Friday 18 December 2020

US atomic citadels hacked-off

Just when you thought 2020 could not possibly get any worse, comes the extraordinary - and alarming- news that foreign hackers have infiltrated the top level security institutions in the US, including Los Alamos national nuclear laboratory ( where nuclear warheads are designed and built), Sandia national nuclear laboratory, the Richland field office at Hanford, where huge stocks of nuclear explosive plutonium are stored, the National Nuclear Security Administration (sic) and the NNSA’s Office for Secure Transportation, that ships nuclear warheads around the country! And the hack has been going on unreported for 8 months! "The biggest cybersecurity breach of federal networks in more than two decades." -That's how the New York Times describes a massive cyber breach into U.S. public and private networks. It now appears to have been made possible by more than just a vulnerable update server from the Texas-based network management firm, SolarWinds. That new twist comes from a critical update Thursday from the Homeland Security Department's Cybersecurity and Infrastructure Security Agency that warned "this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations." Most worrisome: "CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform," CISA announced Thursday, with "Orion" referring to the problematic update server. "It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered." Or, as David Sanger of the Times writes, "That suggests other software, also used by the government, has been infected and used for access by foreign spies." Which means this could all get much messier and much more damaging. Newly added to the list of known victims: The Energy Department, and the National Nuclear Security Administration, including "networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE," Politico reported Thursday. Here is how specialist newsletter, DefenseOne News, reported the revelations overnight, written by Aaron Boyd. “SolarWinds Isn't the Only Way Hackers Entered Networks, Cybersecurity and Infrastructure Security Agency (CISA) Says. The agency warned that ejecting attackers from networks will be tough, especially because they can likely read the email of IT and cybersecurity employees https://www.defenseone.com/threats/2020/12/the-d-brief-december-17-2020/170850/ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> • CYBER PENTAGON INDUSTRY The fallout from the SolarWinds breaches will be far more difficult and time-consuming to remediate than originally assumed, as the attackers likely found more ways to enter federal networks than just the SolarWinds Orion product and have been targeting IT and response personnel, according to the government’s lead cybersecurity agency. The Cybersecurity and Infrastructure Security Agency, or CISA, released an alert Thursday through the U.S. Computer Emergency Readiness Team, or US-CERT, detailing what the agency currently knows about the attack. The alert calls out at least one other attack vector beyond SolarWinds products and identifies IT and security personnel as prime targets of the hacking campaign. “CISA has determined that this threat poses a grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” officials wrote. While the alert does not name suspects, officials offered a look into what is known about the attackers’ techniques and motivations. “The adversary’s initial objectives, as understood today, appear to be to collect information from victim environments,” the alert states. “CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel.” Between the potential depth of the intrusions, additional yet unknown attack vectors and the focus on IT and security personnel’s email, CISA officials warned organizations to maintain extra security around remediation discussions. “Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures,” the alert states. “An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats.” The alert cites four versions of the SolarWinds Orion software that were found to be compromised. Those vectors have since been stitched shut, denying any new breaches but not remediating any deeper intrusions. “Based on coordinated actions by multiple private sector partners, as of December 15, 2020, avsvmcloud[.]com resolves to 20.140.0[.]1, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease,” the alert states. “In the case of infections where the attacker has already moved [command and control] past the initial beacon, infection will likely continue notwithstanding this action.” That last bit is the big worry for federal IT and security managers, as the SolarWinds Orion product was designed to access broad swaths of the network it is installed on. The alert notes the perpetrators were able to leverage their initial access to get more privileged access across agency networks, burrowing in deep before covering their trails. “Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust [Security Assertion Markup Language] tokens from the environment,” the alert states. “These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces.” The depth with which the attackers might have penetrated networks, combined with sophisticated masking—or “anti-forensic techniques”—means detection and remediations work will continue for some time. “This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions,” officials said. