John Pescatore - SANS Director of Emerging Security Trends
Focus on Critical Supply Risks to Start--and That Includes Security Vendors
This week's Drilldown will focus on two related items (included below) from NewsBites Issue 8, detailing that (1) North Korean threat actors have been targeting cybersecurity researchers; and (2) the Russian attackers who compromised security vendor FireEye and many other organizations via SolarWinds also compromised security vendor Mimecast and possibly Mimecast customers.
The SolarWinds compromise and subsequent use of implanted malicious capabilities in SolarWinds Orion software has definitely brought media and management attention to what are now being broadly called "supply chain attacks."
More attention to supply chain security is better than less, but there is a trap here, which I call the "Climate Change Inaction Trap"--too often when a problem is acknowledged but seems too big to solve completely, nothing gets done. Many companies say, "We have hundreds of vendors, we can't make sure they are all secure."
This is like saying, "We have hundreds of food items in the house, it is impossible to make sure all of them are safe to eat." It is pretty obvious that there are some high-risk foods that should be frozen/refrigerated and thrown out if the sell-by date is past or the containers start bulging! I bet none of the cafeterias in any of the Fortune 1000 companies leave the egg salad unrefrigerated overnight. And if the cafeteria managers figured out how to do this complex risk prioritization, CISOs can, as well.
It is pretty obvious that some products and services in our supply chain are critical to the success of the business. Focusing on the top 10%, and requiring extra measures to ensure that those suppliers are secure before contracting with them and that their products and services stay secure, is doable. Many are doing just that.
Vendors of your security products should, by default, be in that 10%. Vulnerable security products and services can be lethal to business, as these NewsBites items point out.
In my NewsBites comments, I mention requiring "... evidence of external third-party active security assessments and acceptable scores from third-party risk analysis services." This should be done for those top critical suppliers, as a minimum. There are many choices of both types of services from a wide range of supply chain security vendors.
North Korean Threat Actors Targeting Cybersecurity Researchers
(January 26, 2021)
Google's Threat Analysis Group has detected an ongoing campaign launched by North Korean cyber threat actors against cybersecurity researchers. The threat actors created a blog and Twitter profiles to establish their credibility with the targeted researchers. After gaining their trust, the threat actors asked the researchers if they would like to work together on research projects. If the researchers agreed, the hackers sent collaboration tools that included malware. Some researchers' computers were compromised after they visited the hackers' blog.
[Pescatore] In the last SANS Top New Attacks and Threat Report, we highlighted two active and sophisticated threat vectors: what I called "Highly Targeted Phishing" attacks, like this campaign against cybersecurity researchers, and a more dangerous variant that Ed Skoudis called "Very Deep Persistence" attacks. In these kinds of attacks, malicious capabilities are buried within hardware, accessories, or components such as charging stations in public places, charging cables, or modified USB drives. While this news item focuses on cybersecurity researchers, these techniques have been used against CEOs, CFOs, and Boards of Directors, as well as researchers from many industries. Good topic for a mid-quarter special topic briefing or tabletop exercise with CXOs/boards.
[Neely] While I most often worry about social engineering scams that my family members would fall for, this one targets us as cybersecurity professionals, with pretty decent supporting research and credentials. This example should be used as a teaching moment for colleagues newer to InfoSec. The actor's accounts are reportedly deactivated; even so, reference the Google blog's list of social media accounts and make sure they're no longer connected with you. That blog also contains C2 sites and hashes to incorporate in your detection tools.
[Murray] If cybersecurity "researchers" can be taken in by these "grooming" attacks, imagine the vulnerability of young people. Parents cannot monitor all the activity of children online, but they should try to ensure that they do not correspond with "friends" that they meet online.
Read more in:
Google: New campaign targeting security researchers
Wired: North Korea Targets--and Dupes--a Slew of Cybersecurity Pros
Ars Technica: North Korea hackers use social media to target security researchers
Dark Reading: North Korean Attackers Target Security Researchers via Social Media: Google
Vice: North Korean Hackers Hacked Famous Hackers With Fake Hacking Website, Google Says
The Register: I was targeted by North Korean 0-day hackers using a Visual Studio project, vuln hunter tells El Reg
Mimecast Says Certificate Compromise Perpetrated by SolarWinds Threat Actors
(January 26 and 28, 2021)
Mimecast has confirmed that the certificate compromise reported in January was carried out by the same threat actors responsible for the SolarWinds supply chain attack. In a blog post, Mimecast writes, "Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes."
[Pescatore] Two key points here: First, the Russian attackers targeted and compromised at least two large security vendors, FireEye and Mimecast. All major security product and service procurements should be evaluating what security vendors in particular are doing to prevent this, including evidence of external third-party active security assessments and acceptable scores from third-party risk analysis services. Second, compromises of cloud service providers like Mimecast have been rare, but they do happen. When they occur, they point out that when cloud services are in your supply chain, they have a lot of moving parts and interdependencies. The severe impact of the SolarWinds compromise has raised the visibility of the need for upgrades in supply chain security--good to add a special focus on the cloud services aspect.
[Neely] Mimecast is neither a small nor inexperienced security service provider. Both Mimecast and FireEye should be noted for their exemplary transparency, sharing lessons learned and proactive response to protect users and follow up. Do your service providers have a similar posture in the event of compromise? Also, kudos to Microsoft's security team for reaching out to potential competitors when security problems were identified.
[Murray] Signing keys should not be stored online when not in use.
Read more in:
Mimecast: Important Security Update
Cyberscoop: Mimecast confirms SolarWinds attackers breached security certificate, 'potentially exfiltrated' credentials
Gov Infosecurity: Mimecast Confirms SolarWinds Hackers Breached Company
Threatpost: Mimecast Confirms SolarWinds Hack as List of Security Vendor Victims Snowball