On Wednesday, CyberScoop reported that Trustwave had found three new critical vulnerabilities in the SolarWinds Orion software for which SolarWinds has offered patches. “[Karl] Sigler, a researcher at Trustwave’s SpiderLabs security division, said his firm plans to release proof-of-concept exploit code for the vulnerabilities on Feb. 9. The goal is to spur people to apply the SolarWinds software patches before malicious hackers use their own exploits.”
The article added that “A SolarWinds spokesperson said the attackers in that breach added malicious software known as Supernova to the Orion software “on a customer’s network.”” In that regard, yesterday, NextGov reported that
Reuters first reported on Tuesday that the department’s National Finance Center, which runs a payroll system serving over 600,000 federal employees across 160 agencies, was penetrated by suspected Chinese hackers exploiting a flaw in SolarWinds’ software.
The intrusion is separate from earlier reports in December associated with a trojanized update SolarWinds distributed to about 18,000 of its customers, according to Reuters. In response to that hacking campaign, which a number of agencies acknowledged they were affected by, the Cybersecurity and Infrastructure Security Agency directed all agencies to remove certain SolarWinds products from their systems. Government officials have since publicly said Russia is likely behind that event, along with the abuse of authentication configurations in Microsoft’s Office 365 cloud service.
“In compliance with CISA’s emergency directive and to protect USDA systems, USDA notified customers in December that it had removed SolarWinds Orion products from its networks due to the SolarWinds compromise,” the USDA spokesperson told Nextgov. “While we continue to look into it, we have no evidence of a data breach of the USDA National Finance Center.”
Health IT Security points out that this new vulnerability was resolved in the latest SolarWinds Orion software release. Here is a link to the CISA Alert on this Supernova vulnerability.
On Tuesday, the National Institute of Standards and Technology issued a new Special Publication 800-172 intended to assist the government and private entities to address “advanced persistent threats” such as these.
“We developed [NIST] SP 800-171 in response to major cyberattacks on U.S. critical infrastructure, and its companion document SP 800-172 is designed to mitigate attacks from advanced cyber threats such as the APT,” Ross said. “Implementing the cyber safeguards in SP 800-172 will help system owners protect what state-level hackers have considered to be particularly high-value targets: sensitive information about people, technologies, innovation and intellectual property, the revelation of which could compromise our economy and national security.”
The enhanced security requirements are to be implemented in addition to those in SP 800-171, since that publication is not designed to address the APT. The requirements in SP 800-172 apply to the components of nonfederal systems that process, store or transmit [Confidential Unclassified Information] CUI or that provide protection for such components. To further narrow the scope, the requirements are applied only when the designated CUI is associated with a critical program or high-value asset — the highest priority for protection.
Yesterday, The FEHBlog noticed that
The National Cyber Investigative Joint Task Force (NCIJTF) has released a joint-sealed ransomware factsheet to address current ransomware threats and provide information on prevention and mitigation techniques. The Ransomware Factsheet was developed by an interagency group of subject matter experts from more than 15 government agencies to increase awareness of the ransomware threats to police and fire departments; state, local, tribal, and territorial governments; and critical infrastructure entities.
To reduce the risk of public and private sector organizations falling victim to common infection vectors like those outlined in the NCIJTF factsheet, CISA launched the Reduce the Risk of Ransomware Campaignin January to provide informational resources to support organizations’ cybersecurity and data protection posture against ransomware.
CISA encourages users and administrators to review the NCIJTF Ransomware Factsheet and CISA’s Ransomware webpage for additional resources to combat ransomware attacks.