CyberWire Daily - CISA updates its alerts and directives concerning Solorigate as the investigation expands. Rioting, social media, and cybersecurity.
Episode Date: January 7, 2021. CISA updates its guidance on Solorigate, and issues an alert that the threat actor may have used attack vectors other than the much-discussed SolarWinds backdoor. Some reports suggest that a widely used development tool produced by a Czech firm may have been compromised. The cyberespionage campaign is now known to have extended to the Department of Justice and the US Federal Courts. Robert M. Lee shares lessons learned from a recent power grid incident in Mumbai. Our guest is Yassir Abousselham from Splunk on how attackers find new ways to exploit emerging technologies. Cyber implications of the Capitol Hill riot. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/4
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
CISA updates its guidance on Solorigate
and issues an alert that the threat actor may have used attack vectors other than the much-discussed SolarWinds backdoor.
Some reports suggest that a widely used development tool produced by a Czech firm may have been compromised.
The cyber espionage campaign is now known to have extended to the Department of Justice and the U.S. federal courts.
Robert M. Lee shares lessons learned
from a recent power grid incident in Mumbai.
Our guest is Yassir Abousselham from Splunk
on how attackers find new ways to exploit emerging technologies
and the cyber implications of the Capitol Hill riot.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, January 7th, 2021. CISA said late yesterday that it had determined that the threat actor behind the Solorigate incident used additional SAML attack vectors beyond the now well-known SolarWinds supply chain approach.
Alert AA20-352A reported that, quote,
CISA has evidence that there are initial access vectors other than the
SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors.
Specifically, we are investigating incidents in which activity indicating abuse of security
assertion markup language, that's SAML, tokens consistent with this adversary's behavior is present,
yet where impacted SolarWinds instances have not been identified, end quote.
We read the ambiguous phrase legitimate account abuse as meaning abuse of legitimate accounts.
It's the compromised accounts that are legitimate, not the abuse, which of course is never legitimate.
Yesterday's alert also addresses the finding
security firm Volexity reported last month. Volexity has also reported publicly that they
observed the APT using a secret key that the APT previously stole in order to generate a cookie to
bypass the Duo multi-factor authentication protecting access to Outlook web app.
Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise,
and the TTPs are consistent between the two.
This observation indicates that there are other initial access vectors
beyond SolarWinds Orion, and there may still be others that are not yet known.
End quote. So the campaign has long been regarded as complicated and sophisticated,
but the care and complexity of the threat actor's approach continue to come to light.
CISA has also updated Emergency Directive 21-01 to reflect what's now known about the campaign
and offering new guidance on effective remediation.
That guidance includes both forensic analysis and reporting requirements.
First, if there's no evidence of follow-on activity by the threat actor, it's time to rebuild.
As the directive puts it, quote,
Federal agencies without evidence of adversary follow-on activity on their networks
NSA has examined this version and determined that, quote, it eliminates the previously identified malicious code, end quote, and the upgraded version also includes other fixes
important to security going forward. Second, if an organization has evidence that the threat actor
has been back or has never left, they are to check in with CISA. Quote, federal agencies with evidence of follow-on threat actor activity on their networks should
keep their affected versions disconnected, conduct forensic analysis, and consult with
CISA before rebuilding or re-imaging affected platforms and host operating systems.
End quote.
It's an ongoing threat, of course, but it's also an opportunity to learn more about the adversary.
CISA didn't say so in yesterday's statements,
but the New York Times reports that both government investigators and private security firms
are now looking into the possibility that JetBrains, a Czech firm with researchers in Russia,
may have been an approach for the Solorigate attackers.
JetBrains would appear to be the Eastern European software company mentioned in reports earlier this week as possibly implicated in further supply chain compromises. The company makes
tools for developers, and those are used by developers in several large companies,
including SolarWinds. The tool of interest is JetBrains' TeamCity,
which developers use to test and exchange software code before releasing it.
TeamCity is widely used. JetBrains counts among its customers not only SolarWinds,
but also Google, Hewlett-Packard, Citibank, Siemens, VMware, and a great many Android developers.
JetBrains said in its blog that it hasn't been contacted by investigators.