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.” However, officials have also discovered additional attack vectors beyond Orion products. “CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” the agency said. “CISA will update this alert as new information becomes available.” The alert offers some details on one other potentially related attacks discovered by security researchers at Volexity. After FireEye published its findings on Dec. 13—the first public acknowledgement of the SolarWinds breaches—Volexity researchers were able to tie that intrusion to ongoing campaigns they had been tracking for years dubbed Dark Halo. Those attacks, using similar tactics, targeted U.S. think tanks as far back as 2019. “In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years. After being extricated from the network, Dark Halo then returned a second time,” researchers wrote in a Dec. 14 blog post. “Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication to access the mailbox of a user via the organization’s Outlook Web App service.” In a statement, a Duo Security spokesperson clarified the “described incidents were not due to any vulnerability in Duo’s products.” The attackers were able to get past the multifactor authentication security measures after compromising another service, “such as an email server,” they said. It wasn’t until Dark Halo’s third attempt to access the think tank’s networks in June and July that researchers saw the SolarWinds Orion exploit. “This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known,” CISA wrote in Thursday’s alert. “This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” CISA officials wrote. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures that have not yet been discovered.” The latest release also does not give any information on who the government believes is behind the attack. While several news outlets have cited anonymous government sources pointing to Russian government group Cozy Bear, also known as APT29, the alert offers no attribution, only a summation of the quality of the attackers’ work. “This threat actor has demonstrated sophistication and complex tradecraft in these intrusions,” the alert states, noting that, “removing the threat actor from compromised environments will be highly complex and challenging.” The alert also offers a comprehensive list of known infected SolarWinds Orion products and identified indicators of compromise. This story is developing and will be updated. It has been updated to include comments from Duo Security and correct a grammatical error. Alert (AA20-352A) Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations Original release date: December 17, 2020 Summary This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 8 framework. See the ATT&CK for Enterprise version 8 for all referenced threat actor tactics and techniques. The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations. One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products (see Appendix A). • Orion Platform 2019.4 HF5, version 2019.4.5200.9083 • Orion Platform 2020.2 RC1, version 2020.2.100.12219 • Orion Platform 2020.2 RC2, version 2020.2.5200.12394 • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432 Note: CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available. On December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal civilian executive branch departments and agencies to disconnect affected devices. Note: this Activity Alert does not supersede the requirements of Emergency Directive 21-01 (ED-21-01) and does not represent formal guidance to federal agencies under ED 21-01. CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations. CISA advises stakeholders to read this Alert and review the enclosed indicators (see Appendix B). Key Takeaways • This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks. • The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged. • Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions. • Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans. Click here for a PDF version of this report. Technical Details Overview CISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered. CISA will continue to update this Alert and the corresponding indicators of compromise (IOCs) as new information becomes available. Initial Infection Vectors [TA0001] CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed. Volexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication protecting access to Outlook Web App (OWA).[1] Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known. SolarWinds Orion Supply Chain Compromise SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management along with several different types of analyzing tools. SolarWinds Orion is used to monitor and manage on-premise and hosted infrastructures. To provide SolarWinds Orion with the necessary visibility into this diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with pervasive privileges, making it a valuable target for adversary activity. The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products[2] (see Appendix A). The adversary added a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the SolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate. This binary, once installed, calls out to a victim-specific avsvmcloud[.]com domain using a protocol designed to mimic legitimate SolarWinds protocol traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic. Consequently, entities that observe traffic from their SolarWinds Orion devices to avsvmcloud[.]com should not immediately conclude that the adversary leveraged the SolarWinds Orion backdoor. Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications. If additional Canonical Name record (CNAME) resolutions associated with the avsvmcloud[.]com domain are observed, possible additional adversary action leveraging the back door has occurred. Based on coordinated actions by multiple private sector partners, as of December 15, 2020, avsvmcloud[.]com resolves to 20.140.0[.]1, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease. In the case of infections where the attacker has already moved C2 past the initial beacon, infection will likely continue notwithstanding this action. SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted. Anti-Forensic Techniques The adversary is making extensive use of obfuscation to hide their C2 communications. The adversary is using virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their activity among legitimate user traffic. The attackers also frequently rotate their “last mile” IP addresses to different endpoints to obscure their activity and avoid detection. FireEye has reported that the adversary is using steganography (Obfuscated Files or Information: Steganography [T1027.003]) to obscure C2 communications.[3] This technique negates many common defensive capabilities in detecting the activity. Note: CISA has not yet been able to independently confirm the adversary’s use of this technique. According to FireEye, the malware also checks for a list of hard-coded IPv4 and IPv6 addresses—including RFC-reserved IPv4 and IPv6 IP—in an attempt to detect if the malware is executed in an analysis environment (e.g., a malware analysis sandbox); if so, the malware will stop further execution. Additionally, FireEye analysis identified that the backdoor implemented time threshold checks to ensure that there are unpredictable delays between C2 communication attempts, further frustrating traditional network-based analysis. While not a full anti-forensic technique, the adversary is heavily leveraging compromised or spoofed tokens for accounts for lateral movement. This will frustrate commonly used detection techniques in many environments. Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user’s normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyber threat intelligence database. Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence. Privilege Escalation and Persistence [TA0004, TA0003] The adversary has been observed using multiple persistence mechanisms across a variety of intrusions. CISA has observed the threat actor adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism. In many instances, the tokens enable access to both on-premise and hosted resources. Microsoft has released a query that can help detect this activity.[4] Microsoft reported that the actor has added new federation trusts to existing infrastructure, a technique that CISA believes was utilized by a threat actor in an incident to which CISA has responded. Where this technique is used, it is possible that authentication can occur outside of an organization’s known infrastructure and may not be visible to the legitimate system owner. Microsoft has released a query to help identify this activity.[5] User Impersonation The adversary’s initial objectives, as understood today, appear to be to collect information from victim environments. One of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs). CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel. These are some key functions and systems that commonly use SAML. • Hosted email services • Hosted business intelligence applications • Travel systems • Timecard systems • File storage services (such as SharePoint) Detection: Impossible Logins The adversary is using a complex network of IP addresses to obscure their activity, which can result in a detection opportunity referred to as “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). Note: implementing this detection opportunity can result in false positives if legitimate users apply virtual private network (VPN) solutions before connecting into networks. Detection: Impossible Tokens The following conditions may indicate adversary activity. • Most organizations have SAML tokens with 1-hour validity periods. Long SAML token validity durations, such as 24 hours, could be unusual. • The SAML token contains different timestamps, including the time it was issued and the last time it was used. A token having the same timestamp for when it was issued and when it was used is not indicative of normal user behavior as users tend to use the token within a few seconds but not at the exact same time of issuance. • A token that does not have an associated login with its user account within an hour of the token being generated also warrants investigation. Operational Security Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures. An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats. Operational security plans should include: • Out-of-band communications guidance for staff and leadership; • An outline of what “normal business” is acceptable to be conducted on the suspect network; • A call tree for critical contacts and decision making; and • Considerations for external communications to stakeholders and media. MITRE ATT&CK® Techniques CISA assesses that the threat actor engaged in the activities described in this Alert uses the below-listed ATT&CK techniques. • Query Registry [T1012] • Obfuscated Files or Information [T1027] • Obfuscated Files or Information: Steganography [T1027.003] • Process Discovery [T1057] • Indicator Removal on Host: File Deletion [T1070.004] • Application Layer Protocol: Web Protocols [T1071.001] • Application Layer Protocol: DNS [T1071.004] • File and Directory Discovery [T1083] • Ingress Tool Transfer [T1105] • Data Encoding: Standard Encoding [T1132.001] • Supply Chain Compromise: Compromise Software Dependencies and Development