Enterprise security attackers are one password away from your worst day

If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.

Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.

Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes, and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.

Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cybersecurity industry must rethink its strategy to analyze how credentials are used and stop breaches before they become bigger problems.

It’s all about the credentials

Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the mid-pandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.

It only takes one compromised account for an attacker to enter Active Directory and create their own credentials. In such an environment, all user accounts should be treated as potentially compromised.

Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly used strategy is the credential stuffing attack, in which digital adversaries break in, exploit the environment, then move laterally to gain higher-level access.



US government strikes back at Kremlin for SolarWinds hack campaign

US officials on Thursday formally blamed Russia for backing one of the worst espionage hacks in recent US history and imposed sanctions designed to mete out punishments for that and other recent actions.

In a joint advisory, the National Security Agency, FBI, and Cybersecurity and Infrastructure Security Agency said that Russia’s Foreign Intelligence Service, abbreviated as the SVR, carried out the supply-chain attack on customers of the network management software from Austin, Texas-based SolarWinds.

The operation infected SolarWinds’ software build and distribution system and used it to push backdoored updates to about 18,000 customers. The hackers then sent follow-up payloads to about 10 US federal agencies and about 100 private organizations. Besides the SolarWinds supply-chain attack, the hackers also used password guessing and other techniques to breach networks.



Biden Administration to Impose Tough Sanctions on Russia

Administration officials were determined to draft a response that would impose real costs on Moscow, as many previous rounds of sanctions have been shrugged off.



Biden Names Chris Inglis to Be First National Cyber Director

Chris Inglis will be nominated to the new post as the president fills out his cybersecurity team and the U.S. considers responses to recent attacks.



Biden’s cybersecurity dream team takes shape

President Biden has named two former National Security Agency veterans to senior government cybersecurity positions, including the first national cyber director.

The appointments, announced Monday, land after the discovery of two cyberattacks linked to foreign governments earlier this year — the Russian espionage campaign that planted backdoors in U.S. technology giant SolarWinds’ software to hack into at least nine federal agencies, and the mass exploitation of Microsoft Exchange servers linked to hackers backed by China.

Jen Easterly, a former NSA official under the Obama administration who helped to launch U.S. Cyber Command, has been nominated as the new head of CISA, the cybersecurity advisory unit housed under Homeland Security. CISA has been without a head for six months after then-President Trump fired former director Chris Krebs, whom Trump had appointed to lead the agency in 2018, for disputing Trump’s false claims of election hacking.

Biden has also named former NSA deputy director John “Chris” Inglis as national cyber director, a new position created by Congress late last year to be housed in the White House, charged with overseeing the defense and cybersecurity budgets of civilian agencies.

Inglis is expected to work closely with Anne Neuberger, who in January was appointed as the deputy national security adviser for cyber on the National Security Council. Neuberger, a former NSA executive and its first director of cybersecurity, was tasked with leading the government’s response to the SolarWinds attack and Exchange hacks.

Biden has also nominated Rob Silvers, a former Obama-era assistant secretary for cybersecurity policy, to serve as undersecretary for strategy, policy, and plans at Homeland Security. Silvers was recently floated for the top job at CISA.

Both Easterly’s and Silvers’ positions are subject to Senate confirmation. The appointments were first reported by The Washington Post.

Former CISA director Krebs praised the appointments as “brilliant picks.” Dmitri Alperovitch, a former CrowdStrike executive and chair of Silverado Policy Accelerator, called the appointments the “cyber equivalent of the dream team.” In a tweet, Alperovitch said: “The administration could not have picked three more capable and experienced people to run cyber operations, policy and strategy alongside Anne Neuberger.”

Neuberger was replaced at the NSA by Rob Joyce, a former White House cybersecurity czar, who returned from a stint at the U.S. Embassy in London earlier this year to serve as the agency’s new cybersecurity director.

Last week, the White House asked Congress for $110 million in new funding for next year to help Homeland Security to improve its defenses and hire more cybersecurity talent. CISA hemorrhaged senior staff last year after several executives were fired by the Trump administration or left for the private sector.



Bring CISOs into the C-suite to bake cybersecurity into company culture

When you think of the core members of the C-suite, you probably think of the usual characters: CEO, CFO, COO and maybe a CMO. Each of these roles is fairly well defined: The CEO controls strategy and ultimately answers to the board; the CFO manages budgets; the CMO gets people to buy more, more often; the COO keeps everything running smoothly. Regardless of the role, all share the same objective: maximize shareholder value.

But the information age is shaking up the C-suite’s composition. The cyber market is exploding in an attempt to secure the modern enterprise: multicloud environments, data generated and stored faster than anyone can keep up with and SaaS applications powering virtually every function across the org, in addition to new types of security postures that coincide with that trend. Whatever the driver, though, this all adds up to the fact that cyber strategy and company strategy are inextricably linked. Consequently, chief information security officers (CISOs) in the C-suite will be just as common and influential as CFOs in maximizing shareholder value.

As investors seek outsized returns, they need to be more engaged with the CISO beyond the traditional security topics.

It’s the early ’90s. A bank heist. A hacker. St. Petersburg and New York City. Offshore bank accounts. Though it sounds like the synopsis of the latest psychological thriller, this is the context for the appointment of the first CISO in 1994.

A hacker in Russia stole $10 million from Citi clients’ accounts by typing away at a keyboard in a dimly lit apartment across the Atlantic. Steve Katz, a security executive, was poached from JP Morgan to join Citi as part of the C-suite to respond to the crisis. His title? CISO.

After he joined, he was told two critical things: First, he would have a blank check to set up a security program to prevent this from happening again, and second, Citi would publicize the hack one month after he started. Katz flew over 200,000 miles during the next few months, visiting corporate treasurers and heads of finance to reassure them their funds were secure. While the impetus for the first CISO was a literal bank heist, the $10 million stolen pales in comparison to what CISOs are responsible for protecting today.



