Tag Archives: Russia

The Russians Are Still Cyber-Attacking Us

This is probably not a surprise to anyone who is past elementary school – and probably not to many who are still in elementary school, but the group that was behind last year’s SolarWinds attack is still at it.

Just like with SolarWinds, they are going after the global supply chain.

140 managed service providers and cloud service providers were attacked since May and at least 14 were breached. according to Microsoft.

Russia is doing that because, like with SolarWinds, compromising one of these companies may allow Russian hackers entry into hundreds or thousands (or more) of their customers.

Unfortunately, the attackers are using a variety of tactics, so there is not a one size fits all solution.

So, what to do?

First, if you are a service provider, make sure you are doing everything you can to protect yourself. And your customers.

Second, if you use service providers – and who does not – make sure you understand where the provider’s responsibility for security ends and yours begins and also make sure that are reviewing the provider’s cyber risk protection practices as part of your vendor cyber risk program.

Remember, you can outsource the task, but if you are breached, your customer will blame you, no matter what. Credit: Bleeping Computer

Security News for the Week Ending July 16, 2021

Supply Chain Attacks Roll On

The Accellion File Transfer Appliance vulnerabilities have been the source of many breach notifcations over the last several months. For whatever reason, they seem to be dribbling out. The newest one is Morgan Stanley. In this case, it was a Morgan Stanley VENDOR that was using Accellion, so instead of the third party attacks we talk about all the time, this is a fourth party attack. Of course, Morgan Stanley will take the heat, fines and lawsuits. Are you sure your vendors have your back? What about their vendors? Credit: Data Breach Today

Senate Finally Confirms Jen Easterly as Head of DHS/CISA

After CISA has not had an official chief for 8 months and after one Senator pulled a pre-July 4th political stunt that delayed her confirmation, the Senate unanimously confirmed Easterly this week. Easterly, who retired from the Army in 2011, was the deputy director for counterterrorism at the NSA, was on the National Security Council staff at the White House and is a two time Bronze Star recipient, is an outstanding person to lead CISA after Chris Krebs was fired last year for not following the party line. Credit: CNN

Did Russia Get the Message?

Remember the Revil ransomware gang? The folks that hacked Kaseya and JBS, among others? Well their web sites are no more. Did the U.S. take them down? Did Putin decide he didn’t like the heat? Will they come back later under a different name? Not clear. But what is clear is that people who were trying to get their files decrypted by paying the ransom – they have a bit of a problem as in kinda out of luck. My guess is Biden told Putin to fix the problem or we would fix it for him and he probably would not like the collateral damage. Credit: MSN

Hackers are Hard to Kill Off

Last year around election time the Pentagon was all full of press releases that they took down a Russian hacking operation called Trickbot. They have millions of victims around the globe. Bitdefender found that they are resurrecting their tools; updating them, etc. While Bitdefender found this particular tool using a honeypot, it doesn’t that was their only tool and it certainly does not mean they will shut down. It does mean that hacker networks are so profitable, that they will come back from the dead. Credit: The Daily Beast

Want a $10 Million Prize?

The feds are offering a reward of up to $10 million for information on operations conducted by actors working for a foreign government. On Thursday, the U.S. Department of State announced that its Rewards for Justice (RFJ) program now incentivizes reports of foreign malicious activity against U.S. critical infrastructure. The actions may include extortion as part of a ransomware attack, stealing information from protected systems, “and knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.” The feds set up a Tor site to report information confidentially. Credit: Bleeping Computer

What is the U.S. Going to do About Putin?

The last presidential administration went hard after China – applying sanction after sanction, but with minimal success. They also seemed to give Russia a free pass.

Many of the very public recent hacks are being attributed to Russia, including SolarWinds and Kaseya.

When Biden met with Putin in Helsinki last month, the two agreed to form a committee to address the problem.

Since it is popular understanding that Putin is directing the attacks – or at least approving them (and probably taking a cut) – it is not clear that a committee will do much.

Still, that is the step that this administration is willing to take at this time.

However, there are some hints that this administration might be willing to do more.

When Biden was specifically asked if it made sense to attack back, he responded, somewhat cryptically, with a simple YES.

When Biden was asked what he expected Putin to do, he declined to say. He did say “we’ll see”.

We need to both defend and offend.

