Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.
SolarWinds investigations have continued at pace, giving us lots of new developments. Haven’t heard about this attack? Here’s a quick recap from the last issue:
Attackers gained access to SolarWinds’ network and were able to insert a backdoor into their Orion IT monitoring platform. About 18,000 SolarWinds customers received this backdoored version of Orion, which gave the attackers a way into their systems. In the U.S., these customers included the Treasury, Commerce, and Homeland Security Departments. With the attack being traced to Russian state-backed hackers, it certainly isn’t a good look for the US.
What we learned this week
- FireEye, a large cybersecurity company, was the first organization to detect that they’d been targeted by the SolarWinds attack. This week they released a report detailing how they were compromised and what steps organizations need to take to defend themselves. They also released a tool that detects the techniques the attackers used, so other organizations can check whether they have been targeted.
- There’s a lot to take away from the report, but the main thing we learned is that there’s another piece of malware, called Raindrop, that the attackers used. Once the attackers had a backdoor into SolarWinds customers, they targeted a small subset of those customers with Raindrop. Raindrop installed a tool called Cobalt Strike; this is a legitimate tool used frequently by security testers that gives the user access to a large variety of attack capabilities. Attackers used this tool to breach the target’s Microsoft 365 environment, enabling them to read emails, send emails as arbitrary users, and access users’ calendars.
- Microsoft detailed the evasion tactics used by the SolarWinds hackers. These tactics enabled attackers to remain undetected on SolarWinds’ network for over a year. My highlights were:
  - Disabling security services on their targeted systems
  - Adding custom firewall rules that minimized any outgoing network packets. This meant that nothing abnormal was detected when attackers carried out actions that required lots of network activity.
- Malwarebytes, a provider of anti-malware software, confirmed that they were targeted by the SolarWinds attackers after finding evidence of the techniques described by FireEye.
Some terminology that might be handy
Security professionals love coming up with catchy names for malware, so here’s a guide to all the malware that we know was involved in the attack:
- Sunspot: The malware used to insert a backdoor into the SolarWinds Orion IT monitoring platform. Sunspot monitored processes involved with building new versions of Orion and replaced files to insert the backdoor.
- Sunburst: The name of the backdoor that was inserted into the Orion platform. This gave attackers access to 18,000 SolarWinds customers who were using a version of Orion infected with Sunburst.
- Raindrop: The malware used to install Cobalt Strike on targeted systems, enabling attackers to breach the organization’s Microsoft 365 environment.
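Sunspot worked by swapping source files while the Orion build was running. One defensive control this suggests is to hash the source tree before and after the build and fail the build if anything changed underneath the compiler. The code below is an added illustration written for this newsletter, not FireEye’s or SolarWinds’ code; the file names and the mid-build tampering are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Added illustration: a build-integrity check in the spirit of what Sunspot
# subverted. Snapshot the source tree before the build starts, snapshot it
# again when the build finishes, and refuse to ship if any source file changed
# while the build was running. File names below are constructed for the demo.

def snapshot(root: Path, suffixes=(".cs", ".csproj", ".c", ".h")) -> dict:
    """Map each source file (relative path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def diff_snapshots(before: dict, after: dict) -> dict:
    """Return files that were added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }

def build_was_tampered(before: dict, after: dict) -> bool:
    """True if anything in the source tree changed between the two snapshots."""
    return any(diff_snapshots(before, after).values())

def demo() -> dict:
    """Constructed scenario: one source file is replaced mid-build, as Sunspot did."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp)
        (src / "App.cs").write_text("class App { }\n")
        (src / "Util.cs").write_text("class Util { }\n")
        before = snapshot(src)
        # Simulate the tampering: a file is swapped while the "compiler" is running.
        (src / "Util.cs").write_text("class Util { /* injected */ }\n")
        after = snapshot(src)
        return diff_snapshots(before, after)

if __name__ == "__main__":
    print(demo())
```

In a real pipeline the "before" snapshot would be taken from the checked-out commit and compared against what the compiler actually consumed, so a modified file shows up as a build failure rather than a shipped backdoor.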
🔒 The US Makes Cybersecurity a Priority
The Biden administration’s proposed $1.9 trillion Covid-19 relief package includes $10 billion for improving federal cybersecurity. Funds would be used to modernize IT systems, pilot secure cloud-computing services and hire additional security experts. This level of investment is great for the industry, but whether the relief package manages to pass through the US Congress without that $10 billion figure being significantly reduced remains to be seen.
The Russian government also issued a security alert on Thursday warning of potential cyberattacks being launched by the US in response to SolarWinds.
🌐 Browser Updates
Chrome has officially ended support for Adobe Flash Player. Flash Player was used for viewing multimedia content online and at its peak was used on the websites of approximately 70 percent of Fortune 100 companies. However, due to advancing technologies and endless security problems, Adobe discontinued the product in December 2020. Apple and Mozilla have already stopped supporting Flash, with Microsoft’s Edge following later this month.
Another notable update in Chrome 88 is that it stops users from accessing FTP (File Transfer Protocol) links. FTP has been used for decades to help users send files over the internet. However, its use has declined as other sharing methods such as cloud storage have become increasingly common. Google says that ending support will help prevent downloads that may come from insecure locations.
The final security update in Chrome is the addition of new password features. Chrome will now allow users to easily check if any of their saved passwords are weak or have been breached. Users can do this through settings and will also be prompted after logging into a site.
Edge doesn’t like to be left out of the fun and is also introducing new password features, notably the Password Monitor feature Microsoft announced in March 2020. It will notify users if the credentials they've saved to autofill have been detected on the dark web and, if so, provide a notification inside the browser suggesting users take action.
📸 Not On Fleek
Fleek is an x-rated social media app that shut down in 2019. Any pictures shared on Fleek were supposed to be deleted after they were sent, but researchers from vpnMentor found more than 300,000 explicit user photographs from the defunct platform publicly accessible online. The pictures were found on a misconfigured Amazon Web Services S3 bucket, a widely used cloud storage solution.
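The usual way an S3 bucket ends up like this is an ACL grant or a bucket policy that lets anyone read objects. The code below is an added illustration for this newsletter, not vpnMentor’s or AWS’s code: it flags the two public group grantees and wildcard-principal Allow statements in the JSON shapes AWS returns. The sample ACL and policy documents are constructed for the example.

```python
import json

# Added illustration: audit an S3 bucket ACL and bucket policy for public read
# access. The group URIs and the Principal "*" form are the real AWS values; the
# sample documents at the bottom are constructed for this example.

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl: dict) -> list:
    """Return (group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings

def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy: dict) -> list:
    """Return Sids of unconditional Allow statements that any principal can use."""
    hits = []
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

# Constructed sample: the kind of ACL and policy that leaves a bucket world-readable.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.loads('{"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", '
                          '"Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}')

if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL), public_policy_statements(SAMPLE_POLICY))
```

Feed it the output of a GetBucketAcl and GetBucketPolicy call and anything it returns is a bucket that deserves a second look; a Condition on a statement narrows it and is deliberately not flagged here.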
💾 Intel Introduces Threat Detection Technology
Intel announced that its 11th Gen mobile processors will be sold with threat detection technology. Some malware impacts the performance of the CPU, ransomware being one example. Ransomware blocks access to a computer system until a sum of money is paid. It does this by encrypting all of the victim’s files, which requires very heavy CPU usage. Intel is planning to use machine learning to detect suspicious or abnormal behavior like this.
🔥 Rapid Fire
Some shorter stories…
- DuckDuckGo, a privacy-focused search engine that doesn’t collect user data, recorded more than 100 million daily search queries for the first time this week. Although this growth is significant, it’s still a small piece of the pie when compared to Google’s 5 billion daily search queries. Link.
- Twitter has introduced a new policy called the civic integrity policy. The policy sets out a framework for handling manipulation or interference with civic processes (e.g. elections and referendums) on the platform. Link.
- 23,000 computers provided to schoolkids by the UK government were infected with malware. The computers were provided to help children learn under lockdown. The malware (Gamarue) enabled remote access to affected systems. However, the malware is well known to anti-virus software, so running an up-to-date anti-virus scan should remove it. It is also suspected that the malware is now inactive as it hasn’t been widely detected since 2011. Link.
- The CHwapi hospital in Belgium was hit by a ransomware attack, continuing the trend of hospitals being targeted by ransomware gangs. About 20% of the hospital’s data, 100TB, was encrypted. Link.
- A simple Google search has exposed more than 1000 stolen credentials. Attackers stored the credentials online without realizing that if they can access them on the public web, then Google can too. This also shows how easy it can be to leave something publicly accessible that shouldn’t be. Link.
- A database of user data from clothing brand Bonobos was posted online. Attackers weren’t able to gain access to Bonobos’ internal systems but found a backup file that was stored externally on a cloud storage service. Link.
- Linux devices have been under attack by malware known as FreakOut. The malware aims to add infected devices to a botnet used for DDoS attacks and cryptocurrency mining. The malware has been targeting data storage, web portal, and website applications. Link.
  - DDoS Attack: Distributed denial-of-service attacks target websites and online services. The aim is to overwhelm them with more traffic than the server or network can accommodate, denying service to their legitimate users.
  - Botnet: a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge. One of the main uses of botnets is to carry out DDoS attacks, where all infected computers send network traffic to the same target.
🎯 New Vulnerabilities
The most interesting new vulnerabilities disclosed this week.
- Seven Dnsmasq vulnerabilities, collectively known as DNSpooq, were disclosed by the JSOF research lab. Dnsmasq has many functions but is most widely used to store responses to previously asked DNS queries in what’s known as a cache. These vulnerabilities could enable lots of different attacks, most interestingly DNS cache poisoning. In this attack, the address of a popular website in the cache could be replaced with an incorrect one, redirecting users to a malicious website. Link.
  - The DNS is the Domain Name System and can be thought of as the phonebook of the internet. It converts human-readable domain names like google.com into their numerical equivalents.
- Cisco patched 8 vulnerabilities in their SD-WAN software. The most serious vulnerability was in Cisco’s vManage software, used by organizations to manage the health and security of their network. The vulnerability allowed an attacker to gain access to the system and then issue their own commands as an administrator (commonly referred to as the root user). Link.
- SonicWall (a networking device maker) reported a security breach on Friday. Their statement said that their systems were targeted by exploiting probable zero-day vulnerabilities in certain SonicWall products. Patches for these vulnerabilities are not currently available, and SonicWall has advised users of its products of steps they can take until patches are available. Link.
  - Zero-day vulnerabilities are vulnerabilities that are unknown to the parties responsible for patching or fixing them. In this case, the vulnerabilities were unknown to SonicWall.
💭 Anything Else?
Other news, ideas, and insights from around the web that you might enjoy.
Benedict Evans on Online Speech and Publishing. Social media companies aren’t platforms, but they aren’t publishers… Ben argues that if we’re going to get anywhere, we need to start considering them as their own entity; rather than assigning one of our existing labels. Link.
Cybersecurity Market Insights is a newsletter simplifying the complexity of cybersecurity products for buyers and investors. Link.
Troy Hunt discusses disabling paste on password fields. If you disable pasting in password fields, most password managers no longer work… A great example of security theatre, where organizations claim to not allow pasting to “keep you more secure” but in fact just make their users more vulnerable. Link.
I did the unthinkable and looked back to 2020. Here’s a webcast on The Register by Sophos about the state of ransomware last year. My biggest takeaway was that very few companies are paying the ransoms, and if they did pay, it’s actually their cyber insurance company that’s paying (94%). This is why we’re seeing companies with ransomware insurance increasingly appear as targets. Link.
❤ Liked what you read?
Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!
If you’re that friend… Sign up here to receive CyberLite every week!
🎁 Wrapping Up
Thanks for reading, I’ll catch you next week!