The ‘Frankencloud’ model is our biggest security risk

Recent testimony before Congress on the massive SolarWinds attacks served as a wake-up call for many. What I saw emerge from the testimony was a debate on whether the public cloud is a more secure option than a hybrid cloud approach.

The debate shouldn’t surround which cloud approach is more secure, but rather which one we need to design security for. We — enterprise technology providers — should be designing security around the way our modern systems work, rather than pigeonholing our customers into securing one computing model over the other.

The SolarWinds attack was successful because it took advantage of a vast, intermixed supply chain of technology vendors. While there are fundamental lessons to be learned on how to protect the code supply chain, I think the bigger lesson is that complexity is the enemy of security.

The “Frankencloud” model

We’ve seen our information technology environments evolve into what I call a “Frankenstein” approach. Firms scrambled to take advantage of the cloud while maintaining their systems of record. Similar to how Frankenstein was assembled, this led to systems riddled with complexity and disconnected parts put together.

Security teams cite this complexity as one of their largest challenges. Forced to rely on dozens of vendors and disconnected security products, the average security team is using 25 to 49 tools from up to 10 different vendors. This disconnect is creating blind spots we can no longer afford to avoid. Security systems shouldn’t be piecemealed together; an organization’s security needs to be designed with one single point of control that provides a holistic view of threats and mitigates complexity.

Hybrid cloud innovations

We’re seeing hybrid cloud environments emerging as the dominant technology design point for governments, as well as public and private enterprises. In fact, a recent study from Forrester Research found that 85% of technology decision-makers agree that on-premise infrastructure is critical to their hybrid cloud strategies.

A hybrid cloud model combines part of a company’s existing on-premise systems with a mix of public cloud resources and as-a-service resources and treats them as one.

How does this benefit your security? In a disconnected environment, the most common path for cybercriminals to compromise cloud environments is via cloud-based applications, representing 45% of cloud-related incidents analyzed by our IBM X-Force team.

Take, for instance, your cloud-based systems that authenticate that someone is authorized to access systems. A login from an employee’s device is detected in the middle of the night. At the same time, there may be an attempt from that same device, seemingly in a different time zone, to access sensitive data from your on-premise data centers. A unified security system knows the risky behavior patterns to watch for and automatically hinders both actions. If these incidents were detected in two separate systems, that action never takes place and data is lost.

Many of these issues arise due to the mishandling of data through cloud data storage. The fastest-growing innovations to address this gap are called Confidential Computing. Right now, most cloud providers promise that they won’t access your data. (They could, of course, be compelled to break that promise by a court order or other means.) It also means malicious actors could use that same access for their own nefarious purposes. Confidential Computing ensures that the cloud technology provider is technically incapable of accessing data, making it equally difficult for cybercriminals to gain access to it.

Creating a more secure future

Cloud computing has brought critical innovations to the world, from the distribution of workloads to moving with speed. At the same time, it also brought to light the essentials of delivering IT with integrity.

Cloud’s need for speed has pushed aside the compliance and controls that technology companies historically ensured for their clients. Now, those requirements are often put back on the customer to manage. I’d urge you to think of security first and foremost in your cloud strategy and choose a partner you can trust to securely advance your organization forward.

We need to stop bolting security and privacy onto the “Frankencloud” environment that operates so many businesses and governments. SolarWinds taught us that our dependence on a diverse set of technologies can be a point of weakness.

Fortunately, it can also become our greatest strength, as long as we embrace a future where security and privacy are designed in the very fabric of that diversity.



Mimecast says SolarWinds hackers breached its network and spied on customers

Email-management provider Mimecast has confirmed that a network intrusion used to spy on its customers was conducted by the same advanced hackers responsible for the SolarWinds supply chain attack.

The hackers, which US intelligence agencies have said likely have Russian origins, used a backdoored update for SolarWinds Orion software to target a small number of Mimecast customers. Exploiting the Sunburst malware sneaked into the update, the attackers first gained access to part of the Mimecast production-grid environment. They then accessed a Mimecast-issued certificate that some customers use to authenticate various Microsoft 365 Exchange web services.

Tapping Microsoft 365 connections

Working with Microsoft, which first discovered the breach and reported it to Mimecast, company investigators found that the threat actors then used the certificate to “connect to a low single-digit number of our mutual customers’ M365 tenants from non-Mimecast IP address ranges.”



White House Weighs New Cybersecurity Approach After Failure to Detect Hacks

The intelligence agencies missed massive intrusions by Russia and China, forcing the administration and Congress to look for solutions, including closer partnership with private industry.



Why ‘blaming the intern’ won’t save startups from cybersecurity liability

SolarWinds is back in hot water after a shareholder lawsuit accused the company of poor security practices, which they say allowed hackers to break into at least nine U.S. government agencies and hundreds of companies.

The lawsuit said SolarWinds used an easily guessable password “solarwinds123” on an update server, which was subsequently breached by hackers “likely Russian in origin.” Former SolarWinds chief executive Sudhakar Ramakrishna, speaking at a congressional hearing in March, blamed the poor password on an intern.

There are countless cases of companies bearing the brunt from breaches caused by vendors and contractors across the supply chain.

Experts are still trying to understand just how the hackers broke into SolarWinds servers. But the weak password does reveal wider issues about the company’s security practices — including how the easily guessable password was allowed to be set to begin with.

Even if the intern is held culpable, SolarWinds still faces what’s known as vicarious liability — and that can lead to hefty penalties.



Chinese hackers targeted SolarWinds customers in parallel with Russian op

By now, most people know that hackers tied to the Russian government compromised the SolarWinds software build system and used it to push a malicious update to some 18,000 of the company’s customers. On Monday, researchers published evidence that hackers from China also targeted SolarWinds customers in what security analysts have said was a distinctly different operation.

The parallel hack campaigns have been public knowledge since December, when researchers revealed that, in addition to the supply chain attack, hackers exploited a vulnerability in SolarWinds software called Orion. Hackers in the latter campaign used the exploit to install a malicious web shell dubbed Supernova on the network of a customer who used the network management tool. Researchers, however, had few if any clues as to who carried out that attack.

