This section was created by the Corpnet Global Corporation Cyber Security Group to keep our clients updated on the latest news in cyber security and computer technology.
Suspected Russian hackers linked to the worst supply chain attack on record, the SolarWinds compromise, breached email security provider Mimecast, affecting a subset of its customers, the company said.
Although Mimecast did not associate the breach with the state-sponsored SolarWinds hackers, three cybersecurity investigators familiar with the matter, speaking on condition of anonymity, confirmed the link to Reuters.
Additionally, the techniques and procedures used to breach the email security firm were consistent with the SolarWinds hackers' activity.
Mimecast said that Microsoft’s security experts notified the company of “a sophisticated threat actor” who hijacked its certificates used to connect to Mimecast customers’ Microsoft 365 Exchange products.
Mimecast’s products include anti-phishing email security tools capable of detecting malicious links and fake identities. The breach adds to the growing list of victims and the expanding set of attack vectors used by the advanced persistent threat actor APT29.
Email security provider Mimecast confirmed the breach; Reuters blames SolarWinds hackers
Mimecast said about 10% of its 36,000 customers were affected by the certificate breach. However, the email security provider estimated that the suspected SolarWinds hackers had targeted only a “low single-digit number” of those customers' Microsoft 365 tenants.
The threat actors hijacked the certificate used to authenticate Mimecast’s Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products to customers’ Microsoft 365 Exchange Web Services.
“As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available,” the company said in a statement posted online.
Although she declined further comment, Mimecast spokeswoman Laura Barnes acknowledged the breach, adding that the email security provider was investigating the incident.
It’s unclear how the SolarWinds hackers managed to compromise Mimecast, as neither Microsoft nor Mimecast provided additional details.
However, the email security company said in a statement that it had engaged a third-party forensics expert, law enforcement, and Microsoft to analyze the breach.
Terence Jackson, Chief Information Security Officer at Thycotic, says that “the certificates that were compromised were used by Mimecast email security products.”
“These products would access customers’ Microsoft 365 exchange servers in order for them to provide security services (backup, spam, and phishing protection). Since these certificates were legit, an adversary would have been able to connect without raising suspicions to eavesdrop and exfiltrate email communications.”
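Jackson's point is that a stolen but valid certificate authenticates cleanly, so the tenant side has to look at the circumstances of the access rather than at the authentication itself. The following is an added example, not code from Mimecast, Microsoft or Thycotic: it runs two checks over constructed Azure AD style records, one for a credential added to a service principal outside an approved change window, and one for a connector service principal signing in to Exchange Online from outside the vendor's documented egress ranges. The audit operation name, the sign-in field names, the app name, the addresses and the egress ranges are assumptions chosen for illustration and should be checked against your own tenant's logs and the vendor's published ranges.

```python
"""Two checks for abuse of a vendor integration's certificate-based access to a
Microsoft 365 tenant: a credential quietly added to a service principal, and a
service principal signing in from outside the vendor's published egress ranges.

Added example, not Mimecast's, Microsoft's or Thycotic's code. Every record
below is constructed. Field names follow the general shape of Azure AD audit
and service-principal sign-in records, but the exact schema, app names,
addresses and egress ranges are assumptions for illustration.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Audit operations that attach a new secret or certificate to an app identity.
# Extend this set with the other credential-management operation names your
# tenant's audit log actually emits.
CREDENTIAL_OPS = {"Add service principal credentials"}

# Assumed: the change window in which the connector's certificate rotation was approved.
APPROVED_WINDOWS = [
    (datetime(2021, 1, 12, 9, 0, tzinfo=timezone.utc),
     datetime(2021, 1, 12, 11, 0, tzinfo=timezone.utc)),
]

# Assumed: egress ranges the vendor documents for its connector (TEST-NET addresses here).
VENDOR_EGRESS = {
    "mail-security-connector": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed audit records, one JSON object per line.
SAMPLE_AUDIT = r'''
{"activityDisplayName": "Add service principal credentials", "activityDateTime": "2021-01-12T09:42:10Z", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}}, "targetResources": [{"displayName": "mail-security-connector"}]}
{"activityDisplayName": "Add service principal credentials", "activityDateTime": "2021-01-12T23:17:55Z", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}}, "targetResources": [{"displayName": "mail-security-connector"}]}
{"activityDisplayName": "Update user", "activityDateTime": "2021-01-13T08:00:00Z", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}}, "targetResources": [{"displayName": "alice"}]}
'''

# Constructed service-principal sign-in records.
SAMPLE_SP_SIGNINS = r'''
{"createdDateTime": "2021-01-13T01:00:00Z", "servicePrincipalName": "mail-security-connector", "ipAddress": "203.0.113.44", "resourceDisplayName": "Office 365 Exchange Online"}
{"createdDateTime": "2021-01-13T01:05:00Z", "servicePrincipalName": "mail-security-connector", "ipAddress": "203.0.113.45", "resourceDisplayName": "Office 365 Exchange Online"}
{"createdDateTime": "2021-01-13T02:10:00Z", "servicePrincipalName": "mail-security-connector", "ipAddress": "198.51.100.9", "resourceDisplayName": "Office 365 Exchange Online"}
'''


def _records(text):
    return [json.loads(line) for line in text.strip().splitlines()]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _actor(rec):
    by = rec.get("initiatedBy", {})
    if by.get("user"):
        return by["user"].get("userPrincipalName", "unknown-user")
    if by.get("app"):
        return "app:" + by["app"].get("displayName", "unknown-app")
    return "unknown"


def unexpected_credential_additions(audit_text, windows=APPROVED_WINDOWS):
    """(time, actor, target) for successful credential additions outside approved windows."""
    out = []
    for rec in _records(audit_text):
        if rec.get("activityDisplayName") not in CREDENTIAL_OPS or rec.get("result") != "success":
            continue
        when = _ts(rec["activityDateTime"])
        if any(start <= when <= end for start, end in windows):
            continue
        out.append((rec["activityDateTime"], _actor(rec), rec["targetResources"][0]["displayName"]))
    return out


def signins_outside_egress(signin_text, egress=VENDOR_EGRESS):
    """(time, service principal, ip) for sign-ins by a known connector from an address
    outside its documented egress ranges. A valid certificate used from attacker
    infrastructure still authenticates; the source address is what gives it away."""
    out = []
    for rec in _records(signin_text):
        spn = rec["servicePrincipalName"]
        if spn not in egress:
            continue
        addr = ipaddress.ip_address(rec["ipAddress"])
        if not any(addr in net for net in egress[spn]):
            out.append((rec["createdDateTime"], spn, rec["ipAddress"]))
    return out


if __name__ == "__main__":
    for hit in unexpected_credential_additions(SAMPLE_AUDIT):
        print("credential added outside change window:", hit)
    for hit in signins_outside_egress(SAMPLE_SP_SIGNINS):
        print("connector sign-in from unexpected network:", hit)
```

On the constructed data the first check flags the late-night credential addition and the second flags the sign-in from 198.51.100.9. After a rotation such as the one Mimecast asked its customers to perform, the approved window should contain exactly one addition per connector; anything else deserves a look.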
Weeks earlier, the SolarWinds hackers attempted to spy on the cybersecurity company CrowdStrike using a Microsoft product reseller’s account.
Microsoft had warned that the threat actors associated with the SolarWinds hacking campaign could use a compromised third-party vendor’s environment to target more customers.
Earlier, the SolarWinds hackers were found to be able to compromise the Security Assertion Markup Language (SAML) signing certificate and use it to forge authentication tokens for Microsoft’s cloud platform.
The group used stolen credentials to authenticate to Microsoft Active Directory Domain Services, escalate privileges on the domain controller, and move laterally across the entire corporate network.
The SolarWinds hackers used similar techniques against earlier victims, including corporations and U.S. government agencies such as the FBI and the Treasury, Homeland Security, and Commerce departments.
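A token signed with a stolen SAML signing key verifies exactly like a genuine one, so signature checking at the cloud side cannot catch it. What can is correlation: the identity provider keeps its own record of every assertion it issued, and a forged assertion has no such record. The following is an added example, not code from Microsoft or any vendor named on this page. It works over two constructed, deliberately simplified logs, the IdP's issuance records and the cloud service's accepted federated sign-ins, and flags accepted tokens with no matching issuance event, tokens whose subject or validity disagrees with what was issued, and tokens whose lifetime exceeds an assumed one-hour policy. The field names and the one-hour limit are this example's own abstraction.

```python
"""Detect forged federation tokens ("Golden SAML") by correlating what the
identity provider says it issued with what the cloud service accepted.

Added example, not from any vendor: both logs are constructed and simplified.
A real deployment would pull IdP token-issuance audit events and the cloud
side's federated sign-in records; the field names and the one-hour policy
below are assumptions of this example.
"""
from datetime import datetime, timedelta

MAX_TOKEN_LIFETIME = timedelta(hours=1)   # assumed IdP policy for assertion validity


def _t(s):
    return datetime.fromisoformat(s)


# Constructed: assertions the IdP actually signed.
IDP_ISSUED = [
    {"assertion_id": "_a1", "subject": "alice@example.test",
     "issued": "2020-12-10T08:00:00", "expires": "2020-12-10T09:00:00"},
    {"assertion_id": "_a2", "subject": "bob@example.test",
     "issued": "2020-12-10T08:05:00", "expires": "2020-12-10T09:05:00"},
]

# Constructed: federated sign-ins the cloud service accepted.
SP_ACCEPTED = [
    {"assertion_id": "_a1", "subject": "alice@example.test",
     "seen": "2020-12-10T08:00:03", "expires": "2020-12-10T09:00:00"},
    {"assertion_id": "_a2", "subject": "bob@example.test",
     "seen": "2020-12-10T08:05:02", "expires": "2020-12-10T09:05:00"},
    # Signed with the stolen key: the IdP never logged it, and it is valid for a week.
    {"assertion_id": "_zz9", "subject": "globaladmin@example.test",
     "seen": "2020-12-10T23:41:17", "expires": "2020-12-17T23:41:17"},
    # Also forged: reuses a real assertion id, but with another subject, long after expiry.
    {"assertion_id": "_a2", "subject": "svc-backup@example.test",
     "seen": "2020-12-11T02:10:00", "expires": "2020-12-11T03:10:00"},
]


def find_forged_tokens(issued, accepted, max_lifetime=MAX_TOKEN_LIFETIME):
    """Return (assertion_id, subject, reasons) for every accepted sign-in that the
    IdP's own issuance records do not account for."""
    by_id = {r["assertion_id"]: r for r in issued}
    suspects = []
    for rec in accepted:
        reasons = []
        src = by_id.get(rec["assertion_id"])
        if src is None:
            reasons.append("no matching IdP issuance event")
        else:
            if src["subject"] != rec["subject"]:
                reasons.append("subject differs from issued assertion")
            if _t(rec["seen"]) < _t(src["issued"]):
                reasons.append("accepted before the IdP issued it")
            if _t(rec["seen"]) > _t(src["expires"]):
                reasons.append("accepted after the issued assertion expired")
        # A forger controls NotOnOrAfter and tends to pick generous lifetimes.
        lifetime = _t(rec["expires"]) - _t(rec["seen"])
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            suspects.append((rec["assertion_id"], rec["subject"], reasons))
    return suspects


if __name__ == "__main__":
    for assertion_id, subject, reasons in find_forged_tokens(IDP_ISSUED, SP_ACCEPTED):
        print(f"{assertion_id} {subject}: " + "; ".join(reasons))
```

Both legitimate sign-ins pass; the two forged ones are reported, each for two independent reasons. The correlation only works if the IdP's issuance log is itself trustworthy, which is why the signing key and the IdP host have to be protected as the crown jewels they are.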
Although only a few Mimecast customers were targeted, that fits the pattern: the threat actors behind the SolarWinds hack focus on high-value targets rather than attacking everyone.
Unless the victims are identified, their role in the software supply chain determined, and their environments analyzed for additional indicators of compromise, a breach of a single victim can have consequences as severe as the SolarWinds hack or the FireEye breach.
Commenting on the email security provider’s breach, Saryu Nayyar, CEO, Gurucul, says:
“The attack against Mimecast and their secure connection to Microsoft’s Office 365 infrastructure appears to be the work of the same sophisticated attackers that breached SolarWinds and multiple government agencies.”
She noted that the breach served as an example of the level of skill and tenacity that state-sponsored threat actors could apply to achieve their objectives.
“Basic cybersecurity is not enough. Organizations need to employ industry best practices, and then go farther with user education, programs to review and update their security, and deploying best in breed security solutions, including security analytics.”
On the bright side, Nayyar notes that the advanced defenses employed against sophisticated nation-state hackers “should be more than enough to thwart the more common cybercriminal.”
Chris Hickman, the chief security officer at Keyfactor, noted a developing pattern of “leveraging cryptographic assets to gain network access and evade security controls.”
“These attacks are not about FireEye, SolarWinds, or Mimecast; the disturbing trend we are seeing is that these breaches are becoming habitual,” Hickman says. “The threat actors behind the attacks, whether they are using the SolarWinds backdoor or another, are targeting certificates and credentials.”
He argues that companies have been lax about managing certificates, treating them as “just certificates” rather than as cryptographic assets that play a crucial role in hardening network security.
“Technology alone cannot prevent breaches like this – companies need to ensure that they have in place the right controls, policies and follow industry best practices in order to defend themselves against the evolving threat landscape,” he continues.
Hickman added that companies needed to rethink how they “manage and secure digital certificates and cryptographic keys” to ensure optimum security for themselves and their customers.
Ubiquiti Networks has sent out notification emails to its customers informing them of a recent security breach. According to Ubiquiti, the intruder accessed servers that stored data on UI.com users, such as names, email addresses, and salted and hashed passwords. It is currently unclear how many users have been affected.
The company says there is no indication that there has been unauthorized activity with respect to any user's account. Ubiquiti instructed users to change their passwords on any website where they use the same password or user ID.
Joseph Carson, chief security scientist and Advisory CISO at Thycotic, notes that passwords are again at the forefront of the latest unauthorized access at network equipment provider Ubiquiti Networks.
"The latest data breach, and unauthorized access, has led Ubiquiti to advise its customers to rotate passwords, including any other internet services where the same passwords have been used - a common poor practice that results in data breaches escalating further. The response has been mixed as the notification did not provide many details on what a good password is or using a password management solution to help increase the security of such privileged access. The scary thought is whether or not this unauthorized access has allowed attackers access to customers’ networks, including security camera footage," Carson says.
He adds, "Companies, such as Ubiquiti, that focus on access and security should demand multi-factor authentication by default and integrate into password management security solutions, as this breach shows the importance of not letting a password be your only security control.”
On 13 December, SolarWinds disclosed that its Orion platform had been compromised. It was used as a means to penetrate US government networks and companies including Intel.
It was later revealed that the product had also been compromised by malware from a suspected second perpetrator, adding a separate backdoor.
SolarWinds said industry experts were helping it investigate the attacks.
The Texas-based company provides computer network management tools to a wide variety of clients, including the accountancy firm Deloitte, US chip-maker Nvidia and the Californian cloud software firm VMware.
A UK security source told the BBC a small number of British organisations had probably been affected.
Some experts have warned it could take more than a year for organisations to determine whether attackers have penetrated their systems, stolen any data or installed backdoors.
Sean Koessel, from the cyber-security company Volexity, warned companies: "Don't leave any stone unturned."
"I could easily see it taking half a year or more to figure out, if not into the years, for some of these organisations," he told the Reuters news agency.
The identities of those responsible for the attacks on Orion remain unclear.
However, several US government officials and security experts have pointed the finger at Russia for being behind the more devastating "Sunburst" attack. The Kremlin has denied responsibility.
US National Security Adviser Robert O'Brien told Fox News: "It's clearly a sophisticated intelligence operation and no doubt was done by a state actor. And we'll get around to attribution of that at a time and place of our choosing."
Crowdstrike - a leading US cyber-security firm - has said that it believes those responsible for the Sunburst hack also tried to breach its systems earlier this year.
The firm said it was alerted to the fact by Microsoft on 15 December, although the hackers' attempt had failed.
(TNS) — At least 200 organizations, including government agencies and companies around the world, have been hacked as part of a suspected Russian cyberattack that implanted malicious code in a widely used software program, said a cybersecurity firm and three people familiar with ongoing investigations.
The number of actual hacking victims has been one of many unanswered questions surrounding the cyberattack, which used a backdoor in SolarWinds Corp.’s Orion network management software as a staging ground for further attacks.
As many as 18,000 SolarWinds’ customers received a malicious update that included the backdoor, but the number that was actually hacked — meaning the attackers used the backdoor to infiltrate computer networks — is likely to be far fewer.
Recorded Future Inc., a cybersecurity firm based in Massachusetts, has identified 198 victims that were hacked using the SolarWinds backdoor, said threat analyst Allan Liska. Three other people said the inquiry so far has determined that the hackers further compromised at least 200 victims, moving within the computer networks or attempting to gain user credentials — what cybersecurity experts call “hands on keyboard” activity. The final number could rise from there.
Neither Recorded Future, nor the people familiar with the inquiry, provided the identities of victims. The number is expected to grow as the wide-ranging investigation continues. The hackers’ motive remains unknown, and it’s not clear what they reviewed or stole from the computer networks they infiltrated.
Of the roughly 18,000 SolarWinds customers that received the infected update, more than 1,000 had the malicious code beacon to a so-called second-stage “command and control” server operated by the hackers, giving them the option to intrude further into the network, according to publicly available data and the three people. Command-and-control servers are used by hackers to manage malicious code once it is inside a target network. Of those more than 1,000, investigators have so far determined that at least 200 were further compromised.
The next step would be for the hackers themselves to infiltrate the computer network.
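The funnel described above, 18,000 recipients of the update, more than 1,000 beaconing to a second-stage server, at least 200 with hands-on-keyboard activity, maps directly onto what a defender can see in DNS. The following is an added example, not code from the page, SolarWinds, FireEye or Recorded Future. It reads constructed DNS query-log lines and, for a given first-stage beacon domain, reports each client that resolved several distinct encoded labels under it (the implant's periodic check-ins) and whether any of them received a CNAME answer pointing at a second-stage host, which is the event that separates "received the update" from "the operators took an interest." The domain, the log format and the hosts are placeholders chosen for this example; substitute the indicator domains from the vendor and government advisories for the campaign being hunted.

```python
"""Hunt DNS logs for hosts beaconing to a supply-chain implant's first-stage
domain, and for the subset that were handed a second-stage server.

Added example, not from the page or any vendor. The log lines are constructed
("<time> <client_ip> <qname> <qtype> <answer>", '-' for no answer of interest)
and BEACON_DOMAIN is a placeholder, not a real indicator: substitute the
domains published in the relevant advisories.
"""
import re
from collections import defaultdict

BEACON_DOMAIN = "updates.example.invalid"   # placeholder, not a real indicator
MIN_BEACONS = 3                              # distinct encoded labels before we call it beaconing

# Constructed sample log: one host beacons three times and is redirected to stage two,
# another beacons once, a third only touches the bare domain.
SAMPLE_DNS_LOG = """\
2020-12-11T02:00:01 10.1.4.20 0g2qk7rbcpv5tfe2lcpb.api.updates.example.invalid A -
2020-12-11T04:00:02 10.1.4.20 7sbvaemscs0mc925tb99.api.updates.example.invalid A -
2020-12-11T06:00:03 10.1.4.20 r1q6arhpujcf6jb6qqqq.api.updates.example.invalid A -
2020-12-11T06:00:04 10.1.4.20 r1q6arhpujcf6jb6qqqq.api.updates.example.invalid CNAME stage2.cdn.example.invalid
2020-12-11T06:00:05 10.1.4.20 stage2.cdn.example.invalid A 198.51.100.7
2020-12-11T02:30:00 10.1.9.77 k3jt9a9fgb0ad3jtb0hg.api.updates.example.invalid A -
2020-12-11T02:31:00 10.1.9.77 k3jt9a9fgb0ad3jtb0hg.api.updates.example.invalid A -
2020-12-11T03:00:00 10.1.9.78 www.example.org A 203.0.113.10
2020-12-11T03:00:10 10.1.9.78 api.updates.example.invalid A -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Yield (time, client, qname, qtype, answer) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def hunt_beacons(log_text, domain=BEACON_DOMAIN, min_beacons=MIN_BEACONS):
    """Return {client_ip: {"beacons": distinct_labels, "stage2": host_or_None}} for
    clients that beaconed at least `min_beacons` times or were given a stage-two host."""
    suffix = "." + domain
    labels = defaultdict(set)
    stage2 = {}
    for _, client, qname, qtype, answer in parse(log_text):
        if not qname.endswith(suffix):
            continue
        # The implant encodes the victim's identity in the leftmost label, one per beacon.
        labels[client].add(qname[: -len(suffix)].split(".")[0])
        # A CNAME answer under the beacon domain is the operator steering this
        # particular host to a second-stage server: the hands-on phase starts here.
        if qtype == "CNAME" and answer != "-":
            stage2[client] = answer
    report = {}
    for client, labs in labels.items():
        if len(labs) >= min_beacons or client in stage2:
            report[client] = {"beacons": len(labs), "stage2": stage2.get(client)}
    return report


if __name__ == "__main__":
    for client, info in sorted(hunt_beacons(SAMPLE_DNS_LOG).items()):
        tag = f"second stage at {info['stage2']}" if info["stage2"] else "no second stage seen"
        print(f"{client}: {info['beacons']} beacons, {tag}")
```

On the sample only 10.1.4.20 is reported, with three beacons and a second-stage host; the host that checked in once and the host that touched the bare domain fall below the threshold, though lowering `min_beacons` surfaces them for triage. Any client with a `stage2` entry belongs in the "at least 200" bucket and needs a full host investigation, not just a patch.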
A SolarWinds spokesperson said the company “remains focused on collaborating with customers and experts to share information and work to better understand this issue.”
“It remains early days of the investigation,” the spokesperson said.
Hackers affiliated with the Russian government have been suspected from the start, and Secretary of State Michael Pompeo on Friday provided confirmation in an interview.
“There was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems, and it now appears systems of private companies and companies and governments across the world as well,” Pompeo said in a radio interview. “This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.”
On Saturday, President Donald Trump downplayed the hack on Twitter and suggested that China, not Russia, might be responsible, while the acting chairman of the Senate Intelligence Committee, Marco Rubio, said it was “increasingly clear that Russian intelligence conducted the gravest cyberintrusion in our history.”
A top U.S. cybersecurity agency issued an alert on Thursday saying the hackers posed a “grave risk” to federal, state and local governments, as well as critical infrastructure and the private sector. The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, said the attackers were patient, well resourced, and “demonstrated sophistication and complex tradecraft.”
CISA also said it had found evidence of other potential backdoors besides the SolarWinds Orion platform, suggesting there could be entirely different batches of potential victims that haven’t yet been identified.
Microsoft Corp. said on Thursday that 40 of its customers had been hacked, that the attacks were ongoing, and that the number of victims is expected to increase. Among those hit were unnamed cybersecurity companies, government agencies, and government contractors, roughly 80% of which are in the U.S.
Cybersecurity company FireEye Inc. was the first victim to disclose that it had been hacked, on Dec. 8, and said that while investigating its own breach, researchers at the company discovered the SolarWinds backdoor. Microsoft itself said that it found the malicious SolarWinds update within its network, but that it found no evidence of access to “production services or customer data.”
©2020 Bloomberg L.P. Distributed by Tribune Content Agency, LLC
Internal machines used by Cisco researchers were targeted via SolarWinds as the impact of the colossal hacking campaign on the tech sector becomes apparent, Bloomberg reported.
Roughly two dozen computers in a Cisco lab were compromised through malicious updates to SolarWinds’ Orion network monitoring platform, Bloomberg reported, citing a person familiar with the incident. The San Jose, Calif.-based networking giant told CRN its security team moved quickly to address the issue, and that there isn’t currently any known impact to Cisco offerings or products.
“While Cisco does not use SolarWinds Orion for its enterprise network management or monitoring, we have identified and mitigated affected software in a small number of lab environments and a limited number of employee endpoints,” Cisco said in a statement. “We continue to investigate all aspects of this evolving situation with the highest priority.”
Network management and monitoring are key parts of Cisco’s machinery and software, which Bloomberg said directly look at data traffic moving through a network. Access to that flow could provide a malicious actor with multiple avenues to cause harm, according to Bloomberg. Cisco told CRN there’s no evidence at this time to indicate customer data has been exposed as a result of the compromise.
The company didn’t respond to CRN questions about the number of machines affected as well as who in the organization was using the compromised machines. Cisco is the third tech vendor to get publicly ensnared in the fallout from the SolarWinds hack in the past 24 hours, following in the footsteps of Microsoft and VMware.
Reuters reported late Thursday that Microsoft was compromised via SolarWinds, with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN Thursday that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.
Then Friday afternoon, KrebsOnSecurity reported that a VMware vulnerability allowing federated authentication abuse and access to protected data was used by the SolarWinds hackers to attack high-value targets. VMware told CRN Friday that it had received no notification or indication that this vulnerability “was used in conjunction with the SolarWinds supply chain compromise.”
FireEye put the state-sponsored hacking campaign in the public consciousness Dec. 8 when the company disclosed that it was breached in an attack designed to gain information on some of the company’s government customers. The attacker was able to access some of FireEye’s internal systems but apparently didn’t exfiltrate data from the company’s primary systems that store customer information.
After FireEye, the next several organizations to be publicly identified as victims of the SolarWinds hack were all federal agencies, including the U.S. Departments of Defense, State, Treasury, Homeland Security and Commerce, according to reports from Reuters and others.
Contrary to public perception at the time, Microsoft President Brad Smith disclosed Thursday that a decisive plurality, 44 percent, of the company’s customers compromised through SolarWinds are actually in the IT sector, including software and security firms as well as IT services and equipment providers.
Some 18 percent of the compromised Microsoft customers are government agencies, another 18 percent are think tanks or non-governmental organizations (NGOs), and 9 percent are government contractors, according to Smith. He said that more than 40 Microsoft customers were precisely targeted and compromised through SolarWinds Orion, roughly 80 percent of whom are located in the United States.