Tag: Russia

  • Cyber Civil Defense: We Can All Fight the Russians

    Most of us here in the US have followed the Russian invasion of Ukraine with a mix of disgust, outrage, and even existential fear. But there is a way to channel these negative feelings into positive actions by making yourself and your company a harder target for hackers, including those affiliated with or supported by the Russian government.

    During World War II, families planted victory gardens to help feed our military here and abroad. As the Cold War brought us to the brink of nuclear conflict, private citizens were called on to be part of a civil defense force to supplement local emergency management personnel. Now, technology has introduced us to a new battlefield in cyberspace. 

    Though cyber war doesn’t offer the horrific imagery of a physical invasion, it is every bit as real, the stakes are incredibly high, and threats are growing more sophisticated. Russia sent its soldiers into Ukraine, but it also has an army of malicious hackers on its payroll and/or under its protection as well. 

    Many of these are coin-operated criminal gangs working with the expressed or implicit approval of Vladimir Putin. They have a track record of targeting his enemies worldwide. The United States has been and will continue to be in their crosshairs. 

    As with generations past, it’s our turn now to recognize we all have a role to play – as private companies and private citizens – in protecting our institutions from attack. Here are some ways to do that immediately.

    For individuals, it’s critical to enable multifactor authentication, create complex passwords and/or use a secure password manager. An old poster from WWII cautioned, “Loose lips might sink ships.” The point was that small pieces of information could be combined by our enemies to paint a clear picture of larger operations. 

    As professional hackers, we often rely on that same principle – piecing together minor vulnerabilities that ultimately enable us to breach networks and exfiltrate data. The key is to make sure you’re not the weak link at home or at work.

    For businesses, now is the time to recognize that cybersecurity is part of your corporate mission, no matter what industry you’re in. If you’re a leader in your organization, be sure to establish regular check-ins with your information security team – if you haven’t already — and heed their advice. 

    This poster, found in bars across the US during WWII, was a reminder that Americans had a duty to protect information:

    Loose lips might sink ships

    The point was that small pieces of information could be combined by our enemies to paint a clear picture of larger operations. As professional hackers, we often rely on that same principle – piecing together minor vulnerabilities that ultimately enable us to breach networks and exfiltrate data. The key is to make sure you’re not the weak link at home or at work.

    Help is also available from the United States Cybersecurity and Infrastructure Security Agency (CISA). Its Shields Up publication offers some excellent recommendations about steps you can take to harden your defenses. Take a few minutes to read and consider these suggestions.

    Remember, too, that Raxis and other companies have veteran cybersecurity experts on their teams whose life’s work is to help protect you from those who would steal from you, hold your data hostage, or disrupt your operations. Now, as always, our certified professionals are ready to help.

    Raxis can perform in-depth penetration tests, conduct red team assessments, test your web applications, or help train your infosec team. But we also offer a number of free resources that are publicly available as well.

    Check out our YouTube channel, follow us on social media, and make sure you subscribe to this blog. We provide a lot of great security information aimed at helping you understand the latest threats and what you can do about them.

    The people of Ukraine are rightfully in our thoughts and prayers at present. It’s unconscionable for one sophisticated, powerful nation to attack and invade its neighbor simply because it can. But we can do much more than fret over what’s happening overseas. We can take action that will make it harder for the Russian government to escalate its cyber war in Europe and here at home.

    This is your chance to join the fight. Make your actions count.

  • Why Mutual Assured Destruction is an Incomplete Cyber Defense Strategy

    “Like it or not, all of us are on the front lines in a cyberwar that is heating up with every day that passes.”

    Bonnie Smyre, Raxis Chief Operating Officer

    In the wake of the Colonial Pipeline breach, security analysts have discussed the idea that direct retribution might be an effective deterrent to the large-scale cyberattacks of the sort the US is experiencing ever more frequently nowadays. As someone with a strong background in Russian and Eastern European studies, I understand the historical precedent that drives this mindset. However, as a cybersecurity professional, I know that half-century-old strategy will not be nearly as effective against the challenges we face today.

    Some ‘MAD’ Background

    In the most dangerous days of the Cold War, US and Soviet leaders agreed to a counterintuitive policy that helped ensure neither side would launch a catastrophic nuclear first strike. Recognizing that stockpiles of atomic weapons were sufficient to destroy Earth many times over, the two superpowers agreed that the world was most secure when both sides maintained the ability to respond to a first strike with an equally devastating counterstrike.

