Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Threat Assessment’ Category

Supply Chain Attacks and Nation State Pwnage: A Primer


I've seen things you people wouldn't believe...

Last Sunday night, while I was lounging on the couch watching some British Bake Off, I got word of the SolarWinds supply chain hack. After kicking back the last of my whiskey, I immediately got on the phone to start IR at work, cuz, yep, we have SolarWinds too.

Who’da thunk it?

Anyway, three days of IR later, I am here to blog on what this means for the muggles out there, after having had a conversation with a reporter about what it all meant. The reporter asked me about a tweet put out by Richard Blumenthal about needing to know more about this evolving hack and the fallout thereof.

While I think that Dick is being a bit hyperbolic here, I can also tell you, gentle reader, that there is in fact a lot to be worried about regarding this instance of adversarial activity (most likely Russia’s APT29, the Sluzhba Vneshney Razvedki Rossiyskoy Federatsii, or SVR), which managed to compromise a network management application that many in the government, military, and corporations still run.

This system is so prevalent in the space that even in my environment we still had it running, and man, I thought we had made it go away long ago. So, you might be wondering what SolarWinds really does. Well, glad you asked: it is a suite of applications that help you maintain large networks.

The product graphic on SolarWinds’ own site shows how much management and monitoring the company’s software performs across a network of individual systems: servers, routers, databases, service desk applications, resource monitoring, network configuration, and security management. Now, you might be saying, “OK, this stuff does a lot of things, but what does that mean security-wise if the application (Orion) is compromised?” That is a good question, and it is the primary one I want you to comprehend if you are not in tech or in the security of the tech. What it means is that this SolarWinds product suite is now the ‘skeleton key’ to a host of networks: SolarWinds has about 33k Orion customers, of whom it estimates fewer than 18k installed the tampered update. It could affect around 300k clients in all, should there be more tampering or more vulnerabilities exploited by the adversary now that they (presumably) have the code base after all that time inside SolarWinds’ systems.

So, we have a prevalent application suite that runs with administrative access in order to do the very things it is bought to do. The Orion server runs under a highly privileged service account and stores the credentials (SNMP, WMI, SSH, database and Windows accounts) it uses to poll and manage devices, and in many shops those include domain administrator and even enterprise administrator accounts. What does this mean? It means that once the adversary controlled the Orion system, they controlled everything that system touched, and where they did not have direct control, they held the passwords that grant access to the rest of the network.

Put simply, the adversary has control over pretty much everything you own. They can log in, take data, manipulate data, and in the most extreme case burn your network down using other malware such as a wiper or ransomware. All of this while you may not see the activity, because everything is done with admin-level credentials that are legitimately authenticated on your network. This is why the attack was so hard to detect and stop, and why they were inside the systems for so long.
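The two paragraphs above make the detection problem concrete: the attacker moves with the monitoring platform’s own admin credentials, so “bad password” and “unknown account” alerts never fire. What still differs is where those credentials are used from and how. The script below is an added example, not code from the original post or from SolarWinds. It assumes a hypothetical inventory of the platform’s polling service account and the poller hosts allowed to use it, and runs two checks over a constructed sample of Windows Security 4624 (successful logon) event fields: logons with the polling account from any host that is not a poller, and interactive or RDP logons with an account that should only ever do network (type 3) or service (type 5) logons. The account and host names are made up for illustration.

```python
"""Hunt for abuse of a monitoring platform's service account in Windows logon events.

Added example; not code from the original post or from SolarWinds. The account
names, host names and sample events below are constructed for illustration.
"""
from collections import defaultdict

# Hypothetical inventory: the service account the monitoring platform (Orion in
# the post) uses to poll hosts, and the only hosts that should ever originate a
# logon with it. Anything else using the account is not the poller.
MONITORING_ACCOUNTS = {
    "CORP\\svc_orion": {"ORION-POLLER01", "ORION-POLLER02"},
}

# Windows logon types a polling account never needs: console (2),
# RemoteInteractive/RDP (10), CachedInteractive (11).
# Network (3) and Service (5) are normal for a poller and are not flagged.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed sample of Security event 4624 fields (not real logs).
# The third and fourth rows model the attacker reusing the polling account
# from a workstation, first over the network and then via RDP.
SAMPLE_EVENTS = [
    {"ts": "2020-12-13T22:01:05Z", "account": "CORP\\svc_orion", "src": "ORION-POLLER01", "dst": "DC01",      "logon_type": 3},
    {"ts": "2020-12-13T22:01:07Z", "account": "CORP\\svc_orion", "src": "ORION-POLLER01", "dst": "FILESRV02", "logon_type": 3},
    {"ts": "2020-12-13T22:03:41Z", "account": "CORP\\svc_orion", "src": "WKS-0457",       "dst": "DC01",      "logon_type": 3},
    {"ts": "2020-12-13T22:04:12Z", "account": "CORP\\svc_orion", "src": "WKS-0457",       "dst": "DC01",      "logon_type": 10},
    {"ts": "2020-12-13T22:05:00Z", "account": "CORP\\jdoe",      "src": "WKS-0101",       "dst": "FILESRV02", "logon_type": 3},
]


def find_unexpected_sources(events, allowed=MONITORING_ACCOUNTS):
    """Return monitoring-account logons that did not originate from an approved poller host."""
    hits = []
    for ev in events:
        poller_hosts = allowed.get(ev["account"])
        if poller_hosts is not None and ev["src"].upper() not in poller_hosts:
            hits.append(ev)
    return hits


def find_interactive_logons(events, accounts=MONITORING_ACCOUNTS, types=INTERACTIVE_LOGON_TYPES):
    """Return logons where a polling account was used interactively or over RDP."""
    return [ev for ev in events if ev["account"] in accounts and ev["logon_type"] in types]


def summarize(events):
    """Group rogue-source findings by (account, source host) with the targets reached."""
    findings = defaultdict(set)
    for ev in find_unexpected_sources(events):
        findings[(ev["account"], ev["src"])].add(ev["dst"])
    return {key: sorted(dsts) for key, dsts in findings.items()}


if __name__ == "__main__":
    for (account, src), dsts in summarize(SAMPLE_EVENTS).items():
        print(f"{account} used from non-poller host {src} against {dsts}")
    for ev in find_interactive_logons(SAMPLE_EVENTS):
        print(f"interactive logon (type {ev['logon_type']}) by {ev['account']} from {ev['src']} at {ev['ts']}")
```

The first check is the one that matters most in this scenario: a polling account legitimately touches every host, so fan-out alone is noise, but the set of hosts that may originate its logons is tiny and can be allow-listed. Run it against historical 4624 data, not just live events, because the question after a supply chain compromise is how long ago the account first showed up somewhere it should not have.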

Ok, so what does that mean from the perspective of damage, and which groups did the adversary hit? So far, we know that the following entities were hit in this supply chain attack:

  • Department of Homeland Security
  • FireEye
  • Treasury
  • Commerce
  • The National Security Council

These are all either government agencies or companies that handle a lot of government contracts, so you can get a sense of what it means. Let me expand on this: DHS and the NSC alone are a treasure trove of the unclassified and classified data the Russians would want. Not only that, but if you own the Orion systems in places like that, and Orion is also running in the CLASSIFIED space there, then you have broached not only NIPRNet but classified networks like SIPRNet and probably JWICS as well.

What does this mean? Lemme put it into internet vernacular for you:

This could be spectacularly bad. This is why so many are freaked out about this supply chain attack and why the incident responses are all running 24×7 now. It has yet to be determined (at least publicly) how long the adversaries were inside these networks, but I am going to assume it was a long time and that a lot of damage has been done. Now all these places have to clean up the mess, reset their networks and rebuild so that this cannot happen again. Then they have to assess the real damage to our security and perhaps someday give testimony in Congress about it.

Now, about the other entities; these are the reasons this hack is bad:

  • FireEye: They do pentesting, security work and incident response for many of the same orgs. If they were owned as hard as we think, there is a lot of data the adversaries could use, on top of the red team tools they stole.
  • Treasury: well, money, right? Plans? Routes? All things monetary that the adversaries could use to mess with the United States, up to and including, potentially, the theft of large sums of money.
  • Commerce: likewise plans and other details that they could use against the US financially, both internally and globally.

Time will tell just how many other orgs got hit and may in fact have lost data to the attackers. Also, do not forget the potential for logic bombs placed out there by the actor for future fun. Of course I have been hearing stories about power and water companies and systems being affected by this as well. All in all, it could be very bad for us all, and it places us solidly on our back foot globally.

One other aspect here, and this is highly speculative: what other secret orgs had connections to others running Orion? Which orgs in the secret spaces, like FireEye, ran the same software themselves? What classified intelligence has been lost here?

Let that sink in…

Also, on the critical infrastructure end, I am not worried that the power will go off nationally, but the Russians could mount more, and effective, attacks against regions with the kind of access this hack provides.

Think about that too.

Gotta hand it to the Russians, man, they play a good long game. Expect to be hearing about fallout from this for quite a long time. If you want to get a sense of the scope of it, I recommend watching “Sneakers”: the whole MacGuffin of the movie is the little black box the mathematician created that decrypts everything. This hack is kinda like that. With one box, the Russians decrypted EVERYTHING and then, like the Grinch, took it all up the chimney.

K.

Here’s a reading list for you all to follow along with:

https://triblive.com/news/world/cyberattack-may-have-exposed-deep-u-s-secrets-damage-yet-unknown/

https://www.darkreading.com/attacks-breaches/concerns-run-high-as-more-details-of-solarwinds-hack-emerge/d/d-id/1339726?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software

https://us-cert.cisa.gov/ncas/current-activity/2020/12/08/theft-fireeye-red-team-tools

https://us-cert.cisa.gov/ncas/current-activity/2020/12/07/nsa-releases-advisory-russian-state-sponsored-malicious-cyber

https://www.nbcnews.com/tech/security/russian-hacking-campaign-highlights-supply-chain-vulnerabilities-n1251187

https://www.solarwinds.com/securityadvisory/faq

https://www.solarwinds.com/securityadvisory

Post Script:

Someone put out a tweet earlier that is very prescient:

This is important context to have. Russia has used Ukraine as its downrange test bed. If you remember NotPetya, you can see this exact supply chain attack cycle being leveraged and tested there first. The Russians are old hands at this now.

Written by Krypt3ia

2020/12/16 at 18:47

2020 Threat Assessment

Here’s my threat assessment for the United States after the impeachment acquittal of Trump, and the possible scenarios for the 2020 election cycle. I am putting these out there for you all to consider and to keep in the back of your minds as we move forward through the nine months to the election, as well as for what we may see after November 3rd, 2020. Given recent events it is not hard to posit these scenarios as equally possible, and all of them have grave import for the freedom of this nation and its people.

As we have seen so far, the election systems are insecure, the government itself and the Framers’ intentions are all now in question as to what is real, and the net effect is this: we now have a president who believes he has the power to do anything and will likely push the envelope before the election. However, if he wins this election, you will see the power grabs and the illegalities only increase, eroding the rule of law further with his co-conspirators in the DOJ and elsewhere.

What we have seen in the last week alone should have you all thinking about the actions to come, and what, if anything, the government can do about it. I will tell you straight up right now: this is a slide into fascism, boys and girls. In the last day we have seen the President tweet a comment about the “unfair” sentencing of Roger Stone, with an almost immediate response from the DOJ to throw out the sentencing guidelines and recommendations of the prosecution, and with that, the withdrawal of the four DOJ prosecutors who were handling the case for the government.

This. Is. Not. Normal.

…. And it’s just the start.

As we move into the election cycle, I would urge you all to go and read this piece in The Atlantic on the disinformation war to come. We are going to see an all-out attack cycle in this election, not only from the outside but from within. Added to this, the outcome of the election is a key factor in what may be to come and at what rate things happen. So, read on and consider these scenarios.

Things are going to be very messy.

The Election Cycle:

Scenario 1: Trump Wins The Election By The Electoral College Again

This is the most likely event that I foresee for the 2020 election. Given the information war to come, I am willing to say that what happened in 2016 will happen again, given the polarity of the nation and the machinations on the part of the Republicans to fudge the vote. There will be no need for Russia to weigh in here and tip the scales with hacking for this to happen, but imagine if we do have a replay of 2016. Once Trump has won a second term he will have four more years to push the envelope and do whatever he likes. This is primarily because once the election is won, he has no reason to be restrained in any way.

Think about it: impeachment was a failure. The Senate is willing not only to toe the party line in a partisan way, but to eschew the Constitution whole cloth for Trumpism merely to stay in power. With the Senate under his thrall, and the belief that Article Two says he can do whatever he pleases, he will overreach, and with the help of the Senate and now the DOJ…

Well, you can see what that means.

Scenario 2: Trump Wins By A “Landslide”

Given the polling and the stats, which have been pretty consistent, if Trump won by a landslide there would definitely be something wrong with the process in 2020. If this were to come to pass, it would surely mean that the election had been manipulated in a way we have only seen in countries in Africa and South America. No amount of persuasion allows for this scenario. So, if it happens, the outcome will be this:

  • The election will be investigated while Trump will still be in office
  • The investigation will take a long time, and during that time Trump and his minions will do everything in their power to obfuscate
  • The election would likely have to be re-run… But… Could Trump attempt a coup and declare a national emergency to keep power?

None of these outcomes is as likely as the Electoral College win, but this should scare you all, because you know he will not just leave the White House and allow for a free and fair election, right?

Scenario 3: Trump Loses and Declares The Vote To Be Rigged

IF Trump loses the election, do you really all believe he will accede to the will of the people and leave? Do you further believe he will leave knowing that right after he does, the SDNY will be slapping cuffs on him and trying him for crimes he committed before and after the election? The short answer is no; in my opinion he will not willingly leave.

So, with that said, let’s look at the scenario in which he does lose, even losing the Electoral College. You have all seen him use the term “rigged” before, in the first election, but now, with so much on the line, he will immediately call for a recount. In fact, this may already be a contingency plan that the Russians or others can help with by actively penetrating our election systems. The damage would only have to be the fact that some votes were changed or some databases were abused; that is all it would take to call the vote into question, and for Trump to use his powers as president to declare an emergency situation in which he retains power.

Once again, if this happens, the election investigations will take a long time, and in that interim Trump will still be in power and able to overreach to keep it. So far, I have little faith in the system (e.g. the government) to stop him from doing this. We have seen how impeachment went, and we have seen just how dangerous a totally tribal majority in power is.

Use of the DOJ As A Weapon:

Scenario 1: Trump And DOJ Start Arresting Opponents

We are already seeing this play out with Barr and Trump. With the DOJ now directly accepting disinformation dirt from Rudy for the 2020 campaign, I have little doubt that that information will be used as a means to an end: at most, to create charges, and at the least, as grounds for search warrants and the like for the DOJ to start using against Trump’s opponents (primarily Biden at this time).

Right now Trump has an enemies list, and first on that list seems to be Bolton. If Bolton is suddenly presented with search warrants or arrested, this will be the first domino to fall in a cascade of abuse that Trump and Barr will carry out. If there is nothing to stop them arresting Bolton, expect others on that enemies list to be next. Post re-election, you will likely see this escalate, and the enemies list will grow as well.

Scenario 2: Trump Pardons and Frees Manafort & Stone

As of yesterday, the events around Trump and Barr’s manipulation of the DOJ show you where they are willing to go for their peeps. It is likely that Trump will pardon Stone after the judge decides whatever she is going to give him. She does have discretion, so one hopes that the original 7-9 year stint is what she chooses. However, if that happens, yeah, he will get pardoned and inserted back into the election cycle where Trump would like him.

Manafort will also get a pardon, likely after re-election. This will also allow Manafort to rekindle his ties to Ukraine and help Rudy as well. Trump will pardon Manafort most of all for his steadfast refusal to be a rat and roll over on Trump. This is the real key to this happening. It will set the precedent for others: like any other mob boss, Trump will show that if you do time for him, he will reward you later for not being a rat.

Scenario 3: Trump and Barr Close Cases Against Flynn & Erik Prince

Next in line are Flynn and Prince. My assessment is that these two will slip away for two different reasons. Flynn will get away because he dealt with the government in the first place, but he also did not totally rat out Trump. It’s been obvious that he has been holding back and obfuscating, so whatever it is, he has given enough to get leniency from the government, but with Barr at DOJ, well, they can just make it all go away, right?

Erik Prince will get good treatment from Trump and have his case tossed because Prince is the wet works guy that Trump needs for the proxy wars and connections. This too will likely happen after re-election.

Scenario 4: Trump Starts Removing Non Conforming Judges

This is already starting to happen. The administration recently set forth the idea that it was going to “investigate” doing this in sanctuary cities. Those left-leaning judges need to be removed, according to Trump. Of course, if this happens only to sanctuary city judges I will be truly surprised. This is a means to an end. If you will note, Trump has been putting in more right-wing judges than anyone ever has. Control of the judicial system is a keystone in the ultra right’s playbook, so don’t expect this to be forgotten.

Scenario 5: Trump and His Operatives Start Disinformation Campaigns Against Journalists and Start Arresting Them

In the run-up to the 2020 election you will see directed attacks on reporters by the Trump admin and the Republican machine. If you read the above-linked disinformation story in The Atlantic you can see how Trump’s son, Don Jr., is directly working with operatives on collecting dirt on reporters, in order to sow disinformation and use dirty tricks to discredit anyone who opposes them. Post re-election this will likely continue, if not escalate, as Trump becomes more aggressive without checks against him and as the media continues to do its job.

Final Assessment:

You might be reading this and thinking that I am just paranoid.

Maybe.

But what we are actively seeing today is not a slide into a greater democracy. These tactics, the overall machinations by the Republican party (aka the Trump party), are all indicators of a planned slide into authoritarian tactics. That the laws of the land have not been able to stop Trump and the Russians so far has shown the inherent weaknesses of the American systems that have been attacked. With the rule of law being slowly poisoned by Barr’s acquiescence to Trump’s will, we are sliding further and further into a quasi-fascist state. The longer Trump is in power and keeps pushing the envelope unchecked, the further we will slide from autocracy toward totalitarianism.

The system has been challenged, and we are finding that it is insecure and unable to right itself. These scenarios are just posits, but if they come to pass, you had better be thinking of an exit plan.

K.

Written by Krypt3ia

2020/02/12 at 16:36