<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Developing Story - Treasury reportedly breached by hackers backed by foreign government in Industry News</title>
    <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41651#M5175</link>
    <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/690706113"&gt;@tmekelburg1&lt;/a&gt;&amp;nbsp;You bring up a good point: when companies display their clients so openly, they make it easy for attackers to know who to go after. This is like how, on LinkedIn profiles and in job descriptions, you often get a pretty good idea of the technology that is being used inside a company, so it makes it much easier to craft attacks. I believe there should be a general rule that this type of disclosure should probably not be allowed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
    <pubDate>Mon, 14 Dec 2020 16:55:42 GMT</pubDate>
    <dc:creator>JKWiniger</dc:creator>
    <dc:date>2020-12-14T16:55:42Z</dc:date>
    <item>
      <title>FireEye Hacked</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41468#M5125</link>
      <description>&lt;P&gt;&lt;A href="https://www.scmagazine.com/home/security-news/apts-cyberespionage/fireeye-hacked-red-team-tools-stolen/" target="_blank"&gt;https://www.scmagazine.com/home/security-news/apts-cyberespionage/fireeye-hacked-red-team-tools-stolen/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 08 Dec 2020 22:16:58 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41468#M5125</guid>
      <dc:creator>AlecTrevelyan</dc:creator>
      <dc:date>2020-12-08T22:16:58Z</dc:date>
    </item>
    <item>
      <title>Re: FireEye Hacked</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41470#M5126</link>
      <description>&lt;P&gt;The incident is more of a "statement against FireEye than a&amp;nbsp;catastrophe". Check out their "defensive tools" (yawn) released here&amp;nbsp;&lt;A href="https://github.com/fireeye/red_team_tool_countermeasures" target="_blank" rel="noopener"&gt;https://github.com/fireeye/red_team_tool_countermeasures&lt;/A&gt;&amp;nbsp;Seriously? They are nothing compared to the Shadow Brokers leak...&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 09 Dec 2020 02:50:06 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41470#M5126</guid>
      <dc:creator>AppDefects</dc:creator>
      <dc:date>2020-12-09T02:50:06Z</dc:date>
    </item>
    <item>
      <title>Re: FireEye Hacked</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41483#M5129</link>
      <description>&lt;P&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;This was my initial suspicion when the story first broke, the threat actors trying to gain access to FireEye's client vulnerability scans, network layout, etc. The red team tools are important but their customer data is even more valuable.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;"Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly."&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html" target="_blank" rel="noopener"&gt;FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community&lt;/A&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 09 Dec 2020 13:57:39 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41483#M5129</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-12-09T13:57:39Z</dc:date>
    </item>
    <item>
      <title>Re: FireEye Hacked</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41531#M5134</link>
      <description>&lt;P&gt;According to the Washington Post article, APT29, Cozy Bear, are the ones responsible.&amp;nbsp;It'll be interesting to find out if any client data was breached and from whom.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://attack.mitre.org/groups/G0016/" target="_blank" rel="noopener"&gt;MITRE ATT&amp;amp;CK APT29&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.washingtonpost.com/national-security/leading-cybersecurity-firm-fireeye-hacked/2020/12/08/a3369aaa-3988-11eb-98c4-25dc9f4987e8_story.html" target="_blank" rel="noopener"&gt;Spies with Russia’s foreign intelligence service believed to have hacked a top American cybersecurity firm and stolen its sensitive tools&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;"&lt;SPAN&gt;The breach was disclosed by FireEye on Tuesday, though the firm did not attribute it to Russia’s foreign intelligence service. It was detected in recent weeks, said one of the people, who like others interviewed for this story spoke on the condition of anonymity because the investigation is ongoing."&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;A href="https://www.wired.com/story/russia-fireeye-hack-statement-not-catastrophe/" target="_blank" rel="noopener"&gt;Russia's FireEye Hack Is a Statement—but Not a Catastrophe&lt;/A&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;“The most important data that a company like FireEye has is data about its customers. The second most important data they have are the sources and methods they use to protect their customers,” like threat intelligence data, says Richard Bejtlich, former chief security officer of Mandiant, the incident response division of FireEye, and principal security strategist at the network analysis firm Corelight. “Farther down the line are the red team tools, where they’re emulating adversaries.”&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 10 Dec 2020 14:05:41 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41531#M5134</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-12-10T14:05:41Z</dc:date>
    </item>
    <item>
      <title>Re: FireEye Hacked</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41537#M5135</link>
