US Commerce, Treasury Hit in Network Intrusions - BankInfoSecurity.com

soworos.blogspot.com

3rd Party Risk Management , Critical Infrastructure Security , Cyberwarfare / Nation-State Attacks

SolarWinds: Flawed Updates in Orion Platform May be Source of Attacks
US Commerce, Treasury Hit in Network Intrusions
The U.S. Treasury. (Sealy J. via Wikipedia/CC)

Network intrusions at the U.S. Commerce department, the U.S. Treasury and FireEye may be linked to flawed updates in a network monitoring product called Orion, made by SolarWinds.

On Sunday, the U.S. Commerce Department confirmed it had been targeted by hackers, and the U.S. Treasury has also reportedly been struck.

Reuters first reported the incidents, with the Washington Post suggesting that a Russian group known as Cozy Bear, or APT29, is the source.

The Post reported last week the same group was behind an attack against computer security firm FireEye (see FireEye Says Nation-State Attackers Stole Pen Test Tools).

The Commerce Department says "we can confirm there has been a breach in one of our bureaus. We have asked CISA [Cybersecurity Infrastructure and Security Agency] and the FBI to investigate, and we cannot comment further at this time."

The Post reports that the National Telecommunications and Information Administration (NTIA), which advises the president on telecommunications issues, was also attacked. Reuters reports the attacks are considered so serious that the National Security Council held an emergency meeting on Saturday.

SolarWinds Connection

Aspects of the attacks are unclear, such as exactly what the attackers stole and the immediate impacts on U.S. national security. The New York Times reports that the attackers had access to the Treasury and Commerce departments' email systems.

Washington Post reporter Ellen Nakashima tweeted that sources indicated to her that Commerce, Treasury and FireEye were compromised via software called SolarWinds, which is an IT management platform. The Guardian writes that its sources indicated the hackers "have been able to trick the Microsoft platform's authentication controls."

On Sunday, SolarWinds disclosed that it is investigating a "potential vulnerability" that may be linked to software patches for its Orion network monitoring platform. The patches were released between March and June, according to a statement. It also mentioned FireEye.

SolarWinds was relisted on the New York Stock Exchange in 2018. (Source: SolarWinds).

"We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state," SolarWinds says. "We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community and other law enforcement to investigate these matters. As such, we are limited as to what we can share at this time."

SolarWinds' Orion platform is a way for IT shops to pull data from various systems and display it in one console. Such platforms are also used to control those systems.

If the vulnerability is confirmed, it could mean big problems for thousands of organizations. SolarWinds is a popular managed service provider that provides a range of tools and services for organizations to manage their IT infrastructure. Information security experts often warn of the danger and power of supply-chain attacks that employ flaws in widely-used software components or products.

According to its website, SolarWinds customers include the five branches of the U.S. military, the Pentagon, State Department, NASA, NSA, Postal Service, NOAA, the Justice Department and the White House. It also serves hundreds of other large companies, including 425 of the Fortune 500 companies.

SolarWinds' products have administrative access to organizations' networks, tweets Dmitri Alperovitch, the co-founder and former CTO of the computer security company CrowdStrike.

"Monday may be a bad day for lots of security teams," Alperovitch writes.

Network management systems such as Orion are prime targets for attackers since they may have access to all systems on a network, writes Jake Williams, a former operator with the National Security Agency and founder of the Atlanta-based security company Rendition Infosec, in a Twitter thread.

Even if a network management system only has read access, attackers that control one can still use it "to read configurations, which often include enough information for attackers to laterally move to those systems," he writes.

Williams advises that companies using network management software should closely monitor access to administrator interfaces and traffic going into the system. Indicators of compromise, which are forensic clues about attacks, should be released for the latest attacks within a few weeks. He warned that illicit access is serious.

"I'll close by reiterating that hitting an NMS like SolarWinds often gives attackers keys to the kingdom," Williams writes. "It's like domain admin++."
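The monitoring Williams recommends, watching who reaches the administrator interface of a network management system and from where, can be started with the NMS's own access logs. The following is an added example, not code from the article, SolarWinds or Williams; the log format, the management subnet, the known-admin list and the working-hours window are all constructed assumptions for illustration. It parses access-log lines and flags successful admin-interface events from outside the management subnet, logins by accounts not on the admin allowlist, logins outside working hours, and configuration exports.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines from a hypothetical NMS admin web interface log.
# These are not real SolarWinds/Orion logs; the format is an assumption.
SAMPLE_LOG = """\
2020-12-14T03:12:45Z src=10.10.5.23 user=netops-admin action=login result=success
2020-12-14T09:41:02Z src=10.10.5.40 user=netops-admin action=login result=success
2020-12-14T11:05:17Z src=203.0.113.77 user=svc_backup action=login result=success
2020-12-14T11:06:01Z src=203.0.113.77 user=svc_backup action=export_config result=success
2020-12-14T11:30:09Z src=10.10.5.23 user=netops-admin action=login result=failure
"""

# Management subnet from which admin access is expected (assumption).
MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]
# Accounts expected to use the admin interface (assumption).
KNOWN_ADMINS = {"netops-admin"}
# Hours (UTC) during which admin logins are routine (assumption).
WORK_HOURS = range(7, 19)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def in_mgmt_net(addr):
    """True if the source address falls inside one of the allowed management subnets."""
    return any(addr in net for net in MGMT_NETS)


def find_alerts(log_text):
    """Return (reason, raw_line) tuples for successful admin-interface events worth review."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["result"] != "success":
            # Unparseable lines and failed attempts are skipped here; a fuller
            # detector would count repeated failures separately.
            continue
        if not in_mgmt_net(ev["src"]):
            alerts.append(("source outside management subnet", raw))
        if ev["action"] == "login":
            if ev["user"] not in KNOWN_ADMINS:
                alerts.append(("login by account not on admin allowlist", raw))
            if ev["ts"].hour not in WORK_HOURS:
                alerts.append(("login outside working hours", raw))
        if ev["action"] == "export_config":
            alerts.append(("configuration export from admin interface", raw))
    return alerts


if __name__ == "__main__":
    for reason, line in find_alerts(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

On the constructed sample this yields five alerts: one off-hours login by the known admin, and four for the unknown account that logs in from outside the management subnet and then exports configuration, the kind of read access Williams notes can be enough for an attacker to pivot. Each rule is independent so that a single suspicious line produces every reason that applies.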

Investigation Underway

CISA says in a statement "we have been working closely with our agency partners regarding recently discovered activity on government networks."

"CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises," it says.

The intrusions come at a fragile and unstable time for the U.S., which is facing a dangerous surge in coronavirus cases and navigating a rocky presidential transition.

President Donald Trump's efforts to overturn the election on unverified claims of fraud have met repeated defeat in the courts. A lawsuit by Texas against four other states that aimed to throw out election results was unanimously rejected by the Supreme Court on Friday.

Further, Trump fired former CISA Director Christopher Krebs in November after claiming Krebs made false statements regarding the election. Krebs, as well as other government agencies and election officials, said the U.S. election was the most secure one ever held (see Analysis: Does Krebs' Firing Leave US Vulnerable to Attack?).

The election was free from successful cyberattacks, but experts have long kept a close eye on Cozy Bear. Cozy Bear is believed to be affiliated with Russia's SVR intelligence service. A long list of intrusions has been linked to Cozy Bear, including against Democratic National Committee officials in 2016.

In July, the U.S., U.K. and Canada also accused the group of targeting agencies and companies involved in Covid-19 research (see APT Groups Target Firms Working on COVID-19 Vaccines).

"network" - Google News
December 14, 2020 at 10:33AM
https://ift.tt/3mfSr6v