China-based Spiral group is believed to be behind year-long attack, which exploited a flaw in SolarWinds Orion technology to drop a Web shell.

Members of an advanced persistent threat (APT) group, masquerading as teleworking employees with legitimate credentials, accessed a US organization’s network and planted a backdoor called Supernova on its SolarWinds Orion server for conducting reconnaissance, domain mapping, and data theft.

The attackers had access to the network for nearly one year, from March 2020 to February 2021, before they were discovered and blocked, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said Thursday in a report summarizing the findings of its investigation into the incident.

The report is the latest involving SolarWinds and its Orion network management server technology. However, the Supernova tool and the APT group behind it are separate from the group that used legitimate Orion software updates to distribute malware dubbed Sunburst to 18,000 organizations around the world. Last week the US government formally attributed that widely reported attack — described by many as one of the most sophisticated ever — to Russia’s Foreign Intelligence Service, SVR.

CISA’s malware analysis report, which includes indicators of compromise and mitigation recommendations, did not attribute the Supernova attack to any specific group or country. However, others such as Secureworks that have investigated similar intrusions lately have ascribed Supernova and its operators to Spiral, a believed China-based threat group. Only a small handful of organizations are known to have been infected with Supernova, so far at least.

In its report, CISA describes the incident as likely beginning last March when the attackers connected to the unnamed US entity’s network via a Pulse Secure virtual private network (VPN) appliance. CISA’s investigation showed the attackers used three residential IP addresses to access the VPN appliance. They authenticated to it using valid user accounts, none of which were protected by multifactor authentication. CISA said it has not been able to determine how the attackers obtained the credentials. The VPN access allowed the attackers to masquerade as legitimate remote employees of the organization.

Once the attackers gained initial access to the victim network, they moved laterally on it to the SolarWinds Orion server and installed Supernova, a .Net Web shell, on it. As was the case with the handful of other breaches involving Supernova, the attackers appear to have exploited an authentication bypass flaw (CVE-2020-10148) in SolarWinds Orion’s API to execute a PowerShell script for running the Web shell.

“CISA believes the threat actor leveraged CVE-2020-10148 to bypass the authentication to the SolarWinds appliance and then used SolarWinds Orion API to run commands with the same privileges the SolarWinds appliance was running (in this case SYSTEM),” CISA explained.

Unlike the Sunburst backdoor associated with the Russia campaign, the attackers did not embed Supernova into the Orion technology. Instead, they installed the malware on servers running Orion by exploiting CVE-2020-10148. Once installed, the attackers used the Web shell to dump credentials from the SolarWinds server. Weeks later the adversary again connected via the VPN appliance and tried using the stolen credentials to access an additional workstation. On another occasion, the threat actor used Windows Management Instrumentation and other legitimate utilities to gather information about running processes and to collect, archive, and exfiltrate data.

Consistent With Other Attacks
Don Smith, senior director with Secureworks’ counter threat unit, says the timing, tools, tactics, and procedures that CISA described this week are consistent with the company’s own findings from its investigation of two intrusions at a customer location.

The report corroborates “our assessment that the two intrusions we responded to at the same organization were both perpetrated by the same threat actor, [Spiral, aka Bronze Spiral],” Smith says.

Those TTPs included initial access through exploitation of vulnerable Internet-facing systems, he says. They also included “deployment of the Supernova Web shell, credential theft, ongoing access through VPN services using legitimate credentials, the deployment of other tools renamed to disguise their function, and the use of compromised infrastructure for command and control,” Smith says.

The Supernova campaign was highly targeted and appears to have impacted only a very small number of organizations. However, it does serve as an example of how adversaries are constantly looking for vulnerabilities they can exploit for initial access. Once established on a network, such threats can be hard to eliminate, Smith notes.

“We should also remember that it does not take long for other, more opportunistic threats like ransomware operators to seize on exploits once they become public and look to use them for their own gain, at which point any organization is a potential target,” he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


The National Security Agency (NSA) recently issued a warning to private industry about four zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 used on-premises. The NSA recommends immediate patching of the vulnerabilities before they are exploited by threat actors.

The vulnerabilities could lead to remote execution of code that would allow threat actors to take full control of the Exchange Servers and have access to, and control of, entire networks. Two of the vulnerabilities can be exploited remotely without any user interaction (which means that there is no need for phishing or other types of scams to get employees to do something to introduce the code into the system). The NSA has rated the vulnerabilities as highly critical.

Following the discovery of the vulnerabilities, the Cybersecurity and Infrastructure Security Agency ordered patching of all affected on-premises Exchange Servers at federal agencies and instructed agencies to remove from federal networks any servers that cannot be patched.

Patches for the vulnerabilities were released this week by Microsoft on Patch Tuesday. IT professionals may wish to consider the warning by NSA when prioritizing those patches.

The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign “skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, and avoid detection.”

As further proof of this, new research published today shows that the threat actor carefully planned each stage of the operation to “avoid creating the type of patterns that make tracking them simple,” thus deliberately making forensic analysis difficult.

By analyzing telemetry data associated with previously published indicators of compromise, RiskIQ said it identified an additional set of 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware, representing a 56% jump in the attacker’s known command-and-control footprint.


The “hidden patterns” were uncovered through an analysis of the SSL certificates used by the group.

The development comes a week after the U.S. intelligence agencies formally attributed the supply chain hack to the Russian Foreign Intelligence Service (SVR). The compromise of the SolarWinds software supply chain is said to have given APT29 (aka Cozy Bear or The Dukes) the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the U.S. government.

The attacks are being tracked by the cybersecurity community under various monikers, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity), because the tactics, techniques, and procedures (TTPs) employed by the adversary differ from those of known attacker profiles, including APT29.

“Researchers or products attuned to detecting known APT29 activity would fail to recognize the campaign as it was happening,” said Kevin Livelli, RiskIQ’s director of threat intelligence. “They would have an equally hard time following the trail of the campaign once they discovered it, which is why we knew so little about the later stages of the SolarWinds campaign.”

Earlier this year, the Windows maker noted how the attackers went to great lengths to ensure that the initial backdoor (SUNBURST aka Solorigate) and the post-compromise implants (TEARDROP and RAINDROP) stayed separated as much as possible so as to hinder efforts to spot their malicious activity. This was done so that, in the event the Cobalt Strike implants were discovered on victim networks, their discovery would not reveal the compromised SolarWinds binary and the supply chain attack that led to their deployment in the first place.


But according to RiskIQ, this is not the only step the APT29 actor took to cover its tracks, which included —

  • Purchasing domains via third-party resellers and at domain auctions under varying names, in an attempt to obscure ownership information and repurchasing expired domains hitherto owned by legitimate organizations over a span of several years.
  • Hosting the first-stage attack infrastructure (SUNBURST) entirely in the U.S., the second-stage (TEARDROP and RAINDROP) primarily within the U.S., and the third-stage (GOLDMAX aka SUNSHUTTLE) mainly in foreign countries.
  • Designing attack code such that no two pieces of malware deployed during successive stages of the infection chain looked alike, and
  • Engineering the first-stage SUNBURST backdoor to beacon to its command-and-control (C2) servers with random jitter after a two-week period, in a likely attempt to outlive the typical lifespan of event logging on most host-based Endpoint Detection and Response (EDR) platforms.

“Identifying a threat actor’s attack infrastructure footprint typically involves correlating IPs and domains with known campaigns to detect patterns,” Livelli said.

“However, our analysis shows the group took extensive measures to throw researchers off their trail,” he added, pointing to the lengths the actor went to in order to avoid creating such patterns.

Web sites for customers of agricultural equipment maker John Deere contained vulnerabilities that could have allowed a remote attacker to harvest sensitive information on the company’s customers including their names, physical addresses and information on the Deere equipment they own and operate.

The researcher known as “Sick Codes” (@sickcodes) published two advisories on Thursday warning about the flaws in the web site and the John Deere Operations Center web site and mobile applications. In a conversation with Security Ledger, the researcher said that he was able to use VINs (vehicle identification numbers) taken from a farm equipment auction site to identify the name and physical address of the owner. Furthermore, a flaw in the website could allow an unauthenticated user to carry out automated attacks against the site, possibly revealing all the user accounts for that site.

Sick Codes disclosed both flaws to John Deere and also to the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA), which monitors food and agriculture as a critical infrastructure sector. As of publication, the flaws discovered in the Operations Center have been addressed, while the status of the flaws in the other web site is not known.

Contacted by The Security Ledger, John Deere did not offer comment regarding the bulletins prior to publication.

Sick Codes, the researcher, said he created a free developer account with Deere and found the first vulnerability before he had even logged into the company’s web site. The two flaws he disclosed represent only an hour or two of probing the company’s website and Operations Center. He feels confident there is more to be found, including vulnerabilities affecting the hardware and software deployed inside the cabs of Deere equipment.

“You can download and upload stuff to tractors in the field from the web. That is a potential attack vector if exploitable.”

Ag Equipment Data: Fodder for Nation States

The information obtained from the John Deere websites, including customer names and addresses, could put the company afoul of data security laws like California’s CCPA or the Personal Information Protection Act in Deere’s home state of Illinois. However, the national security consequences of the company’s leaky website could be far greater. Details on what model combines and other equipment is in use on what farm could be of very high value to an attacker, including nation-states interested in disrupting U.S. agricultural production at key junctures, such as during planting or harvest time.

The consolidated nature of U.S. farming means that an attacker with knowledge of specific, Internet connected machinery in use by a small number of large-scale farming operations in the midwestern United States could launch targeted attacks on that equipment that could disrupt the entire U.S. food supply chain.

Despite creating millions of lines of software to run its sophisticated agricultural machinery, Deere has not registered so much as a single vulnerability with the Government’s CVE database, which tracks software flaws.

At Risk: Devastating Attacks on Food Chain

Agriculture is uniquely susceptible to such disruptions, says Molly Jahn, a Program Manager in the Defense Sciences Office at DARPA, the Defense Advanced Research Projects Agency and a researcher at the University of Wisconsin, Madison.


“Unlike many industries, there is extreme seasonality in the way John Deere’s implements are used,” Jahn told Security Ledger. “We can easily imagine timed interference with planting or harvest that could be devastating. And it wouldn’t have to persist for very long at the right time of year or during a natural disaster – a compound event.” An attack aimed at economic sabotage and carried out through combines at harvest time in the Midwest would be “devastating and unrecoverable depending on the details,” said Jahn.


However, the Agriculture sector and firms that supply it, like Deere, lag other industries in cyber security preparedness and resilience. A 2019 report released by Department of Homeland Security concluded that the “adoption of advanced precision agriculture technology and farm information management systems in the crop and livestock sectors is introducing new vulnerabilities into an industry which had previously been highly mechanical in nature.”

DHS Report: Threats to Ag Not Taken Seriously

“Most of the information management / cyber threats facing precision agriculture’s embedded and digital tools are consistent with threat vectors in all other connected industries. Malicious actors are also generally the same: data theft, stealing resources, reputation loss, destruction of equipment, or gaining an improper financial advantage over a competitor,” the report read.

The research group that prepared that report visited large farms and precision agriculture technology manufacturers “located throughout the United States.” The report concluded that “potential threats to precision agriculture were often not fully understood or were not being treated seriously enough by the front-line agriculture producers.”

Jahn said the U.S. agriculture sector has emphasized efficiency and cost savings over resilience. The emergence of precision agriculture in the last 15 years has driven huge increases in productivity, but also introduced new risks of disruptions that have not been accounted for.

“We have not thought about protecting the data from unwanted interference of any type,” she said. “That includes industrial espionage, sabotage or a full on attack…I have consistently maintained cyber risk on the short list of existential threats to US food and agriculture system.”

Goodness is hard to measure. More so in the field of Cybersecurity. In the physical world, if you possess something, say a $1 bill, you have it. If you spend it, you don’t have it. If someone steals it, you don’t have it, either. The digital world is quite different. Digital copies are the same as the original – exactly the same. Each replicated copy is at least as original as the original original. “Can you send me a copy?” can only be answered, “No, but I can send you an original.”

You know all that.

A non-time-sensitive digital asset that could be infinitely replicated was itself of little value. It could be replicated many times and in theory “spent” many times. But of course, there were no buyers. Enter cryptocurrency, Bitcoin for an obvious example. A Bitcoin aspires to be a digital $1 bill that can neither be double-spent nor infinitely replicated. How do those two miracles occur? Blockchain.

Data’s Deep Fake Problem

What else can we do with this marvelous technology that allows us to prove in the digital world that if I have something, I really have it, and if I do not have it, I really don’t have it?

First Digital Photo

The first digital image ever created was of Russell Kirsch’s son, Walden, scanned from a photograph in 1957. (Source: Wikipedia.)

More than 60 years ago, the first digital photograph was created. Businesses missed the implication. Film-based photographs were hard to manipulate; not so digital photographs which can be easily manipulated. The implication is that the integrity of the photographic data on which a business decision was being made had very substantially degraded. And, no one seemed to notice… for a while.

When businesses did notice, they just started to drop photographs from their business processes. Rightly so. The integrity of the data was highly suspect and nowhere near the quality for a serious business decision. Enter blockchain once again. Blockchain enables the data to be “frozen” at the “moment of creation.” The integrity of the data is preserved and actionable business decisions can be made by responsible people.

How do we think about this? What is the right way to analogize what we know? For illustration and conversation, the present authors offer the table below, the Data Integrity Scale, in the hope of making levels of “goodness” contributory to decision support. Availability has metrics – downtime can easily be measured – but, until now, Integrity has not had a firm scale to measure with.

A Scale for Data Integrity

Most current systems are not designed to protect the Integrity of the data from the moment of creation until the point of use. Protect its Confidentiality? Yes. Protect its Availability? Yes, again. The more we depend on data to drive processes of increasing complexity, the more Integrity supplants Confidentiality and Availability as the paramount goal of cybersecurity.

The authors propose a scale to measure data integrity.

The Cyber Integrity Question of 2021

The table attempts to correlate the measures of trustworthiness across the domains of Law, Accounting, and Business. The sort of question that jumps out from the table might be:

Since I require the proof of a person’s identity (credentialing) be above the red bar before I would let him or her act on the company’s data, why should I not also require that data be above the red bar before I allow it to act on other company data?

“Data integrity is the maintenance of, and the assurance of, the accuracy and consistency of data over its entire life-cycle, and is a critical aspect to the design, implementation, and usage of any system which stores, processes, or retrieves data. … It is at times used as a proxy term for data quality.” [5]

But “quality” without a way to define and measure it, is an ephemeral term. One common definition of quality is “conformance to requirements.” Here, we might require that the Integrity of data be “above the bar” on the Data Integrity Scale. 

A report from Deloitte (PDF) indicates that Data Integrity violations account for over 40 percent of pharmaceutical warning letters issued globally. 

The historical methods of chasing Visibility and Context through Data Governance down a long chain-of-custody/audit trail are now outdated techniques (and not very reliable in any event – too many steps along the way). A registered “record copy” via blockchain technology is a far better solution. Businesses that are assiduously checking for viruses (aka automated tampering), should also ensure the data they actually use for major decisions has Integrity and is not the result of automated or physical tampering. Blockchain technology allows photos, videos, and other data to jump “above the bar.”
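The “registered record copy” idea above can be shown concretely with a small append-only hash chain. The code below is an added illustration written for this article, not any product’s code and not a full blockchain (there is no consensus or distribution layer); the sample photo bytes, timestamps and the `Ledger`/`Entry` names are constructed for the example. It freezes a SHA-256 digest of the data at registration time, links each entry to its predecessor, and then shows the three outcomes a decision maker cares about: the original verifies, an edited copy does not, and an attempt to rewrite the ledger entry to bless the edit is caught by the chain.

```python
"""Append-only hash chain that registers a "record copy" digest for a piece
of data (a photo, a video frame, a sensor reading) at the moment of creation
and can later prove whether the data, or the ledger itself, has been altered.
Illustrative example with a constructed sample photo; not any product's code."""
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # previous-hash value used by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    index: int
    timestamp: float      # registration time supplied by the caller
    data_digest: str      # SHA-256 of the registered data
    prev_hash: str        # entry_hash of the previous entry (links the chain)
    entry_hash: str = ""  # SHA-256 over this entry's other fields

    def compute_hash(self) -> str:
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "data_digest": self.data_digest, "prev_hash": self.prev_hash},
            sort_keys=True,
        ).encode()
        return sha256_hex(payload)


class Ledger:
    def __init__(self) -> None:
        self.entries = []

    def register(self, data: bytes, timestamp: float) -> Entry:
        """Freeze a digest of `data` as a new entry chained to the last one."""
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_PREV
        entry = Entry(len(self.entries), timestamp, sha256_hex(data), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry hashes correctly and links to its predecessor."""
        prev = GENESIS_PREV
        for i, entry in enumerate(self.entries):
            if (entry.index != i or entry.prev_hash != prev
                    or entry.entry_hash != entry.compute_hash()):
                return False
            prev = entry.entry_hash
        return True

    def verify_data(self, index: int, data: bytes) -> bool:
        """True only if the chain is intact and `data` matches the frozen digest."""
        return self.verify_chain() and self.entries[index].data_digest == sha256_hex(data)


def demo() -> dict:
    """Register a constructed photo, then run the three checks described above."""
    photo = b"constructed sample: JPEG bytes of combine #7 at 09:00"
    edited = photo.replace(b"09:00", b"10:00")

    ledger = Ledger()
    first = ledger.register(photo, timestamp=1_600_000_000.0)
    ledger.register(b"constructed sample: a second record", timestamp=1_600_000_060.0)

    results = {
        "original_verifies": ledger.verify_data(first.index, photo),
        "edited_verifies": ledger.verify_data(first.index, edited),
    }

    # An insider rewrites entry 0 to match the edited photo and even recomputes
    # its own hash; entry 1 still carries the old prev_hash, so the chain breaks.
    ledger.entries[0].data_digest = sha256_hex(edited)
    ledger.entries[0].entry_hash = ledger.entries[0].compute_hash()
    results["ledger_tamper_detected"] = not ledger.verify_chain()
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the second registration is that a single entry can always be rewritten by whoever holds the ledger; it is the link from the next entry (and, in a real deployment, the copies of the chain held by other parties) that makes the frozen digest trustworthy.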

Back to the Future

Roll back those 50 years – actually to 1957 – when the world encountered the first digital photograph. A person needed the skills of a professional photographer to fake a photograph. There was a general feeling of “trust” in what was depicted in a photograph. That was then and this is now, but with adroit use of blockchain technology it is once again possible to have “trust” in photographs and videos, and to restore Integrity.

What can you do with that “trust?” Business decision makers no longer have to deal with information along a previously believed continuum of certitude, “through a glass darkly,” but rather can see clearly the demarcations where information is useful and not useful.

The rapid digitalization of business processes has caused a greater need for accurate data as there are no longer humans further upstream in the process to keep the low-quality data from infecting the automated business decision process.

Now is the time to align the ordinal scales of jurisprudence and accounting with each other and with like-minded ordinal scales for business processes. We offer a first cut at that necessary advance; we hope that it is sufficient to purpose and self-explanatory, and will allow this advancement in technology to open new markets with innovative products.


  1. Legal
     “Beyond a Reasonable Doubt.” Whitman J. (2005), The Origins of Reasonable Doubt, Yale University Press.
     “Clear and Convincing Proof.” Colorado v. New Mexico, 467 U.S. 310, 467 (1984).
     “Preponderance of the evidence.” Leubsdorf J. (2015), The Surprising History of the Preponderance Standard of Civil Proof, 67 Fla. L. Rev. 1569.
     “Substantial Evidence.” Richardson v. Perales, 402 U.S. 389, 401 (1971).
     “Probable Cause.” United States v. Clark, 638 F.3d 89, 100–05 (2d Cir. 2011).
     “Reasonable Suspicion.” Terry v. Ohio, 392 U.S. 1 (1968).
     “Mere Scintilla.” Hayes v. Lucky, 33 F. Supp. 2d 987 (N.D. Ala. 1997).
  2. CPA
     “In all material respects.” Materiality Considerations for Attestation Engagements, AICPA, 2020.
     “Reasonable Assurance.” Guide to Financial Statement Services: Compilation, Review, and Audit, AICPA, 2015; AU-C 200: Overall Objectives of the Independent Auditor, AICPA, 2015; AU-C 240: Consideration of Fraud in a Financial Statement Audit, AICPA, 2015.
     “Substantial Authority,” “Realistic possibility,” “Reasonable basis,” “Frivolous or Patently Improper.” Interpretations of Statement on Standards for Tax Services No. 1, Tax Return Positions, AICPA (effective Jan. 1, 2012; updated April 30, 2018).
  3. Identities
     NIST Special Publication 800-63, Revision 3, June 2017.
  4. Photos and Videos
     “SOC 2.” AICPA, Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. Updated January 1, 2018.
     “ISO 27001” is an international standard on how to manage information security. Revised 2013. The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations.
     “GDPR.” The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. Implementation date: 25 May 2018.
  5. Boritz, J. “IS Practitioners’ Views on Core Concepts of Information Integrity.” International Journal of Accounting Information Systems. Elsevier. Archived from the original on 5 October 2011.
  6. Under the Spotlight: Data Integrity in Life Sciences [Internet]. Deloitte LLP, 2017. [Cited: 4 March 2020].

Password Reset

There are many labor-intensive tasks that the IT service desk carries out on a daily basis. None is as tedious and costly as resetting passwords.

Modern IT service desks spend a significant amount of time both unlocking and resetting passwords for end-users. This issue has been exacerbated by the COVID-19 pandemic.

Causes of account lockouts and password resets

End-user password policies, such as those found in Microsoft Active Directory Domain Services (ADDS), typically define a password age. The password age is the length of time an end-user can keep their current password.

While new guidance from NIST recommends against the long-held notion of forced password changes, it is still a common and required security mechanism across other compliance standards and industry certifications such as PCI and HITRUST.

When the password age is reached for the user account, the user must change their account password. It is generally prompted at the next login on their workstation. This scenario creates a series of likely events. Many end-users procrastinate changing their password, even if they are notified ahead of time.

Users also have various mobile devices connected to their accounts. If a user does not synchronize all device passwords when the account password is eventually changed, this will create issues that can lead to a lockout. It can create further confusion as the end-user may be using the correct password on their workstation.

What are the costs of account lockouts and password resets?

It might seem like a simple password reset is a trivial matter with no actual cost to the business. However, the data shows otherwise. A study by the Gartner Group found that between 20% and 50% of all service desk calls were for performing password resets. Forrester Research adds to this finding with research showing that the average help desk labor cost for a single password reset can be upwards of $70.

You may wonder, how is this possible?

First, suppose the organization follows best-practice security processes (which it should). In that case, the identity of the user requesting the password change must be verified before the password can be changed for that end-user. Why is this? An attacker may use social engineering tactics to persuade the service desk to change a legitimate user’s account password. This scenario hands an attacker legitimate credentials, which leads to a compromise of the environment. The process of verifying end-user identity by manual means can be time-consuming.

Next, businesses may still be using interconnected legacy systems that require manually changing passwords in multiple places rather than a single change flowing across the environment seamlessly. The manual process required for the helpdesk team to ensure a password is changed correctly may be labor-intensive.

It can require the helpdesk team to log in and use many different tools for changing a password in multiple systems for a single user account. Finally, the end-user may be “dead in the water” waiting on the IT service desk to assist with unlocking a locked user account or resetting a password. The time spent where an end-user is locked out and unable to perform their work duties in itself will result in impacted business processes and will ultimately cost the business.

What tools reduce the cost of account lockouts and password resets?

Organizations looking to reduce the cost of account lockouts and password resets can significantly benefit from Self-Service Password Reset (SSPR) tools. Much as the name implies, an SSPR solution allows end-users to unlock their account and reset their passwords using a self-service workflow.

End-users have to enroll or be enrolled by system admins ahead of time in the SSPR solution for onboarding purposes. The user-led enrollment process allows the end-user to configure the various multi-factor identification methods needed to verify their identity to perform the self-service actions. It may include setting up synchronization with an authenticator app such as Google Authenticator, mobile verification by text or phone call, or other means. If led by the admin, this can require pre-filling the required verifier information in users’ Active Directory profiles.

Once the end-user enrolls/is enrolled in the solution, they can visit a web portal to begin the workflows to unlock their account or reset their password. They can do this without any involvement or intervention from the IT helpdesk. As you can imagine, this can reap tremendous benefits in terms of offloading the workflow from the service desk and allowing the end-user to take care of triaging their account issues.

SSPR solutions are only as good as the number of end-users who are enrolled. A good SSPR solution allows administrators to have the tools needed to onboard users programmatically. This capability includes pre-enrolling users, which doesn’t require effort from admins or end-users as the system would rely on existing Active Directory identifier data to enable users to use authentication methods that rely on that data. When this option is present in SSPR solutions, it can dramatically increase the adoption of the SSPR solution across the board.

Lowering password reset costs with Specops uReset SSPR

An effective SSPR solution provides the tools and capabilities needed for businesses to quickly give end-users easy enrollment capabilities and perform self-service account workflows. Specops uReset is a robust Self-Service Password Reset solution that effectively allows companies to eliminate password reset calls to their IT helpdesk.

It provides the following capabilities:

  • Enables users to reset their Active Directory passwords securely
  • Users can use any device and can reset their password from anywhere
  • Enrollment enforcement
  • Users can initiate the password reset process from a browser, mobile device, or right from the Windows logon screen
  • It allows companies to implement a series of multi-factor authentication requirements that align with the business cybersecurity policies
  • It includes geo-blocking
  • Administrators have access to PowerShell scripts to quickly onboard users into uReset.

Specops uReset self-service workflow

When users are locked out of their account or have forgotten their password, the Specops web portal allows them to unlock their account quickly.

Specops uReset allows quickly unlocking accounts and resetting passwords

The end-user is asked to verify their identity using the first of the configured multi-factor verification methods.

Mobile Code verification in Specops uReset

The user is then prompted for the second configured multi-factor authentication method. As the screenshot below shows, Specops accumulates a required number of “stars” across the configured multi-factor authentication mechanisms. Here, three stars are needed for verification. However, this is configurable and can include multiple verification methods.

A second form of multi-factor authentication is needed for identity verification

The end-user enters the code from Google Authenticator.

Entering the code from Google Authenticator
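The star mechanism in the walkthrough above is a weighted-strength policy, and the question an administrator should ask of any such policy is which combinations of methods are enough to reach the threshold. The code below is an added example, not Specops code: it models methods with star weights and factor types, computes how many stars a user has earned, enumerates the minimal combinations that satisfy the threshold, and flags any path that can be completed with knowledge factors alone. The weights, the three-star threshold and the factor categories are assumptions for illustration, not product defaults.

```python
"""Star-weighted verification policy check for self-service reset.

Added example, not Specops code. Each completed verification method
contributes a configured number of stars and the reset is released only
once the required total is reached. Weights, threshold and factor
categories below are assumptions chosen to show how to review a policy.
"""
from itertools import combinations

# method -> (stars, factor type). Assumed values, not product defaults.
METHODS = {
    "mobile_code":        (1, "possession"),   # SMS code to the enrolled number
    "email_code":         (1, "possession"),   # code to an alternate mailbox
    "security_questions": (1, "knowledge"),
    "authenticator":      (2, "possession"),   # TOTP app such as Google Authenticator
}
REQUIRED_STARS = 3


def evaluate(completed, methods=METHODS, required=REQUIRED_STARS):
    """Return (stars earned, stars still missing). A method counts only once."""
    stars = 0
    for m in set(completed):
        if m not in methods:
            raise ValueError(f"unknown verification method: {m}")
        stars += methods[m][0]
    return stars, max(0, required - stars)


def qualifying_sets(methods=METHODS, required=REQUIRED_STARS):
    """Minimal method combinations that reach the threshold.

    Minimal means no proper subset already qualifies, which is what an
    admin wants to see: the cheapest paths an attacker could take.
    """
    names = sorted(methods)
    found = []
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            if evaluate(combo, methods, required)[1] != 0:
                continue
            if any(set(prev) < set(combo) for prev in found):
                continue
            found.append(combo)
    return found


def knowledge_only_sets(methods=METHODS, required=REQUIRED_STARS):
    """Qualifying paths built from knowledge factors alone.

    Such a path means a phished or guessed answer set is enough to reset the
    password; tighten the weights until this returns an empty list.
    """
    return [c for c in qualifying_sets(methods, required)
            if all(methods[m][1] == "knowledge" for m in c)]


if __name__ == "__main__":
    print("after mobile code:", evaluate(["mobile_code"]))
    for combo in qualifying_sets():
        print("qualifies:", " + ".join(combo))
    print("knowledge-only paths:", knowledge_only_sets())
```

Running the policy review against an alternative configuration (say, security questions worth two stars plus a one-star PIN hint) is how a weak path shows up before users do.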

Specops uReset mandatory enrollment

Specops provides tools to enforce end-user enrollment in uReset. One of them is the Enrollment reminder mode; selecting the option Start unclosable fullscreen browser makes enrollment mandatory.

With an unclosable browser window, end-users are required to complete enrollment in uReset before they can continue. The setting is assigned to users through an Active Directory Group Policy object.

Setting the enrollment reminder mode with Specops

Wrapping Up

Account unlock and password reset activities are incredibly costly to IT helpdesk operations. According to researchers, these activities can add up to over $70 per password reset. Self-Service Password Reset (SSPR) solutions provide the means to allow end-users to perform these activities themselves without involvement from the service desk.

Specops uReset is a robust SSPR solution providing the tools needed for organizations to effectively implement self-service capabilities for end-users to triage their account lockouts and password resets without helpdesk involvement.

It offers robust capabilities, including easy onboarding, configurable multi-factor authentication, enrollment enforcement, geo-blocking, and many other capabilities.

Learn more about Specops uReset here.

Adversaries are increasingly abusing Telegram as a command-and-control (C2) channel for malware delivered into organizations, which can then be used to capture sensitive information from targeted systems.

“Even when Telegram is not installed or being used, the system allows hackers to send malicious commands and operations remotely via the instant messaging app,” said researchers from cybersecurity firm Check Point, who have identified no fewer than 130 attacks over the past three months that make use of a new multi-functional remote access trojan (RAT) called “ToxicEye.”


The use of Telegram for facilitating malicious activities is not new. In September 2019, an information stealer dubbed Masad Stealer was found to plunder information and cryptocurrency wallet data from infected computers using Telegram as an exfiltration channel. Then last year, Magecart groups embraced the same tactic to send stolen payment details from compromised websites back to the attackers.

The strategy pays off in several ways. Telegram traffic is not blocked by enterprise security tools, and because registration requires only a mobile number, the attackers can remain anonymous while reaching infected devices from virtually any location in the world.

The latest campaign spotted by Check Point is no different. Spread via phishing emails carrying a malicious Windows executable, ToxicEye uses Telegram to communicate with its command-and-control (C2) server and upload data to it. The malware also has a range of capabilities that let it steal data, transfer and delete files, terminate processes, deploy a keylogger, hijack the computer’s microphone and camera to record audio and video, and even encrypt files for ransom.

Specifically, the attack chain begins with the attacker creating a Telegram bot, whose details (the bot token) are embedded in the RAT’s configuration file before it is compiled into an executable (e.g. “paypal checker by saint.exe”). This .EXE file is then embedded in a decoy Word document (“solution.doc”) that, when opened, downloads and runs the Telegram RAT (“C:\Users\ToxicEye\rat.exe”).
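"Telegram is allowed" is not the same as "the Telegram Bot API is allowed": the Telegram desktop and mobile clients speak MTProto to Telegram's data centres and never call `https://api.telegram.org/bot<token>/<method>`, which is the only way a bot (and therefore a RAT built on one) can poll for commands and push stolen data. The code below is an added example, not from Check Point's report or the ToxicEye sample: it scans endpoint network log lines in a constructed format for Bot API calls, groups them by bot token, marks the poll-plus-upload pattern a RAT needs, yields a URL path fragment you can block at the proxy, and also pulls candidate bot tokens out of a dropped binary's configuration. The Bot API URL form is Telegram's documented one; the token shape (numeric bot id, colon, 35 secret characters) is an assumption based on commonly seen tokens; the log format, hosts, process names and tokens are constructed.

```python
"""Spot Telegram Bot API command-and-control use in endpoint network logs.

Added example, not from Check Point's report. Legitimate Telegram clients
speak MTProto to Telegram's data centres; only bots call
https://api.telegram.org/bot<token>/<method>, so a workstation process doing
that deserves a look even where Telegram itself is permitted.
"""
import re
from collections import defaultdict

# Bot token shape "<numeric bot id>:<35 secret chars>". The 35-character
# length is an assumption from commonly seen tokens, not a documented rule.
TOKEN = r"\d{8,10}:[A-Za-z0-9_-]{35}"
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(" + TOKEN + r")/([A-Za-z]+)")
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])(" + TOKEN + r")(?![A-Za-z0-9_-])")

# A RAT polls for operator commands and pushes text or stolen files back.
POLL_METHOD = "getUpdates"
UPLOAD_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def parse_line(line):
    """Constructed log format: '<timestamp> <host> <process> <url>'."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, host, process, url = parts
    return {"ts": ts, "host": host, "process": process, "url": url}


def find_bot_c2(lines):
    """Group Bot API calls by token and return findings ready for blocking/triage."""
    by_token = defaultdict(lambda: {"hosts": set(), "processes": set(), "methods": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.search(rec["url"])
        if not m:
            continue
        token, method = m.group(1), m.group(2)
        entry = by_token[token]
        entry["hosts"].add(rec["host"])
        entry["processes"].add(rec["process"])
        entry["methods"].add(method)
    findings = []
    for token, entry in by_token.items():
        methods = entry["methods"]
        findings.append({
            "bot_id": token.split(":", 1)[0],
            "token": token,
            "hosts": sorted(entry["hosts"]),
            "processes": sorted(entry["processes"]),
            "methods": sorted(methods),
            # Polling plus an upload method is the RAT pattern; a lone
            # sendMessage is more likely a monitoring script posting alerts.
            "c2_like": POLL_METHOD in methods and bool(methods & UPLOAD_METHODS),
            # Blocking this path at the proxy kills the bot without blocking Telegram.
            "block_path": f"/bot{token}/",
        })
    return findings


def find_tokens(blob):
    """Pull candidate bot tokens out of a dropped binary or its config."""
    text = blob.decode("latin-1") if isinstance(blob, (bytes, bytearray)) else blob
    return sorted(set(TOKEN_RE.findall(text)))


# Constructed sample data (not from the report): one infected host polling a
# bot and uploading a document, the real client, and an ops script that only
# sends alerts. Tokens are fake and built to match the assumed shape.
RAT_TOKEN = "1234567890:AAH" + "x" * 32
MON_TOKEN = "987654321:BBG" + "y" * 32
SAMPLE_LOG = [
    f"2021-04-22T09:12:01Z ws-017 rat.exe https://api.telegram.org/bot{RAT_TOKEN}/getUpdates?offset=42",
    f"2021-04-22T09:12:07Z ws-017 rat.exe https://api.telegram.org/bot{RAT_TOKEN}/sendDocument",
    "2021-04-22T09:12:09Z ws-017 Telegram.exe https://web.telegram.org/k/",
    f"2021-04-22T09:13:00Z srv-mon python.exe https://api.telegram.org/bot{MON_TOKEN}/sendMessage",
]
SAMPLE_CONFIG = b"\x00\x00token=" + RAT_TOKEN.encode() + b"\x00chat=55\x00"

if __name__ == "__main__":
    for finding in find_bot_c2(SAMPLE_LOG):
        print(finding)
    print("tokens in dropped config:", find_tokens(SAMPLE_CONFIG))
```

The token is the operator's credential for the bot, so a finding also gives the incident responder something to hand to Telegram's abuse channel and to search for across the estate.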

“We have discovered a growing trend where malware authors are using the Telegram platform as an out-of-the-box command-and-control system for malware distribution into organizations,” Check Point R&D Group Manager Idan Sharabi said. “We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, utilizing this system to perform cyber attacks, which can bypass security restrictions.”

Facebook on Wednesday said it took steps to dismantle malicious activities perpetrated by two state-sponsored hacking groups operating out of Palestine that abused its platform to distribute malware.

The social media giant attributed the attacks to a network connected to the Preventive Security Service (PSS), the security apparatus of the State of Palestine, and another threat actor known as Arid Viper (aka Desert Falcon and APT-C-23), the latter of which is alleged to be connected to the cyber arm of Hamas.

The two digital espionage campaigns, active in 2019 and 2020, targeted a range of devices and platforms, including Android, iOS, and Windows. The PSS cluster went primarily after domestic audiences in Palestine, while the other set of attacks targeted users in the Palestinian territories and Syria and, to a lesser extent, Turkey, Iraq, Lebanon, and Libya.


Both the groups appear to have leveraged the platform as a springboard to launch a variety of social engineering attacks in an attempt to lure people into clicking on malicious links and installing malware on their devices. To disrupt the adversary operations, Facebook said it took down their accounts, blocked domains associated with their activity, and alerted users it suspects were singled out by these groups to help them secure their accounts.

Android Spyware in Benign-Looking Chat Apps

PSS is said to have used custom-built Android malware disguised as secure chat applications to stealthily collect device metadata, log keystrokes, and upload the data to Firebase. The group also deployed another Android malware family, SpyNote, which can monitor calls and give remote access to compromised phones.

This group used fake and compromised accounts to create fictitious personas, often posing as young women, and also as supporters of Hamas, Fatah, various military groups, journalists, and activists with an aim to build relationships with the targets and guide them toward phishing pages and other malicious websites.

“This persistent threat actor focused on a wide range of targets, including journalists, people opposing the Fatah-led government, human rights activists and military groups including the Syrian opposition and Iraqi military,” Facebook researchers leading the cyber espionage investigations said.

A Sophisticated Espionage Campaign

Arid Viper, on the other hand, was observed using a new custom iOS surveillanceware dubbed “Phenakite” in its targeted campaigns, which Facebook noted could steal sensitive user data from iPhones without first jailbreaking the devices. Phenakite was delivered as a fully functional but trojanized chat application named MagicSmile, hosted on a third-party Chinese app development site, that ran surreptitiously in the background and grabbed data stored on the phone without the user’s knowledge.

The group also maintained a huge infrastructure comprising 179 domains that were used to host malware or acted as command-and-control (C2) servers.


“Lure content and known victims suggest the target demographic is individuals associated with pro-Fatah groups, Palestinian government organizations, military and security personnel, and student groups within Palestine,” the researchers added.

Facebook suspects Arid Viper used the iOS malware only in a handful of cases, which points to a highly targeted operation. In parallel, the Hamas-linked hackers maintained an evolving set of Android spyware apps that claimed to offer dating, networking, and regional banking services in the Middle East, and also disguised the malware as fake updates for legitimate apps such as WhatsApp.

Once installed, the malware urged victims to disable Google Play Protect and give the app device admin permissions, using the entrenched access to record calls, capture photos, audio, video, or screenshots, intercept messages, track device location, retrieve contacts, call logs, and calendar details, and even notification information from messaging apps such as WhatsApp, Instagram, Imo, Viber, and Skype.

In an attempt to add an extra layer of obfuscation, the malware was then found to contact a number of attacker-controlled sites, which in turn provided the implant with the C2 server for data exfiltration.

“Arid Viper recently expanded their offensive toolkit to include iOS malware that we believe is being deployed in targeted attacks against pro-Fatah groups and individuals,” Facebook researchers said. “As the technological sophistication of Arid Viper can be considered to be low to medium, this expansion in capability should signal to defenders that other low-tier adversaries may already possess, or can quickly develop, similar tooling.”

The company plans to use Velociraptor’s technology and insights to build out its own incident response capabilities.

Security firm Rapid7 today confirmed its acquisition of Velociraptor, an open source technology and community focused on endpoint monitoring, digital forensics, and incident response.

Velociraptor was built to help digital forensics and incident response (DFIR) professionals collect endpoint incident data, search for malicious activity, and analyze evidence if an attack occurs.

The platform was developed a few years ago by infosec specialist Mike Cohen, who previously worked on Google Rapid Response and Rekall, a memory analysis and forensic framework, along with community contributors.

This community approach lets DFIR professionals using Velociraptor share insight in one place, where it is accessible to more people. Custom detections and analysis capabilities are written as queries in Velociraptor’s own query language (VQL) and can then be shared so members of the community can hunt for new threats.

Rapid7 plans to continue expanding the Velociraptor community. While there are no plans to make it a commercial product, the company plans to integrate Velociraptor technology into its Rapid7 Insight platform – it has already started by embedding Velociraptor’s endpoint data collection capabilities.

Read the full Rapid7 release and blog post for more information.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

One goal of the group is to take down the criminal ecosystem that enables ransomware, officials say.

The Justice Department is forming a task force of FBI agents, prosecutors, and national security representatives to stop the spread of ransomware attacks.

This group will increase training and dedicate more resources to the ever-growing problem of ransomware, according to the Wall Street Journal, which first reported on the task force. Some reports state as many as one in four cyberattacks today involve ransomware, which affects thousands of businesses each year.

Citing an internal memo, the report explains this task force wants to improve intelligence sharing across the department and work to identify “links between criminal actors and nation-states.”

The memo also notes that one of its goals is to develop a strategy that targets the entire criminal ecosystem around ransomware, including stopping ongoing attacks and disrupting certain services that enable ransomware, like Dark Web forums that advertise ransomware for sale.

The full Wall Street Journal report can be found here.
