Pete Recommends – Weekly highlights on cyber security issues, January 10, 2021

Subject: Investor launches class-action lawsuit against SolarWinds over hack
Source: FCW
https://fcw.com/articles/2021/01/04/solarwinds-hack-investor-lawsuit.aspx

An investor in SolarWinds today filed a class-action lawsuit against the company and two top executives claiming SolarWinds made “materially false and misleading statements” about its security measures. The plaintiff, Timothy Bremer, who filed the suit in a district court in Texas, cites reporting by Reuters that stated a security researcher alerted the company that its update server could be breached using the password “solarwinds123.” The story also quotes a separate cybersecurity executive saying, “days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.”

Despite this, the lawsuit claims, SolarWinds executives did not disclose the vulnerability to the public or its customers.


Subject: SolarWinds Hackers Got Into More Than 3,000 DOJ Email Accounts
Source: Gizmodo
https://gizmodo.com/solarwinds-hackers-accessed-more-than-3-000-doj-email-a-1846001981

While authorities said it doesn’t appear that classified information was viewed during the course of the DOJ breach, the news is still another startling example of just how massive this hack is—and how much is still unknown about its true extent. The news broke soon after a discovery made by security researchers and reported by Forbes that the servers of some 1,500 SolarWinds customers are still exposed to the internet, meaning they are vulnerable to hacking.

“At this point, the number of potentially accessed [Microsoft Office] mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted,” DOJ spokesperson Marc Raimondi said in a statement. The DOJ has some 115,000 employees, meaning approximately 3,500 email accounts were breached, Politico calculated.

The hack was discovered on Christmas Eve, when the agency’s Office of the Chief Information Officer (OCIO) “learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others.” After discovering the intrusions into its Office 365 accounts, the OCIO subsequently “eliminated the identified method by which” the hackers had gained entry, according to officials.


Subject: CISA: Hackers access to federal networks without SolarWinds
Source: FCW
https://fcw.com/articles/2021/01/07/cisa-usg-hack-new-vector.aspx

The Cybersecurity and Infrastructure Security Agency says it has evidence that hackers are breaching the federal government’s networks by other paths than the recently discovered vulnerabilities in SolarWinds Orion.

“Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified,” according to updated guidance published Wednesday. “CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs).”

Characteristics such as SAML tokens having a 24-hour validity period or not containing multi-factor authentication details where expected are red flags.

CISA’s new guidance appears to confirm that suspicion, stating Microsoft, which is helping the federal government investigate the hack, reported the hackers are tampering with the trust protocols in Azure/Microsoft 365.

“Microsoft reported that the actor has added new federation trusts to existing on premises infrastructure,” according to the agency’s guidance. “Where this technique is used, it is possible that authentication can occur outside of an organization’s known infrastructure and may not be visible to the legitimate system owner.”


Subject: State Department Approves Creation of Cyber Bureau
Source: Nextgov
https://www.nextgov.com/cybersecurity/2021/01/state-department-approves-creation-cyber-bureau/171276/

Secretary of State Mike Pompeo approved the creation of a new bureau within the department to lead diplomatic efforts on cybersecurity and emerging technology issues.

According to a State Department announcement Thursday, the bureau stems from a “need to reorganize and resource America’s cyberspace and emerging technology security diplomacy” in response to national security threats posed by China, Russia, Iran, North Korea and other actors.

The bureau came under scrutiny in September 2020 following an investigation by the Government Accountability Office. The audit found the State Department didn’t consult with other agencies, including the Department of Homeland Security, in developing plans for the new bureau. In addition, the audit found poor cyber coordination across government.


Subject: Report Details Space Force Success in Foiling Iranian Missile Attack
Source: Washington Free Beacon
https://freebeacon.com/national-security/report-details-space-force-success-in-foiling-iranian-missile-attack/

A review of the events of January 7, 2020, reported by C4ISRNET indicates that the newly created Space Force’s early warning system allowed hundreds of Americans to quickly shelter in bunkers as Iran fired over a dozen ballistic missiles at U.S. military installations.

The missile attacks came days after a U.S. drone strike killed Iranian general Qassem Soleimani. A Space Force early warning team at Buckley Air Force Base in Aurora, Colo., picked up unusual readings from advanced satellite missile-detection technology and informed military officials in Iraq within minutes. The early warning potentially saved lives, as U.S. forces reported zero deaths after the night’s action despite personnel suffering 110 injuries.


Subject: CISA: Hackers access to federal networks without SolarWinds
Source: FCW
https://fcw.com/articles/2021/01/07/cisa-usg-hack-new-vector.aspx

“The Cybersecurity and Infrastructure Security Agency says it has evidence that hackers are breaching the federal government’s networks by other paths than the recently discovered vulnerabilities in SolarWinds Orion. “Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified,” according to updated guidance published Wednesday. “CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs).”

Characteristics such as SAML tokens having a 24-hour validity period or not containing multi-factor authentication details where expected are red flags. As details of the SolarWinds Orion breach have surfaced, analysts and lawmakers have repeatedly commented on how difficult it will be to remove hackers from the government’s networks because their access is probably no longer predicated on flaws in SolarWinds Orion, an IT management software…”
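The two red flags CISA names above (an assertion valid for a full 24 hours, and no multi-factor evidence where the relying party expects it) are the kind of check a defender can run over assertions captured from federation logs, because a token minted with a stolen signing key passes signature validation and only stands out by its contents. The following is an added example, not code from FCW, CISA or the newsletter; it assumes the AD FS claim URIs for the authentication-method claim and its MFA value (adjust them to whatever your own identity provider emits), and the two assertions it scans are constructed sample data, not real tokens.

```python
"""Flag SAML 2.0 assertions that match the red flags cited in the CISA guidance:
a 24-hour (or longer) validity window, or no multi-factor authentication
evidence where policy requires it."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Claim URIs AD FS uses for the authentication-method claim and its MFA value.
# Assumed convention for this example; adjust to what your own IdP emits.
AUTHN_METHOD_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
MFA_METHOD = "http://schemas.microsoft.com/claims/multipleauthn"

# Lifetime at or beyond which an assertion is treated as anomalous (24 hours per the guidance).
MAX_VALIDITY = timedelta(hours=24)


def _tag(local):
    # Clark-notation tag name for an element in the SAML assertion namespace.
    return f"{{{SAML_NS}}}{local}"


def _parse_ts(value):
    # SAML timestamps are ISO-8601 in UTC with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_facts(xml_text):
    """Extract the validity window and authentication evidence from one assertion."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == _tag("Assertion") else root.find(f".//{_tag('Assertion')}")
    if assertion is None:
        raise ValueError("no saml:Assertion element found")

    validity = None
    cond = assertion.find(_tag("Conditions"))
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        validity = _parse_ts(cond.get("NotOnOrAfter")) - _parse_ts(cond.get("NotBefore"))

    methods = []
    for attr in assertion.iter(_tag("Attribute")):
        if attr.get("Name") == AUTHN_METHOD_CLAIM:
            methods += [(v.text or "").strip() for v in attr.iter(_tag("AttributeValue"))]
    # Also accept AuthnContextClassRef, the standard SAML location for this evidence.
    for ref in assertion.iter(_tag("AuthnContextClassRef")):
        methods.append((ref.text or "").strip())

    return {"validity": validity, "methods": methods}


def red_flags(xml_text, require_mfa=True):
    """Return the list of red-flag labels that apply to this assertion (empty if clean)."""
    facts = assertion_facts(xml_text)
    flags = []
    if facts["validity"] is None:
        flags.append("no_validity_window")
    elif facts["validity"] >= MAX_VALIDITY:
        flags.append("long_validity")
    if require_mfa and MFA_METHOD not in facts["methods"]:
        flags.append("mfa_missing")
    return flags


def _sample(not_before, not_on_or_after, methods):
    """Build a constructed, unsigned sample assertion (test data, not a real token)."""
    values = "".join(f"<saml:AttributeValue>{m}</saml:AttributeValue>" for m in methods)
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_sample" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AUTHN_METHOD_CLAIM}">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Constructed samples: a typical one-hour MFA-backed assertion, and one with a
# 24-hour window and password-only evidence, i.e. both red flags at once.
NORMAL = _sample("2021-01-06T14:00:00Z", "2021-01-06T15:00:00Z",
                 ["urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", MFA_METHOD])
SUSPECT = _sample("2021-01-06T14:00:00Z", "2021-01-07T14:00:00Z",
                  ["urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"])

if __name__ == "__main__":
    for name, token in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, red_flags(token) or "clean")
```

The checker reads only the assertion's own contents, so it works on assertions exported from federation-server audit logs or relying-party traces regardless of whether the signature checks out; set `require_mfa=False` for applications whose policy does not demand MFA, so that the validity-window check alone applies.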

Subject: Sealed U.S. Court Records Exposed in SolarWinds Breach
Source: Krebs on Security
https://fcw.com/articles/2021/01/07/cisa-usg-hack-new-vector.aspx

“The ongoing breach affecting thousands of organizations that relied on backdoored products by network software firm SolarWinds may have jeopardized the privacy of countless sealed court documents on file with the U.S. federal court system, according to a memo released Wednesday by the Administrative Office (AO) of the U.S. Courts. The judicial branch agency said it will be deploying more stringent controls for receiving and storing sensitive documents filed with the federal courts, following a discovery that its own systems were compromised as part of the SolarWinds supply chain attack.

That intrusion involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for some 18,000 users of its Orion network management software as far back as March 2020. “The AO is working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings,” the agency said in a statement published Jan. 6. “An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation,” the statement continues. “Due to the nature of the attacks, the review of this matter and its impact is ongoing.” The AO declined to comment on specific questions about their breach disclosure. But a source close to the investigation told KrebsOnSecurity that the federal court document system was “hit hard,” by the SolarWinds attackers, which multiple U.S. intelligence and law enforcement agencies have attributed as “likely Russian in origin.”

The source said the intruders behind the SolarWinds compromise seeded the AO’s network with a second stage “Teardrop” malware that went beyond the “Sunburst” malicious software update that was opportunistically pushed out to all 18,000 customers using the compromised Orion software. This suggests the attackers were targeting the agency for deeper access to its networks and communications…”