In the past two months alone, attacks against the sector soared 45% - more than double the rate of other sectors, Check Point says. Hospitals and other healthcare organizations bore the brunt of cyberattacks last year, all the while struggling to cope with the challenges posed by the COVID-19 pandemic. According to a new report this week from Check Point Software, attacks on healthcare entities worldwide jumped 45% in the past two months as attackers tried to take advantage of the pandemic by disrupting operations and extorting ransoms from organizations under tremendous pressure to provide uninterrupted services. The increase in attacks was, in fact, double the increase in cyberattacks on all other industries, Check Point says. On average, healthcare organizations experienced 626 attacks per week in November, compared with 430 attacks on average in the previous months. The most common attack vectors were ransomware, distributed denial-of-service (DDoS), botnets, and remote code execution attacks. Health organizations in Central Europe were hit particularly hard, Check Point's data shows. Attacks there increased 145% in November and December, followed by attacks on organizations in East Asia (137% increase), Latin America (112% increase), and Europe (67% increase). Attacks on North American healthcare organizations increased by 37%. At a country-specific level, Canada topped the list with a 200% increase in cyberattacks against hospitals and other healthcare entities. Check Point's latest statistics pertain to attacks the company detected and blocked specifically on networks belonging to its healthcare customers. But the trend is consistent with the alarming number of cyberattacks others have reported in recent months against the healthcare industry. According to Mimecast, for instance, 90% of healthcare organizations experienced email-borne attacks — the most common vector for phishing scams — last year.
The activity was especially heavy during the first 100 days of the COVID-19 outbreak, causing significant downtime for almost three-quarters of impacted organizations. Zscaler, meanwhile, counted a staggering 1.6 billion SSL-based attacks that targeted organizations in the healthcare sector between January and September 2020. That number represents 25.5% of all attacks delivered over encrypted channels during that time frame. Eighty-four percent of all encrypted threats blocked for the healthcare sector were malicious web content, says Deepen Desai, CISO and vice president of security threat research at Zscaler. Another major attack trend for the healthcare sector was a significant increase in the use of cloud storage service providers like Amazon Web Services, Google, Azure, and Dropbox to host malicious content used in attacks, he says. Attacks against the healthcare industry originating from cloud storage providers skyrocketed from around 55 million in April 2020 to some 396 million in September, according to Zscaler. Healthcare organizations were also among the most targeted in ransomware attacks last year. Researchers from Zscaler's ThreatLabZ observed a 500% increase in ransomware attacks delivered over encrypted channels between March and September 2020, with the healthcare sector being the second most targeted after the communication sector. Check Point reported a 71% increase in ransomware attacks against healthcare entities last October, making it the most heavily targeted sector for the month. Seventy-five percent of the attacks involved Ryuk — a ransomware family typically associated with targeted attacks. 
The surge in ransomware attacks against hospitals and other healthcare organizations last fall prompted the FBI, the Department of Health & Human Services, and the US Department of Homeland Security's US Cybersecurity and Infrastructure Security Agency to issue a joint advisory urging them to take immediate precautionary measures. The advisory warned healthcare entities about adversaries using Trickbot and BazarLoader malware to distribute ransomware to disrupt operations and to carry out data theft. "Malicious attacks across the healthcare sector throughout 2020 caused significant downtime for organizations, which resulted in productivity, data, and financial losses," says Matthew Gardiner, principal security strategist at Mimecast. There were many reports of disrupted operations and the delay of nonemergency services, which are both key to ongoing patient health and the financial health of providers, he notes.

Multiple Factors Drive Increase in Healthcare Cyberattacks

Security experts point to multiple factors for the recent surge in attacks against healthcare organizations. For cybercriminals — especially ransomware operators — healthcare entities are a perfect target not just for their sensitive data, but also for the fact that most organizations in the sector cannot afford any operational disruptions, especially in the middle of a pandemic. Security experts say cybercriminals perceive hospitals and other healthcare entities as generally more willing to accede to ransom demands because of the critical nature of their services. The pandemic and the general stress it has placed on provider organizations was a starting point for a lot of the increased attacker focus on healthcare entities, Gardiner says. "It is hard to prioritize IT and security when your ICU beds are filling up and planning around emergency expansions are taking priority," he says.
The shift to a remote work model for a lot of non-healthcare professionals, including IT and security personnel, also likely disrupted certain IT and security programs and operations, leaving organizations more vulnerable. The situation was likely exacerbated by the fact that the healthcare industry traditionally has lagged behind many other industries in IT. Zscaler's Desai says healthcare organizations often lack security controls that others have deployed and are often vulnerable to known issues. Prolonged FDA approvals also can hinder the adoption of more secure technology, making it harder for healthcare entities to implement new security controls. "For example, security in the healthcare sector is often hindered by legacy technology, with updates often delayed by prolonged FDA approvals," Desai says. They also face the challenge of preserving compliance with the security and privacy provisions of HIPAA while looking to migrate to potentially more secure channels for operation, he says. "Without unified controls and centralized visibility and policy enforcement, the healthcare industry will continue to face gaps in their security controls that will always draw the attention of cybercriminals," Desai notes. Other problems include the many years of underinvestment in modern security systems and IT applications and the huge variability in the size and scale of healthcare providers, Gardiner adds. "Small, regional healthcare providers lack the economies of scale of billion-dollar healthcare providers that help to afford the best security-related people, technology, and processes," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Global pandemic and the easy availability of for-hire services and inexpensive tool sets gave adversaries more opportunities to attack. The large-scale shift to remote work and the increased reliance on online services as the result of the global pandemic this year gave threat actors new opportunities to use distributed denial-of-service (DDoS) attacks to harass and extort organizations. Providers of DDoS mitigation services reported an overall increase in attack volumes, attack sophistication, and attack complexity in 2020 compared with prior years. Adversaries went after more organizations in more industries than ever before, and the motives for launching attacks became as varied as the attacks themselves. Tom Emmons, principal architect at Akamai, says the increased dependency on remote connectivity as a result of COVID-19 drove up risk levels overall and provided bad actors with more opportunities to monetize DDoS attacks. The barriers to entry for DDoS attacks also became extremely low, driven by tool-set improvements and the easy availability of for-hire services that allowed attackers to launch bigger and more consequential attacks, Emmons says. The combination of the two trends led not only to an increase in attacks but also, more interestingly, to a change in targets, he says. The evolving nature of DDoS attacks heightened the need for formal mitigation strategies at many organizations. "DDoS is a relatively simple attack to orchestrate since all public Internet-facing websites and services are sitting ducks," says Mark Kedgley, CTO at New Net Technologies (NNT). The best mitigation approaches continue to be the use of content distribution networks or Web application firewall technology to filter out malicious traffic. 
"The only real defense is using a reverse-proxy, content-distributed Web infrastructure that multiplies your Web presence and distributes access geographically while a mitigation process takes place to filter out the attack traffic," Kedgley says. Here are the major DDoS trends for 2020, according to Kedgley and other experts.

1) The Global Pandemic Drove a Sharp Increase in DDoS Attacks

Threat actors launched more DDoS attacks this year than ever before. Much of the increase was tied to the large-scale shift to remote work as a result of the global pandemic. Adversaries perceived more opportunities to attack organizations that suddenly were forced to support large distributed workforces and employees logging in from weakly protected home networks. "As a result of the pandemic, we saw an unprecedented number of systems going online, with corporate resources now in less-secure home environments, and a massive increase in the use of VPN technology," says Richard Hummel, threat intelligence lead at Netscout. Netscout's current projections forecast more than 10 million DDoS attacks in 2020, the most ever in a single year. In May 2020 alone, Netscout observed some 929,000 DDoS attacks, the largest ever in a 31-day period. During the height of the pandemic-related lockdown between March and June, the frequency of DDoS attacks increased 25% compared with the previous three-month period. The attacks consumed huge amounts of network throughput and bandwidth and increased costs for both Internet service providers and enterprises. Other vendors reported a similar increase in DDoS attack volumes. Nexusguard observed a 287% increase in attack volumes in the third quarter of 2020, with the online gaming and gambling community bearing the brunt of the attacks.
"Most recently, and as we headed into the holiday season primed with pent-up shopping demand driven by COVID restrictions, we again observed a significant uptick in both the number of DDoS attacks, up 65%, and the number of customers attacked, up 57%," says Roger Barranco, vice president of global security operations at Akamai. Contributing to the growth in attack volumes was the relatively easy availability of DDoS-for-hire services that allowed even novice threat actors to launch denial-of-service attacks. In many cases, it's likely that low-level threat actors carried out DDoS attacks because of low entry barriers and the potential for monetary gain, says Stefano De Blasi, threat researcher at Digital Shadows. "In 2017, the average cost of a DDoS service was around $25," De Blasi says. "In our recent analysis, similar services are available for an average of just less than $7," he says.

2) Extortion DDoS Attacks Increased in Number

For the most part, threat actors continued to use DDoS attacks for diversionary purposes more so than anything else. In many cases, DDoS attacks were used as a diversion for data exfiltration attempts, or for distributing malware on networks while defenders were busy mitigating a DDoS flood. At the same time, providers of DDoS mitigation services reported an increase in incidents where adversaries used large DDoS attacks — or threats of them — to try to extort organizations in multiple sectors. One example was a large, and still ongoing, campaign that Akamai and others first reported in August involving threat actors who identified themselves as belonging to previously known nation-state-backed groups: Fancy Bear, Lazarus Group, and the Armada Collective. The campaign targeted thousands of organizations in the financial services, e-commerce, and travel sectors and involved multivector DDoS floods, some of which peaked at around 200 Gbps.
Before the attacks began, the threat actors typically sent intended victims a ransom denial-of-service extortion email in which they claimed they would conduct a small DoS attack as proof of their capabilities. The email warned targets of substantially larger attacks if they weren't paid a ransom in six days. Most organizations that received the threatening emails crossed the six-day mark without further incident. A few, though — including some very prominent ones — experienced substantial operational issues as a result of follow-on attacks, according to an FBI advisory on the campaign. "At the end of the day, criminal actors are about one thing: money, money, and more money," says Akamai's Barranco. For DDoS in particular, adversaries are highly motivated to try extortion attempts to drive profits, he says. The fact that the DDoS extortion campaign that started in August is still ongoing indicates that threat actors are making money and that some victim organizations are paying the ransom, he says. "It's easy to foresee the problem continuing into 2021 unless arrests are made," he says. "Paying the threat actors just emboldens them and incentivizes their criminal endeavors."

3) Multivector Attacks Became More Common

DDoS attacks became faster and a lot more complex this year. Adversaries tried to overwhelm enterprise defenses with campaigns that combined multiple different attack vectors at the network, application, and data layers. An analysis of network data that Netscout conducted in 2020 found a 2,815% increase over 2017 in DDoS attacks using 15 or more attack vectors. The most common among them were attacks that abused protocols such as CLDAP and DNS as well as TCP, Chargen, MTP, OpenVPN, SNMP, SSDP, and BitTorrent. Other commonly used attack vectors included HTML, TFTP, Quake, NetBIOS, and IPMI. Netscout found that even as multivector attacks increased sharply, the number of single-vector DDoS attacks dropped 43% in the first half of 2020.
The average duration of DDoS attacks, too, was down 51% in the first half of 2020 compared with the same period the prior year, shortening the window for mitigation response. All of this equated to increased complexity for organizations and heightened risk of service downtime, customer churn, and increased network transit and mitigation costs, says Netscout's Hummel. "Cybercriminals pounced on pandemic-driven vulnerabilities, launching an unprecedented number of shorter, faster, more-complex attacks designed to increase ROI," Hummel says. According to Akamai, multivector attacks became so common in 2020 that some 33% of the attacks the company mitigated in the first half of the year involved three or more vectors.

4) DDoS Attacks Became Bigger

Most DDoS attacks in 2020 were relatively small in size, as they have been in recent years. Some 99% of the DDoS attacks that AWS mitigated on its network, for instance, were about 43 Gbps in size. However, at the same time, big attacks got bigger in 2020. In February, AWS reported blocking a CLDAP reflection attack with a peak volume of 2.3 Tbps, which was about 44% larger than any other attack the company had previously blocked. Before that incident, the largest DDoS attacks on AWS networks were less than 1 Tbps. In late May and continuing into June, Akamai reported mitigating a 1.44 Tbps attack that at its peak involved a staggering 809 million packets per second. The company described it as the largest and most sophisticated DDoS attack it had helped mitigate. "During the first half of 2020, it was all about large, complex attacks against customers in the financial services and hosting spaces," Barranco says. UDP reflection was by far the most commonly observed vector in large DDoS attacks, according to AWS. This included attacks such as NTP reflection, DNS reflection, and SSDP reflection attacks.
"Each of these vectors is similar in that an attacker spoofs the source IP of the victim application and floods legitimate UDP services on the Internet," AWS said in its threat landscape report for the first quarter of 2020. "Many of these services will unwittingly respond with one or more larger packets, resulting in a larger flood of traffic to the victim application." Hummel says the main factors that drove the bandwidth and throughput of DDoS attacks were attacker innovation and the continued development and deployment of insecure servers, services, and applications across the global Internet. Also contributing to the growing scale of DDoS attacks were the attempts by attackers to make use of both compromised servers and a group of reflectors located topologically near their targets, whenever possible, in order to get as much attack traffic as possible on target.

5) DDoS Attacks Targeted More Organizations Across More Industries Than Ever

Organizations within the online gaming and gambling communities once again tended to be the most frequently targeted in DDoS attacks. Seventy-seven percent of the DDoS attacks that Nexusguard observed in the third quarter were aimed at the gaming and gambling communities. However, in 2020 attackers also broadened their range of targets to include organizations in verticals such as e-commerce, healthcare, and educational services. With more people working, shopping, and studying online as a result of pandemic-related social distancing measures, attackers also turned their attention to websites belonging to delivery services firms, retailers, and organizations providing distance learning services. The attacker activity reflects the broader trend of threat actors moving beyond high-risk sectors commonly associated with DDoS attacks to a much wider set of industries and verticals to target for disruption, Barranco says.
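The reflection mechanism AWS describes has a defender-side signature: the victim receives answers from NTP, DNS, SSDP or CLDAP servers it never queried, because the requests carried its spoofed address. The following is an added example, not code from the article or from AWS, that flags such unsolicited reflector traffic in flow records; the record format, the five-second window and the byte threshold are assumptions, and the flows are constructed sample data.

```python
# Added example (not code from the article or from AWS): flag inbound UDP
# traffic from reflector service ports that the receiving host never asked
# for, the tell-tale of the spoofed-source reflection floods described above.
# Flow records are constructed sample data in a simplified NetFlow-like
# text form; the format, window and byte threshold are assumptions.
from collections import defaultdict
from dataclasses import dataclass

# Well-known UDP ports of the reflector services named in the article.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 389: "CLDAP"}


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds (constructed clock)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src>:<sport> -> <dst>:<dport> <proto> <bytes>'."""
    ts, src, _arrow, dst, proto, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(float(ts), sip, int(sport), dip, int(dport), proto, int(nbytes))


def unsolicited_reflection(flows, window=5.0, min_bytes=10_000):
    """Return {(victim_ip, service): bytes} for UDP traffic arriving from a
    reflector port when the victim sent no request to that reflector within
    `window` seconds beforehand.  A spoofed-source flood looks exactly like
    this from the victim's side: answers to questions it never asked."""
    # Outbound requests the host really made: (client, server, port) -> [ts]
    requests = defaultdict(list)
    for f in flows:
        if f.proto == "UDP" and f.dport in REFLECTOR_PORTS:
            requests[(f.src, f.dst, f.dport)].append(f.ts)

    totals = defaultdict(int)
    for f in flows:
        if f.proto != "UDP" or f.sport not in REFLECTOR_PORTS:
            continue
        sent = requests.get((f.dst, f.src, f.sport), [])
        if any(f.ts - window <= t <= f.ts for t in sent):
            continue  # genuine reply to a request this host actually sent
        totals[(f.dst, REFLECTOR_PORTS[f.sport])] += f.nbytes
    return {k: v for k, v in totals.items() if v >= min_bytes}


# Constructed sample: one genuine NTP exchange by 10.0.0.5, then a burst of
# NTP and SSDP "responses" to 198.51.100.7, which sent no requests at all.
SAMPLE_FLOWS = """\
100.0 10.0.0.5:51000 -> 203.0.113.10:123 UDP 48
100.1 203.0.113.10:123 -> 10.0.0.5:51000 UDP 48
200.0 192.0.2.11:123 -> 198.51.100.7:80 UDP 4400
200.0 192.0.2.12:123 -> 198.51.100.7:80 UDP 4400
200.1 192.0.2.13:1900 -> 198.51.100.7:80 UDP 3100
200.1 192.0.2.14:1900 -> 198.51.100.7:80 UDP 3100
200.2 192.0.2.15:1900 -> 198.51.100.7:80 UDP 3100
200.2 192.0.2.16:1900 -> 198.51.100.7:80 UDP 3100
"""


def analyze_sample(min_bytes=10_000):
    """Run the detector over the constructed flows."""
    flows = [parse_flow(line) for line in SAMPLE_FLOWS.splitlines()]
    return unsolicited_reflection(flows, min_bytes=min_bytes)


if __name__ == "__main__":
    for (victim, service), nbytes in sorted(analyze_sample().items()):
        print(f"{victim}: {nbytes} unsolicited bytes from {service} reflectors")
```

In the sample only the SSDP burst crosses the byte threshold; lowering it also surfaces the smaller NTP burst, while the genuine NTP reply to 10.0.0.5 is never flagged.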
"There was a major shift in DDoS trends where attacks were being spread out amongst multiple verticals versus, for example, last year the games vertical was targeted comparatively at a much higher level," he says. According to Akamai, the industries that experienced the biggest spike in DDoS attacks included the financial services sector, which saw a 222% year-over-year increase; the education sector, with a 178% jump; and the Internet and telecom sector, which experienced a 210% increase over 2019. In the week following Thanksgiving, financial services firms were more heavily targeted in DDoS attacks than even the online gaming companies, Barranco says. "Throughout 2020, DDoS threat actors [went] wider and deeper among a diverse array of industries than ever before," he notes.
Adversaries that successfully execute the attack can achieve persistent anytime, anywhere access to a victim network, security researchers say. The recently disclosed compromise at SolarWinds and the subsequent targeting of numerous other organizations have focused attention on a dangerous Active Directory Federation Services (ADFS) bypass technique dubbed "Golden SAML," which cybersecurity vendor CyberArk first warned about in 2017. The attack gives threat actors a way to maintain persistent access to all of an enterprise's ADFS federated services. This includes hosted email services, file storage services such as SharePoint, and hosted business intelligence apps, time-card systems, and travel systems, according to a blog post from Israel-based Sygnia. The attention that the SolarWinds campaign has drawn to the attack technique significantly raises the likelihood of adversaries leveraging it in future attacks, Sygnia said. "It is therefore highly advised that organizations move swiftly in taking the necessary steps to protect their [single sign-on] infrastructure and establish effective monitoring to detect and respond to such attacks." According to Sygnia, the Golden SAML technique involves the attackers first gaining administrative access to an organization's ADFS server and stealing the necessary private key and signing certificate. When a user at the victim organization attempts to access a federated service such as AWS or Microsoft 365, the service redirects the request to ADFS for authentication. Normally, the user would authenticate with ADFS, and ADFS would return a signed SAML response or token to the app or federated service via the user system. The app or federated service would check the response and allow the user to log in. In a Golden SAML attack, when the user attempts to access a service and the service redirects the request to ADFS for authentication, the attacker would forge a SAML response using the stolen key to gain unauthorized access.
The attack vector allows adversaries to gain access to critical infrastructure without requiring any additional access on the victim environment. Importantly, attackers will continue to have that access until the ADFS private key is invalidated and replaced — a task that would require altering or terminating connectivity to all federated systems, according to Sygnia. Arie Zilberstein, vice president of incident response at Sygnia, says ADFS servers are considered "tier-zero" infrastructure and are therefore usually well protected, requiring high privileges for access. "However, the threat actors in this case had a major advantage — the attack originated from SolarWinds," he says. "As SolarWinds Orion is an IT monitoring solution, it usually has access to high-privileged accounts and most servers in any environment, including ADFS." Zilberstein says the threat actors used Golden SAML in the post-exploitation phase after compromising the internal network and getting access to the ADFS environment on target victim networks. The goal was to establish persistent access to critical resources such as Microsoft 365. Stealing the signing certificate and private key from the ADFS servers gave the attackers anytime, anywhere access to the victim network regardless of additional access to the environment, he says. An advanced persistent threat (APT) group called Dark Halo (aka UNC2452), believed to be based in Russia, breached SolarWinds' software build system and injected a backdoor called Sunburst into updates of the company's Orion network management software. The updates were sent out to some 33,000 organizations worldwide, about 18,000 of which installed them on their systems. With a small subset of those organizations, the attackers used the Sunburst Trojan to download other malware for stealing data and conducting other forms of cyber espionage. A majority of the victims are believed to be technology companies, government organizations, contractors, and think tanks.
Among the known victims are the US Treasury Department, Microsoft, and security vendor FireEye. SolarWinds has said the attackers managed to poison Orion software updates that the company pushed out between March and June 2020. However, SecurityScorecard says its investigation shows evidence of a Trojanized backdoor in SolarWinds products as far back as October 2019, which means the breach was undetected for a significantly longer time than previously reported. Initially, it was believed that SolarWinds' Orion platform was the only initial access vector. However, late last week, the US Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) warned that it had evidence the APT group behind the SolarWinds attack had gained access to some networks using methods other than the tainted updates. The CISA, National Security Agency, and Microsoft also warned about the attackers bypassing multifactor authentication (MFA) on victim networks by stealing private keys for single sign-on and forging SAML tokens. In a rare emergency directive, the CISA said one of the ways the adversary was gathering information from victim networks after it had gained initial access was by gaining privileged access to Active Directory environments, compromising the SAML signing certificate, and then creating unauthorized authentication tokens for accessing federated services. The CISA has instructed all federal civilian agencies to disconnect their SolarWinds instances and not install any of the patches the company has issued, until further notice. It has also warned all federal civilian agencies not to configure SolarWinds software to implement SAML-based authentication using ADFS. "This configuration is currently being exploited by the threat actor associated with this activity," the CISA noted in its advisory.
CyberArk, which in 2017 released a tool that demonstrates how the attack works, has described Golden SAML as an attack vector that gives adversaries a way to gain persistent access with any privileges they desire to any application that supports SAML authentication, including AWS and Azure. The vendor has stressed that the attack vector does not rely on a security bug in SAML or with ADFS or any identity provider. Since it is an adversary with administrative access to the authentication environment that executes the attack, defenders can have a very difficult time spotting them, the security vendor has noted. "I do think this tactic will become more commonly used," says Shaked Reiner, principal cyber researcher at CyberArk Labs. "With more and more services being ported to the cloud, SAML has become the de facto authentication standard to establish trust between the cloud and on-premises services." Instead of settling on getting the domain's Kerberos local default account and forging any identity within that domain, attackers can steal the SAML token signing certificate and forge almost any identity across the entire organization. "After getting this certificate, it's a matter of signing a token for whatever identity the attackers desire, which is a rather easy process," Reiner says. The attack vector is problematic for defenders because it makes the use of MFA obsolete. Since users get a valid SAML token only after they've authenticated using MFA, attackers using Golden SAML can simply bypass that stage entirely, he says. "It allows them to go straight to forging an identity using the stolen certificate, without having to know the user password or have other authentication factors." Attackers can grant themselves any identity and permission they desire, he says. "No changes in users' credentials can help remediate this attack vector," Reiner notes. 
"Once attackers get a hold of the organization's SAML token signing certificate, this certificate must be changed in order to completely revoke the attackers' ability to use a Golden SAML." In its blog post, Sygnia described some measures that organizations can take to detect a Golden SAML attack. The detection measures are targeted at organizations with an on-premises ADFS environment. They include correlating login events with corresponding ADFS authentication events and identifying events involving the export of signing certificate from the ADFS server.
The attack on thousands of other companies is a "moment of reckoning" for governments and industry, the company's president says. Microsoft confirmed on Friday that its network was among the thousands infected with tainted software updates from SolarWinds, even as new data the company has released suggest the likely Russian actors behind the campaign were focused on a smaller set of targets than originally thought. Microsoft on Friday said that it had detected malicious SolarWinds binaries in its environment, which the company isolated and removed. However, the software giant denied a Reuters report on Thursday that claimed Microsoft's own products were then used to distribute malware to other organizations in much the same way SolarWinds' Orion network management product was abused. "We have not found evidence of access to production services or customer data," a Microsoft spokesman says. "Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others." The spokesman says the sources for the Reuters report were likely misinformed or were misinterpreting their information. SolarWinds on Monday disclosed that attackers had infiltrated its software build system and inserted malicious code into software updates that the company subsequently sent out to 33,000 organizations worldwide — about 18,000 of whom actually installed it. The company has said that updates it released between March and June 2020 were tainted. However, Cisco Talos on Friday said its investigation shows the attack appears to have been initiated as far back as February. "Compromised binaries appear to have been available on the SolarWinds website until very recently," the company said. Suspected victims include the US Treasury Department, the Justice Department, the Energy Department, and the National Nuclear Security Administration.
Security vendor FireEye and now Microsoft are two technology vendors that have confirmed they were breached via the tainted SolarWinds updates. FireEye discovered the intrusion and has attributed it to UNC2452, an advanced persistent threat (APT) actor that the company says it has not encountered previously. According to the vendor, the threat actor hid a Trojan dubbed SUNBURST in a digitally signed component in SolarWinds' Orion network management product that was then sent out to thousands of SolarWinds customers worldwide. Security vendor Volexity, meanwhile, has said the tactics, techniques, and procedures involved in the SolarWinds attacks are similar to those used by another threat actor it is tracking as Dark Halo. Microsoft president Brad Smith on Thursday said his company's analysis of the massive cyberattack shows the installation of SUNBURST gave the attackers an opportunity to exploit more than 17,000 organizations. However, the company's investigations so far show just 40 customers were "targeted more precisely and compromised through additional and sophisticated measures."

"Act of Recklessness"

About 80% of those compromised organizations are located in the United States, with the rest being scattered across seven additional countries: Canada, Mexico, Belgium, Spain, Israel, and the UAE. "It's certain that the number and location of victims will keep growing," Smith said in a company blog post. The initial list of victims includes organizations in the information technology sector, government, think tanks, and government contractors.

(Chart source: Microsoft)

Smith described the attack as a "moment of reckoning" for the government and industry. "The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the US government and the tech tools used by firms to protect them," he said.
Though there has been no confirmed attribution yet, many security experts and government officials have noted the attacks as being the work of an APT group with ties to Russia's intelligence apparatus. Indeed, a map that Smith posted identifying Windows Defender's customers that had installed the tainted versions of SolarWinds' Orion software showed victims scattered across many countries, but not one in Russia. "This is not 'espionage as usual,' even in the digital age," Smith warned. "Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world." An analysis of the attack that security vendor Kaspersky released Friday also suggested that the threat actors behind the campaign may really have been after only a relatively small subset of the thousands of organizations they had breached. Kaspersky said it had discovered the poisoned SolarWinds binaries on networks belonging to some 100 of the company's customers. In each case, the SUNBURST malware was designed to communicate information about the infected computer back to the attacker. Only if the attacker found the information interesting enough did they respond to the infected computer with a CNAME record pointing to a different second-level command and control server, the vendor said. "At the moment, what the actors were interested in remains one of the biggest mysteries," says Costin Raiu, head of Kaspersky's global research and analysis team. Available telemetry shows that the attackers are for sure interested in what appear to be high-profile government victims in various countries. They also appear to be interested in telecommunication companies, he says. "At the moment, we don't have enough data to fully comprehend the purpose of this operation and the goals, although more data becomes available every day, so the overall picture might improve as well."
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
New details continue to emerge each day, and there may be many more lessons to learn from what could be among the largest cyberattacks ever. Anxiety over the recent SolarWinds and US government cyberattack went up a notch Thursday when the DHS' Cybersecurity and Infrastructure Security Agency (CISA) warned the advanced persistent threat (APT) group behind the incident might be using multiple tactics to gain initial access into target networks. It was first widely thought that the likely Russia-backed threat actor was distributing malware to thousands of organizations worldwide by hiding it in legitimate updates to SolarWinds' Orion network management software. On Thursday, CISA said its analysis showed attackers may have also used another initial vector: a multifactor authentication bypass, done by accessing the secret key from the Outlook Web App (OWA) server. CISA pointed to an alert that Volexity issued earlier in the week, in which the security vendor noted this MFA bypass tactic was used in another attack involving the same intruder responsible for the SolarWinds campaign. News of at least one additional attack vector, and likely more, came as organizations and the industry as a whole struggled to come to terms with what is arguably among the most significant cyber incidents in recent years. The attackers who breached SolarWinds used the company's software updates — and now, according to CISA, other methods — to install a backdoor called SUNBURST on systems belonging to governments, defense and military entities, and numerous private sector companies. Victims of the campaign are thought to include the US Treasury Department, Department of Homeland Security, Justice Department, State Department, entities from all five branches of the US military, and several Fortune 500 companies. There were reports Thursday that the National Nuclear Security Administration and the Energy Department had also been breached in the campaign.
The breathtaking scope of this incident and the remarkable stealth with which it was executed have sparked considerable worry about the level of access the attackers may still have on target networks. With details around the attack still emerging, it is far too early to say with certainty what organizations should learn from the whole incident. Read on to learn five immediate issues the attacks have highlighted so far.
White House National Security Council establishes unified group to coordinate response across federal agencies to the threat.
Enterprises running the company's Orion network management software should assume compromise and respond accordingly, security experts say. News this week about a likely Russia-based threat actor infecting thousands of organizations with malware delivered via seemingly legitimate updates to SolarWinds' Orion network management product has stoked broad concerns across many fronts. The concerns are particularly high because victims of the campaign reportedly include the US Treasury Department, the Department of Homeland Security, the State Department, the Justice Department, and potentially entities from all five branches of the US military. Among others believed affected are numerous Fortune 500 companies — SolarWinds counts 499 of them as its customers. Security vendor FireEye uncovered the SolarWinds campaign when investigating a recent breach of its own network that resulted in several of its offensive hacking tools being stolen. As expected, the targeted attack has once again focused attention on the long-standing issue of supply chain and third-party security. It has also raised alarm about the extent to which Russian advanced persistent threat (APT) actors and threat actors from other countries may have insinuated themselves into, and are lurking on, US critical infrastructure and networks, ready to activate at a moment's notice.

Broad Impact

Network management products like Orion "have wide-ranging visibility and permissions across networked devices," says Mark Carrigan, chief operating officer at industrial security vendor PAS Global. In the industrial sector, hackers may be able to leverage the technology to gain access to business-critical industrial control system environments and move laterally across networked systems in order to steal data on industrial processes, chemical formulas, and other sensitive data.
Attackers could use their access to disrupt operations, causing production stoppages or, worse, safety and environmental incidents, Carrigan says. "Given the attribution of the attack to an advanced persistent threat backed by a major nation-state, it is likely that the hackers would have access to the necessary knowledge of industrial control system environments to exploit common 'insecure by design' practices," he warns. FireEye says its investigation shows the threat actor, which it's tracking as UNC2452, inserted a backdoor dubbed SUNBURST into a digitally signed component of SolarWinds' Orion network management product. The malware was concealed in legitimate updates to Orion that SolarWinds distributed between March and June of this year. SolarWinds says its investigation shows the updates were sent to about 33,000 of its approximately 300,000 customers worldwide. Some 18,000 of them downloaded the software, but it remains unclear how many of those organizations were actually targeted. The vendor released a patched version of its affected software on Monday and said an additional hotfix would be released on Dec. 15. However, as of late afternoon Dec. 15, that hotfix doesn't appear to have been released. FireEye's analysis of post-compromise activity showed that the SUNBURST malware lies dormant on victim systems for two weeks while it profiles the network and looks for malware detection mechanisms. Once active, the malware — which is actually a dropper — reaches out to remote, attacker-controlled systems to download additional payloads, one of which is Cobalt Strike's Beacon agent. Malware traffic is designed to blend in with legitimate SolarWinds activity, and the code itself hides in plain sight by using fake names and tying into legitimate components, FireEye says.

The Unknown Threat Actor

The security vendor has described UNC2452 as a threat actor that it has not encountered previously.
FireEye has released indicators of compromise (IoCs) and signatures so organizations can detect the threat. But so far it has not, publicly at least, attributed the attack to any specific nation-state sponsor. Numerous media reports, however, have pinned the campaign on APT29, or Cozy Bear, a group thought to be associated with Russia's intelligence apparatus. Paul Prudhomme, cyber-threat intelligence analyst at IntSights, says his firm has so far not been able to corroborate or independently verify the claimed attribution to state-sponsored Russian cyber-espionage groups. "But we do nonetheless find the claim credible and worthy of further consideration," he says. The campaign is consistent with what IntSights has observed with state-sponsored Russian actors, including the targeting of the US government, the tight operational security, and the generally high level of sophistication and tradecraft involved. At the same time, "technology supply chain compromises of this kind are more typical of Chinese cyber-espionage groups than their Russian counterparts," Prudhomme says. Meanwhile, security vendor Volexity said Monday that its analysis of the tactics, techniques, and procedures (TTPs) that FireEye released suggests the threat actor is a group that Volexity previously tracked as "Dark Halo." In a blog post, Volexity researchers described Dark Halo as a group they encountered while investigating three separate incidents at a US-based think tank in late 2019 and early this year. Volexity said it found multiple backdoors, malware implants, and tools that allowed Dark Halo to remain undetected on the think tank's network for multiple years.

Recommended Response

Security researchers this week stressed that just because an organization might have received tainted updates doesn't mean it was targeted.
Even so, the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) has ordered all federal civilian agencies to forensically image system memory and analyze stored network traffic for IoCs. It has also ordered all agencies to disconnect and power down Orion instances, block traffic to and from hosts running any version of SolarWinds, and look for and remove threat actor-controlled accounts and persistence mechanisms. "Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed," CISA has noted. Ben Johnson, former National Security Agency analyst and CTO and co-founder of Obsidian Security, says evidence of persistence and lateral movement will vary based on an organization's specific network architecture and configuration of its SolarWinds environment. "But you should immediately be investigating any logs you have — authentication and access logs, network flow logs, and others — for the servers running the backdoored version of Orion software first." He recommends that organizations look for evidence of the TTPs and IoCs published by other organizations that have done research into this issue, such as FireEye, Volexity, and Microsoft. "Create new detection/prevention rules for these IoCs in your SIEM and other systems. Also, rotate any user or service account credentials related to SolarWinds." In addition to looking for suspicious outbound connections, organizations should also look for malicious activity happening internally, Infocyte researchers said Monday. "For instance, FireEye also released information on SUPERNOVA, which is a custom .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler," they noted. Unlike SUNBURST, which makes outbound connections, SUPERNOVA allows inbound backdoor access to the SolarWinds management interfaces, they said.
How Did SolarWinds Get Breached?

With investigations still ongoing, there is some speculation around how threat actors managed to compromise SolarWinds' environment and poison the company's software updates. Details that SolarWinds has publicly released suggest that attackers gained access to the company's Orion software build system — or CI/CD development environment — using forged SAML authentication tokens that likely impersonated highly privileged accounts. Statements that SolarWinds and Microsoft have released suggest that the attackers were likely able to forge the tokens by first gaining access to the former's Microsoft 365 environment through a separate on-premises compromise. According to Volexity, its previous investigations of Dark Halo showed the group to be using a sophisticated method — involving the use of a secret Outlook Web App (OWA) key — to bypass multifactor authentication. Like other security vendors, Volexity has said its investigations have so far revealed no clues to Dark Halo's origin. The likelihood that the backdoor was inserted using a compromised build system is interesting and will be an attack vector to look out for next year, says Daniel Trauner, director of security at Axonius. "This is yet another case showing that failing to protect a modern build system — which often has its own keys, service accounts, and other sensitive features meant to allow for fully automated deployments — can lead to a severe compromise," Trauner says. Organizations should take extra care to protect and audit the usage of any software signing keys as well, especially within a build system, where security is not always a high priority, he says.
Nation-state attackers used poisoned SolarWinds network management software updates to distribute malware; US government orders federal civilian agencies to immediately power down the technology. In what may well turn out to be one of the most significant supply-chain attacks in recent years, a likely nation-state backed group compromised systems at SolarWinds and inserted malware into updates of the company's widely used Orion network management products that were released between March and June 2020. In total, about 33,000 of SolarWinds' 300,000 customers — which include numerous government agencies, 499 of the Fortune 500 companies, and over 22,000 managed service providers — could have potentially received the compromised software updates. Some 18,000 organizations worldwide may have actually installed the poisoned software on their systems, SolarWinds said in a SEC filing Monday. The filing suggested that attackers might have initially broken into SolarWinds' systems by compromising the company's emails and using that to access other data in its Microsoft Office 365 environment. Victims of the massive breach are believed to include the US Treasury Department, the National Telecommunications and Infrastructure Administration, and security vendor FireEye, which last week disclosed a breach involving the theft of the company's red team tools. In a measure of the widespread concern the breach has stoked, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive Sunday urging all federal civilian agencies using SolarWinds' Orion products to immediately power down or disconnect the technology. The Emergency Directive, only the fifth since 2015, described the SolarWinds compromise as posing an unacceptable risk to the security of federal networks. It ordered all federal civilian agencies to provide a report to CISA no later than 12:00 p.m. 
Eastern Standard Time Monday showing that they had shut down the SolarWinds Orion technology on their networks. In a security advisory, SolarWinds said software builds for versions 2019.4 HF 5 through 2020.1.1 of its Orion Platform released between March and June this year were impacted in the breach. The company asked its customers to immediately upgrade to Orion Platform version 2020.2.1 HF 1 where possible. An additional hotfix will likely be released on Dec 15, 2020, and the company released guidelines for organizations that cannot immediately apply the update. "Infecting the legitimate software updates of a widely used vendor can be an effective way to covertly inject malware into a large number of organizations," says Hank Schless, senior manager of security solutions at Lookout. "If successful, this form of supply chain attack can be used to attack an entire industry in one swoop." SolarWinds' recommendations for those who cannot immediately update are: ensure the Orion platform is installed behind firewalls, disable Internet access to the platform, and limit port access to only what is strictly necessary. In its security advisory, FireEye described several methods for detecting post-compromise activity on victim networks. These include querying Internet-wide scan data for malicious IP addresses that might be masquerading as an organization's legitimate IP addresses and geolocating IP addresses that are used for remote access. That will identify compromised accounts that are being used from different locations. The security vendor also recommended that organizations "use HX's LogonTracker module to graph all logon activity and analyze systems displaying a one-to-many relationship between source systems and accounts."

SUNBURST Malware

FireEye, which discovered the breach, said the actors behind it, tracked as UNC2452, had trojanized SolarWinds' Orion business software updates to distribute malware FireEye has dubbed SUNBURST.
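The logon-based hunting advice above (Ben Johnson's call to mine authentication logs for the Orion servers first, and FireEye's two heuristics: accounts used for remote access from different geolocations, and source systems with a one-to-many relationship to accounts) can be expressed as a small script. This is an added example, not code from the article, FireEye, CISA or SolarWinds; the log line format, host names, account names and the GeoIP table are all constructed for illustration.

```python
# Added example (not from the article or any vendor tool): two logon-log
# heuristics over constructed records. Each record means "a logon as `user`
# originated from `src_host` / `src_ip`". Real deployments would feed this
# from a SIEM export and a real GeoIP database.
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not real data).
SAMPLE_LOG = """\
2020-12-14T02:11:05Z src_host=orion-srv01 user=svc_orion src_ip=10.1.4.20 result=success
2020-12-14T02:11:40Z src_host=orion-srv01 user=backup_admin src_ip=10.1.4.20 result=success
2020-12-14T02:12:09Z src_host=orion-srv01 user=da_jsmith src_ip=10.1.4.20 result=success
2020-12-14T02:13:51Z src_host=orion-srv01 user=sql_svc src_ip=10.1.4.20 result=success
2020-12-14T08:30:00Z src_host=vpn-gw user=jdoe src_ip=203.0.113.5 result=success
2020-12-14T09:02:17Z src_host=vpn-gw user=jdoe src_ip=198.51.100.7 result=success
2020-12-14T09:15:00Z src_host=ws-0042 user=jdoe src_ip=10.2.7.31 result=success
2020-12-14T10:00:00Z src_host=ws-0042 user=jdoe src_ip=10.2.7.31 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src_host=(?P<src_host>\S+) user=(?P<user>\S+) "
    r"src_ip=(?P<src_ip>\S+) result=(?P<result>\S+)$"
)

# Constructed stand-in for a GeoIP database: network -> region label.
# TEST-NET ranges are used so nothing here points at a real location.
GEO_DB = {
    ipaddress.ip_network("10.0.0.0/8"): "corp-lan",
    ipaddress.ip_network("203.0.113.0/24"): "region-A",
    ipaddress.ip_network("198.51.100.0/24"): "region-B",
}


def geolocate(ip_str):
    """Map a source IP to a region label using the constructed GEO_DB."""
    ip = ipaddress.ip_address(ip_str)
    for net, region in GEO_DB.items():
        if ip in net:
            return region
    return "unknown"


def parse_events(text):
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def one_to_many_sources(events, min_accounts=3):
    """Source hosts that successfully logged on as >= min_accounts distinct
    accounts: the one-to-many relationship FireEye suggests graphing."""
    accounts = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            accounts[e["src_host"]].add(e["user"])
    return {h: sorted(a) for h, a in accounts.items() if len(a) >= min_accounts}


def multi_region_accounts(events):
    """Accounts whose successful remote logons (corp-lan excluded) come from
    more than one geolocation, i.e. the same credential used from several places."""
    regions = defaultdict(set)
    for e in events:
        if e["result"] != "success":
            continue
        region = geolocate(e["src_ip"])
        if region != "corp-lan":
            regions[e["user"]].add(region)
    return {u: sorted(r) for u, r in regions.items() if len(r) > 1}


def hunt(text):
    """Run both heuristics and return the findings keyed by heuristic name."""
    events = parse_events(text)
    return {"one_to_many": one_to_many_sources(events),
            "multi_region": multi_region_accounts(events)}


if __name__ == "__main__":
    for finding, hits in hunt(SAMPLE_LOG).items():
        for key, values in hits.items():
            print(f"[{finding}] {key}: {', '.join(values)}")
```

Hits from either heuristic are leads for the log review the text recommends, not proof of compromise; a jump host or a VPN concentrator will legitimately show one-to-many logons and should be baselined before alerting.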
Ben Read, senior manager of analysis at FireEye's Mandiant group, says UNC2452 is a distinct threat group that is not linked to any other tracked group at this time. The backdoor itself exists in a digitally signed component of the Orion software framework and is designed to communicate via HTTP to attacker-controlled servers. According to FireEye, once installed on a system via the SolarWinds update, the malware lies dormant for up to two weeks before it begins retrieving and executing commands. Its capabilities include the ability to transfer and execute files, profile systems, disable system services, and reboot an infected system. "The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity," FireEye said. The malware uses multiple techniques to identify anti-virus and other malware detection tools. FireEye CEO Kevin Mandia described the campaign as likely the work of a sophisticated state-sponsored threat actor with top-tier resourcing and operational skills. Some within the industry have pointed to Russian intelligence agencies as being behind the attacks. The attackers appear to have gone to significant lengths to observe traffic on victim networks and to blend signs of their own activity into normal network activity, Mandia said in a blog. The security vendor has released indicators of compromise and signatures for detecting SUNBURST threat activity on its public GitHub page. Matt Walmsley, EMEA director at Vectra, says the attackers likely manipulated Security Assertion Markup Language (SAML) authentication tokens used in Single Sign On to try to escalate privileges in the early stages of the campaign.
They could have then used the illicitly gained privileges to move to SolarWinds' Microsoft 365 instance and use the built-in tools there to set up new privileged accounts, define email routing rules, conduct reconnaissance, gather data from SharePoint and OneDrive repositories, and set up automated workflows for running such malicious activities autonomously. "IT administrators and security teams have access to highly privileged credentials as part of their legitimate work," Walmsley says. "Attacking the digital supply chain of their software tools is an attempt to gain penetration and persistence right at the heart of their operations." The SolarWinds breach is not the first time that attackers have broken into a technology vendor's software update servers and used them to distribute malware. In 2018, attackers behind a malware campaign dubbed Operation ShadowHammer broke into one such server belonging to Taiwanese hardware maker ASUS and used their access to distribute malware disguised as legitimate software updates to ASUS customers that had enabled automatic updates. Security vendor Kaspersky disclosed the breach in March 2019 and described it as impacting hundreds of thousands of ASUS users, though it actually targeted only a very small percentage of them. Security experts consider such attacks particularly dangerous because organizations often tend to treat patches, software updates, and other products from their technology vendors as trusted and secure. Very few actually go through the extra step of vetting updates or products from their trusted vendors for security issues, though experts have long cautioned they should. Ayal Yogev, CEO of Anjuna Security, says the targeting of SolarWinds' Orion technology is significant because hundreds of thousands of organizations in government, banking, healthcare, and other critical industries use it to monitor their networks.
"The technology is typically bought by network managers, and in many cases may be purchased online at a price that does not require standard software procurement practices," Yogev says. In fact, many organizations may not even realize they have it, he says. "The good news is that SolarWinds does not directly contain confidential information," he says. "The bad news is that it provides a map to many components in an enterprise that may have vulnerabilities."
Think like an attacker if you want to understand your attack surface, says security researcher at Black Hat Europe.