SolarWinds Orion and What To Do About Cyber Security?


This post is the fourth and final in the series of blog posts written by Roy Seaman, our Percy Hobart Fellowship 2021 fellow from the Royal Marines. We’re calling the series “Posting Roy.” The opinions are Roy’s own, and not necessarily those of Awen Collective, the Royal Marines or the UK MOD. They are also of their time, and based on the information that could be found when the posts were written.

As we move towards ‘secure’, integrated, easily accessible and fast-flowing data on demand, the opportunity to exploit that data increases. The more accessible the data, the more at risk it is.

In December 2020, Microsoft and the cybersecurity firm FireEye reported that around 18,000 organisations had been compromised. It could have been worse, given how many more customers the compromised software has. For some perspective, the victims include 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US military, the Pentagon, the State Department, and hundreds of universities and colleges worldwide. The Pentagon, of all places! I’m sure they have cyber security solutions in place which are rather more robust than the out-of-the-box antivirus software that comes with a new PC or laptop from the local store.

How did it happen? 

The affected organisations either used the SolarWinds Orion IT system management platform themselves or were connected to organisations that did. Further, “[The] attacker has been able to add a malicious, unauthorised modification to SolarWinds Orion products which allows them to send administrator-level commands to any affected installation. This modification:

  • Causes the Orion products to connect to an attacker-controlled server to request instructions

  • Does not rely on the attacker being able to directly connect from the internet to the Orion server

There is evidence of the attacker using this capability in some cases to move from a single Orion server to other parts of the victim’s IT network.” (Dealing with the SolarWinds Orion compromise, 2021)

The attack was a prolonged and progressive APT. Advanced Persistent Threats (APTs) are threats that break into a system, establish persistence and lurk undetected for a period of time. In this case, attackers used malware called Sunburst, also known as Solorigate. Over several months, the attackers conducted small probing tests, such as changing SolarWinds code and exploiting the trust relationship it had with its customers through its software updates. This, combined with loopholes in the supply chain, easy access through Single Sign-On (SSO) systems, and bypassing multi-factor authentication (MFA) systems, allowed attackers to methodically implant malware without setting off alarms.

Loopholes in the Supply Chain

“Attackers gained access to the SolarWinds development process and injected malware, gaining access to the core network and the ability to launch multiple attacks. When SolarWinds customers received notifications of a software update sent by the company, they trusted it, which then allowed attackers to gain access to thousands of systems. As soon as the infected software was launched, a Command and Control (C2) channel was quickly established and became the launchpad for more attacks.” (Engle, 2021).

Something for organisations to consider when designing staff cyber awareness training is how staff can identify the origin and authenticity of emails, software updates and the like. IT and cyber departments could, for example, coordinate synchronised workforce updates as a simple measure to help staff recognise legitimate updates. Zero trust security models could also be applied not only to devices but to account permissions.
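
One way to turn “coordinated, synchronised updates” into something an endpoint can actually check is for IT to publish, over a separate channel, the hash of each approved build together with the rollout window, and refuse anything that does not match. The following is an added example written for this post; it is not code from the original article, from SolarWinds or from Awen Collective, and the manifest format, product name, package bytes and rollout window are all constructed for illustration.

```python
"""Check a downloaded software update against an IT-published approval manifest.

Added example; not code from the original post, SolarWinds or Awen Collective.
The manifest layout, the product name, the package bytes and the rollout
window are all constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for the update package an endpoint has downloaded.
GOOD_PACKAGE = b"example-agent-2.3.1 installer bytes (constructed)"

# Constructed manifest, as an IT department might publish it over a separate
# channel (intranet page, configuration management) ahead of a coordinated
# rollout. The hash is pinned by IT, not read from the download itself.
APPROVED_MANIFEST = json.dumps({
    "product": "example-agent",
    "version": "2.3.1",
    "sha256": hashlib.sha256(GOOD_PACKAGE).hexdigest(),
    "rollout_start": "2021-03-01T08:00:00+00:00",
    "rollout_end": "2021-03-01T18:00:00+00:00",
})


def check_update(package, product, version, manifest_json, now):
    """Return (approved, reasons).

    Every failed check is reported, so an operator sees all the reasons a
    package was refused rather than only the first one."""
    manifest = json.loads(manifest_json)
    reasons = []

    if manifest["product"] != product or manifest["version"] != version:
        reasons.append("product/version not in the approved manifest")

    # Compare the hash of what was actually downloaded with the pinned value.
    digest = hashlib.sha256(package).hexdigest()
    if digest != manifest["sha256"]:
        reasons.append("sha256 mismatch: package differs from the approved build")

    # An update arriving outside the announced window is exactly the kind of
    # "unexpected update notification" staff are told to be wary of.
    start = datetime.fromisoformat(manifest["rollout_start"])
    end = datetime.fromisoformat(manifest["rollout_end"])
    if not (start <= now <= end):
        reasons.append("outside the coordinated rollout window")

    return (not reasons, reasons)


def demo():
    """Run the check against a genuine, a tampered and an off-schedule package."""
    in_window = datetime(2021, 3, 1, 10, 0, tzinfo=timezone.utc)
    results = {
        "genuine": check_update(GOOD_PACKAGE, "example-agent", "2.3.1",
                                APPROVED_MANIFEST, in_window),
        "tampered": check_update(GOOD_PACKAGE + b"\x00", "example-agent", "2.3.1",
                                 APPROVED_MANIFEST, in_window),
        "off_schedule": check_update(GOOD_PACKAGE, "example-agent", "2.3.1",
                                     APPROVED_MANIFEST,
                                     datetime(2021, 3, 2, 3, 0, tzinfo=timezone.utc)),
    }
    for name, (ok, reasons) in results.items():
        print(f"{name}: {'install' if ok else 'refuse'} {reasons}")
    return results


if __name__ == "__main__":
    demo()
```

This catches a package that differs from what IT approved and an install attempted outside the agreed window. It cannot catch a malicious build that ships through the vendor’s own genuine update channel and is then approved by IT, which is what the post describes for Orion; that gap is the supply-chain problem discussed next, and it needs assurance from the vendor side rather than a check on the endpoint.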

Easy access through Single Sign-On (SSO) Systems

SSO systems allow organisations to protect many systems with one username and password. “Once in the network, the intruder then uses the administrative permissions acquired through the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token signing certificate. Anomalous logins using the SAML tokens can then be made against any on-premises resources (regardless of identity system or vendor) as well as to any cloud environment (regardless of vendor) because they have been configured to trust the certificate.” (Engle, 2021).

I find it hard to reach a conclusion on SSO. On one hand there is the productivity, efficiency and convenience of logging in once and having access to all of an organisation’s relevant applications; the downside is that only one login needs to be defeated to give access to all of them. On the other hand, today we rely on password managers to remember the thousands of login details for email, banking, subscriptions, software accounts and so on, which means an attacker only needs to target and defeat the password manager to gain access to your entire life. I am sure that, as I write this, a number of people I know keep lists of all their login details: in a diary, in a note on an iPhone, in a digital sticky note on their computer, or on a physical sticky note stuck to the underside of their workstation. Avoiding password reuse takes discipline. The UK NCSC has published guidance on password policy for system owners.

Bypassing Multi-factor Authentication (MFA) Systems

“FireEye noticed that hackers gained access to the organization’s email servers with a username and password and they had bypassed the MFA system. FireEye shouldn’t have relied on just the MFA system to protect their email servers, but rather required proof of the user with biometrics.” (Engle, 2021).

What is interesting is that 2FA/MFA is widely used and considered secure. Hackers leveraged a vulnerability in the organisation’s Microsoft Exchange Control Panel and used a novel technique to bypass MFA from Cisco-owned Duo Security, and then accessed emails. Volexity, a US-based cybersecurity company affected by the attack, was able to determine:

“Logs from the Exchange server showed that the attacker provided username and password authentication like normal but was not challenged for a second factor through Duo. The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question. Volexity was able to confirm that session hijacking was not involved and, through a memory dump of the OWA [(Outlook Web App)] server, could also confirm that the attacker had presented a cookie tied to a Duo MFA session named duo-sid,” Volexity explained. “Volexity’s investigation into this incident determined the attacker had accessed the Duo integration secret key (akey) from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie.

After successful password authentication, the server evaluated the duo-sid cookie and determined it to be valid. This allowed the attacker with knowledge of a user account and password to then completely bypass the MFA set on the account.

Volexity has clarified that the method did not involve exploitation of a vulnerability in the Duo product. The attack was possible due to the victim’s failure to change all secrets associated with key integrations after the breach was discovered.” (Kovacs, 2020)
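
The evidence Volexity describes points at a detection that works regardless of how the second factor was sidestepped: the mail server recorded a successful login, but the MFA provider recorded no attempt for that account. The same correlation applies to the SSO case above, where a forged SAML token is accepted by a resource without any corresponding sign-in at the identity provider. The following is an added example written for this post, not code from the original article, Volexity or Duo; the log lines are constructed, and the field layout and the five-minute matching window are assumptions.

```python
"""Flag successful logins at a resource with no matching event at the
authentication provider (MFA service or SAML identity provider).

Added example; not code from the original post, Volexity or Duo. Sample log
lines are constructed, and the field layout and matching window are assumed.
"""
from datetime import datetime, timedelta

# Constructed sample: successful password logins recorded by the mail server.
OWA_LOGINS = [
    "2020-12-10T09:01:12Z user=alice src=203.0.113.5 result=success",
    "2020-12-10T09:15:40Z user=bob src=198.51.100.9 result=success",
    "2020-12-10T09:20:02Z user=carol src=198.51.100.9 result=failure",
    "2020-12-10T11:42:03Z user=alice src=192.0.2.77 result=success",
]

# Constructed sample: second-factor events recorded by the MFA provider.
# For the SAML case these would be sign-in events from the identity provider.
PROVIDER_EVENTS = [
    "2020-12-10T09:01:20Z user=alice factor=push result=approved",
    "2020-12-10T09:15:45Z user=bob factor=push result=approved",
]

WINDOW = timedelta(minutes=5)


def parse(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def logins_without_provider_event(login_lines, provider_lines, window=WINDOW):
    """Return (user, timestamp, source) for each successful resource login
    that has no approved provider event for the same user within `window`.

    A login that the resource accepted but the provider never saw is the
    signature of a bypassed second factor, whatever the bypass mechanism."""
    approved = [e for e in map(parse, provider_lines) if e.get("result") == "approved"]
    suspicious = []
    for login in map(parse, login_lines):
        if login.get("result") != "success":
            continue  # failed logins never reached the second factor
        matched = any(
            e["user"] == login["user"] and abs(e["ts"] - login["ts"]) <= window
            for e in approved
        )
        if not matched:
            suspicious.append((login["user"], login["ts"].isoformat(), login["src"]))
    return suspicious


if __name__ == "__main__":
    for user, when, src in logins_without_provider_event(OWA_LOGINS, PROVIDER_EVENTS):
        print(f"ALERT: {user} logged in from {src} at {when} with no provider event")
```

In the constructed data, alice’s morning login has a matching push approval but her 11:42 login does not, so only that one is reported. In practice the two log sources need their clocks aligned and the window tuned to how long a user normally takes to approve a prompt; the check is cheap enough to run continuously, and it would also have surfaced the Volexity case, where the Duo logs were silent while the Exchange logs showed success.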

This shows that we need to think carefully about how we structure our cyber security measures. Consider a layered login system that combines two-factor authentication with biometric and/or cryptographic protections; protective measures do not always need to be digital or technical in nature.

  • Education is knowing that the threat exists, and is ultimately about creating awareness. 

  • Controlling access to information by ensuring staff only have access to the information relevant to their role.

  • Know your weaknesses - Dot is specifically designed for this from a technical perspective (specifically for Operational Technologies). Knowing which systems are critical, and ensuring their data is regularly backed up (where possible), will allow a swift recovery or response if you are unfortunate enough to be attacked.

  • Ensure that you adopt governing policies on behaviour, access to the internet, use of data storage devices, email policies and connectivity. Make it a part of your staff roles and responsibility in order to create ownership.

  • Continually monitor and review your organisation’s behaviour and culture around cyber security.

This list is by no means comprehensive and shows that something can always be done.

How did it stay undetected?

“To avoid detection, attackers used temporary file replacement techniques to remotely execute their tools. This means they modified a legitimate utility on the targeted system with their malicious one, executed it, and then replaced it back with the legitimate one. A similar technique involved the temporary modification of system scheduled tasks by updating a legitimate task to execute a malicious tool and then reverting the task back to its original configuration. Defenders can examine logs for SMB sessions that show access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short amount of time, the FireEye researchers said.” (Constantin, 2020)
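
The hunting idea in that quote, a delete-create-execute-delete-create sequence against the same file on a share within a short time, can be checked mechanically over file-share audit events. The following is an added example written for this post, not code from the original article or from FireEye; the log lines are constructed, their field layout is an assumption, and real share auditing will need its own parser in place of the one shown.

```python
"""Hunt for the delete-create-execute-delete-create pattern on SMB shares.

Added example; not code from the original post or from FireEye. The log lines
are constructed and their field layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The sequence FireEye described: remove a legitimate tool, drop a malicious
# one under the same name, run it, remove it, and restore the original.
PATTERN = ["delete", "create", "execute", "delete", "create"]
WINDOW = timedelta(minutes=10)

# Constructed sample of file-share access events, one event per line.
SMB_LOG = [
    "2020-12-08T02:10:01Z src=10.0.0.23 dst=srv01 path=ADMIN$/System32/legit.exe action=delete",
    "2020-12-08T02:10:03Z src=10.0.0.23 dst=srv01 path=ADMIN$/System32/legit.exe action=create",
    "2020-12-08T02:10:09Z src=10.0.0.23 dst=srv01 path=ADMIN$/System32/legit.exe action=execute",
    "2020-12-08T02:10:31Z src=10.0.0.23 dst=srv01 path=ADMIN$/System32/legit.exe action=delete",
    "2020-12-08T02:10:40Z src=10.0.0.23 dst=srv01 path=ADMIN$/System32/legit.exe action=create",
    # Benign noise: a log file rotated (delete then create, never executed)
    # and a one-off installer dropped and run by a different host.
    "2020-12-08T02:11:00Z src=10.0.0.40 dst=srv01 path=logs$/app.log action=delete",
    "2020-12-08T02:11:01Z src=10.0.0.40 dst=srv01 path=logs$/app.log action=create",
    "2020-12-08T03:00:00Z src=10.0.0.51 dst=srv02 path=ADMIN$/Temp/setup.exe action=create",
    "2020-12-08T03:00:05Z src=10.0.0.51 dst=srv02 path=ADMIN$/Temp/setup.exe action=execute",
    # The full sequence, but spread over two hours: ordinary maintenance
    # rather than a quick swap, so it should fall outside the window.
    "2020-12-08T04:00:00Z src=10.0.0.60 dst=srv01 path=ADMIN$/System32/tool.exe action=delete",
    "2020-12-08T04:30:00Z src=10.0.0.60 dst=srv01 path=ADMIN$/System32/tool.exe action=create",
    "2020-12-08T05:00:00Z src=10.0.0.60 dst=srv01 path=ADMIN$/System32/tool.exe action=execute",
    "2020-12-08T05:30:00Z src=10.0.0.60 dst=srv01 path=ADMIN$/System32/tool.exe action=delete",
    "2020-12-08T06:00:00Z src=10.0.0.60 dst=srv01 path=ADMIN$/System32/tool.exe action=create",
]


def parse(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_replacement_sequences(lines, window=WINDOW, pattern=PATTERN):
    """Return (src, dst, path, first_ts, last_ts) for every run of events on
    one (source, server, path) whose actions match `pattern` consecutively
    and whose first and last events are no more than `window` apart."""
    by_key = defaultdict(list)
    for ev in map(parse, lines):
        by_key[(ev["src"], ev["dst"], ev["path"])].append(ev)

    hits = []
    n = len(pattern)
    for key, events in by_key.items():
        events.sort(key=lambda e: e["ts"])
        actions = [e["action"] for e in events]
        for i in range(len(events) - n + 1):
            if actions[i:i + n] != pattern:
                continue
            first, last = events[i], events[i + n - 1]
            if last["ts"] - first["ts"] <= window:
                hits.append((*key, first["ts"].isoformat(), last["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    for src, dst, path, start, end in find_replacement_sequences(SMB_LOG):
        print(f"ALERT: {src} swapped {path} on {dst} between {start} and {end}")
```

Only the 40-second swap of legit.exe is reported; the log rotation lacks an execute, the installer lacks the surrounding delete and restore, and the two-hour sequence exceeds the window. The window length is the main tuning knob: too short and a slow actor slips through, too long and routine administration starts to match, so it is worth measuring how long genuine tool swaps take in your own environment before fixing it.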

Mitigation Strategies

Recognising this risk, the NCSC’s Exercise in a Box is an online tool which helps organisations test and practise their response to a cyber attack. Those with Operational Technology (OT) systems could use Dot by Awen Collective for asset and vulnerability discovery and management! They do say prevention is better than cure!

Another NCSC initiative is the Cyber Security Information Sharing Partnership (CiSP), a joint industry and government partnership set up to allow UK organisations to share cyber threat information in a secure and confidential environment.

The Cyber Assessment Framework (CAF), and equally the EU Security of Network and Information Systems Directive (“NIS Directive”), are aimed at protecting important systems such as our Critical National Infrastructure (CNI). To some, NIS and the CAF may seem incomprehensible, but Awen’s Profile software can not only help decipher them but help you understand and actively work with them, keeping you within your obligations and making them part of your organisation’s processes.

IEC 62443 (from the International Electrotechnical Commission) is a series of standards and technical reports on securing Industrial Automation and Control Systems (IACS). Despite progress in the right direction in the cyber domain, 2020 saw the UK’s largest increase in cyber attacks on record. Our critical systems, which keep our economies flowing, are still frequently targeted and often attacked. Our industrial production sectors now have another topic on boardroom agendas, one which is starting to take up significant space in strategy and operational performance meetings.

References 

Constantin, L., 2020. SolarWinds attack explained: And why it was so hard to detect. [online] CSO Online. Available at: <https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html> [Accessed 16 April 2021].

Engle, M., 2021. Three Vulnerabilities Exposed During SolarWinds Attack & How It Could Have Been Prevented. [online] CPO Magazine. Available at: <https://www.cpomagazine.com/cyber-security/three-vulnerabilities-exposed-during-solarwinds-attack-how-it-could-have-been-prevented/> [Accessed 22 March 2021].

Kritzinger E., von Solms P.S. (2005) Five Non-Technical Pillars of Network Information Security Management. In: Chadwick D., Preneel B. (eds) Communications and Multimedia Security. IFIP — The International Federation for Information Processing, vol 175. Springer, Boston, MA. https://doi.org/10.1007/0-387-24486-7_21

Kovacs, E., 2020. Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank. [online] SecurityWeek. Available at: <https://www.securityweek.com/group-behind-solarwinds-hack-bypassed-mfa-access-emails-us-think-tank> [Accessed 16 April 2021].

Ncsc.gov.uk. 2021. Dealing with the SolarWinds Orion compromise. [online] Available at: <https://www.ncsc.gov.uk/guidance/dealing-with-the-solarwinds-orion-compromise> [Accessed 14 April 2021].

Solarwinds.com. 2021. Government Cyber Security Solutions | SolarWinds. [online] Available at: <https://www.solarwinds.com/federal-government/solution/cyber-security> [Accessed 14 April 2021].

Quick overview of the 2017 NotPetya cyber attack


This post is the third in a series of blog posts written by Roy Seaman, our Percy Hobart Fellowship 2021 fellow from the Royal Marines. We’re calling the series “Posting Roy.”

In 2017, as part of a global malware incident, the NotPetya cyber attack inflicted misery on companies all over the world.

NotPetya is the far more aggressive and transmissible successor to the Petya ransomware. Petya seemed like straightforward malware: it infects a targeted Windows-only computer, encrypts some data on it and shows the user a message with instructions on how to get their data back in exchange for a payment in bitcoin. It did, however, differ from the standard ransomware seen before. Standard ransomware seeks out specific files and encrypts them. Petya instead installed its own boot loader, overwriting the master boot record and encrypting the master file table, the part of the file system that provides the “road map” for the hard drive. Put simply, your files are still there and unencrypted, but the file system that tells your computer where they are cannot be accessed. Petya’s Achilles heel was that it needed the user’s permission to run. Those warnings that pop up on your screen telling you not to open unfamiliar files because they may be infected are there for a reason!

Fast forward to June 2017 and Petya 2.0, now known as NotPetya, was identified. Its focus appeared to be Ukraine; however, it was found elsewhere in Europe and globally. I cannot help but suspect that Europe and elsewhere were just collateral damage of an attack focused on Ukraine.

NotPetya differed from Petya in several ways: 

  • NotPetya did not require a victim to spread it. It had multiple avenues of infection, such as EternalBlue and EternalRomance, which exploit the Windows Server Message Block (SMB) protocol. It also used tools to find network administration credentials in an infected machine’s memory before remotely accessing other computers on the local network using tools built into Windows itself.

  • NotPetya encrypts everything, not just the master boot record.

  • The nasty side of NotPetya is that it was not designed to be ransomware; it was designed to destroy, while carrying all the hallmarks of ransomware. It made the same ransom demands, but these were just false hope, as NotPetya encrypted and damaged the data beyond repair.

What is interesting is that NotPetya only affected computers running older versions of Windows, which makes the case for businesses to update their systems as a matter of process, rather than seeing it as an expense that can be put off.

One organisation that was affected by NotPetya, and whose case has raised another issue around how organisations mitigate the risks and effects of cybercriminal activity, is Mondelez.

Mondelez is a huge multinational confectionery company whose well-known brands include Cadbury, Oreo, Belvita, Tuc and Toblerone, all the guilty pleasures we enjoy. It has operations in 80 countries and around 80,000 employees. The virus infected 1,700 servers and 24,000 laptops at Mondelez alone; that is a lot of incapacitated, unproductive staff. Mondelez had an insurance policy with Zurich and submitted a claim for $100 million, despite its losses being much higher. Zurich viewed NotPetya as an act of war, characterising the attack as state-on-state, and refused to pay out, resulting in a court dispute which can only add to the cost of the attack. No doubt every organisation with an insurance policy covering cyber attacks is now reviewing its policy and seeking assurances: are the terms of the policy clear? How will insurance policies be structured going forward?

Other organisations affected include the shipping and logistics company Maersk, which sustained approximately $400 million in losses; the pharmaceutical company Merck, $870 million; and the construction company Saint-Gobain, $384 million, to name some of the more prominent victims. While this highlights big corporations that are more than capable of resourcing the necessary cyber risk mitigation strategies and processes, it also highlights my closing point. Cybercriminal activity is a threat to everyone; it is not limited to one industry. If we all want to work in this big integrated system with information and data on demand, then businesses need to ensure they are dealing with the by-products of that. Cyber security is a collaborative effort, it will only continue to grow, and it will become a main pillar of the world’s future business environment. The basics that everyone takes for granted, and the annoying cyber security department that some businesses have only because it is the “done thing” but no one can tell you what it does exactly, are in the past.

Profile by Awen Collective helps to ensure that industrial organisations are meeting the best practice in terms of cyber security policies and procedures. Dot by Awen Collective helps industrial organisations to know what devices they have on their Operational Technology (OT) networks, and provides actionable intelligence on how to reduce the potential cyber vulnerabilities.

Honda Cyber Attacks Case Study


This post is the second in a series of blog posts written by Roy Seaman, our Percy Hobart Fellowship 2021 fellow from the Royal Marines. We’re calling the series “Posting Roy.”

Honda is arguably one of the most respected and well-known mobility manufacturers in the motor industry. Established in 1948, it is still one of the leading innovators in the industry, consistently at the top of the field across several product lines. Its success is driven by its ability to consistently embrace, develop and integrate the most advanced technologies as a key pillar of its business model. As a by-product of being so successfully innovative and technologically advanced, it has become a target of cybercriminal activity, as it is not infallible.

The Attacks 

In 2017, Honda’s Sayama plant near Tokyo was infected by the WannaCry ransomware. A Honda spokesman stated that the infection was limited to several older production line computers, but it resulted in the production facility stopping for one day and 1,000 units not being produced.

In simplified terms, WannaCry ransomware encrypts files on the PC’s hard drive, making them inaccessible to the user, while demanding bitcoin in exchange for decryption. The vulnerability WannaCry exploits lies in the Windows implementation of the Server Message Block (SMB) protocol. “The SMB protocol helps various nodes on a network communicate, and Microsoft's implementation could be tricked by specially crafted packets into executing arbitrary code. Frustratingly, the U.S. National Security Agency discovered this vulnerability and, rather than reporting it to the infosec community, developed code to exploit it, called Eternal Blue. This exploit was in turn stolen by a hacking group known as the Shadow Brokers, who released it obfuscated in a seemingly political Medium post on April 8, 2017. Microsoft itself had discovered the vulnerability a month prior and had released a patch, but many systems remained vulnerable, and WannaCry, which used Eternal Blue to infect computers, began spreading rapidly on May 12. In the wake of the outbreak, Microsoft slammed the U.S. government for not having shared its knowledge of the vulnerability sooner.” (Fruhlinger, 2021). The fact that a patch was available reinforces the basic good practice of keeping operating systems updated, and that this needs to be part of standard working processes. It also reinforces the need for a collaborative approach to cyber crime, such as the Cyber Security Information Sharing Partnership (CiSP), and we should also shout out the cyber security clusters being established around the world, especially those connected with GlobalEPIC such as Cyber Wales and the Hague Security Delta (HSD).

In 2020, Honda was subjected to another attack, this time by the EKANS (SNAKE) ransomware. It is believed the ransomware followed on from a cyber security oversight in 2019, when Shodan, a search engine for internet-connected devices, listed an Elasticsearch database belonging to Honda. The database held 40 GB of inventoried internal machines, including each machine’s hostname, MAC address, internal IP address, operating system version, which patches had been applied, and the status of Honda’s endpoint security software. Fast forward to 2020, and Honda had several Remote Desktop Protocol (RDP) endpoints publicly exposed. Insecure RDP configurations are one distribution route for EKANS; it can also be delivered through spam and malicious attachments, botnets, exploit packs, malicious ads, web injections, fake updates, and repackaged and infected installers.

EKANS is specifically designed to attack industrial control systems (ICS): not just individual machines but the entire ICS network. EKANS removes the computer’s Shadow Volume Copies and then kills numerous processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and so on. This affected Honda’s production, sales and development activities and operations around the entire world.

The cyber attacks experienced by Honda seem to stem from lapses in the basics: small lapses in good cyber security practice which gave cyber criminals access. It bears out the cliché that cyber security is founded on the basics. Neglecting those basics will quickly make redundant any investment an organisation has made in pricey, sophisticated cyber security infrastructure!

It is safe to say that if Honda had been using Profile to understand the missing elements of its cyber security policies and procedures, or Dot to understand its OT asset landscape and potential cyber vulnerabilities, it might have averted these cyber attacks and any other potentially undiscovered threats.

References

Fruhlinger, J., 2021. What is WannaCry ransomware, how does it infect, and who was responsible? [online] CSO Online. Available at: <https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html> [Accessed 17 March 2021].

Cyber Security and its far-reaching shadow over our Manufacturing Sector


This post is the first in a series of blog posts written by Roy Seaman, our Percy Hobart Fellowship 2021 fellow from the Royal Marines. We’re calling the series “Posting Roy.”

The COVID pandemic will go down as one of those memorable moments in history that has left its mark on the working world, forcing it to shift from a traditional working model to a remote one, and most likely to a hybrid model in future. It is fair to say the cyber criminal’s world has been made much easier to operate in if businesses fail to address the very real cyber threat that is out there. The sudden, short and disruptive transformation from a traditional to a remote working model has meant that the focus has switched to technology to maintain business operations. This has meant a reliance on bring your own device (BYOD), which in turn means an increase in the vulnerable pathways that cyber criminals have been able to exploit.

Bridewell Consulting commissioned the “CNI Cyber Report: Risk and Resilience”, which found that 86% of CNI organisations detected and experienced operational technology (OT) and industrial control system (ICS) cyber attacks during 2020. Ninety-three percent of organisations admit to at least one successful attempt, and 24% to more than 5 successful attacks. Given that only 42% of OT/ICS environments are not accessible from the internet, and only 28% are confident their OT systems are protected, the numbers aren’t all that surprising. Eighty-five percent of decision-makers have felt increased pressure to improve cyber security controls for the OT/ICS environment over the last 12 months. The Enterprise Strategy Group research insight paper “Threat Detection and Response in Manufacturing: Current and Future Use Cases for Deception Technology” states that 49% of organisations claim that IT and OT are tightly integrated. The irony is that 84% of CNI organisations predict a cyber security skills shortage within 3-5 years, 32% reduced their cyber security budget over the COVID period, and they experienced a 50% increase in attacks during the pandemic. The knock-on effect on the manufacturing sector is huge.

PricewaterhouseCoopers’ (PwC) 2020 Annual Manufacturing Report identifies that 90% of consumer goods manufacturers rank digital transformation as a top-3 concern. Eighty-seven percent of manufacturers believe digital manufacturing technologies (smart factory technologies) will accelerate innovation and design development, and 89% believe they will improve supply chain relationships. Seventy-one percent said they are already bringing OT and IT together to digitise their business. Cloud computing will be a big part of this digital transformation, making data available for real-time use, with disruptive technologies such as the Internet of Things (IoT) creating a “new experience” for employees and customers. This means the challenge of maintaining secure cyber domains will become even more complex, and critical to all parts of business operations. Cyber criminals’ ability to operate is growing, and they are currently faster at innovating, according to the Nippon Telegraph and Telephone Corporation (NTT) 2020 Global Threat Intelligence Report.

Finally, if the UK manufacturing sector is going to transform and aspire to be a world-leading innovator, it needs to embrace integrated smart factory technology and the cyber security risks that come with it. For that to succeed, businesses need to prioritise cyber security so that it leads the way for the innovative technology that follows. Comparing the two reports, we can see that attitudes towards cyber security need to improve, and the pandemic has shone a light on weaknesses within the sector. The National Cyber Security Centre’s (NCSC) Cyber Security Information Sharing Partnership (CiSP) provides a good basis, showing that the UK government recognises the cyber threat needs to be tackled collaboratively. Businesses need to ensure their organisations are doing their part and taking the necessary precautions to beat cyber criminals.