Tools [T1195.001] • Supply Chain Compromise: Compromise Software Supply Chain [T1195.002] • Software Discovery [T1518] • Software Discovery: Security Software [T1518.001] • Create or Modify System Process: Windows Service [T1543.003] • Subvert Trust Controls: Code Signing [T1553.002] • Dynamic Resolution: Domain Generation Algorithms [T1568.002] • System Services: Service Execution [T1569.002] • Compromise Infrastructure [T1584] Mitigations SolarWinds Orion Owners Owners of vulnerable SolarWinds Orion products will generally fall into one of three categories. • Category 1 includes those who do not have the identified malicious binary. These owners can patch their systems and resume use as determined by and consistent with their internal risk evaluations. • Category 2 includes those who have identified the presence of the malicious binary—with or without beaconing to avsvmcloud[.]com. Owners with malicious binary whose vulnerable appliances only unexplained external communications are with avsvmcloud[.]com—a fact that can be verified by comprehensive network monitoring for the device—can harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation. • Category 3 includes those with the binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address. If you observed communications with avsvmcloud[.]com that appear to suddenly cease prior to December 14, 2020— not due to an action taken by your network defenders—you fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately. Compromise Mitigations If the adversary has compromised administrative level credentials in an environment—or if organizations identify SAML abuse in the environment, simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary’s removal from the network. In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action. SolarWinds Orion Specific Mitigations The following mitigations apply to networks using the SolarWinds Orion product. This includes any information system that is used by an entity or operated on its behalf. Organizations that have the expertise to take the actions in Step 1 immediately should do so before proceeding to Step 2. Organizations without this capability should proceed to Step 2. Federal civilian executive branch agencies should ignore the below and refer instead to Emergency Directive 21-01 (and forthcoming associated guidance) for mitigation steps. • Step 1 o Forensically image system memory and/or host operating systems hosting all instances of affected versions of SolarWinds Orion. Analyze for new user or service accounts, privileged or otherwise. o Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections. • Step 2 o Affected organizations should immediately disconnect or power down affected all instances of affected versions of SolarWinds Orion from their network. o Additionally:  Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.  Identify and remove all threat actor-controlled accounts and identified persistence mechanisms. • Step 3 o Only after all known threat actor-controlled accounts and persistence mechanisms have been removed:  Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that the threat actor has deployed further persistence mechanisms.  Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.  Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.  Take actions to remediate kerberoasting, including—as necessary or appropriate—engaging with a third party with experience eradicating APTs from enterprise networks. For Windows environments, refer to the following Microsoft’s documentation on kerberoasting: https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448.  Require use of multi-factor authentication. If not possible, use long and complex passwords (greater than 25 characters) for service principal accounts, and implement a good rotation policy for these passwords.  Replace the user account by group Managed Service Account (gMSA), and implement Group Managed Service Accounts: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview.  Set account options for service accounts to support AES256_CTS_HMAC_SHA1_96 and not support DES, RC4, or AES128 bit encryption.  Define the Security Policy setting for Network Security: Configure Encryption types allowed for Kerberos. Set the allowable encryption types to AES256_HMAC_SHA1 and Future encryption types: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.  See Microsoft’s documentation on how to reset the Kerberos Ticket Granting Ticket password twice: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password. See Joint Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on incident investigation and mitigation steps based on best practices. CISA will update this Alert, as information becomes available and will continue to provide technical assistance, upon request, to affected entities as they work to identify and mitigate potential compromises. Contact Information CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at • 1-888-282-0870 (From outside the United States: +1-703-235-8832) • central@cisa.dhs.gov (UNCLASS) • us-cert@dhs.sgov.gov (SIPRNET) • us-cert@dhs.ic.gov (JWICS) CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/. Appendix A: Affected SolarWinds Orion Products Table 1 identifies recent versions of SolarWinds Orion Platforms and indicates whether they have been identified as having the Sunburst backdoor present. Table 1: Affected SolarWinds Orion Products Orion Platform Version Sunburst Backdoor Code Present File Version SHA-256 2019.4 Tampered but not backdoored 2019.4.5200.8890 a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc 2019.4 HF1 No 