Symantec Security Summary – January 2021

Sedition and cyber risk.  As learn more about what transpired during the assault on the Capitol building on Jan. 6, the offensive has also opened up a Pandora’s Box of information security risks and data privacy concerns, related to everything from missing laptops to the potential for malware and other national security and intelligence threats.

As rioters stormed the building, they broke into Congressional offices, ransacked papers, and in a few cases, stole laptops, including one from Jeff Merkley, the Democratic senator from Oregon, and another unit used for presentations swiped from the office of House Speaker Nancy Pelosi.

While there is no evidence that skilled hackers or committed spies were part of the coordinated mob, the thefts do shine a spotlight on Congress’ overall security posture and raise concerns about whether individual legislators are doing enough to safeguard their computing devices and networks from direct access and infiltration. Security experts say physical access can be even more dangerous than a cyber breach because hackers gain options for compromising a device and its material. In addition, any paperwork on legislators’ desks was left open to exposure, and looters could have captured sensitive material simply by taking photos on their cell phones.

Countermeasures in the works. Experts contend the incident must be treated as a legitimate breach of IT assets, involving such measures as sweeping devices, monitoring network traffic, and also taking surveillance countermeasures to ensure there were no eavesdropping devices planted. One upside is that Senate rules passed a couple of years back to mandate encryption by default for all new devices. In addition, the legislative body works on a two-to-three-year upgrade cycle—an indicator that there is a relatively robust level of data security protection on individual computers.

* * *

In other government-related cyber security news, there is continuing fallout from the on-going SolarWinds attack revealed last month. The massive, on-going intrusion campaign, said to be perpetrated by Russian hackers and spanning government agencies, private companies, and infrastructure entities, is now thought to comprise a variety of unidentified tactics—not just a breach of the SolarWinds Orion infrastructure monitoring and management platform.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that some victims of the hack had been breached without ever using the SolarWinds platform. Hackers used “tactics, techniques, and procedures that have not yet been discovered,” the alert revealed, and the on-going cyber campaign began as early as March 2019—a harbinger of its sweeping impact.

The hackers turned to a rarely-used technique to keep their command and control (C&C) communications under the radar—a tactic explored in a Symantec Threat Hunter Team blog post. According to the post, the malware used to Trojanize the SolarWinds Orion software employed a domain generation algorithm (DGA) to generate domain names to contact for C&C purposes. Instead of randomly generating characters, this DGA encodes information into the text making up the generated domain names, which helps it fly under the radar. A separate report maintains that malware known as Sunspot was deployed in the SolarWinds build environment and used to inject the Sunburst backdoor into the Orion software.

A new focus. A new office at the State Department, the Bureau of Cyberspace Security and Emerging Technologies (CSET), was recently approved to address cyber security and emerging technologies, including working to prevent cyber conflicts with adversarial nations. The incoming Biden administration has also announced plans for the first deputy national security adviser for cyber and emerging technology to be held by Anne Neuberger, who most recently had oversight of an organization tasked with preventing digital threats to sensitive government and military industry networks.

Deep investigative dive. SolarWinds, the company whose cyber security software is at the epicenter of the national security breach, is taking on-going steps to mitigate the damage. The firm recently hired Christopher Krebs, the former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to consult on the breach and investigate how hackers penetrated its Orion software with malicious code. Krebs, fired by the Trump administration, has started a cyber security consulting company with Alex Stamos, formerly Chief Security Officer at Facebook.

* * *

Buyer beware. PayPal users should beware of a SMS phishing (dubbed smishing) campaign that tries to trick people into handing over account credentials and other sensitive personal data. An SMS message asserts that the recipient’s PayPal account has been “limited” due to suspicious activity and asks the receiver to verify their account by clicking on a link. If they bite, the link serves up a fake PayPal login screen that sends entered information such as data of birth, bank details, etc. to attackers. Paypal advises anyone who has fallen for the attack to immediately go to the site and change their password.

* * *

What is Babuk Locker? The first new targeted enterprise ransomware of 2021. Discovered by security researcher Chuong Dong, the ransomware operation targets corporate victims in human-operated attacks with ransom demands ranging in the tens of thousands of dollars to be paid in Bitcoin. Already claiming victims as diverse an elevator and escalator company to a medical testing products manufacturer, Babuk Locker executables are customized on a per-victim basis to contain a hardcoded extension, ransom note, and a Tor victim URL. While Dong says the coding is not very advanced, Babuk Locker includes secure encryption preventing victims from recovering their files free of charge.