2021 Week 12 Security Roundup


Summary

This blog is geared towards cybersecurity events that are of interest to State, Local, Tribal, and Territorial (SLTT) governments in the United States of America.  It is hoped that this focus will help SLTT information technology workers and policymakers to get the information relevant to their mission.  If you are in other sectors hopefully there is information you can find useful as well.  

Updates on SolarWinds and the Microsoft ProxyLogon issues dominated the news again this week.  Breaking news is that as of Thursday night, Defender and System Center Endpoint Protection have added automatic mitigation for the linchpin of the attack playbook.  This was so successful that they evidently broke one of their own honeypot farms.  
In other news, we had updates from the US and other federal governments.  There are even more signs of escalation by nation-state actors, primarily China, in what many are seeing as a global cyberwar.  We also saw a lot of activity in the school arena, with hacks on school systems from primary through university.  

News

Windows Outlook Vulnerability (ProxyLogon)

With the release of the proof-of-concept (PoC) of the ProxyLogon vulnerability in Exchange Server, there continues to be an increase in attacks trying to exploit it.  This attack is no longer just being exploited by Advanced Persistent Threats (APTs); now many threat actors are trying to attack the (as of March 14th) 69,548 vulnerable Exchange servers.  Several have reported that you no longer have to go to the dark web to find it; a simple Google search will get you the information you need to use it.  Check Point indicated that they had seen 7200 attacks on March 15th, which is a tenfold increase from the 11th, when they saw 700.  The most targeted segment remains government at 23%.  To help, Microsoft released a one-click mitigation tool (linked below) for customers who were uncomfortable with shoring up their configuration themselves until they can patch.  Many experts, however, caution that if you have gone through the weekend unpatched, you should assume that you have been breached.  
Researchers indicate that they have been observing and learning from the use of the China Chopper web shell, which is deployed on victim machines.  Hafnium, for instance, is using the JScript version of the web shell, researchers have discovered.  
Also of note, the White House has formed a joint government and private-sector task force on the ProxyLogon hack.  The hope is that a rapid response will help to mitigate any nefarious activities.  
It also appears that the Western Australian Parliament election was targeted by Chinese threat actors.  The Australian Cyber Security Centre (ACSC) used this as a cautionary tale that all Exchange servers need to be patched immediately.  It should be noted that Assistant Defence Minister Andrew Hastie would neither confirm nor deny any compromises of government or private servers.  He basically said that cyber is a war domain (battlefield) and it was not prudent to discuss battle wins and losses during combat.  This is some of the strongest wording yet from a government official as to the gravity of the initial activities.  
The Dutch National Cyber Security Centre indicated that at least 1200 Dutch servers have likely been affected by the breach.  
Thursday night Microsoft announced that Microsoft Defender Antivirus and System Center Endpoint Protection will now mitigate CVE-2021-26855.  This is one of the 4 ProxyLogon exploits that threat actors have been using to gain access to servers.  26855 is often used to set up the other 3, so Defender and System Center blocking it means that many of the playbooks used by the threat actors will not work.  Microsoft has pledged to get the information to other endpoint vendors so that everyone can be protected.  

Microsoft Tools:

https://aka.ms/eomt - Microsoft One-Click-Mitigation tool

Government links

FCC Published a list of Equipment that can't be used on Federal contracts

The list includes Huawei Technologies, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company.  Products from these companies cannot be used on any projects with federal funding, so watch those grant programs.  The list is an appendix to the Supply Chain Covered List, which can be found at https://www.fcc.gov/supplychain/coveredlist .


More Chinese companies facing removal from US market

In 2019 (I believe) the U.S. security agencies released a report on companies that were owned, or in their opinion greatly influenced, by the Chinese government.  In April of 2020 the FCC asked these companies to divest themselves of the Chinese government or face removal from U.S. markets and/or defunding for any projects involving federal government funding.  As part of that, this week the FCC started the proceeding to remove China Unicom and ComNet.  Their contention is that both companies have not successfully defended their independence from Chinese oversight.  The companies have publicly argued that they are not under the control of any government.  
Regardless, as last week, these companies make popular network equipment that might make federal grants tricky.  It is worth keeping an eye on for infrastructure or grant-funded projects.

Buffalo New York public school cyber attack

Cyber attackers encrypted the school district's computers, prompting a cancellation of classes.  It is worth remembering that the US Department of Homeland Security has K-12 schools under alert for heightened ransomware activity due to online classes.  It is believed that threat actors will target schools believing them more likely to pay in order to get classes back up and running as soon as possible.   

