IEEE Cipher --- Items from security-related news (E159)

    Editor's note: There are several articles here about how the SolarWinds product Orion was used for backdoor access on customer networks. The actors behind the malware and its use have not been identified. Although the extent of the direct damage has not been revealed, the sophistication and pervasiveness of the attack signal a new era in software corruption and new challenges to protecting the software supply chain.

  • When SolarWinds Are Ill Winds

    What you need to know about the biggest hack of the US government in years.
    Russian agents are suspected in the Orion breach, which affected the treasury and commerce departments - and perhaps others.
    Publisher: The Guardian
    Date: 15 Dec 2020
    By: Kari Paul

    The US government's Departments of Commerce and Treasury are reeling from the discovery that thousands of their email accounts were subject to surveillance by an unknown party. The malware was introduced by a corrupted version of the SolarWinds network monitoring software. Many other non-government customers also downloaded the software.

    The Guardian article says that:

    FireEye described the malware's dizzying capabilities - from initially lying dormant up to two weeks to hiding in plain sight by masquerading its reconnaissance forays as Orion activity. SolarWinds is working with FireEye as well as the FBI, the intelligence community, and other law enforcement to investigate the breach, said Kevin Thompson, the CEO and president of SolarWinds.

    "We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation-state," SolarWinds' Thompson said. The key component of the vulnerability was a bogus DLL in the binary distribution of the software. How did that DLL get there? No one is saying, but if the technique is similar to the one described below, the DLL was inserted at SolarWinds itself and shipped in its trusted binary distribution.

  • SolarWinds Hack Becalmed
    Microsoft and industry partners seize key domain used in SolarWinds hack
    UPDATED: The seized domain has been turned into a killswitch to prevent the SolarWinds hackers from escalating infections and making new victims.
    Publisher: Zero Day
    By Catalin Cimpanu
    December 15, 2020

    Summary: The command and control server for the SolarWinds attack masqueraded as a DNS server, and it sent encoded instructions in the CNAME field. Microsoft took control of the server and watched incoming traffic in order to identify infected sites. Further examination of the malware revealed that the server could return an IP address that served as a "drop dead" signal to the malware. That has been implemented, and the attack seems to be vanquished.

    Editor's Note: This next article is interesting in that it seems to presage the type of attack perpetrated on SolarWinds software. Also note that the following article about evading detection mentions a known attack in September of 2019.

  • Supply Chain Hacking in 2019
    A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree
    A group of likely Chinese hackers has poisoned the software of at least six companies in just the past three years.
    By: Andy Greenberg
    Publisher: Wired
    Date: 05.03.2019

    Starting in 2017, security experts began noticing that some software distributions included code to contact mysterious remote servers using network packets that were ostensibly Domain Name System (DNS) lookups. In fact, they were the tip of a dangerous iceberg of malware.

    Games, network management tools, space management utilities, and a computer manufacturer's software updates were some of the six applications that appeared to have had backdoors installed by the same malicious hackers. Those backdoors were used sparingly as the hackers seemed bent on spying on a few selected users. The investigators did not feel that they had access to the full scope of the exploit because various stages of infiltration were used sparingly, probably in order to evade detection.

    Given the scope and variety of the attack, one would guess that the hackers were trying to get footholds into various software distributions in order to work their way up into a major distributor whose customers they considered high value targets. Perhaps that step-at-a-time approach was the pathway into the SolarWinds software distribution.

  • Covert Solar Ops
    Microsoft: This is how the sneaky SolarWinds hackers hid their onward attacks for so long
    The SolarWinds hackers put in "painstaking planning" to avoid being detected on the networks of hand-picked targets.
    Publisher: ZDNet
    By: Liam Tung
    Date: January 21, 2021

    The exploitation of the vulnerability introduced in the SolarWinds software was a campaign of stealth and evasion. Rather than greedily grabbing control of user accounts and files, the software relayed network data and waited for instructions to load modules that would penetrate further into the network. The loader kept its connection to the SolarWinds software obscure. Even if the loader were detected, the security administrators might not realize how it got onto their systems.