      <description>&lt;P&gt;OK, I'll go there... to me this sounds like things being exaggerated to try to make the company look good. I would much sooner believe someone made a dumb mistake and it got exploited than this massive force they make the attack out to be. It seems like their way of trying to save credibility with their clients and admitting that even the best of us make dumb mistakes sometimes.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just my .02&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
      <pubDate>Thu, 10 Dec 2020 16:21:09 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41537#M5135</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-12-10T16:21:09Z</dc:date>
    </item>
    <item>
      <title>Re: FireEye Hacked</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41543#M5137</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1542574691"&gt;@JKWiniger&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;OK, I'll go there...&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;LOL, someone had to! It's hard to know what's true unless more information is released to the public. I'd wager you're onto something though.&lt;/P&gt;</description>
      <pubDate>Thu, 10 Dec 2020 18:17:42 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41543#M5137</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-12-10T18:17:42Z</dc:date>
    </item>
    <item>
      <title>Re: FireEye Hacked</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41630#M5164</link>
      <description>&lt;P&gt;Seems it was a supply chain attack that affected a number of other organisations:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html" target="_blank"&gt;https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;SolarWinds users better get patching:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.solarwinds.com/securityadvisory" target="_blank"&gt;https://www.solarwinds.com/securityadvisory&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 09:48:10 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41630#M5164</guid>
      <dc:creator>AlecTrevelyan</dc:creator>
      <dc:date>2020-12-14T09:48:10Z</dc:date>
    </item>
    <item>
      <title>Re: FireEye Hacked</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41633#M5165</link>
      <description>&lt;P&gt;Here's a breakdown from FireEye on the SUNBURST back door.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" rel="noopener"&gt;Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor&lt;/A&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 13:29:02 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41633#M5165</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-12-14T13:29:02Z</dc:date>
    </item>
    <item>
      <title>Developing Story - Treasury reportedly breached by hackers backed by foreign government</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41635#M5168</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Community,&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;We’re sure you’re watching the developing headlines that are emerging about a reported intrusion at the Commerce and Treasury departments that potentially involve compromised vendor software updates. &lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;What are your key takeaways so far? When announcements like these occur, what are the first steps you take to determine if your organization is at risk? How do you stay alert and informed?&amp;nbsp;&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;While being widely reported, here are a few sources:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software" target="_blank" rel="noopener"&gt;https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A title="https://protect-us.mimecast.com/s/njF8C73wPYuKR3vTW5V_d?domain=cyber.dhs.gov" href="https://protect-us.mimecast.com/s/njF8C73wPYuKR3vTW5V_d?domain=cyber.dhs.gov" target="_blank" rel="noopener"&gt;https://cyber.dhs.gov/ed/21-01/?fbclid=IwAR0Ss18TNd_7Ub37y9PNrgeBXYWskdhSItKVWfFkd6bxtDFetQaVBZ_kLas&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://www.reuters.com/article/usa-cyber-treasury/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSL1N2IT0JG" target="_blank"&gt;https://www.reuters.com/article/usa-cyber-treasury/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSL1N2IT0JG&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://www.cyberscoop.com/russian-hacking-treasury-commerce-fireeye/" target="_blank"&gt;https://www.cyberscoop.com/russian-hacking-treasury-commerce-fireeye/&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://www.cbsnews.com/news/solarwinds-orion-hack-government-agencies-treasury-fireeye/" target="_blank"&gt;https://www.cbsnews.com/news/solarwinds-orion-hack-government-agencies-treasury-fireeye/&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 14 Dec 2020 15:11:09 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41635#M5168</guid>
      <dc:creator>AndreaMoore</dc:creator>
      <dc:date>2020-12-14T15:11:09Z</dc:date>
    </item>
    <item>
      <title>Re: Developing Story - Treasury reportedly breached by hackers backed by foreign government</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41642#M5170</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1086253963"&gt;@AndreaMoore&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;&lt;SPAN&gt;Community,&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;We’re sure you’re watching the developing headlines that are emerging about a reported intrusion at the Commerce and Treasury departments that potentially involve compromised vendor software updates. &lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;What are your key takeaways so far? When announcements like these occur, what are the first steps you take to determine if your organization is at risk? How do you stay alert and informed?&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;&amp;nbsp;I immediately reach out to our MSP to make sure they were aware and a discovery on my part to see if they used SolarWinds to help protect their network. Us being breached through our MSP is what I worry about the most in these types of situations.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 16:04:07 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41642#M5170</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-12-14T16:04:07Z</dc:date>
