US hacked December 2020

[OceanBonfire]

The US just got hacked and it's the worst hack in history. Trump is doing nothing to date and hasn't been doing his job for months and looks very likely to leave this mess to Biden:

Federal authorities are expressing increased alarm about a long-undetected intrusion into U.S. and other computer systems around the globe that officials suspect was carried out by Russian hackers. The nation’s cybersecurity agency warned of a “grave” risk to government and private networks.

The hack compromised federal agencies and “critical infrastructure” in a sophisticated attack that was hard to detect and will be difficult to undo, the Cybersecurity and Infrastructure Security Agency said in an unusual warning message Thursday. The Department of Energy acknowledged it was among those that had been hacked.

...


https://apnews.com/article/donald-trump-politics-foreign-policy-hacking-russia-f32a2c951c84718381efd282d566f614

https://apnews.com/article/joe-biden-donald-trump-politics-moscow-russia-33fcc75eb00bd2b0ea44e22fe4755973

https://www.reuters.com/article/us-usa-cyber-breach-congress/u-s-lawmakers-say-trump-administration-giving-few-details-on-hack-idUSKBN28S26S

 

[Bruce Monkhouse]

Didn't know he was the Govt cyber expert .....you could actually post about something else once in a while, hey, maybe even read the forum instead of a post and run.

 

[brihard]

Didn't know he was the Govt cyber expert .....you could actually post about something else once in a while, hey, maybe even read the forum instead of a post and run.

Your attack on him is out of line and uncalled for, especially coming from a member of the page staff. That kind of reply is exactly the sort of thing you or other DS would shut the rest of us down for were we to introduce it into a discussion.

Incidentally, in the past couple weeks he's also been active in posting about the C20 sniper system, the invitation to the Chinese to train on our bases, domestic terrorism/extremism, and the acquisition and distribution of vaccines. Yes, he has also posted on US political subjects, and there are political themes or tones in some of his other posts, but that's not against any rules and it hasn't been the dominant theme of his posting, especially not in the past few weeks. Some members post long personal analyses and opinions. Some mostly share articles or analyses from others that they think may be of others. It's not against the rules and at least one member of the DS largely posts the same way, so it certainly seems accepted.

I'm not sure why you think it's necessary or appropriate to be blasting him like that, but it isn't.

 

[Bruce Monkhouse]

You're right...I'll eat it.
Sorry folks.

 

[Jarnhamar]

The US just got hacked and it's the worst hack in history. Trump is doing nothing to date and hasn't been doing his job for months and looks very likely to leave this mess to Biden:

What should Trump have done/what should he do?

 

[Mike Bobbitt]

I’d like to say “not fire his experienced head of CISA” but this attack was initiated months ago, while Kerbs was in office. Honestly not sure anything reasonable could have deterred this, short of unshackling cyber operations from legal constraints - not where we want to go though.

 

[Remius]

Since %u201CTrump%u201D is taboo for some, let%u2019s just discuss what the leader of any country should be doing in situations like this.

Public denouncement would be good.  Diplomatic pressure overt and behind the scenes.  Call in the ambassador.  Etc etc. Reassuring your domestic audience.  Then let your experts do their jobs. 

But, these types of hacking events are relatively new in the global conflict/competition.

Should these be viewed as acts of war?  Or a new tool in the world global influencing.  I don%u2019t know.  But I am sure the US is doing it too.

 

[brihard]

You're right...I'll eat it.
Sorry folks.

Credit to you for that. Thanks Bruce. 

 

[brihard]

Since %u201CTrump%u201D is taboo for some, let%u2019s just discuss what the leader of any country should be doing in situations like this.

Public denouncement would be good.  Diplomatic pressure overt and behind the scenes.  Call in the ambassador.  Etc etc. Reassuring your domestic audience.  Then let your experts do their jobs. 

But, these types of hacking events are relatively new in the global conflict/competition.

Should these be viewed as acts of war?  Or a new tool in the world global influencing.  I don%u2019t know.  But I am sure the US is doing it too.

