security department inside Homeland Security, says that the attack poses a “grave risk” to the United States. They said the unnamed adversary, widely believed to be Russia, has demonstrated an ability to compromise software supply chains and that they likely had additional initial attack vectors besides Solar Winds.

This means that every company and not just the 18,000 Solar Winds customers need to be on high alert until we figure out the scope of the breach.

Tom Bossart, former national security advisor in the White House says this calls for immediate and decisive action by the President. But given that this White House seems incapable of saying anything bad about Putin, that is not likely to happen. CNN is reporting that the Department of Agriculture, Department of Defense and the US Postal Service were also invaded. At this point the White House has not said anything about this likely Russian hack.

But here is the scariest part.

How do you recover from this when you don’t know what is compromised and what is safe.

The only sure way to deal with this is to build an entirely new network with entirely new servers and other equipment side by side to the old network. Then you have to figure out if anything in the old network is salvageable. What is not repairable needs to be melted down.

This cannot be done cheaply and it cannot be done quickly.

The good news is that most of the companies and organizations that were affected were large and hence will be able to swallow the millions of dollars this will cost each organization. The government, of course, both prints money and taxes us, so they have no shortage of funds to repair this problem.

But lets assume that this is only the tip of the ice berg – that there were multiple attacks using multiple attack vectors. Then what?

I predict that most private industry companies do not know if their networks are currently compromised.

On top of this, it is unlikely that most organizations will ever be able to figure out what the Russians looked at. In part, this is due to the fact that logs are not tracking everything and also because it took so long to detect, many older log files have been erased.

This is, unfortunately, just the beginning. We will continue to update as this unfolds.

Security News for the Week Ending October 23, 2020

Iran or Russia – Who Should We Worry About?

The FBI and the US government’s Cybersecurity and Infrastructure Security Agency on Thursday issued a joint warning that a Kremlin hacking crew is probing or breaking into systems belonging to the US government and aviation industry.

The joint advisory states that the team, known as Energetic Bear among other monikers, has been specifically going after US state, local, territorial, and tribal (SLTT) government networks, as well as aviation, since at least September 2020. We’re told:

It appears the goal of the Russians is to obtain the necessary inside information or access to systems to ultimately stir up civil unrest and distrust in the results of the November 3 US elections. Credit: The Register

Snowden Granted Permanent Residency in Russia

The AP is reporting that Russia has granted Edward Snowden permanent residency status. Basically, Putin poked Trump in the eye with a sharp stick two weeks before the election. In what is clearly a calculated political move by former KGB operative Putin, he decided to do this right before the U.S. Presidential election, rather than wait a couple of weeks. Is this an effort by Putin to affect the election? Don’t know, but I am pretty sure it is not a coincidence. Credit: AP

WordPress Forced Updates to Entire Base of Site Due to Plug-in Bug

A critical bug in the Loginizer plug-in which would allow a hacker to bypass the login process caused WordPress to force an emergency update to its entire user base. While some admins whined about the forced update, Loginizer says that 89% of its installations have been updated. Forced updates have been used, rarely, by every major software vendor – inclusing Apple and Microsoft on a more frequent basis – because users just don’t deal with patches quickly, much of the time. Credit: ZDNet

MicroChipping Humans – Its a Thing and Soft of Illegal in a Few States

Apparently, embedding microchips in humans is a thing in some places. Some employers are doing that to employees – voluntarily at this point, to act as a replacement for badge. But a badge you can leave at home if you are off work. A microchip is on 24×7.

As a result, 7 states have passed laws making MANDATORY chipping of humans illegal. And it is a variety of states. You would expect California to ban that, but also Utah. Maryland, New Hampshire, North Dakota, Oklahoma and Wisconsin round out the list. Michigan is working on becoming number 8. Interesting.

Security News for the Week Ending September 25, 2020

GAO Tells Treasury: Track Cyber Risk in Financial Sector

The GAO told Treasury to work with Homeland Security to better track cyber risk in the financial sector.

The GAO says that Treasury does not track efforts or prioritize them. The “sector specific” security plan was last updated in 2016 and, of course, most of the tens of trillions of dollars of assets belong to private companies.

Not only that but Treasury has not implemented the recommendations from the last audit. Credit: Meritalk

Trump Campaign Spent $4 Million to Buy Your Location Data

The Trump campaign spent $4 million buying data on voters, including location, from a data broker named Phunware. The company makes a software development kit that developers can use to collect your data, including location, and sell it to data brokers. Nothing illegal, but lucrative for the app developers and useful for political campaigns and others. Credit: Vice

Google and Amazon – Both Can Be Un-Secure

We always talk about Amazon S3 storage buckets being configured in an un-secure manner, leaking data. Researchers say that 6 percent of a sample of Google storage buckets are also configured so that the wrong people can read from or write to it. Documents they were able to read include passports and birth certificates. Just like with Amazon, Google will disavow any responsibility if you mis-configure your storage. Bottom line – test your security regularly and do not assume that anything is secure. Credit: Threatpost

Russia and China, Oh, My! (Hacking)

While the current occupant of 1600 Pennsylvania Avenue continues to put pressure on China, he is not putting pressure on Russia and they are definitely going after us.