On Monday, researchers said the attack was likely carried out by a China-based hacking group they’ve dubbed “Spiral.” The finding, laid out in a report published on Monday by Secureworks’ Counter Threat Unit, is based on techniques, tactics, and procedures in the hack that were either identical or very similar to an earlier compromise the researchers discovered in the same network.



Preparing for Cyberstrike on Russia, U.S. Confronts Hacking by China

The proliferation of cyberattacks by rivals is presenting a challenge to the Biden administration as it seeks to deter intrusions on government and corporate systems.



Thousands of Microsoft Customers May Have Been Victims of Hack Tied to China

The hackers started their attack in January but escalated their efforts in recent weeks, security experts say. Businesses and government agencies were affected.



China’s and Russia’s spying spree will take years to unpack

First it was SolarWinds, a reportedly Russian hacking campaign that stretches back almost a year and has felled at least nine US government agencies and countless private companies. Now it’s Hafnium, a Chinese group that’s been attacking a vulnerability in Microsoft Exchange Server to sneak into victims’ email inboxes and beyond. The collective toll of these espionage sprees is still being uncovered. It may never be fully known.

Countries spy on each other, everywhere, all the time. They always have. But the extent and sophistication of Russia’s and China’s latest efforts still manage to shock. And the near-term fallout of both underscores just how tricky it can be to take the full measure of a campaign even after you’ve sniffed it out.



For Biden, Deliberation and Caution, Maybe Overcaution, on the World Stage

But decisions come more quickly than they did in the Obama administration, when Mr. Biden, as vice president, complained about the endless meetings.



Microsoft says China-backed hackers are exploiting Exchange zero-days

Microsoft is warning customers that a new China state-sponsored threat actor is exploiting four previously undisclosed security flaws in Exchange Server, an enterprise email product built by the software giant.

The technology company said Tuesday that it believes the hacking group, which it calls Hafnium, tries to steal information from a broad range of U.S.-based organizations, including law firms and defense contractors, but also infectious disease researchers and policy think tanks.

Microsoft said Hafnium used the four newly discovered security vulnerabilities to break into Exchange email servers running on company networks, giving the attackers the ability to steal data from a victim’s organization — such as email accounts and address books — and to plant malware. When used together, the four vulnerabilities create an attack chain that can compromise vulnerable servers running on-premise Exchange 2013 and later.

Hafnium operates out of China, but uses servers located in the U.S. to launch its attacks, the company said. Microsoft said that Hafnium was the only threat group it has detected using these four new vulnerabilities.

Microsoft declined to say how many successful attacks it had seen, but described the number as “limited.”

Patches to fix those four security vulnerabilities are now out, a week earlier than the company’s typical patching schedule, usually reserved for the second Tuesday in each month.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” said Tom Burt, Microsoft’s vice president for customer security.

The company said it has also briefed U.S. government agencies on its findings, but that the Hafnium attacks are not related to the SolarWinds-related espionage campaign against U.S. federal agencies. In the last days of the Trump administration, the National Security Agency and the FBI said that the SolarWinds campaign was “likely Russian in origin.”



After Russian Cyberattack, Looking for Answers and Debating Retaliation

Key senators and corporate executives warned at a hearing on Tuesday that the “scope and scale” of the hacking of government agencies and companies, the most sophisticated in history, were still unclear.



SolarWinds hackers targeted NASA, Federal Aviation Administration networks

Hackers are said to have broken into the networks of U.S. space agency NASA and the Federal Aviation Administration as part of a wider espionage campaign targeting U.S. government agencies and private companies.

The two agencies were named by the Washington Post on Tuesday, hours ahead of a Senate Intelligence Committee hearing tasked with investigating the widespread cyberattack, which the previous Trump administration said was “likely Russian in origin.”

Spokespeople for the agencies did not immediately respond to a request for comment, but did not deny the breach in remarks to the Post.

It’s believed NASA and the FAA are the two remaining unnamed agencies of the nine government agencies confirmed to have been breached by the attack. The other seven include the Departments of Commerce, Energy, Homeland Security, Justice, and State, the Treasury, and the National Institutes of Health, though it’s not believed the attackers breached their classified networks.

FireEye, Microsoft, and Malwarebytes were among a number of cybersecurity companies also breached as part of the attacks.

The Biden administration is reportedly preparing sanctions against Russia, in large part because of the hacking campaign, the Post also reported.

The attacks were discovered last year after FireEye raised the alarm about the hacking campaign after its own network was breached. Each victim was a customer of the U.S. software firm SolarWinds, whose network management tools are used across the federal government and Fortune 500 companies. The hackers broke into SolarWinds’ network, planted a backdoor in its software, and pushed the backdoor to customer networks with a tainted software update.

It wasn’t the only way in. The hackers are also said to have targeted other companies by breaking into other devices and appliances on their victims’ networks, as well as targeting Microsoft vendors to breach other customers’ networks.

Last week, Anne Neuberger, the former NSA cybersecurity director who last month was elevated to the White House’s National Security Council to serve as the deputy national security adviser for cyber and emerging technology, said that the attack took “months to plan and execute,” and will “take us some time to uncover this layer by layer.”



Why Was SolarWinds So Vulnerable to a Hack?

It’s the economy, stupid.



Biden Tells Allies ‘America Is Back,’ but Macron and Merkel Push Back

All three leaders seemed to recognize, though, that their first virtual encounter was a moment to celebrate the end of the “America First” era.



Microsoft says SolarWinds hackers stole source code for 3 products

The hackers behind one of the worst breaches in US history read and downloaded some Microsoft source code, but there’s no evidence they were able to access production servers or customer data, Microsoft said on Thursday. The software maker also said it found no evidence the hackers used the Microsoft compromise to attack customers.

Microsoft released those findings after completing an investigation begun in December, after learning its network had been compromised. The breach was part of a wide-ranging hack that compromised the distribution system for the widely used Orion network-management software from SolarWinds and pushed out malicious updates to Microsoft and roughly 18,000 other customers.

