SolarWinds Attack, AIR-FI Technique, & Zodiac Cypher Decoded – PSW #678
In the Security News, How suspected Russian hackers outed their massive cyberattack, Millions of Unpatched IoT, OT Devices Threaten Critical Infrastructure, Zodiac Killer Cipher Solved, a Security Researcher states ‘solarwinds123’ Password Left Firm Vulnerable in 2019, Why the Weakest Links Matter, and a 26-Year-Old Turns ‘Mistake’ of Being Added to an Honors Geometry Class to Becoming a Rocket Scientist!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
Hosts
- 1. Supply Chain Attack: CISA Warns of New Initial Attack Vectors Posing ‘Grave Risk’
  “This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
- 2. 51% of WFH Parents Say Children Have Accessed Work Accounts
  We need to take the time to educate: "Nearly half of parents let children access devices with saved passwords on them, data shows, but 14% admit their kids have caused trouble by accessing an account with a saved password. One noted their child got into their bank account and wired money to a random account."
- 3. Signal App Crypto Cracked, Claims Cellebrite – Security Boulevard
  I will not believe it until I see it: https://www.cellebrite.com/en/blog/cellebrites-new-solution-for-decrypting-the-signal-app/
- 4. How suspected Russian hackers outed their massive cyberattack
  “We initially detected the incident because we saw a suspicious authentication to our VPN solution,” said Charles Carmakal, senior vice president and chief technology officer at Mandiant, FireEye’s incident response arm. “The attacker was able to enroll a device into our multi-factor authentication solution, and that generates an alert which we then followed up on.”
- 5. SolarWinds: Hey, only as many as 18,000 customers installed backdoored software linked to US govt hacks
  "Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the spring of 2020, and we are in the process of notifying those organizations. Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction."
- 6. Here comes the bride: New map matches threat intel to cyberdefenses – CyberScoop
  Sounds like they mapped NIST CSF to MITRE ATT&CK. Happy dance?
- 7. Millions of Unpatched IoT, OT Devices Threaten Critical Infrastructure
  More of the same, if you want to pwn stuff, just use firmware and IoT, still... "According to researchers at Armis, a whopping 97 percent of the OT devices impacted by URGENT/11 have not been patched, despite fixes being delivered in 2019. And, 80 percent of those devices affected by CDPwn remain unpatched."
- 8. We’re not saying this is how SolarWinds was backdoored, but its FTP password ‘leaked on GitHub in plaintext’
- 9. RAM-Generated Wi-Fi Signals Allow Data Exfiltration From Air-Gapped Systems
  Coming to an embassy near (or far away?) from you: "The AIR-FI attack relies on DDR SDRAM buses for emitting electromagnetic signals on the 2.4 GHz Wi-Fi band and for encoding data on top of these signals. A nearby Wi-Fi-capable device that has been infected with malware is used to intercept these signals, decode them, and then transmit them to the attacker, over the Internet."
- 10. Zodiac Killer Cipher Solved – Schneier on Security
  A 51-year-old cipher: "Cryptologist David Oranchak, who has been trying to crack the notorious “340 cipher” (it contains 340 characters) for more than a decade, made a crucial breakthrough earlier this year when applied mathematician Sam Blake came up with about 650,000 different possible ways in which the code could be read. From there, using code-breaking software designed by Jarl Van Eycke, the team’s third member, they came up with a small number of valuable clues that helped them piece together a message in the cipher."
- 11. Microsoft Windows DrawIconEx Local Privilege Escalation – Exploitalert
- 12. Why the Weakest Links Matter
  "Developer machines, source control management systems, build servers, or even sites that developers download tools from may be compromised, giving an attacker an entry point to inject malicious code. Too often, these are the weakest links in the chain, and attackers will always focus on the weak links. There's no need to spend the time and effort to attack the hard targets when there are easier options available; attackers — especially those that work for state-backed operations — have deadlines too."
- 13. Killswitch Found for Malware Used in SolarWinds Hack
  The profile is weird. The attackers were smart enough to backdoor SolarWinds. But yet, they reportedly stole some of FireEye's attack tools. But then, left it easy to shut down the campaign: "During its analysis of the malware, FireEye noticed that SUNBURST had been communicating with a domain named avsvmcloud[.]com. The cybersecurity firm worked with Microsoft and registrar GoDaddy to seize control of the domain." Smoke and mirrors?
- 14. Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019
  This may help explain it: "Security researcher Vinoth Kumar told Reuters that he contacted the company in 2019, alerting it that anyone could access its update server by guessing the password “solarwinds123.” Reuters also reports that hackers claimed they could sell access to SolarWinds’ computers since 2017. It is not clear from the wording of the story whether the offer was for a method of infiltrating SolarWinds itself, or if the black hat was offering to sell access to computers that used SolarWinds software."
- 15. “Evil mobile emulator farms” used to steal millions from US and EU banks
- 16. ‘I Am the Dopest NASA Engineer You Will Ever Meet’: 26-Year-Old Turns ‘Mistake’ of Being Added to an Honors Geometry Class to Becoming a Rocket Scientist
  I want to end the year on a high note, I LOVE this story: "A second mistake happened during Williams’ freshman year in high school, when a teacher inadvertently enrolled her in an honors geometry class. Williams said she was excited, but her heart dropped when the teacher told her it was a mishap and offered to re-enroll her in a normal math class. “But by this time, I knew that mistakes were my strength,” she said. “Mistakes gave me a second chance. Mistakes have me showing a whole generation of students how cool math and science can be.” Williams forged ahead, got an A in the class, and the rest is history. In 2017, she made her first splash when she penned lyrics teaching the quadratic formula. The song explained coefficients and x-axis intercepts over the sound bed of Soulja Boy’s 2007 summer anthem “Crank Dat.” A music video for the song got thousands of views on YouTube and helped catapult Williams to a level of stardom for her catchy educational jingles."
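The killswitch item above turns on one observable: hosts running the backdoored build resolve avsvmcloud[.]com (and subdomains of it) for command and control, which is why seizing the domain could neutralise the campaign and why the same domain works as a retrospective indicator in DNS logs. The following is an added example for these show notes, not code from FireEye, SolarWinds or any project the page links. It refangs a published indicator, parses a constructed (hypothetical) DNS query log format, and flags queries to the domain or any subdomain of it while rejecting look-alikes such as notavsvmcloud.com. The subdomain labels in the sample log are made up.

```python
"""Match defanged domain IOCs against DNS query logs.

Added example for these show notes; it is not code from the FireEye
countermeasures repository or any other source the page links. The IOC
is the SUNBURST C2 domain named above (avsvmcloud[.]com); the log lines
and their format are constructed for this example.
"""
import re
from typing import Dict, Iterable, List

# Defanged indicators as they appear in published reports.
IOCS = ["avsvmcloud[.]com"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable domain name."""
    domain = ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return domain.strip().lower().rstrip(".")


def domain_matches(qname: str, ioc_domain: str) -> bool:
    """True if qname is the IOC domain or any subdomain of it.

    Matching is label-aware so that 'notavsvmcloud.com' is not a hit
    while 'x.appsync-api.eu-west-1.avsvmcloud.com' is.
    """
    qname = qname.strip().lower().rstrip(".")
    return qname == ioc_domain or qname.endswith("." + ioc_domain)


# Constructed (hypothetical) log format: "<timestamp> <client_ip> query <qname> <qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)

# Constructed sample log; the subdomain labels are made up for the example.
SAMPLE_LOG = """\
2020-12-14T10:01:02Z 10.1.5.23 query k9x2p8.appsync-api.eu-west-1.avsvmcloud.com A
2020-12-14T10:01:05Z 10.1.5.23 query downloads.solarwinds.com A
2020-12-14T10:02:11Z 10.1.7.9 query notavsvmcloud.com A
2020-12-14T10:03:40Z 10.1.7.9 query avsvmcloud.com. A
"""


def find_hits(log_lines: Iterable[str], iocs: Iterable[str] = IOCS) -> List[Dict[str, str]]:
    """Return one record per log line whose query name matches an IOC."""
    domains = [refang(i) for i in iocs]
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than silently match
        for d in domains:
            if domain_matches(m["qname"], d):
                hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"], "ioc": d})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```

Two points for anyone running a check like this for real: the page notes compromises dating back to the spring of 2020, so the search window has to reach back that far, not just to the disclosure date; and because the domain was seized rather than taken offline, a host that still queries it after the seizure is still running the backdoored build and should be treated as compromised, not as "already blocked".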
- 1. Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach
- 2. SolarWinds hackers’ capabilities include bypassing MFA
  "Some companies are about to find out they actually do use SolarWinds in production…"
- 3. Linus Torvalds: ‘Nothing that looks scary’ in important new Linux kernel 5.10
- 4. Data Leak Exposes Details of Two Million Chinese Communist Party Members
- 5. Reported Russian hack of US systems has implications for DoD network security plans
- 6. Google Cloud is majorly upping its security game
- 7. Academics turn RAM into Wi-Fi cards to steal data from air-gapped systems
  This one's for Larry.
- 1. FireEye Mandiant SunBurst Countermeasures
  These rules are provided freely to the community without warranty. In this GitHub repository you will find rules in multiple formats: Snort, Yara, IOC, ClamAV.
- 2. InfoSec Handlers Diary Blog
  SANS ISC summary on the SolarWinds event.
- 3. SANS Emergency Webcast: What you need to know about the SolarWinds Supply-Chain Attack
  Recording on YouTube.
- 4. cyber.dhs.gov – Emergency Directive 21-01
  Emergency Directive 21-01, December 13, 2020, "Mitigate SolarWinds Orion Code Compromise": mitigations and actions required.
- 5. Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
  Executive Summary: "We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452."
- 6. Up to 3 million devices infected by malware-laced Chrome and Edge add-ons
  As many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal data and redirect users to ad or malware infected sites. This one is from Chelle (my wife).
- 7. AMNESIA:33 – Forescout
  Forescout Research Labs discovered 33 vulnerabilities impacting millions of IoT, OT and IT devices that present an immediate risk for organizations worldwide.
- 8. Data of 243 million Brazilians exposed online via website source code
  Personally identifiable information (PII) belonging to some 243 million living and dead Brazilians was found exposed online after web developers inadvertently left the password to a government database in the source code of an official Brazilian Ministry of Health website for roughly six months.
- 9. TransLink confirms ransomware attack, says payment data secure
  In this case, customers were unable to use credit and debit cards at certain vending machines and tap-to-pay fare gates, but TransLink said that payment card data was not compromised. Egregor ransomware was used in this attack.
- 10. Adobe users targeted in dangerous new phishing campaign
  A new credential capturing phishing attack has been discovered targeting Adobe users. This particular campaign uses an email that purports to be from the non-existent service Adobe Cloud. (As opposed to Adobe Creative Cloud, which exists.)
- 11. Ransomware gang says they stole 2 million credit cards from E-Land
  Clop ransomware is claiming to have stolen 2 million credit cards from E-Land Retail over a one-year period ending with last month's ransomware attack. E-Land claims no customer data was accessed or exposed in the attack as that data was encrypted on a different server.
- 12. Hackers target groups in COVID-19 vaccine distribution, says IBM
  IBM is warning companies instrumental in the distribution of COVID-19 vaccines that its "cold chain" process for keeping vaccines at the proper temperature during delivery is being targeted in a global phishing campaign.
- 13. Nuclear weapons agency breached amid massive cyber onslaught
  The Energy Department and National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies. They found suspicious activity in networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE.
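Two of this week's stories share one root cause: a secret committed into source, either an FTP password on GitHub in plaintext or a government database password left in a ministry website's code for months. The check that catches both is a pre-commit or CI scan for credential patterns. The following is an added example for these show notes, not tooling from SolarWinds, GitHub or any project the page links. It covers the two shapes seen in the stories: a credential embedded in a URL's user:password@host part and a plaintext password assignment, while skipping environment-variable references, templating placeholders and obvious dummy values so it does not drown in false positives. Every file path, hostname and password in the sample is constructed.

```python
"""Scan source files for hard-coded credentials before they reach a repository.

Added example for these show notes; it is not tooling from SolarWinds, GitHub,
or any project the page links. It covers the two patterns in the stories above:
a credential embedded in a URL (the FTP-password-on-GitHub case) and a plaintext
password assignment left in source (the Ministry of Health case). Every file,
path, host and password below is constructed for the example.
"""
import re
from typing import Dict, List

# Credential in a URL's userinfo part: scheme://user:password@host
URL_CRED_RE = re.compile(
    r"\b(?P<scheme>ftps?|sftp|https?)://(?P<user>[^\s:/@]+):(?P<password>[^\s/@]+)@(?P<host>[^\s/:]+)",
    re.IGNORECASE,
)

# Plaintext assignment whose key looks secret-bearing: password = "..."; DB_PWD: '...'
ASSIGN_RE = re.compile(
    r"""(?P<key>[A-Za-z0-9_.-]*(?:passw(?:or)?d|pwd|secret|api[_-]?key|token)[A-Za-z0-9_]*)"""
    r"""\s*[:=]\s*["']?(?P<value>[^"'\s,;]+)""",
    re.IGNORECASE,
)

# Values that are references or placeholders, not secrets.
PLACEHOLDER_RE = re.compile(
    r"^(?:\$\{?[A-Z0-9_]+\}?|<[^>]+>|process\.env\.|os\.environ|env\(|changeme|password|x{3,}|\*{3,})",
    re.IGNORECASE,
)


def is_placeholder(value: str) -> bool:
    """Skip env-var references, templating, obvious dummies and very short values."""
    return len(value) < 4 or PLACEHOLDER_RE.match(value) is not None


def redact(secret: str) -> str:
    """Keep two characters so a hit is recognisable without re-leaking it."""
    return secret[:2] + "*" * max(len(secret) - 2, 1)


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-looking match in the file's text."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in URL_CRED_RE.finditer(line):
            if not is_placeholder(m["password"]):
                findings.append({"file": path, "line": lineno, "kind": "url-credential",
                                 "name": f'{m["user"]}@{m["host"]}', "secret": redact(m["password"])})
        for m in ASSIGN_RE.finditer(line):
            if not is_placeholder(m["value"]):
                findings.append({"file": path, "line": lineno, "kind": "assignment",
                                 "name": m["key"], "secret": redact(m["value"])})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a mapping of path -> contents, as a pre-commit hook would over staged files."""
    out: List[Dict[str, object]] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents.
SAMPLE_FILES = {
    "deploy/upload.ps1": (
        "# constructed sample: update-server upload script\n"
        "$target = 'ftp://svc_deploy:Summer2019!@downloads.example.test/updates/'\n"
        "Invoke-WebRequest -Uri $target\n"
    ),
    "web/config.js": (
        "// constructed sample: web front-end config\n"
        "const db = { host: 'db.example.test', user: 'app', password: 'solarwinds123' };\n"
        "const apiKey = process.env.API_KEY;\n"
        "const token = '${VAULT_TOKEN}';\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f'{f["file"]}:{f["line"]} {f["kind"]} {f["name"]} -> {f["secret"]}')
```

The scanner reports the redacted value rather than the secret itself so that its own output (CI logs, tickets) does not become a second leak. Pattern matching of this kind only catches what it knows about; the lasting fix for both stories is the one the scanner nudges toward, reading credentials from the environment or a secrets store, which is exactly the shape the two skipped lines in the sample have.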