The Week In Breach – About that SolarWinds Breach…

Make sure to add us or contact us for the latest news

The Week in Breach: Featured – US Government Hack is a Cautionary Tale of Nation-State Hacking, Third-Party Risk, and Phishing

The US federal government was sent reeling by a massive cybersecurity incident that sounds like it came out of a spy novel. Suspected Russian nation-state actors were not only able to hack into critical systems at a laundry list of federal agencies, they were able to hang out in them for months, conducting a massive espionage operation – and US officials were none the wiser. This tale of a US government hack featuring third party security risk, nation-state hacking, phishing, and cybercrime should serve as a caution for every organization.


Third-Party Vendors Bring Risk


The unraveling of this cybersecurity disaster began with cybersecurity penetration testing and development heavyweight FireEye announcing that it had been breached by suspected Russia-backed nation-state hackers. The company disclosed that hackers had snatched its fabled Red Team tools, used to test and monitor the safety of some of the world’s most critical data. FireEye also noted in a blog post that this was an extremely uncommon type of attack, seemingly designed specifically for that purpose and using techniques that had never been seen before.

The next round of revelations turned that first tremor into an earthquake. Multiple US federal agencies began discovering that they too had experienced security breaches that could be traced to Russia-backed hackers, likely GRU operatives and cybercriminals from the notorious Cozy Bear group. All of these agencies had a common denominator that tied them together: they used security tools created by Austin-based software developer SolarWinds.

Then SolarWinds announced that it too had been breached by suspected Russian nation-state hackers. Bad actors obtained legitimate credentials that allowed them to access systems undetected, likely through some variety of phishing. They then slipped snippets of malware code into a routine update to the company’s Orion software, commonly used for monitoring by government agencies, Fortune 500 companies, and other heavyweight organizations with intense security needs.


You See Mundane Tasks, But Bad Actors See Opportunity


Patching, updating, and maintenance are routine tasks performed by IT teams every day. They are not something that gets a great deal of attention – making them the perfect way for crafty hackers to get inside important organizations without raising suspicion. While patches aren’t automatic and undergo reviews to ensure that functionality is maintained, no one looks twice at the security implications of a patch from a trusted vendor like SolarWinds – and that opens companies up to supply chain risk.

But in a banner year for cybercrime, this update was anything but routine: it was laced with malware that allowed the hackers to open back doors into the systems of those who applied the patch. SolarWinds advised customers as part of an SEC filing that Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with malware. Of the company’s 300,000 customers worldwide, the company estimates that 15,000 have been impacted. CISA has released updated guidance on this issue.
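The first practical step after an advisory like this is to find every install whose version sits inside the affected range. The following is an added example written for this article, not code from SolarWinds, CISA, or the newsletter: it parses version strings numerically and flags Orion hosts in the range the article quotes (2019.4 through 2020.2.1, inclusive). The inventory lines, hostnames and CSV layout are constructed for illustration.

```python
"""Flag SolarWinds Orion installs whose version falls inside the range
the article quotes as tainted: 2019.4 through 2020.2.1, inclusive.

Added example, not from the original article or from SolarWinds.
The inventory below is constructed; real asset exports will differ.
"""
from typing import List, Tuple

# Range as stated in the article; both ends inclusive. Versions are
# kept as integer tuples so that comparisons are numeric, not lexical.
TAINTED_LOW: Tuple[int, ...] = (2019, 4)
TAINTED_HIGH: Tuple[int, ...] = (2020, 2, 1)

# Constructed sample inventory: hostname,product,version
SAMPLE_INVENTORY = """\
srv-mon-01,SolarWinds Orion,2019.4
srv-mon-02,SolarWinds Orion,2020.2.1
srv-mon-03,SolarWinds Orion,2020.2.4
srv-mon-04,SolarWinds Orion,2019.2
srv-mon-05,SolarWinds Orion,2020.10
srv-file-01,Some Other Product,2020.2
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2020.2.1' into (2020, 2, 1).

    A plain string comparison would wrongly sort '2020.10' before
    '2020.2'; integer tuples compare the way version numbers should.
    Raises ValueError on a non-numeric component, so malformed
    inventory rows are not silently treated as 'not affected'.
    """
    return tuple(int(part) for part in text.strip().split("."))


def in_tainted_range(version: str) -> bool:
    """True if `version` lies within [TAINTED_LOW, TAINTED_HIGH].

    Tuple comparison treats a shorter prefix as smaller, so '2020.2'
    counts as below '2020.2.1' and is therefore inside the range.
    """
    return TAINTED_LOW <= parse_version(version) <= TAINTED_HIGH


def flag_affected(inventory: str, product: str = "SolarWinds Orion") -> List[str]:
    """Return hostnames running `product` at a version in the tainted range."""
    affected: List[str] = []
    for line in inventory.strip().splitlines():
        host, prod, version = (field.strip() for field in line.split(","))
        if prod != product:
            continue  # other products are out of scope for this advisory
        if in_tainted_range(version):
            affected.append(host)
    return affected


if __name__ == "__main__":
    for host in flag_affected(SAMPLE_INVENTORY):
        print(f"{host}: Orion version in tainted range, review CISA guidance")
```

On the constructed inventory this flags srv-mon-01 and srv-mon-02 only; 2020.2.4 and 2020.10 are outside the range even though a naive string comparison would place 2020.10 between 2020.1 and 2020.2. Treat a hit as a starting point for the vendor's and CISA's remediation guidance, not as a verdict on whether the host was actually exploited.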


The Impact Strikes Far and Wide

The list of impacted customers includes many major organizations, among them multiple US federal government agencies and administrative operations, as well as national defense targets including:

  • The US Department of Homeland Security
  • The US Department of State
  • The National Institutes of Health
  • The US Department of Commerce
  • The US Department of the Treasury

As organizations began to assess the damage from the incident, it was noted that these attacks had been carried out with great subtlety. Bad actors had been quietly exploring email accounts, copying data, reviewing records, and accessing other sensitive information at US federal agencies for months. It’s not yet clear what the full scope of the damage is or how intense the recovery may be.

In addition to US government targets, major entities including non-US government agencies, power companies, manufacturers, and defense contractors could be at risk of incursion, or may already have hackers using these techniques inside their systems. The hackers involved made a habit of obtaining legitimate credentials to access systems and data whenever possible, and quickly created and deleted files to reduce their digital footprint, making them harder to catch.

The fallout from this mess will reverberate throughout the cybersecurity landscape for many months, if not years, to come. One important takeaway from this incident can help businesses avoid similar pitfalls in the future: it’s time to take the risk of unanticipated disasters from third-party compromise seriously. No company can afford to just hope that their vendors and partners are taking security as seriously as they do.


Get Stronger Locks to Keep Cybercriminals Out


The first line of defense for every company is secure identity and access management. The hackers in these incidents were careful to use official credentials whenever possible, most likely gained through password cracking and phishing. Adding a secure identity and access management solution to your security stack is a must-have.

  • Multifactor Authentication – Take the bite out of a stolen, phished, or cracked password by requiring a second identifier for that user to gain access to systems and data.
  • Single Sign-On LaunchPads – One great benefit of single sign-on LaunchPads is that they make it easy for IT teams to quarantine and remove access from compromised accounts in a flash, preventing them from doing more damage.
  • Secure Shared Password Vaults – Keep your company’s most valuable passwords for critical systems and data in a central location with special security protection. Not only does this make it easy for IT teams to get to important passwords quickly in an emergency incident, but it also throws up additional roadblocks between highly privileged credentials and hackers.

Contact IntegraMSP today to see how we can protect your business. Don’t wait to put simple, affordable protection in place that keeps cybercriminals out. Password security is a business essential, but it’s also a tremendous tangle of tools, solutions, and conflicting priorities. We can make it easy for you to make sure that the right people in your business have access to the right things – and only the right people.


The Week in Breach News – United States


United States – SolarWinds

https://www.newsweek.com/solarwinds-hack-customer-list-suspected-russian-cyberattack-1554467

Exploit: Hacking (Nation-State)

SolarWinds: Cybersecurity Software Developer


Risk to Business: 1.122 = Extreme

An incursion by suspected Russian nation-state hackers at this major cybersecurity solutions provider was the suspected starting point of a massive hacking incident impacting a number of federal agencies and defense assets. The hackers were able to obtain authentic credentials that enabled them to inject code into a routine software patch, opening backdoors into client files and systems. SEE MORE ABOUT THIS STORY>>

Individual Risk: No personal or consumer information was reported as impacted in this incident.

Customers Impacted: 3,000

How it Could Affect Your Business: Nation-state hacking is a growing problem that can lead to damaging, nightmarish consequences. One tool that was used in this hack was that old favorite – phishing.

IntegraMSP to the Rescue: Phishing resistance training is a must-have for every company in 2021. BullPhish ID is an affordable, effective training solution that fits every business. SEE WHAT BULLPHISH ID CAN DO>>


United States – FireEye

https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html

Exploit: Hacking (Nation-State)

FireEye: Cybersecurity Solutions Development and Testing


Risk to Business: 1.411 = Severe

FireEye was also impacted in this week’s suspected Russian hacking operation. Hackers were able to penetrate FireEye’s systems security to obtain several of their vaunted Red Team tools. FireEye immediately detected the hack and released a statement exposing it. That was the first domino in the cybersecurity disaster cascade. SEE MORE ABOUT THIS STORY>>

Customers Impacted: Unknown

Individual Risk: No personal or consumer information was reported as impacted in this incident.

How it Could Affect Your Business: Even the biggest kids on the block can be taken down by determined hackers. Reviewing and updating cybersecurity and incident response plans has to be a top priority in 2020.

IntegraMSP to the Rescue: Your customers need solutions that protect their data from risks like this one, but tough times and tight budgets may be standing in the way of closing that sale. With Goal Assist, you can tag in an ID Agent expert to help you seal the deal. LEARN MORE>>


United States – Netgain

https://www.bleepingcomputer.com/news/security/ransomware-forces-hosting-provider-netgain-to-take-down-data-centers/

Exploit: Ransomware

Netgain: Data Hosting Provider


Risk to Business: 2.127 = Severe

A ransomware incident led to shutdowns and slowdowns across Netgain’s data hosting environment. The company was forced to completely shut down all systems on 12/4 for containment and remediation. Service has been restored to customers but they may still experience performance issues.

Individual Risk: No personal or consumer information was reported as impacted in this incident.

Customers Impacted: Unknown

How it Could Affect Your Business: Ransomware can have damaging consequences for businesses that go well beyond the initial hit, causing huge operational headaches and long recovery operations.

IntegraMSP to the Rescue: Don’t just hope that you’re not next – fight back against ransomware threats. See why you’re at risk and how to protect your business fast. CONTACT US>>


United States – Dental Care Alliance

https://www.infosecurity-magazine.com/news/1m-us-dental-patients-impacted-by/

Exploit: Hacking

Dental Care Alliance: Dental Practice Support Organization


Risk to Business: 2.336 = Severe

Dental Care Alliance, a professional support organization that includes more than 320 dentists in 20 states, has discovered that it experienced a data breach. The incident began on 09/18/20 and was resolved on 10/13/20. No cause has yet been specified and the incident is still under investigation.


Individual Risk: 2.114 = Severe

The stolen information included patient names, addresses, dental diagnosis and treatment information, patient account numbers, billing information, bank account numbers, the name of the patient’s dentist, and health insurance information. Potentially 10% of patients also had bank account information exposed. Impacted patients are being notified by mail and should be wary of spear phishing attempts using this information.

Customers Impacted: 1 million patients

How it Could Affect Your Business: When protecting sensitive information like medical data, it’s essential to maintain strong access point protection to avoid expensive breaches and fines.

IntegraMSP to the Rescue: Protecting your data and systems with more than one layer of security keeps hackers out no matter where they’re from. LEARN MORE>>

The Week in Breach Risk Levels


1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk

Risk scores for The Week in Breach are calculated using a formula that considers a wide range of factors related to the assessed breach.