News: Microsoft says it was hit by Chinese hackers, but Biden* won't do anything
CrimsonPhantom
CUSA Curator
Posts: 41,854
Joined: Mar 2013
Reputation: 2398
I Root For: NM State
Post: #1
Microsoft says it was hit by Chinese hackers, but Biden* won't do anything
Quote: Microsoft and cybersecurity experts believe the massive hack against the Microsoft Exchange Server this year was conducted by a Chinese hacker group, but the Biden administration has yet to point the finger.

President Joe Biden signed a cybersecurity executive order earlier this month, naming three recent prominent cyberattacks — SolarWinds, Colonial Pipeline, and Microsoft — with a White House fact sheet saying those “recent cybersecurity incidents … are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.” The United States has said Russian intelligence is behind the SolarWinds hack and that a Russian hacker gang is behind the Colonial Pipeline attack, but it has not publicly attributed the Microsoft hack to anyone.

The tech giant announced in March that it had detected “multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks” in March and said its Threat Intelligence Center attributed the cybercampaign with “high confidence” to a hacker group dubbed “Hafnium,” which “operates primarily from leased virtual private servers in the United States.” Microsoft said the hacker group was “state-sponsored” and operating out of China. Microsoft said the hackers had used vulnerabilities to access email accounts and install additional malware “to facilitate long-term access to victim environments.”

The Microsoft Exchange Server handles the company’s email, calendar, scheduling, contact, and collaboration services.

Tom Burt, the corporate vice president of customer security and trust at Microsoft, wrote in March that “Hafnium operates from China, and this is the first time we’re discussing its activity.” He called the Chinese hacker group “a highly skilled and sophisticated actor” that “primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.”

Jake Sullivan, Biden’s national security adviser, was asked whether China was behind the Microsoft hack during a March press conference at the White House.

“I’m not in a position, standing here today, to provide attribution, but I do pledge to you that we will be in a position to attribute that attack at some point in the near future,” Sullivan said. “And we won’t hide the ball on that. We will come forward and say who we believe perpetrated the attack.”

FBI REMOVES WEB SHELLS TIED TO CHINA-LINKED MICROSOFT HACKERS

The Biden administration has since been silent on attributing the hack to China. A spokesperson for the National Security Agency told the Washington Examiner to reach out to the National Security Council. The NSC did not provide a comment. A spokesperson for DHS said to “please contact the FBI for help with this inquiry.” The FBI spokesperson said that “unfortunately, we do not have a comment.” A DOJ spokesperson said they "don't have anything to share with you on this at this time.” A spokesperson for the Cybersecurity and Infrastructure Security Agency said that “we do not have a comment on attribution.” And the Office of the Director of National Intelligence did not respond to a request for comment.

In April, the Biden administration attributed the massive SolarWinds cyberattack to Russia’s Foreign Intelligence Service, also known as the SVR, and a fact sheet released by the White House said the U.S. was “formally naming” the SVR “as the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructures” and that the intelligence community “has high confidence in its assessment of attribution to the SVR.” Former Secretary of State Mike Pompeo and former Attorney General William Barr both said in December they believed the cybercampaign was likely carried out by Russia.

Biden said in May that the ransomware attack on the Colonial Pipeline by the DarkSide gang wasn’t directed by the Kremlin but said the U.S. had "strong reason" to believe the criminals "are living in Russia." The White House says it has been in "direct communication" with Moscow, though, calling on Vladimir Putin's government to take action against the ransomware attackers.

Ben Read, the director of analysis at Mandiant Threat Intelligence, which is part of the FireEye cybersecurity firm, told the Washington Examiner there had been “three stages” of the Microsoft hack, arguing the first stage “was kind of limited use by what Microsoft tracks as Hafnium — we think likely China,” while the second stage was “a more widespread use by additional different Chinese groups.” The third stage was when the vulnerability became “publicly available” and was exploited by a yet-unknown number of other hacker groups.

“With sort of the initial Hafnium stuff, I have no reason to doubt Microsoft, they’re very good at what they do, their security team, and there’s so much of it, and we’re aware that it was likely used by other actors as well, especially when the proof of concept go out there, so it’s not sort of a singular event that I can easily talk about as sort of one event, but in general, yes, the initial use and since follow-up stuff we saw we think is likely China,” Read said. “The exploit was used, we believe, by multiple groups, so our analytic line is we have probably moderate confidence that at least some of the exploitation is linked to previously tracked groups we attribute to China.”

