CISA Releases Free Detection Tool for Azure/M365 (original release date: December 24, 2020)
Protecting Microsoft 365 from on-premises attacks
This Post by Alex Weinert is important to read
Many customers connect their private corporate networks to Microsoft 365 to benefit their users, devices, and applications. However, there are many well-documented ways these private networks can be compromised. As we have seen in recent events related to the SolarWinds compromise, on-premises compromise can propagate to the cloud. Because Microsoft 365 acts as the “nervous system” for many organizations, it is critical to protect it from compromised on-premises infrastructure.
This document will show you how to configure your systems to protect your Microsoft 365 cloud environment from on-premises compromise. We primarily focus on Azure AD tenant configuration settings, the ways Azure AD tenants can be safely connected to on-premises systems, and the tradeoffs required to operate your systems in ways that protect your cloud systems from on-premises compromise.
We strongly recommend you implement this guidance to secure your Microsoft 365 cloud environment.
Please read the Full Blog HERE
Microsoft Advice for incident responders on recovery from systemic identity compromises
As Microsoft alongside our industry partners and the security community continues to investigate the extent of the Solorigate attack, our goal is to provide the latest threat intelligence including IOCs and guidance across our products and solutions to help the community fight back against, harden your infrastructure, and begin to recover from this attack of unprecedented scale. As new information becomes available, we will make updates to this article.
This blog will outline lessons learned from this and other incident response to date in on-premises and cloud environments. This latest guidance is for customers looking to re-establish trusted identities for credentials that are suspected of compromise by Solorigate malware.
This article is intended to give experienced incident responders some advice on techniques to consider when helping an organization respond to a suspected systemic identity compromise, like we’re seeing in some victims of the Solorigate malware, based on our experience in the field in similar scenarios. Re-establishing trust in the organization’s on-premises and cloud environments with minimal business impact requires in-depth investigation and an understanding of potential methods of persistence. While not meant to cover every possible scenario, this guidance is intended to summarize our experience with similar customer breaches and will be updated if we learn of new information that would help with successful recovery. Please review the resources referenced at the end of this article for additional information. This information is provided as-is and constitutes generalized guidance; the ultimate determination about how to apply this guidance to your IT environment and tenant(s) must consider your unique environment and needs, which each Customer is in the best position to determine.
The Solorigate investigation referenced in this guidance is ongoing at the time of publication and our teams continue to act as first responders to these attacks. As new information becomes available, we will make updates through our Microsoft Security Response Center (MSRC) blog.
Overview of the intrusion
As described in this Microsoft blog post, the hallmarks of this actor’s activity include, but are not limited to, the following techniques that are likely to result in systemic identity compromise:
- An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Microsoft Defender now has detections for these files. Read our in-depth technical analysis of the Solorigate malware.
- An intruder using administrative permissions (acquired through an on-premises compromise) to gain access to an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens to impersonate any of the organization’s existing users and accounts, including highly privileged accounts.
- Anomalous logins using the SAML tokens signed with a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate. An organization may miss the use of illegitimate SAML tokens because they are signed with a legitimate certificate.
- The use of highly privileged accounts (acquired through the technique above or other means) to add illegitimate credentials to existing application service principals, enabling the attacker to call APIs with the permission assigned to that application.
Overview of response objectives
Organizations that have experienced systemic identity compromise need to start recovery by re-establishing trustworthy communications. This will enable effective triage and coordination of business operations recovery.
Many organizations have complex internal and external interdependencies. Core business processes and applications in an organization are likely to be temporarily impacted during recovery efforts until trust within your environment is re-established. Microsoft recommends that Incident Responders establish secure communications with key organizational personnel as the first step toward organizational recovery. If your investigation indicates that the attacker has used techniques outside of identity compromise at lower levels of your organizations’ infrastructure, such as hardware or firmware attacks, you will need to address those threats to reduce the risk of re-compromise.
Response objectives in approximate order:
- Establish secure communications for personnel key to the investigation and response effort.
- Investigate the environment for persistence and initial access point, while establishing continuous monitoring operations during recovery efforts.
- Regain and retain administrative control of your environment and remediate or block possible persistence techniques and initial access exploits.
- Improve posture by enabling security features and capabilities following best practice recommendations.
We recommend that incident responders review and digest the entirety of this guidance before taking action, as the specific order of actions taken to achieve the response objectives is very situational and depends heavily on the results (and completeness) of investigation and the business constraints of the specific organization. The following sections describe the incident Response techniques we recommend you consider for each of the above objectives.
Establish secure communications and productivity
Successful response requires being able to communicate without the attacker eavesdropping on your communications. Until you have achieved assurance in the privacy of your communications on your current infrastructure, use completely isolated identities and communication resources to coordinate your response and discuss topics that could potentially tip off the attacker to your investigation. Until your investigation has achieved assurance in actor eviction, we strongly recommend that you keep all incident-related comms isolated to enable you to have the element of surprise when taking remediation actions.
- Initial one-on-one and group communications can be achieved through phone (PSTN) calling, conference bridges not connected to the corporate infrastructure, and end-to-end encrypted messaging solutions.
- One way that many customers have established secure productivity and collaboration is to create a new Office 365 tenant which is completely isolated from the organization’s production tenant and create accounts only for the key personnel needed, and any incident response vendors or partners who need to be part of the response.
- Make sure to follow best practices for securing this tenant, especially its administrative accounts and default rights. The new tenant should have a minimal set of administrative rights and no trusts with outside applications or vendors. If you need further assistance or want information on hardening Microsoft 365, you can review the guidance here.
Investigate your environment
Once your incident responders and key personnel have a secure place to collaborate, the next step is to investigate the suspected compromised environment. Successful investigation will be a balance between getting to the bottom of every anomalous behavior to fully scope the extent of attacker activity and persistence and taking action quickly to stop any further activity on objectives by the attacker. Successful remediation requires as complete an understanding of the initial method of entry and persistence mechanisms controlled by the attacker as possible. Any persistence mechanisms missed could result in continued access by the attacker and potential for re-compromise.
- Investigate and review cloud environment logs for suspicious actions and attacker IOCs, including:
- Unified Audit Logs (UAL).
- Azure Active Directory (Azure AD) logs.
- Active Directory logs.
- Exchange on-prem logs.
- VPN logs.
- Engineering systems logging.
- Antivirus and endpoint detection logging.
- Review endpoint audit logs for changes from on-premises for actions including, but not limited to, the following:
- Group membership changes.
- New user account creation.
- Delegations within Active Directory.
- Along with other typical signs of compromise or activity.
- Review Administrative rights in your environments
- Review privileged access in the cloud and remove any unnecessary permissions. Implement Privileged Identity Management (PIM); set up Conditional Access policies to limit administrative access during hardening.
- Review privileged access on-premises and remove unnecessary permissions. Reduce membership of built-in groups, verify Active Directory delegations, harden the Tier 0 environment, and limit who has access to Tier 0 assets.
- Review all Enterprise Applications for delegated permissions and consent grants that allow (sample script to assist):
- Modification of privileged users and roles.
- Reading or accessing all mailboxes.
- Sending or forwarding email on behalf of other users.
- Accessing all OneDrive or SharePoint sites content.
- Adding service principals that can read/write to the Directory.
- Review access and configuration settings for the following Office 365 products:
- SharePoint Online Sharing
- Teams
- PowerApps
- OneDrive for Business
- Review user accounts
- Review and remove guest users that are no longer needed.
- Review email configurations using Hawk or something similar.
- Delegates
- Mailbox folder permissions
- ActiveSync mobile device registrations
- Inbox Rules
- Outlook on the Web Options
- Validate that both MFA and self-service password reset (SSPR) contact information for all users is correct.
You may find that one or more of the logging sources above are data sources that the organization does not currently include in its security program. Some of them, especially the logging available in the cloud, are available only if configured and we recommend that you configure them as soon as possible to enable both the detections in the next section and forensics review of logs going forward. Make sure to configure your log retention to support your organization’s investigation goals going forward and retain evidence, if needed for legal, regulatory, or insurance purposes.
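Worked example, added here and not part of Microsoft's guidance or tooling: a small Python triage pass over audit records that flags three of the indicators the list above asks responders to review, namely credentials added to application service principals, members added to privileged directory roles, and inbox rules that forward mail to an external domain. The records it processes are constructed samples shaped like simplified Unified Audit Log entries (the operation names `Add service principal credentials.`, `Add member to role.`, `New-InboxRule` and `Set-InboxRule` are the ones the log uses; the flat `Parameters` and `Target` fields, the role list, the domains and the object ids are simplifications and placeholders chosen for the example).

```python
"""Triage Microsoft 365 / Azure AD audit records for three persistence
indicators: credentials added to application service principals, members
added to privileged directory roles, and inbox rules that forward mail
outside the organization.

The records below are constructed samples shaped like simplified Unified
Audit Log entries (a real export nests Exchange cmdlet parameters as
Name/Value pairs and wraps Azure AD fields in AuditData); not real data."""
from collections import Counter
from datetime import datetime

# Azure AD roles whose membership changes always deserve review (assumed list).
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Application Administrator", "Cloud Application Administrator",
    "Exchange Administrator", "Security Administrator",
}
# Operation names as they appear in the Unified Audit Log.
SP_CREDENTIAL_OPS = {"Add service principal credentials."}
ROLE_MEMBER_OPS = {"Add member to role."}
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample log (domains, app names and object ids are placeholders).
SAMPLE_RECORDS = [
    {"CreationTime": "2020-12-20T03:12:44", "Operation": "Add service principal credentials.",
     "UserId": "admin@contoso.example", "ObjectId": "sp-0001", "Target": "Graph Mail Reader"},
    {"CreationTime": "2020-12-20T03:15:10", "Operation": "Add member to role.",
     "UserId": "admin@contoso.example", "ObjectId": "user-7", "Target": "Global Administrator"},
    {"CreationTime": "2020-12-19T11:02:00", "Operation": "New-InboxRule",
     "UserId": "jdoe@contoso.example",
     "Parameters": {"ForwardTo": "collector@attacker.example", "DeleteMessage": True}},
    {"CreationTime": "2020-12-18T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "jdoe@contoso.example"},
    {"CreationTime": "2020-12-01T09:00:00", "Operation": "Add member to role.",
     "UserId": "admin@contoso.example", "ObjectId": "user-3", "Target": "Helpdesk Administrator"},
]


def is_external(address, internal_domains):
    """True when the address's domain is not one the organization owns."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in internal_domains}


def triage(records, internal_domains, since):
    """Return findings with CreationTime at or after `since` (ISO 8601), oldest first."""
    cutoff = datetime.fromisoformat(since)
    findings = []
    for rec in records:
        if datetime.fromisoformat(rec["CreationTime"]) < cutoff:
            continue
        op = rec.get("Operation", "")
        kind = target = None
        if op in SP_CREDENTIAL_OPS:
            # A new key or secret on an app lets its holder call APIs with that app's permissions.
            kind, target = "sp_credential_added", rec.get("Target", rec.get("ObjectId", ""))
        elif op in ROLE_MEMBER_OPS and rec.get("Target") in PRIVILEGED_ROLES:
            kind, target = "privileged_role_added", f'{rec.get("ObjectId", "")} -> {rec["Target"]}'
        elif op in INBOX_RULE_OPS:
            params = rec.get("Parameters", {})
            external = [params[k] for k in FORWARD_PARAMS
                        if k in params and is_external(params[k], internal_domains)]
            if external:
                kind, target = "external_forwarding_rule", ", ".join(external)
        if kind:
            findings.append({"kind": kind, "when": rec["CreationTime"],
                             "actor": rec.get("UserId", ""), "target": target})
    return sorted(findings, key=lambda f: f["when"])


def summarize(findings):
    """Count findings per kind, e.g. {'sp_credential_added': 1, ...}."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, {"contoso.example"}, "2020-12-10T00:00:00"):
        print(f"{f['when']}  {f['kind']:<26} actor={f['actor']}  {f['target']}")
```

Run against a real export, the `since` cutoff should reach back at least to the earliest suspected intrusion date, and every `sp_credential_added` hit needs a matching change ticket before it is dismissed; an addition nobody can account for is exactly the persistence technique described in the intrusion overview.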
Establish continuous monitoring
There are many ways to detect activity associated with this campaign. Exactly how your organization will detect attacker behavior depends on which security tools you have available, or choose to deploy in response. Microsoft has provided examples publicly for some of the core security products and services that we offer and are continually updating those documents as new threat intelligence is identified related to this attacker. If you use other vendor’s products, review your vendor’s recommendations, and review the Microsoft documentation below to understand the detection techniques if you need to implement analogous detections in your environment on your own.
For readers using Azure Sentinel in their environments, review SolarWinds Post-Compromise Hunting guidance.
For readers using Microsoft Defender for Endpoint, review our guidance here, and review Microsoft Defender Antivirus guidance.
To Learn More go here
Microsoft Responding to sophisticated cyberattacks
Microsoft is aware of a sophisticated attack that utilizes malicious SolarWinds software. On December 17, 2020, Brad Smith posted a blog sharing the most up to date information and detailed technical information for defenders.
As this is an ongoing investigation, Microsoft cybersecurity teams continue to act as first responders to these attacks. We know that customers and partners will have ongoing questions and Microsoft is committed to providing timely updates as new information becomes available. We will make updates through our Microsoft Security Response Center (MSRC) blog at https://aka.ms/solorigate.
There are a number of published resources to assist customers in securing their environments:
- We have published a blog outlining this dynamic threat landscape
- We have published an anchor blog with technical details of the attack.
- Microsoft Defender antivirus and Microsoft Defender for
- Microsoft Azure Sentinel has released guidance to help Azure Sentinel customers
- Microsoft 365 Defender and Microsoft Defender for Endpoint
- For any Microsoft Threat Experts (MTE) customers, where we
- If a customer has any product support related needs, please
- For Identity professionals and Microsoft 365 admin, we have
Microsoft Blog Posts, Advisories & Additional Resources
- If your customer has a specific question regarding FireEye,
- If your customer has a specific question regarding SolarWinds,
- The Cybersecurity and Infrastructure Security Agency (CISA)
Three million internet users are believed to have installed extensions that contain malicious code
Browser extensions are usually useful, sometimes fun — and occasionally dangerous.
That’s the case for at least 28 browser extensions analyzed by Avast Threat Intelligence researchers after the threat was identified by Czech researchers at CZ.NIC. The affected extensions contain malware and include Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock, as well as additional browser extensions for Google Chrome and Microsoft Edge. According to the browser store download numbers, more than three million people may be affected worldwide.
Avast said it found code to:
- redirect user traffic to ads
- redirect user traffic to phishing sites
- collect personal data, such as birth dates, email addresses, and active devices
- collect browsing history
- download further malware onto a user’s device
“Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular and then pushed an update containing the malware,” Avast researcher Jan Rubin says. “It could also be that the author sold the original extensions to someone else after creating them and then his client introduced the malware afterwards.”
The infected JavaScript-based extensions contain malicious code that makes it possible to download even more malware to a person’s computer. They also manipulate all links that the victims click on after downloading the extensions. For example, links in Google Search lead users to other, seemingly random, sites. This includes phishing sites and ads.
“We believe that these domains are not owned by the cybercriminals, but that the owners of these domains pay the cybercriminals for every redirection,” Rubin says.
Clicking on the links also causes the extensions to send information to the attacker’s control server, creating a log of all of their clicks. That log is then sent to third-party websites and can be used to collect personal information about the user, including birth date, email addresses, device information, first sign in time, last login time, name of their device, operating system, browser used and version, and IP address.
The Avast Threat Intelligence team started monitoring this threat in November 2020, but believe that it could have been active for years without anyone noticing. In fact, there are reviews on the Chrome Web Store mentioning link hijacking from as far back as December 2018. That means it’s possible this has been infecting people’s devices for much longer than researchers have been aware of the threat.
At the time of publishing, the infected extensions are still available for download. If you suspect you might have downloaded one, Avast researchers recommend disabling and uninstalling it immediately and then scanning for and removing malware. They have also reported the issue to Microsoft and Google, who are looking into it.
Below is the list of Chrome extensions that Avast said it found to contain malicious code:
- Direct Message for Instagram
- DM for Instagram
- Invisible mode for Instagram Direct Message
- Downloader for Instagram
- App Phone for Instagram
- Stories for Instagram
- Universal Video Downloader
- Video Downloader for FaceBook™
- Vimeo™ Video Downloader
- Zoomer for Instagram and FaceBook
- VK UnBlock. Works fast.
- Odnoklassniki UnBlock. Works quickly.
- Upload photo to Instagram™
- Spotify Music Downloader
- The New York Times News
Below is the list of Edge extensions that Avast said it found to contain malicious code:
- Direct Message for Instagram™
- Instagram Download Video & Image
- App Phone for Instagram
- Universal Video Downloader
- Video Downloader for FaceBook™
- Vimeo™ Video Downloader
- Volume Controller
- Stories for Instagram
- Upload photo to Instagram™
- Pretty Kitty, The Cat Pet
- Video Downloader for YouTube
- SoundCloud Music Downloader
- Instagram App with Direct Message DM
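As an added example, not part of the Avast write-up or any Avast tooling, the following Python script inventories the extensions installed in a Chromium-based browser profile and flags any whose name is on the two lists above. It assumes the Chromium on-disk layout `Extensions/<extension id>/<version>/manifest.json`, with store extensions usually carrying a localized name of the form `__MSG_<key>__` resolved from `_locales/<default_locale>/messages.json`; the sample profile it builds is constructed, and the extension ids in it are placeholders. A name match is only a triage signal, since the ids of the flagged extensions are not given on this page: confirm against the store listing before removing anything.

```python
"""Inventory the extensions in a Chromium-based browser profile and flag any
whose name matches the Avast list above. Chromium stores each installed store
extension at Extensions/<id>/<version>/manifest.json inside the profile."""
import json
import os
import tempfile
from pathlib import Path

# Names taken from the Chrome and Edge lists above, merged.
AVAST_FLAGGED_NAMES = [
    "Direct Message for Instagram", "DM for Instagram",
    "Invisible mode for Instagram Direct Message", "Downloader for Instagram",
    "App Phone for Instagram", "Stories for Instagram", "Universal Video Downloader",
    "Video Downloader for FaceBook", "Vimeo Video Downloader",
    "Zoomer for Instagram and FaceBook", "VK UnBlock. Works fast.",
    "Odnoklassniki UnBlock. Works quickly.", "Upload photo to Instagram",
    "Spotify Music Downloader", "The New York Times News",
    "Instagram Download Video & Image", "Volume Controller",
    "Pretty Kitty, The Cat Pet", "Video Downloader for YouTube",
    "SoundCloud Music Downloader", "Instagram App with Direct Message DM",
]


def normalize(name):
    """Case-fold and drop the trademark glyph that store listings append."""
    return name.replace("\u2122", "").strip().lower()


FLAGGED = {normalize(n) for n in AVAST_FLAGGED_NAMES}


def resolve_name(manifest_path, data):
    """Resolve a localized '__MSG_key__' name from the default-locale messages file."""
    name = data.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        msgs = manifest_path.parent / "_locales" / data.get("default_locale", "en") / "messages.json"
        if msgs.exists():
            table = json.loads(msgs.read_text(encoding="utf-8-sig"))
            name = table.get(key, {}).get("message", name)
    return name


def inventory(extensions_dir):
    """List every <id>/<version>/manifest.json under the profile, flagging name matches."""
    results = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        name = resolve_name(manifest, data)
        results.append({"id": manifest.parent.parent.name, "version": data.get("version", ""),
                        "name": name, "flagged": normalize(name) in FLAGGED})
    return results


def default_extension_dirs():
    """Default-profile extension paths for Chrome and Edge on Windows, macOS, Linux (existing only)."""
    home = Path.home()
    local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
    candidates = [
        local / "Google" / "Chrome" / "User Data" / "Default" / "Extensions",
        local / "Microsoft" / "Edge" / "User Data" / "Default" / "Extensions",
        home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions",
        home / "Library" / "Application Support" / "Microsoft Edge" / "Default" / "Extensions",
        home / ".config" / "google-chrome" / "Default" / "Extensions",
        home / ".config" / "microsoft-edge" / "Default" / "Extensions",
    ]
    return [p for p in candidates if p.is_dir()]


def build_sample_profile(root):
    """Write a constructed Extensions tree with three extensions (ids are placeholders)."""
    root = Path(root)

    def write(ext_id, version, manifest, messages=None):
        d = root / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages:
            loc = d / "_locales" / manifest["default_locale"]
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text(json.dumps(messages), encoding="utf-8")

    write("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.2.0",
          {"name": "Vimeo\u2122 Video Downloader", "version": "1.2.0"})
    write("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "3.0.1",
          {"name": "__MSG_appName__", "default_locale": "en", "version": "3.0.1"},
          {"appName": {"message": "Video Downloader for FaceBook"}})
    write("cccccccccccccccccccccccccccccccc", "0.9",
          {"name": "Tab Counter (constructed sample)", "version": "0.9"})
    return root


def demo():
    """Build the constructed profile in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_profile(tmp))


if __name__ == "__main__":
    for ext in demo():
        print(("FLAGGED " if ext["flagged"] else "ok      ") + f"{ext['name']} ({ext['id']})")
    for d in default_extension_dirs():
        for ext in inventory(d):
            print(("FLAGGED " if ext["flagged"] else "ok      ") + f"{ext['name']} ({ext['id']})")
```

When run as a script it first prints the constructed sample and then walks any default Chrome or Edge profile it finds on the machine; browsers with several profiles keep additional `Profile N` directories beside `Default`, which the candidate list does not cover.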
CVMAP for CVE Numbering Authorities (CNAs) and Authorized Data Publishers: NISTIR 8246
Intended audience: CNAs (CVE Numbering Authorities), Authorized Data Publishers
NIST announces the publication of NISTIR 8246, Collaborative Vulnerability Metadata Acceptance Process (CVMAP) for CVE Numbering Authorities (CNAs) and Authorized Data Publishers.
The number of Common Vulnerabilities and Exposures identifiers (CVE IDs) created year over year has rapidly increased, and this trend is expected to continue indefinitely. Currently, a National Vulnerability Database (NVD) analyst manually reviews each CVE and attaches multiple forms of CVE metadata used by downstream consumers to prioritize and assist automated vulnerability scanning tools. This is a manually intensive process, and in many cases, this metadata is provided by the source, or CNA (CVE Numbering Authority), of the CVE with no policies or procedures in place to validate and accept the information.
This NISTIR leverages the technical knowledge provided by the CNAs and the application of consistent CVE metadata provided by NVD analysts through the formalization of a CVE entry metadata submission process. This allows for more efficient integration of the CNAs’ efforts into the NVD analyst workflow, which directly benefits downstream users and improves the security of our national IT infrastructure.
Publication details: https://csrc.nist.gov/publications/detail/nistir/8246/final
National Vulnerability Database (NVD): https://nvd.nist.gov/
Chrome Extensions: Extending Too Far
If you trust Google, and trust Chrome, the Chrome Web Store is a trusted place to look for extensions. Some are extremely useful, some are capable of blocking ads, some make the browser look like a game, and some do a little more than expected. Over 80 million Chrome users installed one of 295 Chrome extensions that hijack and insert ads into Google and Bing search results. AdGuard, an ad-blocking company, uncovered many of these extensions on the Chrome Web Store. The malicious browser extensions were divided into 3 groups:
· Extensions that load what appears to be an analytics script, which transforms based on cookies to allow it to add an obfuscated script into each freshly opened tab. This new script checks the page and, if it is a Bing or Google search results page, loads an image that has ads ‘coded in’. Most of the discoveries were of this group and consisted of background extensions.
· Extensions that engage in ‘cookie stuffing’ and ‘ad fraud’, generating “affiliate” cookies, which makes revenue for site owners despite the user never visiting the site. Only 6 were discovered, but with 1,650,000 total users.
· Extensions that are spam but could be malicious in the future. Although AdGuard did not disclose how many existed, the top 5 have 10 million users combined. These can share a similar name with a valid extension or perform a legitimate function, but the potential malice exists in the ‘Google Tag Manager’ code: the Google Tag Manager account owner can change the ‘tag’ to upload new, potentially malicious code.
The biggest problem here is not that they were created, but that they persist. Google tried to put in strict review guidelines to help secure extensions, but they just frustrate legitimate developers who suffer through complicated review processes without limiting malware. Last year, Google included Chrome extensions in their bug bounty program. The blog writers at AdGuard believe “Google fails with managing Chrome Web Store and keeping it safe.” They do acknowledge “Google did do one thing right — they introduced a position of Chrome Extensions Developer Advocate.” But if the malicious extensions aren’t violating Chrome extension policies (and understand that remote code is allowed, meaning extensions can change their behavior at any time and be within policy) they will be difficult to remove. Until Google fixes these issues, what can you do to protect yourself? The blog authors offered the following suggestions:
· Consider if a browser extension is the only way to achieve a goal.
· Install extensions only from the developers you trust.
· Don’t believe what you read in the extension’s description.
· User reviews won’t help: an extension can have excellent reviews and still be malicious.
· Don’t use the Chrome Web Store internal search, follow the links on the trusted developers’ website directly.
Sources:
· https://adguard.com/en/blog/fake-ad-blockers-part-3.html
40% of Android Phones Vulnerable to New System Attack
Attacks on specific chips or chipsets usually have wide-reaching implications. Devices tend to use off-the-shelf chips rather than developing their own, for a number of reasons. For Android phones the most popular processor chip family is the Qualcomm Snapdragon family of system on a chip (SoC). The Snapdragon is used in phones made by Samsung, Google, LG, and Xiaomi, to name a few. Recently at the DEF CON Safe Mode security conference, researchers from Check Point security revealed 6 critical flaws in the popular Snapdragon SoC that open nearly 40% of smartphones to attack.
Snapdragon is a SoC, meaning it contains various embedded components instead of just being a traditional processor with a single task. One component it embeds is the digital signal processor (DSP), which is responsible for turning data from various sensors into digital data that the operating system can work with. The DSP is where the researchers focused their efforts after discovering a software development kit (SDK) for the component was available. The SDK is available for legitimate software to utilize when it requires functionality that the DSP provides. The researchers instead were able to use it to get a clearer understanding of how to interface with the DSP, which normally operates like a black box to external software.
The researchers were able to develop their own instructions for the DSP that would allow them to do things like start a persistent DoS attack fixable only via a complete factory reset. They were also able to demonstrate a privilege escalation attack on the system, allowing them to completely take over the handset. Once the system is compromised in this manner, further malware would be able to completely hide its activity and become unremovable. In order to perform these attacks, the researchers say that a user needs to be tricked into running a malicious executable. This might not be too difficult, as the code can be embedded into legitimate-looking apps. Normal phone virus scanners won’t detect the presence of the malicious code because they don’t scan the SDK instruction sets.
Qualcomm was notified about the vulnerabilities between February and March of this year according to the researchers. Patches to the vulnerable components were developed in July but do not appear to have been pushed to handsets yet. Users of the affected devices should watch for future updates to ensure that their devices do not remain vulnerable to the attacks.
Sources
Qualcomm Bugs Open 40 Percent of Android Handsets to Attack | Threatpost
Microsoft Security Blogs
Title: Cyberattacks targeting health care must stop
URL: https://www.microsoft.com/security/blog/2020/11/18/cyberattacks-targeting-health-care-must-stop/
Overview: In recent months, we’ve detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for COVID-19. The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea, and the United States. The attacks came from Strontium, an actor originating from Russia, and two actors…
Title: Hunt across cloud app activities with Microsoft 365 Defender advanced hunting
URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857
Overview: We’re thrilled to share that the new CloudAppEvents table is now available as a public preview in advanced hunting for Microsoft 365 Defender.
Title: Using the VirusTotal V3 API with MSTICPy and Azure Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/using-the-virustotal-v3-api-with-msticpy-and-azure-sentinel/ba-p/1893121
Overview: MSTICPy, our CyberSec toolset for Jupyter notebooks, has supported VirusTotal lookups since the very earliest days (the earliest days being only around two years ago!). We recently had a contribution to MSTICPy from Andres Ramirez and Juan Infantes at VirusTotal (VT), which provides a new Python module to access the recently-released version 3 of their API.
Title: Modernize secure access for your on-premises resources with Zero Trust
URL: https://www.microsoft.com/security/blog/2020/11/19/modernize-secure-access-for-your-on-premises-resources-with-zero-trust/
Overview: Change came quickly in 2020. More likely than not, a big chunk of your workforce has been forced into remote access. And with remote work came an explosion of bring-your-own-device (BYOD) scenarios, requiring your organization to extend the bounds of your network to include the entire internet (and the added security risks that come with…
Title: Upcoming Changes to Microsoft Information Protection Metadata Storage
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/upcoming-changes-to-microsoft-information-protection-metadata/ba-p/1904418
Overview: In Microsoft Information Protection (MIP) SDK version 1.7, changes were made to support a new label metadata storage location for Office files – Word, Excel, and PowerPoint. For your applications and services to continue reading and writing MIP sensitivity labels for Office file types, it’s critical that you update to MIP SDK version 1.7. Applications running older versions will not be capable of reading the updated metadata format.
Title: Enriching DDoS Protection Alerts with Logic Apps
URL: https://techcommunity.microsoft.com/t5/azure-network-security/enriching-ddos-protection-alerts-with-logic-apps/ba-p/1928000
Overview: This post will detail how to create enriched DDoS Protection alerts that will provide the information needed to triage and respond.
Title: IoT security: how Microsoft protects Azure Datacenters
URL: https://www.microsoft.com/security/blog/2020/11/23/iot-security-how-microsoft-protects-azure-datacenters/
Overview: Azure Sphere first entered the IoT Security market in 2018 with a clear mission—to empower every organization on the planet to connect and create secure and trustworthy IoT devices. Security is the foundation for durable innovation and business resilience. Every industry investing in IoT must consider the vulnerabilities of the cyberthreat landscape. For our customers,…
Title: Go inside the new Azure Defender for IoT including CyberX
URL: https://www.microsoft.com/security/blog/2020/11/25/go-inside-the-new-azure-defender-for-iot-including-cyberx/
Overview: In 2020, the move toward digital transformation and Industry 4.0 took on new urgency with manufacturing and other critical infrastructure sectors under pressure to increase operational efficiency and reduce costs. But the cybersecurity model for operational technology (OT) was already shown to be lacking before the pandemic. A series of major cyberattacks across industries served…
Title: Zerologon is now detected by Microsoft Defender for Identity
URL: https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/
Overview: There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. Microsoft Defender for…
Title: What’s New: Azure Sentinel Logic Apps Connector improvements and new capabilities
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-logic-apps-connector-improvements-and/ba-p/1888416
Overview: Azure Sentinel Logic Apps connector is the bridge between Sentinel and Playbooks, serving as the basis of incident automation scenarios. As we prepare for new Incident Trigger capabilities (coming soon), we have made some improvements to bring the most updated experience to playbooks users.
Title: Deploying DDoS Protection Standard with Azure Policy
URL: https://techcommunity.microsoft.com/t5/azure-network-security/deploying-ddos-protection-standard-with-azure-policy/ba-p/1942133
Overview: One of the most important questions customers ask when deploying Azure DDoS Protection Standard for the first time is how to manage the deployment at scale. A DDoS Protection Plan represents an investment in protecting the availability of resources, and this investment must be applied intentionally across an Azure environment.
Title: Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them
URL: https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/
Overview: BISMUTH, which has been running increasingly complex cyberespionage attacks as early as 2012, deployed Monero coin miners in campaigns from July to August 2020. The group’s use of coin miners was unexpected, but it was consistent with their longtime methods of blending in.
CISA SolarWinds Orion Code Compromise Advisory
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of a vulnerability in SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, which were released between March 2020 and June 2020.
In response, CISA has published an urgent Current Activity Alert, “Active Exploitation of SolarWinds Software”, which can be found at https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software, and Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise,” directed at Federal Civilian Agencies, further emphasizing the urgency of this Alert: https://cyber.dhs.gov/ed/21-01/
CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures:
- SolarWinds Security Advisory
- FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- FireEye GitHub page: Sunburst Countermeasures
We kindly request that any questions, feedback, or incidents related to this product be reported to CISA at [email protected] or 888-282-0870.