The hackers then used the updates to compromise nine federal agencies and about 100 private-sector companies, the White House said on Wednesday. The federal government has said that the hackers were likely backed by the Kremlin.



Does the U.S. Need a Cyberdefense Czar?

Recent attacks on government and infrastructure networks reveal the inadequacy of America’s digital defenses.



White House Announces Senior Official Is Leading Inquiry Into SolarWinds Hacking

The announcement comes after the bipartisan leaders of the Senate Intelligence Committee criticized the administration for its disjointed response.



Bonus: Kara and Nicole Perlroth Debrief on Brad Smith

They also discuss U.S. cybersecurity priorities and where TikTok fits in.



On ‘Sway,’ Kara Swisher Talks to Microsoft’s Brad Smith

The president of Microsoft says “absolutely not” — at least when it comes to his company.



How the US Lost to Hackers

America’s biggest vulnerability in cyberwarfare is hubris.



SolarWinds patches vulnerabilities that could allow full system control

(Image credit: Getty Images)

SolarWinds, the previously little-known company whose network-monitoring tool Orion was a primary vector for one of the most serious breaches in US history, has pushed out fixes for three severe vulnerabilities.

Martin Rakhmanov, a researcher with Trustwave SpiderLabs, said in a blog post on Wednesday that he began analyzing SolarWinds products shortly after FireEye and Microsoft reported that hackers had taken control of SolarWinds’ software development system and used it to distribute backdoored updates to Orion customers. It didn’t take long for him to find three vulnerabilities, two in Orion and a third in a product known as the Serv-U FTP for Windows. There’s no evidence any of the vulnerabilities have been exploited in the wild.

The most serious flaw allows unprivileged users to remotely execute code that takes complete control of the underlying operating system. Tracked as CVE-2021-25274 the vulnerability stems from Orion’s use of the Microsoft Message Queue, a tool that has existed for more than 20 years but is no longer installed by default on Windows machines.


#biz-it, #exploits, #orion, #patches, #solarwinds, #tech, #vulnerabilities


Best practices as a service is a key investment theme to watch in 2021

Enterprise IT has been completely transformed by SaaS the past decade. Okta last week published a report that showed that the largest companies now use 175 apps, a doubling over the past few years. More professionals have more tools to do their jobs than ever before. It’s an explosion of creativity and expressiveness and operational latitude — but also a recipe for disaster.

It’s one thing to give people and businesses tools — and something else to train them to use those tools effectively. Worse, as the number and complexity of software has skyrocketed the past decade, it’s only become harder for end users to grapple with offering their customers the best possible experience.

That’s the opportunity for a range of new tools that are designed to guide — sometimes forcefully — people to use the software they have in the best possible way, in what you might dub “best practices as a service.” It’s software that is opinionated on what “best” looks like within its domain, and ensures that as many people follow that model as possible with minimal dissension. It’s simplicity-in-a-box for a complex world.

Let me give some examples from a few major fields of startups in e-commerce, security, web development and finally, in my chosen profession, writing to illustrate what I mean.

#checkout-com, #enterprise, #fast, #grammarly, #rapyd, #saas, #security-scorecard, #solarwinds, #textio, #venture-capital


Talent and capital are shifting cybersecurity investors’ focus away from Silicon Valley

Just when we thought things couldn’t get worse in 2020, we received the news on the SolarWinds hack and its impact on more than 18,000 businesses and potentially dozens of U.S. government agencies — including the departments of Commerce, Energy and Treasury.

We’re just beginning to understand the extent of their infiltration, but this story brings to light what the cybersecurity industry has already known: Solving the cybersecurity problem will take more time and resources than we are currently allocating.

Adding to the challenge, COVID-19 has created fertile ground for the acceleration of cyberattacks that are more sophisticated, dangerous and prevalent. In this dire setting, cybersecurity has become even more competitive and a national security imperative and created higher demand for new solutions.

This is something we all — enterprises, startups, government and investors — need to work together to solve. So, from the venture capital perspective, where are cybersecurity investments being made, and where is the talent coming from to help stem the onslaught of hacks?

California’s Silicon Valley has traditionally been the epicenter of cybersecurity innovation. It’s home to some of the largest cybersecurity companies including McAfee, Palo Alto Networks and FireEye, as well as more recent high flyers such as CrowdStrike and Okta, providing a robust talent base for many willing venture investors.

However, that’s rapidly changing. Cybersecurity expertise is now budding in new regions where there is talent and a hands-on recognition of the need for innovative solutions. In particular we are seeing growth in areas such as the East Coast of the U.S. and in Europe, led by the United Kingdom.

Investment in Silicon Valley cybersecurity startups remained flat in 2020 as we are seeing record venture funding of cybersecurity companies in these emerging regions. And the reasons why may mean better solutions to solve current and future cyber needs.

The emergence of a new cybersecurity ecosystem

A new generation of cyber-experienced practitioners coming from government and financial services is becoming the next generation of entrepreneurs. Fueling new innovation, this newest breed of cybersecurity startups is emerging in cities like New York, Washington, D.C. and London, away from Silicon Valley. An East Coast business like IronNet*, founded by former NSA director General Keith Alexander, is one example of this growing trend of new leaders coming from federal government backgrounds.

These new cybersecurity leaders with front-line experience are developing solutions that fix the problems they faced as customers and, thanks to COVID-19, are hiring the best talent to join them regardless of location. The pandemic has accelerated remote-working trends, opening up more location-flexible jobs in the cybersecurity industry. These companies are gaining advantages over their West Coast counterparts: the ability to recruit better talent, lower costs and closer proximity to customers and prospects.

#column, #computer-security, #crowdstrike, #cyberwarfare, #security, #solarwinds, #startups, #venture-capital, #venture-capital-investments


Security firm Malwarebytes was infected by same hackers who hit SolarWinds

(Image credit: Getty Images)

Security firm Malwarebytes said it was breached by the same nation-state-sponsored hackers who compromised a dozen or more US government agencies and private companies.