When describing how FireEye attributes hacks to China, he said: “With these specific groups, they are groups we believe, at the very least, act in support of, sort of, PRC goals … They appear to have significant funding because they’re able to operate for an extended period of time, sort of with a large amount of operations with sophistication — it takes money to do that. And the information they’re stealing is not easily monetizable, and in some cases, you have further forensic or pattern of life or other reasons, the belief that they’re located in China, or things like that, they speak Chinese … so the specific constellation is different for every group, but that’s kind of the general we have, that middle phase, linked to China.”

Read said that Hafnium’s actions were “unusual for an espionage group because not every place is gonna have interesting information,” and yet, the hackers had pursued vulnerabilities against a host of individuals, small businesses, and other unusual espionage targets.

“Your mom-and-pop deli in Connecticut is just not gonna have a ton of information of interest to the Chinese government, but if they had a vulnerable exchange server, they got a web shell," he said. "There are interesting questions as to why China chose to operate that way but not a whole lot of technical leads in explaining it.”

As for Hafnium, Read said: “As Microsoft said, it was a new group to them, we don’t have that stuff traced back historically, where we can sort of make a super confident attribution,” but “it matches the sort of general profile how the Chinese operate, some of the malware is familiar.”

John Hammond, a senior security researcher at the Huntress cybersecurity firm, was confident that China was behind the Microsoft hack.

“Every effort that the cyber threat intelligence community has made does point to HAFNIUM being a Chinese group,” he told the Washington Examiner. “While some HAFNIUM operations were often carried out from a U.S.-based IP address, this is simply indirection: using a DigitalOcean virtual private server to appear as if the attacks come from elsewhere. We have seen communication to deployed China Chopper webshells from Chinese IP addresses, and further research with honeypots certainly received a lot of traffic from China. Nothing can be guaranteed as absolute proof — but seeing a trend of repeated indicators, it certainly makes for a confident claim.”

The FBI said in March it is “aware of Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software, attributed to the advanced persistent threat actor known by Microsoft as Hafnium.” But the bureau declined to comment when asked if this meant the FBI was also assessing if this was a Chinese operation.

Cybersecurity expert Brian Krebs reported in March that “at least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities, and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber-espionage unit that’s focused on stealing email from victim organizations.”

The Cybersecurity Huntress blog contended in March that “the webshell that these threat actors are using is known as the ‘China Chopper’ one-liner.” FireEye said in March that in a separate environment, it had seen the vulnerable Microsoft Exchange Server exploited by a threat actor that matched the China Chopper, which it says has “growing prevalence, especially among Chinese cybercriminals.” The cybersecurity firm Volexity appeared to first spot the hack, writing that it detected the “anomalous activity” in January.

Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said in April that the Biden administration was “standing down” its Unified Coordination Groups responding to the SolarWinds and Microsoft hacks but stressed the administration was taking a “whole-of-government effort” to deal with cyberattacks.

The Justice Department announced a “court-authorized operation” by the FBI last month to copy and remove “malicious web shells” from hundreds of U.S. computers in response to the massive cyberattacks against Microsoft’s Exchange Server.

The Chinese Foreign Ministry rejected Microsoft’s claim that it was involved in the newly discovered cyberattacks, just as Russia has denied culpability for the SolarWinds hack.

Link


Quote: A criminal gang of hackers caused one of America’s largest oil and gas pipelines to shut down for days, and even though the pipeline is operational again, it will take days for gas stations in the affected area to resupply.

As I wrote yesterday, the gas shortages could have been avoided if people just remained calm and only purchased what they needed, when they needed it, but here we are. At least where I live in Northern Virginia, almost every gas station in the area is closed because they ran out of gas. The only two gas stations that were open a couple days ago had massive lines in all directions. At the time of this writing, a gas station in Richmond is charging $6.99 a gallon.

The shutdown was caused by hacking group DarkSide, the FBI said, who used ransomware on Colonial’s business networks (which weren’t connected to the pipeline) and demanded a ransom to provide the decryption program that would slowly remove the malware. Colonial reportedly paid the ransom of $5 million.

But what will America do in response to this cyberattack? So far, it doesn’t look like much, and that’s worrisome. Most of the response from the Biden administration so far has been focused on whether private companies should pay ransom or not. The FBI discourages ransom payments, saying that it “doesn’t guarantee you or your organization will get any data back,” and “encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

Yet, this is where we are with the Colonial pipeline. They reportedly paid the ransom. Maybe we’ll find out soon that this was yet another fake news story, but if that were the case, shouldn’t we have known by now? If Colonial didn’t pay, wouldn’t they have said so? I suspect DarkSide might have sent word they hadn’t received any payment, though would we be able to trust the word of these criminals? What would be the reasoning behind letting Americans – and our enemies – think that American companies will pay millions in ransom?

