Gregory C. Rasner

Cybersecurity and Third-Party Risk


Скачать книгу

from the top‐tier security company FireEye. As of the time of this writing, it has been confirmed to have affected dozens of U.S. cabinet‐level agencies. Due to the pervasiveness of the SolarWinds product across the world, more breaches will be discovered in the following days, weeks, months, and years to come. Some may never be discovered (or admitted); however, there will be international victims. It is a coup for the suspected perpetrators, thought to be a state actor who used a supply side attack, exploiting the weakness of a popular network and monitoring tool, SolarWinds, to circumvent the tight defenses of the intended victims.

      On December 18th, Microsoft released information identifying more than 40 government agencies, higher learning institutions, Non‐Governmental Organizations (NGOs), and information technology companies that were infiltrated, with four‐fifths of them being U.S.‐based, and nearly half of those being tech companies. On his blog, Brad Smith said

      This is not “espionage as usual,” even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under.

      If customers had performed some key cybersecurity assessment on a third‐party software maker like SolarWinds, this attack could have been detected. Were intake questions asked about the type of data to which SolarWinds had access and where that data might go or be stored? Depending on a company's solution type, asking questions about how the secure software development lifecycle is managed and audited is considered to be appropriate.

      With the hardware device, what was SolarWind's supply chain security for the hardware parts and assembly? For the company that had ventured to perform an on‐site cybersecurity physical validation of SolarWinds, was any evidence produced on how they performed external security scans (which might have detected the default password on their download page “SolarWinds123”)? Who performed these external scans? The company? Or did they hire an outside firm and were the results viewable? Often, such companies will not share these results, so you must negotiate to at least see the Table of Contents, who performed such security scans, and when.

      Final question: Had SolarWinds remediated all the findings in the external security scan? While this is not the first time a breach has occurred, the scale of the SolarWinds breach will dwarf all others.

      The VGCA also develops and makes available for download a toolkit to automate the process of e‐signatures. This toolkit is widely used by the government, private companies, and individuals. VGCA's website was hacked as early as July 23rd, and no later than August 16, 2020. The compromised toolkits contained malware known as PhantomNet, and SManager ESET confirms that the files were downloaded from the VGCA website directly, and not the result of a redirect from another location. While these infected files were not signed with proper digital certificates, it appears that prior files were not correctly signed either. This may have led to users not rejecting the improper digital certificates of the trojan‐infected files because they behaved the same before the malware was added.

      When an infected file was downloaded and run, the correct VGCA program ran along with the malware. This masqueraded the trojan to the end user because they saw the normal program running correctly, being unaware of the trojan or unlikely to look for it because the program appeared to be running normally. The file eToken.exe extracted a Windows cabinet file (.cab), which was used as an archive file to support compression and maintain archive integrity. The file 7z.cab was the file that contained a backdoor for the attackers to exploit. The attackers went to great lengths to ensure that the backdoor ran, regardless of the user's privileges on the device.

      The trojan was determined to be a simple program, and according to the sophistication of the attack, it is likely there were other more malicious plugins added to exploit the backdoor. When the victim's web configuration was determined, then it reached out to a command and control (C&C) server to get instructions. Communications with the C&C servers was done over HTTPS (secure, encrypted web traffic), and the attackers went to the trouble of preventing the interception of traffic (i.e., man‐in‐the‐middle attack on their own data) by using their own certificates.

      Data analysis indicates that the malware was used for lateral movement. Once inside the computer, it enabled the attacker to move around the network for other data. The malware collected and transferred information about the computer, user accounts, and victim. In the post‐attack forensics, no data was discovered nor was the goal of the attack.

      ESET wrote on its website:

      Conclusion: With the compromise of Able Desktop, the attack on WIZVERA VeraPort by Lazarus and the recent supply‐chain attack on SolarWinds Orion, we see that supply‐chain attacks are a quite common compromise vector for cyberespionage groups. In this specific case, they compromised the website of a Vietnamese certificate authority, in which users are likely to have a high level of trust. Supply‐chain attacks are typically hard to find, as the malicious code is generally hidden among a lot of legitimate code, making its discovery significantly more difficult.

      A hardcoded backdoor root account is one that cannot be underestimated in how critical the security flaw is. When an account is built within the code of a product, it cannot be removed unless the code itself is changed or updated by the manufacturer. Additionally, the root account is what is referred to as a “super user,” which has privileges as an administrator. The products affected the manufacturers Advanced Threat Protection (i.e., firewall), Unified Security Gateway (i.e., hybrid firewall/virtual private network [VPN] gateway), USG FLEX (i.e., hybrid firewall/VPN gateway), VPN, and NXC (i.e., Wi‐Fi access point controller) series. These devices formed the perimeter and internal security control points for thousands of companies worldwide. The attacker's ability to exploit these network