Follow ISA on LinkedIn to get notified of the latest cybersecurity news.
SolarWinds breach fallout continues
As we enter 2021, the news continues to be bad for SolarWinds as a result of the Orion supply chain hacking incident disclosed in mid-December. The breach is now believed to have affected up to 250 American federal and state agencies, as well as dozens of other businesses around the world, according to a report in the New York Times. FireEye, the security firm that first identified the malware infection, has confirmed victims in North America, Europe, Asia and the Middle East – these include tech firms, healthcare organizations, and oil and gas concerns among others. Microsoft has now confirmed that the impact to their own operations was greater than first thought, with some source code and internal libraries having been exposed to the threat actors.
Meanwhile, a second backdoor (nicknamed “Supernova”) has been documented by researchers, joining the original “Sunburst” backdoor discovered by FireEye. On December 19, 2020, Microsoft reported evidence of an attack distinct from Sunburst that compromised some versions of SolarWinds’ Orion software. Unlike Sunburst, which was built into an Orion update and carried SolarWinds’ legitimate code-signing signature, the Supernova DLL was not digitally signed, leading researchers to believe that a different group developed the second stream of malware.
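Because the two backdoors differ on exactly this point, a quick triage step on an Orion server is to inventory the Authenticode status of every binary under the install directory. The PowerShell below is an added example and is not SolarWinds’ or FireEye’s tooling; the install path is an assumed default that should be adjusted for the environment.

```powershell
# Added example (not SolarWinds' own tooling). Lists Orion binaries whose Authenticode
# status is anything other than a valid signature from SolarWinds, plus a SHA-256 for
# each so the result can be compared against the hashes in the vendor advisory.
# $OrionPath is an assumed default install location; adjust for the environment.
function Get-UnsignedOrionBinary {
    param(
        [string]$OrionPath = 'C:\Program Files (x86)\SolarWinds\Orion'  # assumption
    )

    Get-ChildItem -Path $OrionPath -Recurse -Include *.dll, *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } |
        # Anything unsigned, tampered, or signed by someone other than SolarWinds is worth a look.
        Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'SolarWinds' }
}

# Usage: review the findings, then check the remaining SolarWinds-signed files against the
# advisory hashes, since a valid vendor signature alone did not distinguish Sunburst.
Get-UnsignedOrionBinary | Sort-Object Status, Path | Format-Table -AutoSize
```

The caveat matters: an unsigned or mis-signed file would surface Supernova, but Sunburst shipped with a valid SolarWinds signature, so a clean signature check does not clear a server. The SHA-256 column is there so the signed files can still be compared against the hashes and version guidance SolarWinds publishes on its advisory page.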
Responding to the new threat, SolarWinds published updated guidance on responding to both the Sunburst and Supernova backdoors on its advisory page, which has now been augmented with an extensive FAQ section and a CERT advisory summary page.
While Russian interests are still widely believed to be behind the intrusion, further investigation has revealed that the hackers managed the attack from servers inside the United States, “exploiting legal prohibitions on the National Security Agency from engaging in domestic surveillance and eluding cyber defenses deployed by the Department of Homeland Security,” according to the New York Times report.
Many also wonder whether the backdoors and surveillance are only a prelude to larger attacks in the future. Given the nature – and length – of the SolarWinds breach, it is possible that the hackers were merely laying the groundwork for more serious threats to infrastructure and operations around the world.
Understandably, concerns are mounting about the very future of SolarWinds itself. Their compromised Orion product accounts for nearly half the company’s annual revenue. At year-end, SolarWinds’ stock had dropped 35% since the disclosure of the incident. Moody’s Investors Service currently has SolarWinds under watch, considering a rating downgrade for the company. There is a “potential for reputational damage, material loss of customers, a slowdown in business performance and high remediation and legal costs,” stemming from the cyber attack, according to a Moody’s rating action bulletin.
Restoring confidence in the company will be a major challenge for SolarWinds’ new CEO Sudhakar Ramakrishna, whose first day on the job is January 4, 2021. Ramakrishna, who was named to the post just days before the cyber attacks were made public in December, replaces Kevin Thompson who left the company at the end of 2020 (in a departure planned months earlier).
Kawasaki Heavy Industries confirms June 2020 breach
On December 28, 2020, Japan’s Kawasaki Heavy Industries issued a press release that confirmed they had suffered a security breach dating back to June 2020. The release outlined a chronology extending from their initial discovery of the breach (unauthorized system access from an office in Thailand to the home office in Japan) through their global investigation and remediation efforts. The incident, at least in part, prompted the manufacturing company to establish a Cyber Security Group in November 2020 to strengthen security analysis and response.
The company addressed the significant delay in publicly announcing the breach, as the discovery and notification to business partners potentially affected by the incident took place months earlier. Since the scope of the unauthorized access spanned multiple offices worldwide, Kawasaki advised, “it took a considerable amount of time until the company [could] formally announce the incident. We sincerely apologize for this delay and for the inconvenience and concern to customers and other related parties.”
Kawasaki did not disclose what information was affected by the breach, but stated that, because the intrusion left no digital footprints, it has not been possible to determine what data, if any, was disclosed to third parties as a result of the incident.
21 arrested for buying stolen data online
On December 25, the UK’s National Crime Agency (NCA) announced that 21 people had been arrested as part of a five-week, nationwide crackdown on former customers of weleakinfo.com, a now-shuttered online clearing house for stolen data.
According to the report, cyber criminals paid for access to the site in order to download personal data and user credentials, which were in turn used to drive further criminal activities like credential stuffing attacks and fraud offences. By the time weleakinfo.com was finally shut down in January 2020, it hosted an estimated 12 billion stolen credentials from over 10,000 data breaches around the world.
The bulletin also suggested that, besides being customers of weleakinfo.com, some of those arrested had purchased other cybercrime tools such as remote access trojan (RAT) malware and crypters (software that obfuscates malware to make it harder for anti-malware products to identify).
Of those arrested – all men aged between 18 and 38 – nine were suspected of Computer Misuse Act offences, nine for fraud offences, and the remaining three are under investigation for both. Over $72,000 (Canadian) in bitcoins was also seized in the raids. A further 69 individuals in England, Wales and Northern Ireland were visited by Cyber Prevent officers, warning them of their potentially criminal activity. Many more “warning visits” are scheduled for the coming months.
Looking back at 2020
CISO Magazine has compiled a pair of 2020 retrospectives, reflecting on an explosive year in cybersecurity.
Their “Top Nine Data Breaches of 2020” report highlights some of the most newsworthy cyber incidents of the year, culminating with the SolarWinds supply chain breach that came to light in mid-December. Meanwhile, their “Biggest Datasets Sold on the Darknet” piece is a “top five” list that outlines the largest recorded sales of stolen data on the dark web, with information sold at prices ranging from 1/5 of a cent per record all the way up to thousands of dollars (US) per item.