2 stories from the Hacker News: Solar Winds Hackers Targeting Government
The Solarwinds hack from last year (the one I discussed in several stories including this one: SolarWinds hackers Hacked Multi-factor Authentication.
It is sometimes instructive to review past hacks to see what the hackers are up to (how they hack).
Here is some interesting information:
- Compromising multiple accounts within an environment and using each of those accounts for different functions to limit exposure,
- Using a combination of Tor, Virtual Private Servers (VPS) and public Virtual Private Networks (VPN) to access victim environments,
- Hosting second-stage payloads as encrypted blobs on legitimate websites running WordPress, and
- Using residential IP address ranges to authenticate to victim environments.
The useful tidbit from the CISA article Directive 22-01:
Binding operational directive 22-01 is one of the broader directives – in fact, it’s very broad, referring to over three hundred vulnerabilities. It’s a dramatic step for CISA to take – it’s not just another run-of-the-mill communications message.
With this directive, CISA presents a list of vulnerabilities that it thinks are the most commonly exploited within the larger field of tens of thousands of known vulnerabilities. Some of these vulnerabilities are quite old.
and some more information from article at The hacker News:
These vulnerabilities are not unique to government services – any technology environment can be affected.
And here’s the rub: just like government technology environments, your technology estate may be full of vulnerabilities that need remediation. The CISA list would be an excellent place to start fixing things.
And to top it all off, these are not just -potentially- exploitable vulnerabilities.
If you read the directive closely, these are vulnerabilities -currently- being exploited in the wild, meaning that exploit code is either readily available for everyone or being distributed in the less savory corners of the Internet. Either way, these are not just a hypothetical threat anymore.
This is why I wanted to focus on the 2 posts, SolarWinds was a hack using similar methods of the CISA directive and the story of Cybersecurity is always the same – you must keep up on patching and updating the devices while having good security practices for everyone – as the weak point will be used to allow the hacker a way in, and once they are in it is just one step after another before the goals are realized.
Purchase my book to get started on shoring up Cybersecurity in your environment.