
Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

1/26/2021

Hunt for Earliest Artifacts of Compromise

Three of Microsoft’s cyber defense teams recently published their collective findings on how threat actors got away with viewing the company’s crown jewel: Microsoft source code.

In the blog post "Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop," three of Microsoft’s cyber defense teams (the Microsoft 365 Defender Research Team, the Microsoft Threat Intelligence Center, and the Microsoft Cyber Defense Operations Center) revealed new details on how threat actors were able to view the company’s source code.

Last December 31st, Microsoft admitted that one internal account had been compromised and used to view source code in a number of source code repositories. "The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made," Microsoft said.

Background

Microsoft earlier admitted that it was one of the victims of the SolarWinds supply chain attack. Microsoft is one of the thousands of SolarWinds clients that unwittingly downloaded a SolarWinds update that had been maliciously modified to carry the malicious software (malware) called "Solorigate", which was then used to further compromise the networks of those that installed the poisoned update.

In a report to the U.S. Securities and Exchange Commission, Solarwinds said, "SolarWinds currently believes the actual number of customers that may have had an installation of the [SolarWinds] Orion products that contained this vulnerability to be fewer than 18,000."

Microsoft provided the following timeline of how the attackers compromised the SolarWinds update:

Sept. 4, 2019: Attackers start assessing SolarWinds

Sept. 12, 2019: Attackers start injecting test code

Nov. 4, 2019: Attackers stop injecting test code

Feb. 20, 2020: Solorigate malware backdoor is compiled and deployed

March 2020: Estimated start of distribution of Solorigate malware backdoor

May 2020: Estimated start of actual hands-on-keyboard attacks

June 4, 2020: Attackers remove malware from SolarWinds build environment

Dec. 12, 2020: Solorigate malware supply chain attack disclosed

How the Attack Transpired

According to FireEye, itself one of the victims of the SolarWinds supply chain attack, the compromise of SolarWinds enabled the attackers to execute a customized Cobalt Strike loader.

Cobalt Strike is a publicly available penetration testing tool that’s marketed as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike’s post-exploit capabilities include tools such as Mimikatz and Metasploit.

Mimikatz is a tool that’s capable of obtaining plaintext Windows account logins and passwords. Mimikatz also comes with many other features that test the security of networks.

Metasploit, meanwhile, is another penetration testing tool popularly used by both attackers and defenders. With Metasploit, attackers just pick a target, pick an exploit, and pick a payload to drop.

"One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader," Microsoft’s cyber defense teams said.

According to Microsoft’s cyber defense teams, the following tactics allowed the attackers to hide their malware and malicious actions:

  1. Avoidance of Shared Indicators for Each Compromised Host

Each Cobalt Strike implant was assembled to be unique for every compromised computer and avoided any overlap and reuse of file name, folder name, export function names, HTTP requests, C2 domain/IP, file metadata, and timestamp.

  2. Camouflage and Blending into the Environment

Tools used by the attackers, including the legitimate tool called "ADFIND" (a search utility that can be used to query the Active Directory), were always renamed and placed in folders that imitated existing programs and files already present on the compromised computer. 

  3. Disabling of Event Logging

Event logging captures network activities such as login sessions, account lockouts, and failed password attempts. Before conducting hands-on-keyboard activity, the attackers disabled event logging using the "AUDITPOL" tool, and re-enabled it once the hands-on-keyboard activity was finished.

  4. Firewall Rules Modifications

Before running network enumeration, the attackers added special firewall rules to minimize outgoing packets for certain protocols, and removed those rules once enumeration was done.

  5. Disabling of Certain Security Services

Prior to conducting lateral movement activities, the attackers first disabled certain security services. Lateral movement refers to activities that are conducted by attackers after gaining access to the victim’s network.

Attackers, in this case, gained initial access to the victims’ networks via the poisoned Solarwinds update. Post initial access activities are typically done in search of sensitive data and other high-value assets.

  6. Timestomping

Microsoft’s cyber defense teams believe that the attackers used timestomping, the practice of altering a file’s timestamps (its access, creation, and modification times). The goal of timestomping is to mislead forensic investigators or file analysis tools.
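As an added example (not part of Microsoft's findings or the original post), the following Python snippet shows one cheap heuristic a responder can run over a filesystem to surface timestomping candidates. It assumes POSIX semantics: utilities can rewrite a file's access and modification times, but the inode change time (ctime) is set by the kernel on every metadata write and cannot be chosen by the caller, so a file "modified" years before its metadata last changed deserves a closer look. The sample directory, file names and the 2015 timestamp are constructed for the demonstration. On NTFS the analogous check compares the $STANDARD_INFORMATION and $FILE_NAME timestamps in the MFT, which needs a raw NTFS parser and is not shown here.

```python
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    mtime: float
    ctime: float
    gap_seconds: float


def find_timestamp_anomalies(root, min_gap_seconds=86400):
    """Walk `root` and report files whose modification time is much older
    than their inode change time.

    On POSIX filesystems utime()/touch can rewrite atime and mtime, but ctime
    is updated by the kernel on every metadata write and cannot be set by the
    caller. A large positive (ctime - mtime) gap is therefore a timestomping
    candidate. Assumption: POSIX ctime semantics; on Windows st_ctime is the
    creation time, so this comparison means something different there.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the sweep
            gap = st.st_ctime - st.st_mtime
            if gap > min_gap_seconds:
                findings.append(Finding(path, st.st_mtime, st.st_ctime, gap))
    return findings


def build_sample_tree():
    """Constructed sample: one ordinary file and one whose timestamps were
    rewritten to 2015 the way a timestomping tool would. Returns the paths."""
    root = tempfile.mkdtemp(prefix="timestomp_demo_")
    normal = os.path.join(root, "report.txt")
    with open(normal, "w") as fh:
        fh.write("ordinary file\n")
    stomped = os.path.join(root, "helper.dll")
    with open(stomped, "w") as fh:
        fh.write("constructed sample\n")
    old = time.mktime((2015, 6, 1, 12, 0, 0, 0, 0, -1))
    os.utime(stomped, (old, old))  # atime/mtime go back to 2015; ctime stays "now"
    return root, normal, stomped


if __name__ == "__main__":
    root, _normal, _stomped = build_sample_tree()
    for f in find_timestamp_anomalies(root):
        print(f"{f.path}: mtime {time.ctime(f.mtime)} but ctime {time.ctime(f.ctime)}")
```

The heuristic only narrows the haystack: a restored backup or an unpacked archive also produces old mtimes with fresh ctimes, so hits are leads for the analyst, not verdicts.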

If All Else Fails

To date, the identities of the attackers behind the Solarwinds supply chain attack that spiraled into the compromise of other networks such as Microsoft and FireEye remain inconclusive.

One takeaway from this supply chain attack is the need for network segmentation. If all else fails, one way to protect your organization’s crown jewels is to implement network segmentation.

In network segmentation, your organization’s network is divided into sub-networks so that in case one sub-network is compromised, the other sub-networks won’t be affected.

1/18/2021

Weak Cyber Hygiene Practices Behind Successful Cloud Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert detailing the weak cyber hygiene practices behind successful cyberattacks against various organizations’ cloud environments.

In the alert "Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services," CISA said that based on data derived exclusively from several of its incident response engagements, it’s aware of several recent successful cyberattacks against various organizations’ cloud environments.

“Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” CISA said.

Weak Cyber Hygiene Practices

According to CISA, successful cyberattacks against various organizations’ cloud environments frequently occurred when victim organizations allowed employees to work from home and used a mixture of personal devices and corporate laptops to access the organizations’ cloud environments.

Here are some of the weak cyber hygiene practices behind successful cyberattacks against various organizations’ cloud environments based on CISA’s alert:

Phishing Attacks

CISA said threat actors are using phishing emails to harvest credentials for users’ cloud service accounts. In phishing emails, threat actors weaponize the traditional emails for cyberattacks.

These phishing emails, CISA said, contain malicious links that at first glance appear to be legitimate links to a file hosting service account login page. Login details entered on these malicious pages were then stolen by threat actors and used to log in to victims’ legitimate file hosting service accounts. From these hijacked accounts, threat actors then sent emails from the victims’ accounts to steal login details for other accounts within the organization, CISA said.

Open Port 80

The CISA alert found that threat actors are exploiting open port 80. According to the agency, open port 80 was exploited even though an organization’s terminal server was located within a firewall.

Due to remote work posture, CISA said the terminal server was configured with port 80 open to allow remote employees to access it, leaving the organization’s network vulnerable.

The agency added that this open port 80 was exploited by launching brute force attacks. In brute force attacks, threat actors use the trial-and-error method to guess the correct username and password combination.

MFA Bypass via Pass-the-Cookie Attack 

According to CISA, threat actors successfully signed into a cloud account with proper multi-factor authentication (MFA). “In this case, CISA believes the threat actors may have used browser cookies to defeat MFA with a ‘pass-the-cookie’ attack,” the agency said.

Authentication cookies are commonly used by cloud-based services to avoid frequently asking users to re-enter their credentials. Cookies are often valid for an extended period of time, even when the cloud-based service isn’t actively used.

“After the cookie is obtained through Steal Web Session Cookie, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active,” MITRE said. “Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.”

Taking Advantage of Keyword Search Rule and Email Forwarding Rule

After gaining access to victims’ cloud service accounts, CISA said, threat actors take advantage of keyword search rules and email forwarding rules.

Keyword search and email forwarding are two features found in many cloud service accounts. These features can be applied manually or automatically. While these two features are handy, these two pose a security risk due to the potential disclosure of information.

According to CISA, threat actors modified existing automated keyword search rules to search victims’ email messages for several finance-related keywords. The agency added that threat actors also modified existing automated email forwarding rules to forward the emails to the threat actors’ accounts.

Mitigating Measures to Strengthen Cloud Security Practices

Here are some of the recommended mitigating measures to strengthen cloud security practices:

Phishing Scams Education

Train employees about phishing emails by making them aware how these emails are being delivered.

Secure Over-all Network from Open Port 80 

One way to mitigate the adverse effect of an open port 80 is by implementing network segmentation. In network segmentation, your organization’s network is divided into sub-networks so that in case one sub-network is compromised the other sub-networks won’t be affected.

Mitigating Measures Against Pass-the-Cookie Attacks

Mitigating measures against pass-the-cookie attacks include MFA that uses the target login domain as part of the negotiation protocol. Software configuration is another mitigating measure against pass-the-cookie attacks: browsers are configured to regularly delete persistent cookies.
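The server side can also limit what a replayed cookie is worth. The following Python snippet is an added example, not code from CISA's alert or the original post: it keeps a server-side session record that is bound to a coarse client context (assumed here to be the /24 of the client's IPv4 address plus the User-Agent string), enforces an absolute lifetime and an idle timeout (the 8-hour and 30-minute values are assumed policy, not CISA guidance), and answers "reauth_required" when a valid cookie shows up from a different context, which is exactly what a stolen cookie looks like when imported into the attacker's browser. The `SessionStore` class and its method names are this example's own.

```python
import hashlib
import secrets
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 8 * 3600   # assumed policy: full re-authentication at least every 8 hours
IDLE_TIMEOUT = 30 * 60         # assumed policy: drop sessions idle for 30 minutes


def client_fingerprint(ip, user_agent):
    """Coarse client context the session is bound to.
    Assumption: /24 of the IPv4 address plus the User-Agent string."""
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    issued_at: float
    last_seen: float


class SessionStore:
    """In-memory session table; a real deployment would back this with a shared store."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user, ip, user_agent, now):
        """Called after a full login that passed MFA; returns the cookie value."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_fingerprint(ip, user_agent), now, now)
        return sid

    def validate(self, sid, ip, user_agent, now):
        s = self._sessions.get(sid)
        if s is None:
            return "unknown"
        if now - s.issued_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]  # a stolen cookie stops working once the window closes
            return "expired"
        if client_fingerprint(ip, user_agent) != s.fingerprint:
            # Valid cookie, different client context: this is what a replayed cookie
            # looks like, so demand a fresh MFA step-up instead of trusting it.
            return "reauth_required"
        s.last_seen = now
        return "ok"

    def rebind_after_mfa(self, sid, ip, user_agent, now):
        """After the user passes the step-up challenge from the new context, bind the
        session to that context (legitimate device and network changes do happen)."""
        s = self._sessions[sid]
        s.fingerprint = client_fingerprint(ip, user_agent)
        s.last_seen = now
```

The binding is deliberately coarse: a per-IP match would break every user on a mobile network, while the /24-plus-User-Agent pair catches the common case of a cookie replayed from a different network and browser without generating constant step-up prompts. Keep the absolute lifetime short enough that a stolen cookie is worthless within hours, and still set `Secure`, `HttpOnly` and `SameSite` on the cookie itself.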

Mitigating Measures Against Exploitation of Keyword Search Rule and Email Forwarding Rule

Mitigating measures against exploitation of keyword search rule and email forwarding rule include routinely reviewing these rules for any signs of malicious changes.

In the case of Microsoft 365, outbound spam filter policies are available to control automatic forwarding to external recipients. One of the available outbound spam filter policies is the “Off” option which disables automatic external forwarding and will result in a non-delivery report to the sender.
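Routine review of mailbox rules is easier to sustain when it is scripted. The following Python snippet is an added example, not from CISA's alert or the original post: it audits a constructed list of inbox rules whose property names mirror what an Exchange Online administrator gets from `Get-InboxRule` (the rule contents, the `example.com` tenant domain and the finance keyword list are all assumptions), and flags the pattern CISA describes: a rule that forwards outside the organization, matches finance-related keywords, and hides the forwarded messages from the mailbox owner.

```python
# Constructed sample. Property names follow Exchange Online's Get-InboxRule output;
# the rules themselves are made up for this example.
SAMPLE_RULES = [
    {"Name": "Vendor invoices to shared box", "Enabled": True,
     "ForwardTo": ["ap-inbox@example.com"], "RedirectTo": [],
     "SubjectContainsWords": ["invoice"], "BodyContainsWords": [],
     "DeleteMessage": False, "MarkAsRead": False},
    {"Name": ".", "Enabled": True,
     "ForwardTo": ["collector@mail-drop.invalid"], "RedirectTo": [],
     "SubjectContainsWords": ["invoice", "wire", "payment"], "BodyContainsWords": ["bank"],
     "DeleteMessage": True, "MarkAsRead": True},
    {"Name": "Newsletter cleanup", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [],
     "SubjectContainsWords": ["newsletter"], "BodyContainsWords": [],
     "DeleteMessage": True, "MarkAsRead": False},
    {"Name": "Old test rule", "Enabled": False,
     "ForwardTo": ["someone@partner.example"], "RedirectTo": [],
     "SubjectContainsWords": [], "BodyContainsWords": [],
     "DeleteMessage": False, "MarkAsRead": False},
]

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance", "ach", "swift"}


def _external_targets(rule):
    """Forward/redirect recipients whose domain is not one of ours."""
    targets = rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
    return [t for t in targets if t.split("@")[-1].lower() not in INTERNAL_DOMAINS]


def audit_rules(rules):
    """Return one finding per enabled rule that forwards externally or hides what it forwards."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        reasons = []
        external = _external_targets(rule)
        if external:
            reasons.append("external_forward")
        words = {w.lower() for w in rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])}
        finance = sorted(words & FINANCE_KEYWORDS)
        if finance:
            reasons.append("finance_keywords")
        forwards = bool(rule.get("ForwardTo") or rule.get("RedirectTo"))
        if forwards and (rule.get("DeleteMessage") or rule.get("MarkAsRead")):
            reasons.append("hides_messages")  # owner never sees what was forwarded
        if len(rule.get("Name", "").strip()) <= 2:
            reasons.append("ambiguous_name")  # ".", "..", single characters
        if "external_forward" in reasons or "hides_messages" in reasons:
            severity = "high" if "external_forward" in reasons and finance else "medium"
            findings.append({"rule": rule["Name"], "severity": severity, "reasons": reasons,
                             "external_targets": external, "finance_keywords": finance})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f['severity']}] rule {f['rule']!r}: {', '.join(f['reasons'])}")
```

Note that a finance keyword on its own is not a finding (the first sample rule is an ordinary accounts-payable rule); the audit looks for the combination of where the mail goes and whether the owner still sees it.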

Implement Zero Trust Security Strategy

Zero Trust assumes that no one should be trusted by default within and outside the network. Zero trust security strategy includes the principle of least privilege and the principle of explicit verification.

In implementing the principle of least privilege, right access at the right time is only given to those who need it. Explicit verification, meanwhile, includes MFA that requires users using new devices and from new locations to respond to an MFA challenge.

1/11/2021

Ransomware Attacks on Healthcare Organizations Globally Increase by 45%, Study Shows

A recent report from Check Point showed that since November 2020, ransomware attacks targeting healthcare organizations globally have increased by 45%.

In the report "Attacks targeting healthcare organizations spike globally as COVID-19 cases rise again," Check Point said that the spike in ransomware attacks targeting healthcare organizations globally was more than double the overall increase in cyberattacks across all industry sectors worldwide seen during the same period. According to Check Point, the main ransomware variant used in these attacks was Ryuk, followed by Sodinokibi.

What Is Ransomware?

Ransomware is a type of malicious software (malware) that blocks victims from accessing their computer systems or files and demands a ransom payment from the victims before access is restored. Ransomware attackers also demand a separate ransom payment in exchange for not publishing data stolen in the course of the ransomware attack.

Ryuk and Sodinokibi Ransomware

Ryuk ransomware is a cyber threat that has been targeting organizations, specifically hospitals, businesses, and government institutions since 2018. This ransomware was first observed in the wild in August 2018.

Code comparison analysis of Ryuk ransomware and Hermes ransomware showed that the two are largely identical, giving credence to the theory that the developer of Ryuk has access to the Hermes source code. Hermes ransomware was responsible for the money heist at a Taiwanese bank in October 2017.

Hermes is called a “pseudo-ransomware”, meaning ransomware that uses a ransomware attack as cover to distract from its main goal: stealing money. In the 2017 heist at the Taiwanese bank, the Hermes ransomware attack was timed to coincide with the moment the money was stolen from the bank.

The group behind Ryuk ransomware demands that the ransom payment should be in the form of the cryptocurrency bitcoin. After tracing bitcoin transactions for the known addresses attributable to Ryuk, researchers from HYAS and Advanced Intelligence reported that the group behind Ryuk earned more than $150,000,000.

“Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims,” researchers from HYAS and Advanced Intelligence said. “These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range.”

Sodinokibi, also known as REvil, meanwhile, is a type of ransomware that was first observed in April 2019. Code comparison analysis of Sodinokibi and another ransomware called “GandCrab” showed that the two shared a lot of similarities, indicating the developer of Sodinokibi had access to the GandCrab source code.

Ransomware Similarities

Both Ryuk and Sodinokibi encrypt important files in the compromised computer, locking out users from their files. These two demand a ransom to decrypt or unlock these files.

It’s now a known fact that during the course of a ransomware attack, Ryuk and Sodinokibi also steal victims’ files before encrypting them. The stolen data is then used for a “double-extortion” attempt: in addition to the ransom payment to unlock the encrypted files, attackers demand a second ransom payment for the stolen files, threatening that failure to pay would lead to the publication of those files.

In November 2020, K12 Inc., now known as Stride, Inc., a company that provides online education, admitted that it was a victim of a ransomware attack. Open-source reports showed that Ryuk ransomware hit K12 Inc.

In a statement, K12 Inc. said, “We have already worked with our cyber insurance provider to make a payment to the ransomware attacker, as a proactive and preventive step to ensure that the information obtained by the attacker from our systems will not be released on the Internet or otherwise disclosed.”

Ryuk and Sodinokibi are part of the ransomware families called “Ransomware-as-a-Service (RaaS)”. In RaaS, one group maintains the ransomware code, and another group, known as affiliates, spreads the ransomware.

Cybersecurity Best Practices Against Ransomware Attacks

Both Ryuk and Sodinokibi are commonly spread via very targeted means such as RDP and spear phishing.

RDP, short for Remote Desktop Protocol, is a proprietary protocol developed by Microsoft that lets a Windows user connect to another Windows computer over a network. In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks," the Microsoft Defender Security Research Team said that RDP is an attractive target for threat actors, as it presents a simple and effective way to gain access to a network and conduct many follow-on activities such as a ransomware attack.

Microsoft Defender Security Research Team said that threat actors often gain access to RDP through brute-force attack – referring to the trial-and-error method of guessing the correct username and password combination. Spear phishing, meanwhile, weaponizes an email against specific and well-researched targets. A spear-phishing email masquerades as coming from a trustworthy source.
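The brute-force pattern described here, and the port-80 brute forcing in the CISA post above, both leave the same footprint in authentication logs: a burst of failed logins from one source, often followed by a success. The following Python snippet is an added example (not Microsoft's probabilistic model and not code from the original post) that implements the simple threshold version of that detection over a constructed log excerpt: it keeps a sliding window of failures per source address and raises one alert when the window fills, plus a second alert if the same source then succeeds. The log format, addresses, usernames and the 5-failures-in-60-seconds threshold are all assumptions for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: a generic "who tried to log in from where" log. The addresses
# come from the documentation ranges and the usernames are made up.
SAMPLE_LOG = """\
2021-01-11T09:00:01Z src=203.0.113.5 user=administrator result=FAIL
2021-01-11T09:00:03Z src=203.0.113.5 user=admin result=FAIL
2021-01-11T09:00:04Z src=203.0.113.5 user=backup result=FAIL
2021-01-11T09:00:06Z src=203.0.113.5 user=jsmith result=FAIL
2021-01-11T09:00:07Z src=203.0.113.5 user=jsmith result=FAIL
2021-01-11T09:00:09Z src=203.0.113.5 user=jsmith result=SUCCESS
2021-01-11T09:05:00Z src=198.51.100.7 user=mlee result=FAIL
2021-01-11T09:15:00Z src=198.51.100.7 user=mlee result=SUCCESS
"""


def parse_line(line):
    """Split '<timestamp> key=value ...' into (datetime, src, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, kv["src"], kv["user"], kv["result"]


def detect_brute_force(log_text, window_seconds=60, threshold=5):
    """Alert once per source that reaches `threshold` failures inside `window_seconds`,
    and again if that source later logs in successfully (the case worth paging on)."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, user, result = parse_line(raw)
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures that fell out of the sliding window
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute_force", "src": src,
                               "failures": len(q), "at": ts.isoformat()})
        elif result == "SUCCESS" and src in flagged:
            alerts.append({"type": "success_after_burst", "src": src,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

The second source in the sample (one failure, then a success ten minutes later) is an ordinary typo and produces nothing; the value of the `success_after_burst` alert is that it separates "someone is guessing" from "someone guessed right", which is the event that should trigger a password reset and a look at what that account did next.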

Traditional spear-phishing emails attached malicious documents, for instance, a zip file. Modern-day spear-phishing emails come with malicious documents that are hosted on legitimate sites such as Dropbox, OneDrive, or Google Drive.

To protect RDP from brute-force attacks and ultimately ransomware attacks, use strong passwords, multi-factor authentication, virtual private networks (VPNs), and other security protections. Spear phishing prevention, meanwhile, includes phishing simulation tests, and an established process for users to report suspicious emails to the IT security team.

It’s also important to implement the 3-2-1 backup rule and network segmentation in case attackers breach your organization’s network.

The 3-2-1 backup rule means that at least 3 copies of critical data must be kept, with 2 copies in different media and one copy offsite. Network segmentation, meanwhile, refers to the practice of dividing your organization’s network into sub-networks so that in case something happens to one sub-network, the other sub-networks won’t be affected. 

1/4/2021

A Lookback of the Cybersecurity Threats in 2020

The world dramatically changed in 2020. The abrupt shift to working from home, and to doing almost everything online, including shopping, opened up a plethora of cybersecurity threats at a scale never seen before.

Most Notable Cybersecurity Threats in 2020

Here are some of the notable cybersecurity threats in 2020:

1. Threats Associated with Collaboration Apps

The work from home shift gave rise to the demand for collaboration tools such as Microsoft Teams, Slack, and Zoom. In 2020, threat actors turned their attention to these collaboration tools.

In 2020, the term “Zoombombing” was coined. This term refers to uninvited threat actors viewing Zoom meetings or sharing pornographic images and content.

Last year, threat actors also impersonated Microsoft Teams, the communication platform developed by Microsoft that features chat, videoconferencing, and file storage. In October 2020, Abnormal Security reported that up to 50,000 emails were observed spoofing employee emails and impersonating Microsoft Teams.

“The email pretends to be a Microsoft Teams notification email notifying the recipient that they have received messages and their teammates are trying to reach them,” Abnormal Security said. “The link landing page also looks convincingly like a Microsoft login page with the start of the URL containing ‘microsftteams’, lending further credence.”
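The ‘microsftteams’ hostname Abnormal Security describes is a classic look-alike: it embeds a real brand name in a domain the brand does not own. The following Python snippet is an added example, not code from Abnormal Security or the original post, of the check a mail gateway or link scanner can apply before a user ever clicks: it extracts the hostname from each link, allows an explicit list of genuine hosts, and flags any other hostname label that embeds a protected brand name or sits within a small edit distance of one. The brand list, the allowlisted hosts and the sample URLs are assumptions constructed for the demonstration.

```python
from urllib.parse import urlparse

# Constructed lists: brands the gateway protects and the hosts genuinely allowed to
# carry them. A real deployment would source both from policy, not hard-code them.
PROTECTED_BRANDS = ("microsoft", "teams", "office365", "sharepoint")
LEGITIMATE_HOSTS = {"login.microsoftonline.com", "teams.microsoft.com", "www.microsoft.com"}


def levenshtein(a, b):
    """Edit distance; a small value means one string is a near-miss of the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, max_distance=2):
    """Return 'legitimate', 'no brand match', 'no host', or a 'suspicious: ...' verdict."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "no host"
    if host in LEGITIMATE_HOSTS:
        return "legitimate"
    for label in host.split("."):
        for brand in PROTECTED_BRANDS:
            if brand in label:
                # e.g. 'microsftteams-notify': the brand word is there, the host is not ours
                return f"suspicious: '{label}' embeds brand '{brand}' on a non-allowlisted host"
            if 0 < levenshtein(label, brand) <= max_distance:
                # e.g. 'micros0ft': one character away from the brand
                return f"suspicious: '{label}' is a near-miss of brand '{brand}'"
    return "no brand match"


if __name__ == "__main__":
    for u in ("https://login.microsoftonline.com/common/oauth2",
              "https://microsftteams-notify.example/login",
              "https://micros0ft.example/signin",
              "https://news.example.org/article"):
        print(u, "->", classify_url(u))
```

The allowlist check has to come first; without it `teams.microsoft.com` would trip the brand-in-label rule. The edit-distance rule with a maximum of two also catches transpositions and single dropped letters, which is exactly the class of misspelling that an email client renders convincingly enough for a reader to skim past.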

2. Remote-Working Tools Exploitation

An IBM study released in June 2020 showed that 83% of employees were provided little to no ability to work from home prior to the sudden work from home shift. The IBM study further found that 53% of employees used their personal laptops and computers for business operations, while 61% also said their employer hasn't provided tools to properly secure those devices.

In 2020, threat actors actively exploited remote-working services such as virtual private network (VPN) services. In addition to masking internet protocol (IP) address so that online actions are virtually untraceable, VPN services promise secure and encrypted connections.

Security researchers, however, discovered security vulnerabilities in many VPN services. Even as VPN service vendors released patches fixing these security loopholes, many users delay the application of these patches, leading threat actors to exploit these unpatched security vulnerabilities.

In April 2020, the Canadian Centre for Cyber Security and U.S. Cybersecurity and Infrastructure Security Agency issued separate alerts warning organizations about the continued exploitation of the security vulnerability in Pulse Secure VPN, in particular, CVE-2019-11510 – a security vulnerability that allows a remote, unauthenticated attacker to compromise a vulnerable Pulse Secure VPN server, allowing an attacker to gain access to all active users and their plain-text credentials.

3. E-Commerce Threats

Among the effects of the lockdown measures in 2020 has been a huge spike in e-commerce business. Imperva reported that web traffic to retail sites spiked by as much as 28% on the weekly average. In “The State of Security within E-commerce,” Imperva reported that among the cyber threats faced by e-commerce businesses in 2020 were DDoS attacks and bad bots.

DDoS, short for distributed denial-of-service, refers to a cyberattack that attempts to disrupt the normal traffic of online resources such as websites, overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks are launched by hijacking multiple computer systems, including Internet of Things (IoT), as sources of attack traffic.

According to Imperva, it monitored an average of eight application layer DDoS attacks a month against retail sites as lockdown measures led to an increase in demand for online shopping.

Bad bots, meanwhile, refer to software applications that run automated tasks over the internet for malicious purposes, for example, automatically scanning websites for software vulnerabilities and exploiting these vulnerabilities. According to Imperva, bad bots are the top threat to online retailers before and during the imposition of the lockdown measures.

4. Supply Chain Attack on SolarWinds

The year 2020 ended with one of the biggest cyberattacks: the supply chain attack on SolarWinds. On December 13, 2020, SolarWinds admitted that it had fallen victim to a supply chain attack.

In a supply chain attack, a threat actor gains access to your organization’s IT systems via an outside partner or third party that has access to your organization’s systems and data. According to SolarWinds, a threat actor gained access to its Orion Platform software source code and inserted the malicious software (malware) called “Sunburst.”

This malware ended up in the Orion Platform software update, specifically for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. According to SolarWinds, if present and activated, the Sunburst malware could potentially allow an attacker to compromise the server on which the Orion Platform software runs.

Open-source reports showed that the U.S. Treasury Department and other U.S. Government Departments had been compromised. Microsoft recently admitted that the SolarWinds supply chain attack also affected its own systems. Microsoft said that it found no evidence of access to production services or customer data, or its systems being used to attack others.

Microsoft, however, said that the SolarWinds attackers were able to view Microsoft's source code but had been unable to modify any code or engineering systems. “At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft,” the company said. “This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.”

    Author

    Steve E. Driz, I.S.P., ITCP

© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit