U.S. intelligence agencies, including the FBI, the Office of the Director of National Intelligence, the National Security Agency and the Cybersecurity and Infrastructure Security Agency, have confirmed that Russia was behind the SolarWinds hack. It is reported that the FBI is investigating whether Russia hacked into JetBrains’ TeamCity, a project management and DevOps tool, to originally plant its malware in SolarWinds Orion, causing a cascade of downstream opportunities for Russia to access numerous governmental agencies’ systems, as well as thousands of private company systems.

In the fall-out, the Department of Justice, which includes the FBI, the Drug Enforcement Agency and the U.S. Marshals Service, announced this week that 3 percent of its employees’ emails were compromised as a result of the SolarWinds hack. This is very concerning and shows the magnitude and seriousness of the incident.

In more disturbing news, Microsoft has confirmed that the hackers behind the SolarWinds incident were able to access its systems and that some of its source code was viewed by the hackers. Notably, Microsoft confirmed that the code was not modified and that the Russians did not access its products or services, including customer information.

Cybersecurity firms are offering free solutions for companies to use to identify the SUNBURST malware variant and whether they have been affected, including Palo Alto Networks and SentinelOne.

We will continue to see significant fall-out from this devastating incident. If your company has not assessed its risk of being affected by the SolarWinds hack, you may wish to consider devoting time and resources to help make that determination now.

Development and Operations (DevOps) teams are often pressured by executives and sales teams to get software products completed and out the door and into the market as quickly as possible so the products can generate income. Often, security is not the highest priority for DevOps, as adding security features may affect the performance of the software or add time to the deployment schedule.

The SolarWinds hack is a crucial reminder to DevOps teams to build security into software products, and to complete due diligence on the security protocols regarding the DevOps teams of vendors that make components used by software manufacturers, such as JetBrains.

JetBrains is a Czech-based company that developed a product called TeamCity, which Reuters reports is “used by tens of thousands of customers to construct other software.” According to other news reports, the FBI is investigating whether the Russians hacked into JetBrains’ TeamCity DevOps tool in order to infect SolarWinds’ Orion software [see related post]. If your DevOps team is using TeamCity, it may present another risk associated with the SolarWinds incident that has much broader impact on other software development.

Check with your DevOps team to see what kind of security due diligence they are completing on the vendors that are providing the component parts of the software they are developing, including JetBrains. If no due diligence is being done, this is a perfect time to start.

The Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) this week issued Alert (AA20-301A), titled “North Korean Advanced Persistent Threat Focus: Kimsuky,” warning U.S. businesses, and particularly those in the commercial sector, about tactics used by North Korean advanced persistent threat (APT) group Kimsuky. https://us-cert.cisa.gov/ncas/alerts/aa20-301a

The Alert, co-authored by the Federal Bureau of Investigation (FBI) and the U.S. Cyber Command Cyber National Mission Force, “describes the tactics, techniques and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government.”

The key findings of the government on Kimsuky’s activities include:

  • The Kimsuky APT group has most likely been operating since 2012.
  • Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.
  • Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.
  • Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.
  • Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
  • Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
  • Kimsuky specifically targets:
    • Individuals identified as experts in various fields,
    • Think tanks, and
    • South Korean government entities.
  • CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.

The methods used by Kimsuky include social engineering and spearphishing, which are outlined in the Alert and are worth reviewing. After obtaining access, Kimsuky deploys the BabyShark malware and uses PowerShell or the Windows Command Shell to execute it.

The Alert lists the indicators of compromise, including domains that have been used by Kimsuky, which IT professionals may wish to consult.

On October 27, 2020, the FBI and the Department of Homeland Security (DHS) warned the health care industry about “an imminent cybercrime threat to U.S. hospitals and healthcare providers.”

According to the warning, which was shared during a conference call, the government has received “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The information was being shared with participants so they can take timely precautions to protect their networks from the threat.

According to KrebsOnSecurity, the threat is believed to stem from a Russian cybercriminal gang that may be deploying Ryuk ransomware to more than 400 health care facilities in the U.S. It appears the attack is planned to be coordinated in order to maximize disruption in the health care sector.

Hospitals are urged to confirm that patching of all known vulnerabilities has been completed. Mandiant Solutions has released a list of domains and Internet addresses that have been used by Ryuk in the past in order to assist hospitals with identifying known methods used to infiltrate systems.

