SANS NewsBites

NB: Solarwinds; Regulators and Senators Propose Breach Notification Requirements

December 29, 2020  |  Volume XXII - Issue #101

Top of the News


2020-12-23

SolarWinds: NERC Advisory

The North American Electric Reliability Corp. (NERC) has issued an advisory noting that the SolarWinds supply chain attack "poses a potential threat" to elements of the power sector. NERC is also asking utilities and other power companies to respond to a list of questions on the level of exposure their systems have to the SolarWinds campaign.

Editor's Note

Even if you're using SolarWinds on an isolated network, you may still have impacted versions as updates would have passed file integrity checks before deployment there. The list of impacted versions continues to increase; it's prudent to locate all instances of the product and disable them until new clean versions can be installed, or replace SolarWinds entirely.

Lee Neely

2020-12-23

SolarWinds: CISA Incident Response Guide

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that federal, state, and local governments, critical infrastructure entities, and private organizations "may need to rebuild all network assets" in the wake of the SolarWinds supply chain attack. CISA urges organizations to determine whether or not they are affected by the SolarWinds issue and if they are, to make response and remediation their top priority.

Editor's Note

CISA also released a free detection PowerShell script (Sparrow) for your Azure/M365 environment. This tool is designed to be used by incident responders for detecting unusual and/or malicious activities in those environments and requires the CloudConnect, AzureAD and MSOnline PowerShell modules. See https://us-cert.cisa.gov/ncas/current-activity/2020/12/24/cisa-releases-free-detection-tool-azurem365-environment

Lee Neely

2020-12-17

SolarWinds: SUPERNOVA

SolarWinds has updated its security advisory to include information about malware known as SUPERNOVA. Unlike SUNBURST, "SUPERNOVA is not malicious code embedded within the builds of [the SolarWinds] Orion(R) Platform as a supply chain attack. It is malware that is separately placed on a server that requires unauthorized access to a customer's network and is designed to appear to be part of a SolarWinds product."


2020-12-18

US Financial Regulators Propose Breach Notification Requirement; Senators Introduce Bill That Would Require Agencies to File Incident Reports

US federal financial regulatory agencies have published a notice of proposed rulemaking "that would require a banking organization to provide its primary federal regulator with prompt notification of any 'computer-security incident' that rises to the level of a 'notification incident.' The proposed rule would require such notification upon the occurrence of a notification incident as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred." In a separate story, a bill introduced in the US Senate would require federal agencies that experience cyberattacks that could cause significant harm to national security or agency operations to provide congress with an incident report within seven days of the attacks.

Editor's Note

I think the more important part of the proposed regulatory language is that "...a bank service provider would be required to notify at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours." Incident notification of customers being required is a much more powerful measure than simply the regulators being notified. Also, including service outages caused by incidents, and not just information disclosure events, is a positive move.

John Pescatore

Financial Institutions remain at the top of the list as primary cyber-attack targets, and the proposed breach notification could allow regulators to have timely insight into current actions and trends. The current Bank Security Act (BSA) reporting requires a Suspicious Activity Report (SAR) within 30 days, and other regulations require notification to the regulator "as soon as possible"; this legislation now defines the requirement at 36 hours, to keep the information timely and relevant. Additionally, notification is required from service providers, aka outsourced services, to their impacted financial institution customers. If you are a financial institution, review the proposed regulation and provide comment.

Lee Neely

The Rest of the Week's News


2020-12-27

Worst Hacks of 2020

The SolarWinds supply chain attack tops two lists of the worst hacks and breaches of 2020. Also included are the Twitter hack, the University Hospital Duesseldorf ransomware attack, and the data theft at Finland's Vastaamo mental healthcare provider.


2020-12-23

DHS Warns US Businesses Against Chinese Tech

The US Department of Homeland Security (DHS) has published a Data Security Business Advisory, urging US businesses to avoid using Chinese hardware or digital services. DHS warns that using Chinese technology could expose companies to "theft of trade secrets, of intellectual property, and of other confidential business information; violations of U.S. export control laws; violations of U.S. privacy laws; breaches of contractual provisions and terms of service; security and privacy risks to customers and employees; risk of PRC surveillance and tracking of regime critics; and reputational harm to U.S. businesses."

Editor's Note

The DHS advisory provides a good synopsis of China's privacy and cryptography laws, and how they impact businesses partnering with or buying data services from the PRC. The recommendations include mitigations, including clear contract language which identifies sensitive data, its location and who has access, coupled with language which clearly states how liability is allocated due to a failure to adhere to legal requirements.

Lee Neely

2020-12-22

International Law Enforcement Effort Takes Down VPN Services Used by Criminals

In a coordinated operation, Europol, along with law enforcement agencies from Germany, the Netherlands, France, Switzerland, and the US, have taken down three VPN services that were widely used by criminals to conduct cyberattacks. The three services, insorg<dot>org, safe-inet<dot>com, and safe-inet<dot>net, had been active for more than a decade.

Editor's Note

These services were characterized as bulletproof, meaning that they ignore or fabricate responses to complaints about user activities, and proactively move users between servers, countries, and IP addresses to help avoid detection. While agencies have disclosed they intend to use the seized assets to track and prosecute criminals that had been using them, they have not disclosed any intentions to file charges against the service operators as co-conspirators.

Lee Neely

2020-12-23

Eurojust Becomes Full Partner in SIRIUS Project

Europol and Eurojust have signed a new contribution agreement making Eurojust a full partner in the SIRIUS project, which was "launched by Europol in 2017 ... [and which] aims to foster the co-development of practical and innovative tools and solutions for EU law enforcement and judicial authorities that can support internet-based investigations."


2020-12-23

Kaspersky: Lazarus Group Hackers are After COVID-19 Intellectual Property

According to a report from Kaspersky, a hacking group with ties to North Korea has been targeting organizations involved in COVID-19 vaccine research and development. The Lazarus Group has broken into networks at a pharmaceutical company and a government health ministry. Kaspersky researchers say the attackers are trying to steal intellectual property.


2020-12-28

Cyberattack Against Finland's Parliament Affected MP eMail Accounts

Finland's Parliament says that a cyberattack targeting its systems compromised email accounts of several Finnish members of parliament (MPs). The incident occurred in autumn 2020 and was detected earlier this month. It bears similarities to a cyberattack against Norway's Parliament earlier this year.

Editor's Note

This is similar to the Norway Parliament attack by APT28 (Russia's GRU) which used credential stuffing and brute force to gain access. Multi-factor authentication for internet accessible services, including your VPN, is a good first step. Monitor access to email, including impossible logins, to detect anomalous behavior.

Lee Neely
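One way to implement the "impossible logins" check the note above recommends, written here as an added example rather than code from the newsletter or any named tool: consecutive successful logins for the same account are compared by great-circle distance and elapsed time, and a pair that implies travel faster than an assumed 900 km/h threshold is flagged. It assumes a GeoIP lookup has already mapped each source address to coordinates, and the login records and account names are constructed.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumed threshold: roughly airliner cruising speed

# Constructed sample records: (account, UTC timestamp, lat, lon, outcome).
# Coordinates stand in for a GeoIP lookup of the source address.
SAMPLE_LOGINS = [
    ("mp.virtanen", "2020-11-03T07:58:12Z", 60.17, 24.94, "success"),  # Helsinki
    ("mp.virtanen", "2020-11-03T08:13:40Z", 55.75, 37.62, "success"),  # Moscow, 15 min later
    ("mp.korhonen", "2020-11-03T08:01:05Z", 60.17, 24.94, "success"),  # Helsinki
    ("mp.korhonen", "2020-11-03T18:30:00Z", 61.50, 23.79, "success"),  # Tampere, 10.5 h later
    ("mp.virtanen", "2020-11-03T08:20:00Z", 55.75, 37.62, "failure"),  # failed attempt
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (account, earlier_ts, later_ts, implied_speed_kmh) for every pair of
    consecutive successful logins whose implied speed exceeds the threshold."""
    last = {}  # account -> (datetime, lat, lon) of its most recent successful login
    alerts = []
    for user, ts, lat, lon, outcome in sorted(logins, key=lambda r: r[1]):
        if outcome != "success":
            continue  # a failed attempt does not establish where the account holder is
        now = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if user in last:
            prev_t, prev_lat, prev_lon = last[user]
            hours = (now - prev_t).total_seconds() / 3600
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, prev_t.isoformat(), now.isoformat(), round(speed)))
        last[user] = (now, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

In production the threshold should be tuned for known VPN egress points and mobile carriers, which otherwise produce false positives.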

2020-12-28

Whirlpool Hit with Ransomware

Home appliance maker Whirlpool was hit by a ransomware attack in November or early December 2020. The attackers stole company data before encrypting files on the company's network. Whirlpool says that their systems have been fully restored.

Internet Storm Center Tech Corner

base64dump.py Supported Encodings

https://isc.sans.edu/forums/di...


String Analysis and Maldocs

https://isc.sans.edu/forums/di...


Malicious Word Document Delivering an Octopus Backdoor

https://isc.sans.edu/forums/di...


Analysis Dridex Dropper, IoC extraction

https://isc.sans.edu/forums/di...


Malware Victim Selection Through WiFi Identification

https://isc.sans.edu/forums/di...


SolarWinds SUPERNOVA Malware / API Vulnerability

https://www.solarwinds.com/sec...


Extending Android Device Compatibility for Let's Encrypt Certificates

https://letsencrypt.org/2020/1...


Citrix ADC DDoS Attack

https://support.citrix.com/art...


AT&T Outage due to Nashville Explosion

https://about.att.com/pages/di...


Crowdstrike Reporting Tool for Azure

https://github.com/CrowdStrike...


Insufficient Patch for Windows 8.1/10 Print Spooler

https://bugs.chromium.org/p/pr...


Google Docs Vulnerability

https://savebreach.com/stealin...


CCC Conferences Virtual

https://streaming.media.ccc.de...


New Treck IP Stack Vulnerabilities

https://treck.com/vulnerabilit...


Detecting Treck IP Stack

https://github.com/Forescout/p...