Security Snacks #11 – The SolarWinds Saga continued & The evolution of cybersecurity in 2020

Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Happy holidays to all! This is the last edition of 2020, an already eventful year that ends with a bang. More and more information is emerging about the SolarWinds hack. We hear names like Sunburst, Solorigate, SUPERNOVA, CosmicGale, UNC2452, Dark Halo… Read on to quickly find out what these terms refer to, and what the latest developments are in this supply chain attack that seems full of surprises.

Notable Security News

A second hacking group has targeted SolarWinds systems

More information is surfacing every day about the SolarWinds attacks, dubbed Sunburst (or Solorigate). A second threat actor has hacked SolarWinds to plant another, unrelated backdoor named SUPERNOVA/CosmicGale. The Sunburst hackers also targeted CrowdStrike to create another attack vector but weren’t successful. Security experts have decoded Sunburst’s domain generation algorithm (DGA) and published lists of breached subdomains/organizations. The reason FireEye noticed the SolarWinds intrusion is that it used Multi-Factor Authentication.

On the defensive side, CrowdStrike published a free tool to identify and help mitigate risks in Azure Active Directory. TrustedSec shared a response playbook that is a checklist of recommended actions for victims of the SolarWinds backdoor. Qualys is offering a free 60-day service to help patch all vulnerabilities that can be exploited with the stolen FireEye tools. They estimate that more than 7.5 million devices are potentially exposed!

NSA warns of federated login abuse for local-to-cloud attacks

The NSA is warning about two techniques used recently to escalate attacks from on-premises networks to cloud infrastructure, along with technical detection and hardening recommendations. Incidentally, these techniques were used in the SolarWinds hack, though this is not explicitly mentioned in the advisory.

A moment of reckoning: the need for a strong and global cybersecurity response

This is an excellent piece by Microsoft’s President on the global state of cybersecurity in 2020. It goes over how the threats have evolved and what new strategy is needed in light of recent nation-state attacks such as the SolarWinds hack.

DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors

The threat actors behind the SolarWinds supply chain attack are referred to as UNC2452 (sometimes also Dark Halo). If you’re wondering what UNC groups (or “uncategorized” groups) are, this is an enlightening read on the topic by FireEye.

Unpatched, Unprepared, Unprotected: How Critical Device Vulnerabilities Remain Unaddressed

Despite many warnings by NSA, CISA, FBI and others, “97% of the OT devices impacted by URGENT/11 have not been patched; and 80% of those affected by CDPwn remain unpatched” as Armis found out. Millions of devices (including medical and enterprise devices, ICS and OT systems…) remain at risk months after the disclosure of these vulnerabilities.

Other Interesting News

Cybercrime

Vulnerabilities

Reports

Tech

Misc.