IEEE Cipher --- Items from security-related news (E159)
Editor's note: There are several articles here about how the SolarWinds product Orion was used for backdoor access to customer networks. The actors behind the malware and its use have not been identified. Although the extent of the direct damage has not been revealed, the sophistication and pervasiveness of the attack signal a new era in software corruption and new challenges for protection of the software supply chain.
Summary:
The US government's Departments of Commerce and Treasury are reeling
from the discovery that thousands of their email accounts were subject
to surveillance by an unknown party. The malware was introduced
by a corrupted version of the SolarWinds network monitoring software. Many
other non-government customers also downloaded the software.
The Guardian article says that:
FireEye described the malware's dizzying capabilities - from initially lying dormant up to two weeks to hiding in plain sight by masquerading its reconnaissance forays as Orion activity. SolarWinds is working with FireEye as well as the FBI, the intelligence community, and other law enforcement to investigate the breach, said Kevin Thompson, the CEO and president of SolarWinds.
"We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation-state," SolarWinds' Thompson said. The key component of the compromise was a bogus DLL in the binary distribution of the software. How did that DLL get there? No one is saying, but if the technique resembles the one described below, the DLL was inserted within SolarWinds' own build process and shipped in its trusted binary distribution.
Summary: The command and control server for the SolarWinds attack masqueraded as a DNS server, and it sent encoded instructions in the CNAME field. Microsoft took control of the server's domain and watched incoming traffic in order to identify infected sites. Further examination of the malware revealed that the server could return an IP address that served as a "drop dead" signal to the malware. That kill switch has been activated, and the attack appears to have been neutralized.
Summary:
Starting in 2017, security experts began noticing that some software
distributions included code to contact mysterious remote servers by
using network communication packets that were ostensibly for Domain
Name Service (DNS) lookups. In fact, they were the tip of a dangerous
iceberg of malware.
Games, network management tools, space management utilities, and a computer manufacturer's software updates were some of the six applications that appeared to have had backdoors installed by the same malicious hackers. Those backdoors were used sparingly, as the hackers seemed bent on spying on a few selected users. The investigators did not feel that they had seen the full scope of the operation, because the later stages of infiltration were deployed selectively, probably in order to evade detection.
Given the scope and variety of the attack, one would guess that the hackers were trying to get footholds into various software distributions in order to work their way up into a major distributor whose customers they considered high value targets. Perhaps that step-at-a-time approach was the pathway into the SolarWinds software distribution.
Summary:
The exploitation of the vulnerability introduced in the SolarWinds
software was a campaign of stealth and evasion. Rather than greedily
grabbing control of user accounts and files, the software relayed
network data and waited for instructions to load modules that would
penetrate further into the network. The loader kept its connection
to the SolarWinds software obscure. Even if the loader were detected,
the security administrators might not realize how it got onto their
systems.
Summary:
There is a free tool on GitHub for detecting traces of the SolarWinds
Orion exploit. Produced by investigators at FireEye, the tool is
based on the techniques that they originally used to reveal the existence
of the malware.
Similar tools to the one FireEye released today have also been
released by the US Cybersecurity and Infrastructure Security Agency
(called Sparrow) and CrowdStrike (called CRT).
For more depth, see
FireEye Whitepaper: Remediation and Hardening Strategies
for Microsoft 365 to Defend Against UNC2452
Summary:
This is a fairly comprehensive description of the mechanics of the
SolarWinds compromise. The build process for the Orion product had
been modified by the attackers to include their DLL, which communicates
with a command and control server, installs additional packages, and
monitors the network. The attackers seem to have installed the add-ons
only when they believed that high value targets were on the network.
Only a few examples of the add-ons have been found, and in some cases
the method of their installation remains unknown.
Summary: Mimecast provides email security services, but its product was manipulated to allow a third party to spy on its customers. Somehow, the certificate that authenticates its connection to Microsoft Cloud services was compromised. The compromise may have originated with the SolarWinds hack. As in that case, only a few customer accounts were targeted by the intruders.
Summary:
Johns Hopkins cryptographer Matthew Green has done extensive research
to understand how encryption protects smartphones, and he reached an
epiphany: "Now I've come out of the project thinking almost nothing is
protected as much as it could be. So why do we need a backdoor for law
enforcement when the protections that these phones actually offer are
so bad?" His team found that the strongest protections for the phones
are only available under circumstances that the user might not
fully appreciate. For example, an iPhone must be powered down in
order to erase the access keys from memory.
Summary:
The report examines public information about law enforcement's
use of tools for obtaining total access to the data in a cellphone.
In the past 5 years, this has been done hundreds of thousands of times.
From the report:
Every day, law enforcement agencies across the country search thousands of cellphones, typically incident to arrest. To search phones, law enforcement agencies use mobile device forensic tools (MDFTs), a powerful technology that allows police to extract a full copy of data from a cellphone - all emails, texts, photos, location, app data, and more - which can then be programmatically searched. As one expert puts it, with the amount of sensitive information stored on smartphones today, the tools provide a "window into the soul."
Summary:
Although using TLS to encrypt DNS lookups seems to offer
greater privacy, in practice it has the disadvantage of bypassing
the enterprise network security tools that inspect and filter DNS
traffic. The technique may also send queries to an outside resolver
that does not value the privacy of the requesters, thus undermining the
advantages of using TLS in the first place.
In light of the use of DNS to establish command and control communication for the SolarWinds malware, this warning from NSA is timely.
Summary:
Joe Biden may be the oldest person to become US President, but he
doesn't want to be the least fit. His morning exercise includes
use of a Peloton bike that is normally connected to an online Internet
class. Will the President disconnect and use the Peloton as an
ordinary stationary bike, or will the White House cybersecurity
team batten it down with firewalls? An anxious nation awaits the answer.