  • Tool for Discovering Malware in the Style of the SolarWinds Hack
    FireEye releases tool for auditing networks for techniques used by SolarWinds hackers
    New Azure AD Investigator is now available via GitHub.
    Publisher: Zero Day
    By: Catalin Cimpanu
    Date: January 19, 2021

    There is a free tool on GitHub for detecting traces of the SolarWinds Orion exploit. Produced by investigators at FireEye, the tool is based on the techniques that they originally used to reveal the existence of the malware. Similar tools have also been released by the US Cybersecurity and Infrastructure Security Agency (called Sparrow) and CrowdStrike (called CRT). For more depth, see the FireEye whitepaper "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452".

  • Shining in the Rain
    Fourth malware strain discovered in SolarWinds incident
    Symantec said it identified Raindrop, the fourth malware strain used in the SolarWinds breach, after Sunspot, Sunburst, and Teardrop.
    Publisher: Zero Day
    By: Catalin Cimpanu
    January 19, 2021

    This is a fairly comprehensive description of the mechanics of the software of the SolarWinds compromise. The build process for the Orion product had been modified by hackers to include their DLL for communicating with a command and control server, for installing additional packages, and for network monitoring. The hackers seem to have installed the add-ons only when they believed that high value targets were on the network. Only a few examples of the add-ons were found, and in some cases the method for their installation remains unknown.

  • Email Security Futility
    Email security firm Mimecast says hackers hijacked its products to spy on customers
    Publisher: Reuters
    By: Reuters Staff
    Date: January 12, 2021

    Summary: Mimecast provides email security services, but its product was manipulated to allow a third party to spy on its customers. Somehow, their certificate that authenticates the connection to Microsoft Cloud services was compromised. The compromise may have originated with the SolarWinds hack. As in that case, only a few customer accounts were targeted by the invaders.

  • Hacking Is Better Than Backdoors
    Not impregnable - How law enforcement gets around your smartphone's encryption
    Openings provided by iOS and Android security are there for those with the right tools.
    Publisher: Ars Technica
    Date: 1/15/2021
    By: Lily Hay Newman

    Johns Hopkins cryptographer Matthew Green has done extensive research to understand how encryption protects smartphones, and he reached an epiphany: "Now I've come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?" His team found that the strongest protections for the phones are only available under circumstances that the user might not fully appreciate. For example, an iPhone must be powered down in order to erase the access keys from memory.

  • Law Enforcement's Forensic Searches of Mobile Phones
    Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search Mobile Phones
    Publisher: Upturn
    By: Logan Koepke, Emma Weil, Urmila Janardan, Tinuola Dada, and Harlan Yu
    Date: October 2020

    The report examines public information about law enforcement's use of tools for obtaining total access to the data in a cellphone. In the past 5 years, this has been done hundreds of thousands of times. From the report:

    Every day, law enforcement agencies across the country search thousands of cellphones, typically incident to arrest. To search phones, law enforcement agencies use mobile device forensic tools (MDFTs), a powerful technology that allows police to extract a full copy of data from a cellphone - all emails, texts, photos, location, app data, and more - which can then be programmatically searched. As one expert puts it, with the amount of sensitive information stored on smartphones today, the tools provide a "window into the soul."

  • TLS + DNS < DNS
    The NSA warns enterprises to beware of third-party DNS resolvers
    Yes, plaintext DNS is insane, but encrypting it has its own tradeoffs.
    Publisher: Ars Technica
    By: Dan Goodin
    Date: 1/15/2021

    Although using TLS to encrypt DNS lookups seems to offer greater privacy, in practice it has the disadvantage of bypassing the enterprise's own network security tools. The technique might also rely on a third-party resolver that does not value the privacy of the requesters, thus undermining the advantages of using TLS in the first place.

    In light of the use of DNS to establish command and control communication for the SolarWinds malware, this warning from NSA is timely.

  • Whoa, Joe!
    Joe Biden's Peloton bike may pose cybersecurity risk, experts warn
    President reportedly starts each day with workout on exercise bike, which streams virtual group classes
    Publisher: The Guardian
    By: Martin Belam
    21 Jan 2021

    Joe Biden may be the oldest person to become US President, but he doesn't want to be the least fit. His morning exercise includes use of a Peloton bike that is normally connected to an online Internet class. Will the President disconnect and use the Peloton as an ordinary stationary bike, or will the White House cybersecurity team batten it down with firewalls? An anxious nation awaits the answer.