The attackers are best known for first hacking into Austin, Texas-based SolarWinds, compromising its software-distribution system and using it to infect the networks of customers who used SolarWinds’ network management software. In an online notice, however, Malwarebytes said the attackers used a different vector.

“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor,” the notice stated. “We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.”


#biz-it, #malwarebytes, #microsoft, #solarwinds, #supply-chain-attacks, #tech


SolarWinds malware has “curious” ties to Russian-speaking hackers

Image: A stylized skull and crossbones made out of ones and zeroes. (credit: Getty Images)

The malware used to hack Microsoft, security company FireEye, and at least a half-dozen federal agencies has “interesting similarities” to malicious software that has been circulating since at least 2015, researchers said on Monday.

Sunburst is the name security researchers have given to malware that infected about 18,000 organizations when they installed a malicious update for Orion, a network management tool sold by Austin, Texas-based SolarWinds. The unknown attackers who planted Sunburst in Orion used it to install additional malware that burrowed further into select networks of interest. With infections that hit the Departments of Justice, Commerce, Treasury, Energy, and Homeland Security, the hack campaign is among the worst in modern US history.

The National Security Agency, the FBI, and two other federal agencies last week said that the Russian government was “likely” behind the attack, which began no later than October 2019. While several news sources, citing unnamed officials, have reported the intrusions were the work of the Kremlin’s SVR, or Foreign Intelligence Service, researchers continue to look for evidence that definitively proves or disproves the statements.


#biz-it, #code, #malware, #policy, #solarwinds, #tech, #turla


Chris Krebs and Alex Stamos have started a cyber consulting firm

Former U.S. cybersecurity official Chris Krebs and former Facebook chief security officer Alex Stamos have founded a new cybersecurity consultancy firm, which already has its first client: SolarWinds.

The two have been hired as consultants to help the Texas-based software maker recover from a devastating breach by suspected Russian hackers, which used the company’s software to set backdoors in thousands of organizations and to infiltrate at least 10 U.S. federal agencies and several Fortune 500 businesses.

At least the Treasury, State and the Department of Energy have been confirmed breached, in what has been described as likely the most significant espionage campaign against the U.S. government in years. And while the U.S. government has already pinned the blame on Russia, the scale of the intrusions is not likely to be known for some time.

Krebs was one of the most senior cybersecurity officials in the U.S. government, most recently serving as the director of Homeland Security’s CISA cybersecurity advisory agency from 2018, until he was fired by President Trump for his efforts to debunk false election claims — many of which came from the president himself. Stamos, meanwhile, joined the Stanford Internet Observatory after holding senior cybersecurity positions at Facebook and Yahoo. He also consulted for Zoom amid a spate of security problems.

In an interview with the Financial Times, which broke the story, Krebs said it could take years before the hackers are ejected from infiltrated systems.

SolarWinds chief executive Sudhakar Ramakrishna acknowledged in a blog post that it had brought on the consultants to help the embattled company to be “transparent with our customers, our government partners, and the general public in both the near-term and long-term about our security enhancements.”

#chris-krebs, #computer-security, #cybercrime, #cyberwarfare, #data-security, #department-of-energy, #president, #russia, #security, #solarwinds, #startups, #texas, #the-financial-times, #trump, #u-s-government, #united-states


Decrypted: How bad was the US Capitol breach for cybersecurity?

It’s the image that’s been seen around the world. One of hundreds of pro-Trump supporters in the private office of House Speaker Nancy Pelosi after storming the Capitol and breaching security in protest of the certification of the election results for President-elect Joe Biden. Police were overrun (when they weren’t posing for selfies) and some lawmakers’ offices were trashed and looted.

As politicians and their staffs were told to evacuate or shelter in place, one photo of a congressional computer left unlocked still with an evacuation notice on the screen spread quickly around the internet. At least one computer was stolen from Sen. Jeff Merkley’s office, reports say.

A supporter of U.S. President Donald Trump leaves a note in the office of U.S. Speaker of the House Nancy Pelosi as the protest inside the U.S. Capitol in Washington, D.C, January 6, 2021. Demonstrators breached security and entered the Capitol as Congress debated the 2020 presidential election Electoral Vote Certification. Image Credits: SAUL LOEB/AFP via Getty Images

Most lawmakers don’t have ready access to classified materials, unless it’s for their work sitting on sensitive committees, such as Judiciary or Intelligence. The classified computers are separate from the rest of the unclassified congressional network and sit in designated sensitive compartmented information facilities, or SCIFs, in locked-down areas of the Capitol building.

“No indication those [classified systems] were breached,” tweeted Mieke Eoyang, a former House Intelligence Committee staffer.

But the breach will likely present a major task for Congress’ IT departments, which will have to figure out what’s been stolen and what security risks could still pose a threat to the Capitol’s network. Kimber Dowsett, a former government security architect, said there was no plan in place to respond to a storming of the building.

The threat to Congress’ IT network is probably not as significant as the ongoing espionage campaign against U.S. federal networks. But the only saving grace is that so many congressional staffers were working from home during the assault because of the ongoing pandemic, which yesterday set a daily record of almost 4,000 COVID-19 deaths in one day.


#data-security, #decrypted, #fireeye, #government, #national-security, #policy, #security, #solarwinds


DoJ says SolarWinds hackers breached its Office 365 system and read email

(Image credit: Gregory Varnum)

The US Justice Department has become the latest federal agency to say its network was breached in a long and wide-ranging hack campaign that’s believed to have been backed by the Russian government.

In a terse statement issued Wednesday, Justice Department spokesman Marc Raimondi said that the breach wasn’t discovered until December 24, which is nine days after the hack campaign came to light. The hackers, Raimondi said, took control of the department’s Office 365 system and accessed email sent or received from about 3 percent of accounts. The department has more than 100,000 employees.

Investigators believe the campaign started when the hackers took control of the software distribution platform of SolarWinds, an Austin, Texas-based maker of network management software that’s used by hundreds of thousands of organizations. The attackers then pushed out a malicious update that was installed by about 18,000 of those customers. Only a fraction of the 18,000 customers received a follow-on attack that used the backdoored SolarWinds software to view, delete, or alter data stored on those networks.