    </item>
    <item>
      <title>Re: Developing Story - Treasury reportedly breached by hackers backed by foreign government</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41647#M5172</link>
      <description>&lt;P&gt;My first question of course would be: do we use the product, and if so, shut it down! Second step would be to apply the rules provided on GitHub to block any infection if we do use the product. Then have everyone be vigilant about looking for suspect activities and reporting what is seen.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I do believe this might mark a turning point in the information security industry. When private companies are attacked that's one thing, but now that the government has been attacked we may see new laws coming out to help prevent this from happening in the future. I can't even imagine what kind of slip-ups and checks did not occur for a piece of malware to get into an update and be digitally signed. Are there no scans or checks in place? This goes back to where I believe that companies and programmers need to start being held accountable for releasing poor code. To make matters worse, the creation of bug bounty programs to counter their own bad programming breeds an environment for people to learn and be encouraged to find ways to compromise things. From there it is only a fine ethical line from good intention to bad intention.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My .02&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 16:32:15 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41647#M5172</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-12-14T16:32:15Z</dc:date>
    </item>
    <item>
      <title>Re: Developing Story - Treasury reportedly breached by hackers backed by foreign government</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41648#M5173</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1542574691"&gt;@JKWiniger&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;I can't even imagine what kind of slip ups and checks did not occur for a piece of malware to get into an update and be digitally signed? Are there no scans or checks in place?&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;With the sophistication behind this attack, it kind of sounds like this specific tool was targeted because of it's penetration into fortune 500 and Government clients. They did have their biggest clients very brazenly listed on their webpage and recently took down. Anything specifically you can discuss about how your company or clients are handling this or thoughts on the matter?&amp;nbsp;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/809125741"&gt;@Caute_cautim&lt;/a&gt;&amp;nbsp;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/715155969"&gt;@dcontesti&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.solarwinds.com/company/customers" target="_blank" rel="noopener"&gt;https://www.solarwinds.com/company/customers&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 16:50:43 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41648#M5173</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-12-14T16:50:43Z</dc:date>
    </item>
    <item>
      <title>Re: Developing Story - Treasury reportedly breached by hackers backed by foreign government</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41651#M5175</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/690706113"&gt;@tmekelburg1&lt;/a&gt;&amp;nbsp;You bring up a good point: when companies display their clients so openly, they make it easy for attackers to know who to go after. This is like how, on LinkedIn profiles and in job descriptions, you often get a pretty good idea of the technology that is being used inside a company, so it makes it much easier to craft attacks. I believe there should be a general rule that this type of disclosure should probably not be allowed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 16:55:42 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41651#M5175</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-12-14T16:55:42Z</dc:date>
    </item>
    <item>
      <title>Re: Developing Story - Treasury reportedly breached by hackers backed by foreign government</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41657#M5176</link>
      <description>&lt;P&gt;I can only think, "how do you establish defense-in-depth when something so central and this critical goes horribly wrong?".&lt;BR /&gt;&lt;BR /&gt;Written for 2020, "Did anyone have 'Premier monitoring and maintenance tool for managed services providers and governments alike becomes unwitting CozyBear agent for six months' on their bingo card?"&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 19:37:43 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41657#M5176</guid>
      <dc:creator>ericgeater</dc:creator>
      <dc:date>2020-12-14T19:37:43Z</dc:date>
    </item>
    <item>
      <title>Re: Developing Story - Treasury reportedly breached by hackers backed by foreign government</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41661#M5179</link>
