Tag Archives: Solar Winds

Security News for the Week Ending February 5, 2021

Are You the Victim of Covid Fraud?

As if Covid wasn’t bad enough, there are widespread stories of people getting tax forms for their Covid unemployment benefits -benefits they never applied for and never received, but which are considered taxable income. In California alone, crooks stole at least $11 billion in unemployment benefits by stealing people’s identities and getting the benefits deposited in accounts they control. But the victims will get the tax forms and have to deal with convincing their state and the IRS that they did not get those thousands in income. Credit: Brian Krebs

Paper – Now That’s Secure

Now that the Department of Justice has admitted that (likely) Russia hacked their confidential court filings, exposing search warrants, terrorism investigations and other stuff that should have remained sealed, they have a simple solution. Last week the federal court system issued an order that says that highly sensitive documents (likely those that the court would seal) must be filed on paper and any order or rule of any federal court or judge to the contrary is null and void. Problem solved. Credit: The Register

Billions of Emails/Passwords for Free

Someone has posted a file with 3.2 unique emails and passwords in clear text on a popular hacking forum. This data is a combination of many breaches but is a great input for password stuffing attacks since people love to reuse passwords. For users, this is one more reason to use two factor authentication. Credit: Cybernews

Voting Machine Vendor Smartmatic Sues Fox for $2.7 Bil

Voting machine vendor Smartmatic is suing the Fox network, its hosts individually and Trump lawyers Sidney Powell and Rudy Giuliani for $2.4 billion after these folks made unsubstantiated claims that Smartmatic’s software changed millions of votes from Trump to Biden. Smartmatic says that this is not about the money; they want vindication, so this could get more than a bit nasty. Credit: The Register

T-Mobile is Being Very Aggressive in Deploying 5G

T-Mobile plans to spend $40 billion in the next 3-4 years upgrading its network to 5G and faster 4G. Some of that will be recovered by decommissioning Sprint’s old network. But speed is the issue. Their “low band” 5G is slightly faster than 4G. Their “mid band” might give a couple hundred megabits per second which is quite respectable for cell phones and its “high band” will give you gigabit. But their president of technology says this will take decades to blanket the entire country. For the moment, they appear to be ahead of AT&T and Verizon. Credit: SDX Central

Security News for the Week Ending January 22, 2021

Parler Finds A New Home With Russian Hosting Provider in Belize

“Hello world, is this thing on? With that message Parler’s website is back online. Well at least a one page website is back online. The site is being hosted by Russian-owned DDoS-Guard, a company that apparently also hosts ISIS web sites. Whether the folks who invaded the Capitol earlier this month are going to be willing to post their content on a Russian hosted server is not clear. It is unlikely that their hosting provider would respond to a US subpoena, but whether they would steal the posts for their own purpose is a different question. Credit: Cybernews

Capitol Terrorist Who (Allegedly) Planned to Sell Pelosi’s Laptop to Russian Intelligence Arrested

The amazing amount of video footage from the storming of the Capitol is really making the cops’ lives a lot easier. Riley June Williams, 22, from Pennsylvania, was outed by her former boyfriend. She videoed herself committing the felony and then shared that video. She has now been arrested. She has not been charged with espionage, yet. After the events of January 6th, she changed her phone number, deleted her social media accounts and fled. Her public defender wants her released but the feds say that she is a flight risk. Given she disappeared even before she was charged, that doesn’t seem unreasonable. Credit: WaPo

Parler Data Is Available for Download

If you want to be an amateur detective and you have 70 terabytes or so of free disk space on your computer, you too, can download the data that was scraped from the site during its last few hours of its existence. It is chunked down to 4GB chunks and more of it is being uploaded in real time. This will be examined and reexamined for a long time. Details can be found here.