2019.4.5200.8950 9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690 2019.4 HF2 No 2019.4.5200.8996 bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d 2019.4 HF3 No 2019.4.5200.9001 ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad 2019.4 HF4 No 2019.4.5200.9045 9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee 2020.2 RC1 Yes 2020.2.100.12219 dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b 2019.4 HF5 Yes 2019.4.5200.9083 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 2020.2 RC2 Yes 2020.2.5200.12394 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 2020.2 2020.2 HF1 Yes 2020.2.5300.12432 ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 2019.4 HF6 No 2019.4.5200.9106 8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a 2020.2.1 2020.2.1 HF1 No 2020.2.15300.12766 143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a 2020.2.1 HF2 No 2020.2.15300.12901 cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f Appendix B: Indicators of Compromise Due to the operational security posture of the adversary, most observable IOCs are of limited utility; however, they can be useful for quick triage. Below is a compilation of IOCs from a variety of public sources provided for convenience. CISA will be updating this list with CISA developed IOCs as our investigations evolve. Table 2: Indicators of Compromise IOC Type Notes References Source 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 hash Backdoor.Sunburst https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc hash Backdoor.Sunburst https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber- attacks/ d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af hash Backdoor.Sunburst https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber- attacks/ 13.59.205[.]66 IPv4 DEFTSECURITY[.]com https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity deftsecurity[.]com domain Domain malicious on VT, registered with Amazon, hosted on US IP address 13.59.205.66, malware repository, spyware and malware https://www.virustotal.com/gui/domain/deftsecurity.com/details https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 54.193.127[.]66 IPv4 FREESCANONLINE[.]com https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c hash No info available https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 hash No info available https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b hash No info available https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed hash No info available https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ 65.153.203[.]68 IPv4 Not seen as malicious on VT, Registered in USCenturyLink Communications, LLC https://www.hybrid-analysis.com/sample/12e76c16bbf64e83b79d8dac921c9cccabbe40d28ad480c636f94a5737b77c9a?environmentId=100 avsvmcloud[.]com domain Reported by FireEye/ The malicious DLL calls out to a remote network infrastructure using the domains avsvmcloud.com. to prepare possible second-stage payloads, move laterally in the organization, and compromise or exfiltrate data. Malicious on VT. Hosted on IP address 20.140.0.1, which is registered with Microsoft. malware callhome, command and control https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ FireEye Report Talos Volexity 3.87.182[.]149 IPv4 Resolves to KUBECLOUD[.]com, IP registered to Amazon. Tracked by Insikt/RF as tied to SUNBURST intrusion activity. https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 3.16.81[.]254 IPv4 Resolves to SEOBUNDLEKIT[.]com, registered to Amazon. Tracked by Insikt/RF as tied SUNBURST intrusion activity. https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 12.227.230[.]4 IPv4 Seen as malicious on VT, Registered in US, AT&T Services, Inc https://www.hybrid-analysis.com/sample/8d34b366f4561ca1389ce2403f918e952584a56ea55876311cfb5d2aad875439 54.215.192[.]52 IPv4 THEDOCCLOUD[.]com https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 hash Trojan.MSIL.SunBurst ttps://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber- attacks/ ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 hash Trojan.MSIL.SunBurst https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber- attacks/ 8.18.144[.]11 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]12 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]9 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]20 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]40 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]44 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]62 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]130 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]135 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]136 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]149 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]156 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]158 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]165 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]170 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]180 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.144[.]188 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.145[.]3 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.145[.]21 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.145[.]33 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.145[.]36 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.145[.]131 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.145[.]134 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.145[.]136 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.145[.]139 