FBI warns of major spike in education attacks

A Flash alert issued on the 16th (link below) warns that PYSA (Mespinoza) ransomware has been seen in attacks on schools in the US and United Kingdom.  The targets range from K-12 to higher education: private, public, secular, and seminaries.  Additionally, the threat actors have been seen to target government and healthcare entities.  
For those not familiar with PYSA, it is known for exfiltrating certain kinds of data prior to encrypting all Windows and Linux endpoints and servers on the network.  Threat actors have been known to extort victims not only for the decryption keys but also for a promise not to post the data online.  It should also be pointed out that some threat actors have been known to remove the data and encrypt empty folders, so once decrypted there actually is no data there.

Government resources:
Florida high-school student 'hacks' homecoming queen election

A 17-year-old high school student used her mother's credentials to access student records and change votes in the homecoming queen election.  The votes were cast through Election Runner, which sent notice to the school of suspected fraudulent votes.  The system required a student name and ID number, which seems to be the reason the school system's records were accessed.  This serves as a reminder to keep critical systems (like those holding FERPA data) under enhanced observation.


SolarWinds Orion (Sunburst)

A new Mimecast update says that the hackers behind the SolarWinds attack had accessed source code repositories at Mimecast.  They indicate that they believe the threat actors did not alter any source code.  Separately, it appears that the threat actors also got source code from Microsoft.
Additionally, the CISA Hunt and Incident Response Program (CHIRP {don't you love government acronyms}) released an executable and Python script that will let you know if you have been affected.  Link below.

Additionally, the Biden administration among others has begun to mention Cyber Security Ratings as a protective measure against this type of incident in the future.  Many security experts caution there are both positives and negatives.  I will say that I have explored this to a great degree, and, full disclosure, have thought of adding this as a service offered by my private security firm.  I honestly am not sure you can ever mitigate against an event like this with external review only.  

Government links
RedEcho - Indian Power Grid hack

Recorded Future is indicating that the attackers behind the so-called RedEcho hack seem to be APT41 (aka Barium).  The group used ShadowPad, which is a known Chinese state hacking tool.  The ties are the use of AXIOMATICASYMPTOTE servers hosting DDNS domains that have in turn hosted Barium infrastructure in previous incidents, according to Microsoft researchers.  This attack attempted to disrupt power from 4 Regional Load Despatch Centres (RDPLs) as well as 2 seaports in Loci and Mumbai.  Collectively the 10 (overall) targeted organizations account for 80% of India's power distribution system by landmass.  


Supply Chain Executive Order

I debated about putting anything about this here, as it is not entirely related to SLTT entities, but thought some mention was needed.  One of the first things that Biden did was to suspend all of Trump's executive orders (EOs) for a 90-day review.  One of those was the Supply Chain Executive Order (13873).  This was superseded by a new EO titled Executive Order on America's Supply Chains.  This EO seeks to bring some guidance to the Federal Government as well as the American supply chain for critical components of infrastructure and business, including IT components.  There are a lot of changes that I encourage you to look up yourself if you are involved in critical infrastructure grants.  That being said, I wanted to point out that, Facebook memes to the contrary, the repeal of EO 13873 did not release entities to purchase equipment on the ban list nor to contract with governments hostile to the wishes of the United States (i.e. China).  As a matter of fact, the new EO goes further and encourages all firms to evaluate their entire supply chain for any instability in the governments under which they operate.  This is good advice, as the shortages caused by COVID-19 highlighted.  


Legislative actions 

United States

The U.S. House of Representatives introduced a bipartisan bill that would strengthen the Cybersecurity and Infrastructure Security Agency's (CISA) role in protecting critical infrastructure against cyber-attack.  The Department of Homeland Security Industrial Control Systems Enhancement Act requires the director of CISA to maintain the ability to detect and respond to attacks on Industrial Control Systems (ICS) and to collect and distribute information on vulnerabilities in those systems to their owners and operators.  While $650 million was earmarked for these efforts in the COVID-19 relief bill, the discussion on this current bill reiterated that $650 million is just a down payment on what is necessary.

Great Britain

Lord Holmes of Richmond is adding his voice to those urging Boris Johnson's administration to update the Computer Misuse Act.  One of the proposed changes is to clarify language which currently simply criminalizes any "unauthorized access" to computers, which can mean that backtracking criminals onto their own systems merely to identify them is technically illegal in the UK.  It should be noted that this law was enacted long before the practice of route-tracing IP addresses (which some fear is technically criminal).  

Oklahoma

Oklahoma's House of Representatives unanimously passed a bill to update language in the Oklahoma Computer Crimes Act.  The goal of this act was to modernize, and hopefully to a degree future-proof, the language to address modern and evolving threats to computers and their networks.  For example, it specifically added language to define ransomware and removed some language that was outdated.  HB1759 will have its first reading in the Senate on March 11. 