Malware Bytes Joins Club of Those Hacked by SolarWinds Hacking Team

Malware Bytes joins the long and getting longer list of those folks sucked in by the Solar Winds attackers. In their case, they did not use Solar Winds but were compromised by other techniques used by the Solar Winds attackers. They said the damage was minor and limited to some of their emails. Credit: Cyber News

Trump Pardons Google Engineer Who Stole Self Driving Car Trade Secrets and Took Them to Uber

Anthony Levandowski, the Google Engineer who went to work for Uber’s self driving car division, was pardoned by Trump after being sentenced to 18 months for his theft. I am not sure if the pardon relieves him of the obligation to pay Google the $179 million fine, but it probably does. He took 141,000 files with him and likely advanced Uber’s progress by years. Google settled it’s lawsuit against Waymo in 2018 and paid a multi-hundred-million dollar fine. Curiously, Google is an investor in Uber, so they probably don’t want to hurt them too much. Credit: Cyber News

Breaches Down; Record Count Up

According to Risk Based Security, the NUMBER of breaches reported fell 48% in 2020 compared to 2019, but the number of records exposed was UP by 141% to an amazing 37 BILLION records. We don’t believe that the number of breaches was actually down; likely it is just that a lot of breaches are not being reported. Part of it may be that with other important events like the election and Covid, the media is not covering breaches. In addition, we are seeing some really large breaches. Hacking group Shiny Hunters disclosed 129 million hacked records in just five weeks. Credit: Tech Republic

Security News for the Week Ending Jan 1, 2021

Happy New Year. May 2021 be more sane than 2020.

Microsoft Says Goal of Solar Winds Attack Was Your Cloud Data

Microsoft says that the objective of the Solar Winds Hackers was to get into a number of organizations and then pick and choose which ones to attack, leaving the back door in place at the others for future operations. One way to do that was to generate SAML login tokens from inside the network and then use those tokens to gain access to cloud resources, including, but not limited to email. The article also provides more information on how to detect if the hackers did compromise your cloud resources. Credit: Bleeping Computer

“Swatting” Moves to the Next Level

Swatting, the practice of calling in a fake 911 call so that SWAT teams are deployed to the victim’s location based on, say, a fake kidnapping, are moving to the next level. As if having the police show up unexpected with lots of guns and breaking down your door isn’t bad enough, now the perpetrators are taking advantage of the fact that people choose crappy passwords and are watching and listening to the police assault on the victim’s own smart devices. On occasion, the situation becomes deadly when the police, not really knowing what to believe, shoot the victim. On rare occasions, the swatters, as they are called, are caught and prosecuted. Credit: Bleeping Computer

I Think The Wasabi Got a Little Too Hot

Wasabi, the cloud storage competitor to Amazon S3 that claims that it is significantly cheaper than Amazon and 99.999999999% reliable just got a little less reliable. Their domain registrar notified them of some malware hosted on one of their domains. Only they sent the email to the wrong email address. The registrar, following normal procedures, suspended their domain for not responding to an email they never got, knocking many of their customers offline.

After Wasabi discovered they had been DDoSed by their domain registrar, they suspended the offending customer and asked to get their domain back. That process took over 13 hours. Are you ready for this kind of attack from your suppliers?

That attack probably knocked several of those 9’s off their reliability, depending on how the mess with the data.

Credit: Bleeping Computer

Solar Winds Troubles Are Not Over

A second piece of malware called SUPERNOVA and a zero-day vulnerability that it exploited makes it look like there may have been a second attack against Solar Winds. This appears to be a separate attack from the Russian attack. The attack vector is different too – this is not an attack against Solar Winds code base. This spells additional trouble for Solar Winds. Credit: Security Week

Solar Winds Breach Keeps Getting Better

Well, maybe better is not the right word.

Quick catch up for those of you who are not following this.

The Russians hacked the software update process for the high end network management software called Orion from Solar Winds. This software is typically used by large enterprises and government agencies. This hack gave them access to emails and other data inside these businesses and government agencies.

Initial reports were that the Russians had hacked the State Department, Treasury Department and part of the Commerce Department along with an unknown number of private companies. Solar Winds said the number of businesses affected might be as high as 18,000. Security consulting company FireEye was the first company that admitted they were hacked.

Then the government added the National Institutes of Health and DHS to the list of hacked organizations.

There are now reports that Microsoft was hacked, but Microsoft, is, for the moment, denying this.

The Department of Energy said that the National Nuclear Security Administration was hacked. The NNSA is responsible for the safety of the U.S. nuclear weapons stockpile. What could go wrong there? But, they say, not to worry. After the Russians had been rummaging around our stuff for 6-9 months, we took immediate action to mitigate the risk once we found out that we had been hacked.