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.145[.]150 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.145[.]157 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 8.18.145[.]181 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 13.27.184[.]217 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 18.217.225[.]111 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 18.220.219[.]143 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 20.141.48[.]154 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 34.219.234[.]134 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 184.72.1[.]3 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 184.72.21[.]54 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 184.72.48[.]22 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 184.72.101[.]22 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 184.72.113[.]55 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 184.72.145[.]34 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 184.72.209[.]33 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 184.72.212[.]52 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 184.72.224[.]3 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 184.72.229[.]1 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 184.72.240[.]3 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 184.72.245[.]1 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity 196.203.11[.]89 IPv4 https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity digitalcollege[.]org domain https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity freescanonline[.]com domain https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity globalnetworkissues[.]com domain https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity kubecloud[.]com domain https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity lcomputers[.]com domain https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity seobundlekit[.]com domain https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity solartrackingsystem[.]net domain https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity thedoccloud[.]com domain https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity virtualwebdata[.]com domain https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity webcodez[.]com domain https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ Volexity d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 hash https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 hash https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public References [1] Volexity: Dark Halo Leverages SolarWinds Compromise to Breach Organizations [2] SolarWinds Security Advisory [3] FireEye: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compr… [4] GitHub: Azure / Azure-Sentinel - AzureAADPowerShellAnomaly.yaml [5] GitHub: Azure / Azure-Sentinel - ADFSDomainTrustMods.yaml Revisions Initial Version: December 17, 2020 This product is provided subject to this Notification and this Privacy & Use policy. More Hacking Attacks Found as Officials Warn of ‘Grave Risk’ to U.S. Government Minutes after the government statement, President-elect Joseph R. Biden Jr. warned that his administration would impose “substantial costs” on those responsible. President Trump has been silent on the hacking. New York Times, 18 December 2020 • https://www.nytimes.com/2020/12/17/us/politics/russia-cyber-hack-trump.html • The Commerce, Treasury and Defense Departments, as well as other federal agencies, were the targets of Russian hackers.Credit...Jim Lo Scalzo/EPA, via Shutterstock By David E. Sanger and Nicole Perlroth • Published Dec. 17, 2020Updated Dec. 18, 2020, 8:28 a.m. ET WASHINGTON — Federal officials issued an urgent warning on Thursday that hackers who American intelligence agencies believed were working for the Kremlin used a far wider variety of tools than previously known to penetrate government systems, and said that the cyberoffensive was “a grave risk to the federal government.” The discovery suggests that the scope of the hacking, which appears to extend beyond nuclear laboratories and Pentagon, Treasury and Commerce Department systems, complicates the challenge for federal investigators as they try to assess the damage and understand what had been stolen. Minutes after the statement from the cybersecurity arm of the Department of Homeland Security, President-elect Joseph R. Biden Jr. warned that his administration would impose “substantial costs” on those responsible. “A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Mr. Biden said, adding, “I will not stand idly by in the face of cyberassaults on our nation.” President Trump has yet to say anything about the attack. Echoing the government’s warning, Microsoft said Thursday that it had identified 40 companies, government agencies and think tanks that the suspected Russian hackers, at a minimum, had infiltrated. Nearly half are private technology firms, Microsoft said, many of them cybersecurity firms, like FireEye, that are charged with securing vast sections of the public and private sector. “It’s still early days, but we have already identified 40 victims — more than anyone else has stated so far — and believe that number should rise substantially,” Brad Smith, Microsoft’s president, said in an interview on Thursday. “There are more nongovernmental victims than there are governmental victims, with a big focus on I.T. companies, especially in the security industry.” The Energy Department and its National Nuclear Security Administration, which maintains the American nuclear stockpile, were compromised as part