Microsoft Vulnerability – Never Scramble To Patch Again

On March 2nd, 2021 Microsoft informed the world of a vulnerability in Microsoft Exchange. This vulnerability is active in the wild and has already been exploited by malicious actors from China and beyond. This well documented attack found by the security researchers at Volexity in Reston VA, exploits four different vulnerabilities in Exchange to gain access to emails without authentication.

Fact is, software teams are always under pressure to continuously release new features at breakneck pace. This is driven by the urgent need to keep up with market demands and competitive pressures.

This means that the vulnerability posture of all software continuously deviates with every update and upgrade. Software that at some point was free from vulnerabilities, may be riddled with them after updates. Even if the update includes security patches, the patches themselves along with new features may introduce new vulnerabilities.

So how can you defend against these popup vulnerabilities?

The traditional recommendations have been to implement “defense in depth”  — the layering of multiple security products. However, not only is this model expensive, it also does not address the challenges new exploits introduce. In most cases, it creates complexity that further weakens security.  This is especially true for hybrid infrastructure, where many different tools have to be implemented across offices, clouds, SaaS, data centers and remote users.

So “defense in depth” is not a viable security approach moving forward. It costs a lot of money and burns a lot of resources to actually make security worse. There is more information here: 5 Reasons Security Products Make You Less Secure.

Lots of attention and budget is going to the hip new security model “Detection and Response” (xDR). But what does xDR really buy you? It tells you when something bad has happened and  that you should do something about it — patch all systems, find the compromise and inform customers.

If there was ever a whack-a-mole approach to security, it is xDR. This is often referred to as the “you’re screwed” approach to security. Not particularly proactive, resource efficient or preventative, is it?

The key to prevention is reduction of the attack surface. Today, many applications have to be exposed to the Internet at-large so users can access applications before being authenticated. This is called “Access before Auth”.

Acreto however, uses a very different approach where there is a transparent authentication before users can gain any access to applications. This is called “Auth before Access”.  This approach completely shields the application from exposure to the Internet at-large.

The Acreto approach altogether eliminates the threats and exposures from Internet connected systems. And if authorized users mis-behave, the bad behavior is automatically mitigated.

Limiting access to the attack surface avoids mass exposure. In the case of the Exchange vulnerabilities, it would limit access of the Exchange server to authorized users only, no matter where they are located or what network or networks they operate on.

Reducing your attack surface in this case basically means that the Exchange servers — or any other system, server or application for that matter — will not be exposed on the Internet.

Access is allowed only after authenticating to Acreto and going through a set of controls, as well as ongoing threat and validation checks. This ensures that 1) the user is authorized, 2) the device is authorized, and 3) they never behave maliciously.

This is the default model with Acreto SASE+, where all customer systems benefit from a reduced attack surface — without any special effort, architecture or consideration.

Remote users connect to Acreto, and are transparently authenticated before access to systems,  servers, applications, SaaS, clouds or networks including Exchange or Office365. Acreto protects against Internet or internal attacks, even if the Exchange server or other application is left unpatched.

 

Get more detail on this best practice approach to reduce your exposure to Internet-born, Ransomware or zero-day attacks.  Contact us at info@acreto.io

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Putin’s Eleven: Nation State Hacker Teams Uncovered

Before we discuss Russian nation state hacker teams, let’s look at how military branches have historically been born. On July 2, 1926, the United States Army established the Army Air Corps. After World War II it was determined that we were best served by a separate Air Force, and on September 18, 1947 the Air Force became America’s fifth service. On October 1, 2010 the Army Cyber Command (Army Cyber) was established and commanded by Major General Rhett A. Hernandez. United States Army Cyber Command’s mission is to direct and conduct integrated electronic warfare, information and cyberspace operations as authorized, or directed, to ensure freedom of action in and through cyberspace and the information environment, and to deny the same to our adversaries. It is only a matter of time before the Army Cyber Command becomes our sixth military branch. Much like the US has Special Operations teams – or ‘SpecOps’ – such as the Navy SEALs or Army Delta Force, we have Cyber SpecOps teams. So do our adversaries!

 

Nation State Hacker Teams: The Cyber Special Forces

Think of state sponsored or nation state actors as each country’s cyber special forces team. There are a few reasons that the nation state cyber teams can be more effective than hacktivists, terrorists or financial hackers. To start, they have permission to hack. This means they only have to hide from their remote adversary, and not local authorities; very much like the drone pilots in Nevada, operating behind enemy lines without the physical dangers. The approaches and techniques they use can be a bit louder and bolder without worrying about local authorities.  Furthermore, the only consideration they have for their target is while the attack is in process.  Often once the attack is over, it does not matter if the target knows of the attack and who the attackers are.  The nation’s response to accusations when called out is easy: Deny, Deny, Deny!