Not new, now by a long shot, just rarely public. Cyber espionage has been long established at this point- though there’s some blur between ‘mere’ information collection, and active efforts to influence/disrupt. The same system compromises that allow the former can potentially allow or enable the latter. It’s like if you are able to find an infil route through enemy lines- you could use it for a recce, or a raid.

 

[Brad Sallows]

Hard to figure out how we'd know what is being done about it unless the US disclosed whatever it does in response to cyber/secret threats.

Maybe the president is trying to avoid inflaming tensions with Russia.

 

[QV]

I’d like to say “not fire his experienced head of CISA” but this attack was initiated months ago, while Kerbs was in office. Honestly not sure anything reasonable could have deterred this, short of unshackling cyber operations from legal constraints - not where we want to go though.

I'd say this somewhat validates the firing of Krebs.   

 

[Bruce Monkhouse]

Maybe the Russians are being set up....im sure everyone hacks into everyone....and then "throw the scent off" evidence is left behind.

 

[Old Sweat]

Could be, or he has just tuned out. I saw an interview a hour or so ago with Senator Angus King from Maine about the hacking. According to him, it started last winter, and was only discovered a short while ago by a private company. They are not sure, or are being very tight-lipped, about what was being "hacked", if that is the term.

 

[Cloud Cover]

I’d like to say “not fire his experienced head of CISA” but this attack was initiated months ago, while Kerbs was in office. Honestly not sure anything reasonable could have deterred this, short of unshackling cyber operations from legal constraints - not where we want to go though.

The weakest link in the security chain is ... if they have been rooted thickly by multiple exploits across multiple systems that aren't even connected to each other it might be they have to look at vulnerabilities in the IT supply chain, and that is a huge undertaking.

 

[Navy_Pete]

I'd say this somewhat validates the firing of Krebs. 

Firing a guy for something no one knew about? He was fired for saying the election was secure, not for any specific job performance issues. Maybe outsourcing cybersecurity to a complicated web of private companies is a bad idea? Almost like understanding your supply chain applies digitally as well. That's been a big growth industry for several decades, so it's not on any one guy.

 

[tomahawk6]

Speculation is that the cause of the breech was a failed firewall.

 

[PuckChaser]

Trump is doing nothing to date and hasn't been doing his job for months and looks very likely to leave this mess to Biden:

Don't make us move/lock this thread because you can't resist taking partisan jabs. There's a reason why this place is much calmer after locking down the US Politics area.

- Milnet.ca Staff

 

[Retired AF Guy]

Speculation is that the cause of the breech was a failed firewall.

An excerpt from a larger Washington Post article on the breach:

A major avenue for breaching victims%u2019 networks was an update for computer software made by a Texas-based company called SolarWinds. The firm said about 18,000 customers that received the patch, for network management software called Orion, were potentially exposed. The Russians covertly added malware to the update, which installed a backdoor on computers that the hackers could use to enter a victim%u2019s system at will.

But the intruders were selective in choosing who to compromise. Not everyone who downloaded the patch was seen as an attractive target, Microsoft said.

The SolarWinds update was not the only path into victims%u2019 networks, the Department of Homeland Security%u2019s Cybersecurity and Infrastructure Security Agency said in an alert this week. %u201CCISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,%u201D the agency said.

And, from the President of Microsoft, who says that the US was not the only target**:

While roughly 80% of these customers are located in the United States, this work so far has also identified victims in seven additional countries. This includes Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East. It%u2019s certain that the number and location of victims will keep growing.

** This article also includes a map that shows the locations around the world (including Canada) that were targeted.

 

[Retired AF Guy]

And for those computer nerds out there, here, courtesy of the US Cybersecurity and Infrastructure Security Agency (CISA) is how it was done:

Technical Details
Overview

CISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered. CISA will continue to update this Alert and the corresponding indicators of compromise (IOCs) as new information becomes available.
Initial Infection Vectors [TA0001]

CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed. Volexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication protecting access to Outlook Web App (OWA).[1]

Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.

SolarWinds Orion Supply Chain Compromise

SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management along with several different types of analyzing tools. SolarWinds Orion is used to monitor and manage on-premise and hosted infrastructures. To provide SolarWinds Orion with the necessary visibility into this diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with pervasive privileges, making it a valuable target for adversary activity.

