Get patching, people! The National Security Agency has been calling for system administrators of both government and business computer networks to install patches to software programs and firmware on hardware to remedy vulnerabilities for a while now.
While last week’s much-publicized hack of government computer systems, including the breach at the DOE’s National Nuclear Security Administration, which maintains systems that are related to the U.S. nuclear weapons stockpile, hardening computer systems to prevent attacks has been a priority for a while.
Other federal agencies hit by this massive hacking effort include DOD, NIH, State Department, Department of Homeland Security, Department of the Treasury, as well as the Department of Commerce.
Cybersecurity and Infrastructure Security Agency, a branch of Department of Homeland Security, has been overwhelmed in responding to this recent attack, and the Department of Energy, one of the victims of this latest hack, will be allocating additional resources of its own to investigate.
Shaylyn Hynes, a spokesperson from the DOE had this to say on the matter:
“At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the department, including the National Nuclear Security Administration. When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.”
The software company SolarWinds, a provider of IT management solutions, has been found to be the weak link, and has sold its faulty Orion software to thousands of government and private-sector clients.
While the latest hack has been attributed to Russia in major media outlets, this conclusion is merely speculative, at this point. What is known is that it’s said to be the most significant breach of sensitive U.S. computer network systems that has come to light.
According to the AP News Service, Kremlin spokesman Dmitry Peskov asserted that Russia wasn’t involved at all and “had “nothing to do with” the recent breach. According to the AP, Peskov told reporters, “Once again, I can reject these accusations. If for many months the Americans couldn’t do anything about it, then, probably, one shouldn’t unfoundedly blame the Russians for everything.”
While the Solarwinds hack, specifically, hasn’t been attributed to Russia by NSA, a December 7, 2020 alert attributed hackers exploiting a vulnerability in VMware®1Access and VMware Identity Manager2 products to Russian “state sponsored malicious cyber actors.”
Microsoft, helping to bulwark insecure systems, put out a statement by company president Brad Smith, entitled A moment of reckoning: the need for a strong and global cybersecurity response. Smith opens by affirming the seriousness of this breach:
“This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms. It illuminates the ways the cybersecurity landscape continues to evolve and become even more dangerous. As much as anything, this attack provides a moment of reckoning. ” Smith provides a statistic that 80% of affected systems we within the United States.
According to a December 17 CISA alert, Smith’s assessment is right-on: “This…actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
Not all hacking efforts are equal, ranging from “script kiddies” who get hold of malware, to seriously adept hacking experts who really know their stuff. Smith quotes FireEye CEO Kevin Mandia, a company affected by the SolarWinds vulnerability, “We are witnessing an attack by a nation with top-tier offensive capabilities.”
Smith continues later in his piece, “All this is changing because of a second evolving threat, namely the growing privatization of cybersecurity attacks through a new generation of private companies, akin to 21st-century mercenaries. This phenomenon has reached the point where it has acquired its own acronym – PSOAs, for private sector offensive actors. Unfortunately, this is not an acronym that will make the world a better place.”
Andrea Mitchell of MSNBC was reminded of the gravity of the attack by Sen. Chris Coons (D-Del.): “It’s pretty hard to distinguish this from an act of aggression that rises to the level of an attack that qualifies as war. … [T]his is as destructive and broad scale an engagement with our military systems, our intelligence systems as has happened in my lifetime.”
This has been a season of requests for system admins to take alrts seriously. According to an early December Directive from the DOD, “…the products affected by this vulnerability are the VMware® Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector, with specific product versions also identified in the VMware® advisory.
Hacking is a real hazard to computers connected to the Internet, and the National Security Agency recently published a list of 25 known security issues back in October. The more recent vulnerabilities were not included on this list.
Any computer connected to the Internet is vulnerable to hacking, and the methods utilized are drawn from exploits that are found in software and hardware systems.
A hacked machine can spill its secrets, and it’s no secret that China has been hiring hackers on its behalf to work on scanning, targeting, and exploiting vulnerabilities in computer systems in the United States.
It’s true that nearly every major country practices electronic warfare, and of course, it’s necessary to take a defensive posture in response. This applies to private citizen and companies, as well as government computer systems.
In fact, besides nation-state actors, there are various criminal groups seeking to find and exploit system vulnerabilities as well, where ever they can . Why?
It’s an opportunity to make money. Such groups can install ransomware on a system, demanding Bitcoin in exchange for unlocking the data. Some groups place malware on a remote system, which ranges from benign to severe in its capabilities and goals.
Malware of this type might be as innocuous as redirects to online pharmacy or gambling websites, but could also be used for data mining passwords and usernames, a, and anything else stored on the remote system, or even data passing through that is not stored, such as credit card data of users.
Some private hacking groups are in the employ of nation-states, doing the dirty work for them and keeping thus keeping their bosses’ “hands clean.”
According to N.S.A., “…One of the greatest threats to U.S. National Security Systems (NSS), the U.S. Defense Industrial Base (DIB), and Department of Defense (DoD) information networks is Chinese state-sponsored malicious cyber activity.”
This is not merely a guess, but rather a known fact. “We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” remarked Anne Neuberger, director of NSA Cybersecurity Directorate. “We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, Cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.”
The FBI and the Department of Homeland Security’s Cybersecurity agency, the Cybersecurity and Infrastructure Security Agency sounded the alarm that hackers connected to the Ministry of State Security (MSS) in China, were taking advantages of some of the exploits detailed below.
Also back in September, the U.S. Justice Department charged five Chinese nationals with hacking more than one hundred companies. While those charged were not cited as working on behalf of Beijing, Deputy Attorney General Jeffrey Rosen said that Chinese authorities “choose not to” enforce laws against computer intrusions.