The Russian government hacking group known as APT28 or Fancy Bear is sending out fake NATO training materials laced with hard to detect Zebrocy Delphi malware. The email attachment has a zipx file extension. At the time researchers got a copy of the malware only 3 virus products detected it. It seems like with this campaign, the Ruskies are going after government computers, but there is always collateral damage. Credit: Bleeping Computer

At the same time, the FBI says that the Chinese are still actively going after Covid-19 research, including vaccines. After all, it is easier to steal a vaccine than to develop and test one. The Chinese read the newspapers, see who is claiming interesting stuff, and then try to hack them and steal their information. They are not alone. Russia and Iran are also trying to steal research and vaccine info. Credit: MSN

Security News for the Week Ending September 11, 2020

Pioneer Kitten Sells Compromised Corporate Credentials

Pioneer Kitten, an Advanced Persistent Threat group backed by Iran, is compromising corporate systems and then selling those credentials to the highest bidder. Like all large organizations, they want to diversify from just ransomware and stealing credit cards. Now they have a new and apparently very lucrative revenue stream. Credit: Threat Post

Ireland Unfriends Facebook

In the aftermath of the Schrems II decision, Ireland has told Facebook to stop sharing data from the EU to the US. Of course Zucky says that they have a right to do that using standard contract clauses (and they could possibly be right), but there will be a fight. Stay tuned. Credit: The Register

Pentagon has a New Way to Protect Their Browsing

In case you thought I was going to diss DISA, the Pentagon’s IT department, nope, not this time. Actually, I really like what they are doing and hope some enterprising company offers it as a service.

The Pentagon plans to roll it out to 1.5 million users in the first year. What they are doing is instead of opening a browser on your computer, you open a window to a browser in the cloud from your computer. You then surf in that sandbox, containing any explosive debris from malware. When you drop the connection, the sandbox goes away, along with any malware. In addition, since these sandboxes live in the data center, the amount of data bandwidth required at the user’s location goes down dramatically. It is a brilliant idea. Credit: Government Computer News

After Microsoft Outs Russian Election Hacking White House Sanctions 4 Russians

The same day that Microsoft published details of Russians who are trying to hack the 2020 US Elections, the White House added 4 Russians to the Treasury’s equivalent of the do not fly list called OFAC. This is also after the whistleblower at DHS came out saying he was told by the head of DHS not to say anything about Russian hacking. Maybe the three events are not related. Maybe the Republican administration was forced to do something to look like it was being tough on Russia. The hacking includes publishing fake news designed to spark false corruption investigations in an effort to affect the election outcome. Other Russians stole US citizens’ identities to open fake bank and cryptocurrency exchange accounts. Microsoft said that it detected attacks targeting both the Biden and Trump campaigns. The Russians also used traditional attacks like phishing and brute force password attacks. Credit: Dark Reading

Army Cyber Command Moves to Fort Gordon

While the move of Cybercom to Fort Gordon in and of itself may not be exciting, it may be an indication of how serious the Army is taking cyber. The Army built a new 336,000 SF building for them, consolidating folks who were at Forts Belvoire and Meade. More importantly, consider who else is at Gordon. This move puts Cybercom at the same garrison as the Army Cyber Center of Excellence, Army Cyber Corps and Army Signal Corps. It also houses Homeland Security training, Naval Information Ops Command and Joint Strategic Intelligence Command, among others. Putting all these cyber and information folks within walking distance has to allow them to better coordinate and cooperate. Credit: Security Week

Security News for the Week Ending August 14, 2020

China and Russia Continue to Interfere with the Elections

According the the White House, China has been targeting the US election infrastructure ahead of the election and Russia has been trying to undercut Democratic candidate Joe Biden, much like their did with Clinton in 2016. Could it be that Russia thinks that the Republican Administrations are distracted by China and are ignoring the damage that Russia is doing? After all, Its not like Russia doesn’t want to do damage. Credit: South China Morning Post

China Hacking Government Sites, Others

Just in case you thought I was saying that China is a bunch of good guys… China has been using malware called Taidoor to hack government sites, private sector and think tanks since 2008 according to Homeland Security and the Pentagon. They are using this malware to maintain a presence, undetected, on these servers. DoD’s Cyber Command has only been uploading samples of this malware to the virus engines since 2018, so it is not clear what happened during the first 10 years of the attacks. Credit: Cyberscoop

Anomaly Six Accused of Secretly Embedding Location Tracking in Hundreds of Apps

US Government contractor Anomaly Six, who has strong ties to various national security agencies, is accused of creating a software development kit that secretly tracks the user’s location and reports the data to them. Apparently hundreds of apps use this SDK as the company pays the developers for the data.