of the larger attack, but its investigation found the hack did not affect “mission-essential national security functions,” Shaylyn Hynes, a Department of Energy spokeswoman, said in a statement. “At this point, the investigation has found that the malware has been isolated to business networks only,” Ms. Hynes said. The hack of the nuclear agency was reported earlier by Politico. Officials have yet to publicly name the attacker responsible, but intelligence agencies have told Congress that they believe it was carried out by the S.V.R., an elite Russian intelligence agency. A Microsoft “heat map” of infections shows that the vast majority — 80 percent — are in the United States, while Russia shows no infections at all. The government warning, issued by the Cybersecurity and Infrastructure Security Agency, did not detail the new ways that the hackers got into the government systems. But it confirmed suspicions expressed this week by FireEye, a cybersecurity firm, that there were almost certainly other routes that the attackers had found to get into networks on which the day-to-day business of the United States depend. FireEye was the first to inform the government that the suspected Russian hackers had, since at least March, infected the periodic software updates issued by a company called SolarWinds, which makes critical network monitoring software used by the government, hundreds of Fortune 500 companies and firms that oversee critical infrastructure, including the power grid. Investigators and other officials say they believe the goal of the Russian attack was traditional espionage, the sort the National Security Agency and other agencies regularly conduct on foreign networks. But the extent and depth of the hacking raise concerns that hackers could ultimately use their access to shutter American systems, corrupt or destroy data, or take command of computer systems that run industrial processes. So far, though, there has been no evidence of that happening. The alert was a clear sign of a new realization of urgency by the government. After playing down the episode — in addition to Mr. Trump’s silence, Secretary of State Mike Pompeo has deflected the hacking as one of the many daily attacks on the federal government, suggesting China was the biggest offender — the government’s new alert left no doubt the assessment had changed. “This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert said. “It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures,” which, it said, “have not yet been discovered.” Investigators say it could take months to unravel the extent to which American networks and the technology supply chain are compromised. In an interview on Thursday, Mr. Smith, of Microsoft, said the supply-chain element made the attack perhaps the gravest cyberattack against the United States in years. “Governments have long spied on each other but there is a growing and critical recognition that there needs to be a clear set of rules that put certain techniques off limits,” Mr. Smith said. “One of the things that needs to be off limits is a broad supply chain attack that creates a vulnerability for the world that other forms of traditional espionage do not.” Reuters reported Thursday that Microsoft was itself compromised in the attack, a claim that Mr. Smith emphatically denied Thursday. “We have no indication of that,” he said. Officials say that with only one month left in its tenure, the Trump administration is planning to simply hand off what appears to be the biggest cybersecurity breach of federal networks in more than two decades. Mr. Biden’s statement said he had instructed his transition team to learn as much as possible about “what appears to be a massive cybersecurity breach affecting potentially thousands of victims.” “I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” Mr. Biden said, adding that he plans to impose “substantial costs on those responsible.” The Cybersecurity and Infrastructure Security Agency’s warning came days after Microsoft took emergency action along with FireEye to halt the communication between the SolarWinds network management software and a command-and-control center that the Russians were using to send instructions to their malware using a so-called kill switch. That shut off further penetration. But it is of no help to organizations that have already been penetrated by an attacker who has been planting back doors in their systems since March. And the key line in the warning said that the SolarWinds “supply chain compromise is not the only initial infection vector” that was used to get into federal systems. That suggests other software, also used by the government, has been infected and used for access by foreign spies. Across federal agencies, the private sector and the utility companies that oversee the power grid, forensic investigators were still trying to unravel the extent of the compromise. But security teams say the relief some felt that they did not use the compromised systems turned to panic on Thursday, as they learned other third-party applications may have been compromised. Inside federal agencies and the private sector, investigators say they have been stymied by classifications and siloed approach to information sharing. “We have forgotten the lessons of 9/11,” Mr. Smith said. “It has not been a great week for information sharing and it turns companies like Microsoft into a sheep dog trying to get these federal agencies to come together into a single place and share what they know.” David E. Sanger reported from Washington, and Nicole Perlroth from Palo Alto, Calif.

No comments:

Post a Comment