So when it comes to hacking, local authorities are all that matter. Just think of the 13 Russians indicted in February 2018, along with the most recent batch of 12 additional Russians in July 2018 indicted by Robert Mueller. So long as they don’t step into the US or allied countries, it just does not matter.

By virtue of not having to expend as much energy hiding, they spend less time on obfuscation and more time on their malicious intent. Moreover, in the event they conduct a cyber attack that is extremely high profile, they don’t have to run and lay low.

 

Russian Tradecraft

The Russian Nation State Hackers used a combination of technical and psychological tradecraft. Despite Robert Mueller’s identification of the attackers personally, there is little chance the indicted Russians will be extradited or suffer repercussions.  

State sponsored cyber hackers also benefit from functional teams. On NCIS, Abbey and McGee can hack into any and every type of system. If there is a lull in the plot – Hack Something! By the way, CBS, would it kill you to hire a subject matter expert so we don’t have to listen to nonsensical techno-babel? There’s no such thing as a “2048 bit firewall”.

In reality though, not every hacker is expert in everything. Complex compromises require teams of specialist subject matter experts that come together within different functional groups, each with a specified expertise.

 

The “Who” Behind Putin’s Eleven

First there is the strategy group. This group either identifies or receives orders on what or who to target for a cyber attack. Sometimes their target is very specific, such as the communications of the National Security Advisor, or it may be a broad mandate, such as demand for access to US critical infrastructure. Examples of critical infrastructure include election systems, power grids and water supplies. Other areas may include communications infrastructure like telephone carriers, radio and TV stations; healthcare infrastructure such as hospitals and blood banks; and transportation infrastructure that include roadways, airports, buses, and trains.

The strategy group will take the broad mandate and develop a specific strategy on how to implement it. For example, they would identify their target – let’s say a power station. To compromise the power station they may define the level of access required to accomplish their objective and specific person or persons to be personally targeted.

They may draw in the research group to perform information gathering and leg work. Prior to the strategy group formulating its approach, the research group investigates the options to identify and gather information on organizations, geographies, sites, systems, vendors, people, and more. This is used by the strategy group to develop the specific action plan.

With their mandates and plans in hand, other groups are brought in with specific functions and specialties. Lets take a closer look.

 

Specialized Cyber Special Forces

The Psychological Operations – or PsyOps – group whose work is focused on social engineering. Not all hackers operate with technology; there are also people hackers or social engineers. Often unsuspecting people are involved as part of the compromise effort. Think of the person who clicks on the malware laced email or the person who plugs in the USB stick they found in the parking lot. These examples are simple. A more advanced, real-life example is when a system administrator was identified and profiled. He turned out to be a fan of hobby trains and belonged to an associated forum. Though the organization systems that needed to be compromised were not vulnerable at the time, the cyber attackers did manage to compromise the hobby train site and collect the sys admin’s password, which happened to be the same as his company password.

In this case, they managed to spend over six months in the system stealing data and committing acts of cyber espionage. The compromise was only discovered after the damage irreversibly impacted the integrity of the company’s data dating six months back. At that point the affected organization did not know what were good data or bad data.  A horrible position to be in!

Thirdly, there is also the exploit development group. These guys are the folks who identify vulnerabilities, and weaponize them.

Another group consists of malware packagers. This is the team that takes an exploit and packages it up for delivery and dissemination. Just like in any sport in which you need to position yourself to be lined up before taking a shot, cyber exploits need specific circumstances to be properly executed. Typically there are existing dissemination frameworks that this team uses and adapts to their specific needs, however nation state hacker teams are known to develop their own dissemination framework as required. An example of the custom framework is StuxNet, where a unique and advanced framework was used to infiltrate Iranian nuclear centrifuges.

Then, there is the BotMaster. There may be instances where an exploit or cyber attack is disseminated, or data from an already implemented exploit is collected and forwarded via a BotNet. BotNets consist of many distributed systems that are already exploited and controlled by the BotMaster, where the user of the system is unaware.  BotNets can be used to disseminate or receive content. A nation-state may have their own BotNet or they may rent one from the various that are on the market – or a combination as required.

There is also a recruiter, the proverbial “Danny Ocean” who knows and is trusted by the different players to make sure the right resources are accessible as they are needed. Some of the hackers recruited are pure mercenary, while others need to be deceived. Often the recruit doesn’t know who they are working for. Interestingly enough, the recruiter may also be recruited themselves and be unaware of their employer.

