Microsoft on Thursday revealed that the threat actors behind the SolarWinds supply chain attack were able to gain access to a small number of internal accounts and escalate access inside its internal network.

The “very sophisticated nation-state actor” used the unauthorized access to view, but not modify, the source code present in its repositories, the company said.

“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the Windows maker disclosed in an update.

“The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”
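The detection Microsoft describes above, unusual activity on a small number of internal accounts that turned out to include read access to a set of source repositories, is a baseline-deviation problem. The following is an added illustration of one way a defender can model it, not Microsoft's own detection logic (which the article does not describe): build a per-account baseline of repositories each account has read during a training window, then flag accounts that read several repositories outside that baseline in a later window. The audit log, account names, repository names and the threshold of three unseen repositories are all constructed for the example.

```python
"""Flag accounts whose repository reads fall outside their established baseline.

Added illustration, not the detection logic from the article.  Read-only access
is treated as alert-worthy on its own: the point of the check is that an account
suddenly reading code it never touched before is anomalous even if it cannot
write anything.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): timestamp, account, action, repository.
SAMPLE_AUDIT_LOG = """\
timestamp,account,action,repository
2020-11-02T09:12:00,alice,repo.read,payments-service
2020-11-03T10:05:00,alice,repo.read,payments-service
2020-11-04T11:30:00,alice,repo.read,billing-lib
2020-11-02T08:40:00,bob,repo.read,web-frontend
2020-11-05T13:15:00,bob,repo.read,web-frontend
2020-11-06T14:00:00,bob,repo.read,design-system
2020-11-10T15:22:00,svc-build,repo.read,payments-service
2020-11-10T15:23:00,svc-build,repo.read,web-frontend
2020-12-01T09:00:00,alice,repo.read,payments-service
2020-12-01T09:30:00,alice,repo.read,billing-lib
2020-12-02T02:11:00,bob,repo.read,payments-service
2020-12-02T02:14:00,bob,repo.read,billing-lib
2020-12-02T02:20:00,bob,repo.read,identity-core
2020-12-02T02:25:00,bob,repo.read,signing-infra
2020-12-02T02:31:00,bob,repo.read,kernel-drivers
2020-12-03T11:00:00,alice,repo.read,design-system
"""

# Everything up to this instant is the training window; everything after is scored.
BASELINE_END = datetime(2020, 11, 30, 23, 59, 59)
# Assumed tuning value: flag an account once it reads this many never-before-seen repositories.
NEW_REPO_THRESHOLD = 3


def parse_events(text):
    """Parse the CSV audit log into a list of event dicts with real datetimes."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "account": row["account"],
            "action": row["action"],
            "repo": row["repository"],
        })
    return events


def build_baseline(events, cutoff):
    """Map each account to the set of repositories it read during the training window."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] <= cutoff and e["action"] == "repo.read":
            baseline[e["account"]].add(e["repo"])
    return baseline


def detect_anomalous_reads(events, cutoff, threshold=NEW_REPO_THRESHOLD):
    """Return one finding per account that read >= threshold repositories absent from its baseline."""
    baseline = build_baseline(events, cutoff)
    unseen = defaultdict(dict)  # account -> {repository: first time it was read after the cutoff}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["ts"] <= cutoff or e["action"] != "repo.read":
            continue
        if e["repo"] not in baseline.get(e["account"], set()):
            unseen[e["account"]].setdefault(e["repo"], e["ts"])

    findings = []
    for account, repos in unseen.items():
        if len(repos) >= threshold:
            findings.append({
                "account": account,
                "new_repositories": sorted(repos),
                "first_seen": min(repos.values()).isoformat(),
                "known_before": sorted(baseline.get(account, ())),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_anomalous_reads(parse_events(SAMPLE_AUDIT_LOG), BASELINE_END):
        print(finding)
```

In the constructed log, `alice` reads one repository outside her baseline and stays under the threshold, while `bob` reads five repositories he had never touched, in the small hours, and is flagged with the list of new repositories and the time of the first deviation. In practice the baseline would be rebuilt on a rolling window and the threshold tuned per role, but the structure (baseline, deviation, count, alert with context) is the part that matters.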

The development is the latest in the far-reaching espionage saga that came to light earlier in December following revelations by cybersecurity firm FireEye that attackers had compromised its systems via a trojanized SolarWinds update to steal its Red Team penetration testing tools.

During the course of the probe into the hack, Microsoft had previously admitted to detecting malicious SolarWinds binaries in its own environment but denied its systems were used to target others or that attackers had access to production services or customer data.

Several other companies, including Cisco, VMware, Intel, and NVIDIA, as well as a number of US government agencies, have since discovered markers of the Sunburst (or Solorigate) malware on their networks, planted via tainted Orion updates.

The Redmond-based company said its investigation is still ongoing but downplayed the incident, adding “viewing source code isn’t tied to elevation of risk” and that it had found evidence of attempted activities that were neutralized by its protections.

In a separate analysis published by Microsoft on December 28, the company called the attack a “cross-domain compromise” that allowed the adversary to introduce malicious code into signed SolarWinds Orion Platform binaries and leverage this widespread foothold to continue operating undetected and access the target’s cloud resources, culminating in the exfiltration of sensitive data.

SolarWinds’ Orion software, however, wasn’t the only initial infection vector, as the US Cybersecurity and Infrastructure Security Agency (CISA) said the attackers used other methods as well, which have not yet been publicly disclosed.

The agency also released supplemental guidance urging all US federal agencies that still run SolarWinds Orion software to update to the latest 2020.2.1 HF2 version.

“The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code,” the agency said.

Malicious SolarWinds Orion backdoor installed in Microsoft’s network led to the attackers viewing some of its source code.

Microsoft today disclosed its discovery that the attackers behind the SolarWinds breach and rigged software update had commandeered one of its internal accounts to view — but not alter — some of its source code “in a number of source code repositories.”

The revelation is the latest twist in a complex breach believed to be perpetrated by Russian hackers on behalf of that nation’s SVR intelligence arm, one that has infiltrated major US government agencies, including the US State Department and Treasury, as well as major companies such as Microsoft and FireEye, the security giant that first detected and revealed the breach. The so-called Dark Halo group (aka UNC2452) infiltrated network management vendor SolarWinds’ software build system and planted a backdoor called Sunburst into updates of the company’s Orion software used by the victims. Some 33,000 organizations worldwide received the software update, and around 18,000 installed it on their systems — including Microsoft.

SolarWinds’ Orion software wasn’t the only initial attack vector, however. The Cybersecurity & Infrastructure Security Agency (CISA) said the attackers used other methods as well, which have not yet been publicly disclosed.

Microsoft said that the attackers’ viewing its source code poses no increase in security risk because its security threat model assumes attackers have some knowledge of the code. One of Microsoft’s user accounts was used by the attackers to view the company’s source code, but the company said that account was not authorized to modify code or engineering systems. Microsoft was able to confirm no changes were made to the code, and the compromised user accounts have been “remediated.”

“Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor,” Microsoft said in the blog post today.



Let’s face it, 2020 was a terrible year. The Coronavirus has killed almost two million people globally and caused trillions of dollars in economic disruption. Wildfires, floods and hurricanes have ravaged the United States, central America, Australia and parts of Asia.

But trying times have a way of peeling back the curtains and letting us see our world with new eyes. COVID messed up our lives, and focused our attention on what really matters.

Maybe that’s why this very bad year has led to some really good conversations and insights here on The Security Ledger on topics ranging from election security, to security supply chains and the security risks of machine learning.

To wrap up 2020, I went back through 35 episodes that aired this year and selected four interviews that stuck out and, in my mind, captured the 2020 zeitgeist, as we delved into issues as diverse as the security implications of machine learning, the cyber threats to election systems, and connected vehicles. We’re excerpting those conversations now in a special end-of-year edition of the podcast. We hope you enjoy it.

The Security Risks of Machine Learning

To start off, I pulled a March interview from Episode 180 that I did with security luminary Gary McGraw, the noted entrepreneur, author and now co-founder of the Berryville Institute of Machine Learning.

Taking Hardware Off Label to Save Lives

As winter turned to spring this year, the COVID virus morphed from something happening “over there” to a force that was upending life here at home. As ICUs in places like New York City rapidly filled, the U.S. faced a shortage of respirators for critically ill patients. As it often does, the hacking community rose to the challenge. In our second segment, I pulled an interview from Episode 182 with Trammell Hudson of Lower Layer Labs. In this conversation, Trammell talks to us about Project Airbreak, his work to jailbreak CPAP machines, and how an NSA hacking tool helped make this inexpensive equipment usable as a makeshift respirator.


COVID Spotlights Zoom’s Security Woes

One of the big cyber security themes of 2020 was the security implications of changes forced by the COVID virus. Chief among them: the rapid shift to remote work and the embrace of technologies, such as Zoom, that enabled remote work and remote meetings. For our third segment, I returned to Episode 183 and my interview with security researcher Patrick Wardle, a Principal Security Researcher at the firm JAMF. In April, he made headlines for disclosing a zero day vulnerability in the Zoom client – one that could have been used by an attacker to escalate their privileges on a compromised machine. That earned him a conversation with Zoom’s CEO that took place – to Wardle’s dismay – via Zoom.

Securing Connected Vehicles

Finally, while COVID and the ripple effects of the pandemic dominated the news in 2020, it wasn’t the only news. In the shadows of the pandemic, other critical issues continued to bubble. One of them is the increasing tension over the power held by large companies and technology firms. In our final segment, I’m returning to my conversation with Assaf Harel of Karamba Security in Episode 193. Harel is one of the world’s top experts in the security of connected vehicles. In this conversation, Assaf and I talk about the state of vehicle cyber security: what the biggest cyber risks are to connected cars. We also go deep on the right to repair, and how industries like automobiles can balance consumer rights with security and privacy concerns.


As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

Our polarized climate and COVID-19 are putting the nation’s cybersecurity in imminent danger, and it’s past time to act.

Whenever a polarizing event occurs, there are people looking for ways to exploit the situation. Cyber crooks have long been known for using large events or important topics to phish and scam, infiltrate networks, and establish footholds. And the events that polarized the world’s largest economy in 2020 set the perfect stage for advanced persistent threat (APT) groups and other organized cybercriminals to act. It is the ideal combination of all the ingredients needed for successful attacks, not only in the United States but everywhere in the world.

Why? Simply put, when large segments of the population are polarized (in fact, tribalized), they are eager to consume the things that help them make sense of their convictions. Opponents’ facts and experiences are perceived with bias and even disbelief, which amplifies the impact of things that a person believes “makes sense.” Playing to this scenario makes it straightforward for cybercriminals to distribute infected files or share links to malicious websites or downloads.

Furthermore, coping with a global health crisis takes a substantial amount of focus, especially with the numbers rising. Everyone is affected, directly or indirectly, by COVID-19, and everyone has it on the brain every day as they worry about the health and safety of loved ones or their income.

Finally, the pandemic has fundamentally changed the way we work — now predominantly from home — and the impacts on our networking infrastructure are significant. Many unmonitored devices now sit in close proximity to the entry points of a corporation’s network, radically increasing the attack surface for companies around the globe. Critical infrastructure, such as healthcare and energy systems, must also be considered. Many critical infrastructure systems are under stress, aging, unstable, or experiencing negative side effects from the increased demand. Solving these issues is an enormous task that requires proper management and focus.

Cybercriminals Are in It for the Long Term
Vaccine research is a prime target for cybercriminals, as there is no object more valuable right now. It is the right time for attackers to infiltrate and establish footholds in networks; cyber-defense architectures are weak due to the effects of remote work in general, but also because employees distracted by polarizing topics may forget their cybersecurity awareness and become more vulnerable. 

Note that this is not about short-term gain for attackers. Establishing footholds in large numbers of organizations now will enable them to expand inside the infrastructure and prepare even larger attacks later. 

In addition, because digitalization is mainly driven by business decisions, cybersecurity is all too often an afterthought. Many businesses are interconnected globally through international supply chains and their products and services are delivered to distant countries. The dependence this places on information technology and its cross-connection between sectors is mostly invisible. Coordination efforts are hampered, and key management resources are unavailable.

Two Steps to Build Cyber Resilience
Given all of these ingredients and the context we’re living in, the nation’s cybersecurity status appears to be more vulnerable than usual. Therefore, this is a plea to businesses and organizations to bolster their cyber resilience.

1. Embrace the Paradigm Shift
The first step to achieving cyber resilience is to start with a fundamental paradigm shift: Expect to be breached, and expect it to happen sooner rather than later. You are not “too small to be of interest,” what you do is not “irrelevant for an attacker,” and it doesn’t matter that there is a “bigger fish in the pond to go after.” Your business is interconnected with all the others; it will happen to you.

Embrace the shift. Step away from a one-size-fits-all cybersecurity approach. Ask yourself: What parts of the business and which processes are generating substantial value? Which must continue working, even when suffering an attack, to stay in business? Make plans to provide adequate protection — but also for how to stay operational if the digital assets in your critical processes become unavailable.

2. Inventory Your Assets Now
Know your most important assets, and share this information among stakeholders. If your security admin discovers a vulnerability on a server with IP address 172.32.100.100 but doesn’t know the value of that asset within your business processes, how can IT security properly communicate the threat? Would a department head fully understand the implications of a remote code execution (RCE) attack on that system? 

Do the resilience basics for your important assets (if you don’t want to do it for all), put technical controls in place for changes and vulnerabilities, and tie these controls into a security architecture that enables automated information exchange, not only between the systems in your security operation center and its team members but also between all of your stakeholders. 
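The two steps above come down to one mechanical requirement: when a scanner reports a vulnerability on a host such as 172.32.100.100, the alert should already carry the owner, the business process the host supports and its criticality, so that the priority and the message to the department head follow from the register rather than from the IP address. The following is an added example of that join, not code from the article or its author; the asset register, the owners, the criticality weights and the finding identifiers (labelled as placeholders) are all constructed, and only the IP address 172.32.100.100 comes from the text.

```python
"""Enrich vulnerability findings with asset-register context and rank them.

Added illustration (not from the article).  A finding on a host that is not in
the register is itself reported as an inventory gap, because an unknown asset
cannot be prioritised or communicated to a stakeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    owner: str               # team or department head accountable for the system
    business_process: str    # what stops if this host is unavailable
    criticality: int         # 1 = revenue-critical process ... 4 = lab/test (assumed scale)


@dataclass(frozen=True)
class Finding:
    ip: str
    vuln_id: str             # placeholder identifiers below; the article names no CVE here
    description: str
    cvss: float
    remote_code_execution: bool


# Constructed register.  The first IP is the one from the article; everything else is made up.
ASSET_REGISTER: Dict[str, Asset] = {
    "172.32.100.100": Asset("172.32.100.100", "ordersdb-01", "Order Management",
                            "online order fulfilment", 1),
    "172.32.100.101": Asset("172.32.100.101", "build-agent-07", "Platform Engineering",
                            "CI builds", 3),
}

# Assumed weighting: how much a given criticality tier multiplies the technical severity.
CRITICALITY_WEIGHT = {1: 4.0, 2: 2.0, 3: 1.0, 4: 0.5}
RCE_MULTIPLIER = 1.5  # assumed: remote code execution outranks same-CVSS findings without it

# Constructed scanner output with placeholder vulnerability IDs.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("172.32.100.101", "VULN-PLACEHOLDER-1", "unauthenticated RCE in build agent", 9.8, True),
    Finding("172.32.100.100", "VULN-PLACEHOLDER-2", "unauthenticated RCE in database listener", 9.8, True),
    Finding("172.32.100.250", "VULN-PLACEHOLDER-3", "outdated TLS library", 7.5, False),
]


def priority_score(finding: Finding, asset: Optional[Asset]) -> float:
    """Technical severity scaled by business criticality; unknown assets get a neutral weight."""
    weight = CRITICALITY_WEIGHT[asset.criticality] if asset else 1.0
    score = finding.cvss * weight
    if finding.remote_code_execution:
        score *= RCE_MULTIPLIER
    return round(score, 1)


def enrich(finding: Finding, register: Dict[str, Asset]) -> dict:
    """Attach owner, process and a stakeholder-readable message to one finding."""
    asset = register.get(finding.ip)
    score = priority_score(finding, asset)
    if asset is None:
        message = (f"{finding.ip} is not in the asset register; {finding.vuln_id} "
                   f"({finding.description}) cannot be assigned an owner. Fix the inventory first.")
    else:
        impact = "remote code execution" if finding.remote_code_execution else "a vulnerability"
        message = (f"{asset.owner}: {asset.hostname} ({finding.ip}) supports "
                   f"'{asset.business_process}' and has {impact} exposure "
                   f"({finding.vuln_id}, CVSS {finding.cvss}). Priority {score}.")
    return {
        "ip": finding.ip,
        "vuln_id": finding.vuln_id,
        "owner": asset.owner if asset else None,
        "business_process": asset.business_process if asset else None,
        "inventory_gap": asset is None,
        "priority": score,
        "message": message,
    }


def prioritise(findings: List[Finding], register: Dict[str, Asset]) -> List[dict]:
    """Enrich every finding and return them highest priority first."""
    return sorted((enrich(f, register) for f in findings),
                  key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS, ASSET_REGISTER):
        print(row["priority"], row["message"])
```

Two findings in the sample carry the same CVSS 9.8 score; the register is what separates the order database from a build agent, and the unregistered host surfaces as a gap to fix rather than a finding to silently deprioritise.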

Doing these two things changes your approach to cybersecurity into a forward-looking, resilient posture, even in these polarized times.

 

A native of Germany, Dirk Schrader brings more than 25 years of delivering IT expertise and product management at a global scale. His work focuses on advancing cyber resilience as a sophisticated new approach to tackle cyberattacks faced by governments and organizations of …


Despite a pandemic and possibly the worst cyberattack campaign ever waged against the US, the year still had some bright spots when it came to “good” and creative hacks.

2020 unsurprisingly went out with a bang, and not in a good way. The massive cyberattack campaign by Russian nation-state actors shattered hopes for a quiet holiday break for security teams who have been heads-down since March, when the COVID-19 pandemic first took hold and rocked SOCs. Workers — including security analysts — were sent home to set up makeshift offices, and existing network architectures were transformed practically overnight.

While this year for sure was fraught with disruption and uncertainty, it also made some space for ingenuity by security teams, who navigated a new normal, and security researchers, who unearthed new vulnerabilities that otherwise might not have been uncovered. In addition, some inspired white-hat hacks were already in the works before the pandemic struck.

Among the head-turning hacks in 2020: A Tesla’s smart-car camera fell victim to a piece of good old black electrical tape. Light hacked sound. And a pair of pen testers who got busted for doing their jobs finally shared details of their harrowing experience that nearly ruined their personal and professional lives, including how they sat in lockup overnight and then were mired in legal jeopardy for months amid a territorial and political battle between a small-town sheriff and the state of Iowa.

Kicking back and truly relaxing over this holiday season is not so simple. We get that. But you’ve earned it, so grab a cup of cheer (2020 is behind us now) and take a look back at some of the coolest hacks by researchers that graced Dark Reading’s news coverage this year.

Tesla Fail
So much for the smart car.

Researchers from McAfee were able to fool older-model autonomous vehicles made by Tesla to dangerously accelerate: They merely affixed black electrical tape on a traffic sign, changing the “3” in 35 mph to an “8,” and the Teslas automatically accelerated their speed to 85 mph.

The experiment focused on Teslas equipped with Mobileye version EyeQ3 (Tesla hardware Pack 1), and the good news is that a newer version of the camera didn’t fall for their attack. (Also good news: The latest Tesla models don’t use Mobileye and don’t appear to conduct traffic-sign recognition.)

The attack works if the car is set for traffic-aware cruise control, but the researchers noted the driver would likely notice the issue and retake control of the acceleration.

“We are not trying to spread fear here and saying that attackers are likely going to be driving cars off the road,” said Steve Povolny, head of McAfee Advanced Threat Research.

Then why the scary car test? Povolny said the research was all about adversarial machine learning (ML), testing ML algorithms for their vulnerability to exploitation. Mobileye cameras’ algorithms are trained on specific data sets, including known traffic signs, leaving them vulnerable to previously unknown or altered data.

“If we project 10 to 20 years into the future, at some point these issues are going to become very real,” Povolny said. “If we have completely autonomous vehicles and computing systems that are making medical diagnoses without human oversight, we have a real problem space that is coming up.”

A Pen Test That Went Very Wrong
Physical penetration testing relies on a pact between the client and the pen-testing company that the testers will be free from legal — and physical — risk. But red-team experts Gary De Mercurio and Justin Wynn of Coalfire this year shared their personal story of just how these engagements can expose pen testers to inherent vulnerabilities in the pacts themselves.

It was a few minutes after midnight on Sept. 11, 2019, during the final phase of De Mercurio and Wynn’s pen-testing engagement for the state of Iowa’s Judicial Branch, when their lives were forever changed. After breaking into the front door of the Dallas County Courthouse in Iowa with a plastic cutting board retrofitted with a handy notch fitted into the doorjamb, the pair went to work poking around for potential security weaknesses in the courthouse as the alarm went off.

Soon officers arrived at the city of Adel, Iowa, courthouse, just across the street from the Dallas County Sheriff’s Department. In what was at first a tense but ultimately friendly exchange once the officers confirmed their story, everything fell apart after the Dallas County Sheriff arrived on the scene and had De Mercurio and Wynn handcuffed and perp-walked to the jail across the street. They spent the night in separate cells, were hit with felony charges, and spent nearly five months in an ugly and very public legal battle in part due to a political fight between state and county officials in Iowa over who had legal jurisdiction over the courthouse where the pen testers had been conducting their engagement. Their client, the state of Iowa, “disavowed” them, leaving them in further legal jeopardy.

“They [the state] had no doubt” what it had hired Coalfire to do, maintained Wynn.

De Mercurio and Wynn were fully exonerated in January after a state legislative hearing that led to the charges getting dropped. They’re now on a crusade to hack the process of setting up social engineering and physical pen tests so other pen testers won’t be at risk like they were.

“Always record your phone calls, at least with physical engagements,” De Mercurio recommended. “Try to make your contract as ironclad and succinct as possible,” as well.

Honeypot on Steroids
Industrial prototyping company MeTech was hit with ransomware, remote access Trojans (RATs), malicious cryptojacking, and online fraud, as well as botnet-style beaconing malware that infected its robotics workstation in a seven-month period in 2019.

MeTech’s exposed industrial control system (ICS) network was flagged by a researcher known for spotting vulnerable industrial systems via Shodan, but a team of Trend Micro researchers asked him to stand down: They informed him that MeTech was a fictitious manufacturing company they had built as part of an elaborate honeypot-type operation, complete with its own website.

The researchers had set up phony employee personas, a website, and PLCs on a simulated factory network in order to track and study attacks and threats to the industrial control sector. The advanced interactive honeypot model provided them just that, and what they found was mostly the typical threats IT networks see, with a few exceptions.

In one case, the attacker got to the robotics system, closed the HMI (aka human machine interface), and powered down the system. Another attack started up the factory network, stopped the simulated conveyor belt, and shut down the phony factory network; another opened the log view of the robot’s optical eye.

“Yes, your factories will be attacked if they are directly connected to the [Internet],” says Stephen Hilt, who went public with the project in January of this year after running the amped-up honeypot with fellow Trend Micro researchers Federico Maggi, Charles Perine, Lord Remorin, Martin Rösler, and Rainer Vosseler from September to December 2019.

They even performed a real-world negotiation with ransomware attackers who had dropped Crysis ransomware on the phony network:

“The system was down for a week because it [the malware] spread,” said Hilt, who added the PLCs weren’t affected but did lose visibility into plant operations, while the HMI files were locked down by the ransomware.

The researchers talked the attackers down from $10,000 in Bitcoin to $6,000 but never actually paid up: They had backups and were able to recover.

The Mysterious Case of Light Hacking Sound
Researchers at the University of Michigan and the University of Electro-Communications (Tokyo) took their initial digital voice assistant hacking research from 2019 to the next level this year: At Black Hat Europe Virtual, they showed how the built-in microphones of newer model digital voice assistants can be manipulated by light, using laser pointers. They previously had hacked Google Assistant, Amazon Alexa, Facebook Portal, and Apple Siri as well as smartphones and tablets via a vulnerability in their embedded MEMS mikes, using laser beams to inject inaudible commands.

This time they hijacked the Amazon Echo 3 via light and then manipulated a security camera connected to the Echo.

They spent just $2,000 in equipment for the attack technique they have christened as “Light Commands,” but say it could be pulled off for as little as $100, including a low-end laser pointer for cats that can be bought on Amazon.

Benjamin Cyr, a Ph.D. student at Michigan, and researcher Sara Rampazzi confessed they still don’t know how they are able to hack sound with light: Why do the mikes respond to the light as if it’s sound?

“There’s still some mystery around the physical causality on how it’s working. We’re investigating that more in-depth,” Cyr said. “We want to try to nail down what’s happening on a physical level, so that future hardware designs” protect them from light-injection attacks.

The researchers also are studying sensing system security of medical devices, autonomous vehicles, industrial systems, and space systems.

“We want to understand … how to defend against these vulnerabilities. Our final goal is to protect the system and make it more resilient, not only for the attack we found but for future attacks that have not yet been discovered,” Rampazzi said.

When Smart Bulbs Go Dim
A light bulb is likely the last thing you’d think could be abused for a cyberattack, but researchers this year again demonstrated the dangers of a smart home with a new exploit against the Philips Hue Smart Bulb.

Philips fixed a flaw the researchers had found in previous work in 2017, but the researchers this year found a way an attacker could infiltrate a home network and install malware via a vuln in the popular Zigbee communications protocol used in the Philips bulbs.

“In an office environment, it would probably be the first step in an attempt to attack the organization, steal documents from it, or prepare a dedicated ransomware attack on sensitive servers inside the network,” said Eyal Itkin, a security researcher at Check Point. “From our perspective, the main takeaway from this research is emphasizing that IoT devices, even the most simple and mundane ones, could be attacked and taken over by attackers.”

Here’s how the new attack works: Check Point researchers found and exploited a heap-based buffer overflow (CVE-2020-6007) in the Zigbee implementation in Philips Hue’s smart-bulb control bridge. This allowed them to gain control of the smart bulb and install malware on it via an over-the-air firmware update.

That let them control the bulb’s color and brightness so it appears to be malfunctioning, and then show the bulb as “unreachable” in the user’s control app. That in turn would prompt the user to reset the bulb and unknowingly trigger the malicious firmware update that exploits the control bridge vulnerability.

An attacker then can spread spyware, ransomware, or any other type of malware using a known exploit such as the infamous EternalBlue, according to the researchers.

There are some key caveats to the attack, however: An attacker must be nearby to wrest control of the bulb, and the attack will only work if the bridge is adding a light bulb to the network.

“Without the user issuing a command to search for new light bulbs, the bridge won’t be accessible to our now-owned light bulb, and we won’t be able to launch the attack,” Itkin said.

Ring-a-Ling: How Hackers Can Abuse Video Doorbells
Sometimes buying a cheaper device that’s marked as Amazon’s Choice isn’t the smartest choice. Take the smart video doorbell: Researchers found some major security flaws in nearly a dozen inexpensive doorbell products sold on Amazon and eBay and popular among UK consumer sites.

NCC Group worked with UK consumer organization Which? to study the security of 11 lesser-known brands of smart doorbells and found several of them gather and send Wi-Fi names, passwords, location data, photos, video, email, and other information back to the manufacturer.

“The most surprising finding was seeing some of the doorbells sending home Wi-Fi passwords over the Internet and unencrypted to remote servers. It’s not really clear what the purpose of such a feature would be, and it certainly exposes a person’s entire home network to potential attackers and criminals,” said Matt Lewis, research director at NCC Group.

The researchers found two Victure and Ctronics video doorbells that contained a vuln that could allow an attacker to pilfer the victim’s network password and hack the doorbell, as well as the router and other network devices.

Another Victure doorbell with a top seller rating on Amazon was sending Wi-Fi network names and passwords — unencrypted — to servers in China.

There were other eye-popping flaws, such as one generic-brand video doorbell that contained a vulnerable WPA2 protocol implementation that could let an attacker access the user’s home network directly.

Many of the doorbells had weak or easily guessed default passwords.

“The main takeaway for consumers is to really do their homework before purchasing devices like these and, where possible, stick with popular and known brands,” Lewis said.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …


Variety is the spice of life, and it’s also the perfect analogy for the article topics that resonated most with Edge readers this past year.

Before we collectively step forward into 2021, we thought we’d take a look back at which articles resonated most with Edge readers in 2020. We also sprinkled in a few of our own favorites to bring you this top 20 list of features, best practices, 101s, profiles, and more. Their takeaways remain relevant as we kick off a new year.

What’s Anonymous Up to Now?
In the midst of the Black Lives Matter protests, the familiar Anonymous caricature of Guy Fawkes reappeared — multiple times, according to the hacktivist group. But was Anonymous back? And if so, how did it change from its heyday a decade ago?

Security Jobs With a Future — And Ones on the Way Out
Some titles are hot, while others are not, amid rapidly shifting business priorities. The Edge asked around about which titles and skills security hiring managers are, and aren’t, interested in as the skill sets they need continue to evolve.

MFA Mistakes: 6 Ways to Screw Up Multifactor Authentication
Fearful of messing up the implementation, many enterprises are still holding out on MFA. What are some of the common missteps organizations make when they deploy MFA – and what can they do to avoid them?

Emotet 101: How the Ransomware Works — and Why It’s So Darn Effective
While numerous types of ransomware exist, one of the more prominent and dangerous versions is Emotet. Managing the risk starts with understanding the way it works.

8 New and Hot Cybersecurity Certifications for 2020
In October 2019, The Edge brought you “14 Hot Cybersecurity Certifications Now.” Time, per usual, has flown, leaving us to wonder, “What difference does a year make? Especially in this very unusual year?” And are the certs a sign of things to come?

A Hacker’s Playlist
What sound do you hear in your head when you think “stereotypical hacker music”? Nine security researchers share their favorite songs and genres.

2021 Security Budgets: 6 Top Priorities, New Realities
An unprecedented 2020 has shaken up security leaders’ usual list of must-have technologies. What’s on the horizon? They share with us their spending plans for 2021.

Cybercriminals Could be Coming After Your Coffee
Researchers show no IoT device is too small to fall victim to ransomware techniques.

5 Ways to Prove Security’s Worth in the Age of COVID-19
Tightened budgets are placing jobs at risk, but security pros say they’re armed with ways to demonstrate that what they’re doing merits keeping them employed.

Election Security in the Age of Social Distancing
Although the controversial option of voting by mobile app is one pressing consideration, cybersecurity experts agree that older issues need to be resolved before November 3.

How Ransomware Defense Is Evolving With Ransomware Attacks
As data exfiltration threats and bigger ransom requests become the norm, security professionals are advancing from the basic “keep good backups” advice.

Next-Gen Firewalls 101: Not Just a Buzzword
In a rare twist, “next-gen” isn’t just marketing-speak when it comes to next-gen firewalls, which function differently than traditional gear and may enable you to replace a variety of devices.
Read more

Beyond Burnout: What Is Cybersecurity Doing to Us?
Infosec professionals may feel not only fatigued, but isolated, unwell, and unsafe (and this was before the pandemic. And the problem may hurt both them and the businesses they aim to protect.
Read more

7 Infamous Moments in Adobe Flash’s Security History
End-of-life is here: Adobe’s support for Flash is gone as of Jan. 1. Here’s what we won’t miss about the multimedia software platform.
Read more

Zero-Trust Security 101
Zero trust sounds so harsh. But real cybersecurity results can come from the harsh-sounding scheme that defines every relationship as fraught with danger and mistrust.
Read more

Biometrics in the Great Beyond
A thumbprint may be a good authentication factor for the living, but are you prepared to access mission-critical data and devices after an employee’s death?
Read more

6 Unique InfoSec Metrics CISOs Should Track in 2020
You might not find these measurements on a standard cybersecurity department checklist. But they can help evaluate risks you haven’t even considered yet.
Read more

Martin and Dorothie Hellman on Love, Crypto & Saving the World
Martin Hellman, co-creator of the Diffie-Hellman key exchange, and his wife of 53 years, Dorothie, talk about the current state of cryptography and what making peace at home taught them about making peace on Earth.
Read more

How to Evict Attackers Living Off Your Land
As cyber defenses improve, adversaries are shifting to stealthy “living-off-the-land” attacks that use targets’ own tools against them. Here are some tips to defend your turf.
Read more

An Inside Look at an Account Takeover
Earlier this year a phishing attack slipped through an email gateway, leading to a large-scale compromise. Here’s how it happened – and how artificial intelligence was key in its detection. Read more

The Edge is Dark Reading’s home for features, threat data and in-depth perspectives on cybersecurity. View Full Bio


A combination of best practices and best-in-class technology will help keep your enterprise from falling victim to ever-growing threats.

There are plenty of security solutions in place that protect sensitive data in motion, and at rest in enterprise storage and the cloud, from firewalls to data loss prevention software. But the mobile endpoint is one of the biggest security weaknesses today. Hackers know this and are exploiting it every day — Verizon’s “2020 Mobile Security Report” found that four in 10 companies were breached through a mobile device.

Mobile devices have been at the crux of some of the year’s most notable and high-profile attacks. Amazon CEO Jeff Bezos’ alleged iPhone compromise incident became a key example of how mobile devices can be penetrated without sophisticated brute-force hacking or techniques.

Simple phishing is the most common way mobile devices are compromised, and this threat is on the rise thanks to the increase in mobile device adoption and the surge in remote work during the COVID-19 pandemic. Not surprisingly, there was a 37% increase worldwide in enterprise mobile phishing between the fourth quarter of 2019 and the first quarter of 2020, according to Lookout. Malicious Wi-Fi hotspots and malicious applications are other common entry points to mobile device compromise.

What Happens if Mobile Device Security Fails
A lapse in mobile endpoint security can present significant threats, particularly when it comes to enterprise environments.

Mobile ransomware payloads can produce some of the worst outcomes, as they are notoriously difficult to detect and remove from mobile devices. Once a malware payload is successfully dropped through a common attack method, such as a text phishing attack or a malicious app download, an attacker can move laterally across the corporate network the device is connected to, locking files across other devices and demanding ransoms.

Spyware payloads provide an attacker with the ability to plug into an enterprise network via the mobile device or even access the device’s microphone, camera, or location services. Information obtained by device snooping can then be sold on the Dark Web to the highest bidder or be used to launch subsequent, sophisticated phishing attacks on other employees.

If an attacker creates a sophisticated phishing attack disguised as a user’s bank, it’s easy to mistakenly enter sensitive account credentials to a phony login prompt on a mobile device. The same can occur with enterprise apps like Microsoft 365 or Dropbox. Entering this login information can give the attackers everything they need to enter into a corporate account and exfiltrate critically important company data.

Mobility and Enterprise-Grade Security
There is no way to guarantee security in a mobile world. In addition to device security solutions like endpoint protection or application security solutions such as cloud access security brokers, and basic precautions like avoiding public Wi-Fi and utilizing a VPN, there are other best practices for securing the mobile endpoint. A combination of best practices and best-in-class technology solutions will help safeguard your enterprise from falling victim to ever-growing threats:

  • Ensure device OS and apps are up to date: Make sure any devices connected to a corporate network are updating their operating systems frequently, as many updates include patches for vulnerabilities that can be used by hackers to exploit mobile devices. Turn on “auto update” for applications so that the latest patches for the applications themselves are pushed to the device once available.
  • Use only sanctioned apps: All devices that touch an enterprise environment should download apps only from official app stores like Google Play and the Apple App Store. Hacker groups have been known to create duplicate apps, laced with malware, available from third-party websites.
  • Invest in employee security training: Employees are the weakest security link in an enterprise environment. It’s critical that they have the knowledge and training to not take the bait and click on malicious links or fall for social engineering attempts. Security technologies are often left with limited options once malware has infiltrated a device.
  • Require encryption: Encryption needs to be a requirement on sensitive corporate documents and communications. Your level of encryption should be congruent with the sensitivity of the business your organization conducts. For example, a top financial services firm should be very strict about its document and communication encryption policies and ensure its employees are only using sanctioned communications platforms that are end-to-end encrypted and within the bounds of company compliance regulations.
  • Strong passwords and password management: Implement a stringent company password policy. Require random characters, nothing shorter than 15 characters in length, and ensure employees don’t use the same password across enterprise and personal accounts. It’s also important to apply the principle of least privilege.

The Threat Continues
Mobile device attacks will continue to grow as more devices come online and as business users stay in a remote working environment. By sending, receiving, and storing important corporate data on their personal mobile devices, users are putting their organizations at risk and treating mobile security as an afterthought. It’s critical for enterprise employees to stay vigilant, use best security practices, and not underestimate the value and sensitivity of the data being shared across mobile devices.

Joel Wallenstrom is the CEO and President of Wickr and a world-renowned information security expert. Joel has led top white-hat hacker teams responding to some of the most high-profile incidents in the past 20 years. Under his executive guidance Wickr has since pivoted the …


The global pandemic and the easy availability of for-hire services and inexpensive tool sets gave adversaries more opportunities to attack.

The large-scale shift to remote work and the increased reliance on online services as the result of the global pandemic this year gave threat actors new opportunities to use distributed denial-of-service (DDoS) attacks to harass and extort organizations.

Providers of DDoS mitigation services reported an overall increase in attack volumes, attack sophistication, and attack complexity in 2020 compared with prior years. Adversaries went after more organizations in more industries than ever before, and the motives for launching attacks became as varied as the attacks themselves.

Tom Emmons, principal architect at Akamai, says the increased dependency on remote connectivity as a result of COVID-19 drove up risk levels overall and provided bad actors with more opportunities to monetize DDoS attacks.

The barriers to entry for DDoS attacks also became extremely low, driven by tool-set improvements and the easy availability of for-hire services that allowed attackers to launch bigger and more consequential attacks, Emmons says. The combination of the two trends led not only to an increase in attacks but also, more interestingly, to a change in targets, he says.

The evolving nature of DDoS attacks heightened the need for formal mitigation strategies at many organizations. “DDoS is a relatively simple attack to orchestrate since all public Internet-facing websites and services are sitting ducks,” says Mark Kedgley, CTO at New Net Technologies (NNT).

The best mitigation approaches continue to be the use of content distribution networks or Web application firewall technology to filter out malicious traffic. “The only real defense is using a reverse-proxy, content-distributed Web infrastructure that multiplies your Web presence and distributes access geographically while a mitigation process takes place to filter out the attack traffic,” Kedgley says.

Here are the major DDoS trends for 2020, according to Kedgley and other experts.

1) The Global Pandemic Drove a Sharp Increase in DDoS Attacks
Threat actors launched more DDoS attacks this year than ever before. Much of the increase was tied to the large-scale shift to remote work as a result of the global pandemic. Adversaries perceived more opportunities to attack organizations that suddenly were forced to support large distributed workforces and employees logging in from weakly protected home networks.

“As a result of the pandemic, we saw an unprecedented number of systems going online, with corporate resources now in less-secure home environments, and a massive increase in the use of VPN technology,” says Richard Hummel, threat intelligence lead at Netscout.

Netscout’s current projections forecast more than 10 million DDoS attacks in 2020, the most ever in a single year. In May 2020 alone, Netscout observed some 929,000 DDoS attacks, the largest ever in a 31-day period. During the height of the pandemic-related lockdown between March and June, the frequency of DDoS attacks increased 25% compared with the previous three-month period.

The attacks consumed huge amounts of network throughput and bandwidth and increased costs for both Internet service providers and enterprises.

Other vendors reported a similar increase in DDoS attack volumes. Nexusguard observed a 287% increase in attack volumes in the third quarter of 2020, with the online gaming and gambling community bearing the brunt of the attacks.

“Most recently, and as we headed into the holiday season primed with pent-up shopping demand driven by COVID restrictions, we again observed a significant uptick in both the number of DDoS attacks, up 65%, and the number of customers attacked, up 57%,” says Roger Barranco, vice president of global security operations at Akamai.

Contributing to the growth in attack volumes was the relatively easy availability of DDoS-for-hire services that allowed even novice threat actors to launch denial-of-service attacks. In many cases, it’s likely that low-level threat actors carried out DDoS attacks because of low entry barriers and the potential for monetary gain, says Stefano De Blasi, threat researcher at Digital Shadows. “In 2017, the average cost of a DDoS service was around $25,” De Blasi says. “In our recent analysis, similar services are available for an average of just less than $7,” he says.

2) Extortion DDoS Attacks Increased in Number
For the most part, threat actors continued to use DDoS attacks for diversionary purposes more so than anything else. In many cases, DDoS attacks were used as a diversion for data exfiltration attempts, or for distributing malware on networks while defenders were busy mitigating a DDoS flood.

At the same time, providers of DDoS mitigation services reported an increase in incidents where adversaries used large DDoS attacks — or threats of them — to try to extort organizations in multiple sectors.

One example was a large, and still ongoing, campaign that Akamai and others first reported in August involving threat actors who identified themselves as belonging to previously known nation-state-backed groups: Fancy Bear, Lazarus Group, and the Armada Collective. The campaign targeted thousands of organizations in the financial services, e-commerce, and travel sectors and involved multivector DDoS floods, some of which peaked at around 200 Gbps.

Before the attacks began, the threat actors typically sent intended victims a ransom denial-of-service extortion email in which they claimed they would conduct a small DoS attack as proof of their capabilities. The email warned targets of substantially larger attacks if they weren’t paid a ransom in six days. Most organizations that received the threatening emails crossed the six-day mark without further incident. A few, though — including some very prominent ones — experienced substantial operational issues as a result of follow-on attacks, according to an FBI advisory on the campaign.

“At the end of the day, criminal actors are about one thing: money, money, and more money,” says Akamai’s Barranco.

For DDoS in particular, adversaries are highly motivated to try extortion attempts to drive profits, he says. The fact that the DDoS extortion campaign that started in August is still ongoing indicates that threat actors are making money and that some victim organizations are paying the ransom, he says. “It’s easy to foresee the problem continuing into 2021 unless arrests are made,” he says. “Paying the threat actors just emboldens them and incentivizes their criminal endeavors.”

3) Multivector Attacks Became More Common
DDoS attacks became faster and a lot more complex this year. Adversaries tried to overwhelm enterprise defenses with campaigns that combined multiple different attack vectors at the network, application, and data layers.

An analysis of network data that Netscout conducted in 2020 found a 2,815% increase over 2017 in DDoS attacks using 15 or more attack vectors. The most common among them were attacks that abused protocols such as CLDAP and DNS as well as TCP, Chargen, MTP, OpenVPN, SNMP, SSDP, and BitTorrent. Other commonly used attack vectors included HTML, TFTP, Quake, NetBIOS, and IPMI.

Netscout found that even as multivector attacks increased sharply, the number of single-vector DDoS attacks dropped 43% in the first half of 2020. The average duration of DDoS attacks, too, was down 51% in the first half of 2020 compared with the same period the prior year, shortening the window for mitigation response.

All of this equated to increased complexity for organizations and heightened risk of service downtime, customer churn, and increased network transit and mitigation costs, says Netscout’s Hummel. “Cybercriminals pounced on pandemic-driven vulnerabilities, launching an unprecedented number of shorter, faster, more-complex attacks designed to increase ROI,” Hummel says.

According to Akamai, multivector attacks became so common in 2020 that some 33% of the attacks the company mitigated in the first half of the year involved three or more vectors.

4) DDoS Attacks Became Bigger
Most DDoS attacks in 2020 were relatively small in size, as they have been in recent years. Some 99% of the DDoS attacks that AWS mitigated on its network, for instance, were about 43 Gbps in size. However, at the same time, big attacks got bigger in 2020. In February, AWS reported blocking a CLDAP reflection attack with a peak volume of 2.3 Tbps, which was about 44% larger than any other attack the company had previously blocked. Before that incident, the largest DDoS attacks on AWS networks were less than 1 Tbps.

In late May and continuing into June, Akamai reported mitigating a 1.44 Tbps attack that at its peak involved a staggering 809 million packets per second. The company described it as the largest and most sophisticated DDoS attack it had helped mitigate. “During the first half of 2020, it was all about large, complex attacks against customers in the financial services and hosting spaces,” Barranco says.

UDP reflection was by far the most commonly observed vector in large DDoS attacks, according to AWS. This included attacks such as NTP reflection, DNS reflection, and SSDP reflection attacks. “Each of these vectors is similar in that an attacker spoofs the source IP of the victim application and floods legitimate UDP services on the Internet,” AWS said in its threat landscape report for the first quarter of 2020. “Many of these services will unwittingly respond with one or more larger packets, resulting in a larger flood of traffic to the victim application.”
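The reflection pattern AWS describes above, and the multivector attacks discussed under trend 3, both leave a recognizable footprint in flow telemetry: reflected traffic arrives at the victim from a well-known UDP service port, from many distinct reflector addresses, in unusually large packets, and a multivector campaign shows several such footprints at once. The following Python is an added example written for this page, not code from AWS, Akamai or Netscout. The flow records are constructed, and the port-to-vector mapping and the thresholds (three or more distinct sources, a 400-byte average packet size, and three or more vectors for “multivector”) are this example’s own assumptions, not figures from the article.

```python
"""Flag UDP reflection and multivector DDoS patterns in NetFlow-style records.

Added example for illustration; all records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Standard IANA UDP ports for the reflection vectors the article names.
# Treating "source port == service port" as the reflector label is an assumption
# made for this example; real telemetry pipelines usually enrich it further.
REFLECTOR_PORTS = {
    19: "Chargen", 53: "DNS", 69: "TFTP", 123: "NTP", 137: "NetBIOS",
    161: "SNMP", 389: "CLDAP", 623: "IPMI", 1900: "SSDP",
}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp", "tcp" or "icmp"
    packets: int
    bytes: int


def classify(flow: Flow) -> str:
    """Map one inbound flow to a coarse attack-vector label."""
    if flow.proto == "udp":
        return REFLECTOR_PORTS.get(flow.src_port, "UDP-other")
    if flow.proto == "tcp":
        return "TCP"
    return flow.proto.upper()


def summarize(flows, window_seconds, min_sources=3, min_avg_bytes=400):
    """Aggregate traffic per destination and vector; flag reflection and multivector patterns.

    A vector counts as reflection when it comes from a known reflector port,
    from at least `min_sources` distinct addresses, with an average packet
    size of at least `min_avg_bytes` (reflected replies are large; spoofed
    requests never reach the victim, so only the replies are seen here).
    """
    per_dst = defaultdict(lambda: defaultdict(
        lambda: {"packets": 0, "bytes": 0, "sources": set()}))
    for f in flows:
        v = per_dst[f.dst_ip][classify(f)]
        v["packets"] += f.packets
        v["bytes"] += f.bytes
        v["sources"].add(f.src_ip)

    report = {}
    for dst, vectors in per_dst.items():
        entry = {"vectors": {}, "reflection_vectors": [], "multivector": False}
        total_bytes = 0
        for name, v in vectors.items():
            avg = v["bytes"] / v["packets"]
            entry["vectors"][name] = {
                "packets": v["packets"], "bytes": v["bytes"],
                "avg_packet_bytes": round(avg, 1), "sources": len(v["sources"]),
            }
            total_bytes += v["bytes"]
            if (name in REFLECTOR_PORTS.values()
                    and len(v["sources"]) >= min_sources and avg >= min_avg_bytes):
                entry["reflection_vectors"].append(name)
        entry["multivector"] = len(vectors) >= 3
        entry["gbps"] = round(total_bytes * 8 / window_seconds / 1e9, 3)
        report[dst] = entry
    return report


def sample_flows():
    """Constructed 10-second window: one victim hit by NTP + DNS reflection plus a
    TCP flood, and one host receiving a single ordinary DNS reply."""
    victim, benign = "203.0.113.10", "203.0.113.20"   # RFC 5737 documentation addresses
    flows = []
    for i in range(1, 5):   # four NTP reflectors, 482-byte replies
        flows.append(Flow(f"198.51.100.{i}", 123, victim, 50000 + i, "udp", 1000, 482_000))
    for i in range(5, 8):   # three open DNS resolvers, 3000-byte replies
        flows.append(Flow(f"192.0.2.{i}", 53, victim, 50000 + i, "udp", 500, 1_500_000))
    for i in range(50, 55):  # five TCP sources sending 40-byte packets at port 443
        flows.append(Flow(f"192.0.2.{i}", 40000 + i, victim, 443, "tcp", 20000, 800_000))
    flows.append(Flow("192.0.2.53", 53, benign, 51234, "udp", 2, 300))  # normal lookup
    return flows


def demo():
    return summarize(sample_flows(), window_seconds=10)


if __name__ == "__main__":
    for dst, entry in demo().items():
        print(dst, "reflection:", entry["reflection_vectors"],
              "multivector:", entry["multivector"], "Gbps:", entry["gbps"])
```

The benign host shows why the distinct-source threshold matters: a single large DNS reply from one resolver is ordinary traffic, whereas hundreds of large replies from many resolvers the victim never queried is the reflection signature. The same per-vector breakdown is what a mitigation provider would use to decide which filters to apply first.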

Hummel says the main factors that drove the bandwidth and throughput of DDoS attacks were attacker innovation and the continued development and deployment of insecure servers, services, and applications across the global Internet. Also contributing to the growing scale of DDoS attacks were the attempts by attackers to make use of both compromised servers and a group of reflectors located topologically near their targets, whenever possible, in order to get as much attack traffic as possible on target.

5) DDoS Attacks Targeted More Organizations Across More Industries Than Ever
Organizations within the online gaming and gambling communities once again tended to be the most frequently targeted in DDoS attacks. Seventy-seven percent of the DDoS attacks that Nexusguard observed in the third quarter were aimed at the gaming and gambling communities.

However, in 2020 attackers also broadened their range of targets to include organizations in verticals such as e-commerce, healthcare, and educational services. With more people working, shopping, and studying online as a result of pandemic-related social distancing measures, attackers also turned their attention to websites belonging to delivery services firms, retailers, and organizations providing distance learning services.

The attacker activity reflects the broader trend of threat actors moving beyond high-risk sectors commonly associated with DDoS attacks to a much wider set of industries and verticals to target for disruption, Barranco says. “There was a major shift in DDoS trends where attacks were being spread out amongst multiple verticals versus, for example, last year the games vertical was targeted comparatively at a much higher level,” he says.

According to Akamai, the industries that experienced the biggest spike in DDoS attacks included the financial services sector, which saw a 222% year-over-year increase; the education sector, with a 178% jump; and the Internet and telecom sector, which experienced a 210% increase over 2019.

In the week following Thanksgiving, financial services firms were more heavily targeted in DDoS attacks than even the online gaming companies, Barranco says. “Throughout 2020, DDoS threat actors [went] wider and deeper among a diverse array of industries than ever before,” he notes.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …
