SolarWinds Settles Multi-Million Dollar Shareholder Lawsuit and Expects SEC Enforcement Action; Microsoft Digital Defense Report 2022; Malicious Python Packages are Being Used to Spread W4SP Stealer Trojan

Just this settlement cost alone is many time more than SolarWinds would have spent to prevent this incident. That $26M is likely less than 20% of SolarWinds total costs for failing to protect its development systems and product code, but raises a key point: more of these lawsuits are starting to succeed so we are seeing more settlements.

John Pescatore

Expect the total expense to SolarWinds to be staggering, when you include this settlement, regulatory fines, remediation costs and lost business. The message here - make sure that you're leveraging guidance on securing your supply chain: whether a developer, distributer or consumer, nobody gets a free ride. If you see weaknesses in your processes, use the lessons learned from SolarWinds to build a case to take action, including taking a pass on suppliers and developers who are not doing their part to ensure their software is genuine and securely maintained/delivered.

Lee Neely

An interesting defense strategy to claim they were the victim of “the most sophisticated cyberattack in history.” There are parallels to a defense strategy employed by a cyber insurance company in denying a claim by using the war exclusion clause. As reported neither strategy was successful. Adherence to basic cybersecurity practices, in this case a robust software configuration management process would have limited cost to the company in both cleanup, recovery, and damage to the brand.

Curtis Dukes

Not only is $26M far more than preventing the problem would have cost, it is a tiny fraction of the cost to SolarWind's customers and to our economy as a whole. That said, this may be a step toward holding suppliers accountable for distributing malicious code.

William Hugh Murray

One of the highlighted findings is that nation states stockpile zero-day vulnerabilities and exploits for future use. In my opinion, a nation state is not serious about preparing for a future conflict if they do not stockpile vulnerabilities to use during a crisis, and it should not be a surprise that zero days are withheld, but quickly exploited once they are discovered by others and patched.

Johannes Ullrich

The summary is a quick read which should grab your CISO's attention. Then grab the full report and dive into the Cyber Resilience section. Check the eye roll at that term: they provide background and context information for the improvements in cyber security that you can leverage in the board room and elsewhere in the business to get support for raising the bar along with actionable insights which could also help you build your punch list of things to investigate.

Lee Neely

Luckily, these packages have not been downloaded very often. But they follow the proven playbook of publishing well-respected and frequently used packages under a slightly different name with malicious add-ons. This is likely going to catch developers new to Python. Python makes it relatively easy to enumerate packages used and you should regularly create lists of packages used by your code. Don't miss dependencies that may have been installed by package managers like pip.

Johannes Ullrich

The attackers used various techniques to import their trojan by modifying the __init.py__ or setup.py script, which are subtle and hard to spot. That import statement creates a temporary file which is executed, downloading obfuscated code from multiple sites which contains a compressed object which is, actually, the W4SP Stealer, which is designed to steal information from users’ systems including browser passwords, crypto wallets and interesting files with financial related information. Make sure that you're using the actual package you're expecting, and the vetted version, particularly if you're using any of the packages mentioned in the Phylum report.

Lee Neely

Each of the critical infrastructure sectors share more in common when it comes to developing cybersecurity best practices. Establishing a common and prioritized set of safeguards to achieve a baseline cybersecurity posture across all sectors should be a national imperative. The CIS Critical Security Controls, starting with implementation group 1 are measurably effective against the top five attacks being used against every industry sector, why not start there.

Curtis Dukes

Our water and waste system delivery operators are all over the map when it comes to size and complexity. As such, it's important that smaller system operators weigh in to make sure that guidance is relevant, actionable, and not expecting organizations with deeper pockets. Also needed is guidance for operators who have outsourced services who need to ensure those are also being operated securely.

Lee Neely

While the alert is specific to Iranian threat actors, the underlying cyberattack techniques employed are common across all threat actors. The CIS Community Defense Model uses the MITRE ATT&CK framework to document those common attack techniques into the top five attack patterns and then measures the effectiveness of the critical security controls in disrupting each of those attacks. At the end of the day, organizations want to defend themselves against cyberattack by every threat actor.

Curtis Dukes

Whether or not you see yourself as a target from Iranian threat actors, leverage the briefing, taking the listed TTPs to tabletop exercises to make sure that you're covered for these attack vectors. Make sure that you test those assumptions and address gaps.

Lee Neely

Providing actionable data to the healthcare industry is only part of the problem. Healthcare providers have to raise their own bar and increase focus on cyber security, which will require resources and may but the CISO at odds with those pushing to deliver more patient services quickly. Those CISOs can leverage resources from their local CISA offices, not just guidance but help with some activities. If you haven't been briefed on their services, reach out and ask.

Lee Neely

It would be nice if government could "protect healthcare" but that is a big order. In practice the healthcare enterprises must protect themselves.

William Hugh Murray

Updates to the affected ETIC and DIALink products have been published. Implement mitigations from Nokia until a fix is released. Also make sure that you're properly segmenting these systems, allowing only vetted users and systems to access them. Don't enable direct access from the Internet: use a secure VPN, and possibly a bastion host. Make sure that entry points require MFA where possible; don't get undone after implementing layered defenses by a credential compromise.

Lee Neely

In this case, there were alternate NOTAM bulletin suppliers, the US FAA and International Civil Aviation Organization. Even so, no indication was made about how hard it was to switch to the alternate suppliers. When building DR plans, make sure to include the impact and difficulty of moving to your fail-over services, ensure that switch is viable and won't do more harm than being offline. The Aviation sector has become a target of attacks. According to the European Organisation for the Safety of Air Navigation, the industry is seeing ransomware attacks at a rate of one per week, and overall attacks are up as much as 530% year-on-year. That is not the sort of exercise to validate your DR plans I'm talking about. Test and vet them outside of an incident so you're ready. (And I hope you don't need them often.)

Lee Neely

When paying the extorted ransom, there is not a guarantee that your data won't surface at a later date, other than the belief that ransomware operators won't do that to ensure they get paid moving forward. Medibank is assuming all their customer data have been accessed and advising customers accordingly. Two things to keep in mind if you find yourself in this position. First, known compromised companies are at the top of the list for attackers to attempt to "re-compromise" them, so remediation requires not only addressing the entry point but also making sure that you don't leave any behind; second, your customers are at risk for direct-attacks, whether their data is being used for identity theft or leveraged to make a case for them to pay a ransom directly, in which case you need to support your customers with identity protection and information/support in the event they are targeted.

Lee Neely

The bulletin covers areas we've talked about before, which you should be following. To that list I would add making sure that you've enabled DDoS protections on your boundary, to include both your firewall and WAF. Also look at reporting discovered attacks, not just because you may have a regulatory requirement, but also to give agencies like the FBI and DHS/CISA information to go after the source.

Lee Neely