#biz-it, #doj, #hackers, #justice-department, #policy, #solarwinds, #tech


Russian-Owned Software Company May Be Entry Point for Huge U.S. Hacking

Russian hackers may have piggybacked on a tool developed by JetBrains, which is based in the Czech Republic, to gain access to federal government and private sector systems in the United States.

#computers-and-the-internet, #cyberattacks-and-hackers, #google-inc, #justice-department, #microsoft-corp, #national-security-agency, #russia, #solarwinds, #vmware-inc


Bucking Trump, NSA and FBI say Russia was “likely” behind SolarWinds hack

Image: Side view of colorful St. Basil’s Cathedral in Moscow on Red Square in front of the Kremlin, Russia. (credit: Getty Images)

Hackers working for the Russian government were “likely” behind the software supply chain attack that planted a backdoor in the networks of 180,000 private companies and governmental bodies, officials from the US National Security Agency and three other agencies said on Tuesday.

The assessment—made in a joint statement that also came from the FBI, the Cybersecurity and Infrastructure Security Agency, and the Office of the Director of National Intelligence—went on to say that the hacking campaign was a “serious compromise that will require a sustained and dedicated effort to remediate.”

Russia, Russia, Russia

The statement is at odds with tweets from US President Donald Trump disputing the Russian government’s involvement and downplaying the severity of the attack, which compromised the software distribution system of Austin, Texas-based SolarWinds and used it to push a malicious update to almost 200,000 of its customers.


#biz-it, #kremlin, #policy, #russia, #solarwinds, #supply-chain-attack, #tech


FBI, NSA say ongoing hacks at US federal agencies ‘likely Russian in origin’

The U.S. government says hackers “likely Russian in origin” are responsible for breaching the networks of at least 10 U.S. federal agencies and several major tech companies, including FireEye and Microsoft.

In a joint statement published Tuesday, the FBI, the NSA, and Homeland Security’s cybersecurity advisory unit, CISA, said that the government was “still working to understand the scope” of the breach, but that the breaches are likely an “intelligence gathering effort.”

The compromises are “ongoing,” the statement said.

The statement didn’t name the breached agencies, but the Treasury, State, and the Department of Energy are among those reported to be affected.

“This is a serious compromise that will require a sustained and dedicated effort to remediate,” the statement said. “The [joint agency effort] will continue taking every necessary action to investigate, remediate, and share information with our partners and the American people.”

News of the widespread espionage campaign emerged in early December after cybersecurity giant FireEye, normally the first company that cyberattack victims will call, discovered its own network had been breached. Soon after, it was reported that several government agencies had also been infiltrated.

All of the victims are customers of U.S. software firm SolarWinds, whose Orion network management tools are used across the U.S. government and Fortune 500 companies. FireEye said that hackers broke into SolarWinds’ network and pushed a tainted software update to its customers, allowing the hackers to easily break into any one of thousands of companies and agencies that installed the backdoored update.

Some 18,000 customers downloaded the backdoored software update, but the government’s joint statement said that it believes only a “much smaller number have been compromised by follow-on activity on their systems.”

Several news outlets have previously reported that the hacks were carried out by a Russian intelligence group known as APT 29, or Cozy Bear, which has been linked to several espionage-driven attacks, including attempting to steal coronavirus vaccine research.

Tuesday’s joint statement would be the first time the government acknowledged the likely culprit behind the campaign.

Russia had previously denied involvement with the hacks.


#computer-security, #computing, #cyberattack, #cybercrime, #cyberwarfare, #department-of-energy, #fireeye, #government, #information-technology, #network-management, #security, #software, #solarwinds, #u-s-government, #united-states


As Understanding of Russian Hacking Grows, So Does Alarm

Those behind the widespread intrusion into government and corporate networks exploited seams in U.S. defenses and gave away nothing to American monitoring of their systems.

#amazon-com-inc, #biden-joseph-r-jr, #computers-and-the-internet, #crowdstrike-inc, #cybersecurity-and-infrastructure-security-agency, #cyberwarfare-and-defense, #defense-department, #fireeye-inc, #foreign-intelligence-service-russia, #homeland-security-department, #microsoft-corp, #nakasone-paul-m, #national-security-agency, #solarwinds, #spaulding-suzanne-e, #state-department, #trump-donald-j, #united-states-international-relations, #us-federal-government-data-breach-2020, #warner-mark-r


Microsoft Says Russian Hackers Viewed Some of Its Source Code

The hackers gained more access than the company previously revealed, though the attackers were unable to modify code or access emails.

#computer-security, #cyberattacks-and-hackers, #cyberwarfare-and-defense, #microsoft-corp, #solarwinds, #us-federal-government-data-breach-2020


Russia Used Microsoft Resellers in Hacking

Evidence from the security firm CrowdStrike suggests that companies that sell software on behalf of Microsoft were used to break into Microsoft’s Office 365 customers.

#cloud-computing, #computer-security, #computers-and-the-internet, #crowdstrike-inc, #defense-department, #fireeye-inc, #microsoft-corp, #russia, #software, #solarwinds, #us-federal-government-data-breach-2020


With Hacking, the United States Needs to Stop Playing the Victim

The U.S. also uses cybertools to defend its interests. It’s the age of perpetual cyberconflict.

#central-intelligence-agency, #computer-security, #computers-and-the-internet, #cyberwarfare-and-defense, #espionage-and-intelligence-services, #national-security-agency, #russia, #solarwinds, #united-states-international-relations, #us-federal-government-data-breach-2020, #washington-dc


After the FireEye and SolarWinds breaches, what’s your failsafe?

The security industry is reverberating with news of the FireEye breach and the announcement that the U.S. Treasury Department, DHS and potentially several other government agencies, were hacked due (in part, at least) to a supply chain attack on SolarWinds.

