Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security. Earlier this week, several major US government agencies — including the Departments of Homeland Security, Commerce, Treasury, and State — discovered that their digital systems had been breached by hackers in what’s fast turning out to be a highly sophisticated supply chain attack. Such attacks often work by first compromising a third-party vendor with a connection to the true target. Infiltrating a third-party provider that has access to their customers’ networks also vastly increases the scale of an attack, as a successful break-in opens up access to all those businesses that rely on it, making them all vulnerable at once. In this case, the attackers turned out to SolarWinds, a Texas-based IT infrastructure provider, to inject malicious code into its monitoring tool that was then pushed to nearly 18,000 of its customers as software updates. SolarWinds counts several US federal agencies and Fortune 500 firms among its clients. According to cybersecurity firm FireEye, which also appears to have been a victim of the same attack, called it a meticulously planned espionage campaign that may have been ongoing at least since March 2020. FireEye was the first to expose the widespread supply chain attack on December 8 after discovering that the threat actor had stolen its arsenal of Red Team penetration testing tools. Its own investigation, per the Wall Street Journal, was spurred in part by an automated security alert sent to an employee of the company warning of a suspicious login from an unrecognized device, resulting in a full-blown scrutiny of its defenses. How the hackers gained access to SolarWinds systems to introduce the malicious code is still uncertain, but indications are that the campaign had been executed with “top-tier operational tradecraft” bearing all the hallmarks of a state-sponsored threat actor. Although there hasn’t been any concrete evidence tying the attacks to a specific threat actor, multiple media reports have pinned the intrusions on APT29 (aka Cozy Bear), a hacker group associated with Russia’s foreign intelligence service. With no clues linking the attack infrastructure to previous campaigns or other well-known threat groups, it’s being suspected the campaign was perpetrated by a hacking group never seen before. Volexity calls them “Dark Halo.” It may take months to fully understand the breadth and depth of the hack, but the SolarWinds incident once again highlights the severe consequences of compromising a supply chain. The complexity and broad success of the SolarWinds hack is alarming, sure, but the technique of using a trusted software provider as a Trojan Horse to break into corporate networks has been employed before. NotPetya, CCleaner, and the list goes on. What’s more concerning here is how little has been done since then to prevent them from happening again.
What’s trending in security?
Signal added support for encrypted group calls, the Zodiac Killer cipher was cracked after 51 long years, and a former Cisco engineer was sentenced to 24 months in prison for deleting 16,000 Webex accounts without authorization.
The Zodiac Killer cipher was cracked after 51 years. “It was an exciting project to work on, and it was on many people’s ‘top unsolved ciphers of all time lists,’” said Dave Oranchak, one of the three men who cracked the encoded message. [Ars Technica] Hackers are getting creative with web skimmers designed to steal payment info from users when they visit a compromised shopping website. Researchers found criminal gangs experimenting with storing the malicious code in CSS style sheetsand social media buttons. [ZDNet] GitHub found that security vulnerabilities in open-source projects often go undetected for more than four years before being disclosed. What’s more, 17% of all vulnerabilities in software were intentionally planted for malicious purposes. As they say, open-source does not equal secure. [GitHub] Apple and Cloudflare joined hands for a new initiative called Oblivious DNS-over-HTTPS (ODoH) that hides the websites you visit from your ISP. [Ars Technica / Gizmodo] Former Cisco engineer Sudhish Kasaba Ramesh, 31, was sentenced to 24 months in prison for deleting 16,000 Webex accounts without authorization, costing the company more than $2.4 million, with $1,400,000 in employee time and $1,000,000 in customer refunds. [ZDNet] Secure messaging app Signal added support for encrypted group video calls with up to five participants. [Signal] A German court forced encrypted email provider Tutanota to create a backdoor that allows it to monitor an individual’s inbox in connection with a blackmail case. [CyberScoop] Just a couple of weeks ago, we learned that the company behind the X-Mode SDK had been selling customer location data to government contractors. Now Forbes’ Thomas Brewster has reported how surveillance vendors like Rayzone and Bsightful are siphoning location data from smartphones with the help of tools used to serve mobile ads on third-party apps. [Forbes] Operatives with an Arabic-speaking hacking group, known as MoleRATs, used mainstream technology services like Facebook and Dropbox to obscure their malicious activity and exfiltrate data from targets across the Middle East. [Cybereason] Critical flaws discovered in dozens of GE Healthcare radiological devices could allow an attacker to gain access to sensitive personal health information, alter data, and even compromise the machines’ availability. Worse, these devices are secured with hardcoded default passwords that could be exploited to access sensitive patient scans. [CyberMDX] Apple, Google, Microsoft, and Mozilla banned a digital certificate being used by the Kazakhstan government to intercept and decrypt HTTPS traffic, after the country began requiring citizens in its capital of Nur-Sultan to install the certificate on their devices to access foreign internet services as part of a cybersecurity exercise. [ZDNet] The past fortnight in data breaches, leaks, and ransomware: European Medicines Agency, Foxconn, Intel’s Habana Labs, Kmart, Kopter, Netgain, Randstand, Spotify, Vancouver’s TransLink, UiPath, 45 million images of X-rays and other medical scans, and the personal data of 243 million Brazilian citizens.
Data Point
According to latest stats from the National Vulnerability Database, 2020 saw a record number of reported flaws, with as many as 17,537 bugs recorded during the year, slightly up from 17,306 in 2019. Over the past 12 months, 4,177 high-severity vulnerabilities, 10,767 medium-severity vulnerabilities, and 2,593 low-severity vulnerabilities were reported. In 2019, there were 17,306 flaws published: 4,337 high-severity, 10,956 medium-severity, and 2,013 low-severity vulnerabilities. That’s it. See you all in two weeks. Stay safe! Ravie x TNW (ravie[at]thenextweb[dot]com)