'More complex, more frequent and more destructive': Six months in cyber security

Three stories that define cyber in the first half of 2021

The first half of 2021 has picked up where 2020 left off, and that's not good news for those tasked with keeping their organisation's systems and data secure.

Let's take a look at three of the main themes so far: the SolarWinds supply chain attack, the widespread exploitation of Exchange Server vulnerabilities, and the continuing scourge of ransomware.

SolarWinds

In December last year, security firm FireEye reported an attack it believed to be by a state-sponsored threat group, which had stolen some of the hacking tools the company uses for testing customers' defences.

FireEye's admission was quickly followed by a statement from the US government detailing a state backed attack on the US Treasury and Commerce departments and possibly others too. This list lengthened worryingly as the days went by and even included the US nuclear weapons agency.

The attackers were revealed to have gained unrestricted access to internal email systems, enabling them to monitor emails in these agencies over many months, perhaps even up to a year.

Soon the entry point was identified as a malicious update for SolarWinds Orion network monitoring software. Aside from the US government, around 18,000 companies were believed to have installed the malware-laced update which allowed attackers remote access into their networks.

According to cyber experts, the attack was incredibly sophisticated, using up to 18 separate components to breach defences, open backdoors, disable systems designed to verify the Orion source code and keep ports open all without raising the alarm. These included a variety of backdoors, post exploitation downloaders, tools to allow source code compromise, custom HTTP trace tools used to find a path out to a command and control server, and malware designed to impersonate Windows services while doing something very different behind the scenes.

This is a whole ecosystem of interacting malware that allows multiple ways in and evolves with the attack.

The SolarWinds hackers also accessed code from tech firms including Cisco, Intel, Microsoft and Mimecast.

The US pinned the blame on Cozy Bear or Nobelium, a group connected with Russia's SRV foreign intelligence services, the duration of the attack and the meticulous attention to detail suggesting intelligence gathering as the motive.

Since January there has been a steady flow of stories about new compromises by groups who may or may not be related to the original attackers, with targets rippling rapidly outwards from the initial bullseye of Washington DC.

For example, researchers from Swiss company Prodaft said a hacking group, dubbed SilverFish, has been running a separate massive campaign since August to steal sensitive data from around 4,700 government organisations and private firms.

US organisations may have made up the bulk of the attacks, but a third occurred in Europe. The significant overlap with the US victims of SilverFish and those hit in the original SolarWinds attacks suggests that this the same group, or possibly a spinoff, but it could be a new actor attacking the same vulnerabilities.

Last month Nobelium was found to be attacking NGOs including USAID, hacking the email system to send phishing emails that appeared genuine as they came from within USAID itself.

In response, the Biden administration is proposing billions of dollars worth of improvements to security, including new standards for software development that companies must meet if they supply the government.

The US government has also promised a mix of ‘seen and unseen' retaliations against the attackers, and it sanctioned six Russian tech forms for allegedly aiding government hackers.

In the UK the DCMS opened up a supply chain security consultation about the best ways to defend attacks like SolarWinds.

And NATO members released a communique in which they equated a cyber attack on a member with an armed assualt in terms of how the organisation might respond. " Cyber threats to the security of the Alliance are complex, destructive, coercive, and becoming ever more frequent," they said.

Exchange Server

Thread number two is Microsoft Exchange Server

On March 2nd, security vendor Volexity reported an active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities which were being used to steal email and compromise networks. These attacks appear to have started in January, the company said.

A couple of days later, Microsoft hurriedly released patches for four vulnerabilities in its email server software, which included a flaw that enables attackers to steal mailbox content, a bug allowing attackers to execute code as admin, and vulnerabilities that let them write a file to any part of the server.

In combination these created a serious hole, allowing attackers full remote control of the compromised system.

Microsoft attributed the attacks to a state-sponsored threat actor, which they called Hafnium, in keeping with a current trend to name hacking groups after chemical elements.

In the past, Hafnium has targeted laws firms, scientific researchers, educational institutions and defence contractors, with the apparent aim of stealing sensitive information.