These breaches are reminders that nobody is immune to risk or being hacked. I’ve no doubt that both FireEye and SolarWinds take security very seriously, but every company is subject to the same reality: Compromise is inevitable.

The way I judge these events is not by whether someone is hacked, but by how much effort the adversary needed to expend to turn a compromise into a meaningful breach. We’ve heard FireEye put effort and execution into the protection of sensitive tools and accesses, forcing the Russians to put stunning effort into a breach.

More evidence of FireEye’s dedication to security can be seen in the speed with which it moved to publish countermeasure tools. While the SolarWinds breach has had stunning immediate fallout, I’ll reserve opining about SolarWinds until we learn details of the whole event, because while a breach that traverses the supply chain should be exceedingly rare, such breaches will never be stopped entirely.

All this is to say, this news isn’t surprising to me. Security organizations are a top adversarial target, and I would expect a nation-state like Russia to go to great lengths to impede FireEye’s ability to protect its customers. FireEye has trusted relationships with many enterprise organizations, which makes it a juicy target for espionage activities. SolarWinds, with its lengthy list of government and large enterprise customers, is a desirable target for an adversary looking to maximize its efforts.

SolarWinds' hackers gained access to multiple federal agencies.

Image Credits: David Wolpoff

Hack SolarWinds once, and Russia gains access to many of its prized customers. This isn’t the first time a nation-state adversary has gone through the supply chain. Nor is it likely to be the last.

For security leaders, this is a good opportunity to reflect on their reliance and trust in technology solutions. These breaches are reminders of unseen risk debt: Organizations have a huge amount of potential harm built up through their providers that typically isn’t adequately hedged against.

People need to ask the question, “What happens when my MSSP, security vendor or any tech vendor is compromised?” Don’t look at the SolarWinds hack in isolation. Look at every one of your vendors that can push updates into your environment.

No single tool can be relied on to never fail.

You need to expect that FireEye, SolarWinds and every other vendor in your environment will eventually get compromised. When failures occur, you need to know: “Will the remainder of my plans be sufficient, and will my organization be resilient?”

What’s your backup plan when this fails? Will you even know?

If your security program is critically dependent on FireEye (Read: It’s the primary security platform), then your security program is dependent on FireEye implementing, executing and auditing its own program, and you and your management need to be okay with that.

Often, organizations purchase a single security solution to cover multiple functions, like their VPN, firewall, monitoring solution and network segmentation device. But then you have a single point of failure. If the box stops working (or is hacked), everything fails.

From a structural standpoint, it’s hard to have something like SolarWinds be a point of compromise and not have wide-reaching effects. But if you trusted SolarWinds’ Orion platform to talk to and integrate with everything in your environment, then you took the risk that a breach like this wouldn’t happen. When I think about utilizing any tool (or service), one question I always ask is, “When this thing fails, or is hacked, how will I know and what will I do?”

Sometimes the answer might be as simple as, “That’s an insurance-level event,” but more often I’m thinking about other ways to get some signal to the defenders. In this case, when SolarWinds is the vector, will something else in my stack still give me an indication that my network is spewing traffic to Russia?

Architecting a resilient security program isn’t easy; in fact, it’s a really hard problem to solve. No product or vendor is perfect, that’s been proven time and again. You need to have controls layered on top of each other. Run through “what happens” scenarios. Organizations focusing on defense in depth, and defending forward, will be in a more resilient position. How many failures does it take for a hacker to get to the goods? It should take more than one mishap for critical data to end up in Russia’s hands.

It’s critical to think in terms of probability and likelihood and put controls in place to prevent accidental changes to baseline security. Least privilege should be the default, and lots of segmenting should prevent rapid lateral motion. Monitoring and alerting should trigger responses, and if any wild deviations occur, the fail safes should activate. Run a red-team security program, see how well you stack up and learn from your mistakes.

Much was made of the security impacts of the FireEye breach. In reality, Russia already has tools commensurate to those taken from FireEye. So while pundits might like to make a big story out of the tools themselves, this is not likely to be reminiscent of other leaks, such as those of NSA tools in 2017.

The exploits released from the NSA were remarkable and immediately useful to adversaries, and those exploits were responsible for the temporarily increased risk the industry experienced after the Shadow Brokers hack — it wasn’t the rootkits and malware (which are what was stolen at FireEye). In the FireEye case, since it appears there were no zero-days or exploits taken, I don’t expect that breach to cause significant shockwaves.

Breaches of this magnitude are going to happen. If they’re something your organization needs to be resilient against, then it’s best to be prepared for them.

#collaborative-consumption, #column, #computer-security, #cybercrime, #cyberwarfare, #data-security, #fireeye, #opinion, #russia, #security, #solarwinds, #supply-chain-attack


Russia’s hacking frenzy is a reckoning

The attack hit multiple US agencies—and a full assessment of the damage may still be months away.

(Image credit: Andrew Harrer | Bloomberg | Getty Images)

Last week, several major United States government agencies—including the Departments of Homeland Security, Commerce, Treasury, and State—discovered that their digital systems had been breached by Russian hackers in a months-long espionage operation. The breadth and depth of the attacks will take months, if not longer, to fully understand. But it’s already clear that they represent a moment of reckoning, both for the federal government and the IT industry that supplies it.

As far back as March, Russian hackers apparently compromised otherwise mundane software updates for a widely used network monitoring tool, SolarWinds Orion. By gaining the ability to modify and control this trusted code, the attackers could distribute their malware to a vast array of customers without detection. Such “supply chain” attacks have been used in government espionage and destructive hacking before, including by Russia. But the SolarWinds incident underscores the impossibly high stakes of these incidents—and how little has been done to prevent them.


#biz-it, #fancy-bear, #hacking, #russia, #solarwinds


Bill That Trump Is Vowing to Veto Strengthens Hacking Defenses, Lawmakers Say

Additional powers to actively hunt down hackers across federal agencies could have given the government more of a chance to detect the recent Russia hack more quickly, they said.

