Cybersecurity Saturday

On Thursday, the Senate Armed Services Committee held a hearing featuring Gen. Paul Nakasone, the director of the National Security Agency, who also serves as the head of U.S. Cyber Command. A topic of discussion was the SolarWinds and Microsoft Exchange hacks.

The Wall Street Journal reports that these hacks have a “scope, a scale, a level of sophistication that we hadn’t seen previously.” * * * “This isn’t simply email phishing attempts—this is the use of supply chains, or this is the use of vulnerabilities we hadn’t seen before.” During a discussion of why the private sector discovered the hacks before the government, it was pointed out that

The NSA, for instance, is only authorized to operate outside U.S. borders, whereas the Federal Bureau of Investigation and other agencies are responsible for cybersecurity law enforcement domestically. Foreign attackers are aware of this and use U.S.-based servers to launch attacks from inside the country, effectively bypassing the NSA, Gen. Nakasone said. “It’s not the fact that we can’t connect the dots. We can’t see all of the dots,” he said.

Gen. Nakasone stopped short of calling for the NSA to be given the authority to surveil domestic networks when questioned directly by Sen. Mike Rounds (R., S.D.). He said that there are a number of ways to tackle the issues revealed by such sweeping and complex attacks, including enhanced cooperation with the private sector. The issue of surveillance, he said, carries both policy and legal concerns and was closely linked to the Fourth Amendment, which protects against unreasonable searches and seizures.

Cyberscoop adds

Part of being able to understand and better track adversarial hacking moving forward, even when it takes advantage of U.S. internet infrastructure, could rely on broader government and private sector information sharing.

“How do we take the best tools not only from the government but also from the private sector to look at what’s occurring and being able to shine that spotlight?” Gen. Nakasone said. “I think a lot of times we look and just say we’ll simply go ahead and downgrade that intelligence rapidly. Sometimes the better answer is, okay where are the other streams of information, how can we use that?”

Gen. Nakasone suggested that incentives for the private sector could be introduced, adding that legislation could push private sector internet infrastructure companies to better understand who their customers are, as well.

In recognition of the role that information sharing between the public and private sectors will play in responding to the flurry of Microsoft hacking, the Biden administration has convened an emergency cybersecurity incident response group at the National Security Council and invited private sector participation for the first time ever.

In this regard, Health IT Security reports that recently

The Department of Health and Human Services Cybersecurity and Infrastructure Security Agency unveiled the CISA Hunt and Incident Response Program (CHIRP) tool, which is designed to support entities in detecting threat activity within on-prem environments. * * *

CISA previously launched an IOC tool to help detect compromises within the cloud. The latest provided tool is specifically meant for on-prem networks.

By default, CHIRP scans for signs of compromise within an on-prem environment, particularly IOCs associated with the malicious activity around SolarWinds threat activities “that have spilled into an on-premises enterprise environment.”

“CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise,” CISA explained. “CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures.”

“CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity,” they added.
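To make the “plugin and indicator system” described above concrete, here is an added toy scanner in that shape. It is not CHIRP’s own code or file format: the indicator list (which CHIRP ships as YAML) is inlined as a dict, and every indicator, event log line and registry path is a constructed placeholder.

```python
"""Toy indicator/plugin scanner in the shape CISA describes for CHIRP.
Hypothetical structure, not CHIRP's code or file format; CHIRP ships its IOC
list as YAML, inlined here as a dict. All indicators, log lines and registry
paths below are constructed samples, not real IOCs."""
import re

# Indicators keyed by the plugin that consumes them (constructed placeholders).
IOCS = {
    "event_log": [{"name": "example-loader-dll", "pattern": r"example-malicious\.dll"},
                  {"name": "example-c2-domain", "pattern": r"c2\.example\.invalid"}],
    "registry": [{"name": "example-run-key", "pattern": r"\\Run\\ExampleEvilUpdater$"}],
}
PLUGINS = {}  # plugin name -> scan function, filled by the decorator below

def plugin(name):
    """Register a scan function under the indicator category it handles."""
    def register(fn):
        PLUGINS[name] = fn
        return fn
    return register

def _matches(source, records, indicators):
    """Shared helper: one (plugin, indicator, record) tuple per regex hit."""
    return [(source, ioc["name"], rec) for rec in records
            for ioc in indicators if re.search(ioc["pattern"], rec, re.IGNORECASE)]

@plugin("event_log")  # raw event log message text (service installs, process creation)
def scan_event_log(records, indicators):
    return _matches("event_log", records, indicators)

@plugin("registry")  # full key paths taken from a registry export
def scan_registry(records, indicators):
    return _matches("registry", records, indicators)

def run_scan(evidence):
    """Dispatch each evidence source to its plugin with the matching IOC set."""
    findings = []
    for source, records in evidence.items():
        if source in PLUGINS:  # sources with no plugin are skipped, not errors
            findings.extend(PLUGINS[source](records, IOCS.get(source, [])))
    return findings

# Constructed evidence standing in for exported event logs and a registry dump.
SAMPLE_EVIDENCE = {
    "event_log": ["4688 New process: C:\\Windows\\System32\\svchost.exe -k netsvcs",
                  "7045 Service installed: ImagePath=C:\\ProgramData\\example-malicious.dll",
                  "DNS query: c2.example.invalid"],
    "registry": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
                 r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleEvilUpdater"],
}
```

Running `run_scan(SAMPLE_EVIDENCE)` yields three findings (two from the event log plugin, one from the registry plugin); adding a new indicator category is a matter of registering another plugin and its IOC list.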

Enterprises can leverage the tool without cost directly from DHS CISA. Officials said they intend to continuously monitor for new threats and will release IOC packages and plugins for new threats, as available.

Fortune Magazine reports that

A tool designed to help businesses protect themselves from further compromises after a global hack of Microsoft email server software has been downloaded more than 25,000 times since it was released last week, the White House’s National Security Council said Monday.

As a result, the number of vulnerable systems has fallen by 45%, according to an NSC spokesperson.

The one-click Microsoft tool was created to protect against cyberattacks and to scan systems for compromises and fix them. It was developed after a massive hack affecting an estimated tens of thousands of users of servers running Microsoft’s Exchange email program.

From the ransomware front, Business Insurance reports that

CNA Financial Corp.’s computer systems remained down on Friday as the insurer grappled with a cyberattack by a hacker group known as Phoenix. Nearly a week after the insurer discovered it had been attacked, its website remained inaccessible and just contained alternative contact information.

Bleeping Computer offers its analysis of the cyberattack.

BleepingComputer has confirmed that CNA suffered an attack by a new ransomware known as ‘Phoenix CryptoLocker.’

Sources familiar with the attack have told BleepingComputer that the threat actors deployed the ransomware on CNA’s network on March 21, where it proceeded to encrypt over 15,000 devices on their network.

BleepingComputer has learned that it also encrypted the computers of employees working remotely who were logged into the company’s VPN at the time of the attack.

BleepingComputer was further told that CNA would be restoring from backups but has not confirmed that with the company.

Bleeping Computer also discusses possible Phoenix links to Evil Corp., a ransomware mastermind that the federal government has sanctioned.

Here is a link to the FBI’s computer hygiene guidance that helps prevent ransomware attacks. As the FEHBlog expects that CNA Financial was following these steps and more, it will be interesting to find out how this happened.