      <description>&lt;P&gt;Hi John,&amp;nbsp; Yes, specifically whitelisting and characterisation have been around for some time.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Some governments insist upon both whitelisting and characterisation being put in place - it is difficult but not impossible.&amp;nbsp; It is part of the Australian Government Essential 8:&amp;nbsp; &lt;A href="https://www.sans.org/reading-room/whitepapers/critical/paper/38575" target="_blank"&gt;https://www.sans.org/reading-room/whitepapers/critical/paper/38575&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;NIST also have a paper on how to implement it too.&amp;nbsp; Some vendors, i.e. Juniper for instance, actually build this into their products from the outset to identify malware or manipulation of the updates or source code.&amp;nbsp;&amp;nbsp; There are systems such as Carbon Black which provide good support, but it takes time - it frustrates Unix, Linux and Microsoft delivery teams having to deal with this, so they attempt to override it, but in fact, as per the recent events, bypassing it can be extremely costly.&amp;nbsp; However, it is an important factor: trust nothing until it is proven it has not been manipulated or altered etc.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Ensure a secure source of software updates, normally a secure proxy pointing to the known and confirmed vendor web site or portal etc.&amp;nbsp; Then validate current state, apply integrity checking of source and verify, i.e. hashing, test and apply - it all takes time.&amp;nbsp;&amp;nbsp;&amp;nbsp; Automation and orchestration is a way forward; the manual approach is extremely frustrating for support staff.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final" target="_blank"&gt;https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Some apply Tripwire or NTT Change Tracker R2 for instance, which includes AI and is reasonably charged, whereas Tripwire needs constant technical support from the internal staff, from experience.&amp;nbsp;&amp;nbsp;&amp;nbsp; A lot of banks tend to use it, but they do train their internal staff very well too.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_cautim&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 20:01:04 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41661#M5179</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2020-12-14T20:01:04Z</dc:date>
    </item>
    <item>
      <title>Re: Developing Story - Treasury reportedly breached by hackers backed by foreign government</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41665#M5182</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/809125741"&gt;@Caute_cautim&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;HI John,&amp;nbsp; Yes, specifically Whitelisting and Characterisation has been around for some time.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;Ensure secure source of software updates, normally a secure proxy pointing to the known and confirmed vendor web site or portal etc.&amp;nbsp; Then validate current state, apply integrity checking of source and verify i.e. hashing, test and apply - it all takes time.&amp;nbsp;&amp;nbsp;&amp;nbsp; Automation and orchestration is a way forward, manual approach is extremely frustrating for support staff.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Would those software update checking programs have caught it if it was digitally signed by the owner?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;"SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020."&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 20:37:24 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41665#M5182</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-12-14T20:37:24Z</dc:date>
    </item>
    <item>
      <title>Re: Developing Story - Treasury reportedly breached by hackers backed by foreign government</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41668#M5183</link>
      <description>&lt;P&gt;I guess having the mentality of "do it right or don't do it at all" leaves me a bit... I'm not sure what the right word would be... maybe annoyed. Far too often companies are just more concerned with getting the product out and making money, so they rely heavily on rapid application development and cut corners, and I just don't agree with that. I feel like the burden gets put onto the end user / company to stay up on patch management, when if the products were made better there wouldn't be such a high need. I just think places need to slow down and focus a bit more on the quality of the product and less on the quantity.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Dec 2020 21:19:00 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41668#M5183</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-12-14T21:19:00Z</dc:date>
    </item>
    <item>
      <title>Re: Developing Story - Treasury reportedly breached by hackers backed by foreign government</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41680#M5185</link>