#computer-security, #cybersecurity-and-infrastructure-security-agency, #cyberwarfare-and-defense, #espionage-and-intelligence-services, #gallagher-mike, #house-of-representatives, #king-angus-jr, #law-and-legislation, #senate, #solarwinds, #trump-donald-j, #united-states-politics-and-government, #us-federal-government-data-breach-2020, #vetoes-us


Microsoft is reportedly added to the growing list of victims in SolarWinds hack

Image: A cartoonish padlock photoshopped onto glowing computer chips. (credit: Traitov | Getty Images)

Microsoft was hacked by the same group that compromised the networks of software maker SolarWinds and multiple federal agencies, Reuters reported, citing people familiar with the matter.

Microsoft categorically denied the report. “We have no indication of this,” company President Brad Smith told New York Times reporter Nicole Perlroth. Perlroth said the company stood by a statement it issued on Sunday saying it had no indication of a vulnerability in any Microsoft product or cloud service in its investigations of the hacking campaign.

Citing the same people, Reuters said that after the hackers breached Microsoft, they used Microsoft’s own products in follow-on hacks against others. It wasn’t immediately clear how many Microsoft users were affected or what Microsoft products were used. Microsoft representatives didn’t immediately return an email seeking comment.


#biz-it, #hackers, #microsoft, #policy, #solarwinds, #tech


SolarWinds hack that breached gov networks poses a “grave risk” to the nation

Image: Stock photo of a glowing red emergency light. (credit: Getty Images)

The supply chain attack used to breach federal agencies and at least one private company poses a “grave risk” to the United States, in part because the attackers likely used means other than the SolarWinds backdoor to penetrate networks of interest, federal officials said on Thursday. One of those networks belongs to the National Nuclear Security Administration, which is responsible for the Los Alamos and Sandia labs, according to a report from Politico.

“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” officials with the Cybersecurity and Infrastructure Security Agency wrote in an alert. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.” CISA, as the agency is abbreviated, is an arm of the Department of Homeland Security.

Elsewhere, officials wrote: “CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”


#biz-it, #breaches, #policy, #software-supply-chain-attack, #solarwinds, #tech


Just how bad is that hack that hit US government agencies?

It’s the nightmare scenario that has worried cybersecurity experts for years.

Since at least March, hackers likely working for Russian intelligence have embedded themselves without detection inside the unclassified networks of several U.S. government agencies and hundreds of companies. Sen. Richard Blumenthal appeared to confirm in a tweet that Russia was to blame, citing a classified congressional briefing.

It began Tuesday with news of a breach at cybersecurity giant FireEye, which confirmed it was hacked by a “sophisticated threat actor” using a “novel combination of techniques not witnessed by us or our partners in the past.” The hackers, FireEye said, were primarily interested in information on its government customers, but they also stole the offensive hacking tools FireEye uses to stress-test its customers’ systems against cyberattacks.

Since the hackers had several months of undetected access to several federal agencies, it’s going to be virtually impossible to know exactly what sensitive government information has been stolen.

The FireEye breach was nothing short of audacious; FireEye has a reputation for being the first company that corporate cyberattack victims will call. But then the news broke that the U.S. Treasury, State, Commerce, the National Institute of Health and Homeland Security — the agency tasked with protecting the government from cyberattacks — had all been infiltrated.

Each of the victims has one thing in common: All are customers of U.S. software firm SolarWinds, whose network management tools are used across the U.S. government and Fortune 500 companies. FireEye’s blog explaining the breach — which didn’t say how it discovered its own intrusion — said the hackers had broken into SolarWinds’ network and planted a backdoor in its Orion software, which helps companies monitor their networks and fleets of devices, and pushed it directly to customer networks with a tainted software update.

SolarWinds said up to 18,000 customers had downloaded the compromised Orion software update, giving the hackers unfettered access to their networks, but that it was unlikely all or even most had been actively infiltrated.

Jake Williams, a former NSA hacker and founder of Rendition Infosec, said hackers would have gone for the targets that got their “biggest bang for their buck,” referring to FireEye and government targets.

“I have no doubt in my mind that had the Russians not targeted FireEye we would not know about this,” Williams said, praising the security giant’s response to the attacks. “We’re going to find more government agencies that were breached. They’re not detecting it independently. This only got discovered because FireEye got hit,” he said.

The motives of the hackers aren’t known, nor do we know yet if any other major private companies or government departments had been hacked. Microsoft on Wednesday seized an important domain used by the attackers, which may give the company some visibility into other victims that have been actively infiltrated.

Russia, for its part, has denied any involvement.


A far view of the Russian Foreign Intelligence Service (SVR) headquarters outside Moscow taken on June 29, 2010. Image Credits: Alexey SAZONOV/AFP via Getty Images

These kinds of so-called “supply chain attacks” are difficult to defend against and can be near impossible to detect. You might imagine someone sneaking a hardware implant into a device on the manufacturing line. In this case, hackers injected backdoor code in the software’s development process.

Supply chain attacks are rare but can have devastating consequences. Last year hackers broke into computer maker Asus’ network and similarly pushed a backdoor to “hundreds of thousands” of Asus computers through its own software update tool. The NotPetya ransomware attack that spread across the globe in 2017 spread by pushing malicious code through the update feature in a popular Ukrainian accounting software, used by almost everyone who files taxes in the country.

#computer-security, #fireeye, #government, #security, #solarwinds, #supply-chain-attack


How Many of Our Networks Do the Russians Control?

The magnitude of this national security hack is hard to overstate.

#computer-security, #computers-and-the-internet, #cybersecurity-and-infrastructure-security-agency, #defense-department, #espionage-and-intelligence-services, #falsification-of-data, #fireeye-inc, #politics-and-government, #russia, #solarwinds, #united-states, #united-states-politics-and-government


Hacked, Again

Undetected for months, a sophisticated hacking operation gave foreign agents access to the inner workings of American government. Who was behind it and why does it keep happening?

#computer-security, #computers-and-the-internet, #cyberattacks-and-hackers, #sanger-david-e, #solarwinds, #united-states