    Though it sounds barbaric, the strategy of mutual assured destruction (MAD) was one reason a period of détente lasted long enough for both nations to de-escalate tensions and negotiate dramatic reductions in the size of their nuclear arsenals.

    The New Battlespace

    Though the Soviet Union fell apart in the early 1990s, and the US ‘normalized’ relations with China, the threat they posed to America never disappeared completely. Instead, it has evolved with new technology and shifted into cyberspace. Hackers with ties to Russia and China are widely believed to have been responsible for high-profile breaches of government agencies and contractors, meddling in US political campaigns, and sabotaging critical infrastructure.

    I say ‘widely believed’ because in the shadowy world of hackers it’s nearly impossible to prove an attack was state-sponsored. Malicious actors are very much cybercriminals without borders, and it’s not hard for hostile nations to contract out some of their dirtiest work.

    As for the weaponry, ransomware, like the type used in the Colonial Pipeline hack, can be a few lines of code, readily available for sale on the dark web. Some of the more helpful black hats even offer support for an additional fee.

    Where Deterrence Fails

    The simplicity and anonymity of cyberwarfare do more than give cover to state-sponsored actors. In the context of mutual assured destruction, a more dangerous possibility is that non-state actors could launch an attack that triggers a misdirected, full-scale state response. In that scenario, it’s easy to envision a rapid escalation leading to military action.

    An even bigger problem with the MAD concept, however, is its central tenet that the civilian population is purposely left exposed. In the case of nuclear war, there is a macabre logic behind that. Taking away the fallout shelters, civil defense infrastructure, and air raid drills made clear to everyone that a nuclear war between the superpowers would likely be the end of civilization. Entering the launch codes meant worldwide annihilation, plain and simple.

    In the case of cyberwarfare, there simply isn’t a clear delineation between military and civilian or even public and private sector targets. Colonial is a private company, as are many utilities and other organizations that are of vital importance to our national security. Was the recent ransomware attack a simple economic crime or a strategic strike on the Eastern Seaboard?

    Nor is there a foolproof way to gauge the severity of the attack. A small business might be hacked in order to reach a larger upstream supplier. And disrupting several municipalities could have the same strategic impact as an attack on the federal government.

    We are the Front Line

    From a practical perspective, what all this means is that, at most, deterrence can only be one part of a much larger strategy. And, unlike the Cold War, this new state of perpetual, persistent cyberwarfare can’t be waged solely by our military or managed by diplomats alone.

    We’re all in this together. As long as one business is at risk, all of our businesses are. If our businesses are at risk, so is our government. And if our government is at risk, so are our people – from all walks of life.

    Like it or not, all of us are on the front lines in a cyberwar that is heating up with every day that passes. The good news is that there are things we can do to protect ourselves and to become harder targets. As we do so, we raise the technological barriers, drive up the costs, and increase the risk to those who would attack us.

    Mutual assured destruction helped end the Cold War without nuclear confrontation. But the key to ending global cyberwarfare may well be mutual cooperation – among our government, our military, and our businesses of all sizes.

  • NSA, FBI, CISA Statement on Russian SVR Activity

    What does it mean for your business?

    Summary of the Statement

    Last week, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a joint statement on five different vulnerabilities that the Foreign Intelligence Service of the Russian Federation (SVR RF) is known to be exploiting currently.

    How does this affect your business?

    Even if your business is not a target of the SVR RF, other threat actors such as ransomware gangs, are taking advantage of the same vulnerabilities. Therefore, if you have been using any of the affected product versions, you should take them offline, upgrade to the most recent version, and begin an incident response process to verify your servers are not compromised. Additionally, Raxis recommends performing the same process on other recently exploited products such as SolarWinds Orion and Microsoft Exchange Server.

