The Week in Security: Sunburst attack set off alarms for months before discovery

This week: The supply chain hack of SolarWinds Orion was setting off alarms months before it was finally recognized and disclosed, according to reporting by Wired. Also: anxiety, fear, depression — life as a ransomware criminal.

This Week’s Top Story

WIRED: SolarWinds breach set off alarms for months before it was disclosed

Reporting by award-winning journalist Kim Zetter has shed new light on the infamous Sunburst supply chain compromise, which was behind the attack on SolarWinds, with a story in WIRED that shows private and public sector organizations had evidence of a security breach months earlier than was previously known, but failed to locate the source of the incident.

The public first heard about the compromise of SolarWinds, a software producer used by thousands of critical public- and private sector entities, in December 2020. At the time, reports indicated that the discovery of the sophisticated supply chain breach happened within weeks of the release of a SolarWinds Orion update that contained a back door component installed by hackers believed to be working for the government of Russia.

However, a subsequent analysis by ReversingLabs pushed the timeline of the attack back much further, to October 2019, when the attackers planted benign code in the Orion application as a dry run for their eventual attack.

Zetter's reporting, citing the findings of subsequent investigations as well as sources like Steven Adair, the CEO of Volexity, reveals that investigators at firms like Volexity, Mandiant, Microsoft and staff at the U.S. Department of Justice (DOJ) had come across evidence of the compromise by Russian hackers as much as six months prior, in mid 2020. Zetter notes that the DOJ did not realize the significance of the breach until December 2020, shortly before the incident was disclosed to the public. In many cases, flags were raised with SolarWinds, under the assumption that a remotely exploitable flaw in the company's Orion software was to blame.

However, no flaw was ever found and the possibility of a compromise of the company's development pipeline apparently did not occur to investigators or SolarWinds staff. Zetter’s investigation yielded that communications between the DOJ and SolarWinds between May and July 2020 led to the case being deemed insignificant by the DOJ. In August 2020, the DOJ purchased the Orion system, which sources say suggests that the DOJ was “satisfied” that there was no further threat posed by the Orion software. Private sector firms including Volexity were likewise puzzled by the source of the compromises, but never considered a breach of SolarWinds' build servers or development pipeline.

The breach on SolarWinds’ Orion software was the catalyst for sweeping policy changes brought forth by the federal government in recent years, starting with the White House’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028). This EO prompted more guidelines, even mandatory ones, primarily M-22-18, which calls on software publishers to self attest to their product’s secure software practices.

This latest development regarding the DOJ and other major entities further demonstrates the severity of software supply chain attacks, and bolsters the federal government’s moves to craft and mandate software supply chain security policies in recent years.

News Roundup

Here are the stories we’re paying attention to this week…

Life as a ransomware criminal? Anxiety, fear and depression (Bankinfosecurity.com)

It's not all Lambos and champagne. A ransomware affiliate hacker known as "Bassterlord," who has been linked to ransomware gangs like REvil, LockBit, Avaddon and Ransomware X, gave something like an exit interview to Jon DiMaggio, the chief security strategist at Analyst1. Speaking via chats, Bassterlord described the dark side of life as a cybercriminal, including the constant fear of getting caught. "At the end of the day, crime doesn't pay," DiMaggio said. "This guy has got all these issues - health and mental issues. He's on antidepressants. He has panic attacks. He's constantly looking over his shoulder."

Chinese hacker group Earth Longzhi resurfaces with advanced malware tactics (The Hacker News)

A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity.

Meta expunges multiple APT, cybercrime groups from Facebook, Instagram (DarkReading)

Facebook parent Meta said it thwarted the activity of three advanced persistent threat groups (APTs) in South Asia engaged in cyber espionage as well as six adversarial groups from various global regions engaged in what it deems "inauthentic behavior" on Facebook and other social networks.

Cybercriminals won’t become AI experts over night (Axios)

“The likelihood of cybercriminals investing energy and money into incorporating artificial intelligence into their schemes anytime soon is vastly overblown… If anything, cyber defenders will see the more immediate benefits of AI — it can help them block the run-of-the-mill security holes that criminals keep exploiting.”

Researchers found DoS flaws in popular BGP implementation (Security Affairs)

Forescout Vedere Labs researchers discovered multiple vulnerabilities in the software implementation of the Border Gateway Protocol (BGP). The issues reside in the BGP message parsing in version 8.4 of FRRouting implementation, a leading open-source implementation of the protocol.

Facebook disrupts new NodeStealer information-stealing malware (BleepingComputer)

The U.S. government’s Cyber National Command Force (CNCF) is sending its experts abroad in so-called “hunt forward” operations to aid partner countries in combating cybercrime, and has launched 47 operations in 20 countries over the last three years.