Tuesday, December 22, 2020
The advanced persistent threat (APT) began in March 2020, when adversaries employed a series of tactics, techniques and procedures (TTP) to escape detection as they infiltrated numerous government departments.
"The adversary is using a complex network of IP addresses to obscure their activity, which can result in a detection opportunity referred to as 'impossible travel,'" CISA analysts wrote. "Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins)."
CISA analysts also detected "impossible tokens" that were neither linked to legitimate users nor used within their hour of issuance. These anomalies raised concerns among investigators that key personnel, IT email accounts and operational security agencies had been compromised. An alert posted Dec. 21, 2020, called for increased operational security measures to ensure all staff members are sufficiently aware of "applicable handling caveats," CISA administrators stated.
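The two detection opportunities quoted above, "impossible travel" between logins and "impossible tokens," are easy to express as checks over authentication logs. The following is an added example written for this article, not code from CISA or from the advisory; it assumes that an upstream geolocation step has already turned each login's IP address into a latitude/longitude, that 900 km/h is the fastest plausible travel speed (an assumed threshold to tune per environment), and that the login events and token records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0      # roughly an airliner; assumed threshold, tune per environment
TOKEN_MAX_AGE = timedelta(hours=1)   # the "hour of issuance" window quoted in the advisory


@dataclass
class Login:
    user: str
    when: datetime
    ip: str
    lat: float   # assumed to come from an upstream IP geolocation lookup
    lon: float


@dataclass
class TokenUse:
    subject: str
    issued_at: datetime
    first_used_at: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins):
    """Flag consecutive logins by the same user whose implied speed exceeds the threshold.

    Returns a list of (user, earlier_ip, later_ip, distance_km, speed_kmh) tuples.
    """
    by_user = {}
    for ev in sorted(logins, key=lambda e: e.when):
        by_user.setdefault(ev.user, []).append(ev)

    findings = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            if prev.ip == cur.ip:          # same source: nothing to compare
                continue
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            # Identical timestamps from distant places are the clearest case of all.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append((user, prev.ip, cur.ip, round(dist), round(speed)))
    return findings


def impossible_tokens(uses, known_users):
    """Flag tokens whose subject is unknown or whose first use falls outside the issuance window."""
    findings = []
    for t in uses:
        reasons = []
        if t.subject not in known_users:
            reasons.append("subject is not a known user")
        if t.first_used_at - t.issued_at > TOKEN_MAX_AGE:
            reasons.append("first use more than an hour after issuance")
        if reasons:
            findings.append((t.subject, reasons))
    return findings


# Constructed sample data (not real logs). alice: Washington, DC then Frankfurt 90 minutes later;
# bob: Washington, DC then New York three hours later.
UTC = timezone.utc
SAMPLE_LOGINS = [
    Login("alice", datetime(2020, 3, 2, 9, 0, tzinfo=UTC), "203.0.113.10", 38.9, -77.0),
    Login("alice", datetime(2020, 3, 2, 10, 30, tzinfo=UTC), "198.51.100.7", 50.1, 8.7),
    Login("bob", datetime(2020, 3, 2, 9, 0, tzinfo=UTC), "203.0.113.11", 38.9, -77.0),
    Login("bob", datetime(2020, 3, 2, 12, 0, tzinfo=UTC), "192.0.2.44", 40.7, -74.0),
]
KNOWN_USERS = {"alice", "bob"}
SAMPLE_TOKENS = [
    TokenUse("alice", datetime(2020, 3, 2, 9, 0, tzinfo=UTC), datetime(2020, 3, 2, 9, 20, tzinfo=UTC)),
    TokenUse("svc-backup", datetime(2020, 3, 2, 8, 0, tzinfo=UTC), datetime(2020, 3, 2, 11, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", f)
    for f in impossible_tokens(SAMPLE_TOKENS, KNOWN_USERS):
        print("impossible token:", f)
```

Run as a script, the example flags alice's Washington-to-Frankfurt pair (about 6,500 km in 90 minutes) and the `svc-backup` token, while bob's Washington-to-New York logins pass. In production the speed threshold, the treatment of shared VPN egress addresses and the token window all need tuning, and a hit is a lead for an analyst rather than proof of compromise.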
A Dec. 7, 2020, bulletin from the U.S. National Security Agency traced the APT to March 2020, when bad actors exploited vulnerabilities in VMware products. "Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Manager products, allowing the actors access to protected data and abusing federated authentication," NSA analysts wrote, adding that VMware released a patch for the command injection vulnerability on Dec. 3, 2020, approximately nine months after criminals had gained access to classified government departments and data.
CISA forensic investigators are pursuing evidence of initial access vectors in March 2020, when bad actors injected malware into SolarWinds, an enterprise network software suite used by select government agencies. The audit trail suggests the adversary may have more TTP and attack vectors to deploy, CISA stated.
CISA further noted that the attacker collected information from victim environments by "compromising the SAML signing certificate using their escalated Active Directory privileges." Key systems that use SAML include hosted email services, hosted business intelligence applications, travel systems, timecard systems and file storage services such as SharePoint, according to the CISA advisory.
Shelly Palmer, business consultant and technology advisor, published What You Should Know About the SolarWinds Hack, on Dec. 20, 2020, urging organizations to protect internet-facing systems. "A security system is only as secure as the third-party-provided FTE who writes their password on a Post-it note," Palmer wrote.
Palmer added that the high-profile cyberattack highlights the need for formal document classification. Implement cybersecurity protocols to protect the most sensitive documents, he stated, and buy cybersecurity insurance to cover the rest.
On Dec. 15, 2020, Arkose Labs hosted a webinar titled 7 Top Fraud Trends in 2021 and Beyond. The session featured Johnny Ayers, founder and CEO at Socure, and Kevin Gosschalk, founder and CEO at Arkose Labs, who made the following predictions:
Ayers proposed that the digital world has created a complex, dynamic landscape for consumers and merchants as well as a potential goldmine for cybercriminals. "I think that you're going to continue to see these really creative phishing and social engineering attacks, just because there's a lot of unsuspecting government agencies and consumers," he said, adding that privacy regulations can make it more difficult for organizations to authenticate legitimate consumers.
Gosschalk agreed, stating, "[T]hat's a fascinating point: as consumers become more privacy centric, it makes the job of identifying bad people that much harder because it's that much easier for them to hide under the radar."
Gosschalk went on to say that as criminals continue to exploit vulnerabilities, individuals and organizations must evaluate their digital assets to determine which products or services present money-making opportunities to criminals. Then they can figure out how to remove the attacker's financial incentive, he stated.