Hafnium carried out its recent attacks in three steps: first, it used zero-day bugs or stolen passwords to gain access to an Exchange Server. The attackers then created a web shell to control the compromised server remotely; and finally, used their remote access to exfiltrate sensitive data from compromised systems.

Hafnium is thought to be based in China, but it primarily uses leased virtual private servers in the US, showing how difficult it can be to pin the blame for a particular attack on one group or jurisdiction when cyber crime's infrastructure is global.

Just a few days later, it was reported that at least 30,000 organisations across the United States and probably hundreds of thousands worldwide had been compromised through Exchange Server flaws.

The pace of the attacks stepped up markedly after Microsoft released its patches, which is worrying as the patches are not effective after a breach has occurred. The uptick also suggests the attacker has plenty of resources and is able to intensify its efforts while the opportunity is there.

Another worrying thing was that within a week of Microsoft releasing its patches, ten new hacker groups were observed to be exploiting the Exchange bugs, which shows that the patching window for major vulnerabilities like these has become very narrow indeed.

And of course, it wasn't long before the attack du jour, ransomware, came along. Just three weeks after the announcement, two strains of ransomware, DearCry and BlackKingdom exploiting the Exchange Server flaws, and more recently a new strain called 'Epsilon Red' was found to be actively hunting for unpatched Microsoft Exchange servers.

So the moral to this tale is simple: Keep your eye on alerts and patch as soon as you possibly can.

Ransomware

Which brings us to our third story thread: Ransomware.

Over recent weeks, there have been discussions in this country and elsewhere about whether paying ransoms should be made illegal. It's easy to take the moral high ground before it happens, not so much when your business is about to go under, or if you have already purchased cyber-insurance for this purpose, in which case paying up may be the least bad option.

Nevertheless, over the past 18 months ransomware has become a fast-evolving pandemic, and we really don't need any more of those... So if you don't cut off the funding in that way, what can the authorities do? I suspect we'll see payment bans coming in fairly soon.

Here are a few ransomware stories from this year - there are many, many more where these came from.

One of the first to succumb in 2021 was UK Research and Innovation, which lost some websites and internal communications to ransomware.

Next to topple was Serco, apparently done over by the Babuk ransomware gang.

Data was apparently stolen from Serco and the typical badly written menaces followed: "Your partners such as NATO, or Belgian Army or anyone else won't be happy that their secret documents are in [sic] free access in the internet."

CD Projekt Red, the developer of the dystopian future video game Cyberpunk 2077, unfortunately succumbed to a dystopian tech attack by a ransomware gang who threatened to release the source code of the then-unreleased game.

The education sector had more than its fair share of misfortune with Northampton and Hertfordshire Universities and two Birmingham colleges forced to shut down online learning for a period. Harris Academies was another casualty.

On the high street, FatFace coughed up £1.5 million, and in the US a major fuel transport company Colonial handed over $5 million to a gang who had forced the shutdown of a major pipeline, leading to long queues for petrol in many states. We learned later that the hackers use a compromised VPN password to gain access, and the at the FBI somehow managed to recover a substantial proportion of the ransom.

Meanwhile, a fascinating interview by Russian cyber expert Dmitry Smilyanets with a REvil hacker called 'Unknown' gave insight into the mentality of the ransomware gangs.

Unknown said the REvil gang doesn't target businesses within Russia or the ex-Soviet Union for reasons of patriotism (or perhaps to avoid defenestration), but everyone else is fair game.

A favourite tactic is to hack insurers to find out which customers have cyber insurance and are therefore most likely to pay, then to go after those firms. Later the gang returns to attack the insurance company itself.

Unknown describes extorting companies as 'helping' them, and was keen to ‘help' pharmaceutical companies which he sees as profiteering from the pandemic. Perhaps most disturbingly Unknown claims the gang has hacked a missile launch system, a US Navy cruiser and a nuclear power plant - although fortunately it believes starting a war would be bad for business. Which is quite a relief.

Meanwhile, food packing giant JBS paid $11 million to REvil to unlock its systems, and to mitigate other issues connected to the attack.

Keep your heads down - we're only half way through!