Silicon Shecky

Infosec Practitioner


Copyright © 2026 ·Sixteen Nine Pro Theme · Genesis Framework by StudioPress · WordPress

Solarwinds Sunburst: Haven’t We Been Here Before?

December 30, 2020 By Michael Kavka Leave a Comment

Timing is not everything, it is the only thing. I really believe that and have for a good portion of my life. A little bit off, a little bit early or late, and things do not happen, things can be missed, and who knows what the result would have been. How this relates to the title of this post is simple: the past tends to repeat itself, and I am currently seeing that through a book I am reading.

The book is called Sandworm, by Andy Greenberg. It covers a Russian hacking group to which NotPetya, among other attacks on Ukraine, has been attributed. We all know about NotPetya; remember how it crippled the shipping company Maersk. All of this happened a month after WannaCry hit. There are many similarities I am noticing as I watch those who are unravelling the SolarWinds Sunburst attack, and what has been revealed about how the Sandworm group operates, namely leading into the NotPetya attack. Surprisingly, I have not seen mention of this on Twitter, or in any news reports or blog posts on the Sunburst attack.

Mr. Greenberg, in his book Sandworm, had interviewed Amit Serper of Cybereason about his reverse engineering of NotPetya and his subsequent investigation of the malware and the attack. The short version is that it was a supply chain attack that used M.E.Doc's own update server to push a compromised update. The NotPetya attack happened in June of 2017, but Mr. Serper found a webshell on those update servers going back to November 2015. So the attackers were on that network for at least a year and a half before the attack.

Let us take a look at what has been revealed about Sunburst. It is a supply chain attack that used SolarWinds' own update servers to install a compromised update. Currently the information security world puts the compromise of SolarWinds at no later than October 2019 (just over a year before it was discovered). While that timeframe is accepted right now, the investigation is still going on, so I do not want to say that it is definitive. Now go back a paragraph and re-read what I learned about NotPetya. Sounds similar, doesn't it?

I have not yet finished reading Sandworm, but other interesting tidbits I read included Robert M. Lee of Dragos (among others) wanting to warn the ICS world about this type of attack after the Ukraine blackout attacks, which were also attributed to the Sandworm hacking group. It also revealed how little the U.S. Government did to warn about these types of attacks, or about this hacking group, since it was Ukraine that was targeted.

The timing of my reading this book is really what brought the similarities up for me (I do recommend the book). I am not attributing the SolarWinds situation to the Sandworm group; I do not have the expertise to do that. I am saying that it looks like history might be repeating itself. I do not know if anyone else has noticed these similarities, but I assume someone has. The question remains, though: will we actually learn from this, or will this become yet another case of "all this has happened before, and it will happen again"?

Filed Under: Ramblings, Rants, Security Tagged With: NotPetya, Sandworm, Solarwinds, Sunburst

Solarwinds Sunbursts a Supernova: Early lessons learned

December 22, 2020 By Michael Kavka Leave a Comment

There will be more fallout from SolarWinds to come. More companies will realize they are compromised due to either SUNBURST or SUPERNOVA (you have to love the catchy, similar-style names).

The question is what are you and your company going to do about it? What have you and your company learned?

Do not just throw money at this. Vendors will start trying to use this as a marketing ploy, especially toward those that do in-house development. If you do in-house development, work on improving your Secure Development Lifecycle (SDLC). Do not over-promise, and do not over-push your developers. If developers say they need extra time for security testing, understand that it will save you more issues in the long run. Understand that checking compliance boxes does not mean that security has been achieved.

The rest of the corporate world should be doing a few things, starting with people and processes. Make sure that your company has a solid detection process in place, which includes enough staff, proper logging, solid SIEM/SOAR rules and notebooks, and a solid incident response plan. If your company is lacking in any of these, and that includes keeping people trained, fixing it will be money well spent in the long term. Your company will get breached at some point, and these processes plus properly trained people will always be needed. There is no perfect security, so detection is as important as prevention, if not more so.

Understand that there is no magic bullet. Security is a process, not a destination, and burned-out, overworked security people (especially in the SOC) do your company no good. Compensating by buying more and more tools without enough staff will cause burnout. People can only do so much in a given time. Make sure they get time off, and that means not disturbing them when they are off, if at all possible.

These are the lessons every company should learn from this situation.


Filed Under: Rants, Security Tagged With: Security, Solarwinds, Sunburst, Supernova

Zoom Zoom or WTF people?

April 16, 2020 By Michael Kavka 1 Comment

Slide by Dave Kennedy, CEO of TrustedSec and Binary Defense from his closing remarks at Grimmcon.

Zoom is not malware. Repeat with me…  ZOOM IS NOT MALWARE!

Zoom has been everywhere and on many people's minds. We have also failed the company, not by finding holes in their software, but by playing the role of Chicken Little. The sky is not falling, at least not because of Zoom. We in the world of security have lost it, and as Dave Kennedy said at Grimmcon this week (I paraphrase), "We have pushed back our relations with the everyday person. We have forgotten that usability is part of our equation of risk, and that responsibility in disclosing bugs is important."

Here is a great blog post about the whole situation with Zoom (written by Amit Serper and Dave Kennedy): https://medium.com/@0xamit/zoom-isnt-malware-ae01618e2046

To those that do not want to read that, here are a few key points:

  1. Zoom usage grew from 10 million people to 200 million people in a matter of weeks. That is 20x the people in a matter of weeks, unbelievable growth for a product.
  2. Zoom has made mistakes and has bugs. All software does, and the real test of a company is how it responds.
  3. Zoom has a PDF of best practices for securing Zoom meetings.

On point 2, Zoom has not only been fast to respond and push out fixes, but has not complained about people finding these issues. As of April 2, 2020, Zoom announced a 90-day hold on any new features to focus on security fixes. This is amazing in its own right; I have not heard of many companies doing this. The bugs that Zoom has been fixing have been fixed in a matter of days in most cases. Last time I checked, Microsoft, Apple, Cisco, and Oracle take months or longer to fix bugs in most cases. Zoom has done this with no advance warning about the bugs; they are hearing about them at nearly the same time as we are. Google, Microsoft, Oracle, and Cisco usually get 90 days from notification of a bug to fix it, and the bug is usually not announced until a fix is out.

As far as end-to-end encryption goes, that was a marketing mistake. Cisco WebEx, while offering end-to-end encryption, does not offer it for video conferencing. There have also been plenty of flaws found in WebEx and other video conferencing systems over the years.

As far as the breach of usernames and passwords goes, all I have to say is: Target, Best Buy, Home Depot, Equifax, Anthem. Need I go on?

Zoom has made mistakes, no doubt. They are not perfect, but their model is one of simplicity, one of allowing people to communicate easily, and that is what it was: easy. Easy for grandma to not have to log into anything and just follow a link sent to her by her family to video chat with them. Easy to just set up and go. It was not designed to be used for state secrets. Its threat model at the time was different from what it was starting to be used for by governments and corporations. It is a product that got shoved under a microscope, and it has responded to being under that microscope a lot better than many companies I have seen over the years.

So yes, Zoom is safe for the everyday person to use. Zoom now defaults to requiring passwords for meeting sessions. Zoom now wants people to log in. Zoom has taken away some of its simplicity. Zoom is not malware!


Filed Under: Rants, Security, Software Tagged With: Dave Kennedy, WebEx, Zoom