Targets included “software development companies, computer manufacturers, telecommunications providers, social media companies, gaming firms, nonprofits, universities, think-tanks as well as foreign governments and politicians and civil society figures in Hong Kong” according at a Reuters article dated September 16, 2020.
The list of 25 exploits are known Common Vulnerabilities and Exposures (CVEs) that Chinese state-sponsored cybercriminals are scanning U.S. computer networks for. Using a connection to the Internet, these hackers can gain unauthorized access and steal private data or worse.
Six Key Concepts NSA Wants You To Understand
There are six key concepts that NSA wants all U.S.-based system administrators to become familiar with and actively practice:
-NSA suggests keeping systems and products updated with the latest version, and patching as soon as new updates are released.
-Understand that a patched device or software program was leaky up until the time of the update, and so best practices include updating passwords and looking for installed malware.
-Disabling external management options (such as Remote Desktop) is a good idea, as is using an out-of-band management network that Internet hackers cannot possibly access regardless of system vulnerabilities.
-Disable and block obsolete or unnecessary network protocols at the network edge. There’s simply no reason to keep them active;if needed in future, simply re-enable such functionality.
-Isolation of Internet-facing services in network Demilitarized Zones (DMZ) keep internal networks safer.
-Keep detailed server logs! There’s a lot of data to be gained, and while hackers will almost certainly use proxies, the information gleaned from such logs is priceless. Of course, check these logs periodically, and not just after an event suggesting a compromised system occurs.
Vulnerabilities Cited In Recent NSA Alerts
The following is a list of vulnerabilities cited in the recent press release. If you’re using any of the products below, be sure that you’re up to date with your patches. For further details, please click here to review the Cybersecurity Advisory dated October 20, 2020, published by the NSA at media.defense.gov.
- Pulse SecureVPNs (Pulse Connect Secure®(PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4)
- F5 BIG-IP® 8proxy / load balancer devices (F5 BIG-IPversions 15.0.0-184.108.40.206, 14.1.0-220.127.116.11, 13.1.0-18.104.22.168, 12.1.0-22.214.171.124, and 11.6.1-126.96.36.199)
- Citrix® Application Delivery Controller (ADC) and Gateway (CitrixADC and Gateway versions before 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versionsbefore 10.2.6b and 11.0.3b)
- Citrix®ADC and Citrix®Gateway and Citrix®SDWAN WAN-OP (CitrixADC and Gateway versions before 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b)
- Windows Remote Desktop Services® (Microsoft Windows®XP -7, Microsoft Windows Server®122003 -2008)
- MobileIron®13mobile device management (MDM) (MobileIron®Core and Connector versions 10.6 and earlier, and Sentry versions 9.8 and earlier)
- Windows®Domain Name System servers (Microsoft Windows Server®2008 -2019)
- Netlogon Remote Protocol (MS-NRPC) (Microsoft Windows Server®2008 -2019)
- Microsoft Windows® NTLM MIC (Message Integrity Check) protection (Microsoft Windows®7 -10, Microsoft Windows Server®2008 -2019)
- Exim ( before 4.90.1) mail transfer agent, Microsoft Exchange® (Microsoft Exchange Server®2010Service Pack 3 Update Rollup29 and earlier, 2013 Cumulative Update22and earlier, 2016Cumulative Update 13and earlier and 2019Cumulative Update 2and earlier
- Adobe ColdFusion® (AdobeColdFusion (2016 release) (Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions.)
- Oracle®Coherence product of Oracle Fusion®Middleware (Oracle Coherence220.127.116.11, 18.104.22.168.0, 22.214.171.124.0 and 126.96.36.199.0)
- Widget Connector macro in Atlassian Confluence®17Server (Atlassian Confluencebefore 6.6.12, 6.7.0 to before 6.12.3,6.13.0 to before 6.13.3, and 6.14.0 to before 6.14.2)
- Atlassian®Crowd or Crowd Data Center (Atlassian Crowdfrom2.1.0 to before 3.0.5, 3.1.0 to before 3.1.6, 3.2.0 to before 3.2.8, 3.3.0 to before 3.3.5, and 3.4.0 to before 3.4.4.)
- Zoho ManageEngine®18Desktop Central (Zoho ManageEngine Desktop Centralbefore 10.0.479)
- Progress Telerik®19UI for ASP.NET AJAX (Progress Telerik UI for ASP.NET AJAXthrough 2019.3.1023)
- Windows®CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates (Microsoft Windows®10, Server®2016-2019)
- Windows® Win32k (Microsoft Windows®7 -10, Microsoft Windows Server®2008 -201)
- Symantec®22Messaging Gateway (Symantec Messaging Gatewaybefore 10.6.3-267)
- Cisco®Discovery Protocol implementation for Cisco IOS®23XR Software (Cisco IOS XR5.2.5, 6.5.2, 6.5.3, 6.6.25, 7.0.1)
- DrayTek Vigor®24devices (Vigor2960®1.3.1_Beta, Vigor3900®1.4.4_Beta, and Vigor300B®1.3.3_Beta, 188.8.131.52_Beta, and 1.4.4_Beta devices)
From December 3, 2020 advisorry:
- VMware Access®320.01and 20.10on Linux®4
- VMware vIDM®53.3.1, 3.3.2, and 3.3.3on Linux
- VMware vIDM Connector3.3.1, 3.3.2, 3.3.3, 19.03
- VMware Cloud Foundation®64.x
- VMware vRealize Suite Lifecycle Manager®78.x
From December 13, 2020 advisory:
- SolarWinds Orion products