The company refuses to disclose which apps are using it and, in theory, the apps should disclose they are selling the data. Assuming the apps are not completely rogue, they would need to ask for the location permission. I suspect we will hear more now that this cat is out of the bag. Credit: Hackread

OOPS! This is Embarrassing

The SANS cybersecurity training company suffered a data breach because an employee fell victim to a phishing attack. While we can make some fun at their expense, the real point is that not falling for phishing attacks is hard and takes a strong program. If you don’t have a strong anti-phishing program, we have a great one. The attack was the result of a SINGLE phishing click. This allowed the attacker to install a malicious Office 365 add-on. The result was the hacker was able to forward over 500 emails representing the PII of 28,000 SANS members, before being detected. The good news is that they have some of the best forensics experts in the business on their staff. They are conducting an investigation. Credit: Bleeping Computer

Another NSA Advisory: Linux. Rootkit. Russia

I know China is a threat. It is. But Russia is just as big a threat – they just operate differently. The NSA released an alert that says that Russia’s intelligence arm, the GRU, has built and targeted Linux systems with Drovorub. It is a Linux rootkit that can steal files, run arbitrary commands and forward network traffic to sniff it. Other than that, not a big deal. It hooks into the Linux kernel making it hard, but not impossible, to detect. Given the nature of the GRU, they are likely to use it against high value targets like, perhaps, tech companies, defense contractors or Covid-19 researchers. Beware. Credit: The Register

Security News for the Week Ending August 7, 2020

Microsoft Considering Buying TikTok

In light of President Trump’s threats to ban TikTok, Microsoft says that it is considering buying the company from its Chinese owners. That would be a win-win-win for Microsoft. They would add another social media platform to their inventory. The can probably buy it at fire sale prices and they would be doing something nice for the Republican administration. Credit: NY Times

Republicans Say TikTok is a National Security Risk

The current Republican administration says that TikTok is a national security risk and it may well be, but not for any of the reasons that they are talking about. Secretary of State Pompeo says that the TikTok and other Chinese owned software might be feeding the Chinese your address, your facial image, phone number or friends. First of all, they likely have all of that already. Second, they can get all that information from Twitter or Facebook, so what is special about TikTok and third, they can buy or steal all of that and a whole lot more from any one of a thousand data brokers and it is all legal.

Why is this only a China problem and not, say, a Russia problem? One reason is that we don’t tend to use Russian software. But in the bigger picture, if the Republicans don’t think that Russia, North Korea, Iran, as well as friendly countries like France, Israel and Germany, among many others, they are wrong. After all, we are doing this, both to our citizens and theirs.

The bigger problem is that the TikTok software, along with a lot of other software running on your computers (PC or Mac) and phones (iPhone and Android) is horribly unsecure and is leaking WAY MORE data than just that. And that assumes that the software does not have malicious intent. *THAT* is a national security risk that the Republicans don’t want to talk about because it cost American businesses money to fix that problem. What if a malicious update to a piece of software vacuumed whatever data it could off your phone – contacts, texts, photos. It is probably more realistic than you think. Credit: Fox News

Papers Leaked Before UK Election Linked to Russia

Classified US-UK trade documents that were leaked before the recent UK election in an attempt to manipulate the elections are now being linked to Russia. They were stolen from former British trade minister Liam Fox. The Brits say that they have a “very robust” system to protect classified documents and are investigating how the Russians access Fox’s email multiple times between July and October of last year in spite of this so-called robust system. This is a classic technique that all intelligence services try to use – steal documents. Cherry pick which ones to leak. Use social media to generate outrage. Rinse and repeat. Score one for Russia. Credit: US News

Shocking News: Voting Machine Security Improves When you Work With Researchers

Voting machine maker ES&S has a horrible reputation when it comes to security. Organizers at Defcon bought used ES&S (and other) voting hardware and let people hack it. I don’t think any piece of their hardware lasted 5 minutes. What was ES&S’s response? They threatened to sue. Recently, they have begun to change that strategy. They are now going to offer a bug bounty program managed by an independent third party and are actually listening to the researchers. Did the gov threaten to blackball their machines? Who knows? Whatever they did, it is good for voting security. Credit: The Register