Attackers staged a dry-run against SolarWinds in October 2019
Yahoo News’ sources say the operators of the attack conducted a test run of the campaign five months before the supply-chain attack began in earnest. This test sent files without backdoors through signed updates to Orion, seemingly to test if they would actually be delivered and detected. An updated FAQ by SolarWinds indicates that this was the first modification to its updates it was aware of.
In related news, an analysis by the Wall Street Journal, Farsight Security and RiskIQ identified 24 organizations that installed versions of the SolarWinds Orion platform containing the malicious backdoor, including Cisco, Intel, Nvidia, VMware, Belkin, Kent State University, the California Department of State Hospitals, and Deloitte.
NSO Group spyware reportedly used against journalists
A new report from security researchers at Citizen Lab at the University of Toronto details how government operatives used the Pegasus spyware from NSO Group to attack the phones of 36 journalists, producers and executives at Al Jazeera, as well as one journalist at Al Araby TV in London. The attack was carried out using the zero-click KISMET exploit chain in iMessage, which worked against phones running iOS 13.5.1 or earlier. Apple said it patched the vulnerability, seemingly with iOS 14.
CIA agents exposed with stolen data
A new report in Foreign Policy looks at the impact of data stolen by state-backed groups and other APTs. Around 2013, the CIA began to notice that its undercover operatives in Africa and Europe were being rapidly identified by Chinese operatives. This marked a period in which the US intelligence community noted a professionalization of China’s intelligence operations: building infrastructure to process the data it was collecting both officially and illicitly, as well as a general rooting out of the corruption that had enabled deep CIA penetration of the Chinese government in the early 2000s. China began tracking flights and passenger lists. It also went after biometric data at airports, such as Bangkok’s. This information was correlated with data gathered in an attack on the US Office of Personnel Management in 2012, which leaked personnel data on 21.5 million people. That data could be analyzed to figure out who was a US agent. Pair that information with travel data and you could figure out who from China those agents met with, with background data indicating who might have been approached about becoming a CIA asset.
Europol and the European Commission Launch New Decryption Platform
The platform was launched in collaboration with the European Commission’s Joint Research Centre, is designed to aid authorities in decrypting information obtained lawfully in criminal investigations, and is managed by Europol’s European Cybercrime Centre. Functionally, the platform will combine in-house expertise with both software and hardware tools to provide effective assistance to national Member State investigations. National police forces from EU member states can now send lawfully obtained evidence to Europol for decryption.
Thanks to our episode sponsor, ReversingLabs
A second backdoor found in Orion?
Security researchers at Palo Alto Networks found a webshell that appears to be a trojanized variant of a legitimate .NET library planted in the code of SolarWinds’ Orion platform, which they’ve named SUPERNOVA. It would appear to be a legitimate DLL even under manual inspection, but it is set up to receive commands from a C2 server and could run arbitrary code as a user on the local machine. Researchers at Intezer show the malware timestamped to late March 2020. Researchers believe this to be the work of a different adversary group, as it lacks a digital signature, unlike the SunBurst/Solorigate malware we’ve covered. Malware samples are available on VirusTotal.
Microsoft details the malicious DLL used in SolarWinds attack
The company found that 4,000 lines of code were injected into the SolarWinds Orion DLL, ultimately leading to the Solorigate backdoor. This code was digitally signed, indicating the attackers had access to SolarWinds’ software development or distribution pipeline. Microsoft laid out the sophistication of the attack: the lightweight code ran in a parallel thread so that the core functions of the DLL were not disrupted. The code also ran checks to make sure it wasn’t executing in an analyst sandbox before contacting C2 servers, and it used a unique subdomain for each affected domain. As for preventing future attacks, Microsoft advised that organizations would be best served by focusing on solutions that can look at different facets of network operations to detect ongoing attacks already inside the network, rather than relying on strong preventative measures alone.
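As an added illustration (not code from the episode or from Microsoft’s analysis), the following detection logic runs over constructed DNS query records and flags a parent domain when every querying host resolved its own label that no other host shares, the one-unique-subdomain-per-victim beaconing pattern described above. All host names and domains below are constructed placeholders.

```python
from collections import defaultdict

# Constructed DNS query records: (client_host, queried_fqdn). Not real data.
DNS_LOG = [
    ("host-a", "x7k2m.cdn.example-c2.test"),
    ("host-a", "x7k2m.cdn.example-c2.test"),   # repeat by same host is fine
    ("host-b", "q9p1z.cdn.example-c2.test"),
    ("host-c", "v3n8t.cdn.example-c2.test"),
    ("host-a", "www.update.example-vendor.test"),  # benign: label shared
    ("host-b", "www.update.example-vendor.test"),
    ("host-c", "www.update.example-vendor.test"),
]


def parent_and_label(fqdn, depth=3):
    """Split an FQDN into (parent domain of `depth` labels, remaining prefix).
    Returns (None, None) when there is no prefix to examine."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) <= depth:
        return None, None
    return ".".join(parts[-depth:]), ".".join(parts[:-depth])


def per_host_unique_subdomains(log, depth=3, min_hosts=2):
    """Return {parent_domain: host_count} for parent domains where no
    subdomain label is shared between any two hosts, i.e. each host
    beacons to its own distinct name. Requires at least `min_hosts`
    hosts so a single host cannot trigger the rule on its own."""
    labels_by_host = defaultdict(lambda: defaultdict(set))
    for host, fqdn in log:
        parent, label = parent_and_label(fqdn, depth)
        if parent is not None:
            labels_by_host[parent][host].add(label)
    hits = {}
    for parent, hosts in labels_by_host.items():
        if len(hosts) < min_hosts:
            continue
        all_labels = [lbl for labels in hosts.values() for lbl in labels]
        # Distinct count equal to total count means no label was shared.
        if len(all_labels) == len(set(all_labels)):
            hits[parent] = len(hosts)
    return hits


if __name__ == "__main__":
    for parent, n in per_host_unique_subdomains(DNS_LOG).items():
        print(f"{parent}: {n} hosts, each with a unique subdomain")
```

In practice the rule is a triage signal rather than a verdict: CDNs and some telemetry services also hand out per-client names, so hits should be joined with process and update-provenance data before escalation.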
Ransomware surges in Q3
According to Positive Technologies’ Cybersecurity Threatscape report, ransomware accounted for the majority of recorded malware attacks in the quarter, growing to 51% from 39% in Q2. Healthcare organizations were particularly targeted during the quarter, with more than half of all cyberattacks against them reported as ransomware. Network insecurity, exacerbated by the shift to remote work, remained a growing entry point across all categories of attack. The report actually found that social engineering attacks decreased in the quarter, and that the allure of COVID-19-related social engineering seems to be cratering, down from 16% to just 4% on the quarter. We’ll see if the emergence of COVID-19 vaccines in Q4 spikes those numbers.
EFF scoffs at Facebook’s criticism of Apple’s ad policy
Apple is set to enforce changes in iOS 14 that would require users to opt in to personalized advertising and cross-app tracking by applications. Facebook has criticized the change, recently taking out full-page ads in the Washington Post, New York Times, and Wall Street Journal saying it would negatively impact small businesses that rely on advertising. In response, the nonprofit Electronic Frontier Foundation issued a statement skeptical of this claim, saying Facebook has “built a massive empire around the concept of tracking everything you do,” and noting that studies have shown most of the revenue from targeted advertising goes to third-party data brokers. The EFF applauded Apple’s change in policy, saying, “when a company does the right thing for its users, EFF will stand with it.”