DHS Cyber Warriors Issue Warning About Massive Hacking Campaign, Disclose They've Been Hacked A Day Later
from the holy-shit-this-is-bad dept
Welp. Everything is compromised. Again.
Reuters was the first to report suspected Russian hackers had gained access to hundreds of SolarWinds customers, including US government agencies.
Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments, according to people familiar with the matter, adding they feared the hacks uncovered so far may be the tip of the iceberg.
The cyber spies are believed to have gotten in by surreptitiously tampering with updates released by IT company SolarWinds, which serves government customers across the executive branch, the military, and the intelligence services, according to two people familiar with the matter. The trick - often referred to as a “supply chain attack” - works by hiding malicious code in the body of legitimate software updates provided to targets by third parties.
A full report by FireEye (which was also a victim of this hacking) details the process used to gain illicit access, which involved leveraging bogus signed components crafted by the hackers and distributed by an unaware SolarWinds.
The widespread hacking campaign may have begun as early as March of this year. That it was only discovered now means the fallout from this will continue for months to come.
We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.
Here's how the backdoor works, according to FireEye:
SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.
After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.
SolarWinds boasts over 300,000 customers, including 425 Fortune 500 companies, all ten of the top ten telcos, the Pentagon, State Department, NSA, DOJ, and the White House. Its long list of customers (which now returns a 404 error) all but ensures every passing hour will add another victim to the list.
-------------------------------------------------------------------------------------------------------------------------------
Mitigate SolarWinds Orion Code Compromise
dhs.gov
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise”.
SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems. Disconnecting affected devices, as described below in Required Action 2, is the only known mitigation measure currently available.
CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action
------------------------------------------------------------------------------------------------------------------------------
According to SolarWinds' post-attack-discovery SEC filing, it believes only a small percentage of its customers are affected. But even a fraction of its users is still a gobsmacking number of potential victims.
On December 13, 2020, SolarWinds delivered a communication to approximately 33,000 Orion product customers that were active maintenance customers during and after the Relevant Period. SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.
The attack is serious and widespread enough that the DHS's cybersecurity arm has issued a warning -- one that says the only proven way to mitigate damage at this point is to disconnect affected hardware from the internet and pull the plug on Orion software. The CISA (Cybersecurity and Infrastructure Security Agency) Emergency Directive says this is a persistent threat -- one not easily patched away
In addition to CISA, government officials also suspect breaches at the US Postal Service and the Department of Agriculture. And the Defense Department is in the process of assessing its own exposure, if any. If any of its components have been breached, it has yet to be publicly reported.
The Russian government is denying involvement, but the evidence seems to point to "Cozy Bear," the offensive hacking wing of Russia's intelligence services. Unfortunately, SolarWinds' dominance in the network management field made it that much easier for the attack to scale. And with CISA compromised, the government's attempts to mitigate damage will be slowed as its own cybersecurity wing attempts to rid itself of a persistent threat.
Filed Under: cisa, commerce department, hacking, russia, treasury, vulnerability
Companies: fireeye, solarwinds
Microsoft to quarantine SolarWinds apps linked to recent hack starting tomorrow
After only showing detection alerts, Microsoft moves to block trojanized SolarWinds apps from running, opening the door for some IT issues for some of its customers
No comments:
Post a Comment