U.S. businesses need to harden their systems to attack and redesign them to mitigate the losses. While Russia is certainly a player in the attack business, it is not the only one and even if a miracle happened and Putin shut down his revenue stream, that will only reduce the number of attacks. AND, I don’t anticipate a miracle.

At the same time the U.S. government needs to make hackers face consequences. Having the DoJ indict people that will never be arrested, like the last administration did, is not terribly effective. Every now and then we catch a stupid one who crosses into friendly territory, but all that does is teach the smart ones not to do that.

This is a hard problem, but continuing to do what we have done in the past is not going to work. Credit: The White House

Security News for the Week Ending July 2, 2021

WD NAS Devices Are Being Wiped Worldwide

The downside of using computers beyond their end of support is that you can get hacked and all of your data can get wiped. This is what has happened to many WD My Book owners. Western Digital stopped patching them in 2015 and hackers have figured out how to remotely execute a factory reset, wiping all the data. The second thing not to do is to not have offline backups, which, apparently, a lot of these Western Digital owners also did not have. The result is many sad Western Digital owners. It does not appear that Western Digital’s own servers were hacked. Users, at this point, are just outta luck if they did not make backups. Credit: Bleeping Computer

As if this wasn’t bad enough, there is now a second zero-day way to wipe the devices. Credit: Metacurity

Pentagon Official Accused of Disclosing Classified Information

Katie Arrington, a political appointee in the DoD’s office of acquisition and sustainment and who acted as A&S’s CISO was suspended and her security clearance deactivated after being accused of unauthorized disclosure of classified information. Rumors had been that she was walked out of the Pentagon several months ago, but no announcement was made until this week. If true, she could wind up in jail. Credit: Newsweek

Politics ‘R’ Us – CISA Don’t Need No Stinkin’ Director

CISA, the Cybersecurity and Infrastructure Security Agency, part of DHS, has been without a director since ex-president Trump fired Chris Krebs last year for saying that there was no massive election fraud. President Biden nominated Jen Easterly, a graduate of West Point and Oxford, an Army Lt. Colonel and long time intelligence and NSA official, however the Senate has not voted on her confirmation. The arcane Senate rules allow any Senator to put a hold on anything for any reason. In this case, Senator Rick Scott decided that since Kamala Harris had not visited the southern border, something he thinks is important, that the Senate should not vote on the nomination of Easterly to head DHS. This has nothing to do with Easterly or security, just some Senator on a power trip. It appears that maybe next week, after DHS has not had a director for more than 6 months, during which time a major oil pipeline was shut down due to a ransomware attack, the Russians compromised a number of federal agencies twice – once via SolarWinds and again using Microsoft Exchange, and numerous other attacks, Scott may decide to stop being a dictator and allow the Senate to vote on Easterly’s appointment. The political process is very messy. Credit: ZDNet

Microsoft Testifies it Gets 10 Info Demands a Day from the Feds

Microsoft testified this week that it gets 7-10 secrecy orders every single day from the feds, demanding that they turn over customer information and not notify the customer that their information has been targeted. Since these orders are secret and often stay that way forever, cloud service customers have no way of knowing if their personal and/or sensitive information is in the hands of the government, for some unknown purpose, under likely poor security (the FBI just told Congress that it needs millions and millions of more dollars in order to protect their systems, so it is reasonable to assume that at least some FBI systems have been compromised and data stolen. We know, for example, that the Department of Justice was a victim of the SolarWinds attack). This may mean that companies that use the cloud (which is almost everyone) may need to take more security measures than they are taking – at least for sensitive data. Credit: The Register

Is Russia More Tech-Savvy Than the US?

Russia’s main military intelligence unit, called, among other names, APT28, Fancy Bear and Iron Twilight, is using cloud containers (Kubernetes) to massively scale brute force attacks against American and European businesses targeting government, military, defense contractors, energy companies, education, logistics, law firms, media, politics and think tanks. Does that leave anyone out? After they use these brute force attacks to get login information, they use those credentials to move around inside the company and steal information, often undetected. The feds (NSA, CISA, FBI and the UK’s NCSC) publicly warned businesses this week. That means that businesses need to up their security game if they want to protect their systems and information. Credit: The Hacker News

NSA/FBI/CISA Issue Alert – Russia SVR

While China is a serious threat and the last administration pushed on that hard, that administration ignored Russia.