Based upon these warnings, hospitals and health care providers may wish to consider prioritizing patching and blacklisting the known domains and Internet addresses used by Ryuk today.

Late last week, October 9, 2020, the U.S. Attorney’s Office for the Northern District of New York issued a warning to the public entitled “Internet Predators: Warnings & Prevention for Families During the Pandemic and Beyond,” which is a must read for parents, teachers, families, and frankly, everyone.

Warning: it is a scary read in which the FBI, Department of Justice, Department of Homeland Security, United States Marshals Service and the National Center for Missing and Exploited Children (NCMEC) “warn the public of increased risks to children and teens from online sexual predators. In an era where children are spending more time on the Internet, it is essential that parents, guardians, educators and trusted adults know the risks and how to prevent exploitation.”

The warning outlines how, during the pandemic, children are online more than ever before. They are downloading and using apps that parents are unable to monitor, and exploiters know how to use social media and online platforms to target children and teens.

The warning states “[W]e must all educate ourselves and talk to our children about the risks inherent in the open access the Internet provides. Talk to your kids about what sites they are visiting, what apps they use, whom they are texting and messaging, what kinds of pictures they take of themselves, and what kinds of pictures other people send to them. Encourage them to share with you anything [that] makes them uncomfortable, whether an image, a message, or a solicitation.”

It also provides a list of resources for consideration:

  • NetSmartz has a number of websites with tool kits, games, videos for all ages, PowerPoints for educators, tip sheets and more. Go to NetSmartz.org
  • Homeland Security Investigations and NCMEC just launched their SafetyPledge campaign, encouraging parents to pledge to talk with their children about this threat. Their website includes a tool kit packed with information. Go to SafetyPledge.org
  • The Federal Bureau of Investigation’s website, entitled Safe Online Surfing, has resources categorized from 3rd grade through 8th grade, for teachers and students. Go to SOS.FBI.gov

The alert reminds all of us to educate children and each other about the risks to children and teens when they are online. October is Cybersecurity Awareness Month, and this is a good reminder to revisit conversations about online activity with the children and teens in our lives.

On October 6, 2020, the Federal Bureau of Investigation (FBI) issued a warning to consumers about using WiFi when teleworking from a hotel.

The FBI acknowledges that many workers are having difficulty working from home during the pandemic due to a host of issues. According to the FBI, “U.S. hotels, predominantly in major cities, have begun to advertise daytime room reservations for guests seeking a quiet, distraction-free work environment.” As a result of the increase in the use of hotel rooms for work purposes, the FBI is warning consumers about using hotel WiFi to conduct their work.

According to the FBI’s announcement, “[M]alicious actors can exploit inconsistent or lax hotel Wi-Fi security and guests’ security complacency to compromise the work and personal data of hotel guests. Following good cyber security practices can minimize some of the risks associated with using hotel Wi-Fi for telework.”

Here are the recommendations from the FBI announcement:

“RECOMMENDATIONS FOR REDUCING THE RISKS OF HOTEL WI-FI

  • If possible, use a reputable Virtual Private Network (VPN) while teleworking to encrypt network traffic, making it harder for a cybercriminal to eavesdrop on your online activity.
  • If available, use your phone’s wireless hotspot instead of hotel Wi-Fi.
  • Before travelling, ensure your computer’s operating system (OS) and software are up to date on all patches; important data is backed up; and your OS has a current, well-vetted security or anti-virus application installed and running.
  • Confirm with the hotel the name of their Wi-Fi network prior to connecting.
  • Do not connect to networks other than the hotel’s official Wi-Fi network.
  • Connect using the public Wi-Fi setting, and do not enable auto-reconnect while on a hotel network.
  • Always confirm an HTTPS connection when browsing the internet; this is identified by the lock icon near the address bar.
  • Avoid accessing sensitive websites, such as banking sites, or supplying personal data, such as social security numbers.
  • Make sure any device that connects to hotel Wi-Fi is not discoverable and has Bluetooth disabled when not in use.
  • Follow your employer’s security policies and procedures for wireless networking.
  • If you must log into sensitive accounts, use multi-factor authentication.
  • Enable login notifications to receive alerts on suspicious account activity.”

These are solid recommendations for workers to follow and for companies to share with their employees.