Compromised SolarWinds Update Found at 37 US Defense Suppliers; Microsoft Exchange and RDP Vulnerabilities are Prime Attacker Targets; Cyberinsurance Provider CNA Hit by Ransomware and Pays $40M Ransom

Key quote here: “… the Cybersecurity Maturity Model Certification, DOD’s nascent program for improving the cybersecurity of the defense industrial base, would not necessarily have prevented the intrusions.” Maturity models are great for identifying and communicating the most dangerous gaps in security processes but do NOT focus on actual testing and continual monitoring. Simple example: many software vendors that achieved the highest levels on the software Capability Maturity Model continued to deliver code with well-known vulnerabilities. Active monitoring and testing are needed to deal with software supply chain attacks.

John Pescatore

To support work from home, many organizations hurriedly pushed out RDP-based approaches and attackers have been taking advantage of that (also see the Sophos news item below). As we return to the “new normal,” more secure ways of supporting remote access should be top priority as part of the plan for employees returning to some amount of working from the office.

John Pescatore

While Exchange vulnerabilities are the newest shiny thing to exploit, don’t lose sight of other less sexy vulnerabilities. Your email IT team should already be on a rapid cadence of patching Exchange, even though you’ve already asked them to start migrating to your chosen cloud email solution, so the rest of your team can focus on the regular bouts of OS and application patches. In case you missed it, Wind River released updates to VxWorks which may impact many of your OT systems.

Lee Neely

This incident pre-dates the recent ransomware attack that hit AXA, another large cyber insurance carrier that had issued coverage to Colonial Pipeline, who also paid ransom. AXA recently announced it would stop issuing policies that would cover ransom payments – more carriers are likely to do the same. CNA Financial has over $10B in annual revenue and is in the top ten of cyberinsurance policy issuers and offered a “CyberPrep” service to policy holders, a “ … proactive program of cyber risk services designed to help identify, mitigate and respond to persistent and emerging threats.” I’d like to hear if they were using their own service and what went wrong.

John Pescatore

Before making the payment, CNA checked guidance and informed their regulators, including the Office of Foreign Assets Control, which enforces economic and trade sanctions against targeted foreign countries and regimes, terrorists and drug traffickers; and the FBI. While payment is not desired, being aligned with legal and regulatory guidance will minimize future blowback. Transparency about the event and relating actions has shown itself to be the best option as you need a consistent message not only for customers but also for employees, board members, shareholders and regulators if appropriate. With the current volume of ransomware payback, regulators are focusing on how to slow it down; make sure the relevant guidance hasn’t changed prior to making a decision.

Lee Neely

WOW, that is a big number! Please remember though, ransomware is nothing more than a type of malware. It’s not a new attack method, it’s a new monetization method, albeit a very profitable one, and thus the reason we are seeing exponential growth. Also remember there are other attacks just as costly but not nearly as public, such as CEO fraud. This attack method costs billions of dollars a year, but it’s hardly in the news as companies rarely go public when it happens.

Lance Spitzner

This blog is an exploration of how sometimes intrusions don't align no matter the coincidence. It's a great learning style blog for intrusion/cyber threat intelligence analysts.

Robert M. Lee

Do not worry too much about the attacks that you identify. Worry about the ones you do not see. In this case, the highly visible initial attack may have been a "good thing" as it started an investigation that revealed more stealthy unrelated attacks happening at the same time.

Johannes Ullrich

Even though we’ve seen announcements that ransomware operators are not going to target healthcare organizations, or other critical sectors, you cannot assume that you’re no longer a target. Per DHB Chief Executive Kevin Snee, this attacked originated from a malicious email attachment. Emphasizing the need to validate both technical controls and UAT are where they need to be. Also make sure that your DR plans addresses routing customers to alternate providers while services are offline versus having them wait. Talk to those providers ahead of time if you’re going to use that option, and offer reciprocal support to sweeten the pot.