    Affected Product Versions & Associated CVEs

    Fortinet FortiGate VPN

    • Version: Fortinet FortiOS6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12
    • CVE: CVE-2018-13379

    Synacor Zimbra Collaboration Suite

    • Version: Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10
    • CVE: CVE-2019-9670

    Pulse Secure Pulse Connect Secure VPN

    • Version: Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
    • CVE: CVE-2019-11510

    Citrix Application Delivery Controller and Gateway

    • Version: CitrixADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b
    • CVE: CVE-2019-19781

    VMware Workspace ONE Access

    • Version: VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 -3.3.3 on Linux, VMware Identity Manager Connector 3.3.1-3.3.3 and 19.03, VMware Cloud Foundation 4.0-4.1, and VMware Vrealize Suite Lifecycle Manager8.x
    • CVE: CVE-2020-4006

    Remediation

    If your business is running any of the aforementioned product versions, upgrade immediately to the most recent versions following the guides for each product below:

    Fortinet FortiGate VPN

    Synacor Zimbra Collaboration Suite

    Pulse Secure Pulse Connect Secure VPN

    Citrix Application Delivery Controller and Gateway

    VMware Workspace ONE Access

    Solarwinds Orion

    Microsoft Exchange

    Additionally, Raxis recommends beginning an incident response process on any servers exposed to the internet that are running these product versions, as they are actively being exploited in the wild.

    Associated Links

    NSA, FBI & CISA Statement: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/

    CVE Links:

  • SolarWinds Supply Chain Attack – Updated 12/18/2020

    On December 8, 2020, FireEye disclosed that it had been breached by a sophisticated threat actor that had accessed some of its internally developed red team tools. On December 12, FireEye disclosed that this access, and access to many other companies, was accomplished through a supply chain attack against SolarWinds, a monitoring product that is deployed across a myriad of other organizations in the public and private sectors.

    What we know: SolarWinds’ Orion Platform versions 2019.4 HF 5 through 2020.2.1, released between March and June 2020, were affected by the supply chain attack. At present, we believe other versions are not affected.

    Who was affected: In addition to FireEye, anyone running these SolarWinds versions should assume they have been compromised and should take immediate action to mitigate this exposure.

    What to do:
    • Power down any SolarWinds Orion products that are running or have run versions 2019.4 HF 5 through 2020.2.1.
    • Upgrade to the SolarWinds Orion Platform version 2020.2.1 HF 1 immediately.
    • On Tuesday December 15, 2020, upgrade to SolarWinds Orion Platform version 2020.2.1 HF 2. This is a critical release that addresses the exposure.
    • If your company has used the affected versions, assume that the network has been breached and implement applicable incident response processes.
    • This was a far-reaching attack perpetrated by highly skilled threat actors. Evidence of the attack may be hard to detect, and Indications of Compromise (IOCs) may change over time as more information becomes available.
    How did this happen:

    SolarWinds was the victim of a sophisticated supply chain attack. Supply chain attacks target components that are trusted by their users in order to gain a foothold within an organization, product, or other target. This can happen to in-house software components, third-party libraries, or even in the manufacturing of devices. How the attack was deployed via the SolarWinds platform remains unclear, but multiple payloads were delivered via digitally signed updates from SolarWinds from March to May 2020 through the SolarWinds.Orion.Core.BusinessLayer.dll.

    Technical Details:
    • The trojan placed on the system lays dormant for up to two weeks before making a DNS request to avsvmcloud[.]com to get the details of a Command and Control (C2) server.
    • Further communications with the C2 server masquerade as SolarWinds API traffic.
    • The trojan downloads multiple types of payloads, including a memory-only dropper that FireEye has named, “TEARDROP.” A Cobalt Strike Beacon payload has also been detected.
    • After gaining a foothold, the attacker used remote access and conducted lateral movement using legitimate account credentials to establish persistence and levy ongoing attacks.
    • The attack prioritizes stealth and persistence, only using hostnames enumerated within the target environment and restricting traffic to mostly IP addresses from the target’s country.
    • The attacker modifies files and scheduled tasks to drive remote execution and later reverts them back to their original contents in order to evade detection.

    FireEye has released countermeasures for these threats, including Snort and Yara rules. For more specific details on the delivered malware, how it avoided detection, and other threat signatures, see the FireEye blog post detailing the attack.

    Updates

    December 18, 2020

    Who was affected:

    In addition to FireEye, Microsoft confirmed their systems were affected by the SolarWinds breach and have helped identify an additional 40+ customers of their own that have been affected. [1]

    Additionally, RedDrip7 and Bambenek have put forth research into DNS records and other Indicators of Compromise to help people determine whether they have been compromised. [2]

    However, anyone running these SolarWinds versions should still assume they have been compromised and should take immediate action to mitigate this exposure.

    [1] https://www.bleepingcomputer.com/news/security/microsoft-identifies-40-plus-victims-of-solarwinds-hack-80-percent-from-us/

    [2] https://github.com/bambenek/research/tree/main/sunburst