      <description>&lt;P&gt;Just listened to&amp;nbsp;&lt;A href="https://www.sans.org/webcasts/emergency-webcast-about-solarwinds-supply-chain-attack-118015" target="_blank" rel="noopener"&gt;SANS Emergency Webcast: What you need to know about the SolarWinds Supply-Chain Attack&lt;/A&gt;&amp;nbsp;hosted by Rob Lee and presented by Jake Williams&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It's free to view after making an account or logging in. Key takeaways:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;If you have SolarWinds Orion, assume compromise&lt;/FONT&gt;&lt;/LI&gt;&lt;LI&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;Check logs for C&amp;amp;C and Beacon domains released by FireEye&lt;/FONT&gt;&lt;/LI&gt;&lt;LI&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;If you have other SolarWinds products, assume those could be compromised as well. We don't know how SolarWinds was breached and if they tampered with other products&lt;/FONT&gt;&lt;/LI&gt;&lt;LI&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;Block your Network Management System (NMS) from the Internet or explicitly allow limited access to destinations (Zero Trust)&lt;/FONT&gt;&lt;/LI&gt;&lt;LI&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;Segment access within your NMS. One set of credentials to read and another to make changes (this can be further segmented as well)&lt;/FONT&gt;&lt;/LI&gt;&lt;LI&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;Attackers will retool, don't expect this group to use Sunburst malware going forward&lt;/FONT&gt;&lt;/LI&gt;&lt;LI&gt;&lt;FONT face="arial,helvetica,sans-serif"&gt;Attribution is not important, it shouldn't affect how you respond or mitigate&amp;nbsp;&lt;/FONT&gt;&lt;/LI&gt;&lt;/UL&gt;</description>
      <pubDate>Tue, 15 Dec 2020 16:54:08 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41680#M5185</guid>
      <dc:creator>tmekelburg1</dc:creator>
      <dc:date>2020-12-15T16:54:08Z</dc:date>
    </item>
    <item>
      <title>Re: Developing Story - Treasury reportedly breached by hackers backed by foreign government</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41681#M5186</link>
      <description>&lt;P&gt;This is a good opportunity to invoke "never let a perfectly good crisis go to waste".&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;CISA does have response &lt;A href="https://cyber.dhs.gov/ed/21-01/" target="_blank" rel="noopener"&gt;recommendations&lt;/A&gt;, but as CISSPs, our focus belongs more on the bigger picture than running the incident.&amp;nbsp; CISA's comment&amp;nbsp;“&lt;STRONG&gt;&lt;FONT color="#339966"&gt;Rebuild hosts monitored by the SolarWinds Orion monitoring software…&lt;/FONT&gt;&lt;/STRONG&gt;” is a powerful statement from an influential organization,&amp;nbsp; basically asking you to rebuild everything you truly think important to your business (in some scenarios).&amp;nbsp; Coupled with the fact that your CIO is likely already asking if we are amongst their 300k customers, this creates a great opportunity for a "concentration of power" discussion.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Discussion points in the email I already sent to my colleagues:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Monitoring should be uncredentialled or read-only, and any necessary accounts should have minimum privileges.&lt;/LI&gt;&lt;LI&gt;All high-privilege accounts should be stored in our secure privileged access vault with controls surrounding how they may be checked out, including by automated management systems such as SolarWinds.&lt;/LI&gt;&lt;LI&gt;Review controls surrounding our internal software packaging/distribution and our remote-admin tools, particularly those that work without user consent prior to each session.&lt;/LI&gt;&lt;LI&gt;Review our SolarWinds architecture with respect to the CISA guidelines and to minimize its need for privileged access.&lt;/LI&gt;&lt;LI&gt;Ditto for all other system management tools, not just the monitoring tool.&lt;/LI&gt;&lt;LI&gt;Network segmentation/isolation for critical business applications (not just SolarWinds).&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Oh, also don't forget that the reading/research you do for this (such as the &lt;A href="https://www.youtube.com/watch?v=qP3LQNsjKWw" target="_blank" rel="noopener"&gt;SANS video&lt;/A&gt;) is good for CPEs.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Finally, I do note that this attack comes at a particularly interesting time for the USA, politically speaking, and involves a fascinating set of actors, but the conspiracy theories surrounding that belong somewhere other than this community.&lt;/P&gt;</description>
      <pubDate>Tue, 15 Dec 2020 17:07:26 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41681#M5186</guid>
      <dc:creator>denbesten</dc:creator>
      <dc:date>2020-12-15T17:07:26Z</dc:date>
    </item>
    <item>
      <title>FireEye and SolarWinds</title>
      <link>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41688#M5191</link>
      <description>&lt;P&gt;Hi All&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Those of you who have been asleep at the wheel focusing on other things had best look at this: over 18,000 companies have been compromised using the tools stolen from FireEye recently.&amp;nbsp;&amp;nbsp; SolarWinds is just one of those IT monitoring systems many companies use.&amp;nbsp;&amp;nbsp; So patch now and be vigilant; this is not going away.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Look at the effect on their value in the market - excellent examples for your respective organisations.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://seekingalpha-com.cdn.ampproject.org/c/s/seekingalpha.com/amp/article/4394717-solarwinds-hack-long-list-of-potential-victims" target="_blank"&gt;https://seekingalpha-com.cdn.ampproject.org/c/s/seekingalpha.com/amp/article/4394717-solarwinds-hack-long-list-of-potential-victims&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_cautim&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2023 09:43:55 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41688#M5191</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2023-10-09T09:43:55Z</dc:date>
    </item>
  </channel>
</rss>