The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products[2] (see Appendix A).


The adversary added a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the SolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate. This binary, once installed, calls out to a victim-specific avsvmcloud[.]com domain using a protocol designed to mimic legitimate SolarWinds protocol traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic. Consequently, entities that observe traffic from their SolarWinds Orion devices to avsvmcloud[.]com should not immediately conclude that the adversary leveraged the SolarWinds Orion backdoor. Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications. If additional Canonical Name record (CNAME) resolutions associated with the avsvmcloud[.]com domain are observed, possible additional adversary action leveraging the back door has occurred.

Based on coordinated actions by multiple private sector partners, as of December 15, 2020, avsvmcloud[.]com resolves to 20.140.0[.]1, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease. In the case of infections where the attacker has already moved C2 past the initial beacon, infection will likely continue notwithstanding this action.

SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted.

Anti-Forensic Techniques

The adversary is making extensive use of obfuscation to hide their C2 communications. The adversary is using virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their activity among legitimate user traffic. The attackers also frequently rotate their “last mile” IP addresses to different endpoints to obscure their activity and avoid detection.

FireEye has reported that the adversary is using steganography (Obfuscated Files or Information: Steganography [T1027.003]) to obscure C2 communications.[3]

This technique negates many common defensive capabilities in detecting the activity. Note: CISA has not yet been able to independently confirm the adversary’s use of this technique.

According to FireEye, the malware also checks for a list of hard-coded IPv4 and IPv6 addresses—including RFC-reserved IPv4 and IPv6 IP—in an attempt to detect if the malware is executed in an analysis environment (e.g., a malware analysis sandbox); if so, the malware will stop further execution. Additionally, FireEye analysis identified that the backdoor implemented time threshold checks to ensure that there are unpredictable delays between C2 communication attempts, further frustrating traditional network-based analysis.

While not a full anti-forensic technique, the adversary is heavily leveraging compromised or spoofed tokens for accounts for lateral movement. This will frustrate commonly used detection techniques in many environments. Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user’s normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyber threat intelligence database.

Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.

Privilege Escalation and Persistence [TA0004, TA0003]

The adversary has been observed using multiple persistence mechanisms across a variety of intrusions. CISA has observed the threat actor adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism. In many instances, the tokens enable access to both on-premise and hosted resources. Microsoft has released a query that can help detect this activity.[4]

Microsoft reported that the actor has added new federation trusts to existing infrastructure, a technique that CISA believes was utilized by a threat actor in an incident to which CISA has responded. Where this technique is used, it is possible that authentication can occur outside of an organization’s known infrastructure and may not be visible to the legitimate system owner. Microsoft has released a query to help identify this activity.[5]

User Impersonation

The adversary’s initial objectives, as understood today, appear to be to collect information from victim environments. One of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).

CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel.

These are some key functions and systems that commonly use SAML.

    Hosted email services
    Hosted business intelligence applications
    Travel systems
    Timecard systems
    File storage services (such as SharePoint)

The rest of the much more detailed article is here.

 

[shawn5o]

Your attack on him is out of line and uncalled for, especially coming from a member of the page staff. That kind of reply is exactly the sort of thing you or other DS would shut the rest of us down for were we to introduce it into a discussion.

Incidentally, in the past couple weeks he's also been active in posting about the C20 sniper system, the invitation to the Chinese to train on our bases, domestic terrorism/extremism, and the acquisition and distribution of vaccines. Yes, he has also posted on US political subjects, and there are political themes or tones in some of his other posts, but that's not against any rules and it hasn't been the dominant theme of his posting, especially not in the past few weeks. Some members post long personal analyses and opinions. Some mostly share articles or analyses from others that they think may be of others. It's not against the rules and at least one member of the DS largely posts the same way, so it certainly seems accepted.

I'm not sure why you think it's necessary or appropriate to be blasting him like that, but it isn't.

Sorry Brihard but BM spoke truth.

And distracting from the issue bringing up OB's other activities is called distraction. Address the issue that BM brought up and don't distract.