There hasn’t been much in the way of encouraging news out of the Biden administration. On Thursday, when Biden finally spoke about the issue, he said his administration wouldn’t rule out a counterattack, insisting the U.S. would pursue “a measure to disrupt their ability to operate.” White House Press Secretary Jen Psaki said such an attack would wait on recommendations from U.S. Cyber Command.

Okay, I guess. Those aren’t the strongest statements given the implications of what just happened.

Before that, Biden signed an executive order that directed the Commerce Department to come up with new standards for software vendors that supplied the federal government. This does absolutely nothing to go after DarkSide, but damn it, it sounds tough. Plus, Biden received glowing praise from former Director of the Cybersecurity and Infrastructure Security Agency Christopher Krebs, who called the executive order a “dramatic game change” and said it showed Biden’s “committed leadership vision” on cybersecurity concerns. Methinks someone wants a job in the administration.

Prior to Biden’s tepid comments about going after DarkSide, his Energy Secretary, Jennifer Granholm, sniped at Americans suffering from the gas shortage by saying if they drove electric cars, it “would not be affecting you.” His deputy national security advisor for cyber and emerging technologies, Anne Neuberger, suggested it was “a private sector decision” for Colonial to pay the ransom.

Maybe if Colonial thought the federal government might go after the hackers or offered any kind of support, it wouldn’t have felt compelled to pay the hackers. We already know the Biden administration is no friend to oil and gas, so why would the company think the administration would help? Or maybe the company just panicked (if Bloomberg’s report is true).

We have no indication that our government is going to seriously go after these criminals, so what’s a private company to do? They can’t just call the police when the criminals are international, and paying a ransom encourages others to seek demands.

The Biden administration’s response, however, doesn’t inspire hope that this kind of thing won’t be an issue in the future. Sure, companies should do what they can to protect themselves, but if our government is just going to let criminals go, what’s to stop this from becoming open season on our country’s infrastructure?

Link

They will do nothing, this is NOT the right kind of infrastructure.
05-27-2021 12:39 PM
UofMstateU
Legend
Posts: 39,231
Joined: Dec 2009
Reputation: 3580
I Root For: Memphis
Post: #2
RE: Microsoft says it was hit by Chinese hackers, but Biden* won't do anything
Well, now I know why Microsoft has been patching Exchange and cors related software like mad the past couple of months.
05-27-2021 01:12 PM
MileHighBronco
Legend
Posts: 34,345
Joined: Mar 2005
Reputation: 1732
I Root For: Broncos
Location: Forgotten Time Zone
Post: #3
RE: Microsoft says it was hit by Chinese hackers, but Biden* won't do anything
For some reason I find it mildly funny that a tech firm can't defend itself from hackers. But that's just me, I guess. We must not be getting the 'best and brightest' Asians working for tech firms here.
(This post was last modified: 05-27-2021 01:54 PM by MileHighBronco.)
05-27-2021 01:53 PM
BartlettTigerFan
Have gun Will travel
Posts: 33,487
Joined: Mar 2007
Reputation: 3625
I Root For: Freedom
Location: Undetermined
Post: #4
RE: Microsoft says it was hit by Chinese hackers, but Biden* won't do anything
(05-27-2021 01:53 PM)MileHighBronco Wrote:  For some reason I find it mildly funny that a tech firm can't defend itself from hackers. But that's just me, I guess. We must not be getting the 'best and brightest' Asians working for tech firms here.

Or maybe we are and that’s the problem......
05-27-2021 02:00 PM
UofMstateU
Legend
Posts: 39,231
Joined: Dec 2009
Reputation: 3580
I Root For: Memphis
Post: #5
RE: Microsoft says it was hit by Chinese hackers, but Biden* won't do anything
(05-27-2021 02:00 PM)BartlettTigerFan Wrote:  
(05-27-2021 01:53 PM)MileHighBronco Wrote:  For some reason I find it mildly funny that a tech firm can't defend itself from hackers. But that's just me, I guess. We must not be getting the 'best and brightest' Asians working for tech firms here.

Or maybe we are and that’s the problem......

This is what happens when you let a company run as a monopoly and allow them to squash competition; since the 80's, MS had no financial reason to redesign systems to build in security from the ground up. So they didn't.
05-27-2021 02:24 PM
Danforth
Banned
Posts: 2,381
Joined: Jan 2021
I Root For: Oregon
Post: #6
RE: Microsoft says it was hit by Chinese hackers, but Biden* won't do anything
They should have used PCMatic.

I purchased the lifetime license back when it was $50 and I haven't had a problem since.
05-28-2021 02:18 PM
Copyright © 2002-2024 Collegiate Sports Nation Bulletin Board System (CSNbbs), All Rights Reserved.