Bloomberg says that three UNidentified states were also among the hacked, while the Intercept says that the Russians have been inside the City of Austin for months.

In the meantime, CISA, the security department inside Homeland Security, says that the attack poses a “grave risk” to the United States. They said the unnamed adversary, widely believed to be Russia, has demonstrated an ability to compromise software supply chains and that they likely had additional initial attack vectors besides Solar Winds.

This means that every company and not just the 18,000 Solar Winds customers need to be on high alert until we figure out the scope of the breach.

Tom Bossart, former national security advisor in the White House says this calls for immediate and decisive action by the President. But given that this White House seems incapable of saying anything bad about Putin, that is not likely to happen. CNN is reporting that the Department of Agriculture, Department of Defense and the US Postal Service were also invaded. At this point the White House has not said anything about this likely Russian hack.

But here is the scariest part.

How do you recover from this when you don’t know what is compromised and what is safe.

The only sure way to deal with this is to build an entirely new network with entirely new servers and other equipment side by side to the old network. Then you have to figure out if anything in the old network is salvageable. What is not repairable needs to be melted down.

This cannot be done cheaply and it cannot be done quickly.

The good news is that most of the companies and organizations that were affected were large and hence will be able to swallow the millions of dollars this will cost each organization. The government, of course, both prints money and taxes us, so they have no shortage of funds to repair this problem.

But lets assume that this is only the tip of the ice berg – that there were multiple attacks using multiple attack vectors. Then what?

I predict that most private industry companies do not know if their networks are currently compromised.

On top of this, it is unlikely that most organizations will ever be able to figure out what the Russians looked at. In part, this is due to the fact that logs are not tracking everything and also because it took so long to detect, many older log files have been erased.

This is, unfortunately, just the beginning. We will continue to update as this unfolds.

Major Software Supply Chain Attack

Solar Winds Software Compromised – Potentially 18,000 Enterprises Affected

Last week FireEye filed a report with the SEC saying that they had been hacked – by Russia and not China – and that the hackers got away with FireEye’s entire suite of offensive hacking tools. This is not exactly what you would want your adversary to have, but I kind of filed that away in the “interesting” category.

Over the weekend, I heard that the National Security Council convened at the White House because, reports said, that hackers had compromised the email services (Office 365, but this is not Microsoft’s fault) at both Treasury and Commerce. Okay, this is getting a little more interesting.

Information came out late yesterday that the hackers had been inside the email and networks of these agencies for many months (6-9 months) undetected.

Then the bombshell hit. The CEO of Solar Winds, one of the biggest network monitoring tool companies in the industry, said that hackers had compromised their software update process and had, somehow, managed to get several malicious updates to the Solar Winds Orion software digitally signed and distributed to almost 20,000 companies including almost every federal government agency and 495 of the Fortune 500. Not a good thing.

Earlier today we sent out an alert to our customers giving them as many details as we had (the initial alert said the attack was tightly targeted and then the Solar Winds CEO blew up that theory).

Right now what we know is that multiple government agencies have been compromised and likely even more private companies have also been compromised. Now that this is public, likely more agencies and companies will admit that they have been compromised.

If you are running Solar Winds high end ORION product and you have support, meaning that you get software updates, or you downloaded a new version in 2020. YOU SHOULD ASSUME THAT YOU HAVE BEEN COMPROMISED.

Chris Krebs, former director of DHS’ CISA said “if you run this product, assume you have been compromised and stand up your incident response team”. Hopefully you have not been, but hope is not a strategy.

If you are running different Solar Winds products, at least based on what we know know, you are not at risk.

I have no evidence that the White House’s continuous downplaying of Russia as an adversary is the reason for this attack, but it likely made them more brazen. In a web briefing I just attended, the speaker said that the attack code did not even slightly try to hide itself, which is certainly an indication that they were not very worried. On the other hand, the communications from the infected systems to the command center, while not cloaked, was very minimal, indicating that the attacker was concerned that its communications could give it away.

I know I continue to harp on supply chain risk, but this is a perfect example of the problem and in this case, it likely caused major damage to the United States – both at the government level and the private industry level. If the Russians had months to wander through the files and email communications of more than 10,000 enterprises, that is a problem.

If you do not have supply chain risk on your radar, now would be a good time to add it.

If you have questions or concerns, please contact us.