United States Cloud Government Microsoft Networking Security

Attackers May Still Be Breaking into US Networks Without SolarWinds, CISA says (gcn.com)

On Friday, America's Cybersecurity and Infrastructure Security Agency revealed that the "threat actor" behind the massive breach of U.S. networks through compromised SolarWinds software also used password guessing and password spraying attacks, according to ZDNet.

And they may still be breaching federal networks, reports GCN: "Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified," according to updated guidance published Jan 6. "CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs)." Examples of these red flags include SAML tokens with a 24-hour validity period, or tokens that lack the multi-factor authentication claims that would normally be expected for the user.
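The two token-level red flags CISA describes (an unusually long validity window and a missing MFA claim) can be checked mechanically on captured assertions. The script below is an added example, not code from CISA, GCN or Microsoft. It assumes an ADFS-style identity provider that signals MFA with the `http://schemas.microsoft.com/claims/multipleauthn` value in the `authnmethodsreferences` claim, and a baseline token lifetime of one hour (an assumption; adjust to what your IdP is configured to issue). The two assertions it examines are constructed sample input, not real tokens.

```python
"""Flag SAML assertions that show the red flags CISA describes:
a validity window far longer than the IdP normally issues, and
no MFA method where one is expected. Added example, not from the page."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# ADFS-style claim carrying the authentication methods used (assumed IdP behaviour).
AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
PWD_METHOD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA_METHOD = "http://schemas.microsoft.com/claims/multipleauthn"
# Assumed baseline: the IdP issues one-hour tokens, so 24 hours is far outside normal.
MAX_EXPECTED_LIFETIME = timedelta(hours=1)


def _ts(value):
    """Parse a SAML UTC timestamp such as 2021-01-06T10:00:00Z (fractional seconds allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def assertion_red_flags(xml_text, mfa_expected=True):
    """Return a list of human-readable findings; an empty list means the token looks normal."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion found")
    cond = assertion.find("saml:Conditions", NS)
    lifetime = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))

    flags = []
    if lifetime > MAX_EXPECTED_LIFETIME:
        flags.append(f"validity window {lifetime} exceeds expected {MAX_EXPECTED_LIFETIME}")

    # Collect every authentication method the token claims was used.
    methods = set()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AMR_CLAIM:
            methods.update(v.text for v in attr.findall("saml:AttributeValue", NS))
    for ref in assertion.findall("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS):
        methods.add(ref.text)
    if mfa_expected and MFA_METHOD not in methods:
        flags.append("no MFA method present where one is expected")
    return flags


def make_assertion(not_before, not_on_or_after, methods):
    """Build a minimal, unsigned assertion (constructed sample input for the check)."""
    values = "".join(f"<saml:AttributeValue>{m}</saml:AttributeValue>" for m in methods)
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c0ffee" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>http://sts.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AMR_CLAIM}">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Normal: one-hour window, password plus MFA.
BENIGN = make_assertion("2021-01-06T10:00:00Z", "2021-01-06T11:00:00Z", [PWD_METHOD, MFA_METHOD])
# Suspicious: 24-hour window and password only, the pattern CISA calls out.
SUSPECT = make_assertion("2021-01-06T10:00:00Z", "2021-01-07T10:00:00Z", [PWD_METHOD])

if __name__ == "__main__":
    for name, token in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, assertion_red_flags(token) or "ok")
```

The check is deliberately signature-agnostic: a forged token minted with a stolen token-signing key validates perfectly, which is why CISA points at lifetime and claim content rather than at signature failures. Run it over assertions extracted from the service provider's logs, not over tokens the IdP itself reports issuing, since a forged token never passes through the legitimate IdP.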

As more about the SolarWinds Orion breach has surfaced, analysts and lawmakers have repeatedly commented on how difficult it will be to remove the hackers from the government's networks, because their access is probably no longer predicated on flaws in SolarWinds Orion, an IT management product. CISA's new guidance appears to confirm that suspicion, stating that Microsoft, which is helping the federal government investigate the hack, reported the hackers are tampering with the trust relationships in Azure/Microsoft 365.

"Microsoft reported that the actor has added new federation trusts to existing on premises infrastructure," according to the agency's guidance. "Where this technique is used, it is possible that authentication can occur outside of an organization's known infrastructure and may not be visible to the legitimate system owner." In cases where administrative level credentials were compromised, organizations should conduct a "full reconstruction of identity and trust services," CISA said.

Microsoft published a query to help identify this type of activity.
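The federation-trust tampering CISA quotes Microsoft on (a trust added so that tokens can be issued from infrastructure the owner does not control) leaves a trail in the tenant's audit log. The script below is an added example of reviewing that trail; it is not Microsoft's published query. It follows the Microsoft Graph directoryAudit record layout (`activityDisplayName`, `initiatedBy`, `targetResources`, `modifiedProperties`), but the activity names and the `IssuerUri` property name are assumed for illustration and should be checked against your own tenant's records. The three audit records are constructed, not real log data.

```python
"""Review Azure AD audit records for federation-trust changes and mark
the ones that touch an unknown domain, an unknown issuer, or come from an
actor not authorised to change federation. Added example, not Microsoft's query."""
import json

# Audit activity names assumed here to denote federation changes (verify in your tenant).
FEDERATION_OPS = {
    "Set federation settings on domain",
    "Set domain authentication",
}


def _unquote(value):
    """Graph stores modifiedProperties values as JSON-encoded strings; fall back to raw text."""
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def _actor(rec):
    by = rec.get("initiatedBy", {})
    user = by.get("user") or {}
    app = by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"


def _target_domain(rec):
    """Return (domain name, {property: new value}) for the Domain target, if any."""
    for target in rec.get("targetResources", []):
        if target.get("type") == "Domain":
            props = {p["displayName"]: _unquote(p.get("newValue")) for p in target.get("modifiedProperties", [])}
            return target.get("displayName", "<unknown>"), props
    return "<unknown>", {}


def federation_findings(records, known_domains, known_issuers, authorized_actors):
    """One finding per federation operation; 'suspicious' is True when any reason applies."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in FEDERATION_OPS:
            continue
        actor = _actor(rec)
        domain, props = _target_domain(rec)
        issuer = props.get("IssuerUri")  # assumed property name carrying the federation issuer
        reasons = []
        if domain not in known_domains:
            reasons.append(f"domain {domain} not in inventory")
        if issuer is not None and issuer not in known_issuers:
            reasons.append(f"issuer {issuer} is not a known identity provider")
        if actor not in authorized_actors:
            reasons.append(f"actor {actor} not authorised to change federation")
        findings.append({
            "time": rec.get("activityDateTime"), "op": rec["activityDisplayName"],
            "actor": actor, "domain": domain, "issuer": issuer,
            "suspicious": bool(reasons), "reasons": reasons,
        })
    return findings


ADFS = "http://sts.example.test/adfs/services/trust"
SAMPLE_RECORDS = [  # constructed sample audit records
    {   # expected: the identity admin re-federates a known domain to the on-premises ADFS
        "activityDateTime": "2021-01-05T14:02:11Z",
        "activityDisplayName": "Set federation settings on domain",
        "initiatedBy": {"user": {"userPrincipalName": "idadmin@example.test"}},
        "targetResources": [{"type": "Domain", "displayName": "example.test",
            "modifiedProperties": [{"displayName": "IssuerUri", "oldValue": json.dumps(ADFS), "newValue": json.dumps(ADFS)}]}],
    },
    {   # suspicious: a service account points a known domain at an issuer nobody recognises
        "activityDateTime": "2021-01-06T03:41:57Z",
        "activityDisplayName": "Set domain authentication",
        "initiatedBy": {"user": {"userPrincipalName": "svc-backup@example.test"}},
        "targetResources": [{"type": "Domain", "displayName": "example.test",
            "modifiedProperties": [{"displayName": "IssuerUri", "oldValue": "null",
                                    "newValue": json.dumps("http://sts.unknown.invalid/adfs/services/trust")}]}],
    },
    {   # unrelated noise that the filter must ignore
        "activityDateTime": "2021-01-06T09:00:00Z",
        "activityDisplayName": "Add user",
        "initiatedBy": {"user": {"userPrincipalName": "idadmin@example.test"}},
        "targetResources": [{"type": "User", "displayName": "bob@example.test"}],
    },
]

if __name__ == "__main__":
    for f in federation_findings(SAMPLE_RECORDS, {"example.test"}, {ADFS}, {"idadmin@example.test"}):
        print(json.dumps(f))
```

The inventory inputs (known domains, known issuer URIs, the short list of people allowed to change federation) are the part that makes this useful; without them every record is just "someone changed federation". Note the guidance's caveat: once a trust points at infrastructure you do not own, sign-ins through it may never appear in your own IdP logs, so the audit trail of the trust change itself is the place to look.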

  • breaking into networks from France, or the UK, or the USA, basically any other country?
    • by phantomfive ( 622387 ) on Sunday January 10, 2021 @05:18AM (#60919518) Journal

      People from France and the UK sometimes break into US computers, but it's a lot riskier because those countries have an extradition treaty with the US. See for example [go.com]. Although sometimes politics gets in the way [bbc.com].

      • That's not what I asked. I'm just wondering why the stories about America being a victim seem to outnumber everybody else by a factor of 100, which is strange. Those figures don't seem right.
        • Sorry, I misplaced a word. I meant: how come we never hear of Fr or UK or Au or Ca being attacked?
        • That's not what I asked. I'm just wondering why the stories about America being a victim seem to outnumber everybody else by a factor of 100, which is strange.

          Those figures don't seem right.

          The US has a Freedom of Information Act and a history of free release of public information, so officials don't have as much of an incentive to hide things. Most of those other countries have a much stronger tradition of state secrecy. The UK's "Official Secrets Act" [wikipedia.org] is famously oppressive. Also the attackers seem to have been Russian with a specific aim of attacking the US, so they likely concentrated on that. Any IT infrastructure which in some way trusted SolarWinds should be reinstalled, which probably mea

          • Stop talking nonsense; the UK, Fr, Ca, Au, and half of Europe are just as free or even more free than the USA government and its policies. Let's face it, if the UK got attacked and somebody attacked the power grid, you can't hide that.
            • >> The Freedom of Information Act
              > Stop talking nonsense, the UK, Fr, Ca, Au, and half of Europe

              What do you imagine the Freedom of Information Act is called in the UK? France?

              > Let's face it, if the UK got attacked and somebody attacked the power grid, you can't hide that.

              If the power grid were taken down you couldn't hide the fact that something went wrong with the power. That's true. Are you under the impression that SolarWinds is a solar and wind power grid or something? Is that comment in a

              • by Anonymous Coward

                What do you imagine the Freedom of Information Act is called in the UK? France?

                They're called, respectively:

                • The Freedom of Information Act 2000 (2000 c. 36)
                • Loi n78-753 du 17 juillet 1978 portant diverses mesures d'amélioration des relations entre l'administration et le public et diverses dispositions d'ordre administratif, social et fiscal (Act No. 78-753 of 17 July 1978. On various measures for improved relations between the Civil Service and the public and on various arrangements of administrative, social and fiscal nature).

                So I guess that means you can't Google.

                • You missed my point. I was not denying that acts like you mention exist; your sarcasm detector is broken. My point is the UK, FR, etc. all have freedoms around information, and their governments are just as honest, if not more so, than the USA's.
              • I'm not denying SolarWinds. What I am saying is America loves to play the victim and take something small and exaggerate beyond hyperbole, taking something small and making it beyond belief in size. 9/11, hurricanes... Sure, you can do the math: more people in Africa die nearly every day, every month, in the past 20 years than on that one day, 9/11, from civil war, tribal and religious violence, or even terrorism.
        • by ytene ( 4376651 ) on Sunday January 10, 2021 @06:22AM (#60919696)
          This is just a guess...

          Several reasons:-

          1. Advanced Technology
          The US spends more on research and development than any other nation. Stealth and advanced weapons technology is years ahead of anyone else; drug research, computing, aviation, you name it... So breaking into that data would enable another nation to jump-start their own programs. We know that China has been stealing IP for years.

          2. Counter Intelligence
          The Snowden leaks confirmed a well-known secret: the US spends more on foreign intelligence gathering than any other nation. This requires agents, handlers, techniques and - in many cases - the ability to penetrate the security of other nations. Data on all of this will be stored in say State Department systems and might help a foreign actor to purge agents embedded in their governments, if they can be identified. To see an example of how effective getting such intelligence would be, look what happened in Saudi Arabia in 2017 - massive purge of "disloyalists" from the government.

          3. Long Term Disruption
          Look at the impact that the corrupted centrifuges had on the Iranian nuclear program, brought about by the development and deployment of Stuxnet... The ability for a foreign actor to get into US infrastructure would be particularly helpful, given the size and power of the US and the influence the US has on the world stage. Disrupting the US government has the effect of forcing US security services to "look inward" - and while that is happening, the threat actor is free to cause mayhem elsewhere.

          For a case in point - look at this breach itself. CISA was "all over" the election infrastructure, protecting the integrity of the 2020 election became their number one goal, which meant they may have taken their eyes off other targets and dropped the ball...


          Although there are undoubtedly more examples we could use, I hope the above three illustrations show that, in many cases, the US represents the "biggest target" in the world today. Now, the tools and techniques used to penetrate computer systems are highly sought after. You will come across references to "zero day exploits", for example. The thing about a "zero day exploit" is that it is a vulnerability that has not previously been detected and not previously been exploited. What that means is that if you are a hostile adversary and want to penetrate the security of western governments, who are you going to attack? If you limit your consideration to one of the "Five Eyes" nations: the US, Canada, Great Britain, Australia and New Zealand, then if you go after any nation other than the US, the risk you take is that your target may detect your zero-day exploit and alert the other 4 members of Five Eyes to the threat.

          So given that you have to treat each exploit like a "one time" pass, you are almost certainly always going to go for the biggest prize each time. Which, invariably, is going to be a US computer system somewhere.
          • The way you write your reply, it's almost like Europe or Canada or Au or NZ don't even have electricity. Like I asked before, how come nobody but the USA seems to report hacks against them? There's a very simple answer, something you have missed and has been evident in the media for 50 years.
          • 2 & 3: You didn't actually address my point. Why is it that the UK or Fr or anybody else in Europe never reports being attacked?
            • by ytene ( 4376651 )
              You'd have to ask them.

              I don't know, but maybe they have different secrecy laws? Maybe as a matter of policy they don't disclose breaches in those countries?
              • by PPH ( 736903 )

                Maybe as a matter of policy they don't disclose breaches in those countries?

                This. You find a bug, you don't rip it out. Because this alerts your adversary to the fact that they have been found out. And that they need to change their methodology. Making them harder to catch.

                The whole "Oh noes! We've been hacked!" is political posturing.

              • The UK is just as open as the USA; not that long ago news about terrorist attacks was common when the IRA and friends were running around causing havoc. I don't think it's fair to pretend that the UK is a dictatorship where everything is censored; that simply isn't true. America loves to play the victim and they never shut up about it and keep exaggerating, e.g. 9/11. My country (Australia) is far smaller and suffered far more terrorist victims, and we here don't hear about it on the scale of America and its crying
        • That's not what I asked. I'm just wondering why the stories about America being a victim seem to outnumber everybody else by a factor of 100

          So you compared to all the other stories in all the papers in all the languages in all the countries, to determine this.

          • UK, CA, AU, NZ: I'm Australian and I can count the attack stories on one hand for all those countries. Aus 25m vs USA 300m, that's 12:1; the Australian attack count is not 7% of the story count about America.
        • by HiThere ( 15173 )

          Perhaps because the US is a large target, and you were looking at news written in English. The combination of those two might suffice. A secondary consideration might be that you pay more attention to attacks that happen relatively locally.

          There may be additional reasons, but those alone would probably suffice.

          • Canada, the UK and Australia also speak English. That's a target of 100M people and yet basically zero attacks compared to the hundreds against America. Something doesn't add up.
    • breaking into networks from France, or the UK, or the USA, basically any other country?

      1. Because the Russians and the Chinese have it as a matter of policy to never release anything on the subject. We learn years if not decades later about successful hacks like this one: https://www.wired.com/2004/03/... [wired.com]

      2. We "attribute" any hack by anyone to the Russians to promote our forever war and regime change agenda.

      They for the time being are simply ignoring us despite the regime-change-o-meter being somewhere around 10. If Biden tries to crank it one more notch to 11, they will go for the final

      • Wrong, America doesn't have a problem with tyrants. You might want to check all the other tyrants, dictators and murdering bastard leaders around the world. They are nearly all friends of America. You completely missed the point.
      • I didn't ask who the USA attributes attacks to; I asked why it has so many attacks against it made public and nobody else, on a practical level, mentions any.
      • It's a bit like 9/11: barely hours old and they had already figured out far too much about the attackers, and yet hours beforehand they knew nothing. Sniff sniff, there's only one reasonable answer.
      • 2. We "attribute" any hack by anyone to the Russians to promote our forever war and regime change agenda.

        Really? Name one Russian government we've helped install. For that matter any puppet Russian government we've helped overthrow? Cuba so far is still standing.

  • Most network security is still utter crap these days. After all it has to be cheap. Actual (expensive) experts never get hired or if they get hired, they are not listened to.

  • Sounds like a lot of fun for the people involved.
    • Sounds like we are learning about the actual fallout.

      When the hack came out I commented that the information seems to be full of shit: https://www.fagain.co.uk/node/... [fagain.co.uk]

      Namely, the Russian software "captured" in the process was 2+ years old. That means either:

      Case A: Someone has gotten their mitts on old Russian trophy tank and have taken it for a ride. +/- some domestically produced ammunition.

      Case B: All key networks of Western Governments and military have been hacked at a level which gives "God A

  • Make no mistake, if you operate in the digital realm alone you are a fool.

  • It's only the con artist's benefactor in Russia. They're helping to look [youtube.com] for all those "missing" votes [youtube.com]. This is why you haven't heard him say one word about this hack. Wouldn't want to annoy the place you'll be fleeing to.

  • Do you think such "trust protocols" were deliberately weakened at the behest of the spooks to give them backdoor access to the Azure "Cloud", in the process diluting security that some third party has exploited? You know, like that backdoor that Google inserted into Gmail [malwarebytes.com] that the Chinese discovered and used to monitor dissidents.
    • by PPH ( 736903 )

      Yeah. Since Microsoft was almost split up. And the eventual settlement was supervised by Judge Kollar-Kotelly. A judge sitting on the Foreign Intelligence Surveillance Court [wikipedia.org]. In other words, someone cleared to know where all the back doors in Windows were. And in a position to side track any examination of the "wrong" binaries.

  • No kidding; how could anyone seriously believe that once SolarWinds was patched, the breach is over?

    Government and security experts said these people were smart and sophisticated, so even I thought the first thing they would do is plant one or more backdoors in systems they cared about. Then they would move on from the initial breach.

    So the real fix is probably to wipe and reinstall all the systems attached to the internal network. Otherwise you will be looking at hundreds of systems for a very long time and still mi