Lastly, there is the buyer. The buyer has relationships with commercial exploit developers as well as a reach into the deep dark crevices of the dark web that exploit developers lurk in. This is how the state sponsored cyber-warriors have access to the best exploits, including zero-day exploits that the industry may not even be aware of. These exploits are purchased from commercial exploit developers authorized to sell to sanctioned groups, or on the dark web by the highest bidder. The dark web bidder is often anonymous and may be a country such as the US, Russia, China, North Korea, Iran or EU countries, among others. To do this they use Cryptocurrency, and lots of it. Usually, only nation states can afford to spend money on the juiciest exploits. And if you want exclusivity, then you will pay more. Nation states also have the resources to “get even” if the exploit seller does not respect their exclusivity.

 

Nation State Hacker Teams: Well-Funded & Well-Trained

Nation state Hacker teams are the best funded of all cyber attacker types. Hacking is expensive at this level. You need to be able to afford the rock stars, their support teams and infrastructure, tools, and exploits. Occasionally, they may need to bring in the “consultant” experts in a particular area, and these people cost money too. This type of operation needs management and is typically managed by a team of executive, director and manager ranks that are usually military. Though inexpensive compared to the cost of conventional troops and warfare, nation-state hacking teams still have a cost structure that can not be afforded by other Hacktivist, Terrorist or Financial groups.

With access to the broad resources with formal operational management, these teams are also the best trained. There is formal training, but also the training that comes from access to so many different approaches, techniques and other smart people. It drives up the expectations and operating tempo.

The best example of this “Putin’s Eleven” model is the 25 Russians Robert Mueller indicted for taking part in the compromise of the 2016 US elections that leveraged both technical and psyops efforts.  The 25 indicted Russians are representative of only two groups: “Fancy Bear” or APT28 and “Cozy Bear” or APT29. Moreover, these indictments may represent only the key players in the groups. It’s likely that many more were involved in support roles. The Russian nation state hacker teams are not your granddaddy’s spray and pray hackers.

In comparison to industry standard cyber security protection models, with roots dating back to medieval times, nation state hacker teams are organized, directed, well funded and use advanced techniques and the latest exploits to pinpoint and devastate their befuddled targets!

 

About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

Russian Nation State Hackers & What We’re Not Doing

The effective use of Russian nation state hackers led to a hacked election that has resulted in a hacked America. We’re still licking our wounds and not doing anything about it. In fact, we are arguing if it happened at all!

Cybersecurity strategy incorporates the confluence of technology, business and geopolitics with so many moving parts that to call them complex is an understatement. Strategies must span multiple geographies across a plurality of nations and continents. That is why no one can “go it alone”.  Today we need our friends more than ever – not just for geopolitics, but also for cyber defense. Collaboration is the underpinning of cybersecurity.

As the largest global economy that comprises infrastructure, industry, enterprise and institutions, the US is the most technologically advanced. Many American companies span the globe making them one big glass house while the rest of the cyber world are kids with rocks on a dare. These “kids with rocks” fall into four major categories.

 

Four Major Types of Hackers

First, there are hacktivists, who hack for their cause. The most well known of these being the loosely bound group called Anonymous. The second category is terrorist organizations such as ISIS and Al Qaeda. These organizations recognize cyber warfare as a cornerstone to their mid to long-term strategy and are working feverishly and investing heavily to get them to maturity. The third group is financial hackers. The best way to describe financial hackers is the Mob and Cartels’ online arm. And finally, the most dangerous are state-sponsored hackers.

Even though they operate behind triple or quadruple blind systems, which makes tracking them extremely difficult, they can be identified by their unique hacking techniques or fingerprints.

Nation state hackers are not the moody lone-wolf nocturnal teenagers cranking death metal and surviving on Amp energy drinks. That’s a TV cliche. And hacking is not an organic game of pickup, where individual hackers are swapped indiscriminately. Nation state hackers are carefully curated teams that train, collaborate and solve problems together. Not only do they have to get along and gel over time, but they have to build and test many foundational tools they need to perform the advanced objectives they are charged with. Sometimes this can take years!

 

Hacking Fingerprints

Cyber-threat intelligence organizations that monitor and track Advanced Persistent Threats – APTs – use their threat fingerprints to build a profile on each team over time. The collection of fingerprints defines each team, otherwise called an APT. The profile fingerprints for the Russians, Chinese, North Koreans and Iranians all vary.