Today the National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agencies issued a joint alert titled Russian SVR Targets U.S. and Allied Networks.

The NSA, FBI and CISA said that the Russian Foreign Intelligence Service or SVR is behind the exploitation of 5 publicly known vulnerabilities.

The Feds also announced that Russia and the SVR were the ones behind the SolarWinds attack and all the other attacks surrounding SolarWinds.

In addition to the SolarWinds attack, they are crediting/blaming Russia for:

  • Fortinet Fortigate VPN
  • Synacor Zimbra Collaboration Suite
  • Pulse VPN
  • Citrix Application Delivery Gateway
  • VMWare Workspace ONE Access

The advisory is available here.

The FBI and their cousins also provided some very specific actions to take, here.

Here is the problem. These actors are pros. These are not random attacks.

In the SolarWinds attack they went after heavily defended federal agencies as well as a lot of big companies.

The Feds are saying that you should assume a breach will happen. Note that they did not say assume a breach might happen.

They said to implement network segmentation.

Enable robust logging

Prepare for incident response.

It seems like they are saying that we are fighting a war.

The feds will do their part to try and identify them and slow them down, but this is more of an art than a science.

One bit of good news is that the NSA is sufficiently embarrassed for missing SolarWinds that they are on high alert. That should help. HELP, but not prevent.

Historically, the NSA spent 90% of their budget on offense and 10% on defense. While we don’t know what those numbers are today, the pendulum has definitely moved.

And this is good for every business in America.

Be prepared. Credit: NSA

Solar Winds Breach Keeps Getting Better

Well, maybe better is not the right word.

Quick catch up for those of you who are not following this.

The Russians hacked the software update process for the high end network management software called Orion from Solar Winds. This software is typically used by large enterprises and government agencies. This hack gave them access to emails and other data inside these businesses and government agencies.

Initial reports were that the Russians had hacked the State Department, Treasury Department and part of the Commerce Department along with an unknown number of private companies. Solar Winds said the number of businesses affected might be as high as 18,000. Security consulting company FireEye was the first company that admitted they were hacked.

Then the government added the National Institutes of Health and DHS to the list of hacked organizations.

There are now reports that Microsoft was hacked, but Microsoft, is, for the moment, denying this.

The Department of Energy said that the National Nuclear Security Administration was hacked. The NNSA is responsible for the safety of the U.S. nuclear weapons stockpile. What could go wrong there? But, they say, not to worry. After the Russians had been rummaging around our stuff for 6-9 months, we took immediate action to mitigate the risk once we found out that we had been hacked.

Bloomberg says that three UNidentified states were also among the hacked, while the Intercept says that the Russians have been inside the City of Austin for months.

In the meantime, CISA, the security department inside Homeland Security, says that the attack poses a “grave risk” to the United States. They said the unnamed adversary, widely believed to be Russia, has demonstrated an ability to compromise software supply chains and that they likely had additional initial attack vectors besides Solar Winds.

This means that every company and not just the 18,000 Solar Winds customers need to be on high alert until we figure out the scope of the breach.

Tom Bossart, former national security advisor in the White House says this calls for immediate and decisive action by the President. But given that this White House seems incapable of saying anything bad about Putin, that is not likely to happen. CNN is reporting that the Department of Agriculture, Department of Defense and the US Postal Service were also invaded. At this point the White House has not said anything about this likely Russian hack.

But here is the scariest part.

How do you recover from this when you don’t know what is compromised and what is safe.

The only sure way to deal with this is to build an entirely new network with entirely new servers and other equipment side by side to the old network. Then you have to figure out if anything in the old network is salvageable. What is not repairable needs to be melted down.

This cannot be done cheaply and it cannot be done quickly.

The good news is that most of the companies and organizations that were affected were large and hence will be able to swallow the millions of dollars this will cost each organization. The government, of course, both prints money and taxes us, so they have no shortage of funds to repair this problem.

But lets assume that this is only the tip of the ice berg – that there were multiple attacks using multiple attack vectors. Then what?

I predict that most private industry companies do not know if their networks are currently compromised.

On top of this, it is unlikely that most organizations will ever be able to figure out what the Russians looked at. In part, this is due to the fact that logs are not tracking everything and also because it took so long to detect, many older log files have been erased.

This is, unfortunately, just the beginning. We will continue to update as this unfolds.