It also says that it wasn't involved in any attack
and that its customers, including SolarWinds, hadn't complained of security issues.
The company does note that TeamCity is a complex product
that requires proper certification for secure and effective use.
The AP reports that the U.S. Department of Justice has confirmed that some of its systems,
although none that handle classified information, were compromised in Solorigate.
The compromise also extended to U.S. federal courts.
The Administrative Office of the U.S. Court says an apparent compromise
of the U.S. Judiciary's case management and electronic case file system is under investigation.
Rioters protesting the results of the 2020 U.S. presidential election rampaged through the U.S.
Capitol yesterday evening to protest the certification of the electoral votes that, now certified, have confirmed the victory of President-elect Biden.
Three aspects of the riot are of significance to cybersecurity.
First, there's the use of social media to incite the rioting. In this respect, President Trump has
come in for considerable criticism, as he has for weeks not only contested the fairness and
legitimacy of the election, as he's entitled to
do within reason, but also more recently encouraged demonstrators to come to Washington and express
their displeasure with the outcome. His last tweet yesterday urged demonstrators to be peaceful,
but that unfortunately seemed to have had little effect. The Wall Street Journal reports that
Twitter has suspended the president for the next few days,
and that Facebook has kicked him off its platforms, at least until he leaves office.
Second, there was apparently some use of social media to organize the riot,
including messages directing protesters down streets where they'd be less likely to be interdicted by police.
And finally, the physical ransacking of a place where there were computers
presents the possibility of physical destruction, theft, or compromise.
Some staffers evacuated their offices in such haste that machines were left on,
with emails and other material up on their screens.
And at least one senator reported the theft of a computer.
Reuters reports that Senator Jeff Merkley, Democrat of Oregon,
said that rioters took a laptop from a desk in his office.
Lest it be forgotten that riots are kinetic acts in the physical world, remember this.
In addition to the physical destruction at the Capitol itself,
one of the rioters was shot dead by police.
My guest today is Yassir Abousselham. He's Chief Information Security Officer at Splunk.
And he joins us today with some thoughts on what has his attention as 2021 is upon us.
Yassir, welcome to the show.
Thank you, David. Good to be here.
So 2021, first of all, I guess there's a lot of us who can probably agree that we're looking forward to having 2020 in our rearview mirror for many, many reasons. But as we are heading
into 2021 here, what sort of things have your attention?
What's caught your eye?
What do you think we need to be focused on?
Yeah, there's a few things, actually.
So if we think about this year, 2020, and extrapolate into 2021,
I think one thing that definitely catches my attention is the fact that remote work is here
to stay. That is one safe prediction that we can make. The second thing that is somewhat related
is the fact that hackers will continue capitalizing on the latest social and political issues.
Another thing that, in terms of predictions, I think we will see continue to rise is
attacks on the supply chain. And then lastly, digital transformation. I think what we have seen and
which will continue most likely into 2021 is this acceleration of digital transformation as a way for organizations to provide their employees
and customers with the services that they need to be effective.
So in terms of what we might expect from the attackers themselves, what sort of things
are on your radar there?
Yeah, I think the attackers will continue pursuing the shortest path to compromise.
And typically, that consists of using what I call the standard techniques to achieve that compromise.
And by standard techniques, I mean things like social engineering, i.e. phishing, fraud, and so on.
You have ransomware going after misconfigured or vulnerable infrastructure,
application layer attacks, and things like password spraying and credential stuffing.
So those are what I would call the standard attacks.
And that's what's being used on a day-to-day basis.
Typically, you put any kind of device or system on the internet,
and it will get scanned within minutes.
And then you have the more advanced attacks.
And that's what's being used by the well-funded, in some cases, nation state actors.
And they typically focus on or target supply chain.
They're able to acquire, weaponize, and use zero days.
You also see rampant use of either physical attacks,
extortion techniques, and so on.
That is not something that we see on a day-to-day basis,
but just some of these techniques that we should be aware of.
All right.
Yassir Abousselham, Chief Information Security Officer at Splunk.
Thanks so much for joining us.
Thank you for having me, Dave.