Each APT, or different hacking group, is assigned a unique number for identification. For example, APT37 is North Korea, APT34 is Iran, and the American election hacks are associated with APT28 and APT29 – which are obviously Russian nation state hackers. In fact, APT28, otherwise known as “Fancy Bear”, is a completely different team than APT29, “Cozy Bear”, both of which work for the Russian Government.  As an example, here is a sample of the fingerprint for Fancy Bear (APT28) that has been tracked since 2007, and the reasons for American intelligence agencies’ confidence in Russia as source for the election hacks:

APT28

Source: FireEye

Target Sectors:

The Caucasus, particularly Georgia, eastern European countries and militaries, North Atlantic Treaty Organization (NATO) and other European security organizations and defense firms

 

Type:

Cyber Espionage

 

Overview:

APT28 is a skilled team of developers and operators collecting intelligence on defense and geopolitical issues—intelligence that would be useful only to a government. This APT group compiles malware samples with Russian language settings during working hours (8 a.m. to 6 p.m.), consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely the Russian government.

 

Associated Malware:

 CHOPSTICK, SOURFACE

 

Attack Vectors:

Tools commonly used by APT28 include the SOURFACE downloader, its second-stage backdoor EVILTOSS and a modular family of implants dubbed CHOPSTICK. APT28 has employed RSA encryption to protect files and stolen information moved from the victim’s network to the controller. It has also made incremental and systematic changes to the SOURFACE downloader and its surrounding ecosystem since 2007, indicating a long-standing and dedicated development effort.

 

Operations:

Operation RussianDoll:  Adobe & Windows Zero-Day Exploits Likely Leveraged by Russian APT28 in Highly-Targeted Attack

 

Detailed Report:

https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html

 

There are other means for determining the source of attacks.  Aside from fingerprinting, intelligence agencies do track the sale of zero-day exploits purchased on the markets. Zero-days are exploits for previously unknown vulnerabilities.

 

Exploits on the Market

There are numerous commercial and underground organizations whose business is finding, exploiting and weaponizing vulnerabilities.  Once the exploit is developed, it’s put up for bid – and governments are the most affluent bidders. Commercial organizations offer them for sale on the public market to sanctioned agencies, while underground groups sell their exploits on the black market to the highest bidder indiscriminately. In the case of juicy exploits, the buyer may pay significant sums for the privilege of exclusivity. The buyer wants the advantage of a weapon that nobody else has. All governments use a variety of proprietary techniques, technologies and informants to track the exploit inventory of both rival and ally countries.

Ultimately the recourse to cyber attacks is a blunt instrument in the form of counter-attack. Counter attacks may be counter hacks, economic sanctions, embargoes, or a combination.  However, countering the attacks on commercial and critical infrastructure is often reserved for the largest organizations and limited to the largest and most egregious attacks. American election compromises is such an example.

At this particular point in time, America has opted for a “go it alone” approach to global relationships. Collaboration on cyber issues is not exempt from this. As the occupant of “The Big Glass House” in a world of rock-throwing kids, especially Russian nation state hackers, America needs its friends more than ever.

 

Hacked America Not Minding The Store

Collaboration between government and commercial threat intelligence is key to a successful cyber strategy.

The nation’s top intelligence officer, Director of National Intelligence Dan Coats, indicated on Friday, July 13 that the “persistent danger of Russian cyberattacks today was akin to the warnings the United States had of stepped-up terror threats ahead of the Sept. 11, 2001, attacks.” (nytimes.com) “The system was blinking red,” Coats said. “Here we are nearly two decades later and I’m here to say the warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack. Every day, foreign actors – the worst offenders being Russia, China, Iran, and North Korea – are penetrating our digital infrastructure and conducting a range of cyber-intrusions and attacks against targets in the United States.”

Recently, Congress has zeroed out nearly $400 million from the fund used to protect the integrity of our election and has blocked subsequent efforts to fund it across partisan lines. In April 2018, the White House Cybersecurity coordinator was relieved from his role less than six months from the November elections. As of the end of July no replacement has been named. Moreover, tough sanctions passed by congress in July 2017 are yet to be implemented as of July 2018. It may be too late for anyone to take the helm and implement meaningful protections at such a late stage.

Collaborating to stop these attacks requires leadership, funding, a competent team, communications and sharing. At this point in time we have the competent team members in the form of our intelligence agencies that are raring to be let loose. However there is no leadership, no mandate and no funding. We also find ourselves in a strange situation with sparse dialog with our allies due to newly formed political trust issues. The patient is not in trouble because a first- year med student is the surgeon. Rather, the patient has been abandoned by the surgeon with little time to live while the operating room is dark because nobody paid the utility bill.

Next in this series we will look at an example of Russia’s nation-state hacking teams and their construct in our blog: Putin’s Eleven: Nation State Hacker Teams Uncovered.

 

About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




    Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




      Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




        Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.