Summary:
The US government's Departments of Commerce and Treasury are reeling from the discovery that thousands of their email accounts were subject to surveillance by an unknown party. The malware was introduced by a corrupted version of the SolarWinds network monitoring software. Many other non-government customers also downloaded the software.

The Guardian article says that:

FireEye described the malware's dizzying capabilities - from initially lying dormant up to two weeks to hiding in plain sight by masquerading its reconnaissance forays as Orion activity. SolarWinds is working with FireEye as well as the FBI, the intelligence community, and other law enforcement to investigate the breach, said Kevin Thompson, the CEO and president of SolarWinds.

"We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation-state," SolarWind's Thompson said. The key component of the vulnerability was a bogus DLL in the binary distribution of the software. How did that DLL get there? No one is saying, but if it is similar to the technique described below, it happened with SolarWinds and was included in its trusted binary distribution.

Summary: The command and control server for the SolarWinds attack masqueraded as a DNS server, and it sent encoded instructions in the CNAME field. Microsoft took control of the server and watched incoming traffic in order to identify infected sites. Further examination of the malware revealed that the server could return an IP address that served as a "drop dead" signal to the malware. That has been implemented, and attack seems to be vanquished.

Summary:
Starting in 2017, security experts began noticing that some software distributions included code to contact mysterious remote servers by using network communication packets that were ostensibly for Domain Name Service (DNS) lookups. If fact, they were the tip of a dangerous iceberg of malware.

Games, network management tools, space management utilities, and a computer manufacturer's software updates were some of the six applications that appeared to have had backdoors installed by the same malicious hackers. Those backdoors were used sparingly as the hackers seemed bent on spying on a few selected users. The investigators did not feel that they had access to the full scope of the exploit because various stages of infiltration were used sparingly, probably in order to evade detection.

Given the scope and variety of the attack, one would guess that the hackers were trying to get footholds into various software distributions in order to work their way up into a major distributor with customers considered to be high value targets by the hackers. Perhaps that step-at-time approach was the pathway into the SolarWinds software distribution.

Summary:
The exploitation of the vulnerability introduced in the SolarWinds software was a campaign of stealth and evasion. Rather than greedily grabbing control of user accounts and files, the software relayed network data and waited for instructions to load modules that would penetrate further into the network. The loader kept its connection to the SolarWinds software obscure. Even if the loader were detected, the security administrators might not realize how it got onto their systems.

Summary:
There is a free tool on GitHub for detecting traces of the SolarWinds Orion exploit. Produced by investigators at FireEye, the tool is based on the techniques that they originally used to reveal the existence of the malware. Similar tools to the one FireEye released today have also been released by the US Cybersecurity and Infrastructure Security Agency (called Sparrow) and CrowdStrike (called CRT). For more depth, see FireEye Whitepaper: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452

Summary:
This is a fairly comprehensive description of the mechanics of the software of the SolarWinds compromise. The build process for the Orion product had been modified by hackers to include their DLL for communicating with a command and control server, for installing additional packages, and for network monitoring. The hackers seem to have installed the add-ons only when they believed that high value targets were on the network. Only a few examples of the add-ons were found, and in some cases the method for their installation remains unknown.

Summary: Mimecast provides email security services, but its product was manipulated to allow a third party to spy on its customers. Somehow, their certificate that authenticates the connection to Microsoft Cloud services was compromised. The compromise may have originated with the SolarWinds hack. As in that case, only a few customer accounts were targeted by the invaders.

Summary:
Johns Hopkins cryptographer Matthew Green has done extensive research to understand how encryption protects smartphones, and he reached an epiphany: "Now I've come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?" His team found that the strongest protections for the phones are only available under circumstances that the user might not fully appreciate. For example, an iPhone must be powered down in order to erase the access keys from memory.

Summary:
The report examines public information about law enforcement's use of tools for obtaining total access to the data in a cellphone. In the past 5 years, this has been done hundreds of thousands of times. From the report:

Every day, law enforcement agencies across the country search thousands of cellphones, typically incident to arrest. To search phones, law enforcement agencies use mobile device forensic tools (MDFTs), a powerful technology that allows police to extract a full copy of data from a cellphone - all emails, texts, photos, location, app data, and more - which can then be programmatically searched. As one expert puts it, with the amount of sensitive information stored on smartphones today, the tools provide a "window into the soul."

Summary:
Although using TLS to encrypt DNS lookups seems to offer greater privacy, in practice it has the disadvantage of bypassing network security tools. The technique might rely on a server that does not value the privacy of the requesters, thus undermining the advantages of using TLS in the first place.

In light of the use of DNS to establish command and control communication for the SolarWinds malware, this warning from NSA is timely.

Summary:
Joe Biden may be the oldest person to become US President, but he doesn't want to be the least fit. His morning exercise includes use of a Peloton bike that is normally connected to an online Internet class. Will the President disconnect and use the Peloton as an ordinary stationary bike, or will the White House cybersecurity team batten it down with firewalls? An anxious nation awaits the answer.