Lee Neely

The choice to pay is harder than ever. Double Encryption (multiple ransomware strains, with two payouts), extortion for exfiltrated information, or threats of cyber-attack for non-payment, let alone the desire to return to operation, make things complex. Hold a tabletop exercise to go analyze the landscape and determine at which point, if any, you’d make a payment and why. Include key stakeholders in the process and obtain management support. If applicable share with your regulator to determine what their response will be and adjust accordingly.

Lee Neely

It appears from the limited reports, that Colonial Pipeline was not prepared for such an attack and did not have a plan for how to deal with it. While the decision to meet extortion demands is a business, rather than a security, decision, it should be done only in accordance with a plan made before the attack. This decision appears to have been made in the absence of any plan. Chainalysis reported last week that “Known payments to ransomware attackers rose 337% from 2019 to 2020, when they reached over $400 million worth of cryptocurrency. Attackers show no signs of slowing down in 2021, and have already taken in more than $81 million from victims so far.”

William Hugh Murray

The ransomware gang made a decryptor available for free after the HSE refused to pay. It isn't clear if the decryptor worked. But the data was leaked, and is now being used in scams. Scammers are calling individuals, pretending to be associated with healthcare providers, and are using personal data about recent medical procedures to trick victims into providing bank account access data. It is not clear if these scams are conducted by the ransomware gang or scavengers taking advantage of the data leaks. In addition to recovering from the technical impact of the breach, the Irish healthcare providers will have difficulties restoring trust with clients and recovering from these additional effects of the attacks.

Johannes Ullrich

Many weeks to restore services probably exceeds most of our RTO projections. The question is are you prepared for large scale system recovery? Do you have contracts in place to bring in help? Do you have documentation on how to rebuild components and what the interdependencies are? Is your recovery priority and order still accurate? Did you incorporate all those cloud services you’ve been migrating to? Conducing a formal exercise to recreate a system from the backup to include running a parallel business process is essential and a valuable learning experience.

Lee Neely

I’ve used the ITRC data for many years – it is “breach-centric” but has been using a consistent methodology over the years. The takeaway here: just because ransomware is getting all the press coverage, the most important issue is NOT pay ransom/don’t pay, it is that the same weaknesses being exploited in ransomware attacks are continuing to enable breaches and many other forms of damaging attacks.

John Pescatore

While health departments have been quietly doing contact tracing for generations, privacy concerns about its use have been raised in the light of the pandemic. A breach of this kind gives some credence to those concerns.

William Hugh Murray

Unlike the ingredients in food, when something goes bad on the SBOM it can be patched rather than recalled or disposed of. The trick is not only the continuous monitoring but also application of fixes in the field. Not just commodity desktops and servers but also IOT devices need to be actively monitored and updated. The consumer will need an “easy button” to succeed. I’m still trying to decide if I liked write-protected firmware better as updates are a lot easier, yet malicious code can also be written there.

Lee Neely

Knowing what is supposed to be there improves one's ability to recognize what is not supposed to be there.

William Hugh Murray

The RSA hack was enabled by a phishing attack against an employee who was running an outdated version of Windows and Microsoft Office, with no application control or privilege restrictions on external downloaded apps. The employee clicked on what looked like an internal spreadsheet and an Adobe Flash vulnerability was exploited and the game was over – sound familiar? Ten years later, the majority of attacks are enabled by these same failures in a small number of essential hygiene steps. Use any of the recent headline grabbers to get support from above to drive the well-known changes needed.

John Pescatore

The question is, would this attack work today in your organization? Are your detection and response capabilities up to tracking malicious actors on your network? While the desired responses are obvious, make sure that your assumption is founded on real input and testing. Detection and response to attack needs to replace missing these entirely or finding out from someone else.

Lee Neely

Some very good news! One of the key lessons I learned from Richard Bejtlich is that “attacker dwell time” should be a strategic security metric for almost every organization. As we all know, fool-proof prevention is not possible; cybersecurity is about resilience. Dwell time is a great way to measure that. Several years ago we were measuring dwell time in months, now it appears to be weeks.

Lance Spitzner

This suggests that our goal should be to detect breaches in hours to days. Few enterprises have such a goal and fewer still are measuring and reporting results.

William Hugh Murray