And joining me once again is Robert M. Lee.
He's the CEO at Dragos.
Rob, it's always great to have you back.
We recently had this story about a sizable power outage in Mumbai.
And I wanted to get your take on this because, as is always the case when these sorts of things happen, there is a certain group of people who want to point the finger at cyber. I wanted to get your take. Where do you think we stand here?
Sure. So I'll say so far that the folks that have seemed to have pointed the finger toward cyber have actually been those involved in the government, the state government in that region in India. So it always raises the level of discussion when you have alleged government-involved personnel.
Now, that being said, we have also seen before where government personnel have come out and
claimed cyber attacks as a relation to outages, and they were either wrong or they were purposely
misleading.
So a good example of folks that have been wrong before, and not to in any way make them feel bad,
but just for the purpose of education here, we've seen a good example is one of the Israeli energy ministers
came out at a conference they had and said, right now we have the worst cyber attack in history taking place
and it is taking place on the Israeli power grid.
What he actually meant to say was there was a phishing email to a PC
in a regulatory office completely disconnected from the electric grid
that somebody opened the email and it had ransomware on it.
Those two things are very different.
So capturing the nuance of things like electric power outages and cyber attacks can be difficult
for folks.
We've also had the malicious before, or I would say at least the intentionally misleading,
where we had government officials in Venezuela come out and blame the United States for cyber attacks taking down portions of their electric infrastructure when it was actually their mismanagement and under-resourcing of maintenance as related to some of their dam infrastructure.
So government being involved is interesting,
but not necessarily convincing.
So at the highest level, what I will say is
the individuals supposedly involved have said
there's going to be a government report coming out.
That's when people should look at it and take it for consideration and start digging into the details.
Prior to that report, there's nothing to dig into.
Anything at this point would just be speculation.
There's folks that could very reasonably try to argue that there's been conflict between China and India in the region.
We do expect to see cyber attacks on infrastructure in geopolitical tense times.
Saw that between Russia and Ukraine, Russia and Georgia, Russia and others.
We've seen it before around the world.
You also do accept, though, that India has had a number of maintenance issues on portions of their infrastructure before, and outages are pretty common.
Also, there's reason to take credit, or play the victim card, if you will, related to cyber attacks,
as we saw in Venezuela, versus admitting infrastructure problems.
So basically what I'm saying is everybody needs to dial it down.
There's nothing here that raises suspicion that there was a cyber attack. There's nothing here that dispels the idea that there could have been. So there's not a whole lot of details to this. Everyone just needs to wait. But until further information, I would put this in the camp of not very likely, but something to watch.
Now, a point that I've seen you make is that when these sorts of things happen, you know, people go looking through their systems. They go looking and almost looking for trouble. And so it's not unusual to find some malware in a system somewhere. But that doesn't necessarily mean that that bit of found malware was the thing responsible for this outage.
Absolutely. I guarantee if they go looking in their systems,
they will absolutely find malicious software somewhere
or scans from Chinese IP addresses
or something along those lines.
And the reality is, to exactly the point you just made,
incident responders, when they get involved,
are usually taking a much deeper look than day-to-day
security efforts. And that's obvious because day-to-day security efforts, you have so much
going on, you can't look deeply at everything. There's not enough time in the day. And when you
get sort of called in and told, here is a network segment, here are some key systems, look for
everything, you are going to find things that get missed. And we've seen this before, time and time again.
We've dealt with it in my firm in incident response cases
where folks will start to see artifacts of previous pen tests,
previous adversaries, random malware, etc.,
and start trying to correlate these to events they've had.
Oh, I remember there was something weird going on in the relay,
or there was an outage here that we couldn't really explain.
And I will challenge the community by saying,
we don't do good enough forensics and ICS or industrial control systems
to really prove those things very often.
That's a gap we have.
But also, we can't go the other direction and then correlate
things together just because they exist in the network. And too often, we see the opposite,
which is what I think might be happening here because the government personnel explicitly
mentioned that they did find malware on some of those systems. And the pure presence of malware means absolutely nothing.
All right, interesting perspective for sure. Robert M. Lee, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.