Western Digital (WD) Hard Drives Remotely Wiped Clean Worldwide
Owners of Western Digital (WD) hard drives around the world, specifically My Book Live and My Book Live Duo devices, found their drives wiped clean remotely last June 23.
Last June 24, a WD user named “sunpeak” started a thread on the WD Community forum stating that all the data on his WD My Book Live device was gone. “Previously the 2T volume was almost full but now it shows full capacity,” sunpeak said.
Hundreds of other WD My Book Live and My Book Live Duo owners echoed sunpeak, reporting that their devices had been wiped clean remotely as well.
“It is very scary that someone can do factory restore the drive without any permission granted from the end user,” sunpeak said. The thread starter said he found this user.log on the affected device:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
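The user.log excerpt above is exactly the signal a NAS owner or administrator would want to alert on: a factory-restore script starting on its own, followed by a reboot and the data volume being remounted empty. As an added example that is not part of the original post, the following Python parses syslog-style lines of that shape (the constructed sample reuses the entries quoted above) and emits one finding per unattended factory restore, tying it to the reboot and remount that followed. The script names (factoryRestore.sh, S15mountDataVolume.sh) are taken from the log; everything else is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the user.log entries quoted in the post above.
SAMPLE_LOG = """\
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

# syslog-style line: "<Mon DD HH:MM:SS> <host> <program>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)


@dataclass
class Entry:
    ts: str
    host: str
    proc: str
    msg: str


def parse_log(text: str) -> List[Entry]:
    """Parse every well-formed line; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


# Scripts whose unattended execution on the NAS means the data volume is being
# destroyed or re-provisioned. The names are those seen in the log above.
DESTRUCTIVE_SCRIPTS = {"factoryRestore.sh"}
REMOUNT_SCRIPT = "S15mountDataVolume.sh"


def find_factory_restores(entries: List[Entry]) -> List[Dict[str, Optional[str]]]:
    """One finding per destructive-script start, with the reboot and the
    data-volume remount that followed it (None when not seen)."""
    findings = []
    for i, e in enumerate(entries):
        if e.proc in DESTRUCTIVE_SCRIPTS and e.msg.startswith("begin script"):
            finding: Dict[str, Optional[str]] = {
                "host": e.host, "script": e.proc, "started_at": e.ts,
                "reboot_at": None, "remount_at": None,
            }
            for later in entries[i + 1:]:
                if finding["reboot_at"] is None and later.proc == "shutdown" and "reboot" in later.msg:
                    finding["reboot_at"] = later.ts
                elif later.proc == REMOUNT_SCRIPT:
                    finding["remount_at"] = later.ts
                    break  # the volume is back, the restore sequence is complete
            findings.append(finding)
    return findings


def alerts_for(text: str) -> List[str]:
    """Human-readable alert lines, one per finding."""
    return [
        f"{f['host']}: {f['script']} ran at {f['started_at']}"
        f" (reboot {f['reboot_at'] or 'not seen'}, data volume remounted {f['remount_at'] or 'not seen'})"
        for f in find_factory_restores(parse_log(text))
    ]


if __name__ == "__main__":
    for line in alerts_for(SAMPLE_LOG):
        print("ALERT", line)
```

Run against the sample it reports a single restore at 15:14:05 with the reboot in the same second and the volume remounted at 16:02:26; fed a log with no factoryRestore.sh entry it reports nothing, which is the point of pairing the script name with its "begin script" message rather than alerting on reboots alone.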
Another WD user added this message to the thread: “All my data is gone too. Message in GUI says it was ‘Factory reset’ today! 06/23. I am totally screwed without that data … years of it.”
Western Digital Statement
Last June 25, US-based Western Digital recommended that users disconnect their My Book Live and My Book Live Duo devices from the internet to protect the data on them. My Book Live and My Book Live Duo devices were introduced to the market in 2010 and received their final firmware update in 2015.
“Western Digital has determined that some My Book Live devices are being compromised by malicious software,” Western Digital said. “In some cases, this compromise has led to a factory reset that appears to erase all data on the device.”
According to Western Digital, the log files that they’ve reviewed show that the attackers directly connected to the affected My Book Live and My Book Live Duo devices from a variety of IP addresses in different countries. The company said this shows that the affected devices were directly accessible from the internet, via direct connection or port forwarding that was enabled either manually or automatically via UPnP.
“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” Western Digital said.
The specific remote command execution vulnerability referred to by Western Digital is CVE-2018-18472, a root remote command execution bug affecting all versions of Western Digital (WD) My Book Live, triggered via shell metacharacters in the language parameter of /api/1.0/rest/language_configuration. The vulnerability can be triggered by anyone who knows the IP address of the affected device. A proof-of-concept on how to exploit CVE-2018-18472 is publicly available.
Because the last firmware update for WD My Book Live and My Book Live Duo devices was released in 2015, CVE-2018-18472 was never addressed in a firmware update by WD developers.
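The bug class behind CVE-2018-18472 is a request parameter reaching a shell without validation. The WD firmware's own code is not on this page, so the following Python is an added, generic illustration of the pattern in a REST handler, not WD code: build_command_unsafe shows the anti-pattern of splicing the parameter into a shell command string, and build_command_safe shows the hardened form, which validates the value against an allowlist of locale identifiers and passes it to the helper as a single argv element with no shell involved. LOCALE_RE, SET_LOCALE_BIN and the function names are assumptions of this example.

```python
import re
import subprocess
from typing import List

# Shape of a legitimate locale value, e.g. "en", "en_US", "pt_BR". An assumed
# format for this hypothetical handler; the real firmware's rules are not shown.
LOCALE_RE = re.compile(r"^[a-z]{2,3}(?:_[A-Z]{2})?$")

# Hypothetical helper binary that applies the locale; not a real WD path.
SET_LOCALE_BIN = "/usr/local/sbin/set-locale"


def build_command_unsafe(language: str) -> str:
    """Anti-pattern: the request parameter is spliced into a string that is
    later handed to /bin/sh. Shell metacharacters in the value change what the
    shell runs, which is the bug class described for CVE-2018-18472."""
    return f"{SET_LOCALE_BIN} {language}"


def is_accepted(language: str) -> bool:
    """Allowlist check: only values matching LOCALE_RE get through."""
    return LOCALE_RE.fullmatch(language) is not None


def build_command_safe(language: str) -> List[str]:
    """Hardened: validate against the allowlist, then return an argv list so the
    value is exactly one argument to the helper and is never parsed by a shell."""
    if not is_accepted(language):
        raise ValueError(f"rejected language value: {language!r}")
    return [SET_LOCALE_BIN, language]


def apply_language(language: str) -> int:
    """Run the helper without a shell and return its exit status. (Here it raises
    FileNotFoundError, because SET_LOCALE_BIN is hypothetical.)"""
    proc = subprocess.run(build_command_safe(language), shell=False, check=False)
    return proc.returncode


if __name__ == "__main__":
    for value in ["en_US", "fr", "en; ls", "en|ls"]:
        print(f"{value!r:10} unsafe -> {build_command_unsafe(value)!r}")
        safe = build_command_safe(value) if is_accepted(value) else "rejected"
        print(f"{'':10} safe   -> {safe}")
```

The two defences are deliberately independent: the allowlist rejects anything that is not a locale, and the argv form means that even a value that slipped past the pattern could only ever be an argument, never a second command.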
Other Cyberattacks Affecting Hard Drives/Backups
WD My Book Live and My Book Live Duo devices attach to the network and are therefore known as network-attached storage (NAS) devices. Other examples of NAS devices are those made by the Taiwanese corporation QNAP Systems, Inc.
In the past few years, QNAP NAS devices have been the target of malicious actors. In 2019, researchers at Intezer detected the malicious software known as QNAPCrypt.
"QNAP is a well-known vendor for selling NAS servers, which the malware was intended to infect and encrypt the containing files for ransom,” researchers at Intezer said. “NAS servers normally store large amounts of important data and files, which make them a valuable target for attackers and especially a viable target for ransomware campaigns.”
In 2014, researchers at FireEye observed cyberattackers attempting to exploit the BASH remote code injection vulnerability against QNAP NAS devices.
"These attacks result in the hackers having a root level remote shell, gaining full access to the contents of the NAS,” FireEye researchers said. “NAS systems are used by enterprises to store large volumes of files and house databases, as well as by consumers for personal storage. This makes NAS an attractive target for attackers given the broad types of data they handle. In this case, the attackers can gain full access the NAS contents as well as execute other commands.”
Cybersecurity Best Practices
The loss of enormous amounts of data on WD My Book Live and My Book Live Duo devices is a lesson for many users.
Network-attached storage (NAS) devices, including WD My Book Live and My Book Live Duo devices and QNAP devices, are becoming targets of cyberattackers because of the wealth of data they hold.
It is important to practice the time-honored 3-2-1 backup rule. This rule states that your organization needs to have 3 copies of critical data (one production data and 2 backup copies), with two copies in different media, and one copy kept offsite for disaster recovery.
Living off the land has become the standard in today’s cyberattacks intent on evading security solutions.
The living off the land attack takes its name from the “living off the land” way of life, that is, living only on the food one produces from the land.
In the cybersecurity context, a living off the land attack refers to turning legitimate programs and processes to nefarious ends. Living off the land enables cyberattackers to blend into victims’ networks and hide among legitimate programs and processes to carry out a stealthy attack. Traditional security solutions often ignore living off the land attacks because the activity appears legitimate, coming as it does from legitimate programs and processes.
Astaroth: Example of a Malware that Lives Off the Land
Astaroth is an example of malicious software (malware) that completely lived off the land to avoid detection. Astaroth is an info-stealing malware that abuses various legitimate Windows processes in an attempt to run undetected on computers running the Windows operating system.
In the blog post "Latest Astaroth living-off-the-land attacks are even more invisible but not less observable," the Microsoft Defender Security Research Team said it started seeing the updated Astaroth attack chain in late 2019. In mid-2019, the team had observed an unusual spike in activity related to Windows Management Instrumentation Command-line (WMIC), prompting it to investigate; it found that the spike was part of the Astaroth attack chain.
WMIC provides a command-line interface for Windows Management Instrumentation (WMI), the infrastructure for management data and operations on Windows operating systems.
The Microsoft Defender Security Research Team said that after the WMIC abuses were exposed, Astaroth completely avoids WMIC and instead introduced new living off the land techniques that make the attack chain even stealthier, such as abusing Alternate Data Streams (ADS) and the legitimate process ExtExport.exe.
Alternate Data Streams (ADS) is a feature of the Windows operating system that contains metadata for locating a specific file by title or author. ExtExport.exe, meanwhile, is a feature that ships with Internet Explorer to run a file. The Microsoft Defender Security Research Team said that Astaroth uses ExtExport.exe to load the malicious payload, while ADS is used to hide malicious payloads.
Other Examples of Living Off the Land Attacks
In the report “The Active Adversary Playbook 2021,” Sophos found that PowerShell and PsExec are among the top 3 legitimate tools used by cyberattackers in 2020 and early 2021. PowerShell and PsExec are legitimate Windows operating system tools used by system administrators.
PowerShell is an interactive command-line interface and scripting environment included in the Windows operating system, while PsExec is a Windows tool that can be used to execute a program on another computer. Microsoft said, “PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.”
According to Mitre, PowerShell commands and scripts have been known to execute malicious payloads, create new tasks on remote machines, identify configuration settings, evade defenses, exfiltrate data, pull Active Directory information from the target environment, issue interactive commands over a network connection, and access credential data.
Mitre reported that PsExec has been abused to download or upload a file over a network share, write programs to the ADMIN$ network share to execute commands on remote systems, and execute binaries on remote systems using a temporary Windows service.
Windows legitimate features aren’t the only programs abused by attackers in living off the land attacks. Third-party programs are also abused by living off the land attackers.
In 2017, the Petya malware, also known as NotPetya, spread worldwide via tainted accounting software from the Ukraine-based company MeDoc. In 2020, researchers at Sophos reported that the group behind the ransomware called "RobbinHood" used a signed driver, part of a now-deprecated software package published by the Taiwan-based motherboard manufacturer Gigabyte, to load a second, unsigned driver into Windows.
“This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference,” Sophos said.
Living off the land attackers recently tainted SolarWinds software, affecting the thousands of SolarWinds customers that downloaded the tainted version.
Cybersecurity Best Practices
Here are some of the cybersecurity best practices in preventing and mitigating the effects of living off the land attacks:
Switch off or remove unneeded programs
Top 3 Tools Used by Cyberattackers in 2020 and Early 2021
Three legitimate pentesting tools – PowerShell, Cobalt Strike, and PsExec – topped the list of tools used by cyberattackers to break into victims’ networks in 2020 and early 2021, according to a Sophos report based on findings from frontline threat hunters and incident responders.
In the report “The Active Adversary Playbook 2021,” Sophos found that PowerShell, followed by Cobalt Strike, and PsExec are the top 3 tools used by cyberattackers in 2020 and early 2021.
PowerShell, Cobalt Strike, and PsExec are legitimate tools used by IT administrators and security professionals for penetration testing, also known as pentesting – an authorized simulated cyberattack against an organization’s computer system to examine exploitable vulnerabilities. Threat actors, however, have been using these same pentesting tools to break into victims’ networks.
According to the Sophos report, correlations emerge among the top 3 tools found in victims’ networks. When PowerShell is used in an attack, Cobalt Strike was seen in 58% of cases and PsExec in 49% of cases; Cobalt Strike and PsExec were used together in 27% of attacks; and the combination of Cobalt Strike, PowerShell, and PsExec occurs in 12% of all attacks.
PowerShell is a task-based command-line shell and scripting language designed for system administration in the Windows operating system. Attackers use PowerShell to conduct a number of malicious activities, including executing malicious code, creating new tasks on remote machines, identifying configuration settings, pulling Active Directory information from the target environment, evading defenses, exfiltrating data, and executing other commands.
The malicious software called “Emotet” has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz – ranked fourth in the tools used by cyberattackers in 2020 and early 2021 in the Sophos report. Mimikatz is capable of obtaining plaintext Windows account logins and passwords.
PsExec is a free Microsoft tool that is used by IT administrators to execute a program on another computer. This tool has been used by attackers to download or upload a file over a network share.
Cobalt Strike is a commercially available pentesting tool that’s marketed as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors."
This commercial pentesting tool was developed by researcher Raphael Mudge in 2012. This tool was recently acquired by HelpSystems. In 2020, the source code of Cobalt Strike version 4.0 was leaked to the public. Adversaries often use the purchased and pirated/cracked versions of Cobalt Strike.
This tool can execute a payload on a remote host with PowerShell or with PsExec. Cobalt Strike’s Beacon is used to perform actions such as collecting information on process details, reaching out to the command-and-control server at an arbitrary, random interval, breaking large data sets into smaller chunks for exfiltration, and capturing screenshots.
The tools PowerShell and Cobalt Strike were used in the recently unraveled supply chain attack on SolarWinds.
In the SolarWinds supply chain attack, attackers compromised the update of SolarWinds’s Orion product, which gave them the opportunity to attack customers that applied the compromised Orion update. Victims of the SolarWinds supply chain attack include the cybersecurity firm FireEye and Microsoft.
In the blog post "Raindrop: New Malware Discovered in SolarWinds Investigation," security researchers at Symantec reported that malicious software (malware) called "Raindrop" enabled the delivery of Cobalt Strike into victims’ networks. On the computer where the Raindrop malware was found, Symantec observed that several days later PowerShell commands were executed, attempting to run further instances of Raindrop on additional computers in the organization.
The top 3 tools used by cyberattackers in 2020 and early 2021, PowerShell, Cobalt Strike, and PsExec, were all used by the group behind the ransomware called “DoppelPaymer.” Like other modern ransomware, DoppelPaymer encrypts victims’ files, locking victims out of them, and demands that victims pay a ransom in exchange for the decryption tool that unlocks the encrypted files.
Like other modern ransomware groups, the group behind DoppelPaymer threatens victims with publication of their stolen files on a data leak site as part of the extortion scheme. In DoppelPaymer attacks, PowerShell, Cobalt Strike, PsExec, and Mimikatz – ranked fourth among the tools used by cyberattackers in 2020 and early 2021 in the Sophos report – were used to steal credentials, move laterally inside the network, and execute various commands.
In the blog post "Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk," Microsoft 365 Defender Threat Intelligence Team said that defenders should pay attention to malicious “PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities.”
“Security teams can defend their organization by monitoring and investigating suspicious activity,” Sophos in the “The Active Adversary Playbook 2021” said. “The difference between benign and malicious is not always easy to spot. Technology in any environment, whether cyber or physical, can do a great deal but it is not enough by itself. Human experience and the ability to respond are a vital part of any security solution.”
How to Catch Golden SAML-Type Attacks
The supply chain attack on SolarWinds exposes the effectiveness of a cyberattack method called “Golden SAML.”
SolarWinds Supply Chain Attack Background
In December 2020, FireEye disclosed its discovery of the supply chain attack on SolarWinds product Orion – monitoring and management platform designed to simplify IT administration.
In the supply chain attack on SolarWinds Orion, attackers gained access to the Orion source code, maliciously changed it, and the malicious code became part of the official updates released to SolarWinds customers. The malicious updates gave the SolarWinds attackers initial access to the networks of SolarWinds Orion customers. The attack affected nearly 18,000 customers of SolarWinds Orion.
Among the companies that admitted that they’ve been impacted by the SolarWinds supply chain attack are FireEye and Microsoft. As a result of the SolarWinds supply chain attack, FireEye disclosed that the attackers stole its Red Team assessment tools which leverage known Common Vulnerabilities and Exposures (CVEs) to test and validate clients’ cybersecurity posture. Microsoft, meanwhile, admitted that attackers were able to view the company’s “source code in a number of source code repositories.”
What Is Golden SAML?
Golden SAML is an attack vector discovered back in 2017 by CyberArk Labs. One of the attack methods used by the attackers after gaining initial access to the networks of SolarWinds Orion customers is Golden SAML. Its use in the SolarWinds supply chain attack is the first documented use of Golden SAML since the 2017 discovery.
Golden SAML allows attackers who have gained initial access to a victim’s network, as in the SolarWinds supply chain attack, to maintain persistence and gain access to the different services used by the victim in a convenient and stealthy manner. “Golden SAML is a technique that allows attackers, once they got privileged access to the victim’s network, to impersonate almost any identity in the organization and acquire any type of privilege across almost all services of the organization (this depends on what services in the organization use SAML as their authentication protocol),” CyberArk Labs said in its latest blog post "Golden SAML Revisited: The Solorigate Connection.”
As described by CyberArk Labs, Golden SAML is basically a forged SAML. Short for Security Assertion Markup Language, SAML enables web browser Single Sign-On (SSO). SAML 2.0, first introduced in 2005, is the current standard version of the SAML protocol.
With SSO, a user only has to enter their login credentials once and the user is then given access to cloud services that support SAML authentication such as Microsoft Azure or Amazon Web Services (AWS). “In a golden SAML attack, attackers can gain access to any application that supports SAML authentication (e.g. Azure, AWS, vSphere, etc.) with any privileges they desire and be any user on the targeted application (even one that is non-existent in the application in some cases),” CyberArk Labs said.
From an attacker’s perspective, CyberArk Labs said, Golden SAML has the following advantages:
To perform the Golden SAML attack, CyberArk Labs said, the following are required: the token-signing private key, the IdP public certificate, the IdP name, and the role name (the role to assume). CyberArk Labs added that tools such as Mimikatz can be used to get the private key.
According to FireEye, the supply chain attack on SolarWinds enabled the attackers to execute a customized Cobalt Strike – a commercial penetration testing tool that’s marketed as a “software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors." One of the tools included in Cobalt Strike is Mimikatz, a tool that’s capable of exploiting Windows Single Sign-On (SSO) functionality to harvest credentials.
Even though Golden SAML has been a known attack vector since 2017, it hasn’t been addressed by the vendors using the SAML 2.0 protocol, because Golden SAML isn’t treated as a security vulnerability: an attacker needs domain admin access in order to perform it. The SolarWinds supply chain attack is a case in point, as the attackers had already gained domain admin access.
According to FireEye, the SolarWinds supply chain attackers were observed targeting on-premises Active Directory Federation Services servers with the goal of obtaining the token-signing certificate to forge SAML tokens. Active Directory Federation Services is a software component developed by Microsoft that runs on Windows Server operating systems to provide users with Single Sign-On access to systems and applications.
Cybersecurity Best Practices
One cybersecurity measure to prevent a Golden SAML attack is deploying a Privileged Access Management (PAM) solution, a solution that helps manage, monitor, and secure privileged access to critical assets. It’s also important to monitor for suspicious SAML tokens, such as those with an unusually long life.
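Monitoring for suspicious SAML tokens is the one control above that a defender can implement directly, so here is an added Python example (not CyberArk's or FireEye's code) of the checks that still work against a Golden SAML token. Because a forged assertion is signed with the real, stolen token-signing key, signature validation passes; what gives it away is what the assertion claims: an issuer that is not the organisation's IdP, a subject that does not exist in the directory (the case CyberArk describes), or a validity window far longer than the IdP normally issues. The assertion layout, the issuer URL, the one-hour normal lifetime, the user list and the certificate bytes are all constructed for this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Set

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


@dataclass
class Policy:
    expected_issuer: str          # entity ID of the organisation's own IdP
    expected_cert_sha256: str     # hex SHA-256 of the IdP token-signing certificate
    known_users: Set[str]         # NameIDs that actually exist in the directory
    max_lifetime: timedelta = timedelta(hours=1)   # assumed normal assertion lifetime


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes carried in ds:X509Certificate."""
    return hashlib.sha256(base64.b64decode(b64_cert)).hexdigest()


def inspect_assertion(xml_text: str, policy: Policy) -> List[str]:
    """Return the anomalies found; an empty list means nothing suspicious."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != policy.expected_issuer:
        findings.append(f"unexpected issuer {issuer!r}")

    cert = root.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip()
    if not cert or cert_fingerprint(cert) != policy.expected_cert_sha256:
        findings.append("not signed with the expected IdP certificate")

    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if subject not in policy.known_users:
        findings.append(f"subject {subject!r} is not a known user")

    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        findings.append("no expiry: assertion has no Conditions/NotOnOrAfter")
    else:
        lifetime = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
        if lifetime > policy.max_lifetime:
            findings.append(f"lifetime {lifetime} exceeds {policy.max_lifetime}")
    return findings


def build_assertion(subject: str, not_before: str, not_on_or_after: str, cert_b64: str) -> str:
    """Minimal constructed SAML 2.0 assertion carrying only the fields checked above."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_constructed" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
</saml:Assertion>"""


# Constructed placeholder standing in for the IdP's DER certificate bytes.
IDP_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()

POLICY = Policy(
    expected_issuer="http://adfs.example.test/adfs/services/trust",
    expected_cert_sha256=cert_fingerprint(IDP_CERT_B64),
    known_users={"alice@example.test", "bob@example.test"},
)

# Normal login: a known user with a one-hour window.
NORMAL_ASSERTION = build_assertion("alice@example.test",
                                   "2020-12-01T10:00:00Z", "2020-12-01T11:00:00Z", IDP_CERT_B64)
# Golden SAML style: signed with the genuine (stolen) key, but for a user that
# does not exist and with a week-long validity window.
FORGED_ASSERTION = build_assertion("svc-ghost@example.test",
                                   "2020-12-01T10:00:00Z", "2020-12-08T10:00:00Z", IDP_CERT_B64)

if __name__ == "__main__":
    for name, xml_text in [("normal", NORMAL_ASSERTION), ("forged", FORGED_ASSERTION)]:
        print(name, inspect_assertion(xml_text, POLICY) or "no findings")
```

In a real deployment the assertions would come from the service provider's sign-in logs or the IdP's issuance logs, and the subject check would query the directory rather than a fixed set; the value of keeping the certificate fingerprint in the policy is that a token signed by a certificate the organisation never issued is caught as well, not just one signed by the stolen key.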
In case there’s enough evidence that attackers have already accessed your organization’s Active Directory Federation Services servers, the following steps need to be done:
Hunt for Earliest Artifacts of Compromise
Three of Microsoft’s cyber defense teams recently published their collective findings on how threat actors managed to view the company’s crown jewel: Microsoft source code.
In the blog post "Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop," three of Microsoft’s cyber defense teams, Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center, and Microsoft Cyber Defense Operations Center revealed new details on how threat actors were able to view the company’s source code.
Last December 31st, Microsoft admitted that one internal account had been compromised and used to view source code in a number of source code repositories. "The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made," Microsoft said.
Microsoft earlier admitted that it was one of the victims of the SolarWinds supply chain attack. Microsoft is one of the thousands of SolarWinds clients that unwittingly downloaded the SolarWinds update that had been maliciously modified to include malicious software (malware) called "Solorigate", used to further compromise the networks of those that downloaded the poisoned update.
In a report to the U.S. Securities and Exchange Commission, SolarWinds said, "SolarWinds currently believes the actual number of customers that may have had an installation of the [SolarWinds] Orion products that contained this vulnerability to be fewer than 18,000."
Microsoft provided the following timeline of how the attackers compromised the SolarWinds update:
Sept. 4, 2019: Attackers start assessing SolarWinds
Sept. 12, 2019: Attackers start injecting test code
Nov. 4, 2019: Attackers stop injecting test code
Feb. 20, 2020: Solorigate malware backdoor is compiled and deployed
March 2020: Estimated start of distribution of Solorigate malware backdoor
May 2020: Estimated start of actual hands-on-keyboard attacks
June 4, 2020: Attackers remove malware from SolarWinds build environment
Dec. 12, 2020: Solorigate malware supply chain attack disclosed
How the Attack Transpired
According to FireEye, one of the victims of the SolarWinds supply chain attack, the supply chain attack on SolarWinds enabled the attackers to execute a customized Cobalt Strike.
Cobalt Strike is a publicly available penetration testing tool that’s marketed as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike’s post-exploit capabilities include tools such as Mimikatz and Metasploit.
Mimikatz is a tool that’s capable of obtaining plaintext Windows account logins and passwords. Mimikatz also comes with many other features that test the security of networks.
Metasploit, meanwhile, is another penetration testing tool popularly used by both attackers and defenders. With Metasploit, attackers just pick a target, pick an exploit, and pick a payload to drop.
"One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader," Microsoft’s cyber defense teams said.
According to Microsoft’s cyber defense teams, the following tactics allowed the attackers to hide their malware and malicious actions:
Each Cobalt Strike implant was assembled to be unique for every compromised computer and avoided any overlap and reuse of file name, folder name, export function names, HTTP requests, C2 domain/IP, file metadata, and timestamp.
Tools used by the attackers, including the legitimate tool called "ADFIND" (a search utility that can be used to query the Active Directory), were always renamed and placed in folders that imitated existing programs and files already present on the compromised computer.
Event logging captures network activities such as login sessions, account lockouts, and failed password attempts. Prior to conducting hands-on keyboard activity, the attackers disabled event logging through the use of a tool called "AUDITPOL." The attackers enabled event logging after conducting hands-on keyboard activity.
Before running network enumeration, the attackers prepared special firewall rules to reduce outgoing packets for certain protocols. After running network enumeration, they removed the special firewall rules.
Prior to conducting lateral movement activities, the attackers first disabled certain security services. Lateral movement refers to activities that are conducted by attackers after gaining access to the victim’s network.
Attackers, in this case, gained initial access to the victims’ networks via the poisoned Solarwinds update. Post initial access activities are typically done in search of sensitive data and other high-value assets.
Microsoft’s cyber defense teams believed that the attackers used timestomping. In timestomping, attackers change the timestamps of a file – referring to the access, create, and change times of a file. The goal of timestomping is to derail forensic investigators or file analysis tools.
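To make the timestomping paragraph concrete from the examiner's side, here is an added Python example (not from Microsoft's write-up) of two cheap heuristics that need nothing more than os.stat(): a timestamp whose fractional second is exactly zero, which tools that rewrite times at one-second granularity typically leave behind, and a modification time later than the inode change time, which ordinary writes cannot produce. demo_in_tempdir builds a constructed pair of files, backdates one of them with os.utime the way a timestomping utility would, and returns what each check reports.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List

NS_PER_SECOND = 1_000_000_000


def timestamp_anomalies(path: Path) -> List[str]:
    """Heuristic signs of timestomping, from os.stat() alone.
    Tools that rewrite timestamps with utime()/SetFileTime at one-second
    granularity leave the fractional part at exactly zero, while files the OS
    writes normally carry a sub-second remainder. Filesystems with coarse
    timestamp resolution (FAT, older HFS+) zero the fraction for every file,
    so treat a hit as a lead for the forensic examiner, not as proof."""
    st = path.stat()
    findings: List[str] = []
    if st.st_mtime_ns % NS_PER_SECOND == 0:
        findings.append("mtime has a zero fractional second")
    if st.st_atime_ns % NS_PER_SECOND == 0:
        findings.append("atime has a zero fractional second")
    # Every ordinary write bumps ctime along with mtime, so an mtime well
    # past ctime means the modification time was set by hand.
    if st.st_mtime_ns > st.st_ctime_ns + NS_PER_SECOND:
        findings.append("mtime is later than ctime")
    # Creation time is only exposed on some platforms (macOS, BSD, Windows).
    birth = getattr(st, "st_birthtime", None)
    if birth is not None and st.st_mtime < birth - 1:
        findings.append("mtime predates file creation")
    return findings


def demo_in_tempdir() -> Dict[str, List[str]]:
    """Constructed scenario: one file written normally and one whose
    timestamps are rewritten to a whole-second value a year in the past."""
    with tempfile.TemporaryDirectory() as d:
        normal = Path(d) / "normal.txt"
        stomped = Path(d) / "stomped.txt"
        normal.write_text("written and left alone\n")
        stomped.write_text("timestamps rewritten after writing\n")
        backdated = int(time.time()) - 365 * 24 * 3600
        os.utime(stomped, (backdated, backdated))   # atime, mtime in whole seconds
        return {"normal": timestamp_anomalies(normal),
                "stomped": timestamp_anomalies(stomped)}


if __name__ == "__main__":
    for name, hits in demo_in_tempdir().items():
        print(f"{name}: {hits or 'no anomalies'}")
```

On NTFS the authoritative comparison is between the $STANDARD_INFORMATION timestamps (which utime-style APIs rewrite) and the $FILE_NAME timestamps (which they do not), and a full examination reads those from the MFT; the stat-based checks here are the triage pass that decides which files deserve that closer look.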
If All Else Fails
To date, the identities of the attackers behind the SolarWinds supply chain attack, which spiraled into the compromise of other networks such as Microsoft’s and FireEye’s, remain inconclusive.
One takeaway from this supply chain attack is the need for network segmentation. If all else fails, one way to protect your organization’s crown jewels is to implement network segmentation.
In network segmentation, your organization’s network is divided into sub-networks so that in case one sub-network is compromised, the other sub-networks won’t be affected.
Extent of the Supply Chain Attack on SolarWinds Orion Platform Software
In the past few days, details about the supply chain attack on the SolarWinds Orion Platform software have slowly unfolded, highlighting the dangers of this type of cyberattack.
What Is a Supply Chain Attack?
A supply chain attack is a type of cyberattack in which attackers maliciously change the source code of a piece of software with the goal of compromising its end users.
In a statement, SolarWinds said it was a victim of a supply chain attack in which a still unknown attacker inserted malicious software (malware) dubbed “Sunburst” within SolarWinds Orion Platform software. According to SolarWinds, versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 of its Orion Platform software were compromised with the Sunburst malware.
Customers of SolarWinds that downloaded and installed the company’s Orion Platform software versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are at risk. If present and activated, the Sunburst malware, according to SolarWinds, “could potentially allow an attacker to compromise the server on which the Orion products run.”
The effects of a compromised server hosting the Sunburst malware are far-reaching, as SolarWinds Orion Platform software is specifically meant as centralized monitoring and management software to keep track of all IT resources, including servers, workstations, mobile devices, and IoT devices.
Cybersecurity firm FireEye first discovered the Sunburst malware. The company is also responsible for naming this malware as “Sunburst.” Microsoft, meanwhile, refers to this malware as “Solorigate.” FireEye and Microsoft both admitted that they have been part of the victims of the supply chain attack on SolarWinds Orion Platform software.
Microsoft, in a statement, said: “Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
In the case of FireEye, the attacker stole the company’s “Red Team assessment tools.” According to FireEye, the stolen Red Team assessment tools are used to test its customers’ security.
“These tools [Red Team assessment tools] mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers,” FireEye said. “None of the tools contain zero-day exploits.”
According to FireEye, the Sunburst malware campaign may have started as early as spring 2020 and is currently ongoing. In analyzing the Sunburst malware, FireEye said that after the malware is installed on the victim’s server, it stays dormant for up to two weeks. After this dormant period, the malware retrieves and executes commands, called “Jobs,” that enable it to transfer files, execute files, profile the system, reboot the machine, and disable system services.
FireEye added that the Sunburst malware hides its network traffic as the Orion Improvement Program (OIP) protocol “stores reconnaissance results within legitimate plugin configuration files,” allowing this malware to blend in with legitimate SolarWinds activity.
According to FireEye, victims of Sunburst malware include government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. “We anticipate there are additional victims in other countries and verticals,” FireEye said.
In analyzing the Solorigate malware, Microsoft said that the malicious code inserted into SolarWinds Orion Platform software consists of nearly 4,000 lines of code. “The fact that the compromised file is digitally signed suggests the attackers were able to access the company’s software development or distribution pipeline,” said Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center in the blog post "Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers."
“Evidence suggests that as early as October 2019, these attackers have been testing their ability to insert code by adding empty classes,” Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center added. “Therefore, insertion of malicious code into the SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build, which would include digitally signing the compiled code. As a result, the DLL containing the malicious code is also digitally signed, which enhances its ability to run privileged actions – and keep a low profile.”
Mitigating Measures Against Supply Chain Attack
In the case of the SolarWinds Orion Platform software supply chain attack, it’s important to apply the update released by SolarWinds. The company offers more details on how to apply the update here.
In case the Sunburst/Solorigate malware is suspected to be inside your organization’s network, it’s important to isolate and block internet access to IT infrastructure where SolarWinds software was installed for further review and investigation.
If isolation isn’t possible, the following mitigating measures should be taken:
Cyberattack Surface Widens As World Sees Increase in Remote Work
With much of the world now working remotely and likely to remain this way after the COVID-19 pandemic, the attack surface that could be exploited by cyberattackers has widened, a new study showed.
A new study by RiskIQ showed that with much of the global economy being run from homes, attackers now have far more access points to probe and exploit. Attack surface, as defined in the study, refers to everything that needs defending, starting from inside the corporate network and extending all the way to the internet and into the homes of employees working from home. RiskIQ identified the following attack areas:
Web-Based Attack Surface
Across the internet in just over two weeks, RiskIQ observed 2,959,498 new domains (equivalent to 211,392 per day) and 772,786,941 new unique hosts to the web (equivalent to 55,199,067 per day). New domains, also known as new websites, and new unique hosts to the web, according to RiskIQ, represent possible targets for threat actors.
RiskIQ found that 2,480 of the Alexa top 10,000 domains were running at least one potentially vulnerable web component, and 8,121 potentially vulnerable web components in total were found in the Alexa top 10,000.
To highlight the attack surface faced by organizations, RiskIQ conducted a study on the companies that comprise the FTSE-30 – a group of 30 large-cap organizations in the UK. RiskIQ found that on average, each FTSE-30 organization has 324 expired certs, 25 SHA-1 certs, 743 potential test sites, 28 insecure login forms, 385 total insecure forms, 46 web frameworks with known vulnerabilities, 80 PHP 5.x instances reaching end of life (EOL) at the end of the year, and 664 web servers at release levels with known vulnerabilities.
In addition, last March, with the spike in online shopping due to COVID-19, RiskIQ reported that it detected a 30% increase in Magecart skimmers – a type of cyberattack that involves digital credit card theft by skimming online payment forms.
Modern websites are made up of common features such as underlying operating systems, frameworks, third-party applications, plugins, and trackers. "This commonality of approach is attractive to malicious actors, as a successful exploit written for a vulnerability or exposure on one site can be reused across many sites," RiskIQ said.
A recent Verizon Data Breach Report showed that external-facing web applications, into which network security tools have no visibility, were the assets most exploited by cyberattackers.
Remote Access Attack Surface
According to RiskIQ, the rush to stand up new systems outside the firewall to enable a remote workforce has expanded attack surfaces more quickly, with virtual private network (VPN) usage surging 112% over just six weeks and a 26.11% increase in Microsoft Remote Access Gateway instances, peaking around March 20 when stay-at-home orders took full effect.
RiskIQ found that on average, each FTSE-30 organization has 45 mail servers, 7,790 cloud-hosted apps (Amazon and Azure), 26 potentially vulnerable Citrix Netscaler instances, 8 potentially vulnerable Palo Alto GlobalProtect instances, 9 potentially vulnerable Pulse Connect instances, 25 potentially vulnerable Fortinet instances, and 1,464 remote access service instances.
Mobile Attack Surface
There's more to mobile apps than the Apple and Google Play mobile app stores, as there are hundreds of online stores in which threat actors sell their mobile apps. RiskIQ said malicious actors compromise legitimate apps and launch fake apps in other app store ecosystems and on the open internet.
In 2019, RiskIQ found 170,796 blacklisted mobile apps across 120 mobile app stores and the open internet. Eighty-six percent of the blacklisted apps, RiskIQ said, claimed the READ_SMS permission, which allows the app to read messages and can be used for nefarious activities such as circumventing two-factor authentication.
Social Engineering Attack Surface
Social engineering refers to the impersonation of domains, subdomains, landing pages, websites, mobile apps, and social media profiles to trick employees and consumers into installing malicious software (malware) or into giving up login credentials and other personal information.
In the first quarter of 2020, RiskIQ identified 21,496 phishing domains impersonating 478 unique brands. For the same period, it also identified 720,188 instances of domain infringement across 170 unique brands. RiskIQ noted 317,000 new websites related to “COVID-19” or “coronavirus” in the two weeks between March 9 and 23.
Cybersecurity Best Practices in Securing Your Organization's Attack Surface
Traditional cybersecurity relies on a firewall that acts as a barrier between a trusted internal network and an untrusted external network such as the internet. The COVID-19 pandemic and the resulting government-mandated stay-at-home measures, which left organizations no option but to allow employees to work from home, have widened the attack surface, as the boundary between what is inside the firewall and what is outside it is no longer clear.
Here are some cybersecurity best practices in securing your organization's attack surface:
Whether it's for the web, mobile or operating systems, all software used for these platforms should be kept up to date. Failure to apply the latest software update leaves this attack surface vulnerable to attack.
Malicious actors can simply probe your organization's vulnerable internet-connected assets by conducting a simple internet scan. It's important to conduct a regular full inventory of these internet-connected assets, determining, for instance, which assets need software updates.
Early detection of social engineering attempts that impersonate your organization's domains, subdomains, landing pages, websites, mobile apps, and social media profiles that target your employees and customers and letting them know about these social engineering attempts is one of the effective measures in disrupting
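As an added example (not RiskIQ's tooling or code from the study), the following Python script audits an inventory of internet-facing assets for the same weaknesses RiskIQ counted per FTSE-30 organization: expired and SHA-1 certificates, insecure login forms, EOL PHP 5.x and server releases with known vulnerabilities. The inventory records, the vulnerable-release table and the reference date are constructed.

```python
"""Audit a constructed inventory of internet-facing assets for the weaknesses
counted in the RiskIQ study. Added example; all records are constructed."""
from datetime import date, timedelta

# Constructed: server releases the auditor treats as having known vulnerabilities.
# In practice this table is fed from the vendor advisories you track.
VULNERABLE_RELEASES = {
    ("nginx", "1.16.0"),
    ("apache", "2.4.29"),
}

# Constructed reference date so the audit is reproducible.
REFERENCE_DATE = date(2020, 6, 1)

# Constructed inventory: one record per internet-connected asset.
INVENTORY = [
    {"host": "www.example.test", "scheme": "https", "cert_not_after": "2021-03-01",
     "cert_sig_alg": "sha256WithRSAEncryption", "server": ("nginx", "1.18.0"),
     "php": None, "login_form": True},
    {"host": "legacy.example.test", "scheme": "https", "cert_not_after": "2019-11-30",
     "cert_sig_alg": "sha1WithRSAEncryption", "server": ("apache", "2.4.29"),
     "php": "5.6.40", "login_form": True},
    {"host": "intranet-test.example.test", "scheme": "http", "cert_not_after": None,
     "cert_sig_alg": None, "server": ("nginx", "1.16.0"),
     "php": "7.4.3", "login_form": True},
]


def audit_asset(asset, today, expiry_warning_days=30):
    """Return the list of finding codes for one asset."""
    findings = []
    not_after = asset.get("cert_not_after")
    if not_after:
        expiry = date.fromisoformat(not_after)
        if expiry < today:
            findings.append("expired_cert")
        elif expiry - today <= timedelta(days=expiry_warning_days):
            findings.append("cert_expiring_soon")
    sig = asset.get("cert_sig_alg") or ""
    if sig.lower().startswith("sha1"):
        findings.append("sha1_cert")
    # A login form served over plain HTTP exposes credentials in transit.
    if asset.get("login_form") and asset.get("scheme") != "https":
        findings.append("insecure_login_form")
    php = asset.get("php")
    if php and php.startswith("5."):
        findings.append("php5_eol")
    if asset.get("server") in VULNERABLE_RELEASES:
        findings.append("vulnerable_server_release")
    return findings


def audit_inventory(inventory, today):
    """Map each host to its findings, dropping hosts with nothing to report."""
    report = {}
    for asset in inventory:
        found = audit_asset(asset, today)
        if found:
            report[asset["host"]] = found
    return report


def summarize(report):
    """Count findings per category, the way the study reports per-organization totals."""
    counts = {}
    for findings in report.values():
        for code in findings:
            counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    rep = audit_inventory(INVENTORY, REFERENCE_DATE)
    for host, codes in rep.items():
        print(host, ", ".join(codes))
    print(summarize(rep))
```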
Microsoft Reports Growing Web Shell Attacks
An average of 77,000 web shell attacks are detected each month on an average of 46,000 distinct computers, this according to the latest report released by Microsoft.
What Is a Web Shell?
A web shell is malicious code that cybercriminals implant on internet-facing servers to remotely access server functions. This malicious code allows criminals to steal data from the compromised internet-facing server or to use the compromised server as a stepping stone for further attacks against their victims.
China Chopper is an example of a web shell. It was first discovered in 2012. Nearly a decade after its discovery, China Chopper remains the most widely used web shell. Researchers at Cisco Talos Intelligence Group said that as China Chopper is widely available, it’s nearly impossible to attribute this form of attack to a particular group.
Analysis of the China Chopper by researchers at Cisco Talos showed that this web shell allows attackers to retain access to an already compromised web server using a client-side application. This client-side application, the researchers said, contains all the logic needed to control the target, making it handy for threat actors to use. The researchers added that China Chopper only targets systems that run a web server application.
Web Shell Attacks
According to Microsoft, a victim of a web shell attack – an organization in the public sector that Microsoft refused to name – enlisted the services of Microsoft’s Detection and Response Team (DART) to conduct full incident response and remediate the said attack before it could cause further damage.
DART’s investigation showed that the unnamed organization’s attackers implanted a web shell in multiple folders of the organization’s web server. This implanted web shell allowed the attackers to compromise the service accounts and domain admin accounts. DART’s investigation also showed that the initial implanted web shell allowed the attackers to look for additional target systems and install web shells on these additional targeted systems.
Threat groups ZINC, KRYPTON, and GALLIUM are known to have used web shells in their cyber-attacks. According to Microsoft, web shell attackers exploit the security vulnerabilities in web applications or web servers, including the lack of the latest security updates, as well as the lack of antivirus tools, lack of network protection, lack of proper security configuration and lack of informed security monitoring. Attacks typically happen during off-hours or weekends, when attacks are likely not immediately spotted and responded to, Microsoft said.
Security vulnerabilities referred to as CVE-2019-16759 and CVE-2019-0604 are some of those exploited by attackers, Microsoft added. Both CVE-2019-16759 and CVE-2019-0604 had been patched by their respective software vendors.
CVE-2019-16759 is a security vulnerability in vBulletin, a proprietary forum software used by more than 100,000 websites, including websites used by major companies and organizations. CVE-2019-0604, meanwhile, is a security vulnerability in Microsoft SharePoint – a web-based platform that integrates with Microsoft Office. Successful exploitation of CVE-2019-0604 allows an attacker to run malicious code in the context of the SharePoint application pool and the SharePoint server farm account.
On April 23, 2019, the Canadian Centre for Cyber Security issued an alert, warning Canadian organizations of the on-going cyber-attacks that first exploit the security vulnerability of Microsoft SharePoint, in particular, CVE-2019-0604, leading to the deployment of the China Chopper web shell. The following unpatched versions of Microsoft SharePoint are known to be affected: Microsoft SharePoint Server 2019, Microsoft SharePoint Server 2010 SP2, Microsoft SharePoint Foundation 2013 SP1 and Microsoft SharePoint Enterprise Server 2016.
"The China Chopper web shell is extensively used by hostile actors to remotely access compromised web-servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device,” the Canadian Centre for Cyber Security said. “As China Chopper is just 4 Kb in size, and has an easily modifiable payload, detection and mitigation is difficult for network defenders.”
An internal confidential document from the United Nations (U.N.) dated September 20, 2019 and leaked to The New Humanitarian showed that dozens of servers at the U.N. offices in Geneva and Vienna were illegally accessed starting in July 2019. The internal confidential document from the U.N., seen by the Associated Press, showed that the U.N. attackers were able to access the public organization’s servers by exploiting the security vulnerability of Microsoft’s SharePoint software, in particular, CVE-2019-0604 – a vulnerability that was patched by Microsoft in February and March 2019 but the U.N. failed to update its systems.
Preventive and Mitigating Measures Against Web Shell Attacks
It’s worth noting that web shells are only deployed on the victims’ internet-facing servers after attackers find an initial loophole on the victims’ servers. As shown in the above-mentioned examples, initial entry points for the attackers include unpatched vBulletin (CVE-2019-16759) and unpatched SharePoint (CVE-2019-0604). It’s important, therefore, to patch all your organization’s software in a timely manner as attackers are quick to exploit unpatched software.
In the case of the CVE-2019-0604 vulnerability, Microsoft’s March 12, 2019 update should be applied. In the case of CVE-2019-16759, vBulletin’s version 5.5.2/3/4 Patch Level 1 update should be applied. To mitigate vBulletin’s exposure, disable the PHP, Static HTML, and Ad Module rendering settings in the administration panel.
It’s also important to practice network segmentation. In network segmentation, your organization’s network is divided into sub-networks. For instance, servers that house your organization’s critical information and are strictly meant for on-premise use should be part of one sub-network and be kept offline. This way, if attackers manage to infect other sub-networks, this critical sub-network won’t be affected.
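As an added example (not code from Microsoft, DART or the Canadian Centre for Cyber Security), the following Python script compares a web root listing against a known-good deployment manifest and weights unexpected files with the signals described above: script files of about the 4 KB size of China Chopper's server component, and changes made during off-hours or at weekends. The manifest, file listing, hashes and timestamps are constructed.

```python
"""Flag web-root files that are absent from, or differ from, the deployment
manifest, then add the off-hours and small-script signals as triage weight.
Added example; the manifest, listing and timestamps are constructed."""
from datetime import datetime

SCRIPT_EXTENSIONS = (".php", ".aspx", ".asp", ".jsp", ".ashx")
SMALL_SCRIPT_BYTES = 4096   # roughly China Chopper's server-side size
BUSINESS_HOURS = (8, 18)    # local hours regarded as normal change windows

# Constructed known-good manifest recorded at deployment time: path -> sha256.
MANIFEST = {
    "/var/www/html/index.php": "a1" * 32,
    "/var/www/html/includes/db.php": "b2" * 32,
    "/var/www/html/assets/logo.png": "c3" * 32,
}

# Constructed listing of the live web root: (path, size, mtime, sha256).
LISTING = [
    ("/var/www/html/index.php", 20480, "2020-01-14T10:30:00", "a1" * 32),
    # Known file whose content changed late on a Saturday night.
    ("/var/www/html/includes/db.php", 3100, "2020-01-18T23:50:00", "ff" * 32),
    ("/var/www/html/assets/logo.png", 15000, "2020-01-14T10:30:00", "c3" * 32),
    # Small script that was never deployed, written early on a Sunday morning.
    ("/var/www/html/uploads/cache.aspx", 1200, "2020-01-19T02:15:00", "e5" * 32),
    # Unexpected but non-executable file written during business hours.
    ("/var/www/html/docs/readme.txt", 500, "2020-01-15T14:00:00", "f6" * 32),
]


def off_hours(mtime_iso):
    """True when the timestamp falls on a weekend or outside business hours."""
    ts = datetime.fromisoformat(mtime_iso)
    weekend = ts.weekday() >= 5
    return weekend or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def classify_file(path, size, mtime_iso, digest, manifest):
    """Return the reasons a file deserves attention; empty for a known, unchanged file."""
    reasons = []
    expected = manifest.get(path)
    if expected is None:
        reasons.append("not_in_manifest")
    elif expected != digest:
        reasons.append("hash_mismatch")
    if not reasons:
        return reasons
    if path.lower().endswith(SCRIPT_EXTENSIONS) and size <= SMALL_SCRIPT_BYTES:
        reasons.append("small_script")
    if off_hours(mtime_iso):
        reasons.append("off_hours")
    return reasons


def scan_web_root(listing, manifest):
    """Map every file with findings to its list of reasons."""
    findings = {}
    for path, size, mtime, digest in listing:
        reasons = classify_file(path, size, mtime, digest, manifest)
        if reasons:
            findings[path] = reasons
    return findings


def triage_order(findings):
    """Paths sorted so the entries with the most signals come first."""
    return sorted(findings, key=lambda p: (-len(findings[p]), p))


if __name__ == "__main__":
    found = scan_web_root(LISTING, MANIFEST)
    for path in triage_order(found):
        print(path, ", ".join(found[path]))
```

A file already in the manifest is reported only when its hash differs, so re-running the scan after each legitimate deployment, with the manifest regenerated, keeps the noise to files that were never deployed.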
You don’t have to face cybercriminals alone. Our experts will help you assess the current state of your cybersecurity posture, and develop a plan to proactively mitigate cyber threats.
Contact us today and protect your most valuable digital assets and your brand’s reputation.
Latest to Admit Cyber-Attack: The UN
The United Nations (U.N.) recently admitted that it was a victim of a cyber-attack. The admission came months after the cyber incident.
U.N. spokesman Stephane Dujarric told reporters in New York that U.N. offices in Geneva and Vienna were targeted by an “apparently well-resourced” cyber-attack in the middle of 2019. In Geneva, Switzerland, several U.N. offices are based, including the World Health Organization (WHO), World Trade Organization (WTO), Human Rights Council (UNHRC), Office of the High Commissioner for Human Rights (OHCHR), the High Commissioner for Refugees (UNHCR). Vienna, Austria, meanwhile, is home to other U.N. offices, including the International Atomic Energy Agency (IAEA) and the Office on Drugs and Crime (UNODC).
“The attribution of any attack is very uncertain and fuzzy, but this was apparently a well-resourced attack,” Dujarric said. “The attack resulted in a compromise of core infrastructure components at both [Geneva] and [Vienna], and was determined to be serious.”
The cyber-attack admission of U.N. spokesman Dujarric came hours after The New Humanitarian exposed the 2019 cyber-attack at the U.N. The New Humanitarian reported that it obtained a confidential U.N. report, dated September 20, 2019, which found that dozens of servers at the U.N. offices in Geneva and Vienna were illegally accessed starting in July 2019.
According to The New Humanitarian, key findings of the confidential U.N. report revealed that staff records and commercial contract data were compromised by the attackers. The U.N. confidential report also revealed that the cyber-attack could have been avoided with a simple patch or update to fix a software security vulnerability.
Security Vulnerability CVE-2019-0604
The Associated Press said that it also viewed the confidential U.N. report. Based on the report, the Associated Press said that the attackers initially gained access to the U.N. networks by exploiting the security vulnerability in Microsoft’s SharePoint software. This security vulnerability designated as CVE-2019-0604 was patched in February 2019 but the U.N. reportedly didn’t update its systems.
"A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package,” Microsoft describes the security vulnerability CVE-2019-0604. “An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.”
On April 23, 2019, the Canadian Centre for Cyber Security issued an alert, saying that it’s aware of an ongoing campaign compromising several versions of Microsoft SharePoint Server in order to deploy the China Chopper web shell. The following versions of Microsoft SharePoint are known to be affected: Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 SP1, Microsoft SharePoint Server 2010 SP2 and Microsoft SharePoint Server 2019.
China Chopper is a publicly available web shell that was first discovered in 2012. "The China Chopper web shell is extensively used by hostile actors to remotely access compromised web-servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device,” the Canadian Centre for Cyber Security said. “As China Chopper is just 4 Kb in size, and has an easily modifiable payload, detection and mitigation is difficult for network defenders.”
Analysis of the China Chopper Web Shell by researchers at FireEye found that this web shell is flexible enough to run on both Windows and Linux. "This OS and application flexibility makes this an even more dangerous Web shell,” researchers at FireEye said.
In the case of the U.N. cyber-attack, however, it wasn’t mentioned by The New Humanitarian and the Associated Press whether the China Chopper Web Shell was deployed on the compromised servers.
Active Directory Compromise
“As part of the compromised infrastructure, lists of user accounts would have been exposed,” Dujarric told The New Humanitarian.
The Office of the High Commissioner for Human Rights (OHCHR), for its part, in a statement, said, “The hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices.” The OHCHR added that the malicious actors didn’t succeed in accessing the passwords, preventing them from gaining access to other parts of OHCHR’s IT system.
Active Directory is built into most Windows Server operating systems and has become a popular approach to managing Windows domain networks. As Active Directory is used to connect different computers within a network, it has become a prime target of attackers as well.
A senior U.N. IT official, meanwhile, told The New Humanitarian that approximately 400 GB of data was exfiltrated from the U.N. servers and part of the exfiltrated data was the “user lists”, a key component of the network, which, the source said, “once you’ve got privileged access, you’ve got into everything”. The New Humanitarian added that the U.N. confidential report about the cyber-attack found that some administrator accounts were breached.
Lack of Transparency
It’s worth noting that the cyber-attack at the U.N. in 2019 was only admitted by the organization a few hours after The New Humanitarian exposed the said attack.
The UN spokesperson Dujarric told The New Humanitarian that the reason for the lack of transparency is that the “exact nature and scope of the incident could not be determined, [the UN offices in Geneva and Vienna] decided not to publicly disclose the breach.”
In a data breach, the lack of transparency could have negative results as the individuals and organizations affected aren’t made aware of the situation, preventing them from seeking measures to lessen the impact of the data breach. In Canada, data breach reporting is mandatory under the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
LifeLabs Reveals It Paid Ransom in Exchange for Stolen Data
LifeLabs, the largest provider of general diagnostic and specialty laboratory testing services in Canada, has announced that it paid an undisclosed amount of ransom in exchange for the stolen data of 15 million customers.
Charles Brown, President and CEO of LifeLabs, in a statement, said that the company’s computer systems were illegally accessed resulting in the theft of data belonging to approximately 15 million customers. Stolen data includes name, address, email, login, passwords, date of birth and health card number. The vast majority of the affected customers are from Ontario and British Columbia.
Brown added that laboratory test results of 85,000 customers from Ontario for the period 2016 or earlier were part of the stolen data. The President and CEO of LifeLabs further said that health card information of customers for the period of 2016 or earlier was also stolen.
"Retrieving the data by making a payment,” Brown said was one of the measures that the company took in order to protect customer information. “Personally, I want to say I am sorry that this happened,” he said.
While the President and CEO of LifeLabs said that the risk to customers in connection with this cyber attack is “low and that they have not seen any public disclosure of customer data,” he called on affected customers to take advantage of the company’s one free year of protection that includes dark web monitoring and identity theft insurance.
How the LifeLabs Data Breach Unfolded
The President and CEO of LifeLabs said that the data breach was discovered as a result of "proactive surveillance” and added that the company “fixed the system issues” related to the cyber-attack.
In a joint statement, the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) said that LifeLabs informed the two offices on November 1, 2019 about the data breach. The IPC and OIPC said that they will conduct a joint investigation into the data breach at LifeLabs. Among the things to be investigated, the two offices said, will be the scope of the breach and the circumstances leading to it.
“They advised us that cyber criminals penetrated the company's systems, extracting data and demanding a ransom,” IPC and OIPC said in a joint statement. “LifeLabs paid the ransom to secure the data.”
"An attack of this scale is extremely troubling,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant."
“I am deeply concerned about this matter,” said Michael McEvoy, Information and Privacy Commissioner for British Columbia. “The breach of sensitive personal health information can be devastating to those who are affected."
While a ransom payment was made, there was no mention that the attack was due to ransomware – a type of malicious software (malware) that encrypts data, after which the group or individual behind the malware demands a ransom payment in exchange for the decryption key or keys that would unlock the encrypted files.
Cyber Attackers' New Modus Operandi
While cyber attackers have been known to steal data from their victims, there’s a scarcity of information showing victims paying ransom in order to get back the stolen data. The latest cyber incident at LifeLabs shows an alarming cyber-attack trend, that is, penetrating the victim's systems, extracting data and then demanding a ransom.
Ransomware attackers, meanwhile, over the past few weeks have openly employed a new tactic in order to force their victims to pay ransom: threatening ransomware victims that failure to pay the ransom will result in the publication of stolen data. This latest modus operandi by ransomware attackers confirms what has been widely known in the cyber security community that ransomware attackers don’t merely encrypt data but they also have ways to snoop and even steal data prior to the data encryption.
In late November of this year, the group behind the ransomware called “Maze” published online the stolen data from one of its victims, Allied Universal after Allied failed to pay 300 bitcoins, then valued nearly $2.3 million USD, within the period set by the malicious group. The group behind the Maze ransomware told BleepingComputer, “We gave them time to think until this day, but it seems they [Allied Universal] abandoned payment process.”
The group behind the Maze ransomware further said that before encrypting any of the victims’ files, these files are first exfiltrated or stolen to serve as further leverage for the victims to pay the ransom.
The group behind the ransomware called “REvil”, also known as Sodinokibi ransomware, recently announced in a hacker forum that it will also leak online the stolen data from ransomware victims who refuse to pay ransom. Other than leaking the stolen data online, the group behind REvil ransomware also said the stolen data from ransomware victims who refuse to pay could be sold.
Maze ransomware initially infects victims’ computers via phishing campaigns or via Fallout exploit kit – a hacking tool that exploits the security vulnerabilities in Adobe Flash Player and Microsoft Windows. REvil ransomware, meanwhile, also initially infects victims’ computers via phishing campaigns and exploit kits, as well as by exploiting a security vulnerability in Oracle’s WebLogic server and by brute-forcing Remote Desktop Protocol (RDP) access.
Steve E. Driz, I.S.P., ITCP