Opinion | Cybersecurity on a different priority


In a digital world, cybersecurity has taken on a different priority as senior executives and policy makers realise the criticality of it to the proper, safe, and secure core functioning of organisations, companies and even governments.

As reported in the media, a number of networks, including US Government networks, were recently allegedly hacked by Chinese actors.

The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key.

The US Congress wants answers.

The phrase “negligent security practices” is being tossed about—and with good reason.

Master signing keys are not supposed to be left around, waiting to be stolen.

Two things went badly wrong here.

The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity.

The second is that this key was supposed to remain in the system’s Hardware Security Module—and not be in software.

This implies a really serious breach of good security practice.
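The first failure described above, a verifier that accepts a token because its signature checks out under some registered key without asking whether that key is still within its lifetime, is easy to show in code. The following is an added example and is not Microsoft's, Azure's or the columnist's code: it uses HMAC keys and a hypothetical `KEY_REGISTRY` with constructed validity windows in place of the published asymmetric keys a real issuer would use, so that it runs on the standard library alone. The lenient verifier accepts a token minted with the retired key; the strict one rejects it.

```python
import base64
import hashlib
import hmac
import json

# Constructed key registry (hypothetical): every signing key carries a validity
# window. Real issuers publish asymmetric keys under key IDs; HMAC is used here
# only so the example runs with the standard library.
KEY_REGISTRY = {
    # retired key: valid during 2021 only (Unix times for 2021-01-01 and 2022-01-01)
    "key-2021": {"secret": b"example-retired-key-material", "not_before": 1609459200, "not_after": 1640995200},
    # current key: valid during 2023 (2023-01-01 to 2024-01-01)
    "key-2023": {"secret": b"example-current-key-material", "not_before": 1672531200, "not_after": 1704067200},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Issue a compact JWT-style token (header.payload.signature) signed with key `kid`."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(KEY_REGISTRY[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def _parse(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    return header, claims, sig, parts[0] + "." + parts[1]


def verify_token_lenient(token: str, now: int):
    """Weak verifier: checks that the signature matches *some* registered key and that
    the token has not expired, but never asks whether that key should still be trusted."""
    parsed = _parse(token)
    if parsed is None:
        return False, "malformed token"
    header, claims, sig, signing_input = parsed
    kid = header.get("kid")
    if header.get("alg") != "HS256" or kid not in KEY_REGISTRY:
        return False, "unknown key or algorithm"
    expected = hmac.new(KEY_REGISTRY[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "token expired"
    return True, "ok"


def verify_token_strict(token: str, now: int):
    """Hardened verifier: everything the lenient one does, plus the key's own lifetime."""
    ok, reason = verify_token_lenient(token, now)
    if not ok:
        return ok, reason
    header, claims, _, _ = _parse(token)
    key = KEY_REGISTRY[header["kid"]]
    # A retired (or not-yet-active) key must not validate anything, however correct
    # the signature is: a token minted with a stolen old key is exactly this case.
    if not key["not_before"] <= now < key["not_after"]:
        return False, "signing key outside its validity window"
    # The issue time must also fall inside the key's lifetime; a token that claims to
    # predate its own key is inconsistent and is rejected.
    iat = claims.get("iat")
    if not isinstance(iat, int) or not key["not_before"] <= iat < key["not_after"]:
        return False, "issued-at time outside signing key's validity window"
    return True, "ok"


if __name__ == "__main__":
    now = 1690000000  # 2023-07-22, inside key-2023's window
    claims = {"sub": "alice", "iat": now - 60, "exp": now + 3600}
    for kid in ("key-2023", "key-2021"):
        token = mint_token(kid, claims)
        print(kid, "lenient:", verify_token_lenient(token, now), "strict:", verify_token_strict(token, now))
```

The point of the strict path is that key validity is a property of the key registry, not of the token: rotating a key out of its window must cause every verifier to stop honouring it, whatever the token's own `exp` says.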

The fact that Microsoft has not been forthcoming about the details of what happened tells me that the details are really bad.

I believe this all traces back to SolarWinds.

In addition to Russia inserting malware into a SolarWinds update, China used a different SolarWinds vulnerability to break into networks.

We know that Russia accessed Microsoft source code in that attack.

I have heard from various cybersecurity sites and authorities that China used their SolarWinds vulnerability to break into Microsoft and access source code, including Azure’s.

I think we are grossly underestimating the long-term results of the SolarWinds attacks.

That backdoored update was downloaded by over 14,000 networks worldwide.

Organisations patched their networks, but not before Russia—and others—used the vulnerability to enter those networks.

And once someone is in a network, it’s hard to be sure that you’ve kicked them out and removed all access.

Sophisticated threat actors are realising that stealing the source code of infrastructure providers, and then combing that code for vulnerabilities, is an excellent way to break into the organisations that use those providers.

Nation state cyber attackers like Russia and China—and presumably the US and others as well—are prioritising going after those providers.

Here’s a very covert, almost undetectable way of doing it.

In an article by Jenna Phipps of esecurityplanet.com, which I quote and paraphrase in parts below, she observes that, given the large resources allocated to these cyber ‘black ops’, certain cyber-attack vectors have evolved in recent years.

These are more covert and subtle and play the long game.

As an example, living off the land (LOTL) attacks use legitimate programs that already exist on a computer, rather than installing malware from an external source onto a system.

The stealthy nature of these attacks can make them effective — and difficult for security teams to detect and prevent.

To prevent LOTL attacks, security teams must use sophisticated detection methods, as well as closing loopholes in popular programs with known vulnerabilities.

Living off the land attacks originate within a valid computer program, like script-writing software or a command line tool.

Attackers gain access to the program and perform actions such as writing new malicious code or escalating their own privileges, preferably to administrator (or root) level.

Many attacks like these are known as fileless malware attacks because they don’t need code to be installed onto a machine through an external file.

Rather, they use a legitimate source.

Often, LOTL attacks don’t have a signature, either.

A lack of signature or of recognisable malware makes it very difficult to track and identify LOTL attacks.

Such an attack can’t always be found in a feed of common threats.

IT and security teams will often have trouble locating the initial problem because the threat comes from a valid computer program within their organisation’s network.

If a threat actor finds legitimate existing credentials for an application or program, they can log in without having to download malware or brute force their way into the system.

They may use a tool like Mimikatz to extract credentials stored in memory, steal credentials for a powerful management program like PowerShell, or find login information for IT remote access applications like TeamViewer and AnyDesk, which help IT admins connect to remote computers.

Any compromised application that allows users to make changes — or even an application that simply allows too many permissions — can result in an LOTL attack.

Note that although brute-forcing passwords can still let a threat actor carry out an LOTL attack, brute-force attempts are more noticeable to security teams.

Threat actors can also identify backdoors that haven’t been closed off properly.

Backdoors are vulnerabilities within a computer program that allow users to access the program without following the predetermined guidelines for entry (namely, credentials and any additional authentication).

LOTL attacks are often simplest for malicious insiders to carry out.

These attackers may not even need to steal credentials or find a backdoor because they’re already a trusted member of the organisation they’re attacking.

Moreover, LOTL attacks are difficult to attribute to any one attacker, making them ideal for nation states engaged in cyber espionage and more.

While there are literally hundreds of avenues an LOTL attacker can use, not all of them are regularly exploited.

A prized target of hackers is often Active Directory, which controls credentials and access rights on Windows domain networks.

If your business has already undergone an LOTL attack, take the following recovery steps:

• Change credentials for any accounts or systems affected.

Setting new passwords, particularly strong ones, will help re-strengthen exploited accounts.

• Store credentials securely.

Don’t just rely on creating strong passwords — use cryptographic tools like password managers to protect them from prying eyes.

• Back up all necessary files on the hard drive from the infected system and then perform a clean install of your machine’s OS.

This deletes any compromised programs so they can be replaced by a newly-installed, uninfected version.

• Perform an access control audit. Everyone in the organisation should only have access to the applications they absolutely need to do their job; this reduces the number of available credentials to vulnerable programs.

While living off the land attacks are challenging for security teams to identify, the development of advanced cybersecurity methods like AI and threat detection will help organisations approach LOTL with more confidence.

While LOTL threat reduction can be time-consuming, tactics like managed threat hunting and behavioural analytics are promising because they help teams dive into the specifics of attack prevention and identification.

The more data your team can access and understand, the better prepared you’ll be to identify subtle attacks.
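Behavioural analytics of the kind described above works by scoring ordinary-looking events for the combinations that legitimate use rarely produces: an Office document spawning a script host, a shell started with an encoded command, a remote-access tool run by someone who is not in IT, all of it after hours. The following is an added example, not code from the column or from esecurityplanet.com. The log lines, host and user names, the `IT_ADMIN_ACCOUNTS` set, the business-hours window and the rule weights are all constructed for illustration; a real deployment would read the same fields from its endpoint telemetry and tune the weights to its own baseline.

```python
import json
from datetime import datetime

# Constructed process-creation events in a simple JSON-lines shape (not a real
# vendor log format). Two hosts behave normally; one shows an Office document
# launching a hidden, encoded PowerShell session.
SAMPLE_LOG = """
{"ts": "2023-07-20T09:02:11", "host": "FIN-PC-07", "user": "mere.k", "parent": "explorer.exe", "image": "winword.exe", "cmdline": "winword.exe invoice.docx"}
{"ts": "2023-07-20T09:03:05", "host": "FIN-PC-07", "user": "mere.k", "parent": "winword.exe", "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc <base64-blob>"}
{"ts": "2023-07-20T10:15:40", "host": "IT-WS-01", "user": "it.admin", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe Get-Service"}
{"ts": "2023-07-20T11:00:02", "host": "IT-WS-01", "user": "it.admin", "parent": "explorer.exe", "image": "teamviewer.exe", "cmdline": "teamviewer.exe"}
{"ts": "2023-07-20T22:40:19", "host": "HR-PC-02", "user": "sala.t", "parent": "explorer.exe", "image": "anydesk.exe", "cmdline": "anydesk.exe"}
"""

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "anydesk.exe"}
IT_ADMIN_ACCOUNTS = {"it.admin", "svc-helpdesk"}  # assumption: accounts expected to run remote-access tools
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00 to 18:59 local time


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def findings_for(ev):
    """Return (reason, weight) pairs for one event. Weights are illustrative."""
    image, parent = ev["image"].lower(), ev["parent"].lower()
    tokens = ev["cmdline"].lower().split()
    found = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        found.append(("office application spawned a script host", 40))
    # PowerShell accepts any unambiguous prefix of a parameter name, so match
    # every prefix of -EncodedCommand of at least two characters (-e, -ec, -enc, ...).
    if image in {"powershell.exe", "pwsh.exe"} and any(
        len(t) >= 2 and "-encodedcommand".startswith(t) for t in tokens
    ):
        found.append(("powershell launched with an encoded command", 30))
    if image in REMOTE_ACCESS_TOOLS and ev["user"].lower() not in IT_ADMIN_ACCOUNTS:
        found.append(("remote-access tool run by a non-IT account", 25))
    # After-hours timing only adds weight when something else already looks odd,
    # otherwise every late worker would raise the host's score.
    if found and datetime.fromisoformat(ev["ts"]).hour not in BUSINESS_HOURS:
        found.append(("activity outside business hours", 10))
    return found


def triage(events):
    """Aggregate per-host scores so that a chain of individually quiet steps adds up."""
    report = {}
    for ev in events:
        entry = report.setdefault(ev["host"], {"score": 0, "findings": []})
        for reason, weight in findings_for(ev):
            entry["score"] += weight
            entry["findings"].append((ev["ts"], ev["image"], reason))
    return report


def hosts_to_investigate(report, threshold=50):
    """Hosts at or above the threshold, highest score first."""
    return sorted(
        (h for h, e in report.items() if e["score"] >= threshold),
        key=lambda h: -report[h]["score"],
    )


if __name__ == "__main__":
    rep = triage(parse_events(SAMPLE_LOG))
    for host in hosts_to_investigate(rep):
        print(f"{host}: score {rep[host]['score']}")
        for ts, image, reason in rep[host]["findings"]:
            print(f"  {ts} {image}: {reason}")
```

Each rule on its own would be too noisy to page anyone on; the value is in the per-host aggregation, which is also why the threshold and weights need tuning against your own environment before the alert is trusted.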

As a security expert once observed: “Time is what determines security. With enough time, nothing is unhackable!”

Go Fiji go against France this weekend.

As always God bless and stay safe in both digital and physical worlds.


* ILAITIA B. TUISAWAU is an expert in telecommunications, computer network infrastructure, cybersecurity and risk management. He has led multiskilled project teams in the successful delivery of ICT projects in Fiji and the Pacific region, and was one of two telecom engineers who designed and built the first commercial Internet service in Fiji in November 1995. The views expressed in this article belong to him and do not necessarily reflect the views of this newspaper.